Hi, I had a chance to test pr 5562 and would like to confirm that on OpenBSD current the issue is still present.
OpenBSD 4.8-current (GENERIC) #510: Sat Dec 4 12:03:30 MST 2010 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

After applying the attached patch (taken from the url in pr 5562) the issue is resolved. See the reference urls for a more detailed explanation.

Would it be possible to get this patch committed?

References
1. http://marc.info/?t=120168048500001&r=1&w=2
2. http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5562
3. http://www.bzero.se/patches/isakmpd-multi-nat-peers-patch.diff

--
best regards
q#

Index: sa.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/sa.c,v retrieving revision 1.110 diff -u -r1.110 sa.c --- sa.c 24 Nov 2006 13:52:14 -0000 1.110 +++ sa.c 17 Aug 2007 14:31:04 -0000 @@ -199,7 +199,18 @@ return 0; sa->transport->vtbl->get_dst(sa->transport, &dst); - return (net_addrcmp(dst, addr->addr) == 0); + if (net_addrcmp(dst, addr->addr) != 0) + return 0; + + /* same family, length and address, check port if inet/inet6 */ + switch (dst->sa_family) { + case AF_INET: + return ((struct sockaddr_in *)dst)->sin_port == ((struct sockaddr_in *)addr->addr)->sin_port; + case AF_INET6: + return ((struct sockaddr_in6 *)dst)->sin6_port == ((struct sockaddr_in6 *)addr->addr)->sin6_port; + } + + return 1; } struct dst_isakmpspi_arg {
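Review bot: The port comparison in the AF_INET and AF_INET6 cases is unconditional, so every caller of this check now needs addr->addr to carry the peer's actual port. Before the change an address match alone returned true, and a lookup that leaves sin_port or sin6_port at zero will silently stop matching an existing SA. Please confirm that all callers fill in the port, and extend the comment to say why the port matters (the referenced patch name suggests several peers behind one NAT address), since "check port if inet/inet6" describes the code but not the reason. The casts of addr->addr are only safe because net_addrcmp has already rejected a family mismatch; the comment hints at this, but it should be stated explicitly so the dependency survives later edits. Two style points: the two return lines with the double casts run well past 80 columns and would read better with local struct sockaddr_in / sockaddr_in6 pointers, and the switch has no default case, so the fall through to return 1 for other families is implicit.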