I made iptables optional now. This will allow adding nftables soon. CAT and NFLOG are optional now; ATM they need iptables. I don't know the syntax for nft yet.

Also the use of iptables in "ipsec verify" is optional. Do we need iptables in "ipsec look"? To me it seems a remnant from KLIPS mast? The one in barf could be replaced next.

ipsec --checknflog would only work if libreswan was built with iptables.

On Wed, Jun 08, 2022 at 08:39:20PM +0200, Antony Antony wrote:
> Breaking down the task of adding nft support.
>
> On Wed, Jun 08, 2022 at 10:38:16AM -0400, Andrew Cagney wrote:
> > this week it is https://github.com/libreswan/libreswan/issues/116
>
> I am in favor of adding nft support along with iptables support. Add a build
> variable? Any thoughts on how to add nft support while keeping iptables
> support?
>
> There are different uses of iptables. Some are easy to replace with nft. Maybe
> we can add nft support slowly, one by one.
>
> 1. programs/barf/barf.in : used for diagnostics? This is probably easy to
> replace. nft list or something.
>
> 3. programs/ipsec/ipsec.8.xml : documentation
> 5. programs/ipsec/ipsec.in : NFLOG and CAT support. I will see if I can
> figure out the exact syntax. nft seems to support NFLOG.
>
> Any nft experts here who would like to help? How to translate the following
> rules to nft:
>
> iptables -I INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
> iptables -I OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
>
> and of course deleting rules, which I think is one of the biggest differences
> between nft and iptables? How do I get the "handle", which is needed to
> delete the rule?

I usually delete the table and re-create :)

> iptables -D INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
> iptables -D OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
>
> CAT rules are:
>
> iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \
>     -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
> iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
>     -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
>     -j DNAT --to-destination ${PLUTO_ME}
>
> iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec \
>     -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
>     -j DNAT --to-destination ${PLUTO_ME}
> iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \
>     -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
>
> 4. programs/_updown.xfrm/_updown.xfrm.in : it seems similar to the above. I
> wonder why we need CAT and NFLOG in two places!
>
> 5. programs/look/look.in : seems diagnostics only? I'm not sure why it is
> adding the mangle table.
>
> 6. programs/pluto/plutomain.c : just a comment
> 7. programs/verify/verify.in : a runtime check. Maybe this is what is actually
> failing in Debian testing/building. I suspect they run "ipsec verify"?
> _______________________________________________
> Swan-dev mailing list
> Swan-dev@lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
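An nft sketch of the inbound NFLOG rule and of the "how do I get the handle" question from the thread, added here as an example and not libreswan code: it assumes nftables 0.9.1 or later for `meta ipsec exists`, uses a constructed private table name `ipsec_log`, and covers only the `--dir in` rule, since the outbound match and the CAT NAT rules are left open above.

```shell
#!/bin/sh
# Added example, not from libreswan. Assumes nftables >= 0.9.1 and that "nft"
# is on PATH (and root) when the add/delete functions are actually invoked.

NFT_TABLE="inet ipsec_log"      # constructed table name, not libreswan's
NFLOG_GROUP=50                  # same group/prefix as the iptables rule
NFLOG_PREFIX="all-ipsec"

# nft equivalent of:
#   iptables -I INPUT -m policy --dir in --pol ipsec -j NFLOG \
#            --nflog-group 50 --nflog-prefix all-ipsec
# "meta ipsec exists" is true for packets that arrived through an IPsec SA
# (inbound secpath), so it only replaces the --dir in rule.
nflog_add() {
    nft add table $NFT_TABLE
    nft add chain $NFT_TABLE input '{ type filter hook input priority 0; policy accept; }'
    nft add rule $NFT_TABLE input meta ipsec exists \
        log group "$NFLOG_GROUP" prefix "\"$NFLOG_PREFIX\""
}

# Read "nft -a list chain ..." output on stdin and print the handle of the
# first rule whose text contains $1. With -a, nft ends each rule with
# "# handle N", e.g.:
#   meta ipsec exists log prefix "all-ipsec" group 50 # handle 7
find_handle() {
    awk -v pat="$1" '
        index($0, pat) && match($0, /# handle [0-9]+$/) {
            print substr($0, RSTART + 9, RLENGTH - 9); exit
        }'
}

# Delete one rule by handle: nft has no "-D <rule spec>", so the handle
# has to be looked up first.
nflog_del_rule() {
    h=$(nft -a list chain $NFT_TABLE input | find_handle "prefix \"$NFLOG_PREFIX\"")
    [ -n "$h" ] && nft delete rule $NFT_TABLE input handle "$h"
}

# Or drop the whole private table, which removes its chains and rules at once.
nflog_del_all() {
    nft delete table $NFT_TABLE
}

case "${1:-}" in
    add)   nflog_add ;;
    del)   nflog_del_rule ;;
    flush) nflog_del_all ;;
esac
```

Keeping the rules in a table nobody else touches is what makes the delete-and-recreate approach safe, since `nft delete table` does not affect rules other tools installed.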