[Swan-dev] remove pfkey checks from pluto and startup scripts
Antony Antony
antony at phenome.org
Fri May 3 16:35:12 UTC 2019
Thanks for digging out more cruft. I tested with pfkey disabled. Now basic
things seem to work.
I am confused about your patch. It seems to mix up renaming and removal of
pfkey together.
I suggest we split these. So far I have 4 patches for functionality,
and will need part of your patch for stop; that would be 5.
With the 5 patches we have a working pluto again without CONFIG_NET_KEY in
the kernel.
Then the renaming patch should be the 6th.
THEN we should look at #include "kernel_pfkey.h". I don't follow these
comments. Maybe it affects ipcomp in some way.
/*
* pfkey_register_response() does not register an entry for
* msg->sadb_msg_satype=10 to indicate IPCOMP, so we override
* detection here. Seems the PF_KEY API in Linux with netkey
* is a joke that should be abandoned for a "linux children"
* native netlink query/response
*
* XXX: Given KLIPS defines K_SADB_X_SATYPE_COMP=9, and
* IPIP=10 which conflicts with the aboe, that might be the
* source of the problem?
*/
Tuomo, see if you can test with these patches.
-antony
On Fri, May 03, 2019 at 12:20:02PM -0400, Paul Wouters wrote:
> On Fri, 3 May 2019, Antony Antony wrote:
>
> > Could you or someone test these two patches? run Libreswan without PF_KEY
> > support in kernel, [1]
>
> I still need to test further, but I updated the patches a little bit.
>
> It uses /proc/net/xfrm_stat to test for XFRM/NETKEY support instead of
> /proc/net/pfkey. Support for xfrm_stat was added in 2.6.28 in Nov 2008.
>
> I've removed af_key from our _stackmanager probe list, but on current
> kernels it does still get dragged in by other modules. I did unload it
> and then bring up an IPsec tunnel and it seems to work fine :)
>
> I've also done some output renaming from NETKEY to XFRM, but did not
> touch the stackname "netkey" (which really should be "xfrm" but with
> "netkey" as backwards compatible option).
>
> I've also changed it so that kernel_pfkey.c now throws an error if
> compiled without USE_KLIPS, since we know XFRM/NETKEY and BSDKAME do
> not use it.
>
> > Since it is not necessary we could remove it from pluto. Also, tests by
> > Steffen noticed that compiling the kernel with pfkey uses quite a bit of extra CPU.
> > His observation was that pfkey_send_new_mapping used "3.69% of my cpu cycles".
>
> That's worth the gain :)
>
> > I think it is worth removing pfkey completely.
>
> Yes! Thanks for starting this!
>
> > I am wondering if there are more places where pluto depends on pfkey; will
> > this break something else?
>
> I checked and found a few more that I changed in the attached patch.
>
> > Should I push this now or hold on until 3.28 is out?
>
> I think I am okay with this going in for 3.28. Especially because of the
> performance gain. But I'm also fine doing this after 3.28.
>
> Paul
> diff --git a/README.nss b/README.nss
> index d3fc620..de52554 100644
> --- a/README.nss
> +++ b/README.nss
> @@ -9,8 +9,7 @@ https://www.mozilla.org/projects/security/pki/nss/
>
> The NSS crypto library is a user space library. It is only used with the
> libreswan userspace IKE daemon pluto for cryptographic operations. NSS
> -does not perform IPsec crypto operations inside the kernel (KLIPS
> -nor NETKEY)
> +does not perform IPsec crypto operations inside the kernel (KLIPS nor XFRM)
>
> The NSS library exports a PKCS#11 API for the application to
> communicate to a cryptographic device. The cryptographic device is
> diff --git a/contrib/README b/contrib/README
> index 5b06f55..0a8f0fb 100644
> --- a/contrib/README
> +++ b/contrib/README
> @@ -6,5 +6,5 @@ cisco-pcf - convert cisco PCF configuration files to libreswan config files
> ldsaref - SAref example implementation
> lucent - interop hacking with some proprietary lucent gateway
> patching - klips patching scripts from/between klips trees (unused)
> -scripts - perl scripts for emulating ipsec eroute output when using NETKEY
> +scripts - perl scripts for emulating ipsec eroute output when using XFRM
> python-swan - python module to determine if traffic to a destination would get encrypted
> diff --git a/contrib/scripts/README b/contrib/scripts/README
> index b46bb60..eb75d74 100644
> --- a/contrib/scripts/README
> +++ b/contrib/scripts/README
> @@ -1,5 +1,5 @@
> This directory contains scripts that mimic certain KLIPS-only commands
> -when using NETKEY. These may fold back into the distribution later on,
> +when using XFRM. These may fold back into the distribution later on,
> or get replaced by new code. Output is not guaranteed to be identical
> to the KLIPS versions.
>
> diff --git a/contrib/scripts/look b/contrib/scripts/look
> index efaf2da..aae46e3 100755
> --- a/contrib/scripts/look
> +++ b/contrib/scripts/look
> @@ -2,7 +2,7 @@
> #
> # (c) Feb 2008 - Matteo Vitturi <matteo_vitturi at virgilio.it>
> #
> -# A script to parse ip xfrm output - NETKEY version of "ipsec look"
> +# A script to parse ip xfrm output - XFRM version of "ipsec look"
>
> open(IPSXP,"ip -s x p|");
>
> diff --git a/initsystems/docker/ipsec.init.in b/initsystems/docker/ipsec.init.in
> index 11bdb10..8b806f6 100755
> --- a/initsystems/docker/ipsec.init.in
> +++ b/initsystems/docker/ipsec.init.in
> @@ -8,7 +8,7 @@
> # Default-Start:
> # Default-Stop: 0 1 6
> # Short-Description: Start Libreswan IPsec at boot time
> -# Description: Enable automatic key management for IPsec (KLIPS and NETKEY)
> +# Description: Enable automatic key management for IPsec (KLIPS and XFRM
> ### END INIT INFO
> #
> ### see https://bugzilla.redhat.com/show_bug.cgi?id=636572
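Review bot: the Description line in initsystems/docker/ipsec.init.in lost its closing parenthesis; the added line reads `# Description: Enable automatic key management for IPsec (KLIPS and XFRM` while the same edit in the sysvinit scripts keeps `... (KLIPS and XFRM)`. Add the `)`.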
> @@ -45,7 +45,7 @@
> #
> # chkconfig: - 47 76
> # description: IPsec provides encrypted and authenticated communications; \
> -# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level management daemon.
> +# XFRM or KLIPS is the kernel half of it, Pluto is the user-level management daemon.
>
> test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
>
> @@ -80,7 +80,7 @@ lockdir=/run/lock/subsys
> lockfile=ipsec
> lockpath=${lockdir}/${lockfile}
> ipsecversion=/proc/net/ipsec_version
> -kamepfkey=/proc/net/pfkey
> +xfrmnetkey=/proc/net/xfrm_stat
>
> # /etc/resolv.conf related paths
> LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
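Review bot: the renamed variable is `xfrmnetkey` here but `xfrmstack` in init.rhel, ipsec.init.in and _stackmanager; pick one name. More importantly, this hunk only changes the definition and no hunk in this file updates the places that read `${kamepfkey}`, so either those references now expand to nothing (an unquoted `[ -f ${kamepfkey} ]` degenerates into a one-argument string test whose result has nothing to do with any file) or the variable was never used and can simply be dropped. A `grep -n kamepfkey initsystems/ programs/` before merging would settle it; the stale `${kamepfkey}` left behind in _stackmanager's startnetkey() further down shows how easy this is to miss.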
> diff --git a/initsystems/sysvinit/init.debian.in b/initsystems/sysvinit/init.debian.in
> index a0a8131..e16a52e 100644
> --- a/initsystems/sysvinit/init.debian.in
> +++ b/initsystems/sysvinit/init.debian.in
> @@ -11,7 +11,7 @@ FIXME
> # Default-Start:
> # Default-Stop: 0 1 6
> # Short-Description: Start Libreswan IPsec at boot time
> -# Description: Enable automatic key management for IPsec (KLIPS and NETKEY)
> +# Description: Enable automatic key management for IPsec (KLIPS and XFRM)
> ### END INIT INFO
> #
> ### see https://bugzilla.redhat.com/show_bug.cgi?id=636572
> @@ -50,7 +50,7 @@ FIXME
> #
> # chkconfig: - 47 76
> # description: IPsec provides encrypted and authenticated communications; \
> -# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level management daemon.
> +# XFRM or KLIPS is the kernel half of it, Pluto is the user-level management daemon.
>
> # Source function library.
> . /etc/init.d/functions
> diff --git a/initsystems/sysvinit/init.rhel b/initsystems/sysvinit/init.rhel
> index b5d34be..932a5ec 100755
> --- a/initsystems/sysvinit/init.rhel
> +++ b/initsystems/sysvinit/init.rhel
> @@ -8,7 +8,7 @@
> # Default-Start:
> # Default-Stop: 0 1 6
> # Short-Description: Start Libreswan IPsec at boot time
> -# Description: Enable automatic key management for IPsec (KLIPS and NETKEY)
> +# Description: Enable automatic key management for IPsec (KLIPS and XFRM)
> ### END INIT INFO
> #
> ### see https://bugzilla.redhat.com/show_bug.cgi?id=636572
> @@ -44,7 +44,7 @@
> #
> # chkconfig: - 47 76
> # description: IPsec provides encrypted and authenticated communications; \
> -# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level management daemon.
> +# XFRM or KLIPS is the kernel half of it, Pluto is the user-level management daemon.
>
> test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
>
> @@ -82,7 +82,7 @@ lockdir=/var/lock/subsys
> lockfile=ipsec
> lockpath=${lockdir}/${lockfile}
> ipsecversion=/proc/net/ipsec_version
> -kamepfkey=/proc/net/pfkey
> +xfrmstack=/proc/net/xfrm_stat
>
> # /etc/resolv.conf related paths
> LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
> diff --git a/initsystems/sysvinit/ipsec.init.in b/initsystems/sysvinit/ipsec.init.in
> index 705899e..6ef1acb 100755
> --- a/initsystems/sysvinit/ipsec.init.in
> +++ b/initsystems/sysvinit/ipsec.init.in
> @@ -8,7 +8,7 @@
> # Default-Start: @SYSVINIT_DEFAULT_START@
> # Default-Stop: 0 1 6
> # Short-Description: Start Libreswan IPsec at boot time
> -# Description: Enable automatic key management for IPsec (KLIPS and NETKEY)
> +# Description: Enable automatic key management for IPsec (KLIPS and XFRM)
> ### END INIT INFO
> #
> ### see https://bugzilla.redhat.com/show_bug.cgi?id=636572
> @@ -44,7 +44,7 @@
> #
> # chkconfig: - 47 76
> # description: IPsec provides encrypted and authenticated communications; \
> -# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level management daemon.
> +# XFRM or KLIPS is the kernel half of it, Pluto is the user-level management daemon.
>
> test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
>
> @@ -81,7 +81,7 @@ plutoctl=${rundir}/pluto.ctl
> lockdir=@FINALVARDIR@/lock/subsys
> lockfile=${lockdir}/ipsec
> ipsecversion=/proc/net/ipsec_version
> -kamepfkey=/proc/net/pfkey
> +xfrmstack=/proc/net/xfrm_stat
>
> # @FINALSYSCONFDIR@/resolv.conf related paths
> LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
> diff --git a/initsystems/upstart/ipsec.conf.in b/initsystems/upstart/ipsec.conf.in
> index 10e30ac..bbf56bf 100644
> --- a/initsystems/upstart/ipsec.conf.in
> +++ b/initsystems/upstart/ipsec.conf.in
> @@ -1,7 +1,7 @@
> # ipsec - ipsec services and ike demon (pluto)
> #
> # IPsec provides encrypted and authenticated communications;
> -# NETKEY/KLIPS is the kernel half of it, Pluto is the user-level
> +# XFRM or KLIPS is the kernel half of it, Pluto is the user-level
> # management daemon.
>
> description "libreswan ipsec services"
> diff --git a/mk/userland-cflags.mk b/mk/userland-cflags.mk
> index 698ce34..13eae61 100644
> --- a/mk/userland-cflags.mk
> +++ b/mk/userland-cflags.mk
> @@ -67,53 +67,34 @@ endif
> #
> # Kernel support
> #
> -# Order these so that the enabled kernel support can fill in defaults
> -# for rest. For instance, MAST should enable KLIPS which should enble
> -# PFKEYv2. So that Makefile.inc.local can override, the values are
> -# not forced. over However don't force
>
> # support BSD/KAME kernels (on *BSD and OSX)?
> +# Uses PFKEY API but its own version, not the KLIPS one
> USE_BSDKAME?=false
> ifeq ($(USE_BSDKAME),true)
> -USE_NETKEY?=false
> -USE_KLIPS?=false
> -endif
> -
> -# support KLIPS kernel module (KLIPS requires PFKEYv2)
> -USE_KLIPS?=false
> -ifeq ($(USE_KLIPS),true)
> -USE_PFKEYv2?=true
> +USERLAND_CFLAGS+=-DBSD_KAME
> +USE_NETKEY=false
> +USE_KLIPS=false
> +USE_PFKEYv2=false
> endif
>
> -# support Linux kernel's NETLINK_XFRM (aka NETKEY) (aka "native",
> -# "kame"???) (NETLINK does not use PFKEY, but it does share some code.
> -# True?!?)
> +# support Linux kernel's NETLINK_XFRM (aka NETKEY)
> +# This no longer uses PFKEY
> USE_NETKEY?=true
> ifeq ($(USE_NETKEY),true)
> -USE_PFKEYv2=true
> -endif
> -
> -# above should set these
> -USE_PFKEYv2?=false
> -
> -ifeq ($(USE_BSDKAME),true)
> -USERLAND_CFLAGS += -DBSD_KAME
> +USERLAND_CFLAGS+=-DNETKEY_SUPPORT
> +USE_PFKEYv2=false
> +USE_BSDKAME=false
> endif
>
> +# support old style Linux KLIPS kernel module (KLIPS requires PFKEYv2)
> +USE_KLIPS?=false
> ifeq ($(USE_KLIPS),true)
> +USE_PFKEYv2=true
> USERLAND_CFLAGS+=-DKLIPS
> +USE_BSDKAME=false
> endif
>
> -ifeq ($(USE_NETKEY),true)
> -USERLAND_CFLAGS+=-DNETKEY_SUPPORT
> -endif
> -
> -ifeq ($(USE_PFKEYv2),true)
> -USERLAND_CFLAGS+=-DPFKEY
> -endif
> -
> -#
> -
> ifeq ($(USE_DNSSEC),true)
> USERLAND_CFLAGS+=-DUSE_DNSSEC
> UNBOUND_LDFLAGS ?= -lunbound -lldns
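Review bot: `USE_PFKEYv2` is still assigned (`true` under KLIPS, `false` elsewhere) but the `ifeq ($(USE_PFKEYv2),true) USERLAND_CFLAGS+=-DPFKEY` block is deleted, so the variable no longer affects the build and any source still guarded by `#ifdef PFKEY` is now compiled without it. Either drop `USE_PFKEYv2` entirely or keep emitting `-DPFKEY` for the KLIPS case; `grep -rn 'PFKEY' programs/pluto include/` will show which is safe. The new BSDKAME comment also says it `Uses PFKEY API but its own version` while the block right below it sets `USE_PFKEYv2=false`; reword it to say the BSD path does not use libreswan's PFKEYv2 glue so the two lines do not read as contradictory.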
> diff --git a/programs/_realsetup.bsd/_realsetup.in b/programs/_realsetup.bsd/_realsetup.in
> index 9e6a193..14dfe5a 100755
> --- a/programs/_realsetup.bsd/_realsetup.in
> +++ b/programs/_realsetup.bsd/_realsetup.in
> @@ -27,7 +27,7 @@ plutoctl=/var/run/pluto/pluto.ctl
> subsyslock=/var/lock/subsys/ipsec
> lock=/var/run/pluto/ipsec_setup.pid
>
> -kamepfkey=/proc/net/pfkey
> +xfrmstack=/proc/net/xfrm_stat
>
> # defaults for "config setup" items
> IPSECuniqueids=${IPSECuniqueids:-yes}
> @@ -183,7 +183,7 @@ case "$1" in
> rm -f /var/run/pluto.pid
>
> # When we exit we clean up (remove) the modules we are using, even the kame'ish ones
> - if test -e ${kamepfkey}; then
> + if test -e ${xfrmstack}; then
> lsmod 2>&1 | grep "^xfrm4_tunnel" > /dev/null && rmmod xfrm4_tunnel
> lsmod 2>&1 | grep "^af_key" > /dev/null && rmmod af_key
> # old name for xfrm4_tunnel
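Review bot: this branch still runs `rmmod af_key` although the same patch removes `af_key` from the _stackmanager unload list on the grounds that current kernels pull it in through other modules; the two should agree. It is also worth asking whether this Linux-only block (`/proc/net/...`, `lsmod`, `rmmod`) belongs in programs/_realsetup.bsd at all: on a BSD host `${xfrmstack}` can never exist, so the renamed test only changes dead code.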
> diff --git a/programs/_stackmanager/_stackmanager.in b/programs/_stackmanager/_stackmanager.in
> index 16add5a..cb1621a 100644
> --- a/programs/_stackmanager/_stackmanager.in
> +++ b/programs/_stackmanager/_stackmanager.in
> @@ -28,8 +28,8 @@ eval $(ASAN_OPTIONS=detect_leaks=0 ipsec addconn --configsetup | grep -v "#" |
> test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
> MODPROBE="@MODPROBEBIN@ @MODPROBEARGS@"
>
> -kamepfkey=/proc/net/pfkey
> -ipsecpfkey=/proc/net/ipsec/version
> +xfrmstack=/proc/net/xfrm_stat
> +klipsstack=/proc/net/ipsec/version
> action="${1}"
>
> if [ -z "${action}" ]; then
> @@ -44,11 +44,11 @@ stopnetkey() {
> # Validate wait option
> [ "${1}" = "--wait" -o "${1}" = "-w" ] && wait="${1}"
>
> - if [ -f ${kamepfkey} ]; then
> + if [ -f ${xfrmstack} ]; then
> ip xfrm state flush
> ip xfrm policy flush
> if [ -n "$(ip xfrm state)" -o -n "$(ip xfrm policy)" ]; then
> - echo "NETKEY IPsec stack could not be cleared" >&2
> + echo "XFRM IPsec stack could not be cleared" >&2
> fi
>
> if [ -f /proc/modules ]; then
> @@ -61,11 +61,11 @@ stopnetkey() {
> echo 0 >/proc/sys/net/core/xfrm_larval_drop
> fi
> fi
> - # netkey stack found, let's unload.
> + # xfrm stack found, let's unload.
> for mod in xfrm_ipcomp ipcomp ipcomp6 ip_vti xfrm6_tunnel \
> xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro \
> xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel \
> - xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 af_key \
> + xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 \
> xfrm_user xfrm_interface
> do
> # first try and unload the modules without the 10s wait pause
> @@ -114,17 +114,17 @@ startnetkey() {
>
> cryptomodules
>
> - if [ -f ${ipsecpfkey} ]; then
> + if [ -f ${klipsstack} ]; then
> echo "Warning: found KLIPS stack loaded - attempting to unload..." >&2
> stopklips
> - if [ -f ${ipsecpfkey} ]; then
> + if [ -f ${klipsstack} ]; then
> echo "FAILURE to unload KLIPS module" >&2
> exit 1
> fi
> fi
>
> if [ -f /proc/modules ]; then
> - # load all NETKEY modules
> + # load all XFRM modules
> for mod in ipcomp6 xfrm_ipcomp ipcomp xfrm6_tunnel xfrm6_mode_tunnel \
> xfrm6_mode_beet xfrm6_mode_ro xfrm6_mode_transport \
> xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel \
> @@ -150,15 +150,15 @@ startnetkey() {
> echo "WARNING: can not change /proc/sys/net/core/xfrm_acq_expires from ${xcur} to ${xfrmlifetime}" >&2
> fi
>
> - # Fail on error in loading NETKEY/XFRM stack
> + # Fail on error in loading XFRM stack
> if [ ! -f ${kamepfkey} ]; then
> - echo "FAILURE in loading NETKEY/XFRM stack" >&2
> + echo "FAILURE in loading XFRM stack" >&2
> exit 1
> fi
> }
>
> stopklips() {
> - if [ -f ${ipsecpfkey} ]; then
> + if [ -f ${klipsstack} ]; then
> # Bring down ipsecX and mast0 interfaces
> ifl=$(grep -v NULL /proc/net/ipsec_tncfg 2>/dev/null | sed -n -e "/^ipsec/s/ .*//p")
> if [ -n "${ifl}" ]; then
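Review bot: the condition on the unchanged line `if [ ! -f ${kamepfkey} ]; then` still uses `kamepfkey`, which this patch renames to `xfrmstack` at the top of the file. With the variable now unset the unquoted expansion turns the test into `[ ! -f ]`, which no longer looks at any file, so the `FAILURE in loading XFRM stack` exit can never trigger and startnetkey() silently reports success on a kernel without XFRM. Change it to `${xfrmstack}`, or drop the check as Antony's stackmanager patch does. Note too that `/proc/net/xfrm_stat` only exists on kernels built with CONFIG_XFRM_STATISTICS, so even the corrected test would abort startup on an XFRM kernel without that option.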
> @@ -182,7 +182,7 @@ stopklips() {
> rmmod ipsec 2>/dev/null
> fi
> fi
> - if [ -f ${ipsecpfkey} -o -n "$(lsmod | grep ^ipsec)" ]; then
> + if [ -f ${klipsstack} -o -n "$(lsmod | grep ^ipsec)" ]; then
> echo "FAILURE to unload KLIPS module" >&2
> exit 1
> fi
> @@ -209,7 +209,7 @@ stop() {
>
> cryptomodules() {
> # load any OCF and CryptoAPI modules we might need for acceleration
> - # (OCF works for NETKEY and KLIPS)
> + # (OCF works for XFRM and KLIPS)
> # OCF cryptosoft is for kernel acceleration (ESP/AH)
> ${MODPROBE} cryptosoft 2>/dev/null
> # We skip cryptodev.ko because we no longer support /dev/crypto offloading
> @@ -259,15 +259,15 @@ startmast() {
>
> startklips() {
> cryptomodules
> - if [ -f ${kamepfkey} ]; then
> - echo "Warning: found NETKEY/XFRM stack loaded - attempting to unload..." >&2
> + if [ -f ${xfrmstack} ]; then
> + echo "Warning: found XFRM stack loaded - attempting to unload..." >&2
> stopnetkey --wait
> - if [ -f ${kamepfkey} ]; then
> + if [ -f ${xfrmstack} ]; then
> echo "FAILURE to unload KLIPS module" >&2
> exit 1
> fi
> fi
> - if [ ! -f ${ipsecpfkey} ]; then
> + if [ ! -f ${klipsstack} ]; then
> # KLIPS-related paths
> bareversion=$(uname -r | sed -e 's/\.nptl//' | sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/')
> case ${bareversion} in
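Review bot: the message on the line after the changed condition, `echo "FAILURE to unload KLIPS module" >&2`, is wrong for this branch; the test that just failed is `[ -f ${xfrmstack} ]`, i.e. the XFRM stack could not be unloaded before starting KLIPS. Say `FAILURE to unload XFRM stack` so the log points at the right stack.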
> @@ -285,7 +285,7 @@ startklips() {
> ${MODPROBE} ${modulename}
> fi
>
> - if [ ! -f ${ipsecpfkey} ]; then
> + if [ ! -f ${klipsstack} ]; then
> echo "FAILURE to load KLIPS module" >&2
> exit 1
> fi
> @@ -450,14 +450,14 @@ esac
>
> case ${action} in
> stop)
> - # We don't unload NETKEY/XFRM on stop - only when we detect a stack
> + # We don't unload XFRM on stop - only when we detect a stack
> # change.
> - if [ -f ${ipsecpfkey} ]; then
> + if [ -f ${klipsstack} ]; then
> ipsec eroute --clear
> # this clears all IP addresses on ipsecX interfaces by
> # unloading the module
> stopklips
> - elif [ -f ${kamepfkey} ]; then
> + elif [ -f ${xfrmstack} ]; then
> ip xfrm state flush
> ip xfrm policy flush
> # module unloading skipped on purpose - can hang for a long
> diff --git a/programs/barf/barf.in b/programs/barf/barf.in
> index 7cae4e2..bc6f9c9 100755
> --- a/programs/barf/barf.in
> +++ b/programs/barf/barf.in
> @@ -169,10 +169,6 @@ if test -r /proc/net/ipsec_tncfg
> then
> cat /proc/net/ipsec_tncfg
> fi
> -_________________________ /proc/net/pfkey
> -if test -r /proc/net/pfkey
> -then
> - cat /proc/net/pfkey
> _________________________ ip-xfrm-state
> ip xfrm state
> _________________________ ip-xfrm-policy
> @@ -291,7 +287,7 @@ if test -r /proc/net/ipsec_version
> then
> cat /proc/net/ipsec_version
> else
> - if test -r /proc/net/pfkey
> + if test -r /proc/net/xfrm_stat
> then
> echo "NETKEY (`uname -r`) support detected "
> else
> diff --git a/programs/eroute/eroute.c b/programs/eroute/eroute.c
> index ec2d002..d57b534 100644
> --- a/programs/eroute/eroute.c
> +++ b/programs/eroute/eroute.c
> @@ -494,7 +494,7 @@ int main(int argc, char **argv)
> if (argcount == 1) {
> struct stat sts;
>
> - if (stat("/proc/net/pfkey", &sts) == 0) {
> + if (stat("/proc/net/xfrm_stat", &sts) == 0) {
> fprintf(stderr,
> "%s: NETKEY does not support eroute table.\n",
> progname);
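Review bot: the message on the unchanged line, `"%s: NETKEY does not support eroute table.\n"`, keeps the old stack name while the equivalent messages in spi.c, spigrp.c and tncfg.c are changed to `XFRM` in the same patch; rename it here too for consistency.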
> diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in
> index 3dd5509..eb6d76b 100755
> --- a/programs/ipsec/ipsec.in
> +++ b/programs/ipsec/ipsec.in
> @@ -61,7 +61,7 @@ fixversion() {
> stack=" (klips)"
> kv="$(awk '{print $NF}' /proc/net/ipsec_version)"
> else
> - if [ -f /proc/net/pfkey ]; then
> + if [ -f /proc/net/xfrm_stat ]; then
> stack=" (netkey)"
> kv="${version}"
> else
> diff --git a/programs/look/look.in b/programs/look/look.in
> index 50ca0d3..975566e 100755
> --- a/programs/look/look.in
> +++ b/programs/look/look.in
> @@ -71,8 +71,8 @@ if [ -f /proc/net/ipsec_spi ]; then
> sort /proc/net/ipsec_spi
> fi
>
> -# xfrm for netkey
> -if [ -f /proc/net/pfkey ]; then
> +# xfrm
> +if [ -f /proc/net/xfrm_stat ]; then
> echo "XFRM state:"
> ip xfrm state
> echo "XFRM policy:"
> diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
> index 93bbcc6..596d8b0 100644
> --- a/programs/pluto/kernel.c
> +++ b/programs/pluto/kernel.c
> @@ -221,7 +221,7 @@ void record_and_initiate_opportunistic(const ip_subnet *ours,
> * Add the kernel shunt to the pluto bare shunt list.
> * We need to do this because the %hold shunt was installed by kernel
> * and we want to keep track of it inside pluto.
> - * WARNING: there is different behaviour between KLIPS and NETKEY, and
> + * WARNING: there is different behaviour between KLIPS and XFRM, and
> * it might be that netkey causes duplicate acquires when the
> * proc value is different from our internal value?
> */
> @@ -989,7 +989,7 @@ static enum routability could_route(struct connection *c)
> if (!compatible_overlapping_connections(c, ero)) {
> /*
> * Another connection is already using the eroute.
> - * TODO: NETKEY can do this?
> + * TODO: XFRM can do this?
> */
> return route_impossible;
> }
> @@ -1035,7 +1035,7 @@ static enum routability could_route(struct connection *c)
> if (LDISJOINT(POLICY_OVERLAPIP, c->policy | ero->policy)) {
> /*
> * another connection is already using the eroute,
> - * TODO: NETKEY apparently can do this though
> + * TODO: XFRM apparently can do this though
> */
> loglog(RC_LOG_SERIOUS,
> "cannot install eroute -- it is in use for \"%s\"%s #%lu",
> @@ -2648,7 +2648,6 @@ static void kernel_scan_shunts(void)
> void init_kernel(void)
> {
> struct utsname un;
> -
> #if defined(NETKEY_SUPPORT) || defined(KLIPS)
> struct stat buf;
> #endif
> @@ -2660,13 +2659,13 @@ void init_kernel(void)
> switch (kern_interface) {
> #if defined(NETKEY_SUPPORT)
> case USE_NETKEY:
> - if (stat("/proc/net/pfkey", &buf) != 0) {
> - libreswan_log(
> - "No XFRM/NETKEY kernel interface detected");
> - exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
> - }
> + if (stat("/proc/net/xfrm_stat", &buf) != 0) {
> + libreswan_log("No XFRM kernel interface detected");
> + exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
> + }
> +
> libreswan_log(
> - "Using Linux XFRM/NETKEY IPsec interface code on %s",
> + "Using Linux XFRM IPsec interface code on %s",
> kversion);
> kernel_ops = &netkey_kernel_ops;
> break;
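Review bot: `stat("/proc/net/xfrm_stat", ...)` is only a valid presence test on kernels built with CONFIG_XFRM_STATISTICS=y; net/xfrm/xfrm_proc.c, which creates that file, is compiled only under that option. A kernel with full XFRM support but without the statistics option will make pluto exit here with `No XFRM kernel interface detected`, a regression compared to the code being replaced, since `/proc/net/pfkey` existed whenever af_key was loaded. Either probe for the interface the way pluto actually uses it (opening an `AF_NETLINK`/`NETLINK_XFRM` socket, which kernel_netlink.c does anyway) or treat the file as advisory and log instead of exiting. The same caveat applies to every script in this patch that tests `/proc/net/xfrm_stat`.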
> diff --git a/programs/pluto/kernel_pfkey.c b/programs/pluto/kernel_pfkey.c
> index 276d5bc..91a5818 100644
> --- a/programs/pluto/kernel_pfkey.c
> +++ b/programs/pluto/kernel_pfkey.c
> @@ -70,6 +70,10 @@
> #define KLIPS_OP_MASK 0xFF
> #define KLIPS_OP_FLAG_SHIFT 8
>
> +#ifndef USE_KLIPS
> +# error This file is now only used to support the KLIPS PFKEY API
> +#endif
> +
> int pfkeyfd = NULL_FD;
>
> typedef uint32_t pfkey_seq_t;
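Review bot: the guard `#ifndef USE_KLIPS` tests a preprocessor symbol that, as far as this patch shows, is never defined: `USE_KLIPS` is a make variable, and mk/userland-cflags.mk adds `-DKLIPS` (not `-DUSE_KLIPS`) to USERLAND_CFLAGS when it is true. Unless the build passes `-DUSE_KLIPS` somewhere outside this diff, this `#error` fires on exactly the KLIPS builds it is meant to allow. Use `#ifndef KLIPS`, matching the `#if defined(KLIPS)` checks in kernel.c.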
> diff --git a/programs/setup/setup.in b/programs/setup/setup.in
> index 8d69fc8..a4faaf7 100755
> --- a/programs/setup/setup.in
> +++ b/programs/setup/setup.in
> @@ -109,7 +109,7 @@ case "$1" in
>
> # If stack is non-modular, we want to force clean too
> [ -f /proc/net/pf_key ] && ipsec eroute --clear
> - [ -f /proc/net/pfkey ] && ip xfrm state flush && ip xfrm policy flush
> + [ -f /proc/net/xfrm_stat ] && ip xfrm state flush && ip xfrm policy flush
>
> # Cleaning up backup resolv.conf
> if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
> diff --git a/programs/spi/spi.c b/programs/spi/spi.c
> index 6b46c8f..7126878 100644
> --- a/programs/spi/spi.c
> +++ b/programs/spi/spi.c
> @@ -1133,9 +1133,9 @@ int main(int argc, char *argv[])
> progname);
> }
>
> - if (stat("/proc/net/pfkey", &sts) == 0) {
> + if (stat("/proc/net/xfrm_stat", &sts) == 0) {
> fprintf(stderr,
> - "%s: NETKEY does not use the ipsec spi command. Use 'ip xfrm' instead.\n",
> + "%s: XFRM does not use the ipsec spi command. Use 'ip xfrm' instead.\n",
> progname);
> exit(1);
> }
> diff --git a/programs/spigrp/spigrp.c b/programs/spigrp/spigrp.c
> index 0f3d12e..a8b12c2 100644
> --- a/programs/spigrp/spigrp.c
> +++ b/programs/spigrp/spigrp.c
> @@ -149,9 +149,9 @@ int main(int argc, char **argv)
> if (debug)
> fprintf(stdout, "...After check for --label option.\n");
>
> - if (stat("/proc/net/pfkey", &sts) == 0) {
> + if (stat("/proc/net/xfrm_stat", &sts) == 0) {
> fprintf(stderr,
> - "%s: NETKEY does not use the ipsec spigrp command. Use 'ip xfrm' instead.\n",
> + "%s: XFRM does not use the ipsec spigrp command. Use 'ip xfrm' instead.\n",
> progname);
> exit(1);
> }
> diff --git a/programs/tncfg/tncfg.c b/programs/tncfg/tncfg.c
> index 8bc9dcd..eca94ed 100644
> --- a/programs/tncfg/tncfg.c
> +++ b/programs/tncfg/tncfg.c
> @@ -257,9 +257,9 @@ int main(int argc, char *argv[])
> }
> }
>
> - if (stat("/proc/net/pfkey", &sts) == 0) {
> + if (stat("/proc/net/xfrm_stat", &sts) == 0) {
> fprintf(stderr,
> - "%s: NETKEY does not support virtual interfaces.\n",
> + "%s: XFRM does not support virtual interfaces.\n",
> progname);
> exit(1);
> }
> diff --git a/programs/verify/verify.in b/programs/verify/verify.in
> index 0708e66..9321631 100755
> --- a/programs/verify/verify.in
> +++ b/programs/verify/verify.in
> @@ -223,7 +223,7 @@ def installstartcheck():
> print_result("FAIL","FAILED")
>
> printfun("Checking for IPsec support in kernel")
> - if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/net/pfkey"):
> + if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/net/xfrm_stat"):
> print_result("FAIL","FAILED")
> if "no kernel code presently loaded" in output:
> print("\n The ipsec service should be started before running 'ipsec verify'\n")
-------------- next part --------------
From 8e6eb56365dbb6857ec58be87f26c6fee9a37a85 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Thu, 2 May 2019 15:15:26 +0000
Subject: [PATCH 1/2] pluto: netkey don't check for /proc/net/pfkey
since b248daa35 and related commits for netkey pluto do not need
/proc/net/pfkey
---
programs/pluto/kernel.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index a4320042f..bd584d089 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -2650,7 +2650,7 @@ void init_kernel(void)
{
struct utsname un;
-#if defined(NETKEY_SUPPORT) || defined(KLIPS)
+#if defined(KLIPS)
struct stat buf;
#endif
@@ -2661,11 +2661,6 @@ void init_kernel(void)
switch (kern_interface) {
#if defined(NETKEY_SUPPORT)
case USE_NETKEY:
- if (stat("/proc/net/pfkey", &buf) != 0) {
- libreswan_log(
- "No XFRM/NETKEY kernel interface detected");
- exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
- }
libreswan_log(
"Using Linux XFRM/NETKEY IPsec interface code on %s",
kversion);
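Review bot: dropping the stat() also drops the only startup-time diagnostic for a kernel without XFRM; after this hunk `Using Linux XFRM/NETKEY IPsec interface code` is logged unconditionally. That is fine if opening the NETLINK_XFRM socket in kernel_netlink.c still calls exit_pluto() with a clear message, so confirm that path and say so in the commit message. Also, this hunk and Paul's kernel.c hunk quoted above edit the same lines of init_kernel() and will conflict on merge.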
--
2.20.1
-------------- next part --------------
From 209d616186c404b66d7cea3c6fa59a0526c3f1bd Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Thu, 2 May 2019 15:17:13 +0000
Subject: [PATCH 2/2] stackmanager: netkey do not need pfkey since b248daa35
netkey stack manager don't check for /proc/net/pfkey
---
programs/_stackmanager/_stackmanager.in | 6 ------
1 file changed, 6 deletions(-)
diff --git a/programs/_stackmanager/_stackmanager.in b/programs/_stackmanager/_stackmanager.in
index 2da2d781c..c8b98f81b 100644
--- a/programs/_stackmanager/_stackmanager.in
+++ b/programs/_stackmanager/_stackmanager.in
@@ -149,12 +149,6 @@ startnetkey() {
else
echo "WARNING: can not change /proc/sys/net/core/xfrm_acq_expires from ${xcur} to ${xfrmlifetime}" >&2
fi
-
- # Fail on error in loading NETKEY/XFRM stack
- if [ ! -f ${kamepfkey} ]; then
- echo "FAILURE in loading NETKEY/XFRM stack" >&2
- exit 1
- fi
}
stopklips() {
--
2.20.1
-------------- next part --------------
From ae1c3d87535437f32ce21d88e241d73fb232b318 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Fri, 3 May 2019 13:34:28 +0000
Subject: [PATCH 1/2] pluto: kernel_netlink.c remove unnecessary pfekey2.h
Jacob two two was in action - pfekey2.h was twice.
---
programs/pluto/kernel_netlink.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index 0bba1b5d6..a902ea68f 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -40,7 +40,6 @@
#include <sys/types.h>
#include <sys/ioctl.h>
#include <stdint.h>
-#include <linux/pfkeyv2.h>
#include <linux/ethtool.h>
#include <linux/sockios.h>
#include <unistd.h>
@@ -60,9 +59,6 @@
# include "linux/xfrm.h" /* local (if configured) or system copy */
#endif
-#include "libreswan/pfkeyv2.h"
-#include "libreswan/pfkey.h"
-
#include "sysdep.h"
#include "socketwrapper.h"
#include "constants.h"
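Review bot: this removes `<linux/pfkeyv2.h>` and `libreswan/pfkey.h` while netlink_poke_ipsec_policy_hole(), still in this file until PATCH 2/2, uses `struct sadb_x_policy`, `SADB_X_EXT_POLICY` and `IPSEC_PFKEYv2_ALIGN` from exactly those headers; unless some other include still supplies them, the tree does not compile at this commit and the series is not bisectable. Land the setsockopt conversion first, or squash the two patches.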
--
2.20.1
-------------- next part --------------
From e10e24ef09600da37bec72aef0cbce746a1fd8e7 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Fri, 3 May 2019 16:12:58 +0000
Subject: [PATCH 2/2] pluto: xfrm replace pf_key options when poking policy
holes with xfrm
setsock options were pfkey,IP_IPSEC_POLICY, replace it with
appropriate native xfrm, IP_XFRM_POLICY
---
programs/pluto/kernel_netlink.c | 33 ++++++++++++++-------------------
1 file changed, 14 insertions(+), 19 deletions(-)
diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index a902ea68f..21c7f765b 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -2808,37 +2808,32 @@ static err_t netlink_migrate_sa_check(void)
static bool netlink_poke_ipsec_policy_hole(struct raw_iface *ifp, int fd)
{
- struct sadb_x_policy policy;
- int level, opt;
+ int opt, sol;
+ struct xfrm_userpolicy_info policy;
zero(&policy);
- policy.sadb_x_policy_len = sizeof(policy) /
- IPSEC_PFKEYv2_ALIGN;
- policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
- policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
- policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
- policy.sadb_x_policy_id = 0;
+ policy.action = XFRM_POLICY_ALLOW;
+ policy.sel.family = addrtypeof(&ifp->addr);
if (addrtypeof(&ifp->addr) == AF_INET6) {
- level = IPPROTO_IPV6;
- opt = IPV6_IPSEC_POLICY;
+ sol = IPPROTO_IPV6;
+ opt = IPV6_XFRM_POLICY;
} else {
- level = IPPROTO_IP;
- opt = IP_IPSEC_POLICY;
+ sol = SOL_IP;
+ opt = IP_XFRM_POLICY;
}
- if (setsockopt(fd, level, opt,
- &policy, sizeof(policy)) < 0) {
- LOG_ERRNO(errno, "setsockopt IPSEC_POLICY in process_raw_ifaces()");
+ policy.dir = XFRM_POLICY_IN;
+ if (setsockopt(fd, sol, opt, &policy, sizeof(policy)) < 0) {
+ LOG_ERRNO(errno, "setsockopt IP_XFRM_POLICY XFRM_POLICY_IN in process_raw_ifaces();");
close(fd);
return false;
}
- policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+ policy.dir = XFRM_POLICY_OUT;
- if (setsockopt(fd, level, opt,
- &policy, sizeof(policy)) < 0) {
- LOG_ERRNO(errno, "setsockopt IPSEC_POLICY in process_raw_ifaces()");
+ if (setsockopt(fd, sol, opt, &policy, sizeof(policy)) < 0) {
+ LOG_ERRNO(errno, "setsockopt IP_XFRM_POLICY XFRM_POLICY_OUT in process_raw_ifaces() XFRM_POLICY_OUT");
close(fd);
return false;
}
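Review bot: `sol` mixes `SOL_IP` (a Linux-only spelling) with `IPPROTO_IPV6`; the pair in the code being replaced, `IPPROTO_IP`/`IPPROTO_IPV6`, is consistent and portable and has the same values on Linux, so keep it. The two LOG_ERRNO strings also need a tidy: the first has a stray `;` before the closing quote and the second repeats `XFRM_POLICY_OUT`. On the substance, this is the hunk that really makes pluto independent of af_key and deserves saying so in the commit message: `IP_IPSEC_POLICY` is turned into a socket policy by the PF_KEY key manager (af_key), whereas `IP_XFRM_POLICY` is handled by the xfrm_user netlink key manager pluto already depends on, so with af_key absent the old call fails and the IKE socket is left without its bypass. Both options still require CAP_NET_ADMIN, so nothing changes for privilege handling, and a zeroed `xfrm_userpolicy_info` with `action = XFRM_POLICY_ALLOW` and no templates is the correct encoding of a bypass, provided `sel.family` matches the socket's family, which setting it from `ifp->addr` does.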
--
2.20.1
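Added example, not from this thread and not libreswan code: a stand-alone C program showing the two mechanisms the patches above rely on. It probes for the XFRM stack by opening a NETLINK_XFRM socket instead of testing /proc/net/xfrm_stat (that file only exists on kernels built with CONFIG_XFRM_STATISTICS), and it installs IN and OUT bypass policies on a UDP socket with IP_XFRM_POLICY / IPV6_XFRM_POLICY, the same thing the last patch does in netlink_poke_ipsec_policy_hole(). The function names are this example's own; the constants and `struct xfrm_userpolicy_info` come from <linux/xfrm.h> and <netinet/in.h>. Installing the policy needs CAP_NET_ADMIN, so an unprivileged run reports EPERM.

```c
/* Added example (not libreswan code): probe for the Linux XFRM stack and
 * punch an IPsec bypass on a UDP socket with IP_XFRM_POLICY, the native
 * equivalent of the PF_KEY-era IP_IPSEC_POLICY option that needs af_key.
 * Function names are this example's own; constants and the struct come
 * from <linux/xfrm.h> and <netinet/in.h>. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

/* 1 if the kernel offers NETLINK_XFRM, the interface pluto actually uses.
 * Opening the socket needs no privilege, and unlike /proc/net/xfrm_stat it
 * does not depend on CONFIG_XFRM_STATISTICS being set in the kernel. */
int xfrm_stack_present(void)
{
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
	if (fd < 0)
		return 0;
	close(fd);
	return 1;
}

/* Encode a socket-level bypass: match-all selector for the given address
 * family, direction IN or OUT, action ALLOW with no templates following.
 * Returns the length to pass to setsockopt(). */
size_t build_bypass_policy(int family, int dir, struct xfrm_userpolicy_info *p)
{
	memset(p, 0, sizeof(*p));
	p->sel.family = family;   /* must match the socket's own family */
	p->dir = dir;             /* XFRM_POLICY_IN or XFRM_POLICY_OUT */
	p->action = XFRM_POLICY_ALLOW;
	return sizeof(*p);
}

/* Install IN and OUT bypass policies on fd. Returns 0 or an errno:
 * EPERM means no CAP_NET_ADMIN; EOPNOTSUPP/ENOPROTOOPT mean the kernel
 * has no xfrm_user key manager to compile the policy. */
int poke_policy_hole(int fd, int family)
{
	int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
	int opt = (family == AF_INET6) ? IPV6_XFRM_POLICY : IP_XFRM_POLICY;
	int dirs[2];
	int i;

	dirs[0] = XFRM_POLICY_IN;
	dirs[1] = XFRM_POLICY_OUT;
	for (i = 0; i < 2; i++) {
		struct xfrm_userpolicy_info p;
		socklen_t len = (socklen_t)build_bypass_policy(family, dirs[i], &p);

		if (setsockopt(fd, level, opt, &p, len) < 0)
			return errno;
	}
	return 0;
}

/* Try it on a fresh UDP socket (as pluto does for its IKE sockets);
 * returns 0 on success or the errno that stopped it. */
int demo_bypass(int family)
{
	int rc;
	int fd = socket(family, SOCK_DGRAM, 0);

	if (fd < 0)
		return errno;
	rc = poke_policy_hole(fd, family);
	close(fd);
	return rc;
}

int main(void)
{
	int rc;

	printf("NETLINK_XFRM socket:  %s\n",
	       xfrm_stack_present() ? "available" : "not available");
	printf("/proc/net/xfrm_stat:  %s\n",
	       access("/proc/net/xfrm_stat", F_OK) == 0 ?
	       "present" : "absent (kernel built without CONFIG_XFRM_STATISTICS?)");
	rc = demo_bypass(AF_INET);
	printf("IPv4 bypass policy:   %s\n", rc == 0 ? "installed" : strerror(rc));
	return 0;
}
```

Run it as root (or with CAP_NET_ADMIN) to see the policies actually installed. The errno distinction is the operationally useful part: EPERM is a privilege problem, EOPNOTSUPP means the kernel has XFRM but no key manager willing to compile that option, and the NETLINK_XFRM probe answers the question the init scripts in this thread put to /proc/net/xfrm_stat without depending on a kernel configuration option.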