author | Chad Loder <cloder@cvs.openbsd.org> | 2005-04-05 18:06:07 +0000 |
---|---|---|
committer | Chad Loder <cloder@cvs.openbsd.org> | 2005-04-05 18:06:07 +0000 |
commit | 50223d187ce118cb0122d63e17afdf6e066a2ac8 (patch) | |
tree | 655194bf2c023512d77ad589821a4270f89bb7a4 /sbin/isakmpd | |
parent | f6a4b7ab951c5c6d94a997ab3660aa7d0d64377f (diff) |
Add -T flag to isakmpd to disable NAT-T support from the command line.
This lets binat setups work again without having to recompile isakmpd.
OK ho, hshoexer.
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r-- | sbin/isakmpd/isakmpd.8 | 9 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.c | 16 | ||||
-rw-r--r-- | sbin/isakmpd/nat_traversal.c | 13 | ||||
-rw-r--r-- | sbin/isakmpd/nat_traversal.h | 7 | ||||
-rw-r--r-- | sbin/isakmpd/virtual.c | 83 |
5 files changed, 83 insertions, 45 deletions
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index 92901762b38..883be194a2b 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.67 2005/02/25 14:14:31 hshoexer Exp $
+.\" $OpenBSD: isakmpd.8,v 1.68 2005/04/05 18:06:05 cloder Exp $
 .\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
 .\"
 .\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.
@@ -55,6 +55,7 @@
 .Op Fl l Ar packetlog-file
 .Op Fl r Ar seed
 .Op Fl R Ar report-file
+.Op Fl T
 .Op Fl v
 .Ek
 .Sh DESCRIPTION
@@ -267,6 +268,10 @@ but this can be changed by feeding the file name
 as an argument to the
 .Fl R
 flag.
+.It Fl T
+When this option is given, NAT-Traversal will disabled and
+.Nm
+will not advertise support for NAT-Traversal to its peers.
 .It Fl v
 Enables verbose logging.
 Normally,
@@ -580,6 +585,8 @@ The ISAKMP/Oakley key management protocol is described in the RFCs
 .%T RFC 2408
 and
 .%T RFC 2409 .
+NAT-Traversal is described in
+.%T RFC 3947 .
 This implementation was done 1998 by Niklas Hallqvist and Niels Provos,
 sponsored by Ericsson Radio Systems.
 .Sh CAVEATS
diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c
index 2e889b9770f..1c68c8e0a4c 100644
--- a/sbin/isakmpd/isakmpd.c
+++ b/sbin/isakmpd/isakmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmpd.c,v 1.75 2005/04/04 19:31:11 deraadt Exp $ */
+/* $OpenBSD: isakmpd.c,v 1.76 2005/04/05 18:06:06 cloder Exp $ */
 /* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */
 
 /*
@@ -52,7 +52,9 @@
 #include "init.h"
 #include "libcrypto.h"
 #include "log.h"
+#include "message.h"
 #include "monitor.h"
+#include "nat_traversal.h"
 #include "sa.h"
 #include "timer.h"
 #include "transport.h"
@@ -121,7 +123,7 @@ usage(void)
 "usage: %s [-4] [-6] [-a] [-c config-file] [-d] [-D class=level]\n"
 " [-f fifo] [-i pid-file] [-K] [-n] [-N udpencap-port]\n"
 " [-p listen-port] [-L] [-l packetlog-file] [-r seed]\n"
- " [-R report-file] [-v]\n",
+ " [-R report-file] [-T] [-v]\n",
 sysdep_progname());
 exit(1);
 }
@@ -136,7 +138,7 @@ parse_args(int argc, char *argv[])
 int do_packetlog = 0;
 #endif
 
- while ((ch = getopt(argc, argv, "46ac:dD:f:i:KnN:p:Ll:r:R:v")) != -1) {
+ while ((ch = getopt(argc, argv, "46ac:dD:f:i:KnN:p:Ll:r:R:Tv")) != -1) {
 switch (ch) {
 case '4':
 bind_family |= BIND_FAMILY_INET4;
@@ -191,7 +193,7 @@ parse_args(int argc, char *argv[])
 app_none++;
 break;
 
-#ifdef USE_NAT_TRAVERSAL
+#if defined(USE_NAT_TRAVERSAL)
 case 'N':
 udp_encap_default_port = optarg;
 break;
@@ -224,6 +226,12 @@ parse_args(int argc, char *argv[])
 report_file = optarg;
 break;
 
+#if defined(USE_NAT_TRAVERSAL)
+ case 'T':
+ disable_nat_t = 1;
+ break;
+#endif
+
 case 'v':
 verbose_logging = 1;
 break;
diff --git a/sbin/isakmpd/nat_traversal.c b/sbin/isakmpd/nat_traversal.c
index db4aebc12bc..3862e1c5101 100644
--- a/sbin/isakmpd/nat_traversal.c
+++ b/sbin/isakmpd/nat_traversal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nat_traversal.c,v 1.11 2005/04/04 19:31:11 deraadt Exp $ */
+/* $OpenBSD: nat_traversal.c,v 1.12 2005/04/05 18:06:06 cloder Exp $ */
 
 /*
 * Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -48,6 +48,8 @@
 #include "util.h"
 #include "virtual.h"
 
+int disable_nat_t = 0;
+
 /*
 * NAT-T capability of the other peer is determined by a particular vendor
 * ID sent in the first message. This vendor ID string is supposed to be a
@@ -146,6 +148,9 @@ nat_t_add_vendor_payload(struct message *msg, char *hash)
 size_t buflen = nat_t_hashsize + ISAKMP_GEN_SZ;
 u_int8_t *buf;
 
+ if (disable_nat_t)
+ return 0;
+
 buf = malloc(buflen);
 if (!buf) {
 log_error("nat_t_add_vendor_payload: malloc (%lu) failed",
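Review bot: The new `case 'T':` in parse_args is wrapped in `#if defined(USE_NAT_TRAVERSAL)`, but `T` was added to the getopt string and to the usage text unconditionally, so a build without NAT-T accepts the letter and then falls into the switch's default branch (outside the hunk), which presumably prints usage and exits while the usage text itself advertises the flag. Accepting `-T` in every build and making it a diagnosed no-op when NAT-T is compiled out keeps the usage string truthful; the same pre-existing inconsistency exists for `-N` one hunk earlier. parse_args begins and ends outside these hunks.
```c
		case 'T':
#if defined(USE_NAT_TRAVERSAL)
			disable_nat_t = 1;
#else
			log_print("parse_args: NAT-T support not compiled in, "
			    "-T ignored");
#endif
			break;
```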
@@ -168,6 +173,9 @@ nat_t_add_vendor_payloads(struct message *msg)
 {
 int i = 0;
 
+ if (disable_nat_t)
+ return 0;
+
 if (!nat_t_hashes)
 if (nat_t_setup_hashes())
 return 0; /* XXX should this be an error? */
@@ -187,6 +195,9 @@ nat_t_check_vendor_payload(struct message *msg, struct payload *p)
 size_t vlen;
 int i = 0;
 
+ if (disable_nat_t)
+ return;
+
 /* Already checked? */
 if (p->flags & PL_MARK ||
 msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
diff --git a/sbin/isakmpd/nat_traversal.h b/sbin/isakmpd/nat_traversal.h
index f31da981b67..984d825603f 100644
--- a/sbin/isakmpd/nat_traversal.h
+++ b/sbin/isakmpd/nat_traversal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: nat_traversal.h,v 1.2 2004/06/21 23:27:10 ho Exp $ */
+/* $OpenBSD: nat_traversal.h,v 1.3 2005/04/05 18:06:06 cloder Exp $ */
 
 /*
 * Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -27,6 +27,11 @@
 #ifndef _NAT_TRAVERSAL_H_
 #define _NAT_TRAVERSAL_H_
 
+/*
+ * Set if -T is given on the command line to disable NAT-T support.
+ */
+extern int disable_nat_t;
+
 void nat_t_init(void);
 int nat_t_add_vendor_payloads(struct message *);
 void nat_t_check_vendor_payload(struct message *, struct payload *);
diff --git a/sbin/isakmpd/virtual.c b/sbin/isakmpd/virtual.c
index 7653a3817b9..f7fd328c7d3 100644
--- a/sbin/isakmpd/virtual.c
+++ b/sbin/isakmpd/virtual.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: virtual.c,v 1.14 2005/04/04 19:31:11 deraadt Exp $ */
+/* $OpenBSD: virtual.c,v 1.15 2005/04/05 18:06:06 cloder Exp $ */
 
 /*
 * Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -44,6 +44,8 @@
 #include "if.h"
 #include "exchange.h"
 #include "log.h"
+#include "message.h"
+#include "nat_traversal.h"
 #include "transport.h"
 #include "virtual.h"
 #include "udp.h"
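Review bot: The prototypes in nat_traversal.h take `struct message *` and `struct payload *` without a prior declaration of either tag, which is presumably why both isakmpd.c and virtual.c now have to include message.h immediately before nat_traversal.h; adding `struct message;` and `struct payload;` forward declarations above the prototypes would remove that include-order dependency. `extern int disable_nat_t;` is declared unconditionally while its only assignment in parse_args is under `#if defined(USE_NAT_TRAVERSAL)`, which is fine as long as nat_traversal.c is built in every configuration — worth confirming against the Makefile, which is outside this diff. The early return added to nat_t_add_vendor_payloads makes the one added to nat_t_add_vendor_payload in the previous hunk unreachable if that helper is only called from the loop here; keeping it is harmless, but a comment such as `/* Also checked by the caller; kept so this helper is safe on its own. */` would explain the duplication to the next reader.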
@@ -259,27 +261,30 @@ virtual_bind(const struct sockaddr *addr)
 ((struct transport *)v->main)->virtual = (struct transport *)v;
 
 #if defined (USE_NAT_TRAVERSAL)
- memcpy(&tmp_sa, addr, sysdep_sa_len((struct sockaddr *)addr));
-
- /* Get port. */
- stport = udp_encap_default_port
- ? udp_encap_default_port : UDP_ENCAP_DEFAULT_PORT_STR;
- port = text2port(stport);
- if (port == 0) {
- log_print("virtual_bind: bad encap port \"%s\"", stport);
- v->main->vtbl->remove(v->main);
- free(v);
- return 0;
- }
+ if (!disable_nat_t) {
+ memcpy(&tmp_sa, addr, sysdep_sa_len((struct sockaddr *)addr));
+
+ /* Get port. */
+ stport = udp_encap_default_port
+ ? udp_encap_default_port : UDP_ENCAP_DEFAULT_PORT_STR;
+ port = text2port(stport);
+ if (port == 0) {
+ log_print("virtual_bind: bad encap port \"%s\"",
+ stport);
+ v->main->vtbl->remove(v->main);
+ free(v);
+ return 0;
+ }
 
- sockaddr_set_port((struct sockaddr *)&tmp_sa, port);
- v->encap = udp_encap_bind((struct sockaddr *)&tmp_sa);
- if (!v->encap) {
- v->main->vtbl->remove(v->main);
- free(v);
- return 0;
+ sockaddr_set_port((struct sockaddr *)&tmp_sa, port);
+ v->encap = udp_encap_bind((struct sockaddr *)&tmp_sa);
+ if (!v->encap) {
+ v->main->vtbl->remove(v->main);
+ free(v);
+ return 0;
+ }
+ ((struct transport *)v->encap)->virtual = (struct transport *)v;
 }
- ((struct transport *)v->encap)->virtual = (struct transport *)v;
 #endif
 
 v->encap_is_active = 0;
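Review bot: With `-T` the whole NAT-T block is skipped, so `v->encap` keeps whatever value the allocation of `v` above the hunk gave it; that is only a dependable NULL if `v` is zero-initialised there, and every other `#if defined (USE_NAT_TRAVERSAL)` site in virtual.c that dereferences `v->encap` was safe under the compile-time guard but now needs a runtime `v->encap`/`!disable_nat_t` check — neither this hunk nor the virtual_clone hunk that follows can show those sites, so they should be audited. The cleanup sequence `v->main->vtbl->remove(v->main); free(v); return 0;` now appears twice inside the new block in addition to the earlier failure path; a single `goto fail` label would keep the unwinding in one place. virtual_bind starts and ends outside the hunk.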
@@ -516,18 +521,20 @@ virtual_clone(struct transport *vt, struct sockaddr *raddr)
 v2->main->virtual = (struct transport *)v2;
 }
 #if defined (USE_NAT_TRAVERSAL)
- stport = udp_encap_default_port ? udp_encap_default_port :
- UDP_ENCAP_DEFAULT_PORT_STR;
- port = text2port(stport);
- if (port == 0) {
- log_print("virtual_clone: port string \"%s\" not convertible "
- "to in_port_t", stport);
- free(t);
- return 0;
+ if (!disable_nat_t) {
+ stport = udp_encap_default_port ? udp_encap_default_port :
+ UDP_ENCAP_DEFAULT_PORT_STR;
+ port = text2port(stport);
+ if (port == 0) {
+ log_print("virtual_clone: port string \"%s\" not convertible "
+ "to in_port_t", stport);
+ free(t);
+ return 0;
+ }
+ sockaddr_set_port(raddr, port);
+ v2->encap = v->encap->vtbl->clone(v->encap, raddr);
+ v2->encap->virtual = (struct transport *)v2;
 }
- sockaddr_set_port(raddr, port);
- v2->encap = v->encap->vtbl->clone(v->encap, raddr);
- v2->encap->virtual = (struct transport *)v2;
 #endif
 LOG_DBG((LOG_TRANSPORT, 50, "virtual_clone: old %p new %p (%s is %p)",
 v, t, v->encap_is_active ? "encap" : "main",
@@ -542,20 +549,20 @@ static struct transport *
 virtual_create(char *name)
 {
 struct virtual_transport *v;
- struct transport *t, *t2;
+ struct transport *t, *t2 = 0;
 
 t = transport_create("udp_physical", name);
 if (!t)
 return 0;
 
 #if defined (USE_NAT_TRAVERSAL)
- t2 = transport_create("udp_encap", name);
- if (!t2) {
- t->vtbl->remove(t);
- return 0;
+ if (!disable_nat_t) {
+ t2 = transport_create("udp_encap", name);
+ if (!t2) {
+ t->vtbl->remove(t);
+ return 0;
+ }
 }
-#else
- t2 = 0;
 #endif
 
 v = (struct virtual_transport *)calloc(1, sizeof *v);
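Review bot: In virtual_clone the disabled path leaves `v2->encap` untouched; if `t` is a byte copy of `vt` made above the hunk it inherits `v->encap`, which is NULL under `-T`, but if `t` is freshly allocated the field needs an explicit `v2->encap = 0;`, mirroring the `*t2 = 0` initialiser virtual_create now uses. Inside the new block `v2->encap = v->encap->vtbl->clone(v->encap, raddr);` is still dereferenced on the next line without a NULL check, unlike the `udp_encap_bind` result in virtual_bind. The encap port string is parsed with `text2port` in both virtual_bind and virtual_clone, so an invalid `-N` value is only reported at the first bind or clone rather than when the option is read; validating `udp_encap_default_port` once in parse_args, or in a small shared helper, would surface the error at startup and remove the duplicated block. Both functions continue outside the hunk.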