[Swan-dev] protoport don't work with klips in 3.31

Wolfgang Nothdurft wolfgang at linogate.de
Thu May 21 07:01:03 UTC 2020


On Tuesday, 19 May 2020 17:10 CEST, Paul Wouters <paul at nohats.ca> wrote:
 
> On Tue, 19 May 2020, Wolfgang Nothdurft wrote:
> 
> > Unfortunately there is another problem in the last KLIPS version 3.31, in which protoport no longer works with KLIPS.
> >
> > Unfortunately I can't find which change or which commit is responsible for it.
> 
> We have not made any changes to KLIPS for a few releases, so you should
> be able to run git bisect between 3.27 and 3.31 for just the userland 
> install and be able to determine the offending commit. You shouldn't
> need to recompile klips during such a git bisect.
> 
> > I know KLIPS should no longer be used, but since XFRMi is not yet fully usable for us and implementing it still requires a lot of effort, we have to rely on KLIPS again.
> 
> I'm sorry you haven't been able to migrate to XFRMi yet. We know there
> are some issues left (mostly with rekeying causing packets to not
> arrive) and we are looking into that. If you have other issues, it
> would be good to report those so we can fix things in parallel instead
> of one after the other. The git master tree already has KLIPS fully
> removed. The 3.31 and 3.32 were branches of 3.30 while git master
> moved on.
> 
> > So at the moment I only have the option to stay at 3.27 and possibly use the most important patches and maybe some IKEv2 fixes, or patch the KLIPS module, ignore the ports and, if necessary, use iptables to block all connections that do not match the protoport.
> 
> Unfortunately, one of the reasons for dropping KLIPS is that we don't
> have the resources to maintain it. It is a lot of work we did in the
> last decade, mostly not-funded because it's not something people
> would generally fund due to it being old/obsolete technology.
> 
> If you can do the git bisect to find the commit causing this, we can
> have a look at writing a patch for you.
> 
> Paul
> 
 
Fortunately, I managed to find the responsible change now, doing some "brute force" bisect.

commit 708a5d571e10c75718833147dae404fe3ad9b169 (refs/bisect/bad)
Author: Andrew Cagney <cagney at gnu.org>
Date:   Tue Sep 3 10:21:47 2019 -0400

    ip: replace subnet_endpoint() with subnet_prefix(), test
    
    (as in the subnet's routing prefix, but that's a little long)

My fix for klips is attached, if someone needs it.

Wolfgang
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-3.31_fix_klips_with_protoport.diff
Type: text/x-patch
Size: 695 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200521/2038605c/attachment.bin>

