On Thu, Jan 15, 2015 at 04:00:20PM +0100, Vincent Gross wrote: > Hello folks, > > This patch brings nat capabilites into iked, the same way that mpf@ did > with isakmpd about 6 years ago. > > Comments ?
bumpity bump bump.
Any comments on this ?
>
> Tested with the following setup, with icmp, udp and tcp:
>
> >> Local pf.conf:
> table <homev4> { 172.23.0.0/23 }
>
> set skip on lo
>
> match out on enc0 from ! <homev4> to <homev4> nat-to 172.23.50.1
>
> block return
> pass
> block return in on ! lo0 proto tcp to port 6000:6010
>
> >> Local iked.conf:
> ikev2 active esp \
> from 172.23.50.1 (0.0.0.0/0) to 172.23.0.0/23 peer 79.143.250.153 \
> srcid 'spinoza.kilob.yt' dstid 'brouwer.kilob.yt'
>
> >> Local ip address:
> ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
> priority: 0
> groups: ppp egress
> inet 100.97.217.112 --> 10.64.64.64 netmask 0xff000000
>
> >> Remote pf.conf:
> [...]
> pass on enc0
> [...]
>
> >> Remote iked.conf:
> ikev2 esp \
> from 172.23.0.0/23 to 172.23.50.1 peer any \
> srcid 'brouwer.kilob.yt' dstid 'spinoza.kilob.yt'
>
>
>
>
> Index: iked.h
> ===================================================================
> RCS file: /cvs/src/sbin/iked/iked.h,v
> retrieving revision 1.82
> diff -u -p -r1.82 iked.h
> --- iked.h 18 Aug 2014 09:43:02 -0000 1.82
> +++ iked.h 15 Jan 2015 13:54:46 -0000
> @@ -139,6 +139,8 @@ struct iked_flow {
> struct iked_addr flow_src;
> struct iked_addr flow_dst;
> u_int flow_dir; /* in/out */
> + struct iked_addr flow_prenat; /* pre-nat source */
> + u_int flow_usenat;
>
> u_int flow_loaded; /* pfkey done */
>
> Index: parse.y
> ===================================================================
> RCS file: /cvs/src/sbin/iked/parse.y,v
> retrieving revision 1.43
> diff -u -p -r1.43 parse.y
> --- parse.y 12 Jan 2015 11:24:58 -0000 1.43
> +++ parse.y 15 Jan 2015 13:54:47 -0000
> @@ -2401,7 +2401,7 @@ create_ike(char *name, int af, u_int8_t
> {
> char idstr[IKED_ID_SIZE];
> u_int idtype = IKEV2_ID_NONE;
> - struct ipsec_addr_wrap *ipa, *ipb;
> + struct ipsec_addr_wrap *ipa, *ipb, *ipn;
> struct iked_policy pol;
> struct iked_proposal prop[2];
> u_int j;
> @@ -2622,6 +2622,16 @@ create_ike(char *name, int af, u_int8_t
> flows[j].flow_dst.addr_mask = ipb->mask;
> flows[j].flow_dst.addr_net = ipb->netaddress;
> flows[j].flow_dst.addr_port = hosts->dport;
> +
> + ipn = ipa->srcnat;
> + if (ipn) {
> + memcpy(&flows[j].flow_prenat.addr, &ipn->address,
> + sizeof(ipn->address));
> + flows[j].flow_prenat.addr_af = ipn->af;
> + flows[j].flow_prenat.addr_mask = ipn->mask;
> + flows[j].flow_prenat.addr_net = ipn->netaddress;
> + flows[j].flow_usenat = 1;
> + }
>
> flows[j].flow_ipproto = ipproto;
>
> Index: pfkey.c
> ===================================================================
> RCS file: /cvs/src/sbin/iked/pfkey.c,v
> retrieving revision 1.40
> diff -u -p -r1.40 pfkey.c
> --- pfkey.c 29 Oct 2014 06:26:39 -0000 1.40
> +++ pfkey.c 15 Jan 2015 13:54:47 -0000
> @@ -180,6 +180,7 @@ int
> pfkey_flow(int sd, u_int8_t satype, u_int8_t action, struct iked_flow *flow)
> {
> struct sadb_msg smsg;
> + struct iked_addr *flow_src, *flow_dst;
> struct sadb_address sa_src, sa_dst, sa_local, sa_peer, sa_smask,
> sa_dmask;
> struct sadb_protocol sa_flowtype, sa_protocol;
> @@ -192,58 +193,76 @@ pfkey_flow(int sd, u_int8_t satype, u_in
> sport = dport = 0;
> sa_srcid = sa_dstid = NULL;
>
> + flow_src = &flow->flow_src;
> + flow_dst = &flow->flow_dst;
> +
> + if (flow->flow_usenat)
> + switch (flow->flow_type) {
> + case SADB_X_FLOW_TYPE_USE:
> + flow_dst = &flow->flow_prenat;
> + break;
> + case SADB_X_FLOW_TYPE_REQUIRE:
> + flow_src = &flow->flow_prenat;
> + break;
> + case 0:
> + if (flow->flow_dir == IPSP_DIRECTION_IN)
> + flow_dst = &flow->flow_prenat;
> + else
> + flow_src = &flow->flow_prenat;
> + }
> +
> bzero(&ssrc, sizeof(ssrc));
> bzero(&smask, sizeof(smask));
> - memcpy(&ssrc, &flow->flow_src.addr, sizeof(ssrc));
> - memcpy(&smask, &flow->flow_src.addr, sizeof(smask));
> - if ((sport = flow->flow_src.addr_port) != 0)
> + memcpy(&ssrc, &flow_src->addr, sizeof(ssrc));
> + memcpy(&smask, &flow_src->addr, sizeof(smask));
> + if ((sport = flow_src->addr_port) != 0)
> dport = 0xffff;
> socket_af((struct sockaddr *)&ssrc, sport);
> socket_af((struct sockaddr *)&smask, dport);
>
> - switch (flow->flow_src.addr_af) {
> + switch (flow_src->addr_af) {
> case AF_INET:
> ((struct sockaddr_in *)&smask)->sin_addr.s_addr =
> - prefixlen2mask(flow->flow_src.addr_net ?
> - flow->flow_src.addr_mask : 32);
> + prefixlen2mask(flow_src->addr_net ?
> + flow_src->addr_mask : 32);
> break;
> case AF_INET6:
> - prefixlen2mask6(flow->flow_src.addr_net ?
> - flow->flow_src.addr_mask : 128,
> + prefixlen2mask6(flow_src->addr_net ?
> + flow_src->addr_mask : 128,
> (u_int32_t *)((struct sockaddr_in6 *)
> &smask)->sin6_addr.s6_addr);
> break;
> default:
> log_warnx("%s: unsupported address family %d",
> - __func__, flow->flow_src.addr_af);
> + __func__, flow_src->addr_af);
> return (-1);
> }
> smask.ss_len = ssrc.ss_len;
>
> bzero(&sdst, sizeof(sdst));
> bzero(&dmask, sizeof(dmask));
> - memcpy(&sdst, &flow->flow_dst.addr, sizeof(sdst));
> - memcpy(&dmask, &flow->flow_dst.addr, sizeof(dmask));
> - if ((sport = flow->flow_dst.addr_port) != 0)
> + memcpy(&sdst, &flow_dst->addr, sizeof(sdst));
> + memcpy(&dmask, &flow_dst->addr, sizeof(dmask));
> + if ((sport = flow_dst->addr_port) != 0)
> dport = 0xffff;
> socket_af((struct sockaddr *)&sdst, sport);
> socket_af((struct sockaddr *)&dmask, dport);
>
> - switch (flow->flow_dst.addr_af) {
> + switch (flow_dst->addr_af) {
> case AF_INET:
> ((struct sockaddr_in *)&dmask)->sin_addr.s_addr =
> - prefixlen2mask(flow->flow_dst.addr_net ?
> - flow->flow_dst.addr_mask : 32);
> + prefixlen2mask(flow_dst->addr_net ?
> + flow_dst->addr_mask : 32);
> break;
> case AF_INET6:
> - prefixlen2mask6(flow->flow_dst.addr_net ?
> - flow->flow_dst.addr_mask : 128,
> + prefixlen2mask6(flow_dst->addr_net ?
> + flow_dst->addr_mask : 128,
> (u_int32_t *)((struct sockaddr_in6 *)
> &dmask)->sin6_addr.s6_addr);
> break;
> default:
> log_warnx("%s: unsupported address family %d",
> - __func__, flow->flow_dst.addr_af);
> + __func__, flow_dst->addr_af);
> return (-1);
> }
> dmask.ss_len = sdst.ss_len;
pgpQgCFijqihb.pgp
Description: PGP signature
