xfrm_policy: Add filter option for socket policies

Listing policies on systems with a lot of socket policies can be
confusing due to the number of returned polices. Even if socket polices
are not of interest, they cannot be filtered. This patch adds an option
to filter all socket policies from the output.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

diff --git a/ip/xfrm.h b/ip/xfrm.h
index 54d80ce5e9497625e790ad04ca2ab1cb3d0fd2af..8566d639facf9fa86999cf29e940c7d0fb1b16fa 100644 (file)
--- a/ip/xfrm.h
+++ b/ip/xfrm.h
@@ -90,6 +90,7 @@ struct xfrm_filter {
        __u8 action_mask;
        __u32 priority_mask;
        __u8 policy_flags_mask;
+       __u8 filter_socket;
 
        __u8 ptype;
        __u8 ptype_mask;

diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c
index de689c4d86c4df0223bb05033c2b0156014b2a0a..0c86a52a7d6e21333cc8e10b4fe13739b4f1243c 100644 (file)
--- a/ip/xfrm_policy.c
+++ b/ip/xfrm_policy.c
@@ -58,7 +58,7 @@ static void usage(void)
        fprintf(stderr, "        [ LIMIT-LIST ] [ TMPL-LIST ]\n");
        fprintf(stderr, "Usage: ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR\n");
        fprintf(stderr, "        [ ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]\n");
-       fprintf(stderr, "Usage: ip xfrm policy { deleteall | list } [ SELECTOR ] [ dir DIR ]\n");
+       fprintf(stderr, "Usage: ip xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ] [ dir DIR ]\n");
        fprintf(stderr, "        [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ]\n");
        fprintf(stderr, "        [ flag FLAG-LIST ]\n");
        fprintf(stderr, "Usage: ip xfrm policy flush [ ptype PTYPE ]\n");
@@ -403,6 +403,9 @@ static int xfrm_policy_filter_match(struct xfrm_userpolicy_info *xpinfo,
        if ((xpinfo->dir^filter.xpinfo.dir)&filter.dir_mask)
                return 0;
 
+       if (filter.filter_socket && (xpinfo->dir >= XFRM_POLICY_MAX))
+               return 0;
+
        if ((ptype^filter.ptype)&filter.ptype_mask)
                return 0;
 
@@ -806,6 +809,9 @@ static int xfrm_policy_list_or_deleteall(int argc, char **argv, int deleteall)
 
                        filter.policy_flags_mask = XFRM_FILTER_MASK_FULL;
 
+               } else if (strcmp(*argv, "nosock") == 0) {
+                       /* filter all socket-based policies */
+                       filter.filter_socket = 1;
                } else {
                        if (selp)
                                invarg("unknown", *argv);