[Swan-dev] "ip: add .any_port to ip_protoport, seems tcp/0 and tcp/%any are subtly"

Andrew Cagney andrew.cagney at gmail.com
Sun May 24 19:43:39 UTC 2020


There are two things kicking around - what range of ports is
acceptable and what is allowed when there isn't an exact match.

%any - narrow to single port in range 0-65536 so a single port is ok,
but anything else gets chopped to something random
0 - don't narrow, must be 0-65535?
%narrow - 0-65535 but can be less?

presumably addresses have the same problem.

On Sun, 24 May 2020 at 12:19, Paul Wouters <paul at nohats.ca> wrote:
>
> On Sun, 24 May 2020, Tuomo Soini wrote:
>
> > On Fri, 22 May 2020 14:00:54 -0400 (EDT)
> > Paul Wouters <paul at nohats.ca> wrote:
> >
> >>>    ip: add .any_port to ip_protoport, seems tcp/0 and tcp/%any are
> >>> subtly different
> >>
> >> Warning. A connection containing %any (I think even in protoports=)
> >> become a template and therefore cannot initiate. That's a limit in
> >> our implementation. I think most of the tcp/0 is really a "tcp/%any but
> >> we need to be able to initiate" workaround.
> >
> > tcp/%any means any single port proposed by remote.
>
> Ah that is true actually. But how does the initiator say the same thing?
> It cannot use %any because the connection would not be able to initiate
> as it would become a template. I guess we might only support using an
> ephemeral port in the responder, and assume the initiator always uses
> a static port?
>
> Paul
>
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
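As an added illustration, not libreswan's own code: a small Python model of the three candidate port semantics listed in the message above (%any, 0, %narrow) plus a fixed port, applied to the port range a peer proposes. Treating a wider-than-single-port proposal under %any as unacceptable (rather than "chopped to something random") and narrowing a fixed port out of a wider proposal are assumptions of this model.

```python
# Model of the protoport semantics discussed in the thread (assumed, not
# libreswan's implementation). Ranges are inclusive (lo, hi) tuples.
from typing import Optional, Tuple, Union

PortRange = Tuple[int, int]
FULL_RANGE: PortRange = (0, 65535)


def parse_local_port(spec: str) -> Union[str, int]:
    """Return '%any', '%narrow', or an int in 0..65535 for a local port spec."""
    if spec in ("%any", "%narrow"):
        return spec
    port = int(spec)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def narrow_port(local: str, proposed: PortRange) -> Optional[PortRange]:
    """Apply the candidate semantics to a proposed remote port range.

    '%any'    : accept only a single proposed port (the thread notes the real
                code chops anything wider to something random; the model
                rejects it instead, an assumption).
    '0'       : don't narrow; the proposal must be the full 0-65535 range.
    '%narrow' : accept the full range or any sub-range inside it.
    N         : fixed port; accepted if the proposal contains N, narrowed to
                (N, N) (assumption of the model).
    Returns the agreed range, or None when the proposal is unacceptable.
    """
    lo, hi = proposed
    if not (0 <= lo <= hi <= 65535):
        return None  # malformed proposal
    spec = parse_local_port(local)
    if spec == "%any":
        return proposed if lo == hi else None
    if spec == "%narrow":
        return proposed
    if spec == 0:
        return proposed if proposed == FULL_RANGE else None
    # fixed port: narrow a containing proposal down to that single port
    return (spec, spec) if lo <= spec <= hi else None
```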