[Swan-commit] Changes to ref refs/heads/main

Andrew Cagney cagney at vault.libreswan.fi
Mon Dec 6 01:52:23 EET 2021


New commits:
commit 126deedda1ca53ecfeb3cae6429a7cb89ac39768
Author: Andrew Cagney <cagney at gnu.org>
Date:   Sun Dec 5 18:51:37 2021 -0500

    testing: add ikev2-crossing-streams-03-iface to github #557

commit c7bd35409df26094447ce60bf861514b6d3c5c77
Author: Andrew Cagney <cagney at gnu.org>
Date:   Sun Dec 5 10:24:51 2021 -0500

    sec_label (ikev2): try to narrow hybrid template-instance sec_label connections
    
    If the IKE SA's sec_label connection isn't an exact match try to narrow it.
    
    Some notes are in order:
    
    - initially there's a sec_label CK_TEMPLATE with remote=%any
    
    - the IKE SA narrows that by setting remote=..., but it is still a template
      (let's call it hybrid template-instance; perhaps things should have started
       with CK_GROUP?)
    
    - then the Child SA instantiates that adding details such as the negotiated
      sec_label and selectors, creating a CK_INSTANCE
    
      the code wasn't letting this narrow the hybrid template-instance
    
    - the code doesn't go down the find a better template path
      It doesn't seem to fit: with sec_labels, the kernel policy was installed
      during IKE_AUTH so really can't be changed with a new template.

commit 69dbfb70cb72edea429e956593b28ac128711f42
Author: Andrew Cagney <cagney at gnu.org>
Date:   Sun Dec 5 10:58:39 2021 -0500

    testing: add ikev2-labeled-ipsec-08-narrow-ike-*/


