Module Name:    src
Committed By:   knakahara
Date:           Wed Dec 26 08:55:14 UTC 2018

Modified Files:
        src/sys/net: if_ipsec.c
        src/sys/netipsec: key.c

Log Message:
Remove unnecessary addresses in PF_KEY message.

The MOBIKE Extensions for PF_KEY draft (draft-schilcher-mobike-pfkey-extension-01.txt) says:
====================
5.  SPD Update
// snip
   SADB_X_SPDADD:
// snip
      sadb_x_ipsecrequest_reqid:

         An ID for that SA can be passed to the kernel in the
         sadb_x_ipsecrequest_reqid field.

      If tunnel mode is specified, the sadb_x_ipsecrequest structure is
      followed by two sockaddr structures that define the tunnel
      endpoint addresses.  In the case that transport mode is used, no
      additional addresses are specified.
====================
see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01

ipsecif(4) uses transport mode, so it should not add addresses.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/sys/net/if_ipsec.c
cvs rdiff -u -r1.258 -r1.259 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_ipsec.c
diff -u src/sys/net/if_ipsec.c:1.19 src/sys/net/if_ipsec.c:1.20
--- src/sys/net/if_ipsec.c:1.19	Fri Dec  7 05:09:39 2018
+++ src/sys/net/if_ipsec.c	Wed Dec 26 08:55:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $  */
+/*	$NetBSD: if_ipsec.c,v 1.20 2018/12/26 08:55:14 knakahara Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.20 2018/12/26 08:55:14 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1595,14 +1595,7 @@ if_ipsec_add_sp0(struct sockaddr *src, i
 	padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl);
 	if (policy == IPSEC_POLICY_IPSEC) {
 		if_ipsec_add_mbuf(m, &xisr, sizeof(xisr));
-		/*
-		 * secpolicy.req->saidx.{src, dst} must be set port number,
-		 * when it is used for NAT-T.
-		 */
-		if_ipsec_add_mbuf_addr_port(m, src, sport, false);
-		if_ipsec_add_mbuf_addr_port(m, dst, dport, false);
 		padlen -= PFKEY_ALIGN8(sizeof(xisr));
-		padlen -= PFKEY_ALIGN8(src->sa_len + dst->sa_len);
 	}
 	if_ipsec_add_pad(m, padlen);
 
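Review bot: With the two if_ipsec_add_mbuf_addr_port() calls removed, the remaining `padlen -= PFKEY_ALIGN8(sizeof(xisr));` line is only correct if the xpl.sadb_x_policy_len computed earlier in if_ipsec_add_sp0 (outside this hunk) also stopped counting src->sa_len + dst->sa_len; if that computation still includes them, padlen is inflated by PFKEY_ALIGN8(src->sa_len + dst->sa_len) and the policy extension is sent over-long, padded with zero bytes. Please confirm the length computation was updated together with this removal. The src, dst, sport and dport values the deleted lines consumed may now be unread in this branch; if nothing else in the function uses them they should be dropped or marked unused so the build stays warning-clean. The deleted NAT-T comment explained why ports were carried here, and a one-line replacement would keep that rationale local, e.g. `/* transport mode: no tunnel endpoints follow xisr; saidx is filled per packet (see _key_msg2sp) */`. if_ipsec_add_sp0 begins and ends outside the hunk.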

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.258 src/sys/netipsec/key.c:1.259
--- src/sys/netipsec/key.c:1.258	Sat Dec 22 14:28:57 2018
+++ src/sys/netipsec/key.c	Wed Dec 26 08:55:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.258 2018/12/22 14:28:57 maxv Exp $	*/
+/*	$NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.258 2018/12/22 14:28:57 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -1972,6 +1972,20 @@ _key_msg2sp(const struct sadb_x_policy *
 		(*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
 
 		/* set IP addresses if there */
+		/*
+		 * NOTE:
+		 * MOBIKE Extensions for PF_KEY draft says:
+		 *     If tunnel mode is specified, the sadb_x_ipsecrequest
+		 *     structure is followed by two sockaddr structures that
+		 *     define the tunnel endpoint addresses.  In the case that
+		 *     transport mode is used, no additional addresses are
+		 *     specified.
+		 * see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01
+		 *
+		 * And then, the IP addresses will be set by
+		 * ipsec_fill_saidx_bymbuf() from packet in transport mode.
+		 * This behavior is used by NAT-T enabled ipsecif(4).
+		 */
 		if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
 			const struct sockaddr *paddr;
 
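Review bot: The new comment block sits above a check that keys only on `xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)`, so trailing addresses are still parsed regardless of mode; the comment should say explicitly that it describes the draft's convention and the ipsecif(4) caller's behaviour rather than something this parser enforces, otherwise a reader may assume transport-mode requests carrying addresses are rejected here. The second paragraph reads awkwardly; suggest `* In transport mode the addresses are therefore left unset here and are filled in per packet by ipsec_fill_saidx_bymbuf(); NAT-T enabled ipsecif(4) relies on this.` It also duplicates the pre-existing `/* set IP addresses if there */` line directly above it, which could be folded into the new block. _key_msg2sp begins and ends outside the hunk.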
