[Swan-dev] experimental: ipsec device/interface aka XFRMi

Antony Antony antony at phenome.org
Thu Jan 30 09:54:23 UTC 2020

Here is my proposed patch to compile xfrmi on CentOS8.
Any adjustments?


On Fri, Jan 24, 2020 at 07:29:13AM -0500, Paul Wouters wrote:
> On Thu, 23 Jan 2020, Antony Antony wrote:

> > 
> > Tested outputs welcome than guessing!
> 036 ipsec-interface=1 not supported. may be missing CONFIG_XFRM_INTERFACE support in kernel
> Note that it is using a whack error code in the wrong range. And "may
> be" should be "maybe".
> > > I'm okay with a manual flag to add. That way we can put the compile
> > > error in the FAQ with the workaround.
> > 
> > I would add only after a clear testing -ve cases. What happens when running
> > pluto which is compiled with USE_XFRM_HEADER_XFRMI=yes on older kernel? I
> > want to see the output.
> See above. Note that we already default to using a copy of the xfrm.h by
> default via USE_XFRM_HEADER_COPY?=true
> Because we know we are often on newer kernels than the installed
> combination of xfrm.h/kernel-headers/glibc and we know XFRM people
> only add to the API and not modify the API. So using an updated
> header file works fine.

This is not in xfrm.h; this is from linux/if_link.h. It is not a good idea to
keep a full copy of if_link.h. if_link.h may drag in more if_*.h
dependencies, and there are a lot of them.

ls -lt /usr/include/linux/if_*.h |wc -l

> > Say test with standard CentOS8 and CentOS7 kernel.
> > So, lets add it after few tests.
> I tested using kernel-2.6.32-696.16.1.el6.x86_64 on centos6

thanks for testing. I added it to the commit message.
It would be nice to test on CentOS8/7 too. I think those two are the most
important; 2.6.32-696 gives a bottom line.

Here is my proposed patch to be able to compile xfrmi on CentOS8. Just create an
optional .h file just for this enum.

From ad3db344bc1916dbca286e89f6a1cffeb34c6d53 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Wed, 29 Jan 2020 14:31:20 +0000
Subject: [PATCH] pluto: add extra enum for xfrmi interface to compile on
 CentOS 6,7,8

Add enum to compile xfrmi interface on older distribution.

to compile

Compile error:
/root/rpmbuild/BUILD/libreswan-3.28rc1494_g7c7a490_xfrmi/programs/pluto/xfrm_interface.c:176:30: error:
'IFLA_XFRM_IF_ID' undeclared (first use in this function)
  nl_addattr32(&req->n, 1024, IFLA_XFRM_IF_ID, if_id);

Once it is compiled, to run you need a kernel with xfrmi support, 4.19.
If the kernel does not support xfrmi, e.g. on kernel-2.6.32-696.16.1.el6.x86_64 on centos6:
036 ipsec-interface=1 not supported. may be missing CONFIG_XFRM_INTERFACE support in kernel
Tested by Paul

diff --git a/mk/config.mk b/mk/config.mk
index 26c819ac20..ac430473fa 100644
--- a/mk/config.mk
+++ b/mk/config.mk
@@ -264,6 +264,8 @@ endif
 # Some systems have a bogus combination of glibc and kernel-headers which
 # causes a conflict in the IPv6 defines. Try enabling this option as a workaround
 # when you see errors related to 'struct in6_addr'
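Review bot: the two added lines this hunk header announces (`@@ -264,6 +264,8 @@`) are not in the mail; only the three context lines survive, so the `USE_XFRM_INTERFACE` knob that the Makefile hunk below tests cannot be reviewed here. Please resend with the added lines, and give the option an explicit default in the `?=` style the file already uses for `USE_XFRM_HEADER_COPY?=true`, with a comment saying when to turn it on, since the surrounding block documents the other header workaround that way.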

diff --git a/programs/pluto/Makefile b/programs/pluto/Makefile
index 011492dc95..a09be32f26 100644
--- a/programs/pluto/Makefile
+++ b/programs/pluto/Makefile
@@ -67,6 +67,12 @@ ifeq ($(USE_XFRM_HEADER_COPY),true)
 CFLAGS+=-I ${LIBRESWANSRCDIR}/programs/pluto/linux-copy
+ifeq ($(USE_XFRM_INTERFACE), true)
+CFLAGS+=-I ${LIBRESWANSRCDIR}/programs/pluto/linux-extra-if-link -DUSE_XFRM_INTERFACE_IFLA_HEADER
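Review bot: `+ifeq ($(USE_XFRM_INTERFACE), true)` opens a conditional whose `endif` is not in the mail (the header promises six added lines, two are shown), and it follows the `CFLAGS+=-I ${LIBRESWANSRCDIR}/programs/pluto/linux-copy` line directly, so as shown it is nested inside the `ifeq ($(USE_XFRM_HEADER_COPY),true)` block and the extra include path is only added when the xfrm.h copy is also enabled; a build with USE_XFRM_HEADER_COPY=false would then fail to resolve the `#include "if_link_extra.h"` that the kernel_xfrm_interface.h hunk adds unconditionally. Move the new block out of the header-copy conditional, or make the include depend on the same condition. Also, `-DUSE_XFRM_INTERFACE_IFLA_HEADER` is defined here but nothing in the visible hunks tests it; either guard the include with it or drop it. Minor: the thread calls the option USE_XFRM_HEADER_XFRMI while the patch uses USE_XFRM_INTERFACE; pick one name and mention it in the commit message.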

diff --git a/programs/pluto/kernel_xfrm_interface.h b/programs/pluto/kernel_xfrm_interface.h
index d918190c33..381fa345d6 100644
--- a/programs/pluto/kernel_xfrm_interface.h
+++ b/programs/pluto/kernel_xfrm_interface.h
@@ -1,4 +1,7 @@
 #include <linux/if_link.h>
+# include "if_link_extra.h"
 #include "linux/xfrm.h"
 #include "err.h"
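Review bot: `+# include "if_link_extra.h"` is unconditional, so on a system whose <linux/if_link.h> already declares IFLA_XFRM_LINK and IFLA_XFRM_IF_ID (the same 4.19-and-later kernels whose headers ship with distributions where xfrmi actually runs) the compiler sees the enumerators declared twice and rejects the translation unit; the patch only builds where the system header is old. Guard the include with the macro the Makefile hunk already passes, `#ifdef USE_XFRM_INTERFACE_IFLA_HEADER` / `#include "if_link_extra.h"` / `#endif`, so the compat header is pulled in only when the build was told the system header lacks the enum. Style: `# include` has a stray space unlike the neighbouring `#include` lines.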
diff --git a/programs/pluto/linux-extra-if-link/if_link_extra.h b/programs/pluto/linux-extra-if-link/if_link_extra.h
new file mode 100644
index 0000000000..03271df6e0
--- /dev/null
+++ b/programs/pluto/linux-extra-if-link/if_link_extra.h
@@ -0,0 +1,11 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note
+ * this is from linux/if_link.h commit f203b76d7
+ */
+/* XFRM section */
+enum {
+        IFLA_XFRM_LINK,
+        IFLA_XFRM_IF_ID,
+        __IFLA_XFRM_MAX
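Review bot: the copied enum drops its first member. In linux/if_link.h the XFRM section starts with IFLA_XFRM_UNSPEC (netlink attribute enums reserve value 0 for the *_UNSPEC entry), so here IFLA_XFRM_LINK evaluates to 0 and IFLA_XFRM_IF_ID to 1 instead of 1 and 2; the `nl_addattr32(&req->n, 1024, IFLA_XFRM_IF_ID, if_id)` call quoted in the commit message would then send the if_id under the attribute type the kernel reads as IFLA_XFRM_LINK, on every kernel, not just old ones. Compare against the referenced commit f203b76d7 and copy the enum verbatim, including IFLA_XFRM_UNSPEC and the closing `};`, which the mail does not show (the header says 11 lines, 8 are present). An include guard on the new file would also not hurt, since kernel_xfrm_interface.h includes it next to <linux/if_link.h>.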

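The thread separates two requirements that are easy to conflate: compiling pluto with xfrmi needs the IFLA_XFRM_IF_ID enumerator in the kernel headers (hence the compat header), while running it needs a kernel built with CONFIG_XFRM_INTERFACE (hence the "036 ipsec-interface=1 not supported" error). The following probe script is an added example, not part of the patch or of the libreswan tree; it checks both conditions with plain grep so it works without a compiler. The header directory, the kernel config path and the exact grep heuristics are assumptions, and the functions take paths as arguments so they can be pointed at a chroot or a test directory.

```shell
#!/bin/sh
# Added example; not part of the libreswan patch or this thread.
# Two probes for the two separate requirements discussed above:
#   build time: does linux/if_link.h declare IFLA_XFRM_IF_ID? If not, a
#               compat header such as if_link_extra.h is needed.
#   run time:   was the kernel built with CONFIG_XFRM_INTERFACE? If not,
#               pluto reports "ipsec-interface=1 not supported".

# header_has_xfrm_if_id INCLUDEDIR
#   Returns 0 if INCLUDEDIR/linux/if_link.h names the IFLA_XFRM_IF_ID
#   enumerator, 1 if the header is missing or predates xfrm interfaces.
#   The pattern only accepts a whole identifier at the start of a line,
#   as the enumerator appears inside the enum body.
header_has_xfrm_if_id() {
    hdr="$1/linux/if_link.h"
    [ -r "$hdr" ] || return 1
    grep -Eq '^[[:space:]]*IFLA_XFRM_IF_ID([^A-Za-z0-9_]|$)' "$hdr"
}

# kernel_config_has_xfrm_interface CONFIGFILE
#   Returns 0 if CONFIGFILE has CONFIG_XFRM_INTERFACE=y or =m (built in or
#   as a module), 1 otherwise. A .gz file (as /proc/config.gz is) is
#   decompressed on the fly.
kernel_config_has_xfrm_interface() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    case "$cfg" in
        *.gz) gzip -dc "$cfg" | grep -q '^CONFIG_XFRM_INTERFACE=[ym]$' ;;
        *)    grep -q '^CONFIG_XFRM_INTERFACE=[ym]$' "$cfg" ;;
    esac
}

# xfrmi_status INCLUDEDIR CONFIGFILE
#   Prints one line per probe and returns 0 only when both pass, so the
#   script can be used both as a report and as a make/CI precondition.
xfrmi_status() {
    rc=0
    if header_has_xfrm_if_id "$1"; then
        echo "headers: IFLA_XFRM_IF_ID present, no compat header needed"
    else
        echo "headers: IFLA_XFRM_IF_ID missing, build needs an if_link_extra.h shim"
        rc=1
    fi
    if kernel_config_has_xfrm_interface "$2"; then
        echo "kernel:  CONFIG_XFRM_INTERFACE enabled"
    else
        echo "kernel:  CONFIG_XFRM_INTERFACE not enabled, ipsec-interface= will be rejected"
        rc=1
    fi
    return $rc
}

# Stand-alone run against the host. Both paths are assumptions about where
# a typical distribution keeps its headers and kernel config; a failing
# probe is reported, not treated as a script error.
xfrmi_status /usr/include "/boot/config-$(uname -r)" || true
```

On a CentOS 6 box with the kernel Paul tested, the second probe is the one that fails, which matches the whack error quoted in the commit message; on a box with old headers but a backported kernel, only the first fails, which is exactly the case the compat header is meant to cover.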