[Swan-dev] remove pfkey checks from pluto and startup scripts

Paul Wouters paul at nohats.ca
Fri May 3 16:20:02 UTC 2019


On Fri, 3 May 2019, Antony Antony wrote:

> Could you or someone test these two patches? run Libreswan without PF_KEY
> support in kernel, [1]

I still need to test further, but I updated the patches a little bit.

It uses /proc/net/xfrm_stat to test for XFRM/NETKEY support instead of
/proc/net/pfkey. Support for xfrm_stat was added in 2.6.28 in Nov 2008.

I've removed af_key from our _stackmanager probe list, but on current
kernels it does still get dragged in by other modules. I did unload it
and then bring up an IPsec tunnel and it seems to work fine :)

I've also done some output renaming from NETKEY to XFRM, but did not
touch the stackname "netkey" (which really should be "xfrm" but with
"netkey" as backwards compatible option).

I've also changed it so that kernel_pfkey.c now throws an error if
compiled without USE_KLIPS, since we know XFRM/NETKEY and BSDKAME do
not use it.

> Since it is not necessary we could remove it from pluto.  Also, tests by
> Steffen noticed that compiling the kernel with pfkey uses quite a bit of extra cpu.
> His observation was that pfkey_send_new_mapping used "3.69% of my cpu cycles".

That's worth the gain :)

> I think it is worth removing pfkey completely.

Yes! Thanks for starting this!

> I am wondering if there are more places where pluto depends on pfkey; will
> this break something else?

I checked and found a few more that I changed in the attached patch.

> Should I push this now or hold on until 3.28 is out?

I think I am okay with this going in for 3.28. Especially because of the
performance gain. But I'm also fine doing this after 3.28.

Paul
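The stack detection the patch moves to /proc/net/xfrm_stat, written out as an added example (not code from the patch or from Libreswan): a probe function that checks in the same order the patched scripts use (KLIPS via /proc/net/ipsec_version first, then XFRM via /proc/net/xfrm_stat), plus an optional fallback command for kernels that have XFRM but lack the statistics file. The `root` parameter and the `make_fake_proc` helper are assumptions introduced here so the probe can be exercised against a constructed /proc tree instead of the running kernel.

```shell
#!/bin/sh
# Added example, not part of the Libreswan patch.
# detect_ipsec_stack [ROOT] [FALLBACK_CMD]
#   ROOT         prefix under which proc/net is looked up (default "/");
#                a constructed parameter so the probe is testable offline.
#   FALLBACK_CMD optional command whose success means XFRM is usable even
#                when /proc/net/xfrm_stat is absent (assumption: that file
#                only exists when the kernel has XFRM statistics enabled,
#                so "ip xfrm state" is a reasonable fallback on a real host).
# Prints klips, xfrm or none; returns 1 when no stack is found.
detect_ipsec_stack() {
    root="${1:-/}"
    fallback="${2:-}"

    # KLIPS is checked first, as the patched scripts do: a loaded KLIPS
    # module exposes /proc/net/ipsec_version.
    if [ -r "${root}/proc/net/ipsec_version" ]; then
        echo klips
        return 0
    fi

    # XFRM: the patch replaces the old /proc/net/pfkey test with this file.
    if [ -r "${root}/proc/net/xfrm_stat" ]; then
        echo xfrm
        return 0
    fi

    # Optional fallback probe for kernels without the xfrm_stat file.
    if [ -n "${fallback}" ] && ${fallback} >/dev/null 2>&1; then
        echo xfrm
        return 0
    fi

    echo none
    return 1
}

# make_fake_proc [FILE...]: build a constructed proc/net tree in a temp dir
# containing the named files, and print the directory. Test scaffolding only.
make_fake_proc() {
    dir=$(mktemp -d)
    mkdir -p "${dir}/proc/net"
    for f in "$@"; do
        : > "${dir}/proc/net/${f}"
    done
    echo "${dir}"
}

# Stand-alone usage against the running kernel:
#   detect_ipsec_stack / "ip xfrm state"
```

Run on a real host with `detect_ipsec_stack / "ip xfrm state"`; the fallback only matters on kernels where XFRM is present but /proc/net/xfrm_stat is not.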
-------------- next part --------------
diff --git a/README.nss b/README.nss
index d3fc620..de52554 100644
--- a/README.nss
+++ b/README.nss
@@ -9,8 +9,7 @@ https://www.mozilla.org/projects/security/pki/nss/
 
 The NSS crypto library is a user space library. It is only used with the
 libreswan userspace IKE daemon pluto for cryptographic operations. NSS
-does not perform IPsec crypto operations inside the kernel (KLIPS
-nor NETKEY)
+does not perform IPsec crypto operations inside the kernel (KLIPS nor XFRM)
 
 The NSS library exports a PKCS#11 API for the application to
 communicate to a cryptographic device. The cryptographic device is
diff --git a/contrib/README b/contrib/README
index 5b06f55..0a8f0fb 100644
--- a/contrib/README
+++ b/contrib/README
@@ -6,5 +6,5 @@ cisco-pcf - convert cisco PCF configuration files to libreswan config files
 ldsaref - SAref example implementation
 lucent - interop hacking with some proprietary lucent gateway
 patching - klips patching scripts from/between klips trees (unused)
-scripts - perl scripts for emulating ipsec eroute output when using NETKEY
+scripts - perl scripts for emulating ipsec eroute output when using XFRM
 python-swan - python module to determine if traffic to a destination would get encrypted
diff --git a/contrib/scripts/README b/contrib/scripts/README
index b46bb60..eb75d74 100644
--- a/contrib/scripts/README
+++ b/contrib/scripts/README
@@ -1,5 +1,5 @@
 This directory contains scripts that mimic certain KLIPS-only commands
-when using NETKEY. These may fold back into the distribution later on,
+when using XFRM. These may fold back into the distribution later on,
 or get replaced by new code. Output is not guaranteed to be identical
 to the KLIPS versions.
 
diff --git a/contrib/scripts/look b/contrib/scripts/look
index efaf2da..aae46e3 100755
--- a/contrib/scripts/look
+++ b/contrib/scripts/look
@@ -2,7 +2,7 @@
 #
 # (c) Feb 2008 - Matteo Vitturi <matteo_vitturi at virgilio.it>
 #
-# A script to parse ip xfrm output - NETKEY version of "ipsec look"
+# A script to parse ip xfrm output - XFRM version of "ipsec look"
 
 open(IPSXP,"ip -s x p|");
 
diff --git a/initsystems/docker/ipsec.init.in b/initsystems/docker/ipsec.init.in
index 11bdb10..8b806f6 100755
--- a/initsystems/docker/ipsec.init.in
+++ b/initsystems/docker/ipsec.init.in
@@ -8,7 +8,7 @@
 # Default-Start:
 # Default-Stop: 0 1 6
 # Short-Description: Start Libreswan IPsec at boot time
-# Description: Enable automatic key management for IPsec (KLIPS and NETKEY)
+# Description: Enable automatic key management for IPsec (KLIPS and XFRM
 ### END INIT INFO
 #
 ### see https://bugzilla.redhat.com/show_bug.cgi?id=636572
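Review bot: the replacement Description line drops its closing parenthesis: `(KLIPS and XFRM` should read `(KLIPS and XFRM)` as in the sysvinit scripts touched by the same patch.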
@@ -45,7 +45,7 @@
 #
 # chkconfig: - 47 76
 # description: IPsec provides encrypted and authenticated communications; \
-# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level management daemon.
+# XFRM or KLIPS is the kernel half of it, Pluto is the user-level management daemon.
 
 test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
 
@@ -80,7 +80,7 @@ lockdir=/run/lock/subsys
 lockfile=ipsec
 lockpath=${lockdir}/${lockfile}
 ipsecversion=/proc/net/ipsec_version
-kamepfkey=/proc/net/pfkey
+xfrmnetkey=/proc/net/xfrm_stat
 
 # /etc/resolv.conf related paths
 LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
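Review bot: the variable is renamed to `xfrmnetkey` here but to `xfrmstack` in init.rhel, ipsec.init.in, _realsetup and _stackmanager; use one name. Also make sure every later `${kamepfkey}` reference in this script (outside the hunk) is renamed as well, otherwise the `-f` test reads an empty path and silently never matches.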
diff --git a/initsystems/sysvinit/init.debian.in b/initsystems/sysvinit/init.debian.in
index a0a8131..e16a52e 100644
--- a/initsystems/sysvinit/init.debian.in
+++ b/initsystems/sysvinit/init.debian.in
@@ -11,7 +11,7 @@ FIXME
 # Default-Start:
 # Default-Stop:      0 1 6
 # Short-Description: Start Libreswan IPsec at boot time
-# Description:       Enable automatic key management for IPsec (KLIPS and NETKEY)
+# Description:       Enable automatic key management for IPsec (KLIPS and XFRM)
 ### END INIT INFO
 #
 ### see https://bugzilla.redhat.com/show_bug.cgi?id=636572
@@ -50,7 +50,7 @@ FIXME
 #
 # chkconfig: - 47 76
 # description: IPsec provides encrypted and authenticated communications; \
-# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level management daemon.
+# XFRM or KLIPS is the kernel half of it, Pluto is the user-level management daemon.
 
 # Source function library.
 . /etc/init.d/functions
diff --git a/initsystems/sysvinit/init.rhel b/initsystems/sysvinit/init.rhel
index b5d34be..932a5ec 100755
--- a/initsystems/sysvinit/init.rhel
+++ b/initsystems/sysvinit/init.rhel
@@ -8,7 +8,7 @@
 # Default-Start:
 # Default-Stop: 0 1 6
 # Short-Description: Start Libreswan IPsec at boot time
-# Description: Enable automatic key management for IPsec (KLIPS and NETKEY)
+# Description: Enable automatic key management for IPsec (KLIPS and XFRM)
 ### END INIT INFO
 #
 ### see https://bugzilla.redhat.com/show_bug.cgi?id=636572
@@ -44,7 +44,7 @@
 #
 # chkconfig: - 47 76
 # description: IPsec provides encrypted and authenticated communications; \
-# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level management daemon.
+# XFRM or KLIPS is the kernel half of it, Pluto is the user-level management daemon.
 
 test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
 
@@ -82,7 +82,7 @@ lockdir=/var/lock/subsys
 lockfile=ipsec
 lockpath=${lockdir}/${lockfile}
 ipsecversion=/proc/net/ipsec_version
-kamepfkey=/proc/net/pfkey
+xfrmstack=/proc/net/xfrm_stat
 
 # /etc/resolv.conf related paths
 LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
diff --git a/initsystems/sysvinit/ipsec.init.in b/initsystems/sysvinit/ipsec.init.in
index 705899e..6ef1acb 100755
--- a/initsystems/sysvinit/ipsec.init.in
+++ b/initsystems/sysvinit/ipsec.init.in
@@ -8,7 +8,7 @@
 # Default-Start: @SYSVINIT_DEFAULT_START@
 # Default-Stop: 0 1 6
 # Short-Description: Start Libreswan IPsec at boot time
-# Description: Enable automatic key management for IPsec (KLIPS and NETKEY)
+# Description: Enable automatic key management for IPsec (KLIPS and XFRM)
 ### END INIT INFO
 #
 ### see https://bugzilla.redhat.com/show_bug.cgi?id=636572
@@ -44,7 +44,7 @@
 #
 # chkconfig: - 47 76
 # description: IPsec provides encrypted and authenticated communications; \
-# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level management daemon.
+# XFRM or KLIPS is the kernel half of it, Pluto is the user-level management daemon.
 
 test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
 
@@ -81,7 +81,7 @@ plutoctl=${rundir}/pluto.ctl
 lockdir=@FINALVARDIR@/lock/subsys
 lockfile=${lockdir}/ipsec
 ipsecversion=/proc/net/ipsec_version
-kamepfkey=/proc/net/pfkey
+xfrmstack=/proc/net/xfrm_stat
 
 # @FINALSYSCONFDIR@/resolv.conf related paths
 LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
diff --git a/initsystems/upstart/ipsec.conf.in b/initsystems/upstart/ipsec.conf.in
index 10e30ac..bbf56bf 100644
--- a/initsystems/upstart/ipsec.conf.in
+++ b/initsystems/upstart/ipsec.conf.in
@@ -1,7 +1,7 @@
 # ipsec - ipsec services and ike demon (pluto)
 #
 # IPsec provides encrypted and authenticated communications;
-# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level
+# XFRM or KLIPS is the kernel half of it, Pluto is the user-level
 # management daemon.
 
 description	"libreswan ipsec services"
diff --git a/mk/userland-cflags.mk b/mk/userland-cflags.mk
index 698ce34..13eae61 100644
--- a/mk/userland-cflags.mk
+++ b/mk/userland-cflags.mk
@@ -67,53 +67,34 @@ endif
 #
 # Kernel support
 #
-# Order these so that the enabled kernel support can fill in defaults
-# for rest.  For instance, MAST should enable KLIPS which should enble
-# PFKEYv2.  So that Makefile.inc.local can override, the values are
-# not forced.  over However don't force
 
 # support BSD/KAME kernels (on *BSD and OSX)?
+# Uses PFKEY API but its own version, not the KLIPS one
 USE_BSDKAME?=false
 ifeq ($(USE_BSDKAME),true)
-USE_NETKEY?=false
-USE_KLIPS?=false
-endif
-
-# support KLIPS kernel module (KLIPS requires PFKEYv2)
-USE_KLIPS?=false
-ifeq ($(USE_KLIPS),true)
-USE_PFKEYv2?=true
+USERLAND_CFLAGS+=-DBSD_KAME
+USE_NETKEY=false
+USE_KLIPS=false
+USE_PFKEYv2=false
 endif
 
-# support Linux kernel's NETLINK_XFRM (aka NETKEY) (aka "native",
-# "kame"???) (NETLINK does not use PFKEY, but it does share some code.
-# True?!?)
+# support Linux kernel's NETLINK_XFRM (aka NETKEY)
+# This no longer uses PFKEY
 USE_NETKEY?=true
 ifeq ($(USE_NETKEY),true)
-USE_PFKEYv2=true
-endif
-
-# above should set these
-USE_PFKEYv2?=false
-
-ifeq ($(USE_BSDKAME),true)
-USERLAND_CFLAGS += -DBSD_KAME
+USERLAND_CFLAGS+=-DNETKEY_SUPPORT
+USE_PFKEYv2=false
+USE_BSDKAME=false
 endif
 
+# support old style Linux KLIPS kernel module (KLIPS requires PFKEYv2)
+USE_KLIPS?=false
 ifeq ($(USE_KLIPS),true)
+USE_PFKEYv2=true
 USERLAND_CFLAGS+=-DKLIPS
+USE_BSDKAME=false
 endif
 
-ifeq ($(USE_NETKEY),true)
-USERLAND_CFLAGS+=-DNETKEY_SUPPORT
-endif
-
-ifeq ($(USE_PFKEYv2),true)
-USERLAND_CFLAGS+=-DPFKEY
-endif
-
-#
-
 ifeq ($(USE_DNSSEC),true)
 USERLAND_CFLAGS+=-DUSE_DNSSEC
 UNBOUND_LDFLAGS ?= -lunbound -lldns
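Review bot: `USERLAND_CFLAGS+=-DPFKEY` is removed with nothing replacing it, so any remaining `#ifdef PFKEY` in the tree becomes dead code even for USE_KLIPS=true builds; grep for it before merging. The three blocks now force values with `=`, so evaluation order carries the logic: with the default USE_NETKEY=true plus USE_KLIPS=true, the NETKEY block sets USE_PFKEYv2=false and the later KLIPS block sets it back to true, which works only because KLIPS comes last, and a Makefile.inc.local setting USE_BSDKAME=true together with USE_KLIPS=true has KLIPS switched off without any message. Consider an explicit `$(error ...)` on contradictory combinations, and a comment stating that the block order is load-bearing.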
diff --git a/programs/_realsetup.bsd/_realsetup.in b/programs/_realsetup.bsd/_realsetup.in
index 9e6a193..14dfe5a 100755
--- a/programs/_realsetup.bsd/_realsetup.in
+++ b/programs/_realsetup.bsd/_realsetup.in
@@ -27,7 +27,7 @@ plutoctl=/var/run/pluto/pluto.ctl
 subsyslock=/var/lock/subsys/ipsec
 lock=/var/run/pluto/ipsec_setup.pid
 
-kamepfkey=/proc/net/pfkey
+xfrmstack=/proc/net/xfrm_stat
 
 # defaults for "config setup" items
 IPSECuniqueids=${IPSECuniqueids:-yes}
@@ -183,7 +183,7 @@ case "$1" in
 	rm -f /var/run/pluto.pid
 
 	# When we exit we clean up (remove) the modules we are using, even the kame'ish ones
-	if test -e ${kamepfkey}; then
+	if test -e ${xfrmstack}; then
 		lsmod 2>&1 | grep "^xfrm4_tunnel" > /dev/null && rmmod xfrm4_tunnel
 		lsmod 2>&1 | grep "^af_key" > /dev/null && rmmod af_key
 		# old name for xfrm4_tunnel
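Review bot: this cleanup still runs `rmmod af_key` under the renamed `${xfrmstack}` test, while the _stackmanager hunk in the same patch drops af_key from its unload list; either drop it here as well or keep both places consistent, since the cover letter says af_key is no longer probed.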
diff --git a/programs/_stackmanager/_stackmanager.in b/programs/_stackmanager/_stackmanager.in
index 16add5a..cb1621a 100644
--- a/programs/_stackmanager/_stackmanager.in
+++ b/programs/_stackmanager/_stackmanager.in
@@ -28,8 +28,8 @@ eval $(ASAN_OPTIONS=detect_leaks=0 ipsec addconn  --configsetup | grep -v "#" |
 test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
 MODPROBE="@MODPROBEBIN@ @MODPROBEARGS@"
 
-kamepfkey=/proc/net/pfkey
-ipsecpfkey=/proc/net/ipsec/version
+xfrmstack=/proc/net/xfrm_stat
+klipsstack=/proc/net/ipsec/version
 action="${1}"
 
 if [ -z "${action}" ]; then
@@ -44,11 +44,11 @@ stopnetkey() {
     # Validate wait option
     [ "${1}" = "--wait" -o "${1}" = "-w" ] && wait="${1}"
 
-    if [ -f ${kamepfkey} ]; then
+    if [ -f ${xfrmstack} ]; then
 	ip xfrm state flush
 	ip xfrm policy flush
 	if [ -n "$(ip xfrm state)" -o -n "$(ip xfrm policy)" ]; then
-	    echo "NETKEY IPsec stack could not be cleared" >&2
+	    echo "XFRM IPsec stack could not be cleared" >&2
 	fi
 
 	if [ -f /proc/modules ]; then
@@ -61,11 +61,11 @@ stopnetkey() {
 		    echo 0 >/proc/sys/net/core/xfrm_larval_drop
 		fi
 	    fi
-	    # netkey stack found, let's unload.
+	    # xfrm stack found, let's unload.
 	    for mod in xfrm_ipcomp ipcomp ipcomp6 ip_vti xfrm6_tunnel \
 		xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro \
 		xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel \
-		xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 af_key \
+		xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 \
 		xfrm_user xfrm_interface
 	    do
 		# first try and unload the modules without the 10s wait pause
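Review bot: af_key is removed from the unload list, but the cover letter notes that current kernels still pull af_key in via other modules; if it remains loaded after `stopnetkey`, nothing here reports it. Consider still attempting `rmmod af_key` with failure ignored, or logging when it is left behind, so a stale af_key does not go unnoticed on a stack change.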
@@ -114,17 +114,17 @@ startnetkey() {
 
     cryptomodules
 
-    if [ -f ${ipsecpfkey} ]; then
+    if [ -f ${klipsstack} ]; then
 	echo "Warning: found KLIPS stack loaded - attempting to unload..." >&2
 	stopklips
-	if [ -f ${ipsecpfkey} ]; then
+	if [ -f ${klipsstack} ]; then
 	    echo "FAILURE to unload KLIPS module" >&2
 	    exit 1
 	fi
     fi
 
     if [ -f /proc/modules ]; then
-	# load all NETKEY modules
+	# load all XFRM modules
 	for mod in ipcomp6 xfrm_ipcomp ipcomp xfrm6_tunnel xfrm6_mode_tunnel \
 	    xfrm6_mode_beet xfrm6_mode_ro xfrm6_mode_transport \
 	    xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel \
@@ -150,15 +150,15 @@ startnetkey() {
 	echo "WARNING: can not change /proc/sys/net/core/xfrm_acq_expires from ${xcur} to ${xfrmlifetime}" >&2
     fi
 
-    # Fail on error in loading NETKEY/XFRM stack
+    # Fail on error in loading XFRM stack
     if [ ! -f ${kamepfkey} ]; then
-	echo "FAILURE in loading NETKEY/XFRM stack" >&2
+	echo "FAILURE in loading XFRM stack" >&2
 	exit 1
     fi
 }
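Review bot: the unchanged context line `if [ ! -f ${kamepfkey} ]; then` still uses the old variable, which this patch renames to `xfrmstack` at the top of the script; `${kamepfkey}` now expands to empty, so the "FAILURE in loading XFRM stack" branch can never fire and startnetkey reports success even when no XFRM stack is present. Rename it to `${xfrmstack}`.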
 
 stopklips() {
-    if [ -f ${ipsecpfkey} ]; then
+    if [ -f ${klipsstack} ]; then
 	# Bring down ipsecX and mast0 interfaces
 	ifl=$(grep -v NULL /proc/net/ipsec_tncfg 2>/dev/null | sed -n -e "/^ipsec/s/ .*//p")
 	if [ -n "${ifl}" ]; then
@@ -182,7 +182,7 @@ stopklips() {
 	    rmmod ipsec 2>/dev/null
 	fi
     fi
-    if [ -f ${ipsecpfkey} -o -n "$(lsmod | grep ^ipsec)" ]; then
+    if [ -f ${klipsstack} -o -n "$(lsmod | grep ^ipsec)" ]; then
 	echo "FAILURE to unload KLIPS module" >&2
 	exit 1
     fi
@@ -209,7 +209,7 @@ stop() {
 
 cryptomodules() {
     # load any OCF and CryptoAPI modules we might need for acceleration
-    # (OCF works for NETKEY and KLIPS)
+    # (OCF works for XFRM and KLIPS)
     # OCF cryptosoft is for kernel acceleration (ESP/AH)
     ${MODPROBE} cryptosoft 2>/dev/null
     # We skip cryptodev.ko because we no longer support /dev/crypto offloading
@@ -259,15 +259,15 @@ startmast() {
 
 startklips() {
     cryptomodules
-    if [ -f ${kamepfkey} ]; then
-	echo "Warning: found NETKEY/XFRM stack loaded - attempting to unload..." >&2
+    if [ -f ${xfrmstack} ]; then
+	echo "Warning: found XFRM stack loaded - attempting to unload..." >&2
 	stopnetkey --wait
-	if [ -f ${kamepfkey} ]; then
+	if [ -f ${xfrmstack} ]; then
 	    echo "FAILURE to unload KLIPS module" >&2
 	    exit 1
 	fi
     fi
-    if [ ! -f ${ipsecpfkey} ]; then
+    if [ ! -f ${klipsstack} ]; then
 	# KLIPS-related paths
 	bareversion=$(uname -r | sed -e 's/\.nptl//' | sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/')
 	case ${bareversion} in
@@ -285,7 +285,7 @@ startklips() {
 	    ${MODPROBE} ${modulename}
 	fi
 
-	if [ ! -f ${ipsecpfkey} ]; then
+	if [ ! -f ${klipsstack} ]; then
 	    echo "FAILURE to load KLIPS module" >&2
 	    exit 1
 	fi
@@ -450,14 +450,14 @@ esac
 
 case ${action} in
     stop)
-	# We don't unload NETKEY/XFRM on stop - only when we detect a stack
+	# We don't unload XFRM on stop - only when we detect a stack
 	# change.
-	if [ -f ${ipsecpfkey} ]; then
+	if [ -f ${klipsstack} ]; then
 		ipsec eroute --clear
 		# this clears all IP addresses on ipsecX interfaces by
 		# unloading the module
 		stopklips
-	elif [ -f ${kamepfkey} ]; then
+	elif [ -f ${xfrmstack} ]; then
 		ip xfrm state flush
 		ip xfrm policy flush
 		# module unloading skipped on purpose - can hang for a long
diff --git a/programs/barf/barf.in b/programs/barf/barf.in
index 7cae4e2..bc6f9c9 100755
--- a/programs/barf/barf.in
+++ b/programs/barf/barf.in
@@ -169,10 +169,6 @@ if test -r /proc/net/ipsec_tncfg
 then
 	cat /proc/net/ipsec_tncfg
 fi
-_________________________ /proc/net/pfkey
-if test -r /proc/net/pfkey
-then
-	cat /proc/net/pfkey
 _________________________ ip-xfrm-state
 	ip xfrm state
 _________________________ ip-xfrm-policy
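Review bot: the removed `if test -r /proc/net/pfkey` block has no `fi` among the removed lines, and the following `ip xfrm state` / `ip xfrm policy` lines keep the indentation of the old block body; check whether the matching `fi` further down (outside this hunk) is removed too, or the script will fail to parse. If the xfrm dumps were meant to stay conditional, guard them on /proc/net/xfrm_stat instead.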
@@ -291,7 +287,7 @@ if test -r /proc/net/ipsec_version
 then
 	cat /proc/net/ipsec_version
 else
-	if test -r /proc/net/pfkey
+	if test -r /proc/net/xfrm_stat
 	then
 		echo "NETKEY (`uname -r`) support detected "
 	else
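Review bot: minor: the echoed message still says "NETKEY (...) support detected" while the rest of the patch renames user-visible output to XFRM.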
diff --git a/programs/eroute/eroute.c b/programs/eroute/eroute.c
index ec2d002..d57b534 100644
--- a/programs/eroute/eroute.c
+++ b/programs/eroute/eroute.c
@@ -494,7 +494,7 @@ int main(int argc, char **argv)
 	if (argcount == 1) {
 		struct stat sts;
 
-		if (stat("/proc/net/pfkey", &sts) == 0) {
+		if (stat("/proc/net/xfrm_stat", &sts) == 0) {
 			fprintf(stderr,
 				"%s: NETKEY does not support eroute table.\n",
 				progname);
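Review bot: minor: the error text still reads "NETKEY does not support eroute table." although spi.c, spigrp.c and tncfg.c in this same patch switch their equivalent messages to XFRM.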
diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in
index 3dd5509..eb6d76b 100755
--- a/programs/ipsec/ipsec.in
+++ b/programs/ipsec/ipsec.in
@@ -61,7 +61,7 @@ fixversion() {
 	stack=" (klips)"
 	kv="$(awk '{print $NF}' /proc/net/ipsec_version)"
     else
-	if [ -f /proc/net/pfkey ]; then
+	if [ -f /proc/net/xfrm_stat ]; then
 	    stack=" (netkey)"
 	    kv="${version}"
 	else
diff --git a/programs/look/look.in b/programs/look/look.in
index 50ca0d3..975566e 100755
--- a/programs/look/look.in
+++ b/programs/look/look.in
@@ -71,8 +71,8 @@ if [ -f /proc/net/ipsec_spi ]; then
     sort /proc/net/ipsec_spi
 fi
 
-# xfrm for netkey
-if [ -f /proc/net/pfkey ]; then
+# xfrm
+if [ -f /proc/net/xfrm_stat ]; then
     echo "XFRM state:"
     ip xfrm state
     echo "XFRM policy:"
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index 93bbcc6..596d8b0 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -221,7 +221,7 @@ void record_and_initiate_opportunistic(const ip_subnet *ours,
 	 * Add the kernel shunt to the pluto bare shunt list.
 	 * We need to do this because the %hold shunt was installed by kernel
 	 * and we want to keep track of it inside pluto.
-	 * WARNING: there is different behaviour between KLIPS and NETKEY, and
+	 * WARNING: there is different behaviour between KLIPS and XFRM, and
 	 *          it might be that netkey causes duplicate acquires when the
 	 *          proc value is different from our internal value?
 	 */
@@ -989,7 +989,7 @@ static enum routability could_route(struct connection *c)
 		if (!compatible_overlapping_connections(c, ero)) {
 			/*
 			 * Another connection is already using the eroute.
-			 * TODO: NETKEY can do this?
+			 * TODO: XFRM can do this?
 			 */
 			return route_impossible;
 		}
@@ -1035,7 +1035,7 @@ static enum routability could_route(struct connection *c)
 		if (LDISJOINT(POLICY_OVERLAPIP, c->policy | ero->policy)) {
 			/*
 			 * another connection is already using the eroute,
-			 * TODO: NETKEY apparently can do this though
+			 * TODO: XFRM apparently can do this though
 			 */
 			loglog(RC_LOG_SERIOUS,
 				"cannot install eroute -- it is in use for \"%s\"%s #%lu",
@@ -2648,7 +2648,6 @@ static void kernel_scan_shunts(void)
 void init_kernel(void)
 {
 	struct utsname un;
-
 #if defined(NETKEY_SUPPORT) || defined(KLIPS)
 	struct stat buf;
 #endif
@@ -2660,13 +2659,13 @@ void init_kernel(void)
 	switch (kern_interface) {
 #if defined(NETKEY_SUPPORT)
 	case USE_NETKEY:
-		if (stat("/proc/net/pfkey", &buf) != 0) {
-			libreswan_log(
-				"No XFRM/NETKEY kernel interface detected");
-			exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
-		}
+		if (stat("/proc/net/xfrm_stat", &buf) != 0) {
+                       libreswan_log("No XFRM kernel interface detected");
+                       exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
+               }
+
 		libreswan_log(
-			"Using Linux XFRM/NETKEY IPsec interface code on %s",
+			"Using Linux XFRM IPsec interface code on %s",
 			kversion);
 		kernel_ops = &netkey_kernel_ops;
 		break;
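Review bot: /proc/net/xfrm_stat is only created when the kernel is built with CONFIG_XFRM_STATISTICS (net/xfrm/xfrm_proc.c), so a kernel with full XFRM support but that option disabled now makes pluto exit with "No XFRM kernel interface detected"; consider a fallback probe such as opening a NETLINK_XFRM socket before giving up. Also, the three replacement lines after the stat() call are indented with spaces where the file uses tabs.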
diff --git a/programs/pluto/kernel_pfkey.c b/programs/pluto/kernel_pfkey.c
index 276d5bc..91a5818 100644
--- a/programs/pluto/kernel_pfkey.c
+++ b/programs/pluto/kernel_pfkey.c
@@ -70,6 +70,10 @@
 #define KLIPS_OP_MASK   0xFF
 #define KLIPS_OP_FLAG_SHIFT     8
 
+#ifndef USE_KLIPS
+# error This file is now only used to support the KLIPS PFKEY API
+#endif
+
 int pfkeyfd = NULL_FD;
 
 typedef uint32_t pfkey_seq_t;
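Review bot: `#ifndef USE_KLIPS` tests a make variable name; the userland-cflags.mk hunk in this same patch defines `-DKLIPS` for KLIPS builds, not `USE_KLIPS`, so this #error fires on every build that compiles the file, including KLIPS builds. Use `#ifndef KLIPS`.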
diff --git a/programs/setup/setup.in b/programs/setup/setup.in
index 8d69fc8..a4faaf7 100755
--- a/programs/setup/setup.in
+++ b/programs/setup/setup.in
@@ -109,7 +109,7 @@ case "$1" in
 
 	# If stack is non-modular, we want to force clean too
 	[ -f /proc/net/pf_key ] && ipsec eroute --clear
-	[ -f /proc/net/pfkey ] && ip xfrm state flush && ip xfrm policy flush
+	[ -f /proc/net/xfrm_stat ] && ip xfrm state flush && ip xfrm policy flush
 
 	# Cleaning up backup resolv.conf
 	if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
diff --git a/programs/spi/spi.c b/programs/spi/spi.c
index 6b46c8f..7126878 100644
--- a/programs/spi/spi.c
+++ b/programs/spi/spi.c
@@ -1133,9 +1133,9 @@ int main(int argc, char *argv[])
 			progname);
 	}
 
-	if (stat("/proc/net/pfkey", &sts) == 0) {
+	if (stat("/proc/net/xfrm_stat", &sts) == 0) {
 		fprintf(stderr,
-			"%s: NETKEY does not use the ipsec spi command. Use 'ip xfrm' instead.\n",
+			"%s: XFRM does not use the ipsec spi command. Use 'ip xfrm' instead.\n",
 			progname);
 		exit(1);
 	}
diff --git a/programs/spigrp/spigrp.c b/programs/spigrp/spigrp.c
index 0f3d12e..a8b12c2 100644
--- a/programs/spigrp/spigrp.c
+++ b/programs/spigrp/spigrp.c
@@ -149,9 +149,9 @@ int main(int argc, char **argv)
 	if (debug)
 		fprintf(stdout, "...After check for --label option.\n");
 
-	if (stat("/proc/net/pfkey", &sts) == 0) {
+	if (stat("/proc/net/xfrm_stat", &sts) == 0) {
 		fprintf(stderr,
-			"%s: NETKEY does not use the ipsec spigrp command. Use 'ip xfrm' instead.\n",
+			"%s: XFRM does not use the ipsec spigrp command. Use 'ip xfrm' instead.\n",
 			progname);
 		exit(1);
 	}
diff --git a/programs/tncfg/tncfg.c b/programs/tncfg/tncfg.c
index 8bc9dcd..eca94ed 100644
--- a/programs/tncfg/tncfg.c
+++ b/programs/tncfg/tncfg.c
@@ -257,9 +257,9 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	if (stat("/proc/net/pfkey", &sts) == 0) {
+	if (stat("/proc/net/xfrm_stat", &sts) == 0) {
 		fprintf(stderr,
-			"%s: NETKEY does not support virtual interfaces.\n",
+			"%s: XFRM does not support virtual interfaces.\n",
 			progname);
 		exit(1);
 	}
diff --git a/programs/verify/verify.in b/programs/verify/verify.in
index 0708e66..9321631 100755
--- a/programs/verify/verify.in
+++ b/programs/verify/verify.in
@@ -223,7 +223,7 @@ def installstartcheck():
 		print_result("FAIL","FAILED")
 
 	printfun("Checking for IPsec support in kernel")
-	if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/net/pfkey"):
+	if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/net/xfrm_stat"):
 		print_result("FAIL","FAILED")
 		if "no kernel code presently loaded" in output:
 			print("\n The ipsec service should be started before running 'ipsec verify'\n")
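Review bot: same caveat as in kernel.c: on a kernel that has XFRM but not CONFIG_XFRM_STATISTICS this check now reports FAIL for "IPsec support in kernel" although IPsec works; a secondary probe (for example a successful `ip xfrm state`) would avoid the false negative.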