[Swan-dev] CAT and NFTABLES?
Paul Wouters
paul at nohats.ca
Mon Dec 25 00:17:12 EET 2023
Hi,
Antony added the following code:
+#if defined(HAVE_NFTABLES)
+ if (spd->local->child->has_cat) {
+ ip_selector client = selector_from_address(spd->local->host->addr);
+
+ if (!raw_policy(KERNEL_POLICY_OP_ADD,
+ DIRECTION_INBOUND,
+ EXPECT_KERNEL_POLICY_OK,
+ &kernel_policy.src.route, /* src_client */
+ &client,
+ &kernel_policy, /* " */
+ deltatime(0), /* lifetime */
+ kernel_policy.sa_marks,
+ kernel_policy.xfrmi,
+ kernel_policy.id,
+ kernel_policy.sec_label,
+ st->st_logger,
+ "%s() add inbound Child SA", __func__)) {
+ selector_pair_buf spb;
+ llog(RC_LOG, st->st_logger,
+ "kernel: %s() failed to add SPD for %s",
+ __func__,
+ str_selector_pair(&kernel_policy.src.client, &kernel_policy.dst.client, &spb));
+ }
+
+ }
+#endif
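Review bot: the failure message in the `llog(RC_LOG, ...)` branch prints `kernel_policy.src.client`/`kernel_policy.dst.client`, but the `raw_policy()` call it reports on was made with `&kernel_policy.src.route` and the locally built `client` (the selector built from `spd->local->host->addr`), so a failed add is logged with a selector pair that is not the one actually attempted; log the selectors passed to `raw_policy()` instead, e.g. `str_selector_pair(&kernel_policy.src.route, &client, &spb)`. The `#if defined(HAVE_NFTABLES)` guard also makes this extra inbound policy a build-time decision, so a binary built with nftables support installs it whatever firewall the host is actually running; if the policy is only needed when nftables is in use, a run-time check would be safer. Minor: the `/* " */` ditto comment on the `&kernel_policy` argument does not say which parameter it stands in for.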
I do not understand why we need another XFRM policy for the in/fwd set?
What makes nftables that much different from iptables for this?
Paul