Attachment 1448351 Details for Bug 1588041 – [PATCH] macsec: enable send-sci by default and make the option configurable

[patch] [PATCH] macsec: enable send-sci by default and make the option configurable

0001-macsec-enable-send-sci-by-default-and-make-the-optio.patch (text/plain), 7.00 KB, created by Beniamino Galvani on 2018-06-06 14:05:11 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Beniamino Galvani

Created: 2018-06-06 14:05:11 UTC

Size: 7.00 KB

patch

obsolete

>From ada07b5ca47e0ec0000210d5a8d3df5d1776e756 Mon Sep 17 00:00:00 2001
>From: Beniamino Galvani <bgalvani@redhat.com>
>Date: Wed, 6 Jun 2018 15:26:17 +0200
>Subject: [PATCH] macsec: enable send-sci by default and make the option
> configurable
>
>It is safer to enable send-sci by default because, at the cost of
>8-byte overhead, it makes MACsec work over bridges (note that kernel
>also enables it by default). While at it, also make the option
>configurable.
>---
> clients/common/nm-meta-setting-desc.c |  3 ++
> clients/common/settings-docs.h.in     |  1 +
> libnm-core/nm-setting-macsec.c        | 40 ++++++++++++++++++++++++++-
> libnm-core/nm-setting-macsec.h        |  3 ++
> libnm/libnm.ver                       |  1 +
> src/devices/nm-device-macsec.c        |  1 +
> 6 files changed, 48 insertions(+), 1 deletion(-)
>
>diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c
>index 2988b084b..1a65b8790 100644
>--- a/clients/common/nm-meta-setting-desc.c
>+++ b/clients/common/nm-meta-setting-desc.c
>@@ -6221,6 +6221,9 @@ static const NMMetaPropertyInfo *const property_infos_MACSEC[] = {
> 			                            | NM_META_PROPERTY_TYP_FLAG_ENUM_GET_PRETTY_TEXT,
> 		),
> 	),
>+	PROPERTY_INFO_WITH_DESC (NM_SETTING_MACSEC_SEND_SCI,
>+		.property_type =                &_pt_gobject_bool,
>+	),
> 	NULL
> };
> 
>diff --git a/clients/common/settings-docs.h.in b/clients/common/settings-docs.h.in
>index 06f96a4e1..ea0ef51e0 100644
>--- a/clients/common/settings-docs.h.in
>+++ b/clients/common/settings-docs.h.in
>@@ -260,6 +260,7 @@
> #define DESCRIBE_DOC_NM_SETTING_MACSEC_NAME N_("The setting's name, which uniquely identifies the setting within the connection.  Each setting type has a name unique to that type, for example \"ppp\" or \"wireless\" or \"wired\".")
> #define DESCRIBE_DOC_NM_SETTING_MACSEC_PARENT N_("If given, specifies the parent interface name or parent connection UUID from which this MACSEC interface should be created.  If this property is not specified, the connection must contain an \"802-3-ethernet\" setting with a \"mac-address\" property.")
> #define DESCRIBE_DOC_NM_SETTING_MACSEC_PORT N_("The port component of the SCI (Secure Channel Identifier), between 1 and 65534.")
>+#define DESCRIBE_DOC_NM_SETTING_MACSEC_SEND_SCI N_("Specifies whether the SCI (Secure Channel Identifier) is included in every packet.")
> #define DESCRIBE_DOC_NM_SETTING_MACSEC_VALIDATION N_("Specifies the validation mode for incoming frames.")
> #define DESCRIBE_DOC_NM_SETTING_MACVLAN_MODE N_("The macvlan mode, which specifies the communication mechanism between multiple macvlans on the same lower device.")
> #define DESCRIBE_DOC_NM_SETTING_MACVLAN_NAME N_("The setting's name, which uniquely identifies the setting within the connection.  Each setting type has a name unique to that type, for example \"ppp\" or \"wireless\" or \"wired\".")
>diff --git a/libnm-core/nm-setting-macsec.c b/libnm-core/nm-setting-macsec.c
>index 7a8a5a34a..92ebafa62 100644
>--- a/libnm-core/nm-setting-macsec.c
>+++ b/libnm-core/nm-setting-macsec.c
>@@ -49,7 +49,8 @@ NM_SETTING_REGISTER_TYPE (NM_TYPE_SETTING_MACSEC)
> typedef struct {
> 	char *parent;
> 	NMSettingMacsecMode mode;
>-	gboolean encrypt;
>+	bool encrypt:1;
>+	bool send_sci:1;
> 	char *mka_cak;
> 	NMSettingSecretFlags mka_cak_flags;
> 	char *mka_ckn;
>@@ -66,6 +67,7 @@ NM_GOBJECT_PROPERTIES_DEFINE_BASE (
> 	PROP_MKA_CKN,
> 	PROP_PORT,
> 	PROP_VALIDATION,
>+	PROP_SEND_SCI,
> );
> 
> /**
>@@ -204,6 +206,21 @@ nm_setting_macsec_get_validation (NMSettingMacsec *setting)
> 	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->validation;
> }
> 
>+/**
>+ * nm_setting_macsec_get_send_sci:
>+ * @setting: the #NMSettingMacsec
>+ *
>+ * Returns: the #NMSettingMacsec:send-sci property of the setting
>+ *
>+ * Since: 1.12
>+ **/
>+gboolean
>+nm_setting_macsec_get_send_sci (NMSettingMacsec *setting)
>+{
>+	g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), TRUE);
>+	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->send_sci;
>+}
>+
> static GPtrArray *
> need_secrets (NMSetting *setting)
> {
>@@ -390,6 +407,9 @@ set_property (GObject *object, guint prop_id,
> 	case PROP_VALIDATION:
> 		priv->validation = g_value_get_int (value);
> 		break;
>+	case PROP_SEND_SCI:
>+		priv->send_sci = g_value_get_boolean (value);
>+		break;
> 	default:
> 		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
> 		break;
>@@ -428,6 +448,9 @@ get_property (GObject *object, guint prop_id,
> 	case PROP_VALIDATION:
> 		g_value_set_int (value, priv->validation);
> 		break;
>+	case PROP_SEND_SCI:
>+		g_value_set_boolean (value, priv->send_sci);
>+		break;
> 	default:
> 		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
> 		break;
>@@ -588,5 +611,20 @@ nm_setting_macsec_class_init (NMSettingMacsecClass *setting_class)
> 	                      NM_SETTING_PARAM_INFERRABLE |
> 	                      G_PARAM_STATIC_STRINGS);
> 
>+	/**
>+	 * NMSettingMacsec:send-sci:
>+	 *
>+	 * Specifies whether the SCI (Secure Channel Identifier) is included
>+	 * in every packet.
>+	 *
>+	 * Since: 1.12
>+	 **/
>+	obj_properties[PROP_SEND_SCI] =
>+	    g_param_spec_boolean (NM_SETTING_MACSEC_SEND_SCI, "", "",
>+	                          TRUE,
>+	                          G_PARAM_READWRITE |
>+	                          G_PARAM_CONSTRUCT |
>+	                          G_PARAM_STATIC_STRINGS);
>+
> 	g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
> }
>diff --git a/libnm-core/nm-setting-macsec.h b/libnm-core/nm-setting-macsec.h
>index 6a524faab..0f545007b 100644
>--- a/libnm-core/nm-setting-macsec.h
>+++ b/libnm-core/nm-setting-macsec.h
>@@ -47,6 +47,7 @@ G_BEGIN_DECLS
> #define NM_SETTING_MACSEC_MKA_CKN              "mka-ckn"
> #define NM_SETTING_MACSEC_PORT                 "port"
> #define NM_SETTING_MACSEC_VALIDATION           "validation"
>+#define NM_SETTING_MACSEC_SEND_SCI             "send-sci"
> 
> /**
>  * NMSettingMacsec:
>@@ -122,6 +123,8 @@ NM_AVAILABLE_IN_1_6
> int         nm_setting_macsec_get_port           (NMSettingMacsec *setting);
> NM_AVAILABLE_IN_1_6
> NMSettingMacsecValidation nm_setting_macsec_get_validation (NMSettingMacsec *setting);
>+NM_AVAILABLE_IN_1_12
>+gboolean nm_setting_macsec_get_send_sci          (NMSettingMacsec *setting);
> 
> G_END_DECLS
> 
>diff --git a/libnm/libnm.ver b/libnm/libnm.ver
>index ec1b91dad..e3c63b25e 100644
>--- a/libnm/libnm.ver
>+++ b/libnm/libnm.ver
>@@ -1355,6 +1355,7 @@ global:
> 	nm_setting_connection_get_mdns;
> 	nm_setting_connection_mdns_get_type;
> 	nm_setting_ip_tunnel_get_flags;
>+	nm_setting_macsec_get_send_sci;
> 	nm_setting_vpn_get_data_keys;
> 	nm_setting_vpn_get_secret_keys;
> 	nm_setting_wireless_security_get_fils;
>diff --git a/src/devices/nm-device-macsec.c b/src/devices/nm-device-macsec.c
>index 4eaf54697..166bfb57a 100644
>--- a/src/devices/nm-device-macsec.c
>+++ b/src/devices/nm-device-macsec.c
>@@ -704,6 +704,7 @@ create_and_realize (NMDevice *device,
> 	sci.s.port = htons (nm_setting_macsec_get_port (s_macsec));
> 	lnk.sci = be64toh (sci.u);
> 	lnk.validation = nm_setting_macsec_get_validation (s_macsec);
>+	lnk.include_sci = nm_setting_macsec_get_send_sci (s_macsec);
> 
> 	parent_ifindex = nm_device_get_ifindex (parent);
> 	g_warn_if_fail (parent_ifindex > 0);
>-- 
>2.17.0
>

Actions: View | Diff

Attachments on bug 1588041: 1448351