ports/100814: [PATCH] security/vpnc - add NAT keepalive capability
Daniel Roethlisberger
daniel at roe.ch
Tue Jul 25 18:50:38 UTC 2006
>Number: 100814
>Category: ports
>Synopsis: [PATCH] security/vpnc - add NAT keepalive capability
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 25 18:50:12 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Daniel Roethlisberger
>Release: FreeBSD 6.1-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD marvin.roe 6.1-RELEASE-p1 FreeBSD 6.1-RELEASE-p1 #3: Wed Jun 7 23:57:16 CEST 2006 root at marvin.roe:/usr/obj/usr/src/sys/IBMTPX40 i386
>Description:
Add files/patch-tunip.c
This patch gives vpnc NAT keepalive capability as per RFC 3947. It will make
vpnc automatically send NAT keepalives if UDP encapsulation is used, which will
prevent NAT mappings from timing out on NAT routers.
A similar patch has been pending for upstream inclusion since January, so I
think it makes sense to at least give FreeBSD users a more NAT-T compliant
vpnc. Upstream developers don't seem to be actively working on vpnc at the
moment.
>How-To-Repeat:
>Fix:
--- vpnc-0.3.3_2-nat-keepalives.diff begins here ---
diff -ruN vpnc.bak/Makefile vpnc/Makefile
--- vpnc.bak/Makefile Sat May 13 06:15:18 2006
+++ vpnc/Makefile Tue Jul 25 20:16:06 2006
@@ -7,7 +7,7 @@
PORTNAME= vpnc
PORTVERSION= 0.3.3
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= security
MASTER_SITES= http://www.unix-ag.uni-kl.de/~massar/vpnc/
diff -ruN vpnc.bak/files/patch-tunip.c vpnc/files/patch-tunip.c
--- vpnc.bak/files/patch-tunip.c Thu Jan 1 01:00:00 1970
+++ vpnc/files/patch-tunip.c Tue Jul 25 20:11:13 2006
@@ -0,0 +1,48 @@
+Index: tunip.c
+===================================================================
+--- tunip.c (revision 67)
++++ tunip.c (working copy)
+@@ -3,6 +3,7 @@
+ Copyright (C) 2002 Geoffrey Keating
+ Copyright (C) 2003-2005 Maurice Massar
+ Copyright (C) 2004 Tomas Mraz
++ Copyright (C) 2006 Daniel Roethlisberger
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -776,7 +777,16 @@
+ {
+ int sock;
+ struct pollfd pollfds[2];
++ int enable_keepalives;
++ int poll_timeout;
+
++ /* non-esp marker, nat keepalive payload (0xFF) */
++ char keepalive[5] = { 0x00, 0x00, 0x00, 0x00, 0xFF };
++
++ /* send keepalives if UDP encapsulation is enabled */
++ enable_keepalives = !strcmp(meth->name, "udpesp");
++ poll_timeout = enable_keepalives ? 20000 : -1;
++
+ pollfds[0].fd = tun_fd;
+ pollfds[0].events = POLLIN;
+ pollfds[1].fd = encap_get_fd(meth);
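Review bot: the keepalive buffer in this hunk is declared `char keepalive[5]`, and on i386 (the submitter's platform) plain `char` is signed, so the `0xFF` initializer does not fit and relies on an implementation-defined conversion that compilers warn about; `static const unsigned char keepalive[] = { 0x00, 0x00, 0x00, 0x00, 0xFF };` avoids that and also makes the constant read-only. The `20000` timeout deserves a named constant with a comment saying where the interval comes from. Also, RFC 3948 section 2.3 defines the NAT-keepalive as a single 0xFF octet with no 4-byte non-ESP marker in front of it, so the comment should state which encapsulation the `udpesp` method implements and why the 5-byte framing is what its peer expects; a plain RFC 3948 NAT-T peer would parse this frame as an IKE datagram with a one-byte body rather than as a keepalive.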
+@@ -786,8 +796,16 @@
+ int presult;
+
+ do {
+- presult = poll(pollfds, sizeof(pollfds) / sizeof(pollfds[0]), -1);
+- } while (presult == -1 && errno == EINTR && !do_kill);
++ presult = poll(pollfds, sizeof(pollfds) / sizeof(pollfds[0]), poll_timeout);
++ if (presult == 0 && enable_keepalives) {
++ /* send nat keepalive packet */
++ if(sendto(meth->fd, keepalive, sizeof(keepalive), 0,
++ (struct sockaddr*)&peer->remote_sa->dest,
++ sizeof(peer->remote_sa->dest)) == -1) {
++ syslog(LOG_ERR, "sendto: %m");
++ }
++ }
++ } while ((presult == 0 || (presult == -1 && errno == EINTR)) && !do_kill);
+ if (presult == -1) {
+ syslog(LOG_ERR, "poll: %m");
+ continue;
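Review bot: the keepalive is sent on `meth->fd` while the descriptor polled at `pollfds[1]` is obtained through `encap_get_fd(meth)`; using the accessor in both places keeps the two from drifting apart if the encapsulation method ever stops keeping its socket in `fd`. The loop logic itself holds up: the `sendto` branch runs only when `presult == 0`, so it cannot clobber the `errno` examined in the `presult == -1 && errno == EINTR` term, and `!do_kill` still ends the loop on a shutdown request. Because `poll()` restarts its timer on every call, a keepalive goes out only after 20 s with no activity on either descriptor, which is the right behaviour for a keepalive (it should only fill gaps in real traffic); inbound-only traffic on the UDP socket also suppresses it, which is acceptable since that traffic traverses the same NAT mapping.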
--- vpnc-0.3.3_2-nat-keepalives.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
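The description above says keepalives are needed so that a NAT router keeps its UDP mapping open; the receiving side of that traffic has to tell a keepalive apart from IKE and ESP sharing the same UDP port. The following is an added example, not code from the PR or from vpnc, of how an RFC 3948 receiver classifies a UDP-encapsulated datagram so that keepalives can be counted and dropped instead of being handed to the ESP input path. It assumes the RFC 3948 framing (four-byte all-zero non-ESP marker for IKE, non-zero SPI for ESP, a single 0xFF octet for the keepalive) and treats the five-byte marker-plus-0xFF frame the patch sends as its own class so the difference is visible; the sample datagrams are constructed, not captured traffic, and the 28-byte ISAKMP header length is used only as a minimum size check.

```c
/*
 * Added example (not part of the PR or of vpnc): classify the payload of a
 * UDP datagram received on the NAT-T port the way an RFC 3948 receiver does.
 *
 *   NAT-keepalive : exactly one octet, 0xFF (RFC 3948 section 2.3)
 *   IKE           : 4-byte non-ESP marker (all zero) followed by an ISAKMP header
 *   ESP           : SPI at offset 0, which is never zero
 *
 * The marker + 0xFF frame sent by the vpnc patch is reported as a separate
 * class so a reader can see that it is not the RFC 3948 keepalive.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum udp_encap_class {
    ENCAP_EMPTY,            /* zero-length datagram, nothing to do */
    ENCAP_NAT_KEEPALIVE,    /* RFC 3948 keepalive: a single 0xFF octet */
    ENCAP_ESP,              /* ESP: first four bytes are a non-zero SPI */
    ENCAP_IKE,              /* non-ESP marker followed by an IKE header */
    ENCAP_MARKER_KEEPALIVE, /* marker followed by one 0xFF: the patch's frame */
    ENCAP_MALFORMED         /* runt, marker without a body, ... */
};

#define ISAKMP_HEADER_LEN 28  /* fixed ISAKMP header size, used as a minimum */

/* Classify one datagram payload of length len. Uses uint8_t throughout, so
 * the 0xFF comparison does not depend on whether plain char is signed. */
enum udp_encap_class classify_udp_encap(const uint8_t *buf, size_t len)
{
    static const uint8_t non_esp_marker[4] = { 0x00, 0x00, 0x00, 0x00 };

    if (len == 0)
        return ENCAP_EMPTY;
    if (len == 1)
        return buf[0] == 0xFF ? ENCAP_NAT_KEEPALIVE : ENCAP_MALFORMED;
    if (len < sizeof non_esp_marker)
        return ENCAP_MALFORMED;
    /* SPI 0 is reserved, so four zero bytes can only be the non-ESP marker. */
    if (memcmp(buf, non_esp_marker, sizeof non_esp_marker) != 0)
        return ENCAP_ESP;
    if (len == sizeof non_esp_marker + 1 && buf[4] == 0xFF)
        return ENCAP_MARKER_KEEPALIVE;
    if (len < sizeof non_esp_marker + ISAKMP_HEADER_LEN)
        return ENCAP_MALFORMED;
    return ENCAP_IKE;
}

struct encap_stats {
    unsigned keepalive;   /* RFC 3948 keepalives seen */
    unsigned patch_style; /* marker + 0xFF frames seen */
    unsigned ike, esp, other;
};

/* Run the classifier over a batch of datagrams and tally the classes. */
struct encap_stats count_udp_encap(const uint8_t *const pkts[], const size_t lens[], size_t n)
{
    struct encap_stats s = { 0, 0, 0, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        switch (classify_udp_encap(pkts[i], lens[i])) {
        case ENCAP_NAT_KEEPALIVE:    s.keepalive++;   break;
        case ENCAP_MARKER_KEEPALIVE: s.patch_style++; break;
        case ENCAP_IKE:              s.ike++;         break;
        case ENCAP_ESP:              s.esp++;         break;
        default:                     s.other++;       break;
        }
    }
    return s;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t sample_keepalive[]   = { 0xFF };
static const uint8_t sample_patch_frame[] = { 0x00, 0x00, 0x00, 0x00, 0xFF };
static const uint8_t sample_esp[]         = { 0xC0, 0xFF, 0xEE, 0x01, 0x00, 0x00, 0x00, 0x07 };
static const uint8_t sample_ike[4 + ISAKMP_HEADER_LEN] = { 0 }; /* marker + zeroed header */

/* Classify a fixed constructed batch: 2 keepalives, 2 ESP, 1 IKE, 1 patch frame. */
struct encap_stats run_sample(void)
{
    const uint8_t *const pkts[] = { sample_esp, sample_keepalive, sample_esp,
                                    sample_ike, sample_patch_frame, sample_keepalive };
    const size_t lens[] = { sizeof sample_esp, sizeof sample_keepalive, sizeof sample_esp,
                            sizeof sample_ike, sizeof sample_patch_frame, sizeof sample_keepalive };
    return count_udp_encap(pkts, lens, sizeof lens / sizeof lens[0]);
}

int main(void)
{
    struct encap_stats s = run_sample();
    printf("keepalive=%u patch_style=%u ike=%u esp=%u other=%u\n",
           s.keepalive, s.patch_style, s.ike, s.esp, s.other);
    return 0;
}
```

A receiver that counts `ENCAP_NAT_KEEPALIVE` separately gets a cheap health signal: a tunnel that is idle but alive shows a steady trickle of keepalives, while a burst of `ENCAP_MALFORMED` on the NAT-T port is worth logging.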