#1905280 Proof of concept for xfrm_interfaces.

Author: max-foss

doc/netplan-yaml.md

@@ -65,6 +65,10 @@ network:
 
   > Configures Virtual Routing and Forwarding (VRF) devices.
 
+- [**`xfrm-interfaces`**](#properties-for-device-type-xfrm-interfaces) (mapping)
+
+  > Creates and configures XFRM devices for offloaded IPsec.
+
 - [**`wifis`**](#properties-for-device-type-wifis) (mapping)
 
   > Configures physical Wi-Fi interfaces as `client`, `adhoc` or `access point`.
@@ -1956,6 +1960,45 @@ VXLAN specific keys:
   > Allows setting the IPv4 Do not Fragment (DF) bit in outgoing packets.
   > Takes a boolean value. When unset, the kernel default will be used.
 
+(yaml-xfrm-interfaces)=
+## Properties for device type `xfrm-interfaces`
+
+**Status**: Optional.
+
+**Purpose**: Use the `xfrm-interfaces` key to create virtual XFRM (IPsec) interfaces.
+
+**Structure**: The key consists of a mapping of XFRM interface names. Each
+`xfrm-interface` requires an `if_id`. The general configuration structure for
+XFRM interfaces is shown below.
+
+```yaml
+network:
+  xfrm-interfaces:
+    xfrm0:
+      if_id: 10
+      link: eth0
+      ...
+```
+
+When applied, a virtual interface called `xfrm0` will be created in the system.
+
+XFRM interfaces provide the kernel interface for IPsec transform operations.
+
+The specific settings for `xfrm-interfaces` are defined below.
+
+- **`if_id`** (scalar)
+
+  > The XFRM interface ID (if_id). This is a required parameter.
+  > Takes a number in the range `1..4294967295`.
+
+- **`link`** (scalar)
+
+  > The underlying physical interface for this XFRM interface.
+
+- **`independent`** (boolean)
+
+  > If set to `true`, the XFRM interface is independent of the underlying interface (`link`). Defaults to `false`.
+
 ## Properties for device type `virtual-ethernets`
 
 **Status**: Optional.

include/types.h

@@ -57,6 +57,7 @@ typedef enum {
     NETPLAN_DEF_TYPE_TUNNEL,
     NETPLAN_DEF_TYPE_PORT,
     NETPLAN_DEF_TYPE_VRF,
+    NETPLAN_DEF_TYPE_XFRM,
     /* Type fallback/passthrough */
     NETPLAN_DEF_TYPE_NM,
     NETPLAN_DEF_TYPE_DUMMY,     /* wokeignore:rule=dummy */

src/abi.h

@@ -356,6 +356,13 @@ struct netplan_net_definition {
         guint port;
     } tunnel;
 
+    /* XFRM interface properties */
+    struct {
+        guint interface_id;
+        gboolean independent;
+        NetplanNetDefinition* link;
+    } xfrm;
+
     NetplanAuthenticationSettings auth;
     gboolean has_auth;
 

src/names.c

@@ -49,6 +49,7 @@ netplan_def_type_to_str[NETPLAN_DEF_TYPE_MAX_] = {
     [NETPLAN_DEF_TYPE_VLAN] = "vlans",
     [NETPLAN_DEF_TYPE_VRF] = "vrfs",
     [NETPLAN_DEF_TYPE_TUNNEL] = "tunnels",
+    [NETPLAN_DEF_TYPE_XFRM] = "xfrm-interfaces",
     [NETPLAN_DEF_TYPE_DUMMY] = "dummy-devices",       /* wokeignore:rule=dummy */
     [NETPLAN_DEF_TYPE_VETH] = "virtual-ethernets",
     [NETPLAN_DEF_TYPE_PORT] = "_ovs-ports",

src/networkd.c

@@ -697,6 +697,15 @@ write_netdev_file(const NetplanNetDefinition* def, const char* rootdir, const ch
                 write_tunnel_params(s, def);
             break;
 
+        /* Generate XFRM interface netdev file */
+                case NETPLAN_DEF_TYPE_XFRM:
+            g_string_append_printf(s, "Kind=xfrm\n\n[Xfrm]\nInterfaceId=%u\n", def->xfrm.interface_id);
+                /* Independent interfaces operate without link device, in reality it will show up as @lo. */
+            if (def->xfrm.independent) {
+                g_string_append(s, "Independent=true\n");
+            }
+            break;
+
         default: g_assert_not_reached(); // LCOV_EXCL_LINE
     }
 

src/parse.c

@@ -346,6 +346,36 @@ process_mapping(NetplanParser* npp, yaml_node_t* node, const char* key_prefix, c
  * Generic helper functions to extract data from scalar nodes.
  *************************************************************/
 
+/**
+ * Handler for setting a guint field from a scalar node, inside a given struct
+ * Supports hex (0x prefix) and decimal values
+ * @entryptr: pointer to the begining of the to-be-modified data structure
+ * @data: offset into entryptr struct where the guint field to write is located
+ */
+STATIC gboolean
+handle_generic_guint_hex_dec(NetplanParser* npp, yaml_node_t* node, const void* entryptr, const void* data, GError** error)
+{
+    g_assert(entryptr != NULL);
+    guint offset = GPOINTER_TO_UINT(data);
+    guint64 v;
+    gchar* endptr;
+
+    const char* s_node = scalar(node);
+
+    if (g_str_has_prefix(s_node, "0x") || g_str_has_prefix(s_node, "0X")) {
+        v = g_ascii_strtoull(s_node, &endptr, 16);
+    } else {
+        v = g_ascii_strtoull(s_node, &endptr, 10);
+    }
+
+    if (*endptr != '\0' || v > G_MAXUINT)
+        return yaml_error(npp, node, error, "invalid unsigned int value '%s'", s_node);
+
+    mark_data_as_dirty(npp, entryptr + offset);
+    *((guint*) ((void*) entryptr + offset)) = (guint) v;
+    return TRUE;
+}
+
 /**
  * Handler for setting a guint field from a scalar node, inside a given struct
  * @entryptr: pointer to the begining of the to-be-modified data structure
@@ -733,6 +763,12 @@ handle_netdef_guint(NetplanParser* npp, yaml_node_t* node, const void* data, GEr
     return handle_generic_guint(npp, node, npp->current.netdef, data, error);
 }
 
+STATIC gboolean
+handle_netdef_guint_hex_dec(NetplanParser* npp, yaml_node_t* node, const void* data, GError** error)
+{
+    return handle_generic_guint_hex_dec(npp, node, npp->current.netdef, data, error);
+}
+
 STATIC gboolean
 handle_netdef_ip4(NetplanParser* npp, yaml_node_t* node, const void* data, GError** error)
 {
@@ -3141,6 +3177,15 @@ static const mapping_entry_handler tunnel_def_handlers[] = {
     {NULL}
 };
 
+static const mapping_entry_handler xfrm_def_handlers[] = {
+    COMMON_LINK_HANDLERS,
+    COMMON_BACKEND_HANDLERS,
+    {"if_id", YAML_SCALAR_NODE, {.generic=handle_netdef_guint_hex_dec}, netdef_offset(xfrm.interface_id)}, /* hex/dec like iproute2 */
+    {"independent", YAML_SCALAR_NODE, {.generic=handle_netdef_bool}, netdef_offset(xfrm.independent)},
+    {"link", YAML_SCALAR_NODE, {.generic=handle_netdef_id_ref}, netdef_offset(xfrm.link)},
+    {NULL}
+};
+
 /****************************************************
  * Grammar and handlers for network node
  ****************************************************/
@@ -3375,6 +3420,7 @@ handle_network_type(NetplanParser* npp, yaml_node_t* node, const char* key_prefi
             case NETPLAN_DEF_TYPE_ETHERNET: handlers = ethernet_def_handlers; break;
             case NETPLAN_DEF_TYPE_MODEM: handlers = modem_def_handlers; break;
             case NETPLAN_DEF_TYPE_TUNNEL: handlers = tunnel_def_handlers; break;
+            case NETPLAN_DEF_TYPE_XFRM: handlers = xfrm_def_handlers; break;
             case NETPLAN_DEF_TYPE_VLAN: handlers = vlan_def_handlers; break;
             case NETPLAN_DEF_TYPE_VRF: handlers = vrf_def_handlers; break;
             case NETPLAN_DEF_TYPE_WIFI: handlers = wifi_def_handlers; break;
@@ -3427,6 +3473,10 @@ handle_network_type(NetplanParser* npp, yaml_node_t* node, const char* key_prefi
                 npp->current.netdef->vxlan->independent = TRUE;
         }
 
+        if (!npp->xfrm_if_ids) {
+            npp->xfrm_if_ids = g_hash_table_new(g_direct_hash, g_direct_equal);
+        }
+
         /* validate definition-level conditions */
         int ret = validate_netdef_grammar(npp, npp->current.netdef, error);
         if (!ret && (npp->flags & NETPLAN_PARSER_IGNORE_ERRORS) == 0)
@@ -3485,6 +3535,7 @@ static const mapping_entry_handler network_handlers[] = {
     {"vlans", YAML_MAPPING_NODE, {.map={.custom=handle_network_type}}, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_VLAN)},
     {"vrfs", YAML_MAPPING_NODE, {.map={.custom=handle_network_type}}, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_VRF)},
     {"wifis", YAML_MAPPING_NODE, {.map={.custom=handle_network_type}}, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_WIFI)},
+    {"xfrm-interfaces", YAML_MAPPING_NODE, {.map={.custom=handle_network_type}}, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_XFRM)},
     {"modems", YAML_MAPPING_NODE, {.map={.custom=handle_network_type}}, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_MODEM)},
     {"dummy-devices", YAML_MAPPING_NODE, {.map={.custom=handle_network_type}}, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_DUMMY)},    /* wokeignore:rule=dummy */
     {"virtual-ethernets", YAML_MAPPING_NODE, {.map={.custom=handle_network_type}}, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_VETH)},
@@ -3811,6 +3862,11 @@ netplan_parser_reset(NetplanParser* npp)
     }
     // LCOV_EXCL_STOP
 
+    if (npp->xfrm_if_ids) {
+        g_hash_table_destroy(npp->xfrm_if_ids);
+        npp->xfrm_if_ids = NULL;
+    }
+
     if (npp->missing_id) {
         g_hash_table_destroy(npp->missing_id);
         npp->missing_id = NULL;
@@ -3839,7 +3895,17 @@ netplan_parser_reset(NetplanParser* npp)
         npp->global_renderer = NULL;
     }
 
+    if (npp->xfrm_if_ids) {
+        g_hash_table_destroy(npp->xfrm_if_ids);
+        npp->xfrm_if_ids = NULL;
+    }
+
     npp->flags = 0;
+
+    if (npp->xfrm_if_ids) {
+        g_hash_table_destroy(npp->xfrm_if_ids);
+        npp->xfrm_if_ids = NULL;
+    }
     npp->error_count = 0;
 }
 

src/types-internal.h

@@ -273,6 +273,9 @@ struct netplan_parser {
      * when the flag IGNORE_ERRORS is set
      * */
     unsigned int error_count;
+
+    /* Hash table to track XFRM interface IDs to ensure uniqueness */
+    GHashTable* xfrm_if_ids;
 };
 
 struct netplan_state_iterator {

src/types.c

@@ -350,6 +350,11 @@ reset_netdef(NetplanNetDefinition* netdef, NetplanDefType new_type, NetplanBacke
     memset(&netdef->tunnel, 0, sizeof(netdef->tunnel));
     netdef->tunnel.mode = NETPLAN_TUNNEL_MODE_UNKNOWN;
 
+    /* Reset XFRM parameters */
+    memset(&netdef->xfrm, 0, sizeof(netdef->xfrm));
+    netdef->xfrm.independent = FALSE;
+    netdef->xfrm.link = NULL;
+
     reset_auth_settings(&netdef->auth);
     netdef->has_auth = FALSE;
 

src/validation.c

@@ -417,6 +417,27 @@ validate_netdef_grammar(const NetplanParser* npp, NetplanNetDefinition* nd, GErr
         }
     }
 
+    /* Validate XFRM interface configuration */
+        if (nd->type == NETPLAN_DEF_TYPE_XFRM) {
+        if (nd->xfrm.interface_id == 0) {
+            return yaml_error(npp, NULL, error, "%s: missing 'if_id'", nd->id);
+        }
+        if (nd->xfrm.interface_id < 1 || nd->xfrm.interface_id > 0xffffffff) {
+            return yaml_error(npp, NULL, error, "%s: XFRM 'if_id' must be in range [1..0xffffffff]", nd->id);
+        }
+        if (!nd->xfrm.independent && nd->xfrm.link == NULL) {
+            return yaml_error(npp, NULL, error, "%s: Non-independent XFRM interfaces require property 'link'", nd->id);
+        }
+
+        /* Ensure no xfrm if_id is used more than once */
+        NetplanNetDefinition* existing_def = g_hash_table_lookup(npp->xfrm_if_ids, GINT_TO_POINTER(nd->xfrm.interface_id));
+        if (existing_def != NULL && existing_def != nd) {
+            return yaml_error(npp, NULL, error, "%s: duplicate if_id '%u' (already used by %s)",
+                              nd->id, nd->xfrm.interface_id, existing_def->id);
+        }
+        g_hash_table_insert(npp->xfrm_if_ids, GINT_TO_POINTER(nd->xfrm.interface_id), nd);
+    }
+
     if (nd->type == NETPLAN_DEF_TYPE_VRF) {
         if (nd->vrf_table == G_MAXUINT) {
             return yaml_error(npp, NULL, error, "%s: missing 'table' property", nd->id);

tests/config_fuzzer/schemas/xfrm-interfaces.js

@@ -0,0 +1,68 @@
+import * as common from "./common.js";
+
+const xfrm_interfaces_schema = {
+    type: "object",
+    additionalProperties: false,
+    properties: {
+        network: {
+            type: "object",
+            additionalProperties: false,
+            properties: {
+                renderer: {
+                    type: "string",
+                    enum: ["networkd"]
+                },
+                version: {
+                    type: "integer",
+                    minimum: 2,
+                    maximum: 2
+                },
+                ethernets: {
+                    type: "object",
+                    additionalProperties: false,
+                    properties: {
+                        "eth0": {
+                            type: "object",
+                            additionalProperties: false,
+                            properties: {
+                                "dhcp4": {
+                                    type: "boolean"
+                                }
+                            }
+                        }
+                    }
+                },
+                "xfrm-interfaces": {
+                    type: "object",
+                    additionalProperties: false,
+                    properties: {
+                        "xfrm0": {
+                            type: "object",
+                            additionalProperties: false,
+                            properties: {
+                                "if_id": {
+                                    type: "integer",
+                                    minimum: 1,
+                                    maximum: 4294967295
+                                },
+                                "independent": {
+                                    type: "boolean"
+                                },
+                                "link": {
+                                    type: "string",
+                                    enum: ["eth0"]
+                                },
+                                ...common.common_properties
+                            },
+                            required: ["if_id"]
+                        }
+                    }
+                }
+            },
+            required: ["version", "xfrm-interfaces"]
+        }
+    },
+    required: ["network"]
+};
+
+export default xfrm_interfaces_schema;