[Swan-dev] adding nft support

Antony Antony antony at phenome.org
Wed Jun 8 21:39:20 EEST 2022


Breaking down task of adding nft support.

On Wed, Jun 08, 2022 at 10:38:16AM -0400, Andrew Cagney wrote:
> this week it is https://github.com/libreswan/libreswan/issues/116

I am in favor of adding nft support along with iptables support. Add a build 
variable? Any thoughts on how to add nft support while keeping iptables 
support?

There are different uses of iptables. Some are easy to replace with nft. Maybe 
we can add nft support slowly, one by one.

1. programs/barf/barf.in : used for diagnostics? This is probably easy to 
replace. nft list or something.

2. programs/ipsec/ipsec.8.xml : documentation
3. programs/ipsec/ipsec.in : NFLOG and CAT support. I will see if I can 
figure out the exact syntax. nft seems to support NFLOG.

Any nft experts here who would like to help? How to translate the following 
rules to nft?

iptables -I INPUT  -m policy --dir in  --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
iptables -I OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec

and of course deleting rules, which I think is one of the biggest differences 
between nft and iptables? How do I get the "handle", which is needed to 
delete the rule? I usually delete the table and re-create :)

iptables -D INPUT  -m policy --dir in  --pol ipsec -j NFLOG --nflog-group  50 --nflog-prefix all-ipsec
iptables -D OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group  50 --nflog-prefix all-ipsec

CAT rules are:

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \
            -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
            -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
	    -j DNAT --to-destination ${PLUTO_ME}

iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec  \
            -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
            -j DNAT --to-destination ${PLUTO_ME}
iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \
	    -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}

4. programs/_updown.xfrm/_updown.xfrm.in : it seems similar to the above. I 
wonder why we need CAT and NFLOG in two places!

5. programs/look/look.in : seems diagnostics only? I'm not sure why it is 
adding the mangle table.

6. programs/pluto/plutomain.c : just a comment
7. programs/verify/verify.in : a runtime check. Maybe this is what is actually 
failing in Debian testing/building. I suspect they run "ipsec verify"?
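One way to answer the two questions in the message above (the nft spelling of the NFLOG and CAT rules, and how to delete rules without hunting for handles). This is an added example, not libreswan code and not from the thread; it assumes a recent nft and kernel with the `meta ipsec` and `ipsec out` (nft_xfrm) matches, which should be verified with `nft -c -f` on the target system. The addresses, the table names `libreswan-log` / `libreswan-cat`, the rule comments and the `nft -a list` sample are constructed placeholders.

```shell
#!/bin/sh
# Added example (not libreswan's code): nft equivalents of the NFLOG and CAT
# iptables rules, kept in dedicated tables so teardown is "delete table".
# NFT=echo turns every call into a dry run that prints "nft -f" syntax.
NFT="${NFT:-nft}"
LOG_TABLE="inet libreswan-log"   # assumed table name
CAT_TABLE="ip libreswan-cat"     # assumed table name; ip family for nat
# Constructed placeholders standing in for pluto's updown environment.
PLUTO_PEER_CLIENT="${PLUTO_PEER_CLIENT:-192.0.2.0/24}"
PLUTO_MY_CLIENT_NET="${PLUTO_MY_CLIENT_NET:-203.0.113.0}"
PLUTO_ME="${PLUTO_ME:-198.51.100.1}"

# NFLOG: iptables -I INPUT/OUTPUT -m policy --pol ipsec -j NFLOG --nflog-group 50
nflog_add() {
    $NFT add table $LOG_TABLE
    $NFT add chain $LOG_TABLE input  "{ type filter hook input priority filter; }"
    $NFT add chain $LOG_TABLE output "{ type filter hook output priority filter; }"
    # --dir in: the packet carries a secpath, i.e. it was decrypted by IPsec.
    $NFT add rule $LOG_TABLE input meta ipsec exists \
        log prefix '"all-ipsec"' group 50 comment '"libreswan-nflog"'
    # --dir out: the route holds an xfrm bundle (assumed nft_xfrm semantics:
    # any "ipsec out" key fails to match when no SA applies, spi is never 0).
    $NFT add rule $LOG_TABLE output ipsec out spi != 0 \
        log prefix '"all-ipsec"' group 50 comment '"libreswan-nflog"'
}

# Teardown without handles: only our own table is removed, unlike flushing.
nflog_del() { $NFT delete table $LOG_TABLE; }

# CAT: the two nat rules (DNAT on prerouting, SNAT on postrouting).
cat_add() {
    $NFT add table $CAT_TABLE
    $NFT add chain $CAT_TABLE prerouting  "{ type nat hook prerouting priority dstnat; }"
    $NFT add chain $CAT_TABLE postrouting "{ type nat hook postrouting priority srcnat; }"
    $NFT add rule $CAT_TABLE prerouting meta ipsec exists \
        ip saddr "$PLUTO_PEER_CLIENT" ip daddr "$PLUTO_MY_CLIENT_NET" \
        dnat to "$PLUTO_ME" comment '"libreswan-cat"'
    $NFT add rule $CAT_TABLE postrouting ipsec out spi != 0 \
        ip daddr "$PLUTO_PEER_CLIENT" \
        snat to "$PLUTO_MY_CLIENT_NET" comment '"libreswan-cat"'
}
cat_del() { $NFT delete table $CAT_TABLE; }

# When a single rule must go, "nft -a list" prints "# handle N" after each
# rule; tag rules with a comment and pull the handle out of that listing.
handles_for_comment() {
    sed -n "s/.*comment \"$1\".*# handle \([0-9][0-9]*\).*/\1/p"
}

# Delete every rule in a chain tagged with the given comment.
# Usage: delete_by_comment "inet libreswan-log" input libreswan-nflog
delete_by_comment() {
    $NFT -a list chain $1 $2 | handles_for_comment "$3" | while read -r h; do
        $NFT delete rule $1 $2 handle "$h"
    done
}

case "${1:-}" in
    up)   nflog_add; cat_add ;;
    down) cat_del; nflog_del ;;
esac
```

Running `NFT=echo sh cat.sh up > cat.nft && nft -c -f cat.nft` checks the syntax against the installed nft without touching the ruleset, which is the cheapest way to confirm the assumed `ipsec out` spelling before wiring this into an updown script.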

