Hi,

On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <[email protected]> wrote:
>
> Hi Hans,
>
> after testing xfrm tunnels a bit I found two big differences compared to other
> conventional tunnels.
> 1) xfrm tunnel interfaces cannot be replaced with netlink
> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted
>
> This leads to some errors and a loop in interface creation. With the changes
> below, it works smoothly when not bound to ppp interfaces (using lan instead), see:
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
> and so on
>
> What do you think?

The description is a bit cryptic to me; could you explain what works and what does not work and why?
Hans
>
> Kind regards,
>
> André
>
>
> On 09.06.19 at 21:27, Hans Dedecker wrote:
> > On Sat, Jun 8, 2019 at 1:48 PM André Valentin <[email protected]> wrote:
> >>
> >> This package adds scripts for xfrm interfaces support.
> >> Example configuration via /etc/config/network:
> >>
> >> config interface 'xfrm0'
> >>         option proto 'xfrm'
> >>         option mtu '1300'
> >>         option zone 'VPN'
> >>         option tunlink 'wan'
> >>         option ifid 30
> >>
> >> config interface 'xfrm0_static'
> >>         option proto 'static'
> >>         option ifname '@xfrm0'
> >>         option ip6addr 'fe80::1/64'
> >>         option ipaddr '10.0.0.1/30'
> >>
> >> Now set in strongswan IPsec policy:
> >> if_id_in = 30
> >> if_id_out = 30
> >> ---
> >>  package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
> >>  package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
> >>  2 files changed, 103 insertions(+)
> >>  create mode 100644 package/network/config/xfrm/Makefile
> >>  create mode 100755 package/network/config/xfrm/files/xfrm.sh
> >>
> >> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
> >> new file mode 100644
> >> index 0000000000..efc90cf318
> >> --- /dev/null
> >> +++ b/package/network/config/xfrm/Makefile
> >> @@ -0,0 +1,38 @@ > >> + > >> +include $(TOPDIR)/rules.mk > >> + > >> +PKG_NAME:=xfrm > >> +PKG_VERSION:=1 > >> +PKG_RELEASE:=1 > >> +PKG_LICENSE:=GPL-2.0 > >> + > >> +include $(INCLUDE_DIR)/package.mk > >> + > >> +define Package/xfrm/Default > >> + SECTION:=net > >> + CATEGORY:=Network > >> + MAINTAINER:=Andre Valentin <[email protected]> > >> +endef > >> + > >> +define Package/xfrm > >> +$(call Package/xfrm/Default) > >> + TITLE:=XFRM IPsec Tunnel Interface config support > >> + DEPENDS:=+kmod-xfrm-interface > >> +endef > >> + > >> +define Package/xfrm/description > >> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in > >> /etc/config/network. > >> +endef > >> + > >> +define Build/Compile > >> +endef > >> + > >> +define Build/Configure > >> +endef > >> + > >> +define Package/xfrm/install > >> + $(INSTALL_DIR) $(1)/lib/netifd/proto > >> + $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh > >> +endef > >> + > >> +$(eval $(call BuildPackage,xfrm)) > >> diff --git a/package/network/config/xfrm/files/xfrm.sh > >> b/package/network/config/xfrm/files/xfrm.sh > >> new file mode 100755 > >> index 0000000000..df28d38613 > >> --- /dev/null > >> +++ b/package/network/config/xfrm/files/xfrm.sh 
> >> @@ -0,0 +1,65 @@ > >> +#!/bin/sh > >> + > >> +[ -n "$INCLUDE_ONLY" ] || { > >> + . /lib/functions.sh > >> + . /lib/functions/network.sh > >> + . ../netifd-proto.sh > >> + init_proto "$@" > >> +} > >> + > >> +proto_xfrm_setup() { > >> + local cfg="$1" > >> + local mode="xfrm" > >> + > >> + local tunlink ifid mtu zone > >> + json_get_vars tunlink ifid mtu zone > >> + > if exists .. ip link del "$cfg" > > >> + proto_init_update "$cfg" 1 > >> + > >> + proto_add_tunnel > >> + json_add_string mode "$mode" > >> + json_add_int mtu "${mtu:-1280}" > >> + > >> + [ -z "$tunlink" ] && { > >> + proto_notify_error "$cfg" NO_TUNLINK > >> + proto_block_restart "$cfg" > >> + exit > >> + } > >> + json_add_string link "$tunlink" > >> + > >> + [ -z "$ifid" ] && { > >> + proto_notify_error "$cfg" NO_IFID > >> + proto_block_restart "$cfg" > >> + exit > >> + } > >> + json_add_object 'data' > >> + [ -n "$ifid" ] && json_add_int ifid "$ifid" > >> + json_close_object > >> + > >> + proto_close_tunnel > >> + > >> + proto_add_data > >> + [ -n "$zone" ] && json_add_string zone "$zone" > >> + proto_close_data > >> + > >> + proto_send_update "$cfg" > >> +} > >> + > >> +proto_xfrm_teardown() { > >> + local cfg="$1" > ip link del "$cfg" > >> +} > >> + > >> +proto_xfrm_init_config() { > >> + no_device=1 > >> + available=1 > >> + > >> + proto_config_add_int "mtu" > >> + proto_config_add_string "tunlink" > >> + proto_config_add_string "zone" > >> + proto_config_add_int "ifid" > >> +} > >> + > >> + > >> +[ -n "$INCLUDE_ONLY" ] || { > >> + [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d > >> /sys/module/xfrm_interface ] && add_protocol xfrm > > I missed the check for /sys/module/xfrm_interface in my initial > > review; is there any specific reason for this additional check beside > > the xfrm_interface.ko check ? 
> >
> > Hans
> >> +}
> >> --
> >> 2.11.0
> >>
> >>
> >> _______________________________________________
> >> openwrt-devel mailing list
> >> [email protected]
> >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>
> --
> Kind regards
> André Valentin
> System Administration - Project Coordination
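Review bot: the Makefile hunk opens with an empty `+` line ahead of `+include $(TOPDIR)/rules.mk`, which leaves a stray blank first line in the new file; drop it. Since `Package/xfrm/install` only copies a shell script (`$(INSTALL_BIN) ./files/xfrm.sh`), the package is architecture-independent and `PKGARCH:=all` belongs in `define Package/xfrm` next to `DEPENDS:=+kmod-xfrm-interface`. The empty `Build/Compile` and `Build/Configure` definitions are appropriate for a script-only package.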
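Review bot: in `proto_xfrm_setup` of the xfrm.sh hunk, the guard `[ -n "$ifid" ] && json_add_int ifid "$ifid"` inside the `data` object can never be false, because the function has already left through `proto_notify_error "$cfg" NO_IFID` and `exit` when `$ifid` is empty; a plain `json_add_int ifid "$ifid"` reads clearer. The `tunlink` and `ifid` checks also sit after `proto_init_update "$cfg" 1` and `proto_add_tunnel` have begun building the update; placing both checks ahead of `proto_init_update` keeps validation separate from update construction, and `exit 1` instead of a bare `exit` makes the failure status explicit on both error paths.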
