Issue #2302
drop policy affects interfaces where IP set in "left" is not bound to
Description
I have a single instance of charon and starter that services 4 independent interfaces. This is on strongSwan 5.2.0.
I have defined the following:
strongswan.conf
    interfaces_use=eth0,eth1
    interfaces_ignore=eth2,eth3
Additionally, I have defined the following policies on eth0 and eth1:
    conn CloseAll
        left=IP_eth0
        right=%any
        type=drop
        auto=route
However, when the above connection is enabled, it seems to be affecting eth1, eth2 and eth3.
Any information on how type=drop is intended to work? Just read that left and leftauth are not checked at all.
The IP IP_eth0 is where I want to apply the drop type only, without affecting eth1, eth2 and eth3.
History
#1 Updated by Harshal Haridas almost 4 years ago
The policy provided should be only read to be on eth0.
#2 Updated by Noel Kuntze almost 4 years ago
- Status changed from New to Feedback
- Priority changed from Immediate to Normal
Harshal Haridas wrote:
> I have defined the following:
> strongswan.conf
>     interfaces_use=eth0,eth1
>     interfaces_ignore=eth2,eth3
That is irrelevant for any XFRM policies. It only pertains to the userspace daemon "charon", and not anything that the kernel does.
> Additionally, I have defined the following policies on eth0 and eth1:
>     conn CloseAll
>         left=IP_eth0
>         right=%any
>         type=drop
>         auto=route
That drops all packets from that IP to any other host (0.0.0.0/0).
> However, when the above connection is enabled, it seems to be affecting eth1, eth2 and eth3.
Duh. Explained above.
> Any information on how type=drop is intended to work? Just read that left and leftauth are not checked at all.
Drops the packets that match the traffic selector, just like any other IPsec policy type works with what the TS defines.
> The IP IP_eth0 is where I want to apply the drop type only, without affecting eth1, eth2 and eth3.
Are you talking about the primary IP address of eth0, and do you want the drop policy to not affect any traffic that has any IP on eth1, eth2 or eth3 in the source or destination fields?
You need to be exact in your use of language. eth0 is a physical interface. The primary IP of eth0 is an IP. XFRM only cares about IPs, not about interfaces.
You can disable the policy lookup for specific interfaces by setting disable_policy to 1 in sysctl for the traffic on those interfaces you don't want any IPsec policies to be applied on.
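Added example, not code from the thread or from the strongSwan project: a small Python emulation of the point made above, that the kernel's XFRM policy lookup matches a packet on its addresses and direction only, never on the interface it travels over. It parses a constructed listing in the shape of `ip xfrm policy show` output for the CloseAll conn (192.0.2.10 stands in for the placeholder IP_eth0, 198.51.100.10 is an assumed eth1 address, priorities are illustrative) and also produces the disable_policy sysctl lines for the interfaces that should be exempted.

```python
import ipaddress
import re

# Constructed sample resembling `ip xfrm policy show` for the CloseAll conn
# (left=IP_eth0, right=%any, type=drop): 192.0.2.10 stands in for IP_eth0.
SAMPLE_XFRM_POLICY = """\
src 192.0.2.10/32 dst 0.0.0.0/0
\tdir out action block priority 1000 ptype main
src 0.0.0.0/0 dst 192.0.2.10/32
\tdir in action block priority 1000 ptype main
src 0.0.0.0/0 dst 192.0.2.10/32
\tdir fwd action block priority 1000 ptype main
"""

def parse_policies(text):
    """Turn the two-line records into (src_net, dst_net, dir, action) tuples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    policies = []
    for head, body in zip(lines[0::2], lines[1::2]):
        sel = re.match(r"src (\S+) dst (\S+)", head)
        attrs = re.match(r"dir (\w+)(?: action (\w+))?", body)
        if sel and attrs:
            policies.append((ipaddress.ip_network(sel.group(1)),
                             ipaddress.ip_network(sel.group(2)),
                             attrs.group(1), attrs.group(2) or "allow"))
    return policies

def lookup(policies, src, dst, direction):
    """Emulate the selector match: only source/destination address and
    direction are consulted, so which interface carries the packet is
    irrelevant. Returns the action of the first matching policy, or None.
    (The real lookup is priority-ordered; the sample has one priority.)"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for psrc, pdst, pdir, action in policies:
        if pdir == direction and src in psrc and dst in pdst:
            return action
    return None

def exempt_sysctls(interfaces):
    """sysctl settings that switch off the XFRM policy lookup on the given
    interfaces, as suggested above (net.ipv4.conf.<if>.disable_policy=1)."""
    return [f"net.ipv4.conf.{iface}.disable_policy=1" for iface in interfaces]

if __name__ == "__main__":
    pols = parse_policies(SAMPLE_XFRM_POLICY)
    # Traffic sourced from IP_eth0 is blocked; traffic from the eth1 address is not.
    print(lookup(pols, "192.0.2.10", "203.0.113.5", "out"))    # block
    print(lookup(pols, "198.51.100.10", "203.0.113.5", "out"))  # None
    print("\n".join(exempt_sysctls(["eth1", "eth2", "eth3"])))
```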
#3 Updated by Harshal Haridas almost 4 years ago
Noel Kuntze wrote:
> Harshal Haridas wrote:
> > The IP IP_eth0 is where I want to apply the drop type only, without affecting eth1, eth2 and eth3.
> Are you talking about the primary IP address of eth0, and do you want the drop policy to not affect any traffic that has any IP on eth1, eth2 or eth3 in the source or destination fields?
IP_eth0 is the primary IP of eth0. Yes, I want the drop policy on this IP only, and to not affect traffic on eth1, eth2 or eth3.
> You need to be exact in your use of language. eth0 is a physical interface. The primary IP of eth0 is an IP. XFRM only cares about IPs, not about interfaces.
> You can disable the policy lookup for specific interfaces by setting disable_policy to 1 in sysctl for the traffic on those interfaces you don't want any IPsec policies to be applied on.
Thank you. You can mark this issue resolved.
#4 Updated by Noel Kuntze almost 4 years ago
- Category changed from charon to configuration
- Status changed from Feedback to Closed
- Resolution set to No change required
#5 Updated by Noel Kuntze almost 4 years ago
- Subject changed from How does type=drop policy works (Strongswan 5.2.0)? to drop policy affects interfaces where IP set in "left" is not bound to