[Swan-dev] Re v2 remove pfkey checks from pluto and startup scripts
Antony Antony
antony at phenome.org
Fri May 3 17:58:31 UTC 2019
here are the revised 3 patches for master.
To test it, make sure PF_KEY is really gone from the kernel; the recommendation is to re-compile the
kernel with the following.
[1] in .config it is called CONFIG_NET_KEY
│ Location: │
│ -> Networking support (NET [=y]) │
│ -> Networking options
| -> PF_KEY sockets [=n]
check .config for
# CONFIG_NET_KEY is not set
-antony
-------------- next part --------------
>From 01bbd1695d8535dd0de0efc6117e42337b156351 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Thu, 2 May 2019 15:15:26 +0000
Subject: [PATCH 1/3] pluto: xfrm don not check for /proc/net/pfkey
instead check /proc/net/xfrm_stat, from Paul's patch.
since b248daa35 and related commits pluto should not need
/proc/net/pfkey
---
programs/pluto/kernel.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index a94874b22..b263009dc 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -2659,9 +2659,8 @@ void init_kernel(void)
switch (kern_interface) {
#if defined(NETKEY_SUPPORT)
case USE_NETKEY:
- if (stat("/proc/net/pfkey", &buf) != 0) {
- libreswan_log(
- "No XFRM/NETKEY kernel interface detected");
+ if (stat("/proc/net/xfrm_stat", &buf) != 0) {
+ libreswan_log("No XFRM kernel interface detected");
exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
}
libreswan_log(
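Review bot: The replacement probe on the `stat("/proc/net/xfrm_stat", &buf)` line keys the "is XFRM available" decision on a proc file that, as far as I recall from net/xfrm/xfrm_proc.c, is only created when CONFIG_XFRM_STATISTICS is enabled, so a kernel with XFRM but without that option would make pluto exit with PLUTO_EXIT_KERNEL_FAIL although the interface works; please confirm against the kernels you target. A probe that does not depend on an optional proc entry is to open the XFRM netlink socket, `if (socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM) < 0)` (closing the fd on success), which should fail with EPROTONOSUPPORT when XFRM/xfrm_user is absent. Whichever check stays, the log line should name what was tested, e.g. `libreswan_log("No XFRM kernel interface detected (/proc/net/xfrm_stat missing)");`, so an operator can tell a missing kernel option from a missing interface. init_kernel continues outside the hunk.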
--
2.20.1
-------------- next part --------------
>From e8b3dc7599458f8eccf5ce90afd78ac1ce8d0c9c Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Fri, 3 May 2019 13:34:28 +0000
Subject: [PATCH 2/3] pluto: kernel_netlink.c remove unnecessary include
pfekey2.h
Jacob Two-Two was in action: pfkeyv2.h was included twice.
---
programs/pluto/kernel_netlink.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index 0bba1b5d6..a902ea68f 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -40,7 +40,6 @@
#include <sys/types.h>
#include <sys/ioctl.h>
#include <stdint.h>
-#include <linux/pfkeyv2.h>
#include <linux/ethtool.h>
#include <linux/sockios.h>
#include <unistd.h>
@@ -60,9 +59,6 @@
# include "linux/xfrm.h" /* local (if configured) or system copy */
#endif
-#include "libreswan/pfkeyv2.h"
-#include "libreswan/pfkey.h"
-
#include "sysdep.h"
#include "socketwrapper.h"
#include "constants.h"
--
2.20.1
-------------- next part --------------
>From 4fa06aecebfaac4408464b006f1e1276eee3833d Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Fri, 3 May 2019 16:12:58 +0000
Subject: [PATCH 3/3] pluto: xfrm replace pf_key options with xfrrm when poking
policy holes
setsockopt used the PF_KEY option IP_IPSEC_POLICY; replace it with the
corresponding xfrm option, IP_XFRM_POLICY.
---
programs/pluto/kernel_netlink.c | 33 ++++++++++++++-------------------
1 file changed, 14 insertions(+), 19 deletions(-)
diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index a902ea68f..21c7f765b 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -2808,37 +2808,32 @@ static err_t netlink_migrate_sa_check(void)
static bool netlink_poke_ipsec_policy_hole(struct raw_iface *ifp, int fd)
{
- struct sadb_x_policy policy;
- int level, opt;
+ int opt, sol;
+ struct xfrm_userpolicy_info policy;
zero(&policy);
- policy.sadb_x_policy_len = sizeof(policy) /
- IPSEC_PFKEYv2_ALIGN;
- policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
- policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
- policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
- policy.sadb_x_policy_id = 0;
+ policy.action = XFRM_POLICY_ALLOW;
+ policy.sel.family = addrtypeof(&ifp->addr);
if (addrtypeof(&ifp->addr) == AF_INET6) {
- level = IPPROTO_IPV6;
- opt = IPV6_IPSEC_POLICY;
+ sol = IPPROTO_IPV6;
+ opt = IPV6_XFRM_POLICY;
} else {
- level = IPPROTO_IP;
- opt = IP_IPSEC_POLICY;
+ sol = SOL_IP;
+ opt = IP_XFRM_POLICY;
}
- if (setsockopt(fd, level, opt,
- &policy, sizeof(policy)) < 0) {
- LOG_ERRNO(errno, "setsockopt IPSEC_POLICY in process_raw_ifaces()");
+ policy.dir = XFRM_POLICY_IN;
+ if (setsockopt(fd, sol, opt, &policy, sizeof(policy)) < 0) {
+ LOG_ERRNO(errno, "setsockopt IP_XFRM_POLICY XFRM_POLICY_IN in process_raw_ifaces();");
close(fd);
return false;
}
- policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+ policy.dir = XFRM_POLICY_OUT;
- if (setsockopt(fd, level, opt,
- &policy, sizeof(policy)) < 0) {
- LOG_ERRNO(errno, "setsockopt IPSEC_POLICY in process_raw_ifaces()");
+ if (setsockopt(fd, sol, opt, &policy, sizeof(policy)) < 0) {
+ LOG_ERRNO(errno, "setsockopt IP_XFRM_POLICY XFRM_POLICY_OUT in process_raw_ifaces() XFRM_POLICY_OUT");
close(fd);
return false;
}
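Review bot: The two new LOG_ERRNO strings misreport the failure: the XFRM_POLICY_IN message carries a stray `;` inside the text, the XFRM_POLICY_OUT message names `XFRM_POLICY_OUT` twice, both attribute the call to `process_raw_ifaces()` although it sits in netlink_poke_ipsec_policy_hole(), and both say `IP_XFRM_POLICY` even on the IPv6 branch where `IPV6_XFRM_POLICY` is what was set. Computing the family once, `int family = addrtypeof(&ifp->addr);`, removes the duplicated call that feeds `policy.sel.family` and the branch, and the branch can then choose the name for the log alongside `opt`, e.g. `const char *optname = (family == AF_INET6) ? "IPV6_XFRM_POLICY" : "IP_XFRM_POLICY";` with `LOG_ERRNO(errno, "setsockopt %s XFRM_POLICY_IN failed in netlink_poke_ipsec_policy_hole()", optname);` (assuming LOG_ERRNO takes printf-style arguments, which I cannot see here). Since this hunk removes the last `struct sadb_x_policy` user in the file, it should be ordered before patch 2's removal of the pfkeyv2 headers so that each commit builds on its own, unless those types arrive transitively through a remaining header. The rest of the function is outside the hunk.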
--
2.20.1