FAST_IPSEC NAT-T support
Larry Baird
lab at gta.com
Fri Sep 15 06:14:32 PDT 2006
On Thu, Sep 14, 2006 at 09:43:38PM -0400, Scott Ullrich wrote:
> On 9/14/06, Larry Baird <lab at gta.com> wrote:
> > Please find attached two patches for adding FAST_IPSEC NAT-T support to
> > FreeBSD 6.x. The patch "freebsd6-fastipsec-natt.diff" is dependent
> > upon Yvan's IPSEC NAT-T patch "freebsd6-natt.diff" which can be found at
> > http://ipsec-tools.cvs.sourceforge.net/ipsec-tools/htdocs/. The second
> > patch "freebsd6-ipsec-fastipsec-natt.diff" is a cumulative patch
> > combining both patches together.
>
> This is great! It compiles on FreeBSD 6.1 when you include options
> IPSEC_NAT_T but when you fail to include this item "options
> IPSEC_NAT_T" in addition to including "options FAST_IPSEC" you end up
> with:
>
> cc -c -O -pipe -Wall -Wredundant-decls -Wnested-externs
> -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline
> -Wcast-qual -fformat-extensions -std=c99 -g -nostdinc -I- -I.
> -I/usr/src/sys -I/usr/src/sys/contrib/altq
> -I/usr/src/sys/contrib/ipfilter -I/usr/src/sys/contrib/pf
> -I/usr/src/sys/contrib/dev/ath -I/usr/src/sys/contrib/dev/ath/freebsd
> -I/usr/src/sys/contrib/ngatm -I/usr/src/sys/dev/twa -D_KERNEL
> -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common
> -finline-limit=8000 --param inline-unit-growth=100 --param
> large-function-growth=1000 -mno-align-long-strings
> -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2
> -ffreestanding -Werror /usr/src/sys/netipsec/key.c
> /usr/src/sys/netipsec/key.c: In function `key_spdadd':
> /usr/src/sys/netipsec/key.c:1867: error: `isr' undeclared (first use
> in this function)
> /usr/src/sys/netipsec/key.c:1867: error: (Each undeclared identifier
> is reported only once
> /usr/src/sys/netipsec/key.c:1867: error: for each function it appears in.)
> *** Error code 1
>
> Stop in /usr/obj/usr/src/sys/pfSense.6.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
>
> Meanwhile I have a new version of pfSense out asking for testing. We
> seem to have a large base of users requesting this option so hopefully
> I can get some meaningful testing information for you soon.
It looks like the problem code is not needed. I was so busy focusing
on getting NAT-T working with FAST_IPSEC that I didn't notice this part
of the non-NAT-T case in the IPSEC NAT-T patch. Remove the section
starting with "#ifndef IPSEC_NAT_T" at line 1866, or run the attached
patch. I'll update the full patch shortly.
Larry
--
------------------------------------------------------------------------
Larry Baird | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: lab at gta.com | TEL 407-380-0220, FAX 407-380-6080
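The block the attached patch deletes is the only place in the non-NAT-T build where key_spdadd() refuses a tunnel-mode policy whose selector carries a port. The program below is an added example (not part of this thread, the patch, or the FreeBSD tree) that restates that check in user space so its behaviour can be exercised before deciding whether to drop it; the `demo_policy`/`demo_req` structs and the helper names are assumptions standing in for the kernel's secpolicy/ipsecrequest and the PF_KEY address extensions.

```c
/* Added example: user-space restatement of the "port spec is not permitted
 * for tunnel mode" check from key_spdadd(). Struct and function names below
 * are illustrative stand-ins, not the kernel's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define IPSEC_MODE_TRANSPORT 1
#define IPSEC_MODE_TUNNEL    2

/* One entry of the policy's request chain (stand-in for struct ipsecrequest). */
struct demo_req {
    int mode;
    struct demo_req *next;
};

/* The policy plus the src/dst selector addresses from the SPD message
 * (stand-in for newsp together with the src0/dst0 sadb_address payloads). */
struct demo_policy {
    struct sockaddr_storage src;
    struct sockaddr_storage dst;
    struct demo_req *req;
};

/* Port of an AF_INET/AF_INET6 sockaddr in host order; 0 for other families. */
static unsigned sa_port(const struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:
        return ntohs(((const struct sockaddr_in *)sa)->sin_port);
    case AF_INET6:
        return ntohs(((const struct sockaddr_in6 *)sa)->sin6_port);
    default:
        return 0;
    }
}

/* Same walk as the removed loop: if any request in the chain is tunnel mode
 * and either selector address specifies a port, reject with EINVAL. */
int check_tunnel_ports(const struct demo_policy *sp)
{
    const struct demo_req *isr;
    for (isr = sp->req; isr != NULL; isr = isr->next) {
        if (isr->mode != IPSEC_MODE_TUNNEL)
            continue;
        if (sa_port((const struct sockaddr *)&sp->src) != 0 ||
            sa_port((const struct sockaddr *)&sp->dst) != 0)
            return EINVAL;
    }
    return 0;
}

/* Constructed sample endpoints (documentation addresses, not real hosts). */
static void set_v4(struct sockaddr_storage *ss, const char *ip, unsigned port)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)ss;
    memset(ss, 0, sizeof(*ss));
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    inet_pton(AF_INET, ip, &sin->sin_addr);
}

static void set_v6(struct sockaddr_storage *ss, const char *ip, unsigned port)
{
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof(*ss));
    sin6->sin6_family = AF_INET6;
    sin6->sin6_port = htons(port);
    inet_pton(AF_INET6, ip, &sin6->sin6_addr);
}

/* Build a two-request chain (transport first, then `mode`) over a v4 or v6
 * selector with the given ports, and run the check on it. Returns 0 or EINVAL. */
int demo_policy(int mode, int v6, unsigned sport, unsigned dport)
{
    struct demo_req second = { mode, NULL };
    struct demo_req first = { IPSEC_MODE_TRANSPORT, &second };
    struct demo_policy sp;
    sp.req = &first;
    if (v6) {
        set_v6(&sp.src, "2001:db8::1", sport);
        set_v6(&sp.dst, "2001:db8::2", dport);
    } else {
        set_v4(&sp.src, "192.0.2.1", sport);
        set_v4(&sp.dst, "192.0.2.2", dport);
    }
    return check_tunnel_ports(&sp);
}

int main(void)
{
    printf("tunnel, no ports:        %d\n", demo_policy(IPSEC_MODE_TUNNEL, 0, 0, 0));
    printf("tunnel, dst port 500:    %d\n", demo_policy(IPSEC_MODE_TUNNEL, 0, 0, 500));
    printf("tunnel v6, src port 500: %d\n", demo_policy(IPSEC_MODE_TUNNEL, 1, 500, 0));
    printf("transport only, ports:   %d\n", demo_policy(IPSEC_MODE_TRANSPORT, 1, 500, 4500));
    return 0;
}
```

With the check in place, only the transport-only chain and the port-less tunnel chain are accepted; once the `#ifndef IPSEC_NAT_T` block is deleted, the two rejected cases above would be installed into the SPD without error in a FAST_IPSEC kernel built without NAT-T.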
-------------- next part --------------
Index: key.c
===================================================================
--- key.c (revision 8199)
+++ key.c (working copy)
@@ -1876,52 +1876,6 @@
return key_senderror(so, m, error);
}
-#ifndef IPSEC_NAT_T
- for (isr = newsp->req; isr; isr = isr->next) {
- struct sockaddr *sa;
-
- /*
- * port spec is not permitted for tunnel mode
- */
- if (isr->saidx.mode == IPSEC_MODE_TUNNEL && src0 && dst0) {
- sa = (struct sockaddr *)(src0 + 1);
- switch (sa->sa_family) {
- case AF_INET:
- if (((struct sockaddr_in *)sa)->sin_port) {
- keydb_delsecpolicy(newsp);
- return key_senderror(so, m, EINVAL);
- }
- break;
- case AF_INET6:
- if (((struct sockaddr_in6 *)sa)->sin6_port) {
- keydb_delsecpolicy(newsp);
- return key_senderror(so, m, EINVAL);
- }
- break;
- default:
- break;
- }
- sa = (struct sockaddr *)(dst0 + 1);
- switch (sa->sa_family) {
- case AF_INET:
- if (((struct sockaddr_in *)sa)->sin_port) {
- keydb_delsecpolicy(newsp);
- return key_senderror(so, m, EINVAL);
- }
- break;
- case AF_INET6:
- if (((struct sockaddr_in6 *)sa)->sin6_port) {
- keydb_delsecpolicy(newsp);
- return key_senderror(so, m, EINVAL);
- }
- break;
- default:
- break;
- }
- }
- }
-#endif /* !IPSEC_NAT_T */
-
if ((newsp->id = key_getnewspid()) == 0) {
_key_delsp(newsp);
return key_senderror(so, m, ENOBUFS);
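Review bot: this hunk fixes the "`isr' undeclared" build error by deleting the whole `#ifndef IPSEC_NAT_T` block, which also removes the only rejection of a tunnel-mode policy whose src/dst selector carries a port in the non-NAT-T build; if that restriction is still wanted there, the smaller fix is to keep the block and add the missing declaration for `isr` (the chain it walks hangs off `newsp->req`), or else state in the commit message that port selectors on tunnel-mode policies are now accepted without NAT-T. Note also that the removed code released the policy with `keydb_delsecpolicy(newsp)` while the surviving error path just below uses `_key_delsp(newsp)`; whichever version of the check is kept should use the same cleanup as its neighbours. The header `--- key.c (revision 8199)` is relative to a private checkout rather than `sys/netipsec/key.c`, so testers applying it to /usr/src will need to cd into sys/netipsec first.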