amazon-linux-2023

[Feature Request] - XFRM Interfaces Kernel module

Open mantoine96 opened this issue 9 months ago • 0 comments

Is your feature request related to a problem? Please describe.

We operate Strongswan/Libreswan based VPNs on AWS. We would like to operate route-based VPN tunnels based on XFRM interfaces (see Strongswan documentation).

AL2023 (and even AL2) use a compatible kernel version + iproute version, but unfortunately the xfrm_interface kernel module is neither built nor available. We also cannot build it ourselves, as understandably AL2023 requires kernel modules to be signed.

Describe the solution you'd like

I would like for the xfrm_interface kernel module to be made available, so I can load it into my instance's kernel.

Describe alternatives you've considered

  • Using Ubuntu: latest Ubuntu builds this module. We want to remain with AL2023 if possible.
  • Building module ourselves: can't load it into the kernel without signing, or disabling module signature verification.

Additional context

AL2023:

$ find /lib/modules/6.1.87-99.174.amzn2023.aarch64/ -type f -name '*.ko'  | grep net | grep xfrm
/lib/modules/6.1.87-99.174.amzn2023.aarch64/kernel/net/ipv4/xfrm4_tunnel.ko
/lib/modules/6.1.87-99.174.amzn2023.aarch64/kernel/net/ipv6/xfrm6_tunnel.ko
/lib/modules/6.1.87-99.174.amzn2023.aarch64/kernel/net/netfilter/nft_xfrm.ko
/lib/modules/6.1.87-99.174.amzn2023.aarch64/kernel/net/xfrm/xfrm_algo.ko
/lib/modules/6.1.87-99.174.amzn2023.aarch64/kernel/net/xfrm/xfrm_ipcomp.ko
/lib/modules/6.1.87-99.174.amzn2023.aarch64/kernel/net/xfrm/xfrm_user.ko

Ubuntu 22.04:

root@ubuntu:/home/ubuntu# find /lib/modules/5.15.0-94-generic/ -type f -name '*.ko' | grep net | grep xfrm
/lib/modules/5.15.0-94-generic/kernel/net/xfrm/xfrm_user.ko
/lib/modules/5.15.0-94-generic/kernel/net/xfrm/xfrm_algo.ko
/lib/modules/5.15.0-94-generic/kernel/net/xfrm/xfrm_ipcomp.ko
/lib/modules/5.15.0-94-generic/kernel/net/xfrm/xfrm_interface.ko
/lib/modules/5.15.0-94-generic/kernel/net/netfilter/nft_xfrm.ko
/lib/modules/5.15.0-94-generic/kernel/net/ipv6/xfrm6_tunnel.ko
/lib/modules/5.15.0-94-generic/kernel/net/ipv4/xfrm4_tunnel.ko

mantoine96, May 07 '24 08:05
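The two checks this issue turns on (is `xfrm_interface` present for a kernel, and will that kernel accept a self-built module) can be scripted as below. This is an added example, not part of the original issue or of any Amazon Linux tooling; the function names are hypothetical, and it assumes the distribution ships its kernel build config as `/boot/config-<release>`.

```shell
#!/bin/sh
# Added example: report XFRM-interface availability and module-signing policy.
# Assumption: kernel build config is at /boot/config-<release>.

# config_value FILE SYMBOL -> y, m, or n (n when unset, absent, or unreadable)
config_value() (
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" 2>/dev/null | head -n 1)
    echo "${v:-n}"
)

# xfrm_if_status CONFIG_FILE MODULES_DIR -> builtin | module | config-only | missing
xfrm_if_status() {
    case "$(config_value "$1" CONFIG_XFRM_INTERFACE)" in
        y) echo builtin ;;
        m) # .ko* also matches compressed modules (.ko.xz, .ko.zst)
           if find "$2" -type f -name 'xfrm_interface.ko*' 2>/dev/null | grep -q .
           then echo module
           else echo config-only   # enabled in the config, but no .ko on disk
           fi ;;
        *) echo missing ;;
    esac
}

# sig_policy CONFIG_FILE [SYSFS_FILE] -> enforced | checked | off
sig_policy() (
    sysfs=${2:-/sys/module/module/parameters/sig_enforce}
    if [ "$(config_value "$1" CONFIG_MODULE_SIG_FORCE)" = y ] ||
       [ "$(cat "$sysfs" 2>/dev/null)" = Y ]; then
        echo enforced    # unsigned or wrongly signed modules are rejected
    elif [ "$(config_value "$1" CONFIG_MODULE_SIG)" = y ]; then
        echo checked     # signatures are verified; unsigned modules taint the kernel
    else
        echo off
    fi
)

# Report for the running kernel.
report() {
    rel=$(uname -r)
    echo "kernel:         $rel"
    echo "xfrm_interface: $(xfrm_if_status "/boot/config-$rel" "/lib/modules/$rel")"
    echo "module signing: $(sig_policy "/boot/config-$rel")"
}

report
```

Kernel lockdown can also force module signature verification; this script does not inspect it.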