On Thursday, 30 July 2020 07:57 CEST, Antony Antony <ant...@phenome.org> wrote:
> On Wed, Jul 29, 2020 at 11:32:58AM +0200, Wolfgang Nothdurft wrote:
> > On Tuesday, 28 July 2020 20:25 CEST, Antony Antony <ant...@phenome.org> wrote:
> > >
> > > ipsec-interface=0 would translate to
> > >
> > > ip link add ipsec0 type xfrm dev enp0s5 if_id 0
> > >
> > > when I started adding xfrmi I wasn't sure xfrm if_id 0 would work
> > > properly.
> > > if_id is a lookup key to find policy and state. I wonder if 0 would mean
> > > also a policy with no xfrmi if_id.
> > >
> > > xfrm if_id 0 was confusing to me. I decided ipsec1 to start with. Maybe
> > > time to review it while xfrmi is still experimental.
> > >
> > > and also to avoid confusion from klips.
> > >
> > I think the problem with if_id 0 could be the fwmark that is used to route
> > the encrypted packets on the base interface.
> >
> > 100: from all to 10.0.12.2 fwmark 0x1 lookup 50
> >
> > With fwmark 0x0 all unmarked traffic to the destination would go through
> > the base interface instead of the ipsec interface.
> >
> > But ipsec-interface=0 for ipsec0 would be very useful. All our customers
> > use ipsec0 for the first ipsec device, so the change from klips to xfrmi
> > would either be confusing for them or a technical problem that we have to
> > solve.
> >
> > At the moment I am testing a patch to libreswan that maps if_id to device name
> > if_id-1, which works properly.
>
> Are you proposing to keep the name ipsec0 (the interface name), while internally
> if_id = 0x1 and fwmark would be 0x1 (by default)? I had one version of the
> code which did this. UINT32_MAX meant no xfrmi inside pluto. It appeared
> complicated and I ditched it. At this stage it is probably easy to go back
> to ipsec0. Currently ipsec-interface=X is the if_id and the mark.

Yes, at the moment I use the attached patch to lower the interface number by one, so the ipsec interfaces start with ipsec0.

> > But the next problem is that we use the lower 24 fwmark bits for our
> > firewall rule set. The upper 8 bits were reserved for ipsec (saref) a long
> > time ago. So the next problem is that currently the fwmark is not
> > configurable and I also have to patch either libreswan or rework our
> > complete rule set to reserve the lower bits for ipsec devices.
> > Maybe a configurable minimal fwmark could be a nice feature.
>
> The output mark on the ESP packet is not configurable yet. One confusion was
> the keywords for the new output mark. Note the conflict with mark-out; used by
> VTI? The VTI mark-out is a different XFRM attribute than the one needed to
> work with xfrmi. Maybe I can have a different meaning for
> mark-out when there is an xfrm interface.
>
> Or add ipsec-interface-output-mark= as the third mark? because
> XFRM now has 3 marks. AFAIK mark-out was never used in the VTI case.
> I don't want to break VTI use cases.
>
> Can you help create a testcase with fwmark and xfrmi? You are using
> marks with KLIPS? So it is not really configured in ipsec.conf? I wonder how
> that would translate one-to-one.

We don't use marks specifically for klips, but for our whole netfilter/ebtables rule set and for policy-based routing. We mark/connmark to identify special protocols, incoming interfaces, etc.
--- a/programs/pluto/kernel_xfrm_interface.c.orig 2020-07-28 15:18:37.770298639 +0200 +++ b/programs/pluto/kernel_xfrm_interface.c 2020-07-28 15:18:42.878298858 +0200 @@ -563,7 +563,7 @@ */ static char *fmt_xfrmi_ifname(uint32_t if_id) { char *if_name = alloc_things(char, IFNAMSIZ, "xfrmi name"); - int n = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id); + int n = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id - 1); passert(n < IFNAMSIZ); return if_name; } @@ -573,7 +573,7 @@ err_t err = NULL; /* success */ if (xfrm_interface_support == 0) { - char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID); + char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID - 1); char lo[] ="lo"; if (dev_exist_check(lo, true /* ignore error */)) { @@ -755,7 +755,7 @@ */ char if_name[IFNAMSIZ]; - snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID); /* first one ipsec1 */ + snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID - 1); /* first one ipsec1 */ unsigned int if_id = if_nametoindex(if_name); if (if_id != 0) { @@ -776,7 +776,7 @@ void free_xfrmi_ipsec1(void) { char if_name[IFNAMSIZ]; - snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID); /* gloabl ipsec1 */ + snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID - 1); /* gloabl ipsec1 */ unsigned int if_id = if_nametoindex(if_name); if (if_id > 0) {
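Review bot: in fmt_xfrmi_ifname the new `if_id - 1` is computed on a uint32_t, so a caller passing if_id 0 silently gets `ipsec4294967295` (15 characters, so the `passert(n < IFNAMSIZ)` does not catch it) instead of an error; add a `passert(if_id != 0)` (or return an error) before the snprintf, and say in the function comment that the parameter is the xfrm if_id and the device number it prints is if_id - 1, since nothing in the name of the function now tells the reader which of the two conventions it returns.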
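Review bot: the second hunk's call `fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID - 1)` subtracts 1 a second time, because the first hunk already makes fmt_xfrmi_ifname subtract 1 from its argument; if IPSEC1_XFRM_IF_ID is 1, as the constant name suggests, this passes 0 and the unsigned subtraction inside the helper yields `ipsec4294967295`, so the support check looks for a device that never exists. Keep this call as `fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID)` and let the helper do the mapping.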
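Review bot: in the third hunk the comment `/* first one ipsec1 */` is now wrong, since with the `- 1` the snprintf produces ipsec0; update it. This hunk also re-implements the mapping that fmt_xfrmi_ifname now performs; calling that helper here (with IPSEC1_XFRM_IF_ID, not IPSEC1_XFRM_IF_ID - 1) keeps the `- 1` convention in one place instead of four.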
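Review bot: the fourth hunk has the same stale comment, `/* gloabl ipsec1 */` (also a typo for global), now describing ipsec0, and the function name free_xfrmi_ipsec1 and the constant IPSEC1_XFRM_IF_ID still carry the old device name; if the ipsec0 convention is adopted, rename them or document that IPSEC1_XFRM_IF_ID is the if_id and not the device number, so readers do not assume the device is ipsec1.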
_______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan
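The if_id to device-name mapping and the fwmark-range question from the thread above, as an added example that is not libreswan code. It assumes the "ipsec%u" naming format, the if_id - 1 convention used by the attached patch (if_id 1 is ipsec0), and, as an illustration of the 8-bit reservation Wolfgang mentions, a split of the 32-bit mark in which the firewall rule set owns the low 24 bits and the ipsec output mark lives in the top byte; the masks, function names and the inverse mapping are assumptions for this example, not pluto's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <net/if.h>

#ifndef IFNAMSIZ
#define IFNAMSIZ 16
#endif

/* Assumed here, not taken from pluto: the naming format for
 * ipsec-interface= devices. */
#define XFRMI_DEV_FORMAT "ipsec%u"

/* Assumed split of the 32-bit fwmark, following the thread: the firewall
 * rule set owns the low 24 bits, ipsec gets the top 8 bits. */
#define FW_MARK_MASK     0x00ffffffu
#define XFRMI_MARK_MASK  0xff000000u
#define XFRMI_MARK_SHIFT 24

/*
 * Map an xfrm if_id to a device name with the "if_id - 1" convention
 * (if_id 1 -> ipsec0). Returns 0 on success and -1 when if_id is 0, since
 * subtracting 1 from an unsigned 0 would wrap to 4294967295 and produce a
 * plausible-looking but wrong name, or when the name would not fit.
 */
int xfrmi_ifname(uint32_t if_id, char *buf, size_t len)
{
    if (if_id == 0 || len < IFNAMSIZ)
        return -1;
    int n = snprintf(buf, len, XFRMI_DEV_FORMAT, (unsigned)(if_id - 1));
    if (n < 0 || (size_t)n >= len)
        return -1;
    return 0;
}

/*
 * Inverse mapping: "ipsecN" -> if_id N + 1. Returns 0 (never a valid if_id
 * under this convention) for any name that is not exactly "ipsec" followed
 * by decimal digits, or whose N + 1 would not fit in 32 bits.
 */
uint32_t xfrmi_ifid_from_name(const char *name)
{
    const char *p = name;
    if (strncmp(p, "ipsec", 5) != 0)
        return 0;
    p += 5;
    if (*p < '0' || *p > '9')            /* require a digit: no sign, no empty */
        return 0;
    char *end;
    unsigned long n = strtoul(p, &end, 10);
    if (*end != '\0' || n >= UINT32_MAX) /* trailing junk, or N + 1 wraps */
        return 0;
    return (uint32_t)n + 1;
}

/*
 * Output mark for the ESP packet on the base interface: the if_id is placed
 * in the reserved top byte so a "fwmark 0x... lookup 50" rule cannot collide
 * with marks set by the firewall rule set. Returns 0 when if_id does not
 * fit in 8 bits.
 */
uint32_t xfrmi_output_mark(uint32_t if_id)
{
    if (if_id == 0 || if_id > (XFRMI_MARK_MASK >> XFRMI_MARK_SHIFT))
        return 0;
    return if_id << XFRMI_MARK_SHIFT;
}

/* 1 if a mark overlaps the bits reserved for the firewall rule set. */
int xfrmi_mark_conflicts(uint32_t mark)
{
    return (mark & FW_MARK_MASK) != 0;
}

int main(void)
{
    char name[IFNAMSIZ];
    for (uint32_t if_id = 0; if_id <= 2; if_id++) {
        if (xfrmi_ifname(if_id, name, sizeof name) == 0)
            printf("if_id %u -> %s, ESP output mark 0x%08x (conflicts with fw marks: %s)\n",
                   if_id, name, xfrmi_output_mark(if_id),
                   xfrmi_mark_conflicts(xfrmi_output_mark(if_id)) ? "yes" : "no");
        else
            printf("if_id %u -> rejected\n", if_id);
    }
    /* The current "mark == if_id" scheme lands in the firewall's low 24 bits. */
    printf("mark 0x1 conflicts with fw marks: %s\n",
           xfrmi_mark_conflicts(0x1) ? "yes" : "no");
    return 0;
}
```

The rejection of if_id 0 is the point the patch's `- 1` arithmetic misses: an unsigned subtraction never fails, it wraps, so a mapping helper must refuse 0 explicitly rather than rely on the IFNAMSIZ assertion, which the 15-character wrapped name passes.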