On Mon, 4 Jan 2021 at 11:06, Antony Antony <[email protected]> wrote:
>
> On Sun, Jan 03, 2021 at 11:54:30AM -0500, Paul Wouters wrote:
> > On Sun, 3 Jan 2021, Andrew Cagney wrote:
> >
> > > Subject: [Swan-dev] what is INTERFACE_IP / ifaceip / interface-ip= for?
> > >
> > > I suspect it has something to do with XFRMI. As best I can, in the
> > > current code, it is simply being passed to up-down scripts as
> > > INTERFACE_IP=...?
>
> Yes, the idea was to add that IP address/prefix to the xfrm interface.
> The unfinished feature is inherited from the VTI model (possibly a hack?).
> In VTI the IP address was added in the updown script. In xfrmi, I would
> like to add the IP from pluto using netlink calls, C functions, instead of
> calling the external command "ip". This way pluto can ref count how many
> connections share an interface or IP address. In the VTI model two
> connections with the same interface-ip address could be an issue. Bringing
> up two connections could work; we need a bit of shell script to ignore the
> error from "ip" that the address exists.
> However, when one connection goes down, the shell script would delete the
> IP address. Then the remaining connection would lose the IP address.

So it's an address/mask, so the CIDR's host-identifier can be non-zero,
viz: ::1/127. What restrictions are there on the address? The parser
accepts:

    ::/0 ::/1 ::/2 ...

but then later INTERFACE_IP is only exported when the address isn't ::/0.
If ::/0 isn't allowed then it should probably be rejected when parsing the
config file. I'm guessing vti ip is the same.

>
> In xauth, or ikev2 cp, when deleting sourceaddress we use a shell script
> trick -- check if the ip address is in use by another route. This trick
> won't work for VTI/XFRMi ip address.
>
> Another detail: even if pluto is adding the ip address there was a request
> to pass it to the updown script for advanced routing use cases.
>
> Maybe rethink whether this feature is still relevant?
> Maybe the users are using systemd or other scripts to configure the
> interface ip?
>
> > Yes. It is the value of interface-ip= passed to updown. It can be used
> > to configure an IP address. It should really do this action in the
> > default updown script when passed.
>
> I advise against using the updown script for adding the ip address! I
> think adding from pluto is better. Also, now that KLIPS is gone, it would
> be easier from pluto.
>
> > The name interface-ip= was chosen after a long discussion. We wanted to
> > make it implementation agnostic (so not call it anything xfrm) and it
> > couldn't clash with the existing VTI code that uses VTI_IP.
> >
> > I think the code that uses VTI_IP in updown should also check for
> > INTERFACE_IP and documentation should be added to _updown.xfrm.in about
> > these options.
> >
> > > While the name ifaceip leads me to think it's got something to do with
> > > the host interfaces, I suspect it is connected to the XFRMI client
> > > interface IP (if this is true I'll rename the field to
> > > client_interface_ip)?
> >
> > Please do not rename it. Especially not anything "client" as our pluto
> > code uses "client" to refer to left/rightsubnets and non-developers
> > think of client-interface-ip as something at the remote vpn clients.
> >
> > Paul
> >
> > _______________________________________________
> > Swan-dev mailing list
> > [email protected]
> > https://lists.libreswan.org/mailman/listinfo/swan-dev
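Added example, not code from this thread or from libreswan: a C sketch of the two points discussed above, rejecting the unspecified address for interface-ip= at config-parse time rather than accepting it and then never exporting it, and a per-address reference count in pluto so that an address shared by two connections is only deleted when the last one goes down. The names struct iface_ip, parse_interface_ip, iface_ip_acquire and iface_ip_release are hypothetical, and keying the rejection on the unspecified address (::, 0.0.0.0) is an assumption about what makes ::/0 invalid.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
struct iface_ip { int af; unsigned char addr[16]; int prefix; }; /* hypothetical, not libreswan's */
/* Parse "ADDR/PREFIX". Host bits may be non-zero (::1/127 is fine); the unspecified
 * address (::/0, ::/64, 0.0.0.0/N) is rejected at parse time, not silently skipped later. */
bool parse_interface_ip(const char *s, struct iface_ip *out) {
    char buf[64], *end, *slash;
    if (strlen(s) >= sizeof buf || (slash = strchr(strcpy(buf, s), '/')) == NULL)
        return false;
    *slash++ = '\0';
    long prefix = strtol(slash, &end, 10);
    int af = strchr(buf, ':') ? AF_INET6 : AF_INET, maxlen = af == AF_INET6 ? 128 : 32;
    memset(out, 0, sizeof *out);
    if (end == slash || *end != '\0' || prefix < 0 || prefix > maxlen ||
        inet_pton(af, buf, out->addr) != 1)
        return false;
    if (memcmp(out->addr, (unsigned char[16]){0}, 16) == 0) return false; /* :: or 0.0.0.0 */
    out->af = af; out->prefix = (int)prefix;
    return true;
}
/* Assumed design: pluto reference-counts each address it adds, so a shared
 * interface-ip= is deleted only when the last connection using it goes down. */
#define MAX_IFACE_IPS 8
static struct { struct iface_ip ip; int refs; } table[MAX_IFACE_IPS];
static int ntable;
static int find_ip(const struct iface_ip *ip) {
    for (int i = 0; i < ntable; i++)
        if (table[i].ip.af == ip->af && table[i].ip.prefix == ip->prefix &&
            memcmp(table[i].ip.addr, ip->addr, 16) == 0) return i;
    return -1;
}
/* True when the caller must actually add the address to the interface (first user). */
bool iface_ip_acquire(const struct iface_ip *ip) {
    int i = find_ip(ip);
    if (i >= 0) { table[i].refs++; return false; }
    if (ntable == MAX_IFACE_IPS) abort();  /* toy limit */
    table[ntable].ip = *ip; table[ntable].refs = 1; ntable++;
    return true;
}
/* True when the caller must actually delete the address (last user gone). */
bool iface_ip_release(const struct iface_ip *ip) {
    int i = find_ip(ip);
    if (i < 0 || --table[i].refs > 0) return false;
    table[i] = table[--ntable];  /* swap-remove; the remaining connection keeps it */
    return true;
}
```

The netlink add/delete itself is left to the caller; only the decision of when to issue it is modelled here.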
