In NAT-T transport mode, allow a client to open a new connection just after

closing another. It worked only in tunnel mode before. Submitted by: Andreas Longwitz <longwitz@incore.de> MFC after: 1M
author: vanhu <vanhu@FreeBSD.org> 2012-09-12 12:14:50 +0000
committer: vanhu <vanhu@FreeBSD.org> 2012-09-12 12:14:50 +0000
commit: 05d54cfa61ef04e334ab3137b05cb4021e4f8515 (patch)
tree: fee41eb2966c532ca3b1c97906ca7cb945bbb1d0 /sys/netipsec
parent: 79c15f9ce38820ed21ddefdf5d13b559194d2ec7 (diff)
download: FreeBSD-src-05d54cfa61ef04e334ab3137b05cb4021e4f8515.zip
FreeBSD-src-05d54cfa61ef04e334ab3137b05cb4021e4f8515.tar.gz
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 0e8e493..bda5d41 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -4055,10 +4055,12 @@ key_cmpsaidx(
 		/*
 		 * If NAT-T is enabled, check ports for tunnel mode.
 		 * Do not check ports if they are set to zero in the SPD.
-		 * Also do not do it for transport mode, as there is no
-		 * port information available in the SP.
+		 * Also do not do it for native transport mode, as there
+		 * is no port information available in the SP.
 		 */
-		if (saidx1->mode == IPSEC_MODE_TUNNEL &&
+		if ((saidx1->mode == IPSEC_MODE_TUNNEL ||
+		     (saidx1->mode == IPSEC_MODE_TRANSPORT &&
+		      saidx1->proto == IPPROTO_ESP)) &&
 		    saidx1->src.sa.sa_family == AF_INET &&
 		    saidx1->dst.sa.sa_family == AF_INET &&
 		    ((const struct sockaddr_in *)(&saidx1->src))->sin_port &&
author	vanhu <vanhu@FreeBSD.org>	2012-09-12 12:14:50 +0000
committer	vanhu <vanhu@FreeBSD.org>	2012-09-12 12:14:50 +0000
commit	05d54cfa61ef04e334ab3137b05cb4021e4f8515 (patch)
tree	fee41eb2966c532ca3b1c97906ca7cb945bbb1d0 /sys/netipsec
parent	79c15f9ce38820ed21ddefdf5d13b559194d2ec7 (diff)
download	FreeBSD-src-05d54cfa61ef04e334ab3137b05cb4021e4f8515.zip FreeBSD-src-05d54cfa61ef04e334ab3137b05cb4021e4f8515.tar.gz