On 04/10/2024 18:13, Donald Hunter wrote:
On Wed, 2 Oct 2024 at 10:03, Antonio Quartulli antonio@openvpn.net wrote:
+definitions:
- type: const
- name: nonce-tail-size
- value: 8
- type: enum
- name: cipher-alg
- value-start: 0
value-start defaults to 0 for enum so this is unnecessary. Same for the following enum definitions.
ACK
- entries: [ none, aes-gcm, chacha20-poly1305 ]
- type: enum
- name: del-peer-reason
- value-start: 0
- entries: [ teardown, userspace, expired, transport-error, transport-disconnect ]
- type: enum
- name: key-slot
- value-start: 0
- entries: [ primary, secondary ]
- type: enum
- name: mode
- value-start: 0
- entries: [ p2p, mp ]
[...]
+operations:
- list:
name: dev-newattribute-set: ovpnflags: [ admin-perm ]doc: Create a new interface of type ovpndo:request:attributes:- ifname- modereply:attributes:- ifname- ifindex
name: dev-delattribute-set: ovpnflags: [ admin-perm ]doc: Delete existing interface of type ovpndo:pre: ovpn-nl-pre-doitpost: ovpn-nl-post-doitrequest:attributes:- ifindexThere's no dev-get do/dump op. I think there should be one for diagnostics and metrics.
I am not sure how much information it can provide (as of now we only have the 'mode' that is being set upon creation).
In any case, I am not against implementing the op now and extend it later as we see fit.
name: key-newattribute-set: ovpnflags: [ admin-perm ]doc: Add a cipher key for a specific peerdo:pre: ovpn-nl-pre-doitpost: ovpn-nl-post-doitrequest:attributes:- ifindex- keyconf
name: key-swapattribute-set: ovpnflags: [ admin-perm ]doc: Swap primary and secondary session keys for a specific peerdo:pre: ovpn-nl-pre-doitpost: ovpn-nl-post-doitrequest:attributes:- ifindex- keyconf
name: key-swap-ntfnotify: key-newThis doesn't work because key-new doesn't have a reply. You should define it with an event: block instead. You can see the build errors here:
make -C tools/net/ynl
Oh, I wasn't aware of this subfolder. Thanks for pointing it out!
I am thinking that it may make sense to implement a key-get op to extract non-sensible data about the keys (i.e. what cipher was configured). This may be useful for debugging as well.
At that point the key-swap-ntf can re-use the key-get as notify.
Cheers,
CC ovpn-user.o In file included from ovpn-user.c:8: ovpn-user.h:1194:33: error: field ‘obj’ has incomplete type 1194 | struct ovpn_key_new_rsp obj __attribute__((aligned(8))); | ^~~ ovpn-user.c:835:35: error: ‘ovpn_key_new_rsp_parse’ undeclared here (not in a function); did you mean ‘ovpn_dev_new_rsp_parse’? 835 | .cb = ovpn_key_new_rsp_parse, | ^~~~~~~~~~~~~~~~~~~~~~ | ovpn_dev_new_rsp_parse make[1]: *** [Makefile:41: ovpn-user.o] Error 1
doc: |Notification about key having exhausted its IV space and requiringrenegotiationmcgrp: peers
name: key-delattribute-set: ovpnflags: [ admin-perm ]doc: Delete cipher key for a specific peerdo:pre: ovpn-nl-pre-doitpost: ovpn-nl-post-doitrequest:attributes:- ifindex- keyconf+mcast-groups:
- list:
name: peers