On 25/08/2022 at 15:46, Eyal Birger wrote: > Allow specifying the xfrm interface if_id and link as part of a route > metadata using the lwtunnel infrastructure. > > This allows for example using a single xfrm interface in collect_md > mode as the target of multiple routes each specifying a different if_id. > > With the appropriate changes to iproute2, considering an xfrm device > ipsec1 in collect_md mode one can for example add a route specifying > an if_id like so: > > ip route add <SUBNET> dev ipsec1 encap xfrm if_id 1 > > In which case traffic routed to the device via this route would use > if_id in the xfrm interface policy lookup. > > Or in the context of vrf, one can also specify the "link" property: > > ip route add <SUBNET> dev ipsec1 encap xfrm if_id 1 dev eth15 > > Signed-off-by: Eyal Birger <eyal.birger@xxxxxxxxx> [snip] > +static int xfrmi_build_state(struct net *net, struct nlattr *nla, > + unsigned int family, const void *cfg, > + struct lwtunnel_state **ts, > + struct netlink_ext_ack *extack) > +{ > + struct nlattr *tb[LWT_XFRM_MAX + 1]; > + struct lwtunnel_state *new_state; > + struct xfrm_md_info *info; > + int ret; > + > + ret = nla_parse_nested(tb, LWT_XFRM_MAX, nla, xfrm_lwt_policy, extack); > + if (ret < 0) > + return ret; > + > + if (!tb[LWT_XFRM_IF_ID]) > + return -EINVAL; It would be nice to add extack error message for all error cases, particularly for EINVAL ;-) > + > + new_state = lwtunnel_state_alloc(sizeof(*info)); > + if (!new_state) > + return -ENOMEM; > + > + new_state->type = LWTUNNEL_ENCAP_XFRM; > + > + info = lwt_xfrm_info(new_state); > + > + info->if_id = nla_get_u32(tb[LWT_XFRM_IF_ID]); > + if (!info->if_id) { > + ret = -EINVAL; > + goto errout; > + } > + > + if (tb[LWT_XFRM_LINK]) { > + info->link = nla_get_u32(tb[LWT_XFRM_LINK]); > + if (!info->link) { > + ret = -EINVAL; > + goto errout; > + } > + } > + > + *ts = new_state; > + return 0; > + > +errout: > + xfrmi_destroy_state(new_state); > + kfree(new_state); > + return 
ret; > +}
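Review bot: the errout path in xfrmi_build_state() can be avoided entirely by validating the attributes before allocating the state: both rejections (if_id == 0, and link present but == 0) only depend on nla_get_u32() of tb[LWT_XFRM_IF_ID] / tb[LWT_XFRM_LINK], which are available right after nla_parse_nested() and before lwtunnel_state_alloc(). Reading the two values into locals first, returning -EINVAL (with the extack message already requested above) on the bad values, and only then allocating and filling info->if_id / info->link removes the goto label and the xfrmi_destroy_state() + kfree() pair on a state that has not acquired anything yet, and keeps the success path as the only place new_state is handed out through *ts.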