PF_KEY portability #4

Open
sg2342 opened this issue Apr 8, 2016 · 9 comments
@sg2342
Contributor

sg2342 commented Apr 8, 2016

  • SPD flush is an invalid operation on OpenBSD
  • the extension_type enum in pfkey/pfkey_wire.ml is FreeBSD specific (on OpenBSD decoding the sadb_register response fails because of unknown extension type 30 -- this is supported_comp in OpenBSD)

we will need platform specific pfkey_wire code (enum values at least) in order to support more
than FreeBSD.

@sg2342 sg2342 added the question label Apr 8, 2016
@hannesm
Member

hannesm commented Apr 8, 2016

  • is there a way on OpenBSD to flush policies (and should we flush policies at all (it is convenient for developing, but in the end we should dump the policies and SAs on startup!?))?
  • on FreeBSD, the extension type enum does not include 30, so we can add that?
  • another issue will be struct sockaddr, and whether that includes a length or not

If we really need to deal with platform-specific code, we can use cppo https://github.com/mjambon/cppo/ similar to the C preprocessor (but we should avoid it if possible)...

@sg2342
Contributor Author

sg2342 commented Apr 10, 2016

we will need platform-specific numbers; looking at the extension header defines for kernels with PF_KEY support:

illumos HEAD

/*
 * Extension header values.
 */

#define SADB_EXT_RESERVED       0

#define SADB_EXT_SA         1
#define SADB_EXT_LIFETIME_CURRENT   2
#define SADB_EXT_LIFETIME_HARD      3
#define SADB_EXT_LIFETIME_SOFT      4
#define SADB_EXT_ADDRESS_SRC        5
#define SADB_EXT_ADDRESS_DST        6
/* These two are synonyms. */
#define SADB_EXT_ADDRESS_PROXY      7
#define SADB_X_EXT_ADDRESS_INNER_SRC    SADB_EXT_ADDRESS_PROXY
#define SADB_EXT_KEY_AUTH       8
#define SADB_EXT_KEY_ENCRYPT        9
#define SADB_EXT_IDENTITY_SRC       10
#define SADB_EXT_IDENTITY_DST       11
#define SADB_EXT_SENSITIVITY        12
#define SADB_EXT_PROPOSAL       13
#define SADB_EXT_SUPPORTED_AUTH     14
#define SADB_EXT_SUPPORTED_ENCRYPT  15
#define SADB_EXT_SPIRANGE       16
#define SADB_X_EXT_EREG         17
#define SADB_X_EXT_EPROP        18
#define SADB_X_EXT_KM_COOKIE        19
#define SADB_X_EXT_ADDRESS_NATT_LOC 20
#define SADB_X_EXT_ADDRESS_NATT_REM 21
#define SADB_X_EXT_ADDRESS_INNER_DST    22
#define SADB_X_EXT_PAIR         23
#define SADB_X_EXT_REPLAY_VALUE     24
#define SADB_X_EXT_EDUMP        25
#define SADB_X_EXT_LIFETIME_IDLE    26
#define SADB_X_EXT_OUTER_SENS       27

#define SADB_EXT_MAX            27

linux 4.5

/* Extension Header values */
#define SADB_EXT_RESERVED               0
#define SADB_EXT_SA                     1
#define SADB_EXT_LIFETIME_CURRENT       2
#define SADB_EXT_LIFETIME_HARD          3
#define SADB_EXT_LIFETIME_SOFT          4
#define SADB_EXT_ADDRESS_SRC            5
#define SADB_EXT_ADDRESS_DST            6
#define SADB_EXT_ADDRESS_PROXY          7
#define SADB_EXT_KEY_AUTH               8
#define SADB_EXT_KEY_ENCRYPT            9
#define SADB_EXT_IDENTITY_SRC           10
#define SADB_EXT_IDENTITY_DST           11
#define SADB_EXT_SENSITIVITY            12
#define SADB_EXT_PROPOSAL               13
#define SADB_EXT_SUPPORTED_AUTH         14
#define SADB_EXT_SUPPORTED_ENCRYPT      15
#define SADB_EXT_SPIRANGE               16
#define SADB_X_EXT_KMPRIVATE            17
#define SADB_X_EXT_POLICY               18
#define SADB_X_EXT_SA2                  19
/* The next four entries are for setting up NAT Traversal */
#define SADB_X_EXT_NAT_T_TYPE           20
#define SADB_X_EXT_NAT_T_SPORT          21
#define SADB_X_EXT_NAT_T_DPORT          22
#define SADB_X_EXT_NAT_T_OA             23
#define SADB_X_EXT_SEC_CTX              24
/* Used with MIGRATE to pass @ to IKE for negotiation */
#define SADB_X_EXT_KMADDRESS            25
#define SADB_X_EXT_FILTER               26
#define SADB_EXT_MAX                    26

OS X (10.11) and iOS 9.x

#define SADB_EXT_RESERVED             0
#define SADB_EXT_SA                   1
#define SADB_EXT_LIFETIME_CURRENT     2
#define SADB_EXT_LIFETIME_HARD        3
#define SADB_EXT_LIFETIME_SOFT        4
#define SADB_EXT_ADDRESS_SRC          5
#define SADB_EXT_ADDRESS_DST          6
#define SADB_EXT_ADDRESS_PROXY        7
#define SADB_EXT_KEY_AUTH             8
#define SADB_EXT_KEY_ENCRYPT          9
#define SADB_EXT_IDENTITY_SRC         10
#define SADB_EXT_IDENTITY_DST         11
#define SADB_EXT_SENSITIVITY          12
#define SADB_EXT_PROPOSAL             13
#define SADB_EXT_SUPPORTED_AUTH       14
#define SADB_EXT_SUPPORTED_ENCRYPT    15
#define SADB_EXT_SPIRANGE             16
#define SADB_X_EXT_KMPRIVATE          17
#define SADB_X_EXT_POLICY             18
#define SADB_X_EXT_SA2                19
#define SADB_EXT_SESSION_ID           20
#define SADB_EXT_SASTAT               21
#define SADB_X_EXT_IPSECIF            22
#define SADB_X_EXT_ADDR_RANGE_SRC_START 23
#define SADB_X_EXT_ADDR_RANGE_SRC_END   24
#define SADB_X_EXT_ADDR_RANGE_DST_START 25
#define SADB_X_EXT_ADDR_RANGE_DST_END   26
#define SADB_EXT_MIGRATE_ADDRESS_SRC  27
#define SADB_EXT_MIGRATE_ADDRESS_DST  28
#define SADB_X_EXT_MIGRATE_IPSECIF    29
#define SADB_EXT_MAX                  29

NetBSD HEAD

#define SADB_EXT_RESERVED             0
#define SADB_EXT_SA                   1
#define SADB_EXT_LIFETIME_CURRENT     2
#define SADB_EXT_LIFETIME_HARD        3
#define SADB_EXT_LIFETIME_SOFT        4
#define SADB_EXT_ADDRESS_SRC          5
#define SADB_EXT_ADDRESS_DST          6
#define SADB_EXT_ADDRESS_PROXY        7
#define SADB_EXT_KEY_AUTH             8
#define SADB_EXT_KEY_ENCRYPT          9
#define SADB_EXT_IDENTITY_SRC         10
#define SADB_EXT_IDENTITY_DST         11
#define SADB_EXT_SENSITIVITY          12
#define SADB_EXT_PROPOSAL             13
#define SADB_EXT_SUPPORTED_AUTH       14
#define SADB_EXT_SUPPORTED_ENCRYPT    15
#define SADB_EXT_SPIRANGE             16
#define SADB_X_EXT_KMPRIVATE          17
#define SADB_X_EXT_POLICY             18
#define SADB_X_EXT_SA2                19
#define SADB_X_EXT_NAT_T_TYPE         20
#define SADB_X_EXT_NAT_T_SPORT        21
#define SADB_X_EXT_NAT_T_DPORT        22
#define SADB_X_EXT_NAT_T_OA           23    /* compat */
#define SADB_X_EXT_NAT_T_OAI          23
#define SADB_X_EXT_NAT_T_OAR          24
#define SADB_X_EXT_NAT_T_FRAG         25
#if 0
#define SADB_X_EXT_TAG            25    /* KAME */
#define SADB_X_EXT_SA3            26    /* KAME */
#define SADB_X_EXT_PACKET         27    /* KAME */
#endif
#define SADB_EXT_MAX                  25

FreeBSD HEAD

#define SADB_EXT_RESERVED             0
#define SADB_EXT_SA                   1
#define SADB_EXT_LIFETIME_CURRENT     2
#define SADB_EXT_LIFETIME_HARD        3
#define SADB_EXT_LIFETIME_SOFT        4
#define SADB_EXT_ADDRESS_SRC          5
#define SADB_EXT_ADDRESS_DST          6
#define SADB_EXT_ADDRESS_PROXY        7
#define SADB_EXT_KEY_AUTH             8
#define SADB_EXT_KEY_ENCRYPT          9
#define SADB_EXT_IDENTITY_SRC         10
#define SADB_EXT_IDENTITY_DST         11
#define SADB_EXT_SENSITIVITY          12
#define SADB_EXT_PROPOSAL             13
#define SADB_EXT_SUPPORTED_AUTH       14
#define SADB_EXT_SUPPORTED_ENCRYPT    15
#define SADB_EXT_SPIRANGE             16
#define SADB_X_EXT_KMPRIVATE          17
#define SADB_X_EXT_POLICY             18
#define SADB_X_EXT_SA2                19
#define SADB_X_EXT_NAT_T_TYPE         20
#define SADB_X_EXT_NAT_T_SPORT        21
#define SADB_X_EXT_NAT_T_DPORT        22
#define SADB_X_EXT_NAT_T_OA           23    /* Deprecated. */
#define SADB_X_EXT_NAT_T_OAI          23    /* Peer's NAT_OA for src of SA. */
#define SADB_X_EXT_NAT_T_OAR          24    /* Peer's NAT_OA for dst of SA. */
#define SADB_X_EXT_NAT_T_FRAG         25    /* Manual MTU override. */
#define SADB_EXT_MAX                  25

OpenBSD HEAD

#define SADB_EXT_RESERVED             0
#define SADB_EXT_SA                   1
#define SADB_EXT_LIFETIME_CURRENT     2
#define SADB_EXT_LIFETIME_HARD        3
#define SADB_EXT_LIFETIME_SOFT        4
#define SADB_EXT_ADDRESS_SRC          5
#define SADB_EXT_ADDRESS_DST          6
#define SADB_EXT_ADDRESS_PROXY        7
#define SADB_EXT_KEY_AUTH             8
#define SADB_EXT_KEY_ENCRYPT          9
#define SADB_EXT_IDENTITY_SRC         10
#define SADB_EXT_IDENTITY_DST         11
#define SADB_EXT_SENSITIVITY          12
#define SADB_EXT_PROPOSAL             13
#define SADB_EXT_SUPPORTED_AUTH       14
#define SADB_EXT_SUPPORTED_ENCRYPT    15
#define SADB_EXT_SPIRANGE             16
#define SADB_X_EXT_SRC_MASK           17
#define SADB_X_EXT_DST_MASK           18
#define SADB_X_EXT_PROTOCOL           19
#define SADB_X_EXT_FLOW_TYPE          20
#define SADB_X_EXT_SRC_FLOW           21
#define SADB_X_EXT_DST_FLOW           22
#define SADB_X_EXT_SA2                23
#define SADB_X_EXT_DST2               24
#define SADB_X_EXT_POLICY             25
#define SADB_X_EXT_LOCAL_CREDENTIALS  26
#define SADB_X_EXT_REMOTE_CREDENTIALS 27
#define SADB_X_EXT_LOCAL_AUTH         28
#define SADB_X_EXT_REMOTE_AUTH        29
#define SADB_X_EXT_SUPPORTED_COMP     30
#define SADB_X_EXT_UDPENCAP           31
#define SADB_X_EXT_LIFETIME_LASTUSE   32
#define SADB_X_EXT_TAG                33
#define SADB_X_EXT_TAP                34
#define SADB_EXT_MAX                  34
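As an added illustration (not code from this issue or from the ocaml-ike project), a C decoder that keeps one extension-type table per host, as the survey above suggests, and walks a constructed sadb_register-style reply: against the FreeBSD table type 30 is rejected, against the OpenBSD table it resolves to SUPPORTED_COMP. The pfkey_host enum, the table and function names and the sample buffer are assumptions; only FreeBSD and OpenBSD are tabulated, with values copied from the headers quoted in the comment above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hosts decoded against; both tables are transcribed from the headers quoted above. */
typedef enum { HOST_FREEBSD, HOST_OPENBSD } pfkey_host;
/* Types 0..16 are identical on every platform in the survey. */
static const char *const common_ext[17] = { "RESERVED", "SA", "LIFETIME_CURRENT",
    "LIFETIME_HARD", "LIFETIME_SOFT", "ADDRESS_SRC", "ADDRESS_DST", "ADDRESS_PROXY",
    "KEY_AUTH", "KEY_ENCRYPT", "IDENTITY_SRC", "IDENTITY_DST", "SENSITIVITY",
    "PROPOSAL", "SUPPORTED_AUTH", "SUPPORTED_ENCRYPT", "SPIRANGE" };
/* FreeBSD HEAD 17..25 and OpenBSD HEAD 17..34, SADB_X_EXT_ prefix dropped. */
static const char *const freebsd_ext[] = { "KMPRIVATE", "POLICY", "SA2", "NAT_T_TYPE",
    "NAT_T_SPORT", "NAT_T_DPORT", "NAT_T_OAI", "NAT_T_OAR", "NAT_T_FRAG" };
static const char *const openbsd_ext[] = { "SRC_MASK", "DST_MASK", "PROTOCOL",
    "FLOW_TYPE", "SRC_FLOW", "DST_FLOW", "SA2", "DST2", "POLICY", "LOCAL_CREDENTIALS",
    "REMOTE_CREDENTIALS", "LOCAL_AUTH", "REMOTE_AUTH", "SUPPORTED_COMP", "UDPENCAP",
    "LIFETIME_LASTUSE", "TAG", "TAP" };

/* Resolve an sadb_ext_type for one host; NULL means that host does not define it. */
const char *pfkey_ext_name(pfkey_host host, unsigned type) {
    const char *const *tbl = host == HOST_OPENBSD ? openbsd_ext : freebsd_ext;
    size_t n = host == HOST_OPENBSD ? sizeof openbsd_ext / sizeof *openbsd_ext
                                    : sizeof freebsd_ext / sizeof *freebsd_ext;
    if (type <= 16) return common_ext[type];
    return type - 17 < n ? tbl[type - 17] : NULL;
}

/* Walk the extension headers after sadb_msg: uint16 sadb_ext_len (8-byte units), uint16
 * sadb_ext_type, host byte order. Returns the count, or -1 on unknown type or bad length. */
int pfkey_walk_exts(pfkey_host host, const uint8_t *buf, size_t len) {
    uint16_t hdr[2];                                /* {sadb_ext_len, sadb_ext_type} */
    for (int count = 0;; count++) {
        if (len == 0) return count;
        if (len < 4) return -1;
        memcpy(hdr, buf, 4);
        size_t bytes = (size_t)hdr[0] * 8;
        if (bytes < 8 || bytes > len || !pfkey_ext_name(host, hdr[1])) return -1;
        buf += bytes; len -= bytes;
    }
}

/* Constructed sample, not a captured kernel reply: SADB_EXT_SA (1) then type 30,
 * one 8-byte unit each, shaped like the sadb_register response this issue describes. */
int decode_sample(pfkey_host host) {
    uint8_t msg[16] = {0};
    uint16_t sa[2] = { 1, 1 }, comp[2] = { 1, 30 };  /* {len in 8-byte units, type} */
    memcpy(msg, sa, 4);
    memcpy(msg + 8, comp, 4);
    return pfkey_walk_exts(host, msg, sizeof msg);
}
```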

@hannesm
Member

hannesm commented Apr 10, 2016

thanks for this extensive survey... any chance we can find magics for android?
up to and including 16 they're all the same, and let's use cppo for the higher numbers (I started with the FreeBSD header file, and manually converted it to cenum syntax (using emacs keyboard macros), then removed the SADB_X_EXT prefix).

conduit uses cppo, include, code and build -- looks like we've to manually extract and define the platform (by calling out to uname?) we're on (or we're compiling for, for now let's assume that build and target are the same).

@hannesm
Member

hannesm commented Apr 11, 2016

there are similar incompatibilities with the command enum. Until 10 (maybe 11, PROMISC) all is the same, but then:

illumos (no policies):

#define SADB_X_PROMISC  11
#define SADB_X_INVERSE_ACQUIRE  12
#define SADB_X_UPDATEPAIR   13
#define SADB_X_DELPAIR      14
#define SADB_X_DELPAIR_STATE    15

Linux (same as FreeBSD <= 22):

#define SADB_X_NAT_T_NEW_MAPPING        23
#define SADB_X_MIGRATE          24

MacOSX (same as FreeBSD <= 22):

#define SADB_GETSASTAT    23
#define SADB_X_SPDENABLE  24    /* by policy id */
#define SADB_X_SPDDISABLE 25    /* by policy id */
#define SADB_MIGRATE      26

NetBSD (same as FreeBSD <= 22):

#define SADB_X_NAT_T_NEW_MAPPING 23
#if 0
#define SADB_X_MIGRATE    24    /* KAME */
#endif

OpenBSD (no policies):

#define SADB_X_PROMISC     11
#define SADB_X_ADDFLOW     12
#define SADB_X_DELFLOW     13
#define SADB_X_GRPSPIS     14
#define SADB_X_ASKPOLICY   15
#define SADB_X_SPDDUMP     16

@hannesm
Member

hannesm commented Apr 11, 2016

another approach is used in ocaml-unix-errno which provides a host and then a host-specific mapping from int to value(s)... not entirely sure what is more ugly.

I'm wondering how illumos/OpenBSD communicate policies to and from the kernel...

@sg2342
Contributor Author

sg2342 commented Apr 11, 2016

OpenBSD uses their FLOW concept for SPD.

regarding OS selection/detection: I would prefer to be able to target any supported PF_KEY interface regardless of the platform intended to run the ocaml ike (but default to one platform, detected by calling uname(1) during build)

@hannesm
Member

hannesm commented Apr 11, 2016

maybe no preprocessor then, and instead use a runtime configuration option host, and have for each platform separate enums (and always dispatch first on host)? This would allow running OCaml-ike on e.g. FreeBSD talking to Illumos PFKEY... Obviously depending on the host some functionality will not be available (which we'll only find out at runtime)

@sg2342
Contributor Author

sg2342 commented Apr 11, 2016

functor. no need to dispatch.

@hannesm
Member

hannesm commented Apr 11, 2016

sure, I assume all modules in the pfkey directory will need to live under the functor..
