Red Hat Bugzilla – Attachment 1448351 Details for
Bug 1588041
MACsec interfaces created by NM have send-sci disabled
[patch]
[PATCH] macsec: enable send-sci by default and make the option configurable
0001-macsec-enable-send-sci-by-default-and-make-the-optio.patch (text/plain), 7.00 KB, created by
Beniamino Galvani
on 2018-06-06 14:05:11 UTC
Description:
[PATCH] macsec: enable send-sci by default and make the option configurable
Filename:
MIME Type:
Creator:
Beniamino Galvani
Created:
2018-06-06 14:05:11 UTC
Size:
7.00 KB
patch
obsolete
>From ada07b5ca47e0ec0000210d5a8d3df5d1776e756 Mon Sep 17 00:00:00 2001
>From: Beniamino Galvani <bgalvani@redhat.com>
>Date: Wed, 6 Jun 2018 15:26:17 +0200
>Subject: [PATCH] macsec: enable send-sci by default and make the option
> configurable
>
>It is safer to enable send-sci by default because, at the cost of
>8-byte overhead, it makes MACsec work over bridges (note that kernel
>also enables it by default). While at it, also make the option
>configurable.
>---
> clients/common/nm-meta-setting-desc.c | 3 ++
> clients/common/settings-docs.h.in | 1 +
> libnm-core/nm-setting-macsec.c | 40 ++++++++++++++++++++++++++-
> libnm-core/nm-setting-macsec.h | 3 ++
> libnm/libnm.ver | 1 +
> src/devices/nm-device-macsec.c | 1 +
> 6 files changed, 48 insertions(+), 1 deletion(-)
>
>diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c
>index 2988b084b..1a65b8790 100644
>--- a/clients/common/nm-meta-setting-desc.c
>+++ b/clients/common/nm-meta-setting-desc.c
>@@ -6221,6 +6221,9 @@ static const NMMetaPropertyInfo *const property_infos_MACSEC[] = {
> | NM_META_PROPERTY_TYP_FLAG_ENUM_GET_PRETTY_TEXT,
> ),
> ),
>+ PROPERTY_INFO_WITH_DESC (NM_SETTING_MACSEC_SEND_SCI,
>+ .property_type = &_pt_gobject_bool,
>+ ),
> NULL
> };
>
>diff --git a/clients/common/settings-docs.h.in b/clients/common/settings-docs.h.in
>index 06f96a4e1..ea0ef51e0 100644
>--- a/clients/common/settings-docs.h.in
>+++ b/clients/common/settings-docs.h.in
>@@ -260,6 +260,7 @@
> #define DESCRIBE_DOC_NM_SETTING_MACSEC_NAME N_("The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example \"ppp\" or \"wireless\" or \"wired\".")
> #define DESCRIBE_DOC_NM_SETTING_MACSEC_PARENT N_("If given, specifies the parent interface name or parent connection UUID from which this MACSEC interface should be created. If this property is not specified, the connection must contain an \"802-3-ethernet\" setting with a \"mac-address\" property.")
> #define DESCRIBE_DOC_NM_SETTING_MACSEC_PORT N_("The port component of the SCI (Secure Channel Identifier), between 1 and 65534.")
>+#define DESCRIBE_DOC_NM_SETTING_MACSEC_SEND_SCI N_("Specifies whether the SCI (Secure Channel Identifier) is included in every packet.")
> #define DESCRIBE_DOC_NM_SETTING_MACSEC_VALIDATION N_("Specifies the validation mode for incoming frames.")
> #define DESCRIBE_DOC_NM_SETTING_MACVLAN_MODE N_("The macvlan mode, which specifies the communication mechanism between multiple macvlans on the same lower device.")
> #define DESCRIBE_DOC_NM_SETTING_MACVLAN_NAME N_("The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example \"ppp\" or \"wireless\" or \"wired\".")
>diff --git a/libnm-core/nm-setting-macsec.c b/libnm-core/nm-setting-macsec.c
>index 7a8a5a34a..92ebafa62 100644
>--- a/libnm-core/nm-setting-macsec.c
>+++ b/libnm-core/nm-setting-macsec.c
>@@ -49,7 +49,8 @@ NM_SETTING_REGISTER_TYPE (NM_TYPE_SETTING_MACSEC)
> typedef struct {
> char *parent;
> NMSettingMacsecMode mode;
>- gboolean encrypt;
>+ bool encrypt:1;
>+ bool send_sci:1;
> char *mka_cak;
> NMSettingSecretFlags mka_cak_flags;
> char *mka_ckn;
>@@ -66,6 +67,7 @@ NM_GOBJECT_PROPERTIES_DEFINE_BASE (
> PROP_MKA_CKN,
> PROP_PORT,
> PROP_VALIDATION,
>+ PROP_SEND_SCI,
> );
>
> /**
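Review bot: The two 1-bit fields added to the private struct (`encrypt:1`, `send_sci:1`) only behave correctly because they are declared `bool`: a `gboolean` assigned to them, as `set_property` does with `g_value_get_boolean()`, is normalised to 0 or 1, whereas a `gboolean` or `guint` bit-field would keep only the low bit. A one-line comment above them would stop a later cleanup from changing the type, e.g. `/* keep as bool: a non-zero gboolean must normalise to 1 in a 1-bit field */`. The struct continues past the end of the hunk.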
>@@ -204,6 +206,21 @@ nm_setting_macsec_get_validation (NMSettingMacsec *setting)
> return NM_SETTING_MACSEC_GET_PRIVATE (setting)->validation;
> }
>
>+/**
>+ * nm_setting_macsec_get_send_sci:
>+ * @setting: the #NMSettingMacsec
>+ *
>+ * Returns: the #NMSettingMacsec:send-sci property of the setting
>+ *
>+ * Since: 1.12
>+ **/
>+gboolean
>+nm_setting_macsec_get_send_sci (NMSettingMacsec *setting)
>+{
>+ g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), TRUE);
>+ return NM_SETTING_MACSEC_GET_PRIVATE (setting)->send_sci;
>+}
>+
> static GPtrArray *
> need_secrets (NMSetting *setting)
> {
>@@ -390,6 +407,9 @@ set_property (GObject *object, guint prop_id,
> case PROP_VALIDATION:
> priv->validation = g_value_get_int (value);
> break;
>+ case PROP_SEND_SCI:
>+ priv->send_sci = g_value_get_boolean (value);
>+ break;
> default:
> G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
> break;
>@@ -428,6 +448,9 @@ get_property (GObject *object, guint prop_id,
> case PROP_VALIDATION:
> g_value_set_int (value, priv->validation);
> break;
>+ case PROP_SEND_SCI:
>+ g_value_set_boolean (value, priv->send_sci);
>+ break;
> default:
> G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
> break;
>@@ -588,5 +611,20 @@ nm_setting_macsec_class_init (NMSettingMacsecClass *setting_class)
> NM_SETTING_PARAM_INFERRABLE |
> G_PARAM_STATIC_STRINGS);
>
>+ /**
>+ * NMSettingMacsec:send-sci:
>+ *
>+ * Specifies whether the SCI (Secure Channel Identifier) is included
>+ * in every packet.
>+ *
>+ * Since: 1.12
>+ **/
>+ obj_properties[PROP_SEND_SCI] =
>+ g_param_spec_boolean (NM_SETTING_MACSEC_SEND_SCI, "", "",
>+ TRUE,
>+ G_PARAM_READWRITE |
>+ G_PARAM_CONSTRUCT |
>+ G_PARAM_STATIC_STRINGS);
>+
> g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
> }
>diff --git a/libnm-core/nm-setting-macsec.h b/libnm-core/nm-setting-macsec.h
>index 6a524faab..0f545007b 100644
>--- a/libnm-core/nm-setting-macsec.h
>+++ b/libnm-core/nm-setting-macsec.h
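Review bot: The doc comment for `NMSettingMacsec:send-sci` in the class_init hunk does not state that the property defaults to TRUE or what turning it off costs, which is what an administrator needs in order to decide whether to change it. I would extend it with a sentence such as `Defaults to TRUE; disabling saves 8 bytes per frame but, per the commit message, MACsec then does not work over bridges.` Separately, the new flags omit `NM_SETTING_PARAM_INFERRABLE`, which the property just above in the context carries; it is worth confirming that this is intentional. nm_setting_macsec_class_init starts outside the hunk.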
>@@ -47,6 +47,7 @@ G_BEGIN_DECLS
> #define NM_SETTING_MACSEC_MKA_CKN "mka-ckn"
> #define NM_SETTING_MACSEC_PORT "port"
> #define NM_SETTING_MACSEC_VALIDATION "validation"
>+#define NM_SETTING_MACSEC_SEND_SCI "send-sci"
>
> /**
> * NMSettingMacsec:
>@@ -122,6 +123,8 @@ NM_AVAILABLE_IN_1_6
> int nm_setting_macsec_get_port (NMSettingMacsec *setting);
> NM_AVAILABLE_IN_1_6
> NMSettingMacsecValidation nm_setting_macsec_get_validation (NMSettingMacsec *setting);
>+NM_AVAILABLE_IN_1_12
>+gboolean nm_setting_macsec_get_send_sci (NMSettingMacsec *setting);
>
> G_END_DECLS
>
>diff --git a/libnm/libnm.ver b/libnm/libnm.ver
>index ec1b91dad..e3c63b25e 100644
>--- a/libnm/libnm.ver
>+++ b/libnm/libnm.ver
>@@ -1355,6 +1355,7 @@ global:
> nm_setting_connection_get_mdns;
> nm_setting_connection_mdns_get_type;
> nm_setting_ip_tunnel_get_flags;
>+ nm_setting_macsec_get_send_sci;
> nm_setting_vpn_get_data_keys;
> nm_setting_vpn_get_secret_keys;
> nm_setting_wireless_security_get_fils;
>diff --git a/src/devices/nm-device-macsec.c b/src/devices/nm-device-macsec.c
>index 4eaf54697..166bfb57a 100644
>--- a/src/devices/nm-device-macsec.c
>+++ b/src/devices/nm-device-macsec.c
>@@ -704,6 +704,7 @@ create_and_realize (NMDevice *device,
> sci.s.port = htons (nm_setting_macsec_get_port (s_macsec));
> lnk.sci = be64toh (sci.u);
> lnk.validation = nm_setting_macsec_get_validation (s_macsec);
>+ lnk.include_sci = nm_setting_macsec_get_send_sci (s_macsec);
>
> parent_ifindex = nm_device_get_ifindex (parent);
> g_warn_if_fail (parent_ifindex > 0);
>--
>2.17.0
>
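Review bot: The new `lnk.include_sci` assignment in create_and_realize changes the frames sent by MACsec profiles saved before this patch, not only new ones, because such profiles have no stored value and presumably pick up the TRUE default. That appears to be the intent of the bug, but a short comment would make it explicit, e.g. `/* send-sci defaults to TRUE: profiles without the key now include the SCI */`, and the change likely deserves a release-note entry so operators can check peer compatibility. The hunk shows only the creation path; whether a changed value reaches an already-realized interface cannot be seen here. create_and_realize begins and ends outside the hunk.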