[Swan] No ipsec0 device with XFRMi

Paul Wouters paul at nohats.ca
Wed Aug 26 20:16:13 UTC 2020


On Wed, 26 Aug 2020, Antony Antony wrote:

>> Isn't it still true that you cannot use if_id set to 0 because that
>> means the same as not using if_id. I mean within the kernel, not
>
> No, I know if_id 0 works in some situations. Now iproute allows if_id 0 and
> strongswan allows if_id 0. I think now, 5.4 or later, xfrmi does not need a
> physical dev ethX associated with it.

So in that case, perhaps we should just map the number configured to the
kernel and for the userland parser set the default to maxint and treat
that one as "don't send if_id to kernel"?

Then the "yes" option can remain the equivalent to "1".


> In general I am not in favor of a configurable xfrmi device name, ipsecX is
> simple :)

I agree it would be nice to keep it like that - at least for now.

>> so please, based on this, go and push one or the other version of
>> your patch into main.
>
> ok.
>
> My plan is first the output mark patch. Then later on ipsec0 patch. This
> will need many smaller test updates, both script and output.
> I will have to rebase my branch. Recent logger changes broke my branch.

Sorry about the big churn there from Andrew. It is to add support for
minimal logging where each connection at most logs 1 success or 1
failure.

Paul

