[Swan-dev] binstats - connection_state() using IKEv1 only defines

Paul Wouters paul at nohats.ca
Thu Oct 22 23:51:19 UTC 2020

connection_state() is used to go over all connections, whether IKEv1 or IKEv2.

It contains:

                         if (IS_ISAKMP_ENCRYPTED(st->st_state->kind) &&
                             lc->phase1 < p1_encrypt)
                                 lc->phase1 = p1_encrypt;
                         if (IS_ISAKMP_AUTHENTICATED(st->st_state) &&
                             lc->phase1 < p1_auth)
                                 lc->phase1 = p1_auth;

However, these two IS_ISAMP_ defines only operate on IKEv1 states. This
is most certainly not what is intended.

The p1_encrypt and p1_auth states don't really make sense for IKEv2

Note this code is for the "binstats" statistics, which is really
obsoleted for "ipsec whack --globalstatus".

Should we just remove binstats support completely? I feel we should have
done this for libreswan 4.0 anyway.


More information about the Swan-dev mailing list