commit f3de468299d13204f47dd8e431750fcba33fcd29

Author: Christophe Gouault <christophe.gouault@6wind.com>

Date:   Thu Apr 9 17:39:32 2015 +0200

    xfrm: add command for configuring SPD hash table

    add a new command to configure the SPD hash table:

       ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]

    and code to display the SPD hash configuration:

      ip -s -s xfrm policy count

    hthresh4: defines minimum local and remote IPv4 prefix lengths of

    selectors to hash a policy. If prefix lengths are greater or equal

    to the thresholds, then the policy is hashed, otherwise it falls back

    in the policy_inexact chained list.

    hthresh6: defines minimum local and remote IPv6 prefix lengths of

    selectors to hash a policy, otherwise it falls back

    in the policy_inexact chained list.

    Example:

    % ip -s -s xfrm policy count

             SPD IN  0 OUT 0 FWD 0 (Sock: IN 0 OUT 0 FWD 0)

             SPD buckets: count 7 Max 1048576

             SPD IPv4 thresholds: local 32 remote 32

             SPD IPv6 thresholds: local 128 remote 128

    % ip xfrm pol set hthresh4 24 16 hthresh6 64 56

    % ip -s -s xfrm policy count

             SPD IN  0 OUT 0 FWD 0 (Sock: IN 0 OUT 0 FWD 0)

             SPD buckets: count 7 Max 1048576

             SPD IPv4 thresholds: local 24 remote 16

             SPD IPv6 thresholds: local 64 remote 56

    Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>

diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c

index 36e33c9..9ac4a89 100644

--- a/ip/xfrm_policy.c

+++ b/ip/xfrm_policy.c

@@ -64,7 +64,8 @@ static void usage(void)

 	fprintf(stderr, "        [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ]\n");

 	fprintf(stderr, "        [ flag FLAG-LIST ]\n");

 	fprintf(stderr, "Usage: ip xfrm policy flush [ ptype PTYPE ]\n");

-	fprintf(stderr, "Usage: ip xfrm count\n");

+	fprintf(stderr, "Usage: ip xfrm policy count\n");

+	fprintf(stderr, "Usage: ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]\n");

 	fprintf(stderr, "SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]\n");

 	fprintf(stderr, "UPSPEC := proto { { ");

 	fprintf(stderr, "%s | ", strxf_proto(IPPROTO_TCP));

@@ -935,7 +936,7 @@ static int print_spdinfo( struct nlmsghdr *n, void *arg)

 			fprintf(fp,")");

 		}

-		fprintf(fp,"\n");

+		fprintf(fp, "%s", _SL_);

 	}

 	if (show_stats > 1) {

 		struct xfrmu_spdhinfo *sh;

@@ -949,13 +950,109 @@ static int print_spdinfo( struct nlmsghdr *n, void *arg)

 			fprintf(fp,"\t SPD buckets:");

 			fprintf(fp," count %d", sh->spdhcnt);

 			fprintf(fp," Max %d", sh->spdhmcnt);

+			fprintf(fp, "%s", _SL_);

+		}

+		if (tb[XFRMA_SPD_IPV4_HTHRESH]) {

+			struct xfrmu_spdhthresh *th;

+			if (RTA_PAYLOAD(tb[XFRMA_SPD_IPV4_HTHRESH]) < sizeof(*th)) {

+				fprintf(stderr, "SPDinfo: Wrong len %d\n", len);

+				return -1;

+			}

+			th = RTA_DATA(tb[XFRMA_SPD_IPV4_HTHRESH]);

+			fprintf(fp,"\t SPD IPv4 thresholds:");

+			fprintf(fp," local %d", th->lbits);

+			fprintf(fp," remote %d", th->rbits);

+			fprintf(fp, "%s", _SL_);

+

+		}

+		if (tb[XFRMA_SPD_IPV6_HTHRESH]) {

+			struct xfrmu_spdhthresh *th;

+			if (RTA_PAYLOAD(tb[XFRMA_SPD_IPV6_HTHRESH]) < sizeof(*th)) {

+				fprintf(stderr, "SPDinfo: Wrong len %d\n", len);

+				return -1;

+			}

+			th = RTA_DATA(tb[XFRMA_SPD_IPV6_HTHRESH]);

+			fprintf(fp,"\t SPD IPv6 thresholds:");

+			fprintf(fp," local %d", th->lbits);

+			fprintf(fp," remote %d", th->rbits);

+			fprintf(fp, "%s", _SL_);

 		}

 	}

-	fprintf(fp,"\n");

+

+	if (oneline)

+		fprintf(fp, "\n");

         return 0;

 }

+static int xfrm_spd_setinfo(int argc, char **argv)

+{

+	struct rtnl_handle rth;

+	struct {

+		struct nlmsghdr			n;

+		__u32				flags;

+		char				buf[RTA_BUF_SIZE];

+	} req;

+

+	char *thr4 = NULL;

+	char *thr6 = NULL;

+

+	memset(&req, 0, sizeof(req));

+

+	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(__u32));

+	req.n.nlmsg_flags = NLM_F_REQUEST;

+	req.n.nlmsg_type = XFRM_MSG_NEWSPDINFO;

+	req.flags = 0XFFFFFFFF;

+

+	while (argc > 0) {

+		if (strcmp(*argv, "hthresh4") == 0) {

+			struct xfrmu_spdhthresh thr;

+

+			if (thr4)

+				duparg("hthresh4", *argv);

+			thr4 = *argv;

+			NEXT_ARG();

+			if (get_u8(&thr.lbits, *argv, 0) || thr.lbits > 32)

+				invarg("hthresh4 LBITS value is invalid", *argv);

+			NEXT_ARG();

+			if (get_u8(&thr.rbits, *argv, 0) || thr.rbits > 32)

+				invarg("hthresh4 RBITS value is invalid", *argv);

+

+			addattr_l(&req.n, sizeof(req), XFRMA_SPD_IPV4_HTHRESH,

+				  (void *)&thr, sizeof(thr));

+		} else if (strcmp(*argv, "hthresh6") == 0) {

+			struct xfrmu_spdhthresh thr;

+

+			if (thr6)

+				duparg("hthresh6", *argv);

+			thr6 = *argv;

+			NEXT_ARG();

+			if (get_u8(&thr.lbits, *argv, 0) || thr.lbits > 128)

+				invarg("hthresh6 LBITS value is invalid", *argv);

+			NEXT_ARG();

+			if (get_u8(&thr.rbits, *argv, 0) || thr.rbits > 128)

+				invarg("hthresh6 RBITS value is invalid", *argv);

+

+			addattr_l(&req.n, sizeof(req), XFRMA_SPD_IPV6_HTHRESH,

+				  (void *)&thr, sizeof(thr));

+		} else {

+			invarg("unknown", *argv);

+		}

+

+		argc--; argv++;

+	}

+

+	if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)

+		exit(1);

+

+	if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)

+		exit(2);

+

+	rtnl_close(&rth);

+

+	return 0;

+}

+

 static int xfrm_spd_getinfo(int argc, char **argv)

 {

 	struct rtnl_handle rth;

@@ -1059,6 +1156,8 @@ int do_xfrm_policy(int argc, char **argv)

 		return xfrm_policy_flush(argc-1, argv+1);

 	if (matches(*argv, "count") == 0)

 		return xfrm_spd_getinfo(argc, argv);

+	if (matches(*argv, "set") == 0)

+		return xfrm_spd_setinfo(argc-1, argv+1);

 	if (matches(*argv, "help") == 0)

 		usage();

 	fprintf(stderr, "Command \"%s\" is unknown, try \"ip xfrm policy help\".\n", *argv);

commit 0b1562a4459c59d79ecabcf919e3db423a2c321d

Author: Christophe Gouault <christophe.gouault@6wind.com>

Date:   Thu Apr 9 17:39:33 2015 +0200

    xfrm: revise man page and document ip xfrm policy set

    - document ip xfrm policy set

    - update ip xfrm monitor documentation

    - in DESCRIPTION section, reorganize grouping of commands

    Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>

diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8

index 2d31b4d..e305c0b 100644

--- a/man/man8/ip-xfrm.8

+++ b/man/man8/ip-xfrm.8

@@ -252,6 +252,13 @@ ip-xfrm \- transform configuration

 .B "ip xfrm policy count"

 .ti -8

+.B "ip xfrm policy set"

+.RB "[ " hthresh4

+.IR LBITS " " RBITS " ]"

+.RB "[ " hthresh6

+.IR LBITS " " RBITS " ]"

+

+.ti -8

 .IR SELECTOR " :="

 .RB "[ " src

 .IR ADDR "[/" PLEN "] ]"

@@ -355,6 +362,13 @@ ip-xfrm \- transform configuration

 .BR "ip xfrm monitor" " [ " all " |"

 .IR LISTofXFRM-OBJECTS " ]"

+.ti -8

+.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT

+

+.ti -8

+.IR XFRM-OBJECT " := "

+.BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report

+

 .in -8

 .ad b

@@ -380,7 +394,6 @@ ip xfrm state deleteall	delete all existing state in xfrm

 ip xfrm state list	print out the list of existing state in xfrm

 ip xfrm state flush	flush all state in xfrm

 ip xfrm state count	count all existing state in xfrm

-ip xfrm monitor 	state monitoring for xfrm objects

 .TE

 .TP

@@ -502,7 +515,9 @@ encapsulates packets with protocol

 .BR espinudp " or " espinudp-nonike ","

 .RI "using source port " SPORT ", destination port "  DPORT

 .RI ", and original address " OADDR "."

+

 .sp

+.PP

 .TS

 l l.

 ip xfrm policy add	add a new policy

@@ -512,7 +527,6 @@ ip xfrm policy get	get an existing policy

 ip xfrm policy deleteall	delete all existing xfrm policies

 ip xfrm policy list	print out the list of xfrm policies

 ip xfrm policy flush	flush policies

-ip xfrm policy count	count existing policies

 .TE

 .TP

@@ -607,7 +621,50 @@ and inbound trigger

 can be

 .BR required " (default) or " use "."

+.sp

+.PP

+.TS

+l l.

+ip xfrm policy count	count existing policies

+.TE

+

+.PP

+Use one or more -s options to display more details, including policy hash table

+information.

+

+.sp

+.PP

+.TS

+l l.

+ip xfrm policy set	configure the policy hash table

+.TE

+

+.PP

+Security policies whose address prefix lengths are greater than or equal

+policy hash table thresholds are hashed. Others are stored in the

+policy_inexact chained list.

+

+.TP

+.I LBITS

+specifies the minimum local address prefix length of policies that are

+stored in the Security Policy Database hash table.

+

+.TP

+.I RBITS

+specifies the minimum remote address prefix length of policies that are

+stored in the Security Policy Database hash table.

+

+.sp

+.PP

+.TS

+l l.

+ip xfrm monitor 	state monitoring for xfrm objects

+.TE

+

+.PP

 The xfrm objects to monitor can be optionally specified.

 .SH AUTHOR

 Manpage revised by David Ward <david.ward@ll.mit.edu>

+.br

+Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>

commit 5bf9f5c5a0f2d8a0fdb06c60242ff805177a4d73

Author: Vadim Kochan <vadim4j@gmail.com>

Date:   Sat Feb 14 19:45:04 2015 +0200

    ip xfrm: Allow to specify "all" option for monitor

    Just to be aligned with the usage output.

    Signed-off-by: Vadim Kochan <vadim4j@gmail.com>

diff --git a/ip/xfrm_monitor.c b/ip/xfrm_monitor.c

index 79453e4..8aa6f49 100644

--- a/ip/xfrm_monitor.c

+++ b/ip/xfrm_monitor.c

@@ -374,7 +374,7 @@ int do_xfrm_monitor(int argc, char **argv)

 			groups = 0;

 		} else if (matches(*argv, "help") == 0) {

 			usage();

-		} else {

+		} else if (strcmp(*argv, "all")) {

 			fprintf(stderr, "Argument \"%s\" is unknown, try \"ip xfrm monitor help\".\n", *argv);

 			exit(-1);

 		}