authorEugene Grosbein <eugen@FreeBSD.org>2017-04-18 14:36:08 +0000
committerEugene Grosbein <eugen@FreeBSD.org>2017-04-18 14:36:08 +0000
commitf6007b9495116c3f7919f33734643168d6ec9c81 (patch)
tree29b2bd6dc8d50ac8a2dd23dff6e038fa5b31301d /security/ipsec-tools
parent04ddda36a5efdabfe7d55176bf027446f9a08509 (diff)
This patch adds NATT_EXTRA_PATCHES=natt.diff and enables only UDP encapsulation defined in RFC3948.
The natt.diff patch contains the following changes: * added support for SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages; * used the NAT address instead of the original one for SAs created by racoon; * NAT-T keep-alives are now sent only by the NATed host. Tested with 11.0-STABLE after projects/ipsec merge. PR: 217131 Submitted by: Andrey V. Elsukov Approved by: VANHULLEBUS Yvan (maintainer timeout, 2 months), vsevolod (mentor)
Notes
Notes: svn path=/head/; revision=438782
Diffstat (limited to 'security/ipsec-tools')
-rw-r--r--security/ipsec-tools/Makefile7
-rw-r--r--security/ipsec-tools/files/natt.diff153
2 files changed, 157 insertions, 3 deletions
diff --git a/security/ipsec-tools/Makefile b/security/ipsec-tools/Makefile
index 7771b5116906..b58924286398 100644
--- a/security/ipsec-tools/Makefile
+++ b/security/ipsec-tools/Makefile
@@ -8,7 +8,7 @@
PORTNAME= ipsec-tools
PORTVERSION= 0.8.2
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security
MASTER_SITES= SF
@@ -39,7 +39,7 @@ OPTIONS_DEFAULT= DEBUG DPD NATT FRAG HYBRID
ADMINPORT_DESC= Enable Admin port
STATS_DESC= Statistics logging function
DPD_DESC= Dead Peer Detection
-NATT_DESC= NAT-Traversal (kernel-patch required)
+NATT_DESC= NAT-Traversal (kernel-patch required before 11.0-STABLE)
NATTF_DESC= require NAT-Traversal (fail without kernel-patch)
FRAG_DESC= IKE fragmentation payload support
HYBRID_DESC= Hybrid, Xauth and Mode-cfg support
@@ -61,7 +61,7 @@ STATS_CONFIGURE_ENABLE= stats
DPD_CONFIGURE_ENABLE= dpd
NATTF_VARS= NATT=yes
NATTF_VARS_OFF= NATT=kernel
-NATT_CONFIGURE_ON= --enable-natt=${NATT}
+NATT_CONFIGURE_ON= --enable-natt=${NATT} --enable-natt-versions=rfc
NATT_CONFIGURE_OFF= --disable-natt
FRAG_CONFIGURE_ENABLE= frag
HYBRID_CONFIGURE_ENABLE=hybrid
@@ -78,6 +78,7 @@ SAUNSPEC_CONFIGURE_ENABLE= samode-unspec
RC5_CONFIGURE_ENABLE= rc5
IDEA_CONFIGURE_ENABLE= idea
WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff
+NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff
post-patch:
@${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure
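Review bot: `NATT_DESC` in the second hunk still mentions only the kernel-patch requirement, while the third hunk's `--enable-natt-versions=rfc` restricts NAT-T to the RFC 3947/3948 version (the commit message says as much), so peers that only offer the draft versions will presumably stop negotiating NAT-T after this update; the option text should say so, e.g. `NATT_DESC= NAT-Traversal, RFC versions only (kernel-patch required before 11.0-STABLE)`. `NATT_EXTRA_PATCHES` in the fourth hunk is applied only when the option is on, and the patch it names rewrites struct pfkey_send_sa_args in libpfkey.h, so if that header is installed with libipsec its layout now depends on the option; a short comment next to that line would save the next maintainer from discovering it by accident.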
diff --git a/security/ipsec-tools/files/natt.diff b/security/ipsec-tools/files/natt.diff
new file mode 100644
index 000000000000..0b1c0c26938f
--- /dev/null
+++ b/security/ipsec-tools/files/natt.diff
@@ -0,0 +1,153 @@
+--- src/libipsec/libpfkey.h
++++ src/libipsec/libpfkey.h
+@@ -85,7 +85,7 @@ struct pfkey_send_sa_args {
+ u_int32_t seq;
+ u_int8_t l_natt_type;
+ u_int16_t l_natt_sport, l_natt_dport;
+- struct sockaddr *l_natt_oa;
++ struct sockaddr *l_natt_oai, *l_natt_oar;
+ u_int16_t l_natt_frag;
+ u_int8_t ctxdoi, ctxalg; /* Security context DOI and algorithm */
+ caddr_t ctxstr; /* Security context string */
+--- src/libipsec/pfkey.c
++++ src/libipsec/pfkey.c
+@@ -1335,9 +1335,12 @@ pfkey_send_x1(struct pfkey_send_sa_args
+ len += sizeof(struct sadb_x_nat_t_type);
+ len += sizeof(struct sadb_x_nat_t_port);
+ len += sizeof(struct sadb_x_nat_t_port);
+- if (sa_parms->l_natt_oa)
++ if (sa_parms->l_natt_oai)
+ len += sizeof(struct sadb_address) +
+- PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa));
++ PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai));
++ if (sa_parms->l_natt_oar)
++ len += sizeof(struct sadb_address) +
++ PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar));
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ if (sa_parms->l_natt_frag)
+ len += sizeof(struct sadb_x_nat_t_frag);
+@@ -1452,10 +1455,21 @@ pfkey_send_x1(struct pfkey_send_sa_args
+ return -1;
+ }
+
+- if (sa_parms->l_natt_oa) {
+- p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
+- sa_parms->l_natt_oa,
+- (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)),
++ if (sa_parms->l_natt_oai) {
++ p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAI,
++ sa_parms->l_natt_oai,
++ (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)),
++ IPSEC_ULPROTO_ANY);
++ if (!p) {
++ free(newmsg);
++ return -1;
++ }
++ }
++
++ if (sa_parms->l_natt_oar) {
++ p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAR,
++ sa_parms->l_natt_oar,
++ (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)),
+ IPSEC_ULPROTO_ANY);
+ if (!p) {
+ free(newmsg);
+@@ -2034,7 +2048,8 @@ pfkey_align(struct sadb_msg *msg, caddr_
+ case SADB_X_EXT_NAT_T_TYPE:
+ case SADB_X_EXT_NAT_T_SPORT:
+ case SADB_X_EXT_NAT_T_DPORT:
+- case SADB_X_EXT_NAT_T_OA:
++ case SADB_X_EXT_NAT_T_OAI:
++ case SADB_X_EXT_NAT_T_OAR:
+ #endif
+ #ifdef SADB_X_EXT_TAG
+ case SADB_X_EXT_TAG:
+@@ -2592,7 +2607,7 @@ pfkey_send_update_nat(int so, u_int saty
+ psaa.l_natt_type = l_natt_type;
+ psaa.l_natt_sport = l_natt_sport;
+ psaa.l_natt_dport = l_natt_dport;
+- psaa.l_natt_oa = l_natt_oa;
++ psaa.l_natt_oar = l_natt_oa;
+ psaa.l_natt_frag = l_natt_frag;
+
+ return pfkey_send_update2(&psaa);
+@@ -2667,7 +2682,7 @@ pfkey_send_add_nat(int so, u_int satype,
+ psaa.l_natt_type = l_natt_type;
+ psaa.l_natt_sport = l_natt_sport;
+ psaa.l_natt_dport = l_natt_dport;
+- psaa.l_natt_oa = l_natt_oa;
++ psaa.l_natt_oai = l_natt_oa;
+ psaa.l_natt_frag = l_natt_frag;
+
+ return pfkey_send_add2(&psaa);
+--- src/racoon/isakmp_quick.c
++++ src/racoon/isakmp_quick.c
+@@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
+ spidx.src.ss_family, spidx.dst.ss_family,
+ _XIDT(iph2->id_p),idi2type);
+ }
++#ifdef ENABLE_NATT
++ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
++ u_int16_t port;
++
++ port = extract_port(&spidx.src);
++ memcpy(&spidx.src, iph2->ph1->remote,
++ sysdep_sa_len(iph2->ph1->remote));
++ set_port(&spidx.src, port);
++ switch (spidx.src.ss_family) {
++ case AF_INET:
++ spidx.prefs = sizeof(struct in_addr) << 3;
++ break;
++#ifdef INET6
++ case AF_INET6:
++ spidx.prefs = sizeof(struct in6_addr) << 3;
++ break;
++#endif
++ default:
++ spidx.prefs = 0;
++ break;
++ }
++ plog(LLV_DEBUG, LOCATION,
++ NULL, "use NAT address %s as src\n",
++ saddr2str((struct sockaddr *)&spidx.src));
++ }
++#endif
+ } else {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "get a source address of SP index from Phase 1"
+--- src/racoon/nattraversal.c
++++ src/racoon/nattraversal.c
+@@ -436,10 +436,7 @@ natt_keepalive_add_ph1 (struct ph1handle
+ {
+ int ret = 0;
+
+- /* Should only the NATed host send keepalives?
+- If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)'
+- to the following condition. */
+- if (iph1->natt_flags & NAT_DETECTED &&
++ if (iph1->natt_flags & NAT_DETECTED_ME &&
+ ! (iph1->natt_flags & NAT_KA_QUEUED)) {
+ ret = natt_keepalive_add (iph1->local, iph1->remote);
+ if (ret == 0)
+--- src/racoon/pfkey.c
++++ src/racoon/pfkey.c
+@@ -1190,7 +1190,10 @@ pk_sendupdate(iph2)
+ sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
+ sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
+ sa_args.l_natt_dport = extract_port(iph2->ph1->local);
+- sa_args.l_natt_oa = iph2->natoa_src;
++ /* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */
++ sa_args.l_natt_oai = iph2->natoa_dst;
++ /* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */
++ sa_args.l_natt_oar = iph2->natoa_src;
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
+ #endif
+@@ -1477,7 +1480,6 @@ pk_sendadd(iph2)
+ sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
+ sa_args.l_natt_sport = extract_port(iph2->ph1->local);
+ sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
+- sa_args.l_natt_oa = iph2->natoa_dst;
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
+ #endif
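Review bot: The two libipsec wrappers patched in pfkey.c map the same `l_natt_oa` argument to different extensions without saying why — `psaa.l_natt_oar = l_natt_oa;` in pfkey_send_update_nat but `psaa.l_natt_oai = l_natt_oa;` in pfkey_send_add_nat — and each assignment deserves a one-line comment naming whose original address (initiator or responder) the caller is expected to pass; both wrappers start outside their hunks. On the racoon side, pk_sendupdate now sets both OAI and OAR with its intended guards left as commented-out code (`/* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */`), while pk_sendadd drops its NAT-OA line entirely; either apply those guards or turn them into a prose comment, and note above the pk_sendadd hunk that only the inbound SA now carries the OA addresses. In pfkey_align the `case SADB_X_EXT_NAT_T_OA:` label is replaced outright by the OAI/OAR labels, so unless the enclosing `#ifdef` (outside the hunk) tests the new symbols, this patch will not compile against headers that define only the old one, which matters because the Makefile still advertises NAT-T with a kernel patch before 11.0-STABLE. The field rename in struct pfkey_send_sa_args is also a source-level API change for anything else built against libipsec's header, if it is installed, and is worth a line in the commit message.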