[Swan-dev] no-port vs zero port

Andrew Cagney andrew.cagney at gmail.com
Thu Sep 5 03:49:27 UTC 2019


On Wed, 4 Sep 2019 at 10:40, Paul Wouters <paul at nohats.ca> wrote:

> >
> >
> >  New commits:
> >  commit 4972d0201f054b6c5de8804a20fc56679a72c8bd
> >  Author: Andrew Cagney <cagney at gnu.org>
> >  Date:   Wed Sep 4 09:50:35 2019 -0400
> >
> >      ip: add jam_subnet_port() et.al., test
> >
> >      Note the long standing bug: because the port is stored as a uint16_t
> >      in a sockaddr(1), it isn't possible to differentiate between no-port
> >      and zero port.  Since this is going to replace:
> >
> >          "%s:%d", str_subnet(), subnet_hport()
> >
> >      it mimics that behaviour, at least for now (don't be fooled by the
> >      preemptive hport<0 check).
>
> Using 0 for protocols or ports always means "all of it" in IKE/IPsec and
> never means "none". So this is not a bug that needs fixing.
>

Our code isn't so sure:

        /*
         * if port is %any or 0 we mean all ports (or all icmp/icmpv6)
         * See RFC-5996 Section 3.13.1 handling for ICMP(1) and ICMPv6(58)
         *   we only support providing Type, not Code, eg protoport=1/1
         */
        if (e->port == 0 || e->has_port_wildcard) {
                ts.startport = 0;
                ts.endport = 65535;

so while port 0 is a real bad idea, and should indicate "all", we'd be on
safer ground if ip_subnet used something unambiguous to indicate "all
ports".  For instance a port outside of the range 0..65535, or a separate
bool.

http://google.com:0/ anyone?
https://daniel.haxx.se/blog/2014/10/25/pretending-port-zero-is-a-normal-one/



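Added example, not code from the libreswan tree: a hypothetical ip_subnet stand-in that keeps the port as an int with an out-of-range sentinel, so that parsing, printing and the traffic-selector mapping quoted above can tell "no port" from a literal port 0 (the range derivation still maps both to all ports, as the quoted code does). The struct, NO_PORT and the function names are invented for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for ip_subnet (not libreswan's struct): hport is an
 * int so -1 (NO_PORT) differs from a literal 0, which a uint16_t cannot express. */
#define NO_PORT (-1)
struct subnet {
	char prefix[48];	/* e.g. "10.0.0.0/8", kept verbatim */
	int hport;		/* NO_PORT, or 0..65535 in host order */
};
/* Parse "PREFIX[:PORT]" (IPv4 only, so ':' never occurs inside the prefix);
 * false on an empty/oversized prefix or a malformed or out-of-range port. */
static bool parse_subnet_port(const char *s, struct subnet *out)
{
	const char *colon = strchr(s, ':');
	size_t plen = colon ? (size_t)(colon - s) : strlen(s);
	if (plen == 0 || plen >= sizeof(out->prefix))
		return false;
	memcpy(out->prefix, s, plen);
	out->prefix[plen] = '\0';
	if (colon == NULL) {
		out->hport = NO_PORT;	/* no port given, not port 0 */
		return true;
	}
	char *end;
	long port = strtol(colon + 1, &end, 10);
	if (end == colon + 1 || *end != '\0' || port < 0 || port > 65535)
		return false;
	out->hport = (int)port;
	return true;
}
/* Only a literal port (0 included) is rendered as ":PORT". */
static int str_subnet_port(const struct subnet *s, char *buf, size_t len)
{
	if (s->hport == NO_PORT)
		return snprintf(buf, len, "%s", s->prefix);
	return snprintf(buf, len, "%s:%d", s->prefix, s->hport);
}
/* TS port range as the quoted code derives it: NO_PORT and 0 both mean all ports. */
struct ts_ports { uint16_t startport, endport; };
static struct ts_ports subnet_ts_ports(const struct subnet *s)
{
	struct ts_ports ts = { 0, 65535 };
	if (s->hport > 0)
		ts.startport = ts.endport = (uint16_t)s->hport;
	return ts;
}
```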

