-
Notifications
You must be signed in to change notification settings - Fork 0
/
probe_linux.go
76 lines (64 loc) · 1.84 KB
/
probe_linux.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
//go:build linux
package ipsec
import (
"encoding/hex"
"errors"
"net"
"github.com/vishvananda/netlink"
"github.com/cilium/cilium/pkg/datapath/linux/linux_defaults"
)
const (
dummyIP = "169.254.169.254"
aeadKey = "4242424242424242424242424242424242424242"
aeadAlgo = "rfc4106(gcm(aes))"
stateId = 42
)
func initDummyXfrmState() *netlink.XfrmState {
state := ipSecNewState()
k, _ := hex.DecodeString(aeadKey)
state.Aead = &netlink.XfrmStateAlgo{
Name: aeadAlgo,
Key: k,
ICVLen: 128,
}
state.Spi = int(stateId)
state.Reqid = stateId
state.Src = net.ParseIP(dummyIP)
state.Dst = net.ParseIP(dummyIP)
return state
}
func createDummyXfrmState(state *netlink.XfrmState) error {
state.Mark = &netlink.XfrmMark{
Value: linux_defaults.RouteMarkDecrypt,
Mask: linux_defaults.IPsecMarkMaskIn,
}
state.OutputMark = &netlink.XfrmMark{
Value: linux_defaults.RouteMarkDecrypt,
Mask: linux_defaults.RouteMarkMask,
}
return netlink.XfrmStateAdd(state)
}
// ProbeXfrmStateOutputMask probes the kernel to determine if it supports
// setting the xfrm state output mask (Linux 4.19+). It returns an error if
// the output mask is not supported or if an error occurred, nil otherwise.
func ProbeXfrmStateOutputMask() error {
state := initDummyXfrmState()
err := createDummyXfrmState(state)
if err != nil {
return err
}
defer netlink.XfrmStateDel(state)
var probedState *netlink.XfrmState
if probedState, err = netlink.XfrmStateGet(state); err != nil {
return err
}
if probedState == nil || probedState.OutputMark == nil {
return errors.New("IPSec output mark attribute missing from xfrm probe")
}
if probedState.OutputMark.Mask != linux_defaults.RouteMarkMask {
return errors.New("incorrect value for probed IPSec output mask attribute")
}
return nil
}