445e6acd20
1) RFC2367 says in 2.3.3 Address Extension: "All non-address information in the sockaddrs, such as sin_zero for AF_INET sockaddrs, and sin6_flowinfo for AF_INET6 sockaddrs, MUST be zeroed out." The IPSEC_NAT_T code was expecting the port information it needs to be conveyed in the sockaddr instead of exclusively by SADB_X_EXT_NAT_T_SPORT and SADB_X_EXT_NAT_T_DPORT, and was not zeroing out the port information in the non-nat-traversal case. Since it was expecting the port information to reside in the sockaddr it could get away with (re)setting the ports after starting to use them.

-> Set the natt ports before setting the SA mature.

2) RFC3947 has two Original Address fields, initiator and responder, so we need SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR and not just SADB_X_EXT_NAT_T_OA.

The change has been created using vanhu's patch for FreeBSD as reference.

Note that establishing actual nat-t sessions has not yet been tested.

Likely fixes the following:
PR bin/41757
PR net/42592
PR net/42606

||
---|---|---|
Makefile | ||
ah.h | ||
ah_var.h | ||
esp.h | ||
esp_var.h | ||
files.netipsec | ||
ipcomp.h | ||
ipcomp_var.h | ||
ipip_var.h | ||
ipsec.c | ||
ipsec.h | ||
ipsec6.h | ||
ipsec_input.c | ||
ipsec_mbuf.c | ||
ipsec_netbsd.c | ||
ipsec_osdep.h | ||
ipsec_output.c | ||
ipsec_private.h | ||
ipsec_var.h | ||
key.c | ||
key.h | ||
key_debug.c | ||
key_debug.h | ||
key_var.h | ||
keydb.h | ||
keysock.c | ||
keysock.h | ||
xform.h | ||
xform_ah.c | ||
xform_esp.c | ||
xform_ipcomp.c | ||
xform_ipip.c | ||
xform_tcp.c |