[iproute2]: Add macsec-xpn-support iproute2 in syncd (#8702)
* Add macsec-xpn-support iproute2 in syncd Signed-off-by: Ze Gan <ganze718@gmail.com> * Polish code Signed-off-by: Ze Gan <ganze718@gmail.com> * Remove useless files Signed-off-by: Ze Gan <ganze718@gmail.com> * Add self-compiled iproute2 to docker sonic vs Signed-off-by: Ze Gan <ganze718@gmail.com> * Enhance apt install for iproute2 dependencies Signed-off-by: Ze Gan <ganze718@gmail.com>
parent
879c18417a
commit
ada0e50218
@ -13,7 +13,8 @@ $(DOCKER_SONIC_VS)_DEPENDS += $(SWSS) \
|
|||||||
$(LIBYANG_CPP) \
|
$(LIBYANG_CPP) \
|
||||||
$(LIBYANG_PY3) \
|
$(LIBYANG_PY3) \
|
||||||
$(SONIC_UTILITIES_DATA) \
|
$(SONIC_UTILITIES_DATA) \
|
||||||
$(SONIC_HOST_SERVICES_DATA)
|
$(SONIC_HOST_SERVICES_DATA) \
|
||||||
|
$(IPROUTE2)
|
||||||
|
|
||||||
# swsssdk is a dependency of sonic-py-common
|
# swsssdk is a dependency of sonic-py-common
|
||||||
# TODO: sonic-py-common should depend on swsscommon instead
|
# TODO: sonic-py-common should depend on swsscommon instead
|
||||||
|
@ -3,7 +3,8 @@
|
|||||||
DOCKER_SYNCD_PLATFORM_CODE = vs
|
DOCKER_SYNCD_PLATFORM_CODE = vs
|
||||||
include $(PLATFORM_PATH)/../template/docker-syncd-base.mk
|
include $(PLATFORM_PATH)/../template/docker-syncd-base.mk
|
||||||
|
|
||||||
$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS)
|
$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS) \
|
||||||
|
$(IPROUTE2)
|
||||||
|
|
||||||
$(DOCKER_SYNCD_BASE)_DBG_DEPENDS += $(SYNCD_VS_DBG) \
|
$(DOCKER_SYNCD_BASE)_DBG_DEPENDS += $(SYNCD_VS_DBG) \
|
||||||
$(LIBSWSSCOMMON_DBG) \
|
$(LIBSWSSCOMMON_DBG) \
|
||||||
|
@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND=noninteractive
|
|||||||
|
|
||||||
RUN apt-get update
|
RUN apt-get update
|
||||||
|
|
||||||
RUN apt-get install -f -y iproute2 libcap2-bin
|
RUN apt-get install -f -y libcap2-bin
|
||||||
|
|
||||||
COPY \
|
COPY \
|
||||||
{% for deb in docker_syncd_vs_debs.split(' ') -%}
|
{% for deb in docker_syncd_vs_debs.split(' ') -%}
|
||||||
@ -20,7 +20,7 @@ debs/
|
|||||||
RUN dpkg -i \
|
RUN dpkg -i \
|
||||||
{% for deb in docker_syncd_vs_debs.split(' ') -%}
|
{% for deb in docker_syncd_vs_debs.split(' ') -%}
|
||||||
debs/{{ deb }}{{' '}}
|
debs/{{ deb }}{{' '}}
|
||||||
{%- endfor %}
|
{%- endfor %} || apt-get install -f -y
|
||||||
|
|
||||||
COPY ["start.sh", "/usr/bin/"]
|
COPY ["start.sh", "/usr/bin/"]
|
||||||
|
|
||||||
|
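Review bot: The `|| apt-get install -f -y` appended to the `dpkg -i` step makes every dpkg failure non-fatal, not only a missing dependency. `apt-get install -f` may repair the breakage by removing the package that failed to configure. Because the earlier `apt-get install` line no longer installs `iproute2`, the image could then be built without the patched iproute2 (presumably one of the debs in `docker_syncd_vs_debs`) while the build still reports success. Keep the failure fatal by following the fallback with an explicit check, e.g. `&& dpkg -s iproute2 | grep -q '^Version: <expected-iproute2-version>'`, and add a comment saying why the fallback is needed.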
@ -1,7 +1,11 @@
|
|||||||
# iproute2 package
|
# iproute2 package
|
||||||
|
|
||||||
IPROUTE2_VERSION = 4.9.0-1
|
IPROUTE2_VERSION = 5.10.0
|
||||||
|
IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-4~bpo10+1
|
||||||
|
|
||||||
IPROUTE2 = iproute2_$(IPROUTE2_VERSION)_$(CONFIGURED_ARCH).deb
|
export IPROUTE2_VERSION
|
||||||
|
export IPROUTE2_VERSION_FULL
|
||||||
|
|
||||||
|
IPROUTE2 = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb
|
||||||
$(IPROUTE2)_SRC_PATH = $(SRC_PATH)/iproute2
|
$(IPROUTE2)_SRC_PATH = $(SRC_PATH)/iproute2
|
||||||
SONIC_MAKE_DEBS += $(IPROUTE2)
|
SONIC_MAKE_DEBS += $(IPROUTE2)
|
||||||
|
@ -356,6 +356,12 @@ RUN apt-get update && apt-get install -y \
|
|||||||
libsystemd-dev \
|
libsystemd-dev \
|
||||||
pkg-config
|
pkg-config
|
||||||
|
|
||||||
|
# For iproute2
|
||||||
|
RUN apt-get install -y -t buster-backports \
|
||||||
|
libbpf-dev \
|
||||||
|
dwz \
|
||||||
|
debhelper
|
||||||
|
|
||||||
RUN apt-get -y build-dep openssh
|
RUN apt-get -y build-dep openssh
|
||||||
|
|
||||||
# Build fix for ARMHF buster libsairedis
|
# Build fix for ARMHF buster libsairedis
|
||||||
|
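Review bot: The new `RUN apt-get install -y -t buster-backports` step has no `apt-get update` of its own, so on a cached layer it relies on package lists fetched by an earlier step and can fail or resolve against stale indexes; `RUN apt-get update && apt-get install -y -t buster-backports ...` keeps both in one layer. It also takes `debhelper` and `dwz` from backports in the shared build image, which presumably changes the packaging toolchain for every other .deb built there, not only iproute2. The `# For iproute2` comment should say so, e.g. `# For iproute2 (backport build); note: this upgrades debhelper/dwz for all package builds in this image`.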
1
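--- a/src/iproute2/.gitignore
+++ b/src/iproute2/.gitignore
@@ -1,3 +1,4 @@
 *
 !.gitignore
 !Makefile
+!patch/*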
@ -2,21 +2,21 @@ SHELL = /bin/bash
|
|||||||
.ONESHELL:
|
.ONESHELL:
|
||||||
.SHELLFLAGS += -e
|
.SHELLFLAGS += -e
|
||||||
|
|
||||||
IPROUTE2_VERSION = 4.9.0
|
|
||||||
IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-1
|
|
||||||
|
|
||||||
MAIN_TARGET = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb
|
MAIN_TARGET = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb
|
||||||
|
|
||||||
$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
|
$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
|
||||||
# Remove any stale files
|
# Remove any stale files
|
||||||
rm -rf iproute2-$(IPROUTE2_VERSION)
|
rm -rf iproute2-$(IPROUTE2_VERSION)
|
||||||
|
|
||||||
wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0.orig.tar.xz?sv=2015-04-05&sr=b&sig=9nvybd1xkXyRQbaG6Fy6wBazPA8IbZV0AO41GWXPEP8%3D&se=2154-10-23T11%3A59%3A00Z&sp=r"
|
wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION).orig.tar.xz
|
||||||
wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.dsc?sv=2015-04-05&sr=b&sig=m6FcMH9dOh8ggipBgOsONiXvDxoi6bfUO%2BxvidsMNMQ%3D&se=2154-10-23T11%3A59%3A53Z&sp=r"
|
wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).dsc
|
||||||
wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.debian.tar.xz?sv=2015-04-05&sr=b&sig=U5NFuwG5C3vZXlUUNvoPMnKDtMKk66zbweA9rQYbEVY%3D&se=2154-10-23T12%3A00%3A15Z&sp=r"
|
wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz
|
||||||
dpkg-source -x iproute2_$(IPROUTE2_VERSION_FULL).dsc
|
dpkg-source -x iproute2_$(IPROUTE2_VERSION_FULL).dsc
|
||||||
|
|
||||||
pushd iproute2-$(IPROUTE2_VERSION)
|
pushd iproute2-$(IPROUTE2_VERSION)
|
||||||
|
|
||||||
|
patch -p1 < ../patch/0001-patch-macsec-xpn-support.patch
|
||||||
|
|
||||||
dpkg-buildpackage -us -uc -b -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
|
dpkg-buildpackage -us -uc -b -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
|
||||||
popd
|
popd
|
||||||
|
|
||||||
|
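Review bot: The three `wget` lines now fetch the orig tarball, the `.dsc` and the `debian.tar.xz` over plain `http://`, and nothing visible in the recipe authenticates them. `dpkg-source -x` checks the tarballs against the hashes listed in the `.dsc`, but the `.dsc` arrives over the same channel and, as far as I know, a missing or unverifiable signature is only a warning by default. The source that is patched, built and installed into the syncd and VS images is therefore trusted on the network path alone. Switch the URLs to `https://deb.debian.org/...` and either pin the digest (`echo "<sha256-of-dsc>  iproute2_$(IPROUTE2_VERSION_FULL).dsc" | sha256sum -c -`) or use `dpkg-source --require-valid-signature -x` with the Debian keyring present in the build container. The recipe starts before this hunk.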
213
src/iproute2/patch/0001-patch-macsec-xpn-support.patch
Normal file
213
src/iproute2/patch/0001-patch-macsec-xpn-support.patch
Normal file
@ -0,0 +1,213 @@
|
|||||||
|
From f1ea3235b5250dfd1193b5033620b030b9789fd9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ze Gan <ganze718@gmail.com>
|
||||||
|
Date: Mon, 30 Aug 2021 06:45:28 +0000
|
||||||
|
Subject: [PATCH] MACsec XPN support
|
||||||
|
|
||||||
|
Signed-off-by: Ze Gan <ganze718@gmail.com>
|
||||||
|
---
|
||||||
|
ip/ipmacsec.c | 86 ++++++++++++++++++++++++++++++++++++++++++++-------
|
||||||
|
1 file changed, 74 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
|
||||||
|
index 18289ecd..1df19bf1 100644
|
||||||
|
--- a/ip/ipmacsec.c
|
||||||
|
+++ b/ip/ipmacsec.c
|
||||||
|
@@ -10,6 +10,7 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
+#include <inttypes.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <errno.h>
|
||||||
|
@@ -23,6 +24,8 @@
|
||||||
|
#include "ll_map.h"
|
||||||
|
#include "libgenl.h"
|
||||||
|
|
||||||
|
+#define MACSEC_SALT_LEN 12
|
||||||
|
+
|
||||||
|
static const char * const values_on_off[] = { "off", "on" };
|
||||||
|
|
||||||
|
static const char * const validate_str[] = {
|
||||||
|
@@ -45,11 +48,13 @@ struct sci {
|
||||||
|
|
||||||
|
struct sa_desc {
|
||||||
|
__u8 an;
|
||||||
|
- __u32 pn;
|
||||||
|
+ __u64 pn;
|
||||||
|
__u8 key_id[MACSEC_KEYID_LEN];
|
||||||
|
__u32 key_len;
|
||||||
|
__u8 key[MACSEC_MAX_KEY_LEN];
|
||||||
|
__u8 active;
|
||||||
|
+ __u32 ssci;
|
||||||
|
+ __u8 salt[MACSEC_SALT_LEN];
|
||||||
|
};
|
||||||
|
|
||||||
|
struct cipher_args {
|
||||||
|
@@ -88,7 +93,7 @@ static int genl_family = -1;
|
||||||
|
static void ipmacsec_usage(void)
|
||||||
|
{
|
||||||
|
fprintf(stderr,
|
||||||
|
- "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] key ID KEY\n"
|
||||||
|
+ "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] [ ssci SSCI salt SALT] key ID KEY\n"
|
||||||
|
" ip macsec set DEV tx sa { 0..3 } [ OPTS ]\n"
|
||||||
|
" ip macsec del DEV tx sa { 0..3 }\n"
|
||||||
|
" ip macsec add DEV rx SCI [ on | off ]\n"
|
||||||
|
@@ -100,10 +105,12 @@ static void ipmacsec_usage(void)
|
||||||
|
" ip macsec show\n"
|
||||||
|
" ip macsec show DEV\n"
|
||||||
|
" ip macsec offload DEV [ off | phy | mac ]\n"
|
||||||
|
- "where OPTS := [ pn <u32> ] [ on | off ]\n"
|
||||||
|
+ "where OPTS := [ pn <u64> ] [ on | off ]\n"
|
||||||
|
" ID := 128-bit hex string\n"
|
||||||
|
" KEY := 128-bit or 256-bit hex string\n"
|
||||||
|
- " SCI := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n");
|
||||||
|
+ " SCI := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n"
|
||||||
|
+ " SSCI := <u32>\n"
|
||||||
|
+ " SALT := 96-bit hex string\n");
|
||||||
|
|
||||||
|
exit(-1);
|
||||||
|
}
|
||||||
|
@@ -198,7 +205,7 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
|
||||||
|
if (sa->pn != 0)
|
||||||
|
duparg2("pn", "pn");
|
||||||
|
NEXT_ARG();
|
||||||
|
- ret = get_u32(&sa->pn, *argv, 0);
|
||||||
|
+ ret = get_u64(&sa->pn, *argv, 0);
|
||||||
|
if (ret)
|
||||||
|
invarg("expected pn", *argv);
|
||||||
|
if (sa->pn == 0)
|
||||||
|
@@ -224,6 +231,22 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
|
||||||
|
duparg2("on/off", "off");
|
||||||
|
sa->active = false;
|
||||||
|
active_set = true;
|
||||||
|
+ } else if (strcmp(*argv, "ssci") == 0) {
|
||||||
|
+ if (sa->ssci != 0)
|
||||||
|
+ duparg2("ssci", "ssci");
|
||||||
|
+ NEXT_ARG();
|
||||||
|
+ ret = get_u32(&sa->ssci, *argv, 0);
|
||||||
|
+ if (ret)
|
||||||
|
+ invarg("expected ssci", *argv);
|
||||||
|
+ if (sa->ssci == 0)
|
||||||
|
+ invarg("expected ssci != 0", *argv);
|
||||||
|
+ } else if (strcmp(*argv, "salt") == 0) {
|
||||||
|
+ unsigned int len;
|
||||||
|
+
|
||||||
|
+ NEXT_ARG();
|
||||||
|
+ if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN,
|
||||||
|
+ &len))
|
||||||
|
+ invarg("expected salt", *argv);
|
||||||
|
} else {
|
||||||
|
fprintf(stderr, "macsec: unknown command \"%s\"?\n",
|
||||||
|
*argv);
|
||||||
|
@@ -413,9 +436,15 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
|
||||||
|
addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an);
|
||||||
|
|
||||||
|
if (c != CMD_DEL) {
|
||||||
|
- if (sa->pn)
|
||||||
|
- addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
|
||||||
|
- sa->pn);
|
||||||
|
+ if (sa->pn) {
|
||||||
|
+ if (sa->ssci == 0) {
|
||||||
|
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
|
||||||
|
+ sa->pn);
|
||||||
|
+ } else {
|
||||||
|
+ addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
|
||||||
|
+ sa->pn);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (sa->key_len) {
|
||||||
|
addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_KEYID,
|
||||||
|
@@ -428,6 +457,13 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
|
||||||
|
addattr8(&req.n, MACSEC_BUFLEN,
|
||||||
|
MACSEC_SA_ATTR_ACTIVE, sa->active);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (sa->ssci != 0) {
|
||||||
|
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI,
|
||||||
|
+ sa->ssci);
|
||||||
|
+ addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT,
|
||||||
|
+ sa->salt, MACSEC_SALT_LEN);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
addattr_nest_end(&req.n, attr_sa);
|
||||||
|
@@ -456,6 +492,11 @@ static bool check_sa_args(enum cmd c, struct sa_desc *sa)
|
||||||
|
fprintf(stderr, "cannot change key on SA\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (sa->ssci) {
|
||||||
|
+ fprintf(stderr, "cannot change SSCI on SA\n");
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
@@ -637,6 +678,8 @@ static void print_key(struct rtattr *key)
|
||||||
|
|
||||||
|
#define CIPHER_NAME_GCM_AES_128 "GCM-AES-128"
|
||||||
|
#define CIPHER_NAME_GCM_AES_256 "GCM-AES-256"
|
||||||
|
+#define CIPHER_NAME_GCM_AES_XPN_128 "GCM-AES-XPN-128"
|
||||||
|
+#define CIPHER_NAME_GCM_AES_XPN_256 "GCM-AES-XPN-256"
|
||||||
|
#define DEFAULT_CIPHER_NAME CIPHER_NAME_GCM_AES_128
|
||||||
|
|
||||||
|
static const char *cs_id_to_name(__u64 cid)
|
||||||
|
@@ -649,6 +692,10 @@ static const char *cs_id_to_name(__u64 cid)
|
||||||
|
return CIPHER_NAME_GCM_AES_128;
|
||||||
|
case MACSEC_CIPHER_ID_GCM_AES_256:
|
||||||
|
return CIPHER_NAME_GCM_AES_256;
|
||||||
|
+ case MACSEC_CIPHER_ID_GCM_AES_XPN_128:
|
||||||
|
+ return CIPHER_NAME_GCM_AES_XPN_128;
|
||||||
|
+ case MACSEC_CIPHER_ID_GCM_AES_XPN_256:
|
||||||
|
+ return CIPHER_NAME_GCM_AES_XPN_256;
|
||||||
|
default:
|
||||||
|
return "(unknown)";
|
||||||
|
}
|
||||||
|
@@ -897,13 +944,22 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa,
|
||||||
|
print_string(PRINT_FP, NULL, "%s", prefix);
|
||||||
|
print_uint(PRINT_ANY, "an", "%d:",
|
||||||
|
rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN]));
|
||||||
|
- print_uint(PRINT_ANY, "pn", " PN %u,",
|
||||||
|
- rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
|
||||||
|
+ if (!sa_attr[MACSEC_SA_ATTR_SSCI]) {
|
||||||
|
+ print_uint(PRINT_ANY, "pn", " PN %u,",
|
||||||
|
+ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
|
||||||
|
+ } else {
|
||||||
|
+ print_uint(PRINT_ANY, "pn", " PN %" PRIu64 ",",
|
||||||
|
+ rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN]));
|
||||||
|
+ }
|
||||||
|
|
||||||
|
print_bool(PRINT_JSON, "active", NULL, state);
|
||||||
|
print_string(PRINT_FP, NULL,
|
||||||
|
" state %s,", state ? "on" : "off");
|
||||||
|
print_key(sa_attr[MACSEC_SA_ATTR_KEYID]);
|
||||||
|
+ if (sa_attr[MACSEC_SA_ATTR_SSCI]) {
|
||||||
|
+ print_uint(PRINT_ANY, "ssci", " SSCI %u,",
|
||||||
|
+ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI]));
|
||||||
|
+ }
|
||||||
|
|
||||||
|
print_txsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]);
|
||||||
|
close_json_object();
|
||||||
|
@@ -1322,9 +1378,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
|
||||||
|
else if (strcmp(*argv, "gcm-aes-256") == 0 ||
|
||||||
|
strcmp(*argv, "GCM-AES-256") == 0)
|
||||||
|
cipher.id = MACSEC_CIPHER_ID_GCM_AES_256;
|
||||||
|
+ else if (strcmp(*argv, "gcm-aes-xpn-128") == 0 ||
|
||||||
|
+ strcmp(*argv, "GCM-AES-XPN-128") == 0)
|
||||||
|
+ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_128;
|
||||||
|
+ else if (strcmp(*argv, "gcm-aes-xpn-256") == 0 ||
|
||||||
|
+ strcmp(*argv, "GCM-AES-XPN-256") == 0)
|
||||||
|
+ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_256;
|
||||||
|
else
|
||||||
|
- invarg("expected: default, gcm-aes-128 or"
|
||||||
|
- " gcm-aes-256", *argv);
|
||||||
|
+ invarg("expected: default, gcm-aes-128"
|
||||||
|
+ " gcm-aes-256 gcm-aes-xpn-128 gcm-aes-xpn-256", *argv);
|
||||||
|
} else if (strcmp(*argv, "icvlen") == 0) {
|
||||||
|
NEXT_ARG();
|
||||||
|
if (cipher.icv_len)
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
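Review bot: In the `salt` branch of parse_sa_args the `len` written by `hexstring_a2n` is never compared with `MACSEC_SALT_LEN`, so a salt shorter than the 96 bits the usage text promises is accepted and the remaining bytes of `sa->salt` keep their previous contents; `if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN, &len) || len != MACSEC_SALT_LEN)` would reject it. Nothing visible requires `salt` when `ssci` is given, yet do_modify_nl sends `MACSEC_SA_ATTR_SALT` whenever `sa->ssci != 0`. In do_modify_nl the `sa->ssci == 0` path passes the now 64-bit `sa->pn` to `addattr32`, so a `pn` above 2^32-1 given without `ssci` is silently truncated rather than refused; a guard such as `if (sa->pn > UINT32_MAX) invarg(...)` before that call would catch it, which matters because the packet number feeds the GCM nonce. In print_tx_sc the 64-bit PN goes through `print_uint` with a `PRIu64` format; if `print_uint` takes an `unsigned int`, as I believe it does in iproute2, `print_u64` is the matching helper. All of these functions start and end outside their hunks.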