svn commit: r266606 - head/sys/netipsec
Bjoern A. Zeeb
bz at FreeBSD.org
Sat May 24 09:29:24 UTC 2014
Author: bz
Date: Sat May 24 09:29:23 2014
New Revision: 266606
URL: http://svnweb.freebsd.org/changeset/base/266606
Log:
Only do a ports check if this is a NAT-T SA. Otherwise other
lookups providing ports may get unexpected results.
MFC After: 2 weeks
Modified:
head/sys/netipsec/key.c
Modified: head/sys/netipsec/key.c
==============================================================================
--- head/sys/netipsec/key.c Sat May 24 06:05:21 2014 (r266605)
+++ head/sys/netipsec/key.c Sat May 24 09:29:23 2014 (r266606)
@@ -1086,7 +1086,9 @@ key_allocsa(
struct secasvar *sav;
u_int stateidx, arraysize, state;
const u_int *saorder_state_valid;
- int chkport;
+#ifdef IPSEC_NAT_T
+ int natt_chkport;
+#endif
IPSEC_ASSERT(dst != NULL, ("null dst address"));
@@ -1094,11 +1096,9 @@ key_allocsa(
printf("DP %s from %s:%u\n", __func__, where, tag));
#ifdef IPSEC_NAT_T
- chkport = (dst->sa.sa_family == AF_INET &&
+ natt_chkport = (dst->sa.sa_family == AF_INET &&
dst->sa.sa_len == sizeof(struct sockaddr_in) &&
dst->sin.sin_port != 0);
-#else
- chkport = 0;
#endif
/*
@@ -1116,6 +1116,8 @@ key_allocsa(
arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
}
LIST_FOREACH(sah, &V_sahtree, chain) {
+ int checkport;
+
/* search valid state */
for (stateidx = 0; stateidx < arraysize; stateidx++) {
state = saorder_state_valid[stateidx];
@@ -1130,13 +1132,25 @@ key_allocsa(
continue;
if (spi != sav->spi)
continue;
+ checkport = 0;
+#ifdef IPSEC_NAT_T
+ /*
+ * Really only check ports when this is a NAT-T
+ * SA. Otherwise other lookups providing ports
+ * might suffer.
+ */
+ if (sav->natt_type && natt_chkport)
+ checkport = 1;
+#endif
#if 0 /* don't check src */
/* check src address */
- if (key_sockaddrcmp(&src->sa, &sav->sah->saidx.src.sa, chkport) != 0)
+ if (key_sockaddrcmp(&src->sa,
+ &sav->sah->saidx.src.sa, checkport) != 0)
continue;
#endif
/* check dst address */
- if (key_sockaddrcmp(&dst->sa, &sav->sah->saidx.dst.sa, chkport) != 0)
+ if (key_sockaddrcmp(&dst->sa,
+ &sav->sah->saidx.dst.sa, checkport) != 0)
continue;
sa_addref(sav);
goto done;
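Review bot: The new comment above the `checkport` assignment says other lookups "might suffer" but does not state the actual rule the code now implements, which is the security-relevant part of this change: for an SA without `natt_type`, any port carried in the lookup's `dst` (and `src`, were the `#if 0` block enabled) is ignored and only address and SPI select the SA. I would reword it to something like `/* Only NAT-T SAs carry a meaningful port in saidx; for any other SA the port in the lookup address is ignored and only address + SPI must match. */` so a reader does not have to recover the intent from the log message. A smaller style point: `checkport` is declared at the top of the `LIST_FOREACH` body (previous hunk) but only ever assigned here after the SPI match, so declaring it at this point, `int checkport = 0;`, would keep the declaration next to its single use and drop the separate zeroing line; in non-`IPSEC_NAT_T` builds it is then a plain constant 0 passed to `key_sockaddrcmp`. key_allocsa continues outside the hunk.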