<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 24 Sep 2020 at 20:56, Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu, 24 Sep 2020, Andrew Cagney wrote:<br>
<br>
> -> the config file has right[host]=%any<br>
> -> update_ends_from_this_host_addr() (nee default_end()) sees this and does nothing (right.end.client.maskbits==0)<br>
> (before it would think %any was valid and set .end.client to %any/32 -> right.end.client.maskbits==32; oops)<br>
> - set_policy_prio() computes c->prio using right.end.client.maskbits, hence 32,32(old) or 32,0(new)<br>
<br>
Ahh. But conn_prio shouldn't be just maskbits ?<br></blockquote><div><br></div><div>Probably. I just noticed it was using .client.maskbits.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
> -> when that.host_addr=%any, I think the new priority is correct<br>
> for instance, the narrower <a href="http://1.2.0.0/16" rel="noreferrer" target="_blank">1.2.0.0/16</a> now has higher priority than %any<br>
<br>
Right.<br>
<br>
> -> however, I suspect, when .host_addr is changed (ex, ddns), c->prio should be re-computed<br>
<br>
But that should be the same weight regardless the IP address? Only the<br>
subnets really change the weight calculation ? But I guess if we have<br>
policies that are a /32 those should match before a 0/0 policy.<br></blockquote><div><br></div><div>This is separate to %any.</div><div><br></div><div>Once ddns resolves a name it updates .host_addr (from AF_UNSPEC to a valid address).</div><div>This, in turn, can update .client to .host_addr/32.</div><div>And updating .client changes .maskbits from 0 to 32, say.</div><div>Since c->prio is based on .maskbits, should it too be updated?</div><div><br></div><div>For instance, when the client isn't specified:</div><div> right=foo</div><div>should end up using 32 while, per above:</div><div> right=%any</div><div>would stick to 0.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
> The other possibility is that the change is too aggressive and update_ends_from_this_host_addr() should selectively<br>
> update fields (for instance, when %any, skip .host_port and skip that.host_nexthop)<br></blockquote><div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I thought the conn prio only changed based on the IPsec policy policy,<br>
so ports only come in play with leftprotoport= and the host_port is<br>
completely unrelated to that ?<br></blockquote><div><br></div><div>Yes. It isn't used to compute the priority.</div><div>It is one of a number of connection fields that should be updated once the address is known.</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Paul<br>
</blockquote></div></div>