authorChad Loder <cloder@cvs.openbsd.org>2005-04-05 18:06:07 +0000
committerChad Loder <cloder@cvs.openbsd.org>2005-04-05 18:06:07 +0000
commit50223d187ce118cb0122d63e17afdf6e066a2ac8 (patch)
tree655194bf2c023512d77ad589821a4270f89bb7a4
parentf6a4b7ab951c5c6d94a997ab3660aa7d0d64377f (diff)
Add -T flag to isakmpd to disable NAT-T support from the command line.
This lets binat setups work again without having to recompile isakmpd. OK ho, hshoexer.
-rw-r--r--sbin/isakmpd/isakmpd.89
-rw-r--r--sbin/isakmpd/isakmpd.c16
-rw-r--r--sbin/isakmpd/nat_traversal.c13
-rw-r--r--sbin/isakmpd/nat_traversal.h7
-rw-r--r--sbin/isakmpd/virtual.c83
5 files changed, 83 insertions, 45 deletions
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index 92901762b38..883be194a2b 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.67 2005/02/25 14:14:31 hshoexer Exp $
+.\" $OpenBSD: isakmpd.8,v 1.68 2005/04/05 18:06:05 cloder Exp $
.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.
@@ -55,6 +55,7 @@
.Op Fl l Ar packetlog-file
.Op Fl r Ar seed
.Op Fl R Ar report-file
+.Op Fl T
.Op Fl v
.Ek
.Sh DESCRIPTION
@@ -267,6 +268,10 @@ but this can be changed by feeding
the file name as an argument to the
.Fl R
flag.
+.It Fl T
+When this option is given, NAT-Traversal will disabled and
+.Nm
+will not advertise support for NAT-Traversal to its peers.
.It Fl v
Enables verbose logging.
Normally,
@@ -580,6 +585,8 @@ The ISAKMP/Oakley key management protocol is described in the RFCs
.%T RFC 2408
and
.%T RFC 2409 .
+NAT-Traversal is described in
+.%T RFC 3947 .
This implementation was done 1998 by Niklas Hallqvist and Niels Provos,
sponsored by Ericsson Radio Systems.
.Sh CAVEATS
diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c
index 2e889b9770f..1c68c8e0a4c 100644
--- a/sbin/isakmpd/isakmpd.c
+++ b/sbin/isakmpd/isakmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmpd.c,v 1.75 2005/04/04 19:31:11 deraadt Exp $ */
+/* $OpenBSD: isakmpd.c,v 1.76 2005/04/05 18:06:06 cloder Exp $ */
/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */
/*
@@ -52,7 +52,9 @@
#include "init.h"
#include "libcrypto.h"
#include "log.h"
+#include "message.h"
#include "monitor.h"
+#include "nat_traversal.h"
#include "sa.h"
#include "timer.h"
#include "transport.h"
@@ -121,7 +123,7 @@ usage(void)
"usage: %s [-4] [-6] [-a] [-c config-file] [-d] [-D class=level]\n"
" [-f fifo] [-i pid-file] [-K] [-n] [-N udpencap-port]\n"
" [-p listen-port] [-L] [-l packetlog-file] [-r seed]\n"
- " [-R report-file] [-v]\n",
+ " [-R report-file] [-T] [-v]\n",
sysdep_progname());
exit(1);
}
@@ -136,7 +138,7 @@ parse_args(int argc, char *argv[])
int do_packetlog = 0;
#endif
- while ((ch = getopt(argc, argv, "46ac:dD:f:i:KnN:p:Ll:r:R:v")) != -1) {
+ while ((ch = getopt(argc, argv, "46ac:dD:f:i:KnN:p:Ll:r:R:Tv")) != -1) {
switch (ch) {
case '4':
bind_family |= BIND_FAMILY_INET4;
@@ -191,7 +193,7 @@ parse_args(int argc, char *argv[])
app_none++;
break;
-#ifdef USE_NAT_TRAVERSAL
+#if defined(USE_NAT_TRAVERSAL)
case 'N':
udp_encap_default_port = optarg;
break;
@@ -224,6 +226,12 @@ parse_args(int argc, char *argv[])
report_file = optarg;
break;
+#if defined(USE_NAT_TRAVERSAL)
+ case 'T':
+ disable_nat_t = 1;
+ break;
+#endif
+
case 'v':
verbose_logging = 1;
break;
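Review bot: The new `-T` case is not reconciled with `-N`: when both are given, `udp_encap_default_port` is assigned by the `N` case but virtual.c skips the encap binding under `disable_nat_t`, so the port is silently ignored. A diagnostic after option parsing would make that visible, e.g. `if (disable_nat_t && udp_encap_default_port) log_print("parse_args: -N ignored, NAT-T disabled by -T");`, or usage() could reject the combination. Note also that `T` is added to the getopt string unconditionally while the case sits inside `#if defined(USE_NAT_TRAVERSAL)`, mirroring the existing `N:` handling, so a build without NAT-T presumably treats `-T` as an unknown option via the default case (not visible here); the man page could say the flag is only meaningful when NAT-T is compiled in. parse_args continues outside the hunk.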
diff --git a/sbin/isakmpd/nat_traversal.c b/sbin/isakmpd/nat_traversal.c
index db4aebc12bc..3862e1c5101 100644
--- a/sbin/isakmpd/nat_traversal.c
+++ b/sbin/isakmpd/nat_traversal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nat_traversal.c,v 1.11 2005/04/04 19:31:11 deraadt Exp $ */
+/* $OpenBSD: nat_traversal.c,v 1.12 2005/04/05 18:06:06 cloder Exp $ */
/*
* Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -48,6 +48,8 @@
#include "util.h"
#include "virtual.h"
+int disable_nat_t = 0;
+
/*
* NAT-T capability of the other peer is determined by a particular vendor
* ID sent in the first message. This vendor ID string is supposed to be a
@@ -146,6 +148,9 @@ nat_t_add_vendor_payload(struct message *msg, char *hash)
size_t buflen = nat_t_hashsize + ISAKMP_GEN_SZ;
u_int8_t *buf;
+ if (disable_nat_t)
+ return 0;
+
buf = malloc(buflen);
if (!buf) {
log_error("nat_t_add_vendor_payload: malloc (%lu) failed",
@@ -168,6 +173,9 @@ nat_t_add_vendor_payloads(struct message *msg)
{
int i = 0;
+ if (disable_nat_t)
+ return 0;
+
if (!nat_t_hashes)
if (nat_t_setup_hashes())
return 0; /* XXX should this be an error? */
@@ -187,6 +195,9 @@ nat_t_check_vendor_payload(struct message *msg, struct payload *p)
size_t vlen;
int i = 0;
+ if (disable_nat_t)
+ return;
+
/* Already checked? */
if (p->flags & PL_MARK ||
msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
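Review bot: The early `return` added at the top of nat_t_check_vendor_payload leaves the peer's NAT-T vendor payload without `PL_MARK`, whereas the pre-existing path (the "Already checked?" test and the code that follows, outside the hunk) presumably marks it; if the message layer later reports unmarked payloads as unhandled, a peer that advertises NAT-T will trigger that diagnostic on every exchange while `-T` is in effect. If that is intended, a comment would help: `/* NAT-T disabled by -T: payload deliberately left unmarked. */`; otherwise `p->flags |= PL_MARK;` before the return keeps the message processing quiet. The same guard is added to both nat_t_add_vendor_payload and nat_t_add_vendor_payloads; if the latter is the only caller of the former, one of the two checks is redundant. The function continues outside the hunk.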
diff --git a/sbin/isakmpd/nat_traversal.h b/sbin/isakmpd/nat_traversal.h
index f31da981b67..984d825603f 100644
--- a/sbin/isakmpd/nat_traversal.h
+++ b/sbin/isakmpd/nat_traversal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: nat_traversal.h,v 1.2 2004/06/21 23:27:10 ho Exp $ */
+/* $OpenBSD: nat_traversal.h,v 1.3 2005/04/05 18:06:06 cloder Exp $ */
/*
* Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -27,6 +27,11 @@
#ifndef _NAT_TRAVERSAL_H_
#define _NAT_TRAVERSAL_H_
+/*
+ * Set if -T is given on the command line to disable NAT-T support.
+ */
+extern int disable_nat_t;
+
void nat_t_init(void);
int nat_t_add_vendor_payloads(struct message *);
void nat_t_check_vendor_payload(struct message *, struct payload *);
diff --git a/sbin/isakmpd/virtual.c b/sbin/isakmpd/virtual.c
index 7653a3817b9..f7fd328c7d3 100644
--- a/sbin/isakmpd/virtual.c
+++ b/sbin/isakmpd/virtual.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: virtual.c,v 1.14 2005/04/04 19:31:11 deraadt Exp $ */
+/* $OpenBSD: virtual.c,v 1.15 2005/04/05 18:06:06 cloder Exp $ */
/*
* Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -44,6 +44,8 @@
#include "if.h"
#include "exchange.h"
#include "log.h"
+#include "message.h"
+#include "nat_traversal.h"
#include "transport.h"
#include "virtual.h"
#include "udp.h"
@@ -259,27 +261,30 @@ virtual_bind(const struct sockaddr *addr)
((struct transport *)v->main)->virtual = (struct transport *)v;
#if defined (USE_NAT_TRAVERSAL)
- memcpy(&tmp_sa, addr, sysdep_sa_len((struct sockaddr *)addr));
-
- /* Get port. */
- stport = udp_encap_default_port
- ? udp_encap_default_port : UDP_ENCAP_DEFAULT_PORT_STR;
- port = text2port(stport);
- if (port == 0) {
- log_print("virtual_bind: bad encap port \"%s\"", stport);
- v->main->vtbl->remove(v->main);
- free(v);
- return 0;
- }
+ if (!disable_nat_t) {
+ memcpy(&tmp_sa, addr, sysdep_sa_len((struct sockaddr *)addr));
+
+ /* Get port. */
+ stport = udp_encap_default_port
+ ? udp_encap_default_port : UDP_ENCAP_DEFAULT_PORT_STR;
+ port = text2port(stport);
+ if (port == 0) {
+ log_print("virtual_bind: bad encap port \"%s\"",
+ stport);
+ v->main->vtbl->remove(v->main);
+ free(v);
+ return 0;
+ }
- sockaddr_set_port((struct sockaddr *)&tmp_sa, port);
- v->encap = udp_encap_bind((struct sockaddr *)&tmp_sa);
- if (!v->encap) {
- v->main->vtbl->remove(v->main);
- free(v);
- return 0;
+ sockaddr_set_port((struct sockaddr *)&tmp_sa, port);
+ v->encap = udp_encap_bind((struct sockaddr *)&tmp_sa);
+ if (!v->encap) {
+ v->main->vtbl->remove(v->main);
+ free(v);
+ return 0;
+ }
+ ((struct transport *)v->encap)->virtual = (struct transport *)v;
}
- ((struct transport *)v->encap)->virtual = (struct transport *)v;
#endif
v->encap_is_active = 0;
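Review bot: With `disable_nat_t` set, `v->encap` is now left unassigned in a build that has USE_NAT_TRAVERSAL compiled in, a state the rest of virtual.c (send/receive/fd handling outside this hunk) did not previously have to handle; unless every use of `v->encap` is gated on `encap_is_active` or checks for NULL, this is a new null-dereference path. virtual_create zero-fills its struct with calloc, but the allocation of `v` in virtual_bind is outside the hunk, so it is worth making the state explicit with an `else` branch, `v->encap = 0;`, plus a comment on the guard such as `/* -T: no udp_encap transport; v->encap stays NULL and encap_is_active is never set. */`. The same point applies to the virtual_clone hunk below, where `v2->encap` is only assigned inside the new `if (!disable_nat_t)` block. virtual_bind continues outside the hunk.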
@@ -516,18 +521,20 @@ virtual_clone(struct transport *vt, struct sockaddr *raddr)
v2->main->virtual = (struct transport *)v2;
}
#if defined (USE_NAT_TRAVERSAL)
- stport = udp_encap_default_port ? udp_encap_default_port :
- UDP_ENCAP_DEFAULT_PORT_STR;
- port = text2port(stport);
- if (port == 0) {
- log_print("virtual_clone: port string \"%s\" not convertible "
- "to in_port_t", stport);
- free(t);
- return 0;
+ if (!disable_nat_t) {
+ stport = udp_encap_default_port ? udp_encap_default_port :
+ UDP_ENCAP_DEFAULT_PORT_STR;
+ port = text2port(stport);
+ if (port == 0) {
+ log_print("virtual_clone: port string \"%s\" not convertible "
+ "to in_port_t", stport);
+ free(t);
+ return 0;
+ }
+ sockaddr_set_port(raddr, port);
+ v2->encap = v->encap->vtbl->clone(v->encap, raddr);
+ v2->encap->virtual = (struct transport *)v2;
}
- sockaddr_set_port(raddr, port);
- v2->encap = v->encap->vtbl->clone(v->encap, raddr);
- v2->encap->virtual = (struct transport *)v2;
#endif
LOG_DBG((LOG_TRANSPORT, 50, "virtual_clone: old %p new %p (%s is %p)",
v, t, v->encap_is_active ? "encap" : "main",
@@ -542,20 +549,20 @@ static struct transport *
virtual_create(char *name)
{
struct virtual_transport *v;
- struct transport *t, *t2;
+ struct transport *t, *t2 = 0;
t = transport_create("udp_physical", name);
if (!t)
return 0;
#if defined (USE_NAT_TRAVERSAL)
- t2 = transport_create("udp_encap", name);
- if (!t2) {
- t->vtbl->remove(t);
- return 0;
+ if (!disable_nat_t) {
+ t2 = transport_create("udp_encap", name);
+ if (!t2) {
+ t->vtbl->remove(t);
+ return 0;
+ }
}
-#else
- t2 = 0;
#endif
v = (struct virtual_transport *)calloc(1, sizeof *v);