[OpenWrt-Devel] [PATCH v3 2/3] network/config: add xfrm interface support scripts

Hans Dedecker dedeckeh at gmail.com
Tue Jun 11 16:16:24 EDT 2019


Hi,

On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin at marcant.net> wrote:
>
> Hi Hans,
>
> after testing xfrm tunnels a bit I found two big differences compared to other conventional tunnels.
> 1) xfrm tunnel interfaces cannot be replaced with netlink
> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted
>
> This leads to some errors and a loop in interface creation. With the changes below,
> it works smoothly when not bound to ppp interfaces (using lan instead), see:
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
> and so on
>
> What do you think?
The description is a bit cryptic to me; could you explain what works
and what does not work and why?

Hans
>
> Kind regards,
>
> André
>
>
> On 09.06.19 at 21:27 Hans Dedecker wrote:
> > On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin at marcant.net> wrote:
> >>
> >> This package adds scripts for xfrm interfaces support.
> >> Example configuration via /etc/config/network:
> >>
> >> config interface 'xfrm0'
> >>         option proto 'xfrm'
> >>         option mtu '1300'
> >>         option zone 'VPN'
> >>         option tunlink 'wan'
> >>         option ifid 30
> >>
> >> config interface 'xfrm0_static'
> >>         option proto 'static'
> >>         option ifname '@xfrm0'
> >>         option ip6addr 'fe80::1/64'
> >>         option ipaddr '10.0.0.1/30'
> >>
> >> Now set in strongswan IPsec policy:
> >>         if_id_in = 30
> >>         if_id_out = 30
> >> ---
> >>  package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
> >>  package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
> >>  2 files changed, 103 insertions(+)
> >>  create mode 100644 package/network/config/xfrm/Makefile
> >>  create mode 100755 package/network/config/xfrm/files/xfrm.sh
> >>
> >> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
> >> new file mode 100644
> >> index 0000000000..efc90cf318
> >> --- /dev/null
> >> +++ b/package/network/config/xfrm/Makefile
> >> @@ -0,0 +1,38 @@
> >> +
> >> +include $(TOPDIR)/rules.mk
> >> +
> >> +PKG_NAME:=xfrm
> >> +PKG_VERSION:=1
> >> +PKG_RELEASE:=1
> >> +PKG_LICENSE:=GPL-2.0
> >> +
> >> +include $(INCLUDE_DIR)/package.mk
> >> +
> >> +define Package/xfrm/Default
> >> +  SECTION:=net
> >> +  CATEGORY:=Network
> >> +  MAINTAINER:=Andre Valentin <avalentin at marcant.net>
> >> +endef
> >> +
> >> +define Package/xfrm
> >> +$(call Package/xfrm/Default)
> >> +  TITLE:=XFRM IPsec Tunnel Interface config support
> >> +  DEPENDS:=+kmod-xfrm-interface
> >> +endef
> >> +
> >> +define Package/xfrm/description
> >> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network.
> >> +endef
> >> +
> >> +define Build/Compile
> >> +endef
> >> +
> >> +define Build/Configure
> >> +endef
> >> +
> >> +define Package/xfrm/install
> >> +       $(INSTALL_DIR) $(1)/lib/netifd/proto
> >> +       $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh
> >> +endef
> >> +
> >> +$(eval $(call BuildPackage,xfrm))
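Review bot: the hunk opens with an empty `+` line before `include $(TOPDIR)/rules.mk`; drop the leading blank line. Since the package installs only `./files/xfrm.sh` and the `Build/Compile` / `Build/Configure` overrides are deliberately empty, adding `PKGARCH:=all` next to `PKG_RELEASE:=1` would mark the package as architecture-independent, which is the usual convention for script-only OpenWrt packages.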
> >> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh
> >> new file mode 100755
> >> index 0000000000..df28d38613
> >> --- /dev/null
> >> +++ b/package/network/config/xfrm/files/xfrm.sh
> >> @@ -0,0 +1,65 @@
> >> +#!/bin/sh
> >> +
> >> +[ -n "$INCLUDE_ONLY" ] || {
> >> +       . /lib/functions.sh
> >> +       . /lib/functions/network.sh
> >> +       . ../netifd-proto.sh
> >> +       init_proto "$@"
> >> +}
> >> +
> >> +proto_xfrm_setup() {
> >> +       local cfg="$1"
> >> +       local mode="xfrm"
> >> +
> >> +       local tunlink ifid mtu zone
> >> +       json_get_vars tunlink ifid mtu zone
> >> +
> if exists .. ip link del "$cfg"
>
> >> +       proto_init_update "$cfg" 1
> >> +
> >> +       proto_add_tunnel
> >> +       json_add_string mode "$mode"
> >> +       json_add_int mtu "${mtu:-1280}"
> >> +
> >> +       [ -z "$tunlink" ] && {
> >> +               proto_notify_error "$cfg" NO_TUNLINK
> >> +               proto_block_restart "$cfg"
> >> +               exit
> >> +       }
> >> +       json_add_string link "$tunlink"
> >> +
> >> +       [ -z "$ifid" ] && {
> >> +               proto_notify_error "$cfg" NO_IFID
> >> +               proto_block_restart "$cfg"
> >> +               exit
> >> +       }
> >> +       json_add_object 'data'
> >> +       [ -n "$ifid" ] && json_add_int ifid "$ifid"
> >> +       json_close_object
> >> +
> >> +       proto_close_tunnel
> >> +
> >> +       proto_add_data
> >> +       [ -n "$zone" ] && json_add_string zone "$zone"
> >> +       proto_close_data
> >> +
> >> +       proto_send_update "$cfg"
> >> +}
> >> +
> >> +proto_xfrm_teardown() {
> >> +       local cfg="$1"
> ip link del "$cfg"
> >> +}
> >> +
> >> +proto_xfrm_init_config() {
> >> +       no_device=1
> >> +       available=1
> >> +
> >> +       proto_config_add_int "mtu"
> >> +       proto_config_add_string "tunlink"
> >> +       proto_config_add_string "zone"
> >> +       proto_config_add_int "ifid"
> >> +}
> >> +
> >> +
> >> +[ -n "$INCLUDE_ONLY" ] || {
> >> +       [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm
> > I missed the check for /sys/module/xfrm_interface in my initial
> > review; is there any specific reason for this additional check beside
> > the xfrm_interface.ko check?
> >
> > Hans
> >> +}
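Review bot: the guard `[ -n "$ifid" ] && json_add_int ifid "$ifid"` inside the `data` object is redundant, because an empty `ifid` already hits `proto_notify_error "$cfg" NO_IFID` followed by `exit` a few lines earlier; an unconditional `json_add_int ifid "$ifid"` reads clearer. Both the `tunlink` and `ifid` validations run after `proto_init_update "$cfg" 1` has begun building the update; moving them to the top of `proto_xfrm_setup`, right after `json_get_vars`, keeps the error paths from aborting a half-built update. `proto_xfrm_teardown` has an empty body and so relies entirely on netifd removing the tunnel device, which is exactly the behaviour the interleaved follow-up in this thread (`ip link del "$cfg"`) questions; a short comment stating that reliance, or the explicit deletion, would make the intent clear. Minor: there are two consecutive blank `+` lines before the final `[ -n "$INCLUDE_ONLY" ]` block.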
> >> --
> >> 2.11.0
> >>
> >>
> >
>
>
> --
> Kind regards
> André Valentin
>
> System administration - Project coordination
>

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

