On Sun, Dec 24, 2023 at 05:17:12PM -0500, Paul Wouters wrote:
>
> Hi,
>
> Antony added the following code:
>
> +#if defined(HAVE_NFTABLES)
> + if (spd->local->child->has_cat) {
> + ip_selector client =
> selector_from_address(spd->local->host->addr);
> +
> + if (!raw_policy(KERNEL_POLICY_OP_ADD,
> + DIRECTION_INBOUND,
> + EXPECT_KERNEL_POLICY_OK,
> + &kernel_policy.src.route, /*
> src_client */
> + &client,
> + &kernel_policy, /* "
> */
> + deltatime(0), /* lifetime */
> + kernel_policy.sa_marks,
> + kernel_policy.xfrmi,
> + kernel_policy.id,
> + kernel_policy.sec_label,
> + st->st_logger,
> + "%s() add inbound Child SA",
> __func__)) {
> + selector_pair_buf spb;
> + llog(RC_LOG, st->st_logger,
> + "kernel: %s() failed to add SPD for %s",
> + __func__,
> +
> str_selector_pair(&kernel_policy.src.client, &kernel_policy.dst.client,
> &spb));
> + }
> +
> + }
> +#endif
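Review bot: the failure message in the llog() call reports the wrong selector pair for this policy. The raw_policy() call installs a policy built from &kernel_policy.src.route (src_client) and the host-address selector `client` (the next argument), but the log line prints str_selector_pair(&kernel_policy.src.client, &kernel_policy.dst.client, &spb), so on failure the operator sees the Child SA's client pair rather than the CAT policy that was actually rejected; pass &kernel_policy.src.route and &client to str_selector_pair() instead. Two smaller points on the same hunk: a failed raw_policy() is only logged and execution falls through, so the caller never learns the inbound CAT policy is missing (consider propagating the failure the way the surrounding code does for the other policies), and there is no comment explaining why this extra inbound policy is needed only under HAVE_NFTABLES when has_cat is set; since the first question a reviewer asks is exactly that, a short comment above the #if stating the nftables-vs-iptables difference would save the next reader the same trip to the list archives.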
>
> I do not understand why we need another XFRM policy for the in/fwd set?
Compare the iptables vs nftables output? "nft list ruleset" output and
"iptables-save". As I recollect, the nftables rule is using a different entry
point than iptables. Maybe there are ways to avoid the extra xfrm policy.
> What makes nftables that much different from iptables for this ?
I don't remember. Did you look at the rules? You can still run pluto with
iptables :)
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev