[Swan-dev] [OpenWrt-Devel] [PATCH v3 2/3] network/config: add xfrm interface support scripts

Paul Wouters paul at nohats.ca
Tue Jun 11 22:18:26 UTC 2019


On Tue, 11 Jun 2019, Antony Antony wrote:

> XFRMi seems to be picking up fast. A proposed patch to OpenWRT network
> scripts would add support for an xfrm device. I guess we/Libreswan should
> merge our branch soon!

Cool. What is preventing the branch from being merged right now?

> OpenWRT patch proposal suggests the whole interface creation and its
> lifecycle could be managed by system network scripts.
> I imagine on Debian/Fedora systemd-networkd would get similar support soon.
> Or maybe NetworkManager. I am not sure.

I think it is certainly something we want to support. If a connection is
configured with mark=, and something else creates the interface, are we
still expected to change the routing too?

> Note they also planned to add ip address there. I wonder how this would work
> in various cases, road warrior, or BGP/routing protocol situations.

I guess it would only work for the static IP cases? Which seems to be
the more likely case for openwrt anyway?

> This package adds scripts for xfrm interfaces support.
> Example configuration via /etc/config/network:
>
> config interface 'xfrm0'
>        option proto 'xfrm'
>        option mtu '1300'
>        option zone 'VPN'
>        option tunlink 'wan'
>        option ifid 30

Ok so that would pre-create the interface. But if they already route
into it without ipsec running, packets would be lost. That could be a
bug or a feature, depending on your view.

> config interface 'xfrm0_static'
>        option proto 'static'
>        option ifname '@xfrm0'
>        option ip6addr 'fe80::1/64'
>        option ipaddr '10.0.0.1/30'

I guess _static is a generic way to configure an interface? Kind of odd
it needs a separate section.

> Now set in strongswan IPsec policy:
> 	if_id_in = 30
> 	if_id_out = 30

right, which for us would be mark=30/0xffffffff

(we should support marks without mask, but our parser doesn't like to
get only numbers for a string)

Paul
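As an added example (not code from the OpenWrt patch, strongSwan or Libreswan), here is a small Python check that reads the two UCI sections quoted above, emits the ip(8) command that creates the xfrm link, and lists the strongSwan if_id and Libreswan mark values that the IPsec SA must carry so traffic actually lands on that interface; parse_uci, xfrm_plan and attached_addresses are names of this example's own making.

```python
import shlex
# Constructed sample: the two UCI sections quoted in the thread, verbatim.
UCI_SAMPLE = """
config interface 'xfrm0'
       option proto 'xfrm'
       option mtu '1300'
       option zone 'VPN'
       option tunlink 'wan'
       option ifid 30

config interface 'xfrm0_static'
       option proto 'static'
       option ifname '@xfrm0'
       option ip6addr 'fe80::1/64'
       option ipaddr '10.0.0.1/30'
"""

def parse_uci(text):
    """Minimal UCI reader: {section name: {option: value}} for 'config interface' blocks."""
    sections, current = {}, None
    for line in text.splitlines():
        words = shlex.split(line)          # strips the single quotes around values
        if len(words) == 3 and words[:2] == ["config", "interface"]:
            current = sections.setdefault(words[2], {})
        elif len(words) == 3 and words[0] == "option" and current is not None:
            current[words[1]] = words[2]
    return sections

def xfrm_plan(sections, name):
    """ip(8) command for the xfrm link plus the IPsec settings that must use the same if_id."""
    sec = sections[name]
    if sec.get("proto") != "xfrm" or "tunlink" not in sec:
        raise ValueError(f"{name}: needs proto 'xfrm' and a tunlink (underlying device)")
    if_id = int(sec["ifid"], 0)
    # if_id is a 32-bit value; the kernel uses 0 for "no interface" and rejects it on link creation.
    if not 1 <= if_id <= 0xFFFFFFFF:
        raise ValueError(f"{name}: ifid {if_id} outside 1..0xffffffff")
    mtu = f" mtu {int(sec['mtu'])}" if "mtu" in sec else ""
    return {
        "ip_link": f"ip link add {name}{mtu} type xfrm dev {sec['tunlink']} if_id {if_id}",
        "strongswan": {"if_id_in": str(if_id), "if_id_out": str(if_id)},
        # Paul's mapping for Libreswan: the same value as a mark with a full 32-bit mask.
        "libreswan": f"mark={if_id}/0xffffffff",
    }

def attached_addresses(sections, name):
    """Addresses from 'static' sections that attach to the xfrm link via ifname '@name'."""
    return sorted(v for s in sections.values() if s.get("ifname") == "@" + name
                  for k, v in s.items() if k in ("ipaddr", "ip6addr"))
```

Without IPsec policies carrying the same if_id (or mark), the link exists and is routable but drops everything, which is the "bug or feature" Paul points out.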
