[Swan-dev] adding nft support

Antony Antony antony at phenome.org
Thu Jun 16 12:56:40 EEST 2022


I made iptables optional now. This will allow adding nftables soon.

CAT and NFLOG are optional now; ATM they need iptables. I don't know the syntax 
for nft yet.

Also the use of iptables in "ipsec verify" is optional.

Do we need iptables in "ipsec look"? To me it seems a remnant from KLIPS 
mast?

The one in barf could be replaced next.

ipsec: --checknflog would only work if the libreswan was built with 
iptables.

On Wed, Jun 08, 2022 at 08:39:20PM +0200, Antony Antony wrote:
> Breaking down task of adding nft support.
> 
> On Wed, Jun 08, 2022 at 10:38:16AM -0400, Andrew Cagney wrote:
> > this week it is https://github.com/libreswan/libreswan/issues/116
> 
> I am in favor of adding nft support along with iptables support. Add a build 
> variable? Any thoughts on how to add nft support while keeping iptables 
> support?
> 
> There are different uses of iptables. Some are easy to replace with nft. Maybe 
> we can add nft support slowly, one by one.
> 
> 1. programs/barf/barf.in : used for diagnostics? this is probably easy to 
> replace. nft list or something.
> 
> 3. programs/ipsec/ipsec.8.xml : documentation
> 5. programs/ipsec/ipsec.in : NFLOG and CAT support. I will see if I can 
> figure out the exact syntax. nft seems to support NFLOG.
> 
> Any nft experts here who would like to help? How to translate the following 
> rules to nft:
> 
> iptables -I INPUT  -m policy --dir in  --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
> iptables -I INPUT  -m policy --dir out  --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
> 
> and of course deleting rules, which I think is one of the biggest differences 
> between nft and iptables? How do I get the "handle", which is needed to 
> delete the rule? I usually delete the table and re-create :)
> 
> iptables -D INPUT  -m policy --dir in  --pol ipsec -j NFLOG --nflog-group  50 --nflog-prefix all-ipsec
> iptables -D OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group  50 --nflog-prefix all-ipsec
> 
> CAT rules are:
> 
> iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \
>             -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
> iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
>             -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
> 	    -j DNAT --to-destination ${PLUTO_ME}
> 
> iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec  \
>             -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
>             -j DNAT --to-destination ${PLUTO_ME}
> iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \
> 	    -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source 
> 	    ${PLUTO_MY_CLIENT_NET}
> 
> 4. programs/_updown.xfrm/_updown.xfrm.in it seems similar to the above. I 
> wonder why we need CAT and NFLOG in two places!
> 
> 5. programs/look/look.in : seems diagnostics only? I'm not sure why it is 
> adding a mangle table.
> 
> 6. programs/pluto/plutomain.c : just a comment
> 7. programs/verify/verify.in : a runtime check. Maybe this is what is actually 
> failing in Debian testing/building. I suspect they run "ipsec verify"?
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
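The quoted mail asks two things: how the two NFLOG iptables rules look in nft syntax, and how to obtain the "handle" that nft needs to delete a rule. The script below is an added example, not code from libreswan or from the thread's author. It assumes nft 0.9.2 or newer (for the `meta ipsec` and `ipsec` expressions), a dedicated table `inet ipsec_nflog` with base chains `input` and `output` (names chosen here), NFLOG group 50 and prefix `all-ipsec` as in the quoted rules, and that `meta ipsec exists` (packets decrypted by IPsec) and `ipsec out reqid != 0` (packets about to be encrypted under an xfrm policy) are acceptable stand-ins for `-m policy --dir in/out --pol ipsec`. The handle lookup parses the text of `nft -a list chain`, which is passed in as a string so it can be exercised offline against the constructed listing at the bottom.

```shell
#!/bin/sh
# Added example; not libreswan code. Table/chain names are this example's own.
TABLE="inet ipsec_nflog"   # deliberately unquoted below: two words for nft
GROUP=50
PREFIX="all-ipsec"

# Create the table, base chains and the two NFLOG rules.
# 'nft add' is idempotent for tables and chains, so re-running is safe.
nflog_setup() {
    nft add table $TABLE
    nft add chain $TABLE input  '{ type filter hook input  priority 0; policy accept; }'
    nft add chain $TABLE output '{ type filter hook output priority 0; policy accept; }'
    # Inbound: packets that went through IPsec decryption
    # (assumed equivalent of '-m policy --dir in --pol ipsec').
    nft add rule $TABLE input  meta ipsec exists log group $GROUP prefix "\"$PREFIX\""
    # Outbound: packets matched by an xfrm policy with a non-zero reqid
    # (assumed approximation of '-m policy --dir out --pol ipsec').
    nft add rule $TABLE output ipsec out reqid != 0 log group $GROUP prefix "\"$PREFIX\""
}

# Print the handle of the first rule in a chain listing whose log prefix is $2.
# $1 is the text of 'nft -a list chain ...'; '-a' makes nft print '# handle N'
# after every object, which is what we scan for.
nflog_handle_from_listing() {
    printf '%s\n' "$1" | awk -v pfx="$2" '
        index($0, "prefix \"" pfx "\"") {
            for (i = 1; i <= NF; i++) if ($i == "handle") { print $(i+1); exit }
        }'
}

# Delete the NFLOG rule from chain $1 by looking up its handle first,
# instead of flushing and re-creating the whole table.
nflog_delete() {
    chain="$1"
    h=$(nflog_handle_from_listing "$(nft -a list chain $TABLE "$chain")" "$PREFIX")
    [ -n "$h" ] && nft delete rule $TABLE "$chain" handle "$h"
}

# Constructed sample of what 'nft -a list chain inet ipsec_nflog input' prints
# after nflog_setup; used only to demonstrate the handle lookup offline.
SAMPLE_LISTING='table inet ipsec_nflog {
	chain input { # handle 1
		type filter hook input priority filter; policy accept;
		meta ipsec exists log prefix "all-ipsec" group 50 # handle 4
	}
}'

# Usage (needs root and a real nft): nflog_setup; later nflog_delete input
# Offline demonstration of the lookup on the constructed listing (prints 4):
nflog_handle_from_listing "$SAMPLE_LISTING" "$PREFIX"
```

Handles are stable for the lifetime of a rule, so the lookup-then-delete pattern is safe even after other rules have been inserted into the chain; matching on the log prefix (or, on newer nft, a `comment` attached to the rule) is what makes the rule findable without remembering its handle.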


More information about the Swan-dev mailing list