Add XFRM-I support to XfrmController
This patch adds support for creating and managing XFRM interfaces,
adding xfrm_if_id parameters to all relevant netlink calls.
This is part of a patch set to enable XFRM-I support, with automatic
fallbacks to VTI in XfrmController (2/3)
Bug: 77856928
Test: Xfrm, Binder tests updated, passing
Change-Id: I09869e6a0000384c9c4d0aef1de4d5434c33374a
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index c805165..1cac36f 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -29,6 +29,7 @@
#include <ifaddrs.h>
#include <linux/if.h>
#include <linux/if_tun.h>
+#include <net/if.h>
#include <netdb.h>
#include <netinet/in.h>
#include <openssl/base64.h>
@@ -286,9 +287,11 @@
const std::string remoteAddress;
int32_t iKey;
int32_t oKey;
+ int32_t ifId;
} kTestData[] = {
- {"IPV4", "ipsec_test", "127.0.0.1", "8.8.8.8", 0x1234 + 53, 0x1234 + 53},
- {"IPV6", "ipsec_test6", "::1", "2001:4860:4860::8888", 0x1234 + 50, 0x1234 + 50},
+ {"IPV4", "ipsec_test", "127.0.0.1", "8.8.8.8", 0x1234 + 53, 0x1234 + 53, 0xFFFE},
+ {"IPV6", "ipsec_test6", "::1", "2001:4860:4860::8888", 0x1234 + 50, 0x1234 + 50,
+ 0xFFFE},
};
for (unsigned int i = 0; i < std::size(kTestData); i++) {
@@ -298,17 +301,23 @@
// Create Tunnel Interface.
status = mNetd->ipSecAddTunnelInterface(td.deviceName, td.localAddress, td.remoteAddress,
- td.iKey, td.oKey);
+ td.iKey, td.oKey, td.ifId);
EXPECT_TRUE(status.isOk()) << td.family << status.exceptionMessage();
+ // Check that the interface exists
+ EXPECT_NE(0, if_nametoindex(td.deviceName.c_str()));
+
// Update Tunnel Interface.
status = mNetd->ipSecUpdateTunnelInterface(td.deviceName, td.localAddress, td.remoteAddress,
- td.iKey, td.oKey);
+ td.iKey, td.oKey, td.ifId);
EXPECT_TRUE(status.isOk()) << td.family << status.exceptionMessage();
// Remove Tunnel Interface.
status = mNetd->ipSecRemoveTunnelInterface(td.deviceName);
EXPECT_TRUE(status.isOk()) << td.family << status.exceptionMessage();
+
+ // Check that the interface no longer exists
+ EXPECT_EQ(0, if_nametoindex(td.deviceName.c_str()));
}
}
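Review bot: The added `if_nametoindex` checks only prove that a device with that name appears and disappears. They cannot tell whether it was created as an XFRM interface carrying `td.ifId` or through the VTI fallback the commit message mentions, so the new parameter's effect is not verified. Consider also reading the link kind or interface id back (for example with a netlink link query) and asserting it equals `td.ifId` on devices where XFRM-I is available. Comparing the `int` literal with the `unsigned int` return value may also raise a sign-compare warning, which `EXPECT_NE(0U, if_nametoindex(td.deviceName.c_str()));` avoids. The enclosing test body starts outside this hunk.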
@@ -327,14 +336,14 @@
RETURN_FALSE_IF_NEQ(status.ok(), expectOk);
// Add a policy
- status = XfrmController::ipSecAddSecurityPolicy(0, AF_INET6, 0, "::", "::1", 123, 0, 0);
+ status = XfrmController::ipSecAddSecurityPolicy(0, AF_INET6, 0, "::", "::1", 123, 0, 0, 0);
SCOPED_TRACE(status);
RETURN_FALSE_IF_NEQ(status.ok(), expectOk);
// Add an ipsec interface
- return expectOk ==
- XfrmController::ipSecAddTunnelInterface("ipsec_test", "::", "::1", 0xF00D, 0xD00D, false)
- .ok();
+ return expectOk == XfrmController::ipSecAddTunnelInterface("ipsec_test", "::", "::1", 0xF00D,
+ 0xD00D, 0xE00D, false)
+ .ok();
}
TEST_F(BinderTest, XfrmDualSelectorTunnelModePoliciesV4) {
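Review bot: The new trailing argument is `0` at every policy and SA call in this file, starting with `ipSecAddSecurityPolicy(..., 123, 0, 0, 0)` here and repeated in the hunks at -345, -354, -369, -378 and -406. Assuming that argument is the xfrm_if_id described in the commit message, no test installs a policy or SA with a non-zero id, even though this helper creates its tunnel interface with `0xE00D`. A regression that drops or misplaces the id in the netlink message would therefore pass unnoticed. At least one case should use an id matching the interface and then check that the policy is found and deleted under that id. The run of bare integers is also easy to transpose, so a label such as `0xD00D, 0xE00D /* ifId */, false)` would help. The body of this helper starts outside the hunk.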
@@ -345,7 +354,7 @@
for (int direction : XFRM_DIRECTIONS) {
for (int addrFamily : ADDRESS_FAMILIES) {
status = mNetd->ipSecAddSecurityPolicy(0, addrFamily, direction, "127.0.0.5",
- "127.0.0.6", 123, 0, 0);
+ "127.0.0.6", 123, 0, 0, 0);
EXPECT_TRUE(status.isOk())
<< " family: " << addrFamily << " direction: " << direction;
}
@@ -354,7 +363,7 @@
// Cleanup
for (int direction : XFRM_DIRECTIONS) {
for (int addrFamily : ADDRESS_FAMILIES) {
- status = mNetd->ipSecDeleteSecurityPolicy(0, addrFamily, direction, 0, 0);
+ status = mNetd->ipSecDeleteSecurityPolicy(0, addrFamily, direction, 0, 0, 0);
EXPECT_TRUE(status.isOk());
}
}
@@ -369,7 +378,7 @@
for (int direction : XFRM_DIRECTIONS) {
for (int addrFamily : ADDRESS_FAMILIES) {
status = mNetd->ipSecAddSecurityPolicy(0, addrFamily, direction, "2001:db8::f00d",
- "2001:db8::d00d", 123, 0, 0);
+ "2001:db8::d00d", 123, 0, 0, 0);
EXPECT_TRUE(status.isOk())
<< " family: " << addrFamily << " direction: " << direction;
}
@@ -378,7 +387,7 @@
// Cleanup
for (int direction : XFRM_DIRECTIONS) {
for (int addrFamily : ADDRESS_FAMILIES) {
- status = mNetd->ipSecDeleteSecurityPolicy(0, addrFamily, direction, 0, 0);
+ status = mNetd->ipSecDeleteSecurityPolicy(0, addrFamily, direction, 0, 0, 0);
EXPECT_TRUE(status.isOk());
}
}
@@ -406,11 +415,11 @@
ASSERT_TRUE(allocateIpSecResources(true, &spi));
// Clean up
- status = XfrmController::ipSecDeleteSecurityAssociation(0, "::", "::1", 123, spi, 0);
+ status = XfrmController::ipSecDeleteSecurityAssociation(0, "::", "::1", 123, spi, 0, 0);
SCOPED_TRACE(status);
ASSERT_TRUE(status.ok());
- status = XfrmController::ipSecDeleteSecurityPolicy(0, AF_INET6, 0, 0, 0);
+ status = XfrmController::ipSecDeleteSecurityPolicy(0, AF_INET6, 0, 0, 0, 0);
SCOPED_TRACE(status);
ASSERT_TRUE(status.ok());