[Swan] No ipsec0 device with XFRMi

Antony Antony antony at phenome.org
Mon Aug 10 21:22:15 UTC 2020


I would leave it as ipsec1 but if others think ipsec0 is better I would 
apply this patch. I don't have a strong opinion for either.

One minor reason I didn't use ipsec was existing comments/assumptions in code 
about ipsec0. If we apply this patch we should fix those comments.  xfrmi 
ipsec0 is not the same as KLIPS ipsec0.

Paul commented something here. However, I wonder whether that message is after this 
patch or before.
https://lists.libreswan.org/pipermail/swan/2020/003616.html 

Paul what do you think of applying this patch? 

-antony

On Thu, Jul 30, 2020 at 08:42:57AM +0200, Wolfgang Nothdurft wrote:
> We don't use marks specifically for klips, but for our whole 
> netfilter/ebtables rule set and for policy based routing.
> We mark/connmark to identify special protocols, incoming interfaces, etc.
> 

> --- a/programs/pluto/kernel_xfrm_interface.c.orig	2020-07-28 15:18:37.770298639 +0200
> +++ b/programs/pluto/kernel_xfrm_interface.c	2020-07-28 15:18:42.878298858 +0200
> @@ -563,7 +563,7 @@
>   */
>  static char *fmt_xfrmi_ifname(uint32_t if_id) {
>  	char *if_name = alloc_things(char, IFNAMSIZ, "xfrmi name");
> -	int n  = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id);
> +	int n  = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id - 1);
>  	passert(n < IFNAMSIZ);
>  	return if_name;
>  }
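Review bot: the `if_id - 1` added inside `fmt_xfrmi_ifname` conflicts with the call site in the next hunk, which also passes `IPSEC1_XFRM_IF_ID - 1`, so the offset is applied twice on that path; keep the id-to-name mapping in exactly one place (either in this helper or at the callers). Also note that `if_id` is `uint32_t`, so an argument of 0 wraps to a very large value, and `passert(n < IFNAMSIZ)` only checks the formatted length, so it will not necessarily reject the wrapped id.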
> @@ -573,7 +573,7 @@
>  	err_t err = NULL; /* success */
>  
>  	if (xfrm_interface_support == 0) {
> -		char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID);
> +		char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID - 1);
>  		char lo[]  ="lo";
>  
>  		if (dev_exist_check(lo, true /* ignore error */)) {
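Review bot: `fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID - 1)` subtracts 1 a second time, because the helper changed in the previous hunk already formats `if_id - 1`; if the helper keeps the offset, this call should remain `fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID)`, otherwise the helper change should be dropped and only the callers adjusted.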
> @@ -755,7 +755,7 @@
>  	 */
>  
>  	char if_name[IFNAMSIZ];
> -	snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID); /* first one ipsec1 */
> +	snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID - 1); /* first one ipsec1 */
>  
>  	unsigned int if_id = if_nametoindex(if_name);
>  	if (if_id != 0) {
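Review bot: the trailing comment `/* first one ipsec1 */` is now stale, since with `IPSEC1_XFRM_IF_ID - 1` the device formatted here is ipsec0; update the comment. This `snprintf` also bypasses `fmt_xfrmi_ifname`, so the `- 1` is now repeated at each call site; a single helper or macro for the id-to-name offset would keep the two in sync.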
> @@ -776,7 +776,7 @@
>  void free_xfrmi_ipsec1(void)
>  {
>  	char if_name[IFNAMSIZ];
> -	snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID); /* gloabl ipsec1 */
> +	snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID - 1); /* gloabl ipsec1 */
>  	unsigned int if_id = if_nametoindex(if_name);
>  
>  	if (if_id > 0) {
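Review bot: the comment `/* gloabl ipsec1 */` is both misspelled and stale, as the device looked up here is now ipsec0. The function name `free_xfrmi_ipsec1` and the macro `IPSEC1_XFRM_IF_ID` still encode the old ipsec1 naming as well; renaming them, or at minimum fixing the comment, would avoid exactly the ipsec0/ipsec1 confusion discussed in this thread.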