[iproute2]: Add macsec-xpn-support iproute2 in syncd (#8702)
* Add macsec-xpn-support iproute2 in syncd Signed-off-by: Ze Gan <ganze718@gmail.com> * Polish code Signed-off-by: Ze Gan <ganze718@gmail.com> * Remove useless files Signed-off-by: Ze Gan <ganze718@gmail.com> * Add self-compiled iproute2 to docker sonic vs Signed-off-by: Ze Gan <ganze718@gmail.com> * Enhance apt install for iproute2 dependencies Signed-off-by: Ze Gan <ganze718@gmail.com>
parent
879c18417a
commit
ada0e50218
@ -13,7 +13,8 @@ $(DOCKER_SONIC_VS)_DEPENDS += $(SWSS) \
|
||||
$(LIBYANG_CPP) \
|
||||
$(LIBYANG_PY3) \
|
||||
$(SONIC_UTILITIES_DATA) \
|
||||
$(SONIC_HOST_SERVICES_DATA)
|
||||
$(SONIC_HOST_SERVICES_DATA) \
|
||||
$(IPROUTE2)
|
||||
|
||||
# swsssdk is a dependency of sonic-py-common
|
||||
# TODO: sonic-py-common should depend on swsscommon instead
|
||||
|
@ -3,7 +3,8 @@
|
||||
DOCKER_SYNCD_PLATFORM_CODE = vs
|
||||
include $(PLATFORM_PATH)/../template/docker-syncd-base.mk
|
||||
|
||||
$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS)
|
||||
$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS) \
|
||||
$(IPROUTE2)
|
||||
|
||||
$(DOCKER_SYNCD_BASE)_DBG_DEPENDS += $(SYNCD_VS_DBG) \
|
||||
$(LIBSWSSCOMMON_DBG) \
|
||||
|
@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
RUN apt-get update
|
||||
|
||||
RUN apt-get install -f -y iproute2 libcap2-bin
|
||||
RUN apt-get install -f -y libcap2-bin
|
||||
|
||||
COPY \
|
||||
{% for deb in docker_syncd_vs_debs.split(' ') -%}
|
||||
@ -20,7 +20,7 @@ debs/
|
||||
RUN dpkg -i \
|
||||
{% for deb in docker_syncd_vs_debs.split(' ') -%}
|
||||
debs/{{ deb }}{{' '}}
|
||||
{%- endfor %}
|
||||
{%- endfor %} || apt-get install -f -y
|
||||
|
||||
COPY ["start.sh", "/usr/bin/"]
|
||||
|
||||
|
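Review bot: The `|| apt-get install -f -y` fallback appended to the `RUN dpkg -i` step makes the layer succeed whenever apt succeeds, so a .deb that failed to install for a reason other than unmet dependencies can go unnoticed, and apt's fix-broken mode may resolve the state by removing the package. Because `iproute2` is no longer in the earlier `apt-get install` line, the image now depends on the self-built package actually being installed. A follow-up check such as `RUN dpkg -s iproute2` would make the build fail loudly if it is missing. The contents of `docker_syncd_vs_debs` are not visible here, so which packages are affected is inferred.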
@ -1,7 +1,11 @@
|
||||
# iproute2 package
|
||||
|
||||
IPROUTE2_VERSION = 4.9.0-1
|
||||
IPROUTE2_VERSION = 5.10.0
|
||||
IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-4~bpo10+1
|
||||
|
||||
IPROUTE2 = iproute2_$(IPROUTE2_VERSION)_$(CONFIGURED_ARCH).deb
|
||||
export IPROUTE2_VERSION
|
||||
export IPROUTE2_VERSION_FULL
|
||||
|
||||
IPROUTE2 = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb
|
||||
$(IPROUTE2)_SRC_PATH = $(SRC_PATH)/iproute2
|
||||
SONIC_MAKE_DEBS += $(IPROUTE2)
|
||||
|
@ -356,6 +356,12 @@ RUN apt-get update && apt-get install -y \
|
||||
libsystemd-dev \
|
||||
pkg-config
|
||||
|
||||
# For iproute2
|
||||
RUN apt-get install -y -t buster-backports \
|
||||
libbpf-dev \
|
||||
dwz \
|
||||
debhelper
|
||||
|
||||
RUN apt-get -y build-dep openssh
|
||||
|
||||
# Build fix for ARMHF buster libsairedis
|
||||
|
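Review bot: The new `RUN apt-get install -y -t buster-backports ...` layer relies on package lists fetched in an earlier layer, so a cached earlier layer can leave it resolving against stale backports indexes. The preceding step shown in the hunk header uses `apt-get update && apt-get install -y`, and the same form keeps the two consistent: `RUN apt-get update && apt-get install -y -t buster-backports libbpf-dev dwz debhelper`. Taking `debhelper` and `dwz` from backports presumably also changes the packaging toolchain for other packages built in this image, which would be worth stating in the `# For iproute2` comment.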
1
src/iproute2/.gitignore
vendored
1
src/iproute2/.gitignore
vendored
@ -1,3 +1,4 @@
|
||||
*
|
||||
!.gitignore
|
||||
!Makefile
|
||||
!patch/*
|
||||
|
@ -2,21 +2,21 @@ SHELL = /bin/bash
|
||||
.ONESHELL:
|
||||
.SHELLFLAGS += -e
|
||||
|
||||
IPROUTE2_VERSION = 4.9.0
|
||||
IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-1
|
||||
|
||||
MAIN_TARGET = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb
|
||||
|
||||
$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
|
||||
# Remove any stale files
|
||||
rm -rf iproute2-$(IPROUTE2_VERSION)
|
||||
|
||||
wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0.orig.tar.xz?sv=2015-04-05&sr=b&sig=9nvybd1xkXyRQbaG6Fy6wBazPA8IbZV0AO41GWXPEP8%3D&se=2154-10-23T11%3A59%3A00Z&sp=r"
|
||||
wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.dsc?sv=2015-04-05&sr=b&sig=m6FcMH9dOh8ggipBgOsONiXvDxoi6bfUO%2BxvidsMNMQ%3D&se=2154-10-23T11%3A59%3A53Z&sp=r"
|
||||
wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.debian.tar.xz?sv=2015-04-05&sr=b&sig=U5NFuwG5C3vZXlUUNvoPMnKDtMKk66zbweA9rQYbEVY%3D&se=2154-10-23T12%3A00%3A15Z&sp=r"
|
||||
wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION).orig.tar.xz
|
||||
wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).dsc
|
||||
wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz
|
||||
dpkg-source -x iproute2_$(IPROUTE2_VERSION_FULL).dsc
|
||||
|
||||
pushd iproute2-$(IPROUTE2_VERSION)
|
||||
|
||||
patch -p1 < ../patch/0001-patch-macsec-xpn-support.patch
|
||||
|
||||
dpkg-buildpackage -us -uc -b -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
|
||||
popd
|
||||
|
||||
|
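Review bot: The three `wget` lines that appear to be the new side fetch the .orig tarball, the .dsc and the .debian tarball over plain `http://deb.debian.org/...`, and nothing visible in the recipe authenticates them before `dpkg-source -x`, `patch` and `dpkg-buildpackage` run, so whatever the network returns is what gets built into the images. `dpkg-source` does check the tarballs against the checksums in the .dsc, but the .dsc arrives over the same channel and a missing or unverifiable signature is not an error by default. Switching the URLs to `https://` and requiring the signature with `dpkg-source --require-valid-signature -x iproute2_$(IPROUTE2_VERSION_FULL).dsc` (with the Debian keyring available in the build container) would close that gap. Alternatively, pin a digest, e.g. `echo "<SHA256_OF_DSC>  iproute2_$(IPROUTE2_VERSION_FULL).dsc" | sha256sum -c -`, where the placeholder is replaced by the value recorded at review time.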
213
src/iproute2/patch/0001-patch-macsec-xpn-support.patch
Normal file
213
src/iproute2/patch/0001-patch-macsec-xpn-support.patch
Normal file
@ -0,0 +1,213 @@
|
||||
From f1ea3235b5250dfd1193b5033620b030b9789fd9 Mon Sep 17 00:00:00 2001
|
||||
From: Ze Gan <ganze718@gmail.com>
|
||||
Date: Mon, 30 Aug 2021 06:45:28 +0000
|
||||
Subject: [PATCH] MACsec XPN support
|
||||
|
||||
Signed-off-by: Ze Gan <ganze718@gmail.com>
|
||||
---
|
||||
ip/ipmacsec.c | 86 ++++++++++++++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 74 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
|
||||
index 18289ecd..1df19bf1 100644
|
||||
--- a/ip/ipmacsec.c
|
||||
+++ b/ip/ipmacsec.c
|
||||
@@ -10,6 +10,7 @@
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
+#include <inttypes.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <errno.h>
|
||||
@@ -23,6 +24,8 @@
|
||||
#include "ll_map.h"
|
||||
#include "libgenl.h"
|
||||
|
||||
+#define MACSEC_SALT_LEN 12
|
||||
+
|
||||
static const char * const values_on_off[] = { "off", "on" };
|
||||
|
||||
static const char * const validate_str[] = {
|
||||
@@ -45,11 +48,13 @@ struct sci {
|
||||
|
||||
struct sa_desc {
|
||||
__u8 an;
|
||||
- __u32 pn;
|
||||
+ __u64 pn;
|
||||
__u8 key_id[MACSEC_KEYID_LEN];
|
||||
__u32 key_len;
|
||||
__u8 key[MACSEC_MAX_KEY_LEN];
|
||||
__u8 active;
|
||||
+ __u32 ssci;
|
||||
+ __u8 salt[MACSEC_SALT_LEN];
|
||||
};
|
||||
|
||||
struct cipher_args {
|
||||
@@ -88,7 +93,7 @@ static int genl_family = -1;
|
||||
static void ipmacsec_usage(void)
|
||||
{
|
||||
fprintf(stderr,
|
||||
- "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] key ID KEY\n"
|
||||
+ "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] [ ssci SSCI salt SALT] key ID KEY\n"
|
||||
" ip macsec set DEV tx sa { 0..3 } [ OPTS ]\n"
|
||||
" ip macsec del DEV tx sa { 0..3 }\n"
|
||||
" ip macsec add DEV rx SCI [ on | off ]\n"
|
||||
@@ -100,10 +105,12 @@ static void ipmacsec_usage(void)
|
||||
" ip macsec show\n"
|
||||
" ip macsec show DEV\n"
|
||||
" ip macsec offload DEV [ off | phy | mac ]\n"
|
||||
- "where OPTS := [ pn <u32> ] [ on | off ]\n"
|
||||
+ "where OPTS := [ pn <u64> ] [ on | off ]\n"
|
||||
" ID := 128-bit hex string\n"
|
||||
" KEY := 128-bit or 256-bit hex string\n"
|
||||
- " SCI := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n");
|
||||
+ " SCI := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n"
|
||||
+ " SSCI := <u32>\n"
|
||||
+ " SALT := 96-bit hex string\n");
|
||||
|
||||
exit(-1);
|
||||
}
|
||||
@@ -198,7 +205,7 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
|
||||
if (sa->pn != 0)
|
||||
duparg2("pn", "pn");
|
||||
NEXT_ARG();
|
||||
- ret = get_u32(&sa->pn, *argv, 0);
|
||||
+ ret = get_u64(&sa->pn, *argv, 0);
|
||||
if (ret)
|
||||
invarg("expected pn", *argv);
|
||||
if (sa->pn == 0)
|
||||
@@ -224,6 +231,22 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
|
||||
duparg2("on/off", "off");
|
||||
sa->active = false;
|
||||
active_set = true;
|
||||
+ } else if (strcmp(*argv, "ssci") == 0) {
|
||||
+ if (sa->ssci != 0)
|
||||
+ duparg2("ssci", "ssci");
|
||||
+ NEXT_ARG();
|
||||
+ ret = get_u32(&sa->ssci, *argv, 0);
|
||||
+ if (ret)
|
||||
+ invarg("expected ssci", *argv);
|
||||
+ if (sa->ssci == 0)
|
||||
+ invarg("expected ssci != 0", *argv);
|
||||
+ } else if (strcmp(*argv, "salt") == 0) {
|
||||
+ unsigned int len;
|
||||
+
|
||||
+ NEXT_ARG();
|
||||
+ if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN,
|
||||
+ &len))
|
||||
+ invarg("expected salt", *argv);
|
||||
} else {
|
||||
fprintf(stderr, "macsec: unknown command \"%s\"?\n",
|
||||
*argv);
|
||||
@@ -413,9 +436,15 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
|
||||
addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an);
|
||||
|
||||
if (c != CMD_DEL) {
|
||||
- if (sa->pn)
|
||||
- addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
|
||||
- sa->pn);
|
||||
+ if (sa->pn) {
|
||||
+ if (sa->ssci == 0) {
|
||||
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
|
||||
+ sa->pn);
|
||||
+ } else {
|
||||
+ addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
|
||||
+ sa->pn);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (sa->key_len) {
|
||||
addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_KEYID,
|
||||
@@ -428,6 +457,13 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
|
||||
addattr8(&req.n, MACSEC_BUFLEN,
|
||||
MACSEC_SA_ATTR_ACTIVE, sa->active);
|
||||
}
|
||||
+
|
||||
+ if (sa->ssci != 0) {
|
||||
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI,
|
||||
+ sa->ssci);
|
||||
+ addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT,
|
||||
+ sa->salt, MACSEC_SALT_LEN);
|
||||
+ }
|
||||
}
|
||||
|
||||
addattr_nest_end(&req.n, attr_sa);
|
||||
@@ -456,6 +492,11 @@ static bool check_sa_args(enum cmd c, struct sa_desc *sa)
|
||||
fprintf(stderr, "cannot change key on SA\n");
|
||||
return -1;
|
||||
}
|
||||
+
|
||||
+ if (sa->ssci) {
|
||||
+ fprintf(stderr, "cannot change SSCI on SA\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -637,6 +678,8 @@ static void print_key(struct rtattr *key)
|
||||
|
||||
#define CIPHER_NAME_GCM_AES_128 "GCM-AES-128"
|
||||
#define CIPHER_NAME_GCM_AES_256 "GCM-AES-256"
|
||||
+#define CIPHER_NAME_GCM_AES_XPN_128 "GCM-AES-XPN-128"
|
||||
+#define CIPHER_NAME_GCM_AES_XPN_256 "GCM-AES-XPN-256"
|
||||
#define DEFAULT_CIPHER_NAME CIPHER_NAME_GCM_AES_128
|
||||
|
||||
static const char *cs_id_to_name(__u64 cid)
|
||||
@@ -649,6 +692,10 @@ static const char *cs_id_to_name(__u64 cid)
|
||||
return CIPHER_NAME_GCM_AES_128;
|
||||
case MACSEC_CIPHER_ID_GCM_AES_256:
|
||||
return CIPHER_NAME_GCM_AES_256;
|
||||
+ case MACSEC_CIPHER_ID_GCM_AES_XPN_128:
|
||||
+ return CIPHER_NAME_GCM_AES_XPN_128;
|
||||
+ case MACSEC_CIPHER_ID_GCM_AES_XPN_256:
|
||||
+ return CIPHER_NAME_GCM_AES_XPN_256;
|
||||
default:
|
||||
return "(unknown)";
|
||||
}
|
||||
@@ -897,13 +944,22 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa,
|
||||
print_string(PRINT_FP, NULL, "%s", prefix);
|
||||
print_uint(PRINT_ANY, "an", "%d:",
|
||||
rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN]));
|
||||
- print_uint(PRINT_ANY, "pn", " PN %u,",
|
||||
- rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
|
||||
+ if (!sa_attr[MACSEC_SA_ATTR_SSCI]) {
|
||||
+ print_uint(PRINT_ANY, "pn", " PN %u,",
|
||||
+ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
|
||||
+ } else {
|
||||
+ print_uint(PRINT_ANY, "pn", " PN %" PRIu64 ",",
|
||||
+ rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN]));
|
||||
+ }
|
||||
|
||||
print_bool(PRINT_JSON, "active", NULL, state);
|
||||
print_string(PRINT_FP, NULL,
|
||||
" state %s,", state ? "on" : "off");
|
||||
print_key(sa_attr[MACSEC_SA_ATTR_KEYID]);
|
||||
+ if (sa_attr[MACSEC_SA_ATTR_SSCI]) {
|
||||
+ print_uint(PRINT_ANY, "ssci", " SSCI %u,",
|
||||
+ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI]));
|
||||
+ }
|
||||
|
||||
print_txsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]);
|
||||
close_json_object();
|
||||
@@ -1322,9 +1378,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
|
||||
else if (strcmp(*argv, "gcm-aes-256") == 0 ||
|
||||
strcmp(*argv, "GCM-AES-256") == 0)
|
||||
cipher.id = MACSEC_CIPHER_ID_GCM_AES_256;
|
||||
+ else if (strcmp(*argv, "gcm-aes-xpn-128") == 0 ||
|
||||
+ strcmp(*argv, "GCM-AES-XPN-128") == 0)
|
||||
+ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_128;
|
||||
+ else if (strcmp(*argv, "gcm-aes-xpn-256") == 0 ||
|
||||
+ strcmp(*argv, "GCM-AES-XPN-256") == 0)
|
||||
+ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_256;
|
||||
else
|
||||
- invarg("expected: default, gcm-aes-128 or"
|
||||
- " gcm-aes-256", *argv);
|
||||
+ invarg("expected: default, gcm-aes-128"
|
||||
+ " gcm-aes-256 gcm-aes-xpn-128 gcm-aes-xpn-256", *argv);
|
||||
} else if (strcmp(*argv, "icvlen") == 0) {
|
||||
NEXT_ARG();
|
||||
if (cipher.icv_len)
|
||||
--
|
||||
2.17.1
|
||||
|
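Review bot: In `do_modify_nl`, the `sa->ssci == 0` branch passes the now 64-bit `sa->pn` to `addattr32`, so a packet number above 2^32-1 given without `ssci` is silently truncated before it reaches the kernel; for a MACsec SA a wrong starting PN is worth rejecting outright, e.g. `if (!sa->ssci && sa->pn > UINT32_MAX) { fprintf(stderr, "pn above 32 bits requires ssci and salt\n"); return -1; }` where the SA arguments are checked. In the `salt` branch of `parse_sa_args` the `len` returned by `hexstring_a2n` is never compared in the visible lines, so a short salt appears to be accepted and sent zero-padded to `MACSEC_SALT_LEN`; `if (len != MACSEC_SALT_LEN) invarg("expected 96-bit salt", *argv);` would catch it, and `ssci` given without `salt` likewise sends an all-zero salt. In `print_tx_sc`, `print_uint` takes an `unsigned int`, so the `PRIu64` branch mismatches its format and drops the upper half of the PN; `print_u64` is the 64-bit helper. All three functions extend beyond the hunks shown.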