Linux ip xfrm: What is the purpose of the tmpl?

Solution 1:

It tells the kernel how to process packets (for out policies), or where packets must come from (for in policies) when traffic matches this policy (fwd policies are a bit special as they might apply in both directions depending on the selector, see this answer). In your example the policy will send traffic through the ESP tunnel mode SA with endpoint IP addresses $SRC and $DST, and reqid $ID.

Why do we need to repeat them in the tmpl?

To actually find the SA/state. These are stored in a hashtable and the addresses (in particular the destination address) are part of the hash value. For tunnel mode SAs the addresses of the packet that matched the outbound policy don't necessarily match the addresses of the SA (for transport mode you might not have to add the addresses to the template).

And what is the meaning of calling it a "template"?

Not sure, but could be related to acquires, that is, if no matching SA has yet been established the information serves as template for the keying daemon when creating a new SA.
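As an added example (not code from the answer above or from iproute2), here is a simplified Python model of the lookup the answer describes: the template's proto, mode, reqid and addresses are what locate the SA in a destination-keyed table, so a tunnel-mode template without addresses cannot find the SA from the inner packet's addresses, while a transport-mode template can. All addresses and reqids are constructed sample values.

```python
# Added example, not code from the answer: a simplified model of how a policy
# template picks an SA out of the SAD. All addresses and reqids are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class State:          # one SA as installed with `ip xfrm state add`
    src: str
    dst: str
    proto: str
    mode: str
    reqid: int

@dataclass(frozen=True)
class Template:       # the tmpl part of `ip xfrm policy add`; src/dst optional
    proto: str
    mode: str
    reqid: int
    src: Optional[str] = None
    dst: Optional[str] = None

class Sad:            # SAD bucketed by destination address, as the answer says
    def __init__(self) -> None:
        self._by_dst: dict[str, list[State]] = {}
    def add(self, sa: State) -> None:
        self._by_dst.setdefault(sa.dst, []).append(sa)
    def resolve(self, tmpl: Template, pkt_src: str, pkt_dst: str) -> Optional[State]:
        # Template addresses win. Without them only the packet's addresses
        # remain: fine for transport mode, but a tunnel SA is keyed by the
        # outer addresses, so the inner packet lands in the wrong bucket.
        src, dst = tmpl.src or pkt_src, tmpl.dst or pkt_dst
        for sa in self._by_dst.get(dst, []):
            if (sa.src, sa.proto, sa.mode, sa.reqid) == (src, tmpl.proto, tmpl.mode, tmpl.reqid):
                return sa
        return None

SAD = Sad()
TUNNEL = State("192.0.2.1", "198.51.100.1", "esp", "tunnel", 42)
TRANSPORT = State("192.0.2.1", "198.51.100.1", "esp", "transport", 7)
SAD.add(TUNNEL)
SAD.add(TRANSPORT)

def demo() -> dict[str, Optional[State]]:
    inner = ("10.1.0.5", "10.2.0.9")    # hosts behind the two gateways
    gw = ("192.0.2.1", "198.51.100.1")  # the gateways' own addresses
    return {
        "tunnel_with_addrs": SAD.resolve(Template("esp", "tunnel", 42, *gw), *inner),
        "tunnel_no_addrs": SAD.resolve(Template("esp", "tunnel", 42), *inner),
        "transport_no_addrs": SAD.resolve(Template("esp", "transport", 7), *gw),
    }
```

demo() returns the tunnel SA only for the template that carries the gateway addresses, nothing for the tunnel template without them, and the transport SA from the packet addresses alone.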