Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 15 Sep 2006 09:14:30 -0400
From:      Larry Baird <lab@gta.com>
To:        Scott Ullrich <sullrich@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: FAST_IPSEC NAT-T support
Message-ID:  <20060915091430.A45488@gta.com>
In-Reply-To: <d5992baf0609141843t5b81cf77w4d35a3a36beced1c@mail.gmail.com>; from sullrich@gmail.com on Thu, Sep 14, 2006 at 09:43:38PM -0400
References:  <20060914093034.A83805@gta.com> <d5992baf0609141843t5b81cf77w4d35a3a36beced1c@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help

--wac7ysb48OaltWcw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Sep 14, 2006 at 09:43:38PM -0400, Scott Ullrich wrote:
> On 9/14/06, Larry Baird <lab@gta.com> wrote:
> > Please find attached two patches for adding FAST_IPSEC NAT-T support to
> > FreeBSD 6.x.  The patch "freebsd6-fastipsec-natt.diff" is dependent
> > upon Yvan's IPSEC NAT-T patch "freebsd6-natt.diff" which can be found at
> > http://ipsec-tools.cvs.sourceforge.net/ipsec-tools/htdocs/.  The second
> > patch "freebsd6-ipsec-fastipsec-natt.diff" is a cumulative patch
> > combining both patches together.
> 
> This is great!   It compiles on FreeBSD 6.1 when you include options
>       IPSEC_NAT_T but when you fail to include this item "options
> IPSEC_NAT_T" in addition to including "options FAST_IPSEC" you end up
> with:
> 
> cc -c -O -pipe  -Wall -Wredundant-decls -Wnested-externs
> -Wstrict-prototypes  -Wmissing-prototypes -Wpointer-arith -Winline
> -Wcast-qual  -fformat-extensions -std=c99 -g -nostdinc -I-  -I.
> -I/usr/src/sys -I/usr/src/sys/contrib/altq
> -I/usr/src/sys/contrib/ipfilter -I/usr/src/sys/contrib/pf
> -I/usr/src/sys/contrib/dev/ath -I/usr/src/sys/contrib/dev/ath/freebsd
> -I/usr/src/sys/contrib/ngatm -I/usr/src/sys/dev/twa -D_KERNEL
> -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common
> -finline-limit=8000 --param inline-unit-growth=100 --param
> large-function-growth=1000  -mno-align-long-strings
> -mpreferred-stack-boundary=2  -mno-mmx -mno-3dnow -mno-sse -mno-sse2
> -ffreestanding -Werror  /usr/src/sys/netipsec/key.c
> /usr/src/sys/netipsec/key.c: In function `key_spdadd':
> /usr/src/sys/netipsec/key.c:1867: error: `isr' undeclared (first use
> in this function)
> /usr/src/sys/netipsec/key.c:1867: error: (Each undeclared identifier
> is reported only once
> /usr/src/sys/netipsec/key.c:1867: error: for each function it appears in.)
> *** Error code 1
> 
> Stop in /usr/obj/usr/src/sys/pfSense.6.
> *** Error code 1
> 
> Stop in /usr/src.
> *** Error code 1
> 
> Stop in /usr/src.
> 
> Meanwhile I have a new version of pfSense out asking for testing.   We
> seem to have a large base of users requesting this option so hopefully
> I can get some meaningful testing information for you soon.
It looks like the problem code is not needed.  I was so busy focusing
on getting NAT-T working with FAST_IPSEC I didn't notice this part
of the non NAT_T case in the IPSEC NAT_T patch.  Remove the section
starting with "#ifndef IPSEC_NAT_T" at line 1866.  Or run the attached
patch.  I'll update the full patch shortly.

Larry


-- 
------------------------------------------------------------------------
Larry Baird                        | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: lab@gta.com                 | TEL 407-380-0220, FAX 407-380-6080

--wac7ysb48OaltWcw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="nokey.diff"

Index: key.c
===================================================================
--- key.c	(revision 8199)
+++ key.c	(working copy)
@@ -1876,52 +1876,6 @@
 		return key_senderror(so, m, error);
 	}
 
-#ifndef IPSEC_NAT_T
-	for (isr = newsp->req; isr; isr = isr->next) {
-		struct sockaddr *sa;
-
-		/*
-		 * port spec is not permitted for tunnel mode
-		 */
-		if (isr->saidx.mode == IPSEC_MODE_TUNNEL && src0 && dst0) {
-			sa = (struct sockaddr *)(src0 + 1);
-			switch (sa->sa_family) {
-			case AF_INET:
-				if (((struct sockaddr_in *)sa)->sin_port) {
-					keydb_delsecpolicy(newsp);
-					return key_senderror(so, m, EINVAL);
-				}
-				break;
-			case AF_INET6:
-				if (((struct sockaddr_in6 *)sa)->sin6_port) {
-					keydb_delsecpolicy(newsp);
-					return key_senderror(so, m, EINVAL);
-				}
-				break;
-			default:
-				break;
-			}
-			sa = (struct sockaddr *)(dst0 + 1);
-			switch (sa->sa_family) {
-			case AF_INET:
-				if (((struct sockaddr_in *)sa)->sin_port) {
-					keydb_delsecpolicy(newsp);
-					return key_senderror(so, m, EINVAL);
-				}
-				break;
-			case AF_INET6:
-				if (((struct sockaddr_in6 *)sa)->sin6_port) {
-					keydb_delsecpolicy(newsp);
-					return key_senderror(so, m, EINVAL);
-				}
-				break;
-			default:
-				break;
-			}
-		}
-	}
-#endif /* !IPSEC_NAT_T */
-
 	if ((newsp->id = key_getnewspid()) == 0) {
 		_key_delsp(newsp);
 		return key_senderror(so, m, ENOBUFS);

--wac7ysb48OaltWcw--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060915091430.A45488>