On Sun, 10 Jun 2018, D. Hugh Redelmeier wrote:
(1) it isn't clear to me why the streq(best->name, t->name) is not negated
Could someone add a comment explaining this? Paul? Antony?
    if (LIN(POLICY_GROUPINSTANCE, t->policy) && (t->kind == CK_TEMPLATE)) {
        /* ??? clang 6.0.0 thinks best might be NULL but I don't see how */
        if (!streq(t->foodgroup, best->foodgroup) ||
            streq(best->name, t->name) ||
            !subnetinsubnet(&best->spd.that.client,
                            &t->spd.that.client) ||
            !sameaddr(&best->spd.this.client.addr,
                      &t->spd.this.client.addr))
            continue;

        /* ??? why require best->name and t->name to be different */
You can find the explanation in the commit:
IKEv2: Allow switching between OE group instances with different protoport settings
This fixes newoe-18-poc-cop-port22-both-reorder
From that test's description.txt:
Compared to newoe-18-poc-cop-port22-both, the order of the clear-or-private
policies on east is reversed. This causes east to initially pick the
wrong clear-or-private group to instantiate, and it needs to switch
during IKE_AUTH
The test is there to ensure that if we find the _same_ conn, we do NOT select
it, but "continue" looking for something better than our current
instance or its template.
(2) the comment in the following code explains what I don't understand.
Can someone explain why we can assume that tsi_n and tsr_n are both one?
We simply haven't written the code to handle more than one.
Paul