[Swan-dev] expirimental : ipsec device/interface aka XFRMi
paul at nohats.ca
Wed Jan 22 21:32:42 UTC 2020
On Wed, 22 Jan 2020, Antony Antony wrote:
>> As no other people are weighing in, I'll stop objecting provided the
>> parser crashers are resolved.
> thanks! lets give the new idea a shot.
That's not how API's really work. Once we have it, we cannot change it anymore :(
That is why I was trying to resolve this situation before release.
> The crasher is gone since this afternoon. another xauth error appeared.
I have seen this. It seems to be a race condition sometimes.
> Is it from glibc?
> As far as I see it is in kernel-headers-5.4.7-100.fc30.x86_64 If the kernel
> and headers match IFLA_XFRM_IF_ID will be defined.
> grep IFLA_XFRM_IF_ID /usr/include/linux/if_link.h IFLA_XFRM_IF_ID,
> dnf provides /usr/include/linux/if_link.h
Sure, if you want to wait for RHEL9 that will be useful. But if you want
to run a newer kernel, you cannot just install a newer kernel-headers file
because the glibc installed is compiled against the old kernel-headers. so
then you also need to recompile glibc. So then no one can install just a
new kernel, like from the elrepo repository, and compile libreswan.
Since we are only adding a value, it is safe to define it ourselves.
> you can't ifndef check, it is an enum. which means you would need something
Oh right. That's why I hadnt done it in the past. thanks for reminding me.
> which we are resisting so far?
Yes we cannot do that without cross compile complications.
We could add a USE_XFRM_HEADER_XFRMI?=false that people can set to true?
> One concern is if we add a local defination for this enum and compile on
> CentOS7, at run time on old kernel dragons way be woken up:) Try compiling
> with enum defination and run it on CentOS/RHEL 7 or old Fedora.
Well, that should give something like NOTIMP ? :P
I'm okay with a manual flag to add. That way we can put the compile
error in the FAQ with the workaround.
More information about the Swan-dev