]>
Commit | Line | Data |
---|---|---|
c7699875 | 1 | /* $USAGI: $ */ |
2 | ||
3 | /* | |
4 | * Copyright (C)2004 USAGI/WIDE Project | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License as published by | |
8 | * the Free Software Foundation; either version 2 of the License, or | |
9 | * (at your option) any later version. | |
10 | * | |
11 | * This program is distributed in the hope that it will be useful, | |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 | * GNU General Public License for more details. | |
15 | * | |
16 | * You should have received a copy of the GNU General Public License | |
17 | * along with this program; if not, write to the Free Software | |
18 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
19 | */ | |
20 | /* | |
21 | * based on iproute.c | |
22 | */ | |
23 | /* | |
24 | * Authors: | |
25 | * Masahide NAKAMURA @USAGI | |
26 | */ | |
27 | ||
28 | #include <stdio.h> | |
29 | #include <stdlib.h> | |
30 | #include <string.h> | |
31 | #include <netdb.h> | |
32 | #include <linux/netlink.h> | |
33 | #include <linux/xfrm.h> | |
34 | #include "utils.h" | |
35 | #include "xfrm.h" | |
36 | #include "ip_common.h" | |
37 | ||
9bec1a43 SH |
38 | //#define NLMSG_DELETEALL_BUF_SIZE (4096-512) |
39 | #define NLMSG_DELETEALL_BUF_SIZE 8192 | |
c7699875 | 40 | |
41 | /* | |
42 | * Receiving buffer defines: | |
43 | * nlmsg | |
44 | * data = struct xfrm_userpolicy_info | |
45 | * rtattr | |
46 | * data = struct xfrm_user_tmpl[] | |
47 | */ | |
48 | #define NLMSG_BUF_SIZE 4096 | |
49 | #define RTA_BUF_SIZE 2048 | |
50 | #define XFRM_TMPLS_BUF_SIZE 1024 | |
51 | ||
52 | static void usage(void) __attribute__((noreturn)); | |
53 | ||
54 | static void usage(void) | |
55 | { | |
7809c616 | 56 | fprintf(stderr, "Usage: ip xfrm policy { add | update } dir DIR SELECTOR [ index INDEX ] \n"); |
c7699875 | 57 | fprintf(stderr, " [ action ACTION ] [ priority PRIORITY ] [ LIMIT-LIST ] [ TMPL-LIST ]\n"); |
7809c616 | 58 | fprintf(stderr, "Usage: ip xfrm policy { delete | get } dir DIR [ SELECTOR | index INDEX ]\n"); |
9bec1a43 | 59 | fprintf(stderr, "Usage: ip xfrm policy { deleteall | list } [ dir DIR ] [ SELECTOR ]\n"); |
c7699875 | 60 | fprintf(stderr, " [ index INDEX ] [ action ACTION ] [ priority PRIORITY ]\n"); |
9bec1a43 | 61 | fprintf(stderr, "Usage: ip xfrm policy flush\n"); |
c7699875 | 62 | fprintf(stderr, "DIR := [ in | out | fwd ]\n"); |
63 | ||
7809c616 | 64 | fprintf(stderr, "SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]\n"); |
c7699875 | 65 | |
c70b36d2 | 66 | fprintf(stderr, "UPSPEC := proto PROTO [ [ sport PORT ] [ dport PORT ] |\n"); |
67 | fprintf(stderr, " [ type NUMBER ] [ code NUMBER ] ]\n"); | |
c7699875 | 68 | |
69 | //fprintf(stderr, "DEV - device name(default=none)\n"); | |
70 | ||
71 | fprintf(stderr, "ACTION := [ allow | block ](default=allow)\n"); | |
72 | ||
73 | //fprintf(stderr, "PRIORITY - priority value(default=0)\n"); | |
74 | ||
75 | fprintf(stderr, "LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]\n"); | |
76 | fprintf(stderr, "LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |\n"); | |
77 | fprintf(stderr, " [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] NUMBER ]\n"); | |
78 | ||
ad273962 | 79 | fprintf(stderr, "TMPL-LIST := [ TMPL-LIST ] | [ tmpl TMPL ]\n"); |
c7699875 | 80 | fprintf(stderr, "TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]\n"); |
81 | fprintf(stderr, "ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]\n"); | |
82 | ||
29aa4dd7 | 83 | //fprintf(stderr, "XFRM_PROTO := [ esp | ah | comp ]\n"); |
ad273962 | 84 | fprintf(stderr, "XFRM_PROTO := [ "); |
29aa4dd7 | 85 | fprintf(stderr, "%s | ", strxf_xfrmproto(IPPROTO_ESP)); |
86 | fprintf(stderr, "%s | ", strxf_xfrmproto(IPPROTO_AH)); | |
87 | fprintf(stderr, "%s", strxf_xfrmproto(IPPROTO_COMP)); | |
ad273962 | 88 | fprintf(stderr, " ]\n"); |
c7699875 | 89 | |
90 | fprintf(stderr, "MODE := [ transport | tunnel ](default=transport)\n"); | |
91 | //fprintf(stderr, "REQID - number(default=0)\n"); | |
92 | fprintf(stderr, "LEVEL := [ required | use ](default=required)\n"); | |
93 | ||
94 | exit(-1); | |
95 | } | |
96 | ||
97 | static int xfrm_policy_dir_parse(__u8 *dir, int *argcp, char ***argvp) | |
98 | { | |
99 | int argc = *argcp; | |
100 | char **argv = *argvp; | |
101 | ||
102 | if (strcmp(*argv, "in") == 0) | |
103 | *dir = XFRM_POLICY_IN; | |
104 | else if (strcmp(*argv, "out") == 0) | |
105 | *dir = XFRM_POLICY_OUT; | |
106 | else if (strcmp(*argv, "fwd") == 0) | |
107 | *dir = XFRM_POLICY_FWD; | |
108 | else | |
109 | invarg("\"DIR\" is invalid", *argv); | |
110 | ||
111 | *argcp = argc; | |
112 | *argvp = argv; | |
113 | ||
114 | return 0; | |
115 | } | |
116 | ||
117 | static int xfrm_tmpl_parse(struct xfrm_user_tmpl *tmpl, | |
118 | int *argcp, char ***argvp) | |
119 | { | |
120 | int argc = *argcp; | |
121 | char **argv = *argvp; | |
122 | char *idp = NULL; | |
123 | ||
124 | while (1) { | |
125 | if (strcmp(*argv, "mode") == 0) { | |
126 | NEXT_ARG(); | |
127 | xfrm_mode_parse(&tmpl->mode, &argc, &argv); | |
128 | } else if (strcmp(*argv, "reqid") == 0) { | |
129 | NEXT_ARG(); | |
130 | xfrm_reqid_parse(&tmpl->reqid, &argc, &argv); | |
131 | } else if (strcmp(*argv, "level") == 0) { | |
132 | NEXT_ARG(); | |
133 | ||
134 | if (strcmp(*argv, "required") == 0) | |
135 | tmpl->optional = 0; | |
136 | else if (strcmp(*argv, "use") == 0) | |
137 | tmpl->optional = 1; | |
138 | else | |
7809c616 | 139 | invarg("\"LEVEL\" is invalid\n", *argv); |
c7699875 | 140 | |
141 | } else { | |
142 | if (idp) { | |
143 | PREV_ARG(); /* back track */ | |
144 | break; | |
145 | } | |
146 | idp = *argv; | |
147 | xfrm_id_parse(&tmpl->saddr, &tmpl->id, &tmpl->family, | |
7809c616 | 148 | 0, &argc, &argv); |
c7699875 | 149 | if (preferred_family == AF_UNSPEC) |
150 | preferred_family = tmpl->family; | |
151 | } | |
152 | ||
153 | if (!NEXT_ARG_OK()) | |
154 | break; | |
155 | ||
156 | NEXT_ARG(); | |
157 | } | |
158 | if (argc == *argcp) | |
159 | missarg("TMPL"); | |
160 | ||
161 | *argcp = argc; | |
162 | *argvp = argv; | |
163 | ||
164 | return 0; | |
165 | } | |
166 | ||
167 | static int xfrm_policy_modify(int cmd, unsigned flags, int argc, char **argv) | |
168 | { | |
169 | struct rtnl_handle rth; | |
170 | struct { | |
171 | struct nlmsghdr n; | |
172 | struct xfrm_userpolicy_info xpinfo; | |
173 | char buf[RTA_BUF_SIZE]; | |
174 | } req; | |
175 | char *dirp = NULL; | |
7809c616 | 176 | char *selp = NULL; |
c7699875 | 177 | char tmpls_buf[XFRM_TMPLS_BUF_SIZE]; |
178 | int tmpls_len = 0; | |
179 | ||
180 | memset(&req, 0, sizeof(req)); | |
181 | memset(&tmpls_buf, 0, sizeof(tmpls_buf)); | |
182 | ||
183 | req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.xpinfo)); | |
184 | req.n.nlmsg_flags = NLM_F_REQUEST|flags; | |
185 | req.n.nlmsg_type = cmd; | |
186 | req.xpinfo.sel.family = preferred_family; | |
187 | ||
188 | req.xpinfo.lft.soft_byte_limit = XFRM_INF; | |
189 | req.xpinfo.lft.hard_byte_limit = XFRM_INF; | |
190 | req.xpinfo.lft.soft_packet_limit = XFRM_INF; | |
191 | req.xpinfo.lft.hard_packet_limit = XFRM_INF; | |
192 | ||
193 | while (argc > 0) { | |
194 | if (strcmp(*argv, "dir") == 0) { | |
195 | if (dirp) | |
196 | duparg("dir", *argv); | |
197 | dirp = *argv; | |
198 | ||
199 | NEXT_ARG(); | |
200 | xfrm_policy_dir_parse(&req.xpinfo.dir, &argc, &argv); | |
201 | ||
202 | filter.dir_mask = XFRM_FILTER_MASK_FULL; | |
203 | ||
c7699875 | 204 | } else if (strcmp(*argv, "index") == 0) { |
205 | NEXT_ARG(); | |
206 | if (get_u32(&req.xpinfo.index, *argv, 0)) | |
207 | invarg("\"INDEX\" is invalid", *argv); | |
208 | ||
209 | filter.index_mask = XFRM_FILTER_MASK_FULL; | |
210 | ||
211 | } else if (strcmp(*argv, "action") == 0) { | |
212 | NEXT_ARG(); | |
213 | if (strcmp(*argv, "allow") == 0) | |
214 | req.xpinfo.action = XFRM_POLICY_ALLOW; | |
215 | else if (strcmp(*argv, "block") == 0) | |
216 | req.xpinfo.action = XFRM_POLICY_BLOCK; | |
217 | else | |
218 | invarg("\"action\" value is invalid\n", *argv); | |
219 | ||
220 | filter.action_mask = XFRM_FILTER_MASK_FULL; | |
221 | ||
222 | } else if (strcmp(*argv, "priority") == 0) { | |
223 | NEXT_ARG(); | |
224 | if (get_u32(&req.xpinfo.priority, *argv, 0)) | |
225 | invarg("\"PRIORITY\" is invalid", *argv); | |
226 | ||
227 | filter.priority_mask = XFRM_FILTER_MASK_FULL; | |
228 | ||
229 | } else if (strcmp(*argv, "limit") == 0) { | |
230 | NEXT_ARG(); | |
231 | xfrm_lifetime_cfg_parse(&req.xpinfo.lft, &argc, &argv); | |
232 | } else if (strcmp(*argv, "tmpl") == 0) { | |
233 | struct xfrm_user_tmpl *tmpl; | |
234 | ||
235 | if (tmpls_len + sizeof(*tmpl) > sizeof(tmpls_buf)) { | |
236 | fprintf(stderr, "Too many tmpls: buffer overflow\n"); | |
237 | exit(1); | |
238 | } | |
239 | tmpl = (struct xfrm_user_tmpl *)((char *)tmpls_buf + tmpls_len); | |
240 | ||
241 | tmpl->family = preferred_family; | |
242 | tmpl->aalgos = (~(__u32)0); | |
243 | tmpl->ealgos = (~(__u32)0); | |
244 | tmpl->calgos = (~(__u32)0); | |
245 | ||
246 | NEXT_ARG(); | |
247 | xfrm_tmpl_parse(tmpl, &argc, &argv); | |
248 | ||
249 | tmpls_len += sizeof(*tmpl); | |
7809c616 | 250 | } else { |
251 | if (selp) | |
252 | duparg("unknown", *argv); | |
253 | selp = *argv; | |
254 | ||
255 | xfrm_selector_parse(&req.xpinfo.sel, &argc, &argv); | |
256 | if (preferred_family == AF_UNSPEC) | |
257 | preferred_family = req.xpinfo.sel.family; | |
258 | } | |
c7699875 | 259 | |
260 | argc--; argv++; | |
261 | } | |
262 | ||
263 | if (!dirp) { | |
264 | fprintf(stderr, "Not enough information: \"DIR\" is required.\n"); | |
265 | exit(1); | |
266 | } | |
267 | ||
268 | if (tmpls_len > 0) { | |
269 | addattr_l(&req.n, sizeof(req), XFRMA_TMPL, | |
270 | (void *)tmpls_buf, tmpls_len); | |
271 | } | |
272 | ||
273 | if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0) | |
274 | exit(1); | |
275 | ||
276 | if (req.xpinfo.sel.family == AF_UNSPEC) | |
277 | req.xpinfo.sel.family = AF_INET; | |
278 | ||
279 | if (rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL) < 0) | |
280 | exit(2); | |
281 | ||
282 | rtnl_close(&rth); | |
283 | ||
284 | return 0; | |
285 | } | |
286 | ||
287 | static int xfrm_policy_filter_match(struct xfrm_userpolicy_info *xpinfo) | |
288 | { | |
289 | if (!filter.use) | |
290 | return 1; | |
291 | ||
292 | if ((xpinfo->dir^filter.xpinfo.dir)&filter.dir_mask) | |
293 | return 0; | |
294 | ||
295 | if (filter.sel_src_mask) { | |
eaa34ee3 | 296 | if (xfrm_addr_match(&xpinfo->sel.saddr, &filter.xpinfo.sel.saddr, |
297 | filter.sel_src_mask)) | |
c7699875 | 298 | return 0; |
299 | } | |
300 | ||
301 | if (filter.sel_dst_mask) { | |
eaa34ee3 | 302 | if (xfrm_addr_match(&xpinfo->sel.daddr, &filter.xpinfo.sel.daddr, |
303 | filter.sel_dst_mask)) | |
c7699875 | 304 | return 0; |
305 | } | |
306 | ||
307 | if ((xpinfo->sel.ifindex^filter.xpinfo.sel.ifindex)&filter.sel_dev_mask) | |
308 | return 0; | |
309 | ||
310 | if ((xpinfo->sel.proto^filter.xpinfo.sel.proto)&filter.upspec_proto_mask) | |
311 | return 0; | |
312 | ||
313 | if (filter.upspec_sport_mask) { | |
314 | if ((xpinfo->sel.sport^filter.xpinfo.sel.sport)&filter.upspec_sport_mask) | |
315 | return 0; | |
316 | } | |
317 | ||
318 | if (filter.upspec_dport_mask) { | |
319 | if ((xpinfo->sel.dport^filter.xpinfo.sel.dport)&filter.upspec_dport_mask) | |
320 | return 0; | |
321 | } | |
322 | ||
323 | if ((xpinfo->index^filter.xpinfo.index)&filter.index_mask) | |
324 | return 0; | |
325 | ||
326 | if ((xpinfo->action^filter.xpinfo.action)&filter.action_mask) | |
327 | return 0; | |
328 | ||
329 | if ((xpinfo->priority^filter.xpinfo.priority)&filter.priority_mask) | |
330 | return 0; | |
331 | ||
332 | return 1; | |
333 | } | |
334 | ||
56e8ad38 | 335 | int xfrm_policy_print(const struct sockaddr_nl *who, struct nlmsghdr *n, |
336 | void *arg) | |
c7699875 | 337 | { |
2534613e | 338 | struct rtattr * tb[XFRMA_MAX+1]; |
90f93024 | 339 | struct rtattr * rta; |
c595c790 SH |
340 | struct xfrm_userpolicy_info *xpinfo = NULL; |
341 | struct xfrm_user_polexpire *xpexp = NULL; | |
342 | struct xfrm_userpolicy_id *xpid = NULL; | |
343 | FILE *fp = (FILE*)arg; | |
344 | int len = n->nlmsg_len; | |
c7699875 | 345 | |
346 | if (n->nlmsg_type != XFRM_MSG_NEWPOLICY && | |
90f93024 | 347 | n->nlmsg_type != XFRM_MSG_DELPOLICY && |
669ae748 | 348 | n->nlmsg_type != XFRM_MSG_UPDPOLICY && |
90f93024 | 349 | n->nlmsg_type != XFRM_MSG_POLEXPIRE) { |
c7699875 | 350 | fprintf(stderr, "Not a policy: %08x %08x %08x\n", |
351 | n->nlmsg_len, n->nlmsg_type, n->nlmsg_flags); | |
352 | return 0; | |
353 | } | |
354 | ||
669ae748 SH |
355 | if (n->nlmsg_type == XFRM_MSG_DELPOLICY) { |
356 | xpid = NLMSG_DATA(n); | |
357 | len -= NLMSG_LENGTH(sizeof(*xpid)); | |
358 | } else if (n->nlmsg_type == XFRM_MSG_POLEXPIRE) { | |
90f93024 SH |
359 | xpexp = NLMSG_DATA(n); |
360 | xpinfo = &xpexp->pol; | |
90f93024 SH |
361 | len -= NLMSG_LENGTH(sizeof(*xpexp)); |
362 | } else { | |
363 | xpexp = NULL; | |
364 | xpinfo = NLMSG_DATA(n); | |
90f93024 SH |
365 | len -= NLMSG_LENGTH(sizeof(*xpinfo)); |
366 | } | |
367 | ||
c7699875 | 368 | if (len < 0) { |
369 | fprintf(stderr, "BUG: wrong nlmsg len %d\n", len); | |
370 | return -1; | |
371 | } | |
372 | ||
669ae748 | 373 | if (xpinfo && !xfrm_policy_filter_match(xpinfo)) |
c7699875 | 374 | return 0; |
375 | ||
669ae748 SH |
376 | if (n->nlmsg_type == XFRM_MSG_DELPOLICY) |
377 | fprintf(fp, "Deleted "); | |
378 | else if (n->nlmsg_type == XFRM_MSG_UPDPOLICY) | |
379 | fprintf(fp, "Updated "); | |
380 | else if (n->nlmsg_type == XFRM_MSG_POLEXPIRE) | |
381 | fprintf(fp, "Expired "); | |
382 | ||
383 | if (n->nlmsg_type == XFRM_MSG_DELPOLICY) | |
384 | rta = XFRMPID_RTA(xpid); | |
385 | else if (n->nlmsg_type == XFRM_MSG_POLEXPIRE) | |
90f93024 SH |
386 | rta = XFRMPEXP_RTA(xpexp); |
387 | else | |
388 | rta = XFRMP_RTA(xpinfo); | |
389 | ||
390 | parse_rtattr(tb, XFRMA_MAX, rta, len); | |
c7699875 | 391 | |
c595c790 | 392 | if (n->nlmsg_type == XFRM_MSG_DELPOLICY) { |
c595c790 | 393 | //xfrm_policy_id_print(); |
669ae748 SH |
394 | if (!tb[XFRMA_POLICY]) { |
395 | fprintf(stderr, "Buggy XFRM_MSG_DELPOLICY: no XFRMA_POLICY\n"); | |
396 | return -1; | |
c595c790 | 397 | } |
669ae748 SH |
398 | if (RTA_PAYLOAD(tb[XFRMA_POLICY]) < sizeof(*xpinfo)) { |
399 | fprintf(stderr, "Buggy XFRM_MSG_DELPOLICY: too short XFRMA_POLICY len\n"); | |
400 | return -1; | |
401 | } | |
402 | xpinfo = (struct xfrm_userpolicy_info *)RTA_DATA(tb[XFRMA_POLICY]); | |
403 | } | |
c7699875 | 404 | |
56e8ad38 | 405 | xfrm_policy_info_print(xpinfo, tb, fp, NULL, NULL); |
c7699875 | 406 | |
90f93024 SH |
407 | if (n->nlmsg_type == XFRM_MSG_POLEXPIRE) { |
408 | fprintf(fp, "\t"); | |
409 | fprintf(fp, "hard %u", xpexp->hard); | |
410 | fprintf(fp, "%s", _SL_); | |
411 | } | |
412 | ||
7809c616 | 413 | if (oneline) |
414 | fprintf(fp, "\n"); | |
669ae748 | 415 | fflush(fp); |
7809c616 | 416 | |
c7699875 | 417 | return 0; |
418 | } | |
419 | ||
420 | static int xfrm_policy_get_or_delete(int argc, char **argv, int delete, | |
421 | void *res_nlbuf) | |
422 | { | |
423 | struct rtnl_handle rth; | |
424 | struct { | |
425 | struct nlmsghdr n; | |
426 | struct xfrm_userpolicy_id xpid; | |
427 | } req; | |
428 | char *dirp = NULL; | |
429 | char *selp = NULL; | |
430 | char *indexp = NULL; | |
431 | ||
432 | memset(&req, 0, sizeof(req)); | |
433 | ||
434 | req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.xpid)); | |
435 | req.n.nlmsg_flags = NLM_F_REQUEST; | |
436 | req.n.nlmsg_type = delete ? XFRM_MSG_DELPOLICY : XFRM_MSG_GETPOLICY; | |
437 | ||
438 | while (argc > 0) { | |
439 | if (strcmp(*argv, "dir") == 0) { | |
440 | if (dirp) | |
441 | duparg("dir", *argv); | |
442 | dirp = *argv; | |
443 | ||
444 | NEXT_ARG(); | |
445 | xfrm_policy_dir_parse(&req.xpid.dir, &argc, &argv); | |
446 | ||
c7699875 | 447 | } else if (strcmp(*argv, "index") == 0) { |
448 | if (indexp) | |
449 | duparg("index", *argv); | |
450 | indexp = *argv; | |
451 | ||
452 | NEXT_ARG(); | |
453 | if (get_u32(&req.xpid.index, *argv, 0)) | |
454 | invarg("\"INDEX\" is invalid", *argv); | |
455 | ||
7809c616 | 456 | } else { |
457 | if (selp) | |
458 | invarg("unknown", *argv); | |
459 | selp = *argv; | |
460 | ||
461 | xfrm_selector_parse(&req.xpid.sel, &argc, &argv); | |
462 | if (preferred_family == AF_UNSPEC) | |
463 | preferred_family = req.xpid.sel.family; | |
464 | ||
465 | } | |
c7699875 | 466 | |
467 | argc--; argv++; | |
468 | } | |
469 | ||
470 | if (!dirp) { | |
471 | fprintf(stderr, "Not enough information: \"DIR\" is required.\n"); | |
472 | exit(1); | |
473 | } | |
474 | if (!selp && !indexp) { | |
475 | fprintf(stderr, "Not enough information: either \"SELECTOR\" or \"INDEX\" is required.\n"); | |
476 | exit(1); | |
477 | } | |
478 | if (selp && indexp) | |
479 | duparg2("SELECTOR", "INDEX"); | |
480 | ||
481 | if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0) | |
482 | exit(1); | |
483 | ||
484 | if (req.xpid.sel.family == AF_UNSPEC) | |
485 | req.xpid.sel.family = AF_INET; | |
486 | ||
487 | if (rtnl_talk(&rth, &req.n, 0, 0, res_nlbuf, NULL, NULL) < 0) | |
488 | exit(2); | |
489 | ||
490 | rtnl_close(&rth); | |
491 | ||
492 | return 0; | |
493 | } | |
494 | ||
495 | static int xfrm_policy_delete(int argc, char **argv) | |
496 | { | |
497 | return xfrm_policy_get_or_delete(argc, argv, 1, NULL); | |
498 | } | |
499 | ||
500 | static int xfrm_policy_get(int argc, char **argv) | |
501 | { | |
502 | char buf[NLMSG_BUF_SIZE]; | |
503 | struct nlmsghdr *n = (struct nlmsghdr *)buf; | |
504 | ||
505 | memset(buf, 0, sizeof(buf)); | |
506 | ||
507 | xfrm_policy_get_or_delete(argc, argv, 0, n); | |
508 | ||
509 | if (xfrm_policy_print(NULL, n, (void*)stdout) < 0) { | |
510 | fprintf(stderr, "An error :-)\n"); | |
511 | exit(1); | |
512 | } | |
513 | ||
514 | return 0; | |
515 | } | |
516 | ||
517 | /* | |
518 | * With an existing policy of nlmsg, make new nlmsg for deleting the policy | |
519 | * and store it to buffer. | |
520 | */ | |
6dc9f016 | 521 | static int xfrm_policy_keep(const struct sockaddr_nl *who, |
50772dc5 | 522 | struct nlmsghdr *n, |
6dc9f016 | 523 | void *arg) |
c7699875 | 524 | { |
525 | struct xfrm_buffer *xb = (struct xfrm_buffer *)arg; | |
526 | struct rtnl_handle *rth = xb->rth; | |
527 | struct xfrm_userpolicy_info *xpinfo = NLMSG_DATA(n); | |
528 | int len = n->nlmsg_len; | |
529 | struct nlmsghdr *new_n; | |
530 | struct xfrm_userpolicy_id *xpid; | |
531 | ||
532 | if (n->nlmsg_type != XFRM_MSG_NEWPOLICY) { | |
533 | fprintf(stderr, "Not a policy: %08x %08x %08x\n", | |
534 | n->nlmsg_len, n->nlmsg_type, n->nlmsg_flags); | |
535 | return 0; | |
536 | } | |
537 | ||
538 | len -= NLMSG_LENGTH(sizeof(*xpinfo)); | |
539 | if (len < 0) { | |
540 | fprintf(stderr, "BUG: wrong nlmsg len %d\n", len); | |
541 | return -1; | |
542 | } | |
543 | ||
544 | if (!xfrm_policy_filter_match(xpinfo)) | |
545 | return 0; | |
546 | ||
547 | if (xb->offset > xb->size) { | |
9bec1a43 | 548 | fprintf(stderr, "Policy buffer overflow\n"); |
c7699875 | 549 | return -1; |
550 | } | |
551 | ||
552 | new_n = (struct nlmsghdr *)(xb->buf + xb->offset); | |
553 | new_n->nlmsg_len = NLMSG_LENGTH(sizeof(*xpid)); | |
554 | new_n->nlmsg_flags = NLM_F_REQUEST; | |
555 | new_n->nlmsg_type = XFRM_MSG_DELPOLICY; | |
556 | new_n->nlmsg_seq = ++rth->seq; | |
557 | ||
558 | xpid = NLMSG_DATA(new_n); | |
559 | memcpy(&xpid->sel, &xpinfo->sel, sizeof(xpid->sel)); | |
560 | xpid->dir = xpinfo->dir; | |
561 | xpid->index = xpinfo->index; | |
562 | ||
563 | xb->offset += new_n->nlmsg_len; | |
564 | xb->nlmsg_count ++; | |
565 | ||
566 | return 0; | |
567 | } | |
568 | ||
9bec1a43 | 569 | static int xfrm_policy_list_or_deleteall(int argc, char **argv, int deleteall) |
c7699875 | 570 | { |
7809c616 | 571 | char *selp = NULL; |
c7699875 | 572 | struct rtnl_handle rth; |
573 | ||
574 | if (argc > 0) | |
575 | filter.use = 1; | |
576 | filter.xpinfo.sel.family = preferred_family; | |
577 | ||
578 | while (argc > 0) { | |
579 | if (strcmp(*argv, "dir") == 0) { | |
580 | NEXT_ARG(); | |
581 | xfrm_policy_dir_parse(&filter.xpinfo.dir, &argc, &argv); | |
582 | ||
583 | filter.dir_mask = XFRM_FILTER_MASK_FULL; | |
584 | ||
c7699875 | 585 | } else if (strcmp(*argv, "index") == 0) { |
586 | NEXT_ARG(); | |
587 | if (get_u32(&filter.xpinfo.index, *argv, 0)) | |
588 | invarg("\"INDEX\" is invalid", *argv); | |
589 | ||
590 | filter.index_mask = XFRM_FILTER_MASK_FULL; | |
591 | ||
592 | } else if (strcmp(*argv, "action") == 0) { | |
593 | NEXT_ARG(); | |
594 | if (strcmp(*argv, "allow") == 0) | |
595 | filter.xpinfo.action = XFRM_POLICY_ALLOW; | |
596 | else if (strcmp(*argv, "block") == 0) | |
597 | filter.xpinfo.action = XFRM_POLICY_BLOCK; | |
598 | else | |
7809c616 | 599 | invarg("\"ACTION\" is invalid\n", *argv); |
c7699875 | 600 | |
601 | filter.action_mask = XFRM_FILTER_MASK_FULL; | |
602 | ||
603 | } else if (strcmp(*argv, "priority") == 0) { | |
604 | NEXT_ARG(); | |
605 | if (get_u32(&filter.xpinfo.priority, *argv, 0)) | |
606 | invarg("\"PRIORITY\" is invalid", *argv); | |
607 | ||
608 | filter.priority_mask = XFRM_FILTER_MASK_FULL; | |
609 | ||
7809c616 | 610 | } else { |
611 | if (selp) | |
612 | invarg("unknown", *argv); | |
613 | selp = *argv; | |
614 | ||
615 | xfrm_selector_parse(&filter.xpinfo.sel, &argc, &argv); | |
616 | if (preferred_family == AF_UNSPEC) | |
617 | preferred_family = filter.xpinfo.sel.family; | |
618 | ||
619 | } | |
c7699875 | 620 | |
621 | argc--; argv++; | |
622 | } | |
623 | ||
624 | if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0) | |
625 | exit(1); | |
626 | ||
9bec1a43 | 627 | if (deleteall) { |
c7699875 | 628 | struct xfrm_buffer xb; |
9bec1a43 | 629 | char buf[NLMSG_DELETEALL_BUF_SIZE]; |
c7699875 | 630 | int i; |
631 | ||
632 | xb.buf = buf; | |
633 | xb.size = sizeof(buf); | |
634 | xb.rth = &rth; | |
635 | ||
636 | for (i = 0; ; i++) { | |
637 | xb.offset = 0; | |
638 | xb.nlmsg_count = 0; | |
639 | ||
640 | if (show_stats > 1) | |
9bec1a43 | 641 | fprintf(stderr, "Delete-all round = %d\n", i); |
c7699875 | 642 | |
643 | if (rtnl_wilddump_request(&rth, preferred_family, XFRM_MSG_GETPOLICY) < 0) { | |
644 | perror("Cannot send dump request"); | |
645 | exit(1); | |
646 | } | |
647 | ||
648 | if (rtnl_dump_filter(&rth, xfrm_policy_keep, &xb, NULL, NULL) < 0) { | |
9bec1a43 | 649 | fprintf(stderr, "Delete-all terminated\n"); |
c7699875 | 650 | exit(1); |
651 | } | |
652 | if (xb.nlmsg_count == 0) { | |
653 | if (show_stats > 1) | |
9bec1a43 | 654 | fprintf(stderr, "Delete-all completed\n"); |
c7699875 | 655 | break; |
656 | } | |
657 | ||
658 | if (rtnl_send(&rth, xb.buf, xb.offset) < 0) { | |
9bec1a43 | 659 | perror("Failed to send delete-all request\n"); |
c7699875 | 660 | exit(1); |
661 | } | |
662 | if (show_stats > 1) | |
9bec1a43 | 663 | fprintf(stderr, "Delete-all nlmsg count = %d\n", xb.nlmsg_count); |
c7699875 | 664 | |
665 | xb.offset = 0; | |
666 | xb.nlmsg_count = 0; | |
667 | } | |
668 | } else { | |
669 | if (rtnl_wilddump_request(&rth, preferred_family, XFRM_MSG_GETPOLICY) < 0) { | |
670 | perror("Cannot send dump request"); | |
671 | exit(1); | |
672 | } | |
673 | ||
674 | if (rtnl_dump_filter(&rth, xfrm_policy_print, stdout, NULL, NULL) < 0) { | |
675 | fprintf(stderr, "Dump terminated\n"); | |
676 | exit(1); | |
677 | } | |
678 | } | |
679 | ||
680 | rtnl_close(&rth); | |
681 | ||
682 | exit(0); | |
683 | } | |
684 | ||
9bec1a43 | 685 | static int xfrm_policy_flush(void) |
bd641cd6 | 686 | { |
687 | struct rtnl_handle rth; | |
688 | struct { | |
689 | struct nlmsghdr n; | |
690 | } req; | |
691 | ||
692 | memset(&req, 0, sizeof(req)); | |
693 | ||
694 | req.n.nlmsg_len = NLMSG_LENGTH(0); /* nlmsg data is nothing */ | |
695 | req.n.nlmsg_flags = NLM_F_REQUEST; | |
696 | req.n.nlmsg_type = XFRM_MSG_FLUSHPOLICY; | |
697 | ||
698 | if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0) | |
699 | exit(1); | |
700 | ||
701 | if (show_stats > 1) | |
9bec1a43 | 702 | fprintf(stderr, "Flush policy\n"); |
bd641cd6 | 703 | |
704 | if (rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL) < 0) | |
705 | exit(2); | |
706 | ||
707 | rtnl_close(&rth); | |
708 | ||
709 | return 0; | |
710 | } | |
711 | ||
c7699875 | 712 | int do_xfrm_policy(int argc, char **argv) |
713 | { | |
714 | if (argc < 1) | |
9bec1a43 | 715 | return xfrm_policy_list_or_deleteall(0, NULL, 0); |
c7699875 | 716 | |
717 | if (matches(*argv, "add") == 0) | |
718 | return xfrm_policy_modify(XFRM_MSG_NEWPOLICY, 0, | |
719 | argc-1, argv+1); | |
720 | if (matches(*argv, "update") == 0) | |
721 | return xfrm_policy_modify(XFRM_MSG_UPDPOLICY, 0, | |
722 | argc-1, argv+1); | |
9bec1a43 | 723 | if (matches(*argv, "delete") == 0) |
c7699875 | 724 | return xfrm_policy_delete(argc-1, argv+1); |
9bec1a43 SH |
725 | if (matches(*argv, "deleteall") == 0 || matches(*argv, "delall") == 0) |
726 | return xfrm_policy_list_or_deleteall(argc-1, argv+1, 1); | |
c7699875 | 727 | if (matches(*argv, "list") == 0 || matches(*argv, "show") == 0 |
728 | || matches(*argv, "lst") == 0) | |
9bec1a43 | 729 | return xfrm_policy_list_or_deleteall(argc-1, argv+1, 0); |
c7699875 | 730 | if (matches(*argv, "get") == 0) |
731 | return xfrm_policy_get(argc-1, argv+1); | |
9bec1a43 SH |
732 | if (matches(*argv, "flush") == 0) |
733 | return xfrm_policy_flush(); | |
c7699875 | 734 | if (matches(*argv, "help") == 0) |
735 | usage(); | |
736 | fprintf(stderr, "Command \"%s\" is unknown, try \"ip xfrm policy help\".\n", *argv); | |
737 | exit(-1); | |
738 | } |