[Swan-dev] expirimental : ipsec device/interface aka XFRMi
Paul Wouters
paul at nohats.ca
Wed Jan 22 20:08:45 UTC 2020
On Wed, 22 Jan 2020, Antony Antony wrote:
>> I still believe yes/no is not appropriate here. As for using numbers or
>> %unique, we already have that being used for the mark keyword(s) in the
>> parser. So that functionality is already there.
>
> I disagree. I think no|yes|<n> is cleaner for this kind of option.
> Hence I choose the new convention.
As no other people are weighing in, I'll stop objecting provided the
parser crashers are resolved.
>> https://lists.libreswan.org/pipermail/swan-dev/2020-January/003540.html
>
>> I just checked and the code has not changed. I will try later today or
>> tomorrow to confirm the patch is still needed but it seems very likely.
>>
> thanks for digging out the patch.
> as far as I see the code changed. next hop and route issues you mentioned
> are resolved.
>
> Please test with latest code and let me know. It is better to investigate
> before the merge.
I grabbed the latest code.
It still has this issue on machines with newer kernel but older glibc
(and thus older kernel-haeders):
-c /root/rpmbuild/BUILD/libreswan-3.28rc1494_g7c7a490_xfrmi/programs/pluto/xfrm_interface.c
/root/rpmbuild/BUILD/libreswan-3.28rc1494_g7c7a490_xfrmi/programs/pluto/xfrm_interface.c: In function 'link_add_nl_msg':
/root/rpmbuild/BUILD/libreswan-3.28rc1494_g7c7a490_xfrmi/programs/pluto/xfrm_interface.c:176:30: error: 'IFLA_XFRM_IF_ID' undeclared (first use in this function)
nl_addattr32(&req->n, 1024, IFLA_XFRM_IF_ID, if_id);
^
/root/rpmbuild/BUILD/libreswan-3.28rc1494_g7c7a490_xfrmi/programs/pluto/
My fix was:
diff --git a/include/libreswan.h b/include/libreswan.h
index c3bab15..b134435 100644
--- a/include/libreswan.h
+++ b/include/libreswan.h
@@ -18,6 +18,9 @@
#ifndef _LIBRESWAN_H
#define _LIBRESWAN_H /* seen it, no need to see it again */
+#define IFLA_XFRM_IF_ID 2
+#define IFLA_XFRM_LINK 1
+
#include "err.h"
#include <stdbool.h>
It should probably do an ifndef check first. And possibly do this not in
libreswan.h but in kernel_netlink.h.
Otherwise, the branch compiled and ran, and no longer needs my patch.
Traffic flows from/to the VPN client properly.
Paul
More information about the Swan-dev
mailing list