iproute2: support xfrm upper protocol gre key
authorTimo Teräs <timo.teras@iki.fi>
Tue, 23 Nov 2010 22:18:58 +0000 (22:18 +0000)
committerStephen Hemminger <stephen.hemminger@vyatta.com>
Tue, 30 Nov 2010 17:53:23 +0000 (09:53 -0800)
Similar to tunnel side: accept dotted-quad and number formats.
Use regular number for printing the key.

Signed-off-by: Timo Teräs <timo.teras@iki.fi>
ip/ipxfrm.c
ip/xfrm_policy.c
man/man8/ip.8

index 99a6756a3b2e31e1b62b7003b3c9e6580f8be9bf..9753822d9ba46598c9df09dabb2a66b025721afa 100644 (file)
@@ -483,6 +483,12 @@ void xfrm_selector_print(struct xfrm_selector *sel, __u16 family,
                if (sel->dport_mask)
                        fprintf(fp, "code %u ", ntohs(sel->dport));
                break;
+       case IPPROTO_GRE:
+               if (sel->sport_mask || sel->dport_mask)
+                       fprintf(fp, "key %u ",
+                               (((__u32)ntohs(sel->sport)) << 16) +
+                               ntohs(sel->dport));
+               break;
        case IPPROTO_MH:
                if (sel->sport_mask)
                        fprintf(fp, "type %u ", ntohs(sel->sport));
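Review bot: The new `IPPROTO_GRE` case prints a full 32-bit key as soon as either `sport_mask` or `dport_mask` is non-zero, so a selector with only one half masked is displayed as if the whole key were being matched. The parser added in this commit always sets both masks, but selectors installed by other netlink users may not, and the output would then overstate what the policy or state selects. A short comment above the case would also document the packing, for example `/* GRE key: sport carries the high 16 bits, dport the low 16 bits */`. The body of xfrm_selector_print continues outside this hunk.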
@@ -1086,6 +1092,7 @@ static int xfrm_selector_upspec_parse(struct xfrm_selector *sel,
        char *dportp = NULL;
        char *typep = NULL;
        char *codep = NULL;
+       char *grekey = NULL;
 
        while (1) {
                if (strcmp(*argv, "proto") == 0) {
@@ -1162,6 +1169,29 @@ static int xfrm_selector_upspec_parse(struct xfrm_selector *sel,
 
                        filter.upspec_dport_mask = XFRM_FILTER_MASK_FULL;
 
+               } else if (strcmp(*argv, "key") == 0) {
+                       unsigned uval;
+
+                       grekey = *argv;
+
+                       NEXT_ARG();
+
+                       if (strchr(*argv, '.'))
+                               uval = htonl(get_addr32(*argv));
+                       else {
+                               if (get_unsigned(&uval, *argv, 0)<0) {
+                                       fprintf(stderr, "invalid value of \"key\"\n");
+                                       exit(-1);
+                               }
+                       }
+
+                       sel->sport = htons(uval >> 16);
+                       sel->dport = htons(uval & 0xffff);
+                       sel->sport_mask = ~((__u16)0);
+                       sel->dport_mask = ~((__u16)0);
+
+                       filter.upspec_dport_mask = XFRM_FILTER_MASK_FULL;
+
                } else {
                        PREV_ARG(); /* back track */
                        break;
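Review bot: The `key` branch spreads the 32-bit GRE key over both `sel->sport` and `sel->dport` but marks only `filter.upspec_dport_mask` as full. Any list or deleteall path that consults the filter masks would presumably compare just the low 16 bits, and could then act on selectors that belong to a different GRE key. If the filter has the sport counterpart that the `sport`/`type` branches use (not visible in this hunk), set it too: `filter.upspec_sport_mask = XFRM_FILTER_MASK_FULL;`. Separately, the dotted-quad result is treated as a host-order integer afterwards (`uval >> 16`), so `ntohl(get_addr32(*argv))` would state the conversion direction correctly; it is the same operation as `htonl` but reads as intended. The enclosing xfrm_selector_upspec_parse starts and ends outside this hunk.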
@@ -1196,6 +1226,15 @@ static int xfrm_selector_upspec_parse(struct xfrm_selector *sel,
                        exit(1);
                }
        }
+       if (grekey) {
+               switch (sel->proto) {
+               case IPPROTO_GRE:
+                       break;
+               default:
+                       fprintf(stderr, "\"key\" is invalid with proto=%s\n", strxf_proto(sel->proto));
+                       exit(1);
+               }
+       }
 
        *argcp = argc;
        *argvp = argv;
index 121afa135e93e30097308a53f690840b694ae78f..dcb3da42efd19b67ca8326c960de70f0f1968169 100644 (file)
@@ -66,7 +66,8 @@ static void usage(void)
        fprintf(stderr, "SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]\n");
 
        fprintf(stderr, "UPSPEC := proto PROTO [ [ sport PORT ] [ dport PORT ] |\n");
-       fprintf(stderr, "                        [ type NUMBER ] [ code NUMBER ] ]\n");
+       fprintf(stderr, "                        [ type NUMBER ] [ code NUMBER ] |\n");
+       fprintf(stderr, "                        [ key { DOTTED_QUAD | NUMBER } ] ]\n");
 
        //fprintf(stderr, "DEV - device name(default=none)\n");
 
index 1a73efa66e9b8c7a4ccf0cccf92be9683367b5d1..c1e03f3fc1a16d5890329e07361a88daa9db9ba0 100644 (file)
@@ -547,7 +547,10 @@ throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"
 .RB " [ " type
 .IR NUMBER " ] "
 .RB " [ " code
-.IR NUMBER " ]] "
+.IR NUMBER " ] | "
+.br
+.RB " [ " key
+.IR KEY " ]] "
 
 .ti -8
 .IR LIMIT-LIST " := [ " LIMIT-LIST " ] |"
@@ -642,7 +645,10 @@ throw " | " unreachable " | " prohibit " | " blackhole " | " nat " ]"
 .RB " [ " type
 .IR NUMBER " ] "
 .RB " [ " code
-.IR NUMBER " ] ] "
+.IR NUMBER " ] | "
+.br
+.RB " [ " key
+.IR KEY " ] ] "
 
 .ti -8
 .IR ACTION " := "
@@ -2487,9 +2493,11 @@ is defined by source port
 .BR sport ", "
 destination port
 .BR dport ", " type
-as number and
+as number,
 .B code
-also number.
+also number and
+.BR key
+as dotted-quad or number.
 
 .TP
 .BI dev " DEV "
@@ -2556,11 +2564,10 @@ and the other choice is
 .TP
 .IR UPSPEC
 is specified by
-.BR sport ", "
-.BR dport ", " type
-and
-.B code
-(NUMBER).
+.BR sport " and " dport " (for UDP/TCP), "
+.BR type " and " code " (for ICMP; as number) or "
+.BR key " (for GRE; as dotted-quad or number)."
+.
 
 .SS ip xfrm monitor - is used for listing all objects or defined group of them.
 The