[Swan-dev] heads up: sa priority update

Andrew Cagney andrew.cagney at gmail.com
Wed Dec 18 20:00:48 UTC 2019


sounds like something to unit test

On Tue, 17 Dec 2019 at 23:45, Paul Wouters <paul at nohats.ca> wrote:
>
>
> One of the recent bugs in transport mode OE connections turns out to
> have been due to a bad IPsec SA priority calculation. There was a check
> for tunnel mode, which then looked at other bits than for transport
> mode. Unfortunately, it meant that for transport mode the template
> conn (e.g. private-or-clear#192.1.2.0/24) would get the same priority as the instance
> of that (e.g. private-or-clear#192.1.2.0/24-192.1.2.23). Whether due to
> changed kernel behaviour or something else, the two conns having the
> same priority led to packet drops when it hit the template out policy.
>
> Additionally, when I reviewed my change with Hugh, he found a bug
> where a /32 template and instance would also get the same priority.
> This might not cause a problem, since we handle duplicate eroutes
> specially, but just to be safe we gave Template vs Instance another
> bit in the IPsec SA priority calculation.
>
> This means that all ip xfrm priorities visibly changed. I've gotten most
> of these fixed up in the following testing commit. But some IPv6 tests
> failed to run on my laptop, so I'm letting testing.libreswan.org run
> those and fix those up tomorrow. I might have missed a few regardless,
> so if you spot one, ping me with the testname (and/or the old and new
> priority value)
>
> Paul
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
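An added example to illustrate the ordering problem the thread describes and the unit test the reply asks for. This is not libreswan's own priority code; it is a small model of deriving an XFRM policy priority from selector specificity. Linux XFRM applies the matching policy with the lowest numeric priority, so a conn instance (exact peer) must come out strictly lower than the template it was instantiated from. The struct fields, the bit layout, SA_PRIO_MAX and the sample selectors are assumptions constructed for this example:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model (not libreswan code) of an IPsec SA policy priority derived from
 * selector specificity.  Lower numeric priority wins in XFRM, so a more
 * specific selector has to map to a smaller number.  Field names, the bit
 * layout and SA_PRIO_MAX are assumptions made for this example.
 */
enum sa_mode { SA_TUNNEL, SA_TRANSPORT };

struct sa_sel {
	enum sa_mode mode;
	bool is_template;	/* template conn vs. an instance of it */
	uint8_t local_bits;	/* prefix length of the local traffic selector */
	uint8_t remote_bits;	/* prefix length of the remote traffic selector */
	uint8_t proto;		/* 0 = any protocol */
	uint16_t local_port;	/* 0 = any port */
	uint16_t remote_port;
};

#define SA_PRIO_MAX 0x7fffffffU	/* assumed ceiling; the number is subtracted from it */

/* Specificity bits shared by both versions: ports, protocol, prefix lengths
 * (up to 128 bits for IPv6 fits in one byte each). */
static uint32_t selector_bits(uint32_t local_bits, uint32_t remote_bits,
			      const struct sa_sel *s)
{
	uint32_t portw = (s->local_port != 0) + (s->remote_port != 0);
	uint32_t protow = s->proto != 0;
	return (portw << 17) | (protow << 16) | (local_bits << 8) | remote_bits;
}

/* The behaviour described in the thread: in transport mode the calculation
 * looked at other bits than the traffic selectors (modelled here as the /32
 * host address width), so a template and its instance came out equal. */
uint32_t sa_prio_before(const struct sa_sel *s)
{
	uint32_t lb = s->local_bits, rb = s->remote_bits;
	if (s->mode == SA_TRANSPORT)
		lb = rb = 32;	/* host width, identical for template and instance */
	return SA_PRIO_MAX - selector_bits(lb, rb, s);
}

/* After the fix: selector prefix lengths count in both modes, and an
 * instance gets one extra low-order bit so it still beats a template with
 * identical selectors (the /32 template vs /32 instance case). */
uint32_t sa_prio_after(const struct sa_sel *s)
{
	uint32_t instance_bit = s->is_template ? 0 : 1;
	return SA_PRIO_MAX -
	       ((selector_bits(s->local_bits, s->remote_bits, s) << 1) | instance_bit);
}

/* The property a unit test should pin down: the instance sorts strictly
 * before (lower number than) the template it was instantiated from. */
bool instance_beats_template(uint32_t (*prio)(const struct sa_sel *),
			     const struct sa_sel *tmpl,
			     const struct sa_sel *inst)
{
	return prio(inst) < prio(tmpl);
}

/* Constructed cases from the thread: a transport-mode OE group template
 * private-or-clear#192.1.2.0/24 and its instance to 192.1.2.23/32, and a
 * /32 template with a /32 instance. */
const struct sa_sel oe_template   = { SA_TRANSPORT, true,  32, 24, 0, 0, 0 };
const struct sa_sel oe_instance   = { SA_TRANSPORT, false, 32, 32, 0, 0, 0 };
const struct sa_sel host_template = { SA_TRANSPORT, true,  32, 32, 0, 0, 0 };
const struct sa_sel host_instance = { SA_TRANSPORT, false, 32, 32, 0, 0, 0 };

int main(void)
{
	printf("before: template %lu instance %lu -> instance wins: %s\n",
	       (unsigned long)sa_prio_before(&oe_template),
	       (unsigned long)sa_prio_before(&oe_instance),
	       instance_beats_template(sa_prio_before, &oe_template, &oe_instance) ? "yes" : "no");
	printf("after:  template %lu instance %lu -> instance wins: %s\n",
	       (unsigned long)sa_prio_after(&oe_template),
	       (unsigned long)sa_prio_after(&oe_instance),
	       instance_beats_template(sa_prio_after, &oe_template, &oe_instance) ? "yes" : "no");
	printf("/32 vs /32 after: template %lu instance %lu\n",
	       (unsigned long)sa_prio_after(&host_template),
	       (unsigned long)sa_prio_after(&host_instance));
	return 0;
}
```

Run against the real system, the same property can be checked from `ip xfrm policy` output: for each template/instance pair the instance's `priority` value should be the smaller one, which is also the number that changed in the test expectations mentioned above.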
