This patch adds NATT_EXTRA_PATCHES=natt.diff and enables only UDP encapsulation defined in RFC3948.

The natt.diff patch contains the following changes: * added support for SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages; * used NAT address instead of original for SAs created by racoon; * NAT-T keep-alives now sends only by NATed host. Tested with 11.0-STABLE after projects/ipsec merge. PR: 217131 Submitted by: Andrey V. Elsukov Approved by: VANHULLEBUS Yvan (maintainer timeout, 2 months), vsevolod (mentor)
svn path=/head/; revision=438782
2024-12-25 04:43:33 +00:00 · 2017-04-18 14:36:08 +00:00 · 2017-04-18 14:36:08 +00:00 · f6007b9495 · 2021-03-31 03:12:20 +00:00
commit f6007b9495
parent 04ddda36a5
2 changed files with 157 additions and 3 deletions
--- a/security/ipsec-tools/Makefile
+++ b/security/ipsec-tools/Makefile
@ -8,7 +8,7 @@

 PORTNAME=	ipsec-tools
 PORTVERSION=	0.8.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	SF

@ -39,7 +39,7 @@ OPTIONS_DEFAULT=	DEBUG DPD NATT FRAG HYBRID
 ADMINPORT_DESC=	Enable Admin port
 STATS_DESC=	Statistics logging function
 DPD_DESC=	Dead Peer Detection
-NATT_DESC=	NAT-Traversal (kernel-patch required)
+NATT_DESC=	NAT-Traversal (kernel-patch required before 11.0-STABLE)
 NATTF_DESC=	require NAT-Traversal (fail without kernel-patch)
 FRAG_DESC=	IKE fragmentation payload support
 HYBRID_DESC=	Hybrid, Xauth and Mode-cfg support
@ -61,7 +61,7 @@ STATS_CONFIGURE_ENABLE=	stats
 DPD_CONFIGURE_ENABLE=	dpd
 NATTF_VARS=		NATT=yes
 NATTF_VARS_OFF=		NATT=kernel
-NATT_CONFIGURE_ON=	--enable-natt=${NATT}
+NATT_CONFIGURE_ON=	--enable-natt=${NATT} --enable-natt-versions=rfc
 NATT_CONFIGURE_OFF=	--disable-natt
 FRAG_CONFIGURE_ENABLE=	frag
 HYBRID_CONFIGURE_ENABLE=hybrid
@ -78,6 +78,7 @@ SAUNSPEC_CONFIGURE_ENABLE=	samode-unspec
 RC5_CONFIGURE_ENABLE=		rc5
 IDEA_CONFIGURE_ENABLE=		idea
 WCPSKEY_EXTRA_PATCHES=		${FILESDIR}/wildcard-psk.diff
+NATT_EXTRA_PATCHES=		${FILESDIR}/natt.diff

 post-patch:
 	@${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure
--- a/security/ipsec-tools/files/natt.diff
+++ b/security/ipsec-tools/files/natt.diff
@ -0,0 +1,153 @@
+--- src/libipsec/libpfkey.h
+++ src/libipsec/libpfkey.h
+@@ -85,7 +85,7 @@ struct pfkey_send_sa_args {
+ 	u_int32_t	seq;
+ 	u_int8_t	l_natt_type;
+ 	u_int16_t	l_natt_sport, l_natt_dport;
+-	struct sockaddr *l_natt_oa;
+	struct sockaddr *l_natt_oai, *l_natt_oar;
+ 	u_int16_t	l_natt_frag;
+ 	u_int8_t ctxdoi, ctxalg;	/* Security context DOI and algorithm */
+ 	caddr_t ctxstr;			/* Security context string */
+--- src/libipsec/pfkey.c
+++ src/libipsec/pfkey.c
+@@ -1335,9 +1335,12 @@ pfkey_send_x1(struct pfkey_send_sa_args 
+ 		len += sizeof(struct sadb_x_nat_t_type);
+ 		len += sizeof(struct sadb_x_nat_t_port);
+ 		len += sizeof(struct sadb_x_nat_t_port);
+-		if (sa_parms->l_natt_oa)
+		if (sa_parms->l_natt_oai)
+ 			len += sizeof(struct sadb_address) +
+-			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa));
+			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai));
+		if (sa_parms->l_natt_oar)
+			len += sizeof(struct sadb_address) +
+			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar));
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ 		if (sa_parms->l_natt_frag)
+ 			len += sizeof(struct sadb_x_nat_t_frag);
+@@ -1452,10 +1455,21 @@ pfkey_send_x1(struct pfkey_send_sa_args 
+ 			return -1;
+ 		}
+ 
+-		if (sa_parms->l_natt_oa) {
+-			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
+-					      sa_parms->l_natt_oa,
+-					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)),
+		if (sa_parms->l_natt_oai) {
+			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAI,
+					      sa_parms->l_natt_oai,
+					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)),
+					      IPSEC_ULPROTO_ANY);
+			if (!p) {
+				free(newmsg);
+				return -1;
+			}
+		}
+
+		if (sa_parms->l_natt_oar) {
+			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAR,
+					      sa_parms->l_natt_oar,
+					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)),
+ 					      IPSEC_ULPROTO_ANY);
+ 			if (!p) {
+ 				free(newmsg);
+@@ -2034,7 +2048,8 @@ pfkey_align(struct sadb_msg *msg, caddr_
+ 		case SADB_X_EXT_NAT_T_TYPE:
+ 		case SADB_X_EXT_NAT_T_SPORT:
+ 		case SADB_X_EXT_NAT_T_DPORT:
+-		case SADB_X_EXT_NAT_T_OA:
+		case SADB_X_EXT_NAT_T_OAI:
+		case SADB_X_EXT_NAT_T_OAR:
+ #endif
+ #ifdef SADB_X_EXT_TAG
+ 		case SADB_X_EXT_TAG:
+@@ -2592,7 +2607,7 @@ pfkey_send_update_nat(int so, u_int saty
+ 	psaa.l_natt_type = l_natt_type;
+ 	psaa.l_natt_sport = l_natt_sport;
+ 	psaa.l_natt_dport = l_natt_dport;
+-	psaa.l_natt_oa = l_natt_oa;
+	psaa.l_natt_oar = l_natt_oa;
+ 	psaa.l_natt_frag = l_natt_frag;
+ 
+ 	return pfkey_send_update2(&psaa);
+@@ -2667,7 +2682,7 @@ pfkey_send_add_nat(int so, u_int satype,
+ 	psaa.l_natt_type = l_natt_type;
+ 	psaa.l_natt_sport = l_natt_sport;
+ 	psaa.l_natt_dport = l_natt_dport;
+-	psaa.l_natt_oa = l_natt_oa;
+	psaa.l_natt_oai = l_natt_oa;
+ 	psaa.l_natt_frag = l_natt_frag;
+ 
+ 	return pfkey_send_add2(&psaa);
+--- src/racoon/isakmp_quick.c
+++ src/racoon/isakmp_quick.c
+@@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
+ 			     spidx.src.ss_family, spidx.dst.ss_family,
+ 			     _XIDT(iph2->id_p),idi2type);
+ 		}
+#ifdef ENABLE_NATT
+		if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
+			u_int16_t port;
+
+			port = extract_port(&spidx.src);
+			memcpy(&spidx.src, iph2->ph1->remote,
+			    sysdep_sa_len(iph2->ph1->remote));
+			set_port(&spidx.src, port);
+			switch (spidx.src.ss_family) {
+			case AF_INET:
+				spidx.prefs = sizeof(struct in_addr) << 3;
+				break;
+#ifdef INET6
+			case AF_INET6:
+				spidx.prefs = sizeof(struct in6_addr) << 3;
+				break;
+#endif
+			default:
+				spidx.prefs = 0;
+				break;
+			}
+			plog(LLV_DEBUG, LOCATION,
+				NULL, "use NAT address %s as src\n",
+				saddr2str((struct sockaddr *)&spidx.src));
+		}
+#endif
+ 	} else {
+ 		plog(LLV_DEBUG, LOCATION, NULL,
+ 		     "get a source address of SP index from Phase 1"
+--- src/racoon/nattraversal.c
+++ src/racoon/nattraversal.c
+@@ -436,10 +436,7 @@ natt_keepalive_add_ph1 (struct ph1handle
+ {
+   int ret = 0;
+   
+-  /* Should only the NATed host send keepalives?
+-     If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)'
+-     to the following condition. */
+-  if (iph1->natt_flags & NAT_DETECTED &&
+  if (iph1->natt_flags & NAT_DETECTED_ME &&
+       ! (iph1->natt_flags & NAT_KA_QUEUED)) {
+     ret = natt_keepalive_add (iph1->local, iph1->remote);
+     if (ret == 0)
+--- src/racoon/pfkey.c
+++ src/racoon/pfkey.c
+@@ -1190,7 +1190,10 @@ pk_sendupdate(iph2)
+ 			sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
+ 			sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
+ 			sa_args.l_natt_dport = extract_port(iph2->ph1->local);
+-			sa_args.l_natt_oa = iph2->natoa_src;
+			/* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */
+				sa_args.l_natt_oai = iph2->natoa_dst;
+			/* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */
+				sa_args.l_natt_oar = iph2->natoa_src;
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ 			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
+ #endif
+@@ -1477,7 +1480,6 @@ pk_sendadd(iph2)
+ 			sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
+ 			sa_args.l_natt_sport = extract_port(iph2->ph1->local);
+ 			sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
+-			sa_args.l_natt_oa = iph2->natoa_dst;
+ #ifdef SADB_X_EXT_NAT_T_FRAG
+ 			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
+ #endif