// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
//go:build linux
package ipsec
import (
"encoding/hex"
"errors"
"net"
"github.com/vishvananda/netlink"
"github.com/cilium/cilium/pkg/datapath/linux/linux_defaults"
)
const (
	// dummyIP is used as both source and destination of the probe state.
	// It is a link-local address — presumably chosen so that the probe
	// state never matches real traffic; TODO confirm.
	dummyIP = "169.254.169.254"
	// aeadKey is the hex-encoded key material for the probe state's AEAD
	// transform. It is a fixed, publicly known value and not a secret: the
	// state it keys exists only while ProbeXfrmStateOutputMask runs and is
	// deleted before that function returns.
	aeadKey = "4242424242424242424242424242424242424242"
	// aeadAlgo names the AEAD transform requested for the probe state.
	aeadAlgo = "rfc4106(gcm(aes))"
	// stateId is used for both the SPI and the reqid of the probe state.
	stateId = 42
)
// initDummyXfrmState builds the throwaway xfrm state used by the output-mask
// probe. The returned state is not yet installed in the kernel and carries
// no marks; createDummyXfrmState fills those in before adding it.
//
// The AEAD key is a fixed, publicly known constant and both endpoints are the
// same link-local address, so the state is only meaningful as a probe object:
// ProbeXfrmStateOutputMask deletes it as soon as the probe has run.
func initDummyXfrmState() *netlink.XfrmState {
	// aeadKey is a compile-time hex constant, so decoding cannot fail; the
	// error is deliberately dropped.
	key, _ := hex.DecodeString(aeadKey)

	algo := &netlink.XfrmStateAlgo{
		Name:   aeadAlgo,
		Key:    key,
		ICVLen: 128,
	}

	// Parse twice so Src and Dst do not alias the same backing slice.
	src := net.ParseIP(dummyIP)
	dst := net.ParseIP(dummyIP)

	return &netlink.XfrmState{
		Mode:  netlink.XFRM_MODE_TUNNEL,
		Proto: netlink.XFRM_PROTO_ESP,
		ESN:   false,
		Spi:   stateId,
		Reqid: stateId,
		Aead:  algo,
		Src:   src,
		Dst:   dst,
	}
}
// createDummyXfrmState tags state with the decrypt route mark — both as the
// state's own mark and as its output mark — and installs it in the kernel.
// The state is mutated in place; the returned error is whatever
// netlink.XfrmStateAdd reports.
func createDummyXfrmState(state *netlink.XfrmState) error {
	decryptMark := func(mask uint32) *netlink.XfrmMark {
		return &netlink.XfrmMark{
			Value: linux_defaults.RouteMarkDecrypt,
			Mask:  mask,
		}
	}

	// The state mark uses the inbound IPsec mask, the output mark the route
	// mark mask; the probe later checks that the kernel echoes the latter.
	state.Mark = decryptMark(linux_defaults.IPsecMarkMaskIn)
	state.OutputMark = decryptMark(linux_defaults.RouteMarkMask)

	return netlink.XfrmStateAdd(state)
}
// ProbeXfrmStateOutputMask checks whether the running kernel supports the
// xfrm state output mark/mask attribute (Linux 4.19+).
//
// It installs a throwaway xfrm state carrying an output mark, reads it back
// and verifies that the kernel returned the attribute with the expected mask.
// The probe state is always removed before returning; a failure to remove it
// is joined into the returned error. A nil result means the attribute is
// supported; any other outcome — unsupported attribute or a netlink failure —
// is reported as an error.
func ProbeXfrmStateOutputMask() (e error) {
	dummy := initDummyXfrmState()
	if err := createDummyXfrmState(dummy); err != nil {
		return err
	}

	// From here on the state exists in the kernel: tear it down on every exit
	// path and surface a deletion failure alongside any probe error.
	defer func() {
		e = errors.Join(e, netlink.XfrmStateDel(dummy))
	}()

	probed, err := netlink.XfrmStateGet(dummy)
	if err != nil {
		return err
	}

	switch {
	case probed == nil || probed.OutputMark == nil:
		// The attribute not being echoed back is treated as lack of support.
		return errors.New("IPSec output mark attribute missing from xfrm probe")
	case probed.OutputMark.Mask != linux_defaults.RouteMarkMask:
		return errors.New("incorrect value for probed IPSec output mask attribute")
	}

	return nil
}