4 * Copyright (C)2004 USAGI/WIDE Project
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 * Masahide NAKAMURA @USAGI
32 #include <linux/xfrm.h>
35 #include "ip_common.h"
37 //#define NLMSG_FLUSH_BUF_SIZE (4096-512)
38 #define NLMSG_FLUSH_BUF_SIZE 8192
41 * Receiving buffer defines:
43 * data = struct xfrm_usersa_info
46 * ... (max count of rtattr is XFRM_MAX_DEPTH)
48 * each rtattr data = struct xfrm_algo(dynamic size) or xfrm_address_t
50 #define NLMSG_BUF_SIZE 4096
51 #define RTA_BUF_SIZE 2048
52 #define XFRM_ALGO_KEY_BUF_SIZE 512
54 static void usage(void) __attribute__((noreturn
));
56 static void usage(void)
58 fprintf(stderr
, "Usage: ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ]\n");
59 fprintf(stderr
, " [ reqid REQID ] [ FLAG-LIST ] [ sel SELECTOR ] [ LIMIT-LIST ]\n");
61 fprintf(stderr
, "Usage: ip xfrm state { delete | get } ID\n");
62 fprintf(stderr
, "Usage: ip xfrm state { flush | list } [ ID ] [ mode MODE ] [ reqid REQID ]\n");
63 fprintf(stderr
, " [ FLAG_LIST ]\n");
65 fprintf(stderr
, "ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]\n");
66 //fprintf(stderr, "XFRM_PROTO := [ esp | ah | ipcomp ]\n");
67 fprintf(stderr
, "XFRM_PROTO := [ ");
68 fprintf(stderr
, "%s | ", strxf_proto(IPPROTO_ESP
));
69 fprintf(stderr
, "%s | ", strxf_proto(IPPROTO_AH
));
70 fprintf(stderr
, "%s", strxf_proto(IPPROTO_COMP
));
71 fprintf(stderr
, " ]\n");
73 //fprintf(stderr, "SPI - security parameter index(default=0)\n");
75 fprintf(stderr
, "MODE := [ transport | tunnel ](default=transport)\n");
76 //fprintf(stderr, "REQID - number(default=0)\n");
78 fprintf(stderr
, "FLAG-LIST := [ FLAG-LIST ] [ flag FLAG ]\n");
79 fprintf(stderr
, "FLAG := [ noecn ]\n");
81 fprintf(stderr
, "ALGO-LIST := [ ALGO-LIST ] | [ algo ALGO ]\n");
82 fprintf(stderr
, "ALGO := ALGO_TYPE ALGO_NAME ALGO_KEY\n");
83 fprintf(stderr
, "ALGO_TYPE := [ E | A | C ]\n");
84 //fprintf(stderr, "ALGO_NAME - algorithm name\n");
85 //fprintf(stderr, "ALGO_KEY - algorithm key\n");
87 fprintf(stderr
, "SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ upspec UPSPEC ] [ dev DEV ]\n");
89 fprintf(stderr
, "UPSPEC := proto PROTO [ sport PORT ] [ dport PORT ]\n");
91 //fprintf(stderr, "DEV - device name(default=none)\n");
92 fprintf(stderr
, "LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]\n");
93 fprintf(stderr
, "LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |\n");
94 fprintf(stderr
, " [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] COUNT ]\n");
98 static int xfrm_algo_parse(struct xfrm_algo
*alg
, enum xfrm_attr_type_t type
,
99 char *name
, char *key
, int max
)
104 /* XXX: verifying both name and key is required! */
105 fprintf(stderr
, "warning: ALGONAME/ALGOKEY will send to kernel promiscuously!(verifying them isn't implemented yet)\n");
108 strncpy(alg
->alg_name
, name
, sizeof(alg
->alg_name
));
110 if (strncmp(key
, "0x", 2) == 0) {
115 char *p
= (char *)&val
;
117 if (get_u64(&val
, key
, 16))
118 invarg("\"ALGOKEY\" is invalid", key
);
120 len
= (strlen(key
) - 2) / 2;
121 if (len
> sizeof(val
))
122 invarg("\"ALGOKEY\" is invalid: too large", key
);
125 int index
= sizeof(val
) - len
;
127 invarg("\"ALGOKEY\" makes buffer overflow\n", key
);
129 memcpy(alg
->alg_key
, &p
[index
], len
);
136 invarg("\"ALGOKEY\" makes buffer overflow\n", key
);
138 strncpy(alg
->alg_key
, key
, len
);
142 alg
->alg_key_len
= len
* 8;
147 static int xfrm_state_flag_parse(__u8
*flags
, int *argcp
, char ***argvp
)
150 char **argv
= *argvp
;
151 int len
= strlen(*argv
);
153 if (len
> 2 && strncmp(*argv
, "0x", 2) == 0) {
156 if (get_u8(&val
, *argv
, 16))
157 invarg("\"FLAG\" is invalid", *argv
);
160 if (strcmp(*argv
, "noecn") == 0)
161 *flags
|= XFRM_STATE_NOECN
;
163 invarg("\"FLAG\" is invalid", *argv
);
166 filter
.state_flags_mask
= XFRM_FILTER_MASK_FULL
;
174 static int xfrm_state_modify(int cmd
, unsigned flags
, int argc
, char **argv
)
176 struct rtnl_handle rth
;
179 struct xfrm_usersa_info xsinfo
;
180 char buf
[RTA_BUF_SIZE
];
187 memset(&req
, 0, sizeof(req
));
189 req
.n
.nlmsg_len
= NLMSG_LENGTH(sizeof(req
.xsinfo
));
190 req
.n
.nlmsg_flags
= NLM_F_REQUEST
|flags
;
191 req
.n
.nlmsg_type
= cmd
;
192 req
.xsinfo
.family
= preferred_family
;
194 req
.xsinfo
.lft
.soft_byte_limit
= XFRM_INF
;
195 req
.xsinfo
.lft
.hard_byte_limit
= XFRM_INF
;
196 req
.xsinfo
.lft
.soft_packet_limit
= XFRM_INF
;
197 req
.xsinfo
.lft
.hard_packet_limit
= XFRM_INF
;
200 if (strcmp(*argv
, "algo") == 0) {
202 struct xfrm_algo alg
;
203 char buf
[XFRM_ALGO_KEY_BUF_SIZE
];
206 enum xfrm_attr_type_t type
;
212 if (strcmp(*argv
, "E") == 0) {
214 duparg("ALGOTYPE", *argv
);
216 type
= XFRMA_ALG_CRYPT
;
217 } else if (strcmp(*argv
, "A") == 0) {
219 duparg("ALGOTYPE", *argv
);
221 type
= XFRMA_ALG_AUTH
;
223 } else if (strcmp(*argv
, "C") == 0) {
225 duparg("ALGOTYPE", *argv
);
227 type
= XFRMA_ALG_COMP
;
229 invarg("\"ALGOTYPE\" is invalid\n", *argv
);
241 memset(&alg
, 0, sizeof(alg
));
243 xfrm_algo_parse((void *)&alg
, type
, name
, key
, sizeof(alg
.buf
));
244 len
= sizeof(struct xfrm_algo
) + alg
.alg
.alg_key_len
;
246 addattr_l(&req
.n
, sizeof(req
.buf
), type
,
249 } else if (strcmp(*argv
, "mode") == 0) {
251 xfrm_mode_parse(&req
.xsinfo
.mode
, &argc
, &argv
);
252 } else if (strcmp(*argv
, "reqid") == 0) {
254 xfrm_reqid_parse(&req
.xsinfo
.reqid
, &argc
, &argv
);
255 } else if (strcmp(*argv
, "flag") == 0) {
257 xfrm_state_flag_parse(&req
.xsinfo
.flags
, &argc
, &argv
);
258 } else if (strcmp(*argv
, "sel") == 0) {
260 xfrm_selector_parse(&req
.xsinfo
.sel
, &argc
, &argv
);
262 } else if (strcmp(*argv
, "limit") == 0) {
264 xfrm_lifetime_cfg_parse(&req
.xsinfo
.lft
, &argc
, &argv
);
267 invarg("unknown", *argv
);
271 xfrm_id_parse(&req
.xsinfo
.saddr
, &req
.xsinfo
.id
,
272 &req
.xsinfo
.family
, &argc
, &argv
);
273 if (preferred_family
== AF_UNSPEC
)
274 preferred_family
= req
.xsinfo
.family
;
280 fprintf(stderr
, "Not enough information: \"ID\" is required\n");
284 if (ealgop
|| aalgop
|| calgop
) {
285 if (req
.xsinfo
.id
.proto
!= IPPROTO_ESP
&&
286 req
.xsinfo
.id
.proto
!= IPPROTO_AH
&&
287 req
.xsinfo
.id
.proto
!= IPPROTO_COMP
) {
288 fprintf(stderr
, "\"ALGO\" is invalid with proto=%d\n", req
.xsinfo
.id
.proto
);
292 if (req
.xsinfo
.id
.proto
== IPPROTO_ESP
||
293 req
.xsinfo
.id
.proto
== IPPROTO_AH
||
294 req
.xsinfo
.id
.proto
== IPPROTO_COMP
) {
295 fprintf(stderr
, "\"ALGO\" is required with proto=%d\n", req
.xsinfo
.id
.proto
);
300 if (rtnl_open_byproto(&rth
, 0, NETLINK_XFRM
) < 0)
303 if (req
.xsinfo
.family
== AF_UNSPEC
)
304 req
.xsinfo
.family
= AF_INET
;
306 if (rtnl_talk(&rth
, &req
.n
, 0, 0, NULL
, NULL
, NULL
) < 0)
314 static int xfrm_state_filter_match(struct xfrm_usersa_info
*xsinfo
)
319 if (filter
.id_src_mask
)
320 if (memcmp(&xsinfo
->saddr
, &filter
.xsinfo
.saddr
,
321 filter
.id_src_mask
) != 0)
323 if (filter
.id_dst_mask
)
324 if (memcmp(&xsinfo
->id
.daddr
, &filter
.xsinfo
.id
.daddr
,
325 filter
.id_dst_mask
) != 0)
327 if ((xsinfo
->id
.proto
^filter
.xsinfo
.id
.proto
)&filter
.id_proto_mask
)
329 if ((xsinfo
->id
.spi
^filter
.xsinfo
.id
.spi
)&filter
.id_spi_mask
)
331 if ((xsinfo
->mode
^filter
.xsinfo
.mode
)&filter
.mode_mask
)
333 if ((xsinfo
->reqid
^filter
.xsinfo
.reqid
)&filter
.reqid_mask
)
335 if (filter
.state_flags_mask
)
336 if ((xsinfo
->flags
& filter
.xsinfo
.flags
) == 0)
342 int xfrm_state_print(struct sockaddr_nl
*who
, struct nlmsghdr
*n
, void *arg
)
344 FILE *fp
= (FILE*)arg
;
345 struct xfrm_usersa_info
*xsinfo
= NLMSG_DATA(n
);
346 int len
= n
->nlmsg_len
;
347 struct rtattr
* tb
[XFRMA_MAX
+1];
350 if (n
->nlmsg_type
!= XFRM_MSG_NEWSA
&&
351 n
->nlmsg_type
!= XFRM_MSG_DELSA
) {
352 fprintf(stderr
, "Not a state: %08x %08x %08x\n",
353 n
->nlmsg_len
, n
->nlmsg_type
, n
->nlmsg_flags
);
357 len
-= NLMSG_LENGTH(sizeof(*xsinfo
));
359 fprintf(stderr
, "BUG: wrong nlmsg len %d\n", len
);
363 if (!xfrm_state_filter_match(xsinfo
))
366 memset(tb
, 0, sizeof(tb
));
367 ntb
= parse_rtattr_byindex(tb
, XFRM_MAX_DEPTH
, XFRMS_RTA(xsinfo
), len
);
369 if (n
->nlmsg_type
== XFRM_MSG_DELSA
)
370 fprintf(fp
, "Deleted ");
372 xfrm_id_info_print(&xsinfo
->saddr
, &xsinfo
->id
, xsinfo
->mode
,
373 xsinfo
->reqid
, xsinfo
->family
, fp
, NULL
);
376 if (show_stats
> 0) {
377 fprintf(fp
, "seq 0x%08u ", xsinfo
->seq
);
378 fprintf(fp
, "replay-window %d ", xsinfo
->replay_window
);
380 fprintf(fp
, "flag 0x%s", strxf_flags(xsinfo
->flags
));
381 if (show_stats
> 0) {
384 if (xsinfo
->flags
& XFRM_STATE_NOECN
)
385 fprintf(fp
, "noecn");
391 xfrm_xfrma_print(tb
, ntb
, xsinfo
->family
, fp
, "\t");
393 if (show_stats
> 0) {
394 fprintf(fp
, "\tsel\n");
395 xfrm_selector_print(&xsinfo
->sel
, xsinfo
->family
, fp
, "\t ");
398 if (show_stats
> 0) {
399 xfrm_lifetime_print(&xsinfo
->lft
, &xsinfo
->curlft
, fp
, "\t");
400 xfrm_stats_print(&xsinfo
->stats
, fp
, "\t");
406 static int xfrm_state_get_or_delete(int argc
, char **argv
, int delete)
408 struct rtnl_handle rth
;
411 struct xfrm_usersa_id xsid
;
416 memset(&req
, 0, sizeof(req
));
418 req
.n
.nlmsg_len
= NLMSG_LENGTH(sizeof(req
.xsid
));
419 req
.n
.nlmsg_flags
= NLM_F_REQUEST
;
420 req
.n
.nlmsg_type
= delete ? XFRM_MSG_DELSA
: XFRM_MSG_GETSA
;
421 req
.xsid
.family
= preferred_family
;
425 * XXX: Source address is not used and ignore it to follow
426 * XXX: a manner of setkey e.g. in the case of deleting/getting
427 * XXX: message of IPsec SA.
429 xfrm_address_t ignore_saddr
;
432 invarg("unknown", *argv
);
436 memset(&id
, 0, sizeof(id
));
437 xfrm_id_parse(&ignore_saddr
, &id
, &req
.xsid
.family
,
440 memcpy(&req
.xsid
.daddr
, &id
.daddr
, sizeof(req
.xsid
.daddr
));
441 req
.xsid
.spi
= id
.spi
;
442 req
.xsid
.proto
= id
.proto
;
447 if (rtnl_open_byproto(&rth
, 0, NETLINK_XFRM
) < 0)
450 if (req
.xsid
.family
== AF_UNSPEC
)
451 req
.xsid
.family
= AF_INET
;
454 if (rtnl_talk(&rth
, &req
.n
, 0, 0, NULL
, NULL
, NULL
) < 0)
457 char buf
[NLMSG_BUF_SIZE
];
458 struct nlmsghdr
*res_n
= (struct nlmsghdr
*)buf
;
460 memset(buf
, 0, sizeof(buf
));
462 if (rtnl_talk(&rth
, &req
.n
, 0, 0, res_n
, NULL
, NULL
) < 0)
465 if (xfrm_state_print(NULL
, res_n
, (void*)stdout
) < 0) {
466 fprintf(stderr
, "An error :-)\n");
477 * With an existing state of nlmsg, make new nlmsg for deleting the state
478 * and store it to buffer.
480 int xfrm_state_keep(struct sockaddr_nl
*who
, struct nlmsghdr
*n
, void *arg
)
482 struct xfrm_buffer
*xb
= (struct xfrm_buffer
*)arg
;
483 struct rtnl_handle
*rth
= xb
->rth
;
484 struct xfrm_usersa_info
*xsinfo
= NLMSG_DATA(n
);
485 int len
= n
->nlmsg_len
;
486 struct nlmsghdr
*new_n
;
487 struct xfrm_usersa_id
*xsid
;
489 if (n
->nlmsg_type
!= XFRM_MSG_NEWSA
) {
490 fprintf(stderr
, "Not a state: %08x %08x %08x\n",
491 n
->nlmsg_len
, n
->nlmsg_type
, n
->nlmsg_flags
);
495 len
-= NLMSG_LENGTH(sizeof(*xsinfo
));
497 fprintf(stderr
, "BUG: wrong nlmsg len %d\n", len
);
501 if (!xfrm_state_filter_match(xsinfo
))
504 if (xb
->offset
> xb
->size
) {
505 fprintf(stderr
, "Flush buffer overflow\n");
509 new_n
= (struct nlmsghdr
*)(xb
->buf
+ xb
->offset
);
510 new_n
->nlmsg_len
= NLMSG_LENGTH(sizeof(*xsid
));
511 new_n
->nlmsg_flags
= NLM_F_REQUEST
;
512 new_n
->nlmsg_type
= XFRM_MSG_DELSA
;
513 new_n
->nlmsg_seq
= ++rth
->seq
;
515 xsid
= NLMSG_DATA(new_n
);
516 xsid
->family
= xsinfo
->family
;
517 memcpy(&xsid
->daddr
, &xsinfo
->id
.daddr
, sizeof(xsid
->daddr
));
518 xsid
->spi
= xsinfo
->id
.spi
;
519 xsid
->proto
= xsinfo
->id
.proto
;
521 xb
->offset
+= new_n
->nlmsg_len
;
527 static int xfrm_state_list_or_flush(int argc
, char **argv
, int flush
)
530 struct rtnl_handle rth
;
533 filter
.xsinfo
.family
= preferred_family
;
536 if (strcmp(*argv
, "mode") == 0) {
538 xfrm_mode_parse(&filter
.xsinfo
.mode
, &argc
, &argv
);
540 filter
.mode_mask
= XFRM_FILTER_MASK_FULL
;
542 } else if (strcmp(*argv
, "reqid") == 0) {
544 xfrm_reqid_parse(&filter
.xsinfo
.reqid
, &argc
, &argv
);
546 filter
.reqid_mask
= XFRM_FILTER_MASK_FULL
;
548 } else if (strcmp(*argv
, "flag") == 0) {
550 xfrm_state_flag_parse(&filter
.xsinfo
.flags
, &argc
, &argv
);
552 filter
.state_flags_mask
= XFRM_FILTER_MASK_FULL
;
556 invarg("unknown", *argv
);
560 xfrm_id_parse(&filter
.xsinfo
.saddr
,
562 &filter
.xsinfo
.family
, &argc
, &argv
);
563 if (preferred_family
== AF_UNSPEC
)
564 preferred_family
= filter
.xsinfo
.family
;
569 if (rtnl_open_byproto(&rth
, 0, NETLINK_XFRM
) < 0)
573 struct xfrm_buffer xb
;
574 char buf
[NLMSG_FLUSH_BUF_SIZE
];
578 xb
.size
= sizeof(buf
);
586 fprintf(stderr
, "Flush round = %d\n", i
);
588 if (rtnl_wilddump_request(&rth
, preferred_family
, XFRM_MSG_GETSA
) < 0) {
589 perror("Cannot send dump request");
593 if (rtnl_dump_filter(&rth
, xfrm_state_keep
, &xb
, NULL
, NULL
) < 0) {
594 fprintf(stderr
, "Flush terminated\n");
597 if (xb
.nlmsg_count
== 0) {
599 fprintf(stderr
, "Flush completed\n");
603 if (rtnl_send(&rth
, xb
.buf
, xb
.offset
) < 0) {
604 perror("Failed to send flush request\n");
608 fprintf(stderr
, "Flushed nlmsg count = %d\n", xb
.nlmsg_count
);
615 if (rtnl_wilddump_request(&rth
, preferred_family
, XFRM_MSG_GETSA
) < 0) {
616 perror("Cannot send dump request");
620 if (rtnl_dump_filter(&rth
, xfrm_state_print
, stdout
, NULL
, NULL
) < 0) {
621 fprintf(stderr
, "Dump terminated\n");
631 int do_xfrm_state(int argc
, char **argv
)
634 return xfrm_state_list_or_flush(0, NULL
, 0);
636 if (matches(*argv
, "add") == 0)
637 return xfrm_state_modify(XFRM_MSG_NEWSA
, 0,
639 if (matches(*argv
, "update") == 0)
640 return xfrm_state_modify(XFRM_MSG_UPDSA
, 0,
642 if (matches(*argv
, "delete") == 0 || matches(*argv
, "del") == 0)
643 return xfrm_state_get_or_delete(argc
-1, argv
+1, 1);
644 if (matches(*argv
, "list") == 0 || matches(*argv
, "show") == 0
645 || matches(*argv
, "lst") == 0)
646 return xfrm_state_list_or_flush(argc
-1, argv
+1, 0);
647 if (matches(*argv
, "get") == 0)
648 return xfrm_state_get_or_delete(argc
-1, argv
+1, 0);
649 if (matches(*argv
, "flush") == 0)
650 return xfrm_state_list_or_flush(argc
-1, argv
+1, 1);
651 if (matches(*argv
, "help") == 0)
653 fprintf(stderr
, "Command \"%s\" is unknown, try \"ip xfrm state help\".\n", *argv
);