[Swan-dev] protoport=0/1234

Andrew Cagney andrew.cagney at gmail.com
Sat May 23 00:01:31 UTC 2020


On Fri, 22 May 2020 at 13:40, Paul Wouters <paul at nohats.ca> wrote:
>
> On Fri, 22 May 2020, Andrew Cagney wrote:
>
> > Here's the next subtle issue.  From netkey-passthrough-03:
> >
> > conn west-east-passthrough-a
> >        also=west-east
> >        leftprotoport=tcp/0
> >        rightprotoport=tcp/222
> >        type=passthrough
> >        authby=never
> >
> > First:
> >
> > tcp/0 is interpreted as:
> >       prot=tcp
> >       port=0
> >       wild=false
> > and creates a permanent connection (but with seemingly wild ports - 0-65535).
> >
> > This is subtly different to tcp/%any which is interpreted as:
> >       proto=tcp
> >       port=0
> >       wild=true
> > and creates a template connection
> >
> > Is this the intent?
>
> It's complicated.....
>
> The wildcard setting is meant for those connection configurations that
> could lead to more than one connection, and thus should be a template
> requiring instantiation. So if the 0 means "could become X in one
> connection and Y in another connection" then it should become a
> wildcard.
>
> So tcp/0 could mean multiple TCP connections to different ports, or
> it could mean one TCP connection to all ports. So tcp/%any should
> be a wildcard (port 0-65535) where tcp/0 in theory should mean only port 0.
> But I think people use both to mean the first :/
>
> This does not make much sense of course for TCP. But since this also
> maps subtypes, and subtypes might start at 0, someone could in
> theory do something like protoport=1/0 to only allow ICMP(1) with
> Echo Reply (0)
>
> Since it is relatively harmless to instantiate, it's probably better
> to over-interpret as wildcard.

... and that's what I tried.  It broke netkey-passthrough-03.
Because tcp/0 was a "wildcard", the connection was flagged as a
template, and the routing code refused to route it.

Look for "based upon policy, the connection is a template"
https://testing.libreswan.org/v3.30-746-gb530392039-master/netkey-passthrough-03/OUTPUT/west.pluto.log.gz

So I've put things back to the way they were :-/

> > Second, this hits ikev2_ts.c:
> >
> > - the TS code flip-flops between using:
> >    if (e->port == 0 || e->has_port_wildcard) {
> > and just:
> >    int end_high = end->port == 0 ? 65535 : end->port;
> > to decide if the port is really a negotiable range
> >
> > The problem I see is with permanent connections (i.e., tcp/0).  The
> > negotiated port is scribbled all over the connection's .port so the
> > magic value 0 is lost - a re-connect will be forced to use the
> > previous port value (but again perhaps that is the intent).
>
> Yeah. Possibly, we should just add some more logic here. If the protocol
> is udp or tcp, interpret as ports, if icmp, interpret 0 as subtype. But
> what to do for unknown protocol numbers?

If protoport accepts lo-hi then we don't care - just stuff the raw
port values into the relevant fields.

> Paul
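To make the three interpretations discussed above concrete, here is an added example (not libreswan's code, and not from either author) of a small protoport= parser. It keeps the proto/port/wild triple from the thread, but widens the port to an inclusive lo-hi range as suggested at the end of the reply: a bare 0 keeps the legacy "all ports, permanent connection" meaning, %any produces a wildcard template, and an explicit lo-hi is stored raw, so that something like 1/0-0 can select only ICMP type 0. The struct, function names, and the lo-hi syntax are this example's own assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative parse result, not libreswan's struct. The fields mirror the
 * proto/port/wild triple from the thread; the port is an inclusive range. */
struct protoport {
    unsigned proto;   /* IP protocol number; 0 = any protocol */
    unsigned lo, hi;  /* inclusive port (or ICMP type) range */
    bool wild;        /* true = template: port is fixed per instantiation */
};

/* Parse an unsigned decimal number from [s, s+n); reject empty, non-digit
 * or out-of-range input rather than silently truncating it. */
static bool parse_num(const char *s, size_t n, unsigned max, unsigned *out)
{
    if (n == 0 || n > 5) return false;
    unsigned v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i])) return false;
        v = v * 10 + (unsigned)(s[i] - '0');
    }
    if (v > max) return false;
    *out = v;
    return true;
}

/* Accept a few well-known names, otherwise a raw protocol number 0..255. */
static bool parse_proto(const char *s, size_t n, unsigned *proto)
{
    static const struct { const char *name; unsigned num; } names[] = {
        { "icmp", 1 }, { "tcp", 6 }, { "udp", 17 }, { "%any", 0 },
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (strlen(names[i].name) == n && strncmp(s, names[i].name, n) == 0) {
            *proto = names[i].num;
            return true;
        }
    }
    return parse_num(s, n, 255, proto);
}

/* Parse "PROTO/PORT" where PORT is one of (assumed syntax for this example):
 *   %any   -> wildcard: 0-65535, wild=true  (template connection)
 *   0      -> legacy "every port": 0-65535, wild=false (permanent connection)
 *   N      -> exactly N
 *   LO-HI  -> raw inclusive range, so "0-0" really means port/type 0
 * Returns 0 on success, -1 on a syntax or range error. */
int parse_protoport(const char *text, struct protoport *pp)
{
    const char *slash = strchr(text, '/');
    if (slash == NULL) return -1;
    if (!parse_proto(text, (size_t)(slash - text), &pp->proto)) return -1;

    const char *port = slash + 1;
    pp->wild = false;
    if (strcmp(port, "%any") == 0) {
        pp->lo = 0; pp->hi = 65535; pp->wild = true;
        return 0;
    }
    const char *dash = strchr(port, '-');
    if (dash == NULL) {
        unsigned p;
        if (!parse_num(port, strlen(port), 65535, &p)) return -1;
        /* A bare 0 keeps the legacy meaning "every port", not a template. */
        pp->lo = 0 == p ? 0 : p;
        pp->hi = 0 == p ? 65535 : p;
        return 0;
    }
    if (!parse_num(port, (size_t)(dash - port), 65535, &pp->lo)) return -1;
    if (!parse_num(dash + 1, strlen(dash + 1), 65535, &pp->hi)) return -1;
    return pp->lo <= pp->hi ? 0 : -1;
}

/* Does traffic with this protocol/port fall inside the parsed selector?
 * Protocol 0 matches anything; a wildcard entry matches every port since
 * each instantiation may settle on a different one. */
bool protoport_matches(const struct protoport *pp, unsigned proto, unsigned port)
{
    if (pp->proto != 0 && pp->proto != proto) return false;
    return port >= pp->lo && port <= pp->hi;
}

/* Convenience checks: parse text and compare against the expected triple,
 * or parse text and test one protocol/port against it. */
bool protoport_equals(const char *text, unsigned proto, unsigned lo, unsigned hi, bool wild)
{
    struct protoport pp;
    if (parse_protoport(text, &pp) != 0) return false;
    return pp.proto == proto && pp.lo == lo && pp.hi == hi && pp.wild == wild;
}

bool protoport_allows(const char *text, unsigned proto, unsigned port)
{
    struct protoport pp;
    return parse_protoport(text, &pp) == 0 && protoport_matches(&pp, proto, port);
}

int main(void)
{
    /* The two sides of the passthrough conn quoted above, plus the ICMP case. */
    const char *samples[] = { "tcp/0", "tcp/222", "tcp/%any", "1/0-0", "tcp/80-22" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct protoport pp;
        if (parse_protoport(samples[i], &pp) != 0)
            printf("%-10s -> rejected\n", samples[i]);
        else
            printf("%-10s -> proto=%u port=%u-%u wild=%s\n", samples[i],
                   pp.proto, pp.lo, pp.hi, pp.wild ? "true" : "false");
    }
    return 0;
}
```

Note that with this split, "tcp/0" and "tcp/%any" produce the same port range but differ only in the wild flag, which is exactly the template-versus-permanent distinction that tripped the routing code in netkey-passthrough-03; the raw lo-hi form is what lets a literal port or ICMP type 0 be expressed without overloading the single 0.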
