From owner-svn-ports-all@freebsd.org Wed Mar 27 08:56:38 2019
Message-Id: <201903270856.x2R8uZhC040308@repo.freebsd.org>
From: Eugene Grosbein
Date: Wed, 27 Mar 2019 08:56:35 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r496938 - in head/security/ipsec-tools: . files
X-SVN-Group: ports-head
X-SVN-Commit-Author: eugen
X-SVN-Commit-Paths: in head/security/ipsec-tools: . files
X-SVN-Commit-Revision: 496938
X-SVN-Commit-Repository: ports
List-Id: SVN commit messages for the ports tree

Author: eugen
Date: Wed Mar 27 08:56:35 2019
New Revision: 496938
URL: https://svnweb.freebsd.org/changeset/ports/496938

Log:
  security/ipsec-tools: small correction to NATT patch

  This change fixes a rare case for "site to site" IPSec tunnel mode when the remote peer is behind NAT and has its own LAN behind it. Now this works too (previously NATT worked only for a single host behind NAT).

Modified:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/files/natt.diff

Modified: head/security/ipsec-tools/Makefile ============================================================================== --- head/security/ipsec-tools/Makefile Wed Mar 27 08:36:30 2019 (r496937) +++ head/security/ipsec-tools/Makefile Wed Mar 27 08:56:35 2019 (r496938)
@@ -8,7 +8,7 @@ PORTNAME= ipsec-tools PORTVERSION= 0.8.2 -PORTREVISION= 7 +PORTREVISION= 8 CATEGORIES= security MASTER_SITES= SF Modified: head/security/ipsec-tools/files/natt.diff ============================================================================== --- head/security/ipsec-tools/files/natt.diff Wed Mar 27 08:36:30 2019 (r496937) +++ head/security/ipsec-tools/files/natt.diff Wed Mar 27 08:56:35 2019 (r496938) @@ -82,12 +82,14 @@ return pfkey_send_add2(&psaa); --- src/racoon/isakmp_quick.c +++ src/racoon/isakmp_quick.c -@@ -2390,6 +2390,32 @@ get_proposal_r(iph2) +@@ -2390,6 +2390,34 @@ spidx.src.ss_family, spidx.dst.ss_family, _XIDT(iph2->id_p),idi2type); } +#ifdef ENABLE_NATT -+ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { ++ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER ++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV4_ADDR_SUBNET ++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV6_ADDR_SUBNET) { + u_int16_t port; + + port = extract_port(&spidx.src);
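Review bot: in the natt.diff hunk, the new guard inspects only the local phase-2 selector (`_XIDT(iph2->id)`), while the log message describes the remote peer behind NAT having its own LAN; if the intent is to skip the NAT-T port rewrite whenever either side negotiates a subnet selector, the peer ID (`iph2->id_p`, already referenced in the context line just above) should be tested as well, otherwise the log message should say that it is the local subnet selector that matters. Also consider writing the first term as `(iph2->ph1->natt_flags & NAT_DETECTED_PEER)` now that it is combined with `&&`; it is correct as written because `&` binds tighter than `&&`, but the precedence is easy to misread. The inner hunk header change from `+2390,32` to `+2390,34` matches the two lines inserted, and the PORTREVISION bump in the Makefile hunk is the right accompaniment for a change to files/natt.diff.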