On Wed, 29 Jul 2020, Wolfgang Nothdurft wrote:

On Tuesday, 28 July 2020 20:25 CEST, Antony Antony
<[email protected]> wrote:

ipsec-interface=0 would translate to

ip link add ipsec0 type xfrm dev enp0s5 if_id 0

When I started adding xfrmi I wasn't sure xfrm if_id 0 would work properly.
if_id is a lookup key to find policy and state. I wonder if 0 would also mean
a policy with no xfrmi if_id.

AFAIK, if_id 0 means the same as "no if_id mark". So it cannot be used.

and also to avoid confusion from klips.

That was a reason too, but as Wolfgang points out, perhaps the wrong
consideration to have made.

I think the problem with if_id 0 could be the fwmark that is used to route the 
encrypted packets on the base interface.

100:    from all to 10.0.12.2 fwmark 0x1 lookup 50

With fwmark 0x0 all unmarked traffic to the destination would go through the 
base interface instead of the ipsec interface.

I thought fwmark and if_id were different types of marks?

But ipsec-interface=0 for ipsec0 would be very useful. All our customers use 
ipsec0 for the first ipsec device, so the change from klips to xfrmi would 
either be confusing for them or be a technical problem that we have to solve.

At the moment I am testing a patch to libreswan that maps if_id to device name 
if_id-1, which works properly.

That is not a patch we could easily carry. And as an option it is a bit
confusing. How about mapping ipsec0 to max(if_id) - 1?

But the next problem is that we use the lower 24 bits of the fwmark for our 
firewall rule set. The upper 8 bits were reserved for ipsec (saref) a long time 
ago. So the next problem is that currently the fwmark is not configurable, and I 
also have to either patch libreswan or rework our complete rule set to reserve 
the lower bits for ipsec devices.
Maybe a configurable minimum fwmark could be a nice feature.

I don't think if_id marks are related to fwmarks?

Paul
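The two fwmark problems raised in this thread (a rule with fwmark 0x0 that cannot distinguish unmarked traffic, and ipsec marks landing in the bit range a firewall rule set already uses) can be checked from `ip rule show` output. The script below is an added example, not code from the thread or from libreswan: it parses rule lines in the format quoted above and flags both cases. The sample output is constructed for this example (only the 10.0.12.2 line mirrors the rule in the mail), and the 24/8 bit split between firewall and ipsec marks is taken from the mail as an assumption, not as libreswan's own layout.

```python
import re

# Constructed sample of `ip rule show` output for this example (not taken from
# the thread): the 10.0.12.2 line mirrors the rule quoted in the mail; the
# other two fwmark lines are made up to show the two cases discussed.
SAMPLE_RULES = """\
0:      from all lookup local
100:    from all to 10.0.12.2 fwmark 0x1 lookup 50
100:    from all to 10.0.12.3 fwmark 0x0 lookup 51
100:    from all to 10.0.12.4 fwmark 0x2000000/0xff000000 lookup 52
32766:  from all lookup main
"""

# Assumed mark layout from the mail: the firewall owns the lower 24 bits and
# the upper 8 bits are reserved for ipsec.
FIREWALL_MASK = 0x00FFFFFF
FULL_MASK = 0xFFFFFFFF

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+to\s+(?P<dst>\S+))?"
    r"(?:\s+fwmark\s+(?P<mark>0x[0-9a-fA-F]+)(?:/(?P<mask>0x[0-9a-fA-F]+))?)?"
    r"\s+lookup\s+(?P<table>\S+)"
)


def parse_rules(text):
    """Parse `ip rule show` lines into dicts; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        has_mark = d["mark"] is not None
        rules.append({
            "prio": int(d["prio"]),
            "src": d["src"],
            "dst": d["dst"],
            "mark": int(d["mark"], 16) if has_mark else None,
            # ip(8) prints no mask when the whole 32-bit mark is matched
            "mask": int(d["mask"], 16) if d["mask"] else (FULL_MASK if has_mark else None),
            "table": d["table"],
        })
    return rules


def audit_rules(rules, firewall_mask=FIREWALL_MASK):
    """Flag fwmark rules that hit either of the two problems raised in the mail."""
    findings = []
    for r in rules:
        if r["mark"] is None:
            continue
        if r["mark"] == 0:
            # mark 0 is what unmarked packets carry, so this rule cannot single
            # out the traffic meant for the ipsec interface
            findings.append({"prio": r["prio"], "dst": r["dst"], "kind": "zero_mark"})
        elif r["mark"] & r["mask"] & firewall_mask:
            # the bits this rule matches on lie inside the firewall's range
            findings.append({"prio": r["prio"], "dst": r["dst"], "kind": "firewall_overlap"})
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_rules(SAMPLE_RULES)):
        print(f"prio {f['prio']} to {f['dst']}: {f['kind']}")
```

Run against real output with `ip rule show | python3 audit.py` after replacing SAMPLE_RULES with `sys.stdin.read()`; the 10.0.12.4 line shows the shape of a rule that stays out of the firewall's bits by matching only the upper byte with an explicit mask.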
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
