[Swan-dev] sanitizer and ephemeral ports .. Re: [Swan-commit]

Antony Antony antony at phenome.org
Sat Jan 25 20:28:51 UTC 2020


First, I noticed sanitizers have improved a lot. Thanks.

I know the iptables change was discussed a while ago [1].

Now we are sanitizing sport and dport when they are not the default; however, for 
some tests like mobike it is not a good idea.

I am still thinking about how to change the tests to preserve the ports when we 
want them to, and sanitize when we should not care. I guess using different 
NAT port ranges would help. I read the comments in ephemeral-ports.sed.

Andrew,
I have a feeling the following commit, along with other ephemeral-ports.sed 
changes, has gone a bit too far for some tests.

We should keep the ports of ip xfrm state in mobike and a few other tests; crypto 
values are not important in mobike. That is why it is not an "ipsec look".  
Also ip xfrm state is called several times in those tests; "ipsec look" 
output would be too long and we are likely to overlook changes/regressions.

https://testing.libreswan.org/v3.28-1508-gca5c702fb3-master/ikev2-mobike-06/OUTPUT/east.console.diff

e.g. these are not important in mobike:
+	replay-window 32 flag af-unspec
+	auth-trunc hmac(sha256) 0xHASHKEY 128

This line should be there:
+	encap type espinudp sport 4500 dport EPHEMERAL addr 0.0.0.0

I have a feeling that dport EPHEMERAL is important in this test and 
shouldn't be sanitized. I will take a closer look when working on the 
sanitizer.
I will try to fix them; however, I do not want to fight with your changes.

I think somehow the ephemeral ports should be kept in mobike tests. Which 
possibly means on nic specifying NAT sports to be below 30K?
If nic has a narrow range, with 2 or 3 ports, then mobike tests should get a 
predictable port. At least that is the theory; we will see. 

Maybe revert this commit for mobike tests? 

On Fri, Jan 24, 2020 at 03:56:45PM +0000, Andrew Cagney wrote:
> New commits:
> commit 66e89c481c051c30a2ef0fe2d905702fa4344523
> Author: Andrew Cagney <cagney at gnu.org>
> Date:   Fri Jan 24 10:43:25 2020 -0500
> 
>     testing: avoid optional ip-xfrm.sed sanitizer
>     
>     Let sanitizers such as guest-ip-xfrm-state.sed deal with command
>     specific sanitization.
>     
>     Follow-up e03853f86d6deb1078a59515329ed7cbf136cfad.

PS:
[1] has iptables SNAT started assigning random ports?
https://www.mail-archive.com/swan-dev@lists.libreswan.org/msg03376.html
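The sanitizer behaviour discussed in this thread (rewrite sport/dport only when the port is ephemeral, leave 500/4500 and a narrow, predictable NAT range alone) as an added illustration; this is not libreswan's ephemeral-ports.sed and does not reproduce it. It assumes, for illustration only, that "ephemeral" means 32768 or above (the lower bound of the default Linux ip_local_port_range), so a NAT source-port range confined below that, as suggested above for the nic host, passes through the sanitizer unchanged. The ip xfrm state lines fed in at the bottom are constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the libreswan test sanitizers.
# Rewrites "sport N" / "dport N" to "sport EPHEMERAL" / "dport EPHEMERAL"
# only when N is in 32768-65535 (assumed ephemeral range). IKE/NAT-T
# ports 500 and 4500, and any NAT range pinned below 32768, are kept.

sanitize_ports() {
    # The alternation spells out 32768..65535 digit by digit so that a
    # plain sed -E regex can do the numeric comparison. The trailing group
    # stops "4500" from matching as a prefix of a longer number.
    sed -E 's/(sport|dport) (3276[89]|327[7-9][0-9]|32[89][0-9]{2}|3[3-9][0-9]{3}|[45][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])([^0-9]|$)/\1 EPHEMERAL\3/g'
}

# Constructed sample of "ip xfrm state" output: one peer behind NAT with a
# kernel-chosen source port, one with a NAT range pinned to 30000-30010.
sample_xfrm_state() {
    printf '%s\n' \
        '	encap type espinudp sport 4500 dport 40123 addr 0.0.0.0' \
        '	encap type espinudp sport 4500 dport 30005 addr 0.0.0.0' \
        '	encap type espinudp sport 65535 dport 32767 addr 0.0.0.0'
}

# Run the sanitizer over the sample and return the result on stdout.
sanitized_sample() {
    sample_xfrm_state | sanitize_ports
}

sanitized_sample
```

Expected result: the first line becomes "dport EPHEMERAL", the second line is untouched because 30005 is below the assumed ephemeral floor, and on the third line 65535 is rewritten while 32767 (one below the floor) is kept, which is the kind of boundary a test author would want to check before trusting a sanitizer with a mobike console diff.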
