[Swan-dev] nat: ikeport commit broke DDNS tests

Andrew Cagney andrew.cagney at gmail.com
Mon Sep 21 18:34:38 UTC 2020


On Mon, 21 Sep 2020 at 13:53, Paul Wouters <paul at nohats.ca> wrote:

> On Sun, 20 Sep 2020, Paul Wouters wrote:
>
> > Subject: [Swan-dev] nat: ikeport commit broke DDNS tests
>
> Fixed with commit 82ffa122d2500bb7a4
>
> That's probably a bandaid and not the best solution, but it can be
> cleaned up later when we clean up the port variables more.
>
>
There's more to this. The original commit moved:

@@ -818,14 +833,6 @@ static int extract_end(struct fd *whackfd,
    leftright, src->host_ikeport);
  dst->raw.host.ikeport = 0;
  }
- /*
- * XXX: When DST is the peer setting .host_port to PLUTO_PORT
- * (our port) is wrong.  IKE_UDP_PORT is the next best thing.
- *
- * But what if DST is THIS?  .host_port gets ignored?
- */
- dst->host_port = (dst->raw.host.ikeport ? dst->raw.host.ikeport :
IKE_UDP_PORT);
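
Review bot: After the removed dst->host_port assignment at the end of this hunk, nothing visible in extract_end() gives host_port a value any more, so any code that reads it before the relocated assignment runs sees whatever was there before. Either keep a default here or state in the commit message which call now sets host_port and that it runs before the first use.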

to:

+ /*
+ * XXX: When DST is the peer setting .host_port to PLUTO_PORT
+ * (our port) is wrong.  IKE_UDP_PORT is the next best thing.
+ *
+ * But what if DST is THIS?  .host_port gets ignored?
+ *
+ * If one end has an ikeport, the other must use ikport or nat
+ * port.
+ */
+ e->host_port = (e->raw.host.ikeport ? e->raw.host.ikeport :
+ remote_port ? NAT_IKE_UDP_PORT :
+ IKE_UDP_PORT);
+ dbg("%s host_port %d", leftright, e->host_port);
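
Review bot: The nested ternary assigning e->host_port picks NAT_IKE_UDP_PORT whenever remote_port is non-zero and this end has no ikeport, but the comment above it only says the other end "must use ikport or nat port" without giving the reason the NAT port is the right default. Please spell that reasoning out in the comment, fix the "ikport" typo, and consider writing the three cases as an if/else chain with an explicit remote_port != 0 test so the precedence is obvious. The XXX question about DST being THIS is carried over unanswered and should be resolved or tracked.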

where REMOTE_PORT is the other END's ikeport as specified in the config
file.

Putting back the original assignment means there's code using a wrong value.