[Swan-dev] whack [-oppotproto <protocol>]

Paul Wouters paul at nohats.ca
Wed Feb 10 15:54:33 UTC 2021


On Wed, 10 Feb 2021, Andrew Cagney wrote:

>> opphere/oppothere are 25 years old. oppoproto/oppodport just a few
>> years. You match destination port and protocol, not source port, because
>> well, source ports for that tend to be ephemeral. And we don't have OE
>> support for that because basically all those single port outgoing
>> connections, don't really care about source port.
>
> The command should be injecting the exact same information that we'd
> otherwise get from the kernel but because it doesn't ...

That is true. The reason it did not is that KLIPS wouldn't give you
that. You only got source / dest IP in its "acquire" message. So
the input was the same. Then came XFRM and it gave us full details,
and we tried to ignore the ones we didn't use in our KLIPS way of
things. And now we are trying to leverage it in greater details with
protoport support (and soon reqid support)

> cards.  I'm pretty sure that the above can be reduced to:
>
>    if (!routed(sr->routing) ||
>        !endpoint_in_selector(local_client, sr->this.client)) continue
>        !endpoint_in_selector(remote_client, sr->that.client)) continue
>
> but this is only true if the whack command does its job and emulates the kernel.
>
> I'm not seeing any reason to not change this.

Ok, you convinced me :)

>> What _does_ need fixing, which might help reduce your problem, is that
>> we should use the reqid in the ACQUIRE to match packets to inserted
>> policies to connections. So each static conn, when ondemand triggers,
>> you already know based on reqid which connection to match this to.
>
> Different horses.

Yes.

> Between:
> - kernel notifies us of a packet
> - an outgoing opportunistic connection gets instantiated
> there's this huge black box I'm trying to ignore.
>
> My interest is focused on cleaning up silliness such as:
> -               tmp_ip = c->spd.that.host_addr;
> -               tmp_ip.version = c->spd.that.host_addr.version;
> -               tmp_ip.hport = c->spd.that.host_addr.hport;

With KLIPS gone, that can be done. Although for source port a default of
0 meaning "any" should be fine?

Paul
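As an added illustration of the reduced check discussed above (this is example code, not libreswan's own; the names `struct spd_route`, `endpoint_in_selector`, `find_spd_for_acquire` and `demo_match` are hypothetical stand-ins, and the table of SPD entries and the ACQUIRE flows are constructed): match the local/remote address, protocol and port from an ACQUIRE against each routed SPD entry, treating a selector port or protocol of 0 as "any" so that the local (ephemeral) source port never has to be pinned while the remote destination port is.

```c
/*
 * Added example, not libreswan code: emulate the reduced SPD match
 *
 *   if (!routed(sr->routing) ||
 *       !endpoint_in_selector(local_client, sr->this.client) ||
 *       !endpoint_in_selector(remote_client, sr->that.client)) continue;
 *
 * over a constructed table, with protocol/port 0 in a selector meaning
 * "any".  All identifiers here are hypothetical stand-ins.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* A traffic selector: subnet plus protocol and port, where 0 means "any". */
struct selector {
    uint32_t net;        /* IPv4 network address, host byte order */
    unsigned prefix_len; /* 0..32 */
    unsigned proto;      /* 0 = any, otherwise IP protocol number */
    uint16_t port;       /* 0 = any, otherwise exact port */
};

/* One side of the flow as a kernel ACQUIRE would describe it. */
struct endpoint {
    uint32_t addr;
    unsigned proto;
    uint16_t port;
};

/* Hypothetical SPD entry: routing state plus local/remote selectors. */
struct spd_route {
    const char *name;
    bool routed;                 /* stand-in for routed(sr->routing) */
    struct selector this_client; /* local side */
    struct selector that_client; /* remote side */
};

static uint32_t prefix_mask(unsigned prefix_len)
{
    return prefix_len == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix_len));
}

/* True when the endpoint's address lies in the selector's subnet and its
 * protocol and port match, with 0 in the selector accepting anything. */
bool endpoint_in_selector(const struct endpoint *e, const struct selector *s)
{
    uint32_t mask = prefix_mask(s->prefix_len);
    if ((e->addr & mask) != (s->net & mask))
        return false;
    if (s->proto != 0 && s->proto != e->proto)
        return false;
    if (s->port != 0 && s->port != e->port)
        return false;
    return true;
}

/* First routed entry whose selectors cover both ends of the ACQUIRE. */
const struct spd_route *find_spd_for_acquire(const struct spd_route *table, size_t n,
                                             const struct endpoint *local,
                                             const struct endpoint *remote)
{
    for (size_t i = 0; i < n; i++) {
        const struct spd_route *sr = &table[i];
        if (!sr->routed ||
            !endpoint_in_selector(local, &sr->this_client) ||
            !endpoint_in_selector(remote, &sr->that_client))
            continue;
        return sr;
    }
    return NULL;
}

/* Constructed table: local source port left at 0 ("any") everywhere,
 * remote destination port pinned where the connection cares about it. */
static const struct spd_route demo_table[] = {
    { "https-to-dmz", true,
      { IPV4(10, 0, 0, 0), 8, 6, 0 },
      { IPV4(192, 0, 2, 0), 24, 6, 443 } },
    { "ssh-to-dmz-unrouted", false,      /* matching selectors, but not routed */
      { IPV4(10, 0, 0, 0), 8, 6, 0 },
      { IPV4(192, 0, 2, 0), 24, 6, 22 } },
    { "catch-all", true,
      { IPV4(0, 0, 0, 0), 0, 0, 0 },
      { IPV4(0, 0, 0, 0), 0, 0, 0 } },
};

/* Look up a constructed ACQUIRE; returns the matched entry's name or NULL. */
const char *demo_match(uint32_t laddr, uint16_t lport, uint32_t raddr, uint16_t rport,
                       unsigned proto)
{
    struct endpoint local = { laddr, proto, lport };
    struct endpoint remote = { raddr, proto, rport };
    const struct spd_route *sr = find_spd_for_acquire(
        demo_table, sizeof demo_table / sizeof demo_table[0], &local, &remote);
    return sr ? sr->name : NULL;
}

int main(void)
{
    /* ephemeral source port 51234 is ignored; dport 443/tcp selects the first entry */
    printf("%s\n", demo_match(IPV4(10, 1, 2, 3), 51234, IPV4(192, 0, 2, 10), 443, 6));
    /* the ssh entry is skipped because it is not routed, so the catch-all wins */
    printf("%s\n", demo_match(IPV4(10, 1, 2, 3), 51234, IPV4(192, 0, 2, 10), 22, 6));
    /* udp/443 does not match the tcp selector and also falls through */
    printf("%s\n", demo_match(IPV4(10, 1, 2, 3), 51234, IPV4(192, 0, 2, 10), 443, 17));
    return 0;
}
```

The second lookup shows why the `routed()` test has to stay in the loop: the unrouted entry's selectors would otherwise cover the flow, and the ACQUIRE would be attributed to a connection the kernel never installed policy for.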
