[OpenWrt-Devel] [PATCH v3 2/3] network/config: add xfrm interface support scripts

Andre Valentin avalentin at marcant.net
Mon Jun 10 14:10:24 EDT 2019


Hi Hans,

after testing xfrm tunnels a bit I found two big differences compared to other conventional tunnels.
1) xfrm tunnel interfaces cannot be replaced with netlink
2) xfrm tunnel interfaces DO NOT vanish if parent is deleted

This leads to some errors and a loop in interface creation. With the changes below,
it works smoothly when not bound to ppp interfaces (using lan instead), see:
Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
and so on

What do you think?

Kind regards,

André


Am 09.06.19 um 21:27 schrieb Hans Dedecker:
> On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin at marcant.net> wrote:
>>
>> This package adds scripts for xfrm interfaces support.
>> Example configuration via /etc/config/network:
>>
>> config interface 'xfrm0'
>>         option proto 'xfrm'
>>         option mtu '1300'
>>         option zone 'VPN'
>>         option tunlink 'wan'
>>         option ifid 30
>>
>> config interface 'xfrm0_static'
>>         option proto 'static'
>>         option ifname '@xfrm0'
>>         option ip6addr 'fe80::1/64'
>>         option ipaddr '10.0.0.1/30'
>>
>> Now set in strongswan IPsec policy:
>>         if_id_in = 30
>>         if_id_out = 30
>> ---
>>  package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
>>  package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
>>  2 files changed, 103 insertions(+)
>>  create mode 100644 package/network/config/xfrm/Makefile
>>  create mode 100755 package/network/config/xfrm/files/xfrm.sh
>>
>> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
>> new file mode 100644
>> index 0000000000..efc90cf318
>> --- /dev/null
>> +++ b/package/network/config/xfrm/Makefile
>> @@ -0,0 +1,38 @@
>> +
>> +include $(TOPDIR)/rules.mk
>> +
>> +PKG_NAME:=xfrm
>> +PKG_VERSION:=1
>> +PKG_RELEASE:=1
>> +PKG_LICENSE:=GPL-2.0
>> +
>> +include $(INCLUDE_DIR)/package.mk
>> +
>> +define Package/xfrm/Default
>> +  SECTION:=net
>> +  CATEGORY:=Network
>> +  MAINTAINER:=Andre Valentin <avalentin at marcant.net>
>> +endef
>> +
>> +define Package/xfrm
>> +$(call Package/xfrm/Default)
>> +  TITLE:=XFRM IPsec Tunnel Interface config support
>> +  DEPENDS:=+kmod-xfrm-interface
>> +endef
>> +
>> +define Package/xfrm/description
>> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network.
>> +endef
>> +
>> +define Build/Compile
>> +endef
>> +
>> +define Build/Configure
>> +endef
>> +
>> +define Package/xfrm/install
>> +       $(INSTALL_DIR) $(1)/lib/netifd/proto
>> +       $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh
>> +endef
>> +
>> +$(eval $(call BuildPackage,xfrm))
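Review bot: the hunk opens with an empty `+` line before `include $(TOPDIR)/rules.mk`, and the `Package/xfrm/Default` template is expanded by exactly one package, so both can go: start the file with the include and fold `SECTION`, `CATEGORY` and `MAINTAINER` straight into `define Package/xfrm`. The empty `Build/Configure` and `Build/Compile` overrides are fine for a package that only installs a script, and `DEPENDS:=+kmod-xfrm-interface` is the right place to pull in the module the script later probes for.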
>> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh
>> new file mode 100755
>> index 0000000000..df28d38613
>> --- /dev/null
>> +++ b/package/network/config/xfrm/files/xfrm.sh
>> @@ -0,0 +1,65 @@
>> +#!/bin/sh
>> +
>> +[ -n "$INCLUDE_ONLY" ] || {
>> +       . /lib/functions.sh
>> +       . /lib/functions/network.sh
>> +       . ../netifd-proto.sh
>> +       init_proto "$@"
>> +}
>> +
>> +proto_xfrm_setup() {
>> +       local cfg="$1"
>> +       local mode="xfrm"
>> +
>> +       local tunlink ifid mtu zone
>> +       json_get_vars tunlink ifid mtu zone
>> +
if exists .. ip link del "$cfg"

>> +       proto_init_update "$cfg" 1
>> +
>> +       proto_add_tunnel
>> +       json_add_string mode "$mode"
>> +       json_add_int mtu "${mtu:-1280}"
>> +
>> +       [ -z "$tunlink" ] && {
>> +               proto_notify_error "$cfg" NO_TUNLINK
>> +               proto_block_restart "$cfg"
>> +               exit
>> +       }
>> +       json_add_string link "$tunlink"
>> +
>> +       [ -z "$ifid" ] && {
>> +               proto_notify_error "$cfg" NO_IFID
>> +               proto_block_restart "$cfg"
>> +               exit
>> +       }
>> +       json_add_object 'data'
>> +       [ -n "$ifid" ] && json_add_int ifid "$ifid"
>> +       json_close_object
>> +
>> +       proto_close_tunnel
>> +
>> +       proto_add_data
>> +       [ -n "$zone" ] && json_add_string zone "$zone"
>> +       proto_close_data
>> +
>> +       proto_send_update "$cfg"
>> +}
>> +
>> +proto_xfrm_teardown() {
>> +       local cfg="$1"
ip link del "$cfg"
>> +}
>> +
>> +proto_xfrm_init_config() {
>> +       no_device=1
>> +       available=1
>> +
>> +       proto_config_add_int "mtu"
>> +       proto_config_add_string "tunlink"
>> +       proto_config_add_string "zone"
>> +       proto_config_add_int "ifid"
>> +}
>> +
>> +
>> +[ -n "$INCLUDE_ONLY" ] || {
>> +       [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm
> I missed the check for /sys/module/xfrm_interface in my initial
> review; is there any specific reason for this additional check beside
> the xfrm_interface.ko check ?
> 
> Hans
>> +}
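Review bot: `[ -n "$ifid" ] && json_add_int ifid "$ifid"` inside the `data` object is a dead guard, because an empty ifid already ends setup a few lines earlier through `proto_notify_error`/`proto_block_restart`/`exit`; a plain `json_add_int ifid "$ifid"` says what is meant. More important for the setup loop described at the top of this mail: `proto_xfrm_teardown` only declares `cfg` and removes nothing, and setup never checks whether `$cfg` already exists, so a link left over from the previous run makes every create attempt fail. Deleting the link in teardown, and defensively before `proto_init_update` in setup, closes that gap; the `ip link del "$cfg"` lines interleaved above are exactly that change.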
>> --
>> 2.11.0
>>
>>
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel


-- 
Kind regards
André Valentin

System administration - Project coordination



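The setup loop at the top of this mail comes from netifd asking the kernel to add an xfrm link whose name is still in use. The helper below is an added example, not code from the patch, netifd or iproute2: it parses `ip -d link show` output to decide whether a leftover link has to be deleted before a new one is created, and compares the kernel's hex `if_id` with the decimal `ifid` from /etc/config/network. The sample output and the `xfrm dev ... if_id ...` detail line format are assumptions.

```shell
#!/bin/sh
# Added example (not from the patch or netifd): decide from `ip -d link show`
# output whether a leftover xfrm link must be removed before netifd re-creates
# it; xfrm links cannot be replaced over netlink, so a stale one loops setup.
# Constructed sample; the `xfrm dev ... if_id ...` detail line format is assumed.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
14: xfrm0@eth0: <NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN
    link/none
    xfrm dev eth0 if_id 0x1e
15: xfrm1@eth0: <NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN
    link/none
    xfrm dev eth0 if_id 0x1f'
# Print the if_id (0x-prefixed hex, as iproute2 shows it) of link $1 in $2.
xfrm_link_ifid() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^[0-9]+: / { cur = $2; sub(/[@:].*/, "", cur) }
        cur == n && /^ *xfrm / { for (i = 1; i <= NF; i++) if ($i == "if_id") print $(i + 1) }'
}

# True if a link named $1 is present in $2.
xfrm_link_exists() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^[0-9]+: / { cur = $2; sub(/[@:].*/, "", cur); if (cur == n) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# True if link $1 carries the decimal ifid $2 configured in /etc/config/network.
xfrm_link_ifid_matches() {
    [ "$(xfrm_link_ifid "$1" "$3")" = "$(printf '0x%x' "$2")" ]
}

# "create" when the name is free, else "delete <if_id>": the old link must go first.
xfrm_link_plan() {
    if xfrm_link_exists "$1" "$3"; then
        printf 'delete %s\n' "$(xfrm_link_ifid "$1" "$3")"
    else
        echo create
    fi
}

# Live variant for a proto script: consult the kernel and remove a leftover link.
xfrm_link_ensure_absent() {
    case "$(xfrm_link_plan "$1" "$2" "$(ip -d link show 2>/dev/null)")" in
        delete*) ip link del "$1" ;;
    esac
}
```

In a proto script, `xfrm_link_ensure_absent "$cfg" "$ifid"` would run right before `proto_init_update`; the other functions work on captured text so the decision can be tested without root.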