Here are the revised 3 patches for master. To test them, make sure PF_KEY is really gone from the running kernel (otherwise a lingering /proc/net/pfkey would mask a remaining dependency); the recommendation is to re-compile the kernel with the following option disabled.
[1] In .config it is called CONFIG_NET_KEY. Location in menuconfig: -> Networking support (NET [=y]) -> Networking options -> PF_KEY sockets [=n]. After configuring, check .config for `# CONFIG_NET_KEY is not set`. -antony
>From 01bbd1695d8535dd0de0efc6117e42337b156351 Mon Sep 17 00:00:00 2001
From: Antony Antony <[email protected]>
Date: Thu, 2 May 2019 15:15:26 +0000
Subject: [PATCH 1/3] pluto: xfrm don not check for /proc/net/pfkey instead check /proc/net/xfrm_stat, from Paul's patch.

since b248daa35 and related commits pluto should not need /proc/net/pfkey
---
 programs/pluto/kernel.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index a94874b22..b263009dc 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -2659,9 +2659,8 @@ void init_kernel(void)
 switch (kern_interface) {
 #if defined(NETKEY_SUPPORT)
 case USE_NETKEY:
- if (stat("/proc/net/pfkey", &buf) != 0) {
- libreswan_log(
- "No XFRM/NETKEY kernel interface detected");
+ if (stat("/proc/net/xfrm_stat", &buf) != 0) {
+ libreswan_log("No XFRM kernel interface detected");
 exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
 }
 libreswan_log(
-- 
2.20.1
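Review bot: The new probe on the `if (stat("/proc/net/xfrm_stat", &buf) != 0)` line is stricter than the commit message suggests: if I recall correctly, /proc/net/xfrm_stat is only created when the kernel is built with CONFIG_XFRM_STATISTICS, so a kernel that has XFRM but not that option would now make pluto exit with PLUTO_EXIT_KERNEL_FAIL although the netlink/XFRM interface works — please confirm against the kernels you target. A probe that does not depend on an optional proc file, such as opening an AF_NETLINK/NETLINK_XFRM socket, or falling back to it when the stat fails, would be more robust. At minimum the failure should be diagnosable from the log, e.g. `libreswan_log("No XFRM kernel interface detected (stat of /proc/net/xfrm_stat failed)");`, since the old message named NETKEY and the new one gives no hint which file was probed. init_kernel() starts and ends outside this hunk.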
>From e8b3dc7599458f8eccf5ce90afd78ac1ce8d0c9c Mon Sep 17 00:00:00 2001
From: Antony Antony <[email protected]>
Date: Fri, 3 May 2019 13:34:28 +0000
Subject: [PATCH 2/3] pluto: kernel_netlink.c remove unnecessary include pfekey2.h

Jacob two two was in action - pfekey2.h was twice.
---
 programs/pluto/kernel_netlink.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index 0bba1b5d6..a902ea68f 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -40,7 +40,6 @@
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <stdint.h>
-#include <linux/pfkeyv2.h>
 #include <linux/ethtool.h>
 #include <linux/sockios.h>
 #include <unistd.h>
@@ -60,9 +59,6 @@
 # include "linux/xfrm.h" /* local (if configured) or system copy */
 #endif
-#include "libreswan/pfkeyv2.h"
-#include "libreswan/pfkey.h"
-
 #include "sysdep.h"
 #include "socketwrapper.h"
 #include "constants.h"
-- 
2.20.1
>From 4fa06aecebfaac4408464b006f1e1276eee3833d Mon Sep 17 00:00:00 2001
From: Antony Antony <[email protected]>
Date: Fri, 3 May 2019 16:12:58 +0000
Subject: [PATCH 3/3] pluto: xfrm replace pf_key options with xfrrm when poking policy holes

setsockopt used pfkey, IP_IPSEC_POLICY, replace it with appropriate xfrm, IP_XFRM_POLICY options.
---
 programs/pluto/kernel_netlink.c | 33 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 19 deletions(-)

diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index a902ea68f..21c7f765b 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -2808,37 +2808,32 @@ static err_t netlink_migrate_sa_check(void)
 static bool netlink_poke_ipsec_policy_hole(struct raw_iface *ifp, int fd)
 {
- struct sadb_x_policy policy;
- int level, opt;
+ int opt, sol;
+ struct xfrm_userpolicy_info policy;
 zero(&policy);
- policy.sadb_x_policy_len = sizeof(policy) /
- IPSEC_PFKEYv2_ALIGN;
- policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
- policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
- policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
- policy.sadb_x_policy_id = 0;
+ policy.action = XFRM_POLICY_ALLOW;
+ policy.sel.family = addrtypeof(&ifp->addr);
 if (addrtypeof(&ifp->addr) == AF_INET6) {
- level = IPPROTO_IPV6;
- opt = IPV6_IPSEC_POLICY;
+ sol = IPPROTO_IPV6;
+ opt = IPV6_XFRM_POLICY;
 } else {
- level = IPPROTO_IP;
- opt = IP_IPSEC_POLICY;
+ sol = SOL_IP;
+ opt = IP_XFRM_POLICY;
 }
- if (setsockopt(fd, level, opt,
- &policy, sizeof(policy)) < 0) {
- LOG_ERRNO(errno, "setsockopt IPSEC_POLICY in process_raw_ifaces()");
+ policy.dir = XFRM_POLICY_IN;
+ if (setsockopt(fd, sol, opt, &policy, sizeof(policy)) < 0) {
+ LOG_ERRNO(errno, "setsockopt IP_XFRM_POLICY XFRM_POLICY_IN in process_raw_ifaces();");
 close(fd);
 return false;
 }
- policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+ policy.dir = XFRM_POLICY_OUT;
- if (setsockopt(fd, level, opt,
- &policy, sizeof(policy)) < 0) {
- LOG_ERRNO(errno, "setsockopt IPSEC_POLICY in process_raw_ifaces()");
+ if (setsockopt(fd, sol, opt, &policy, sizeof(policy)) < 0) {
+ LOG_ERRNO(errno, "setsockopt IP_XFRM_POLICY XFRM_POLICY_OUT in process_raw_ifaces() XFRM_POLICY_OUT");
 close(fd);
 return false;
 }
-- 
2.20.1
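Review bot: The two new LOG_ERRNO strings carry copy-paste defects: the inbound one ends with a stray `;` inside the quoted text, the outbound one repeats `XFRM_POLICY_OUT` twice, both name process_raw_ifaces() although the failing call lives in netlink_poke_ipsec_policy_hole(), and both say IP_XFRM_POLICY even on the AF_INET6 path that used IPV6_XFRM_POLICY. Something like `LOG_ERRNO(errno, "setsockopt XFRM_POLICY inbound failed in netlink_poke_ipsec_policy_hole()");` and the matching "outbound" variant would keep the log accurate for whoever has to debug a socket that did not get its hole. A short comment above `policy.action = XFRM_POLICY_ALLOW;` stating that the otherwise all-zero selector (only `sel.family` is set) is deliberate — an ALLOW policy with no template is the XFRM counterpart of the old IPSEC_POLICY_BYPASS and is meant to let every packet on this IKE socket skip the SPD — would stop a later reader from "completing" the selector; that reading is inferred from the removed code, so please confirm it. `addrtypeof(&ifp->addr)` is also evaluated twice, once for `sel.family` and once in the `if`; a single local would do. The function's final return and closing brace are outside this hunk.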
