    xfrm: interface: support collect metadata mode · abc340b3
    Committed by Eyal Birger
    This commit adds support for 'collect_md' mode on xfrm interfaces.
    
    Each net can have one collect_md device, created by providing the
    IFLA_XFRM_COLLECT_METADATA flag at creation. This device cannot be
    altered and has no if_id or link device attributes.
    
    On transmit to this device, the if_id is fetched from the attached dst
    metadata on the skb. If it exists, the link property is also fetched from
    the metadata. The dst metadata type used is METADATA_XFRM which holds
    these properties.
    
    On the receive side, xfrmi_rcv_cb() populates a dst metadata for each
    packet received and attaches it to the skb. The if_id used in this case is
    fetched from the xfrm state, and the link is fetched from the incoming
    device. This information can later be used by upper layers such as tc,
    ebpf, and ip rules.
    
    Because the skb is scrubbed in xfrmi_rcv_cb(), the attachment of the dst
    metadata is postponed until after scrubbing. Similarly, xfrm_input() is
    adapted to avoid dropping metadata dsts by only dropping 'valid'
    (skb_valid_dst(skb) == true) dsts.
    
    Policy matching on packets arriving from collect_md xfrmi devices is
    done by using the xfrm state existing in the skb's sec_path.
    The xfrm_if_cb.decode_cb() interface implemented by xfrmi_decode_session()
    is changed to keep the details of the if_id extraction tucked away
    in xfrm_interface.c.
    Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
    Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
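The creation path the commit describes, as an added example that is not part of the kernel commit or of iproute2: it builds the RTM_NEWLINK netlink request for a collect_md xfrm device, carrying only the IFLA_XFRM_COLLECT_METADATA flag inside IFLA_INFO_DATA and no IFLA_XFRM_IF_ID or IFLA_XFRM_LINK attribute, and decodes it back to check that. The numeric constants are those of the Linux UAPI headers; the interface name "xfrmmd0" is a constructed sample.

```python
import socket
import struct

# Constants from linux/netlink.h, linux/rtnetlink.h and linux/if_link.h.
RTM_NEWLINK = 16
NLM_F_REQUEST, NLM_F_ACK, NLM_F_EXCL, NLM_F_CREATE = 0x1, 0x4, 0x200, 0x400
IFLA_IFNAME, IFLA_LINKINFO = 3, 18
IFLA_INFO_KIND, IFLA_INFO_DATA = 1, 2
# enum { IFLA_XFRM_UNSPEC, IFLA_XFRM_LINK, IFLA_XFRM_IF_ID, IFLA_XFRM_COLLECT_METADATA }
IFLA_XFRM_LINK, IFLA_XFRM_IF_ID, IFLA_XFRM_COLLECT_METADATA = 1, 2, 3


def nla(attr_type, payload):
    """Encode one netlink attribute: 4-byte header, payload padded to 4 bytes."""
    return struct.pack("=HH", 4 + len(payload), attr_type) + payload + b"\0" * (-len(payload) % 4)


def parse_nlas(buf):
    """Decode a flat run of attributes into {type: payload} (used to verify the request)."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        length, attr_type = struct.unpack_from("=HH", buf, off)
        attrs[attr_type] = buf[off + 4:off + length]
        off += (length + 3) & ~3
    return attrs


def build_collect_md_xfrmi(ifname, seq=1):
    """RTM_NEWLINK request creating an xfrm device in collect_md mode."""
    # Zero-length flag attribute; its presence alone selects collect_md.
    # The device has no if_id or link, so neither IFLA_XFRM_IF_ID nor IFLA_XFRM_LINK is sent.
    info_data = nla(IFLA_XFRM_COLLECT_METADATA, b"")
    linkinfo = nla(IFLA_INFO_KIND, b"xfrm\0") + nla(IFLA_INFO_DATA, info_data)
    attrs = nla(IFLA_IFNAME, ifname.encode() + b"\0") + nla(IFLA_LINKINFO, linkinfo)
    # struct ifinfomsg: family, pad, type, index (0 = new device), flags, change
    payload = struct.pack("=BBHiII", socket.AF_UNSPEC, 0, 0, 0, 0, 0) + attrs
    nlh = struct.pack("=IHHII", 16 + len(payload), RTM_NEWLINK,
                      NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE, seq, 0)
    return nlh + payload


def xfrm_link_data(msg):
    """Return the IFLA_INFO_DATA attributes of a request built above."""
    top = parse_nlas(msg[32:])                  # skip nlmsghdr (16) + ifinfomsg (16)
    linkinfo = parse_nlas(top[IFLA_LINKINFO])
    return parse_nlas(linkinfo[IFLA_INFO_DATA])
```

Sending the returned bytes over an AF_NETLINK/NETLINK_ROUTE socket needs CAP_NET_ADMIN and a kernel carrying this commit; older kernels reject the unknown attribute.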