[Swan-dev] leftikeport= does not set tcp port
Andrew Cagney
andrew.cagney at gmail.com
Wed Sep 16 14:33:48 UTC 2020
Yea, here's the relevant code (the encap comment is out-of-date):
static bool orient_new_iface_port(struct connection *c, struct fd *whackfd,
bool this)
/*
* assume UDP for now
*
* A custom IKEPORT should not float away to port 4500. For
* now leave ADD_IKE_ENCAPSULATION_PREFIX clear so it can talk
* to port 500. Perhaps it doesn't belong in iface?
*/
struct iface_port *ifp = bind_iface_port(dev, &udp_iface_io,
ip_hport(end->raw.host.ikeport),
true/*esp_encapsulation_enabled*/,
false/*float_nat_initiator*/);
Here are some random thoughts:
I think {left,right}tcpport would be a better name than
{left,right}tcpikeport - all traffic, not just ike, will flow through it.
However, for the sake of consistency, we'll want to have:
lefttcpport=100
righttcpport=2000
open a tcp connection between LEFT:100 to RIGHT:2000. This could be a good
thing?
I've a hunch that overloading {left,right}ikeport will come back to haunt
us. In addition to the above consistency, I suspect it will cause problems
with configurations such as:
- UDP only on a custom port (not 500 and not 4500)
- TCP only on a custom port (not 4500)
(mumble something about {left,right}udpport).
Does listen-tcp=yes|no and listen-udp=yes|no only disable the default port?
Adding tcp-localport might be quickest. OTOH the udp equivalent was only
just deleted.
On Wed, 16 Sep 2020 at 09:02, Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 16 Sep 2020, Andrew Cagney wrote:
>
> > There is {left,right}ikeport?
>
> Yes, but it does not seem to affect TCP :)
>
> Paul
>
> > On Tue, 15 Sep 2020 at 22:48, Paul Wouters <paul at nohats.ca> wrote:
> >
> > Some changes were made a while ago to the TCP port handling. You no
> > longer specify a port in 'config setup'. Instead there is
> > listen-tcp=yes|no and listen-udp=yes|no
> >
> > For UDP, you can set custom ikeport's using leftikeport= and
> > rightikeport.
> >
> > For TCP, you can set the port to connect to using tcp-remoteport=
> >
> > But for the responder/server, we have no way now to specify a
> > non-default TCP port. Current default is 4500.
> >
> > Should leftikeport/rightikeport be changed to also set the TCP
> > port? Or should we introduce a lefttcpikeport= and
> righttcpikeport= ?
> >
> > Or should we add a config setup tcp-ports= option that defaults to
> 4500
> > but can be set to like 4500,443 ?
> >
> > Note that we currently do not bind connections to ports. The
> connections
> > might open the specific port, but than any connection can use it.
> So
> > perhaps tcp-ports= is the easiest and cleanest solution ?
> >
> > Paul
> > _______________________________________________
> > Swan-dev mailing list
> > Swan-dev at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan-dev
> >
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200916/7609d409/attachment.html>
More information about the Swan-dev
mailing list