Date:      Thu, 28 Nov 2013 14:31:11 -0500
From:      Antoine Beaupré <anarcat@koumbit.org>
To:        Ermal Luçi <eri@freebsd.org>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: OpenBGPd + TCP-MD5 sig fails after a few weeks
Message-ID:  <87bo14pbls.fsf@marcos.anarc.at>
In-Reply-To: <CAPBZQG28ZLpU7bgGgj2_SynVeVr5k59_Ydd8d=PD-+qNCZwn9g@mail.gmail.com>
References:  <87zjoqu3wr.fsf@marcos.anarc.at> <CAPBZQG192HxfHfCj7zkWO-Ot95+Y7vr8VJ47OyzNhD2jxuZTKg@mail.gmail.com> <874n6xu31q.fsf@marcos.anarc.at> <CAPBZQG17w218wB3SsJ8rvCLzP4hKz4N5=zE-YLnMws5H-x2_FQ@mail.gmail.com> <87ob54pndw.fsf@marcos.anarc.at> <CAPBZQG28ZLpU7bgGgj2_SynVeVr5k59_Ydd8d=PD-+qNCZwn9g@mail.gmail.com>

On 2013-11-28 13:14:18, Ermal Luçi wrote:
> Can you show your related config to this!
> The only other thing I can think of is that since the daemon is inserting
> policies you have to define
> local-address $your-local-ip
>
> So the SPD policy is generated correctly.

Ah! That was it!!!

Without local-address, I get this:

pfkey: Invalid argument
neighbor 38.104.152.101 (Cogent): pfkey setup failed

With local-address, it just works!

> You can verify the generated policy using setkey utility.

I confirm the policy is properly installed by the pfSense port, if and
only if local-address is specified.

Next step would be to file a PR to update the port! I have tried to
factor in a patch that merges the pfSense port into the FreeBSD port with
minimal changes, would you mind reviewing it before I send it?

Here's the patch to the FreeBSD port:


Attachment: fbsd-openbgpd-port-setkey.patch (text/x-diff)

diff --git a/Makefile b/Makefile
old mode 100644
new mode 100755
index d39d87d..5c0513a
=2D-- a/Makefile
+++ b/Makefile
@@ -1,4 +1,5 @@
=2D# $FreeBSD: net/openbgpd/Makefile 330656 2013-10-17 16:47:58Z ohauer $
+# Created by: Florent Thoumie <flz@FreeBSD.org>
+# $FreeBSD: ports/net/openbgpd/Makefile,v 1.35 2012/12/24 12:56:29 svnexp =
Exp $
=20
 PORTNAME=3D	openbgpd
 PORTVERSION=3D	5.2.20121209
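Review bot: this hunk swaps the port's current svn-expanded $FreeBSD$ line (330656, 2013-10-17) for the older CVS-style one from 2012. The keyword is expanded by the repository on commit, so a patch submitted in a PR should not touch it; drop the removed and added $FreeBSD$ lines and keep only the "Created by:" addition, if the maintainer wants it at all.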
@@ -8,6 +9,7 @@ MASTER_SITE_SUBDIR=3D	OpenBGPD
 DISTNAME=3D	${PORTNAME}-4.6
 EXTRACT_SUFX=3D	.tgz
 DIST_SUBDIR=3D	${PORTNAME}
+NO_STAGE=3D	yes
=20
 MAINTAINER=3D	hrs@FreeBSD.org
 COMMENT=3D	Free implementation of the Border Gateway Protocol, Version 4
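Review bot: adding NO_STAGE=3Dyes marks the port as not converted to staging and moves it backwards. The context in the Makefile hunks shows the current port without that line and with its man pages listed in PLIST_FILES, which is the staging-era layout; the only part of this patch that needs NO_STAGE is the return to MAN5/MAN8 and MANCOMPRESSED in the next hunk. Leave this line out and keep the existing plist handling.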
@@ -15,13 +17,16 @@ COMMENT=3D	Free implementation of the Border Gateway Pr=
otocol, Version 4
 CONFLICTS=3D	zebra-[0-9]* quagga-[0-9]*
=20
 WRKSRC=3D		${WRKDIR}
+MANCOMPRESSED=3D	yes
 USE_RC_SUBR=3D	${PORTNAME}
=2DPLIST_FILES=3D	sbin/bgpctl sbin/bgpd man/man5/bgpd.conf.5.gz \
=2D		man/man8/bgpctl.8.gz man/man8/bgpd.8.gz
+PLIST_FILES=3D	sbin/bgpctl sbin/bgpd
 SUB_FILES=3D	pkg-message
 USERS=3D		_bgpd
 GROUPS=3D		_bgpd
=20
+MAN5=3D		bgpd.conf.5
+MAN8=3D		bgpctl.8 bgpd.8
+
 OPTIONS_DEFINE=3D	IPV6LLPEER
 OPTIONS_DEFAULT=3DIPV6LLPEER
 IPV6LLPEER_DESC=3DSupport nexthop using IPv6 link-local address
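Review bot: the PLIST_FILES/MAN5/MAN8/MANCOMPRESSED change replaces the FreeBSD port's plist (man pages as sbin/... and man/manN/*.gz entries in PLIST_FILES) with the older MANn handling carried over from the pfSense copy. That is a cosmetic difference between the two ports, not part of the pfkey fix, and it is exactly what forces NO_STAGE=3Dyes; drop this hunk so the PR contains only the functional changes under files/patch-bgpd_*.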
diff --git a/files/openbgpd.in b/files/openbgpd.in
index f1b904e..fc6642e 100644
=2D-- a/files/openbgpd.in
+++ b/files/openbgpd.in
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
=2D# $FreeBSD: net/openbgpd/files/openbgpd.in 302141 2012-08-05 23:19:36Z d=
ougb $
+# $FreeBSD: ports/net/openbgpd/files/openbgpd.in,v 1.2 2012/11/17 06:00:08=
 svnexp Exp $
 #
=20
 # PROVIDE: bgpd
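Review bot: same issue as the Makefile header: the only change to files/openbgpd.in is the $FreeBSD$ keyword line, from the svn form back to the older CVS form. Nothing functional is touched, so this file should be left out of the patch entirely.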
diff --git a/files/patch-bgpd_Makefile b/files/patch-bgpd_Makefile
index f946c92..fc27014 100644
=2D-- a/files/patch-bgpd_Makefile
+++ b/files/patch-bgpd_Makefile
@@ -1,11 +1,5 @@
=2DIndex: bgpd/Makefile
=2D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=2DRCS file: /home/cvs/private/hrs/openbgpd/bgpd/Makefile,v
=2Dretrieving revision 1.1.1.2
=2Dretrieving revision 1.9
=2Ddiff -u -p -r1.1.1.2 -r1.9
=2D--- bgpd/Makefile	9 Jul 2009 16:49:54 -0000	1.1.1.2
=2D+++ bgpd/Makefile	13 Oct 2012 18:36:00 -0000	1.9
+--- bgpd/Makefile.orig	2013-02-21 19:20:05.000000000 +0000
++++ bgpd/Makefile	2013-02-21 19:20:54.000000000 +0000
 @@ -1,15 +1,25 @@
  #	$OpenBSD: Makefile,v 1.28 2009/06/25 14:14:54 deraadt Exp $
=20=20
@@ -17,9 +11,8 @@ diff -u -p -r1.1.1.2 -r1.9
 -SRCS=3D	bgpd.c buffer.c session.c log.c parse.y config.c imsg.c \
 +SRCS=3D	bgpd.c session.c log.c parse.y config.c \
  	rde.c rde_rib.c rde_decide.c rde_prefix.c mrt.c kroute.c \
=2D-	control.c pfkey.c rde_update.c rde_attr.c printconf.c \
+ 	control.c pfkey.c rde_update.c rde_attr.c printconf.c \
 -	rde_filter.c pftable.c name2id.c util.c carp.c timer.c
=2D+	control.c pfkey_compat.c rde_update.c rde_attr.c printconf.c \
 +	rde_filter.c pftable.c name2id.c util.c carp.c timer.c \
 +	imsg.c imsg-buffer.c
  CFLAGS+=3D -Wall -I${.CURDIR}
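Review bot: SRCS now compiles pfkey.c (patched in place) instead of the pfkey_compat.c that the current FreeBSD port builds. Wherever the port supplies pfkey_compat.c (if it ships it under files/), remove it in the same PR; otherwise it stays behind as a dead copy of the old pfkey shim that will drift from the patched pfkey.c. The new plain ---/+++ header in the previous hunk is fine; patch(1) ignores the dropped CVS Index/RCS preamble anyway.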
diff --git a/files/patch-bgpd_pfkey.c b/files/patch-bgpd_pfkey.c
index 7ad7548..224298f 100644
=2D-- a/files/patch-bgpd_pfkey.c
+++ b/files/patch-bgpd_pfkey.c
@@ -1,26 +1,41 @@
=2DIndex: bgpd/pfkey.c
=2D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=2DRCS file: /home/cvs/private/hrs/openbgpd/bgpd/pfkey.c,v
=2Dretrieving revision 1.1.1.6
=2Dretrieving revision 1.1.1.9
=2Ddiff -u -p -r1.1.1.6 -r1.1.1.9
=2D--- bgpd/pfkey.c	14 Feb 2010 20:19:57 -0000	1.1.1.6
=2D+++ bgpd/pfkey.c	13 Oct 2012 18:22:44 -0000	1.1.1.9
+diff -ur bgpd.orig/pfkey.c bgpd/pfkey.c
+--- bgpd.orig/pfkey.c	2013-03-15 12:07:16.000000000 +0000
++++ bgpd/pfkey.c	2013-03-15 12:07:47.000000000 +0000
 @@ -1,4 +1,4 @@
 -/*	$OpenBSD: pfkey.c,v 1.37 2009/04/21 15:25:52 henning Exp $ */
 +/*	$OpenBSD: pfkey.c,v 1.40 2009/12/14 17:38:18 claudio Exp $ */
=20=20
  /*
   * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
=2D@@ -74,6 +74,7 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -21,7 +21,7 @@
+ #include <sys/socket.h>
+ #include <sys/uio.h>
+ #include <net/pfkeyv2.h>
+-#include <netinet/ip_ipsp.h>
++//#include <netinet/ip_ipsp.h>
+ #include <ctype.h>
+ #include <errno.h>
+ #include <limits.h>
+@@ -65,15 +65,15 @@
+ {
+ 	struct sadb_msg		smsg;
+ 	struct sadb_sa		sa;
+-	struct sadb_address	sa_src, sa_dst, sa_peer, sa_smask, sa_dmask;
++	struct sadb_address	sa_src, sa_dst;
+ 	struct sadb_key		sa_akey, sa_ekey;
+ 	struct sadb_spirange	sa_spirange;
+-	struct sadb_protocol	sa_flowtype, sa_protocol;
+ 	struct iovec		iov[IOV_CNT];
+ 	ssize_t			n;
  	int			len =3D 0;
  	int			iov_cnt;
=2D 	struct sockaddr_storage	ssrc, sdst, speer, smask, dmask;
+-	struct sockaddr_storage	ssrc, sdst, speer, smask, dmask;
++	struct sockaddr_storage	ssrc, sdst, smask, dmask;
 +	struct sockaddr		*saptr;
=20=20
  	if (!pid)
  		pid =3D getpid();
=2D@@ -81,22 +82,17 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -81,22 +81,17 @@
  	/* we need clean sockaddr... no ports set */
  	bzero(&ssrc, sizeof(ssrc));
  	bzero(&smask, sizeof(smask));
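Review bot: "++//#include <netinet/ip_ipsp.h>" leaves a C++-style commented-out include in a file that otherwise uses /* */ comments; since the header is OpenBSD-only and nothing refers back to it, delete the line instead. Removing sa_peer, sa_smask, sa_dmask, sa_flowtype, sa_protocol and speer here is consistent with the flow code being compiled out further down, but deleting the SADB_X_ADDFLOW/SADB_X_DELFLOW code outright would read better than wrapping it in #if 0 and would keep the port patch easier to rebase on the next OpenBGPD release.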
@@ -49,7 +64,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
  		ssrc.ss_len =3D sizeof(struct sockaddr);
  		break;
  	default:
=2D@@ -107,22 +103,17 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -107,22 +102,17 @@
=20=20
  	bzero(&sdst, sizeof(sdst));
  	bzero(&dmask, sizeof(dmask));
@@ -78,7 +93,84 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
  		sdst.ss_len =3D sizeof(struct sockaddr);
  		break;
  	default:
=2D@@ -220,8 +211,8 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -135,7 +125,7 @@
+ 	smsg.sadb_msg_version =3D PF_KEY_V2;
+ 	smsg.sadb_msg_seq =3D ++sadb_msg_seq;
+ 	smsg.sadb_msg_pid =3D pid;
+-	smsg.sadb_msg_len =3D sizeof(smsg) / 8;
++	smsg.sadb_msg_len =3D PFKEY_UNIT64(sizeof(smsg));
+ 	smsg.sadb_msg_type =3D mtype;
+ 	smsg.sadb_msg_satype =3D satype;
+=20
+@@ -143,7 +133,7 @@
+ 	case SADB_GETSPI:
+ 		bzero(&sa_spirange, sizeof(sa_spirange));
+ 		sa_spirange.sadb_spirange_exttype =3D SADB_EXT_SPIRANGE;
+-		sa_spirange.sadb_spirange_len =3D sizeof(sa_spirange) / 8;
++		sa_spirange.sadb_spirange_len =3D PFKEY_UNIT64(sizeof(sa_spirange));
+ 		sa_spirange.sadb_spirange_min =3D 0x100;
+ 		sa_spirange.sadb_spirange_max =3D 0xffffffff;
+ 		sa_spirange.sadb_spirange_reserved =3D 0;
+@@ -153,11 +143,12 @@
+ 	case SADB_DELETE:
+ 		bzero(&sa, sizeof(sa));
+ 		sa.sadb_sa_exttype =3D SADB_EXT_SA;
+-		sa.sadb_sa_len =3D sizeof(sa) / 8;
++		sa.sadb_sa_len =3D PFKEY_UNIT64(sizeof(sa));
+ 		sa.sadb_sa_replay =3D 0;
+ 		sa.sadb_sa_spi =3D spi;
+ 		sa.sadb_sa_state =3D SADB_SASTATE_MATURE;
+ 		break;
++#if 0
+ 	case SADB_X_ADDFLOW:
+ 	case SADB_X_DELFLOW:
+ 		bzero(&sa_flowtype, sizeof(sa_flowtype));
+@@ -172,35 +163,37 @@
+ 		sa_protocol.sadb_protocol_direction =3D 0;
+ 		sa_protocol.sadb_protocol_proto =3D 6;
+ 		break;
++#endif
+ 	}
+=20
+ 	bzero(&sa_src, sizeof(sa_src));
+ 	sa_src.sadb_address_exttype =3D SADB_EXT_ADDRESS_SRC;
+-	sa_src.sadb_address_len =3D (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
++	sa_src.sadb_address_len =3D PFKEY_UNIT64(sizeof(sa_src) + ROUNDUP(ssrc.s=
s_len));
+=20
+ 	bzero(&sa_dst, sizeof(sa_dst));
+ 	sa_dst.sadb_address_exttype =3D SADB_EXT_ADDRESS_DST;
+-	sa_dst.sadb_address_len =3D (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
++	sa_dst.sadb_address_len =3D PFKEY_UNIT64(sizeof(sa_dst) + ROUNDUP(sdst.s=
s_len));
+=20
+ 	sa.sadb_sa_auth =3D aalg;
+-	sa.sadb_sa_encrypt =3D SADB_X_EALG_AES; /* XXX */
++	sa.sadb_sa_encrypt =3D ealg; /* XXX */
+=20
+ 	switch (mtype) {
+ 	case SADB_ADD:
+ 	case SADB_UPDATE:
+ 		bzero(&sa_akey, sizeof(sa_akey));
+ 		sa_akey.sadb_key_exttype =3D SADB_EXT_KEY_AUTH;
+-		sa_akey.sadb_key_len =3D (sizeof(sa_akey) +
+-		    ((alen + 7) / 8) * 8) / 8;
++		sa_akey.sadb_key_len =3D PFKEY_UNIT64(sizeof(sa_akey) +
++		    (PFKEY_ALIGN8(alen)));
+ 		sa_akey.sadb_key_bits =3D 8 * alen;
+=20
+ 		bzero(&sa_ekey, sizeof(sa_ekey));
+ 		sa_ekey.sadb_key_exttype =3D SADB_EXT_KEY_ENCRYPT;
+-		sa_ekey.sadb_key_len =3D (sizeof(sa_ekey) +
+-		    ((elen + 7) / 8) * 8) / 8;
++		sa_ekey.sadb_key_len =3D PFKEY_UNIT64(sizeof(sa_ekey) +
++		    (PFKEY_ALIGN8(elen)));
+ 		sa_ekey.sadb_key_bits =3D 8 * elen;
+=20
+ 		break;
++#if 0
+ 	case SADB_X_ADDFLOW:
+ 	case SADB_X_DELFLOW:
+ 		/* sa_peer always points to the remote machine */
+@@ -220,8 +213,8 @@
  		sa_dst.sadb_address_exttype =3D SADB_X_EXT_DST_FLOW;
=20=20
  		bzero(&smask, sizeof(smask));
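Review bot: "sa.sadb_sa_encrypt =3D ealg; /* XXX */" keeps the XXX marker that flagged the old hard-coded SADB_X_EALG_AES; now that the caller passes the algorithm, drop the comment. The PFKEY_UNIT64 and PFKEY_ALIGN8 replacements for the "/ 8" and "((x + 7) / 8) * 8" arithmetic are equivalent and are the macros FreeBSD's net/pfkeyv2.h provides, so that part reads fine.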
@@ -89,7 +181,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
  			smask.ss_len =3D sizeof(struct sockaddr_in);
  			smask.ss_family =3D AF_INET;
  			memset(&((struct sockaddr_in *)&smask)->sin_addr,
=2D@@ -233,7 +224,7 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -233,7 +226,7 @@
  				    htons(0xffff);
  			}
  			break;
@@ -98,7 +190,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
  			smask.ss_len =3D sizeof(struct sockaddr_in6);
  			smask.ss_family =3D AF_INET6;
  			memset(&((struct sockaddr_in6 *)&smask)->sin6_addr,
=2D@@ -247,8 +238,8 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -247,8 +240,8 @@
  			break;
  		}
  		bzero(&dmask, sizeof(dmask));
@@ -109,7 +201,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
  			dmask.ss_len =3D sizeof(struct sockaddr_in);
  			dmask.ss_family =3D AF_INET;
  			memset(&((struct sockaddr_in *)&dmask)->sin_addr,
=2D@@ -260,7 +251,7 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -260,7 +253,7 @@
  				    htons(0xffff);
  			}
  			break;
@@ -118,7 +210,57 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
  			dmask.ss_len =3D sizeof(struct sockaddr_in6);
  			dmask.ss_family =3D AF_INET6;
  			memset(&((struct sockaddr_in6 *)&dmask)->sin6_addr,
=2D@@ -411,6 +402,33 @@ pfkey_send(int sd, uint8_t satype, uint8
+@@ -284,6 +277,7 @@
+ 		sa_dmask.sadb_address_len =3D
+ 		    (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8;
+ 		break;
++#endif
+ 	}
+=20
+ 	iov_cnt =3D 0;
+@@ -310,6 +304,7 @@
+ 		smsg.sadb_msg_len +=3D sa_spirange.sadb_spirange_len;
+ 		iov_cnt++;
+ 		break;
++#if 0
+ 	case SADB_X_ADDFLOW:
+ 		/* sa_peer always points to the remote machine */
+ 		iov[iov_cnt].iov_base =3D &sa_peer;
+@@ -351,6 +346,7 @@
+ 		smsg.sadb_msg_len +=3D sa_dmask.sadb_address_len;
+ 		iov_cnt++;
+ 		break;
++#endif
+ 	}
+=20
+ 	/* dest addr */
+@@ -380,7 +376,7 @@
+ 			iov[iov_cnt].iov_len =3D sizeof(sa_akey);
+ 			iov_cnt++;
+ 			iov[iov_cnt].iov_base =3D akey;
+-			iov[iov_cnt].iov_len =3D ((alen + 7) / 8) * 8;
++			iov[iov_cnt].iov_len =3D PFKEY_ALIGN8(alen);
+ 			smsg.sadb_msg_len +=3D sa_akey.sadb_key_len;
+ 			iov_cnt++;
+ 		}
+@@ -390,14 +386,14 @@
+ 			iov[iov_cnt].iov_len =3D sizeof(sa_ekey);
+ 			iov_cnt++;
+ 			iov[iov_cnt].iov_base =3D ekey;
+-			iov[iov_cnt].iov_len =3D ((elen + 7) / 8) * 8;
++			iov[iov_cnt].iov_len =3D PFKEY_ALIGN8(elen);
+ 			smsg.sadb_msg_len +=3D sa_ekey.sadb_key_len;
+ 			iov_cnt++;
+ 		}
+ 		break;
+ 	}
+=20
+-	len =3D smsg.sadb_msg_len * 8;
++	len =3D PFKEY_UNUNIT64(smsg.sadb_msg_len);
+ 	do {
+ 		n =3D writev(sd, iov, iov_cnt);
+ 	} while (n =3D=3D -1 && (errno =3D=3D EAGAIN || errno =3D=3D EINTR));
+@@ -411,6 +407,33 @@
  }
=20=20
  int
@@ -152,7 +294,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
  pfkey_reply(int sd, u_int32_t *spip)
  {
  	struct sadb_msg hdr, *msg;
=2D@@ -418,23 +436,13 @@ pfkey_reply(int sd, u_int32_t *spip)
+@@ -418,27 +441,17 @@
  	struct sadb_sa *sa;
  	u_int8_t *data;
  	ssize_t len;
@@ -161,10 +303,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
 -	for (;;) {
 -		if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) !=3D sizeof(hdr)) {
 -			log_warn("pfkey peek");
=2D+	do {
=2D+		rv =3D pfkey_read(sd, &hdr);
=2D+		if (rv =3D=3D -1)
=2D 			return (-1);
+-			return (-1);
 -		}
 -
 -		if (hdr.sadb_msg_seq =3D=3D sadb_msg_seq &&
@@ -174,14 +313,148 @@ diff -u -p -r1.1.1.6 -r1.1.1.9
 -		/* not ours, discard */
 -		if (read(sd, &hdr, sizeof(hdr)) =3D=3D -1) {
 -			log_warn("pfkey read");
=2D-			return (-1);
++	do {
++		rv =3D pfkey_read(sd, &hdr);
++		if (rv =3D=3D -1)
+ 			return (-1);
 -		}
 -	}
 +	} while (rv);
=20=20
  	if (hdr.sadb_msg_errno !=3D 0) {
  		errno =3D hdr.sadb_msg_errno;
=2D@@ -730,11 +738,9 @@ pfkey_init(struct bgpd_sysdep *sysdep)
+-		if (errno =3D=3D ESRCH)
++		if (errno =3D=3D ESRCH || errno =3D=3D EEXIST)
+ 			return (0);
+ 		else {
+ 			log_warn("pfkey");
+@@ -486,13 +499,8 @@
+ pfkey_sa_add(struct bgpd_addr *src, struct bgpd_addr *dst, u_int8_t keyle=
n,
+     char *key, u_int32_t *spi)
+ {
+-	if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_GETSPI, 0,
+-	    src, dst, 0, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
+-		return (-1);
+-	if (pfkey_reply(fd, spi) < 0)
+-		return (-1);
+-	if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_UPDATE, 0,
+-		src, dst, *spi, 0, keylen, key, 0, 0, NULL, 0, 0) < 0)
++	if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_ADD, 0,
++		src, dst, *spi, SADB_X_AALG_TCP_MD5, keylen, key, SADB_EALG_NONE, 0, NU=
LL, 0, 0) < 0)
+ 		return (-1);
+ 	if (pfkey_reply(fd, NULL) < 0)
+ 		return (-1);
+@@ -503,7 +511,7 @@
+ pfkey_sa_remove(struct bgpd_addr *src, struct bgpd_addr *dst, u_int32_t *=
spi)
+ {
+ 	if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_DELETE, 0,
+-	    src, dst, *spi, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
++	    src, dst, *spi, SADB_X_AALG_TCP_MD5, 0, NULL, 0, 0, NULL, 0, 0) < 0)
+ 		return (-1);
+ 	if (pfkey_reply(fd, NULL) < 0)
+ 		return (-1);
+@@ -511,37 +519,37 @@
+ 	return (0);
+ }
+=20
++#define TCP_SIG_SPI     0x1000
+ int
+ pfkey_md5sig_establish(struct peer *p)
+ {
+ 	sleep(1);
+=20
+-	if (!p->auth.spi_out)
+-		if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr,
+-		    p->conf.auth.md5key_len, p->conf.auth.md5key,
+-		    &p->auth.spi_out) =3D=3D -1)
+-			return (-1);
+-	if (!p->auth.spi_in)
+-		if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr,
+-		    p->conf.auth.md5key_len, p->conf.auth.md5key,
+-		    &p->auth.spi_in) =3D=3D -1)
+-			return (-1);
++	p->auth.spi_out =3D htonl(TCP_SIG_SPI);
++	if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr,
++	    p->conf.auth.md5key_len, p->conf.auth.md5key,
++	    &p->auth.spi_out) =3D=3D -1)
++		return (-1);
++	p->auth.spi_in =3D htonl(TCP_SIG_SPI);
++	if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr,
++	    p->conf.auth.md5key_len, p->conf.auth.md5key,
++	    &p->auth.spi_out) =3D=3D -1)
++		return (-1);
+=20
+ 	p->auth.established =3D 1;
+ 	return (0);
+ }
++#undef TCP_SIG_SPI
+=20
+ int
+ pfkey_md5sig_remove(struct peer *p)
+ {
+-	if (p->auth.spi_out)
+-		if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr,
+-		    &p->auth.spi_out) =3D=3D -1)
+-			return (-1);
+-	if (p->auth.spi_in)
+-		if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr,
+-		    &p->auth.spi_in) =3D=3D -1)
+-			return (-1);
++	if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr,
++	    &p->auth.spi_out) =3D=3D -1)
++		return (-1);
++	if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr,
++	    &p->auth.spi_in) =3D=3D -1)
++		return (-1);
+=20
+ 	p->auth.established =3D 0;
+ 	return (0);
+@@ -550,6 +558,7 @@
+ int
+ pfkey_ipsec_establish(struct peer *p)
+ {
++#if 0
+ 	uint8_t satype =3D SADB_SATYPE_ESP;
+=20
+ 	switch (p->auth.method) {
+@@ -621,6 +630,9 @@
+=20
+ 	p->auth.established =3D 1;
+ 	return (0);
++#else
++	return (-1);
++#endif
+ }
+=20
+ int
+@@ -660,6 +672,7 @@
+ 		break;
+ 	}
+=20
++#if 0
+ 	if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_OUT,
+ 	    &p->auth.local_addr, &p->conf.remote_addr, 0, BGP_PORT) < 0)
+ 		return (-1);
+@@ -681,6 +694,7 @@
+ 	if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_IN,
+ 	    &p->conf.remote_addr, &p->auth.local_addr, BGP_PORT, 0) < 0)
+ 		return (-1);
++#endif
+ 	if (pfkey_reply(fd, NULL) < 0)
+ 		return (-1);
+=20
+@@ -715,9 +729,7 @@
+ int
+ pfkey_remove(struct peer *p)
+ {
+-	if (!p->auth.established)
+-		return (0);
+-	else if (p->auth.method =3D=3D AUTH_MD5SIG)
++	if (p->auth.method =3D=3D AUTH_MD5SIG)
+ 		return (pfkey_md5sig_remove(p));
+ 	else
+ 		return (pfkey_ipsec_remove(p));
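Review bot: the second pfkey_sa_add call in pfkey_md5sig_establish (the one right after "p->auth.spi_in =3D htonl(TCP_SIG_SPI);") passes &p->auth.spi_out for the inbound SA; it should be &p->auth.spi_in. It only works because both SPIs are the same constant, and it would break the moment they differ. Two further points in this hunk. First, in pfkey_reply, treating EEXIST as success combined with SADB_ADD on a fixed SPI means that when an SA for that peer already exists with an older key, the new key is never installed and the daemon still reports the session as established; a changed md5key in bgpd.conf therefore only takes effect once the stale SA is removed, so either use SADB_UPDATE for an existing SPI or remove before adding. Second, pfkey_ipsec_establish now returns -1 under #else with no message at all, so a peer configured for IPsec authentication fails with no indication why; at least log_warnx that IPsec authentication is unsupported in this build, or reject the option at parse time. Dropping the "if (!p->auth.established)" guard in pfkey_remove is acceptable, since SADB_DELETE on a missing SA yields ESRCH, which pfkey_reply already maps to success.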
+@@ -730,11 +742,9 @@
  		if (errno =3D=3D EPROTONOSUPPORT) {
  			log_warnx("PF_KEY not available, disabling ipsec");
  			sysdep->no_pfkey =3D 1;
diff --git a/files/patch-bgpd_session.c b/files/patch-bgpd_session.c
index d043c44..66c05a9 100644
=2D-- a/files/patch-bgpd_session.c
+++ b/files/patch-bgpd_session.c
@@ -123,7 +123,7 @@ diff -u -p -r1.1.1.8 -r1.13
 +	int			 s;
 +
 +	/* Check if TCP_MD5SIG is supported. */
=2D+	s =3D socket(PF_LOCAL, SOCK_STREAM, 0);
++	s =3D socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
 +	if (s < 0)
 +		fatal("socket open for TCP_MD5SIG check");
 +	opt =3D TF_SIGNATURE;
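Review bot: correct fix. TCP_MD5SIG (TF_SIGNATURE) is a TCP-level socket option, so probing it on a PF_LOCAL stream socket cannot tell whether the kernel was built with TCP_SIGNATURE; a PF_INET/SOCK_STREAM/IPPROTO_TCP socket is the right thing to test. Make sure the probe socket is closed after the setsockopt check (that part is outside this hunk).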



And here's the diff between my final version of the FreeBSD port (above)
and the original pfsense port:


Attachment: fbsd-openbgpd-port-interdiff.patch (text/x-diff)

commit 0683cf3740e8971be752a8b6e8d67eac5903e9c6
Author: Antoine Beaupr=C3=A9 <anarcat@koumbit.org>
Date:   Thu Nov 28 14:24:02 2013 -0500

    minimise changes with existing FreeBSD port

diff --git a/Makefile b/Makefile
index 205ae89..5c0513a 100755
=2D-- a/Makefile
+++ b/Makefile
@@ -16,16 +16,6 @@ COMMENT=3D	Free implementation of the Border Gateway Pro=
tocol, Version 4
=20
 CONFLICTS=3D	zebra-[0-9]* quagga-[0-9]*
=20
=2DOPTIONS_DEFINE=3D	IPV6LLPEER
=2DOPTIONS_DEFAULT=3DIPV6LLPEER
=2DIPV6LLPEER_DESC=3DSupport nexthop using IPv6 link-local address
=2D
=2D.include <bsd.port.pre.mk>
=2D
=2D.if ${OSVERSION} < 700000
=2DBROKEN=3D		does not build
=2D.endif
=2D
 WRKSRC=3D		${WRKDIR}
 MANCOMPRESSED=3D	yes
 USE_RC_SUBR=3D	${PORTNAME}
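Review bot: dropping the ".if ${OSVERSION} < 700000" BROKEN guard is right (that release line is long out of support, and the FreeBSD port never had it), and moving OPTIONS_DEFINE down to where the current port keeps it is what makes the interdiff small. Nothing to change here.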
@@ -37,7 +27,13 @@ GROUPS=3D		_bgpd
 MAN5=3D		bgpd.conf.5
 MAN8=3D		bgpctl.8 bgpd.8
=20
=2D.if !defined(WITHOUT_IPV6LLPEER)
+OPTIONS_DEFINE=3D	IPV6LLPEER
+OPTIONS_DEFAULT=3DIPV6LLPEER
+IPV6LLPEER_DESC=3DSupport nexthop using IPv6 link-local address
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MIPV6LLPEER}
 MAKE_ARGS=3D	-DIPV6_LINKLOCAL_PEER
 .endif
=20
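Review bot: ".if ${PORT_OPTIONS:MIPV6LLPEER}" after ".include <bsd.port.options.mk>" is the current options idiom and correctly replaces the obsolete "!defined(WITHOUT_IPV6LLPEER)" test; the include stays before the .if as it must. Good.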
@@ -47,7 +43,4 @@ post-patch:
 		${WRKSRC}/bgpd/bgpd.conf.5		\
 		${WRKSRC}/bgpctl/bgpctl.8
=20
=2Dpost-install:
=2D	@${CAT} ${PKGMESSAGE}
=2D
=2D.include <bsd.port.post.mk>
+.include <bsd.port.mk>
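Review bot: removing the post-install that cats ${PKGMESSAGE} is fine as long as the ports framework's own pkg-message display still covers it (SUB_FILES=3Dpkg-message is kept earlier in the Makefile); verify with a test install that the message is printed exactly once. Collapsing bsd.port.pre.mk/bsd.port.post.mk into a single bsd.port.mk include is consistent with the OSVERSION test being gone.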


This was done to avoid introducing unnecessary changes into the port. I
confirm the port works with or without that patch, however, so I am not
sure it is necessary.

Last thoughts before I file that pr?

A.

-- 
It's all too easy, once the wars are over,
to go and shout that it was the last one.
Bourgeois friends, how I envy you;
can you not see your cemeteries?
                        - Jacques Brel
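Added example, not part of the thread: the verification Ermal suggests, scripted. The dump below is a constructed imitation of FreeBSD's `setkey -D` output (documentation-range addresses, key "secret"); on a real router, pipe the live `setkey -D` output into the function instead. The function reports whether both TCP-MD5 SAs that OpenBGPD installs for a neighbour (local to peer and peer to local) are present.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a `setkey -D` dump for the
# pair of TCP-MD5 security associations that OpenBGPD installs for one
# neighbour. SAMPLE_DUMP is CONSTRUCTED to resemble FreeBSD setkey output;
# the third SA (esp) is there to show that non-TCP-MD5 entries are ignored.

SAMPLE_DUMP='192.0.2.1 192.0.2.2
	tcp-md5 spi=4096(0x00001000) reqid=0(0x00000000)
	A: tcp-md5  73656372 6574
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
192.0.2.2 192.0.2.1
	tcp-md5 spi=4096(0x00001000) reqid=0(0x00000000)
	A: tcp-md5  73656372 6574
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
198.51.100.7 198.51.100.9
	esp mode=transport spi=1234(0x000004d2) reqid=0(0x00000000)
	E: aes-cbc  0f0e0d0c 0b0a0908 07060504 03020100
	seq=0x00000000 replay=0 flags=0x00000040 state=mature'

# md5_sa_state LOCAL PEER  (reads a setkey -D dump on stdin)
# Prints "both", "outbound-only", "inbound-only" or "none" depending on
# which tcp-md5 SAs exist between the two addresses.
md5_sa_state() {
    awk -v local="$1" -v peer="$2" '
        # An SA block starts with an unindented "src dst" line.
        /^[^ \t]/ { src = $1; dst = $2; next }
        # The first indented line of a block names the SA type; only
        # tcp-md5 entries count (the "A: tcp-md5" key line has $1 == "A:").
        $1 == "tcp-md5" && src == local && dst == peer { out = 1 }
        $1 == "tcp-md5" && src == peer  && dst == local { in_ = 1 }
        END {
            if (out && in_) print "both"
            else if (out)   print "outbound-only"
            else if (in_)   print "inbound-only"
            else            print "none"
        }'
}

# Stand-alone run against the constructed dump.
printf '%s\n' "$SAMPLE_DUMP" | md5_sa_state 192.0.2.1 192.0.2.2
```

`setkey -D` prints the MD5 key in hex on the "A:" line, so treat saved dumps as secrets and redact them before attaching one to a PR.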



