kmod-ipsec: enable CONFIG_XFRM_STATISTICS CONFIG_XFRM_MIGRATE #2142

Closed

antonyantony
Contributor

ipsec enhancements, @lucize

CONFIG_XFRM_STATISTICS helps debug Strongswan or libreswan
CONFIG_XFRM_MIGRATE used by libreswan to support mobike

Signed-off-by: Antony Antony <antony@phenome.org>

@ynezz ynezz added needs reviewer core packages pull request/issue for core (in-tree) packages labels Jun 17, 2019
@lucize
Contributor

lucize commented Jun 17, 2019

@antonyantony maybe more is needed here because it halts at asking

Transformation sub policy support (XFRM_SUB_POLICY) [N/y/?] n
Transformation migrate database (XFRM_MIGRATE) [N/y/?] (NEW) y
Transformation statistics (XFRM_STATISTICS) [N/y/?] (NEW)

@antonyantony
Contributor Author

> @antonyantony maybe more is needed here because it halts at asking
>
> Transformation sub policy support (XFRM_SUB_POLICY) [N/y/?] n
> Transformation migrate database (XFRM_MIGRATE) [N/y/?] (NEW) y
> Transformation statistics (XFRM_STATISTICS) [N/y/?] (NEW)

I am not sure how to fix this patch.
When I try on my existing branch it works. However, on vanilla branch it is missing something.

Any suggestions?

@antonyantony
Contributor Author

it worked for me on sunxi aarch64_cortex-a53, where everything was Y no M(modules)

When I try M on mvebu this does not work, I think because when libreswan is a module these config options are trying to be modules.

.config:6493:warning: symbol value 'm' invalid for XFRM_MIGRATE
.config:6494:warning: symbol value 'm' invalid for XFRM_STATISTICS

These two config options are bool. While the ipsec itself is a module.

How can I force the config options to Y when KernelPackage/ipsec is M?

config XFRM_MIGRATE
	bool "Transformation migrate database"
config XFRM_STATISTICS
	bool "Transformation statistics"

@jow-
Contributor

jow- commented Jun 26, 2019

Like this:

KCONFIG:= \
	CONFIG_NET_KEY \
	CONFIG_XFRM_USER \
	CONFIG_XFRM_STATISTICS=y \
	CONFIG_XFRM_MIGRATE=y \
	CONFIG_INET_IPCOMP \
	CONFIG_XFRM_IPCOMP

If symbols are not suffixed with =n, =y or =m they'll inherit the choice state of the parent kmod package.
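
The inheritance rule described above, as an added example that is not part of the original thread and not OpenWrt's build code: a simplified Python model that resolves a `KCONFIG` list against the parent kmod package's state and flags bool symbols that would end up as `m`. The function names, the unsuffixed list and the rule that undeclared symbols accept `m` are assumptions made for illustration.

```python
import re

# Kconfig declarations quoted in the thread: both symbols are bool.
KCONFIG_DECLS = """
config XFRM_MIGRATE
	bool "Transformation migrate database"
config XFRM_STATISTICS
	bool "Transformation statistics"
"""

# Constructed input: the list with no suffixes, and the list with the two bools pinned.
UNSUFFIXED = ("CONFIG_NET_KEY CONFIG_XFRM_USER CONFIG_XFRM_STATISTICS "
              "CONFIG_XFRM_MIGRATE CONFIG_INET_IPCOMP CONFIG_XFRM_IPCOMP")
PINNED = ("CONFIG_NET_KEY CONFIG_XFRM_USER CONFIG_XFRM_STATISTICS=y "
          "CONFIG_XFRM_MIGRATE=y CONFIG_INET_IPCOMP CONFIG_XFRM_IPCOMP")

def symbol_types(kconfig_text):
    """Map each declared symbol to its type ('bool' or 'tristate')."""
    types, current = {}, None
    for line in kconfig_text.splitlines():
        decl = re.match(r"\s*config\s+(\w+)", line)
        if decl:
            current = decl.group(1)
            continue
        kind = re.match(r"\s*(bool|tristate)\b", line)
        if kind and current:
            types[current] = kind.group(1)
    return types

def resolve(kconfig_list, parent_state, types):
    """Return (resolved values, problems) for one kmod package's KCONFIG list."""
    values, problems = {}, []
    for entry in kconfig_list.split():
        name, has_suffix, value = entry.partition("=")
        if not has_suffix:
            value = parent_state  # unsuffixed symbols inherit the package's y/m/n
        values[name] = value
        symbol = re.sub(r"^CONFIG_", "", name)
        # Assumption: symbols without a declaration above are treated as tristate.
        if types.get(symbol) == "bool" and value == "m":
            problems.append(f"symbol value 'm' invalid for {symbol}")
    return values, problems

if __name__ == "__main__":
    types = symbol_types(KCONFIG_DECLS)
    for label, kconfig in (("unsuffixed", UNSUFFIXED), ("pinned", PINNED)):
        for state in ("y", "m"):
            print(label, "package =", state, resolve(kconfig, state, types)[1])
```

With the package built in (`y`) the unsuffixed list resolves cleanly, which matches the sunxi result reported earlier in the thread; only the module (`m`) case produces the two warnings.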

CONFIG_XFRM_STATISTICS helps debug Strongswan or libreswan
CONFIG_XFRM_MIGRATE used by libreswan to support mobike

Signed-off-by: Antony Antony <antony@phenome.org>
@antonyantony
Contributor Author

thanks @jow- I think it works. @lucize would you try again?
I pushed an update to the branch.

@lucize
Contributor

lucize commented Jul 1, 2019

@antonyantony
sorry, I don't know how to test this, I could only start xfrmi with strongswan but even then I think something I'm doing wrong as I don't see traffic on the interface (on fortigate I see traffic).
oddly enough I can connect only to the xfrm interface, maybe marking is not working as it should
on libreswan I couldn't find a config for use with xfrmi like if_id_in/out

@antonyantony
Contributor Author

> @antonyantony
> sorry, I don't know how to test this, I could only start xfrmi with strongswan but even then I think something I'm doing wrong as I don't see traffic on the interface (on fortigate I see traffic).
> oddly enough I can connect only to the xfrm interface, maybe marking is not working as it should
> on libreswan I couldn't find a config for use with xfrmi like if_id_in/out

This change is to support mobike, RFC 4555, e.g. an iPhone moving from 4G to WiFi while keeping the tunnel up when moving networks. I think the biggest test is whether the kernel compiles with this change. Then libreswan, userland will/should do the right thing.

@lucize
Contributor

lucize commented Jul 10, 2019

the kernel compiles no problem on my test systems

@adschm
Member

adschm commented May 7, 2020

Hi, since this seems to be not a fix, but a feature, and none of the committers seems to be interested in reviewing it for almost a year, I will close it now (i.e. "Won't implement").

I'm sorry, but better crush your remaining hopes now than waiting another year where supposedly nothing different will happen.

@adschm adschm closed this May 7, 2020
@paulwouters

paulwouters commented May 6, 2024

This is breaking generic IPsec support. Please reconsider. It is a stable feature of billions of kernels out there. It is needed for proper functioning of libreswan and strongswan packages. If you are not confident on XFRM options, at least follow the Linus upstream kernel for defaults. Don't manually disable things.

ping @adschm
