Module Name: src Committed By: knakahara Date: Wed Dec 26 08:55:14 UTC 2018
Modified Files: src/sys/net: if_ipsec.c src/sys/netipsec: key.c Log Message: Remove unnecessary addresses in PF_KEY message. MOBIKE Extensions for PF_KEY draft-schilcher-mobike-pfkey-extension-01.txt says ==================== 5. SPD Update // snip SADB_X_SPDADD: // snip sadb_x_ipsecrequest_reqid: An ID for that SA can be passed to the kernel in the sadb_x_ipsecrequest_reqid field. If tunnel mode is specified, the sadb_x_ipsecrequest structure is followed by two sockaddr structures that define the tunnel endpoint addresses. In the case that transport mode is used, no additional addresses are specified. ==================== see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01 ipsecif(4) uses transport mode, so it should not add addresses. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/sys/net/if_ipsec.c cvs rdiff -u -r1.258 -r1.259 src/sys/netipsec/key.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_ipsec.c
diff -u src/sys/net/if_ipsec.c:1.19 src/sys/net/if_ipsec.c:1.20
--- src/sys/net/if_ipsec.c:1.19 Fri Dec 7 05:09:39 2018
+++ src/sys/net/if_ipsec.c Wed Dec 26 08:55:14 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $ */
+/* $NetBSD: if_ipsec.c,v 1.20 2018/12/26 08:55:14 knakahara Exp $ */
 /*
 * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.20 2018/12/26 08:55:14 knakahara Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1595,14 +1595,7 @@ if_ipsec_add_sp0(struct sockaddr *src, i
 padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl);
 if (policy == IPSEC_POLICY_IPSEC) {
 if_ipsec_add_mbuf(m, &xisr, sizeof(xisr));
- /*
- * secpolicy.req->saidx.{src, dst} must be set port number,
- * when it is used for NAT-T.
- */
- if_ipsec_add_mbuf_addr_port(m, src, sport, false);
- if_ipsec_add_mbuf_addr_port(m, dst, dport, false);
 padlen -= PFKEY_ALIGN8(sizeof(xisr));
- padlen -= PFKEY_ALIGN8(src->sa_len + dst->sa_len);
 }
 if_ipsec_add_pad(m, padlen);
Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.258 src/sys/netipsec/key.c:1.259
--- src/sys/netipsec/key.c:1.258 Sat Dec 22 14:28:57 2018
+++ src/sys/netipsec/key.c Wed Dec 26 08:55:14 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.258 2018/12/22 14:28:57 maxv Exp $ */
+/* $NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $ */
 /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
 /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.258 2018/12/22 14:28:57 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $");
 /*
 * This code is referred to RFC 2367
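Review bot: The lengths that size this message are computed outside the -1595 hunk, so dropping the two sockaddrs is only consistent if `xisr.sadb_x_ipsecrequest_len` and `xpl.sadb_x_policy_len` no longer include `src->sa_len + dst->sa_len` either; if they still do, the surplus bytes end up as padding that the kernel side would read back as addresses, since the visible parser check in key.c is only `sadb_x_ipsecrequest_len > sizeof(*xisr)`. Please verify where those two lengths are set earlier in if_ipsec_add_sp0. The why-comment that went away with the addresses leaves the now-empty request unexplained; a one-line `/* transport mode: no tunnel endpoint addresses follow xisr (MOBIKE PF_KEY draft) */` after the if_ipsec_add_mbuf() call would record the reason. If `sport`/`dport` (and possibly `src`/`dst`) are no longer read anywhere else in the function, they should be removed from the signature or marked unused rather than left dangling. if_ipsec_add_sp0 starts and ends outside the hunk.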
@@ -1972,6 +1972,20 @@ _key_msg2sp(const struct sadb_x_policy *
 (*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
 /* set IP addresses if there */
+ /*
+ * NOTE:
+ * MOBIKE Extensions for PF_KEY draft says:
+ * If tunnel mode is specified, the sadb_x_ipsecrequest
+ * structure is followed by two sockaddr structures that
+ * define the tunnel endpoint addresses. In the case that
+ * transport mode is used, no additional addresses are
+ * specified.
+ * see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01
+ *
+ * And then, the IP addresses will be set by
+ * ipsec_fill_saidx_bymbuf() from packet in transport mode.
+ * This behavior is used by NAT-T enabled ipsecif(4).
+ */
 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
 const struct sockaddr *paddr;
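Review bot: The second paragraph of the new NOTE is hard to parse ("And then, the IP addresses will be set by ... from packet in transport mode") and does not connect the two halves: the draft quote says why no addresses are expected, the follow-on should say where they come from instead. A tighter wording would be `* In transport mode no addresses follow xisr; they are filled in later from the packet by ipsec_fill_saidx_bymbuf(), which NAT-T enabled ipsecif(4) relies on.` The check right after the comment still accepts trailing sockaddrs whatever the mode, so it is worth stating in the same comment that tunnel-mode requests continue to be parsed here; I cannot see whether anything outside the hunk distinguishes the modes, so confirm before wording it that way. The enclosing function _key_msg2sp starts and ends outside the hunk.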