[Swan-dev] adding nft support
Antony Antony
antony at phenome.org
Thu Jun 16 12:56:40 EEST 2022
I made iptables optional now. This will allow adding nftables soon.
CAT and NFLOG are optional now, ATM need iptables. I don't know the syntax
for nft yet.
Also the use of iptables in "ipsec verify" is optional.
Do we need iptables in "ipsec look"? To me it seems a remnant from KLIPS
mast?
The one in barf could be replaced next.
ipsec: --checknflog would only work if libreswan was built with
iptables.
On Wed, Jun 08, 2022 at 08:39:20PM +0200, Antony Antony wrote:
> Breaking down task of adding nft support.
>
> On Wed, Jun 08, 2022 at 10:38:16AM -0400, Andrew Cagney wrote:
> > this week it is https://github.com/libreswan/libreswan/issues/116
>
> I am in favor of adding nft support along with iptable support. Add build
> variable? Any thoughts on how to add nft support while keeping iptables
> support?
>
> There are different uses of iptables. Some are easy to replace with nft. Maybe
> we can add nft support slowly, one by one.
>
> 1. programs/barf/barf.in : used for diagnostics? this is probably easy to
> replace. nft list or something.
>
> 3. programs/ipsec/ipsec.8.xml : documentation
> 5. programs/ipsec/ipsec.in : NFLOG and CAT support. I will see if I can
> figure out the exact syntax. nft seems to support NFLOG.
>
> Any nft experts here who would like to help? How to translate the following
> rules to nft?
>
> iptables -I INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
> iptables -I OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
>
> and of course deleting rules. Which I think is one of the biggest differences
> between nft and iptables? How do I get the "handle"? which is needed to
> delete the rule. I usually delete the table and re-create :)
>
> iptables -D INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
> iptables -D OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
>
> CAT rules are:
>
> iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \
> -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
> iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
> -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
> -j DNAT --to-destination ${PLUTO_ME}
>
> iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec \
> -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
> -j DNAT --to-destination ${PLUTO_ME}
> iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \
> -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
>
> 4. programs/_updown.xfrm/_updown.xfrm.in it seems similar to the above. I
> wonder why we need CAT and NFLOG in two places!
>
> 5. programs/look/look.in : seems diagnostics only? I'm not sure why it is
> adding a mangle table.
>
> 6. programs/pluto/plutomain.c : just a comment
> 7. programs/verify/verify.in : a runtime check. Maybe this is what is actually
> failing in Debian testing/building. I suspect they run "ipsec verify"?
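One way to write the quoted NFLOG and CAT rules for nft, as an added example that is neither libreswan's code nor from the thread: each purpose gets its own table, so teardown is "nft delete table" and no rule handles have to be tracked, with a handle-based single-rule delete shown for completeness. The match expressions ("meta ipsec exists" for --dir in, "rt ipsec exists" for --dir out), the nft >= 0.9.1 requirement, the table names and the chain priorities are my assumptions.

```shell
# Added example, not libreswan code: nft rendering of the NFLOG and CAT
# iptables rules quoted above. Assumes nft >= 0.9.1: "meta ipsec exists" is
# "--dir in" (packet was decapsulated), "rt ipsec exists" is "--dir out".
# NFLOG: one dedicated table, so teardown is "delete table" (no handles).
nflog_ruleset() {   # $1 = nflog group (default 50)
    cat <<EOF
table inet ipsec-log {
    chain input {
        type filter hook input priority 0;
        meta ipsec exists log group ${1:-50} prefix "all-ipsec"
    }
    chain output {
        type filter hook output priority 0;
        rt ipsec exists log group ${1:-50} prefix "all-ipsec"
    }
}
EOF
}

# CAT: $1 = PLUTO_PEER_CLIENT, $2 = PLUTO_MY_CLIENT_NET, $3 = PLUTO_ME
cat_ruleset() {
    cat <<EOF
table ip ipsec-cat {
    chain postrouting {
        type nat hook postrouting priority 100;
        rt ipsec exists ip daddr $1 snat to $2
    }
    chain prerouting {
        type nat hook prerouting priority -100;
        meta ipsec exists ip saddr $1 ip daddr $2 dnat to $3
    }
}
EOF
}

# Replace a table: drop the old copy if present, then load the new ruleset from
# stdin. "nft -f" applies it as one transaction: a bad rule changes nothing.
load_table() {      # $1 = family, $2 = table name
    nft list table "$1" "$2" >/dev/null 2>&1 && nft delete table "$1" "$2"
    nft -f -
}

# Deleting a single rule instead needs its handle; "nft -a list" prints them.
delete_rule() {     # $1 = family, $2 = table, $3 = chain, $4 = text to match
    h=$(nft -a list chain "$1" "$2" "$3" | grep -F "$4" |
        sed -n 's/.*# handle \([0-9]*\)$/\1/p' | head -n 1)
    [ -n "$h" ] && nft delete rule "$1" "$2" "$3" handle "$h"
}
```

Typical use from an updown script would be `nflog_ruleset 50 | load_table inet ipsec-log` and `cat_ruleset "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT_NET" "$PLUTO_ME" | load_table ip ipsec-cat`; teardown is `nft delete table ip ipsec-cat`.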