Am Donnerstag, 30. Juli 2020 07:57 CEST, schrieb Antony Antony
<ant...@phenome.org>:
> On Wed, Jul 29, 2020 at 11:32:58AM +0200, Wolfgang Nothdurft wrote:
> > Am Dienstag, 28. Juli 2020 20:25 CEST, schrieb Antony Antony
> > <ant...@phenome.org>:
> >
> > > ipsec-interface=0 would translate to
> > >
> > > ip link add ipsec0 type xfrm dev enp0s5 if_id 0
> > >
> > > when I started adding xfrmi I wasn't sure xfrm if_id 0 would work
> > > properly.
> > > if_id is a lookup key to find policy and state. I wonder if 0 would mean
> > > also a policy with no xfrmi if_id.
> > >
> > > xfrm if_id 0 was confusing to me. I decided ipsec1 to start with. May be
> > > time to review it while xfrmi is still expirimental.
> > >
> > > and also to avoid confusion from klips.
> >
> >
> > I think the problem with if_id 0 could be the fwmark that is used to route
> > the encrypted packets on the base interface.
> >
> > 100: from all to 10.0.12.2 fwmark 0x1 lookup 50
> >
> > With fwmark 0x0 all unmarked traffic to the destination would go through
> > the base interface instead of the ipsec interface.
> >
> > But ipsec-interface=0 for ipsec0 would be very useful. All our customers
> > use ipsec0 for the first ipsec device, so the change from klips to xfrmi
> > would either confusing for them or a technical problem that we have to
> > solve.
> >
> > At the moment I test patching libreswan to map if_id to device name
> > if_id-1, which works properly.
>
> are you proposing to keep name ipsec0 (the interface name), while internally
> f_id = 0x1 and fwmark would be 0x1 (by default)? I had one version of the
> code which did this. UINT32_MAX meant no xfrmi inside pluto. It appeared
> complicated and I dicthed it. At this stage it is probably easy to go back
> to ipsec0. Currently ipsec-interface=X is the if_id and the mark.
>
Yes, at the moment I use the attached patch to lower the interface number by
one, so the ipsec interfaces starts with ipsec0.
> > But the next problem is that we use the lower 24 bit fwmarks for our
> > firewall rule set. The upper 8 bit was reserved for ipsec (saref) long
> > time ago. So the next problem is that actual the fwmark is not
> > configurable and I have also to patch either libreswan or overwork our
> > complete rule set to reserve the lower bits for ipsec devices.
> > Maybe a configurable minimal fwmark could be a nice feature.
>
> the output mark on the ESP packet is not configurable yet. One confusion was
> keywords for the new output mark. Note the conflict with mark-out; used by
> VTI?. The VTI mark-out is a different XFRM attribute than the one needed to
> work with xfrmi. May be I can have different meaning for
> mark-out when there is xfrm interface.
>
> or add ipsec-interface-output-mark= as the third mark? because
> XFRM has now 3 marks. AFIK mark-out was never used in VTI case.
> I don't want to break VTI usecases.
>
> Can you can help create a testcase with fwmark and xfrmi? you are using
> marks with KLIPS? so it is not really configured in ipsec.conf? I wonder how
> that would translate one-to-one.
>
We don't use marks specifically for klips, but for our whole netfilter/ebtables
rule set and for policy based routing.
We mark/connmark to identify special protocols, incoming interfaces, etc.
--- a/programs/pluto/kernel_xfrm_interface.c.orig 2020-07-28 15:18:37.770298639 +0200
+++ b/programs/pluto/kernel_xfrm_interface.c 2020-07-28 15:18:42.878298858 +0200
@@ -563,7 +563,7 @@
*/
static char *fmt_xfrmi_ifname(uint32_t if_id) {
char *if_name = alloc_things(char, IFNAMSIZ, "xfrmi name");
- int n = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id);
+ int n = snprintf(if_name, IFNAMSIZ, XFRMI_DEV_FORMAT, if_id - 1);
passert(n < IFNAMSIZ);
return if_name;
}
@@ -573,7 +573,7 @@
err_t err = NULL; /* success */
if (xfrm_interface_support == 0) {
- char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID);
+ char *if_name = fmt_xfrmi_ifname(IPSEC1_XFRM_IF_ID - 1);
char lo[] ="lo";
if (dev_exist_check(lo, true /* ignore error */)) {
@@ -755,7 +755,7 @@
*/
char if_name[IFNAMSIZ];
- snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID); /* first one ipsec1 */
+ snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID - 1); /* first one ipsec1 */
unsigned int if_id = if_nametoindex(if_name);
if (if_id != 0) {
@@ -776,7 +776,7 @@
void free_xfrmi_ipsec1(void)
{
char if_name[IFNAMSIZ];
- snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID); /* gloabl ipsec1 */
+ snprintf(if_name, sizeof(if_name), XFRMI_DEV_FORMAT, IPSEC1_XFRM_IF_ID - 1); /* gloabl ipsec1 */
unsigned int if_id = if_nametoindex(if_name);
if (if_id > 0) {
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
