[Swan-dev] heads up: sa priority update

Paul Wouters paul at nohats.ca
Wed Dec 18 04:45:06 UTC 2019


One of the recent bugs in transport mode OE connections turns out to
have been due to a bad IPsec SA priority calculation. There was a check
for tunnel mode, which then looked at other bits than for transport
mode. Unfortunately, it meant that for transport mode the template
conn (eg private-or-clear#192.1.2.0/24) would get the same priority as the instance
of that (eg private-or-clear#192.1.2.0/24-192.1.2.23). Whether due to
changed kernel behaviour or something else, the two conns having the
same priority led to packet drops when it hit the template out policy.

Additionally, when I reviewed my change with Hugh, he found a bug
where a /32 template and instance would also get the same priority.
This might not cause a problem, since we handle duplicate eroutes
specially, but just to be safe we gave Template vs Instance another
bit in the IPsec SA priority calculation.

This means that all ip xfrm priorities visibly changed. I've gotten most
of these fixed up in the following testing commit. But some IPv6 tests
failed to run on my laptop, so I'm letting testing.libreswan.org run
those and fix those up tomorrow. I might have missed a few regardless,
so if you spot one, ping me with the testname (and/or the old and new
priority value).

Paul
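The following is an added illustration and not libreswan code: a toy model of how the kernel picks among overlapping `ip xfrm` out policies, using a made-up priority formula (labelled hypothetical in the code, not libreswan's real calculation) that only reproduces the two properties the mail describes. With the original bug, a transport-mode template (private-or-clear#192.1.2.0/24) and its instance (private-or-clear#192.1.2.0/24-192.1.2.23) get equal priority, so a packet to 192.1.2.23 is matched by the template policy; counting the selector width fixes that but still leaves a /32 template tied with its /32 instance, which is what the extra template-vs-instance bit resolves. The tie-break by installation order is an assumption of this model.

```python
"""Toy model of xfrm policy selection, added to illustrate the priority bug.

This is NOT libreswan's priority calculation; the formula below is a
hypothetical stand-in that only captures the two properties the mail
describes: (1) in the buggy version a transport-mode template and its
instance got the same priority, and (2) a /32 template and a /32 instance
tie unless template-vs-instance gets its own bit.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    dst: ipaddress.IPv4Network   # destination selector of the out policy
    priority: int                # as shown by `ip xfrm policy`: lower value wins
    is_template: bool            # True for the template conn, False for the instance


def sa_priority(dst, is_template, mode, prefix_fix=True, template_bit=True):
    """Hypothetical priority: narrower selector -> smaller (stronger) value.

    prefix_fix=False models the original bug: the selector width is only
    counted in tunnel mode, so every transport-mode policy collapses to 0.
    template_bit=True models the extra bit added after review: a template
    ranks one step below an instance of equal selector width.
    """
    width = 32 - dst.prefixlen                # 0 for a /32, 8 for a /24
    prio = width * 2 if (prefix_fix or mode == "tunnel") else 0
    if template_bit and is_template:
        prio += 1
    return prio


def build_policies(template_net, instance_host, mode, prefix_fix=True, template_bit=True):
    """Template first, then its instance (installation order is an assumption)."""
    t = ipaddress.ip_network(template_net)
    i = ipaddress.ip_network(instance_host)   # a single host -> /32
    return [
        Policy(f"private-or-clear#{t}", t,
               sa_priority(t, True, mode, prefix_fix, template_bit), True),
        Policy(f"private-or-clear#{t}-{i.network_address}", i,
               sa_priority(i, False, mode, prefix_fix, template_bit), False),
    ]


def lookup(policies, dst_ip):
    """Pick the matching policy with the lowest priority value.

    Assumption of this model: ties are broken by installation order, so a
    template installed before its instance wins a tie against it.
    """
    ip = ipaddress.ip_address(dst_ip)
    ranked = [(p.priority, pos, p) for pos, p in enumerate(policies) if ip in p.dst]
    return min(ranked)[2] if ranked else None


def winner(template_net, instance_host, dst_ip, mode, prefix_fix=True, template_bit=True):
    """Name of the policy an outbound packet to dst_ip would hit."""
    pols = build_policies(template_net, instance_host, mode, prefix_fix, template_bit)
    hit = lookup(pols, dst_ip)
    return hit.name if hit else None


if __name__ == "__main__":
    variants = [("original bug", dict(prefix_fix=False, template_bit=False)),
                ("width counted", dict(prefix_fix=True, template_bit=False)),
                ("with template bit", dict(prefix_fix=True, template_bit=True))]
    for label, kw in variants:
        print(label)
        print("  /24 template, transport:",
              winner("192.1.2.0/24", "192.1.2.23", "192.1.2.23", "transport", **kw))
        print("  /32 template, transport:",
              winner("192.1.2.23/32", "192.1.2.23", "192.1.2.23", "transport", **kw))
```

Running it shows the template winning in the first variant for the /24 case, the template still winning for the /32 case in the second variant, and the instance winning in both cases once the template bit is present; in tunnel mode the /24 case is unaffected by the original bug because the selector width was already counted there.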
