author | Beniamino Galvani <bgalvani@redhat.com> | 2018-06-06 15:26:17 +0200 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2018-06-14 15:13:11 +0200 |
commit | bb20f2eb612a25c8a9b046d967c801a736f4dcc2 (patch) | |
tree | 8bd590dd917357787fbf889a25bf7754a90a3ee5 | |
parent | ed638b71260d106d0a465d520d854fb44ca915f0 (diff) | |
macsec: enable send-sci by default and make the option configurable
It is safer to enable send-sci by default because, at the cost of
8-byte overhead, it makes MACsec work over bridges (note that kernel
also enables it by default). While at it, also make the option
configurable.
https://bugzilla.redhat.com/show_bug.cgi?id=1588041
-rw-r--r-- | clients/common/nm-meta-setting-desc.c | 3 | ||||
-rw-r--r-- | clients/common/settings-docs.h.in | 1 | ||||
-rw-r--r-- | libnm-core/nm-setting-macsec.c | 40 | ||||
-rw-r--r-- | libnm-core/nm-setting-macsec.h | 3 | ||||
-rw-r--r-- | libnm/libnm.ver | 1 | ||||
-rw-r--r-- | src/devices/nm-device-macsec.c | 1 |
6 files changed, 48 insertions, 1 deletions
diff --git a/clients/common/nm-meta-setting-desc.c b/clients/common/nm-meta-setting-desc.c
index 1154fabfb6..6f0183492e 100644
--- a/clients/common/nm-meta-setting-desc.c
+++ b/clients/common/nm-meta-setting-desc.c
@@ -6224,6 +6224,9 @@ static const NMMetaPropertyInfo *const property_infos_MACSEC[] = {
 | NM_META_PROPERTY_TYP_FLAG_ENUM_GET_PRETTY_TEXT,
 ),
 ),
+ PROPERTY_INFO_WITH_DESC (NM_SETTING_MACSEC_SEND_SCI,
+ .property_type = &_pt_gobject_bool,
+ ),
 NULL
 };
diff --git a/clients/common/settings-docs.h.in b/clients/common/settings-docs.h.in
index c4b15b4cc2..7beed42964 100644
--- a/clients/common/settings-docs.h.in
+++ b/clients/common/settings-docs.h.in
@@ -261,6 +261,7 @@
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_NAME N_("The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example \"ppp\" or \"wireless\" or \"wired\".")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_PARENT N_("If given, specifies the parent interface name or parent connection UUID from which this MACSEC interface should be created. If this property is not specified, the connection must contain an \"802-3-ethernet\" setting with a \"mac-address\" property.")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_PORT N_("The port component of the SCI (Secure Channel Identifier), between 1 and 65534.")
+#define DESCRIBE_DOC_NM_SETTING_MACSEC_SEND_SCI N_("Specifies whether the SCI (Secure Channel Identifier) is included in every packet.")
 #define DESCRIBE_DOC_NM_SETTING_MACSEC_VALIDATION N_("Specifies the validation mode for incoming frames.")
 #define DESCRIBE_DOC_NM_SETTING_MACVLAN_MODE N_("The macvlan mode, which specifies the communication mechanism between multiple macvlans on the same lower device.")
 #define DESCRIBE_DOC_NM_SETTING_MACVLAN_NAME N_("The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example \"ppp\" or \"wireless\" or \"wired\".")
diff --git a/libnm-core/nm-setting-macsec.c b/libnm-core/nm-setting-macsec.c
index 7a8a5a34ad..92ebafa625 100644
--- a/libnm-core/nm-setting-macsec.c
+++ b/libnm-core/nm-setting-macsec.c
@@ -49,7 +49,8 @@ NM_SETTING_REGISTER_TYPE (NM_TYPE_SETTING_MACSEC)
 typedef struct {
 char *parent;
 NMSettingMacsecMode mode;
- gboolean encrypt;
+ bool encrypt:1;
+ bool send_sci:1;
 char *mka_cak;
 NMSettingSecretFlags mka_cak_flags;
 char *mka_ckn;
@@ -66,6 +67,7 @@ NM_GOBJECT_PROPERTIES_DEFINE_BASE (
 PROP_MKA_CKN,
 PROP_PORT,
 PROP_VALIDATION,
+ PROP_SEND_SCI,
 );
 /**
@@ -204,6 +206,21 @@ nm_setting_macsec_get_validation (NMSettingMacsec *setting)
 return NM_SETTING_MACSEC_GET_PRIVATE (setting)->validation;
 }
+/**
+ * nm_setting_macsec_get_send_sci:
+ * @setting: the #NMSettingMacsec
+ *
+ * Returns: the #NMSettingMacsec:send-sci property of the setting
+ *
+ * Since: 1.12
+ **/
+gboolean
+nm_setting_macsec_get_send_sci (NMSettingMacsec *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), TRUE);
+ return NM_SETTING_MACSEC_GET_PRIVATE (setting)->send_sci;
+}
+
 static GPtrArray *
 need_secrets (NMSetting *setting)
 {
@@ -390,6 +407,9 @@ set_property (GObject *object, guint prop_id,
 case PROP_VALIDATION:
 priv->validation = g_value_get_int (value);
 break;
+ case PROP_SEND_SCI:
+ priv->send_sci = g_value_get_boolean (value);
+ break;
 default:
 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 break;
@@ -428,6 +448,9 @@ get_property (GObject *object, guint prop_id,
 case PROP_VALIDATION:
 g_value_set_int (value, priv->validation);
 break;
+ case PROP_SEND_SCI:
+ g_value_set_boolean (value, priv->send_sci);
+ break;
 default:
 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 break;
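Review bot: In the private struct (hunk at -49,7) the move from `gboolean encrypt` to `bool encrypt:1` / `bool send_sci:1` carries no comment, and the choice of type matters to anyone who edits these fields later. The set_property hunk in this file stores `g_value_get_boolean (value)` straight into the field; with a `bool` bit-field any non-zero value is stored as 1, whereas a one-bit `gboolean` (int) field would truncate the value instead. I would add a line above the two fields such as `/* bool, not gboolean: a one-bit field must normalize non-zero to 1 */`. The struct body continues past the end of the hunk.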
@@ -588,5 +611,20 @@ nm_setting_macsec_class_init (NMSettingMacsecClass *setting_class)
 NM_SETTING_PARAM_INFERRABLE |
 G_PARAM_STATIC_STRINGS);
+ /**
+ * NMSettingMacsec:send-sci:
+ *
+ * Specifies whether the SCI (Secure Channel Identifier) is included
+ * in every packet.
+ *
+ * Since: 1.12
+ **/
+ obj_properties[PROP_SEND_SCI] =
+ g_param_spec_boolean (NM_SETTING_MACSEC_SEND_SCI, "", "",
+ TRUE,
+ G_PARAM_READWRITE |
+ G_PARAM_CONSTRUCT |
+ G_PARAM_STATIC_STRINGS);
+
 g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
 }
diff --git a/libnm-core/nm-setting-macsec.h b/libnm-core/nm-setting-macsec.h
index 6a524faabf..0f545007bd 100644
--- a/libnm-core/nm-setting-macsec.h
+++ b/libnm-core/nm-setting-macsec.h
@@ -47,6 +47,7 @@ G_BEGIN_DECLS
 #define NM_SETTING_MACSEC_MKA_CKN "mka-ckn"
 #define NM_SETTING_MACSEC_PORT "port"
 #define NM_SETTING_MACSEC_VALIDATION "validation"
+#define NM_SETTING_MACSEC_SEND_SCI "send-sci"
 /**
 * NMSettingMacsec:
@@ -122,6 +123,8 @@ NM_AVAILABLE_IN_1_6
 int nm_setting_macsec_get_port (NMSettingMacsec *setting);
 NM_AVAILABLE_IN_1_6
 NMSettingMacsecValidation nm_setting_macsec_get_validation (NMSettingMacsec *setting);
+NM_AVAILABLE_IN_1_12
+gboolean nm_setting_macsec_get_send_sci (NMSettingMacsec *setting);
 G_END_DECLS
diff --git a/libnm/libnm.ver b/libnm/libnm.ver
index 6408436dd3..08b7c531e7 100644
--- a/libnm/libnm.ver
+++ b/libnm/libnm.ver
@@ -1358,6 +1358,7 @@ global:
 nm_setting_connection_mdns_get_type;
 nm_setting_ip_tunnel_get_flags;
 nm_setting_ip6_config_get_dhcp_duid;
+ nm_setting_macsec_get_send_sci;
 nm_setting_vpn_get_data_keys;
 nm_setting_vpn_get_secret_keys;
 nm_setting_wireless_security_get_fils;
diff --git a/src/devices/nm-device-macsec.c b/src/devices/nm-device-macsec.c
index 4eaf54697f..166bfb57a4 100644
--- a/src/devices/nm-device-macsec.c
+++ b/src/devices/nm-device-macsec.c
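Review bot: The doc comment for NMSettingMacsec:send-sci in the class_init hunk (-588,5) gives neither the default nor the trade-off, although the property is registered with a default of `TRUE` and the commit message says this is a deliberate change. The same one-sentence text appears in the settings-docs.h.in hunk, so it is presumably all that nmcli users see when deciding whether to turn the option off. I would add a sentence along the lines of ` * The default is %TRUE; disabling it saves 8 bytes per frame but MACsec may then not work across bridges.`, which only restates what the commit message already says. Profiles stored before this change carry no send-sci value and will presumably pick up the new default, which deserves a mention in the release notes. The body of nm_setting_macsec_class_init begins outside the hunk.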
@@ -704,6 +704,7 @@ create_and_realize (NMDevice *device,
 sci.s.port = htons (nm_setting_macsec_get_port (s_macsec));
 lnk.sci = be64toh (sci.u);
 lnk.validation = nm_setting_macsec_get_validation (s_macsec);
+ lnk.include_sci = nm_setting_macsec_get_send_sci (s_macsec);
 parent_ifindex = nm_device_get_ifindex (parent);
 g_warn_if_fail (parent_ifindex > 0); |