From owner-freebsd-net@FreeBSD.ORG  Fri Sep 15 13:14:32 2006
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2DE3F16A403
	for <freebsd-net@freebsd.org>; Fri, 15 Sep 2006 13:14:32 +0000 (UTC)
	(envelope-from lab@gta.com)
Received: from gta.com (gta-edge-199-20.gta.com [199.120.225.20])
	by mx1.FreeBSD.org (Postfix) with SMTP id 688D443D45
	for <freebsd-net@freebsd.org>; Fri, 15 Sep 2006 13:14:31 +0000 (GMT)
	(envelope-from lab@gta.com)
Received: (qmail 63933 invoked by uid 1000); 15 Sep 2006 13:14:30 -0000
Date: Fri, 15 Sep 2006 09:14:30 -0400
From: Larry Baird <lab@gta.com>
To: Scott Ullrich <sullrich@gmail.com>
Message-ID: <20060915091430.A45488@gta.com>
References: <20060914093034.A83805@gta.com>
	<d5992baf0609141843t5b81cf77w4d35a3a36beced1c@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="wac7ysb48OaltWcw"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <d5992baf0609141843t5b81cf77w4d35a3a36beced1c@mail.gmail.com>;
	from sullrich@gmail.com on Thu, Sep 14, 2006 at 09:43:38PM -0400
Cc: freebsd-net@freebsd.org
Subject: Re: FAST_IPSEC NAT-T support
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Sep 2006 13:14:32 -0000


--wac7ysb48OaltWcw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Sep 14, 2006 at 09:43:38PM -0400, Scott Ullrich wrote:
> On 9/14/06, Larry Baird <lab@gta.com> wrote:
> > Please find attached two patches for adding FAST_IPSEC NAT-T support to
> > FreeBSD 6.x.  The patch "freebsd6-fastipsec-natt.diff" is dependent
> > upon Yvan's IPSEC NAT-T patch "freebsd6-natt.diff" which can be found at
> > http://ipsec-tools.cvs.sourceforge.net/ipsec-tools/htdocs/.  The second
> > patch "freebsd6-ipsec-fastipsec-natt.diff" is a cumulative patch
> > combining both patches together.
> 
> This is great!   It compiles on FreeBSD 6.1 when you include options
>       IPSEC_NAT_T but when you fail to include this item "options
> IPSEC_NAT_T" in addition to including "options FAST_IPSEC" you end up
> with:
> 
> cc -c -O -pipe  -Wall -Wredundant-decls -Wnested-externs
> -Wstrict-prototypes  -Wmissing-prototypes -Wpointer-arith -Winline
> -Wcast-qual  -fformat-extensions -std=c99 -g -nostdinc -I-  -I.
> -I/usr/src/sys -I/usr/src/sys/contrib/altq
> -I/usr/src/sys/contrib/ipfilter -I/usr/src/sys/contrib/pf
> -I/usr/src/sys/contrib/dev/ath -I/usr/src/sys/contrib/dev/ath/freebsd
> -I/usr/src/sys/contrib/ngatm -I/usr/src/sys/dev/twa -D_KERNEL
> -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common
> -finline-limit=8000 --param inline-unit-growth=100 --param
> large-function-growth=1000  -mno-align-long-strings
> -mpreferred-stack-boundary=2  -mno-mmx -mno-3dnow -mno-sse -mno-sse2
> -ffreestanding -Werror  /usr/src/sys/netipsec/key.c
> /usr/src/sys/netipsec/key.c: In function `key_spdadd':
> /usr/src/sys/netipsec/key.c:1867: error: `isr' undeclared (first use
> in this function)
> /usr/src/sys/netipsec/key.c:1867: error: (Each undeclared identifier
> is reported only once
> /usr/src/sys/netipsec/key.c:1867: error: for each function it appears in.)
> *** Error code 1
> 
> Stop in /usr/obj/usr/src/sys/pfSense.6.
> *** Error code 1
> 
> Stop in /usr/src.
> *** Error code 1
> 
> Stop in /usr/src.
> 
> Meanwhile I have a new version of pfSense out asking for testing.   We
> seem to have a large base of users requesting this option so hopefully
> I can get some meaningful testing information for you soon.
It looks like the problem code is not needed.  I was so busy focusing
on getting NAT-T working with FAST_IPSEC I didn't notice this part
of the non NAT_T case in the IPSEC NAT_T patch.  Remove the section
starting with "#ifndef IPSEC_NAT_T" at line 1866.  Or run the attached
patch.  I'll update the full patch shortly.

Larry


-- 
------------------------------------------------------------------------
Larry Baird                        | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: lab@gta.com                 | TEL 407-380-0220, FAX 407-380-6080

--wac7ysb48OaltWcw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="nokey.diff"

Index: key.c
===================================================================
--- key.c	(revision 8199)
+++ key.c	(working copy)
@@ -1876,52 +1876,6 @@
 		return key_senderror(so, m, error);
 	}
 
-#ifndef IPSEC_NAT_T
-	for (isr = newsp->req; isr; isr = isr->next) {
-		struct sockaddr *sa;
-
-		/*
-		 * port spec is not permitted for tunnel mode
-		 */
-		if (isr->saidx.mode == IPSEC_MODE_TUNNEL && src0 && dst0) {
-			sa = (struct sockaddr *)(src0 + 1);
-			switch (sa->sa_family) {
-			case AF_INET:
-				if (((struct sockaddr_in *)sa)->sin_port) {
-					keydb_delsecpolicy(newsp);
-					return key_senderror(so, m, EINVAL);
-				}
-				break;
-			case AF_INET6:
-				if (((struct sockaddr_in6 *)sa)->sin6_port) {
-					keydb_delsecpolicy(newsp);
-					return key_senderror(so, m, EINVAL);
-				}
-				break;
-			default:
-				break;
-			}
-			sa = (struct sockaddr *)(dst0 + 1);
-			switch (sa->sa_family) {
-			case AF_INET:
-				if (((struct sockaddr_in *)sa)->sin_port) {
-					keydb_delsecpolicy(newsp);
-					return key_senderror(so, m, EINVAL);
-				}
-				break;
-			case AF_INET6:
-				if (((struct sockaddr_in6 *)sa)->sin6_port) {
-					keydb_delsecpolicy(newsp);
-					return key_senderror(so, m, EINVAL);
-				}
-				break;
-			default:
-				break;
-			}
-		}
-	}
-#endif /* !IPSEC_NAT_T */
-
 	if ((newsp->id = key_getnewspid()) == 0) {
 		_key_delsp(newsp);
 		return key_senderror(so, m, ENOBUFS);

--wac7ysb48OaltWcw--