sonic-net · Pterosaur · Nov 25, 2021 · Sep 8, 2021 · Sep 13, 2021 · Sep 13, 2021
@@ -13,7 +13,8 @@ $(DOCKER_SONIC_VS)_DEPENDS += $(SWSS) \
                               $(LIBYANG_CPP) \
                               $(LIBYANG_PY3) \
                               $(SONIC_UTILITIES_DATA) \
-                              $(SONIC_HOST_SERVICES_DATA)
+                              $(SONIC_HOST_SERVICES_DATA) \
+                              $(IPROUTE2)
 
 # swsssdk is a dependency of sonic-py-common
 # TODO: sonic-py-common should depend on swsscommon instead

@@ -3,7 +3,8 @@
 DOCKER_SYNCD_PLATFORM_CODE = vs
 include $(PLATFORM_PATH)/../template/docker-syncd-base.mk
 
-$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS)
+$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS) \
+                                $(IPROUTE2)
 
 $(DOCKER_SYNCD_BASE)_DBG_DEPENDS += $(SYNCD_VS_DBG) \
                                 $(LIBSWSSCOMMON_DBG) \

@@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update
 
-RUN apt-get install -f -y iproute2 libcap2-bin
+RUN apt-get install -f -y libcap2-bin
 
 COPY \
 {% for deb in docker_syncd_vs_debs.split(' ') -%}
@@ -20,7 +20,7 @@ debs/
 RUN dpkg -i \
 {% for deb in docker_syncd_vs_debs.split(' ') -%}
 debs/{{ deb }}{{' '}}
-{%- endfor %}
+{%- endfor %} || apt-get install -f -y
 
 COPY ["start.sh", "/usr/bin/"]
 

@@ -1,7 +1,11 @@
 # iproute2 package
 
-IPROUTE2_VERSION = 4.9.0-1
+IPROUTE2_VERSION = 5.10.0
+IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-4~bpo10+1
 
-IPROUTE2 = iproute2_$(IPROUTE2_VERSION)_$(CONFIGURED_ARCH).deb
+export IPROUTE2_VERSION
+export IPROUTE2_VERSION_FULL
+
+IPROUTE2 = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb
 $(IPROUTE2)_SRC_PATH = $(SRC_PATH)/iproute2
 SONIC_MAKE_DEBS += $(IPROUTE2)
@@ -356,6 +356,12 @@ RUN apt-get update && apt-get install -y \
         libsystemd-dev \
         pkg-config
 
+# For iproute2
+RUN apt-get install -y -t buster-backports \
+        libbpf-dev \
+        dwz \
+        debhelper
+
 RUN apt-get -y build-dep openssh
 
 # Build fix for ARMHF buster libsairedis

diff --git a/src/iproute2/.gitignore b/src/iproute2/.gitignore
@@ -1,3 +1,4 @@
 *
 !.gitignore
 !Makefile
+!patch/*
diff --git a/src/iproute2/Makefile b/src/iproute2/Makefile
@@ -2,21 +2,21 @@ SHELL = /bin/bash
 .ONESHELL:
 .SHELLFLAGS += -e
 
-IPROUTE2_VERSION = 4.9.0
-IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-1
-
 MAIN_TARGET = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb
 
 $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 	# Remove any stale files
 	rm -rf iproute2-$(IPROUTE2_VERSION)
 
-	wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0.orig.tar.xz?sv=2015-04-05&sr=b&sig=9nvybd1xkXyRQbaG6Fy6wBazPA8IbZV0AO41GWXPEP8%3D&se=2154-10-23T11%3A59%3A00Z&sp=r"
-	wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.dsc?sv=2015-04-05&sr=b&sig=m6FcMH9dOh8ggipBgOsONiXvDxoi6bfUO%2BxvidsMNMQ%3D&se=2154-10-23T11%3A59%3A53Z&sp=r"
-	wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.debian.tar.xz?sv=2015-04-05&sr=b&sig=U5NFuwG5C3vZXlUUNvoPMnKDtMKk66zbweA9rQYbEVY%3D&se=2154-10-23T12%3A00%3A15Z&sp=r"
+	wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION).orig.tar.xz
+	wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).dsc
+	wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz
 	dpkg-source -x iproute2_$(IPROUTE2_VERSION_FULL).dsc
 
 	pushd iproute2-$(IPROUTE2_VERSION)
+
+	patch -p1 < ../patch/0001-patch-macsec-xpn-support.patch
+
 	dpkg-buildpackage -us -uc -b -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
 	popd
 

diff --git a/src/iproute2/patch/0001-patch-macsec-xpn-support.patch b/src/iproute2/patch/0001-patch-macsec-xpn-support.patch
@@ -0,0 +1,213 @@
+From f1ea3235b5250dfd1193b5033620b030b9789fd9 Mon Sep 17 00:00:00 2001
+From: Ze Gan <[email protected]>
+Date: Mon, 30 Aug 2021 06:45:28 +0000
+Subject: [PATCH] MACsec XPN support
+
+Signed-off-by: Ze Gan <[email protected]>
+---
+ ip/ipmacsec.c | 86 ++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 74 insertions(+), 12 deletions(-)
+
+diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
+index 18289ecd..1df19bf1 100644
+--- a/ip/ipmacsec.c
++++ b/ip/ipmacsec.c
+@@ -10,6 +10,7 @@
+  */
+
+ #include <stdio.h>
++#include <inttypes.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <errno.h>
+@@ -23,6 +24,8 @@
+ #include "ll_map.h"
+ #include "libgenl.h"
+
++#define MACSEC_SALT_LEN 12
++
+ static const char * const values_on_off[] = { "off", "on" };
+
+ static const char * const validate_str[] = {
+@@ -45,11 +48,13 @@ struct sci {
+
+ struct sa_desc {
+ 	__u8 an;
+-	__u32 pn;
++	__u64 pn;
+ 	__u8 key_id[MACSEC_KEYID_LEN];
+ 	__u32 key_len;
+ 	__u8 key[MACSEC_MAX_KEY_LEN];
+ 	__u8 active;
++	__u32 ssci;
++	__u8 salt[MACSEC_SALT_LEN];
+ };
+
+ struct cipher_args {
+@@ -88,7 +93,7 @@ static int genl_family = -1;
+ static void ipmacsec_usage(void)
+ {
+ 	fprintf(stderr,
+-		"Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] key ID KEY\n"
++		"Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] [ ssci SSCI salt SALT] key ID KEY\n"
+ 		"       ip macsec set DEV tx sa { 0..3 } [ OPTS ]\n"
+ 		"       ip macsec del DEV tx sa { 0..3 }\n"
+ 		"       ip macsec add DEV rx SCI [ on | off ]\n"
+@@ -100,10 +105,12 @@ static void ipmacsec_usage(void)
+ 		"       ip macsec show\n"
+ 		"       ip macsec show DEV\n"
+ 		"       ip macsec offload DEV [ off | phy | mac ]\n"
+-		"where  OPTS := [ pn <u32> ] [ on | off ]\n"
++		"where  OPTS := [ pn <u64> ] [ on | off ]\n"
+ 		"       ID   := 128-bit hex string\n"
+ 		"       KEY  := 128-bit or 256-bit hex string\n"
+-		"       SCI  := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n");
++		"       SCI  := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n"
++		"       SSCI := <u32>\n"
++		"       SALT := 96-bit hex string\n");
+
+ 	exit(-1);
+ }
+@@ -198,7 +205,7 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
+ 			if (sa->pn != 0)
+ 				duparg2("pn", "pn");
+ 			NEXT_ARG();
+-			ret = get_u32(&sa->pn, *argv, 0);
++			ret = get_u64(&sa->pn, *argv, 0);
+ 			if (ret)
+ 				invarg("expected pn", *argv);
+ 			if (sa->pn == 0)
+@@ -224,6 +231,22 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
+ 				duparg2("on/off", "off");
+ 			sa->active = false;
+ 			active_set = true;
++		} else if (strcmp(*argv, "ssci") == 0) {
++			if (sa->ssci != 0)
++				duparg2("ssci", "ssci");
++			NEXT_ARG();
++			ret = get_u32(&sa->ssci, *argv, 0);
++			if (ret)
++				invarg("expected ssci", *argv);
++			if (sa->ssci == 0)
++				invarg("expected ssci != 0", *argv);
++		} else if (strcmp(*argv, "salt") == 0) {
++			unsigned int len;
++
++			NEXT_ARG();
++			if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN,
++					   &len))
++				invarg("expected salt", *argv);
+ 		} else {
+ 			fprintf(stderr, "macsec: unknown command \"%s\"?\n",
+ 				*argv);
+@@ -413,9 +436,15 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
+ 	addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an);
+
+ 	if (c != CMD_DEL) {
+-		if (sa->pn)
+-			addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
+-				  sa->pn);
++		if (sa->pn) {
++			if (sa->ssci == 0) {
++				addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
++					sa->pn);
++			} else {
++				addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
++					sa->pn);
++			}
++		}
+
+ 		if (sa->key_len) {
+ 			addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_KEYID,
+@@ -428,6 +457,13 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
+ 			addattr8(&req.n, MACSEC_BUFLEN,
+ 				 MACSEC_SA_ATTR_ACTIVE, sa->active);
+ 		}
++
++		if (sa->ssci != 0) {
++			addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI,
++				  sa->ssci);
++			addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT,
++				  sa->salt, MACSEC_SALT_LEN);
++		}
+ 	}
+
+ 	addattr_nest_end(&req.n, attr_sa);
+@@ -456,6 +492,11 @@ static bool check_sa_args(enum cmd c, struct sa_desc *sa)
+ 			fprintf(stderr, "cannot change key on SA\n");
+ 			return -1;
+ 		}
++
++		if (sa->ssci) {
++			fprintf(stderr, "cannot change SSCI on SA\n");
++			return -1;
++		}
+ 	}
+
+ 	return 0;
+@@ -637,6 +678,8 @@ static void print_key(struct rtattr *key)
+
+ #define CIPHER_NAME_GCM_AES_128 "GCM-AES-128"
+ #define CIPHER_NAME_GCM_AES_256 "GCM-AES-256"
++#define CIPHER_NAME_GCM_AES_XPN_128 "GCM-AES-XPN-128"
++#define CIPHER_NAME_GCM_AES_XPN_256 "GCM-AES-XPN-256"
+ #define DEFAULT_CIPHER_NAME CIPHER_NAME_GCM_AES_128
+
+ static const char *cs_id_to_name(__u64 cid)
+@@ -649,6 +692,10 @@ static const char *cs_id_to_name(__u64 cid)
+ 		return CIPHER_NAME_GCM_AES_128;
+ 	case MACSEC_CIPHER_ID_GCM_AES_256:
+ 		return CIPHER_NAME_GCM_AES_256;
++	case MACSEC_CIPHER_ID_GCM_AES_XPN_128:
++		return CIPHER_NAME_GCM_AES_XPN_128;
++	case MACSEC_CIPHER_ID_GCM_AES_XPN_256:
++		return CIPHER_NAME_GCM_AES_XPN_256;
+ 	default:
+ 		return "(unknown)";
+ 	}
+@@ -897,13 +944,22 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa,
+ 		print_string(PRINT_FP, NULL, "%s", prefix);
+ 		print_uint(PRINT_ANY, "an", "%d:",
+ 			   rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN]));
+-		print_uint(PRINT_ANY, "pn", " PN %u,",
+-			   rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
++		if (!sa_attr[MACSEC_SA_ATTR_SSCI]) {
++			print_uint(PRINT_ANY, "pn", " PN %u,",
++				rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
++		} else {
++			print_uint(PRINT_ANY, "pn", " PN %" PRIu64 ",",
++				rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN]));
++		}
+
+ 		print_bool(PRINT_JSON, "active", NULL, state);
+ 		print_string(PRINT_FP, NULL,
+ 			     " state %s,", state ? "on" : "off");
+ 		print_key(sa_attr[MACSEC_SA_ATTR_KEYID]);
++		if (sa_attr[MACSEC_SA_ATTR_SSCI]) {
++			print_uint(PRINT_ANY, "ssci", " SSCI %u,",
++				rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI]));
++		}
+
+ 		print_txsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]);
+ 		close_json_object();
+@@ -1322,9 +1378,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
+ 			else if (strcmp(*argv, "gcm-aes-256") == 0 ||
+ 			         strcmp(*argv, "GCM-AES-256") == 0)
+ 				cipher.id = MACSEC_CIPHER_ID_GCM_AES_256;
++			else if (strcmp(*argv, "gcm-aes-xpn-128") == 0 ||
++			         strcmp(*argv, "GCM-AES-XPN-128") == 0)
++				cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_128;
++			else if (strcmp(*argv, "gcm-aes-xpn-256") == 0 ||
++			         strcmp(*argv, "GCM-AES-XPN-256") == 0)
++				cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_256;
+ 			else
+-				invarg("expected: default, gcm-aes-128 or"
+-				       " gcm-aes-256", *argv);
++				invarg("expected: default, gcm-aes-128"
++				       " gcm-aes-256 gcm-aes-xpn-128 gcm-aes-xpn-256", *argv);
+ 		} else if (strcmp(*argv, "icvlen") == 0) {
+ 			NEXT_ARG();
+ 			if (cipher.icv_len)
+-- 
+2.17.1
+