ports/184545: OpenBGPd fails to initiate TCP MD5 sig connexions
Antoine Beaupré
anarcat at koumbit.org
Fri Dec 6 16:20:03 UTC 2013
>Number: 184545
>Category: ports
>Synopsis: OpenBGPd fails to initiate TCP MD5 sig connexions
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 06 16:20:02 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Antoine Beaupré
>Release: FreeBSD 9.1
>Organization:
Koumbit
>Environment:
FreeBSD rtr0.koumbit.net 9.1-RELEASE-p7 FreeBSD 9.1-RELEASE-p7 #0: Mon Sep 9 21:34:37 UTC 2013 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
This stems from a discussion that started here:
http://lists.freebsd.org/pipermail/freebsd-net/2013-November/037133.html
Basically, the FreeBSD port of OpenBGPd doesn't support MD5 passwords, although it is possible to hack your way around it. The workaround is to add SPD policies with setkey, but then it doesn't work when initiating connexions.
This was also reported here first:
http://lists.freebsd.org/pipermail/freebsd-net/2012-January/030921.html
>How-To-Repeat:
Configure two FreeBSD OpenBGPd routers and set an IPsec policy as follows:
add -n 38.104.152.101 38.104.152.102 tcp 0x1000 -A tcp-md5 "[...]";
add -n 38.104.152.102 38.104.152.101 tcp 0x1000 -A tcp-md5 "[...]";
and with the following kernel config:
options IPSEC #IP security
options TCP_SIGNATURE
device crypto
options DEVICE_POLLING
device carp
It will work with netcat:
nc -v -S 10.0.0.2 179
... but not with OpenBGPd.
>Fix:
The fix is to use pfSense's OpenBGPd port. I built a patch (attached) that merges the two ports, keeping the best of both.
Patch attached with submission follows:
diff --git a/Makefile b/Makefile
old mode 100644
new mode 100755
index d39d87d..5c0513a
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,5 @@
-# $FreeBSD: net/openbgpd/Makefile 330656 2013-10-17 16:47:58Z ohauer $
+# Created by: Florent Thoumie <flz at FreeBSD.org>
+# $FreeBSD: ports/net/openbgpd/Makefile,v 1.35 2012/12/24 12:56:29 svnexp Exp $
PORTNAME= openbgpd
PORTVERSION= 5.2.20121209
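Review bot: The svn-expanded `$FreeBSD$` line is replaced by the pre-svn CVS-export form (`+# $FreeBSD: ports/net/openbgpd/Makefile,v 1.35 2012/12/24 12:56:29 svnexp Exp $`), which the ports tree's keyword expansion no longer maintains; the existing `# $FreeBSD$`-style line should be kept and only the functional changes carried. The two following hunks appear to have the same root cause: `NO_STAGE= yes`, `MANCOMPRESSED= yes`, the `MAN5=`/`MAN8=` lists and the man pages dropped from `PLIST_FILES` roll the port back from the staged, PLIST-listed layout the tree already uses to the older pfSense-era framework. Since the behavioural fix lives in files/patch-bgpd_pfkey.c and files/patch-bgpd_session.c, the Makefile hunks could be dropped and the patch rebased onto the current port skeleton.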
@@ -8,6 +9,7 @@ MASTER_SITE_SUBDIR= OpenBGPD
DISTNAME= ${PORTNAME}-4.6
EXTRACT_SUFX= .tgz
DIST_SUBDIR= ${PORTNAME}
+NO_STAGE= yes
MAINTAINER= hrs at FreeBSD.org
COMMENT= Free implementation of the Border Gateway Protocol, Version 4
@@ -15,13 +17,16 @@ COMMENT= Free implementation of the Border Gateway Protocol, Version 4
CONFLICTS= zebra-[0-9]* quagga-[0-9]*
WRKSRC= ${WRKDIR}
+MANCOMPRESSED= yes
USE_RC_SUBR= ${PORTNAME}
-PLIST_FILES= sbin/bgpctl sbin/bgpd man/man5/bgpd.conf.5.gz \
- man/man8/bgpctl.8.gz man/man8/bgpd.8.gz
+PLIST_FILES= sbin/bgpctl sbin/bgpd
SUB_FILES= pkg-message
USERS= _bgpd
GROUPS= _bgpd
+MAN5= bgpd.conf.5
+MAN8= bgpctl.8 bgpd.8
+
OPTIONS_DEFINE= IPV6LLPEER
OPTIONS_DEFAULT=IPV6LLPEER
IPV6LLPEER_DESC=Support nexthop using IPv6 link-local address
diff --git a/files/openbgpd.in b/files/openbgpd.in
index f1b904e..fc6642e 100644
--- a/files/openbgpd.in
+++ b/files/openbgpd.in
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# $FreeBSD: net/openbgpd/files/openbgpd.in 302141 2012-08-05 23:19:36Z dougb $
+# $FreeBSD: ports/net/openbgpd/files/openbgpd.in,v 1.2 2012/11/17 06:00:08 svnexp Exp $
#
# PROVIDE: bgpd
diff --git a/files/patch-bgpd_Makefile b/files/patch-bgpd_Makefile
index f946c92..fc27014 100644
--- a/files/patch-bgpd_Makefile
+++ b/files/patch-bgpd_Makefile
@@ -1,11 +1,5 @@
-Index: bgpd/Makefile
-===================================================================
-RCS file: /home/cvs/private/hrs/openbgpd/bgpd/Makefile,v
-retrieving revision 1.1.1.2
-retrieving revision 1.9
-diff -u -p -r1.1.1.2 -r1.9
---- bgpd/Makefile 9 Jul 2009 16:49:54 -0000 1.1.1.2
-+++ bgpd/Makefile 13 Oct 2012 18:36:00 -0000 1.9
+--- bgpd/Makefile.orig 2013-02-21 19:20:05.000000000 +0000
++++ bgpd/Makefile 2013-02-21 19:20:54.000000000 +0000
@@ -1,15 +1,25 @@
# $OpenBSD: Makefile,v 1.28 2009/06/25 14:14:54 deraadt Exp $
@@ -17,9 +11,8 @@ diff -u -p -r1.1.1.2 -r1.9
-SRCS= bgpd.c buffer.c session.c log.c parse.y config.c imsg.c \
+SRCS= bgpd.c session.c log.c parse.y config.c \
rde.c rde_rib.c rde_decide.c rde_prefix.c mrt.c kroute.c \
-- control.c pfkey.c rde_update.c rde_attr.c printconf.c \
+ control.c pfkey.c rde_update.c rde_attr.c printconf.c \
- rde_filter.c pftable.c name2id.c util.c carp.c timer.c
-+ control.c pfkey_compat.c rde_update.c rde_attr.c printconf.c \
+ rde_filter.c pftable.c name2id.c util.c carp.c timer.c \
+ imsg.c imsg-buffer.c
CFLAGS+= -Wall -I${.CURDIR}
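Review bot: The SRCS list switches from `pfkey_compat.c` back to `pfkey.c` (`-+ control.c pfkey_compat.c ...` becomes `+ control.c pfkey.c ...`), so the compat shim is no longer compiled; if the port still ships a pfkey_compat source or a patch for it, it becomes dead weight and should be removed with this change — I cannot see the rest of files/ from here. The continuation-line whitespace in this hunk also looks mangled in this rendering, so regenerating files/patch-bgpd_Makefile with `diff -u` against a clean extraction would make it reviewable and reliably applicable.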
diff --git a/files/patch-bgpd_pfkey.c b/files/patch-bgpd_pfkey.c
index 7ad7548..224298f 100644
--- a/files/patch-bgpd_pfkey.c
+++ b/files/patch-bgpd_pfkey.c
@@ -1,26 +1,41 @@
-Index: bgpd/pfkey.c
-===================================================================
-RCS file: /home/cvs/private/hrs/openbgpd/bgpd/pfkey.c,v
-retrieving revision 1.1.1.6
-retrieving revision 1.1.1.9
-diff -u -p -r1.1.1.6 -r1.1.1.9
---- bgpd/pfkey.c 14 Feb 2010 20:19:57 -0000 1.1.1.6
-+++ bgpd/pfkey.c 13 Oct 2012 18:22:44 -0000 1.1.1.9
+diff -ur bgpd.orig/pfkey.c bgpd/pfkey.c
+--- bgpd.orig/pfkey.c 2013-03-15 12:07:16.000000000 +0000
++++ bgpd/pfkey.c 2013-03-15 12:07:47.000000000 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.37 2009/04/21 15:25:52 henning Exp $ */
+/* $OpenBSD: pfkey.c,v 1.40 2009/12/14 17:38:18 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning at openbsd.org>
-@@ -74,6 +74,7 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -21,7 +21,7 @@
+ #include <sys/socket.h>
+ #include <sys/uio.h>
+ #include <net/pfkeyv2.h>
+-#include <netinet/ip_ipsp.h>
++//#include <netinet/ip_ipsp.h>
+ #include <ctype.h>
+ #include <errno.h>
+ #include <limits.h>
+@@ -65,15 +65,15 @@
+ {
+ struct sadb_msg smsg;
+ struct sadb_sa sa;
+- struct sadb_address sa_src, sa_dst, sa_peer, sa_smask, sa_dmask;
++ struct sadb_address sa_src, sa_dst;
+ struct sadb_key sa_akey, sa_ekey;
+ struct sadb_spirange sa_spirange;
+- struct sadb_protocol sa_flowtype, sa_protocol;
+ struct iovec iov[IOV_CNT];
+ ssize_t n;
int len = 0;
int iov_cnt;
- struct sockaddr_storage ssrc, sdst, speer, smask, dmask;
+- struct sockaddr_storage ssrc, sdst, speer, smask, dmask;
++ struct sockaddr_storage ssrc, sdst, smask, dmask;
+ struct sockaddr *saptr;
if (!pid)
pid = getpid();
-@@ -81,22 +82,17 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -81,22 +81,17 @@
/* we need clean sockaddr... no ports set */
bzero(&ssrc, sizeof(ssrc));
bzero(&smask, sizeof(smask));
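Review bot: `++//#include <netinet/ip_ipsp.h>` comments the OpenBSD-only header out instead of deleting it; the only users of what it declares (`IPSP_DIRECTION_OUT`/`IPSP_DIRECTION_IN` in the flow code later in this file) end up under `#if 0`, so the include line should simply be dropped, or guarded with `#ifdef __OpenBSD__` if the patch is meant to stay applicable upstream. The inner `@@ -1,4 +1,4 @@` hunk only rewrites the `$OpenBSD: pfkey.c,v ...$` id string from 1.37 to 1.40; patching an RCS tag adds nothing functionally and makes the patch fail to apply against any other revision of the distfile, so it is better left out. `pfkey_send`'s body continues past the end of this hunk.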
@@ -49,7 +64,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
ssrc.ss_len = sizeof(struct sockaddr);
break;
default:
-@@ -107,22 +103,17 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -107,22 +102,17 @@
bzero(&sdst, sizeof(sdst));
bzero(&dmask, sizeof(dmask));
@@ -78,7 +93,84 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
sdst.ss_len = sizeof(struct sockaddr);
break;
default:
-@@ -220,8 +211,8 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -135,7 +125,7 @@
+ smsg.sadb_msg_version = PF_KEY_V2;
+ smsg.sadb_msg_seq = ++sadb_msg_seq;
+ smsg.sadb_msg_pid = pid;
+- smsg.sadb_msg_len = sizeof(smsg) / 8;
++ smsg.sadb_msg_len = PFKEY_UNIT64(sizeof(smsg));
+ smsg.sadb_msg_type = mtype;
+ smsg.sadb_msg_satype = satype;
+
+@@ -143,7 +133,7 @@
+ case SADB_GETSPI:
+ bzero(&sa_spirange, sizeof(sa_spirange));
+ sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+- sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8;
++ sa_spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(sa_spirange));
+ sa_spirange.sadb_spirange_min = 0x100;
+ sa_spirange.sadb_spirange_max = 0xffffffff;
+ sa_spirange.sadb_spirange_reserved = 0;
+@@ -153,11 +143,12 @@
+ case SADB_DELETE:
+ bzero(&sa, sizeof(sa));
+ sa.sadb_sa_exttype = SADB_EXT_SA;
+- sa.sadb_sa_len = sizeof(sa) / 8;
++ sa.sadb_sa_len = PFKEY_UNIT64(sizeof(sa));
+ sa.sadb_sa_replay = 0;
+ sa.sadb_sa_spi = spi;
+ sa.sadb_sa_state = SADB_SASTATE_MATURE;
+ break;
++#if 0
+ case SADB_X_ADDFLOW:
+ case SADB_X_DELFLOW:
+ bzero(&sa_flowtype, sizeof(sa_flowtype));
+@@ -172,35 +163,37 @@
+ sa_protocol.sadb_protocol_direction = 0;
+ sa_protocol.sadb_protocol_proto = 6;
+ break;
++#endif
+ }
+
+ bzero(&sa_src, sizeof(sa_src));
+ sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+- sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
++ sa_src.sadb_address_len = PFKEY_UNIT64(sizeof(sa_src) + ROUNDUP(ssrc.ss_len));
+
+ bzero(&sa_dst, sizeof(sa_dst));
+ sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+- sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
++ sa_dst.sadb_address_len = PFKEY_UNIT64(sizeof(sa_dst) + ROUNDUP(sdst.ss_len));
+
+ sa.sadb_sa_auth = aalg;
+- sa.sadb_sa_encrypt = SADB_X_EALG_AES; /* XXX */
++ sa.sadb_sa_encrypt = ealg; /* XXX */
+
+ switch (mtype) {
+ case SADB_ADD:
+ case SADB_UPDATE:
+ bzero(&sa_akey, sizeof(sa_akey));
+ sa_akey.sadb_key_exttype = SADB_EXT_KEY_AUTH;
+- sa_akey.sadb_key_len = (sizeof(sa_akey) +
+- ((alen + 7) / 8) * 8) / 8;
++ sa_akey.sadb_key_len = PFKEY_UNIT64(sizeof(sa_akey) +
++ (PFKEY_ALIGN8(alen)));
+ sa_akey.sadb_key_bits = 8 * alen;
+
+ bzero(&sa_ekey, sizeof(sa_ekey));
+ sa_ekey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+- sa_ekey.sadb_key_len = (sizeof(sa_ekey) +
+- ((elen + 7) / 8) * 8) / 8;
++ sa_ekey.sadb_key_len = PFKEY_UNIT64(sizeof(sa_ekey) +
++ (PFKEY_ALIGN8(elen)));
+ sa_ekey.sadb_key_bits = 8 * elen;
+
+ break;
++#if 0
+ case SADB_X_ADDFLOW:
+ case SADB_X_DELFLOW:
+ /* sa_peer always points to the remote machine */
+@@ -220,8 +213,8 @@
sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW;
bzero(&smask, sizeof(smask));
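Review bot: `sa.sadb_sa_encrypt = ealg; /* XXX */` keeps the `/* XXX */` marker that belonged to the hard-coded `SADB_X_EALG_AES` it replaces; now that the caller passes the algorithm explicitly the marker is misleading and should be removed. The `#if 0` regions around the `SADB_X_ADDFLOW`/`SADB_X_DELFLOW` cases (here and in the later hunks of this file) disable the flow code rather than remove it, while the variables that code uses (`sa_peer`, `sa_smask`, `sa_dmask`, `sa_flowtype`, `sa_protocol`, `speer`) are deleted in the first hunk, so the dead code can never be re-enabled without restoring those declarations too; deleting it outright, or wrapping the whole flow path in a single `#ifdef __OpenBSD__`, would be clearer. `pfkey_send` starts and ends outside this hunk.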
@@ -89,7 +181,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
smask.ss_len = sizeof(struct sockaddr_in);
smask.ss_family = AF_INET;
memset(&((struct sockaddr_in *)&smask)->sin_addr,
-@@ -233,7 +224,7 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -233,7 +226,7 @@
htons(0xffff);
}
break;
@@ -98,7 +190,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
smask.ss_len = sizeof(struct sockaddr_in6);
smask.ss_family = AF_INET6;
memset(&((struct sockaddr_in6 *)&smask)->sin6_addr,
-@@ -247,8 +238,8 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -247,8 +240,8 @@
break;
}
bzero(&dmask, sizeof(dmask));
@@ -109,7 +201,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
dmask.ss_len = sizeof(struct sockaddr_in);
dmask.ss_family = AF_INET;
memset(&((struct sockaddr_in *)&dmask)->sin_addr,
-@@ -260,7 +251,7 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -260,7 +253,7 @@
htons(0xffff);
}
break;
@@ -118,7 +210,57 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
dmask.ss_len = sizeof(struct sockaddr_in6);
dmask.ss_family = AF_INET6;
memset(&((struct sockaddr_in6 *)&dmask)->sin6_addr,
-@@ -411,6 +402,33 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -284,6 +277,7 @@
+ sa_dmask.sadb_address_len =
+ (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8;
+ break;
++#endif
+ }
+
+ iov_cnt = 0;
+@@ -310,6 +304,7 @@
+ smsg.sadb_msg_len += sa_spirange.sadb_spirange_len;
+ iov_cnt++;
+ break;
++#if 0
+ case SADB_X_ADDFLOW:
+ /* sa_peer always points to the remote machine */
+ iov[iov_cnt].iov_base = &sa_peer;
+@@ -351,6 +346,7 @@
+ smsg.sadb_msg_len += sa_dmask.sadb_address_len;
+ iov_cnt++;
+ break;
++#endif
+ }
+
+ /* dest addr */
+@@ -380,7 +376,7 @@
+ iov[iov_cnt].iov_len = sizeof(sa_akey);
+ iov_cnt++;
+ iov[iov_cnt].iov_base = akey;
+- iov[iov_cnt].iov_len = ((alen + 7) / 8) * 8;
++ iov[iov_cnt].iov_len = PFKEY_ALIGN8(alen);
+ smsg.sadb_msg_len += sa_akey.sadb_key_len;
+ iov_cnt++;
+ }
+@@ -390,14 +386,14 @@
+ iov[iov_cnt].iov_len = sizeof(sa_ekey);
+ iov_cnt++;
+ iov[iov_cnt].iov_base = ekey;
+- iov[iov_cnt].iov_len = ((elen + 7) / 8) * 8;
++ iov[iov_cnt].iov_len = PFKEY_ALIGN8(elen);
+ smsg.sadb_msg_len += sa_ekey.sadb_key_len;
+ iov_cnt++;
+ }
+ break;
+ }
+
+- len = smsg.sadb_msg_len * 8;
++ len = PFKEY_UNUNIT64(smsg.sadb_msg_len);
+ do {
+ n = writev(sd, iov, iov_cnt);
+ } while (n == -1 && (errno == EAGAIN || errno == EINTR));
+@@ -411,6 +407,33 @@
}
int
@@ -152,7 +294,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
pfkey_reply(int sd, u_int32_t *spip)
{
struct sadb_msg hdr, *msg;
-@@ -418,23 +436,13 @@ pfkey_reply(int sd, u_int32_t *spip)
+@@ -418,27 +441,17 @@
struct sadb_sa *sa;
u_int8_t *data;
ssize_t len;
@@ -161,10 +303,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
- for (;;) {
- if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) {
- log_warn("pfkey peek");
-+ do {
-+ rv = pfkey_read(sd, &hdr);
-+ if (rv == -1)
- return (-1);
+- return (-1);
- }
-
- if (hdr.sadb_msg_seq == sadb_msg_seq &&
@@ -174,14 +313,148 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
- /* not ours, discard */
- if (read(sd, &hdr, sizeof(hdr)) == -1) {
- log_warn("pfkey read");
-- return (-1);
++ do {
++ rv = pfkey_read(sd, &hdr);
++ if (rv == -1)
+ return (-1);
- }
- }
+ } while (rv);
if (hdr.sadb_msg_errno != 0) {
errno = hdr.sadb_msg_errno;
-@@ -730,11 +738,9 @@ pfkey_init(struct bgpd_sysdep *sysdep)
+- if (errno == ESRCH)
++ if (errno == ESRCH || errno == EEXIST)
+ return (0);
+ else {
+ log_warn("pfkey");
+@@ -486,13 +499,8 @@
+ pfkey_sa_add(struct bgpd_addr *src, struct bgpd_addr *dst, u_int8_t keylen,
+ char *key, u_int32_t *spi)
+ {
+- if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_GETSPI, 0,
+- src, dst, 0, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
+- return (-1);
+- if (pfkey_reply(fd, spi) < 0)
+- return (-1);
+- if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_UPDATE, 0,
+- src, dst, *spi, 0, keylen, key, 0, 0, NULL, 0, 0) < 0)
++ if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_ADD, 0,
++ src, dst, *spi, SADB_X_AALG_TCP_MD5, keylen, key, SADB_EALG_NONE, 0, NULL, 0, 0) < 0)
+ return (-1);
+ if (pfkey_reply(fd, NULL) < 0)
+ return (-1);
+@@ -503,7 +511,7 @@
+ pfkey_sa_remove(struct bgpd_addr *src, struct bgpd_addr *dst, u_int32_t *spi)
+ {
+ if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_DELETE, 0,
+- src, dst, *spi, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
++ src, dst, *spi, SADB_X_AALG_TCP_MD5, 0, NULL, 0, 0, NULL, 0, 0) < 0)
+ return (-1);
+ if (pfkey_reply(fd, NULL) < 0)
+ return (-1);
+@@ -511,37 +519,37 @@
+ return (0);
+ }
+
++#define TCP_SIG_SPI 0x1000
+ int
+ pfkey_md5sig_establish(struct peer *p)
+ {
+ sleep(1);
+
+- if (!p->auth.spi_out)
+- if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr,
+- p->conf.auth.md5key_len, p->conf.auth.md5key,
+- &p->auth.spi_out) == -1)
+- return (-1);
+- if (!p->auth.spi_in)
+- if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr,
+- p->conf.auth.md5key_len, p->conf.auth.md5key,
+- &p->auth.spi_in) == -1)
+- return (-1);
++ p->auth.spi_out = htonl(TCP_SIG_SPI);
++ if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr,
++ p->conf.auth.md5key_len, p->conf.auth.md5key,
++ &p->auth.spi_out) == -1)
++ return (-1);
++ p->auth.spi_in = htonl(TCP_SIG_SPI);
++ if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr,
++ p->conf.auth.md5key_len, p->conf.auth.md5key,
++ &p->auth.spi_out) == -1)
++ return (-1);
+
+ p->auth.established = 1;
+ return (0);
+ }
++#undef TCP_SIG_SPI
+
+ int
+ pfkey_md5sig_remove(struct peer *p)
+ {
+- if (p->auth.spi_out)
+- if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr,
+- &p->auth.spi_out) == -1)
+- return (-1);
+- if (p->auth.spi_in)
+- if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr,
+- &p->auth.spi_in) == -1)
+- return (-1);
++ if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr,
++ &p->auth.spi_out) == -1)
++ return (-1);
++ if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr,
++ &p->auth.spi_in) == -1)
++ return (-1);
+
+ p->auth.established = 0;
+ return (0);
+@@ -550,6 +558,7 @@
+ int
+ pfkey_ipsec_establish(struct peer *p)
+ {
++#if 0
+ uint8_t satype = SADB_SATYPE_ESP;
+
+ switch (p->auth.method) {
+@@ -621,6 +630,9 @@
+
+ p->auth.established = 1;
+ return (0);
++#else
++ return (-1);
++#endif
+ }
+
+ int
+@@ -660,6 +672,7 @@
+ break;
+ }
+
++#if 0
+ if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_OUT,
+ &p->auth.local_addr, &p->conf.remote_addr, 0, BGP_PORT) < 0)
+ return (-1);
+@@ -681,6 +694,7 @@
+ if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_IN,
+ &p->conf.remote_addr, &p->auth.local_addr, BGP_PORT, 0) < 0)
+ return (-1);
++#endif
+ if (pfkey_reply(fd, NULL) < 0)
+ return (-1);
+
+@@ -715,9 +729,7 @@
+ int
+ pfkey_remove(struct peer *p)
+ {
+- if (!p->auth.established)
+- return (0);
+- else if (p->auth.method == AUTH_MD5SIG)
++ if (p->auth.method == AUTH_MD5SIG)
+ return (pfkey_md5sig_remove(p));
+ else
+ return (pfkey_ipsec_remove(p));
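Review bot: Treating `EEXIST` as success in `pfkey_reply` (`if (errno == ESRCH || errno == EEXIST) return (0);`), combined with `pfkey_sa_add` now issuing `SADB_ADD` on the fixed SPI `TCP_SIG_SPI`, means that establishing a peer whose SA already exists in the kernel — for example if the MD5 key is changed and the SA is re-established without an intervening remove; I cannot see the caller from here — is reported as success while the kernel keeps the old key, so `pfkey_sa_add` should send `SADB_UPDATE` (or delete-then-add) or at least `log_warnx` the EEXIST so a stale key is visible. In `pfkey_md5sig_establish` the inbound SA is installed with `&p->auth.spi_out` while `pfkey_md5sig_remove` removes it with `&p->auth.spi_in`; this only works because both are set to `htonl(TCP_SIG_SPI)`, and the second `pfkey_sa_add` call should read `&p->auth.spi_in`. `pfkey_ipsec_establish` now returns -1 from the `#else` branch with no diagnostic, so a peer configured for IPsec authentication fails without saying why; a `log_warnx("ipsec authentication not supported in this build")` before the `return (-1)` would help operators. The `#define TCP_SIG_SPI 0x1000` / `#undef TCP_SIG_SPI` pair mid-file is better expressed as a single file-scope `static const u_int32_t` or a `#define` next to the other constants at the top of the file.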
+@@ -730,11 +742,9 @@
if (errno == EPROTONOSUPPORT) {
log_warnx("PF_KEY not available, disabling ipsec");
sysdep->no_pfkey = 1;
diff --git a/files/patch-bgpd_session.c b/files/patch-bgpd_session.c
index d043c44..66c05a9 100644
--- a/files/patch-bgpd_session.c
+++ b/files/patch-bgpd_session.c
@@ -123,7 +123,7 @@ diff -u -p -r1.1.1.8 -r1.13
+ int s;
+
+ /* Check if TCP_MD5SIG is supported. */
-+ s = socket(PF_LOCAL, SOCK_STREAM, 0);
++ s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+ if (s < 0)
+ fatal("socket open for TCP_MD5SIG check");
+ opt = TF_SIGNATURE;
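Review bot: The probe socket is now `socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)`, which is the right family for a TCP_MD5SIG `setsockopt` probe (a `PF_LOCAL` socket presumably never accepted the option, which would explain the earlier false negative), but failure to create it still goes to `fatal("socket open for TCP_MD5SIG check")`, so bgpd aborts at startup instead of reporting TCP-MD5 as unavailable; on a kernel without INET or inside a restricted jail, `log_warn` followed by treating the feature as unsupported would be the safer outcome. The enclosing function continues past the hunk; make sure `s` is closed once the option has been tested so the probe does not leak a descriptor.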
>Release-Note:
>Audit-Trail:
>Unformatted: