[Swan-dev] ref-counting xfrmi interfaces

Paul Wouters paul at nohats.ca
Thu Mar 2 19:15:32 EET 2023


On Thu, 2 Mar 2023, Brady Johnson wrote:

(CC:ing dev list, because why not)

> I have started looking into how to ref count the IP addresses. It looks like currently the IP addresses are set on the interfaces in
> the updown shell script with the "up-client" verb. Currently the addresses are never deleted from the interfaces. I verified this
> when manually testing my previous patch.
> To refcount when addresses are added, I could just add code to the do_updown() function in programs/pluto/updown.c. But for
> deleting, I could also control that in the do_updown() function, but I guess I would also need to modify the updown script to
> actually remove the IP from the interface.
> 
> This is all on Linux with xfrmi/vti interfaces.

It should not be too tightly coupled with "updown", because we are
thinking of trying to make leftupdown= optional with a default to no,
and move all the "standard" things into pluto.

Most of the things we do in "updown" are related to IP addresses,
routing and DNS settings. When we split DNS into its own helper, it
avoids all those calls/checks when there is no need.

Similarly, when no IP addresses are being removed / added or routes
changed (or MTUs set via route changes), we hope to avoid calling
updown (which is very expensive to call).

Note also that updown has a "verb", giving it different meanings. It
can be: up/down host, up/down client, up/down route. The route mostly
stems from KLIPS, which triggered the IPsec kernel code by routing into
"ipsecX" interfaces. KLIPS was removed and usually those route calls
are no longer needed.

So while the locations where updown is called by pluto might be good
spots to add your refcounting call, I wouldn't couple it too tightly
to updown itself.

Paul
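An added example (not libreswan code, not from either poster) of the refcounting Brady describes, kept separate from updown as Paul suggests: a small table counts how many connections use a given (interface, address) pair, and the ref/unref calls only report when the kernel state must actually change (first reference, last release). The caller can then run the expensive add/delete step, or its updown equivalent, only on those transitions. The interface name "ipsec1", the address values, the table size and all function names here are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libreswan code.  A refcount table for addresses
 * pluto assigns to xfrmi interfaces.  The table never touches the
 * kernel; it only tells the caller whether "ip addr add/del" (or the
 * corresponding updown verb) is actually needed. */

#define MAX_ADDRS 64	/* assumed table size for the example */

enum addr_action {
	ADDR_NOOP,		/* refcount changed, kernel state unchanged */
	ADDR_KERNEL_ADD,	/* first reference: caller must add the address */
	ADDR_KERNEL_DEL,	/* last reference gone: caller must delete it */
	ADDR_ERROR,		/* table full, or unref without matching ref */
};

struct addr_ref {
	char ifname[16];	/* e.g. "ipsec1" (hypothetical name) */
	char addr[64];		/* address with prefix, e.g. "10.1.2.3/32" */
	unsigned refs;		/* connections currently using this address */
};

static struct addr_ref addr_table[MAX_ADDRS];

static struct addr_ref *addr_find(const char *ifname, const char *addr)
{
	for (int i = 0; i < MAX_ADDRS; i++) {
		if (addr_table[i].refs > 0 &&
		    strcmp(addr_table[i].ifname, ifname) == 0 &&
		    strcmp(addr_table[i].addr, addr) == 0)
			return &addr_table[i];
	}
	return NULL;
}

/* Called where "up-client" would run.  Only the first reference
 * requires the address to be added to the interface. */
enum addr_action addr_ref(const char *ifname, const char *addr)
{
	struct addr_ref *e = addr_find(ifname, addr);
	if (e != NULL) {
		e->refs++;
		return ADDR_NOOP;
	}
	for (int i = 0; i < MAX_ADDRS; i++) {
		if (addr_table[i].refs == 0) {
			snprintf(addr_table[i].ifname, sizeof(addr_table[i].ifname), "%s", ifname);
			snprintf(addr_table[i].addr, sizeof(addr_table[i].addr), "%s", addr);
			addr_table[i].refs = 1;
			return ADDR_KERNEL_ADD;
		}
	}
	return ADDR_ERROR;	/* table full: caller must not assume the address exists */
}

/* Called where "down-client" would run.  Only the last release requires
 * the address to be removed; an unbalanced unref never touches the kernel,
 * so one connection going down cannot pull an address out from under another. */
enum addr_action addr_unref(const char *ifname, const char *addr)
{
	struct addr_ref *e = addr_find(ifname, addr);
	if (e == NULL)
		return ADDR_ERROR;
	if (--e->refs == 0)
		return ADDR_KERNEL_DEL;
	return ADDR_NOOP;
}

unsigned addr_refcount(const char *ifname, const char *addr)
{
	struct addr_ref *e = addr_find(ifname, addr);
	return e == NULL ? 0 : e->refs;
}

/* Stand-alone walk-through: two connections share one address on ipsec1. */
int main(void)
{
	static const char *names[] = { "noop", "kernel-add", "kernel-del", "error" };
	printf("conn A up:   %s\n", names[addr_ref("ipsec1", "10.1.2.3/32")]);
	printf("conn B up:   %s\n", names[addr_ref("ipsec1", "10.1.2.3/32")]);
	printf("refs now:    %u\n", addr_refcount("ipsec1", "10.1.2.3/32"));
	printf("conn A down: %s\n", names[addr_unref("ipsec1", "10.1.2.3/32")]);
	printf("conn B down: %s\n", names[addr_unref("ipsec1", "10.1.2.3/32")]);
	printf("stray down:  %s\n", names[addr_unref("ipsec1", "10.1.2.3/32")]);
	return 0;
}
```

The table is keyed on the pair (interface, address) rather than the address alone, so the same address on two different xfrmi interfaces is counted separately. A real implementation would also need to reconcile this table with what is actually on the interface after a pluto restart, since the table lives only in memory.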
