authorAndrey V. Elsukov <ae@FreeBSD.org>2018-10-21 14:19:16 +0000
committerAndrey V. Elsukov <ae@FreeBSD.org>2018-10-21 14:19:16 +0000
commitadc7bb22378fc098d092514f4fd16b1b3af67b7c (patch)
treeb880514c278db9a9f3343a64b21d5225ccc99e53 /sys/netipsec
parent0a27163f8d09c4d542b796d579fcb2d9786cb6da (diff)
downloadsrc-adc7bb22378fc098d092514f4fd16b1b3af67b7c.tar.gz
src-adc7bb22378fc098d092514f4fd16b1b3af67b7c.zip
Add sadb_x_sa2 extension to SADB_ACQUIRE requests.
SADB_ACQUIRE requests are sent by the kernel when a security policy has no corresponding security association for an outbound packet. An IKE daemon usually registers its handler for such messages, and when the kernel asks for an SA it can handle that request. Now such requests contain additional fields that can help the IKE daemon create the SA, and IKE can now create SAs using only the information from the SADB_ACQUIRE request; this is useful when many if_ipsec(4) interfaces are in use and IKE doesn't track the security policies that were installed by the kernel. Obtained from: Yandex LLC MFC after: 3 weeks Sponsored by: Yandex LLC
Notes
Notes: svn path=/head/; revision=339533
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/key.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 1e027bf6076e..09e067ce2609 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -6685,7 +6685,9 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
/* XXX proxy address (optional) */
- /* set sadb_x_policy */
+ /*
+ * Set sadb_x_policy. This is KAME extension to RFC2367.
+ */
if (sp != NULL) {
m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id,
sp->priority);
@@ -6696,6 +6698,18 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
m_cat(result, m);
}
+ /*
+ * Set sadb_x_sa2 extension if saidx->reqid is not zero.
+ * This is FreeBSD extension to RFC2367.
+ */
+ if (saidx->reqid != 0) {
+ m = key_setsadbxsa2(saidx->mode, 0, saidx->reqid);
+ if (m == NULL) {
+ error = ENOBUFS;
+ goto fail;
+ }
+ m_cat(result, m);
+ }
/* XXX identity (optional) */
#if 0
if (idexttype && fqdn) {
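Review bot: The bare literal in the second argument of `m = key_setsadbxsa2(saidx->mode, 0, saidx->reqid);` is not explained by the new comment, and the comment also does not say why the extension is omitted when saidx->reqid is 0 even though saidx->mode would still be informative to a daemon handling the request. I would extend the comment with something like `* Only added when a reqid is set, so consumers that do not expect the extension see an unchanged message; the second argument (presumably the sequence number) carries no meaning for an ACQUIRE and is left 0.`, adjusted to the actual reason. With this condition an IKE daemon cannot learn the mode (tunnel vs. transport) from the ACQUIRE for policies with reqid 0, which may be intended but is worth stating where the condition is written. key_acquire() starts and ends outside the hunk, so I am assuming `error` and the `fail:` label are the same ones the sadb_x_policy branch uses and that the message-length accounting at the end of the function covers the appended mbuf.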