[Swan-dev] protoport don't work with klips in 3.31

Paul Wouters paul at nohats.ca
Tue May 19 15:10:35 UTC 2020


On Tue, 19 May 2020, Wolfgang Nothdurft wrote:

> Unfortunately there is another problem in the last KLIPS version 3.31, in which protoport no longer works with KLIPS.
>
> Unfortunately I can't find which change or which commit is responsible for it.

We have not made any changes to KLIPS for a few releases, so you should
be able to run git bisect between 3.27 and 3.31 for just the userland 
install and be able to determine the offending commit. You shouldn't
need to recompile klips during such a git bisect.

> I know KLIPS should no longer be used, but since XFRMi is not yet fully usable for us and implementing it still requires a lot of effort, we have to rely on KLIPS again.

I'm sorry you haven't been able to migrate to XFRMi yet. We know there
are some issues left (mostly with rekeying causing packets to not
arrive) and we are looking into that. If you have other issues, it
would be good to report those so we can fix things in parallel instead
of one after the other. The git master tree already has KLIPS fully
removed. The 3.31 and 3.32 were branches of 3.30 while git master
moved on.

> So at the moment I only have the option to stay at 3.27 and possibly use the most important patches and maybe some ikev2 fixes, or patch the KLIPS module, ignore the ports and if necessary, use iptables to block all connections that do not match the protoport.

Unfortunately, one of the reasons for dropping KLIPS is that we don't
have the resources to maintain it. It is a lot of work we did in the
last decade, mostly not-funded because it's not something people
would generally fund due to it being old/obsolete technology.

If you can do the git bisect to find the commit causing this, we can
have a look at writing a patch for you.

Paul

