Message ID | 20190608114809.9480-3-avalentin@marcant.net |
---|---|
State | Accepted |
Delegated to: | Hans Dedecker |
Headers | show |
Series | Add xfrm interface support | expand |
On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote: > > This package adds scripts for xfrm interfaces support. > Example configuration via /etc/config/network: > > config interface 'xfrm0' > option proto 'xfrm' > option mtu '1300' > option zone 'VPN' > option tunlink 'wan' > option ifid 30 > > config interface 'xfrm0_static' > option proto 'static' > option ifname '@xfrm0' > option ip6addr 'fe80::1/64' > option ipaddr '10.0.0.1/30' > > Now set in strongswan IPsec policy: > if_id_in = 30 > if_id_out = 30 > --- > package/network/config/xfrm/Makefile | 38 ++++++++++++++++++ > package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++ > 2 files changed, 103 insertions(+) > create mode 100644 package/network/config/xfrm/Makefile > create mode 100755 package/network/config/xfrm/files/xfrm.sh > > diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile > new file mode 100644 > index 0000000000..efc90cf318 > --- /dev/null > +++ b/package/network/config/xfrm/Makefile > @@ -0,0 +1,38 @@ > + > +include $(TOPDIR)/rules.mk > + > +PKG_NAME:=xfrm > +PKG_VERSION:=1 > +PKG_RELEASE:=1 > +PKG_LICENSE:=GPL-2.0 > + > +include $(INCLUDE_DIR)/package.mk > + > +define Package/xfrm/Default > + SECTION:=net > + CATEGORY:=Network > + MAINTAINER:=Andre Valentin <avalentin@marcant.net> > +endef > + > +define Package/xfrm > +$(call Package/xfrm/Default) > + TITLE:=XFRM IPsec Tunnel Interface config support > + DEPENDS:=+kmod-xfrm-interface > +endef > + > +define Package/xfrm/description > + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network. > +endef > + > +define Build/Compile > +endef > + > +define Build/Configure > +endef > + > +define Package/xfrm/install > + $(INSTALL_DIR) $(1)/lib/netifd/proto > + $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh > +endef > + > +$(eval $(call BuildPackage,xfrm)) > diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh > new file mode 100755 > index 0000000000..df28d38613 > --- /dev/null > +++ b/package/network/config/xfrm/files/xfrm.sh > @@ -0,0 +1,65 @@ > +#!/bin/sh > + > +[ -n "$INCLUDE_ONLY" ] || { > + . /lib/functions.sh > + . /lib/functions/network.sh > + . ../netifd-proto.sh > + init_proto "$@" > +} > + > +proto_xfrm_setup() { > + local cfg="$1" > + local mode="xfrm" > + > + local tunlink ifid mtu zone > + json_get_vars tunlink ifid mtu zone > + > + proto_init_update "$cfg" 1 > + > + proto_add_tunnel > + json_add_string mode "$mode" > + json_add_int mtu "${mtu:-1280}" > + > + [ -z "$tunlink" ] && { > + proto_notify_error "$cfg" NO_TUNLINK > + proto_block_restart "$cfg" > + exit > + } > + json_add_string link "$tunlink" > + > + [ -z "$ifid" ] && { > + proto_notify_error "$cfg" NO_IFID > + proto_block_restart "$cfg" > + exit > + } > + json_add_object 'data' > + [ -n "$ifid" ] && json_add_int ifid "$ifid" > + json_close_object > + > + proto_close_tunnel > + > + proto_add_data > + [ -n "$zone" ] && json_add_string zone "$zone" > + proto_close_data > + > + proto_send_update "$cfg" > +} > + > +proto_xfrm_teardown() { > + local cfg="$1" > +} > + > +proto_xfrm_init_config() { > + no_device=1 > + available=1 > + > + proto_config_add_int "mtu" > + proto_config_add_string "tunlink" > + proto_config_add_string "zone" > + proto_config_add_int "ifid" > +} > + > + > +[ -n "$INCLUDE_ONLY" ] || { > + [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm I missed the check for /sys/module/xfrm_interface in my initial review; is there any specific reason for this additional check beside the xfrm_interface.ko check ? Hans > +} > -- > 2.11.0 > > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Hi Hans! Am 09.06.19 um 21:27 schrieb Hans Dedecker: > On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote: >> >> This package adds scripts for xfrm interfaces support. >> Example configuration via /etc/config/network: >> >> config interface 'xfrm0' >> option proto 'xfrm' >> option mtu '1300' >> option zone 'VPN' >> option tunlink 'wan' >> option ifid 30 >> >> config interface 'xfrm0_static' >> option proto 'static' >> option ifname '@xfrm0' >> option ip6addr 'fe80::1/64' >> option ipaddr '10.0.0.1/30' >> >> Now set in strongswan IPsec policy: >> if_id_in = 30 >> if_id_out = 30 >> --- >> package/network/config/xfrm/Makefile | 38 ++++++++++++++++++ >> package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++ >> 2 files changed, 103 insertions(+) >> create mode 100644 package/network/config/xfrm/Makefile >> create mode 100755 package/network/config/xfrm/files/xfrm.sh >> >> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile >> new file mode 100644 >> index 0000000000..efc90cf318 >> --- /dev/null >> +++ b/package/network/config/xfrm/Makefile >> @@ -0,0 +1,38 @@ >> + >> +include $(TOPDIR)/rules.mk >> + >> +PKG_NAME:=xfrm >> +PKG_VERSION:=1 >> +PKG_RELEASE:=1 >> +PKG_LICENSE:=GPL-2.0 >> + >> +include $(INCLUDE_DIR)/package.mk >> + >> +define Package/xfrm/Default >> + SECTION:=net >> + CATEGORY:=Network >> + MAINTAINER:=Andre Valentin <avalentin@marcant.net> >> +endef >> + >> +define Package/xfrm >> +$(call Package/xfrm/Default) >> + TITLE:=XFRM IPsec Tunnel Interface config support >> + DEPENDS:=+kmod-xfrm-interface >> +endef >> + >> +define Package/xfrm/description >> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network. >> +endef >> + >> +define Build/Compile >> +endef >> + >> +define Build/Configure >> +endef >> + >> +define Package/xfrm/install >> + $(INSTALL_DIR) $(1)/lib/netifd/proto >> + $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh >> +endef >> + >> +$(eval $(call BuildPackage,xfrm)) >> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh >> new file mode 100755 >> index 0000000000..df28d38613 >> --- /dev/null >> +++ b/package/network/config/xfrm/files/xfrm.sh >> @@ -0,0 +1,65 @@ >> +#!/bin/sh >> + >> +[ -n "$INCLUDE_ONLY" ] || { >> + . /lib/functions.sh >> + . /lib/functions/network.sh >> + . ../netifd-proto.sh >> + init_proto "$@" >> +} >> + >> +proto_xfrm_setup() { >> + local cfg="$1" >> + local mode="xfrm" >> + >> + local tunlink ifid mtu zone >> + json_get_vars tunlink ifid mtu zone >> + >> + proto_init_update "$cfg" 1 >> + >> + proto_add_tunnel >> + json_add_string mode "$mode" >> + json_add_int mtu "${mtu:-1280}" >> + >> + [ -z "$tunlink" ] && { >> + proto_notify_error "$cfg" NO_TUNLINK >> + proto_block_restart "$cfg" >> + exit >> + } >> + json_add_string link "$tunlink" >> + >> + [ -z "$ifid" ] && { >> + proto_notify_error "$cfg" NO_IFID >> + proto_block_restart "$cfg" >> + exit >> + } >> + json_add_object 'data' >> + [ -n "$ifid" ] && json_add_int ifid "$ifid" >> + json_close_object >> + >> + proto_close_tunnel >> + >> + proto_add_data >> + [ -n "$zone" ] && json_add_string zone "$zone" >> + proto_close_data >> + >> + proto_send_update "$cfg" >> +} >> + >> +proto_xfrm_teardown() { >> + local cfg="$1" >> +} >> + >> +proto_xfrm_init_config() { >> + no_device=1 >> + available=1 >> + >> + proto_config_add_int "mtu" >> + proto_config_add_string "tunlink" >> + proto_config_add_string "zone" >> + proto_config_add_int "ifid" >> +} >> + >> + >> +[ -n "$INCLUDE_ONLY" ] || { >> + [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm > I missed the check for /sys/module/xfrm_interface in my initial > review; is there any specific reason for this additional check beside > the xfrm_interface.ko check ? Of course. I often test or run these images inside containers. In that case, all modules are preloaded on the host. The check would fail cause of different kernel versions and not allow to use xfrm interfaces. Kind regards, André
Hi Hans, after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels. 1) xfrm tunnel interfaces cannot be replaced with netlink 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted This leads to some errors and a loop in interface creation. With the changes below, it works smoothly when not bound to ppp interfaces (using lan instead), see: Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error and so on What do you think? Kind regards, André Am 09.06.19 um 21:27 schrieb Hans Dedecker: > On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote: >> >> This package adds scripts for xfrm interfaces support. >> Example configuration via /etc/config/network: >> >> config interface 'xfrm0' >> option proto 'xfrm' >> option mtu '1300' >> option zone 'VPN' >> option tunlink 'wan' >> option ifid 30 >> >> config interface 'xfrm0_static' >> option proto 'static' >> option ifname '@xfrm0' >> option ip6addr 'fe80::1/64' >> option ipaddr '10.0.0.1/30' >> >> Now set in strongswan IPsec policy: >> if_id_in = 30 >> if_id_out = 30 >> --- >> package/network/config/xfrm/Makefile | 38 ++++++++++++++++++ >> package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++ >> 2 files changed, 103 insertions(+) >> create mode 100644 package/network/config/xfrm/Makefile >> create mode 100755 package/network/config/xfrm/files/xfrm.sh >> >> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile >> new file mode 100644 >> index 0000000000..efc90cf318 >> --- /dev/null >> +++ b/package/network/config/xfrm/Makefile >> @@ -0,0 +1,38 @@ >> + >> +include $(TOPDIR)/rules.mk >> + >> +PKG_NAME:=xfrm >> +PKG_VERSION:=1 >> +PKG_RELEASE:=1 >> +PKG_LICENSE:=GPL-2.0 >> + >> +include $(INCLUDE_DIR)/package.mk >> + >> +define Package/xfrm/Default >> + SECTION:=net >> + CATEGORY:=Network >> + MAINTAINER:=Andre Valentin <avalentin@marcant.net> >> +endef >> + >> +define Package/xfrm >> +$(call Package/xfrm/Default) >> + TITLE:=XFRM IPsec Tunnel Interface config support >> + DEPENDS:=+kmod-xfrm-interface >> +endef >> + >> +define Package/xfrm/description >> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network. >> +endef >> + >> +define Build/Compile >> +endef >> + >> +define Build/Configure >> +endef >> + >> +define Package/xfrm/install >> + $(INSTALL_DIR) $(1)/lib/netifd/proto >> + $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh >> +endef >> + >> +$(eval $(call BuildPackage,xfrm)) >> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh >> new file mode 100755 >> index 0000000000..df28d38613 >> --- /dev/null >> +++ b/package/network/config/xfrm/files/xfrm.sh >> @@ -0,0 +1,65 @@ >> +#!/bin/sh >> + >> +[ -n "$INCLUDE_ONLY" ] || { >> + . /lib/functions.sh >> + . /lib/functions/network.sh >> + . ../netifd-proto.sh >> + init_proto "$@" >> +} >> + >> +proto_xfrm_setup() { >> + local cfg="$1" >> + local mode="xfrm" >> + >> + local tunlink ifid mtu zone >> + json_get_vars tunlink ifid mtu zone >> + if exists .. ip link del "$cfg" >> + proto_init_update "$cfg" 1 >> + >> + proto_add_tunnel >> + json_add_string mode "$mode" >> + json_add_int mtu "${mtu:-1280}" >> + >> + [ -z "$tunlink" ] && { >> + proto_notify_error "$cfg" NO_TUNLINK >> + proto_block_restart "$cfg" >> + exit >> + } >> + json_add_string link "$tunlink" >> + >> + [ -z "$ifid" ] && { >> + proto_notify_error "$cfg" NO_IFID >> + proto_block_restart "$cfg" >> + exit >> + } >> + json_add_object 'data' >> + [ -n "$ifid" ] && json_add_int ifid "$ifid" >> + json_close_object >> + >> + proto_close_tunnel >> + >> + proto_add_data >> + [ -n "$zone" ] && json_add_string zone "$zone" >> + proto_close_data >> + >> + proto_send_update "$cfg" >> +} >> + >> +proto_xfrm_teardown() { >> + local cfg="$1" ip link del "$cfg" >> +} >> + >> +proto_xfrm_init_config() { >> + no_device=1 >> + available=1 >> + >> + proto_config_add_int "mtu" >> + proto_config_add_string "tunlink" >> + proto_config_add_string "zone" >> + proto_config_add_int "ifid" >> +} >> + >> + >> +[ -n "$INCLUDE_ONLY" ] || { >> + [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm > I missed the check for /sys/module/xfrm_interface in my initial > review; is there any specific reason for this additional check beside > the xfrm_interface.ko check ? > > Hans >> +} >> -- >> 2.11.0 >> >> >> _______________________________________________ >> openwrt-devel mailing list >> openwrt-devel@lists.openwrt.org >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel >
Hi, On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin@marcant.net> wrote: > > Hi Hans, > > after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels. > 1) xfrm tunnel interfaces cannot be replaced with netlink > 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted > > This leads to some errors and a loop in interface creation. With the changes below, > it works smoothly when not bound to ppp interfaces (using lan instead), see: > Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error > Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down > Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now > Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error > and so on > > What do you think? The description is a bit cryptic to me; could you explain what works and what does not work and why ? Hans > > Kind regards, > > André > > > Am 09.06.19 um 21:27 schrieb Hans Dedecker: > > On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote: > >> > >> This package adds scripts for xfrm interfaces support. > >> Example configuration via /etc/config/network: > >> > >> config interface 'xfrm0' > >> option proto 'xfrm' > >> option mtu '1300' > >> option zone 'VPN' > >> option tunlink 'wan' > >> option ifid 30 > >> > >> config interface 'xfrm0_static' > >> option proto 'static' > >> option ifname '@xfrm0' > >> option ip6addr 'fe80::1/64' > >> option ipaddr '10.0.0.1/30' > >> > >> Now set in strongswan IPsec policy: > >> if_id_in = 30 > >> if_id_out = 30 > >> --- > >> package/network/config/xfrm/Makefile | 38 ++++++++++++++++++ > >> package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++ > >> 2 files changed, 103 insertions(+) > >> create mode 100644 package/network/config/xfrm/Makefile > >> create mode 100755 package/network/config/xfrm/files/xfrm.sh > >> > >> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile > >> new file mode 100644 > >> index 0000000000..efc90cf318 > >> --- /dev/null > >> +++ b/package/network/config/xfrm/Makefile > >> @@ -0,0 +1,38 @@ > >> + > >> +include $(TOPDIR)/rules.mk > >> + > >> +PKG_NAME:=xfrm > >> +PKG_VERSION:=1 > >> +PKG_RELEASE:=1 > >> +PKG_LICENSE:=GPL-2.0 > >> + > >> +include $(INCLUDE_DIR)/package.mk > >> + > >> +define Package/xfrm/Default > >> + SECTION:=net > >> + CATEGORY:=Network > >> + MAINTAINER:=Andre Valentin <avalentin@marcant.net> > >> +endef > >> + > >> +define Package/xfrm > >> +$(call Package/xfrm/Default) > >> + TITLE:=XFRM IPsec Tunnel Interface config support > >> + DEPENDS:=+kmod-xfrm-interface > >> +endef > >> + > >> +define Package/xfrm/description > >> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network. > >> +endef > >> + > >> +define Build/Compile > >> +endef > >> + > >> +define Build/Configure > >> +endef > >> + > >> +define Package/xfrm/install > >> + $(INSTALL_DIR) $(1)/lib/netifd/proto > >> + $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh > >> +endef > >> + > >> +$(eval $(call BuildPackage,xfrm)) > >> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh > >> new file mode 100755 > >> index 0000000000..df28d38613 > >> --- /dev/null > >> +++ b/package/network/config/xfrm/files/xfrm.sh > >> @@ -0,0 +1,65 @@ > >> +#!/bin/sh > >> + > >> +[ -n "$INCLUDE_ONLY" ] || { > >> + . /lib/functions.sh > >> + . /lib/functions/network.sh > >> + . ../netifd-proto.sh > >> + init_proto "$@" > >> +} > >> + > >> +proto_xfrm_setup() { > >> + local cfg="$1" > >> + local mode="xfrm" > >> + > >> + local tunlink ifid mtu zone > >> + json_get_vars tunlink ifid mtu zone > >> + > if exists .. ip link del "$cfg" > > >> + proto_init_update "$cfg" 1 > >> + > >> + proto_add_tunnel > >> + json_add_string mode "$mode" > >> + json_add_int mtu "${mtu:-1280}" > >> + > >> + [ -z "$tunlink" ] && { > >> + proto_notify_error "$cfg" NO_TUNLINK > >> + proto_block_restart "$cfg" > >> + exit > >> + } > >> + json_add_string link "$tunlink" > >> + > >> + [ -z "$ifid" ] && { > >> + proto_notify_error "$cfg" NO_IFID > >> + proto_block_restart "$cfg" > >> + exit > >> + } > >> + json_add_object 'data' > >> + [ -n "$ifid" ] && json_add_int ifid "$ifid" > >> + json_close_object > >> + > >> + proto_close_tunnel > >> + > >> + proto_add_data > >> + [ -n "$zone" ] && json_add_string zone "$zone" > >> + proto_close_data > >> + > >> + proto_send_update "$cfg" > >> +} > >> + > >> +proto_xfrm_teardown() { > >> + local cfg="$1" > ip link del "$cfg" > >> +} > >> + > >> +proto_xfrm_init_config() { > >> + no_device=1 > >> + available=1 > >> + > >> + proto_config_add_int "mtu" > >> + proto_config_add_string "tunlink" > >> + proto_config_add_string "zone" > >> + proto_config_add_int "ifid" > >> +} > >> + > >> + > >> +[ -n "$INCLUDE_ONLY" ] || { > >> + [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm > > I missed the check for /sys/module/xfrm_interface in my initial > > review; is there any specific reason for this additional check beside > > the xfrm_interface.ko check ? > > > > Hans > >> +} > >> -- > >> 2.11.0 > >> > >> > >> _______________________________________________ > >> openwrt-devel mailing list > >> openwrt-devel@lists.openwrt.org > >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel > > > > _______________________________________________ > > openwrt-devel mailing list > > openwrt-devel@lists.openwrt.org > > https://lists.openwrt.org/mailman/listinfo/openwrt-devel > > > > > -- > Mit freundlichen Grüßen > André Valentin > > Systemadministration - Projektkoordination > > > -- > MarcanT AG, Herforder Straße 163a, D - 33609 Bielefeld > Fon: +49 (521) 95945-0 | Fax: +49 (521) 95945-18 > URL: http://www.marcant.net <http://www.marcant.net/> | http://www.global-m2m.com <http://www.global-m2m.com/> > > Internet * Netzwerk * Mobile Daten > > Vorstand: > Thorsten Hojas (Vorsitzender) > Marc-Henrik Delker > Dr. Anja-Christina Padberg > Handelsregister: AG Bielefeld, HRB 42260 USt-ID Nr.: DE 190203238 > > > > ___________________________________________________________ > Ausserhalb unserer Geschäftszeiten (Montag bis Freitag von 8:30 Uhr bis > 17:30 Uhr, ausgenommen gesetzliche Feiertage in NRW) stehen wir Ihnen > gemäß Ihrer jeweiligen Service-Level-Agreements unter der Ihnen > mitgeteilten Telefonnummer für Störungen und Notfälle zur Verfügung. > Sie können natürlich auch gerne jederzeit unter support@marcant.net ein > Ticket eröffnen, welches am nächsten Arbeitstag bearbeitet wird. > > > >
On 8/06/19 14:48, André Valentin wrote: > This package adds scripts for xfrm interfaces support. > Example configuration via /etc/config/network: > > config interface 'xfrm0' > option proto 'xfrm' > option mtu '1300' > option zone 'VPN' > option tunlink 'wan' > option ifid 30 > > config interface 'xfrm0_static' > option proto 'static' > option ifname '@xfrm0' > option ip6addr 'fe80::1/64' > option ipaddr '10.0.0.1/30' > Is there really no simpler way to do this? Can't we combine these into 1 config interface 'xxx' section? Stijn
Hi Hans!! Am 11.06.19 um 22:16 schrieb Hans Dedecker: > Hi, > > On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin@marcant.net> wrote: >> >> Hi Hans, >> >> after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels. >> 1) xfrm tunnel interfaces cannot be replaced with netlink >> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted >> >> This leads to some errors and a loop in interface creation. With the changes below, >> it works smoothly when not bound to ppp interfaces (using lan instead), see: >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error >> and so on >>>> What do you think? > The description is a bit cryptic to me; could you explain what works > and what does not work and why ? Sorry for being cryptic, I tend to that;-) Okay, I do the following: # ifup xfrm0 ... use it # ifdown xfrm0 The interface still exists (checked with ip link) Now I'll do ifup again and this happens endlessly: >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error In netifd the xfrm0 interface is created with the REPLACE flag, but that does not seem to work, it cannot be recreated and fails. The result is the upper error repeating. That's why I think about the call to "ip link delete xfrm0" before proto_init_update call and in the teardown call. André > > Hans >> >> Kind regards, >> >> André >> >> >> Am 09.06.19 um 21:27 schrieb Hans Dedecker: >>> On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote: >>>> >>>> This package adds scripts for xfrm interfaces support. >>>> Example configuration via /etc/config/network: >>>> >>>> config interface 'xfrm0' >>>> option proto 'xfrm' >>>> option mtu '1300' >>>> option zone 'VPN' >>>> option tunlink 'wan' >>>> option ifid 30 >>>> >>>> config interface 'xfrm0_static' >>>> option proto 'static' >>>> option ifname '@xfrm0' >>>> option ip6addr 'fe80::1/64' >>>> option ipaddr '10.0.0.1/30' >>>> >>>> Now set in strongswan IPsec policy: >>>> if_id_in = 30 >>>> if_id_out = 30 >>>> --- >>>> package/network/config/xfrm/Makefile | 38 ++++++++++++++++++ >>>> package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++ >>>> 2 files changed, 103 insertions(+) >>>> create mode 100644 package/network/config/xfrm/Makefile >>>> create mode 100755 package/network/config/xfrm/files/xfrm.sh >>>> >>>> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile >>>> new file mode 100644 >>>> index 0000000000..efc90cf318 >>>> --- /dev/null >>>> +++ b/package/network/config/xfrm/Makefile >>>> @@ -0,0 +1,38 @@ >>>> + >>>> +include $(TOPDIR)/rules.mk >>>> + >>>> +PKG_NAME:=xfrm >>>> +PKG_VERSION:=1 >>>> +PKG_RELEASE:=1 >>>> +PKG_LICENSE:=GPL-2.0 >>>> + >>>> +include $(INCLUDE_DIR)/package.mk >>>> + >>>> +define Package/xfrm/Default >>>> + SECTION:=net >>>> + CATEGORY:=Network >>>> + MAINTAINER:=Andre Valentin <avalentin@marcant.net> >>>> +endef >>>> + >>>> +define Package/xfrm >>>> +$(call Package/xfrm/Default) >>>> + TITLE:=XFRM IPsec Tunnel Interface config support >>>> + DEPENDS:=+kmod-xfrm-interface >>>> +endef >>>> + >>>> +define Package/xfrm/description >>>> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network. >>>> +endef >>>> + >>>> +define Build/Compile >>>> +endef >>>> + >>>> +define Build/Configure >>>> +endef >>>> + >>>> +define Package/xfrm/install >>>> + $(INSTALL_DIR) $(1)/lib/netifd/proto >>>> + $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh >>>> +endef >>>> + >>>> +$(eval $(call BuildPackage,xfrm)) >>>> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh >>>> new file mode 100755 >>>> index 0000000000..df28d38613 >>>> --- /dev/null >>>> +++ b/package/network/config/xfrm/files/xfrm.sh >>>> @@ -0,0 +1,65 @@ >>>> +#!/bin/sh >>>> + >>>> +[ -n "$INCLUDE_ONLY" ] || { >>>> + . /lib/functions.sh >>>> + . /lib/functions/network.sh >>>> + . ../netifd-proto.sh >>>> + init_proto "$@" >>>> +} >>>> + >>>> +proto_xfrm_setup() { >>>> + local cfg="$1" >>>> + local mode="xfrm" >>>> + >>>> + local tunlink ifid mtu zone >>>> + json_get_vars tunlink ifid mtu zone >>>> + >> if exists .. ip link del "$cfg" >> >>>> + proto_init_update "$cfg" 1 >>>> + >>>> + proto_add_tunnel >>>> + json_add_string mode "$mode" >>>> + json_add_int mtu "${mtu:-1280}" >>>> + >>>> + [ -z "$tunlink" ] && { >>>> + proto_notify_error "$cfg" NO_TUNLINK >>>> + proto_block_restart "$cfg" >>>> + exit >>>> + } >>>> + json_add_string link "$tunlink" >>>> + >>>> + [ -z "$ifid" ] && { >>>> + proto_notify_error "$cfg" NO_IFID >>>> + proto_block_restart "$cfg" >>>> + exit >>>> + } >>>> + json_add_object 'data' >>>> + [ -n "$ifid" ] && json_add_int ifid "$ifid" >>>> + json_close_object >>>> + >>>> + proto_close_tunnel >>>> + >>>> + proto_add_data >>>> + [ -n "$zone" ] && json_add_string zone "$zone" >>>> + proto_close_data >>>> + >>>> + proto_send_update "$cfg" >>>> +} >>>> + >>>> +proto_xfrm_teardown() { >>>> + local cfg="$1" >> ip link del "$cfg" >>>> +} >>>> + >>>> +proto_xfrm_init_config() { >>>> + no_device=1 >>>> + available=1 >>>> + >>>> + proto_config_add_int "mtu" >>>> + proto_config_add_string "tunlink" >>>> + proto_config_add_string "zone" >>>> + proto_config_add_int "ifid" >>>> +} >>>> + >>>> + >>>> +[ -n "$INCLUDE_ONLY" ] || { >>>> + [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm >>> I missed the check for /sys/module/xfrm_interface in my initial >>> review; is there any specific reason for this additional check beside >>> the xfrm_interface.ko check ? >>> >>> Hans >>>> +} >>>> -- >>>> 2.11.0 >>>>
Hi, On Wed, Jun 12, 2019 at 8:28 PM Andre Valentin <avalentin@marcant.net> wrote: > > Hi Hans!! > Am 11.06.19 um 22:16 schrieb Hans Dedecker: > > Hi, > > > > On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin@marcant.net> wrote: > >> > >> Hi Hans, > >> > >> after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels. > >> 1) xfrm tunnel interfaces cannot be replaced with netlink > >> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted > >> > >> This leads to some errors and a loop in interface creation. With the changes below, > >> it works smoothly when not bound to ppp interfaces (using lan instead), see: > >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error > >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down > >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now > >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error > >> and so on > >>>> What do you think? > > The description is a bit cryptic to me; could you explain what works > > and what does not work and why ? > Sorry for being cryptic, I tend to that;-) Okay, I do the following: > # ifup xfrm0 > ... use it > # ifdown xfrm0 > The interface still exists (checked with ip link) > > Now I'll do ifup again and this happens endlessly: > >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error > >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down > >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now > >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error > > In netifd the xfrm0 interface is created with the REPLACE flag, but that does not seem to work, it cannot be recreated and fails. > The result is the upper error repeating. > That's why I think about the call to "ip link delete xfrm0" before proto_init_update call and in the teardown call. Adding the ip link calls does not make sense to me as netifd should take care of deleting the xfrm interfaces Are you sure the xfrm interfaces can be deleted by the ioctl call SIOCDELTUNNEL as is the case now ? For the other tunnel interfaces like vti/gre deletion is done via the netlink interface. Next to that I noticed a tunlink is specified in xfrm.sh but no proto_add_host_dependency is added; is this on purpose ? Hans > > André > > > > > > Hans > >> > >> Kind regards, > >> > >> André > >> > >> > >> Am 09.06.19 um 21:27 schrieb Hans Dedecker: > >>> On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote: > >>>> > >>>> This package adds scripts for xfrm interfaces support. > >>>> Example configuration via /etc/config/network: > >>>> > >>>> config interface 'xfrm0' > >>>> option proto 'xfrm' > >>>> option mtu '1300' > >>>> option zone 'VPN' > >>>> option tunlink 'wan' > >>>> option ifid 30 > >>>> > >>>> config interface 'xfrm0_static' > >>>> option proto 'static' > >>>> option ifname '@xfrm0' > >>>> option ip6addr 'fe80::1/64' > >>>> option ipaddr '10.0.0.1/30' > >>>> > >>>> Now set in strongswan IPsec policy: > >>>> if_id_in = 30 > >>>> if_id_out = 30 > >>>> --- > >>>> package/network/config/xfrm/Makefile | 38 ++++++++++++++++++ > >>>> package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++ > >>>> 2 files changed, 103 insertions(+) > >>>> create mode 100644 package/network/config/xfrm/Makefile > >>>> create mode 100755 package/network/config/xfrm/files/xfrm.sh > >>>> > >>>> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile > >>>> new file mode 100644 > >>>> index 0000000000..efc90cf318 > >>>> --- /dev/null > >>>> +++ b/package/network/config/xfrm/Makefile > >>>> @@ -0,0 +1,38 @@ > >>>> + > >>>> +include $(TOPDIR)/rules.mk > >>>> + > >>>> +PKG_NAME:=xfrm > >>>> +PKG_VERSION:=1 > >>>> +PKG_RELEASE:=1 > >>>> +PKG_LICENSE:=GPL-2.0 > >>>> + > >>>> +include $(INCLUDE_DIR)/package.mk > >>>> + > >>>> +define Package/xfrm/Default > >>>> + SECTION:=net > >>>> + CATEGORY:=Network > >>>> + MAINTAINER:=Andre Valentin <avalentin@marcant.net> > >>>> +endef > >>>> + > >>>> +define Package/xfrm > >>>> +$(call Package/xfrm/Default) > >>>> + TITLE:=XFRM IPsec Tunnel Interface config support > >>>> + DEPENDS:=+kmod-xfrm-interface > >>>> +endef > >>>> + > >>>> +define Package/xfrm/description > >>>> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network. > >>>> +endef > >>>> + > >>>> +define Build/Compile > >>>> +endef > >>>> + > >>>> +define Build/Configure > >>>> +endef > >>>> + > >>>> +define Package/xfrm/install > >>>> + $(INSTALL_DIR) $(1)/lib/netifd/proto > >>>> + $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh > >>>> +endef > >>>> + > >>>> +$(eval $(call BuildPackage,xfrm)) > >>>> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh > >>>> new file mode 100755 > >>>> index 0000000000..df28d38613 > >>>> --- /dev/null > >>>> +++ b/package/network/config/xfrm/files/xfrm.sh > >>>> @@ -0,0 +1,65 @@ > >>>> +#!/bin/sh > >>>> + > >>>> +[ -n "$INCLUDE_ONLY" ] || { > >>>> + . /lib/functions.sh > >>>> + . /lib/functions/network.sh > >>>> + . ../netifd-proto.sh > >>>> + init_proto "$@" > >>>> +} > >>>> + > >>>> +proto_xfrm_setup() { > >>>> + local cfg="$1" > >>>> + local mode="xfrm" > >>>> + > >>>> + local tunlink ifid mtu zone > >>>> + json_get_vars tunlink ifid mtu zone > >>>> + > >> if exists .. ip link del "$cfg" > >> > >>>> + proto_init_update "$cfg" 1 > >>>> + > >>>> + proto_add_tunnel > >>>> + json_add_string mode "$mode" > >>>> + json_add_int mtu "${mtu:-1280}" > >>>> + > >>>> + [ -z "$tunlink" ] && { > >>>> + proto_notify_error "$cfg" NO_TUNLINK > >>>> + proto_block_restart "$cfg" > >>>> + exit > >>>> + } > >>>> + json_add_string link "$tunlink" > >>>> + > >>>> + [ -z "$ifid" ] && { > >>>> + proto_notify_error "$cfg" NO_IFID > >>>> + proto_block_restart "$cfg" > >>>> + exit > >>>> + } > >>>> + json_add_object 'data' > >>>> + [ -n "$ifid" ] && json_add_int ifid "$ifid" > >>>> + json_close_object > >>>> + > >>>> + proto_close_tunnel > >>>> + > >>>> + proto_add_data > >>>> + [ -n "$zone" ] && json_add_string zone "$zone" > >>>> + proto_close_data > >>>> + > >>>> + proto_send_update "$cfg" > >>>> +} > >>>> + > >>>> +proto_xfrm_teardown() { > >>>> + local cfg="$1" > >> ip link del "$cfg" > >>>> +} > >>>> + > >>>> +proto_xfrm_init_config() { > >>>> + no_device=1 > >>>> + available=1 > >>>> + > >>>> + proto_config_add_int "mtu" > >>>> + proto_config_add_string "tunlink" > >>>> + proto_config_add_string "zone" > >>>> + proto_config_add_int "ifid" > >>>> +} > >>>> + > >>>> + > >>>> +[ -n "$INCLUDE_ONLY" ] || { > >>>> + [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm > >>> I missed the check for /sys/module/xfrm_interface in my initial > >>> review; is there any specific reason for this additional check beside > >>> the xfrm_interface.ko check ? > >>> > >>> Hans > >>>> +} > >>>> -- > >>>> 2.11.0 > >>>> >
Hi! On 13.06.19 08:44, Hans Dedecker wrote: > Hi, > > On Wed, Jun 12, 2019 at 8:28 PM Andre Valentin <avalentin@marcant.net> wrote: >> >> Hi Hans!! >> Am 11.06.19 um 22:16 schrieb Hans Dedecker: >>> Hi, >>> >>> On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin@marcant.net> wrote: >>>> >>>> Hi Hans, >>>> >>>> after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels. >>>> 1) xfrm tunnel interfaces cannot be replaced with netlink >>>> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted >>>> >>>> This leads to some errors and a loop in interface creation. With the changes below, >>>> it works smoothly when not bound to ppp interfaces (using lan instead), see: >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error >>>> and so on >>>>>> What do you think? >>> The description is a bit cryptic to me; could you explain what works >>> and what does not work and why ? >> Sorry for being cryptic, I tend to that;-) Okay, I do the following: >> # ifup xfrm0 >> ... use it >> # ifdown xfrm0 >> The interface still exists (checked with ip link) >> >> Now I'll do ifup again and this happens endlessly: >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error >> >> In netifd the xfrm0 interface is created with the REPLACE flag, but that does not seem to work, it cannot be recreated and fails. >> The result is the upper error repeating. >> That's why I think about the call to "ip link delete xfrm0" before proto_init_update call and in the teardown call. > Adding the ip link calls does not make sense to me as netifd should > take care of deleting the xfrm interfaces > Are you sure the xfrm interfaces can be deleted by the ioctl call > SIOCDELTUNNEL as is the case now ? > For the other tunnel interfaces like vti/gre deletion is done via the > netlink interface. Good point, I will check that. > > Next to that I noticed a tunlink is specified in xfrm.sh but no > proto_add_host_dependency is added; is this on purpose ? Yes, that is on purpose. The tunlink specified is a must, but is noted used for decrypting and encrypting packets. It works on every interface. Also the XFRM interface has no IP endpoint, so there no possibility to add this to the interface, it would be only cosmetical. Thanks, André
On Thu, Jun 13, 2019 at 9:18 AM Andre Valentin <avalentin@marcant.net> wrote: > > Hi! > > On 13.06.19 08:44, Hans Dedecker wrote: > > Hi, > > > > On Wed, Jun 12, 2019 at 8:28 PM Andre Valentin <avalentin@marcant.net> wrote: > >> > >> Hi Hans!! > >> Am 11.06.19 um 22:16 schrieb Hans Dedecker: > >>> Hi, > >>> > >>> On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin@marcant.net> wrote: > >>>> > >>>> Hi Hans, > >>>> > >>>> after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels. > >>>> 1) xfrm tunnel interfaces cannot be replaced with netlink > >>>> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted > >>>> > >>>> This leads to some errors and a loop in interface creation. With the changes below, > >>>> it works smoothly when not bound to ppp interfaces (using lan instead), see: > >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error > >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down > >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now > >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error > >>>> and so on > >>>>>> What do you think? > >>> The description is a bit cryptic to me; could you explain what works > >>> and what does not work and why ? > >> Sorry for being cryptic, I tend to that;-) Okay, I do the following: > >> # ifup xfrm0 > >> ... use it > >> # ifdown xfrm0 > >> The interface still exists (checked with ip link) > >> > >> Now I'll do ifup again and this happens endlessly: > >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error > >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down > >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now > >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error > >> > >> In netifd the xfrm0 interface is created with the REPLACE flag, but that does not seem to work, it cannot be recreated and fails. > >> The result is the upper error repeating. > >> That's why I think about the call to "ip link delete xfrm0" before proto_init_update call and in the teardown call. > > Adding the ip link calls does not make sense to me as netifd should > > take care of deleting the xfrm interfaces > > Are you sure the xfrm interfaces can be deleted by the ioctl call > > SIOCDELTUNNEL as is the case now ? > > For the other tunnel interfaces like vti/gre deletion is done via the > > netlink interface. > > Good point, I will check that. > > > > Next to that I noticed a tunlink is specified in xfrm.sh but no > > proto_add_host_dependency is added; is this on purpose ? > Yes, that is on purpose. The tunlink specified is a must, but is noted > used for decrypting and encrypting packets. It works on every interface. > > Also the XFRM interface has no IP endpoint, so there no possibility to > add this to the interface, it would be only cosmetical. You can install a proto_add_host_dependency on an interface (tunlink in this case); so it's not required to have an IP endpoint. Hans > > Thanks, > > André
diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile new file mode 100644 index 0000000000..efc90cf318 --- /dev/null +++ b/package/network/config/xfrm/Makefile @@ -0,0 +1,38 @@ + +include $(TOPDIR)/rules.mk + +PKG_NAME:=xfrm +PKG_VERSION:=1 +PKG_RELEASE:=1 +PKG_LICENSE:=GPL-2.0 + +include $(INCLUDE_DIR)/package.mk + +define Package/xfrm/Default + SECTION:=net + CATEGORY:=Network + MAINTAINER:=Andre Valentin <avalentin@marcant.net> +endef + +define Package/xfrm +$(call Package/xfrm/Default) + TITLE:=XFRM IPsec Tunnel Interface config support + DEPENDS:=+kmod-xfrm-interface +endef + +define Package/xfrm/description + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network. +endef + +define Build/Compile +endef + +define Build/Configure +endef + +define Package/xfrm/install + $(INSTALL_DIR) $(1)/lib/netifd/proto + $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh +endef + +$(eval $(call BuildPackage,xfrm)) diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh new file mode 100755 index 0000000000..df28d38613 --- /dev/null +++ b/package/network/config/xfrm/files/xfrm.sh @@ -0,0 +1,65 @@ +#!/bin/sh + +[ -n "$INCLUDE_ONLY" ] || { + . /lib/functions.sh + . /lib/functions/network.sh + . ../netifd-proto.sh + init_proto "$@" +} + +proto_xfrm_setup() { + local cfg="$1" + local mode="xfrm" + + local tunlink ifid mtu zone + json_get_vars tunlink ifid mtu zone + + proto_init_update "$cfg" 1 + + proto_add_tunnel + json_add_string mode "$mode" + json_add_int mtu "${mtu:-1280}" + + [ -z "$tunlink" ] && { + proto_notify_error "$cfg" NO_TUNLINK + proto_block_restart "$cfg" + exit + } + json_add_string link "$tunlink" + + [ -z "$ifid" ] && { + proto_notify_error "$cfg" NO_IFID + proto_block_restart "$cfg" + exit + } + json_add_object 'data' + [ -n "$ifid" ] && json_add_int ifid "$ifid" + json_close_object + + proto_close_tunnel + + proto_add_data + [ -n "$zone" ] && json_add_string zone "$zone" + proto_close_data + + proto_send_update "$cfg" +} + +proto_xfrm_teardown() { + local cfg="$1" +} + +proto_xfrm_init_config() { + no_device=1 + available=1 + + proto_config_add_int "mtu" + proto_config_add_string "tunlink" + proto_config_add_string "zone" + proto_config_add_int "ifid" +} + + +[ -n "$INCLUDE_ONLY" ] || { + [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm +}