Comments on: Linux XFRM Framework Selectors http://evolution-systems.co.uk/2008/04/17/linux-xfrm-framework-selectors-2/ Web Development, Software Development and Linux Consultancy services Fri, 04 Apr 2014 15:43:11 +0000 hourly 1 https://wordpress.org/?v=4.1.42 By: william johnson http://evolution-systems.co.uk/2008/04/17/linux-xfrm-framework-selectors-2/#comment-6697 Mon, 12 Aug 2013 21:07:47 +0000 http://evolution-systems.co.uk/wordpress/?p=507#comment-6697 Hi
I will appreciate if someone will explain xfrm templates. What are they used for ? Struct xfrm_template
Wlliam

]]> By: nima0102 http://evolution-systems.co.uk/2008/04/17/linux-xfrm-framework-selectors-2/#comment-249 Thu, 29 Dec 2011 10:21:10 +0000 http://evolution-systems.co.uk/wordpress/?p=507#comment-249 Hi
Thanks for sharing your knowledge.
I am some confused about Netfilter and XFRM framework.
Can anybody difference between these frameworks?

Thanks in advance

]]> By: ThePoliteGuy http://evolution-systems.co.uk/2008/04/17/linux-xfrm-framework-selectors-2/#comment-89 Tue, 08 Mar 2011 18:27:22 +0000 http://evolution-systems.co.uk/wordpress/?p=507#comment-89 In my previous replay some symbols were removed: It should be read like this: “Basically SAref tracking allows you to write your own IP address mapper in linux kernel module: SAref_id+non_unique_natted_ip to unique_ip; and unique_ip to SAref_id+non_unique_natted_ip”

]]> By: The PoliteGuy http://evolution-systems.co.uk/2008/04/17/linux-xfrm-framework-selectors-2/#comment-88 Tue, 08 Mar 2011 18:23:54 +0000 http://evolution-systems.co.uk/wordpress/?p=507#comment-88 I would like to implement SAref tracking for IPsec NETKEY stack (it is implemented with XFRM). Currently only KLIPS IPsec stack supports this feature, but that one has scalability problems on multiqueue NICs. So we decided rather to patch NETKEY stack.

Basically SAref tracking allows you to write your own IP address mapper in linux kernel module, whic is SAref_id+non_unique_natted_ipunique_ip. The SArefId should be stored in SKB. The problem SAref tracking solves is that two IPsec clients with overlapping subnets will be able to connect to the same IPsec server.

]]> By: MattJakeman http://evolution-systems.co.uk/2008/04/17/linux-xfrm-framework-selectors-2/#comment-87 Tue, 08 Mar 2011 17:19:00 +0000 http://evolution-systems.co.uk/wordpress/?p=507#comment-87 Hi, unfortunately I was unable to find much more documentation about XFRM when I was using it. What sort of selectors are you wishing to use? From memory the only parameters you are able to use for a selector are the ones specified in this struct.

It’s likely that it would be easier to write a kernel module for your purposes but it’s hard to tell without more details about what you are trying to accomplish.

]]> By: ThePoliteGuy http://evolution-systems.co.uk/2008/04/17/linux-xfrm-framework-selectors-2/#comment-86 Tue, 08 Mar 2011 16:44:45 +0000 http://evolution-systems.co.uk/wordpress/?p=507#comment-86 Thank you, it was very helpful! Now it is 2011 (3 years have passed since you wrote this) but this framework still haven’t been documented …

So did you had a chance to write something that explains xfrm in more details? Maybe you were able to find some good documentation somewhere else?

What we are trying to accomplish is that Selector would be able to choose packets by some other means than just source/destination IP/Port.

]]>