[Swan] No ipsec0 device with XFRMi
Antony Antony
antony at phenome.org
Mon Aug 10 21:22:15 UTC 2020
I would leave it as ipsec1 but if others think ipsec0 is better I would
apply this patch. I don't have a strong opinion for either.
One minor reason I didn't use ipsec was existing comments/assumptions in code
about ipsec0. If we apply this patch we should fix those comments. xfrmi
ipsec0 is not the same as KLIPS ipsec0.
Paul commented something here. However, I wonder whether that message is after this
patch or before.
https://lists.libreswan.org/pipermail/swan/2020/003616.html
Paul, what do you think of applying this patch?
-antony
On Thu, Jul 30, 2020 at 08:42:57AM +0200, Wolfgang Nothdurft wrote:
> We don't use marks specifically for klips, but for our whole
> netfilter/ebtables rule set and for policy based routing.
> We mark/connmark to identify special protocols, incoming interfaces, etc.
>
> --- a/programs/pluto/kernel_xfrm_interface.c.orig 2020-07-28 15:18:37.770298639 +0200
> +++ b/programs/pluto/kernel_xfrm_interface.c 2020-07-28 15:18:42.878298858 +0200
> @@ -563,7 +563,7 @@
> */
> static char *fmt_xfrmi_ifname(uint32_t if_id) {
> char *if_name = alloc_things(char, IFNAMSIZ, "xfrmi name");
> - int n = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id);
> + int n = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id - 1);
> passert(n < IFNAMSIZ);
> return if_name;
> }
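Review bot: if_id is a uint32_t, so in the changed snprintf line "if_id - 1" wraps to UINT32_MAX when a caller passes 0, and the passert below only checks the formatted length, not the argument. Consider asserting if_id > 0 before formatting, and extend the function's comment to say that the device number is if_id minus one.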
> @@ -573,7 +573,7 @@
> err_t err = NULL; /* success */
>
> if (xfrm_interface_support == 0) {
> - char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID);
> + char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID - 1);
> char lo[] ="lo";
>
> if (dev_exist_check(lo, true /* ignore error */)) {
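Review bot: the changed call passes IPSEC1_XFRM_IF_ID - 1 into fmt_xfrmi_ifname(), which after the previous hunk subtracts 1 again, so the name built here is two below IPSEC1_XFRM_IF_ID rather than one. Pass IPSEC1_XFRM_IF_ID unchanged and let fmt_xfrmi_ifname() apply the offset.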
> @@ -755,7 +755,7 @@
> */
>
> char if_name[IFNAMSIZ];
> - snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID); /* first one ipsec1 */
> + snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID - 1); /* first one ipsec1 */
>
> unsigned int if_id = if_nametoindex(if_name);
> if (if_id != 0) {
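Review bot: the trailing comment on the changed snprintf line still says "first one ipsec1" although the name is now formatted from IPSEC1_XFRM_IF_ID - 1, so the comment no longer matches the device being looked up. Update the comment, and since this line open-codes the same offset that fmt_xfrmi_ifname() applies, consider keeping the if_id-to-name mapping in one helper or macro so the two cannot drift apart.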
> @@ -776,7 +776,7 @@
> void free_xfrmi_ipsec1(void)
> {
> char if_name[IFNAMSIZ];
> - snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID); /* gloabl ipsec1 */
> + snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID - 1); /* gloabl ipsec1 */
> unsigned int if_id = if_nametoindex(if_name);
>
> if (if_id > 0) {
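Review bot: free_xfrmi_ipsec1() and its "gloabl ipsec1" comment still name ipsec1 while the changed line formats the device name from IPSEC1_XFRM_IF_ID - 1. Rename the function or reword the comment so it says which device is freed, and correct the "gloabl" spelling while the line is being touched.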