[Swan-dev] leftikeport= does not set tcp port

Andrew Cagney andrew.cagney at gmail.com
Thu Sep 24 14:35:24 UTC 2020 

I pushed:

commit d106052012c6a7b7a5d65e25e9c9fe0c32e34c1d (HEAD -> main, origin/main,
origin/HEAD)
Author: Andrew Cagney <cagney at gnu.org>
Date:   Wed Sep 23 19:36:49 2020 -0400

    connections: call update_ends_from_this_host_addr() from
connection_check_ddns1()

    Replace "a small bit of code from default_end to fixup the end point".
    Except, once .host_port code is included, there are now three small
    bits of code.  Hmm, enemy action.

    A likely reason for not using default_end() was that, instead of
    propagating the updated [remote] .host_addr into the peer's [local]
    .host_nexthop, it did the reverse.  update_ends_from_this_host_addr(),
    which replaced default_end(), reversing this polarity.

    Remove (again) code updating .host_port in extract_end() - it doesn't
    have complete information, and ends up setting the port on the %any
    address.



On Wed, 16 Sep 2020 at 10:33, Andrew Cagney <andrew.cagney at gmail.com> wrote:

> Yea, here's the relevant code (the encap comment is out-of-date):
>
> static bool orient_new_iface_port(struct connection *c, struct fd
> *whackfd, bool this)
>         /*
>          * assume UDP for now
>          *
>          * A custom IKEPORT should not float away to port 4500.  For
>          * now leave ADD_IKE_ENCAPSULATION_PREFIX clear so it can talk
>          * to port 500.  Perhaps it doesn't belong in iface?
>          */
>         struct iface_port *ifp = bind_iface_port(dev, &udp_iface_io,
>
>  ip_hport(end->raw.host.ikeport),
>
>  true/*esp_encapsulation_enabled*/,
>
>  false/*float_nat_initiator*/);
>
> Here are some random thoughts:
>
> I  think {left,right}tcpport would be a better name than
> {left,right}tcpikeport - all traffic, not just ike, will flow through it.
> However, for the sake of consistency, we'll want to have:
>     lefttcpport=100
>     righttcpport=2000
> open a tcp connection between LEFT:100 to RIGHT:2000.  This could be a
> good thing?
>
> I've a hunch that overloading {left,right}ikeport will come back to haunt
> us.  In addition to the above consistency, I suspect it will cause problems
> with configurations such as:
>   - UDP only on a custom port (not 500 and not 4500)
>   - TCP only on a custom port (not 4500)
> (mumble something about {left,right}udpport).
>
> Does listen-tcp=yes|no and listen-udp=yes|no only disable the default port?
>
> Adding tcp-localport might be quickest.  OTOH the udp equivalent was only
> just deleted.
>
>
> On Wed, 16 Sep 2020 at 09:02, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Wed, 16 Sep 2020, Andrew Cagney wrote:
>>
>> > There is {left,right}ikeport?
>>
>> Yes, but it does not seem to affect TCP :)
>>
>> Paul
>>
>> > On Tue, 15 Sep 2020 at 22:48, Paul Wouters <paul at nohats.ca> wrote:
>> >
>> >       Some changes were made a while ago to the TCP port handling. You
>> no
>> >       longer specify a port in 'config setup'. Instead there is
>> >       listen-tcp=yes|no and listen-udp=yes|no
>> >
>> >       For UDP, you can set custom ikeport's using leftikeport= and
>> >       rightikeport.
>> >
>> >       For TCP, you can set the port to connect to using tcp-remoteport=
>> >
>> >       But for the responder/server, we have no way now to specify a
>> >       non-default TCP port. Current default is 4500.
>> >
>> >       Should leftikeport/rightikeport be changed to also set the TCP
>> >       port? Or should we introduce a lefttcpikeport= and
>> righttcpikeport= ?
>> >
>> >       Or should we add a config setup tcp-ports= option that defaults
>> to 4500
>> >       but can be set to like 4500,443 ?
>> >
>> >       Note that we currently do not bind connections to ports. The
>> connections
>> >       might open the specific port, but than any connection can use it.
>> So
>> >       perhaps tcp-ports= is the easiest and cleanest solution ?
>> >
>> >       Paul
>> >       _______________________________________________
>> >       Swan-dev mailing list
>> >       Swan-dev at lists.libreswan.org
>> >       https://lists.libreswan.org/mailman/listinfo/swan-dev
>> >
>> >
>> >
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200924/6be1cbc3/attachment.html>

More information about the Swan-dev mailing list