[Swan-dev] expirimental : ipsec device/interface aka XFRMi

Paul Wouters paul at nohats.ca
Wed Jan 22 10:50:27 UTC 2020

On Wed, 22 Jan 2020, Antony Antony wrote:

> this morning in a testrun I noticed a bunch of coredump from addcon
> https://swantest.libreswan.fi/s2/v3.28-1487-g3d33747478-testrun-xfrmi/
> I will investigate addcon crash today.

> current configuration option is
> ipsec-interface=no|yes|<n> where n = 1..UINT32_MAX

I think it might be due to its value being both a number and not. It is
not following our rules about numbers, time based units, etc. Again, I
would recommend we only allow regular numbers > 0. No "yes|no" and no
implied hex (all our parsers treat 0xNNN as hsex, 0sNNN as base64, and
no prefix as decimal. This should not be different)

> Note 0x is necessary.

That is not how our parser works normally.

> IPv6 and xfrmi may not work in all cases. ipv6 up-down script need more
> work.

Sure. I think it is okay to postpone that for after the merge.

> My plan resolve addconn issue is, a new testrun. If there are no major
> issues I will merge.

While you mention looking at the issue I found, you didn't answer about
my provided patch. Is it correct? Is it wrong? Is there a better way?
Will it be okay to use before merge?


More information about the Swan-dev mailing list