libnl and IPsec/XFRM

Thomas Graf tgraf at infradead.org
Fri Feb 17 09:30:28 EST 2012


On Fri, Feb 17, 2012 at 04:44:22AM -0800, Joerg Pommnitz wrote:
> > You can always implement your own netlink calls using  the "generic 
> > netlink" lib
> > http://www.infradead.org/~tgr/libnl/doc/api/group__genl.html 
> 
> Can I? I wasn't sure. I thought generic netlink is something distinct from the specialized netlink protocols like routing and XFRM. And anyway, I was looking for something with the convenience methods that come with direct libnl support.

xfrm does not use generic netlink so you can't use genl. xfrm uses netlink
via its own netlink family XFRM_NETLINK.

> > I'm not very familiar with NETLINK_XFRM. What are you trying to do that
> > libipsec can't do? http://ipsec-tools.sourceforge.net/
> 
> AFAIK libipsec sits on top of PF_KEY, which is deprecated. I'm just looking at my options to figure out how to proceed.
> 
> What I need is a painless way to manipulate and read the IPsec SPD and SAD.

libnl currently does not provide a high level interface for xfrm. Openswan uses
the xfrm netlink interface so you may want to check there if they provide some
sort of library.

Thomas
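Thomas's two points above (xfrm is its own netlink family, not generic netlink, and libnl has no high-level xfrm API) in practice, as an added example that is not from this thread, from libnl or from Openswan: a small C program that opens a raw NETLINK_XFRM socket and dumps the SAD read-only using only the kernel's linux/xfrm.h. It assumes a Linux host with kernel headers; the request builder and the SA-record parser are written here for illustration, not libnl calls.

```c
/* Added example, not from the thread: read the kernel SAD over the XFRM netlink
 * family directly (xfrm is not generic netlink, and libnl has no xfrm API). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>
/* Reply buffer aligned for the 64-bit counters inside struct xfrm_usersa_info. */
union nlbuf { struct nlmsghdr h; unsigned long long align; unsigned char raw[8192]; };

/* Build a read-only SAD dump request: header only, NLM_F_DUMP means "all SAs". */
size_t xfrm_build_getsa_dump(struct nlmsghdr *nlh, uint32_t seq)
{
    memset(nlh, 0, NLMSG_HDRLEN);
    nlh->nlmsg_len = NLMSG_LENGTH(0);
    nlh->nlmsg_type = XFRM_MSG_GETSA;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    nlh->nlmsg_seq = seq;
    return nlh->nlmsg_len;
}

/* Extract SPI (host order) and IPsec protocol from one XFRM_MSG_NEWSA reply;
 * returns 0 for any other message type or for a truncated record. */
int xfrm_parse_newsa(const struct nlmsghdr *nlh, uint32_t *spi, uint8_t *proto)
{
    const struct xfrm_usersa_info *sa;
    if (nlh->nlmsg_type != XFRM_MSG_NEWSA || nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*sa)))
        return 0;
    sa = NLMSG_DATA(nlh);
    *spi = ntohl(sa->id.spi);
    *proto = sa->id.proto;
    return 1;
}

int main(void)
{
    union nlbuf m;
    struct nlmsghdr *nlh; ssize_t n; uint32_t spi; uint8_t proto;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    if (fd < 0) { perror("socket(NETLINK_XFRM)"); return 1; }
    xfrm_build_getsa_dump(&m.h, 1);
    if (send(fd, &m, m.h.nlmsg_len, 0) < 0) { perror("send"); return 1; }
    for (;;) { /* a dump arrives as a stream of NEWSA messages ending in NLMSG_DONE */
        if ((n = recv(fd, &m, sizeof m, 0)) < 0) { perror("recv"); return 1; }
        for (nlh = &m.h; NLMSG_OK(nlh, n); nlh = NLMSG_NEXT(nlh, n)) {
            if (nlh->nlmsg_type == NLMSG_DONE) return 0;
            if (nlh->nlmsg_type == NLMSG_ERROR) { fputs("netlink error\n", stderr); return 1; }
            if (xfrm_parse_newsa(nlh, &spi, &proto))
                printf("SA proto=%u spi=0x%08x\n", proto, spi);
        }
    }
}
```

The kernel lets unprivileged callers issue GETSA and GETPOLICY dumps but requires CAP_NET_ADMIN for every other XFRM message, so this read-only audit runs without root while any SAD or SPD change does not.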
