Date: Tue, 25 Jul 2006 20:46:20 +0200 (CEST)
From: Daniel Roethlisberger <daniel@roe.ch>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: daniel@roe.ch
Subject: ports/100814: [PATCH] security/vpnc - add NAT keepalive capability
Message-ID: <200607251846.k6PIkK7p006937@marvin.roe>
Resent-Message-ID: <200607251850.k6PIoFru093834@freefall.freebsd.org>
>Number: 100814
>Category: ports
>Synopsis: [PATCH] security/vpnc - add NAT keepalive capability
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 25 18:50:12 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Daniel Roethlisberger
>Release: FreeBSD 6.1-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD marvin.roe 6.1-RELEASE-p1 FreeBSD 6.1-RELEASE-p1 #3: Wed Jun 7 23:57:16 CEST 2006 root@marvin.roe:/usr/obj/usr/src/sys/IBMTPX40 i386
>Description:
Add files/patch-tunip.c

This patch gives vpnc NAT keepalive capability as per RFC 3947. It will make vpnc automatically send NAT keepalives if UDP encapsulation is used, which will prevent NAT mappings from timing out on NAT routers.

A similar patch has been pending for upstream inclusion since January, so I think it makes sense to at least give FreeBSD users a more NAT-T compliant vpnc. Upstream developers don't seem to be actively working on vpnc at the moment.
>How-To-Repeat:
>Fix:
--- vpnc-0.3.3_2-nat-keepalives.diff begins here ---
diff -ruN vpnc.bak/Makefile vpnc/Makefile --- vpnc.bak/Makefile Sat May 13 06:15:18 2006 +++ vpnc/Makefile Tue Jul 25 20:16:06 2006 @@ -7,7 +7,7 @@ PORTNAME= vpnc PORTVERSION= 0.3.3 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MASTER_SITES= http://www.unix-ag.uni-kl.de/~massar/vpnc/ diff -ruN vpnc.bak/files/patch-tunip.c vpnc/files/patch-tunip.c --- vpnc.bak/files/patch-tunip.c Thu Jan 1 01:00:00 1970 +++ vpnc/files/patch-tunip.c Tue Jul 25 20:11:13 2006 
@@ -0,0 +1,48 @@ +Index: tunip.c +=================================================================== +--- tunip.c (revision 67) ++++ tunip.c (working copy) +@@ -3,6 +3,7 @@ + Copyright (C) 2002 Geoffrey Keating + Copyright (C) 2003-2005 Maurice Massar + Copyright (C) 2004 Tomas Mraz ++ Copyright (C) 2006 Daniel Roethlisberger + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -776,7 +777,16 @@ + { + int sock; + struct pollfd pollfds[2]; ++ int enable_keepalives; ++ int poll_timeout; + ++ /* non-esp marker, nat keepalive payload (0xFF) */ ++ char keepalive[5] = { 0x00, 0x00, 0x00, 0x00, 0xFF }; ++ ++ /* send keepalives if UDP encapsulation is enabled */ ++ enable_keepalives = !strcmp(meth->name, "udpesp"); ++ poll_timeout = enable_keepalives ? 20000 : -1; ++ + pollfds[0].fd = tun_fd; + pollfds[0].events = POLLIN; + pollfds[1].fd = encap_get_fd(meth); +@@ -786,8 +796,16 @@ + int presult; + + do { +- presult = poll(pollfds, sizeof(pollfds) / sizeof(pollfds[0]), -1); +- } while (presult == -1 && errno == EINTR && !do_kill); ++ presult = poll(pollfds, sizeof(pollfds) / sizeof(pollfds[0]), poll_timeout); ++ if (presult == 0 && enable_keepalives) { ++ /* send nat keepalive packet */ ++ if(sendto(meth->fd, keepalive, sizeof(keepalive), 0, ++ (struct sockaddr*)&peer->remote_sa->dest, ++ sizeof(peer->remote_sa->dest)) == -1) { ++ syslog(LOG_ERR, "sendto: %m"); ++ } ++ } ++ } while ((presult == 0 || (presult == -1 && errno == EINTR)) && !do_kill); + if (presult == -1) { + syslog(LOG_ERR, "poll: %m"); + continue; --- vpnc-0.3.3_2-nat-keepalives.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
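Review bot: the keepalive buffer declared in the `@@ -776,7 +777,16 @@` hunk is five bytes, a four-byte non-ESP marker followed by 0xFF, but RFC 3948 section 2.3 defines the NAT-keepalive as a one-octet payload of 0xFF, and a receiver following section 2.2 would read the four zero bytes as the non-ESP marker and then try to parse the 0xFF as the start of an IKE packet. Unless the peer is known to require the marker, please send a single byte, e.g. `unsigned char keepalive[1] = { 0xFF };`. Using `unsigned char` rather than `char` also avoids the implementation-defined conversion of 0xFF into a possibly signed `char`.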
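Review bot: in the `@@ -786,8 +796,16 @@` hunk the keepalive is sent through `meth->fd`, while the poll set is filled from `encap_get_fd(meth)` in the context lines just above; using the accessor in both places keeps the two from drifting apart. The interval is also hard-coded as `poll_timeout = enable_keepalives ? 20000 : -1;`, whereas NAT binding timeouts differ between routers, so a config option, or at least a named constant, would help users behind aggressive NATs. Finally, a persistent `sendto` failure will log `sendto: %m` on every timeout; consider rate-limiting that message so a broken link does not flood syslog.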
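As an added example (not part of this PR and not vpnc code), the C below shows how an RFC 3948 receiver on the NAT-T port tells a NAT-keepalive apart from IKE and ESP, what a conforming sender emits, and the idle-timer semantics that the patch's poll() timeout gives: the clock restarts on traffic in either direction and a keepalive is due only after a full silent interval. The sample payloads are constructed, and all function, type and enum names are my own.

```c
#include <stddef.h>
#include <stdio.h>

/* Classification of a UDP payload received on the NAT-T port, following
 * RFC 3948 sections 2.1 to 2.3. Added example; names are hypothetical. */
enum natt_kind {
    NATT_KEEPALIVE,   /* exactly one octet, 0xFF: the receiver should ignore it */
    NATT_IKE,         /* four zero octets (non-ESP marker), then an IKE header */
    NATT_ESP,         /* anything else: the first four octets are the ESP SPI */
    NATT_MALFORMED    /* too short to be any of the above */
};

enum natt_kind natt_classify(const unsigned char *buf, size_t len)
{
    if (len == 1)
        return buf[0] == 0xFF ? NATT_KEEPALIVE : NATT_MALFORMED;
    /* ESP (SPI) and the non-ESP marker both need a 4-octet prefix; a real
       receiver would also require a full IKE or ESP header behind it */
    if (len < 4)
        return NATT_MALFORMED;
    /* RFC 3948 reserves SPI 0 on this port, so four zero octets can only
       be the non-ESP marker */
    if (buf[0] == 0 && buf[1] == 0 && buf[2] == 0 && buf[3] == 0)
        return NATT_IKE;
    return NATT_ESP;
}

/* Build the keepalive an RFC 3948 sender must emit: one 0xFF octet.
 * Returns the payload length to hand to sendto(). */
size_t natt_build_keepalive(unsigned char *buf, size_t cap)
{
    if (cap < 1)
        return 0;
    buf[0] = 0xFF;
    return 1;
}

/* Keepalive scheduling with the semantics of a poll() timeout. */
struct ka_timer {
    int  enabled;       /* non-zero when UDP encapsulation is in use */
    long interval_ms;   /* 20000 in the PR's patch */
    long idle_ms;       /* silence accumulated so far */
};

/* Account for elapsed_ms of wall time. saw_traffic is non-zero when a
 * tunnel or socket packet woke the loop. Returns 1 when a keepalive
 * should be sent now, 0 otherwise. */
int ka_advance(struct ka_timer *t, long elapsed_ms, int saw_traffic)
{
    if (!t->enabled)
        return 0;
    if (saw_traffic) {
        t->idle_ms = 0;         /* any packet refreshes the NAT mapping */
        return 0;
    }
    t->idle_ms += elapsed_ms;
    if (t->idle_ms >= t->interval_ms) {
        t->idle_ms = 0;         /* the keepalive itself counts as traffic */
        return 1;
    }
    return 0;
}

int main(void)
{
    /* constructed sample payloads, not captured traffic */
    static const unsigned char rfc_ka[]   = { 0xFF };
    static const unsigned char five_byte[] = { 0x00, 0x00, 0x00, 0x00, 0xFF };
    static const unsigned char esp_like[] = { 0x12, 0x34, 0x56, 0x78, 0x00, 0x00, 0x00, 0x01 };
    static const char *names[] = { "keepalive", "ike", "esp", "malformed" };
    unsigned char out[8];
    struct ka_timer t = { 1, 20000, 0 };

    printf("one-octet 0xFF      : %s\n", names[natt_classify(rfc_ka, sizeof rfc_ka)]);
    printf("marker + 0xFF       : %s\n", names[natt_classify(five_byte, sizeof five_byte)]);
    printf("SPI-led packet      : %s\n", names[natt_classify(esp_like, sizeof esp_like)]);
    printf("sender emits %zu byte(s)\n", natt_build_keepalive(out, sizeof out));
    printf("20 s idle -> send?  : %d\n", ka_advance(&t, 20000, 0));
    return 0;
}
```

Running it shows that the five-byte form (marker plus 0xFF) lands in the IKE branch of the classifier, while the one-octet form is recognised as a keepalive; `ka_advance` reproduces the behaviour of a poll() timeout without touching sockets, which makes the interval logic easy to unit-test.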
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200607251846.k6PIkK7p006937>