On 04/10/2024 18:13, Donald Hunter wrote:
On Wed, 2 Oct 2024 at 10:03, Antonio Quartulli <anto...@openvpn.net> wrote:

+definitions:
+  -
+    type: const
+    name: nonce-tail-size
+    value: 8
+  -
+    type: enum
+    name: cipher-alg
+    value-start: 0

value-start defaults to 0 for enum so this is unnecessary. Same for
the following enum definitions.

ACK


+    entries: [ none, aes-gcm, chacha20-poly1305 ]
+  -
+    type: enum
+    name: del-peer-reason
+    value-start: 0
+    entries: [ teardown, userspace, expired, transport-error, 
transport-disconnect ]
+  -
+    type: enum
+    name: key-slot
+    value-start: 0
+    entries: [ primary, secondary ]
+  -
+    type: enum
+    name: mode
+    value-start: 0
+    entries: [ p2p, mp ]
+

[...]

+operations:
+  list:
+    -
+      name: dev-new
+      attribute-set: ovpn
+      flags: [ admin-perm ]
+      doc: Create a new interface of type ovpn
+      do:
+        request:
+          attributes:
+            - ifname
+            - mode
+        reply:
+          attributes:
+            - ifname
+            - ifindex
+    -
+      name: dev-del
+      attribute-set: ovpn
+      flags: [ admin-perm ]
+      doc: Delete existing interface of type ovpn
+      do:
+        pre: ovpn-nl-pre-doit
+        post: ovpn-nl-post-doit
+        request:
+          attributes:
+            - ifindex

There's no dev-get do/dump op. I think there should be one for
diagnostics and metrics.

I am not sure how much information it can provide (as of now we only have the 'mode' that is being set upon creation).

In any case, I am not against implementing the op now and extend it later as we see fit.


+    -
+      name: key-new
+      attribute-set: ovpn
+      flags: [ admin-perm ]
+      doc: Add a cipher key for a specific peer
+      do:
+        pre: ovpn-nl-pre-doit
+        post: ovpn-nl-post-doit
+        request:
+          attributes:
+            - ifindex
+            - keyconf
+    -
+      name: key-swap
+      attribute-set: ovpn
+      flags: [ admin-perm ]
+      doc: Swap primary and secondary session keys for a specific peer
+      do:
+        pre: ovpn-nl-pre-doit
+        post: ovpn-nl-post-doit
+        request:
+          attributes:
+            - ifindex
+            - keyconf
+    -
+      name: key-swap-ntf
+      notify: key-new

This doesn't work because key-new doesn't have a reply. You should
define it with an event: block instead. You can see the build errors
here:

make -C tools/net/ynl

Oh, I wasn't aware of this subfolder.
Thanks for pointing it out!

I am thinking that it may make sense to implement a key-get op to extract non-sensible data about the keys (i.e. what cipher was configured). This may be useful for debugging as well.

At that point the key-swap-ntf can re-use the key-get as notify.


Cheers,


CC ovpn-user.o
In file included from ovpn-user.c:8:
ovpn-user.h:1194:33: error: field ‘obj’ has incomplete type
  1194 |         struct ovpn_key_new_rsp obj __attribute__((aligned(8)));
       |                                 ^~~
ovpn-user.c:835:35: error: ‘ovpn_key_new_rsp_parse’ undeclared here
(not in a function); did you mean ‘ovpn_dev_new_rsp_parse’?
   835 |                 .cb             = ovpn_key_new_rsp_parse,
       |                                   ^~~~~~~~~~~~~~~~~~~~~~
       |                                   ovpn_dev_new_rsp_parse
make[1]: *** [Makefile:41: ovpn-user.o] Error 1

+      doc: |
+        Notification about key having exhausted its IV space and requiring
+        renegotiation
+      mcgrp: peers
+    -
+      name: key-del
+      attribute-set: ovpn
+      flags: [ admin-perm ]
+      doc: Delete cipher key for a specific peer
+      do:
+        pre: ovpn-nl-pre-doit
+        post: ovpn-nl-post-doit
+        request:
+          attributes:
+            - ifindex
+            - keyconf
+
+mcast-groups:
+  list:
+    -
+      name: peers

--
Antonio Quartulli
OpenVPN Inc.

Reply via email to