
[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon Check nat_traversal confi...



details:   https://anonhg.NetBSD.org/src/rev/a818a890e224
branches:  trunk
changeset: 747075:a818a890e224
user:      tteras <tteras%NetBSD.org@localhost>
date:      Tue Sep 01 12:22:09 2009 +0000

description:
Check nat_traversal configuration from remote configuration candidates
when acting as responder. Enable NAT-T if any of the remote candidates
have NAT-T enabled.

diffstat:

 crypto/dist/ipsec-tools/src/racoon/nattraversal.c |  21 ++++++++++++++++++++-
 crypto/dist/ipsec-tools/src/racoon/racoon.conf.5  |   5 ++++-
 crypto/dist/ipsec-tools/src/racoon/vendorid.c     |   5 ++---
 3 files changed, 26 insertions(+), 5 deletions(-)

diffs (76 lines):

diff -r 69654702e02a -r a818a890e224 crypto/dist/ipsec-tools/src/racoon/nattraversal.c
--- a/crypto/dist/ipsec-tools/src/racoon/nattraversal.c Tue Sep 01 09:49:59 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/nattraversal.c Tue Sep 01 12:22:09 2009 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: nattraversal.c,v 1.12 2009/07/03 06:41:46 tteras Exp $ */
+/*     $NetBSD: nattraversal.c,v 1.13 2009/09/01 12:22:09 tteras Exp $ */
 
 /*
  * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -308,9 +308,28 @@
        natt_keepalive_add_ph1 (iph1);
 }
 
+static int
+natt_is_enabled (struct remoteconf *rmconf, void *args)
+{
+  if (rmconf->nat_traversal)
+    return 1;
+  return 0;
+}
+
 void
 natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric)
 {
+  if (iph1->rmconf == NULL) {
+    /* Check if any candidate remote conf allows nat-t */
+    struct rmconfselector rmconf;
+    rmconf_selector_from_ph1(&rmconf, iph1);
+    if (enumrmconf(&rmconf, natt_is_enabled, NULL) == 0)
+      return;
+  } else {
+    if (!iph1->rmconf->nat_traversal)
+      return;
+  }
+
   if (! iph1->natt_options)
     iph1->natt_options = racoon_calloc (1, sizeof (*iph1->natt_options));
 
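Review bot: The new `rmconf == NULL` branch enables NAT-T processing for a phase 1 whose remote configuration has not yet been selected, as soon as any candidate permits it, and nothing in this hunk re-checks `nat_traversal` against the configuration that is eventually chosen; whether a later step does so is outside the hunk, so a comment pinning that expectation would help the next reader: `/* Permissive by design: the final rmconf must re-validate nat_traversal once it is selected. */`. The `args` parameter of `natt_is_enabled` is never read, so an explicit `(void)args;` at the top of its body documents that it exists only to satisfy the enumrmconf callback signature and silences -Wunused-parameter. The callback also deserves a one-line comment stating what its return value means to `enumrmconf`, since the `== 0` test on the caller's side presumably relies on that contract and it is not visible here. `natt_handle_vendorid` continues past the end of the hunk.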
diff -r 69654702e02a -r a818a890e224 crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5  Tue Sep 01 09:49:59 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5  Tue Sep 01 12:22:09 2009 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: racoon.conf.5,v 1.57 2009/09/01 09:24:21 tteras Exp $
+.\"    $NetBSD: racoon.conf.5,v 1.58 2009/09/01 12:22:09 tteras Exp $
 .\"
 .\"    Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -420,6 +420,9 @@
 parameter specifies whether or not remote block matches.
 .El
 .Pp
+Similarly, NAT-T is enabled if any of the initial remote configuration
+candidates allow NAT-T.
+.Pp
 Sections with
 .Ic inherit Ar parent
 statements (where
diff -r 69654702e02a -r a818a890e224 crypto/dist/ipsec-tools/src/racoon/vendorid.c
--- a/crypto/dist/ipsec-tools/src/racoon/vendorid.c     Tue Sep 01 09:49:59 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/vendorid.c     Tue Sep 01 12:22:09 2009 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vendorid.c,v 1.7 2009/03/12 10:57:26 tteras Exp $      */
+/*     $NetBSD: vendorid.c,v 1.8 2009/09/01 12:22:09 tteras Exp $      */
 
 /* Id: vendorid.c,v 1.10 2006/02/22 16:10:21 vanhu Exp */
 
@@ -260,8 +260,7 @@
        iph1->vendorid_mask |= BIT(vid_numeric);
 
 #ifdef ENABLE_NATT
-       if ((iph1->rmconf == NULL || iph1->rmconf->nat_traversal) &&
-           natt_vendorid(vid_numeric))
+       if (natt_vendorid(vid_numeric))
                natt_handle_vendorid(iph1, vid_numeric);
 #endif
 #ifdef ENABLE_HYBRID
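Review bot: Dropping the `rmconf->nat_traversal` test here leaves the `ENABLE_NATT` block looking as if any NAT-T vendor ID is honoured unconditionally, because the policy check now lives in the callee; a short comment at the call site would keep that readable, e.g. `/* nat_traversal policy is enforced inside natt_handle_vendorid() */`. The enclosing function starts and ends outside the hunk.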


