[Swan-dev] protoport=0/1234
Andrew Cagney
andrew.cagney at gmail.com
Fri May 22 16:57:07 UTC 2020
Here's the next subtle issue. From netkey-passthrough-03:
conn west-east-passthrough-a
also=west-east
leftprotoport=tcp/0
rightprotoport=tcp/222
type=passthrough
authby=never
First:
tcp/0 is interpreted as:
proto=tcp
port=0
wild=false
and creates a permanent connection (but with seemingly wild ports - 0-65535).
This is subtly different to tcp/%any which is interpreted as:
proto=tcp
port=0
wild=true
and creates a template connection
Is this the intent?
Second, this hits ikev2_ts.c:
- the TS code flip-flops between using:
if (e->port == 0 || e->has_port_wildcard) {
and just:
int end_high = end->port == 0 ? 65535 : end->port;
to decide if the port is really a negotiable range
The problem I see is with permanent connections (i.e., tcp/0). The
negotiated port is scribbled all over the connection's .port so the
magic value 0 is lost - a re-connect will be forced to use the
previous port value (but again perhaps that is the intent).
On Wed, 20 May 2020 at 12:56, Paul Wouters <paul at nohats.ca> wrote:
>
> On May 20, 2020, at 11:55, Tuomo Soini <tis at foobar.fi> wrote:
> >
> > On Wed, 20 May 2020 11:03:57 -0400 (EDT)
> > Paul Wouters <paul at nohats.ca> wrote:
> >
> >> reject connections with protoport=0/non-zero
> >
> > I think that is best choice.
>
> Done
>
> Paul
>
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
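Added example (not code from the message above or from libreswan): a small C model of the behaviour Andrew describes, written for this page. It parses a protoport value into the (proto, port, has_port_wildcard) triple the message uses, applies the rejection Paul landed (protocol 0 with a non-zero port), places the two ikev2_ts.c tests side by side, and then writes a "negotiated" port over .port to show how the two tests diverge once the magic 0 is lost. The parsing rules, return codes and the functions checks_before/checks_after_negotiation are assumptions for illustration, not libreswan's API.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of one protoport= value.  Field names follow the message
 * (port, has_port_wildcard); the parsing rules here are an assumption,
 * not libreswan's parser. */
struct protoport {
    int proto;               /* 0 = any, 6 = tcp, 17 = udp */
    int port;                /* 0 = unspecified (all ports) or wildcard */
    bool has_port_wildcard;  /* set only by "%any" */
};

static int parse_proto(const char *s)
{
    if (strcmp(s, "tcp") == 0) return 6;
    if (strcmp(s, "udp") == 0) return 17;
    char *end;
    long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || v < 0 || v > 255) return -1;
    return (int)v;
}

/* Parse "PROTO/PORT".  Returns 0 on success, -1 on a syntax error and
 * -2 for the combination the thread agreed to reject: protocol 0 ("any")
 * with a non-zero port.  out may be NULL when only the verdict matters. */
int parse_protoport(const char *spec, struct protoport *out)
{
    char buf[64];
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    char *slash = strchr(buf, '/');
    if (slash == NULL) return -1;
    *slash = '\0';
    const char *port_s = slash + 1;

    struct protoport pp = { .proto = parse_proto(buf), .port = 0, .has_port_wildcard = false };
    if (pp.proto < 0) return -1;

    if (strcmp(port_s, "%any") == 0) {
        pp.has_port_wildcard = true;   /* tcp/%any: template connection */
    } else {
        char *end;
        long v = strtol(port_s, &end, 10);
        if (*port_s == '\0' || *end != '\0' || v < 0 || v > 65535) return -1;
        pp.port = (int)v;              /* tcp/0: permanent, port 0 but NOT a wildcard */
    }
    if (pp.proto == 0 && pp.port != 0) return -2;   /* e.g. 0/1234: rejected */
    if (out != NULL) *out = pp;
    return 0;
}

/* The two tests the message quotes from ikev2_ts.c, side by side. */
static bool negotiable_a(const struct protoport *e)
{
    return e->port == 0 || e->has_port_wildcard;
}

static bool negotiable_b(const struct protoport *e)
{
    int end_low  = e->port == 0 ? 0 : e->port;
    int end_high = e->port == 0 ? 65535 : e->port;
    return end_low != end_high;
}

/* Bit 0: test (a) sees a negotiable range; bit 1: test (b) does.
 * Returns -1 if spec does not parse. */
int checks_before(const char *spec)
{
    struct protoport e;
    if (parse_protoport(spec, &e) != 0) return -1;
    return (negotiable_a(&e) ? 1 : 0) | (negotiable_b(&e) ? 2 : 0);
}

/* Same, after a negotiated port has been written over .port, which is
 * what the message describes happening to a permanent connection. */
int checks_after_negotiation(const char *spec, int negotiated)
{
    struct protoport e;
    if (parse_protoport(spec, &e) != 0) return -1;
    e.port = negotiated;   /* the magic 0 is gone; only the wildcard flag survives */
    return (negotiable_a(&e) ? 1 : 0) | (negotiable_b(&e) ? 2 : 0);
}

int main(void)
{
    /* Constructed sample specs, including the two from the message. */
    const char *specs[] = { "tcp/0", "tcp/%any", "tcp/222", "0/1234" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        printf("%-9s parse=%d before=%d after(222)=%d\n", specs[i],
               parse_protoport(specs[i], NULL), checks_before(specs[i]),
               checks_after_negotiation(specs[i], 222));
    }
    return 0;
}
```

Before negotiation both tests agree for tcp/0 and tcp/%any (both see a full range). After port 222 is scribbled into .port, tcp/0 fails both tests, while tcp/%any still passes test (a) but fails test (b): the wildcard flag preserves the intent that the port field alone cannot, which is the flip-flop the message points at.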