On Wed, 29 Jan 2020, Antony Antony wrote:

summary s/iface-ip/interface-ip/
Disable the keyword until the functionality is added.
syntax interface-ip=1.2.3.3/24

does that mean it would no longer be left/right? Or do you mean it will
become leftinterface-ip= and rightinterface-ip= ?

Antony foresees a new type ttipcider(), as there are objections to reusing
subnet(). We will see when we add the code. If the subnet is left alone
without port and protocol it can be used for ttipcider().

Additionally:
suggests to leave subnet as without ports and protocol, and create
traffic_selectior() for parsing keyword subnet from our config.

Seems reasonable. Although for now I am also okay with using ip_subnet
as was done for the vti case.

Paul

On Mon, Jan 27, 2020 at 02:56:02PM -0500, Andrew Cagney wrote:
On Mon, 27 Jan 2020 at 11:39, Antony Antony <[email protected]> wrote:

first quick answer to Hugh's follow up questions.

On Mon, Jan 27, 2020 at 10:58:45AM -0500, D. Hugh Redelmeier wrote:
Has iface-ip been advertised?

no. code is incomplete. We can change at this point. I would be happy to.
Though Paul may have signoff. My recollection is, he wants something similar to
leftvti=10.0.1.254/24 for ipsec-interface/xfrmi, so when we kill VTI this
new IP address can take leftvti's function. I argued it is also useful for
non ipsec-interface case.

Perhaps the keyword should be disabled for now.

Andrew's points all seem valid too.  But I haven't thought deeply about
this.

The request was to add something like the VTI use case.  We need an IP
address/mask (not same as subnet, no port and broadcast and network address
should be invalid).

sourceip != iface-ip. Sourceip is only allowed with /32 or /128 prefix
length.  With source ip there will be a route with that IP address as the
source, for source address selection based on route.

Right.  The limitation seems to be largely historic.

If there's an option, perhaps called sourceip=, perhaps called
something else that accepts any of (subnet, endpoint, address, see
below, ...) does iface-ip and/or vti become redundant?

leftvti=192.0.1.254/24 will conflict with interface-ip=192.0.1.254

vti has its own lifecycle. Last I heard was, remove VTI completely, soon, as
soon as 3.31?
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
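
The thread asks for an address/mask value that, unlike a subnet, carries no port and must not be the network or broadcast address. A sketch of that check for IPv4, added here as an example and not libreswan code; the function and enum names are hypothetical, and treating /31 and /32 as having no network or broadcast address is an assumption:

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this example; not libreswan's API. */
enum ifip_err { IFIP_OK, IFIP_SYNTAX, IFIP_PREFIX, IFIP_NETWORK, IFIP_BROADCAST };

/* Validate an IPv4 "address/prefix" value meant for an interface address.
 * Unlike a subnet, the host bits must be neither all zeros nor all ones. */
enum ifip_err check_interface_ip(const char *value)
{
	char buf[INET_ADDRSTRLEN];
	const char *slash = strchr(value, '/');
	size_t n = slash ? (size_t)(slash - value) : 0;
	if (n == 0 || n >= sizeof(buf))		/* no '/', empty or oversized address */
		return IFIP_SYNTAX;
	memcpy(buf, value, n);
	buf[n] = '\0';
	struct in_addr a;
	if (inet_pton(AF_INET, buf, &a) != 1)	/* rejects ports, names, junk */
		return IFIP_SYNTAX;
	if (slash[1] < '0' || slash[1] > '9')	/* no sign or whitespace in prefix */
		return IFIP_PREFIX;
	char *end;
	long plen = strtol(slash + 1, &end, 10);
	if (*end != '\0' || plen < 0 || plen > 32)
		return IFIP_PREFIX;
	/* Assumption: /31 and /32 have no network or broadcast address. */
	if (plen >= 31)
		return IFIP_OK;
	uint32_t addr = ntohl(a.s_addr);
	uint32_t hostmask = 0xffffffffu >> plen;	/* plen is 0..30 here */
	if ((addr & hostmask) == 0)
		return IFIP_NETWORK;
	if ((addr & hostmask) == hostmask)
		return IFIP_BROADCAST;
	return IFIP_OK;
}

int main(void)
{
	/* Constructed sample values; 192.0.1.254/24 is the address used in the thread. */
	const char *samples[] = { "192.0.1.254/24", "192.0.1.0/24", "192.0.1.255/24",
				  "192.0.1.254", "192.0.1.254:500/24", "192.0.1.254/33" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-20s -> %d\n", samples[i], check_interface_ip(samples[i]));
	return 0;
}
```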
