Move pinhole to after the mechanism chain elements in both client and server. #265
Both client and server chain elements make decisions and set parameters (say for mechanisms)
on the downward path of the call chain, and take action on the return path of the call chain.
For this reason, pinhole should open a 'pinhole' in any ACL on the return chain
before the mechanism takes action to create a remote mechanism.
For vxlan this doesn't matter, as it is stateless.
For wireguard, which sends an initiator message on peer creation, it matters a lot.
If pinhole is misplaced (as it was previously), wireguard's initial initiator message
that is sent on peer creation is blocked as there is no pinhole for it. Retries occur
after 5 seconds. If pinhole is properly placed in the chain (as in this PR), then the initial
initiator message goes out, and the wireguard tunnel comes up within milliseconds.
Also update to the latest github.com/edwarnicke/govpp which contains wireguard API
enhancement to allow us to 'wait' till peers are up.
Signed-off-by: Ed Warnicke <hagbard@gmail.com>
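The ordering argument in the description above (decisions on the way down the chain, actions on the way back up, so an element placed later in the chain acts first on the return path) can be demonstrated with a small self-contained model. The following is an added example written for this page; it is not code from cmd-forwarder-vpp or govpp. The `Element` interface, the `acl`/`pinhole`/`wireguardLike` types and the peer address `10.0.0.2:51820` are all constructed for illustration; the real chain elements, ACL and WireGuard calls are assumed to behave the way the PR description states (the initiator packet sent on peer creation is dropped unless the ACL already has a pinhole for the peer).

```go
package main

import (
	"context"
	"fmt"
)

// Request models the connection request passed down the chain. In this
// constructed example it only carries the remote peer address that a
// mechanism element decides on the downward path.
type Request struct {
	RemoteAddr string
}

// Element is a chain element: it may set parameters before calling next
// (downward path) and take action after next returns (return path).
type Element interface {
	Request(ctx context.Context, req *Request, next func(context.Context, *Request) error) error
}

// chain links elements in order. Downward calls run first-to-last; the
// return-path actions therefore run last-to-first.
func chain(elements ...Element) func(context.Context, *Request) error {
	var run func(i int) func(context.Context, *Request) error
	run = func(i int) func(context.Context, *Request) error {
		return func(ctx context.Context, req *Request) error {
			if i >= len(elements) {
				return nil // end of chain
			}
			return elements[i].Request(ctx, req, run(i+1))
		}
	}
	return run(0)
}

// acl is a toy allow-list standing in for the real ACL (constructed).
type acl struct{ allowed map[string]bool }

func (a *acl) permits(addr string) bool { return a.allowed[addr] }

// pinhole opens a hole in the ACL for the peer on the return path.
type pinhole struct{ acl *acl }

func (p *pinhole) Request(ctx context.Context, req *Request, next func(context.Context, *Request) error) error {
	// Downward path: nothing to decide; the peer is chosen further down.
	if err := next(ctx, req); err != nil {
		return err
	}
	// Return path: open the pinhole for the peer address now known in req.
	p.acl.allowed[req.RemoteAddr] = true
	return nil
}

// wireguardLike models a mechanism that decides the peer on the way down
// and creates the peer on the way back, which emits an initiator packet.
type wireguardLike struct {
	peer               string
	acl                *acl
	initiatorDelivered bool
}

func (w *wireguardLike) Request(ctx context.Context, req *Request, next func(context.Context, *Request) error) error {
	// Downward path: set the parameter other elements will need.
	req.RemoteAddr = w.peer
	if err := next(ctx, req); err != nil {
		return err
	}
	// Return path: creating the peer sends the handshake initiation at once;
	// it only gets out if the ACL already permits the peer.
	w.initiatorDelivered = w.acl.permits(req.RemoteAddr)
	return nil
}

// initiatorDelivered builds the chain with pinhole either after the
// mechanism (as in this PR) or before it (the previous placement) and
// reports whether the first initiator packet would have been allowed.
func initiatorDelivered(pinholeAfterMechanism bool) bool {
	a := &acl{allowed: map[string]bool{}}
	wg := &wireguardLike{peer: "10.0.0.2:51820", acl: a} // constructed address
	ph := &pinhole{acl: a}
	elems := []Element{ph, wg} // misplaced: mechanism acts before pinhole on return
	if pinholeAfterMechanism {
		elems = []Element{wg, ph} // correct: pinhole acts before mechanism on return
	}
	if err := chain(elems...)(context.Background(), &Request{}); err != nil {
		panic(err)
	}
	return wg.initiatorDelivered
}

func main() {
	fmt.Println("pinhole after mechanism, initiator delivered:", initiatorDelivered(true))
	fmt.Println("pinhole before mechanism, initiator delivered:", initiatorDelivered(false))
}
```

With pinhole placed after the mechanism the ACL is opened before the peer is created, so the first initiator packet passes; with the old placement the peer is created first and that packet is blocked, which is the retry delay the description refers to.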