Make xfrm linux-only

The xfrm framework is linux-only. Only implement the respective types for GOOS=linux to avoid dependencies to x/sys/unix on non-linux or non-unix platforms. Provide dummy XfrmPolicy and XfrmState types for the globally defined XfrmPolicy* and XfrmState* functions.
vishvananda · Oct 24, 2023 · 77df5d3 · 77df5d3
1 parent ccef072
commit 77df5d3
Show file tree

Hide file tree

Showing 9 changed files with 244 additions and 255 deletions.
diff --git a/xfrm.go → xfrm_linux.go b/xfrm.go → xfrm_linux.go
@@ -14,7 +14,7 @@ const (
 	XFRM_PROTO_ESP       Proto = unix.IPPROTO_ESP
 	XFRM_PROTO_AH        Proto = unix.IPPROTO_AH
 	XFRM_PROTO_HAO       Proto = unix.IPPROTO_DSTOPTS
-	XFRM_PROTO_COMP      Proto = 0x6c // NOTE not defined on darwin
+	XFRM_PROTO_COMP      Proto = unix.IPPROTO_COMP
 	XFRM_PROTO_IPSEC_ANY Proto = unix.IPPROTO_RAW
 )
 

diff --git a/xfrm_monitor_test.go → xfrm_monitor_linux_test.go b/xfrm_monitor_test.go → xfrm_monitor_linux_test.go
@@ -1,6 +1,3 @@
-//go:build linux
-// +build linux
-
 package netlink
 
 import (

diff --git a/xfrm_policy.go b/xfrm_policy.go
diff --git a/xfrm_policy_linux.go b/xfrm_policy_linux.go
@@ -1,10 +1,104 @@
 package netlink
 
 import (
+	"fmt"
+	"net"
+
 	"github.com/vishvananda/netlink/nl"
 	"golang.org/x/sys/unix"
 )
 
+// Dir is an enum representing an ipsec template direction.
+type Dir uint8
+
+const (
+	XFRM_DIR_IN Dir = iota
+	XFRM_DIR_OUT
+	XFRM_DIR_FWD
+	XFRM_SOCKET_IN
+	XFRM_SOCKET_OUT
+	XFRM_SOCKET_FWD
+)
+
+func (d Dir) String() string {
+	switch d {
+	case XFRM_DIR_IN:
+		return "dir in"
+	case XFRM_DIR_OUT:
+		return "dir out"
+	case XFRM_DIR_FWD:
+		return "dir fwd"
+	case XFRM_SOCKET_IN:
+		return "socket in"
+	case XFRM_SOCKET_OUT:
+		return "socket out"
+	case XFRM_SOCKET_FWD:
+		return "socket fwd"
+	}
+	return fmt.Sprintf("socket %d", d-XFRM_SOCKET_IN)
+}
+
+// PolicyAction is an enum representing an ipsec policy action.
+type PolicyAction uint8
+
+const (
+	XFRM_POLICY_ALLOW PolicyAction = 0
+	XFRM_POLICY_BLOCK PolicyAction = 1
+)
+
+func (a PolicyAction) String() string {
+	switch a {
+	case XFRM_POLICY_ALLOW:
+		return "allow"
+	case XFRM_POLICY_BLOCK:
+		return "block"
+	default:
+		return fmt.Sprintf("action %d", a)
+	}
+}
+
+// XfrmPolicyTmpl encapsulates a rule for the base addresses of an ipsec
+// policy. These rules are matched with XfrmState to determine encryption
+// and authentication algorithms.
+type XfrmPolicyTmpl struct {
+	Dst      net.IP
+	Src      net.IP
+	Proto    Proto
+	Mode     Mode
+	Spi      int
+	Reqid    int
+	Optional int
+}
+
+func (t XfrmPolicyTmpl) String() string {
+	return fmt.Sprintf("{Dst: %v, Src: %v, Proto: %s, Mode: %s, Spi: 0x%x, Reqid: 0x%x}",
+		t.Dst, t.Src, t.Proto, t.Mode, t.Spi, t.Reqid)
+}
+
+// XfrmPolicy represents an ipsec policy. It represents the overlay network
+// and has a list of XfrmPolicyTmpls representing the base addresses of
+// the policy.
+type XfrmPolicy struct {
+	Dst      *net.IPNet
+	Src      *net.IPNet
+	Proto    Proto
+	DstPort  int
+	SrcPort  int
+	Dir      Dir
+	Priority int
+	Index    int
+	Action   PolicyAction
+	Ifindex  int
+	Ifid     int
+	Mark     *XfrmMark
+	Tmpls    []XfrmPolicyTmpl
+}
+
+func (p XfrmPolicy) String() string {
+	return fmt.Sprintf("{Dst: %v, Src: %v, Proto: %s, DstPort: %d, SrcPort: %d, Dir: %s, Priority: %d, Index: %d, Action: %s, Ifindex: %d, Ifid: %d, Mark: %s, Tmpls: %s}",
+		p.Dst, p.Src, p.Proto, p.DstPort, p.SrcPort, p.Dir, p.Priority, p.Index, p.Action, p.Ifindex, p.Ifid, p.Mark, p.Tmpls)
+}
+
 func selFromPolicy(sel *nl.XfrmSelector, policy *XfrmPolicy) {
 	sel.Family = uint16(nl.FAMILY_V4)
 	if policy.Dst != nil {

diff --git a/xfrm_policy_test.go → xfrm_policy_linux_test.go b/xfrm_policy_test.go → xfrm_policy_linux_test.go
@@ -1,6 +1,3 @@
-//go:build linux
-// +build linux
-
 package netlink
 
 import (

diff --git a/xfrm_state.go b/xfrm_state.go