[Swan-dev] better name for {left,right}ifaceip?

Paul Wouters paul at nohats.ca
Wed Jan 29 09:06:44 UTC 2020


On Wed, 29 Jan 2020, Antony Antony wrote:

> summary s/iface-ip/interface-ip/
> Disable the keyword until the functionality is added.
> syntax interface-ip=1.2.3.3/24

does that mean it would no longer be left/right? Or do you mean it will
become leftinterface-ip= and rightinterface-ip= ?

> Antony foresees a new type ttipcider(), as there are objections to reusing
> subnet(). We will see when we add the code. If the subnet is left alone
> without port and protocol it can be used for ttipcider().
>
> Additionally:
> suggests leaving subnet without ports and protocol, and creating
> traffic_selector() for parsing the keyword subnet from our config.

Seems reasonable. Although for now I am also okay with using ip_subnet
as was done for the vti case.

Paul

> On Mon, Jan 27, 2020 at 02:56:02PM -0500, Andrew Cagney wrote:
>> On Mon, 27 Jan 2020 at 11:39, Antony Antony <antony at phenome.org> wrote:
>>>
>>> first quick answer to Hugh's follow up questions.
>>>
>>> On Mon, Jan 27, 2020 at 10:58:45AM -0500, D. Hugh Redelmeier wrote:
>>>> Has iface-ip been advertised?
>>>
>>> no. code is incomplete. We can change at this point. I would be happy to.
>>> Though Paul may have signoff. My recollection is, he wants something similar to
>>> leftvti=10.0.1.254/24 for ipsec-interface/xfrmi, so when we kill VTI this
>>> new IP address can take leftvti's function. I argued it is also useful for
>>> the non-ipsec-interface case.
>>
>> Perhaps the keyword should be disabled for now.
>>
>>>> Andrew's points all seem valid too.  But I haven't thought deeply about
>>>> this.
>>>
>>> Their request was to add something like the VTI use case.  We need an IP
>>> address/mask (not the same as subnet: no port, and the broadcast and network
>>> addresses should be invalid).
>>>
>>> sourceip != iface-ip. Sourceip is only allowed with /32 or /128 prefix
>>> length.  With source ip there will be a route with that IP address as the
>>> source, for source address selection based on route.
>>
>> Right.  The limitation seems to be largely historic.
>>
>> If there's an option, perhaps called sourceip=, perhaps called
>> something else that accepts any of (subnet, endpoint, address, see
>> below, ...) does iface-ip and/or vti become redundant?
>
> leftvti=192.0.1.254/24 will conflict with interface-ip=192.0.1.254
>
> vti has its own lifecycle. Last I heard was, remove VTI completely, soon, as
> soon as 3.31?
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
>
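The thread distinguishes three shapes of "address with prefix" in the config: a subnet (a block, possibly with port and protocol), sourceip= (a single host, /32 or /128 only), and the proposed interface-ip= (a host address plus its on-link mask, where the network and broadcast addresses must be rejected), plus the note that leftvti= and leftinterface-ip= on the same end conflict. The following is an added example written for this page, not libreswan code and not code from anyone in the thread: it models those rules with Python's ipaddress module. The function names, the dictionary-shaped conn, and the choice to also reject the last address of an IPv6 block (carrying the IPv4 "broadcast" wording over to IPv6) are assumptions made here for illustration.

```python
"""Model of interface-ip= vs sourceip= validation as discussed on swan-dev.

Added example, not libreswan code. Function names, the conn dictionary
layout and the IPv6 "last address" rule are assumptions for illustration.
"""
import ipaddress
from typing import Callable, Dict, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPIface = Union[ipaddress.IPv4Interface, ipaddress.IPv6Interface]


class ConfigError(ValueError):
    """Raised for a keyword value that violates the modelled rule."""


def parse_interface_ip(value: str) -> IPIface:
    """interface-ip=ADDR/PREFIX: a host address plus its on-link mask.

    This is not a subnet: the prefix length is mandatory, no port or
    protocol is accepted (ip_interface rejects them), and ADDR must be a
    usable host inside ADDR/PREFIX, so the network address and the
    broadcast (last) address of the block are rejected. A /32 or /128 is
    therefore rejected too, since the address is then its own network.
    """
    if "/" not in value:
        raise ConfigError(f"interface-ip={value}: prefix length is required")
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError as exc:
        raise ConfigError(f"interface-ip={value}: {exc}") from exc
    net = iface.network
    if iface.ip == net.network_address:
        raise ConfigError(f"interface-ip={value}: {iface.ip} is the network address of {net}")
    # Assumption: the IPv4 broadcast rule is applied to the last IPv6 address as well.
    if iface.ip == net.broadcast_address:
        raise ConfigError(f"interface-ip={value}: {iface.ip} is the broadcast address of {net}")
    return iface


def parse_sourceip(value: str) -> IPAddr:
    """sourceip=ADDR[/32|/128]: one host address for route-based source
    address selection; any shorter prefix is rejected."""
    try:
        iface = ipaddress.ip_interface(value)  # a bare address becomes /32 or /128
    except ValueError as exc:
        raise ConfigError(f"sourceip={value}: {exc}") from exc
    if iface.network.prefixlen != iface.ip.max_prefixlen:
        raise ConfigError(f"sourceip={value}: only /{iface.ip.max_prefixlen} is allowed")
    return iface.ip


def check_end(conn: Dict[str, str], side: str) -> Dict[str, object]:
    """Validate one end ('left' or 'right') of a constructed conn dictionary.

    leftvti= and leftinterface-ip= on the same end are treated as a conflict,
    as noted in the thread; leftvti= itself uses the same ADDR/PREFIX shape.
    """
    out: Dict[str, object] = {}
    vti = conn.get(f"{side}vti")
    iip = conn.get(f"{side}interface-ip")
    if vti is not None and iip is not None:
        raise ConfigError(f"{side}vti= and {side}interface-ip= conflict on the same end")
    if iip is not None:
        out["interface-ip"] = parse_interface_ip(iip)
    if vti is not None:
        out["vti"] = parse_interface_ip(vti)
    sip = conn.get(f"{side}sourceip")
    if sip is not None:
        out["sourceip"] = parse_sourceip(sip)
    return out


def validation_error(fn: Callable[[object], object], value: object) -> Optional[str]:
    """Return the ConfigError message for value, or None when it is accepted."""
    try:
        fn(value)
    except ConfigError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for v in ("1.2.3.3/24", "192.0.1.0/24", "192.0.1.255/24", "192.0.1.254",
              "2001:db8::1/64", "2001:db8::/64"):
        print(f"interface-ip={v}: {validation_error(parse_interface_ip, v) or 'ok'}")
    for v in ("10.0.1.254", "10.0.1.254/32", "10.0.1.254/24"):
        print(f"sourceip={v}: {validation_error(parse_sourceip, v) or 'ok'}")
    conn = {"leftvti": "192.0.1.254/24", "leftinterface-ip": "192.0.1.254/24"}
    print(validation_error(lambda c: check_end(c, "left"), conn))
```

The point of keeping the three parsers separate rather than funnelling everything through a subnet parser is exactly the one raised in the thread: a subnet parser happily accepts 192.0.1.0/24, which is a valid block but not a valid interface address, and a sourceip parser that accepts /24 would silently change the meaning of an existing keyword.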
