diff options
author | Matt Smith <mgsmith@netgate.com> | 2015-11-18 10:33:19 -0600 |
---|---|---|
committer | Matt Smith <mgsmith@netgate.com> | 2015-11-18 10:33:19 -0600 |
commit | d5d10e4185496ca8044ec0453c93da00ec176f75 (patch) | |
tree | 7e41bf1d0588ae41aa9b44792fa68ebde6cfd133 | |
parent | a631092e193ac7a3aa5b4b9d554c494e6d43bf7b (diff) | |
download | FreeBSD-src-d5d10e4185496ca8044ec0453c93da00ec176f75.zip FreeBSD-src-d5d10e4185496ca8044ec0453c93da00ec176f75.tar.gz |
Importing pfSense patch patch_bugzilla_192774.diff
-rw-r--r-- | sys/netipsec/key.c | 61 |
1 files changed, 56 insertions, 5 deletions
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c index 2792915..b589172 100644 --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -6279,6 +6279,9 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp) u_int8_t satype; int error = -1; u_int32_t seq; + u_int16_t ul_proto; + union sockaddr_union addr; + u_int8_t mask; IPSEC_ASSERT(saidx != NULL, ("null saidx")); satype = key_proto2satype(saidx->proto); @@ -6320,17 +6323,65 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp) * anything related to NAT-T at this time. */ - /* set sadb_address for saidx's. */ - m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, - &saidx->src.sa, FULLMASK, IPSEC_ULPROTO_ANY); + /* + * set sadb_address for saidx's. + * + * Note that if sp is supplied, then we're being called from + * key_checkrequest and should supply port and protocol information. + */ + ul_proto = IPSEC_ULPROTO_ANY; + if (sp && (sp->spidx.ul_proto == IPPROTO_TCP + || sp->spidx.ul_proto == IPPROTO_UDP)) + ul_proto = sp->spidx.ul_proto; + + addr = saidx->src; + mask = FULLMASK; + if (ul_proto != IPSEC_ULPROTO_ANY) { + switch (sp->spidx.src.sa.sa_family) { + case AF_INET: + if (sp->spidx.src.sin.sin_port != IPSEC_PORT_ANY) { + addr.sin.sin_port = sp->spidx.src.sin.sin_port; + mask = sp->spidx.prefs; + } + break; + case AF_INET6: + if (sp->spidx.src.sin6.sin6_port != IPSEC_PORT_ANY) { + addr.sin6.sin6_port = sp->spidx.src.sin6.sin6_port; + mask = sp->spidx.prefs; + } + break; + default: + break; + } + } + m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &addr.sa, mask, ul_proto); if (!m) { error = ENOBUFS; goto fail; } m_cat(result, m); - m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, - &saidx->dst.sa, FULLMASK, IPSEC_ULPROTO_ANY); + addr = saidx->dst; + mask = FULLMASK; + if (ul_proto != IPSEC_ULPROTO_ANY) { + switch (sp->spidx.dst.sa.sa_family) { + case AF_INET: + if (sp->spidx.dst.sin.sin_port != IPSEC_PORT_ANY) { + addr.sin.sin_port = sp->spidx.dst.sin.sin_port; + mask = sp->spidx.prefd; + } + break; + case AF_INET6: + if (sp->spidx.dst.sin6.sin6_port != IPSEC_PORT_ANY) { + addr.sin6.sin6_port = sp->spidx.dst.sin6.sin6_port; + mask = sp->spidx.prefd; + } + break; + default: + break; + } + } + m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &addr.sa, mask, ul_proto); if (!m) { error = ENOBUFS; goto fail; |