On Thu, Mar 12, 2009 at 02:31:50PM +0200, Timo Teräs wrote:
[NATT patchset cleanup]
> > What I'd actually like to see, and am willing to do is:
> > 1. Get your patch committed (possible with the configure option done)
That's my goal too :-)
> > 2. Remove the CMPSADDR macro, make sure the ports are set properly all over the code
> > so we don't need any hacks for the NAT-T support
I first tried to make the patchset as small as possible, but it
definitely seems that it would take as much time to deal with all
the cases as to clean up the cmpsaddr issues once and for all.
> > 3. Implement X_NAT_T_NEW_MAPPING message
That's not on my short term TODO list...
> Ok, I've noticed that talk is cheap. I'll just start coding and posting patches.
> I took your latest patch, Yvan, and cleaned it up quite a bit.
> - #define for the getspi replaced with real function
> - replaced the #ifdef block in n+1 places with a function call
> - some other minor things
> I also started on the remove CMPSADDR thingy. The plan is to remove all cmpsaddr
> functions, and replace them with single cmpsaddr that is basically the current
> cmpsaddrwild. The trick is to make sure that the code else where makes sure that
> the ports are either set, or 0 where appropriate. This makes using cmpsaddr so
> much easier.
There are some parts of the code where we DO NEED to use
Actually, 0 can mean "any port, I don't care" or "port 500 with no
NAT-T", so if we have for example one gate to gate tunnel (without
NAT-T), and a roadwarrior natted by one of the gates which also wants
to set up an IPsec tunnel to the other gate (yeah, this is really an
example from the real world!!!), cmpsaddrwild would match addresses
which MUST NOT match!
That's why I added a cmpsaddrmagic (which is probably not a good
solution, but which helped fix some issues quickly).
> > I also started tracking the CVS tree using Git, so I think I could get those done
> > as a patch series.
> So now I track the CVS tree, and use a stacked-git on a clone of that.
> Now the patch editing flow is relatively ok: I can spend more time on coding,
> than using the patch generation tools.
> I'll put my NAT-T fixup stuff to http://solidboot.com/~fabled/ipsec-tools
> every now and then. I'll post here when something big enough is uploaded there.
Actually, to have racoon work with your cmpsaddr-cleanup patch, we
would have to remove lots of (but not all) set_port([src|dst], 0) in
patch natt-ports-cleanup, and replace them with set_port([src|dst],
So we would ensure that a port value of 0 will *always* mean "don't
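The gate-to-gate plus NATed-roadwarrior case described above, as an added illustration that is not racoon code and not from either poster: a tiny SA table keyed on (src, dst) sockaddr pairs and a wildcard comparison in the spirit of cmpsaddrwild, where a port of 0 on either side matches anything. The structure and function names (sa_entry, cmpsaddr_wild, sa_lookup, build_table, lookup_natt_packet) are invented here, the addresses are constructed from documentation ranges, and the roadwarrior's NAT-T port 4500 is an assumption for the example. With the old convention, where the non-NAT-T gate-to-gate SA is stored with port 0 standing in for 500, a NAT-T packet from behind gate A is matched against the gate-to-gate entry; once every stored SA carries its real port, 0 is only ever a wildcard in a lookup key and the correct entry is found.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Added example, not ipsec-tools code: names and addresses below are
 * constructed for illustration only. */

struct sa_entry {
    struct sockaddr_in src;
    struct sockaddr_in dst;
    const char *label;   /* for the reader only */
};

static struct sockaddr_in mk_addr(const char *ip, uint16_t port)
{
    struct sockaddr_in s;
    memset(&s, 0, sizeof s);
    s.sin_family = AF_INET;
    s.sin_port = htons(port);
    inet_pton(AF_INET, ip, &s.sin_addr);
    return s;
}

/* Wildcard compare in the spirit of cmpsaddrwild: addresses must be
 * equal; a port of 0 on either side matches any port. Returns 0 on a
 * match, non-zero otherwise (strcmp-like). */
int cmpsaddr_wild(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    if (a->sin_addr.s_addr != b->sin_addr.s_addr)
        return 1;
    if (a->sin_port == 0 || b->sin_port == 0)
        return 0;
    return a->sin_port != b->sin_port;
}

/* Index of the first entry whose (src, dst) matches under wildcard
 * rules, or -1 when nothing matches. */
int sa_lookup(const struct sa_entry *tab, int n,
              const struct sockaddr_in *src, const struct sockaddr_in *dst)
{
    for (int i = 0; i < n; i++)
        if (cmpsaddr_wild(&tab[i].src, src) == 0 &&
            cmpsaddr_wild(&tab[i].dst, dst) == 0)
            return i;
    return -1;
}

/* Build the two SAs from the mail with constructed addresses.
 * fixed_ports == 0: the plain-IKE gate-to-gate SA is stored with port 0,
 *                   i.e. the old "0 also means port 500, no NAT-T" usage.
 * fixed_ports != 0: every stored SA carries its real port, so 0 is only
 *                   ever a "don't care" in a lookup key. */
void build_table(struct sa_entry tab[2], int fixed_ports)
{
    uint16_t gw_port = fixed_ports ? 500 : 0;
    /* entry 0: gate A <-> gate B, plain IKE on UDP 500, no NAT-T */
    tab[0].src = mk_addr("192.0.2.1", gw_port);
    tab[0].dst = mk_addr("198.51.100.1", gw_port);
    tab[0].label = "gate-to-gate";
    /* entry 1: roadwarrior NATed by gate A, NAT-T to gate B (assumed 4500) */
    tab[1].src = mk_addr("192.0.2.1", 4500);
    tab[1].dst = mk_addr("198.51.100.1", 4500);
    tab[1].label = "roadwarrior";
}

/* Which entry does a NAT-T packet gate A:4500 -> gate B:4500 select?
 * Old convention: 0 (the gate-to-gate SA, which MUST NOT match).
 * Real ports stored: 1 (the roadwarrior SA). */
int lookup_natt_packet(int fixed_ports)
{
    struct sa_entry tab[2];
    build_table(tab, fixed_ports);
    struct sockaddr_in src = mk_addr("192.0.2.1", 4500);
    struct sockaddr_in dst = mk_addr("198.51.100.1", 4500);
    return sa_lookup(tab, 2, &src, &dst);
}

/* A caller that genuinely does not care about ports puts 0 in the key;
 * that still works once stored entries carry real ports. */
int lookup_any_port(int fixed_ports)
{
    struct sa_entry tab[2];
    build_table(tab, fixed_ports);
    struct sockaddr_in src = mk_addr("192.0.2.1", 0);
    struct sockaddr_in dst = mk_addr("198.51.100.1", 0);
    return sa_lookup(tab, 2, &src, &dst);
}
```

The point the table makes is that a single wildcard compare is only safe when the wildcard value has exactly one meaning: the lookup key may say "any port", but a stored SA must never use 0 as shorthand for 500.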