[Swan-dev] what is

Paul Wouters paul at nohats.ca
Wed Oct 9 04:36:54 UTC 2019

On Tue, 8 Oct 2019, Andrew Cagney wrote:

>  find_connection: looking for policy for connection:
> ->
> perhaps this helps (or confuses)?

Yes, it is the encoding of types/subtypes into ports as per https://tools.ietf.org/html/rfc7296#section-3.13.1

>  subnet from endpoint (in netlink_acquire() at
> kernel_netlink.c:1782)
>  add bare shunt 0x7f943c3fdf78 --1-->
> => %hold 0    %acquire-netlink
> since this is happening when an acquire is triggered by a ping packet,
> 1 is maybe ICMP and 8 is something found in the acquire's .sport
> field (but what?)
> Two problems:
> - the syntax is terrible: :1 isn't a port, /8 isn't a mask - even
> would be better

I guess ideally it would be: --1/8-->

> - there's a subnet kicking round with a bogus port 8, does it get
> scrubbed, or do we get away with this because the IKEv2 TS code is
> instead looking at end.port and that's zero ...

It might get wiped in the "broadening" of the shunt. And it cannot work
without broadening, because you cannot have a narrowed policy for only
1/8 (well, it makes no sense: you could only send pings but not ping
replies). The widening for proto 1 should probably be 1/0 (e.g. no

