On Sun, Dec 24, 2023 at 05:17:12PM -0500, Paul Wouters wrote: > > Hi, > > Antony added the following code: > > +#if defined(HAVE_NFTABLES) > + if (spd->local->child->has_cat) { > + ip_selector client = > selector_from_address(spd->local->host->addr); > + > + if (!raw_policy(KERNEL_POLICY_OP_ADD, > + DIRECTION_INBOUND, > + EXPECT_KERNEL_POLICY_OK, > + &kernel_policy.src.route, /* > src_client */ > + &client, > + &kernel_policy, /* " > */ > + deltatime(0), /* lifetime */ > + kernel_policy.sa_marks, > + kernel_policy.xfrmi, > + kernel_policy.id, > + kernel_policy.sec_label, > + st->st_logger, > + "%s() add inbound Child SA", > __func__)) { > + selector_pair_buf spb; > + llog(RC_LOG, st->st_logger, > + "kernel: %s() failed to add SPD for %s", > + __func__, > + > str_selector_pair(&kernel_policy.src.client, &kernel_policy.dst.client, > &spb)); > + } > + > + } > +#endif > > I do not understand why we need another XFRM policy for the in/fwd set?
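Review bot: the failure message in the `if (!raw_policy(...))` branch prints `kernel_policy.src.client` and `kernel_policy.dst.client`, but the policy being installed was keyed on `&kernel_policy.src.route` and the locally built `client` selector, so on failure the log would not describe the SPD that was actually attempted; pass those two selectors to `str_selector_pair()` instead. The failure is also only logged and not returned, so the caller continues as if the inbound policy had been installed. Since the reason for this extra inbound policy under `HAVE_NFTABLES` is exactly the question raised in this thread, a comment above the `#if` stating why the has_cat case needs it would save the next reader the same question.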
Compare the iptables vs nftables output? "nft list ruleset" output and "iptables-save". As I recollect, the nftables rule is using a different entry point than iptables. Maybe there are ways to avoid the extra xfrm policy.

> What makes nftables that much different from iptables for this?

I don't remember. Did you look at the rules? You can still run pluto with iptables :)

_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev