[Swan-dev] what is INTERFACE_IP / ifaceip / interface-ip= for?

Andrew Cagney andrew.cagney at gmail.com
Wed Jan 6 14:33:12 UTC 2021


On Mon, 4 Jan 2021 at 11:06, Antony Antony <antony at phenome.org> wrote:
>
> On Sun, Jan 03, 2021 at 11:54:30AM -0500, Paul Wouters wrote:
> > On Sun, 3 Jan 2021, Andrew Cagney wrote:
> >
> > > Subject: [Swan-dev] what is INTERFACE_IP / ifaceip / interface-ip= for?
> >
> > > I suspect it has something to do with XFRMI.  As best I can, in the
> > > current code, it is simply being passed to up-down scripts as
> > > INTERFACE_IP=...?
>
> Yes, the idea was to add that IP address/prefix to the xfrm interface.
> The unfinished feature is inherited from the VTI model (possibly a hack?). In VTI
> the IP address was added in the updown script. In xfrmi, I would like to add the
> IP from pluto using netlink calls, C functions, instead of calling the external
> command "ip". This way pluto can ref count how many connections share an
> interface or IP address. In the VTI model two connections with the same
> interface-ip address could be an issue. Bringing up two connections
> could work; we need a bit of shell script to ignore the error from "ip" that the
> address exists.
> However, when one connection goes down, the shell script would delete the IP
> address. Then the remaining connection would lose the IP address.

So it's an address/mask so the CIDR's host identifier can be non-zero,
viz. ::1/127.

What restrictions are there on the address?  The parser accepts:
   ::/0 ::/1 ::/2 ...
but then later, INTERFACE_IP is only exported when the address isn't
::/0.  If ::/0 isn't allowed then it should probably be rejected when
parsing the config file.

I'm guessing vti ip is the same.
>
> In xauth, or ikev2 cp, when deleting sourceaddress we use a shell script
> trick -- check if the ip address is in use by another route. This trick
> won't work for VTI/XFRMi ip address.
>
> Another detail: even if pluto is adding the ip address there was a request
> to pass it to the updown script for advanced routing use cases.
>
> Maybe rethink: is this feature still relevant?
> Maybe the users are using systemd or other scripts to configure the interface
> IP?
>
> > Yes. It is the value of interface-ip= passed to updown. It can be used
> > to configure an IP address. It should really do this action in the
> > default updown script when passed.
>
> I advise against using the updown script for adding the IP address! I think
> adding from pluto is better. Also, now that KLIPS is gone, it would be easier
> from pluto.
>
> > The name interface-ip= was chosen after a long discussion. We wanted to
> > make it implementation agnostic (so not call it anything xfrm) and it
> > couldn't clash with the existing VTI code that uses VTI_IP.
> >
> > I think the code that uses VTI_IP in updown should also check for
> > INTERFACE_IP and documentation should be added to _updown.xfrm.in about
> > these options.
> >
> > > While the name ifaceip leads me to think it's got something to do with
> > > the host interfaces, I suspect it is connected to the XFRMI client
> > > interface IP (if this is true I'll rename the field to
> > > client_interface_ip)?
> >
> > Please do not rename it. Especially not anything "client" as our pluto
> > code uses "client" to refer to left/rightsubnets and non-developers
> > think of client-interface-ip as something at the remote vpn clients.
> >
> > Paul
> > _______________________________________________
> > Swan-dev mailing list
> > Swan-dev at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan-dev
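The parse-time rejection of ::/0 suggested above, written out as an added example that is not libreswan's code; the function names parse_interface_ip and interface_ip_prefix are assumptions, and the check goes a little beyond the thread by also rejecting any all-zero address and a zero prefix length.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parse-time check for an interface-ip=ADDR/PREFIX value
 * (example code, not pluto's parser).  Keeps ::1/127-style values whose
 * host bits are non-zero; rejects at parse time what the INTERFACE_IP
 * export later drops silently (::/0), plus any all-zero address or /0. */
bool parse_interface_ip(const char *value, int *af, int *prefix_len)
{
    char buf[INET6_ADDRSTRLEN + 5];        /* address plus "/128" */
    unsigned char addr[16];
    if (strlen(value) >= sizeof(buf))
        return false;
    strcpy(buf, value);
    char *slash = strchr(buf, '/');
    if (slash == NULL)
        return false;                      /* a prefix length is mandatory */
    *slash = '\0';
    char *end;
    long plen = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || plen < 0)
        return false;
    int family, maxlen;
    if (inet_pton(AF_INET6, buf, addr) == 1) {
        family = AF_INET6; maxlen = 128;
    } else if (inet_pton(AF_INET, buf, addr) == 1) {
        family = AF_INET; maxlen = 32;
    } else {
        return false;                      /* not an IP literal */
    }
    if (plen == 0 || plen > maxlen)
        return false;
    bool unspecified = true;               /* all-zero address, e.g. :: */
    for (int i = 0; i < maxlen / 8; i++)
        if (addr[i] != 0)
            unspecified = false;
    if (unspecified)
        return false;
    *af = family; *prefix_len = (int)plen;
    return true;
}

/* Convenience wrapper: the prefix length on success, -1 when rejected. */
int interface_ip_prefix(const char *value)
{
    int af, plen;
    return parse_interface_ip(value, &af, &plen) ? plen : -1;
}
```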