[Swan] No ipsec0 device with XFRM

Wolfgang Nothdurft wolfgang at linogate.de
Thu Jul 30 13:04:22 UTC 2020


On Thursday, 30 July 2020 08:56 CEST, "Wolfgang Nothdurft" <wolfgang at linogate.de> wrote: 
 
> On Thursday, 30 July 2020 03:44 CEST, Paul Wouters <paul at nohats.ca> wrote: 
>  
> > On Wed, 29 Jul 2020, Wolfgang Nothdurft wrote:
> > 
> > > On Tuesday, 28 July 2020 20:25 CEST, Antony Antony <antony at phenome.org> wrote:
> > >
> > >> ipsec-interface=0 would translate to
> > >>
> > >> ip link add ipsec0 type xfrm dev enp0s5 if_id 0
> > >>
> > >> when I started adding xfrmi I wasn't sure xfrm if_id 0 would work properly.
> > >> if_id is a lookup key to find policy and state. I wonder if 0 would mean
> > >> also a policy with no xfrmi if_id.
> > 
> > AFAIK, if_id 0 means the same as "no if_id mark". So it cannot be used.
> > 
> > >> and also to avoid confusion from klips.
> > 
> > That was a reason too, but as Wolfgang points out, perhaps the wrong
> > consideration to have made.
> > 
> > > I think the problem with if_id 0 could be the fwmark that is used to route the encrypted packets on the base interface.
> > >
> > > 100:    from all to 10.0.12.2 fwmark 0x1 lookup 50
> > >
> > > With fwmark 0x0 all unmarked traffic to the destination would go through the base interface instead of the ipsec interface.
> > 
> > I thought fwmark and if_id were different types of marks?
> >
> > > But ipsec-interface=0 for ipsec0 would be very useful. All our customers use ipsec0 for the first ipsec device, so the change from klips to xfrmi would either be confusing for them or a technical problem that we have to solve.
> > >
> > > At the moment I am testing patching libreswan to map if_id to device name if_id-1, which works properly.
> > 
> > That is not a patch we could easily carry. And as an option it is a bit
> > confusing. How about mapping ipsec0 to max(if_id) - 1?
> 
> That would also be a solution I could work with.
> 
> > > But the next problem is that we use the lower 24 bits of the fwmark for our firewall rule set. The upper 8 bits were reserved for ipsec (saref) a long time ago. So the next problem is that actually the fwmark is not configurable, and I have to either patch libreswan or rework our complete rule set to reserve the lower bits for ipsec devices.
> > > Maybe a configurable minimal fwmark could be a nice feature.
> > 
> > I don't think if_id marks are related to fwmarks?
> 
> At the moment it is statically mapped:
> 
> /* XFRMA_SET_MARK =  XFRMA_IF_ID/0xffffffff */
> 
> The simple solution I am testing at the moment is to add a minimal mark to the netlink call and to the environment variable.
>  
> attr->rta_type = XFRMA_SET_MARK + 0xfff;
> ........
> jam(buf, "PLUTO_XFRMI_FWMARK='%" PRIu32 "/0xffffffff' ",
>         c->xfrmi->if_id + 0xfff);


Sorry, what I have written this morning is of course wrong. That's what happens when you write in the morning without thinking. ;)

The attached patch uses a static base value for fwmark. The static value could also be replaced by a variable to make this configurable.
 
Wolfgang
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-xfrmi-fwmark.patch
Type: text/x-patch
Size: 2069 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200730/020ab490/attachment.bin>