[Swan-dev] what is nat_traversal_new_mapping(nfo_st, ...) looking for?

Andrew Cagney andrew.cagney at gmail.com
Thu Jul 4 19:44:23 UTC 2019


On Thu, 4 Jul 2019 at 12:49, Paul Wouters <paul at nohats.ca> wrote:
>
> On Thu, 4 Jul 2019, Andrew Cagney wrote:
>
> > The code is roughly:
> >
> >  for st in all states do:
> >    if ((IS_CHILD_SA(nfo_st) &&
> >        (st->st_serialno == nfo_st->st_clonedfrom ||
> >         st->st_clonedfrom == nfo_st->st_clonedfrom)) ||
> >        st->st_serialno == nfo_st->st_serialno) {
> >            do stuff
> >    }
> >
> > if I transform the if() I get:
> >
> >    if ((IS_CHILD_SA(nfo_st) && st->st_serialno == nfo_st->st_clonedfrom) ||
> >        (IS_CHILD_SA(nfo_st) && st->st_clonedfrom == nfo_st->st_clonedfrom) ||
> >        st->st_serialno == nfo_st->st_serialno)
> >
> > which makes me suspect it is looking for:
> >
> > - nfo_st's IKE SA
> > - nfo_st's siblings
> > - and of course nfo_st
> >
> > or in other words it wants to 'do stuff' on ST's entire family?  I
> > guess that makes sense, just not very efficient.
>
> I think this case is when the initial IKE packet comes from a different
> port. The client is behind NAT, uses port 500 and gets NAT'ed to port
> 3276x. And then it detects NAT and switches to port 4500, but then of
> course the NAT gateway will NAT it to another port.
>
> My guess is this code updates the ports in the struct st for that,
> although it is a bit scary it might also update the IP address. And
> the child states should never use the state port/interface anything I
> think - it should only be stored in the actual IKE states that need it.

I suspect it updates children as, in IKEv1 they are allowed to out
live their parent.


More information about the Swan-dev mailing list