There are two things kicking around - what range of ports is acceptable and what is allowed when there isn't an exact match.
%any - narrow to single port in range 0-65536 so a single port is ok, but anything else gets chopped to something random
0 - don't narrow, must be 0-65535?
%narrow - 0-65535 but can be less?

presumably addresses have the same problem.

On Sun, 24 May 2020 at 12:19, Paul Wouters <[email protected]> wrote:
>
> On Sun, 24 May 2020, Tuomo Soini wrote:
>
> > On Fri, 22 May 2020 14:00:54 -0400 (EDT)
> > Paul Wouters <[email protected]> wrote:
> >
> >>> ip: add .any_port to ip_protoport, seems tcp/0 and tcp/%any are
> >>> subtly different
> >>
> >> Warning. A connection containing %any (I think even in protoports=)
> >> becomes a template and therefore cannot initiate. That's a limit in
> >> our implementation. I think most of the tcp/0 is really a "tcp/%any but
> >> we need to be able to initiate" workaround.
> >
> > tcp/%any means any single port proposed by remote.
>
> Ah that is true actually. But how does the initiator say the same thing?
> It cannot use %any because the connection would not be able to initiate
> as it would become a template. I guess we might only support using an
> ephemeral port in the responder, and assume the initiator always uses
> a static port?
>
> Paul
>
> _______________________________________________
> Swan-dev mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-dev
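The three port spellings listed at the top of the thread (%any, 0, %narrow) plus an explicit port, modelled as responder-side traffic-selector narrowing. This is an added illustration, not libreswan code: the rule each spelling enforces is an assumption read from the message (with a wide proposal against %any rejected rather than "chopped to something random"), and narrowing itself is modelled as IKEv2-style range intersection.

```python
# Added model of protoport port narrowing on the responder. Not libreswan's
# implementation; the per-spelling rules are assumptions taken from the thread.

FULL = (0, 65535)


def _intersect(a, b):
    """Intersection of two inclusive (lo, hi) port ranges, or None if empty."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def narrow_ports(spec, proposed):
    """Return the port range the responder ends up with, or None to reject.

    spec     -- port part of the local protoport: "%any", "0", "%narrow" or "<n>"
    proposed -- inclusive (lo, hi) port range offered by the peer
    """
    lo, hi = proposed
    if not (0 <= lo <= hi <= 65535):
        return None                       # malformed proposal: reject outright
    if spec == "%any":                    # any *single* port, chosen by the peer
        return proposed if lo == hi else None
    if spec == "0":                       # no narrowing: peer must offer everything
        return FULL if proposed == FULL else None
    if spec == "%narrow":                 # any sub-range of 0-65535 is acceptable
        return _intersect(FULL, proposed)
    port = int(spec)                      # explicit port: narrow the peer down to it
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port in protoport: {spec!r}")
    local = (port, port)
    return local if _intersect(local, proposed) == local else None
```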
