#include <arpa/inet.h>
#include <errno.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

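/*
 * Hand-build one XFRM_MSG_NEWSA request, send it on an AF_NETLINK /
 * NETLINK_XFRM socket and wait for the kernel's acknowledgement.
 *
 * Returns 0 only when the kernel accepted the new SA; -1 on any failure
 * (socket, address parsing, allocation, send/receive, or a negative
 * acknowledgement, which is reported with the errno the kernel returned).
 * Creating an SA needs CAP_NET_ADMIN.
 */
int main(void)
{
    /* Fixed example values; a real client derives SPI/reqid/seq itself. */
    enum {
        EXAMPLE_REQID = 100,
        EXAMPLE_SPI = 1234,
        EXAMPLE_SEQ = 12345,
        REPLY_BUF_SIZE = 4096
    };
    int rc = -1;
    struct nlmsghdr *nlh = NULL;

    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    if (fd < 0) {
        perror("socket");
        return -1;
    }

    /* Destination is the kernel: nl_pid 0, no multicast groups. */
    struct sockaddr_nl nladdr = { .nl_family = AF_NETLINK };

    struct xfrm_usersa_info sa_info;
    memset(&sa_info, 0, sizeof sa_info);
    sa_info.family = AF_INET;
    sa_info.saddr.a4 = htonl(INADDR_ANY);
    sa_info.reqid = EXAMPLE_REQID;
    sa_info.mode = XFRM_MODE_TUNNEL;
    /*
     * XFRM_STATE_VALID is an in-kernel state-machine value, not a uapi
     * flag, so it is dropped. NOTE(review): XFRM_STATE_ESN is kept from
     * the original, but the kernel expects an XFRMA_REPLAY_ESN_VAL
     * attribute together with it -- confirm against the target kernel.
     */
    sa_info.flags = XFRM_STATE_ESN;
    /* id.proto is mandatory: an SA with protocol 0 is rejected. */
    sa_info.id.proto = IPPROTO_ESP;
    /* spi is __be32 on the wire; the original stored it in host order. */
    sa_info.id.spi = htonl(EXAMPLE_SPI);
    /* The original used single quotes here, which is a (multi-)character
     * constant, not a string; parse the address and check the result. */
    if (inet_pton(AF_INET, "192.168.1.1", &sa_info.id.daddr.a4) != 1) {
        fprintf(stderr, "invalid destination address\n");
        goto out_close;
    }
    /*
     * Byte/packet limits: XFRM_INF means unlimited. Left at 0 the SA
     * counts as already exhausted. Time-based expiries stay 0 (= none).
     */
    sa_info.lft.soft_byte_limit = XFRM_INF;
    sa_info.lft.hard_byte_limit = XFRM_INF;
    sa_info.lft.soft_packet_limit = XFRM_INF;
    sa_info.lft.hard_packet_limit = XFRM_INF;
    /*
     * Algorithms and keys are NOT members of xfrm_usersa_info (the
     * original aalgos/ealgos/salgos assignments did not compile). They
     * travel as netlink attributes appended after the payload, e.g.
     * XFRMA_ALG_CRYPT / XFRMA_ALG_AUTH carrying a struct xfrm_algo.
     * This example sends none, so an ESP SA is expected to be refused;
     * the acknowledgement check below makes that visible instead of
     * silently returning 0.
     */

    /* calloc also zero-fills the NLMSG_ALIGN padding. */
    nlh = calloc(1, NLMSG_SPACE(sizeof sa_info));
    if (!nlh) {
        perror("calloc");
        goto out_close;
    }
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof sa_info);
    nlh->nlmsg_type = XFRM_MSG_NEWSA;
    /* NLM_F_ACK asks for a reply on success too, so the outcome is checkable. */
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL | NLM_F_ACK;
    nlh->nlmsg_seq = EXAMPLE_SEQ;
    nlh->nlmsg_pid = (unsigned)getpid();
    memcpy(NLMSG_DATA(nlh), &sa_info, sizeof sa_info);

    struct iovec iov = { .iov_base = nlh, .iov_len = nlh->nlmsg_len };
    struct msghdr msg = {
        .msg_name = &nladdr,
        .msg_namelen = sizeof nladdr,
        .msg_iov = &iov,
        .msg_iovlen = 1,
    };
    ssize_t sent = sendmsg(fd, &msg, 0);
    if (sent < 0) {
        perror("sendmsg");
        goto out_free;
    }
    if ((size_t)sent != nlh->nlmsg_len) {
        fprintf(stderr, "short send: %zd of %u bytes\n", sent, nlh->nlmsg_len);
        goto out_free;
    }

    /*
     * The union keeps the receive buffer aligned for struct nlmsghdr.
     * An ACK is small; REPLY_BUF_SIZE leaves room for extack attributes.
     */
    union {
        struct nlmsghdr hdr;
        char raw[REPLY_BUF_SIZE];
    } reply;
    memset(&reply, 0, sizeof reply);
    ssize_t got = recv(fd, &reply, sizeof reply, 0);
    if (got < 0) {
        perror("recv");
        goto out_free;
    }
    if (!NLMSG_OK(&reply.hdr, (size_t)got) ||
        reply.hdr.nlmsg_type != NLMSG_ERROR ||
        reply.hdr.nlmsg_seq != EXAMPLE_SEQ) {
        fprintf(stderr, "unexpected netlink reply: type %u, seq %u, %zd bytes\n",
                (unsigned)reply.hdr.nlmsg_type, (unsigned)reply.hdr.nlmsg_seq, got);
        goto out_free;
    }
    /* NLMSG_ERROR with error == 0 is the positive ACK; otherwise -errno. */
    struct nlmsgerr *ack = NLMSG_DATA(&reply.hdr);
    if (ack->error != 0) {
        errno = -ack->error;
        perror("XFRM_MSG_NEWSA rejected by kernel");
        goto out_free;
    }
    rc = 0;

out_free:
    free(nlh);
out_close:
    close(fd);
    return rc;
}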

该示例中,首先创建一个 AF_NETLINK (NETLINK_XFRM) 套接字,然后构造一个 xfrm_usersa_info 结构体,填充新建安全关联 (SA) 所需的信息。接着,分配一块 NLMSG_SPACE 大小的缓冲区作为 nlmsghdr 消息,并将 xfrm_usersa_info 结构体复制到 NLMSG_DATA(nlh) 所指向的位置。最后,通过 sendmsg 函数将 XFRM_MSG_NEWSA 消息发送到内核,内核会根据消息中的信息创建一个新的 XFRM 安全关联 (SA)。注意这里创建的是 SA 而不是安全策略:安全策略对应的是 XFRM_MSG_NEWPOLICY 和 xfrm_userpolicy_info。

使用 socket 接口创建 XFRM 安全关联 (SA) 示例:通过 xfrm_usersa_info 结构体新增 SA

