[Swan-dev] Finding connections with %any fails due to only searching hostpair

Paul Wouters paul at nohats.ca
Wed Mar 17 03:19:27 UTC 2021


I've looked again at this bug: https://bugs.libreswan.org/show_bug.cgi?id=298

I've recreated the issue in ikev2-connswitch-03

The issue is:

diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
index 9db2d91fab..3e47a7fcf8 100644
--- a/programs/pluto/ikev2_ts.c
+++ b/programs/pluto/ikev2_ts.c
@@ -1142,9 +1142,7 @@ bool v2_process_ts_request(struct child_sa *child,
                 if (hp == NULL)
                         continue;

-               for (struct connection *d = hp->connections;
-                    d != NULL; d = d->hp_next) {
+               for (struct connection *d = connections; d != NULL; d = d->ac_next) {
                         /* groups are templates instantiated as GROUPINSTANCE */
                         if (d->policy & POLICY_GROUP) {
                                 continue;
                         }

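Review bot: with the loop now walking the global `connections` list via `ac_next`, the `if (hp == NULL) continue;` guard two lines above no longer protects anything the loop reads, so either the host-pair lookup that produced `hp` is wasted on this path or a NULL host pair silently skips the full scan for that outer iteration; either drop the guard, or keep the host-pair walk and fall through to the global list only when it finds nothing (the fallback ordering asked about further down). Also worth stating for the full scan: every connection for every peer is now a candidate in this loop, so the body has to reject `d` entries whose ids or remote address do not belong to the authenticated peer before their traffic selectors are compared, and on a host with many connections each TS request now costs a walk of the whole list rather than one host pair.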

There are three connections, which only differ in left/rightsubnet. So
they have a shared IKE SA. But east is configured with right=%any and
all three conns have the same rightid=

When west connects to east, east picks one of its static conns. If this
happens to _not_ match the subnets of the connection west picked to
initiate first, the original code does not find the other conns with
subnets because those are right=%any and not considered as part of
the hostpair.

The above fix to just look through every connection fixes this. The
question is, should east have tried to add these right=%any connections
to its host pair? These connections have the same leftid and rightid.

Or should we, if we tried the hostpair listings, _then_ fall back to
try all connections?

Is hostpair still a useful construct at all, or should we slowly phase
it out?

Paul
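The lookup the post describes, as an added example that is not libreswan code: a toy model of east's connection list with three right=%any templates that share leftid/rightid and differ only in subnets, the instance east created when west authenticated with the first of them, and one unrelated static peer. The helpers `find_in_hostpair`, `find_anywhere` and `find_with_fallback`, and all addresses and subnets, are constructed for the example. It contrasts the original host-pair-only search (which misses the other two templates because %any connections are not host-pair members), a bare scan of every connection keyed only on traffic selectors (the hunk taken in isolation), and a host-pair-first search that falls back to all connections but filters on the peer's ids and address:

```c
/* Added example (not libreswan code): a toy model of pluto's connection
 * lookup for an IKEv2 TS request, built to show the three search strategies
 * discussed in the post. Names, addresses and subnets are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ANY "%any"

struct conn {
    const char *name;
    const char *left, *right;          /* addresses, or ANY for a template */
    const char *leftid, *rightid;
    const char *leftsubnet, *rightsubnet;
};

/* east's view: three templates differing only in subnets, the instance east
 * made when west (192.1.2.45) authenticated against the first one, and one
 * unrelated static peer. Only the instance has a concrete right= address. */
static const struct conn conns[] = {
    { "east-west-a",    "192.1.2.23", ANY,          "@east", "@west",  "192.0.2.0/24",  "192.0.1.0/24"  },
    { "east-west-b",    "192.1.2.23", ANY,          "@east", "@west",  "192.0.22.0/24", "192.0.11.0/24" },
    { "east-west-c",    "192.1.2.23", ANY,          "@east", "@west",  "192.0.32.0/24", "192.0.31.0/24" },
    { "east-west-a[1]", "192.1.2.23", "192.1.2.45", "@east", "@west",  "192.0.2.0/24",  "192.0.1.0/24"  },
    { "east-other",     "192.1.2.23", "192.1.2.99", "@east", "@other", "10.0.0.0/8",    "10.1.0.0/16"   },
};
#define NCONNS (sizeof conns / sizeof conns[0])

/* A connection sits in the (local, remote) host pair only when both of its
 * ends are concrete; %any templates are never members. */
static bool in_hostpair(const struct conn *c, const char *local, const char *remote)
{
    return strcmp(c->left, local) == 0 && strcmp(c->right, remote) == 0;
}

/* As responder, TSi carries the initiator's (right) subnet and TSr ours. */
static bool ts_matches(const struct conn *c, const char *tsi, const char *tsr)
{
    return strcmp(c->rightsubnet, tsi) == 0 && strcmp(c->leftsubnet, tsr) == 0;
}

/* Original behaviour: walk only the host pair. Returns the name or NULL. */
const char *find_in_hostpair(const char *local, const char *remote,
                             const char *tsi, const char *tsr)
{
    for (size_t i = 0; i < NCONNS; i++)
        if (in_hostpair(&conns[i], local, remote) && ts_matches(&conns[i], tsi, tsr))
            return conns[i].name;
    return NULL;
}

/* The hunk in isolation: every connection is a candidate, matched on TS only. */
const char *find_anywhere(const char *tsi, const char *tsr)
{
    for (size_t i = 0; i < NCONNS; i++)
        if (ts_matches(&conns[i], tsi, tsr))
            return conns[i].name;
    return NULL;
}

/* Host pair first; then fall back to all connections, but only those whose
 * ids match the authenticated peer and whose right= is that peer or %any. */
const char *find_with_fallback(const char *local, const char *remote,
                               const char *localid, const char *remoteid,
                               const char *tsi, const char *tsr)
{
    const char *hit = find_in_hostpair(local, remote, tsi, tsr);
    if (hit != NULL)
        return hit;
    for (size_t i = 0; i < NCONNS; i++) {
        const struct conn *c = &conns[i];
        if (strcmp(c->leftid, localid) != 0 || strcmp(c->rightid, remoteid) != 0)
            continue;
        if (strcmp(c->right, ANY) != 0 && strcmp(c->right, remote) != 0)
            continue;
        if (ts_matches(c, tsi, tsr))
            return c->name;
    }
    return NULL;
}

static void show(const char *what, const char *r)
{
    printf("%-22s -> %s\n", what, r ? r : "(none)");
}

int main(void)
{
    /* west wants conn "b" first, but the host pair only holds the "a" instance */
    show("hostpair, b subnets", find_in_hostpair("192.1.2.23", "192.1.2.45", "192.0.11.0/24", "192.0.22.0/24"));
    show("anywhere, b subnets", find_anywhere("192.0.11.0/24", "192.0.22.0/24"));
    show("fallback, b subnets", find_with_fallback("192.1.2.23", "192.1.2.45", "@east", "@west", "192.0.11.0/24", "192.0.22.0/24"));
    /* west asks for @other's subnets: the bare scan hands out another peer's conn */
    show("anywhere, other", find_anywhere("10.1.0.0/16", "10.0.0.0/8"));
    show("fallback, other", find_with_fallback("192.1.2.23", "192.1.2.45", "@east", "@west", "10.1.0.0/16", "10.0.0.0/8"));
    return 0;
}
```

The last two lookups are the reason the fallback filters on ids and remote address rather than on traffic selectors alone: a scan of the whole list with no peer filter would hand the @west IKE SA a Child SA for subnets that were configured for @other.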

