[Swan-dev] Re v2 remove pfkey checks from pluto and startup scripts

Antony Antony antony at phenome.org
Fri May 3 17:58:31 UTC 2019


Here are the 3 revised patches for master.
To test them, make sure pfkey is removed properly; the recommendation is to re-compile the
kernel with the following.

[1] in .config it is called CONFIG_NET_KEY

 │ Location:                                                             │
 │  -> Networking support (NET [=y])                                    │
 │    -> Networking options
 │      -> PF_KEY sockets [=n]

check .config for
# CONFIG_NET_KEY is not set

-antony
-------------- next part --------------
>From 01bbd1695d8535dd0de0efc6117e42337b156351 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Thu, 2 May 2019 15:15:26 +0000
Subject: [PATCH 1/3] pluto: xfrm don not check for /proc/net/pfkey

Instead check /proc/net/xfrm_stat, from Paul's patch.
Since b248daa35 and related commits pluto should not need
/proc/net/pfkey.
---
 programs/pluto/kernel.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index a94874b22..b263009dc 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -2659,9 +2659,8 @@ void init_kernel(void)
 	switch (kern_interface) {
 #if defined(NETKEY_SUPPORT)
 	case USE_NETKEY:
-		if (stat("/proc/net/pfkey", &buf) != 0) {
-			libreswan_log(
-				"No XFRM/NETKEY kernel interface detected");
+		if (stat("/proc/net/xfrm_stat", &buf) != 0) {
+			libreswan_log("No XFRM kernel interface detected");
 			exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
 		}
 		libreswan_log(
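Review bot: The new stat() probe keys XFRM support off /proc/net/xfrm_stat, which as far as I recall the kernel only creates when CONFIG_XFRM_STATISTICS is enabled, so a kernel with working XFRM/netlink but without that option would now exit with "No XFRM kernel interface detected". If that dependency is intended it should at least be visible to the operator, and the failing errno helps as well, e.g. `libreswan_log("No XFRM kernel interface detected (/proc/net/xfrm_stat: %s)", strerror(errno));` assuming libreswan_log is printf-like and <string.h> is already included. init_kernel's body continues outside the hunk.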
-- 
2.20.1

-------------- next part --------------
>From e8b3dc7599458f8eccf5ce90afd78ac1ce8d0c9c Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Fri, 3 May 2019 13:34:28 +0000
Subject: [PATCH 2/3] pluto: kernel_netlink.c remove unnecessary include
 pfekey2.h

Jacob Two-Two was in action - pfkeyv2.h was included twice.
---
 programs/pluto/kernel_netlink.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index 0bba1b5d6..a902ea68f 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -40,7 +40,6 @@
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <stdint.h>
-#include <linux/pfkeyv2.h>
 #include <linux/ethtool.h>
 #include <linux/sockios.h>
 #include <unistd.h>
@@ -60,9 +59,6 @@
 # include "linux/xfrm.h" /* local (if configured) or system copy */
 #endif
 
-#include "libreswan/pfkeyv2.h"
-#include "libreswan/pfkey.h"
-
 #include "sysdep.h"
 #include "socketwrapper.h"
 #include "constants.h"
-- 
2.20.1

-------------- next part --------------
>From 4fa06aecebfaac4408464b006f1e1276eee3833d Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Fri, 3 May 2019 16:12:58 +0000
Subject: [PATCH 3/3] pluto: xfrm replace pf_key options with xfrrm when poking
 policy holes

setsockopt used the pfkey option IP_IPSEC_POLICY; replace it with
the appropriate xfrm option, IP_XFRM_POLICY.
---
 programs/pluto/kernel_netlink.c | 33 ++++++++++++++-------------------
 1 file changed, 14 insertions(+), 19 deletions(-)

diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index a902ea68f..21c7f765b 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -2808,37 +2808,32 @@ static err_t netlink_migrate_sa_check(void)
 
 static bool netlink_poke_ipsec_policy_hole(struct raw_iface *ifp, int fd)
 {
-	struct sadb_x_policy policy;
-	int level, opt;
+	int opt, sol;
+	struct xfrm_userpolicy_info policy;
 
 	zero(&policy);
-	policy.sadb_x_policy_len = sizeof(policy) /
-		IPSEC_PFKEYv2_ALIGN;
-	policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-	policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-	policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-	policy.sadb_x_policy_id = 0;
+	policy.action = XFRM_POLICY_ALLOW;
+	policy.sel.family = addrtypeof(&ifp->addr);
 
 	if (addrtypeof(&ifp->addr) == AF_INET6) {
-		level = IPPROTO_IPV6;
-		opt = IPV6_IPSEC_POLICY;
+		sol = IPPROTO_IPV6;
+		opt = IPV6_XFRM_POLICY;
 	} else {
-		level = IPPROTO_IP;
-		opt = IP_IPSEC_POLICY;
+		sol = SOL_IP;
+		opt = IP_XFRM_POLICY;
 	}
 
-	if (setsockopt(fd, level, opt,
-		       &policy, sizeof(policy)) < 0) {
-		LOG_ERRNO(errno, "setsockopt IPSEC_POLICY in process_raw_ifaces()");
+	policy.dir = XFRM_POLICY_IN;
+	if (setsockopt(fd, sol, opt, &policy, sizeof(policy)) < 0) {
+		LOG_ERRNO(errno, "setsockopt IP_XFRM_POLICY XFRM_POLICY_IN in process_raw_ifaces();");
 		close(fd);
 		return false;
 	}
 
-	policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+	policy.dir = XFRM_POLICY_OUT;
 
-	if (setsockopt(fd, level, opt,
-		       &policy, sizeof(policy)) < 0) {
-		LOG_ERRNO(errno, "setsockopt IPSEC_POLICY in process_raw_ifaces()");
+	if (setsockopt(fd, sol, opt, &policy, sizeof(policy)) < 0) {
+		LOG_ERRNO(errno, "setsockopt IP_XFRM_POLICY XFRM_POLICY_OUT in process_raw_ifaces() XFRM_POLICY_OUT");
 		close(fd);
 		return false;
 	}
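Review bot: The two new LOG_ERRNO strings carry copy-paste leftovers: the inbound one ends in `process_raw_ifaces();` with a stray semicolon inside the quotes, and the outbound one repeats XFRM_POLICY_OUT at the end; they should read `LOG_ERRNO(errno, "setsockopt IP_XFRM_POLICY XFRM_POLICY_IN in netlink_poke_ipsec_policy_hole()");` and `LOG_ERRNO(errno, "setsockopt IP_XFRM_POLICY XFRM_POLICY_OUT in netlink_poke_ipsec_policy_hole()");`. Both messages still name process_raw_ifaces() although the code lives in netlink_poke_ipsec_policy_hole(), which is why the function name is corrected in the quoted lines (`__func__` would keep it accurate if LOG_ERRNO accepts a format string, which its argument list suggests but the hunk does not show). addrtypeof(&ifp->addr) is evaluated twice; storing it once in a local (`const int family = addrtypeof(&ifp->addr);`) and using it for both policy.sel.family and the level/option branch keeps the selector family and the socket level from ever diverging. The IPv4 branch now uses SOL_IP while the IPv6 branch keeps IPPROTO_IPV6; one family of constants (IPPROTO_IP/IPPROTO_IPV6) would read more consistently. The function's closing brace is outside the hunk.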
-- 
2.20.1


