
[OpenWrt-Devel,v3,2/3] network/config: add xfrm interface support scripts

Message ID 20190608114809.9480-3-avalentin@marcant.net
State Accepted
Delegated to: Hans Dedecker

Commit Message

André Valentin June 8, 2019, 11:48 a.m. UTC
This package adds scripts for xfrm interfaces support.
Example configuration via /etc/config/network:

config interface 'xfrm0'
        option proto 'xfrm'
        option mtu '1300'
        option zone 'VPN'
        option tunlink 'wan'
        option ifid 30

config interface 'xfrm0_static'
        option proto 'static'
        option ifname '@xfrm0'
        option ip6addr 'fe80::1/64'
        option ipaddr '10.0.0.1/30'

Now set in strongswan IPsec policy:
 	if_id_in = 30
	if_id_out = 30
---
 package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
 package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+)
 create mode 100644 package/network/config/xfrm/Makefile
 create mode 100755 package/network/config/xfrm/files/xfrm.sh

Comments

Hans Dedecker June 9, 2019, 7:27 p.m. UTC | #1
On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote:
>
> This package adds scripts for xfrm interfaces support.
> Example configuration via /etc/config/network:
>
> config interface 'xfrm0'
>         option proto 'xfrm'
>         option mtu '1300'
>         option zone 'VPN'
>         option tunlink 'wan'
>         option ifid 30
>
> config interface 'xfrm0_static'
>         option proto 'static'
>         option ifname '@xfrm0'
>         option ip6addr 'fe80::1/64'
>         option ipaddr '10.0.0.1/30'
>
> Now set in strongswan IPsec policy:
>         if_id_in = 30
>         if_id_out = 30
> ---
>  package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
>  package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
>  2 files changed, 103 insertions(+)
>  create mode 100644 package/network/config/xfrm/Makefile
>  create mode 100755 package/network/config/xfrm/files/xfrm.sh
>
> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
> new file mode 100644
> index 0000000000..efc90cf318
> --- /dev/null
> +++ b/package/network/config/xfrm/Makefile
> @@ -0,0 +1,38 @@
> +
> +include $(TOPDIR)/rules.mk
> +
> +PKG_NAME:=xfrm
> +PKG_VERSION:=1
> +PKG_RELEASE:=1
> +PKG_LICENSE:=GPL-2.0
> +
> +include $(INCLUDE_DIR)/package.mk
> +
> +define Package/xfrm/Default
> +  SECTION:=net
> +  CATEGORY:=Network
> +  MAINTAINER:=Andre Valentin <avalentin@marcant.net>
> +endef
> +
> +define Package/xfrm
> +$(call Package/xfrm/Default)
> +  TITLE:=XFRM IPsec Tunnel Interface config support
> +  DEPENDS:=+kmod-xfrm-interface
> +endef
> +
> +define Package/xfrm/description
> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network.
> +endef
> +
> +define Build/Compile
> +endef
> +
> +define Build/Configure
> +endef
> +
> +define Package/xfrm/install
> +       $(INSTALL_DIR) $(1)/lib/netifd/proto
> +       $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh
> +endef
> +
> +$(eval $(call BuildPackage,xfrm))
> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh
> new file mode 100755
> index 0000000000..df28d38613
> --- /dev/null
> +++ b/package/network/config/xfrm/files/xfrm.sh
> @@ -0,0 +1,65 @@
> +#!/bin/sh
> +
> +[ -n "$INCLUDE_ONLY" ] || {
> +       . /lib/functions.sh
> +       . /lib/functions/network.sh
> +       . ../netifd-proto.sh
> +       init_proto "$@"
> +}
> +
> +proto_xfrm_setup() {
> +       local cfg="$1"
> +       local mode="xfrm"
> +
> +       local tunlink ifid mtu zone
> +       json_get_vars tunlink ifid mtu zone
> +
> +       proto_init_update "$cfg" 1
> +
> +       proto_add_tunnel
> +       json_add_string mode "$mode"
> +       json_add_int mtu "${mtu:-1280}"
> +
> +       [ -z "$tunlink" ] && {
> +               proto_notify_error "$cfg" NO_TUNLINK
> +               proto_block_restart "$cfg"
> +               exit
> +       }
> +       json_add_string link "$tunlink"
> +
> +       [ -z "$ifid" ] && {
> +               proto_notify_error "$cfg" NO_IFID
> +               proto_block_restart "$cfg"
> +               exit
> +       }
> +       json_add_object 'data'
> +       [ -n "$ifid" ] && json_add_int ifid "$ifid"
> +       json_close_object
> +
> +       proto_close_tunnel
> +
> +       proto_add_data
> +       [ -n "$zone" ] && json_add_string zone "$zone"
> +       proto_close_data
> +
> +       proto_send_update "$cfg"
> +}
> +
> +proto_xfrm_teardown() {
> +       local cfg="$1"
> +}
> +
> +proto_xfrm_init_config() {
> +       no_device=1
> +       available=1
> +
> +       proto_config_add_int "mtu"
> +       proto_config_add_string "tunlink"
> +       proto_config_add_string "zone"
> +       proto_config_add_int "ifid"
> +}
> +
> +
> +[ -n "$INCLUDE_ONLY" ] || {
> +       [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm
I missed the check for /sys/module/xfrm_interface in my initial
review; is there any specific reason for this additional check beside
the xfrm_interface.ko check ?

Hans
> +}
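Review bot: The `[ -n "$ifid" ] && json_add_int ifid "$ifid"` line inside the `data` object is a dead guard, because an empty ifid already exits the script through the NO_IFID branch a few lines above; it should simply read `json_add_int ifid "$ifid"`. The meaning of that option lives only in the commit message, so a header comment in xfrm.sh such as `# ifid: XFRM interface id; must equal the if_id_in/if_id_out of the IPsec policy this interface is meant to carry` would help whoever configures it. In the protocol registration at the end of the file, `$(uname -r)` is unquoted and `-o` is an obsolescent test operator; `[ -f "/lib/modules/$(uname -r)/xfrm_interface.ko" ] || [ -d /sys/module/xfrm_interface ]` is the portable form. The same hunk is quoted again in the later replies in this thread, so this applies to those copies as well.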
> --
> 2.11.0
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
André Valentin June 9, 2019, 8:10 p.m. UTC | #2
Hi Hans!

Am 09.06.19 um 21:27 schrieb Hans Dedecker:
> On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote:
>>
>> This package adds scripts for xfrm interfaces support.
>> Example configuration via /etc/config/network:
>>
>> config interface 'xfrm0'
>>         option proto 'xfrm'
>>         option mtu '1300'
>>         option zone 'VPN'
>>         option tunlink 'wan'
>>         option ifid 30
>>
>> config interface 'xfrm0_static'
>>         option proto 'static'
>>         option ifname '@xfrm0'
>>         option ip6addr 'fe80::1/64'
>>         option ipaddr '10.0.0.1/30'
>>
>> Now set in strongswan IPsec policy:
>>         if_id_in = 30
>>         if_id_out = 30
>> ---
>>  package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
>>  package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
>>  2 files changed, 103 insertions(+)
>>  create mode 100644 package/network/config/xfrm/Makefile
>>  create mode 100755 package/network/config/xfrm/files/xfrm.sh
>>
>> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
>> new file mode 100644
>> index 0000000000..efc90cf318
>> --- /dev/null
>> +++ b/package/network/config/xfrm/Makefile
>> @@ -0,0 +1,38 @@
>> +
>> +include $(TOPDIR)/rules.mk
>> +
>> +PKG_NAME:=xfrm
>> +PKG_VERSION:=1
>> +PKG_RELEASE:=1
>> +PKG_LICENSE:=GPL-2.0
>> +
>> +include $(INCLUDE_DIR)/package.mk
>> +
>> +define Package/xfrm/Default
>> +  SECTION:=net
>> +  CATEGORY:=Network
>> +  MAINTAINER:=Andre Valentin <avalentin@marcant.net>
>> +endef
>> +
>> +define Package/xfrm
>> +$(call Package/xfrm/Default)
>> +  TITLE:=XFRM IPsec Tunnel Interface config support
>> +  DEPENDS:=+kmod-xfrm-interface
>> +endef
>> +
>> +define Package/xfrm/description
>> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network.
>> +endef
>> +
>> +define Build/Compile
>> +endef
>> +
>> +define Build/Configure
>> +endef
>> +
>> +define Package/xfrm/install
>> +       $(INSTALL_DIR) $(1)/lib/netifd/proto
>> +       $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh
>> +endef
>> +
>> +$(eval $(call BuildPackage,xfrm))
>> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh
>> new file mode 100755
>> index 0000000000..df28d38613
>> --- /dev/null
>> +++ b/package/network/config/xfrm/files/xfrm.sh
>> @@ -0,0 +1,65 @@
>> +#!/bin/sh
>> +
>> +[ -n "$INCLUDE_ONLY" ] || {
>> +       . /lib/functions.sh
>> +       . /lib/functions/network.sh
>> +       . ../netifd-proto.sh
>> +       init_proto "$@"
>> +}
>> +
>> +proto_xfrm_setup() {
>> +       local cfg="$1"
>> +       local mode="xfrm"
>> +
>> +       local tunlink ifid mtu zone
>> +       json_get_vars tunlink ifid mtu zone
>> +
>> +       proto_init_update "$cfg" 1
>> +
>> +       proto_add_tunnel
>> +       json_add_string mode "$mode"
>> +       json_add_int mtu "${mtu:-1280}"
>> +
>> +       [ -z "$tunlink" ] && {
>> +               proto_notify_error "$cfg" NO_TUNLINK
>> +               proto_block_restart "$cfg"
>> +               exit
>> +       }
>> +       json_add_string link "$tunlink"
>> +
>> +       [ -z "$ifid" ] && {
>> +               proto_notify_error "$cfg" NO_IFID
>> +               proto_block_restart "$cfg"
>> +               exit
>> +       }
>> +       json_add_object 'data'
>> +       [ -n "$ifid" ] && json_add_int ifid "$ifid"
>> +       json_close_object
>> +
>> +       proto_close_tunnel
>> +
>> +       proto_add_data
>> +       [ -n "$zone" ] && json_add_string zone "$zone"
>> +       proto_close_data
>> +
>> +       proto_send_update "$cfg"
>> +}
>> +
>> +proto_xfrm_teardown() {
>> +       local cfg="$1"
>> +}
>> +
>> +proto_xfrm_init_config() {
>> +       no_device=1
>> +       available=1
>> +
>> +       proto_config_add_int "mtu"
>> +       proto_config_add_string "tunlink"
>> +       proto_config_add_string "zone"
>> +       proto_config_add_int "ifid"
>> +}
>> +
>> +
>> +[ -n "$INCLUDE_ONLY" ] || {
>> +       [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm
> I missed the check for /sys/module/xfrm_interface in my initial
> review; is there any specific reason for this additional check beside
> the xfrm_interface.ko check ?

Of course. I often test or run these images inside containers. In that case, all modules are preloaded on the host.
The check would fail cause of different kernel versions and not allow to use xfrm interfaces.

Kind regards,

André
André Valentin June 10, 2019, 6:10 p.m. UTC | #3
Hi Hans,

after testing xfrm tunnels a bit I found two big differences compared to other conventional tunnels.
1) xfrm tunnel interfaces cannot be replaced with netlink
2) xfrm tunnel interfaces DO NOT vanish if parent is deleted

This leads to some errors and a loop in interface creation. With the changes below,
it works smoothly when not bound to ppp interfaces (using lan instead), see:
Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
and so on

What do you think?

Kind regards,

André


Am 09.06.19 um 21:27 schrieb Hans Dedecker:
> On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote:
>>
>> This package adds scripts for xfrm interfaces support.
>> Example configuration via /etc/config/network:
>>
>> config interface 'xfrm0'
>>         option proto 'xfrm'
>>         option mtu '1300'
>>         option zone 'VPN'
>>         option tunlink 'wan'
>>         option ifid 30
>>
>> config interface 'xfrm0_static'
>>         option proto 'static'
>>         option ifname '@xfrm0'
>>         option ip6addr 'fe80::1/64'
>>         option ipaddr '10.0.0.1/30'
>>
>> Now set in strongswan IPsec policy:
>>         if_id_in = 30
>>         if_id_out = 30
>> ---
>>  package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
>>  package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
>>  2 files changed, 103 insertions(+)
>>  create mode 100644 package/network/config/xfrm/Makefile
>>  create mode 100755 package/network/config/xfrm/files/xfrm.sh
>>
>> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
>> new file mode 100644
>> index 0000000000..efc90cf318
>> --- /dev/null
>> +++ b/package/network/config/xfrm/Makefile
>> @@ -0,0 +1,38 @@
>> +
>> +include $(TOPDIR)/rules.mk
>> +
>> +PKG_NAME:=xfrm
>> +PKG_VERSION:=1
>> +PKG_RELEASE:=1
>> +PKG_LICENSE:=GPL-2.0
>> +
>> +include $(INCLUDE_DIR)/package.mk
>> +
>> +define Package/xfrm/Default
>> +  SECTION:=net
>> +  CATEGORY:=Network
>> +  MAINTAINER:=Andre Valentin <avalentin@marcant.net>
>> +endef
>> +
>> +define Package/xfrm
>> +$(call Package/xfrm/Default)
>> +  TITLE:=XFRM IPsec Tunnel Interface config support
>> +  DEPENDS:=+kmod-xfrm-interface
>> +endef
>> +
>> +define Package/xfrm/description
>> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network.
>> +endef
>> +
>> +define Build/Compile
>> +endef
>> +
>> +define Build/Configure
>> +endef
>> +
>> +define Package/xfrm/install
>> +       $(INSTALL_DIR) $(1)/lib/netifd/proto
>> +       $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh
>> +endef
>> +
>> +$(eval $(call BuildPackage,xfrm))
>> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh
>> new file mode 100755
>> index 0000000000..df28d38613
>> --- /dev/null
>> +++ b/package/network/config/xfrm/files/xfrm.sh
>> @@ -0,0 +1,65 @@
>> +#!/bin/sh
>> +
>> +[ -n "$INCLUDE_ONLY" ] || {
>> +       . /lib/functions.sh
>> +       . /lib/functions/network.sh
>> +       . ../netifd-proto.sh
>> +       init_proto "$@"
>> +}
>> +
>> +proto_xfrm_setup() {
>> +       local cfg="$1"
>> +       local mode="xfrm"
>> +
>> +       local tunlink ifid mtu zone
>> +       json_get_vars tunlink ifid mtu zone
>> +
if exists .. ip link del "$cfg"

>> +       proto_init_update "$cfg" 1
>> +
>> +       proto_add_tunnel
>> +       json_add_string mode "$mode"
>> +       json_add_int mtu "${mtu:-1280}"
>> +
>> +       [ -z "$tunlink" ] && {
>> +               proto_notify_error "$cfg" NO_TUNLINK
>> +               proto_block_restart "$cfg"
>> +               exit
>> +       }
>> +       json_add_string link "$tunlink"
>> +
>> +       [ -z "$ifid" ] && {
>> +               proto_notify_error "$cfg" NO_IFID
>> +               proto_block_restart "$cfg"
>> +               exit
>> +       }
>> +       json_add_object 'data'
>> +       [ -n "$ifid" ] && json_add_int ifid "$ifid"
>> +       json_close_object
>> +
>> +       proto_close_tunnel
>> +
>> +       proto_add_data
>> +       [ -n "$zone" ] && json_add_string zone "$zone"
>> +       proto_close_data
>> +
>> +       proto_send_update "$cfg"
>> +}
>> +
>> +proto_xfrm_teardown() {
>> +       local cfg="$1"
ip link del "$cfg"
>> +}
>> +
>> +proto_xfrm_init_config() {
>> +       no_device=1
>> +       available=1
>> +
>> +       proto_config_add_int "mtu"
>> +       proto_config_add_string "tunlink"
>> +       proto_config_add_string "zone"
>> +       proto_config_add_int "ifid"
>> +}
>> +
>> +
>> +[ -n "$INCLUDE_ONLY" ] || {
>> +       [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm
> I missed the check for /sys/module/xfrm_interface in my initial
> review; is there any specific reason for this additional check beside
> the xfrm_interface.ko check ?
> 
> Hans
>> +}
>> --
>> 2.11.0
>>
>>
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel@lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>
Hans Dedecker June 11, 2019, 8:16 p.m. UTC | #4
Hi,

On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin@marcant.net> wrote:
>
> Hi Hans,
>
> after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels.
> 1) xfrm tunnel interfaces cannot be replaced with netlink
> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted
>
> This leads to some errors and a loop in interface creation. With the changes below,
> it works smoothly when not bound to ppp interfaces (using lan instead), see:
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
> and so on
>
> What do you think?
The description is a bit cryptic to me; could you explain what works
and what does not work and why ?

Hans
>
> Kind regards,
>
> André
>
>
> Am 09.06.19 um 21:27 schrieb Hans Dedecker:
> > On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote:
> >>
> >> This package adds scripts for xfrm interfaces support.
> >> Example configuration via /etc/config/network:
> >>
> >> config interface 'xfrm0'
> >>         option proto 'xfrm'
> >>         option mtu '1300'
> >>         option zone 'VPN'
> >>         option tunlink 'wan'
> >>         option ifid 30
> >>
> >> config interface 'xfrm0_static'
> >>         option proto 'static'
> >>         option ifname '@xfrm0'
> >>         option ip6addr 'fe80::1/64'
> >>         option ipaddr '10.0.0.1/30'
> >>
> >> Now set in strongswan IPsec policy:
> >>         if_id_in = 30
> >>         if_id_out = 30
> >> ---
> >>  package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
> >>  package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
> >>  2 files changed, 103 insertions(+)
> >>  create mode 100644 package/network/config/xfrm/Makefile
> >>  create mode 100755 package/network/config/xfrm/files/xfrm.sh
> >>
> >> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
> >> new file mode 100644
> >> index 0000000000..efc90cf318
> >> --- /dev/null
> >> +++ b/package/network/config/xfrm/Makefile
> >> @@ -0,0 +1,38 @@
> >> +
> >> +include $(TOPDIR)/rules.mk
> >> +
> >> +PKG_NAME:=xfrm
> >> +PKG_VERSION:=1
> >> +PKG_RELEASE:=1
> >> +PKG_LICENSE:=GPL-2.0
> >> +
> >> +include $(INCLUDE_DIR)/package.mk
> >> +
> >> +define Package/xfrm/Default
> >> +  SECTION:=net
> >> +  CATEGORY:=Network
> >> +  MAINTAINER:=Andre Valentin <avalentin@marcant.net>
> >> +endef
> >> +
> >> +define Package/xfrm
> >> +$(call Package/xfrm/Default)
> >> +  TITLE:=XFRM IPsec Tunnel Interface config support
> >> +  DEPENDS:=+kmod-xfrm-interface
> >> +endef
> >> +
> >> +define Package/xfrm/description
> >> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network.
> >> +endef
> >> +
> >> +define Build/Compile
> >> +endef
> >> +
> >> +define Build/Configure
> >> +endef
> >> +
> >> +define Package/xfrm/install
> >> +       $(INSTALL_DIR) $(1)/lib/netifd/proto
> >> +       $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh
> >> +endef
> >> +
> >> +$(eval $(call BuildPackage,xfrm))
> >> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh
> >> new file mode 100755
> >> index 0000000000..df28d38613
> >> --- /dev/null
> >> +++ b/package/network/config/xfrm/files/xfrm.sh
> >> @@ -0,0 +1,65 @@
> >> +#!/bin/sh
> >> +
> >> +[ -n "$INCLUDE_ONLY" ] || {
> >> +       . /lib/functions.sh
> >> +       . /lib/functions/network.sh
> >> +       . ../netifd-proto.sh
> >> +       init_proto "$@"
> >> +}
> >> +
> >> +proto_xfrm_setup() {
> >> +       local cfg="$1"
> >> +       local mode="xfrm"
> >> +
> >> +       local tunlink ifid mtu zone
> >> +       json_get_vars tunlink ifid mtu zone
> >> +
> if exists .. ip link del "$cfg"
>
> >> +       proto_init_update "$cfg" 1
> >> +
> >> +       proto_add_tunnel
> >> +       json_add_string mode "$mode"
> >> +       json_add_int mtu "${mtu:-1280}"
> >> +
> >> +       [ -z "$tunlink" ] && {
> >> +               proto_notify_error "$cfg" NO_TUNLINK
> >> +               proto_block_restart "$cfg"
> >> +               exit
> >> +       }
> >> +       json_add_string link "$tunlink"
> >> +
> >> +       [ -z "$ifid" ] && {
> >> +               proto_notify_error "$cfg" NO_IFID
> >> +               proto_block_restart "$cfg"
> >> +               exit
> >> +       }
> >> +       json_add_object 'data'
> >> +       [ -n "$ifid" ] && json_add_int ifid "$ifid"
> >> +       json_close_object
> >> +
> >> +       proto_close_tunnel
> >> +
> >> +       proto_add_data
> >> +       [ -n "$zone" ] && json_add_string zone "$zone"
> >> +       proto_close_data
> >> +
> >> +       proto_send_update "$cfg"
> >> +}
> >> +
> >> +proto_xfrm_teardown() {
> >> +       local cfg="$1"
> ip link del "$cfg"
> >> +}
> >> +
> >> +proto_xfrm_init_config() {
> >> +       no_device=1
> >> +       available=1
> >> +
> >> +       proto_config_add_int "mtu"
> >> +       proto_config_add_string "tunlink"
> >> +       proto_config_add_string "zone"
> >> +       proto_config_add_int "ifid"
> >> +}
> >> +
> >> +
> >> +[ -n "$INCLUDE_ONLY" ] || {
> >> +       [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm
> > I missed the check for /sys/module/xfrm_interface in my initial
> > review; is there any specific reason for this additional check beside
> > the xfrm_interface.ko check ?
> >
> > Hans
> >> +}
> >> --
> >> 2.11.0
> >>
> >>
> >> _______________________________________________
> >> openwrt-devel mailing list
> >> openwrt-devel@lists.openwrt.org
> >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
> >
> > _______________________________________________
> > openwrt-devel mailing list
> > openwrt-devel@lists.openwrt.org
> > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
> >
>
>
> --
> Mit freundlichen Grüßen
> André Valentin
>
> Systemadministration - Projektkoordination
>
>
> --
> MarcanT AG, Herforder Straße 163a, D - 33609 Bielefeld
> Fon: +49 (521) 95945-0 | Fax: +49 (521) 95945-18
> URL: http://www.marcant.net <http://www.marcant.net/> | http://www.global-m2m.com <http://www.global-m2m.com/>
>
> Internet * Netzwerk * Mobile Daten
>
> Vorstand:
> Thorsten Hojas (Vorsitzender)
> Marc-Henrik Delker
> Dr. Anja-Christina Padberg
> Handelsregister: AG Bielefeld, HRB 42260 USt-ID Nr.: DE 190203238
>
>
>
> ___________________________________________________________
> Ausserhalb unserer Geschäftszeiten (Montag bis Freitag von 8:30 Uhr bis
> 17:30 Uhr, ausgenommen gesetzliche Feiertage in NRW) stehen wir Ihnen
> gemäß Ihrer jeweiligen Service-Level-Agreements unter der Ihnen
> mitgeteilten Telefonnummer für Störungen und Notfälle zur Verfügung.
> Sie können natürlich auch gerne jederzeit unter support@marcant.net ein
> Ticket eröffnen, welches am nächsten Arbeitstag bearbeitet wird.
>
>
>
>
Stijn Tintel June 11, 2019, 10:10 p.m. UTC | #5
On 8/06/19 14:48, André Valentin wrote:
> This package adds scripts for xfrm interfaces support.
> Example configuration via /etc/config/network:
>
> config interface 'xfrm0'
>         option proto 'xfrm'
>         option mtu '1300'
>         option zone 'VPN'
>         option tunlink 'wan'
>         option ifid 30
>
> config interface 'xfrm0_static'
>         option proto 'static'
>         option ifname '@xfrm0'
>         option ip6addr 'fe80::1/64'
>         option ipaddr '10.0.0.1/30'
>
Is there really no simpler way to do this? Can't we combine these into 1
config interface 'xxx' section?

Stijn
André Valentin June 12, 2019, 6:28 p.m. UTC | #6
Hi Hans!!
Am 11.06.19 um 22:16 schrieb Hans Dedecker:
> Hi,
> 
> On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin@marcant.net> wrote:
>>
>> Hi Hans,
>>
>> after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels.
>> 1) xfrm tunnel interfaces cannot be replaced with netlink
>> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted
>>
>> This leads to some errors and a loop in interface creation. With the changes below,
>> it works smoothly when not bound to ppp interfaces (using lan instead), see:
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
>> and so on
>>>> What do you think?
> The description is a bit cryptic to me; could you explain what works
> and what does not work and why ?
Sorry for being cryptic, I tend to that;-) Okay, I do the following:
# ifup xfrm0
... use it
# ifdown xfrm0
The interface still exists (checked with ip link)

Now I'll do ifup again and this happens endlessly:
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error

In netifd the xfrm0 interface is created with the REPLACE flag, but that does not seem to work, it cannot be recreated and fails.
The result is the upper error repeating.
That's why I think about the call to "ip link delete xfrm0" before proto_init_update call and in the teardown call.

André


> 
> Hans
>>
>> Kind regards,
>>
>> André
>>
>>
>> Am 09.06.19 um 21:27 schrieb Hans Dedecker:
>>> On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote:
>>>>
>>>> This package adds scripts for xfrm interfaces support.
>>>> Example configuration via /etc/config/network:
>>>>
>>>> config interface 'xfrm0'
>>>>         option proto 'xfrm'
>>>>         option mtu '1300'
>>>>         option zone 'VPN'
>>>>         option tunlink 'wan'
>>>>         option ifid 30
>>>>
>>>> config interface 'xfrm0_static'
>>>>         option proto 'static'
>>>>         option ifname '@xfrm0'
>>>>         option ip6addr 'fe80::1/64'
>>>>         option ipaddr '10.0.0.1/30'
>>>>
>>>> Now set in strongswan IPsec policy:
>>>>         if_id_in = 30
>>>>         if_id_out = 30
>>>> ---
>>>>  package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
>>>>  package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
>>>>  2 files changed, 103 insertions(+)
>>>>  create mode 100644 package/network/config/xfrm/Makefile
>>>>  create mode 100755 package/network/config/xfrm/files/xfrm.sh
>>>>
>>>> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
>>>> new file mode 100644
>>>> index 0000000000..efc90cf318
>>>> --- /dev/null
>>>> +++ b/package/network/config/xfrm/Makefile
>>>> @@ -0,0 +1,38 @@
>>>> +
>>>> +include $(TOPDIR)/rules.mk
>>>> +
>>>> +PKG_NAME:=xfrm
>>>> +PKG_VERSION:=1
>>>> +PKG_RELEASE:=1
>>>> +PKG_LICENSE:=GPL-2.0
>>>> +
>>>> +include $(INCLUDE_DIR)/package.mk
>>>> +
>>>> +define Package/xfrm/Default
>>>> +  SECTION:=net
>>>> +  CATEGORY:=Network
>>>> +  MAINTAINER:=Andre Valentin <avalentin@marcant.net>
>>>> +endef
>>>> +
>>>> +define Package/xfrm
>>>> +$(call Package/xfrm/Default)
>>>> +  TITLE:=XFRM IPsec Tunnel Interface config support
>>>> +  DEPENDS:=+kmod-xfrm-interface
>>>> +endef
>>>> +
>>>> +define Package/xfrm/description
>>>> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network.
>>>> +endef
>>>> +
>>>> +define Build/Compile
>>>> +endef
>>>> +
>>>> +define Build/Configure
>>>> +endef
>>>> +
>>>> +define Package/xfrm/install
>>>> +       $(INSTALL_DIR) $(1)/lib/netifd/proto
>>>> +       $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh
>>>> +endef
>>>> +
>>>> +$(eval $(call BuildPackage,xfrm))
>>>> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh
>>>> new file mode 100755
>>>> index 0000000000..df28d38613
>>>> --- /dev/null
>>>> +++ b/package/network/config/xfrm/files/xfrm.sh
>>>> @@ -0,0 +1,65 @@
>>>> +#!/bin/sh
>>>> +
>>>> +[ -n "$INCLUDE_ONLY" ] || {
>>>> +       . /lib/functions.sh
>>>> +       . /lib/functions/network.sh
>>>> +       . ../netifd-proto.sh
>>>> +       init_proto "$@"
>>>> +}
>>>> +
>>>> +proto_xfrm_setup() {
>>>> +       local cfg="$1"
>>>> +       local mode="xfrm"
>>>> +
>>>> +       local tunlink ifid mtu zone
>>>> +       json_get_vars tunlink ifid mtu zone
>>>> +
>> if exists .. ip link del "$cfg"
>>
>>>> +       proto_init_update "$cfg" 1
>>>> +
>>>> +       proto_add_tunnel
>>>> +       json_add_string mode "$mode"
>>>> +       json_add_int mtu "${mtu:-1280}"
>>>> +
>>>> +       [ -z "$tunlink" ] && {
>>>> +               proto_notify_error "$cfg" NO_TUNLINK
>>>> +               proto_block_restart "$cfg"
>>>> +               exit
>>>> +       }
>>>> +       json_add_string link "$tunlink"
>>>> +
>>>> +       [ -z "$ifid" ] && {
>>>> +               proto_notify_error "$cfg" NO_IFID
>>>> +               proto_block_restart "$cfg"
>>>> +               exit
>>>> +       }
>>>> +       json_add_object 'data'
>>>> +       [ -n "$ifid" ] && json_add_int ifid "$ifid"
>>>> +       json_close_object
>>>> +
>>>> +       proto_close_tunnel
>>>> +
>>>> +       proto_add_data
>>>> +       [ -n "$zone" ] && json_add_string zone "$zone"
>>>> +       proto_close_data
>>>> +
>>>> +       proto_send_update "$cfg"
>>>> +}
>>>> +
>>>> +proto_xfrm_teardown() {
>>>> +       local cfg="$1"
>> ip link del "$cfg"
>>>> +}
>>>> +
>>>> +proto_xfrm_init_config() {
>>>> +       no_device=1
>>>> +       available=1
>>>> +
>>>> +       proto_config_add_int "mtu"
>>>> +       proto_config_add_string "tunlink"
>>>> +       proto_config_add_string "zone"
>>>> +       proto_config_add_int "ifid"
>>>> +}
>>>> +
>>>> +
>>>> +[ -n "$INCLUDE_ONLY" ] || {
>>>> +       [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm
>>> I missed the check for /sys/module/xfrm_interface in my initial
>>> review; is there any specific reason for this additional check beside
>>> the xfrm_interface.ko check ?
>>>
>>> Hans
>>>> +}
>>>> --
>>>> 2.11.0
>>>>
Hans Dedecker June 13, 2019, 6:44 a.m. UTC | #7
Hi,

On Wed, Jun 12, 2019 at 8:28 PM Andre Valentin <avalentin@marcant.net> wrote:
>
> Hi Hans!!
> Am 11.06.19 um 22:16 schrieb Hans Dedecker:
> > Hi,
> >
> > On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin@marcant.net> wrote:
> >>
> >> Hi Hans,
> >>
> >> after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels.
> >> 1) xfrm tunnel interfaces cannot be replaced with netlink
> >> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted
> >>
> >> This leads to some errors and a loop in interface creation. With the changes below,
> >> it works smoothly when not bound to ppp interfaces (using lan instead), see:
> >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
> >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
> >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
> >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
> >> and so on
> >>>> What do you think?
> > The description is a bit cryptic to me; could you explain what works
> > and what does not work and why ?
> Sorry for being cryptic, I tend to that;-) Okay, I do the following:
> # ifup xfrm0
> ... use it
> # ifdown xfrm0
> The interface still exists (checked with ip link)
>
> Now I'll do ifup again and this happens endlessly:
> >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
> >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
> >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
> >> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
>
> In netifd the xfrm0 interface is created with the REPLACE flag, but that does not seem to work, it cannot be recreated and fails.
> The result is the upper error repeating.
> That's why I think about the call to "ip link delete xfrm0" before proto_init_update call and in the teardown call.
Adding the ip link calls does not make sense to me as netifd should
take care of deleting the xfrm interfaces
Are you sure the xfrm interfaces can be deleted by the ioctl call
SIOCDELTUNNEL as is the case now ?
For the other tunnel interfaces like vti/gre deletion is done via the
netlink interface.

Next to that I noticed a tunlink is specified in xfrm.sh but no
proto_add_host_dependency is added; is this on purpose ?

Hans
>
> André
>
>
> >
> > Hans
> >>
> >> Kind regards,
> >>
> >> André
> >>
> >>
> >> Am 09.06.19 um 21:27 schrieb Hans Dedecker:
> >>> On Sat, Jun 8, 2019 at 1:48 PM André Valentin <avalentin@marcant.net> wrote:
> >>>>
> >>>> This package adds scripts for xfrm interfaces support.
> >>>> Example configuration via /etc/config/network:
> >>>>
> >>>> config interface 'xfrm0'
> >>>>         option proto 'xfrm'
> >>>>         option mtu '1300'
> >>>>         option zone 'VPN'
> >>>>         option tunlink 'wan'
> >>>>         option ifid 30
> >>>>
> >>>> config interface 'xfrm0_static'
> >>>>         option proto 'static'
> >>>>         option ifname '@xfrm0'
> >>>>         option ip6addr 'fe80::1/64'
> >>>>         option ipaddr '10.0.0.1/30'
> >>>>
> >>>> Now set in strongswan IPsec policy:
> >>>>         if_id_in = 30
> >>>>         if_id_out = 30
> >>>> ---
> >>>>  package/network/config/xfrm/Makefile      | 38 ++++++++++++++++++
> >>>>  package/network/config/xfrm/files/xfrm.sh | 65 +++++++++++++++++++++++++++++++
> >>>>  2 files changed, 103 insertions(+)
> >>>>  create mode 100644 package/network/config/xfrm/Makefile
> >>>>  create mode 100755 package/network/config/xfrm/files/xfrm.sh
> >>>>
> >>>> diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
> >>>> new file mode 100644
> >>>> index 0000000000..efc90cf318
> >>>> --- /dev/null
> >>>> +++ b/package/network/config/xfrm/Makefile
> >>>> @@ -0,0 +1,38 @@
> >>>> +
> >>>> +include $(TOPDIR)/rules.mk
> >>>> +
> >>>> +PKG_NAME:=xfrm
> >>>> +PKG_VERSION:=1
> >>>> +PKG_RELEASE:=1
> >>>> +PKG_LICENSE:=GPL-2.0
> >>>> +
> >>>> +include $(INCLUDE_DIR)/package.mk
> >>>> +
> >>>> +define Package/xfrm/Default
> >>>> +  SECTION:=net
> >>>> +  CATEGORY:=Network
> >>>> +  MAINTAINER:=Andre Valentin <avalentin@marcant.net>
> >>>> +endef
> >>>> +
> >>>> +define Package/xfrm
> >>>> +$(call Package/xfrm/Default)
> >>>> +  TITLE:=XFRM IPsec Tunnel Interface config support
> >>>> +  DEPENDS:=+kmod-xfrm-interface
> >>>> +endef
> >>>> +
> >>>> +define Package/xfrm/description
> >>>> + XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network.
> >>>> +endef
> >>>> +
> >>>> +define Build/Compile
> >>>> +endef
> >>>> +
> >>>> +define Build/Configure
> >>>> +endef
> >>>> +
> >>>> +define Package/xfrm/install
> >>>> +       $(INSTALL_DIR) $(1)/lib/netifd/proto
> >>>> +       $(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh
> >>>> +endef
> >>>> +
> >>>> +$(eval $(call BuildPackage,xfrm))
> >>>> diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh
> >>>> new file mode 100755
> >>>> index 0000000000..df28d38613
> >>>> --- /dev/null
> >>>> +++ b/package/network/config/xfrm/files/xfrm.sh
> >>>> @@ -0,0 +1,65 @@
> >>>> +#!/bin/sh
> >>>> +
> >>>> +[ -n "$INCLUDE_ONLY" ] || {
> >>>> +       . /lib/functions.sh
> >>>> +       . /lib/functions/network.sh
> >>>> +       . ../netifd-proto.sh
> >>>> +       init_proto "$@"
> >>>> +}
> >>>> +
> >>>> +proto_xfrm_setup() {
> >>>> +       local cfg="$1"
> >>>> +       local mode="xfrm"
> >>>> +
> >>>> +       local tunlink ifid mtu zone
> >>>> +       json_get_vars tunlink ifid mtu zone
> >>>> +
> >> if exists .. ip link del "$cfg"
> >>
> >>>> +       proto_init_update "$cfg" 1
> >>>> +
> >>>> +       proto_add_tunnel
> >>>> +       json_add_string mode "$mode"
> >>>> +       json_add_int mtu "${mtu:-1280}"
> >>>> +
> >>>> +       [ -z "$tunlink" ] && {
> >>>> +               proto_notify_error "$cfg" NO_TUNLINK
> >>>> +               proto_block_restart "$cfg"
> >>>> +               exit
> >>>> +       }
> >>>> +       json_add_string link "$tunlink"
> >>>> +
> >>>> +       [ -z "$ifid" ] && {
> >>>> +               proto_notify_error "$cfg" NO_IFID
> >>>> +               proto_block_restart "$cfg"
> >>>> +               exit
> >>>> +       }
> >>>> +       json_add_object 'data'
> >>>> +       [ -n "$ifid" ] && json_add_int ifid "$ifid"
> >>>> +       json_close_object
> >>>> +
> >>>> +       proto_close_tunnel
> >>>> +
> >>>> +       proto_add_data
> >>>> +       [ -n "$zone" ] && json_add_string zone "$zone"
> >>>> +       proto_close_data
> >>>> +
> >>>> +       proto_send_update "$cfg"
> >>>> +}
> >>>> +
> >>>> +proto_xfrm_teardown() {
> >>>> +       local cfg="$1"
> >> ip link del "$cfg"
> >>>> +}
> >>>> +
> >>>> +proto_xfrm_init_config() {
> >>>> +       no_device=1
> >>>> +       available=1
> >>>> +
> >>>> +       proto_config_add_int "mtu"
> >>>> +       proto_config_add_string "tunlink"
> >>>> +       proto_config_add_string "zone"
> >>>> +       proto_config_add_int "ifid"
> >>>> +}
> >>>> +
> >>>> +
> >>>> +[ -n "$INCLUDE_ONLY" ] || {
> >>>> +       [ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm
> >>> I missed the check for /sys/module/xfrm_interface in my initial
> >>> review; is there any specific reason for this additional check beside
> >>> the xfrm_interface.ko check ?
> >>>
> >>> Hans
> >>>> +}
> >>>> --
> >>>> 2.11.0
> >>>>
>
André Valentin June 13, 2019, 7:19 a.m. UTC | #8
Hi!

On 13.06.19 08:44, Hans Dedecker wrote:
> Hi,
> 
> On Wed, Jun 12, 2019 at 8:28 PM Andre Valentin <avalentin@marcant.net> wrote:
>>
>> Hi Hans!!
>> Am 11.06.19 um 22:16 schrieb Hans Dedecker:
>>> Hi,
>>>
>>> On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin@marcant.net> wrote:
>>>>
>>>> Hi Hans,
>>>>
>>>> after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels.
>>>> 1) xfrm tunnel interfaces cannot be replaced with netlink
>>>> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted
>>>>
>>>> This leads to some errors and a loop in interface creation. With the changes below,
>>>> it works smoothly when not bound to ppp interfaces (using lan instead), see:
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
>>>> and so on
>>>>>> What do you think?
>>> The description is a bit cryptic to me; could you explain what works
>>> and what does not work and why ?
>> Sorry for being cryptic, I tend to that;-) Okay, I do the following:
>> # ifup xfrm0
>> ... use it
>> # ifdown xfrm0
>> The interface still exists (checked with ip link)
>>
>> Now I'll do ifup again and this happens endlessly:
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
>>
>> In netifd the xfrm0 interface is created with the REPLACE flag, but that does not seem to work, it cannot be recreated and fails.
>> The result is the upper error repeating.
>> That's why I think about the call to "ip link delete xfrm0" before proto_init_update call and in the teardown call.
> Adding the ip link calls does not make sense to me as netifd should
> take care of deleting the xfrm interfaces
> Are you sure the xfrm interfaces can be deleted by the ioctl call
> SIOCDELTUNNEL as is the case now ?
> For the other tunnel interfaces like vti/gre deletion is done via the
> netlink interface.

Good point, I will check that.
> 
> Next to that I noticed a tunlink is specified in xfrm.sh but no
> proto_add_host_dependency is added; is this on purpose ?
Yes, that is on purpose. The tunlink specified is a must, but it is not 
used for decrypting and encrypting packets; that works on every interface.

Also the XFRM interface has no IP endpoint, so there no possibility to 
add this to the interface, it would be only cosmetical.

Thanks,

André
Hans Dedecker June 13, 2019, 7:24 a.m. UTC | #9
On Thu, Jun 13, 2019 at 9:18 AM Andre Valentin <avalentin@marcant.net> wrote:
>
> Hi!
>
> On 13.06.19 08:44, Hans Dedecker wrote:
> > Hi,
> >
> > On Wed, Jun 12, 2019 at 8:28 PM Andre Valentin <avalentin@marcant.net> wrote:
> >>
> >> Hi Hans!!
> >> Am 11.06.19 um 22:16 schrieb Hans Dedecker:
> >>> Hi,
> >>>
> >>> On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin@marcant.net> wrote:
> >>>>
> >>>> Hi Hans,
> >>>>
> >>>> after testing xfrm tunnels a bit I found to big differences compared to other convential tunnels.
> >>>> 1) xfrm tunnel interfaces cannot be replaced with netlink
> >>>> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted
> >>>>
> >>>> This leads to some errors and a loop in interface creation. With the changes below,
> >>>> it works smoothly when not bound to ppp interfaces (using lan instead), see:
> >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
> >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
> >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
> >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
> >>>> and so on
> >>>>>> What do you think?
> >>> The description is a bit cryptic to me; could you explain what works
> >>> and what does not work and why ?
> >> Sorry for being cryptic, I tend to that;-) Okay, I do the following:
> >> # ifup xfrm0
> >> ... use it
> >> # ifdown xfrm0
> >> The interface still exists (checked with ip link)
> >>
> >> Now I'll do ifup again and this happens endlessly:
> >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
> >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
> >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
> >>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
> >>
> >> In netifd the xfrm0 interface is created with the REPLACE flag, but that does not seem to work, it cannot be recreated and fails.
> >> The result is the upper error repeating.
> >> That's why I think about the call to "ip link delete xfrm0" before proto_init_update call and in the teardown call.
> > Adding the ip link calls does not make sense to me as netifd should
> > take care of deleting the xfrm interfaces
> > Are you sure the xfrm interfaces can be deleted by the ioctl call
> > SIOCDELTUNNEL as is the case now ?
> > For the other tunnel interfaces like vti/gre deletion is done via the
> > netlink interface.
>
> Good point, I will check that.
> >
> > Next to that I noticed a tunlink is specified in xfrm.sh but no
> > proto_add_host_dependency is added; is this on purpose ?
> Yes, that is on purpose. The tunlink specified is a must, but it is not
> used for decrypting and encrypting packets; that works on every interface.
>
> Also the XFRM interface has no IP endpoint, so there no possibility to
> add this to the interface, it would be only cosmetical.
You can install a proto_add_host_dependency on an interface (tunlink
in this case); so it's not required to have an IP endpoint.

Hans
>
> Thanks,
>
> André


diff --git a/package/network/config/xfrm/Makefile b/package/network/config/xfrm/Makefile
new file mode 100644
index 0000000000..efc90cf318
--- /dev/null
+++ b/package/network/config/xfrm/Makefile
@@ -0,0 +1,38 @@ 
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=xfrm
+PKG_VERSION:=1
+PKG_RELEASE:=1
+PKG_LICENSE:=GPL-2.0
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/xfrm/Default
+  SECTION:=net
+  CATEGORY:=Network
+  MAINTAINER:=Andre Valentin <avalentin@marcant.net>
+endef
+
+define Package/xfrm
+$(call Package/xfrm/Default)
+  TITLE:=XFRM IPsec Tunnel Interface config support
+  DEPENDS:=+kmod-xfrm-interface
+endef
+
+define Package/xfrm/description
+ XFRM IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network.
+endef
+
+define Build/Compile
+endef
+
+define Build/Configure
+endef
+
+define Package/xfrm/install
+	$(INSTALL_DIR) $(1)/lib/netifd/proto
+	$(INSTALL_BIN) ./files/xfrm.sh $(1)/lib/netifd/proto/xfrm.sh
+endef
+
+$(eval $(call BuildPackage,xfrm))
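Review bot: The package installs only a shell script, so `PKGARCH:=all` is presumably missing from the `Package/xfrm` definition; without it the build produces a per-architecture ipk for architecture-independent content. Adding `PKGARCH:=all` after the `DEPENDS` line is the usual fix, if that matches how the other netifd proto packages under package/network/config are declared. The `Package/xfrm/Default` template is defined but used by a single package, so it could be folded into `Package/xfrm` directly; that is only a readability point.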
diff --git a/package/network/config/xfrm/files/xfrm.sh b/package/network/config/xfrm/files/xfrm.sh
new file mode 100755
index 0000000000..df28d38613
--- /dev/null
+++ b/package/network/config/xfrm/files/xfrm.sh
@@ -0,0 +1,65 @@ 
+#!/bin/sh
+
+[ -n "$INCLUDE_ONLY" ] || {
+	. /lib/functions.sh
+	. /lib/functions/network.sh
+	. ../netifd-proto.sh
+	init_proto "$@"
+}
+
+proto_xfrm_setup() {
+	local cfg="$1"
+	local mode="xfrm"
+
+	local tunlink ifid mtu zone
+	json_get_vars tunlink ifid mtu zone
+
+	proto_init_update "$cfg" 1
+
+	proto_add_tunnel
+	json_add_string mode "$mode"
+	json_add_int mtu "${mtu:-1280}"
+
+	[ -z "$tunlink" ] && {
+		proto_notify_error "$cfg" NO_TUNLINK
+		proto_block_restart "$cfg"
+		exit
+	}
+	json_add_string link "$tunlink"
+
+	[ -z "$ifid" ] && {
+		proto_notify_error "$cfg" NO_IFID
+		proto_block_restart "$cfg"
+		exit
+	}
+	json_add_object 'data'
+	[ -n "$ifid" ] && json_add_int ifid "$ifid"
+	json_close_object
+
+	proto_close_tunnel
+
+	proto_add_data
+	[ -n "$zone" ] && json_add_string zone "$zone"
+	proto_close_data
+
+	proto_send_update "$cfg"
+}
+
+proto_xfrm_teardown() {
+	local cfg="$1"
+}
+
+proto_xfrm_init_config() {
+	no_device=1
+	available=1
+
+	proto_config_add_int "mtu"
+	proto_config_add_string "tunlink"
+	proto_config_add_string "zone"
+	proto_config_add_int "ifid"
+}
+
+
+[ -n "$INCLUDE_ONLY" ] || {
+	[ -f /lib/modules/$(uname -r)/xfrm_interface.ko -o -d /sys/module/xfrm_interface ] && add_protocol xfrm
+}
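Review bot: The `[ -n "$ifid" ] &&` guard on the `json_add_int ifid "$ifid"` line is dead, because the preceding `[ -z "$ifid" ]` block already exits the script when ifid is empty; writing it as plain `json_add_int ifid "$ifid"` makes the required-ness explicit. The protocol-registration test on the last line uses the deprecated `-o` and an unquoted `$(uname -r)`; `[ -f "/lib/modules/$(uname -r)/xfrm_interface.ko" ] || [ -d /sys/module/xfrm_interface ]` is the equivalent POSIX form. That test also presumably fails when xfrm_interface is built into the kernel rather than loaded as a module (no .ko file, and no /sys/module entry for a parameterless built-in), in which case `option proto 'xfrm'` interfaces would silently never be registered; if that configuration is meant to be supported, a comment stating the module-only assumption, or a different probe, would be worth adding.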