[Swan-dev] what is nat_traversal_new_mapping(nfo_st, ...) looking for?
Paul Wouters
paul at nohats.ca
Thu Jul 4 16:49:10 UTC 2019
On Thu, 4 Jul 2019, Andrew Cagney wrote:
> The code is roughly:
>
> for st in all states do:
> if ((IS_CHILD_SA(nfo_st) &&
> (st->st_serialno == nfo_st->st_clonedfrom ||
> st->st_clonedfrom == nfo_st->st_clonedfrom)) ||
> st->st_serialno == nfo_st->st_serialno) {
> do stuff
> }
>
> if I transform the if() I get:
>
> if ((IS_CHILD_SA(nfo_st) && st->st_serialno == nfo_st->st_clonedfrom) ||
> (IS_CHILD_SA(nfo_st) && st->st_clonedfrom == nfo_st->st_clonedfrom) ||
> st->st_serialno == nfo_st->st_serialno)
>
> which makes me suspect it is looking for:
>
> - nfo_st's IKE SA
> - nfo_st's siblings
> - and of course nfo_st
>
> or in other words it wants to 'do stuff' on ST's entire family? I
> guess that makes sense, just not very efficient.
I think this case is when the initial IKE packet comes from a different
port. The client is behind NAT, uses port 500 and gets NAT'ed to port
3276x. And then it detects NAT and switches to port 4500, but then of
course the NAT gateway will NAT it to another port.
My guess is this code updates the ports in the struct st for that,
although it is a bit scary it might also update the IP address. And
the child states should never use the state port/interface anything I
think - it should only be stored in the actual IKE states that need it.
Paul
More information about the Swan-dev
mailing list