svn commit: r339533 - head/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Sun Oct 21 14:19:17 UTC 2018
Author: ae
Date: Sun Oct 21 14:19:16 2018
New Revision: 339533
URL: https://svnweb.freebsd.org/changeset/base/339533
Log:
Add sadb_x_sa2 extension to SADB_ACQUIRE requests.
SADB_ACQUIRE requests are send by kernel, when security policy doesn't
have corresponding security association for outbound packet. IKE daemon
usually registers its handler for such messages and when the kernel asks
for SA it can handle this request. Now such requests will contain
additional fields that can help IKE daemon to create SA. And IKE now
can create SAs using only information from SADB_ACQUIRE request, this
is useful when many if_ipsec(4) interfaces are in use and IKE doesn track
security policies that was installed by kernel.
Obtained from: Yandex LLC
MFC after: 3 weeks
Sponsored by: Yandex LLC
Modified:
head/sys/netipsec/key.c
Modified: head/sys/netipsec/key.c
==============================================================================
--- head/sys/netipsec/key.c Sun Oct 21 12:39:00 2018 (r339532)
+++ head/sys/netipsec/key.c Sun Oct 21 14:19:16 2018 (r339533)
@@ -6685,7 +6685,9 @@ key_acquire(const struct secasindex *saidx, struct sec
/* XXX proxy address (optional) */
- /* set sadb_x_policy */
+ /*
+ * Set sadb_x_policy. This is KAME extension to RFC2367.
+ */
if (sp != NULL) {
m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id,
sp->priority);
@@ -6696,6 +6698,18 @@ key_acquire(const struct secasindex *saidx, struct sec
m_cat(result, m);
}
+ /*
+ * Set sadb_x_sa2 extension if saidx->reqid is not zero.
+ * This is FreeBSD extension to RFC2367.
+ */
+ if (saidx->reqid != 0) {
+ m = key_setsadbxsa2(saidx->mode, 0, saidx->reqid);
+ if (m == NULL) {
+ error = ENOBUFS;
+ goto fail;
+ }
+ m_cat(result, m);
+ }
/* XXX identity (optional) */
#if 0
if (idexttype && fqdn) {
More information about the svn-src-head
mailing list