[Swan-commit] Changes to ref refs/heads/main
Andrew Cagney
cagney at vault.libreswan.fi
Mon Dec 6 01:52:23 EET 2021
New commits:
commit 126deedda1ca53ecfeb3cae6429a7cb89ac39768
Author: Andrew Cagney <cagney at gnu.org>
Date: Sun Dec 5 18:51:37 2021 -0500
testing: add ikev2-crossing-streams-03-iface to github #557
commit c7bd35409df26094447ce60bf861514b6d3c5c77
Author: Andrew Cagney <cagney at gnu.org>
Date: Sun Dec 5 10:24:51 2021 -0500
sec_label (ikev2): try to narrow hybrid template-instance sec_label connections
If the IKE SA's sec_label connection isn't an exact match try to narrow it.
Some notes are in order:
- initially there's a sec_label CK_TEMPLATE with remote=%any
- the IKE SA narrows that by seeting remote=..., but it is still a template
(lets call it hybrid template-instance; perhaps things should have started
with CK_GROUP?)
- then the Child SA instantiates that adding details such as the negotiated
sec_label and selctors, creating a CK_INSTANCE
the code wasn't letting this narrow the hybrid template-instance
- the code doesn't go down the find a better template path
It doesn't seem to fit: with sec_labels, the kernel policy was installed
during IKE_AUTH so really can't be changed with a new template.
commit 69dbfb70cb72edea429e956593b28ac128711f42
Author: Andrew Cagney <cagney at gnu.org>
Date: Sun Dec 5 10:58:39 2021 -0500
testing: add ikev2-labeled-ipsec-08-narrow-ike-*/
More information about the Swan-commit
mailing list