Noted. Should I wait until xfrm is converted to JSON output formatting? Or if there are no structural and stylistic issues, should I re-send this as a patch?
On Fri, Jan 4, 2019 at 4:21 PM Stephen Hemminger <step...@networkplumber.org> wrote:
>
> On Fri, 4 Jan 2019 15:19:10 -0800
> Benedict Wong <benedictw...@google.com> wrote:
>
> > ip xfrm state show currently dumps keys unconditionally. This limits its
> > use in logging, as security information can be leaked.
> >
> > This patch adds a nokeys option to ip xfrm ( state show | monitor ), which
> > prevents the printing of keys. This allows ip xfrm state show to be used
> > in logging without exposing keys.
> >
> > Signed-off-by: Benedict Wong <benedictw...@google.com>
> > ---
> > ip/ipxfrm.c | 45 +++++++++++++++++++++++++--------------------
> > ip/xfrm.h | 5 +++--
> > ip/xfrm_monitor.c | 7 +++++--
> > ip/xfrm_state.c | 27 ++++++++++++++++++++++-----
> > man/man8/ip-xfrm.8 | 15 ++++++++++++++-
> > 5 files changed, 69 insertions(+), 30 deletions(-)
> >
> > diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
> > index 2dea4e37..1334ca9f 100644
> > --- a/ip/ipxfrm.c
> > +++ b/ip/ipxfrm.c
> > @@ -497,7 +497,8 @@ void xfrm_selector_print(struct xfrm_selector *sel,
> > __u16 family,
> > }
> >
> > static void __xfrm_algo_print(struct xfrm_algo *algo, int type, int len,
> > - FILE *fp, const char *prefix, int newline)
> > + FILE *fp, const char *prefix, int newline,
> > + bool nokeys)
> > {
> > int keylen;
> > int i;
> > @@ -521,7 +522,9 @@ static void __xfrm_algo_print(struct xfrm_algo *algo,
> > int type, int len,
> > goto fin;
> > }
> >
> > - if (keylen > 0) {
> > + if (nokeys)
> > + fprintf(fp, "<<Keys hidden>>")
>
>
> This reminds me, xfrm never got converted to use JSON output formatting.
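Review bot: the added line `+ fprintf(fp, "<<Keys hidden>>")` in the second hunk of ip/ipxfrm.c has no trailing semicolon as quoted, so unless that is a quoting artifact it will not compile; please confirm the actual patch reads `fprintf(fp, "<<Keys hidden>>");`. The same hunk removes `if (keylen > 0) {` right after the new `if (nokeys)` branch, and the quote is cut before the replacement, so check that the `keylen > 0` path, its closing brace and the existing `goto fin` path still line up for both the hidden and the printed case. The first hunk adds a `bool nokeys` parameter to `__xfrm_algo_print`; make sure ip/ipxfrm.c (or ip/xfrm.h, which the diffstat also shows changed) includes <stdbool.h>, and that every caller counted in the ipxfrm.c, xfrm_monitor.c and xfrm_state.c changes passes the new argument. The diffstat shows man/man8/ip-xfrm.8 updated alongside the code, so the option is documented.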