Date: Thu, 28 Nov 2013 14:31:11 -0500
From: Antoine Beaupré <anarcat@koumbit.org>
To: Ermal Luçi <eri@freebsd.org>
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: Re: OpenBGPd + TCP-MD5 sig fails after a few weeks
Message-ID: <87bo14pbls.fsf@marcos.anarc.at>
In-Reply-To: <CAPBZQG28ZLpU7bgGgj2_SynVeVr5k59_Ydd8d=PD-+qNCZwn9g@mail.gmail.com>
References: <87zjoqu3wr.fsf@marcos.anarc.at> <CAPBZQG192HxfHfCj7zkWO-Ot95+Y7vr8VJ47OyzNhD2jxuZTKg@mail.gmail.com> <874n6xu31q.fsf@marcos.anarc.at> <CAPBZQG17w218wB3SsJ8rvCLzP4hKz4N5=zE-YLnMws5H-x2_FQ@mail.gmail.com> <87ob54pndw.fsf@marcos.anarc.at> <CAPBZQG28ZLpU7bgGgj2_SynVeVr5k59_Ydd8d=PD-+qNCZwn9g@mail.gmail.com>
On 2013-11-28 13:14:18, Ermal Luçi wrote:
> Can you show your related config to this!
> The only other thing I can think of is that since the daemon is inserting
> policies you have to define
> local-address $your-local-ip
>
> So the SPD policy is generated correctly.

Ah! That was it!!!

Without local-address, I get this:

pfkey: Invalid argument
neighbor 38.104.152.101 (Cogent): pfkey setup failed

With local-address, it just works!

> You can verify the generated policy using setkey utility.

I confirm the policy is properly installed by the pfsense port, if and only if local-address is specified.

Next step would be to file a PR to update the port! I have tried to factor in a patch that merges the pfsense port into the FreeBSD port with minimal changes; would you mind reviewing it before I send it?

Here's the patch to the FreeBSD port:

[attachment: fbsd-openbgpd-port-setkey.patch]

diff --git a/Makefile b/Makefile old mode 100644 new mode 100755 index d39d87d..5c0513a =2D-- a/Makefile +++ b/Makefile @@ -1,4 +1,5 @@ =2D# $FreeBSD: net/openbgpd/Makefile 330656 2013-10-17 16:47:58Z ohauer $ +# Created by: Florent Thoumie <flz@FreeBSD.org> +# $FreeBSD: ports/net/openbgpd/Makefile,v 1.35 2012/12/24 12:56:29 svnexp = Exp $ =20 PORTNAME=3D openbgpd PORTVERSION=3D 5.2.20121209 @@ -8,6 +9,7 @@ MASTER_SITE_SUBDIR=3D OpenBGPD DISTNAME=3D ${PORTNAME}-4.6 EXTRACT_SUFX=3D .tgz DIST_SUBDIR=3D ${PORTNAME} +NO_STAGE=3D yes =20 MAINTAINER=3D hrs@FreeBSD.org COMMENT=3D Free implementation of the Border Gateway Protocol, Version 4 
@@ -15,13 +17,16 @@ COMMENT=3D Free implementation of the Border Gateway Pr= otocol, Version 4 CONFLICTS=3D zebra-[0-9]* quagga-[0-9]* =20 WRKSRC=3D ${WRKDIR} +MANCOMPRESSED=3D yes USE_RC_SUBR=3D ${PORTNAME} =2DPLIST_FILES=3D sbin/bgpctl sbin/bgpd man/man5/bgpd.conf.5.gz \ =2D man/man8/bgpctl.8.gz man/man8/bgpd.8.gz +PLIST_FILES=3D sbin/bgpctl sbin/bgpd SUB_FILES=3D pkg-message USERS=3D _bgpd GROUPS=3D _bgpd =20 +MAN5=3D bgpd.conf.5 +MAN8=3D bgpctl.8 bgpd.8 + OPTIONS_DEFINE=3D IPV6LLPEER OPTIONS_DEFAULT=3DIPV6LLPEER IPV6LLPEER_DESC=3DSupport nexthop using IPv6 link-local address diff --git a/files/openbgpd.in b/files/openbgpd.in index f1b904e..fc6642e 100644 =2D-- a/files/openbgpd.in +++ b/files/openbgpd.in @@ -1,6 +1,6 @@ #!/bin/sh # =2D# $FreeBSD: net/openbgpd/files/openbgpd.in 302141 2012-08-05 23:19:36Z d= ougb $ +# $FreeBSD: ports/net/openbgpd/files/openbgpd.in,v 1.2 2012/11/17 06:00:08= svnexp Exp $ # =20 # PROVIDE: bgpd diff --git a/files/patch-bgpd_Makefile b/files/patch-bgpd_Makefile index f946c92..fc27014 100644 =2D-- a/files/patch-bgpd_Makefile +++ b/files/patch-bgpd_Makefile @@ -1,11 +1,5 @@ =2DIndex: bgpd/Makefile =2D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =2DRCS file: /home/cvs/private/hrs/openbgpd/bgpd/Makefile,v =2Dretrieving revision 1.1.1.2 =2Dretrieving revision 1.9 =2Ddiff -u -p -r1.1.1.2 -r1.9 =2D--- bgpd/Makefile 9 Jul 2009 16:49:54 -0000 1.1.1.2 =2D+++ bgpd/Makefile 13 Oct 2012 18:36:00 -0000 1.9 +--- bgpd/Makefile.orig 2013-02-21 19:20:05.000000000 +0000 ++++ bgpd/Makefile 2013-02-21 19:20:54.000000000 +0000 @@ -1,15 +1,25 @@ # $OpenBSD: Makefile,v 1.28 2009/06/25 14:14:54 deraadt Exp $ =20=20 
@@ -17,9 +11,8 @@ diff -u -p -r1.1.1.2 -r1.9 -SRCS=3D bgpd.c buffer.c session.c log.c parse.y config.c imsg.c \ +SRCS=3D bgpd.c session.c log.c parse.y config.c \ rde.c rde_rib.c rde_decide.c rde_prefix.c mrt.c kroute.c \ =2D- control.c pfkey.c rde_update.c rde_attr.c printconf.c \ + control.c pfkey.c rde_update.c rde_attr.c printconf.c \ - rde_filter.c pftable.c name2id.c util.c carp.c timer.c =2D+ control.c pfkey_compat.c rde_update.c rde_attr.c printconf.c \ + rde_filter.c pftable.c name2id.c util.c carp.c timer.c \ + imsg.c imsg-buffer.c CFLAGS+=3D -Wall -I${.CURDIR} diff --git a/files/patch-bgpd_pfkey.c b/files/patch-bgpd_pfkey.c index 7ad7548..224298f 100644 =2D-- a/files/patch-bgpd_pfkey.c +++ b/files/patch-bgpd_pfkey.c @@ -1,26 +1,41 @@ =2DIndex: bgpd/pfkey.c =2D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =2DRCS file: /home/cvs/private/hrs/openbgpd/bgpd/pfkey.c,v =2Dretrieving revision 1.1.1.6 =2Dretrieving revision 1.1.1.9 =2Ddiff -u -p -r1.1.1.6 -r1.1.1.9 =2D--- bgpd/pfkey.c 14 Feb 2010 20:19:57 -0000 1.1.1.6 =2D+++ bgpd/pfkey.c 13 Oct 2012 18:22:44 -0000 1.1.1.9 +diff -ur bgpd.orig/pfkey.c bgpd/pfkey.c +--- bgpd.orig/pfkey.c 2013-03-15 12:07:16.000000000 +0000 ++++ bgpd/pfkey.c 2013-03-15 12:07:47.000000000 +0000 
@@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.37 2009/04/21 15:25:52 henning Exp $ */ +/* $OpenBSD: pfkey.c,v 1.40 2009/12/14 17:38:18 claudio Exp $ */ =20=20 /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> =2D@@ -74,6 +74,7 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -21,7 +21,7 @@ + #include <sys/socket.h> + #include <sys/uio.h> + #include <net/pfkeyv2.h> +-#include <netinet/ip_ipsp.h> ++//#include <netinet/ip_ipsp.h> + #include <ctype.h> + #include <errno.h> + #include <limits.h> +@@ -65,15 +65,15 @@ + { + struct sadb_msg smsg; + struct sadb_sa sa; +- struct sadb_address sa_src, sa_dst, sa_peer, sa_smask, sa_dmask; ++ struct sadb_address sa_src, sa_dst; + struct sadb_key sa_akey, sa_ekey; + struct sadb_spirange sa_spirange; +- struct sadb_protocol sa_flowtype, sa_protocol; + struct iovec iov[IOV_CNT]; + ssize_t n; int len =3D 0; int iov_cnt; =2D struct sockaddr_storage ssrc, sdst, speer, smask, dmask; +- struct sockaddr_storage ssrc, sdst, speer, smask, dmask; ++ struct sockaddr_storage ssrc, sdst, smask, dmask; + struct sockaddr *saptr; =20=20 if (!pid) pid =3D getpid(); =2D@@ -81,22 +82,17 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -81,22 +81,17 @@ /* we need clean sockaddr... no ports set */ bzero(&ssrc, sizeof(ssrc)); bzero(&smask, sizeof(smask)); @@ -49,7 +64,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 ssrc.ss_len =3D sizeof(struct sockaddr); break; default: =2D@@ -107,22 +103,17 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -107,22 +102,17 @@ =20=20 bzero(&sdst, sizeof(sdst)); bzero(&dmask, sizeof(dmask)); 
@@ -78,7 +93,84 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 sdst.ss_len =3D sizeof(struct sockaddr); break; default: =2D@@ -220,8 +211,8 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -135,7 +125,7 @@ + smsg.sadb_msg_version =3D PF_KEY_V2; + smsg.sadb_msg_seq =3D ++sadb_msg_seq; + smsg.sadb_msg_pid =3D pid; +- smsg.sadb_msg_len =3D sizeof(smsg) / 8; ++ smsg.sadb_msg_len =3D PFKEY_UNIT64(sizeof(smsg)); + smsg.sadb_msg_type =3D mtype; + smsg.sadb_msg_satype =3D satype; +=20 +@@ -143,7 +133,7 @@ + case SADB_GETSPI: + bzero(&sa_spirange, sizeof(sa_spirange)); + sa_spirange.sadb_spirange_exttype =3D SADB_EXT_SPIRANGE; +- sa_spirange.sadb_spirange_len =3D sizeof(sa_spirange) / 8; ++ sa_spirange.sadb_spirange_len =3D PFKEY_UNIT64(sizeof(sa_spirange)); + sa_spirange.sadb_spirange_min =3D 0x100; + sa_spirange.sadb_spirange_max =3D 0xffffffff; + sa_spirange.sadb_spirange_reserved =3D 0; +@@ -153,11 +143,12 @@ + case SADB_DELETE: + bzero(&sa, sizeof(sa)); + sa.sadb_sa_exttype =3D SADB_EXT_SA; +- sa.sadb_sa_len =3D sizeof(sa) / 8; ++ sa.sadb_sa_len =3D PFKEY_UNIT64(sizeof(sa)); + sa.sadb_sa_replay =3D 0; + sa.sadb_sa_spi =3D spi; + sa.sadb_sa_state =3D SADB_SASTATE_MATURE; + break; ++#if 0 + case SADB_X_ADDFLOW: + case SADB_X_DELFLOW: + bzero(&sa_flowtype, sizeof(sa_flowtype)); +@@ -172,35 +163,37 @@ + sa_protocol.sadb_protocol_direction =3D 0; + sa_protocol.sadb_protocol_proto =3D 6; + break; ++#endif + } +=20 + bzero(&sa_src, sizeof(sa_src)); + sa_src.sadb_address_exttype =3D SADB_EXT_ADDRESS_SRC; +- sa_src.sadb_address_len =3D (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; ++ sa_src.sadb_address_len =3D PFKEY_UNIT64(sizeof(sa_src) + ROUNDUP(ssrc.s= s_len)); +=20 + bzero(&sa_dst, sizeof(sa_dst)); + sa_dst.sadb_address_exttype =3D SADB_EXT_ADDRESS_DST; +- sa_dst.sadb_address_len =3D (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; ++ sa_dst.sadb_address_len =3D PFKEY_UNIT64(sizeof(sa_dst) + ROUNDUP(sdst.s= s_len)); +=20 + sa.sadb_sa_auth =3D aalg; +- sa.sadb_sa_encrypt =3D SADB_X_EALG_AES; 
/* XXX */ ++ sa.sadb_sa_encrypt =3D ealg; /* XXX */ +=20 + switch (mtype) { + case SADB_ADD: + case SADB_UPDATE: + bzero(&sa_akey, sizeof(sa_akey)); + sa_akey.sadb_key_exttype =3D SADB_EXT_KEY_AUTH; +- sa_akey.sadb_key_len =3D (sizeof(sa_akey) + +- ((alen + 7) / 8) * 8) / 8; ++ sa_akey.sadb_key_len =3D PFKEY_UNIT64(sizeof(sa_akey) + ++ (PFKEY_ALIGN8(alen))); + sa_akey.sadb_key_bits =3D 8 * alen; +=20 + bzero(&sa_ekey, sizeof(sa_ekey)); + sa_ekey.sadb_key_exttype =3D SADB_EXT_KEY_ENCRYPT; +- sa_ekey.sadb_key_len =3D (sizeof(sa_ekey) + +- ((elen + 7) / 8) * 8) / 8; ++ sa_ekey.sadb_key_len =3D PFKEY_UNIT64(sizeof(sa_ekey) + ++ (PFKEY_ALIGN8(elen))); + sa_ekey.sadb_key_bits =3D 8 * elen; +=20 + break; ++#if 0 + case SADB_X_ADDFLOW: + case SADB_X_DELFLOW: + /* sa_peer always points to the remote machine */ +@@ -220,8 +213,8 @@ sa_dst.sadb_address_exttype =3D SADB_X_EXT_DST_FLOW; =20=20 bzero(&smask, sizeof(smask)); @@ -89,7 +181,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 smask.ss_len =3D sizeof(struct sockaddr_in); smask.ss_family =3D AF_INET; memset(&((struct sockaddr_in *)&smask)->sin_addr, =2D@@ -233,7 +224,7 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -233,7 +226,7 @@ htons(0xffff); } break; @@ -98,7 +190,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 smask.ss_len =3D sizeof(struct sockaddr_in6); smask.ss_family =3D AF_INET6; memset(&((struct sockaddr_in6 *)&smask)->sin6_addr, =2D@@ -247,8 +238,8 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -247,8 +240,8 @@ break; } bzero(&dmask, sizeof(dmask)); @@ -109,7 +201,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 dmask.ss_len =3D sizeof(struct sockaddr_in); dmask.ss_family =3D AF_INET; memset(&((struct sockaddr_in *)&dmask)->sin_addr, =2D@@ -260,7 +251,7 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -260,7 +253,7 @@ htons(0xffff); } break; 
@@ -118,7 +210,57 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 dmask.ss_len =3D sizeof(struct sockaddr_in6); dmask.ss_family =3D AF_INET6; memset(&((struct sockaddr_in6 *)&dmask)->sin6_addr, =2D@@ -411,6 +402,33 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -284,6 +277,7 @@ + sa_dmask.sadb_address_len =3D + (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; + break; ++#endif + } +=20 + iov_cnt =3D 0; +@@ -310,6 +304,7 @@ + smsg.sadb_msg_len +=3D sa_spirange.sadb_spirange_len; + iov_cnt++; + break; ++#if 0 + case SADB_X_ADDFLOW: + /* sa_peer always points to the remote machine */ + iov[iov_cnt].iov_base =3D &sa_peer; +@@ -351,6 +346,7 @@ + smsg.sadb_msg_len +=3D sa_dmask.sadb_address_len; + iov_cnt++; + break; ++#endif + } +=20 + /* dest addr */ +@@ -380,7 +376,7 @@ + iov[iov_cnt].iov_len =3D sizeof(sa_akey); + iov_cnt++; + iov[iov_cnt].iov_base =3D akey; +- iov[iov_cnt].iov_len =3D ((alen + 7) / 8) * 8; ++ iov[iov_cnt].iov_len =3D PFKEY_ALIGN8(alen); + smsg.sadb_msg_len +=3D sa_akey.sadb_key_len; + iov_cnt++; + } +@@ -390,14 +386,14 @@ + iov[iov_cnt].iov_len =3D sizeof(sa_ekey); + iov_cnt++; + iov[iov_cnt].iov_base =3D ekey; +- iov[iov_cnt].iov_len =3D ((elen + 7) / 8) * 8; ++ iov[iov_cnt].iov_len =3D PFKEY_ALIGN8(elen); + smsg.sadb_msg_len +=3D sa_ekey.sadb_key_len; + iov_cnt++; + } + break; + } +=20 +- len =3D smsg.sadb_msg_len * 8; ++ len =3D PFKEY_UNUNIT64(smsg.sadb_msg_len); + do { + n =3D writev(sd, iov, iov_cnt); + } while (n =3D=3D -1 && (errno =3D=3D EAGAIN || errno =3D=3D EINTR)); +@@ -411,6 +407,33 @@ } =20=20 int @@ -152,7 +294,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 pfkey_reply(int sd, u_int32_t *spip) { struct sadb_msg hdr, *msg; =2D@@ -418,23 +436,13 @@ pfkey_reply(int sd, u_int32_t *spip) +@@ -418,27 +441,17 @@ struct sadb_sa *sa; u_int8_t *data; ssize_t len; 
@@ -161,10 +303,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 - for (;;) { - if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) !=3D sizeof(hdr)) { - log_warn("pfkey peek"); =2D+ do { =2D+ rv =3D pfkey_read(sd, &hdr); =2D+ if (rv =3D=3D -1) =2D return (-1); +- return (-1); - } - - if (hdr.sadb_msg_seq =3D=3D sadb_msg_seq && 
@@ -174,14 +313,148 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 - /* not ours, discard */ - if (read(sd, &hdr, sizeof(hdr)) =3D=3D -1) { - log_warn("pfkey read"); =2D- return (-1); ++ do { ++ rv =3D pfkey_read(sd, &hdr); ++ if (rv =3D=3D -1) + return (-1); - } - } + } while (rv); =20=20 if (hdr.sadb_msg_errno !=3D 0) { errno =3D hdr.sadb_msg_errno; =2D@@ -730,11 +738,9 @@ pfkey_init(struct bgpd_sysdep *sysdep) +- if (errno =3D=3D ESRCH) ++ if (errno =3D=3D ESRCH || errno =3D=3D EEXIST) + return (0); + else { + log_warn("pfkey"); +@@ -486,13 +499,8 @@ + pfkey_sa_add(struct bgpd_addr *src, struct bgpd_addr *dst, u_int8_t keyle= n, + char *key, u_int32_t *spi) + { +- if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_GETSPI, 0, +- src, dst, 0, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0) +- return (-1); +- if (pfkey_reply(fd, spi) < 0) +- return (-1); +- if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_UPDATE, 0, +- src, dst, *spi, 0, keylen, key, 0, 0, NULL, 0, 0) < 0) ++ if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_ADD, 0, ++ src, dst, *spi, SADB_X_AALG_TCP_MD5, keylen, key, SADB_EALG_NONE, 0, NU= LL, 0, 0) < 0) + return (-1); + if (pfkey_reply(fd, NULL) < 0) + return (-1); +@@ -503,7 +511,7 @@ + pfkey_sa_remove(struct bgpd_addr *src, struct bgpd_addr *dst, u_int32_t *= spi) + { + if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_DELETE, 0, +- src, dst, *spi, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0) ++ src, dst, *spi, SADB_X_AALG_TCP_MD5, 0, NULL, 0, 0, NULL, 0, 0) < 0) + return (-1); + if (pfkey_reply(fd, NULL) < 0) + return (-1); +@@ -511,37 +519,37 @@ + return (0); + } +=20 ++#define TCP_SIG_SPI 0x1000 + int + pfkey_md5sig_establish(struct peer *p) + { + sleep(1); +=20 +- if (!p->auth.spi_out) +- if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr, +- p->conf.auth.md5key_len, p->conf.auth.md5key, +- &p->auth.spi_out) =3D=3D -1) +- return (-1); +- if (!p->auth.spi_in) +- if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr, +- p->conf.auth.md5key_len, 
p->conf.auth.md5key, +- &p->auth.spi_in) =3D=3D -1) +- return (-1); ++ p->auth.spi_out =3D htonl(TCP_SIG_SPI); ++ if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr, ++ p->conf.auth.md5key_len, p->conf.auth.md5key, ++ &p->auth.spi_out) =3D=3D -1) ++ return (-1); ++ p->auth.spi_in =3D htonl(TCP_SIG_SPI); ++ if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr, ++ p->conf.auth.md5key_len, p->conf.auth.md5key, ++ &p->auth.spi_out) =3D=3D -1) ++ return (-1); +=20 + p->auth.established =3D 1; + return (0); + } ++#undef TCP_SIG_SPI +=20 + int + pfkey_md5sig_remove(struct peer *p) + { +- if (p->auth.spi_out) +- if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr, +- &p->auth.spi_out) =3D=3D -1) +- return (-1); +- if (p->auth.spi_in) +- if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr, +- &p->auth.spi_in) =3D=3D -1) +- return (-1); ++ if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr, ++ &p->auth.spi_out) =3D=3D -1) ++ return (-1); ++ if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr, ++ &p->auth.spi_in) =3D=3D -1) ++ return (-1); +=20 + p->auth.established =3D 0; + return (0); +@@ -550,6 +558,7 @@ + int + pfkey_ipsec_establish(struct peer *p) + { ++#if 0 + uint8_t satype =3D SADB_SATYPE_ESP; +=20 + switch (p->auth.method) { +@@ -621,6 +630,9 @@ +=20 + p->auth.established =3D 1; + return (0); ++#else ++ return (-1); ++#endif + } +=20 + int +@@ -660,6 +672,7 @@ + break; + } +=20 ++#if 0 + if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_OUT, + &p->auth.local_addr, &p->conf.remote_addr, 0, BGP_PORT) < 0) + return (-1); +@@ -681,6 +694,7 @@ + if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_IN, + &p->conf.remote_addr, &p->auth.local_addr, BGP_PORT, 0) < 0) + return (-1); ++#endif + if (pfkey_reply(fd, NULL) < 0) + return (-1); +=20 +@@ -715,9 +729,7 @@ + int + pfkey_remove(struct peer *p) + { +- if (!p->auth.established) +- return (0); +- else if (p->auth.method =3D=3D AUTH_MD5SIG) ++ if 
(p->auth.method =3D=3D AUTH_MD5SIG) + return (pfkey_md5sig_remove(p)); + else + return (pfkey_ipsec_remove(p)); +@@ -730,11 +742,9 @@ if (errno =3D=3D EPROTONOSUPPORT) { log_warnx("PF_KEY not available, disabling ipsec"); sysdep->no_pfkey =3D 1; diff --git a/files/patch-bgpd_session.c b/files/patch-bgpd_session.c index d043c44..66c05a9 100644 =2D-- a/files/patch-bgpd_session.c +++ b/files/patch-bgpd_session.c @@ -123,7 +123,7 @@ diff -u -p -r1.1.1.8 -r1.13 + int s; + + /* Check if TCP_MD5SIG is supported. */ =2D+ s =3D socket(PF_LOCAL, SOCK_STREAM, 0); ++ s =3D socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); + if (s < 0) + fatal("socket open for TCP_MD5SIG check"); + opt =3D TF_SIGNATURE; --=-=-= And here's the diff between my final version of the FreeBSD port (above) and the original pfsense port: --=-=-= Content-Type: text/x-diff; charset=utf-8 Content-Disposition: inline; filename=fbsd-openbgpd-port-interdiff.patch Content-Transfer-Encoding: quoted-printable commit 0683cf3740e8971be752a8b6e8d67eac5903e9c6 Author: Antoine Beaupr=C3=A9 <anarcat@koumbit.org> Date: Thu Nov 28 14:24:02 2013 -0500 minimise changes with existing FreeBSD port diff --git a/Makefile b/Makefile index 205ae89..5c0513a 100755 =2D-- a/Makefile +++ b/Makefile @@ -16,16 +16,6 @@ COMMENT=3D Free implementation of the Border Gateway Pro= tocol, Version 4 =20 CONFLICTS=3D zebra-[0-9]* quagga-[0-9]* =20 =2DOPTIONS_DEFINE=3D IPV6LLPEER =2DOPTIONS_DEFAULT=3DIPV6LLPEER =2DIPV6LLPEER_DESC=3DSupport nexthop using IPv6 link-local address =2D =2D.include <bsd.port.pre.mk> =2D =2D.if ${OSVERSION} < 700000 =2DBROKEN=3D does not build =2D.endif =2D WRKSRC=3D ${WRKDIR} MANCOMPRESSED=3D yes USE_RC_SUBR=3D ${PORTNAME} 
@@ -37,7 +27,13 @@ GROUPS=3D _bgpd MAN5=3D bgpd.conf.5 MAN8=3D bgpctl.8 bgpd.8 =20 =2D.if !defined(WITHOUT_IPV6LLPEER) +OPTIONS_DEFINE=3D IPV6LLPEER +OPTIONS_DEFAULT=3DIPV6LLPEER +IPV6LLPEER_DESC=3DSupport nexthop using IPv6 link-local address + +.include <bsd.port.options.mk> + +.if ${PORT_OPTIONS:MIPV6LLPEER} MAKE_ARGS=3D -DIPV6_LINKLOCAL_PEER .endif =20 @@ -47,7 +43,4 @@ post-patch: ${WRKSRC}/bgpd/bgpd.conf.5 \ ${WRKSRC}/bgpctl/bgpctl.8 =20 =2Dpost-install: =2D @${CAT} ${PKGMESSAGE} =2D =2D.include <bsd.port.post.mk> +.include <bsd.port.mk>

This was done to avoid introducing unnecessary changes into the port. I confirm the port works with or without that patch, however, so I am not sure it is necessary.

Last thoughts before I file that PR?

A.

-- 
It's too easy, once the wars are over,
to go shouting that it was the last one.
Bourgeois friends, how I envy you:
can you really not see your cemeteries?
- Jacques Brel
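Review bot: the Makefile hunks in fbsd-openbgpd-port-setkey.patch undo the port's staging conversion instead of fixing TCP-MD5: they add `NO_STAGE=3D yes`, move the man pages out of PLIST_FILES back into `MAN5=3D`/`MAN8=3D` with `MANCOMPRESSED=3D yes`, replace the current `$FreeBSD: net/openbgpd/Makefile 330656 ...` tag with the older CVS-style one carried over from the pfSense copy, and flip the file mode from 100644 to 100755; the files/openbgpd.in hunk likewise only swaps the $FreeBSD$ tag. None of that is needed for the pfkey fix, so keep the existing header, mode and PLIST_FILES and limit the change to files/patch-*.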
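Review bot: in the pfkey_md5sig_establish hunk of files/patch-bgpd_pfkey.c the second pfkey_sa_add call (the inbound SA, remote_addr to local_addr) passes `&p->auth.spi_out`, where the removed code passed `&p->auth.spi_in`; it only works because both fields were just set to `htonl(TCP_SIG_SPI)`, so fix the copy-paste to `&p->auth.spi_in` before the two values ever differ. The `#define TCP_SIG_SPI 0x1000` / `#undef TCP_SIG_SPI` pair wrapped around the function would also read better as one definition near the top of the file.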
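Review bot: the pfkey_reply hunk turns `if (errno =3D=3D ESRCH)` into `if (errno =3D=3D ESRCH || errno =3D=3D EEXIST)` and returns success for both, while pfkey_sa_add now sends a single SADB_ADD with the fixed SPI instead of SADB_GETSPI followed by SADB_UPDATE. An SADB_ADD that fails with EEXIST means an SA for that address pair already exists and the key carried in the message was not installed, so after a md5 key change in bgpd.conf the peer would be reported as established while the kernel keeps the old key. Use SADB_UPDATE for the existing-SA case, or at least log the EEXIST instead of treating it as success; the removal of the `if (!p->auth.established) return (0);` guard in pfkey_remove relies on the same silent-ESRCH path and deserves a comment saying so.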
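Review bot: in the pfkey_ipsec_remove hunks the pfkey_flow calls are fenced with `#if 0 ... #endif` but the `if (pfkey_reply(fd, NULL) < 0)` that follows the `#endif` is kept, so the function now waits for a reply to a message it never sent (or consumes a reply meant for another request); pfkey_ipsec_establish is disabled the same way and unconditionally returns -1. If IPsec-mode authentication is not supported on FreeBSD, return early from both functions or reject the ipsec auth method when the configuration is parsed, rather than leaving an orphaned pfkey_reply. On the same file, `++//#include <netinet/ip_ipsp.h>` should simply drop the line instead of leaving a commented-out include in the patch.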
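Review bot: the files/patch-bgpd_session.c change from `socket(PF_LOCAL, SOCK_STREAM, 0)` to `socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)` is the right fix for the TCP_MD5SIG capability probe, since the option is only meaningful on a TCP socket; note that it only proves support for AF_INET, so the result should not be taken as covering IPv6 neighbors.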
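Review bot: the interdiff (fbsd-openbgpd-port-interdiff.patch) only moves the OPTIONS block after the MAN variables, switches from `bsd.port.pre.mk` / `.if !defined(WITHOUT_IPV6LLPEER)` / `bsd.port.post.mk` to `bsd.port.options.mk` / `.if ${PORT_OPTIONS:MIPV6LLPEER}` / `bsd.port.mk`, and drops the `post-install: @${CAT} ${PKGMESSAGE}` target and the `OSVERSION < 700000` BROKEN check. Since the port builds either way, this part is worth keeping: it is what brings the Makefile in line with the existing FreeBSD port's option handling, which is the stated goal of the commit.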
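As an added example (not code from this thread or from OpenBGPD), a pre-flight check for the failure described at the top of the mail: it parses a simplified bgpd.conf (global statements, `group "name" { }` and `neighbor ADDR { }` blocks, with `local-address` and `tcp md5sig` inherited from the enclosing group and global scope, an assumption of this parser) and lists every neighbor that enables `tcp md5sig` without an effective `local-address`, the combination that makes bgpd's pfkey SA setup fail with "pfkey: Invalid argument".

```python
import re

GROUP_RE = re.compile(r'^group\s+"([^"]*)"\s*\{?$')
NEIGHBOR_RE = re.compile(r"^neighbor\s+(\S+)\s*\{?$")

def md5sig_neighbors_without_local_address(conf_text):
    """Return neighbor addresses with tcp md5sig but no effective local-address."""
    global_scope = {"local": None, "md5": False}
    groups = {}       # group name -> settings written at group level
    neighbors = []    # (address, enclosing group or None, own settings)
    cur_group = cur_neighbor = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        g = GROUP_RE.match(line)
        if g:
            cur_group = g.group(1)
            groups[cur_group] = {"local": None, "md5": False}
            continue
        n = NEIGHBOR_RE.match(line)
        if n:
            cur_neighbor = {"local": None, "md5": False}
            neighbors.append((n.group(1), cur_group, cur_neighbor))
            if not line.endswith("{"):    # bare neighbor line, no block
                cur_neighbor = None
            continue
        if line == "}":
            if cur_neighbor is None:      # no open neighbor: this closes the group
                cur_group = None
            cur_neighbor = None
            continue
        # any other statement belongs to the innermost open scope
        target = cur_neighbor or (groups[cur_group] if cur_group else global_scope)
        if line.startswith("local-address "):
            target["local"] = line.split(None, 1)[1]
        elif line.startswith("tcp md5sig"):
            target["md5"] = True
    bad = []
    for addr, grp, own in neighbors:
        # a setting in any enclosing scope applies, like bgpd's inheritance
        scopes = [own] + ([groups[grp]] if grp else []) + [global_scope]
        if any(s["md5"] for s in scopes) and not any(s["local"] for s in scopes):
            bad.append(addr)
    return bad

# Constructed sample bgpd.conf (not from the thread): the group-level local-address covers neighbor .1, neighbor .2 has none.
SAMPLE_CONF = """\
group "upstream" {
    remote-as 65001
    local-address 192.0.2.1
    neighbor 198.51.100.1 {
        tcp md5sig password "constructed-secret"
    }
}
neighbor 198.51.100.2 {
    remote-as 65002
    tcp md5sig password "constructed-secret"
}
"""

if __name__ == "__main__":
    for addr in md5sig_neighbors_without_local_address(SAMPLE_CONF):
        print(f"neighbor {addr}: tcp md5sig without local-address, pfkey SA setup will fail")
```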