[Swan-dev] protoport=0/1234

Paul Wouters paul at nohats.ca
Fri May 22 17:39:57 UTC 2020

On Fri, 22 May 2020, Andrew Cagney wrote:

> Here's the next subtle issue.  From netkey-passthrough-03:
> conn west-east-passthrough-a
>        also=west-east
>        leftprotoport=tcp/0
>        rightprotoport=tcp/222
>        type=passthrough
>        authby=never
> First:
> tcp/0 is interpreted as:
>       proto=tcp
>       port=0
>       wild=false
> and creates a permanent connection (but with seemingly wild ports - 0-65535).
> This is subtly different to tcp/%any which is interpreted as:
>       proto=tcp
>       port=0
>       wild=true
> and creates a template connection
> Is this the intent?

It's complicated.....

The wildcard setting is meant for those connection configurations that
could lead to more than one connection, and thus should be a template
requiring instantiation. So if the 0 means "could become X in one
connection and Y in another connection" then it should become a

So tcp/0 could mean multiple TCP connections to different ports, or
it could mean one TCP connection to all ports. So tcp/%any should
be a wildcard (port 0-65535) where tcp/0 in theory should mean only port 0.
But I think people use both to mean the first :/

This does not make much sense of course for TCP. But since this also
maps subtypes, and subtypes might start at 0, someone could in
theory do something like protoport=1/0 to only allow ICMP(1) with
Echo Reply (0).

Since it is relatively harmless to instantiate, it's probably better
to over-interpret as wildcard.

> Second, this hits ikev2_ts.c:
> - the TS code flip-flops between using:
>    if (e->port == 0 || e->has_port_wildcard) {
> and just:
>    int end_high = end->port == 0 ? 65535 : end->port;
> to decide if the port is really a negotiable range
> The problem I see is with permanent connections (i.e., tcp/0).  The
> negotiated port is scribbled all over the connection's .port so the
> magic value 0 is lost - a re-connect will be forced to use the
> previous port value (but again perhaps that is the intent).

Yeah. Possibly, we should just add some more logic here. If the protocol
is udp or tcp, interpret as ports, if icmp, interpret 0 as subtype. But
what to do for unknown protocol numbers?
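As an added illustration of the interpretation rules debated above (hypothetical example code, not libreswan's own protoport parser or the ikev2_ts.c logic): this small model parses a "proto/port" string, keeps the %any wildcard flag separate from a literal 0, and classifies the result the way the thread suggests: port 0 on TCP/UDP is over-interpreted as a wildcard (template), 0 on ICMP is a real type (Echo Reply), and 0 on any other protocol number is flagged ambiguous rather than guessed. The traffic-selector range is then derived from that classification instead of from "port == 0", and instantiation returns a copy so the configured template is never overwritten by the negotiated port. The protocol-name table is an assumption covering only the names mentioned in the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a protoport end; not libreswan's struct. */
enum port_kind {
    PORT_FIXED,      /* exactly one port (or ICMP type): permanent connection */
    PORT_WILDCARD,   /* 0-65535: template that must be instantiated */
    PORT_AMBIGUOUS   /* literal 0 on a protocol where the meaning is unknown */
};

struct protoport {
    unsigned proto;          /* IP protocol number, 0 = any */
    unsigned port;           /* port, or ICMP type when proto is 1 or 58 */
    bool has_port_wildcard;  /* port was written as %any */
    enum port_kind kind;
};

/* Assumption: only the protocol names used in the thread; others are numeric. */
static int lookup_proto(const char *s)
{
    if (strcmp(s, "tcp") == 0) return 6;
    if (strcmp(s, "udp") == 0) return 17;
    if (strcmp(s, "icmp") == 0) return 1;
    if (strcmp(s, "ipv6-icmp") == 0) return 58;
    if (strcmp(s, "%any") == 0) return 0;
    char *end;
    long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || v < 0 || v > 255) return -1;
    return (int)v;
}

/* The decision discussed in the thread: what does a literal 0 mean? */
static enum port_kind classify(unsigned proto, unsigned port, bool wild)
{
    if (wild) return PORT_WILDCARD;       /* tcp/%any: template */
    if (port != 0) return PORT_FIXED;     /* tcp/222: permanent */
    switch (proto) {
    case 0: case 6: case 17:              /* any, TCP, UDP: 0 means all ports */
        return PORT_WILDCARD;
    case 1: case 58:                      /* ICMP: 0 is a real type (Echo Reply) */
        return PORT_FIXED;
    default:                              /* unknown protocol: do not guess */
        return PORT_AMBIGUOUS;
    }
}

/* Parse "proto/port"; returns false on a syntax or range error. */
bool parse_protoport(const char *spec, struct protoport *out)
{
    char buf[64];
    if (strlen(spec) >= sizeof buf) return false;
    strcpy(buf, spec);
    char *slash = strchr(buf, '/');
    if (slash == NULL) return false;
    *slash = '\0';
    const char *port_s = slash + 1;
    int proto = lookup_proto(buf);
    if (proto < 0) return false;
    memset(out, 0, sizeof *out);
    out->proto = (unsigned)proto;
    if (strcmp(port_s, "%any") == 0) {
        out->has_port_wildcard = true;
    } else {
        char *end;
        long v = strtol(port_s, &end, 10);
        if (*port_s == '\0' || *end != '\0' || v < 0 || v > 65535) return false;
        out->port = (unsigned)v;
    }
    out->kind = classify(out->proto, out->port, out->has_port_wildcard);
    return true;
}

/* TS port range from the classification, not from "port == 0". Ambiguous
 * specs are treated as wildcards since instantiating is relatively harmless. */
void ts_port_range(const struct protoport *pp, unsigned *lo, unsigned *hi)
{
    if (pp->kind == PORT_FIXED) { *lo = *hi = pp->port; }
    else { *lo = 0; *hi = 65535; }
}

/* Instantiate a template with the negotiated port. Returns a copy so the
 * configured end keeps its 0/%any and a reconnect starts from the wildcard. */
struct protoport instantiate(const struct protoport *tmpl, unsigned negotiated)
{
    struct protoport inst = *tmpl;
    inst.port = negotiated;
    inst.has_port_wildcard = false;
    inst.kind = PORT_FIXED;
    return inst;
}

/* Convenience wrappers: classification and TS upper bound for a spec string. */
int kind_of(const char *spec)
{
    struct protoport pp;
    return parse_protoport(spec, &pp) ? (int)pp.kind : -1;
}

int ts_hi_of(const char *spec)
{
    struct protoport pp;
    unsigned lo, hi;
    if (!parse_protoport(spec, &pp)) return -1;
    ts_port_range(&pp, &lo, &hi);
    return (int)hi;
}

int main(void)
{
    /* Constructed sample specs, including the cases from the thread. */
    const char *specs[] = { "tcp/0", "tcp/%any", "tcp/222", "1/0", "icmp/8", "47/0" };
    static const char *names[] = { "fixed", "wildcard", "ambiguous" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        struct protoport pp;
        unsigned lo, hi;
        if (!parse_protoport(specs[i], &pp)) {
            printf("%-9s syntax error\n", specs[i]);
            continue;
        }
        ts_port_range(&pp, &lo, &hi);
        printf("%-9s proto=%u port=%u wild=%d -> %s, TS ports %u-%u\n",
               specs[i], pp.proto, pp.port, pp.has_port_wildcard,
               names[pp.kind], lo, hi);
    }
    return 0;
}
```

The ambiguous bucket is the point: a caller can log or reject "47/0" explicitly instead of silently picking one of the two readings, which is the open question at the end of the thread.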
