[Swan-dev] when is ttosubnet(addr/mask:port) valid?

Paul Wouters paul at nohats.ca
Sun Jan 3 17:34:36 UTC 2021

On Thu, 31 Dec 2020, Andrew Cagney wrote:

> One of the quirks of ttosubnet() is that it will parse:

I do not know of any place where this is considered a valid value?

>  {left,right}subnet=... as ttosubnet() and one_subnet_from_string()
>  --client <subnet>
>    if anything these are selectors and could allow a port; but
> perhaps only protoport= is ever used?

I don't think it should be allows there.

> virtual-private= aka virtual_ip.c:read_subnet()
>  maybe?

That was only to limit CIDR's from being allowed/disallowed, nothing
more granular.

> read_foodgroup() (the policies files)
>   perhaps

OE uses this syntax for protoport specific selectors in /etc/ipsec.d/policies: tcp 0 22

So I don't think there is any reason for ttosubnet() to allow CIDR:num


More information about the Swan-dev mailing list