On 04/10/2024 18:13, Donald Hunter wrote:
On Wed, 2 Oct 2024 at 10:03, Antonio Quartulli <anto...@openvpn.net> wrote:
+definitions:
+ -
+ type: const
+ name: nonce-tail-size
+ value: 8
+ -
+ type: enum
+ name: cipher-alg
+ value-start: 0
value-start defaults to 0 for enum so this is unnecessary. Same for
the following enum definitions.
ACK
+ entries: [ none, aes-gcm, chacha20-poly1305 ]
+ -
+ type: enum
+ name: del-peer-reason
+ value-start: 0
+ entries: [ teardown, userspace, expired, transport-error,
transport-disconnect ]
+ -
+ type: enum
+ name: key-slot
+ value-start: 0
+ entries: [ primary, secondary ]
+ -
+ type: enum
+ name: mode
+ value-start: 0
+ entries: [ p2p, mp ]
+
[...]
+operations:
+ list:
+ -
+ name: dev-new
+ attribute-set: ovpn
+ flags: [ admin-perm ]
+ doc: Create a new interface of type ovpn
+ do:
+ request:
+ attributes:
+ - ifname
+ - mode
+ reply:
+ attributes:
+ - ifname
+ - ifindex
+ -
+ name: dev-del
+ attribute-set: ovpn
+ flags: [ admin-perm ]
+ doc: Delete existing interface of type ovpn
+ do:
+ pre: ovpn-nl-pre-doit
+ post: ovpn-nl-post-doit
+ request:
+ attributes:
+ - ifindex
There's no dev-get do/dump op. I think there should be one for
diagnostics and metrics.
I am not sure how much information it can provide (as of now we only
have the 'mode' that is being set upon creation).
In any case, I am not against implementing the op now and extend it
later as we see fit.
+ -
+ name: key-new
+ attribute-set: ovpn
+ flags: [ admin-perm ]
+ doc: Add a cipher key for a specific peer
+ do:
+ pre: ovpn-nl-pre-doit
+ post: ovpn-nl-post-doit
+ request:
+ attributes:
+ - ifindex
+ - keyconf
+ -
+ name: key-swap
+ attribute-set: ovpn
+ flags: [ admin-perm ]
+ doc: Swap primary and secondary session keys for a specific peer
+ do:
+ pre: ovpn-nl-pre-doit
+ post: ovpn-nl-post-doit
+ request:
+ attributes:
+ - ifindex
+ - keyconf
+ -
+ name: key-swap-ntf
+ notify: key-new
This doesn't work because key-new doesn't have a reply. You should
define it with an event: block instead. You can see the build errors
here:
make -C tools/net/ynl
Oh, I wasn't aware of this subfolder.
Thanks for pointing it out!
I am thinking that it may make sense to implement a key-get op to
extract non-sensible data about the keys (i.e. what cipher was
configured). This may be useful for debugging as well.
At that point the key-swap-ntf can re-use the key-get as notify.
Cheers,
CC ovpn-user.o
In file included from ovpn-user.c:8:
ovpn-user.h:1194:33: error: field ‘obj’ has incomplete type
1194 | struct ovpn_key_new_rsp obj __attribute__((aligned(8)));
| ^~~
ovpn-user.c:835:35: error: ‘ovpn_key_new_rsp_parse’ undeclared here
(not in a function); did you mean ‘ovpn_dev_new_rsp_parse’?
835 | .cb = ovpn_key_new_rsp_parse,
| ^~~~~~~~~~~~~~~~~~~~~~
| ovpn_dev_new_rsp_parse
make[1]: *** [Makefile:41: ovpn-user.o] Error 1
+ doc: |
+ Notification about key having exhausted its IV space and requiring
+ renegotiation
+ mcgrp: peers
+ -
+ name: key-del
+ attribute-set: ovpn
+ flags: [ admin-perm ]
+ doc: Delete cipher key for a specific peer
+ do:
+ pre: ovpn-nl-pre-doit
+ post: ovpn-nl-post-doit
+ request:
+ attributes:
+ - ifindex
+ - keyconf
+
+mcast-groups:
+ list:
+ -
+ name: peers
--
Antonio Quartulli
OpenVPN Inc.