From nobody Mon Jun 05 08:35:59 2023 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QZRlM6TVdz4bLyP; Mon, 5 Jun 2023 08:35:59 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4QZRlM5l4Yz3wrV; Mon, 5 Jun 2023 08:35:59 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1685954159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=6Xw0DZ+kh/xlgMplJ8R4kER0gwMD/JjeuqHXuVvWDqo=; b=vxNdGKBBvt0ECGw7eyNLcxFWath2bLQpFErvYXWKiaegTjAcx2g4jswHDl305YsJWUknjf yWXIbUCg3e1Z/edbYtLs4fI2ZFHOa2W74N7MYAYT2jR4YGCQAL5C2+tbnEktS28hbUpeN0 jsKyiaoY0XdeWuEDfnjZK0SM/dTu6UpPkU7xo6l9kf2rfXNl4FF4NtY/pO+qoDC92Htzcn CWqwGS91B2WzArZa++YTxkvCFQLf50PjD0kMRNnhTwKxniBaXAHHdopZLVU8PxSzlkcEKa QaOF4wYQH2koSOTFnXLHTsAjkZIoFHR+B6AaZOxa9D8xkC5YMWHiOj8/bfIXsQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1685954159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=6Xw0DZ+kh/xlgMplJ8R4kER0gwMD/JjeuqHXuVvWDqo=; b=vCKWfuxTP7/P8hcKX8AuJ8//s0tI6pYoTOnTsssY5JIGDGd5JcD+ciuw35yuK7W7pj5FJm JFgMtOm6CzDLg1DQCghKJogIIZlcoGqXJvadhT2UWuTD4nAz94JUFtw7Unoy0DvAkVryBj 
fJSLyv8DbuIy+NiIidhFco5fm7VeRExuWClwH1ND01sCLOFmfAG2K1sc//ACzt2lhTaWST Wa7dIziPKoGHG8LBVt4i20tS0AbBkhesBVFDrJ8HTJNJ1MMyFXw6gzvXQI3AosqCOOV0az 4JGRHWuDhsF7YF93JHeyCsdCxkskz/clE3tE4e7eZHxr0KRaMydXZmQ2PLbpyw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1685954159; a=rsa-sha256; cv=none; b=KvorQ20l2of9NkYIS1jbGKhR54fqoY7NzH6hmzwMxk8GVI2cTmggcHD80q6dBSczROSkr5 yrSoxQkdDb6NQQYzU2Kc4p84ZtHPI6mWO+pM+n4tNSUpskgPQQM1RL1zyxnVbZgmZc0DNp wnrp6SSvISUNQ5k7kYPg6Bb1PA8G5Qilmhjk+sT7jBRYQujWhkvibJXUjVRRcNsU+R/s8C 9MzhcOaHpyGYKlIOVzQRu4crb3KzqClrD8jZFjt48jBMeNhYV0ALnlqMi5JlMatmrD2nOb s6Yrof4BXx4J/Bo/piP2vi6x4PIBQGZG+Vk7/4EJIFzgIYxKhI77MurpcTqyWg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4QZRlM4BCGzgMN; Mon, 5 Jun 2023 08:35:59 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 3558Zx6d024306; Mon, 5 Jun 2023 08:35:59 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 3558Zxls024305; Mon, 5 Jun 2023 08:35:59 GMT (envelope-from git) Date: Mon, 5 Jun 2023 08:35:59 GMT Message-Id: <202306050835.3558Zxls024305@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Konstantin Belousov
Subject: git: 447af6361cec - stable/13 - setkey(8): NAT-T manual configuration support
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kib
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 447af6361cec48b2d6e5955e7b2284620cb50ece
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N
The branch stable/13 has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=447af6361cec48b2d6e5955e7b2284620cb50ece
commit 447af6361cec48b2d6e5955e7b2284620cb50ece
Author: Konstantin Belousov
AuthorDate: 2023-05-25 10:41:15 +0000
Commit: Konstantin Belousov
CommitDate: 2023-06-05 08:35:00 +0000
setkey(8): NAT-T manual configuration support
(cherry picked from commit 2fa1b8617fdf68d0043efb7ae7c524702afba27c)
---
 sbin/setkey/parse.y | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 sbin/setkey/token.l | 2 ++
 2 files changed, 88 insertions(+), 1 deletion(-)
diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index d279546fada6..8e4866e7e848 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -43,6 +43,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -64,6 +65,10 @@ u_int32_t p_reqid;
 u_int p_key_enc_len, p_key_auth_len;
 caddr_t p_key_enc, p_key_auth;
 time_t p_lt_hard, p_lt_soft;
+u_int p_natt_type;
+struct addrinfo *p_natt_oai, *p_natt_oar;
+int p_natt_sport, p_natt_dport;
+int p_natt_fraglen;
 static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
@@ -110,7 +115,7 @@ extern void yyerror(const char *);
 /* SPD management */
 %token SPDADD SPDDELETE SPDDUMP SPDFLUSH
 %token F_POLICY PL_REQUESTS
-%token F_AIFLAGS
+%token F_AIFLAGS F_NATT F_NATT_MTU
 %token TAGGED
 %type prefix protocol_spec upper_spec
@@ -521,6 +526,20 @@ extension
 }
 | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
 | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
+ | F_NATT ipaddr BLCL DECSTRING ELCL ipaddr BLCL DECSTRING ELCL
+ {
+ p_natt_type = UDP_ENCAP_ESPINUDP;
+ p_natt_oai = $2;
+ p_natt_oar = $6;
+ if (p_natt_oai == NULL || p_natt_oar == NULL)
+ return (-1);
+ p_natt_sport = $4;
+ p_natt_dport = $8;
+ }
+ | F_NATT_MTU DECSTRING
+ {
+ p_natt_fraglen = $2;
+ }
 ;
 /* definition about command for SPD management */
@@ -1019,6 +1038,9 @@ setkeymsg_add(unsigned type, unsigned satype, struct addrinfo *srcs,
 struct sadb_address m_addr;
 struct sadb_x_sa_replay m_replay;
 struct addrinfo *s, *d;
+ struct sadb_x_nat_t_type m_natt_type;
+ struct sadb_x_nat_t_port m_natt_port;
+ struct sadb_x_nat_t_frag m_natt_frag;
 int n;
 int plen;
 struct sockaddr *sa;
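Review bot: The F_NATT action assigns `$4` and `$8` to p_natt_sport/p_natt_dport and the F_NATT_MTU action assigns `$2` to p_natt_fraglen with no range check, yet the ports are later passed through htons() and the MTU is stored into sadb_x_nat_t_frag_fraglen, so a DECSTRING above 65535 is silently truncated rather than rejected. The action already bails out with `return (-1)` for a missing address, and yyerror() is declared in this file (it is the context line of the -110 hunk), so the same path fits: `if ($4 < 0 || $4 > 65535 || $8 < 0 || $8 > 65535) { yyerror("NAT-T port out of range"); return (-1); }` before the two port assignments, with a matching bound check in the F_NATT_MTU action. If DECSTRING carries an unsigned value here the `< 0` halves can be dropped. The enclosing `extension` rule starts outside the hunk.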
@@ -1128,6 +1150,64 @@ setkeymsg_add(unsigned type, unsigned satype, struct addrinfo *srcs,
 memcpy(buf + l, &m_replay, len);
 l += len;
 }
+
+ if (p_natt_type != 0) {
+ len = sizeof(m_natt_type);
+ memset(&m_natt_type, 0, sizeof(m_natt_type));
+ m_natt_type.sadb_x_nat_t_type_len = PFKEY_UNIT64(len);
+ m_natt_type.sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+ m_natt_type.sadb_x_nat_t_type_type = p_natt_type;
+ memcpy(buf + l, &m_natt_type, len);
+ l += len;
+
+ memset(&m_addr, 0, sizeof(m_addr));
+ m_addr.sadb_address_exttype = SADB_X_EXT_NAT_T_OAI;
+ sa = p_natt_oai->ai_addr;
+ salen = p_natt_oai->ai_addr->sa_len;
+ m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
+ PFKEY_ALIGN8(salen));
+ m_addr.sadb_address_prefixlen = setkeymsg_plen(p_natt_oai);
+ setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
+ sizeof(m_addr), (caddr_t)sa, salen);
+
+ len = sizeof(m_natt_port);
+ memset(&m_natt_port, 0, sizeof(m_natt_port));
+ m_natt_port.sadb_x_nat_t_port_len = PFKEY_UNIT64(len);
+ m_natt_port.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+ m_natt_port.sadb_x_nat_t_port_port = htons(p_natt_sport);
+ memcpy(buf + l, &m_natt_port, len);
+ l += len;
+
+ memset(&m_addr, 0, sizeof(m_addr));
+ m_addr.sadb_address_exttype = SADB_X_EXT_NAT_T_OAR;
+ sa = p_natt_oar->ai_addr;
+ salen = p_natt_oar->ai_addr->sa_len;
+ m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
+ PFKEY_ALIGN8(salen));
+ m_addr.sadb_address_prefixlen = setkeymsg_plen(p_natt_oar);
+ setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
+ sizeof(m_addr), (caddr_t)sa, salen);
+
+ len = sizeof(m_natt_port);
+ memset(&m_natt_port, 0, sizeof(m_natt_port));
+ m_natt_port.sadb_x_nat_t_port_len = PFKEY_UNIT64(len);
+ m_natt_port.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+ m_natt_port.sadb_x_nat_t_port_port = htons(p_natt_dport);
+ memcpy(buf + l, &m_natt_port, len);
+ l += len;
+
+ if (p_natt_fraglen != -1) {
+ len = sizeof(m_natt_frag);
+ memset(&m_natt_port, 0, sizeof(m_natt_frag));
+ m_natt_frag.sadb_x_nat_t_frag_len = PFKEY_UNIT64(len);
+ m_natt_frag.sadb_x_nat_t_frag_exttype =
+ SADB_X_EXT_NAT_T_FRAG;
+ m_natt_frag.sadb_x_nat_t_frag_fraglen = p_natt_fraglen;
+ memcpy(buf + l, &m_natt_frag, len);
+ l += len;
+ }
+ }
+
 l0 = l;
 n = 0;
@@ -1271,6 +1351,11 @@ parse_init(void)
 p_aiflags = 0;
 p_aifamily = PF_UNSPEC;
+
+ p_natt_type = 0;
+ p_natt_oai = p_natt_oar = NULL;
+ p_natt_sport = p_natt_dport = 0;
+ p_natt_fraglen = -1;
 }
 void
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
index 180493d76b05..f5ccb4297d33 100644
--- a/sbin/setkey/token.l
+++ b/sbin/setkey/token.l
@@ -184,6 +184,8 @@ nocyclic-seq { return(NOCYCLICSEQ); }
 {hyphen}r { return(F_REPLAY); }
 {hyphen}lh { return(F_LIFETIME_HARD); }
 {hyphen}ls { return(F_LIFETIME_SOFT); }
+{hyphen}natt { return(F_NATT); }
+{hyphen}natt_mtu { return(F_NATT_MTU); }
 /* ... */
 any { return(ANY); }
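Review bot: In the `p_natt_fraglen != -1` branch the memset targets the wrong object: `memset(&m_natt_port, 0, sizeof(m_natt_frag));` re-clears the port extension that has already been copied out (using the frag struct's size, which is only safe if the two structs happen to be the same size), while m_natt_frag, which is filled next and memcpy'd into the message, keeps whatever the stack held in any field or padding the three assignments do not write. That sends uninitialized stack bytes in the PF_KEY message handed to the kernel; the line should be `memset(&m_natt_frag, 0, sizeof(m_natt_frag));`. The OAI/SPORT and OAR/DPORT sequences are otherwise line-for-line copies of each other and would be easier to keep in sync as one static helper taking the two exttypes, the addrinfo and the port. setkeymsg_add starts and ends outside this hunk.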