4 * Copyright (C)2004 USAGI/WIDE Project
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 * Masahide NAKAMURA @USAGI
32 #include <linux/netlink.h>
33 #include <linux/xfrm.h>
36 #include "ip_common.h"
38 //#define NLMSG_DELETEALL_BUF_SIZE (4096-512)
39 #define NLMSG_DELETEALL_BUF_SIZE 8192
42 * Receiving buffer defines:
44 * data = struct xfrm_userpolicy_info
46 * data = struct xfrm_user_tmpl[]
48 #define NLMSG_BUF_SIZE 4096
49 #define RTA_BUF_SIZE 2048
50 #define XFRM_TMPLS_BUF_SIZE 1024
52 static void usage(void) __attribute__((noreturn
));
54 static void usage(void)
56 fprintf(stderr
, "Usage: ip xfrm policy { add | update } dir DIR SELECTOR [ index INDEX ] [ ptype PTYPE ]\n");
57 fprintf(stderr
, " [ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ] [ LIMIT-LIST ] [ TMPL-LIST ] [mark MARK [mask MASK]]\n");
58 fprintf(stderr
, "Usage: ip xfrm policy { delete | get } dir DIR [ SELECTOR | index INDEX ] [ ptype PTYPE ] [mark MARK [mask MASK]]\n");
59 fprintf(stderr
, "Usage: ip xfrm policy { deleteall | list } [ dir DIR ] [ SELECTOR ]\n");
60 fprintf(stderr
, " [ index INDEX ] [ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ]\n");
61 fprintf(stderr
, "Usage: ip xfrm policy flush [ ptype PTYPE ]\n");
62 fprintf(stderr
, "Usage: ip xfrm count\n");
63 fprintf(stderr
, "PTYPE := [ main | sub ](default=main)\n");
64 fprintf(stderr
, "DIR := [ in | out | fwd ]\n");
66 fprintf(stderr
, "SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]\n");
68 fprintf(stderr
, "UPSPEC := proto PROTO [ [ sport PORT ] [ dport PORT ] |\n");
69 fprintf(stderr
, " [ type NUMBER ] [ code NUMBER ] ]\n");
71 //fprintf(stderr, "DEV - device name(default=none)\n");
73 fprintf(stderr
, "ACTION := [ allow | block ](default=allow)\n");
75 //fprintf(stderr, "PRIORITY - priority value(default=0)\n");
77 fprintf(stderr
, "FLAG-LIST := [ FLAG-LIST ] FLAG\n");
78 fprintf(stderr
, "FLAG := [ localok ]\n");
80 fprintf(stderr
, "LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]\n");
81 fprintf(stderr
, "LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |\n");
82 fprintf(stderr
, " [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] NUMBER ]\n");
84 fprintf(stderr
, "TMPL-LIST := [ TMPL-LIST ] | [ tmpl TMPL ]\n");
85 fprintf(stderr
, "TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]\n");
86 fprintf(stderr
, "ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]\n");
88 fprintf(stderr
, "XFRM_PROTO := [ ");
89 fprintf(stderr
, "%s | ", strxf_xfrmproto(IPPROTO_ESP
));
90 fprintf(stderr
, "%s | ", strxf_xfrmproto(IPPROTO_AH
));
91 fprintf(stderr
, "%s | ", strxf_xfrmproto(IPPROTO_COMP
));
92 fprintf(stderr
, "%s | ", strxf_xfrmproto(IPPROTO_ROUTING
));
93 fprintf(stderr
, "%s ", strxf_xfrmproto(IPPROTO_DSTOPTS
));
94 fprintf(stderr
, "]\n");
96 fprintf(stderr
, "MODE := [ transport | tunnel | beet ](default=transport)\n");
97 //fprintf(stderr, "REQID - number(default=0)\n");
98 fprintf(stderr
, "LEVEL := [ required | use ](default=required)\n");
103 static int xfrm_policy_dir_parse(__u8
*dir
, int *argcp
, char ***argvp
)
106 char **argv
= *argvp
;
108 if (strcmp(*argv
, "in") == 0)
109 *dir
= XFRM_POLICY_IN
;
110 else if (strcmp(*argv
, "out") == 0)
111 *dir
= XFRM_POLICY_OUT
;
112 else if (strcmp(*argv
, "fwd") == 0)
113 *dir
= XFRM_POLICY_FWD
;
115 invarg("\"DIR\" is invalid", *argv
);
123 static int xfrm_policy_ptype_parse(__u8
*ptype
, int *argcp
, char ***argvp
)
126 char **argv
= *argvp
;
128 if (strcmp(*argv
, "main") == 0)
129 *ptype
= XFRM_POLICY_TYPE_MAIN
;
130 else if (strcmp(*argv
, "sub") == 0)
131 *ptype
= XFRM_POLICY_TYPE_SUB
;
133 invarg("\"PTYPE\" is invalid", *argv
);
141 static int xfrm_policy_flag_parse(__u8
*flags
, int *argcp
, char ***argvp
)
144 char **argv
= *argvp
;
145 int len
= strlen(*argv
);
147 if (len
> 2 && strncmp(*argv
, "0x", 2) == 0) {
150 if (get_u8(&val
, *argv
, 16))
151 invarg("\"FLAG\" is invalid", *argv
);
155 if (strcmp(*argv
, "localok") == 0)
156 *flags
|= XFRM_POLICY_LOCALOK
;
158 PREV_ARG(); /* back track */
174 static int xfrm_tmpl_parse(struct xfrm_user_tmpl
*tmpl
,
175 int *argcp
, char ***argvp
)
178 char **argv
= *argvp
;
182 if (strcmp(*argv
, "mode") == 0) {
184 xfrm_mode_parse(&tmpl
->mode
, &argc
, &argv
);
185 } else if (strcmp(*argv
, "reqid") == 0) {
187 xfrm_reqid_parse(&tmpl
->reqid
, &argc
, &argv
);
188 } else if (strcmp(*argv
, "level") == 0) {
191 if (strcmp(*argv
, "required") == 0)
193 else if (strcmp(*argv
, "use") == 0)
196 invarg("\"LEVEL\" is invalid\n", *argv
);
200 PREV_ARG(); /* back track */
204 preferred_family
= AF_UNSPEC
;
205 xfrm_id_parse(&tmpl
->saddr
, &tmpl
->id
, &tmpl
->family
,
207 preferred_family
= tmpl
->family
;
224 static int xfrm_policy_modify(int cmd
, unsigned flags
, int argc
, char **argv
)
226 struct rtnl_handle rth
;
229 struct xfrm_userpolicy_info xpinfo
;
230 char buf
[RTA_BUF_SIZE
];
235 struct xfrm_userpolicy_type upt
;
236 char tmpls_buf
[XFRM_TMPLS_BUF_SIZE
];
238 struct xfrm_mark mark
= {0, 0};
240 memset(&req
, 0, sizeof(req
));
241 memset(&upt
, 0, sizeof(upt
));
242 memset(&tmpls_buf
, 0, sizeof(tmpls_buf
));
244 req
.n
.nlmsg_len
= NLMSG_LENGTH(sizeof(req
.xpinfo
));
245 req
.n
.nlmsg_flags
= NLM_F_REQUEST
|flags
;
246 req
.n
.nlmsg_type
= cmd
;
247 req
.xpinfo
.sel
.family
= preferred_family
;
249 req
.xpinfo
.lft
.soft_byte_limit
= XFRM_INF
;
250 req
.xpinfo
.lft
.hard_byte_limit
= XFRM_INF
;
251 req
.xpinfo
.lft
.soft_packet_limit
= XFRM_INF
;
252 req
.xpinfo
.lft
.hard_packet_limit
= XFRM_INF
;
255 if (strcmp(*argv
, "dir") == 0) {
257 duparg("dir", *argv
);
261 xfrm_policy_dir_parse(&req
.xpinfo
.dir
, &argc
, &argv
);
262 } else if (strcmp(*argv
, "mark") == 0) {
263 xfrm_parse_mark(&mark
, &argc
, &argv
);
264 } else if (strcmp(*argv
, "index") == 0) {
266 if (get_u32(&req
.xpinfo
.index
, *argv
, 0))
267 invarg("\"INDEX\" is invalid", *argv
);
268 } else if (strcmp(*argv
, "ptype") == 0) {
270 duparg("ptype", *argv
);
274 xfrm_policy_ptype_parse(&upt
.type
, &argc
, &argv
);
275 } else if (strcmp(*argv
, "action") == 0) {
277 if (strcmp(*argv
, "allow") == 0)
278 req
.xpinfo
.action
= XFRM_POLICY_ALLOW
;
279 else if (strcmp(*argv
, "block") == 0)
280 req
.xpinfo
.action
= XFRM_POLICY_BLOCK
;
282 invarg("\"action\" value is invalid\n", *argv
);
283 } else if (strcmp(*argv
, "priority") == 0) {
285 if (get_u32(&req
.xpinfo
.priority
, *argv
, 0))
286 invarg("\"PRIORITY\" is invalid", *argv
);
287 } else if (strcmp(*argv
, "flag") == 0) {
289 xfrm_policy_flag_parse(&req
.xpinfo
.flags
, &argc
,
291 } else if (strcmp(*argv
, "limit") == 0) {
293 xfrm_lifetime_cfg_parse(&req
.xpinfo
.lft
, &argc
, &argv
);
294 } else if (strcmp(*argv
, "tmpl") == 0) {
295 struct xfrm_user_tmpl
*tmpl
;
297 if (tmpls_len
+ sizeof(*tmpl
) > sizeof(tmpls_buf
)) {
298 fprintf(stderr
, "Too many tmpls: buffer overflow\n");
301 tmpl
= (struct xfrm_user_tmpl
*)((char *)tmpls_buf
+ tmpls_len
);
303 tmpl
->family
= preferred_family
;
304 tmpl
->aalgos
= (~(__u32
)0);
305 tmpl
->ealgos
= (~(__u32
)0);
306 tmpl
->calgos
= (~(__u32
)0);
309 xfrm_tmpl_parse(tmpl
, &argc
, &argv
);
311 tmpls_len
+= sizeof(*tmpl
);
314 duparg("unknown", *argv
);
317 xfrm_selector_parse(&req
.xpinfo
.sel
, &argc
, &argv
);
318 if (preferred_family
== AF_UNSPEC
)
319 preferred_family
= req
.xpinfo
.sel
.family
;
326 fprintf(stderr
, "Not enough information: \"DIR\" is required.\n");
331 addattr_l(&req
.n
, sizeof(req
), XFRMA_POLICY_TYPE
,
332 (void *)&upt
, sizeof(upt
));
336 addattr_l(&req
.n
, sizeof(req
), XFRMA_TMPL
,
337 (void *)tmpls_buf
, tmpls_len
);
340 if (mark
.m
& mark
.v
) {
341 int r
= addattr_l(&req
.n
, sizeof(req
.buf
), XFRMA_MARK
,
342 (void *)&mark
, sizeof(mark
));
344 fprintf(stderr
, "%s: XFRMA_MARK failed\n",__func__
);
350 if (rtnl_open_byproto(&rth
, 0, NETLINK_XFRM
) < 0)
353 if (req
.xpinfo
.sel
.family
== AF_UNSPEC
)
354 req
.xpinfo
.sel
.family
= AF_INET
;
356 if (rtnl_talk(&rth
, &req
.n
, 0, 0, NULL
, NULL
, NULL
) < 0)
364 static int xfrm_policy_filter_match(struct xfrm_userpolicy_info
*xpinfo
,
370 if ((xpinfo
->dir
^filter
.xpinfo
.dir
)&filter
.dir_mask
)
373 if ((ptype
^filter
.ptype
)&filter
.ptype_mask
)
376 if (filter
.sel_src_mask
) {
377 if (xfrm_addr_match(&xpinfo
->sel
.saddr
, &filter
.xpinfo
.sel
.saddr
,
378 filter
.sel_src_mask
))
382 if (filter
.sel_dst_mask
) {
383 if (xfrm_addr_match(&xpinfo
->sel
.daddr
, &filter
.xpinfo
.sel
.daddr
,
384 filter
.sel_dst_mask
))
388 if ((xpinfo
->sel
.ifindex
^filter
.xpinfo
.sel
.ifindex
)&filter
.sel_dev_mask
)
391 if ((xpinfo
->sel
.proto
^filter
.xpinfo
.sel
.proto
)&filter
.upspec_proto_mask
)
394 if (filter
.upspec_sport_mask
) {
395 if ((xpinfo
->sel
.sport
^filter
.xpinfo
.sel
.sport
)&filter
.upspec_sport_mask
)
399 if (filter
.upspec_dport_mask
) {
400 if ((xpinfo
->sel
.dport
^filter
.xpinfo
.sel
.dport
)&filter
.upspec_dport_mask
)
404 if ((xpinfo
->index
^filter
.xpinfo
.index
)&filter
.index_mask
)
407 if ((xpinfo
->action
^filter
.xpinfo
.action
)&filter
.action_mask
)
410 if ((xpinfo
->priority
^filter
.xpinfo
.priority
)&filter
.priority_mask
)
413 if (filter
.policy_flags_mask
)
414 if ((xpinfo
->flags
& filter
.xpinfo
.flags
) == 0)
420 int xfrm_policy_print(const struct sockaddr_nl
*who
, struct nlmsghdr
*n
,
423 struct rtattr
* tb
[XFRMA_MAX
+1];
425 struct xfrm_userpolicy_info
*xpinfo
= NULL
;
426 struct xfrm_user_polexpire
*xpexp
= NULL
;
427 struct xfrm_userpolicy_id
*xpid
= NULL
;
428 __u8 ptype
= XFRM_POLICY_TYPE_MAIN
;
429 FILE *fp
= (FILE*)arg
;
430 int len
= n
->nlmsg_len
;
432 if (n
->nlmsg_type
!= XFRM_MSG_NEWPOLICY
&&
433 n
->nlmsg_type
!= XFRM_MSG_DELPOLICY
&&
434 n
->nlmsg_type
!= XFRM_MSG_UPDPOLICY
&&
435 n
->nlmsg_type
!= XFRM_MSG_POLEXPIRE
) {
436 fprintf(stderr
, "Not a policy: %08x %08x %08x\n",
437 n
->nlmsg_len
, n
->nlmsg_type
, n
->nlmsg_flags
);
441 if (n
->nlmsg_type
== XFRM_MSG_DELPOLICY
) {
442 xpid
= NLMSG_DATA(n
);
443 len
-= NLMSG_SPACE(sizeof(*xpid
));
444 } else if (n
->nlmsg_type
== XFRM_MSG_POLEXPIRE
) {
445 xpexp
= NLMSG_DATA(n
);
446 xpinfo
= &xpexp
->pol
;
447 len
-= NLMSG_SPACE(sizeof(*xpexp
));
450 xpinfo
= NLMSG_DATA(n
);
451 len
-= NLMSG_SPACE(sizeof(*xpinfo
));
455 fprintf(stderr
, "BUG: wrong nlmsg len %d\n", len
);
459 if (n
->nlmsg_type
== XFRM_MSG_DELPOLICY
)
460 rta
= XFRMPID_RTA(xpid
);
461 else if (n
->nlmsg_type
== XFRM_MSG_POLEXPIRE
)
462 rta
= XFRMPEXP_RTA(xpexp
);
464 rta
= XFRMP_RTA(xpinfo
);
466 parse_rtattr(tb
, XFRMA_MAX
, rta
, len
);
468 if (tb
[XFRMA_POLICY_TYPE
]) {
469 struct xfrm_userpolicy_type
*upt
;
471 if (RTA_PAYLOAD(tb
[XFRMA_POLICY_TYPE
]) < sizeof(*upt
)) {
472 fprintf(stderr
, "too short XFRMA_POLICY_TYPE len\n");
475 upt
= (struct xfrm_userpolicy_type
*)RTA_DATA(tb
[XFRMA_POLICY_TYPE
]);
479 if (xpinfo
&& !xfrm_policy_filter_match(xpinfo
, ptype
))
482 if (n
->nlmsg_type
== XFRM_MSG_DELPOLICY
)
483 fprintf(fp
, "Deleted ");
484 else if (n
->nlmsg_type
== XFRM_MSG_UPDPOLICY
)
485 fprintf(fp
, "Updated ");
486 else if (n
->nlmsg_type
== XFRM_MSG_POLEXPIRE
)
487 fprintf(fp
, "Expired ");
489 if (n
->nlmsg_type
== XFRM_MSG_DELPOLICY
) {
490 //xfrm_policy_id_print();
491 if (!tb
[XFRMA_POLICY
]) {
492 fprintf(stderr
, "Buggy XFRM_MSG_DELPOLICY: no XFRMA_POLICY\n");
495 if (RTA_PAYLOAD(tb
[XFRMA_POLICY
]) < sizeof(*xpinfo
)) {
496 fprintf(stderr
, "Buggy XFRM_MSG_DELPOLICY: too short XFRMA_POLICY len\n");
499 xpinfo
= (struct xfrm_userpolicy_info
*)RTA_DATA(tb
[XFRMA_POLICY
]);
502 xfrm_policy_info_print(xpinfo
, tb
, fp
, NULL
, NULL
);
504 if (n
->nlmsg_type
== XFRM_MSG_POLEXPIRE
) {
506 fprintf(fp
, "hard %u", xpexp
->hard
);
507 fprintf(fp
, "%s", _SL_
);
517 static int xfrm_policy_get_or_delete(int argc
, char **argv
, int delete,
520 struct rtnl_handle rth
;
523 struct xfrm_userpolicy_id xpid
;
524 char buf
[RTA_BUF_SIZE
];
530 struct xfrm_userpolicy_type upt
;
531 struct xfrm_mark mark
= {0, 0};
533 memset(&req
, 0, sizeof(req
));
534 memset(&upt
, 0, sizeof(upt
));
536 req
.n
.nlmsg_len
= NLMSG_LENGTH(sizeof(req
.xpid
));
537 req
.n
.nlmsg_flags
= NLM_F_REQUEST
;
538 req
.n
.nlmsg_type
= delete ? XFRM_MSG_DELPOLICY
: XFRM_MSG_GETPOLICY
;
541 if (strcmp(*argv
, "dir") == 0) {
543 duparg("dir", *argv
);
547 xfrm_policy_dir_parse(&req
.xpid
.dir
, &argc
, &argv
);
549 } else if (strcmp(*argv
, "mark") == 0) {
550 xfrm_parse_mark(&mark
, &argc
, &argv
);
551 } else if (strcmp(*argv
, "index") == 0) {
553 duparg("index", *argv
);
557 if (get_u32(&req
.xpid
.index
, *argv
, 0))
558 invarg("\"INDEX\" is invalid", *argv
);
560 } else if (strcmp(*argv
, "ptype") == 0) {
562 duparg("ptype", *argv
);
566 xfrm_policy_ptype_parse(&upt
.type
, &argc
, &argv
);
570 invarg("unknown", *argv
);
573 xfrm_selector_parse(&req
.xpid
.sel
, &argc
, &argv
);
574 if (preferred_family
== AF_UNSPEC
)
575 preferred_family
= req
.xpid
.sel
.family
;
583 fprintf(stderr
, "Not enough information: \"DIR\" is required.\n");
587 addattr_l(&req
.n
, sizeof(req
), XFRMA_POLICY_TYPE
,
588 (void *)&upt
, sizeof(upt
));
590 if (!selp
&& !indexp
) {
591 fprintf(stderr
, "Not enough information: either \"SELECTOR\" or \"INDEX\" is required.\n");
595 duparg2("SELECTOR", "INDEX");
597 if (rtnl_open_byproto(&rth
, 0, NETLINK_XFRM
) < 0)
600 if (req
.xpid
.sel
.family
== AF_UNSPEC
)
601 req
.xpid
.sel
.family
= AF_INET
;
603 if (mark
.m
& mark
.v
) {
604 int r
= addattr_l(&req
.n
, sizeof(req
.buf
), XFRMA_MARK
,
605 (void *)&mark
, sizeof(mark
));
607 fprintf(stderr
, "%s: XFRMA_MARK failed\n",__func__
);
612 if (rtnl_talk(&rth
, &req
.n
, 0, 0, res_nlbuf
, NULL
, NULL
) < 0)
620 static int xfrm_policy_delete(int argc
, char **argv
)
622 return xfrm_policy_get_or_delete(argc
, argv
, 1, NULL
);
625 static int xfrm_policy_get(int argc
, char **argv
)
627 char buf
[NLMSG_BUF_SIZE
];
628 struct nlmsghdr
*n
= (struct nlmsghdr
*)buf
;
630 memset(buf
, 0, sizeof(buf
));
632 xfrm_policy_get_or_delete(argc
, argv
, 0, n
);
634 if (xfrm_policy_print(NULL
, n
, (void*)stdout
) < 0) {
635 fprintf(stderr
, "An error :-)\n");
643 * With an existing policy of nlmsg, make new nlmsg for deleting the policy
644 * and store it to buffer.
646 static int xfrm_policy_keep(const struct sockaddr_nl
*who
,
650 struct xfrm_buffer
*xb
= (struct xfrm_buffer
*)arg
;
651 struct rtnl_handle
*rth
= xb
->rth
;
652 struct xfrm_userpolicy_info
*xpinfo
= NLMSG_DATA(n
);
653 int len
= n
->nlmsg_len
;
654 struct rtattr
*tb
[XFRMA_MAX
+1];
655 __u8 ptype
= XFRM_POLICY_TYPE_MAIN
;
656 struct nlmsghdr
*new_n
;
657 struct xfrm_userpolicy_id
*xpid
;
659 if (n
->nlmsg_type
!= XFRM_MSG_NEWPOLICY
) {
660 fprintf(stderr
, "Not a policy: %08x %08x %08x\n",
661 n
->nlmsg_len
, n
->nlmsg_type
, n
->nlmsg_flags
);
665 len
-= NLMSG_LENGTH(sizeof(*xpinfo
));
667 fprintf(stderr
, "BUG: wrong nlmsg len %d\n", len
);
671 parse_rtattr(tb
, XFRMA_MAX
, XFRMP_RTA(xpinfo
), len
);
673 if (tb
[XFRMA_POLICY_TYPE
]) {
674 struct xfrm_userpolicy_type
*upt
;
676 if (RTA_PAYLOAD(tb
[XFRMA_POLICY_TYPE
]) < sizeof(*upt
)) {
677 fprintf(stderr
, "too short XFRMA_POLICY_TYPE len\n");
680 upt
= (struct xfrm_userpolicy_type
*)RTA_DATA(tb
[XFRMA_POLICY_TYPE
]);
684 if (!xfrm_policy_filter_match(xpinfo
, ptype
))
687 if (xb
->offset
> xb
->size
) {
688 fprintf(stderr
, "Policy buffer overflow\n");
692 new_n
= (struct nlmsghdr
*)(xb
->buf
+ xb
->offset
);
693 new_n
->nlmsg_len
= NLMSG_LENGTH(sizeof(*xpid
));
694 new_n
->nlmsg_flags
= NLM_F_REQUEST
;
695 new_n
->nlmsg_type
= XFRM_MSG_DELPOLICY
;
696 new_n
->nlmsg_seq
= ++rth
->seq
;
698 xpid
= NLMSG_DATA(new_n
);
699 memcpy(&xpid
->sel
, &xpinfo
->sel
, sizeof(xpid
->sel
));
700 xpid
->dir
= xpinfo
->dir
;
701 xpid
->index
= xpinfo
->index
;
703 xb
->offset
+= new_n
->nlmsg_len
;
709 static int xfrm_policy_list_or_deleteall(int argc
, char **argv
, int deleteall
)
712 struct rtnl_handle rth
;
716 filter
.xpinfo
.sel
.family
= preferred_family
;
719 if (strcmp(*argv
, "dir") == 0) {
721 xfrm_policy_dir_parse(&filter
.xpinfo
.dir
, &argc
, &argv
);
723 filter
.dir_mask
= XFRM_FILTER_MASK_FULL
;
725 } else if (strcmp(*argv
, "index") == 0) {
727 if (get_u32(&filter
.xpinfo
.index
, *argv
, 0))
728 invarg("\"INDEX\" is invalid", *argv
);
730 filter
.index_mask
= XFRM_FILTER_MASK_FULL
;
732 } else if (strcmp(*argv
, "ptype") == 0) {
734 xfrm_policy_ptype_parse(&filter
.ptype
, &argc
, &argv
);
736 filter
.ptype_mask
= XFRM_FILTER_MASK_FULL
;
738 } else if (strcmp(*argv
, "action") == 0) {
740 if (strcmp(*argv
, "allow") == 0)
741 filter
.xpinfo
.action
= XFRM_POLICY_ALLOW
;
742 else if (strcmp(*argv
, "block") == 0)
743 filter
.xpinfo
.action
= XFRM_POLICY_BLOCK
;
745 invarg("\"ACTION\" is invalid\n", *argv
);
747 filter
.action_mask
= XFRM_FILTER_MASK_FULL
;
749 } else if (strcmp(*argv
, "priority") == 0) {
751 if (get_u32(&filter
.xpinfo
.priority
, *argv
, 0))
752 invarg("\"PRIORITY\" is invalid", *argv
);
754 filter
.priority_mask
= XFRM_FILTER_MASK_FULL
;
756 } else if (strcmp(*argv
, "flag") == 0) {
758 xfrm_policy_flag_parse(&filter
.xpinfo
.flags
, &argc
,
761 filter
.policy_flags_mask
= XFRM_FILTER_MASK_FULL
;
765 invarg("unknown", *argv
);
768 xfrm_selector_parse(&filter
.xpinfo
.sel
, &argc
, &argv
);
769 if (preferred_family
== AF_UNSPEC
)
770 preferred_family
= filter
.xpinfo
.sel
.family
;
777 if (rtnl_open_byproto(&rth
, 0, NETLINK_XFRM
) < 0)
781 struct xfrm_buffer xb
;
782 char buf
[NLMSG_DELETEALL_BUF_SIZE
];
786 xb
.size
= sizeof(buf
);
794 fprintf(stderr
, "Delete-all round = %d\n", i
);
796 if (rtnl_wilddump_request(&rth
, preferred_family
, XFRM_MSG_GETPOLICY
) < 0) {
797 perror("Cannot send dump request");
801 if (rtnl_dump_filter(&rth
, xfrm_policy_keep
, &xb
, NULL
, NULL
) < 0) {
802 fprintf(stderr
, "Delete-all terminated\n");
805 if (xb
.nlmsg_count
== 0) {
807 fprintf(stderr
, "Delete-all completed\n");
811 if (rtnl_send_check(&rth
, xb
.buf
, xb
.offset
) < 0) {
812 perror("Failed to send delete-all request");
816 fprintf(stderr
, "Delete-all nlmsg count = %d\n", xb
.nlmsg_count
);
822 if (rtnl_wilddump_request(&rth
, preferred_family
, XFRM_MSG_GETPOLICY
) < 0) {
823 perror("Cannot send dump request");
827 if (rtnl_dump_filter(&rth
, xfrm_policy_print
, stdout
, NULL
, NULL
) < 0) {
828 fprintf(stderr
, "Dump terminated\n");
838 int print_spdinfo( struct nlmsghdr
*n
, void *arg
)
840 FILE *fp
= (FILE*)arg
;
841 __u32
*f
= NLMSG_DATA(n
);
842 struct rtattr
* tb
[XFRMA_SPD_MAX
+1];
845 int len
= n
->nlmsg_len
;
847 len
-= NLMSG_LENGTH(sizeof(__u32
));
849 fprintf(stderr
, "SPDinfo: Wrong len %d\n", len
);
853 rta
= XFRMSAPD_RTA(f
);
854 parse_rtattr(tb
, XFRMA_SPD_MAX
, rta
, len
);
856 fprintf(fp
,"\t SPD");
857 if (tb
[XFRMA_SPD_INFO
]) {
858 struct xfrmu_spdinfo
*si
;
860 if (RTA_PAYLOAD(tb
[XFRMA_SPD_INFO
]) < sizeof(*si
)) {
861 fprintf(stderr
, "SPDinfo: Wrong len %d\n", len
);
864 si
= RTA_DATA(tb
[XFRMA_SPD_INFO
]);
865 fprintf(fp
," IN %d", si
->incnt
);
866 fprintf(fp
," OUT %d", si
->outcnt
);
867 fprintf(fp
," FWD %d", si
->fwdcnt
);
870 fprintf(fp
," (Sock:");
871 fprintf(fp
," IN %d", si
->inscnt
);
872 fprintf(fp
," OUT %d", si
->outscnt
);
873 fprintf(fp
," FWD %d", si
->fwdscnt
);
879 if (show_stats
> 1) {
880 struct xfrmu_spdhinfo
*sh
;
882 if (tb
[XFRMA_SPD_HINFO
]) {
883 if (RTA_PAYLOAD(tb
[XFRMA_SPD_HINFO
]) < sizeof(*sh
)) {
884 fprintf(stderr
, "SPDinfo: Wrong len %d\n", len
);
887 sh
= RTA_DATA(tb
[XFRMA_SPD_HINFO
]);
888 fprintf(fp
,"\t SPD buckets:");
889 fprintf(fp
," count %d", sh
->spdhcnt
);
890 fprintf(fp
," Max %d", sh
->spdhmcnt
);
898 static int xfrm_spd_getinfo(int argc
, char **argv
)
900 struct rtnl_handle rth
;
907 memset(&req
, 0, sizeof(req
));
909 req
.n
.nlmsg_len
= NLMSG_LENGTH(sizeof(__u32
));
910 req
.n
.nlmsg_flags
= NLM_F_REQUEST
;
911 req
.n
.nlmsg_type
= XFRM_MSG_GETSPDINFO
;
912 req
.flags
= 0XFFFFFFFF;
914 if (rtnl_open_byproto(&rth
, 0, NETLINK_XFRM
) < 0)
917 if (rtnl_talk(&rth
, &req
.n
, 0, 0, &req
.n
, NULL
, NULL
) < 0)
920 print_spdinfo(&req
.n
, (void*)stdout
);
927 static int xfrm_policy_flush(int argc
, char **argv
)
929 struct rtnl_handle rth
;
932 char buf
[RTA_BUF_SIZE
];
935 struct xfrm_userpolicy_type upt
;
937 memset(&req
, 0, sizeof(req
));
938 memset(&upt
, 0, sizeof(upt
));
940 req
.n
.nlmsg_len
= NLMSG_LENGTH(0); /* nlmsg data is nothing */
941 req
.n
.nlmsg_flags
= NLM_F_REQUEST
;
942 req
.n
.nlmsg_type
= XFRM_MSG_FLUSHPOLICY
;
945 if (strcmp(*argv
, "ptype") == 0) {
947 duparg("ptype", *argv
);
951 xfrm_policy_ptype_parse(&upt
.type
, &argc
, &argv
);
953 invarg("unknown", *argv
);
959 addattr_l(&req
.n
, sizeof(req
), XFRMA_POLICY_TYPE
,
960 (void *)&upt
, sizeof(upt
));
963 if (rtnl_open_byproto(&rth
, 0, NETLINK_XFRM
) < 0)
967 fprintf(stderr
, "Flush policy\n");
969 if (rtnl_talk(&rth
, &req
.n
, 0, 0, NULL
, NULL
, NULL
) < 0)
977 int do_xfrm_policy(int argc
, char **argv
)
980 return xfrm_policy_list_or_deleteall(0, NULL
, 0);
982 if (matches(*argv
, "add") == 0)
983 return xfrm_policy_modify(XFRM_MSG_NEWPOLICY
, 0,
985 if (matches(*argv
, "update") == 0)
986 return xfrm_policy_modify(XFRM_MSG_UPDPOLICY
, 0,
988 if (matches(*argv
, "delete") == 0)
989 return xfrm_policy_delete(argc
-1, argv
+1);
990 if (matches(*argv
, "deleteall") == 0 || matches(*argv
, "delall") == 0)
991 return xfrm_policy_list_or_deleteall(argc
-1, argv
+1, 1);
992 if (matches(*argv
, "list") == 0 || matches(*argv
, "show") == 0
993 || matches(*argv
, "lst") == 0)
994 return xfrm_policy_list_or_deleteall(argc
-1, argv
+1, 0);
995 if (matches(*argv
, "get") == 0)
996 return xfrm_policy_get(argc
-1, argv
+1);
997 if (matches(*argv
, "flush") == 0)
998 return xfrm_policy_flush(argc
-1, argv
+1);
999 if (matches(*argv
, "count") == 0)
1000 return xfrm_spd_getinfo(argc
, argv
);
1001 if (matches(*argv
, "help") == 0)
1003 fprintf(stderr
, "Command \"%s\" is unknown, try \"ip xfrm policy help\".\n", *argv
);