[Swan-dev] ikev1-hostpair-01 and c->prio

Paul Wouters paul at nohats.ca
Fri Sep 25 00:56:36 UTC 2020


On Thu, 24 Sep 2020, Andrew Cagney wrote:

> -> the config file has right[host]=%any
> -> update_ends_from_this_host_addr() (nee default_end()) sees this and does nothing (right.end.client.maskbits==0)
> (before it would think %any was valid and set .end.client to %any/32 -> right.end.client.maskbits==32; oops)
> - set_policy_prio() computes c->prio using right.end.client.maskbits, hence 32,32(old) or 32,0(new)

Ahh. But conn_prio shouldn't be just maskbits?

> -> when that.host_addr=%any, I think the new priority is correct
> for instance, the narrower 1.2.0.0/16 now has higher priority than %any

Right.

> -> however, I suspect, when .host_addr is changed (ex, ddns), c->prio should be re-computed

But that should be the same weight regardless of the IP address? Only the
subnets really change the weight calculation? But I guess if we have
policies that are a /32, those should match before a 0/0 policy.

> The other possibility is that the change is too aggressive and update_ends_from_this_host_addr() should selectively
> update fields (for instance, when %any, skip .host_port and skip that.host_nexthop)

I thought the conn prio only changed based on the IPsec policy,
so ports only come into play with leftprotoport=, and the host_port is
completely unrelated to that?

Paul
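The maskbits effect discussed above, as an added worked example that is not part of the thread and not pluto's own code. It models one end of a connection with a hypothetical `struct end_model`, a hypothetical `effective_maskbits()` standing in for the default-client behaviour of update_ends_from_this_host_addr()/default_end() before and after the change (%any/32 versus untouched 0/0), and an assumed `policy_prio()` that simply sums both ends' prefix lengths so that narrower policies outrank wider ones; the real set_policy_prio() weighting is not reproduced here, and ports are left out of the model. The scenario compares a right=%any connection against one with rightsubnet=1.2.0.0/16, and then shows what happens to the computed prio in this model when a %any host later becomes a concrete address without an explicit client subnet.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified model of one end of a connection (not pluto's
 * struct end): whether the host address is %any, whether an explicit client
 * subnet (e.g. rightsubnet=) was configured, and that subnet's prefix length. */
struct end_model {
    bool host_is_any;
    bool has_client;
    unsigned client_maskbits;
};

/* Models update_ends_from_this_host_addr() / default_end(): when no client
 * subnet is configured, the client defaults to host/32.  The old code did this
 * even for %any (giving %any/32, maskbits 32); the fixed code leaves the client
 * untouched for %any, so maskbits stays 0.  Assumed behaviour, per the thread. */
static unsigned effective_maskbits(const struct end_model *e, bool fixed)
{
    if (e->has_client)
        return e->client_maskbits;
    if (e->host_is_any)
        return fixed ? 0 : 32;
    return 32;
}

/* Assumed priority: the sum of both ends' prefix lengths, so a narrower
 * policy outranks a wider one.  This is a hypothetical weighting, not
 * pluto's set_policy_prio(). */
static unsigned policy_prio(const struct end_model *left,
                            const struct end_model *right, bool fixed)
{
    return effective_maskbits(left, fixed) + effective_maskbits(right, fixed);
}

/* Returns 1 if prio a outranks b, -1 if b outranks a, 0 on a tie. */
static int compare_prio(unsigned a, unsigned b)
{
    return a > b ? 1 : (a < b ? -1 : 0);
}

/* Scenario from the thread: conn_any has right=%any with no subnet; conn_16
 * has a concrete right host with rightsubnet=1.2.0.0/16.  Both share a left
 * end with a /24 client.  Returns the sign of prio(conn_any) vs prio(conn_16). */
static int any_versus_slash16(bool fixed)
{
    const struct end_model left = { false, true, 24 };
    const struct end_model right_any = { true, false, 0 };
    const struct end_model right_16 = { false, true, 16 };
    return compare_prio(policy_prio(&left, &right_any, fixed),
                        policy_prio(&left, &right_16, fixed));
}

/* Effect of the host address changing later (e.g. DDNS turning %any into a
 * concrete address) on an end without an explicit client: with the fixed
 * default, maskbits goes 0 -> 32, so a prio computed earlier would be stale. */
static bool prio_changes_when_host_resolves(void)
{
    const struct end_model left = { false, true, 24 };
    struct end_model right = { true, false, 0 };
    unsigned before = policy_prio(&left, &right, true);
    right.host_is_any = false;   /* address now known */
    unsigned after = policy_prio(&left, &right, true);
    return before != after;
}

int main(void)
{
    printf("old code : %%any vs /16 -> %d (1 means %%any wins)\n",
           any_versus_slash16(false));
    printf("fixed    : %%any vs /16 -> %d (-1 means /16 wins)\n",
           any_versus_slash16(true));
    printf("prio changes when %%any host resolves: %s\n",
           prio_changes_when_host_resolves() ? "yes" : "no");
    return 0;
}
```

With the old %any/32 default the %any connection scores 24+32 and beats the /16 connection's 24+16; with the fixed 0/0 default it scores 24+0 and loses to it, which is the ordering the thread calls correct. In this model the prio of a %any end does change once the host address is known, purely because the defaulted client subnet is derived from the host address.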

