[src/trunk]: src/sys/net ipsecif(4) must not set port number to spidx even if...
details: https://anonhg.NetBSD.org/src/rev/ed164e459b5a
branches: trunk
changeset: 319291:ed164e459b5a
user: knakahara <knakahara%NetBSD.org@localhost>
date: Thu May 24 07:00:28 2018 +0000
description:
ipsecif(4) must not set a port number in spidx, even for NAT-T. Pointed out by ohishi@IIJ, thanks.
diffstat:
sys/net/if_ipsec.c | 17 +++++++++++++----
1 files changed, 13 insertions(+), 4 deletions(-)
diffs (50 lines):
diff -r 61cbe4c35a37 -r ed164e459b5a sys/net/if_ipsec.c
--- a/sys/net/if_ipsec.c Thu May 24 05:27:29 2018 +0000
+++ b/sys/net/if_ipsec.c Thu May 24 07:00:28 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: if_ipsec.c,v 1.13 2018/04/27 09:55:27 knakahara Exp $ */
+/* $NetBSD: if_ipsec.c,v 1.14 2018/05/24 07:00:28 knakahara Exp $ */
/*
* Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.13 2018/04/27 09:55:27 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.14 2018/05/24 07:00:28 knakahara Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -1574,13 +1574,18 @@
m_copyback(m, 0, sizeof(msg), &msg);
if_ipsec_add_mbuf(m, &xsrc, sizeof(xsrc));
- if_ipsec_add_mbuf_addr_port(m, src, sport, true);
+ /*
+ * secpolicy.spidx.{src, dst} must not be set port number,
+ * even if it is used for NAT-T.
+ */
+ if_ipsec_add_mbuf_addr_port(m, src, 0, true);
padlen = PFKEY_UNUNIT64(xsrc.sadb_address_len)
- (sizeof(xsrc) + PFKEY_ALIGN8(src->sa_len));
if_ipsec_add_pad(m, padlen);
if_ipsec_add_mbuf(m, &xdst, sizeof(xdst));
- if_ipsec_add_mbuf_addr_port(m, dst, dport, true);
+ /* ditto */
+ if_ipsec_add_mbuf_addr_port(m, dst, 0, true);
padlen = PFKEY_UNUNIT64(xdst.sadb_address_len)
- (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len));
if_ipsec_add_pad(m, padlen);
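Review bot: The comment added above the `if_ipsec_add_mbuf_addr_port(m, src, 0, true)` call reads awkwardly and does not say why a port-less spidx is wanted, and the `/* ditto */` on the dst call gives a later reader nothing to go on; suggest `/* secpolicy.spidx.{src, dst} must not carry a port number, even when the policy is used for NAT-T; the port belongs in the ipsecrequest saidx below. */` and, on the dst call, `/* same rule as for src: no port in spidx */`. The comment in the following hunk (`secpolicy.req->saidx.{src, dst} must be set port number`) has the same wording problem and would read better as `must carry the port number when NAT-T is in use`. Since the two call sites now intentionally differ (a literal 0 versus sport/dport with the same function and the same src/dst), cross-referencing the two comments guards against a later "fix" that makes them match again. The enclosing function starts before this hunk and continues past it, so I cannot confirm from here how sport and dport are derived; presumably they are 0 when NAT-T is not in use.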
@@ -1588,6 +1593,10 @@
if_ipsec_add_mbuf(m, &xpl, sizeof(xpl));
if (policy == IPSEC_POLICY_IPSEC) {
if_ipsec_add_mbuf(m, &xisr, sizeof(xisr));
+ /*
+ * secpolicy.req->saidx.{src, dst} must be set port number,
+ * when it is used for NAT-T.
+ */
if_ipsec_add_mbuf_addr_port(m, src, sport, false);
if_ipsec_add_mbuf_addr_port(m, dst, dport, false);
}