FreeBSD Bugzilla – Attachment 180110 Details for
Bug 217131
[patch] security/ipsec-tools add patch for better NAT-T support
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
patch
ipsec-tools.diff (text/plain), 6.34 KB, created by
Andrey V. Elsukov
on 2017-02-18 16:05:07 UTC
(
hide
)
Description:
patch
Filename:
MIME Type:
Creator:
Andrey V. Elsukov
Created:
2017-02-18 16:05:07 UTC
Size:
6.34 KB
patch
obsolete
>diff -burN ipsec-tools.orig/files/natt.diff ipsec-tools/files/natt.diff >--- ipsec-tools.orig/files/natt.diff 1970-01-01 03:00:00.000000000 +0300 >+++ ipsec-tools/files/natt.diff 2017-02-16 12:56:28.507061000 +0300 >@@ -0,0 +1,153 @@ >+--- src/libipsec/libpfkey.h >++++ src/libipsec/libpfkey.h >+@@ -85,7 +85,7 @@ struct pfkey_send_sa_args { >+ u_int32_t seq; >+ u_int8_t l_natt_type; >+ u_int16_t l_natt_sport, l_natt_dport; >+- struct sockaddr *l_natt_oa; >++ struct sockaddr *l_natt_oai, *l_natt_oar; >+ u_int16_t l_natt_frag; >+ u_int8_t ctxdoi, ctxalg; /* Security context DOI and algorithm */ >+ caddr_t ctxstr; /* Security context string */ >+--- src/libipsec/pfkey.c >++++ src/libipsec/pfkey.c >+@@ -1335,9 +1335,12 @@ pfkey_send_x1(struct pfkey_send_sa_args >+ len += sizeof(struct sadb_x_nat_t_type); >+ len += sizeof(struct sadb_x_nat_t_port); >+ len += sizeof(struct sadb_x_nat_t_port); >+- if (sa_parms->l_natt_oa) >++ if (sa_parms->l_natt_oai) >+ len += sizeof(struct sadb_address) + >+- PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)); >++ PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)); >++ if (sa_parms->l_natt_oar) >++ len += sizeof(struct sadb_address) + >++ PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)); >+ #ifdef SADB_X_EXT_NAT_T_FRAG >+ if (sa_parms->l_natt_frag) >+ len += sizeof(struct sadb_x_nat_t_frag); >+@@ -1452,10 +1455,21 @@ pfkey_send_x1(struct pfkey_send_sa_args >+ return -1; >+ } >+ >+- if (sa_parms->l_natt_oa) { >+- p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA, >+- sa_parms->l_natt_oa, >+- (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)), >++ if (sa_parms->l_natt_oai) { >++ p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAI, >++ sa_parms->l_natt_oai, >++ (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)), >++ IPSEC_ULPROTO_ANY); >++ if (!p) { >++ free(newmsg); >++ return -1; >++ } >++ } >++ >++ if (sa_parms->l_natt_oar) { >++ p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAR, >++ sa_parms->l_natt_oar, >++ (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)), >+ IPSEC_ULPROTO_ANY); >+ if (!p) { >+ free(newmsg); >+@@ -2034,7 +2048,8 @@ pfkey_align(struct sadb_msg *msg, caddr_ >+ case SADB_X_EXT_NAT_T_TYPE: >+ case SADB_X_EXT_NAT_T_SPORT: >+ case SADB_X_EXT_NAT_T_DPORT: >+- case SADB_X_EXT_NAT_T_OA: >++ case SADB_X_EXT_NAT_T_OAI: >++ case SADB_X_EXT_NAT_T_OAR: >+ #endif >+ #ifdef SADB_X_EXT_TAG >+ case SADB_X_EXT_TAG: >+@@ -2592,7 +2607,7 @@ pfkey_send_update_nat(int so, u_int saty >+ psaa.l_natt_type = l_natt_type; >+ psaa.l_natt_sport = l_natt_sport; >+ psaa.l_natt_dport = l_natt_dport; >+- psaa.l_natt_oa = l_natt_oa; >++ psaa.l_natt_oar = l_natt_oa; >+ psaa.l_natt_frag = l_natt_frag; >+ >+ return pfkey_send_update2(&psaa); >+@@ -2667,7 +2682,7 @@ pfkey_send_add_nat(int so, u_int satype, >+ psaa.l_natt_type = l_natt_type; >+ psaa.l_natt_sport = l_natt_sport; >+ psaa.l_natt_dport = l_natt_dport; >+- psaa.l_natt_oa = l_natt_oa; >++ psaa.l_natt_oai = l_natt_oa; >+ psaa.l_natt_frag = l_natt_frag; >+ >+ return pfkey_send_add2(&psaa); >+--- src/racoon/isakmp_quick.c >++++ src/racoon/isakmp_quick.c >+@@ -2390,6 +2390,32 @@ get_proposal_r(iph2) >+ spidx.src.ss_family, spidx.dst.ss_family, >+ _XIDT(iph2->id_p),idi2type); >+ } >++#ifdef ENABLE_NATT >++ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { >++ u_int16_t port; >++ >++ port = extract_port(&spidx.src); >++ memcpy(&spidx.src, iph2->ph1->remote, >++ sysdep_sa_len(iph2->ph1->remote)); >++ set_port(&spidx.src, port); >++ switch (spidx.src.ss_family) { >++ case AF_INET: >++ spidx.prefs = sizeof(struct in_addr) << 3; >++ break; >++#ifdef INET6 >++ case AF_INET6: >++ spidx.prefs = sizeof(struct in6_addr) << 3; >++ break; >++#endif >++ default: >++ spidx.prefs = 0; >++ break; >++ } >++ plog(LLV_DEBUG, LOCATION, >++ NULL, "use NAT address %s as src\n", >++ saddr2str((struct sockaddr *)&spidx.src)); >++ } >++#endif >+ } else { >+ plog(LLV_DEBUG, LOCATION, NULL, >+ "get a source address of SP index from Phase 1" >+--- src/racoon/nattraversal.c >++++ src/racoon/nattraversal.c >+@@ -436,10 +436,7 @@ natt_keepalive_add_ph1 (struct ph1handle >+ { >+ int ret = 0; >+ >+- /* Should only the NATed host send keepalives? >+- If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)' >+- to the following condition. */ >+- if (iph1->natt_flags & NAT_DETECTED && >++ if (iph1->natt_flags & NAT_DETECTED_ME && >+ ! (iph1->natt_flags & NAT_KA_QUEUED)) { >+ ret = natt_keepalive_add (iph1->local, iph1->remote); >+ if (ret == 0) >+--- src/racoon/pfkey.c >++++ src/racoon/pfkey.c >+@@ -1190,7 +1190,10 @@ pk_sendupdate(iph2) >+ sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type; >+ sa_args.l_natt_sport = extract_port(iph2->ph1->remote); >+ sa_args.l_natt_dport = extract_port(iph2->ph1->local); >+- sa_args.l_natt_oa = iph2->natoa_src; >++ /* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */ >++ sa_args.l_natt_oai = iph2->natoa_dst; >++ /* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */ >++ sa_args.l_natt_oar = iph2->natoa_src; >+ #ifdef SADB_X_EXT_NAT_T_FRAG >+ sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag; >+ #endif >+@@ -1477,7 +1480,6 @@ pk_sendadd(iph2) >+ sa_args.l_natt_type = UDP_ENCAP_ESPINUDP; >+ sa_args.l_natt_sport = extract_port(iph2->ph1->local); >+ sa_args.l_natt_dport = extract_port(iph2->ph1->remote); >+- sa_args.l_natt_oa = iph2->natoa_dst; >+ #ifdef SADB_X_EXT_NAT_T_FRAG >+ sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag; >+ #endif >diff -burN ipsec-tools.orig/Makefile ipsec-tools/Makefile >--- ipsec-tools.orig/Makefile 2017-02-16 12:56:17.995652000 +0300 >+++ ipsec-tools/Makefile 2017-02-16 13:07:55.477587000 +0300 >@@ -8,7 +8,7 @@ > > PORTNAME= ipsec-tools > PORTVERSION= 0.8.2 >-PORTREVISION= 1 >+PORTREVISION= 2 > CATEGORIES= security > MASTER_SITES= SF > >@@ -62,7 +62,7 @@ > DPD_CONFIGURE_ENABLE= dpd > NATTF_VARS= NATT=yes > NATTF_VARS_OFF= NATT=kernel >-NATT_CONFIGURE_ON= --enable-natt=${NATT} >+NATT_CONFIGURE_ON= --enable-natt=${NATT} --enable-natt-versions=rfc > NATT_CONFIGURE_OFF= --disable-natt > FRAG_CONFIGURE_ENABLE= frag > HYBRID_CONFIGURE_ENABLE=hybrid >@@ -79,6 +79,7 @@ > RC5_CONFIGURE_ENABLE= rc5 > IDEA_CONFIGURE_ENABLE= idea > WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff >+NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff > > post-patch: > @${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=180110">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 217131
:
180038
| 180110