rpms/ipsec-tools/devel ipsec-tools-0.7.1-purge.patch, NONE, 1.1 ipsec-tools.spec, 1.57, 1.58

Tomáš Mráz (tmraz) fedora-extras-commits at redhat.com
Fri Aug 8 21:01:50 UTC 2008


Author: tmraz

Update of /cvs/pkgs/rpms/ipsec-tools/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17855

Modified Files:
	ipsec-tools.spec 
Added Files:
	ipsec-tools-0.7.1-purge.patch 
Log Message:
* Fri Aug  8 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-3
- Fix IPSEC SA purge with NAT_T enabled


ipsec-tools-0.7.1-purge.patch:

--- NEW FILE ipsec-tools-0.7.1-purge.patch ---
diff -up ipsec-tools-0.7.1/src/racoon/isakmp.c.purge ipsec-tools-0.7.1/src/racoon/isakmp.c
--- ipsec-tools-0.7.1/src/racoon/isakmp.c.purge	2008-08-08 16:34:53.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/isakmp.c	2008-08-08 22:57:00.000000000 +0200
@@ -3194,6 +3194,10 @@ purge_remote(iph1)
 	u_int proto_id;
 	struct ph2handle *iph2;
 	struct ph1handle *new_iph1;
+#ifdef ENABLE_NATT 
+	struct sadb_x_nat_t_type *natt_type;
+	struct sadb_x_nat_t_port *natt_port;
+#endif
 
 	plog(LLV_INFO, LOCATION, NULL,
 		 "purging ISAKMP-SA spi=%s.\n",
@@ -3252,6 +3256,21 @@ purge_remote(iph1)
 			continue;
 		}
 
+#ifdef ENABLE_NATT
+		natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
+		if (natt_type && natt_type->sadb_x_nat_t_type_type) {
+			/* NAT-T is enabled for this SADB entry; copy *
+			 * the ports from NAT-T extensions */
+			natt_port = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
+			if (extract_port(src) == 0 && natt_port != NULL)
+				set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port));
+
+			natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
+			if (extract_port(dst) == 0 && natt_port != NULL)
+				set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
+		}
+#endif
+
 		/*
 		 * check in/outbound SAs.
 		 * Select only SAs where src == local and dst == remote (outgoing)
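Review bot: When the NAT-T type is set but `mhp[SADB_X_EXT_NAT_T_SPORT]` or `mhp[SADB_X_EXT_NAT_T_DPORT]` is NULL, the added block silently leaves the port at 0. The SA then reaches the src/dst selection below with an incomplete address. That selection decides which SAs are purged for a peer, and peers behind one NAT are presumably distinguished only by port, so the case should at least be logged, e.g. `if (natt_port == NULL) plog(LLV_DEBUG, LOCATION, NULL, "NAT-T type set but no port extension\n");` after each lookup. The `natt_type->` and `natt_port->` dereferences also assume every `mhp[]` entry was length-checked by the PF_KEY parsing earlier in the loop; that code is outside the hunk and worth confirming for the NAT-T extensions. `purge_remote` starts and ends outside this hunk, so the address comparison itself is not visible here.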


Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.57
retrieving revision 1.58
diff -u -r1.57 -r1.58
--- ipsec-tools.spec	30 Jul 2008 18:51:56 -0000	1.57
+++ ipsec-tools.spec	8 Aug 2008 21:01:19 -0000	1.58
@@ -1,6 +1,6 @@
 Name: ipsec-tools
 Version: 0.7.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Tools for configuring and using IPSEC
 License: BSD
 Group: System Environment/Base
@@ -16,6 +16,7 @@
 Patch5: ipsec-tools-0.7-iface.patch
 Patch6: ipsec-tools-0.7-dupsplit.patch
 Patch9: ipsec-tools-0.7-splitcidr.patch
+Patch10: ipsec-tools-0.7.1-purge.patch
 
 BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
 BuildRequires: libselinux-devel >= 1.30.28-2
@@ -38,6 +39,7 @@
 %patch5 -p1 -b .iface
 %patch6 -p1 -b .dupsplit
 %patch9 -p1 -b .splitcidr
+%patch10 -p1 -b .purge
 
 ./bootstrap
 
@@ -116,6 +118,9 @@
 %config(noreplace) /etc/racoon/racoon.conf
 
 %changelog
+* Fri Aug  8 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-3
+- Fix IPSEC SA purge with NAT_T enabled
+
 * Wed Jul 30 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-2
 - Different approach to allow racoon to add loopback SAs for
   labeled IPSec (without ISAKMP)



