path: root/smoketest/scripts/cli/test_qos.py
author: Viacheslav Hletenko <v.gletenko@vyos.io> 2025-05-16 09:02:12 +0000
committer: Viacheslav Hletenko <v.gletenko@vyos.io> 2025-05-16 09:02:12 +0000
commit: 2f8c013b537b6eed12b95c81e9098b240ce1eaa5
tree: 4951ac9ec85171ebef81fa63a941794804b5f11e /smoketest/scripts/cli/test_qos.py
parent: 1268ebb05e909027ecf1b9b4af4a6282d944efa7
T7458: Fix VPN IPsec unexpected passthrough logic bug
VPN IPsec unexpected passthrough logic bug was introduced in this commit
https://github.com/vyos/vyos-1x/commit/f480346bb8e934b1ce2e0fc3be23f7168273bba1

The correct behaviour of the `cidr_fit` was replaced with the incorrect `overlap`.
This way, the passthrough option is used every time when networks overlap.

```
>>> from ipaddress import ip_network
>>>
>>> a = ip_network('192.0.2.0/24')
>>> b = ip_network('192.0.2.100/30')
>>>
>>> a.overlaps(b)
True
>>>
>>> b.overlaps(a)
True
>>>
```

But there should be `subnet_of`:

```
>>> a.subnet_of(b)
False
>>>
>>> b.subnet_of(a)
True
>>>
```

In configuration it looks like

```
set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '192.0.2.0/24'
set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '192.0.2.100/30'
```

The StrongSwan unexpected configuration:

```
RIGHT-tunnel-0-passthrough {
    local_ts = 192.0.2.0/24
    remote_ts = 192.0.2.0/24
    start_action = trap
    mode = pass
}
```

So all outgoing traffic to the 192.0.2.0/24 passes through the main routing table instead of out SA.

Use `subnet_of` to fix this.
Diffstat (limited to 'smoketest/scripts/cli/test_qos.py')
0 files changed, 0 insertions, 0 deletions
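
An added example, not code from vyos-1x: a check that reads `set vpn ipsec site-to-site ... prefix` lines and lists the tunnels where the `overlaps` test would emit a passthrough policy that a `subnet_of` test would not. It assumes passthrough is intended only when the local prefix lies inside the remote prefix (the direction under which the configuration in the commit message yields no passthrough); the function names and every sample line after the first tunnel are constructed.

```python
import re
from ipaddress import ip_network

# Constructed sample config; peer RIGHT tunnel 0 is the case from the commit message.
SAMPLE_CONFIG = """\
set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '192.0.2.0/24'
set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '192.0.2.100/30'
set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '10.1.1.0/24'
set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '10.1.0.0/16'
set vpn ipsec site-to-site peer LEFT tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer LEFT tunnel 0 remote prefix '198.51.100.0/24'
"""

PREFIX_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (\S+) tunnel (\d+) "
    r"(local|remote) prefix '?([^'\s]+)'?$")

def parse_tunnels(config):
    """Return {(peer, tunnel): {'local': [networks], 'remote': [networks]}}."""
    tunnels = {}
    for line in config.splitlines():
        m = PREFIX_RE.match(line.strip())
        if m:
            peer, tunnel, side, prefix = m.groups()
            entry = tunnels.setdefault((peer, int(tunnel)), {'local': [], 'remote': []})
            entry[side].append(ip_network(prefix))
    return tunnels

def unexpected_passthrough(config):
    """List (peer, tunnel, local, remote) where overlaps() and subnet_of() disagree."""
    findings = []
    for (peer, tunnel), ts in sorted(parse_tunnels(config).items()):
        for local in ts['local']:
            for remote in ts['remote']:
                if local.version != remote.version:
                    continue  # never overlap; subnet_of() raises TypeError on mixed versions
                buggy = local.overlaps(remote)    # the check the commit message calls incorrect
                fixed = local.subnet_of(remote)   # assumed direction of the corrected check
                if buggy and not fixed:
                    findings.append((peer, tunnel, str(local), str(remote)))
    return findings

if __name__ == '__main__':
    for peer, tunnel, local, remote in unexpected_passthrough(SAMPLE_CONFIG):
        print(f'{peer} tunnel {tunnel}: passthrough for {local} would bypass the SA to {remote}')
```

Tunnel 1 of peer RIGHT is not reported because its local prefix sits inside the remote prefix, so both checks agree that a passthrough applies.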