[Swan-dev] adding nft support
Antony Antony
antony at phenome.org
Wed Jun 8 21:39:20 EEST 2022
Breaking down the task of adding nft support.
On Wed, Jun 08, 2022 at 10:38:16AM -0400, Andrew Cagney wrote:
> this week it is https://github.com/libreswan/libreswan/issues/116
I am in favor of adding nft support along with iptables support. Add a build
variable? Any thoughts on how to add nft support while keeping iptables
support?
There are different uses of iptables. Some are easy to replace with nft. Maybe
we can add nft support slowly, one by one:
1. programs/barf/barf.in : used for diagnostics? This is probably easy to
replace. "nft list" or something.
2. programs/ipsec/ipsec.8.xml : documentation.
3. programs/ipsec/ipsec.in : NFLOG and CAT support. I will see if I can
figure out the exact syntax. nft seems to support NFLOG.
Any nft experts here who would like to help? How to translate the following
rules to nft:
iptables -I INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
iptables -I OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
and of course deleting rules, which I think is one of the biggest differences
between nft and iptables? How do I get the "handle" which is needed to
delete the rule? I usually delete the table and re-create :)
iptables -D INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
iptables -D OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
CAT rules are:
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \
    -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
    -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
    -j DNAT --to-destination ${PLUTO_ME}
iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec \
    -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
    -j DNAT --to-destination ${PLUTO_ME}
iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \
    -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
4. programs/_updown.xfrm/_updown.xfrm.in : it seems similar to the above. I
wonder why we need CAT and NFLOG in two places!
5. programs/look/look.in : seems diagnostics only? I am not sure why it is
adding a mangle table.
6. programs/pluto/plutomain.c : just a comment.
7. programs/verify/verify.in : a runtime check. Maybe this is what is actually
failing in Debian testing/building. I suspect they run "ipsec verify"?