[Swan-dev] no-port vs zero port
Paul Wouters
paul at nohats.ca
Mon Sep 9 13:53:00 UTC 2019
On Wed, 4 Sep 2019, Andrew Cagney wrote:
> Using 0 for protocols or ports always means "all of it" in IKE/IPsec and
> never means "none". So this is not a bug that needs fixing.
>
> Our code isn't so sure:
>
> /*
> * if port is %any or 0 we mean all ports (or all icmp/icmpv6)
> * See RFC-5996 Section 3.13.1 handling for ICMP(1) and ICMPv6(58)
> * we only support providing Type, not Code, eg protoport=1/1
> */
> if (e->port == 0 || e->has_port_wildcard) {
> ts.startport = 0;
> ts.endport = 65535;
That's part of the RFC. We map ICMP types onto ports. But for all
practical purposes, this can be treated as ports, eg our code and the
RFC do not really differ if this is read as "protocol 1, port 8"
versus "ICMP echo".
> so while port 0 is a real bad idea, and should indicate "all", we'd be on safer ground if ip_subnet used something unambiguous to indicate
> "all ports". For instance a port outside of the range 0..65535, or a separate bool.
I don't think we should change anything. In any config file or webgui,
you will need or be instructed to set the protocol/port to set specific
icmp/type traffic selectors. Which is unwise anyway to do, because
accepting only a few ICMPs would lead to weird connections, broken path
MTU, etc.
> http://google.com:0/ anyone?
> https://daniel.haxx.se/blog/2014/10/25/pretending-port-zero-is-a-normal-one/
That just shows anything really using port 0 is a bad hack. I have no
problem not supporting that.
Paul
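The convention under discussion (port 0 or a wildcard selects the whole 0..65535 range, and ICMP type/code ride in the port field per RFC 5996/7296 Section 3.13.1) is easy to misread, so here is a small stand-alone C illustration. It is an added example, not code from libreswan or from either poster; the struct and function names (ts_range, ts_from_protoport, ts_matches, zero_port_is_ambiguous) are hypothetical, and the ICMP packing follows the RFC (type in the high byte, code in the low byte) rather than anything the thread confirms about libreswan's own mapping.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed protocol numbers so the example needs no <netinet/in.h>. */
#define PROTO_ICMP   1
#define PROTO_ICMPV6 58

/* Hypothetical traffic-selector port range (not libreswan's struct). */
struct ts_range {
    uint8_t  proto;      /* 0 means any protocol */
    uint16_t startport;
    uint16_t endport;
};

/* RFC 7296 Section 3.13.1: for ICMP/ICMPv6 the 16-bit "port" carries the
 * type in the most significant byte and the code in the least significant. */
static uint16_t icmp_typecode(uint8_t type, uint8_t code)
{
    return (uint16_t)(((uint16_t)type << 8) | code);
}

/* Build a selector from a protoport-style (proto, port, wildcard) triple.
 * Port 0 or a wildcard means "all ports", the convention in the quoted code.
 * For ICMP the port is taken as a Type only (the thread notes Code is not
 * supported), and the range covers every Code of that Type. */
struct ts_range ts_from_protoport(uint8_t proto, uint16_t port, bool has_port_wildcard)
{
    struct ts_range ts = { .proto = proto, .startport = 0, .endport = 0 };

    if (port == 0 || has_port_wildcard) {
        ts.startport = 0;
        ts.endport   = 65535;
    } else if ((proto == PROTO_ICMP || proto == PROTO_ICMPV6) && port <= 0xff) {
        ts.startport = icmp_typecode((uint8_t)port, 0x00);
        ts.endport   = icmp_typecode((uint8_t)port, 0xff);
    } else {
        ts.startport = port;
        ts.endport   = port;
    }
    return ts;
}

/* Does a packet (proto, port or packed ICMP type/code) fall inside the selector? */
bool ts_matches(const struct ts_range *ts, uint8_t proto, uint16_t port_or_typecode)
{
    if (ts->proto != 0 && ts->proto != proto)
        return false;
    return port_or_typecode >= ts->startport && port_or_typecode <= ts->endport;
}

/* The ambiguity Andrew raised: with "0 means all", a selector written for
 * TCP port 0 alone still matches TCP port 443. Returns true to show that. */
bool zero_port_is_ambiguous(void)
{
    struct ts_range ts = ts_from_protoport(6, 0, false);
    return ts_matches(&ts, 6, 443);
}

int main(void)
{
    struct ts_range all  = ts_from_protoport(6, 0, false);      /* tcp, any port */
    struct ts_range ike  = ts_from_protoport(17, 500, false);   /* udp/500 */
    struct ts_range echo = ts_from_protoport(PROTO_ICMP, 8, false); /* icmp type 8 */

    printf("tcp/0     -> %u..%u\n", all.startport, all.endport);
    printf("udp/500   -> %u..%u\n", ike.startport, ike.endport);
    printf("icmp/8    -> 0x%04x..0x%04x\n", echo.startport, echo.endport);
    printf("echo request (8/0) matches icmp/8: %s\n",
           ts_matches(&echo, PROTO_ICMP, icmp_typecode(8, 0)) ? "yes" : "no");
    printf("tcp/0 also matches tcp/443: %s\n", zero_port_is_ambiguous() ? "yes" : "no");
    return 0;
}
```

The last print is the point of Andrew's objection: once 0 is overloaded to mean "all", nothing in the selector itself records whether the administrator meant "every port" or "port 0", which is why the thread floats an out-of-range sentinel or a separate flag as the unambiguous alternative.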