[Swan-dev] what is INTERFACE_IP / ifaceip / interface-ip= for?
Antony Antony
antony at phenome.org
Mon Jan 4 16:06:33 UTC 2021
On Sun, Jan 03, 2021 at 11:54:30AM -0500, Paul Wouters wrote:
> On Sun, 3 Jan 2021, Andrew Cagney wrote:
>
> > Subject: [Swan-dev] what is INTERFACE_IP / ifaceip / interface-ip= for?
>
> > I suspect it has something to do with XFRMI. As best I can, in the
> > current code, it is simply being passed to up-down scripts as
> > INTERFACE_IP=...?
Yes, the idea was to add that IP address/prefix to the xfrm interface.
The unfinished feature is inherited from the VTI model (possibly a hack?). In VTI
the IP address was added in the updown script. In xfrmi, I would like to add the
IP from pluto using netlink calls (C functions) instead of calling the external
command "ip". This way pluto can ref-count how many connections share an
interface or IP address. In the VTI model two connections with the same
interface-ip address could be an issue. Bringing up two connections
could work; we need a bit of shell script to ignore the "address exists" error
from "ip".
However, when one connection goes down, the shell script would delete the IP
address. Then the remaining connection would lose the IP address.
In xauth, or IKEv2 CP, when deleting the source address we use a shell script
trick -- check if the IP address is in use by another route. This trick
won't work for the VTI/XFRMi IP address.
Another detail: even if pluto is adding the IP address, there was a request
to pass it to the updown script for advanced routing use cases.
Maybe rethink whether this feature is still relevant?
Maybe the users are using systemd or other scripts to configure the interface
IP?
> Yes. It is the value of interface-ip= passed to updown. It can be used
> to configure an IP address. It should really do this action in the
> default updown script when passed.
I advise against using the updown script for adding the IP address! I think
adding from pluto is better. Also, now that KLIPS is gone, it would be easier
from pluto.
> The name interface-ip= was chosen after a long discussion. We wanted to
> make it implementation agnostic (so not call it anything xfrm) and it
> couldn't clash with the existing VTI code that uses VTI_IP.
>
> I think the code that uses VTI_IP in updown should also check for
> INTERFACE_IP and documentation should be added to _updown.xfrm.in about
> these options.
>
> > While the name ifaceip leads me to think it's got something to do with
> > the host interfaces, I suspect it is connected to the XFRMI client
> > interface IP (if this is true I'll rename the field to
> > client_interface_ip)?
>
> Please do not rename it. Especially not anything "client" as our pluto
> code uses "client" to refer to left/rightsubnets and non-developers
> think of client-interface-ip as something at the remote vpn clients.
>
> Paul
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
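The failure mode Antony describes above (two connections sharing one interface-ip, the updown script deleting the address when the first goes down, and the remaining connection losing it) can be shown with a small model. This is an added example, not libreswan or pluto code: it simulates the VTI-style updown behaviour beside the ref-counted approach proposed for pluto. The interface name ipsec1, the address 10.0.1.1/32 and the connection names A and B are constructed for illustration; the netlink calls pluto would make (RTM_NEWADDR/RTM_DELADDR) are only noted in comments, not performed.

```python
# Added example (not libreswan/pluto code): model the interface-ip lifecycle
# for two connections that share one xfrm interface and the same address.
# Interface name, address and connection names are constructed.
from collections import Counter

IFACE = "ipsec1"              # constructed xfrm interface name
SHARED_ADDR = "10.0.1.1/32"   # constructed interface-ip= value used by both conns


class UpdownHost:
    """VTI model: the updown script runs `ip addr add` on up and
    `ip addr del` on down, knowing nothing about other connections."""

    def __init__(self):
        self.addrs = set()

    def up(self, conn, iface, addr):
        # The second `ip addr add` would fail with 'File exists'; the script
        # has to ignore that error to bring up both connections.
        self.addrs.add((iface, addr))

    def down(self, conn, iface, addr):
        # Unconditional `ip addr del`: the other connection loses the address.
        self.addrs.discard((iface, addr))

    def has(self, iface, addr):
        return (iface, addr) in self.addrs


class RefCountedHost:
    """Proposed model: the daemon tracks how many connections use each
    (interface, address) pair and removes the address only at count zero."""

    def __init__(self):
        self.refs = Counter()
        self.owners = {}  # (iface, addr) -> set of connection names

    def up(self, conn, iface, addr):
        key = (iface, addr)
        if conn in self.owners.get(key, set()):
            return  # same connection again (e.g. restart): no double count
        # At count zero pluto would add the address via netlink (RTM_NEWADDR).
        self.refs[key] += 1
        self.owners.setdefault(key, set()).add(conn)

    def down(self, conn, iface, addr):
        key = (iface, addr)
        if conn not in self.owners.get(key, set()):
            return  # never counted for this connection; nothing to release
        self.owners[key].discard(conn)
        self.refs[key] -= 1
        if self.refs[key] == 0:
            # Last user gone: pluto would now send RTM_DELADDR.
            del self.refs[key]
            del self.owners[key]

    def has(self, iface, addr):
        return self.refs.get((iface, addr), 0) > 0


def run_scenario(host):
    """Bring up A and B on the same interface/address, take A down, and
    report (address still present for B, address gone after B is down)."""
    host.up("A", IFACE, SHARED_ADDR)
    host.up("B", IFACE, SHARED_ADDR)
    host.down("A", IFACE, SHARED_ADDR)
    survives_for_b = host.has(IFACE, SHARED_ADDR)
    host.down("B", IFACE, SHARED_ADDR)
    gone_at_end = not host.has(IFACE, SHARED_ADDR)
    return survives_for_b, gone_at_end


if __name__ == "__main__":
    print("updown script model:", run_scenario(UpdownHost()))
    print("ref-counted model:  ", run_scenario(RefCountedHost()))
```

In the updown model the address disappears as soon as A goes down even though B still needs it; in the ref-counted model it stays until B goes down too, and a repeated up for the same connection does not inflate the count, so a single down still releases it.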