[iproute2]: Enhance iproute2 to update PN for XPN (#11474)

Why I did it ip command cannot update packet number if the cipher is XPN. How I did it Specify SSCI when update packet number and ignore SSCI value if update action. Signed-off-by: Ze Gan <ganze718@gmail.com>
2022-07-24 19:19:33 +08:00 · 2022-07-24 19:19:33 +08:00 · 78ad769548
commit 78ad769548
parent ba991ab2bf
1 changed files with 47 additions and 32 deletions
--- a/src/iproute2/patch/0001-patch-macsec-xpn-support.patch
+++ b/src/iproute2/patch/0001-patch-macsec-xpn-support.patch
@ -1,15 +1,15 @@
-From f1ea3235b5250dfd1193b5033620b030b9789fd9 Mon Sep 17 00:00:00 2001
+From 129613207b2f1616507814fbe060a2ce317d0bbb Mon Sep 17 00:00:00 2001
 From: Ze Gan <ganze718@gmail.com>
-Date: Mon, 30 Aug 2021 06:45:28 +0000
+Date: Mon, 18 Jul 2022 15:07:15 +0000
 Subject: [PATCH] MACsec XPN support
 Signed-off-by: Ze Gan <ganze718@gmail.com>
 ---
- ip/ipmacsec.c | 86 ++++++++++++++++++++++++++++++++++++++++++++-------
+ ip/ipmacsec.c | 97 +++++++++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 74 insertions(+), 12 deletions(-)
+ 1 file changed, 83 insertions(+), 14 deletions(-)
 diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
-index 18289ecd..1df19bf1 100644
+index 18289ec..fffe94a 100644
 --- a/ip/ipmacsec.c
 +++ b/ip/ipmacsec.c
@@ -10,6 +10,7 @@
@ -119,33 +119,23 @@ index 18289ecd..1df19bf1 100644
 		if (sa->key_len) {
 			addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_KEYID,
-@@ -428,6 +457,13 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
+@@ -428,6 +457,15 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
 			addattr8(&req.n, MACSEC_BUFLEN,
 				 MACSEC_SA_ATTR_ACTIVE, sa->active);
 		}
 +
-+		if (sa->ssci != 0) {
+        if (c == CMD_ADD) {
-+			addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI,
+            if (sa->ssci != 0) {
-+				  sa->ssci);
+                addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI,
-+			addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT,
+                      sa->ssci);
-+				  sa->salt, MACSEC_SALT_LEN);
+                addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT,
-+		}
+                      sa->salt, MACSEC_SALT_LEN);
 +            }
 +        }
 	}
 	addattr_nest_end(&req.n, attr_sa);
-@@ -456,6 +492,11 @@ static bool check_sa_args(enum cmd c, struct sa_desc *sa)
+@@ -637,6 +675,8 @@ static void print_key(struct rtattr *key)
 			fprintf(stderr, "cannot change key on SA\n");
 			return -1;
 		}
 +
 +		if (sa->ssci) {
 +			fprintf(stderr, "cannot change SSCI on SA\n");
 +			return -1;
 +		}
 	}
 	return 0;
@@ -637,6 +678,8 @@ static void print_key(struct rtattr *key)
 #define CIPHER_NAME_GCM_AES_128 "GCM-AES-128"
 #define CIPHER_NAME_GCM_AES_256 "GCM-AES-256"
@ -154,7 +144,7 @@ index 18289ecd..1df19bf1 100644
 #define DEFAULT_CIPHER_NAME CIPHER_NAME_GCM_AES_128
 static const char *cs_id_to_name(__u64 cid)
-@@ -649,6 +692,10 @@ static const char *cs_id_to_name(__u64 cid)
+@@ -649,6 +689,10 @@ static const char *cs_id_to_name(__u64 cid)
 		return CIPHER_NAME_GCM_AES_128;
 	case MACSEC_CIPHER_ID_GCM_AES_256:
 		return CIPHER_NAME_GCM_AES_256;
@ -165,7 +155,7 @@ index 18289ecd..1df19bf1 100644
 	default:
 		return "(unknown)";
 	}
-@@ -897,13 +944,22 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa,
+@@ -897,12 +941,21 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa,
 		print_string(PRINT_FP, NULL, "%s", prefix);
 		print_uint(PRINT_ANY, "an", "%d:",
 			   rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN]));
@ -175,7 +165,7 @@ index 18289ecd..1df19bf1 100644
 +			print_uint(PRINT_ANY, "pn", " PN %u,",
 +				rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
 +		} else {
-+			print_uint(PRINT_ANY, "pn", " PN %" PRIu64 ",",
+			print_u64(PRINT_ANY, "pn", " PN %" PRIu64 ",",
 +				rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN]));
 +		}
@ -184,13 +174,38 @@ index 18289ecd..1df19bf1 100644
 			     " state %s,", state ? "on" : "off");
 +		if (sa_attr[MACSEC_SA_ATTR_SSCI]) {
 +			print_uint(PRINT_ANY, "ssci", " SSCI %u,",
-+				rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI]));
+				ntohl(rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI])));
 +		}
 		print_key(sa_attr[MACSEC_SA_ATTR_KEYID]);
 		print_txsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]);
- 		close_json_object();
+@@ -965,13 +1018,23 @@ static void print_rx_sc(const char *prefix, __be64 sci, __u8 active,
-@@ -1322,9 +1378,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
+ 		print_string(PRINT_FP, NULL, "%s", prefix);
 		print_uint(PRINT_ANY, "an", "%u:",
 			   rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN]));
 -		print_uint(PRINT_ANY, "pn", " PN %u,",
 -			   rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
 +		if (!sa_attr[MACSEC_SA_ATTR_SSCI]) {
 +			print_uint(PRINT_ANY, "pn", " PN %u,",
 +				rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
 +		} else {
 +			print_u64(PRINT_ANY, "pn", " PN %" PRIu64 ",",
 +				rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN]));
 +		}
 		print_bool(PRINT_JSON, "active", NULL, state);
 		print_string(PRINT_FP, NULL, " state %s,",
 			     state ? "on" : "off");
 +		if (sa_attr[MACSEC_SA_ATTR_SSCI]) {
 +			print_uint(PRINT_ANY, "ssci", " SSCI %u,",
 +				ntohl(rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI])));
 +		}
 +
 		print_key(sa_attr[MACSEC_SA_ATTR_KEYID]);
 		print_rxsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]);
@@ -1322,9 +1385,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
 			else if (strcmp(*argv, "gcm-aes-256") == 0 ||
 			         strcmp(*argv, "GCM-AES-256") == 0)
 				cipher.id = MACSEC_CIPHER_ID_GCM_AES_256;
@ -209,5 +224,5 @@ index 18289ecd..1df19bf1 100644
 			NEXT_ARG();
 			if (cipher.icv_len)
 -- 
-2.17.1
+2.25.1