[strongSwan] Using %any as protoport
Andreas Steffen
andreas.steffen at strongswan.org
Mon Nov 12 09:19:18 CET 2012
Hello Divya,
with strongSwan 5.0, the libfreeswan code has been removed from
our distribution and is not maintained any more. Please update
to our latest strongswan-5.0.1 release which offers the same
IKEv1 functionality but with [hopefully] superior code.
Best regards
Andreas
On 12.11.2012 06:27, divya mohan wrote:
> Hi,
>
>
> In file libfreeswan/ttoprotoport.c, function ttoprotoport(),
>
> ------------------------------------------------------------------------------------------------------
> /* extract protocol by trying to resolve it by name */
> protocol = getprotobyname(proto_name);
> if (protocol != NULL) {
>     *proto = protocol->p_proto;
> }
> else /* failed, now try it by number */
> {
>     l = strtol(proto_name, &end, 0);
>
>     if (*proto_name && *end)
>         return "<protocol> is neither a number nor a valid name";
>
>     if (l < 0 || l > 0xff)
>         return "<protocol> must be between 0 and 255";
>
>     *proto = (u_int8_t)l;
> }
>
> /* is there a port wildcard? */
> *has_port_wildcard = (strcmp(service_name, "%any") == 0);
> ------------------------------------------------------------------------------------------------------
>
> In the above piece of code, shouldn't the comparison with "%any" be done
> before checking whether the protocol is a valid protocol name/number?
> Say, if I have leftprotoport=%any in my config file, this function
> will return with the error "<protocol> is neither a number nor a valid
> name" without modifying the value of has_port_wildcard.
>
>
> Now, in file starter/confread.c, function kw_end(),
> ------------------------------------------------------------------------------------------------------
> bool has_port_wildcard;
> .
> .
> .
> case KW_PROTOPORT:
>     ugh = ttoprotoport(value, 0, &end->protocol, &end->port,
>                        &has_port_wildcard);
>     end->has_port_wildcard = has_port_wildcard;
>     break;
> ------------------------------------------------------------------------------------------------------
>
> the variable has_port_wildcard is not initialized and may contain a random value.
>
> The problem I was facing is that initially I had a configuration
> with one connection with leftprotoport=%any.
> Then I added another connection and sent 'ipsec update'. (The initial
> connection's configuration has not changed.)
> Starter compares the configuration of the first connection between the old
> and new config files and erroneously reports that they are different
> (this is because bool has_port_wildcard might have had some non-zero
> value), hence the first connection gets terminated, though there is no
> need for this.
>
>
> Could you please check whether this is a bug?
>
>
> Regards,
> Divya Mohan M
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
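An added example, not code from this thread and not strongSwan's own ttoprotoport, showing how a parser of the shape quoted above can avoid both problems Divya describes: every output, has_port_wildcard included, is initialised before any early return, and the "%any" wildcard is tested before the value is handed to getprotobyname()/strtol(), which can only reject it. The function parse_protoport and the wrapper functions are hypothetical names; treating a bare "%any" as a protocol-and-port wildcard and the error strings not quoted in the thread are assumptions of this example.

```c
#include <netdb.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser (not strongSwan's) for "proto/port" strings such as
 * "17/1701", "udp/%any", or, as an assumption here, a bare "%any".
 * Returns NULL on success or a static error string on failure. */
const char *parse_protoport(const char *src, uint8_t *proto, uint16_t *port,
                            bool *has_port_wildcard)
{
    char buf[64];
    char *slash, *end;
    const char *proto_name, *service_name;
    struct protoent *pe;
    long l;

    /* Initialise all outputs first, so a caller that copies them into its
     * own structure never sees stale stack data, whichever path returns. */
    *proto = 0;
    *port = 0;
    *has_port_wildcard = false;

    if (src == NULL || strlen(src) >= sizeof(buf))
        return "<protoport> is missing or too long";
    strcpy(buf, src);

    /* Wildcard before resolution: "%any" is neither a protocol name nor a
     * number, so the lookups below would reject it with an error. */
    if (strcmp(buf, "%any") == 0) {
        *has_port_wildcard = true;
        return NULL;
    }

    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        service_name = slash + 1;
    } else {
        service_name = "";
    }
    proto_name = buf;

    /* Protocol: by name (via /etc/protocols), then by number. */
    pe = getprotobyname(proto_name);
    if (pe != NULL) {
        *proto = (uint8_t)pe->p_proto;
    } else {
        l = strtol(proto_name, &end, 0);
        if (*proto_name == '\0' || *end != '\0')
            return "<protocol> is neither a number nor a valid name";
        if (l < 0 || l > 0xff)
            return "<protocol> must be between 0 and 255";
        *proto = (uint8_t)l;
    }

    /* Port: an empty port means 0, "%any" sets the wildcard, else a number. */
    if (*service_name == '\0')
        return NULL;
    if (strcmp(service_name, "%any") == 0) {
        *has_port_wildcard = true;
        return NULL;
    }
    l = strtol(service_name, &end, 0);
    if (*end != '\0')
        return "<port> is not a number"; /* service-name lookup omitted here */
    if (l < 0 || l > 0xffff)
        return "<port> must be between 0 and 65535";
    *port = (uint16_t)l;
    return NULL;
}

/* Mirrors the starter's use of a local bool: it is seeded with a stale
 * 'true' so that a parser which forgot to set it would leak the old value.
 * Returns the flag as 1/0 after parsing, regardless of success. */
int wildcard_flag(const char *src)
{
    uint8_t proto; uint16_t port; bool wild = true;
    parse_protoport(src, &proto, &port, &wild);
    return wild ? 1 : 0;
}

int parsed_proto(const char *src) /* protocol number, or -1 on error */
{
    uint8_t proto; uint16_t port; bool wild;
    return parse_protoport(src, &proto, &port, &wild) ? -1 : proto;
}

int parsed_port(const char *src) /* port number, or -1 on error */
{
    uint8_t proto; uint16_t port; bool wild;
    return parse_protoport(src, &proto, &port, &wild) ? -1 : port;
}

int main(void)
{
    /* Constructed sample inputs, including the two error cases. */
    const char *inputs[] = { "%any", "17/1701", "17/%any", "300/1", "foo/1" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-10s -> wildcard=%d proto=%d port=%d\n", inputs[i],
               wildcard_flag(inputs[i]), parsed_proto(inputs[i]),
               parsed_port(inputs[i]));
    return 0;
}
```

The numeric inputs avoid depending on /etc/protocols being present; with "foo/1" the parser fails as in the quoted code, but wildcard_flag() still returns 0 because the flag was reset before the early return, which is exactly what the uninitialised local in kw_end() would not guarantee.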