New commits:

commit 26f81fe3734825d686bc76bb8831dce452fd975d
Merge: 2e5ab75456 014879cea8
Author: Andrew Cagney <cag...@gnu.org>
Date:   Wed Sep 10 16:29:00 2025 -0400

    Merge ikev2: trim some dead NAT code

    ... as in a big if() that just logs a message

commit 014879cea854a8123514e7aa2365e6fba05d8fce
Author: Andrew Cagney <cag...@gnu.org>
Date:   Wed Sep 10 14:10:19 2025 -0400

    ikev2: in success_v2_state_transition() remove JUST_ESTABLISHED logic

    Replace it with the comment:

    + * The IKE SA "establishes" midway through processing the
    + * IKE_AUTH exchange. That is, after the IKE SA has been
    + * authenticated and before any Child SA payloads are
    + * processed. Hence, this isn't the place to handle a
    + * JUST-ESTABLISHED transition.
    + *
    + * Specifically, NATed addresses need to be updated BEFORE
    + * Child SA payloads can be processed and Child SA kernel
    + * state/policy installed (if it doesn't happen, they use the
    + * wrong value).
    + *
    + * Suspect code trying to handle non-MOBIKE NAT (where packet
    + * from new address triggers address change) will need to
    + * update addresses BEFORE processing the triggering packet -
    + * again that packet could be for a new Child SA and, hence,
    + * needs up-to-date address information.

commit 251b6847a9d1e6d7e502705e9ac6d369b67ba9ee
Author: Andrew Cagney <cag...@gnu.org>
Date:   Wed Sep 10 14:05:24 2025 -0400

    ikev2: in success_v2_state_transition() drop NAT noop code

    Remove long convoluted if() statement and comment that does no
    more than occasionally debug-log.

commit ff64511fce9e2fa262cfe6a6c7f1aa7d7a591f5e
Author: Andrew Cagney <cag...@gnu.org>
Date:   Wed Sep 3 10:10:22 2025 -0400

    ikev2 nat: return VOID from detect_ikev2_nat()

    Start decoupling nat-detection from port updates.

_______________________________________________
Swan-commit mailing list -- swan-commit@lists.libreswan.org
To unsubscribe send an email to swan-commit-le...@lists.libreswan.org