From 48e173e619472dce9fa16a21cb6fb6ac6a9e3d24 Mon Sep 17 00:00:00 2001
From: Hakan Olsson
Date: Tue, 22 Jun 2004 03:44:56 +0000
Subject: The NAT-T drafts suggest we should drop incoming messages arriving on the old port (500) after we've switched to the new one.

---
 sbin/isakmpd/virtual.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/sbin/isakmpd/virtual.c b/sbin/isakmpd/virtual.c
index 629d50119af..d8aff3ad9d4 100644
--- a/sbin/isakmpd/virtual.c
+++ b/sbin/isakmpd/virtual.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: virtual.c,v 1.3 2004/06/21 18:40:01 ho Exp $ */
+/* $OpenBSD: virtual.c,v 1.4 2004/06/22 03:44:55 ho Exp $ */
 /*
  * Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -606,6 +606,20 @@ virtual_handle_message(struct transport *t)
 		return;
 	}
 
+	/*
+	 * As per the NAT-T draft, in case we have already switched ports,
+	 * any messages recieved on the old (500) port SHOULD be discarded.
+	 * (Actually, while phase 1 messages should be discarded,
+	 * informational exchanges MAY be processed normally. For now, we
+	 * discard them all.)
+	 */
+	if (((struct virtual_transport *)t->virtual)->encap_is_active &&
+	    ((struct virtual_transport *)t->virtual)->main == t) {
+		LOG_DBG((LOG_MESSAGE, 10, "virtual_handle_message: "
+		    "message on old port discarded"));
+		return;
+	}
+
 	t->vtbl->handle_message(t);
 }
-- 
cgit v1.2.3
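Review bot: The early `return` in the new block skips `t->vtbl->handle_message(t)`, and if that callback is where the underlying transport actually reads the datagram from its socket (this hunk does not show a read happening earlier), the packet is never consumed: the descriptor stays readable and the event loop will re-enter virtual_handle_message for the same datagram indefinitely, turning a "discard" into a busy loop that an unauthenticated peer can trigger by sending to port 500 — please confirm against the transport's handle_message and, if so, drain the message before dropping it. The two identical casts would read better hoisted into one local, e.g. `struct virtual_transport *v = (struct virtual_transport *)t->virtual;` followed by `if (v->encap_is_active && v->main == t) {`, which also makes it obvious that `t->virtual` is assumed non-NULL here. Minor: the added comment misspells "received" as "recieved". The enclosing function virtual_handle_message begins before this hunk, so whether a NULL `t->virtual` was already ruled out is not visible here.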