		} else if (strcmp(*argv, "max") == 0) {
			if (maxp)
				duparg("max", *argv);
			maxp = *argv;

			NEXT_ARG();

			if (get_u32(&req.xspi.max, *argv, 0))
				invarg("\"max\" value is invalid", *argv);
		} else {
			/* try to assume ID */
			if (idp)
				invarg("unknown", *argv);
			idp = *argv;

			/* ID */
			xfrm_id_parse(&req.xspi.info.saddr, &req.xspi.info.id,
				      &req.xspi.info.family, 0, &argc, &argv);
			if (req.xspi.info.id.spi) {
				fprintf(stderr, "\"SPI\" must be zero\n");
				exit(1);
			}
			if (preferred_family == AF_UNSPEC)
				preferred_family = req.xspi.info.family;
		}
		argc--; argv++;
	}

	if (!idp) {
		fprintf(stderr, "Not enough information: \"ID\" is required\n");
		exit(1);
	}

	if (minp) {
		if (!maxp) {
			fprintf(stderr, "\"max\" is missing\n");
			exit(1);
		}
		if (req.xspi.min > req.xspi.max) {
			fprintf(stderr, "\"min\" valie is larger than \"max\" one\n");
			exit(1);
		}
	} else {
		if (maxp) {
			fprintf(stderr, "\"min\" is missing\n");
			exit(1);
		}

		/* XXX: Default value defined in PF_KEY;
		 * See kernel's net/key/af_key.c(pfkey_getspi).
		 */
		req.xspi.min = 0x100;
		req.xspi.max = 0x0fffffff;

		/* XXX: IPCOMP spi is 16-bits;
		 * See kernel's net/xfrm/xfrm_user(verify_userspi_info).
		 */
		if (req.xspi.info.id.proto == IPPROTO_COMP)
			req.xspi.max = 0xffff;
	}

	if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
		exit(1);

	if (req.xspi.info.family == AF_UNSPEC)
		req.xspi.info.family = AF_INET;


	if (rtnl_talk(&rth, &req.n, 0, 0, res_n, NULL, NULL) < 0)
		exit(2);

	if (xfrm_state_print(NULL, res_n, (void*)stdout) < 0) {
		fprintf(stderr, "An error :-)\n");
		exit(1);
	}

	rtnl_close(&rth);

	return 0;
}

/*
 * Decide whether @xsinfo passes the user-supplied state filter held in the
 * file-scope @filter.  Each criterion is only consulted when its mask is
 * non-zero, so an empty filter (or filter.use == 0) matches everything.
 *
 * Returns 1 when the state should be shown/kept, 0 when it is filtered out.
 */
static int xfrm_state_filter_match(struct xfrm_usersa_info *xsinfo)
{
	struct xfrm_usersa_info *want = &filter.xsinfo;

	if (!filter.use)
		return 1;

	/* address criteria: the mask is the prefix length handed to xfrm_addr_match() */
	if (filter.id_src_mask &&
	    xfrm_addr_match(&xsinfo->saddr, &want->saddr, filter.id_src_mask))
		return 0;
	if (filter.id_dst_mask &&
	    xfrm_addr_match(&xsinfo->id.daddr, &want->id.daddr, filter.id_dst_mask))
		return 0;

	/* scalar criteria: any differing bit under the mask is a mismatch */
	if (((xsinfo->id.proto ^ want->id.proto) & filter.id_proto_mask) != 0)
		return 0;
	if (((xsinfo->id.spi ^ want->id.spi) & filter.id_spi_mask) != 0)
		return 0;
	if (((xsinfo->mode ^ want->mode) & filter.mode_mask) != 0)
		return 0;
	if (((xsinfo->reqid ^ want->reqid) & filter.reqid_mask) != 0)
		return 0;

	/* flags: at least one of the requested flag bits must be set */
	if (filter.state_flags_mask && !(xsinfo->flags & want->flags))
		return 0;

	return 1;
}

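/*
 * Print one XFRM state netlink message to the FILE passed in @arg.
 *
 * Accepts XFRM_MSG_NEWSA, XFRM_MSG_DELSA, XFRM_MSG_UPDSA and XFRM_MSG_EXPIRE;
 * any other type is reported on stderr and skipped.  Used both as an
 * rtnl_dump_filter() callback (@who is unused) and directly on a single
 * rtnl_talk() reply.
 *
 * Returns 0 when the message was printed or deliberately skipped (wrong type,
 * rejected by the filter), -1 when the message is malformed: payload shorter
 * than its fixed header, or a DELSA without a complete XFRMA_SA attribute.
 */
int xfrm_state_print(const struct sockaddr_nl *who, struct nlmsghdr *n,
		     void *arg)
{
	FILE *fp = (FILE*)arg;
	struct rtattr * tb[XFRMA_MAX+1];
	struct rtattr * rta;
	struct xfrm_usersa_info *xsinfo = NULL;
	struct xfrm_user_expire *xexp = NULL;
	struct xfrm_usersa_id	*xsid = NULL;
	int len = n->nlmsg_len;

	if (n->nlmsg_type != XFRM_MSG_NEWSA &&
	    n->nlmsg_type != XFRM_MSG_DELSA &&
	    n->nlmsg_type != XFRM_MSG_UPDSA &&
	    n->nlmsg_type != XFRM_MSG_EXPIRE) {
		fprintf(stderr, "Not a state: %08x %08x %08x\n",
			n->nlmsg_len, n->nlmsg_type, n->nlmsg_flags);
		return 0;
	}

	/*
	 * Each type carries a different fixed payload ahead of the attributes;
	 * after this block @len is the size of the attribute area only.
	 */
	if (n->nlmsg_type == XFRM_MSG_DELSA) {
		/* DELSA carries just the SA id; the state itself is in XFRMA_SA */
		xsid = NLMSG_DATA(n);
		len -= NLMSG_SPACE(sizeof(*xsid));
	} else if (n->nlmsg_type == XFRM_MSG_EXPIRE) {
		xexp = NLMSG_DATA(n);
		xsinfo = &xexp->state;
		len -= NLMSG_SPACE(sizeof(*xexp));
	} else {
		xsinfo = NLMSG_DATA(n);
		len -= NLMSG_SPACE(sizeof(*xsinfo));
	}

	/* reject before dereferencing anything past the netlink header */
	if (len < 0) {
		fprintf(stderr, "BUG: wrong nlmsg len %d\n", len);
		return -1;
	}

	/*
	 * The filter is applied only where the state is available up front;
	 * for DELSA xsinfo is still NULL here, so those are always printed.
	 */
	if (xsinfo && !xfrm_state_filter_match(xsinfo))
		return 0;

	if (n->nlmsg_type == XFRM_MSG_DELSA)
		fprintf(fp, "Deleted ");
	else if (n->nlmsg_type == XFRM_MSG_UPDSA)
		fprintf(fp, "Updated ");
	else if (n->nlmsg_type == XFRM_MSG_EXPIRE)
		fprintf(fp, "Expired ");

	if (n->nlmsg_type == XFRM_MSG_DELSA)
		rta = XFRMSID_RTA(xsid);
	else if (n->nlmsg_type == XFRM_MSG_EXPIRE)
		rta = XFRMEXP_RTA(xexp);
	else
		rta = XFRMS_RTA(xsinfo);

	parse_rtattr(tb, XFRMA_MAX, rta, len);

	if (n->nlmsg_type == XFRM_MSG_DELSA) {
		/* the full state is an attribute; check presence and size before use */
		if (!tb[XFRMA_SA]) {
			fprintf(stderr, "Buggy XFRM_MSG_DELSA: no XFRMA_SA\n");
			return -1;
		}
		if (RTA_PAYLOAD(tb[XFRMA_SA]) < sizeof(*xsinfo)) {
			fprintf(stderr, "Buggy XFRM_MSG_DELSA: too short XFRMA_SA len\n");
			return -1;
		}
		xsinfo = (struct xfrm_usersa_info *)RTA_DATA(tb[XFRMA_SA]);
	}

	xfrm_state_info_print(xsinfo, tb, fp, NULL, NULL);

	if (n->nlmsg_type == XFRM_MSG_EXPIRE) {
		fprintf(fp, "\t");
		fprintf(fp, "hard %u", xexp->hard);
		fprintf(fp, "%s", _SL_);
	}

	if (oneline)
		fprintf(fp, "\n");
	fflush(fp);

	return 0;
}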

/*
 * Implement "ip xfrm state get ID" and "ip xfrm state delete ID".
 *
 * Builds one XFRM_MSG_GETSA request (XFRM_MSG_DELSA when @delete is set)
 * keyed by the parsed ID: daddr, spi and proto fill the xfrm_usersa_id and
 * the source address travels as an XFRMA_SRCADDR attribute.  A GET reply is
 * printed to stdout via xfrm_state_print(); a DELETE expects no reply.
 * Netlink failures terminate the process, as elsewhere in this file.
 */
static int xfrm_state_get_or_delete(int argc, char **argv, int delete)
{
	struct rtnl_handle rth;
	struct {
		struct nlmsghdr 	n;
		struct xfrm_usersa_id	xsid;
		char   			buf[RTA_BUF_SIZE];
	} req;
	char *id_arg = NULL;	/* first ID token seen; a second one is rejected */

	memset(&req, 0, sizeof(req));
	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.xsid));
	req.n.nlmsg_flags = NLM_F_REQUEST;
	req.n.nlmsg_type = delete ? XFRM_MSG_DELSA : XFRM_MSG_GETSA;
	req.xsid.family = preferred_family;

	for (; argc > 0; argc--, argv++) {
		struct xfrm_id id;
		xfrm_address_t saddr;

		if (id_arg)
			invarg("unknown", *argv);
		id_arg = *argv;

		/* ID: the parser consumes its own tokens and is handed the family by pointer */
		memset(&id, 0, sizeof(id));
		memset(&saddr, 0, sizeof(saddr));
		xfrm_id_parse(&saddr, &id, &req.xsid.family, 0,
			      &argc, &argv);

		memcpy(&req.xsid.daddr, &id.daddr, sizeof(req.xsid.daddr));
		req.xsid.spi = id.spi;
		req.xsid.proto = id.proto;

		addattr_l(&req.n, sizeof(req.buf), XFRMA_SRCADDR,
			  (void *)&saddr, sizeof(saddr));
	}

	if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
		exit(1);

	/* no family given anywhere: default to IPv4 */
	if (req.xsid.family == AF_UNSPEC)
		req.xsid.family = AF_INET;

	if (delete) {
		if (rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL) < 0)
			exit(2);
	} else {
		char answer[NLMSG_BUF_SIZE];
		struct nlmsghdr *reply = (struct nlmsghdr *)answer;

		memset(answer, 0, sizeof(answer));
		if (rtnl_talk(&rth, &req.n, 0, 0, reply, NULL, NULL) < 0)
			exit(2);
		if (xfrm_state_print(NULL, reply, (void *)stdout) < 0) {
			fprintf(stderr, "An error :-)\n");
			exit(1);
		}
	}

	rtnl_close(&rth);

	return 0;
}

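/*
 * rtnl_dump_filter() callback for "deleteall": for every dumped state that
 * passes the filter, append an XFRM_MSG_DELSA request for it to the batch
 * buffer @arg (a struct xfrm_buffer).  The caller sends the whole batch.
 *
 * Returns 0 on success or when the message is skipped (not a NEWSA, or
 * filtered out), -1 when the message is malformed or the batch buffer has
 * no room left for another delete request.
 */
static int xfrm_state_keep(const struct sockaddr_nl *who,
			   struct nlmsghdr *n,
			   void *arg)
{
	struct xfrm_buffer *xb = (struct xfrm_buffer *)arg;
	struct rtnl_handle *rth = xb->rth;
	struct xfrm_usersa_info *xsinfo = NLMSG_DATA(n);
	int len = n->nlmsg_len;
	struct nlmsghdr *new_n;
	struct xfrm_usersa_id *xsid;
	int need;

	if (n->nlmsg_type != XFRM_MSG_NEWSA) {
		fprintf(stderr, "Not a state: %08x %08x %08x\n",
			n->nlmsg_len, n->nlmsg_type, n->nlmsg_flags);
		return 0;
	}

	/* the state must be complete before any of its fields are read */
	len -= NLMSG_LENGTH(sizeof(*xsinfo));
	if (len < 0) {
		fprintf(stderr, "BUG: wrong nlmsg len %d\n", len);
		return -1;
	}

	if (!xfrm_state_filter_match(xsinfo))
		return 0;

	/*
	 * Each queued delete is a netlink header + xfrm_usersa_id followed by
	 * one XFRMA_SRCADDR attribute.  Make sure the whole message fits in
	 * the space remaining after xb->offset before writing any of it.
	 */
	need = NLMSG_SPACE(sizeof(*xsid)) + RTA_SPACE(sizeof(xsinfo->saddr));
	if (xb->offset > xb->size || xb->size - xb->offset < need) {
		fprintf(stderr, "State buffer overflow\n");
		return -1;
	}

	new_n = (struct nlmsghdr *)(xb->buf + xb->offset);
	new_n->nlmsg_len = NLMSG_LENGTH(sizeof(*xsid));
	new_n->nlmsg_flags = NLM_F_REQUEST;
	new_n->nlmsg_type = XFRM_MSG_DELSA;
	new_n->nlmsg_seq = ++rth->seq;	/* one sequence number per queued request */

	xsid = NLMSG_DATA(new_n);
	xsid->family = xsinfo->family;
	memcpy(&xsid->daddr, &xsinfo->id.daddr, sizeof(xsid->daddr));
	xsid->spi = xsinfo->id.spi;
	xsid->proto = xsinfo->id.proto;

	/* bound the attribute by what is left in the batch, not the whole buffer */
	if (addattr_l(new_n, xb->size - xb->offset, XFRMA_SRCADDR,
		      &xsinfo->saddr, sizeof(xsinfo->saddr)) < 0) {
		fprintf(stderr, "State buffer overflow\n");
		return -1;
	}

	xb->offset += new_n->nlmsg_len;
	xb->nlmsg_count++;

	return 0;
}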

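/*
 * Run the delete-all rounds: dump every state matching the global filter,
 * let xfrm_state_keep() queue one XFRM_MSG_DELSA per state into @xb, send
 * the batch, and repeat until a dump round yields no states.
 * Terminates the process on any netlink failure.
 */
static void xfrm_state_deleteall_rounds(struct rtnl_handle *rth,
					struct xfrm_buffer *xb)
{
	int round;

	for (round = 0; ; round++) {
		xb->offset = 0;
		xb->nlmsg_count = 0;

		if (show_stats > 1)
			fprintf(stderr, "Delete-all round = %d\n", round);

		if (rtnl_wilddump_request(rth, preferred_family, XFRM_MSG_GETSA) < 0) {
			perror("Cannot send dump request");
			exit(1);
		}

		if (rtnl_dump_filter(rth, xfrm_state_keep, xb, NULL, NULL) < 0) {
			fprintf(stderr, "Delete-all terminated\n");
			exit(1);
		}
		if (xb->nlmsg_count == 0) {
			if (show_stats > 1)
				fprintf(stderr, "Delete-all completed\n");
			break;
		}

		/* perror() appends ": <strerror>\n" itself, so no newline in the prefix */
		if (rtnl_send(rth, xb->buf, xb->offset) < 0) {
			perror("Failed to send delete-all request");
			exit(1);
		}
		if (show_stats > 1)
			fprintf(stderr, "Delete-all nlmsg count = %d\n", xb->nlmsg_count);
	}
}

/*
 * Implement "ip xfrm state list [filter]" and "ip xfrm state deleteall [filter]".
 *
 * Any argument at all switches the global filter on; "mode", "reqid" and
 * "flag" set their criterion and mask, anything else is parsed as the ID.
 * With @deleteall set, matching states are deleted in batches (see
 * xfrm_state_deleteall_rounds()); otherwise they are printed to stdout.
 * Never returns: exits with 0 on success, non-zero on any failure.
 */
static int xfrm_state_list_or_deleteall(int argc, char **argv, int deleteall)
{
	char *idp = NULL;
	struct rtnl_handle rth;

	if (argc > 0)
		filter.use = 1;
	filter.xsinfo.family = preferred_family;

	while (argc > 0) {
		if (strcmp(*argv, "mode") == 0) {
			NEXT_ARG();
			xfrm_mode_parse(&filter.xsinfo.mode, &argc, &argv);

			filter.mode_mask = XFRM_FILTER_MASK_FULL;

		} else if (strcmp(*argv, "reqid") == 0) {
			NEXT_ARG();
			xfrm_reqid_parse(&filter.xsinfo.reqid, &argc, &argv);

			filter.reqid_mask = XFRM_FILTER_MASK_FULL;

		} else if (strcmp(*argv, "flag") == 0) {
			NEXT_ARG();
			xfrm_state_flag_parse(&filter.xsinfo.flags, &argc, &argv);

			filter.state_flags_mask = XFRM_FILTER_MASK_FULL;

		} else {
			/* anything unrecognised is taken as the ID, at most once */
			if (idp)
				invarg("unknown", *argv);
			idp = *argv;

			xfrm_id_parse(&filter.xsinfo.saddr, &filter.xsinfo.id,
				      &filter.xsinfo.family, 1, &argc, &argv);
			if (preferred_family == AF_UNSPEC)
				preferred_family = filter.xsinfo.family;
		}
		argc--; argv++;
	}

	if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
		exit(1);

	if (deleteall) {
		struct xfrm_buffer xb;
		char buf[NLMSG_DELETEALL_BUF_SIZE];

		xb.buf = buf;
		xb.size = sizeof(buf);
		xb.rth = &rth;
		xb.offset = 0;
		xb.nlmsg_count = 0;

		xfrm_state_deleteall_rounds(&rth, &xb);
	} else {
		if (rtnl_wilddump_request(&rth, preferred_family, XFRM_MSG_GETSA) < 0) {
			perror("Cannot send dump request");
			exit(1);
		}

		if (rtnl_dump_filter(&rth, xfrm_state_print, stdout, NULL, NULL) < 0) {
			fprintf(stderr, "Dump terminated\n");
			exit(1);
		}
	}

	rtnl_close(&rth);

	exit(0);
}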

/*
 * Implement "ip xfrm state flush [proto XFRM_PROTO]".
 *
 * Sends one XFRM_MSG_FLUSHSA request.  Without "proto" the protocol field
 * stays 0 from the memset(); with it, the named protocol is resolved through
 * xfrm_xfrmproto_getbyname().  Netlink failures terminate the process.
 */
static int xfrm_state_flush(int argc, char **argv)
{
	struct rtnl_handle rth;
	struct {
		struct nlmsghdr			n;
		struct xfrm_usersa_flush	xsf;
	} req;
	char *proto_arg = NULL;	/* "proto" keyword already seen; a repeat is rejected */

	/* zeroing the request also leaves xsf.proto at 0 */
	memset(&req, 0, sizeof(req));
	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.xsf));
	req.n.nlmsg_flags = NLM_F_REQUEST;
	req.n.nlmsg_type = XFRM_MSG_FLUSHSA;

	for (; argc > 0; argc--, argv++) {
		if (strcmp(*argv, "proto") == 0) {
			int proto;

			if (proto_arg)
				duparg("proto", *argv);
			proto_arg = *argv;

			NEXT_ARG();

			proto = xfrm_xfrmproto_getbyname(*argv);
			if (proto < 0)
				invarg("\"XFRM_PROTO\" is invalid", *argv);

			req.xsf.proto = (__u8)proto;
		} else {
			invarg("unknown", *argv);
		}
	}

	if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
		exit(1);

	if (show_stats > 1) {
		const char *proto_name = (req.xsf.proto == IPSEC_PROTO_ANY)
			? "any" : strxf_xfrmproto(req.xsf.proto);

		fprintf(stderr, "Flush state proto=%s\n", proto_name);
	}

	if (rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL) < 0)
		exit(2);

	rtnl_close(&rth);

	return 0;
}

/*
 * Entry point for "ip xfrm state ...": dispatch on the first argument.
 *
 * Sub-commands are matched with matches() in the order listed, so a prefix
 * such as "del" resolves to the first entry it matches.  No argument means
 * "list".  Unknown commands are reported and the process exits with -1;
 * "help" goes to usage() and, should that return, falls into the same path.
 */
int do_xfrm_state(int argc, char **argv)
{
	char *cmd;
	int rest_argc;
	char **rest_argv;

	if (argc < 1)
		return xfrm_state_list_or_deleteall(0, NULL, 0);

	cmd = *argv;
	rest_argc = argc - 1;
	rest_argv = argv + 1;

	if (matches(cmd, "add") == 0)
		return xfrm_state_modify(XFRM_MSG_NEWSA, 0, rest_argc, rest_argv);
	if (matches(cmd, "update") == 0)
		return xfrm_state_modify(XFRM_MSG_UPDSA, 0, rest_argc, rest_argv);
	if (matches(cmd, "allocspi") == 0)
		return xfrm_state_allocspi(rest_argc, rest_argv);
	if (matches(cmd, "delete") == 0)
		return xfrm_state_get_or_delete(rest_argc, rest_argv, 1);
	if (matches(cmd, "deleteall") == 0 || matches(cmd, "delall") == 0)
		return xfrm_state_list_or_deleteall(rest_argc, rest_argv, 1);
	if (matches(cmd, "list") == 0 || matches(cmd, "show") == 0 ||
	    matches(cmd, "lst") == 0)
		return xfrm_state_list_or_deleteall(rest_argc, rest_argv, 0);
	if (matches(cmd, "get") == 0)
		return xfrm_state_get_or_delete(rest_argc, rest_argv, 0);
	if (matches(cmd, "flush") == 0)
		return xfrm_state_flush(rest_argc, rest_argv);
	if (matches(cmd, "help") == 0)
		usage();

	fprintf(stderr, "Command \"%s\" is unknown, try \"ip xfrm state help\".\n", cmd);
	exit(-1);
}
