diff -up ipsec-tools-0.7.2/src/racoon/isakmp_inf.c.natt-linux ipsec-tools-0.7.2/src/racoon/isakmp_inf.c
--- ipsec-tools-0.7.2/src/racoon/isakmp_inf.c.natt-linux 2009-04-20 15:35:36.000000000 +0200
+++ ipsec-tools-0.7.2/src/racoon/isakmp_inf.c 2009-04-23 14:46:55.000000000 +0200
@@ -1144,7 +1144,6 @@ purge_ipsec_spi(dst0, proto, spi, n)
caddr_t mhp[SADB_EXT_MAX + 1];
#ifdef ENABLE_NATT
struct sadb_x_nat_t_type *natt_type;
- struct sadb_x_nat_t_port *natt_port;
#endif
plog(LLV_DEBUG2, LOCATION, NULL,
@@ -1200,17 +1199,8 @@ purge_ipsec_spi(dst0, proto, spi, n)
}
#ifdef ENABLE_NATT
natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
- if (natt_type && natt_type->sadb_x_nat_t_type_type) {
- /* NAT-T is enabled for this SADB entry; copy
- * the ports from NAT-T extensions */
- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
- if (extract_port(src) == 0 && natt_port != NULL)
- set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port));
-
- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
- if (extract_port(dst) == 0 && natt_port != NULL)
- set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
- }else{
+ if (natt_type == NULL ||
+ ! natt_type->sadb_x_nat_t_type_type) {
/* Force default UDP ports, so CMPSADDR will match SAs with NO encapsulation
*/
set_port(src, PORT_ISAKMP);
diff -up ipsec-tools-0.7.2/src/racoon/pfkey.c.natt-linux ipsec-tools-0.7.2/src/racoon/pfkey.c
--- ipsec-tools-0.7.2/src/racoon/pfkey.c.natt-linux 2009-04-23 14:40:08.000000000 +0200
+++ ipsec-tools-0.7.2/src/racoon/pfkey.c 2009-04-23 14:40:08.000000000 +0200
@@ -290,6 +290,13 @@ pfkey_dump_sadb(satype)
struct sadb_msg *msg = NULL;
size_t bl, ml;
int len;
+#if defined(__linux__) && defined(ENABLE_NATT)
+ caddr_t mhp[SADB_EXT_MAX + 1];
+ struct sadb_sa *sa;
+ struct sockaddr *src, *dst;
+ struct sadb_x_nat_t_type *natt_type;
+ struct sadb_x_nat_t_port *natt_port;
+#endif
if ((s = privsep_pfkey_open()) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
@@ -325,6 +332,45 @@ pfkey_dump_sadb(satype)
continue;
}
+#if defined(__linux__) && defined(ENABLE_NATT)
+ /*
+ * NetBSD returns the NAT-T ports in the src and dst sockaddrs
+ * in addition to the SADB_X_EXT_NAT_T_*PORT structs.
+ *
+ * Linux only returns them in the SADB_X_EXT_NAT_T_*PORT
+ * structs. The racoon codebase is making the assumption that
+ * the NAT-T ports are reflected by the ports in the src and
+ * dst sockaddrs. We stick that information into those structs
+ * here to meet the assumptions elsewhere.
+ */
+ if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "pfkey_check (%s)\n", ipsec_strerror());
+ goto no_fixup;
+ }
+
+ sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
+ if (!sa || !mhp[SADB_EXT_ADDRESS_SRC] || !mhp[SADB_EXT_ADDRESS_DST]) {
+ goto no_fixup;
+ }
+
+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+
+ natt_type = (struct sadb_x_nat_t_type *)(mhp[SADB_X_EXT_NAT_T_TYPE]);
+
+ if (natt_type && natt_type->sadb_x_nat_t_type_type) {
+ /* set the src and dst ports */
+ natt_port = (struct sadb_x_nat_t_port *)(mhp[SADB_X_EXT_NAT_T_SPORT]);
+ if (natt_port != NULL && extract_port(src) == 0)
+ set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port));
+
+ natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
+ if (natt_port != NULL && extract_port(dst) == 0)
+ set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
+ }
+no_fixup:
+#endif /* __linux__ && ENABLE_NATT */
ml = msg->sadb_msg_len << 3;
bl = buf ? buf->l : 0;
distrib
>
Mandriva
>
2009.1
>
x86_64
>
media
>
main-updates-src
>
by-pkgid
>
04a194a09b3d0c936d3a5ccca0fde2a7
>
files
>
11
