svn commit: r340527 - stable/12/sys/netipsec

Andrey V. Elsukov ae at FreeBSD.org
Sat Nov 17 23:54:20 UTC 2018


Author: ae
Date: Sat Nov 17 23:54:19 2018
New Revision: 340527
URL: https://svnweb.freebsd.org/changeset/base/340527

Log:
  MFC r339533:
    Add sadb_x_sa2 extension to SADB_ACQUIRE requests.
  
    SADB_ACQUIRE requests are sent by the kernel when a security policy doesn't
    have a corresponding security association for an outbound packet. An IKE daemon
    usually registers its handler for such messages and, when the kernel asks
    for an SA, it can handle this request. Now such requests will contain
    additional fields that can help the IKE daemon to create the SA. And IKE now
    can create SAs using only information from the SADB_ACQUIRE request; this
    is useful when many if_ipsec(4) interfaces are in use and IKE doesn't track
    security policies that were installed by the kernel.
  
    Obtained from:	Yandex LLC
    Sponsored by:	Yandex LLC

Modified:
  stable/12/sys/netipsec/key.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netipsec/key.c
==============================================================================
--- stable/12/sys/netipsec/key.c	Sat Nov 17 23:52:56 2018	(r340526)
+++ stable/12/sys/netipsec/key.c	Sat Nov 17 23:54:19 2018	(r340527)
@@ -6685,7 +6685,9 @@ key_acquire(const struct secasindex *saidx, struct sec
 
 	/* XXX proxy address (optional) */
 
-	/* set sadb_x_policy */
+	/*
+	 * Set sadb_x_policy. This is KAME extension to RFC2367.
+	 */
 	if (sp != NULL) {
 		m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id,
 		    sp->priority);
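Review bot: style nit in the expanded comment, "This is KAME extension to RFC2367" reads better as "This is a KAME extension to RFC 2367"; the comment in the following block uses the same phrasing, so it is worth fixing both consistently. No functional change in this hunk.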
@@ -6696,6 +6698,18 @@ key_acquire(const struct secasindex *saidx, struct sec
 		m_cat(result, m);
 	}
 
+	/*
+	 * Set sadb_x_sa2 extension if saidx->reqid is not zero.
+	 * This is FreeBSD extension to RFC2367.
+	 */
+	if (saidx->reqid != 0) {
+		m = key_setsadbxsa2(saidx->mode, 0, saidx->reqid);
+		if (m == NULL) {
+			error = ENOBUFS;
+			goto fail;
+		}
+		m_cat(result, m);
+	}
 	/* XXX identity (optional) */
 #if 0
 	if (idexttype && fqdn) {
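Review bot: the new sadb_x_sa2 extension is only emitted when saidx->reqid != 0, so an ACQUIRE for a policy without a reqid still carries no mode information even though saidx->mode is available and is equally useful to the IKE daemon; either emit the extension unconditionally (reqid 0 is a valid "no reqid" value in the extension) or state in the log message that the new fields appear only for reqid-based policies. Worth confirming as well that existing PF_KEY consumers that register for SADB_ACQUIRE tolerate an sadb_x_sa2 extension in that message type, since this is, as the comment says, a FreeBSD extension to RFC 2367. Minor style: add a blank line after the closing brace of the new block so it is separated from the "/* XXX identity (optional) */" comment the same way the sadb_x_policy block above it is.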
