authorbz <bz@FreeBSD.org>2014-05-24 09:29:23 +0000
committerbz <bz@FreeBSD.org>2014-05-24 09:29:23 +0000
commit7d2507a09db7441bf0ec5a2b33729f964a99d074 (patch)
tree46c3baf3c113fd81530c2f2c0c756733869e2691 /sys/netipsec/key.c
parent27e67c684930841dc6c8c6368797b68b057fbc8d (diff)
Only do a ports check if this is a NAT-T SA. Otherwise other
lookups providing ports may get unexpected results.

MFC After: 2 weeks
Diffstat (limited to 'sys/netipsec/key.c')
-rw-r--r--sys/netipsec/key.c26
1 files changed, 20 insertions, 6 deletions
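diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 0cc35dd..ea03471 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -1086,7 +1086,9 @@ key_allocsa(
 struct secasvar *sav;
 u_int stateidx, arraysize, state;
 const u_int *saorder_state_valid;
- int chkport;
+#ifdef IPSEC_NAT_T
+ int natt_chkport;
+#endif
 IPSEC_ASSERT(dst != NULL, ("null dst address"));
@@ -1094,11 +1096,9 @@ key_allocsa(
 printf("DP %s from %s:%u\n", __func__, where, tag));
 #ifdef IPSEC_NAT_T
- chkport = (dst->sa.sa_family == AF_INET &&
+ natt_chkport = (dst->sa.sa_family == AF_INET &&
 dst->sa.sa_len == sizeof(struct sockaddr_in) &&
 dst->sin.sin_port != 0);
-#else
- chkport = 0;
 #endif
 /*
@@ -1116,6 +1116,8 @@ key_allocsa(
 arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
 }
 LIST_FOREACH(sah, &V_sahtree, chain) {
+ int checkport;
+
 /* search valid state */
 for (stateidx = 0; stateidx < arraysize; stateidx++) {
 state = saorder_state_valid[stateidx];
@@ -1130,13 +1132,25 @@ key_allocsa(
 continue;
 if (spi != sav->spi)
 continue;
+ checkport = 0;
+#ifdef IPSEC_NAT_T
+ /*
+ * Really only check ports when this is a NAT-T
+ * SA. Otherwise other lookups providing ports
+ * might suffer.
+ */
+ if (sav->natt_type && natt_chkport)
+ checkport = 1;
+#endif
 #if 0 /* don't check src */
 /* check src address */
- if (key_sockaddrcmp(&src->sa, &sav->sah->saidx.src.sa, chkport) != 0)
+ if (key_sockaddrcmp(&src->sa,
+ &sav->sah->saidx.src.sa, checkport) != 0)
 continue;
 #endif
 /* check dst address */
- if (key_sockaddrcmp(&dst->sa, &sav->sah->saidx.dst.sa, chkport) != 0)
+ if (key_sockaddrcmp(&dst->sa,
+ &sav->sah->saidx.dst.sa, checkport) != 0)
 continue;
 sa_addref(sav);
 goto done;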
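Review bot: The new per-SA `checkport` in the last hunk is a pure function of `sav->natt_type` and the caller-derived `natt_chkport`, so the zero-initialisation plus `#ifdef`-guarded `if` can collapse to a single assignment under the existing guard, `checkport = (sav->natt_type != 0 && natt_chkport);`, which makes it harder for a later edit to leave `checkport` stale across the two `key_sockaddrcmp` calls; `checkport` could also be declared at that point inside the inner `for` rather than at the top of the `LIST_FOREACH` body, where the first hunk of the `LIST_FOREACH` hunk puts it. The rationale comment says only that other lookups "might suffer"; spelling out the actual effect, as the commit message does, would help the next reader, e.g. `/* Compare ports only for NAT-T SAs: a port in dst from a non-NAT-T caller would otherwise reject a matching SA. */`, and the function-level comment on key_allocsa (outside this hunk) presumably still describes the old unconditional port check and would need the same update. The `#if 0` src-address block was kept in step with the new argument even though it is never compiled; if that check is not intended to return, dropping it is cleaner than maintaining dead code. The LIST_FOREACH body and key_allocsa both continue past the hunk.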