[Swan] No ipsec0 device with XFRMi

Paul Wouters paul at nohats.ca
Wed Aug 12 01:13:46 UTC 2020


On Mon, 10 Aug 2020, Antony Antony wrote:

> I would leave it as ipsec1 but if others think ipsec0 is better I would
> apply this patch. I don't have a strong opinion for either.

Based on Wolfgang's feedback, I think we should allow ipsec0 for easier
migration from KLIPS to XFRMi.

> Paul commented something here. However, I wonder whether that message is after this
> patch or before.
> https://lists.libreswan.org/pipermail/swan/2020/003616.html

Before.

Isn't it still true that you cannot use if_id set to 0 because that
means the same as not using if_id. I mean within the kernel, not
within libreswan. Within libreswan we have that problem too, but we
can fix that. If we make the default -2, and ipsec-device=0 maps
to if_id of -1, then we can map ipsec0 to if_id(max-1) so that all
ipsecX maps to if_id == X except for the special ipsec0.

However, if others prefer the simpler ipsecX == if_id + 1, then I'm
okay with that too. I think for almost all users, if_id is magic
under the hood that they will never deal with.

Alternatively, we could make ipsec-device=STRING and allow people
to use any name they want. But I think that requires a little more
from our code since we cannot match on the "ipsec" prefix anymore.
And we would need something for %unique too, although it could keep
using an ipsec prefix and look for the first free one?

> Paul what do you think of applying this patch?

See above. Otherwise, it looks good to me, although I'm still a
little confused about the interaction of the old marks and this.
But if you are confident and we have test cases, I'm fine.

So please, based on this, go and push one or the other version of
your patch into main.

Paul

> On Thu, Jul 30, 2020 at 08:42:57AM +0200, Wolfgang Nothdurft wrote:
>> We don't use marks specifically for klips, but for our whole
>> netfilter/ebtables rule set and for policy based routing.
>> We mark/connmark to identify special protocols, incoming interfaces, etc.
>>
>
>> --- a/programs/pluto/kernel_xfrm_interface.c.orig	2020-07-28 15:18:37.770298639 +0200
>> +++ b/programs/pluto/kernel_xfrm_interface.c	2020-07-28 15:18:42.878298858 +0200
>> @@ -563,7 +563,7 @@
>>   */
>>  static char *fmt_xfrmi_ifname(uint32_t if_id) {
>>  	char *if_name = alloc_things(char, IFNAMSIZ, "xfrmi name");
>> -	int n  = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id);
>> +	int n  = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id - 1);
>>  	passert(n < IFNAMSIZ);
>>  	return if_name;
>>  }
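Review bot: the `if_id - 1` in fmt_xfrmi_ifname is unguarded for if_id == 0; because the parameter is uint32_t the subtraction wraps to UINT32_MAX instead of going negative, so the function would quietly format a device name for a huge number, with the length passert as the only safety net. Since the thread notes that an if_id of 0 means the same as no if_id to the kernel, add an explicit `passert(if_id > 0);` (or return an error) at the top of the function so the off-by-one can never mint a bogus interface name.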
>> @@ -573,7 +573,7 @@
>>  	err_t err = NULL; /* success */
>>
>>  	if (xfrm_interface_support == 0) {
>> -		char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID);
>> +		char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID - 1);
>>  		char lo[]  ="lo";
>>
>>  		if (dev_exist_check(lo, true /* ignore error */)) {
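Review bot: the `IPSEC1_XFRM_IF_ID - 1` adjustment on the changed line is repeated verbatim in two more snprintf calls later in this patch, so the if_id-to-name mapping now lives in several places; route every caller through fmt_xfrmi_ifname (or one macro) so that whichever scheme is chosen, ipsecX == if_id + 1 or a special ipsec0, is defined exactly once. With the resulting device now called ipsec0, the identifier IPSEC1_XFRM_IF_ID also reads wrong; rename it or add a comment explaining the offset.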
>> @@ -755,7 +755,7 @@
>>  	 */
>>
>>  	char if_name[IFNAMSIZ];
>> -	snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID); /* first one ipsec1 */
>> +	snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID - 1); /* first one ipsec1 */
>>
>>  	unsigned int if_id = if_nametoindex(if_name);
>>  	if (if_id != 0) {
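Review bot: the comment `/* first one ipsec1 */` on the changed line is now stale, as the `- 1` makes the formatted name ipsec0. While here, the local `unsigned int if_id = if_nametoindex(if_name);` holds a kernel ifindex, not an XFRM if_id; now that the patch introduces a second numbering (name suffix versus if_id), reusing the name if_id for a third quantity invites exactly the off-by-one confusion the thread is discussing, so renaming it to ifindex would help.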
>> @@ -776,7 +776,7 @@
>>  void free_xfrmi_ipsec1(void)
>>  {
>>  	char if_name[IFNAMSIZ];
>> -	snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID); /* gloabl ipsec1 */
>> +	snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID - 1); /* gloabl ipsec1 */
>>  	unsigned int if_id = if_nametoindex(if_name);
>>
>>  	if (if_id > 0) {
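Review bot: the typo `gloabl` in the comment survives on the changed line and should become `global`; the function name free_xfrmi_ipsec1 and its comment also still say ipsec1 although the device being looked up is now ipsec0. Fix the comment and consider renaming the function while touching these lines, and as in the previous hunk the `if_id` local here is an ifindex from if_nametoindex, not an XFRM if_id.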
>
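Added example, not code from the thread or from libreswan: the "ipsecX == if_id + 1" mapping Paul describes, written both ways (if_id to name and name back to if_id) with the if_id == 0 case rejected rather than allowed to wrap the uint32_t subtraction. XFRMI_DEV_FORMAT is assumed to be "ipsec%u"; the actual libreswan definition is not shown on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <net/if.h>     /* IFNAMSIZ on Linux */
#ifndef IFNAMSIZ
#define IFNAMSIZ 16     /* fallback for non-Linux builds */
#endif

/* Assumed format; libreswan's real XFRMI_DEV_FORMAT is not shown in the thread. */
#define XFRMI_DEV_FORMAT "ipsec%u"

/* if_id -> "ipsec<if_id-1>". Returns false for if_id == 0 (the kernel treats
 * 0 as "no if_id", and the unsigned subtraction would wrap to UINT32_MAX) and
 * false if the name does not fit in IFNAMSIZ. */
bool xfrmi_name_from_if_id(uint32_t if_id, char out[IFNAMSIZ])
{
    if (if_id == 0)
        return false;
    int n = snprintf(out, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id - 1);
    return n > 0 && n < IFNAMSIZ;
}

/* "ipsecX" -> if_id = X + 1. Rejects a missing or non-numeric suffix, leading
 * zeros (so "ipsec01" cannot alias "ipsec1"), and X >= UINT32_MAX, whose +1
 * would overflow back to the reserved value 0. */
bool xfrmi_if_id_from_name(const char *name, uint32_t *if_id)
{
    static const char prefix[] = "ipsec";
    const size_t plen = sizeof(prefix) - 1;
    if (strncmp(name, prefix, plen) != 0)
        return false;
    const char *p = name + plen;
    if (*p == '\0' || (*p == '0' && p[1] != '\0'))
        return false;
    uint64_t x = 0;
    for (; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            return false;
        x = x * 10 + (uint64_t)(*p - '0');
        if (x >= UINT32_MAX)
            return false;
    }
    *if_id = (uint32_t)x + 1;
    return true;
}
```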