Author: bz
Date: Sat Aug 16 13:55:44 2014
New Revision: 270053
URL: http://svnweb.freebsd.org/changeset/base/270053

Log:
  MFC r266606:
  
   Only do a ports check if this is a NAT-T SA.  Otherwise other
   lookups providing ports may get unexpected results.

Modified:
  stable/10/sys/netipsec/key.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netipsec/key.c
==============================================================================
--- stable/10/sys/netipsec/key.c        Sat Aug 16 13:53:05 2014        
(r270052)
+++ stable/10/sys/netipsec/key.c        Sat Aug 16 13:55:44 2014        
(r270053)
@@ -1085,7 +1085,9 @@ key_allocsa(
        struct secasvar *sav;
        u_int stateidx, arraysize, state;
        const u_int *saorder_state_valid;
-       int chkport;
+#ifdef IPSEC_NAT_T
+       int natt_chkport;
+#endif
 
        IPSEC_ASSERT(dst != NULL, ("null dst address"));
 
@@ -1093,11 +1095,9 @@ key_allocsa(
                printf("DP %s from %s:%u\n", __func__, where, tag));
 
 #ifdef IPSEC_NAT_T
-        chkport = (dst->sa.sa_family == AF_INET &&
+        natt_chkport = (dst->sa.sa_family == AF_INET &&
            dst->sa.sa_len == sizeof(struct sockaddr_in) &&
            dst->sin.sin_port != 0);
-#else
-       chkport = 0;
 #endif
 
        /*
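Review bot: The renamed `natt_chkport` computation on the `+` line still turns on port matching only for an `AF_INET` dst whose `sa_len` equals `sizeof(struct sockaddr_in)`, so an `AF_INET6` dst carrying a non-zero port never has its port compared even if the candidate SA has `natt_type` set. That is presumably intended if this tree only supports NAT-T over IPv4, but nothing in the hunk says so; a one-line comment above the assignment, `/* NAT-T port matching is only done for IPv4 destinations. */`, would make the limitation explicit for the next reader. The enclosing function key_allocsa starts before this hunk.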
@@ -1115,6 +1115,8 @@ key_allocsa(
                arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
        }
        LIST_FOREACH(sah, &V_sahtree, chain) {
+               int checkport;
+
                /* search valid state */
                for (stateidx = 0; stateidx < arraysize; stateidx++) {
                        state = saorder_state_valid[stateidx];
@@ -1129,13 +1131,25 @@ key_allocsa(
                                        continue;
                                if (spi != sav->spi)
                                        continue;
+                               checkport = 0;
+#ifdef IPSEC_NAT_T
+                               /*
+                                * Really only check ports when this is a NAT-T
+                                * SA.  Otherwise other lookups providing ports
+                                * might suffer.
+                                */
+                               if (sav->natt_type && natt_chkport)
+                                       checkport = 1;
+#endif
 #if 0  /* don't check src */
                                /* check src address */
-                               if (key_sockaddrcmp(&src->sa, 
&sav->sah->saidx.src.sa, chkport) != 0)
+                               if (key_sockaddrcmp(&src->sa,   
+                                   &sav->sah->saidx.src.sa, checkport) != 0)
                                        continue;
 #endif
                                /* check dst address */
-                               if (key_sockaddrcmp(&dst->sa, 
&sav->sah->saidx.dst.sa, chkport) != 0)
+                               if (key_sockaddrcmp(&dst->sa,
+                                   &sav->sah->saidx.dst.sa, checkport) != 0)
                                        continue;
                                sa_addref(sav);
                                goto done;
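Review bot: The new `checkport = 0;` followed by the `#ifdef IPSEC_NAT_T` conditional overwrite gives the variable two assignment sites per iteration; it reads more clearly as one expression, `checkport = (sav->natt_type != 0 && natt_chkport);` under the `#ifdef`, with `checkport = 0;` moved to an `#else` branch, so the non-NAT-T value is visibly the fallback rather than a default that may be overwritten. The added comment "Otherwise other lookups providing ports might suffer" is vaguer than the log message; something like `/* Only compare ports for NAT-T SAs; a caller that fills in a port must still match SAs whose saidx carries none. */` states the actual consequence (inferred from the commit log, worth confirming). The two lines rewritten inside `#if 0 /* don't check src */` are dead code, so that part of the hunk only changes formatting, and the `+` line for `&src->sa,` appears to carry trailing whitespace unless that is a mail artifact. key_allocsa continues past this hunk, including the `done:` label the `goto` targets.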