[Swan-dev] Finding connections with %any fails due to only searching hostpair

Andrew Cagney andrew.cagney at gmail.com
Wed Mar 17 12:58:55 UTC 2021 

On Tue, 16 Mar 2021 at 23:19, Paul Wouters <paul at nohats.ca> wrote:
>
>
> I've looked again at this bug: https://bugs.libreswan.org/show_bug.cgi?id=298
>
> I've recreated the issue in ikev2-connswitch-03
>
> The issue is:
>
> diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
> index 9db2d91fab..3e47a7fcf8 100644
> --- a/programs/pluto/ikev2_ts.c
> +++ b/programs/pluto/ikev2_ts.c
> @@ -1142,9 +1142,7 @@ bool v2_process_ts_request(struct child_sa *child,
>                  if (hp == NULL)
>                          continue;
>
> -               for (struct connection *d = hp->connections;
> -                    d != NULL; d = d->hp_next) {
> +               for (struct connection *d = connections; d != NULL; d = d->ac_next) {
>                          /* groups are templates instantiated as GROUPINSTANCE */
>                          if (d->policy & POLICY_GROUP) {
>                                  continue;
>                          }
>
>
> There are three connections, which only differ in left/rightsubnet. So
> they have a shared IKE SA. But east is configured with right=%any and
> all three conns have the same rightid=

Can this be expressed in terms of local and remote?

hostpair maintains two tables:
    local=address, remote=address
    local=address, remote=any

> When west connects to east, east picks one of its static conns. If this
> happens to _not_ match the subnets of the connection west picked to
> initiate first, the original code does not find the other conns with
> subnets because those are right=%any and not considered as part of
> the hostpair.
>
> The above fix to just look through every connection fixes this. The
> question is, should east have tried to add these right=%any connections
> to its host pair? These connections have the same leftid and rightid.
>
> Or should we, if we tried the hostpair listings, _then_ fall back to
> try all connections ?
>
> Is hostpair still a useful construct at all, or should we slowly phase
> it out ?
>
> Paul
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev

More information about the Swan-dev mailing list