Add XFRM-I support to XfrmController
This patch adds support for creating and managing XFRM interfaces,
adding xfrm_if_id parameters to all relevant netlink calls.
This is part of a patch set to enable XFRM-I support, with automatic
fallbacks to VTI in XfrmController (2/3)
Bug: 77856928
Test: Xfrm, Binder tests updated, passing
Change-Id: I09869e6a0000384c9c4d0aef1de4d5434c33374a
diff --git a/server/NetdNativeService.cpp b/server/NetdNativeService.cpp
index 7bcc392..7e1965b 100644
--- a/server/NetdNativeService.cpp
+++ b/server/NetdNativeService.cpp
@@ -759,46 +759,32 @@
}
binder::Status NetdNativeService::ipSecAddSecurityAssociation(
- int32_t transformId,
- int32_t mode,
- const std::string& sourceAddress,
- const std::string& destinationAddress,
- int32_t underlyingNetId,
- int32_t spi,
- int32_t markValue,
- int32_t markMask,
- const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits,
- const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits,
- const std::string& aeadAlgo, const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits,
- int32_t encapType,
- int32_t encapLocalPort,
- int32_t encapRemotePort) {
+ int32_t transformId, int32_t mode, const std::string& sourceAddress,
+ const std::string& destinationAddress, int32_t underlyingNetId, int32_t spi,
+ int32_t markValue, int32_t markMask, const std::string& authAlgo,
+ const std::vector<uint8_t>& authKey, int32_t authTruncBits, const std::string& cryptAlgo,
+ const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits, const std::string& aeadAlgo,
+ const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits, int32_t encapType,
+ int32_t encapLocalPort, int32_t encapRemotePort, int32_t interfaceId) {
// Necessary locking done in IpSecService and kernel
ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
gLog.log("ipSecAddSecurityAssociation()");
return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityAssociation(
transformId, mode, sourceAddress, destinationAddress, underlyingNetId, spi, markValue,
markMask, authAlgo, authKey, authTruncBits, cryptAlgo, cryptKey, cryptTruncBits,
- aeadAlgo, aeadKey, aeadIcvBits, encapType, encapLocalPort, encapRemotePort));
+ aeadAlgo, aeadKey, aeadIcvBits, encapType, encapLocalPort, encapRemotePort,
+ interfaceId));
}
binder::Status NetdNativeService::ipSecDeleteSecurityAssociation(
- int32_t transformId,
- const std::string& sourceAddress,
- const std::string& destinationAddress,
- int32_t spi,
- int32_t markValue,
- int32_t markMask) {
+ int32_t transformId, const std::string& sourceAddress,
+ const std::string& destinationAddress, int32_t spi, int32_t markValue, int32_t markMask,
+ int32_t interfaceId) {
// Necessary locking done in IpSecService and kernel
ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL);
gLog.log("ipSecDeleteSecurityAssociation()");
return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityAssociation(
- transformId,
- sourceAddress,
- destinationAddress,
- spi,
- markValue,
- markMask));
+ transformId, sourceAddress, destinationAddress, spi, markValue, markMask, interfaceId));
}
binder::Status NetdNativeService::ipSecApplyTransportModeTransform(
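Review bot: The new `interfaceId` parameter added to ipSecAddSecurityAssociation and ipSecDeleteSecurityAssociation is forwarded to `gCtls->xfrmCtrl` unchanged, with no check at the Binder boundary; it is an `int32_t`, so a negative value from a caller will become a large unsigned xfrm_if_id if the XfrmController side does not reject it, and nothing in this hunk shows where that range check lives. If the check is deliberately delegated, a one-line comment on the parameter would make that contract visible, e.g. `// interfaceId: xfrm_if_id of the XFRM interface; range-checked in XfrmController, not here` (adjust if the check is elsewhere). The same applies to the `interfaceId` parameters added in the following hunks (ipSecAddSecurityPolicy, ipSecUpdateSecurityPolicy, ipSecDeleteSecurityPolicy, ipSecAddTunnelInterface, ipSecUpdateTunnelInterface), so a single note at the XfrmController entry points would cover all of them.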
@@ -834,51 +820,49 @@
const std::string& tmplSrcAddress,
const std::string& tmplDstAddress,
int32_t spi, int32_t markValue,
- int32_t markMask) {
+ int32_t markMask, int32_t interfaceId) {
// Necessary locking done in IpSecService and kernel
ENFORCE_PERMISSION(NETWORK_STACK);
gLog.log("ipSecAddSecurityPolicy()");
return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityPolicy(
transformId, selAddrFamily, direction, tmplSrcAddress, tmplDstAddress, spi, markValue,
- markMask));
+ markMask, interfaceId));
}
-binder::Status NetdNativeService::ipSecUpdateSecurityPolicy(int32_t transformId,
- int32_t selAddrFamily,
- int32_t direction,
- const std::string& tmplSrcAddress,
- const std::string& tmplDstAddress,
- int32_t spi, int32_t markValue,
- int32_t markMask) {
+binder::Status NetdNativeService::ipSecUpdateSecurityPolicy(
+ int32_t transformId, int32_t selAddrFamily, int32_t direction,
+ const std::string& tmplSrcAddress, const std::string& tmplDstAddress, int32_t spi,
+ int32_t markValue, int32_t markMask, int32_t interfaceId) {
// Necessary locking done in IpSecService and kernel
ENFORCE_PERMISSION(NETWORK_STACK);
gLog.log("ipSecAddSecurityPolicy()");
return asBinderStatus(gCtls->xfrmCtrl.ipSecUpdateSecurityPolicy(
transformId, selAddrFamily, direction, tmplSrcAddress, tmplDstAddress, spi, markValue,
- markMask));
+ markMask, interfaceId));
}
binder::Status NetdNativeService::ipSecDeleteSecurityPolicy(int32_t transformId,
int32_t selAddrFamily,
int32_t direction, int32_t markValue,
- int32_t markMask) {
+ int32_t markMask, int32_t interfaceId) {
// Necessary locking done in IpSecService and kernel
ENFORCE_PERMISSION(NETWORK_STACK);
gLog.log("ipSecAddSecurityPolicy()");
return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityPolicy(
- transformId, selAddrFamily, direction, markValue, markMask));
+ transformId, selAddrFamily, direction, markValue, markMask, interfaceId));
}
binder::Status NetdNativeService::ipSecAddTunnelInterface(const std::string& deviceName,
const std::string& localAddress,
const std::string& remoteAddress,
- int32_t iKey, int32_t oKey) {
+ int32_t iKey, int32_t oKey,
+ int32_t interfaceId) {
// Necessary locking done in IpSecService and kernel
ENFORCE_PERMISSION(NETWORK_STACK);
auto entry = gLog.newEntry().prettyFunction(__PRETTY_FUNCTION__);
netdutils::Status result = gCtls->xfrmCtrl.ipSecAddTunnelInterface(
- deviceName, localAddress, remoteAddress, iKey, oKey, false);
+ deviceName, localAddress, remoteAddress, iKey, oKey, interfaceId, false);
RETURN_BINDER_STATUS_IF_NOT_OK(entry, result);
gLog.log(entry.returns(result).withAutomaticDuration());
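Review bot: The log line at the top of both ipSecUpdateSecurityPolicy and ipSecDeleteSecurityPolicy still reads `gLog.log("ipSecAddSecurityPolicy()");`, so the gLog output cannot distinguish an add from an update or a delete of an XFRM policy, which makes the log useless for reconstructing policy-database changes after the fact. This is pre-existing context rather than new code, but the commit rewrites both signatures, so it is the natural moment to change the strings to `gLog.log("ipSecUpdateSecurityPolicy()");` and `gLog.log("ipSecDeleteSecurityPolicy()");`, or to switch both to the `gLog.newEntry().prettyFunction(__PRETTY_FUNCTION__)` form that ipSecAddTunnelInterface in this hunk uses, which records the function name and result. The hunk starts inside the parameter list of ipSecAddSecurityPolicy and ends before the return of ipSecAddTunnelInterface, so both enclosing functions extend outside it.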
@@ -888,13 +872,14 @@
binder::Status NetdNativeService::ipSecUpdateTunnelInterface(const std::string& deviceName,
const std::string& localAddress,
const std::string& remoteAddress,
- int32_t iKey, int32_t oKey) {
+ int32_t iKey, int32_t oKey,
+ int32_t interfaceId) {
// Necessary locking done in IpSecService and kernel
ENFORCE_PERMISSION(NETWORK_STACK);
auto entry = gLog.newEntry().prettyFunction(__PRETTY_FUNCTION__);
netdutils::Status result = gCtls->xfrmCtrl.ipSecAddTunnelInterface(
- deviceName, localAddress, remoteAddress, iKey, oKey, true);
+ deviceName, localAddress, remoteAddress, iKey, oKey, interfaceId, true);
RETURN_BINDER_STATUS_IF_NOT_OK(entry, result);
gLog.log(entry.returns(result).withAutomaticDuration());