[Swan-dev] CAT and NFTABLES?
Antony Antony
antony at phenome.org
Tue Dec 26 18:03:00 EET 2023
On Sun, Dec 24, 2023 at 05:17:12PM -0500, Paul Wouters wrote:
>
> Hi,
>
> Antony added the following code:
>
> +#if defined(HAVE_NFTABLES)
> + if (spd->local->child->has_cat) {
> + ip_selector client = selector_from_address(spd->local->host->addr);
> +
> + if (!raw_policy(KERNEL_POLICY_OP_ADD,
> + DIRECTION_INBOUND,
> + EXPECT_KERNEL_POLICY_OK,
> + &kernel_policy.src.route, /* src_client */
> + &client,
> + &kernel_policy, /* " */
> + deltatime(0), /* lifetime */
> + kernel_policy.sa_marks,
> + kernel_policy.xfrmi,
> + kernel_policy.id,
> + kernel_policy.sec_label,
> + st->st_logger,
> + "%s() add inbound Child SA", __func__)) {
> + selector_pair_buf spb;
> + llog(RC_LOG, st->st_logger,
> + "kernel: %s() failed to add SPD for %s",
> + __func__,
> + str_selector_pair(&kernel_policy.src.client, &kernel_policy.dst.client, &spb));
> + }
> +
> + }
> +#endif
>
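Review bot: the failure message in the `llog(RC_LOG, ...)` call reports `kernel_policy.src.client` / `kernel_policy.dst.client`, but the selectors actually handed to `raw_policy()` are `&kernel_policy.src.route` and the locally built `client`, so a failed add logs a pair that is not the one that was rejected; log the pair that was passed instead, e.g. `str_selector_pair(&kernel_policy.src.route, &client, &spb)`. The block also has no comment saying why the nftables case needs this extra inbound policy for `has_cat`, which is exactly the question being asked in this thread; a one-line comment above `#if defined(HAVE_NFTABLES)` naming the rule or entry point the policy is there to satisfy would save the next reader the same question. Finally, `HAVE_NFTABLES` is a build-time guard while iptables versus nftables is a property of the running host, so a pluto built with nftables support installs the extra policy even when the host is still using iptables; if the policy is only needed for nftables, a runtime check would be more precise.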
> I do not understand why we need another XFRM policy for the in/fwd set?
Compare the iptables vs nftables output? "nft list ruleset" output and
"iptables-save". As I recollect, the nftables rule is using a different entry
point than iptables. Maybe there are ways to avoid the extra xfrm policy.
> What makes nftables that much different from iptables for this ?
I don't remember. Did you look at the rules? You can still run pluto with
iptables :)