svn commit: r438782 - in head/security/ipsec-tools: . files

Eugene Grosbein eugen at FreeBSD.org
Tue Apr 18 14:36:09 UTC 2017


Author: eugen
Date: Tue Apr 18 14:36:08 2017
New Revision: 438782
URL: https://svnweb.freebsd.org/changeset/ports/438782

Log:
  This patch adds NATT_EXTRA_PATCHES=natt.diff and enables only UDP encapsulation defined in RFC3948.
  
  The natt.diff patch contains the following changes:
  * added support for SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages;
  * used NAT address instead of original for SAs created by racoon;
  * NAT-T keep-alives are now sent only by the NATed host.
  
  Tested with 11.0-STABLE after projects/ipsec merge.
  
  PR:		217131
  Submitted by:	Andrey V. Elsukov
  Approved by:	VANHULLEBUS Yvan (maintainer timeout, 2 months), vsevolod (mentor)

Added:
  head/security/ipsec-tools/files/natt.diff   (contents, props changed)
Modified:
  head/security/ipsec-tools/Makefile

Modified: head/security/ipsec-tools/Makefile
==============================================================================
--- head/security/ipsec-tools/Makefile	Tue Apr 18 14:31:32 2017	(r438781)
+++ head/security/ipsec-tools/Makefile	Tue Apr 18 14:36:08 2017	(r438782)
@@ -8,7 +8,7 @@
 
 PORTNAME=	ipsec-tools
 PORTVERSION=	0.8.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	SF
 
@@ -39,7 +39,7 @@ OPTIONS_DEFAULT=	DEBUG DPD NATT FRAG HYB
 ADMINPORT_DESC=	Enable Admin port
 STATS_DESC=	Statistics logging function
 DPD_DESC=	Dead Peer Detection
-NATT_DESC=	NAT-Traversal (kernel-patch required)
+NATT_DESC=	NAT-Traversal (kernel-patch required before 11.0-STABLE)
 NATTF_DESC=	require NAT-Traversal (fail without kernel-patch)
 FRAG_DESC=	IKE fragmentation payload support
 HYBRID_DESC=	Hybrid, Xauth and Mode-cfg support
@@ -61,7 +61,7 @@ STATS_CONFIGURE_ENABLE=	stats
 DPD_CONFIGURE_ENABLE=	dpd
 NATTF_VARS=		NATT=yes
 NATTF_VARS_OFF=		NATT=kernel
-NATT_CONFIGURE_ON=	--enable-natt=${NATT}
+NATT_CONFIGURE_ON=	--enable-natt=${NATT} --enable-natt-versions=rfc
 NATT_CONFIGURE_OFF=	--disable-natt
 FRAG_CONFIGURE_ENABLE=	frag
 HYBRID_CONFIGURE_ENABLE=hybrid
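Review bot: The new `--enable-natt-versions=rfc` in NATT_CONFIGURE_ON limits NAT-T negotiation to the RFC 3948 variant, which presumably means peers that only announce the earlier draft NAT-T versions will no longer negotiate NAT-T with this build, and nothing in the port tells the user so. The NATT_DESC line changed in the previous hunk only documents the kernel-patch requirement; suggest extending it, e.g. `NATT_DESC=	NAT-Traversal, RFC3948 only (kernel-patch required before 11.0-STABLE)`, or adding the interoperability caveat to pkg-message.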
@@ -78,6 +78,7 @@ SAUNSPEC_CONFIGURE_ENABLE=	samode-unspec
 RC5_CONFIGURE_ENABLE=		rc5
 IDEA_CONFIGURE_ENABLE=		idea
 WCPSKEY_EXTRA_PATCHES=		${FILESDIR}/wildcard-psk.diff
+NATT_EXTRA_PATCHES=		${FILESDIR}/natt.diff
 
 post-patch:
 	@${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure

Added: head/security/ipsec-tools/files/natt.diff
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/ipsec-tools/files/natt.diff	Tue Apr 18 14:36:08 2017	(r438782)
@@ -0,0 +1,153 @@
+--- src/libipsec/libpfkey.h
++++ src/libipsec/libpfkey.h
+@@ -85,7 +85,7 @@ struct pfkey_send_sa_args {
+ 	u_int32_t	seq;
+ 	u_int8_t	l_natt_type;
+ 	u_int16_t	l_natt_sport, l_natt_dport;
+-	struct sockaddr *l_natt_oa;
++	struct sockaddr *l_natt_oai, *l_natt_oar;
+ 	u_int16_t	l_natt_frag;
+ 	u_int8_t ctxdoi, ctxalg;	/* Security context DOI and algorithm */
+ 	caddr_t ctxstr;			/* Security context string */
+--- src/libipsec/pfkey.c
++++ src/libipsec/pfkey.c
+@@ -1335,9 +1335,12 @@ pfkey_send_x1(struct pfkey_send_sa_args 
+ 		len += sizeof(struct sadb_x_nat_t_type);
+ 		len += sizeof(struct sadb_x_nat_t_port);
+ 		len += sizeof(struct sadb_x_nat_t_port);
+-		if (sa_parms->l_natt_oa)
++		if (sa_parms->l_natt_oai)
+ 			len += sizeof(struct sadb_address) +
+-			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa));
++			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai));
++		if (sa_parms->l_natt_oar)
++			len += sizeof(struct sadb_address) +
++			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar));
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ 		if (sa_parms->l_natt_frag)
+ 			len += sizeof(struct sadb_x_nat_t_frag);
+@@ -1452,10 +1455,21 @@ pfkey_send_x1(struct pfkey_send_sa_args 
+ 			return -1;
+ 		}
+ 
+-		if (sa_parms->l_natt_oa) {
+-			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
+-					      sa_parms->l_natt_oa,
+-					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)),
++		if (sa_parms->l_natt_oai) {
++			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAI,
++					      sa_parms->l_natt_oai,
++					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)),
++					      IPSEC_ULPROTO_ANY);
++			if (!p) {
++				free(newmsg);
++				return -1;
++			}
++		}
++
++		if (sa_parms->l_natt_oar) {
++			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAR,
++					      sa_parms->l_natt_oar,
++					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)),
+ 					      IPSEC_ULPROTO_ANY);
+ 			if (!p) {
+ 				free(newmsg);
+@@ -2034,7 +2048,8 @@ pfkey_align(struct sadb_msg *msg, caddr_
+ 		case SADB_X_EXT_NAT_T_TYPE:
+ 		case SADB_X_EXT_NAT_T_SPORT:
+ 		case SADB_X_EXT_NAT_T_DPORT:
+-		case SADB_X_EXT_NAT_T_OA:
++		case SADB_X_EXT_NAT_T_OAI:
++		case SADB_X_EXT_NAT_T_OAR:
+ #endif
+ #ifdef SADB_X_EXT_TAG
+ 		case SADB_X_EXT_TAG:
+@@ -2592,7 +2607,7 @@ pfkey_send_update_nat(int so, u_int saty
+ 	psaa.l_natt_type = l_natt_type;
+ 	psaa.l_natt_sport = l_natt_sport;
+ 	psaa.l_natt_dport = l_natt_dport;
+-	psaa.l_natt_oa = l_natt_oa;
++	psaa.l_natt_oar = l_natt_oa;
+ 	psaa.l_natt_frag = l_natt_frag;
+ 
+ 	return pfkey_send_update2(&psaa);
+@@ -2667,7 +2682,7 @@ pfkey_send_add_nat(int so, u_int satype,
+ 	psaa.l_natt_type = l_natt_type;
+ 	psaa.l_natt_sport = l_natt_sport;
+ 	psaa.l_natt_dport = l_natt_dport;
+-	psaa.l_natt_oa = l_natt_oa;
++	psaa.l_natt_oai = l_natt_oa;
+ 	psaa.l_natt_frag = l_natt_frag;
+ 
+ 	return pfkey_send_add2(&psaa);
+--- src/racoon/isakmp_quick.c
++++ src/racoon/isakmp_quick.c
+@@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
+ 			     spidx.src.ss_family, spidx.dst.ss_family,
+ 			     _XIDT(iph2->id_p),idi2type);
+ 		}
++#ifdef ENABLE_NATT
++		if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
++			u_int16_t port;
++
++			port = extract_port(&spidx.src);
++			memcpy(&spidx.src, iph2->ph1->remote,
++			    sysdep_sa_len(iph2->ph1->remote));
++			set_port(&spidx.src, port);
++			switch (spidx.src.ss_family) {
++			case AF_INET:
++				spidx.prefs = sizeof(struct in_addr) << 3;
++				break;
++#ifdef INET6
++			case AF_INET6:
++				spidx.prefs = sizeof(struct in6_addr) << 3;
++				break;
++#endif
++			default:
++				spidx.prefs = 0;
++				break;
++			}
++			plog(LLV_DEBUG, LOCATION,
++				NULL, "use NAT address %s as src\n",
++				saddr2str((struct sockaddr *)&spidx.src));
++		}
++#endif
+ 	} else {
+ 		plog(LLV_DEBUG, LOCATION, NULL,
+ 		     "get a source address of SP index from Phase 1"
+--- src/racoon/nattraversal.c
++++ src/racoon/nattraversal.c
+@@ -436,10 +436,7 @@ natt_keepalive_add_ph1 (struct ph1handle
+ {
+   int ret = 0;
+   
+-  /* Should only the NATed host send keepalives?
+-     If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)'
+-     to the following condition. */
+-  if (iph1->natt_flags & NAT_DETECTED &&
++  if (iph1->natt_flags & NAT_DETECTED_ME &&
+       ! (iph1->natt_flags & NAT_KA_QUEUED)) {
+     ret = natt_keepalive_add (iph1->local, iph1->remote);
+     if (ret == 0)
+--- src/racoon/pfkey.c
++++ src/racoon/pfkey.c
+@@ -1190,7 +1190,10 @@ pk_sendupdate(iph2)
+ 			sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
+ 			sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
+ 			sa_args.l_natt_dport = extract_port(iph2->ph1->local);
+-			sa_args.l_natt_oa = iph2->natoa_src;
++			/* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */
++				sa_args.l_natt_oai = iph2->natoa_dst;
++			/* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */
++				sa_args.l_natt_oar = iph2->natoa_src;
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ 			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
+ #endif
+@@ -1477,7 +1480,6 @@ pk_sendadd(iph2)
+ 			sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
+ 			sa_args.l_natt_sport = extract_port(iph2->ph1->local);
+ 			sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
+-			sa_args.l_natt_oa = iph2->natoa_dst;
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ 			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
+ #endif
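Review bot: In the src/racoon/pfkey.c part of natt.diff (pk_sendupdate), the lines `/* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */` and `/* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */` are commented-out conditions whose indented assignments always execute, which reads as a half-finished change. Either enable the conditions or replace them with a comment explaining why unconditional assignment is acceptable, e.g. `/* natoa_src/natoa_dst are NULL unless a NAT-OA payload was received; pfkey_send_x1() omits the extension for a NULL address */`, and outdent the two assignments — the libpfkey hunk does show the NULL check, but whether natoa_* is NULL in the non-NAT case is not visible here. The matching pk_sendadd hunk removes `l_natt_oa` without setting either new field, so SADB_ADD carries no original address while SADB_UPDATE carries both; if that asymmetry is intended it deserves a one-line comment at the removal site. In the isakmp_quick.c hunk the NAT-address override also resets `spidx.prefs` to a full host prefix, discarding any subnet prefix derived from the peer's ID payload; a comment stating that only host selectors are expected behind NAT would make that deliberate. All of the patched functions (pfkey_send_x1, get_proposal_r, natt_keepalive_add_ph1, pk_sendupdate, pk_sendadd) start and end outside the quoted hunks.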

