ip: xfrm: add support for tfcpad

This patch adds support for setting and displaying the Traffic Flow Confidentiality attribute for an XFRM state, which allows padding ESP packets to a specified length. Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David Ahern <dsahern@kernel.org>
2021-03-19 17:57:17 +01:00 · 2021-03-19 17:57:17 +01:00 · 3c75135835
parent fa505da84b
commit 3c75135835
3 changed files with 19 additions and 1 deletions
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@ -907,6 +907,14 @@ void xfrm_xfrma_print(struct rtattr *tb[], __u16 family,
 		fprintf(fp, "if_id %#x", if_id);
 		fprintf(fp, "%s", _SL_);
 	}
+	if (tb[XFRMA_TFCPAD]) {
+		__u32 tfcpad = rta_getattr_u32(tb[XFRMA_TFCPAD]);
+
+		if (prefix)
+			fputs(prefix, fp);
+		fprintf(fp, "tfcpad %u", tfcpad);
+		fprintf(fp, "%s", _SL_);
+	}
 }

 static int xfrm_selector_iszero(struct xfrm_selector *s)
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@ -63,7 +63,7 @@ static void usage(void)
 		"        [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]\n"
 		"        [ offload [dev DEV] dir DIR ]\n"
 		"        [ output-mark OUTPUT-MARK [ mask MASK ] ]\n"
-		"        [ if_id IF_ID ]\n"
+		"        [ if_id IF_ID ] [ tfcpad LENGTH ]\n"
 		"Usage: ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]\n"
 		"        [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]\n"
 		"Usage: ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]\n"
@ -331,6 +331,7 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
 	struct xfrm_mark output_mark = {0, 0};
 	bool is_if_id_set = false;
 	__u32 if_id = 0;
+	__u32 tfcpad = 0;

 	while (argc > 0) {
 		if (strcmp(*argv, "mode") == 0) {
@ -465,6 +466,10 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
 			if (get_u32(&if_id, *argv, 0))
 				invarg("value after \"if_id\" is invalid", *argv);
 			is_if_id_set = true;
+		} else if (strcmp(*argv, "tfcpad") == 0) {
+			NEXT_ARG();
+			if (get_u32(&tfcpad, *argv, 0))
+				invarg("value after \"tfcpad\" is invalid", *argv);
 		} else {
 			/* try to assume ALGO */
 			int type = xfrm_algotype_getbyname(*argv);
@ -650,6 +655,9 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
 	if (is_if_id_set)
 		addattr32(&req.n, sizeof(req.buf), XFRMA_IF_ID, if_id);

+	if (tfcpad)
+		addattr32(&req.n, sizeof(req.buf), XFRMA_TFCPAD, tfcpad);
+
 	if (xfrm_xfrmproto_is_ipsec(req.xsinfo.id.proto)) {
 		switch (req.xsinfo.mode) {
 		case XFRM_MODE_TRANSPORT:
--- a/man/man8/ip-xfrm.8
+++ b/man/man8/ip-xfrm.8
@ -65,6 +65,8 @@ ip-xfrm \- transform configuration
 .IR MASK " ] ]"
 .RB "[ " if_id
 .IR IF-ID " ]"
+.RB "[ " tfcpad
+.IR LENGTH " ]"

 .ti -8
 .B "ip xfrm state allocspi"