Date:      Tue, 22 Jul 2008 11:52:30 +0200
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        freebsd-net@freebsd.org
Subject:   Re:  FreeBSD NAT-T patch integration [CFR/CFT]
Message-ID:  <20080722095230.GA14962@zen.inc>
In-Reply-To: <4884AC65.7020605@freebsd.org>
References:  <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org> <20080721083110.GA21786@zen.inc> <20080721141327.GA24677@zen.inc> <4884AC65.7020605@freebsd.org>

On Mon, Jul 21, 2008 at 08:33:57AM -0700, Sam Leffler wrote:
> VANHULLEBUS Yvan wrote:
[....]
> >After some more testing, I found another issue: in udp4_espdecap(),
> >when payload <= sizeof(uint64_t) + sizeof(struct esp), packet should
> >not be discarded, but just returned for normal processing.
> >  
> 
> Please edit the sam_nat_t branch in p4 or send a patch I can apply.

As Perforce is really really new for me, here is the patch:

--- sys/netinet/udp_usrreq.c	Tue Jul 22 11:04:30 2008
+++ sys/netinet/udp_usrreq.c	Mon Jul 21 21:30:52 2008
@@ -797,8 +797,8 @@ udp_ctloutput(struct socket *so, struct 
 		if (INP_CHECK_SOCKAF(so, AF_INET6)) {
 			INP_WUNLOCK(inp);
 			error = ip6_ctloutput(so, sopt);
-#endif
 		} else {
+#endif
 			INP_WUNLOCK(inp);
 			error = ip_ctloutput(so, sopt);
 #ifdef INET6
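
Review bot: The relocated `#endif` after `} else {` carries no comment naming its condition, and the if/else braces are now split across preprocessor blocks, which is easy to unbalance in a later edit. Label it `#endif /* INET6 */`, and confirm that the `#ifdef INET6` following `ip_ctloutput(so, sopt)` contains only the matching closing brace, so that a kernel built without INET6 compiles `INP_WUNLOCK(inp)` and `ip_ctloutput()` unconditionally with balanced braces. The hunk ends before that closing block, so it cannot be checked from these lines.
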
@@ -846,7 +846,9 @@ udp_ctloutput(struct socket *so, struct 
 	case SOPT_GET:
 		switch (sopt->sopt_name) {
 		case UDP_ENCAP:
+#ifdef IPSEC_NAT_T
 			optval = inp->inp_flags & INP_ESPINUDP_ALL;
+#endif
 			INP_WUNLOCK(inp);
 			error = sooptcopyout(sopt, &optval, sizeof optval);
 			break;
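
Review bot: In the SOPT_GET `case UDP_ENCAP:` branch, a kernel built without IPSEC_NAT_T now skips the only visible assignment to `optval` and still calls `sooptcopyout(sopt, &optval, sizeof optval)`. Unless `optval` is initialized earlier in the function (not visible in this hunk), that copies an unset stack value to userland. Add an `#else` arm that sets `optval = 0;`, or wrap the whole case in the `#ifdef` so the option is rejected when NAT-T support is compiled out.
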
@@ -1236,11 +1238,9 @@ udp4_espdecap(struct socket *so, struct 
 	} else {
 		uint64_t marker;
 
-		if (payload <= sizeof(uint64_t) + sizeof(struct esp)) {
-			udpstat.udps_hdrops++;	/* XXX? */
-			m_freem(m);
-			return NULL;	/* discard */
-		}
+		if (payload <= sizeof(uint64_t) + sizeof(struct esp))
+			return m;	/* NB: no decap */
+
 		bcopy(data + off, &marker, sizeof(uint64_t));
 		if (marker != 0)
 			return m;	/* NB: no decap */
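
Review bot: The new short-payload branch reuses the comment `/* NB: no decap */` without saying why a packet that was previously freed and counted in `udps_hdrops` is now handed back to the caller. Add a comment stating that a payload too short to hold the 64-bit marker plus a `struct esp` is returned for normal UDP processing rather than dropped. Also keep this test ahead of the `bcopy(data + off, &marker, sizeof(uint64_t))`, since it is the only bound visible here on that read, and confirm that `<=` rather than `<` is intended, because a payload of exactly marker plus ESP header size is passed up undecapsulated.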


<<< end of diff

There is an extra #ifdef, which I noticed yesterday when I tried to
compile using a wrong kernel conf file (without NAT_T support).


[...]
> The original code from you permitted both flags to be set but the code 
> that handled the encap/decap assumed only one was set.
> 
> >Sam, did you have a good reason to change that part of the code, or
> >was it mostly to have a more compliant coding style ?
> 
> See above.

Ok, removed from my sources and got back to your version of that code.


> >Updated patches are available for HEAD, RELENG7 and RELENG63 (yeah :-)
> >here:
> >http://people.freebsd.org/~vanhu/NAT-T/
> >
> >Please all notice that there is still the word "test" in patches
> >names.....
> >  
> 
> Sorry again I don't understand what you write.

That was for other people who may be interested in those patches.



Yvan.


