[Openswan dev] address mangling with KH_IPHOSTNAME

Avesh Agarwal avagarwa at redhat.com
Thu May 26 16:44:44 EDT 2011


On 05/26/2011 04:25 PM, Paul Wouters wrote:
> On Wed, 25 May 2011, Avesh Agarwal wrote:
>
>> 1. Broken AH support with NETKEY since ages (perhaps since 2.6.15/16) 
>> (rhbz# 704548): AH protocol does not work when setting as phase2=ah, 
>> leading to unsuccessful connection. This ends with error "unknown 
>> encryption algorithm".
>
> I applied this one.
>
Thanks.
>> 2. Protocol port issue when using hostnames instead of ipaddress in 
>> connection definitions (rhbz# 703473): leftprotoport/rightprotoport 
>> option does not work when using hostnames with ipv4.
>
> This is odd. Looking at your patch I can see how in some cases the ipv6
> case (which calls ttoaddr() which can call initaddr()) which causes
> things to get wiped. I am not sure I can see this for the ipv4 case 
> though.
>
With ipv4, if you specify:

left=hostname #so that the name needs to be resolved.
leftprotoport=some_protocol/some_port

Then, it should be possible to reproduce it.

> Actually, it seems tryname() can cause this to happen as well.
> I guess
> we really need to have some ldns/libunbound code to properly do DNS instead
> of using these ancient functions.
>
> I'm applying your workaround to git now. thanks!
>
Thanks a lot.
>> With ipv6, this issue can be reproduced even with ipv6 addresses, if
>> you don't specify "connaddrfamily=ipv6" in the connection definition.
>> The reason is that the ipv6 address is considered as a string and is
>> tried for name resolution, leading to wiping of ports from the
>> connection. However, the ipv6 connection gets established. IOW, to
>> make ipv6 work it is not really needed to specify
>> "connaddrfamily=ipv6", however it breaks protocol/port stuff.
>>
>> I have attached the patches for the above issue. I would appreciate 
>> any feedback on these patches.
>>
>> Thanks and Regards
>> Avesh
>

-- 
Thanks and Regards
Avesh
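The failure mode discussed in this thread, as an added illustration that is not openswan's code: a constructed model of an endpoint where the address and the protoport selector live in one struct, so re-initialising the address after name resolution (the ttoaddr()/initaddr() path Paul mentions) silently zeroes the port that leftprotoport parsing had already set. The struct layout, function names and the 192.0.2.10 address are assumptions chosen for the model, and the "fixed" variant shows the kind of save/restore a regression check would verify.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: address and selector port stored together, as a
 * sockaddr_in does. This is NOT openswan's ip_address layout. */
typedef struct {
    struct sockaddr_in sa;   /* family, address and port in one place */
    uint8_t proto;           /* leftprotoport protocol number */
} endpoint_t;

/* Buggy path: (re)initialising the address zeroes the whole sockaddr,
 * so a port stored earlier by protoport parsing is lost. */
static int initaddr_wipes(endpoint_t *ep, const char *text)
{
    memset(&ep->sa, 0, sizeof(ep->sa));      /* also clears sin_port */
    ep->sa.sin_family = AF_INET;
    return inet_pton(AF_INET, text, &ep->sa.sin_addr) == 1 ? 0 : -1;
}

/* Fixed path: preserve the selector fields across re-initialisation. */
static int initaddr_preserves(endpoint_t *ep, const char *text)
{
    uint16_t port = ep->sa.sin_port;
    int rc = initaddr_wipes(ep, text);
    ep->sa.sin_port = port;                   /* restore what parsing set */
    return rc;
}

/* Regression check: parse protoport first (tcp/22), then "resolve" the
 * peer. Returns the host-order port that survives; 0 means it was wiped,
 * -1 means the address text was invalid. */
int port_after_resolve(int use_fix)
{
    endpoint_t ep;
    memset(&ep, 0, sizeof(ep));
    ep.sa.sin_port = htons(22);               /* leftprotoport=tcp/22 */
    ep.proto = 6;
    /* Constructed stand-in for the address a hostname resolved to. */
    const char *left = "192.0.2.10";
    int rc = use_fix ? initaddr_preserves(&ep, left)
                     : initaddr_wipes(&ep, left);
    if (rc != 0)
        return -1;
    return ntohs(ep.sa.sin_port);
}
```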


