author | Eugene Grosbein <eugen@FreeBSD.org> | 2017-04-18 14:36:08 +0000 |
---|---|---|
committer | Eugene Grosbein <eugen@FreeBSD.org> | 2017-04-18 14:36:08 +0000 |
commit | f6007b9495116c3f7919f33734643168d6ec9c81 (patch) | |
tree | 29b2bd6dc8d50ac8a2dd23dff6e038fa5b31301d /security/ipsec-tools | |
parent | 04ddda36a5efdabfe7d55176bf027446f9a08509 (diff) | |
This patch adds NATT_EXTRA_PATCHES=natt.diff and enables only UDP encapsulation defined in RFC3948.
The natt.diff patch contains the following changes:
* added support for SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages;
* used NAT address instead of original for SAs created by racoon;
* NAT-T keep-alives are now sent only by the NATed host.
Tested with 11.0-STABLE after projects/ipsec merge.
PR: 217131
Submitted by: Andrey V. Elsukov
Approved by: VANHULLEBUS Yvan (maintainer timeout, 2 months), vsevolod (mentor)
Notes:
svn path=/head/; revision=438782
Diffstat (limited to 'security/ipsec-tools')
-rw-r--r-- | security/ipsec-tools/Makefile | 7 | ||||
-rw-r--r-- | security/ipsec-tools/files/natt.diff | 153 |
2 files changed, 157 insertions, 3 deletions
diff --git a/security/ipsec-tools/Makefile b/security/ipsec-tools/Makefile
index 7771b5116906..b58924286398 100644
--- a/security/ipsec-tools/Makefile
+++ b/security/ipsec-tools/Makefile
@@ -8,7 +8,7 @@
 PORTNAME= ipsec-tools
 PORTVERSION= 0.8.2
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= security
 MASTER_SITES= SF
@@ -39,7 +39,7 @@ OPTIONS_DEFAULT= DEBUG DPD NATT FRAG HYBRID
 ADMINPORT_DESC= Enable Admin port
 STATS_DESC= Statistics logging function
 DPD_DESC= Dead Peer Detection
-NATT_DESC= NAT-Traversal (kernel-patch required)
+NATT_DESC= NAT-Traversal (kernel-patch required before 11.0-STABLE)
 NATTF_DESC= require NAT-Traversal (fail without kernel-patch)
 FRAG_DESC= IKE fragmentation payload support
 HYBRID_DESC= Hybrid, Xauth and Mode-cfg support
@@ -61,7 +61,7 @@ STATS_CONFIGURE_ENABLE= stats
 DPD_CONFIGURE_ENABLE= dpd
 NATTF_VARS= NATT=yes
 NATTF_VARS_OFF= NATT=kernel
-NATT_CONFIGURE_ON= --enable-natt=${NATT}
+NATT_CONFIGURE_ON= --enable-natt=${NATT} --enable-natt-versions=rfc
 NATT_CONFIGURE_OFF= --disable-natt
 FRAG_CONFIGURE_ENABLE= frag
 HYBRID_CONFIGURE_ENABLE=hybrid
@@ -78,6 +78,7 @@ SAUNSPEC_CONFIGURE_ENABLE= samode-unspec
 RC5_CONFIGURE_ENABLE= rc5
 IDEA_CONFIGURE_ENABLE= idea
 WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff
+NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff
 post-patch:
 @${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure
diff --git a/security/ipsec-tools/files/natt.diff b/security/ipsec-tools/files/natt.diff
new file mode 100644
index 000000000000..0b1c0c26938f
--- /dev/null
+++ b/security/ipsec-tools/files/natt.diff
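Review bot: The new `--enable-natt-versions=rfc` in NATT_CONFIGURE_ON narrows NAT-T to the RFC 3948 UDP encapsulation (as the commit message states), but the option text a user sees at config time, `NATT_DESC= NAT-Traversal (kernel-patch required before 11.0-STABLE)`, says nothing about it. Peers that only implement the pre-RFC draft NAT-T variants will presumably no longer negotiate UDP encapsulation with this build, which is the kind of interoperability regression an operator wants to see before enabling the option. Consider stating it in the description, e.g. `NATT_DESC= NAT-Traversal, RFC 3948 UDP encapsulation only (kernel-patch required before 11.0-STABLE)`, or in a pkg-message note.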
@@ -0,0 +1,153 @@ +--- src/libipsec/libpfkey.h ++++ src/libipsec/libpfkey.h +@@ -85,7 +85,7 @@ struct pfkey_send_sa_args { + u_int32_t seq; + u_int8_t l_natt_type; + u_int16_t l_natt_sport, l_natt_dport; +- struct sockaddr *l_natt_oa; ++ struct sockaddr *l_natt_oai, *l_natt_oar; + u_int16_t l_natt_frag; + u_int8_t ctxdoi, ctxalg; /* Security context DOI and algorithm */ + caddr_t ctxstr; /* Security context string */ +--- src/libipsec/pfkey.c ++++ src/libipsec/pfkey.c +@@ -1335,9 +1335,12 @@ pfkey_send_x1(struct pfkey_send_sa_args + len += sizeof(struct sadb_x_nat_t_type); + len += sizeof(struct sadb_x_nat_t_port); + len += sizeof(struct sadb_x_nat_t_port); +- if (sa_parms->l_natt_oa) ++ if (sa_parms->l_natt_oai) + len += sizeof(struct sadb_address) + +- PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)); ++ PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)); ++ if (sa_parms->l_natt_oar) ++ len += sizeof(struct sadb_address) + ++ PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)); + #ifdef SADB_X_EXT_NAT_T_FRAG + if (sa_parms->l_natt_frag) + len += sizeof(struct sadb_x_nat_t_frag); +@@ -1452,10 +1455,21 @@ pfkey_send_x1(struct pfkey_send_sa_args + return -1; + } + +- if (sa_parms->l_natt_oa) { +- p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA, +- sa_parms->l_natt_oa, +- (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)), ++ if (sa_parms->l_natt_oai) { ++ p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAI, ++ sa_parms->l_natt_oai, ++ (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)), ++ IPSEC_ULPROTO_ANY); ++ if (!p) { ++ free(newmsg); ++ return -1; ++ } ++ } ++ ++ if (sa_parms->l_natt_oar) { ++ p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAR, ++ sa_parms->l_natt_oar, ++ (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)), + IPSEC_ULPROTO_ANY); + if (!p) { + free(newmsg); +@@ -2034,7 +2048,8 @@ pfkey_align(struct sadb_msg *msg, caddr_ + case SADB_X_EXT_NAT_T_TYPE: + case SADB_X_EXT_NAT_T_SPORT: + case SADB_X_EXT_NAT_T_DPORT: +- case 
SADB_X_EXT_NAT_T_OA: ++ case SADB_X_EXT_NAT_T_OAI: ++ case SADB_X_EXT_NAT_T_OAR: + #endif + #ifdef SADB_X_EXT_TAG + case SADB_X_EXT_TAG: +@@ -2592,7 +2607,7 @@ pfkey_send_update_nat(int so, u_int saty + psaa.l_natt_type = l_natt_type; + psaa.l_natt_sport = l_natt_sport; + psaa.l_natt_dport = l_natt_dport; +- psaa.l_natt_oa = l_natt_oa; ++ psaa.l_natt_oar = l_natt_oa; + psaa.l_natt_frag = l_natt_frag; + + return pfkey_send_update2(&psaa); +@@ -2667,7 +2682,7 @@ pfkey_send_add_nat(int so, u_int satype, + psaa.l_natt_type = l_natt_type; + psaa.l_natt_sport = l_natt_sport; + psaa.l_natt_dport = l_natt_dport; +- psaa.l_natt_oa = l_natt_oa; ++ psaa.l_natt_oai = l_natt_oa; + psaa.l_natt_frag = l_natt_frag; + + return pfkey_send_add2(&psaa); +--- src/racoon/isakmp_quick.c ++++ src/racoon/isakmp_quick.c +@@ -2390,6 +2390,32 @@ get_proposal_r(iph2) + spidx.src.ss_family, spidx.dst.ss_family, + _XIDT(iph2->id_p),idi2type); + } ++#ifdef ENABLE_NATT ++ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { ++ u_int16_t port; ++ ++ port = extract_port(&spidx.src); ++ memcpy(&spidx.src, iph2->ph1->remote, ++ sysdep_sa_len(iph2->ph1->remote)); ++ set_port(&spidx.src, port); ++ switch (spidx.src.ss_family) { ++ case AF_INET: ++ spidx.prefs = sizeof(struct in_addr) << 3; ++ break; ++#ifdef INET6 ++ case AF_INET6: ++ spidx.prefs = sizeof(struct in6_addr) << 3; ++ break; ++#endif ++ default: ++ spidx.prefs = 0; ++ break; ++ } ++ plog(LLV_DEBUG, LOCATION, ++ NULL, "use NAT address %s as src\n", ++ saddr2str((struct sockaddr *)&spidx.src)); ++ } ++#endif + } else { + plog(LLV_DEBUG, LOCATION, NULL, + "get a source address of SP index from Phase 1" +--- src/racoon/nattraversal.c ++++ src/racoon/nattraversal.c +@@ -436,10 +436,7 @@ natt_keepalive_add_ph1 (struct ph1handle + { + int ret = 0; + +- /* Should only the NATed host send keepalives? +- If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)' +- to the following condition. 
*/ +- if (iph1->natt_flags & NAT_DETECTED && ++ if (iph1->natt_flags & NAT_DETECTED_ME && + ! (iph1->natt_flags & NAT_KA_QUEUED)) { + ret = natt_keepalive_add (iph1->local, iph1->remote); + if (ret == 0) +--- src/racoon/pfkey.c ++++ src/racoon/pfkey.c +@@ -1190,7 +1190,10 @@ pk_sendupdate(iph2) + sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type; + sa_args.l_natt_sport = extract_port(iph2->ph1->remote); + sa_args.l_natt_dport = extract_port(iph2->ph1->local); +- sa_args.l_natt_oa = iph2->natoa_src; ++ /* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */ ++ sa_args.l_natt_oai = iph2->natoa_dst; ++ /* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */ ++ sa_args.l_natt_oar = iph2->natoa_src; + #ifdef SADB_X_EXT_NAT_T_FRAG + sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag; + #endif +@@ -1477,7 +1480,6 @@ pk_sendadd(iph2) + sa_args.l_natt_type = UDP_ENCAP_ESPINUDP; + sa_args.l_natt_sport = extract_port(iph2->ph1->local); + sa_args.l_natt_dport = extract_port(iph2->ph1->remote); +- sa_args.l_natt_oa = iph2->natoa_dst; + #ifdef SADB_X_EXT_NAT_T_FRAG + sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag; + #endif |
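Review bot: In pk_sendupdate the two new lines `/* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */` and `/* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */` are commented-out guards, so `sa_args.l_natt_oai = iph2->natoa_dst;` and `sa_args.l_natt_oar = iph2->natoa_src;` run unconditionally and a reader cannot tell whether that is intended or a debugging leftover. It appears to rely on pfkey_send_x1 in libipsec only emitting an SADB_X_EXT_NAT_T_OAI/OAR extension when the pointer is non-NULL (the `if (sa_parms->l_natt_oai)` / `if (sa_parms->l_natt_oar)` checks earlier in this hunk), so either enable the guards or replace them with a comment such as `/* natoa_dst/natoa_src may be NULL; pfkey_send_x1() emits only the OA extensions that are set */`. The same hunk removes the OA from pk_sendadd entirely, so only the SADB_UPDATE (inbound) SA now carries original addresses — presumably because only the inbound decapsulation path needs them — and a one-line comment at the removal site would keep the next reader from treating it as an omission. Note also that libpfkey.h replaces the public field `l_natt_oa` with `l_natt_oai`/`l_natt_oar`, which grows struct pfkey_send_sa_args and breaks source compatibility for any other libipsec consumer built against the old header, so dependents of this port need rebuilding. pk_sendupdate and pk_sendadd both start outside the hunk.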