sounds like something to unit test

On Tue, 17 Dec 2019 at 23:45, Paul Wouters <[email protected]> wrote:
>
>
> One of the recent bugs in transport mode OE connections turns out to
> have been due to a bad IPsec SA priority calculation. There was a check
> for tunnel mode, which then looked at other bits than for transport
> mode. Unfortunately, it meant that for transport mode the template
> conn (eg private-or-clear#192.1.2.0/24) would get the same priority as the
> instance of that (eg private-or-clear#192.1.2.0/24-192.1.2.23). Whether due to
> changed kernel behaviour or something else, the two conns having the
> same priority led to packet drops when it hit the template out policy.
>
> Additionally, when I reviewed my change with Hugh, he found a bug
> where a /32 template and instance would also get the same priority.
> This might not cause a problem, since we handle duplicate eroutes
> specially, but just to be safe we gave Template vs Instance another
> bit in the IPsec SA priority calculation.
>
> This means that all ip xfrm priorities visible changed. I've gotten most
> of these fixed up in the following testing commit. But some IPv6 tests
> failed to run on my laptop, so I'm letting testing.libreswan.org run
> those and fix those up tomorrow. I might have missed a few regardless,
> so if you spot one, ping me with the testname (and/or the old and new
> priority value)
>
> Paul
> _______________________________________________
> Swan-dev mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-dev
