

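--- a/ipsec-tools/files/natt.diff
+++ b/ipsec-tools/files/natt.diff
@@ -0,0 +1,153 @@
+--- src/libipsec/libpfkey.h
++++ src/libipsec/libpfkey.h
+@@ -85,7 +85,7 @@ struct pfkey_send_sa_args {
+ 	u_int32_t	seq;
+ 	u_int8_t	l_natt_type;
+ 	u_int16_t	l_natt_sport, l_natt_dport;
+-	struct sockaddr *l_natt_oa;
++	struct sockaddr *l_natt_oai, *l_natt_oar;
+ 	u_int16_t	l_natt_frag;
+ 	u_int8_t ctxdoi, ctxalg;	/* Security context DOI and algorithm */
+ 	caddr_t ctxstr;			/* Security context string */
+--- src/libipsec/pfkey.c
++++ src/libipsec/pfkey.c
+@@ -1335,9 +1335,12 @@ pfkey_send_x1(struct pfkey_send_sa_args 
+ 		len += sizeof(struct sadb_x_nat_t_type);
+ 		len += sizeof(struct sadb_x_nat_t_port);
+ 		len += sizeof(struct sadb_x_nat_t_port);
+-		if (sa_parms->l_natt_oa)
++		if (sa_parms->l_natt_oai)
+ 			len += sizeof(struct sadb_address) +
+-			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa));
++			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai));
++		if (sa_parms->l_natt_oar)
++			len += sizeof(struct sadb_address) +
++			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar));
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ 		if (sa_parms->l_natt_frag)
+ 			len += sizeof(struct sadb_x_nat_t_frag);
+@@ -1452,10 +1455,21 @@ pfkey_send_x1(struct pfkey_send_sa_args 
+ 			return -1;
+ 		}
+ 
+-		if (sa_parms->l_natt_oa) {
+-			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
+-					      sa_parms->l_natt_oa,
+-					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)),
++		if (sa_parms->l_natt_oai) {
++			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAI,
++					      sa_parms->l_natt_oai,
++					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)),
++					      IPSEC_ULPROTO_ANY);
++			if (!p) {
++				free(newmsg);
++				return -1;
++			}
++		}
++
++		if (sa_parms->l_natt_oar) {
++			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAR,
++					      sa_parms->l_natt_oar,
++					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)),
+ 					      IPSEC_ULPROTO_ANY);
+ 			if (!p) {
+ 				free(newmsg);
+@@ -2034,7 +2048,8 @@ pfkey_align(struct sadb_msg *msg, caddr_
+ 		case SADB_X_EXT_NAT_T_TYPE:
+ 		case SADB_X_EXT_NAT_T_SPORT:
+ 		case SADB_X_EXT_NAT_T_DPORT:
+-		case SADB_X_EXT_NAT_T_OA:
++		case SADB_X_EXT_NAT_T_OAI:
++		case SADB_X_EXT_NAT_T_OAR:
+ #endif
+ #ifdef SADB_X_EXT_TAG
+ 		case SADB_X_EXT_TAG:
+@@ -2592,7 +2607,7 @@ pfkey_send_update_nat(int so, u_int saty
+ 	psaa.l_natt_type = l_natt_type;
+ 	psaa.l_natt_sport = l_natt_sport;
+ 	psaa.l_natt_dport = l_natt_dport;
+-	psaa.l_natt_oa = l_natt_oa;
++	psaa.l_natt_oar = l_natt_oa;
+ 	psaa.l_natt_frag = l_natt_frag;
+ 
+ 	return pfkey_send_update2(&psaa);
+@@ -2667,7 +2682,7 @@ pfkey_send_add_nat(int so, u_int satype,
+ 	psaa.l_natt_type = l_natt_type;
+ 	psaa.l_natt_sport = l_natt_sport;
+ 	psaa.l_natt_dport = l_natt_dport;
+-	psaa.l_natt_oa = l_natt_oa;
++	psaa.l_natt_oai = l_natt_oa;
+ 	psaa.l_natt_frag = l_natt_frag;
+ 
+ 	return pfkey_send_add2(&psaa);
+--- src/racoon/isakmp_quick.c
++++ src/racoon/isakmp_quick.c
+@@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
+ 			     spidx.src.ss_family, spidx.dst.ss_family,
+ 			     _XIDT(iph2->id_p),idi2type);
+ 		}
++#ifdef ENABLE_NATT
++		if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
++			u_int16_t port;
++
++			port = extract_port(&spidx.src);
++			memcpy(&spidx.src, iph2->ph1->remote,
++			    sysdep_sa_len(iph2->ph1->remote));
++			set_port(&spidx.src, port);
++			switch (spidx.src.ss_family) {
++			case AF_INET:
++				spidx.prefs = sizeof(struct in_addr) << 3;
++				break;
++#ifdef INET6
++			case AF_INET6:
++				spidx.prefs = sizeof(struct in6_addr) << 3;
++				break;
++#endif
++			default:
++				spidx.prefs = 0;
++				break;
++			}
++			plog(LLV_DEBUG, LOCATION,
++				NULL, "use NAT address %s as src\n",
++				saddr2str((struct sockaddr *)&spidx.src));
++		}
++#endif
+ 	} else {
+ 		plog(LLV_DEBUG, LOCATION, NULL,
+ 		     "get a source address of SP index from Phase 1"
+--- src/racoon/nattraversal.c
++++ src/racoon/nattraversal.c
+@@ -436,10 +436,7 @@ natt_keepalive_add_ph1 (struct ph1handle
+ {
+   int ret = 0;
+   
+-  /* Should only the NATed host send keepalives?
+-     If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)'
+-     to the following condition. */
+-  if (iph1->natt_flags & NAT_DETECTED &&
++  if (iph1->natt_flags & NAT_DETECTED_ME &&
+       ! (iph1->natt_flags & NAT_KA_QUEUED)) {
+     ret = natt_keepalive_add (iph1->local, iph1->remote);
+     if (ret == 0)
+--- src/racoon/pfkey.c
++++ src/racoon/pfkey.c
+@@ -1190,7 +1190,10 @@ pk_sendupdate(iph2)
+ 			sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
+ 			sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
+ 			sa_args.l_natt_dport = extract_port(iph2->ph1->local);
+-			sa_args.l_natt_oa = iph2->natoa_src;
++			/* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */
++				sa_args.l_natt_oai = iph2->natoa_dst;
++			/* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */
++				sa_args.l_natt_oar = iph2->natoa_src;
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ 			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
+ #endif
+@@ -1477,7 +1480,6 @@ pk_sendadd(iph2)
+ 			sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
+ 			sa_args.l_natt_sport = extract_port(iph2->ph1->local);
+ 			sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
+-			sa_args.l_natt_oa = iph2->natoa_dst;
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ 			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
+ #endif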
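Review bot: In the pk_sendupdate hunk of src/racoon/pfkey.c (natt.diff lines 139-142) the two commented-out guards `/* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */` and `/* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */` are followed by assignments indented one level deeper, so `sa_args.l_natt_oai = iph2->natoa_dst;` and `sa_args.l_natt_oar = iph2->natoa_src;` read as conditional but always execute. Either make the guards real (`if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) sa_args.l_natt_oai = iph2->natoa_dst;` and likewise for NAT_DETECTED_ME/l_natt_oar) or drop the comment lines and the extra indent and state in a comment why both original addresses are sent unconditionally. The pk_sendadd hunk removes `sa_args.l_natt_oa = iph2->natoa_dst;` without assigning l_natt_oai or l_natt_oar, so the SADB_ADD message presumably carries no NAT-T OA extension any more; if that is intended, a one-line comment at that spot would stop the next reader from treating it as an omission. The libipsec compatibility wrappers map the legacy single l_natt_oa argument to l_natt_oar in pfkey_send_update_nat but to l_natt_oai in pfkey_send_add_nat; a comment on each naming which endpoint's original address the legacy argument denotes would make that asymmetry visibly deliberate. All of the enclosing functions start and end outside their hunks.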
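--- a/ipsec-tools/Makefile
+++ b/ipsec-tools/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	ipsec-tools
 PORTVERSION=	0.8.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	SF
 
@@ -62,7 +62,7 @@
 DPD_CONFIGURE_ENABLE=	dpd
 NATTF_VARS=		NATT=yes
 NATTF_VARS_OFF=		NATT=kernel
-NATT_CONFIGURE_ON=	--enable-natt=${NATT}
+NATT_CONFIGURE_ON=	--enable-natt=${NATT} --enable-natt-versions=rfc
 NATT_CONFIGURE_OFF=	--disable-natt
 FRAG_CONFIGURE_ENABLE=	frag
 HYBRID_CONFIGURE_ENABLE=hybrid
@@ -79,6 +79,7 @@
 RC5_CONFIGURE_ENABLE=		rc5
 IDEA_CONFIGURE_ENABLE=		idea
 WCPSKEY_EXTRA_PATCHES=		${FILESDIR}/wildcard-psk.diff
+NATT_EXTRA_PATCHES=		${FILESDIR}/natt.diff
 
 post-patch:
 	@${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure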
