24 #include <netlink-private/netlink.h> 25 #include <netlink/netlink.h> 26 #include <netlink/attr.h> 27 #include <netlink/utils.h> 28 #include <netlink/object.h> 29 #include <netlink/route/rtnl.h> 30 #include <netlink-private/route/link/api.h> 31 #include <netlink-private/utils.h> 33 #include <linux/if_macsec.h> 36 #define MACSEC_ATTR_SCI (1 << 0) 37 #define MACSEC_ATTR_ICV_LEN (1 << 1) 38 #define MACSEC_ATTR_CIPHER_SUITE (1 << 2) 39 #define MACSEC_ATTR_WINDOW (1 << 3) 40 #define MACSEC_ATTR_ENCODING_SA (1 << 4) 41 #define MACSEC_ATTR_ENCRYPT (1 << 5) 42 #define MACSEC_ATTR_PROTECT (1 << 6) 43 #define MACSEC_ATTR_INC_SCI (1 << 7) 44 #define MACSEC_ATTR_ES (1 << 8) 45 #define MACSEC_ATTR_SCB (1 << 9) 46 #define MACSEC_ATTR_REPLAY_PROTECT (1 << 10) 47 #define MACSEC_ATTR_VALIDATION (1 << 11) 48 #define MACSEC_ATTR_PORT (1 << 12) 54 uint64_t cipher_suite;
57 enum macsec_validation_type validate;
60 uint8_t send_sci, end_station, scb, replay_protect, protect, encrypt;
65 #define DEFAULT_ICV_LEN 16 69 static struct nla_policy macsec_policy[IFLA_MACSEC_MAX+1] = {
71 [IFLA_MACSEC_ICV_LEN] = { .type =
NLA_U8 },
72 [IFLA_MACSEC_CIPHER_SUITE] = { .type =
NLA_U64 },
73 [IFLA_MACSEC_WINDOW] = { .type =
NLA_U32 },
74 [IFLA_MACSEC_ENCODING_SA] = { .type =
NLA_U8 },
75 [IFLA_MACSEC_ENCRYPT] = { .type =
NLA_U8 },
76 [IFLA_MACSEC_PROTECT] = { .type =
NLA_U8 },
77 [IFLA_MACSEC_INC_SCI] = { .type =
NLA_U8 },
78 [IFLA_MACSEC_ES] = { .type =
NLA_U8 },
79 [IFLA_MACSEC_SCB] = { .type =
NLA_U8 },
80 [IFLA_MACSEC_REPLAY_PROTECT] = { .type =
NLA_U8 },
81 [IFLA_MACSEC_VALIDATION] = { .type =
NLA_U8 },
94 static int macsec_alloc(
struct rtnl_link *link)
96 struct macsec_info *info;
99 link->l_info = malloc(
sizeof(
struct macsec_info));
104 memset(link->l_info, 0,
sizeof(
struct macsec_info));
107 info->cipher_suite = MACSEC_DEFAULT_CIPHER_ID;
108 info->icv_len = DEFAULT_ICV_LEN;
109 info->ce_mask = MACSEC_ATTR_CIPHER_SUITE | MACSEC_ATTR_ICV_LEN;
114 static int macsec_parse(
struct rtnl_link *link,
struct nlattr *data,
115 struct nlattr *xstats)
117 struct nlattr *tb[IFLA_MACSEC_MAX+1];
118 struct macsec_info *info;
121 NL_DBG(3,
"Parsing MACsec link info\n");
126 if ((err = macsec_alloc(link)) < 0)
131 if (tb[IFLA_MACSEC_SCI]) {
133 info->ce_mask |= MACSEC_ATTR_SCI;
136 if (tb[IFLA_MACSEC_PROTECT]) {
137 info->protect =
nla_get_u8(tb[IFLA_MACSEC_PROTECT]);
138 info->ce_mask |= MACSEC_ATTR_PROTECT;
141 if (tb[IFLA_MACSEC_CIPHER_SUITE]) {
142 info->cipher_suite =
nla_get_u64(tb[IFLA_MACSEC_CIPHER_SUITE]);
143 info->ce_mask |= MACSEC_ATTR_CIPHER_SUITE;
146 if (tb[IFLA_MACSEC_ICV_LEN]) {
147 info->icv_len =
nla_get_u8(tb[IFLA_MACSEC_ICV_LEN]);
148 info->ce_mask |= MACSEC_ATTR_ICV_LEN;
151 if (tb[IFLA_MACSEC_ENCODING_SA]) {
152 info->encoding_sa =
nla_get_u8(tb[IFLA_MACSEC_ENCODING_SA]);
153 info->ce_mask |= MACSEC_ATTR_ENCODING_SA;
156 if (tb[IFLA_MACSEC_VALIDATION]) {
157 info->validate =
nla_get_u8(tb[IFLA_MACSEC_VALIDATION]);
158 info->ce_mask |= MACSEC_ATTR_VALIDATION;
161 if (tb[IFLA_MACSEC_ENCRYPT]) {
162 info->encrypt =
nla_get_u8(tb[IFLA_MACSEC_ENCRYPT]);
163 info->ce_mask |= MACSEC_ATTR_ENCRYPT;
166 if (tb[IFLA_MACSEC_INC_SCI]) {
167 info->send_sci =
nla_get_u8(tb[IFLA_MACSEC_INC_SCI]);
168 info->ce_mask |= MACSEC_ATTR_INC_SCI;
171 if (tb[IFLA_MACSEC_ES]) {
172 info->end_station =
nla_get_u8(tb[IFLA_MACSEC_ES]);
173 info->ce_mask |= MACSEC_ATTR_ES;
176 if (tb[IFLA_MACSEC_SCB]) {
178 info->ce_mask |= MACSEC_ATTR_SCB;
181 if (tb[IFLA_MACSEC_REPLAY_PROTECT]) {
182 info->replay_protect =
nla_get_u8(tb[IFLA_MACSEC_REPLAY_PROTECT]);
183 info->ce_mask |= MACSEC_ATTR_REPLAY_PROTECT;
186 if (tb[IFLA_MACSEC_WINDOW]) {
187 info->window =
nla_get_u32(tb[IFLA_MACSEC_WINDOW]);
188 info->ce_mask |= MACSEC_ATTR_WINDOW;
196 static void macsec_free(
struct rtnl_link *link)
/*
 * Printable names for the on/off link flags. The table has exactly two
 * entries and the detailed dump indexes it directly with uint8_t fields
 * (info->protect, info->encrypt, info->send_sci); VALIDATE_STR is looked up
 * the same way with info->validate.
 *
 * NOTE(review): macsec_parse() fills those fields straight from nla_get_u8()
 * and no range check is visible on that path, so a value above 1 would index
 * past the end of this table. Confirm, and bound the index at the lookup.
 */
static const char *values_on_off[] = {
	[0] = "off",
	[1] = "on",
};
204 static const char *VALIDATE_STR[] = {
205 [MACSEC_VALIDATE_DISABLED] =
"disabled",
206 [MACSEC_VALIDATE_CHECK] =
"check",
207 [MACSEC_VALIDATE_STRICT] =
"strict",
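/*
 * Format the replay-protection state for the detailed dump.
 *
 * buf            Caller-supplied output buffer. No size is passed in, so it
 *                must hold the longest string written here:
 *                "replay_protect on window " (25 chars) + up to 10 digits +
 *                the terminating NUL = 36 bytes.
 *                NOTE(review): the caller's buffer declaration is not visible
 *                in this listing; confirm it is at least that large.
 * replay_protect 1 = enabled, 0 = disabled; anything else yields "".
 * window         Replay window, printed only when protection is enabled.
 *
 * Returns buf, which is always NUL-terminated on return.
 */
static char *replay_protect_str(char *buf, uint8_t replay_protect, uint32_t window)
{
	/*
	 * The window is 32 bit everywhere else in this file (nla_get_u32,
	 * NLA_PUT_U32, rtnl_link_macsec_{set,get}_window). Taking it as uint8_t
	 * here silently truncated values above 255, so the dump could show a
	 * much smaller replay window than the one actually configured.
	 */
	if (replay_protect == 1) {
		sprintf(buf, "replay_protect on window %lu", (unsigned long)window);
	} else if (replay_protect == 0) {
		sprintf(buf, "replay_protect off");
	} else {
		/*
		 * Value outside 0/1 (the field is filled from a netlink
		 * attribute): hand back a valid empty string rather than
		 * whatever the caller's buffer happened to contain.
		 */
		buf[0] = '\0';
	}

	return buf;
}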
224 #define PRINT_FLAG(buf, i, field, c) ({ if (i->field == 1) *buf++ = c; }) 226 static char *flags_str(
char *buf,
unsigned char len,
struct macsec_info *info)
231 PRINT_FLAG(tmp, info, protect,
'P');
232 PRINT_FLAG(tmp, info, encrypt,
'E');
233 PRINT_FLAG(tmp, info, send_sci,
'S');
234 PRINT_FLAG(tmp, info, end_station,
'e');
235 PRINT_FLAG(tmp, info, scb,
's');
236 PRINT_FLAG(tmp, info, replay_protect,
'R');
240 switch (info->validate) {
241 case MACSEC_VALIDATE_DISABLED:
244 case MACSEC_VALIDATE_CHECK:
247 case MACSEC_VALIDATE_STRICT:
254 sprintf(tmp,
" %d", info->encoding_sa);
261 struct macsec_info *info = link->l_info;
264 nl_dump(p,
"sci %016llx <%s>", ntohll(info->sci), flags_str(tmp,
sizeof(tmp), info));
269 struct macsec_info *info = link->l_info;
272 nl_dump(p,
" sci %016llx protect %s encoding_sa %d encrypt %s send_sci %s validate %s %s\n",
273 ntohll(info->sci), values_on_off[info->protect], info->encoding_sa, values_on_off[info->encrypt], values_on_off[info->send_sci],
274 VALIDATE_STR[info->validate],
275 replay_protect_str(tmp, info->replay_protect, info->window));
276 nl_dump(p,
" cipher suite: %016llx, icv_len %d\n",
277 info->cipher_suite, info->icv_len);
282 struct macsec_info *copy, *info = src->l_info;
293 memcpy(copy, info,
sizeof(
struct macsec_info));
298 static int macsec_put_attrs(
struct nl_msg *msg,
struct rtnl_link *link)
300 struct macsec_info *info = link->l_info;
306 if (info->ce_mask & MACSEC_ATTR_SCI)
308 else if (info->ce_mask & MACSEC_ATTR_PORT)
309 NLA_PUT_U16(msg, IFLA_MACSEC_PORT, htons(info->port));
311 if ((info->ce_mask & MACSEC_ATTR_ENCRYPT))
312 NLA_PUT_U8(msg, IFLA_MACSEC_ENCRYPT, info->encrypt);
314 if (info->cipher_suite != MACSEC_DEFAULT_CIPHER_ID || info->icv_len != DEFAULT_ICV_LEN) {
315 NLA_PUT_U64(msg, IFLA_MACSEC_CIPHER_SUITE, info->cipher_suite);
316 NLA_PUT_U8(msg, IFLA_MACSEC_ICV_LEN, info->icv_len);
319 if ((info->ce_mask & MACSEC_ATTR_INC_SCI))
320 NLA_PUT_U8(msg, IFLA_MACSEC_INC_SCI, info->send_sci);
322 if ((info->ce_mask & MACSEC_ATTR_ES))
323 NLA_PUT_U8(msg, IFLA_MACSEC_ES, info->end_station);
325 if ((info->ce_mask & MACSEC_ATTR_SCB))
328 if ((info->ce_mask & MACSEC_ATTR_PROTECT))
329 NLA_PUT_U8(msg, IFLA_MACSEC_PROTECT, info->protect);
331 if ((info->ce_mask & MACSEC_ATTR_REPLAY_PROTECT)) {
332 if (info->replay_protect && !(info->ce_mask & MACSEC_ATTR_WINDOW))
335 NLA_PUT_U8(msg, IFLA_MACSEC_REPLAY_PROTECT, info->replay_protect);
336 NLA_PUT_U32(msg, IFLA_MACSEC_WINDOW, info->window);
339 if ((info->ce_mask & MACSEC_ATTR_VALIDATION))
340 NLA_PUT_U8(msg, IFLA_MACSEC_VALIDATION, info->validate);
342 if ((info->ce_mask & MACSEC_ATTR_ENCODING_SA))
343 NLA_PUT_U8(msg, IFLA_MACSEC_ENCODING_SA, info->encoding_sa);
356 struct macsec_info *a = link_a->l_info;
357 struct macsec_info *b = link_b->l_info;
359 uint32_t attrs = flags & LOOSE_COMPARISON ? b->ce_mask : ~0;
361 #define MACSEC_DIFF(ATTR, EXPR) ATTR_DIFF(attrs, MACSEC_ATTR_##ATTR, a, b, EXPR) 363 if (a->ce_mask & MACSEC_ATTR_SCI && b->ce_mask & MACSEC_ATTR_SCI)
364 diff |= MACSEC_DIFF(SCI, a->sci != b->sci);
365 else if (a->ce_mask & MACSEC_ATTR_PORT && b->ce_mask & MACSEC_ATTR_PORT)
366 diff |= MACSEC_DIFF(PORT, a->port != b->port);
368 if (a->ce_mask & MACSEC_ATTR_CIPHER_SUITE && b->ce_mask & MACSEC_ATTR_CIPHER_SUITE) {
369 diff |= MACSEC_DIFF(ICV_LEN, a->icv_len != b->icv_len);
370 diff |= MACSEC_DIFF(CIPHER_SUITE, a->cipher_suite != b->cipher_suite);
373 if (a->ce_mask & MACSEC_ATTR_REPLAY_PROTECT && b->ce_mask & MACSEC_ATTR_REPLAY_PROTECT) {
374 int d = MACSEC_DIFF(REPLAY_PROTECT, a->replay_protect != b->replay_protect);
375 if (a->replay_protect && b->replay_protect)
376 d |= MACSEC_DIFF(WINDOW, a->window != b->window);
380 diff |= MACSEC_DIFF(ENCODING_SA, a->encoding_sa != b->encoding_sa);
381 diff |= MACSEC_DIFF(ENCRYPT, a->encrypt != b->encrypt);
382 diff |= MACSEC_DIFF(PROTECT, a->protect != b->protect);
383 diff |= MACSEC_DIFF(INC_SCI, a->send_sci != b->send_sci);
384 diff |= MACSEC_DIFF(ES, a->end_station != b->end_station);
385 diff |= MACSEC_DIFF(SCB, a->scb != b->scb);
386 diff |= MACSEC_DIFF(VALIDATION, a->validate != b->validate);
393 static struct rtnl_link_info_ops macsec_info_ops = {
395 .io_alloc = macsec_alloc,
396 .io_parse = macsec_parse,
401 .io_clone = macsec_clone,
402 .io_put_attrs = macsec_put_attrs,
403 .io_free = macsec_free,
404 .io_compare = macsec_compare,
407 static void __init macsec_init(
void)
412 static void __exit macsec_exit(
void)
418 #define IS_MACSEC_LINK_ASSERT(link) \ 419 if ((link)->l_info_ops != &macsec_info_ops) { \ 420 APPBUG("Link is not a MACsec link. set type \"macsec\" first."); \ 421 return -NLE_OPNOTSUPP; \ 425 struct rtnl_link *rtnl_link_macsec_alloc(
void)
449 struct macsec_info *info = link->l_info;
451 IS_MACSEC_LINK_ASSERT(link);
454 info->ce_mask |= MACSEC_ATTR_SCI;
469 struct macsec_info *info = link->l_info;
471 IS_MACSEC_LINK_ASSERT(link);
473 if (!(info->ce_mask & MACSEC_ATTR_SCI))
491 struct macsec_info *info = link->l_info;
493 IS_MACSEC_LINK_ASSERT(link);
496 info->ce_mask |= MACSEC_ATTR_PORT;
510 struct macsec_info *info = link->l_info;
512 IS_MACSEC_LINK_ASSERT(link);
514 if (!(info->ce_mask & MACSEC_ATTR_PORT))
/*
 * Set the cipher suite identifier of a MACsec link object.
 *
 * The 64-bit identifier is stored exactly as passed; this setter does not
 * check it against any list of known suites. MACSEC_ATTR_CIPHER_SUITE is
 * set in ce_mask so rtnl_link_macsec_get_cipher_suite() reports the value.
 *
 * Returns 0 on success. IS_MACSEC_LINK_ASSERT() returns -NLE_OPNOTSUPP
 * when the link's info ops are not the MACsec ones.
 */
int rtnl_link_macsec_set_cipher_suite(struct rtnl_link *link, uint64_t cipher_suite)
{
	struct macsec_info *mi = link->l_info;

	/* Only a pointer copy happens above; mi is not dereferenced until the type check has passed. */
	IS_MACSEC_LINK_ASSERT(link);

	mi->ce_mask |= MACSEC_ATTR_CIPHER_SUITE;
	mi->cipher_suite = cipher_suite;

	return 0;
}
535 int rtnl_link_macsec_get_cipher_suite(
struct rtnl_link *link, uint64_t *cs)
537 struct macsec_info *info = link->l_info;
539 IS_MACSEC_LINK_ASSERT(link);
541 if (!(info->ce_mask & MACSEC_ATTR_CIPHER_SUITE))
545 *cs = info->cipher_suite;
550 int rtnl_link_macsec_set_icv_len(
struct rtnl_link *link, uint16_t icv_len)
552 struct macsec_info *info = link->l_info;
554 IS_MACSEC_LINK_ASSERT(link);
556 if (icv_len > MACSEC_STD_ICV_LEN)
559 info->icv_len = icv_len;
560 info->ce_mask |= MACSEC_ATTR_ICV_LEN;
565 int rtnl_link_macsec_get_icv_len(
struct rtnl_link *link, uint16_t *icv_len)
567 struct macsec_info *info = link->l_info;
569 IS_MACSEC_LINK_ASSERT(link);
571 if (!(info->ce_mask & MACSEC_ATTR_ICV_LEN))
575 *icv_len = info->icv_len;
580 int rtnl_link_macsec_set_protect(
struct rtnl_link *link, uint8_t protect)
582 struct macsec_info *info = link->l_info;
584 IS_MACSEC_LINK_ASSERT(link);
589 info->protect = protect;
590 info->ce_mask |= MACSEC_ATTR_PROTECT;
595 int rtnl_link_macsec_get_protect(
struct rtnl_link *link, uint8_t *protect)
597 struct macsec_info *info = link->l_info;
599 IS_MACSEC_LINK_ASSERT(link);
601 if (!(info->ce_mask & MACSEC_ATTR_PROTECT))
605 *protect = info->protect;
610 int rtnl_link_macsec_set_encrypt(
struct rtnl_link *link, uint8_t encrypt)
612 struct macsec_info *info = link->l_info;
614 IS_MACSEC_LINK_ASSERT(link);
619 info->encrypt = encrypt;
620 info->ce_mask |= MACSEC_ATTR_ENCRYPT;
625 int rtnl_link_macsec_get_encrypt(
struct rtnl_link *link, uint8_t *encrypt)
627 struct macsec_info *info = link->l_info;
629 IS_MACSEC_LINK_ASSERT(link);
631 if (!(info->ce_mask & MACSEC_ATTR_ENCRYPT))
635 *encrypt = info->encrypt;
640 int rtnl_link_macsec_set_encoding_sa(
struct rtnl_link *link, uint8_t encoding_sa)
642 struct macsec_info *info = link->l_info;
644 IS_MACSEC_LINK_ASSERT(link);
649 info->encoding_sa = encoding_sa;
650 info->ce_mask |= MACSEC_ATTR_ENCODING_SA;
655 int rtnl_link_macsec_get_encoding_sa(
struct rtnl_link *link, uint8_t *encoding_sa)
657 struct macsec_info *info = link->l_info;
659 IS_MACSEC_LINK_ASSERT(link);
661 if (!(info->ce_mask & MACSEC_ATTR_ENCODING_SA))
665 *encoding_sa = info->encoding_sa;
670 int rtnl_link_macsec_set_validation_type(
struct rtnl_link *link,
enum macsec_validation_type validate)
672 struct macsec_info *info = link->l_info;
674 IS_MACSEC_LINK_ASSERT(link);
679 info->validate = validate;
680 info->ce_mask |= MACSEC_ATTR_VALIDATION;
685 int rtnl_link_macsec_get_validation_type(
struct rtnl_link *link,
enum macsec_validation_type *validate)
687 struct macsec_info *info = link->l_info;
689 IS_MACSEC_LINK_ASSERT(link);
691 if (!(info->ce_mask & MACSEC_ATTR_VALIDATION))
695 *validate = info->validate;
700 int rtnl_link_macsec_set_replay_protect(
struct rtnl_link *link, uint8_t replay_protect)
702 struct macsec_info *info = link->l_info;
704 IS_MACSEC_LINK_ASSERT(link);
706 if (replay_protect > 1)
709 info->replay_protect = replay_protect;
710 info->ce_mask |= MACSEC_ATTR_REPLAY_PROTECT;
715 int rtnl_link_macsec_get_replay_protect(
struct rtnl_link *link, uint8_t *replay_protect)
717 struct macsec_info *info = link->l_info;
719 IS_MACSEC_LINK_ASSERT(link);
721 if (!(info->ce_mask & MACSEC_ATTR_REPLAY_PROTECT))
725 *replay_protect = info->replay_protect;
/*
 * Set the replay window of a MACsec link object.
 *
 * The full 32-bit value is stored as given and MACSEC_ATTR_WINDOW is set in
 * ce_mask. macsec_put_attrs() tests that flag when replay protection is
 * enabled, so callers turning on replay protection should set a window too.
 *
 * Returns 0 on success. IS_MACSEC_LINK_ASSERT() returns -NLE_OPNOTSUPP
 * when the link's info ops are not the MACsec ones.
 */
int rtnl_link_macsec_set_window(struct rtnl_link *link, uint32_t window)
{
	struct macsec_info *mi = link->l_info;

	/* Only a pointer copy happens above; mi is not dereferenced until the type check has passed. */
	IS_MACSEC_LINK_ASSERT(link);

	mi->ce_mask |= MACSEC_ATTR_WINDOW;
	mi->window = window;

	return 0;
}
742 int rtnl_link_macsec_get_window(
struct rtnl_link *link, uint32_t *window)
744 struct macsec_info *info = link->l_info;
746 IS_MACSEC_LINK_ASSERT(link);
748 if (!(info->ce_mask & MACSEC_ATTR_WINDOW))
752 *window = info->window;
757 int rtnl_link_macsec_set_send_sci(
struct rtnl_link *link, uint8_t send_sci)
759 struct macsec_info *info = link->l_info;
761 IS_MACSEC_LINK_ASSERT(link);
766 info->send_sci = send_sci;
767 info->ce_mask |= MACSEC_ATTR_INC_SCI;
772 int rtnl_link_macsec_get_send_sci(
struct rtnl_link *link, uint8_t *send_sci)
774 struct macsec_info *info = link->l_info;
776 IS_MACSEC_LINK_ASSERT(link);
778 if (!(info->ce_mask & MACSEC_ATTR_INC_SCI))
782 *send_sci = info->send_sci;
787 int rtnl_link_macsec_set_end_station(
struct rtnl_link *link, uint8_t end_station)
789 struct macsec_info *info = link->l_info;
791 IS_MACSEC_LINK_ASSERT(link);
796 info->end_station = end_station;
797 info->ce_mask |= MACSEC_ATTR_ES;
802 int rtnl_link_macsec_get_end_station(
struct rtnl_link *link, uint8_t *es)
804 struct macsec_info *info = link->l_info;
806 IS_MACSEC_LINK_ASSERT(link);
808 if (!(info->ce_mask & MACSEC_ATTR_ES))
812 *es = info->end_station;
817 int rtnl_link_macsec_set_scb(
struct rtnl_link *link, uint8_t scb)
819 struct macsec_info *info = link->l_info;
821 IS_MACSEC_LINK_ASSERT(link);
827 info->ce_mask |= MACSEC_ATTR_SCB;
832 int rtnl_link_macsec_get_scb(
struct rtnl_link *link, uint8_t *scb)
834 struct macsec_info *info = link->l_info;
836 IS_MACSEC_LINK_ASSERT(link);
838 if (!(info->ce_mask & MACSEC_ATTR_SCB))
Dump object briefly on one line.
int rtnl_link_register_info(struct rtnl_link_info_ops *ops)
Register operations for a link info type.
Attribute validation policy.
uint8_t nla_get_u8(const struct nlattr *nla)
Return value of 8 bit integer attribute.
struct rtnl_link * rtnl_link_alloc(void)
Allocate link object.
#define NLA_PUT_U64(msg, attrtype, value)
Add 64 bit integer attribute to netlink message.
uint32_t nla_get_u32(const struct nlattr *nla)
Return payload of 32 bit integer attribute.
#define NLA_PUT_U8(msg, attrtype, value)
Add 8 bit integer attribute to netlink message.
int rtnl_link_macsec_get_sci(struct rtnl_link *link, uint64_t *sci)
Get SCI.
Dump all attributes but no statistics.
int nla_nest_end(struct nl_msg *msg, struct nlattr *start)
Finalize nesting of attributes.
int nla_parse_nested(struct nlattr *tb[], int maxtype, struct nlattr *nla, struct nla_policy *policy)
Create attribute index based on nested attribute.
int rtnl_link_macsec_set_sci(struct rtnl_link *link, uint64_t sci)
Set SCI.
int rtnl_link_macsec_set_port(struct rtnl_link *link, uint16_t port)
Set port identifier.
int rtnl_link_set_type(struct rtnl_link *link, const char *type)
Set type of link object.
#define NLA_PUT_U32(msg, attrtype, value)
Add 32 bit integer attribute to netlink message.
int rtnl_link_macsec_get_port(struct rtnl_link *link, uint16_t *port)
Get port identifier.
int rtnl_link_unregister_info(struct rtnl_link_info_ops *ops)
Unregister operations for a link info type.
uint16_t type
Type of attribute or NLA_UNSPEC.
#define NLA_PUT_U16(msg, attrtype, value)
Add 16 bit integer attribute to netlink message.
uint64_t nla_get_u64(const struct nlattr *nla)
Return payload of u64 attribute.
void nl_dump(struct nl_dump_params *params, const char *fmt,...)
Dump a formatted character string.
void rtnl_link_put(struct rtnl_link *link)
Return a link object reference.
struct nlattr * nla_nest_start(struct nl_msg *msg, int attrtype)
Start a new level of nested attributes.