Module Name:    src
Committed By:   knakahara
Date:           Thu May 24 07:00:28 UTC 2018

Modified Files:
        src/sys/net: if_ipsec.c

Log Message:
ipsecif(4) must not set a port number in spidx, even for NAT-T. Pointed out by
ohishi@IIJ, thanks.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/sys/net/if_ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_ipsec.c
diff -u src/sys/net/if_ipsec.c:1.13 src/sys/net/if_ipsec.c:1.14
--- src/sys/net/if_ipsec.c:1.13	Fri Apr 27 09:55:27 2018
+++ src/sys/net/if_ipsec.c	Thu May 24 07:00:28 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ipsec.c,v 1.13 2018/04/27 09:55:27 knakahara Exp $  */
+/*	$NetBSD: if_ipsec.c,v 1.14 2018/05/24 07:00:28 knakahara Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.13 2018/04/27 09:55:27 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.14 2018/05/24 07:00:28 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1574,13 +1574,18 @@ if_ipsec_add_sp0(struct sockaddr *src, i
 	m_copyback(m, 0, sizeof(msg), &msg);
 
 	if_ipsec_add_mbuf(m, &xsrc, sizeof(xsrc));
-	if_ipsec_add_mbuf_addr_port(m, src, sport, true);
+	/*
+	 * secpolicy.spidx.{src, dst} must not be set port number,
+	 * even if it is used for NAT-T.
+	 */
+	if_ipsec_add_mbuf_addr_port(m, src, 0, true);
 	padlen = PFKEY_UNUNIT64(xsrc.sadb_address_len)
 		- (sizeof(xsrc) + PFKEY_ALIGN8(src->sa_len));
 	if_ipsec_add_pad(m, padlen);
 
 	if_ipsec_add_mbuf(m, &xdst, sizeof(xdst));
-	if_ipsec_add_mbuf_addr_port(m, dst, dport, true);
+	/* ditto */
+	if_ipsec_add_mbuf_addr_port(m, dst, 0, true);
 	padlen = PFKEY_UNUNIT64(xdst.sadb_address_len)
 		- (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len));
 	if_ipsec_add_pad(m, padlen);
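Review bot: The new comment above the spidx src call reads awkwardly ("must not be set port number"); suggest `/* secpolicy.spidx.{src, dst} must not carry a port number, even when the SP is used for NAT-T. */`, and the parallel comment in the next hunk ("must be set port number") reads better as `secpolicy.req->saidx.{src, dst} must carry the port number when used for NAT-T`. The `/* ditto */` on the dst line could go if the single comment is placed once above the first if_ipsec_add_mbuf_addr_port call and phrased to cover both endpoints. Since the spidx is now built with port 0 for both src and dst, any other request in this file that has to match the same SP (a delete or update path, if one exists) must build its spidx the same way or the kernel lookup will no longer match; that code is not visible in this hunk, so it is worth confirming. if_ipsec_add_sp0 starts and ends outside the hunk.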
@@ -1588,6 +1593,10 @@ if_ipsec_add_sp0(struct sockaddr *src, i
 	if_ipsec_add_mbuf(m, &xpl, sizeof(xpl));
 	if (policy == IPSEC_POLICY_IPSEC) {
 		if_ipsec_add_mbuf(m, &xisr, sizeof(xisr));
+		/*
+		 * secpolicy.req->saidx.{src, dst} must be set port number,
+		 * when it is used for NAT-T.
+		 */
 		if_ipsec_add_mbuf_addr_port(m, src, sport, false);
 		if_ipsec_add_mbuf_addr_port(m, dst, dport, false);
 	}
