svn commit: r266606 - head/sys/netipsec

Bjoern A. Zeeb bz at FreeBSD.org
Sat May 24 09:29:24 UTC 2014


Author: bz
Date: Sat May 24 09:29:23 2014
New Revision: 266606
URL: http://svnweb.freebsd.org/changeset/base/266606

Log:
  Only do a ports check if this is a NAT-T SA.  Otherwise other
  lookups providing ports may get unexpected results.
  
  MFC After:	2 weeks

Modified:
  head/sys/netipsec/key.c

Modified: head/sys/netipsec/key.c
==============================================================================
--- head/sys/netipsec/key.c	Sat May 24 06:05:21 2014	(r266605)
+++ head/sys/netipsec/key.c	Sat May 24 09:29:23 2014	(r266606)
@@ -1086,7 +1086,9 @@ key_allocsa(
 	struct secasvar *sav;
 	u_int stateidx, arraysize, state;
 	const u_int *saorder_state_valid;
-	int chkport;
+#ifdef IPSEC_NAT_T
+	int natt_chkport;
+#endif
 
 	IPSEC_ASSERT(dst != NULL, ("null dst address"));
 
@@ -1094,11 +1096,9 @@ key_allocsa(
 		printf("DP %s from %s:%u\n", __func__, where, tag));
 
 #ifdef IPSEC_NAT_T
-        chkport = (dst->sa.sa_family == AF_INET &&
+        natt_chkport = (dst->sa.sa_family == AF_INET &&
 	    dst->sa.sa_len == sizeof(struct sockaddr_in) &&
 	    dst->sin.sin_port != 0);
-#else
-	chkport = 0;
 #endif
 
 	/*
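Review bot: The renamed flag at `natt_chkport = (dst->sa.sa_family == AF_INET &&` can only ever be true for an AF_INET destination, so a lookup whose dst is AF_INET6 and carries a port is never port-matched, even against an SA flagged as NAT-T. If NAT-T in this file is IPv4-only by design, saying so here would stop the next reader from taking the absent AF_INET6 arm for an oversight; I would put `/* NAT-T port matching is only done for IPv4 destinations. */` above the assignment. The enclosing key_allocsa() begins before this hunk.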
@@ -1116,6 +1116,8 @@ key_allocsa(
 		arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
 	}
 	LIST_FOREACH(sah, &V_sahtree, chain) {
+		int checkport;
+
 		/* search valid state */
 		for (stateidx = 0; stateidx < arraysize; stateidx++) {
 			state = saorder_state_valid[stateidx];
@@ -1130,13 +1132,25 @@ key_allocsa(
 					continue;
 				if (spi != sav->spi)
 					continue;
+				checkport = 0;
+#ifdef IPSEC_NAT_T
+				/*
+				 * Really only check ports when this is a NAT-T
+				 * SA.  Otherwise other lookups providing ports
+				 * might suffer.
+				 */
+				if (sav->natt_type && natt_chkport)
+					checkport = 1;
+#endif
 #if 0	/* don't check src */
 				/* check src address */
-				if (key_sockaddrcmp(&src->sa, &sav->sah->saidx.src.sa, chkport) != 0)
+				if (key_sockaddrcmp(&src->sa,	
+				    &sav->sah->saidx.src.sa, checkport) != 0)
 					continue;
 #endif
 				/* check dst address */
-				if (key_sockaddrcmp(&dst->sa, &sav->sah->saidx.dst.sa, chkport) != 0)
+				if (key_sockaddrcmp(&dst->sa,
+				    &sav->sah->saidx.dst.sa, checkport) != 0)
 					continue;
 				sa_addref(sav);
 				goto done;
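Review bot: With the new condition `if (sav->natt_type && natt_chkport)` the port comparison depends on the caller as much as on the SA: whenever the caller passes a dst without a port (natt_chkport is 0), a NAT-T SA is matched on address and SPI alone, so two NAT-T SAs toward the same address and SPI that differ only in UDP port cannot be told apart by such a lookup and whichever one the search reaches first is returned. That appears to be the pre-change behaviour for the port-less case too, but now that the check is deliberately conditional it is worth stating at the check itself; I would extend the comment with `/* Port-less lookups match a NAT-T SA on address and SPI alone; callers needing peer disambiguation must pass the port in dst. */`. The enclosing key_allocsa() starts before this hunk and the `done:` label it jumps to lies after it.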

