From williamatwood41 at gmail.com Wed Sep 13 22:56:22 2023
From: williamatwood41 at gmail.com (Bill Atwood)
Date: Wed, 13 Sep 2023 15:56:22 -0400
Subject: [Swan-dev] Comments/Suggestions for Libreswan Documentation
Message-ID: <6a4201d9-cc33-eff8-9793-7a8f402e29a0@gmail.com>

Applicable to version 4.12 tarball

In README.md

1. For Debian/Ubuntu, the list of packages required includes "xmlto", which installs 95 packages, requiring 726 MB. Is it really necessary to install all of these? It seems unlikely to me that Libreswan needs a complete TeX system, for example. It seems possible (from other reading) that this requirement is only necessary if the man pages are being built. However, attempting to do "make base" when xmlto has not been installed results in an error message. Is there a way to satisfy the needs of a base-only install, without installing all of xmlto? If this is so, a note to this effect, or a revised makefile and instructions, would be useful.

2. Under the heading "Building for DEB based systems", the first line starts "The packaging/Debian directly is used". The word "directly" should be "directory". (Note that this error was reported previously (on 2023-08-06), and the README.md file on the GitHub site has been fixed, but this fix appears not to have propagated to the 4.12 tarball.)

3. Under the heading "Compiling the userland and IKE daemon manually in /usr/local", the first line is "make programs", which returns an error message: "make: *** No rule to make target 'programs'. Stop." (Note: the INSTALL file in the same directory suggests "make all".)

In man ipsec.conf(5)

4. In the section "CONN PARAMETERS: GENERAL", under the parameter "left", it explicitly says that "IPv4 and IPv6 IP addresses are supported". However, I can find no IPv6 addresses in *any* of the examples.

5. Under the parameter "left", it says, "The value can also contain the interface name, which will then later be used to obtain the IP address from to fill in. For example %ppp0."
For IPv6, which address will be used? An IPv6 interface will typically have several valid addresses.

6. More importantly, if the user needs to specify an IPv6 Link-Local (LL) address, the interface name MUST also be given, because IPv6 LL addresses are unique only on a single medium, and it is not possible to tell which interface to use from the IPv6 address itself. (A typical IPv6 LL address would be specified as fe80::xxxx:xxxx:xxxx:xxxx%eno1. This is going to conflict with the present semantics for %eno1.)

7. Under the parameter "leftsubnet" (and others later on), it says "any form acceptable to ipsec_ttosubnet(3)". However, when I do "man ipsec_ttosubnet", on a system where the "man" pages have been installed, I am told that there is "No manual entry for ipsec_ttosubnet".


From paul at nohats.ca Wed Sep 27 04:30:17 2023
From: paul at nohats.ca (Paul Wouters)
Date: Tue, 26 Sep 2023 21:30:17 -0400 (EDT)
Subject: [Swan-dev] [libreswan/libreswan] IPv6 config fails to get loaded when IPv6 interface is restarted, as there is a delay in IPv6 address update to /proc/net/if_inet6 (Issue #1287)
In-Reply-To:
References:
Message-ID: <84ab8afa-e23a-d7df-5bb8-6f500db1bdde@nohats.ca>

On Sun, 24 Sep 2023, Pidda wrote:

> find_raw_ifaces6() skips IPv6 addresses in tentative state when read from /proc/net/if_inet6, whenever whack listens.
> This is actually a concern because my IPv6 configuration did not get loaded on interface restart.
> The IPv6 address assignment happens post DAD (Duplicate Address Detection). During this process the IPv6 addresses if present in /proc/net/if_inet6
> will be marked as tentative. Since libreswan's find_raw_ifaces6() relies on /proc/net/if_inet6 file to read, it will skip the addresses in
> tentative state.
>
> For now, as a workaround, I am polling the /proc/net/if_inet6 file to have IPv6 address for DAD completion. If not done, then the delay imposed by
> DAD will affect libreswan reading the IPv6 addresses.
>
> Let me know if this behavior from libreswan will remain as it is or you have some plans to handle it efficiently?

This behaviour should be changed. The pluto daemon should look for IPv6 updates via netlink and then rerun the connection orienting code.
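The tentative-flag behaviour behind this issue, as an added example that is not libreswan's code: it parses /proc/net/if_inet6 lines the same way find_raw_ifaces6() must (all fields are hex; bit 0x40 of the flags column is IFA_F_TENTATIVE, 0x08 is IFA_F_DADFAILED), and implements the polling workaround Pidda describes, returning an interface's addresses only once DAD has finished. The sample snapshots are constructed; the function and variable names are this example's own.

```python
import ipaddress
import time
from dataclasses import dataclass

# Bits as printed in /proc/net/if_inet6 (Linux uapi if_addr.h, net/ipv6.h)
IFA_F_TENTATIVE = 0x40   # DAD still running: the address must not be used yet
IFA_F_DADFAILED = 0x08   # DAD found a duplicate: the address is unusable
IPV6_ADDR_LINKLOCAL = 0x20

@dataclass
class Inet6Entry:
    address: ipaddress.IPv6Address
    ifindex: int
    prefixlen: int
    scope: int
    flags: int
    ifname: str

    @property
    def tentative(self):
        return bool(self.flags & IFA_F_TENTATIVE)

    @property
    def usable(self):
        return not self.flags & (IFA_F_TENTATIVE | IFA_F_DADFAILED)

def parse_if_inet6(text):
    """Each line: <32 hex digits addr> <ifindex> <prefixlen> <scope> <flags> <ifname>."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or len(f[0]) != 32:
            continue  # skip malformed lines instead of crashing the reader
        entries.append(Inet6Entry(ipaddress.IPv6Address(int(f[0], 16)),
                                  *(int(x, 16) for x in f[1:5]), f[5]))
    return entries

def wait_for_dad(read_proc, ifname, timeout=5.0, interval=0.1):
    """Poll read_proc() until ifname has addresses and none is tentative.
    Returns the usable addresses, or None if the timeout expires first."""
    deadline = time.monotonic() + timeout
    while True:
        mine = [e for e in parse_if_inet6(read_proc()) if e.ifname == ifname]
        if mine and not any(e.tentative for e in mine):
            return [e.address for e in mine if e.usable]
        if time.monotonic() >= deadline:
            return None
        time.sleep(interval)

def snapshot_reader(*snapshots):
    """Fake read_proc(): hand out each constructed snapshot in turn, then repeat the last."""
    queue = list(snapshots)
    return lambda: queue.pop(0) if len(queue) > 1 else queue[0]

# Constructed snapshots: during DAD (flags c0/40 carry 0x40), then after it (flags 80).
DURING_DAD = ("fe80000000000000020c29fffe3a4b5c 02 40 20 c0     eth0\n"
              "20010db8000000000000000000000001 02 40 00 40     eth0\n"
              "00000000000000000000000000000001 01 80 10 80       lo\n")
AFTER_DAD = ("fe80000000000000020c29fffe3a4b5c 02 40 20 80     eth0\n"
             "20010db8000000000000000000000001 02 40 00 80     eth0\n"
             "00000000000000000000000000000001 01 80 10 80       lo\n")
```

On a live host, pass `lambda: open("/proc/net/if_inet6").read()` as `read_proc`; a netlink RTM_NEWADDR subscription, as Paul suggests, removes the need to poll at all.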