Not for a while. You should. Just use ip xfrm. I needed to use setkey for historical reasons.
----- Original Message -----
From: Philip A. Prindeville <philipp_subx@...>
To: Paul Moore
Cc: ipsec-tools-devel@... <ipsec-tools-devel@...>
Sent: Fri Jun 12 16:35:16 2009
Subject: Re: [Ipsec-tools-devel] Adding policy-based tunnel selection
How likely is it that your changes to use the xfrm interface will get in, and when?
I can send you the diffs that I have...
Paul Moore wrote:
> you will not be able to get the kernel devs to change the PF_KEY API,
> they consider it dead
> you can of course mod it yourself - the code (PF_KEY to xfrm bridge) is
> in kernel/net/key/af_key.c, it's a loadable module
> I have (pending submission) a version of setkey that uses the xfrm
> interface for the same reason
> your best bet is to use ip xfrm
> -----Original Message-----
> From: Philip Prindeville [mailto:philipp_subx@...]
> Sent: Friday, June 12, 2009 11:17 AM
> To: ipsec-tools-devel@...
> Subject: [Ipsec-tools-devel] Adding policy-based tunnel selection
> I was trying to extend the "spdadd" command to take an input device
> selector (as one can do with "ip xfrm policy add ... dev xxx" with
> iproute2), and started coding it up...
> Unfortunately, ipsec-tools doesn't use the same API as iproute2, and the
> "struct sadb_x_policy" doesn't include an ifindex.
> I've got the changes to setkey mostly coded up. What would be involved
> in changing the kernel API?
> And how generically useful would this be? (Or should I bail on this and
> just forgo using "setkey" and set up all my spd's via "ip xfrm policy
> add ..." instead?)
> We have a case where (due to virtualization) we reuse a lot of the same
> address space, and a single router/firewall will need to have an
> interface on a subnet with a non-unique network number (typically
> 10.x.x.0/24)... the only way to make sure packets go over the correct
> tunnel is to include the ingress-interface as part of the tunnel