Module Name: src Committed By: tteras Date: Tue Sep 1 12:22:09 UTC 2009
Modified Files: src/crypto/dist/ipsec-tools/src/racoon: nattraversal.c racoon.conf.5 vendorid.c Log Message: Check nat_traversal configuration from remote configuration candidates when acting as responder. Enable NAT-T if any of the remote candidates have NAT-T enabled. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 \ src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c cvs rdiff -u -r1.57 -r1.58 \ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/vendorid.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.12 src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.12 Fri Jul 3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c Tue Sep 1 12:22:09 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: nattraversal.c,v 1.12 2009/07/03 06:41:46 tteras Exp $ */
+/* $NetBSD: nattraversal.c,v 1.13 2009/09/01 12:22:09 tteras Exp $ */
 /*
 * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -308,9 +308,28 @@
 natt_keepalive_add_ph1 (iph1);
 }
+static int
+natt_is_enabled (struct remoteconf *rmconf, void *args)
+{
+ if (rmconf->nat_traversal)
+ return 1;
+ return 0;
+}
+
 void
 natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric)
 {
+ if (iph1->rmconf == NULL) {
+ /* Check if any candidate remote conf allows nat-t */
+ struct rmconfselector rmconf;
+ rmconf_selector_from_ph1(&rmconf, iph1);
+ if (enumrmconf(&rmconf, natt_is_enabled, NULL) == 0)
+ return;
+ } else {
+ if (!iph1->rmconf->nat_traversal)
+ return;
+ }
+ if (! iph1->natt_options)
+ iph1->natt_options = racoon_calloc (1, sizeof (*iph1->natt_options));
Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.57 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.58
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.57 Tue Sep 1 09:24:21 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Tue Sep 1 12:22:09 2009
@@ -1,4 +1,4 @@
-.\" $NetBSD: racoon.conf.5,v 1.57 2009/09/01 09:24:21 tteras Exp $
+.\" $NetBSD: racoon.conf.5,v 1.58 2009/09/01 12:22:09 tteras Exp $
 .\"
 .\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
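Review bot: In the responder branch of natt_handle_vendorid (the `iph1->rmconf == NULL` case) NAT-T is switched on as soon as any candidate remote configuration allows it, so a peer can be placed into NAT-T before the remote configuration that will actually govern the exchange has been selected; if the one eventually chosen has nat_traversal disabled, the already-allocated natt_options and the recorded vendor-ID state need to be reconsidered at that point or the stricter policy is bypassed — that selection happens outside this hunk, so please confirm it re-checks `rmconf->nat_traversal`. The local `struct rmconfselector rmconf` shares its name with the `iph1->rmconf` it stands in for; renaming it would read more clearly, e.g. `struct rmconfselector rsel;` and `rmconf_selector_from_ph1(&rsel, iph1);`. natt_is_enabled takes a `void *args` it never reads; a `(void)args;` line or a comment such as `/* args unused: present only to match the enumrmconf callback signature */` would document the callback contract. The test `enumrmconf(...) == 0` assumes enumrmconf returns non-zero once a callback returns 1, which this hunk does not show; a comment stating that expectation next to the call would help the next reader. natt_handle_vendorid continues past the end of the hunk.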
@@ -420,6 +420,9 @@
 parameter specifies whether or not remote block matches.
 .El
 .Pp
+Similarly, NAT-T is enabled if any of the initial remote configuration
+candidates allow NAT-T.
+.Pp
 Sections with
 .Ic inherit Ar parent
 statements (where
Index: src/crypto/dist/ipsec-tools/src/racoon/vendorid.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/vendorid.c:1.7 src/crypto/dist/ipsec-tools/src/racoon/vendorid.c:1.8
--- src/crypto/dist/ipsec-tools/src/racoon/vendorid.c:1.7 Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/vendorid.c Tue Sep 1 12:22:09 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: vendorid.c,v 1.7 2009/03/12 10:57:26 tteras Exp $ */
+/* $NetBSD: vendorid.c,v 1.8 2009/09/01 12:22:09 tteras Exp $ */
 /* Id: vendorid.c,v 1.10 2006/02/22 16:10:21 vanhu Exp */
@@ -260,8 +260,7 @@
 iph1->vendorid_mask |= BIT(vid_numeric);
 #ifdef ENABLE_NATT
- if ((iph1->rmconf == NULL || iph1->rmconf->nat_traversal) &&
- natt_vendorid(vid_numeric))
+ if (natt_vendorid(vid_numeric))
 natt_handle_vendorid(iph1, vid_numeric);
 #endif
 #ifdef ENABLE_HYBRID
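Review bot: The nat_traversal policy check that used to be visible at this call site in the `#ifdef ENABLE_NATT` block now lives entirely inside natt_handle_vendorid(), so a reader of vendorid.c can no longer see that a NAT-T vendor ID may be deliberately ignored for configurations that disable NAT-T. A one-line comment above the call would preserve that knowledge, e.g. `/* natt_handle_vendorid() ignores the VID unless nat_traversal is allowed by the (candidate) remote conf */`. The enclosing function starts and ends outside the hunk.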