Thanks Noel!
I did go through the source code and found out the exact details. For
the record and to keep this archived, the short summary is:
==> High Priority
Masks : The most specific subnet mask for both source and
destination takes priority over anything else. The masks of both
the src and dst carry the same priority weight.
Port : if masks are equal, ports take precedence over
protocol.
Protocol : if everything else is equal, rules with the protocol set
take precedence.
==> Low Priority
Applying this to my examples below:
Example 1:
Connection 1 :
rightsubnet=10.0.0.1/32
Connection 2 :
rightsubnet=10.0.0.0/24[udp]
A UDP packet going to 10.0.0.1 will use connection 1 because it has a more
specific mask.
Example 2:
Connection 1 :
leftsubnet=10.0.0.1/32
rightsubnet=192.168.0.0/24
Connection 2 :
leftsubnet=10.0.0.0/24
rightsubnet=192.168.0.1/32
For a packet going from 10.0.0.1 to 192.168.0.1: no clear answer. The two rules are
"entangled" and have the same priority. I tested this and the result is
ambiguous: it differs from one run to another depending on the order of operations
and when the connections come up. My conclusion is that this is a bad setup. It should
simply be written as (for example):
Connection 1 :
leftsubnet=10.0.0.1/32
rightsubnet=192.168.0.1/32
Connection 2 :
leftsubnet=10.0.0.0/24
rightsubnet=192.168.0.0/24
--Jafar
On 10/11/2017 9:41 AM, Noel Kuntze wrote:
The priority is determined by the (obviously named) priority field in the
security policies. Charon calculates the priority based on the prefix length
and on whether protocol selectors are given.
You need to read the source code to find out what exactly it does.
On 10.10.2017 21:38, Jafar Al-Gharaibeh wrote:
Is the behavior documented anywhere?
Thanks,
Jafar
On 10/5/2017 11:24 AM, Jafar Al-Gharaibeh wrote:
Hi,
I know that the most specific rule is applied to a given traffic flow if multiple
overlapping rules exist. But how is the priority determined when rules are
specific in different ways, like the cases below? Not sure if this is a
strongSwan question or an OS kernel question, as it seems this is more about how
the Linux kernel handles it, for example, but I hope someone here can shed some
light on this subject.
Example 1:
Connection 1 :
rightsubnet=10.0.0.1/32
Connection 2 :
rightsubnet=10.0.0.0/24[udp]
If a UDP packet is going to 10.0.0.1, which connection config will be used? Does
the priority start with the subnet, where the most specific subnet takes precedence
before moving to protocols/ports?
What is the priority between the protocols and ports themselves?
Example 2:
Connection 1 :
leftsubnet=10.0.0.1/32
rightsubnet=192.168.0.0/24
Connection 2 :
leftsubnet=10.0.0.0/24
rightsubnet=192.168.0.1/32
For a packet going from 10.0.0.1 to 192.168.0.1, based on the source
connection 1 has higher priority, but based on the destination connection 2 has
a higher priority. How is this handled?
Regards,
Jafar
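The ordering Jafar summarises at the top of the thread (prefix lengths first, then a port selector, then a protocol selector, with the numerically lowest XFRM priority winning) can be turned into a small model that reproduces both examples and flags the "entangled" case. This is an added example, not strongSwan's code: the base value and the exact weights are assumptions chosen only to preserve that ordering (the real constants live in charon's kernel-netlink plugin and differ between releases), `Packet`, `Policy`, `select_policy` and `find_entangled` are names invented here, and the local address `172.16.0.1/32` standing in for an unspecified leftsubnet is constructed sample data.

```python
"""Model of how overlapping IPsec policies are ranked (added example, not strongSwan code).

Assumed weights reproduce the ordering from the thread: sum of src+dst prefix
lengths dominates, then a port selector, then a protocol selector.  As in XFRM,
the policy with the lowest priority value wins.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple, Union

PRIO_BASE = 200000  # assumed base value; only the relative order matters here


@dataclass(frozen=True)
class Selector:
    net: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    proto: Optional[str] = None   # e.g. "udp"; None means any protocol
    port: Optional[int] = None    # None means any port


def parse_selector(text: str) -> Selector:
    """Parse the 'subnet[proto/port]' form used by leftsubnet/rightsubnet."""
    subnet, proto, port = text, None, None
    if text.endswith("]"):
        subnet, _, rest = text[:-1].partition("[")
        proto_s, _, port_s = rest.partition("/")
        proto = proto_s.lower() or None
        port = int(port_s) if port_s else None   # port ranges are not modelled
    return Selector(ipaddress.ip_network(subnet, strict=False), proto, port)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Policy:
    name: str
    src: Selector
    dst: Selector

    @property
    def proto(self) -> Optional[str]:
        # Assumption: a protocol given on either side restricts the whole policy.
        return self.src.proto or self.dst.proto

    def priority(self) -> int:
        """Lower value = more specific = wins."""
        prio = PRIO_BASE - (self.src.net.prefixlen + self.dst.net.prefixlen)
        prio <<= 2                      # make room for the two flags below
        if self.src.port is None and self.dst.port is None:
            prio += 2                   # no port selector: less specific
        if self.proto is None:
            prio += 1                   # no protocol selector: less specific
        return prio

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src.net
                and ipaddress.ip_address(pkt.dst) in self.dst.net
                and self.proto in (None, pkt.proto)
                and self.src.port in (None, pkt.sport)
                and self.dst.port in (None, pkt.dport))


@dataclass(frozen=True)
class Decision:
    winner: Optional[str]      # None when nothing matches or the best are tied
    tied: Tuple[str, ...]      # every matching policy sharing the best priority


def select_policy(policies: List[Policy], pkt: Packet) -> Decision:
    matching = [p for p in policies if p.matches(pkt)]
    if not matching:
        return Decision(None, ())
    best = min(p.priority() for p in matching)
    tied = tuple(p.name for p in matching if p.priority() == best)
    return Decision(tied[0] if len(tied) == 1 else None, tied)


def _overlap(a: Policy, b: Policy) -> bool:
    """Could a single flow match both policies?"""
    def compat(x, y):
        return x is None or y is None or x == y
    return (a.src.net.overlaps(b.src.net) and a.dst.net.overlaps(b.dst.net)
            and compat(a.proto, b.proto)
            and compat(a.src.port, b.src.port) and compat(a.dst.port, b.dst.port))


def find_entangled(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Config lint: overlapping pairs with equal priority, where the kernel's
    choice depends on installation order (the 'entangled' case in the thread)."""
    return [(a.name, b.name) for a, b in combinations(policies, 2)
            if _overlap(a, b) and a.priority() == b.priority()]


def conn(name: str, left: str, right: str) -> Policy:
    return Policy(name, parse_selector(left), parse_selector(right))


LOCAL = "172.16.0.1/32"   # constructed stand-in for an unspecified leftsubnet
EXAMPLE_1 = [conn("conn1", LOCAL, "10.0.0.1/32"),
             conn("conn2", LOCAL, "10.0.0.0/24[udp]")]
EXAMPLE_2 = [conn("conn1", "10.0.0.1/32", "192.168.0.0/24"),
             conn("conn2", "10.0.0.0/24", "192.168.0.1/32")]
EXAMPLE_2_FIXED = [conn("conn1", "10.0.0.1/32", "192.168.0.1/32"),
                   conn("conn2", "10.0.0.0/24", "192.168.0.0/24")]

if __name__ == "__main__":
    print(select_policy(EXAMPLE_1, Packet("172.16.0.1", "10.0.0.1", "udp", 40000, 53)))
    flow = Packet("10.0.0.1", "192.168.0.1", "tcp", 40000, 22)
    print(select_policy(EXAMPLE_2, flow), find_entangled(EXAMPLE_2))
    print(select_policy(EXAMPLE_2_FIXED, flow), find_entangled(EXAMPLE_2_FIXED))
```

Running it shows conn1 winning Example 1 (the /32 outweighs the protocol selector on the /24), a tie with `winner=None` for Example 2 together with the lint reporting `('conn1', 'conn2')`, and conn1 winning cleanly for the rewritten pair. `find_entangled` is the check worth running over a whole set of child configs before deployment, since the ambiguity only shows up at run time as order-dependent behaviour.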