Hi Hans!!

On 11.06.19 at 22:16, Hans Dedecker wrote:
> Hi,
>
> On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <[email protected]> wrote:
>>
>> Hi Hans,
>>
>> after testing xfrm tunnels a bit I found two big differences compared to
>> other conventional tunnels.
>> 1) xfrm tunnel interfaces cannot be replaced with netlink
>> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted
>>
>> This leads to some errors and a loop in interface creation. With the changes
>> below, it works smoothly when not bound to ppp interfaces (using lan instead), see:
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
>> and so on
>>
>> What do you think?
> The description is a bit cryptic to me; could you explain what works
> and what does not work and why ?
Sorry for being cryptic, I tend to do that ;-)
Okay, I do the following:
# ifup xfrm0
... use it
# ifdown xfrm0
The interface still exists (checked with ip link).
Now I'll do ifup again and this happens endlessly:
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
In netifd the xfrm0 interface is created with the REPLACE flag, but that does not seem to work: it cannot be recreated and fails. The result is the error above repeating. That's why I'm thinking about a call to "ip link delete xfrm0" before the proto_init_update call and in the teardown call.

André

>
> Hans
>>
>> Kind regards,
>>
>> André
>>
>>
>> On 09.06.19 at 21:27, Hans Dedecker wrote:
>>> On Sat, Jun 8, 2019 at 1:48 PM André Valentin <[email protected]> wrote:
>>>>
>>>> This package adds scripts for xfrm interfaces support.
>>>> Example configuration via /etc/config/network:
>>>>
>>>> config interface 'xfrm0'
>>>> 	option proto 'xfrm'
>>>> 	option mtu '1300'
>>>> 	option zone 'VPN'
>>>> 	option tunlink 'wan'
>>>> 	option ifid 30
>>>>
>>>> config interface 'xfrm0_static'
>>>> 	option proto 'static'
>>>> 	option ifname '@xfrm0'
>>>> 	option ip6addr 'fe80::1/64'
>>>> 	option ipaddr '10.0.0.1/30'
>>>>
>>>> Now set in strongswan IPsec policy:
>>>> if_id_in = 30
>>>> if_id_out = 30
>>>> ---
>>>>  package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
>>>>  package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
>>>>  2 files changed, 103 insertions(+)
>>>>  create mode 100644 package/network/config/xfrm/Makefile
>>>>  create mode 100755 package/network/config/xfrm/files/xfrm.sh
>>>>
>>>> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
>>>> new file mode 100644
>>>> index 0000000000..efc90cf318
>>>> --- /dev/null
>>>> +++ b/package/network/config/xfrm/Makefile
>>>> @@ -0,0 +1,38 @@ >>>> + >>>> +include $(TOPDIR)/rules.mk >>>> + >>>> +PKG_NAME:=xfrm >>>> +PKG_VERSION:=1 >>>> +PKG_RELEASE:=1 >>>> +PKG_LICENSE:=GPL-2.0 >>>> + >>>> +include $(INCLUDE_DIR)/package.mk >>>> + >>>> +define Package/xfrm/Default >>>> + SECTION:=net >>>> + CATEGORY:=Network >>>> + MAINTAINER:=Andre Valentin <[email protected]> >>>> +endef >>>> + >>>> +define Package/xfrm >>>> +$(call Package/xfrm/Default) >>>> + TITLE:=XFRM IPsec Tunnel Interface config support >>>> + DEPENDS:=+kmod-xfrm-interface >>>> +endef >>>> + >>>> +define Package/xfrm/description >>>> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in >>>> /etc/config/network. >>>> +endef >>>> + >>>> +define Build/Compile >>>> +endef >>>> + >>>> +define Build/Configure >>>> +endef >>>> + >>>> +define Package/xfrm/install >>>> + $(INSTALL_DIR) $(1)/lib/netifd/proto >>>> + $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh >>>> +endef >>>> + >>>> +$(eval $(call BuildPackage,xfrm)) >>>> diff --git a/package/network/config/xfrm/files/xfrm.sh >>>> b/package/network/config/xfrm/files/xfrm.sh >>>> new file mode 100755 >>>> index 0000000000..df28d38613 >>>> --- /dev/null >>>> +++ b/package/network/config/xfrm/files/xfrm.sh 
>>>> @@ -0,0 +1,65 @@ >>>> +#!/bin/sh >>>> + >>>> +[ -n "$INCLUDE_ONLY" ] || { >>>> + . /lib/functions.sh >>>> + . /lib/functions/network.sh >>>> + . ../netifd-proto.sh >>>> + init_proto "$@" >>>> +} >>>> + >>>> +proto_xfrm_setup() { >>>> + local cfg="$1" >>>> + local mode="xfrm" >>>> + >>>> + local tunlink ifid mtu zone >>>> + json_get_vars tunlink ifid mtu zone >>>> + >> if exists .. ip link del "$cfg" >> >>>> + proto_init_update "$cfg" 1 >>>> + >>>> + proto_add_tunnel >>>> + json_add_string mode "$mode" >>>> + json_add_int mtu "${mtu:-1280}" >>>> + >>>> + [ -z "$tunlink" ] && { >>>> + proto_notify_error "$cfg" NO_TUNLINK >>>> + proto_block_restart "$cfg" >>>> + exit >>>> + } >>>> + json_add_string link "$tunlink" >>>> + >>>> + [ -z "$ifid" ] && { >>>> + proto_notify_error "$cfg" NO_IFID >>>> + proto_block_restart "$cfg" >>>> + exit >>>> + } >>>> + json_add_object 'data' >>>> + [ -n "$ifid" ] && json_add_int ifid "$ifid" >>>> + json_close_object >>>> + >>>> + proto_close_tunnel >>>> + >>>> + proto_add_data >>>> + [ -n "$zone" ] && json_add_string zone "$zone" >>>> + proto_close_data >>>> + >>>> + proto_send_update "$cfg" >>>> +} >>>> + >>>> +proto_xfrm_teardown() { >>>> + local cfg="$1" >> ip link del "$cfg" >>>> +} >>>> + >>>> +proto_xfrm_init_config() { >>>> + no_device=1 >>>> + available=1 >>>> + >>>> + proto_config_add_int "mtu" >>>> + proto_config_add_string "tunlink" >>>> + proto_config_add_string "zone" >>>> + proto_config_add_int "ifid" >>>> +} >>>> + >>>> + >>>> +[ -n "$INCLUDE_ONLY" ] || { >>>> + [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d >>>> /sys/module/xfrm_interface ] && add_protocol xfrm >>> I missed the check for /sys/module/xfrm_interface in my initial >>> review; is there any specific reason for this additional check beside >>> the xfrm_interface.ko check ? >>> >>> Hans >>>> +} >>>> -- >>>> 2.11.0 >>>>
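Review bot: in the Makefile hunk, Package/xfrm/Default is defined and then consumed exactly once, by Package/xfrm; for a single-package Makefile the indirection adds nothing, so fold SECTION, CATEGORY and MAINTAINER straight into Package/xfrm. The empty Build/Configure and Build/Compile overrides are the right thing for a script-only package and can stay.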
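Review bot: in the xfrm.sh hunk, the guard `[ -n "$ifid" ] && json_add_int ifid "$ifid"` inside proto_xfrm_setup is dead code, because the `[ -z "$ifid" ]` block a few lines above already calls proto_block_restart and exits when ifid is unset; call `json_add_int ifid "$ifid"` unconditionally. Both validations (tunlink and ifid) would also sit better before `proto_init_update "$cfg" 1`, so setup does not start building an update that it then abandons on `exit`. The `ip link del "$cfg"` suggested at the top of setup and in proto_xfrm_teardown makes the script idempotent given the two behaviours described in the thread (the interface cannot be replaced via netlink and survives deletion of its parent), but that reason should be stated in the commit message rather than only in this discussion. Likewise, Hans's question about the extra `-d /sys/module/xfrm_interface` test in the add_protocol condition should be answered in the commit message, since as written a reader cannot tell what case it covers beyond the xfrm_interface.ko check.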
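The thread's proposed fix is to delete a possibly stale xfrm interface before recreating it and to delete it again on teardown. The following script is an added example, not code from the patch or from netifd, showing that idempotent create/delete sequence as standalone POSIX shell functions: the parent link is checked before anything is created (the NO_TUNLINK case), a stale interface with the same name is removed first, and teardown removes the interface explicitly because it does not vanish with its parent. The function names and the IP_CMD variable are assumptions of this example; it needs root and a kernel with xfrm_interface to change real links, and IP_CMD can be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example (not part of the patch or of netifd): idempotent xfrm
# interface creation and removal. All names here are assumed for the example.

: "${IP_CMD:=ip}"   # ip(8) binary; override with a stub function to dry-run

# Return 0 if a link named $1 exists, 1 otherwise (ip exits non-zero if not).
xfrm_link_exists() {
    "$IP_CMD" link show dev "$1" >/dev/null 2>&1
}

# Delete link $1 if it exists; a missing link is not an error (idempotent).
xfrm_link_del_if_exists() {
    xfrm_link_exists "$1" || return 0
    "$IP_CMD" link del dev "$1"
}

# (Re)create xfrm interface $1 on parent $2 with if_id $3 and mtu $4.
# Refuses to proceed when the parent is missing or if_id is not an integer,
# and removes any stale instance first, since an existing xfrm link is not
# replaced in place.
xfrm_link_recreate() {
    local name parent ifid mtu
    name=$1; parent=$2; ifid=$3; mtu=${4:-1280}
    case $ifid in
        ''|*[!0-9]*) echo "xfrm: if_id must be a non-negative integer" >&2; return 2 ;;
    esac
    xfrm_link_exists "$parent" || { echo "xfrm: parent link '$parent' missing" >&2; return 3; }
    xfrm_link_del_if_exists "$name" || return $?
    "$IP_CMD" link add "$name" mtu "$mtu" type xfrm dev "$parent" if_id "$ifid" &&
    "$IP_CMD" link set dev "$name" up
}

# Teardown counterpart: the interface survives its parent, so remove it
# explicitly instead of relying on the parent going away.
xfrm_link_teardown() {
    xfrm_link_del_if_exists "$1"
}
```

Running `xfrm_link_recreate xfrm0 wan 30 1300` twice in a row yields one interface rather than the repeating "Command failed" loop from the log above, because the second call deletes the first instance before adding; `xfrm_link_teardown xfrm0` is safe to call whether or not the interface still exists.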
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
