[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Fri Sep 4 02:00:26 EEST 2015
New commits:
commit 2b99eda962886889189cbbcc05ff094b318f91b7
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Sep 3 18:54:34 2015 -0400
pluto: IKEv2 don't log bogus RC_SERIOUS log message

Due to the redesign in how ikev2parent_inI1outR1() called
ikev2_find_host_connection() we had a logging artifact that for AUTH_NULL
would log the following RC_LOG_SERIOUS messages before successfully
establishing a tunnel:

Sep 3 15:55:48: packet from 10.236.54.80:500: initial parent SA message received on 10.236.54.8:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
Sep 3 15:55:48: packet from 10.236.54.80:500: initial parent SA message received on 10.236.54.8:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW
Sep 3 15:55:48: "private-or-clear#10.0.0.0/8"[2] ...10.236.54.80 #5: negotiated tunnel [10.236.54.8,10.236.54.8:0-65535 0] -> [10.236.54.80,10.236.54.80:0-65535 0]

This commit changes those RC_LOG_SERIOUS messages into DBG messages,
and adds a more generic RC_LOG_SERIOUS log message in the caller:

"initial parent SA message received on %s:%u but no suitable connection found with IKEv2 policy of RSASIG, PSK or AUTH_NULL",

I'm not sure if we should even keep this as a RC_LOG_SERIOUS message
though, as it is a denial of service on the logs, and we have turned
most of these into DBG messages. But turning this into DBG might result
in a complete lack of understanding when run without debugging.

commit 8d6aa89c6288030de8661145492f573976f48ef9
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Sep 3 18:25:43 2015 -0400
updated CHANGES
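
The logging pattern described in commit 2b99eda above, as an added example that is not libreswan's code: per-policy lookup misses go to debug output, and the caller writes a single serious line only when every policy has missed. The types, `emit()`, `find_conn()` and `accept_initial()` are hypothetical stand-ins, and the connection table is constructed sample data.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins; these are not pluto's types or functions. */
enum auth { RSASIG, PSK, NULL_AUTH, AUTH_COUNT };
static const char *const auth_name[AUTH_COUNT] = { "RSASIG", "PSK", "AUTH_NULL" };
struct conn { const char *name; enum auth auth; };
static int serious_lines, debug_lines, debugging; /* debugging=0: debug lines counted, not written */

static void emit(int serious, const char *fmt, ...)
{
    va_list ap;
    if (serious) serious_lines++; else debug_lines++;
    if (!serious && !debugging) return;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
}

/* One lookup per policy. A miss here is not an error yet: the caller may
 * still match the next policy, so it is recorded at debug level only. */
static const struct conn *find_conn(const struct conn *t, size_t n, enum auth a)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].auth == a) return &t[i];
    emit(0, "no connection has been authorized with policy %s", auth_name[a]);
    return NULL;
}

/* Caller: one serious line, and only after every policy has missed. */
static const struct conn *accept_initial(const struct conn *t, size_t n,
                                         const char *ip, unsigned port)
{
    for (int a = RSASIG; a < AUTH_COUNT; a++) {
        const struct conn *c = find_conn(t, n, (enum auth)a);
        if (c != NULL) return c;
    }
    emit(1, "initial parent SA message received on %s:%u but no suitable "
            "connection found with IKEv2 policy of RSASIG, PSK or AUTH_NULL", ip, port);
    return NULL;
}

int main(void)
{
    const struct conn table[] = { { "private-or-clear", NULL_AUTH } }; /* constructed */
    const struct conn *c = accept_initial(table, 1, "10.236.54.8", 500);
    printf("matched %s, serious=%d debug=%d\n", c ? c->name : "none", serious_lines, debug_lines);
}
```

With the AUTH_NULL connection present, the two earlier misses are counted as debug events and nothing serious is logged; with an empty table, exactly one serious line is written per rejected packet.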