On Tuesday, 19 May 2020 17:10 CEST, Paul Wouters <[email protected]> wrote:
> On Tue, 19 May 2020, Wolfgang Nothdurft wrote:
>
> > Unfortunately there is another problem in the last KLIPS version 3.31, in
> > which protoport no longer works with KLIPS.
> >
> > Unfortunately I can't find which change or which commit is responsible for
> > it.
>
> We have not made any changes to KLIPS for a few releases, so you should
> be able to run git bisect between 3.27 and 3.31 for just the userland
> install and be able to determine the offending commit. You shouldn't
> need to recompile klips during such a git bisect.
>
> > I know KLIPS should no longer be used, but since XFRMi is not yet fully
> > usable for us and implementing it still requires a lot of effort, we have
> > to rely on KLIPS again.
>
> I'm sorry you haven't been able to migrate to XFRMi yet. We know there
> are some issues left (mostly with rekeying causing packets to not
> arrive) and we are looking into that. If you have other issues, it
> would be good to report those so we can fix things in parallel instead
> of one after the other. The git master tree already has KLIPS fully
> removed. The 3.31 and 3.32 were branches of 3.30 while git master
> moved on.
>
> > So at the moment I only have the option to stay at 3.27 and possibly use
> > the most important patches and maybe some ikev2 fixes, or patch the KLIPS
> > module, ignore the ports and if necessary, use iptables to block all
> > connections that do not match the protoport.
>
> Unfortunately, one of the reasons for dropping KLIPS is that we don't
> have the resources to maintain it. It is a lot of work we did in the
> last decade, mostly not-funded because it's not something people
> would generally fund due to it being old/obsolete technology.
>
> If you can do the git bisect to find the commit causing this, we can
> have a look at writing a patch for you.
>
> Paul
>

Fortunately, I managed to find the responsible change now, doing some "brute force" bisect.

commit 708a5d571e10c75718833147dae404fe3ad9b169 (refs/bisect/bad)
Author: Andrew Cagney <[email protected]>
Date:   Tue Sep 3 10:21:47 2019 -0400

    ip: replace subnet_endpoint() with subnet_prefix(), test

    (as in the subnet's routing prefix, but that's a little long)

My fix for klips is attached, if someone needs it.

Wolfgang

diff --git a/programs/pluto/kernel_pfkey.c b/programs/pluto/kernel_pfkey.c index 4467ee914d..d404757b57 100644 --- a/programs/pluto/kernel_pfkey.c +++ b/programs/pluto/kernel_pfkey.c @@ -921,11 +921,11 @@ bool pfkey_raw_eroute(const ip_address *this_host, int dport = subnet_hport(that_client); int satype; - ip_address sflow_ska = subnet_prefix(this_client); + ip_address sflow_ska = this_client->addr; ip_address smask_ska = subnet_mask(this_client); setportof(sport ? ~0 : 0, &smask_ska); - ip_address dflow_ska = subnet_prefix(that_client); + ip_address dflow_ska = that_client->addr; ip_address dmask_ska = subnet_mask(that_client); setportof(dport ? ~0 : 0, &dmask_ska);
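
Review bot: The two replaced initialisers (sflow_ska and dflow_ska) now read this_client->addr and that_client->addr directly, with no comment saying why the subnet_prefix() accessor is avoided, so a later cleanup of pfkey_raw_eroute() can easily reintroduce the protoport regression. Add a comment stating that the KLIPS eroute needs the port carried in the flow address, or keep subnet_prefix() and set the port explicitly with setportof(), which the hunk already uses on smask_ska and dmask_ska, taking the value from subnet_hport() as dport does (check the byte order setportof() expects). Direct field access also assumes ->addr never carries host bits beyond the subnet mask; if that is not guaranteed, the flow address passed to the kernel is no longer the masked prefix and the selector may not match as intended.
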
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
