Module Name:    src
Committed By:   knakahara
Date:           Tue Aug  9 08:03:22 UTC 2022

Modified Files:
        src/share/man/man7: sysctl.7
        src/sys/netipsec: key.c key_var.h

Log Message:
Add sysctl entry to improve interconnectivity to some VPN appliances, pointed 
out by seil-team@IIJ.

To allow different identifier types on IDii and IDir, set
net.key.allow_different_idtype=1.  The default (0) preserves the previous
behaviour, which rejects such a mismatch with EINVAL.


To generate a diff of this commit:
cvs rdiff -u -r1.157 -r1.158 src/share/man/man7/sysctl.7
cvs rdiff -u -r1.275 -r1.276 src/sys/netipsec/key.c
cvs rdiff -u -r1.5 -r1.6 src/sys/netipsec/key_var.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/man/man7/sysctl.7
diff -u src/share/man/man7/sysctl.7:1.157 src/share/man/man7/sysctl.7:1.158
--- src/share/man/man7/sysctl.7:1.157	Mon Jul 25 14:46:53 2022
+++ src/share/man/man7/sysctl.7	Tue Aug  9 08:03:22 2022
@@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.7,v 1.157 2022/07/25 14:46:53 pgoyette Exp $
+.\"	$NetBSD: sysctl.7,v 1.158 2022/08/09 08:03:22 knakahara Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"	@(#)sysctl.3	8.4 (Berkeley) 5/9/95
 .\"
-.Dd July 25, 2022
+.Dd August 9, 2022
 .Dt SYSCTL 7
 .Os
 .Sh NAME
@@ -2143,6 +2143,7 @@ The currently defined variable and names
 .It esp_keymin	integer	yes
 .It esp_auth	integer	yes
 .It ah_keymin	integer	yes
+.It allow_different_idtype	boolean	yes
 .El
 The variables are as follows:
 .Bl -tag -width "123456"
@@ -2192,6 +2193,10 @@ on ACQUIRE PF_KEY message.
 Minimum AH key length, in bits,
 The value is used when the kernel creates proposal payload
 on ACQUIRE PF_KEY message.
+.It Li allow_different_idtype
+A boolean that allow or disallow different identifier types
+on IDii and IDir.
+Allowing that can improve interconnectivity to some VPN appliances.
 .El
 .It Li net.local ( Dv PF_LOCAL )
 Get or set various global information about

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.275 src/sys/netipsec/key.c:1.276
--- src/sys/netipsec/key.c:1.275	Tue May 24 20:50:20 2022
+++ src/sys/netipsec/key.c	Tue Aug  9 08:03:22 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.275 2022/05/24 20:50:20 andvar Exp $	*/
+/*	$NetBSD: key.c,v 1.276 2022/08/09 08:03:22 knakahara Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.275 2022/05/24 20:50:20 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.276 2022/08/09 08:03:22 knakahara Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -534,6 +534,7 @@ static const int maxsize[] = {
 static int ipsec_esp_keymin = 256;
 static int ipsec_esp_auth = 0;
 static int ipsec_ah_keymin = 128;
+static bool ipsec_allow_different_idtype = false;
 
 #ifdef SYSCTL_DECL
 SYSCTL_DECL(_net_key);
@@ -6171,7 +6172,14 @@ key_setident(struct secashead *sah, stru
 	if (idsrc->sadb_ident_type != iddst->sadb_ident_type) {
 		IPSECLOG(LOG_DEBUG, "ident type mismatched src %u, dst %u.\n",
 		    idsrc->sadb_ident_type, iddst->sadb_ident_type);
-		return EINVAL;
+		/*
+		 * Some VPN appliances(e.g. NetScreen) can send different
+		 * identifier types on IDii and IDir, so be able to allow
+		 * such message.
+		 */
+		if (!ipsec_allow_different_idtype) {
+			return EINVAL;
+		}
 	}
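Review bot: When net.key.allow_different_idtype is set, control falls through to `switch (idsrc->sadb_ident_type)` on the next line, which dispatches on the source identifier's type only, so on the permissive path iddst's type is never examined and whatever per-type handling that switch performs is applied to the destination identity as if it shared the source's type; if the switch validates anything type-specific, iddst receives no such validation. The knob is also global, so enabling it for one appliance relaxes the consistency check for every SA installed through PF_KEY, and because the mismatch is logged only at LOG_DEBUG a tolerated mismatch leaves no trace at the default log level — consider raising it to LOG_NOTICE when the mismatch is accepted rather than rejected. The new comment should also state the trade-off rather than only the motivation, e.g. `/* Some VPN appliances (e.g. NetScreen) send different identifier types on IDii and IDir; when the administrator opts in via net.key.allow_different_idtype, accept the mismatch instead of rejecting the message. Note the switch below keys on idsrc only. */`. key_setident starts before and ends after this hunk.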
 
 	switch (idsrc->sadb_ident_type) {
@@ -9034,6 +9042,11 @@ sysctl_net_keyv2_setup(struct sysctllog 
 		       SYSCTL_DESCR("PF_KEY statistics"),
 		       sysctl_net_key_stats, 0, NULL, 0,
 		       CTL_NET, IPSEC_PFKEY, CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, NULL, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_BOOL, "allow_different_idtype", NULL,
+		       NULL, 0, &ipsec_allow_different_idtype, 0,
+		       CTL_NET, IPSEC_PFKEY, KEYCTL_ALLOW_DIFFERENT_IDTYPE, CTL_EOL);
 }
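Review bot: The new sysctl_createv call passes NULL as the description where the neighbouring entry uses `SYSCTL_DESCR("PF_KEY statistics")`, so the node is created without a description string and is inconsistent with its siblings; use `SYSCTL_DESCR("Allow different identifier types on IDii and IDir"),` in that position. A one-line description is also where an operator will first see that this knob relaxes a validation check, which is worth stating given it is CTLFLAG_READWRITE. sysctl_net_keyv2_setup starts before this hunk.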
 
 /*

Index: src/sys/netipsec/key_var.h
diff -u src/sys/netipsec/key_var.h:1.5 src/sys/netipsec/key_var.h:1.6
--- src/sys/netipsec/key_var.h:1.5	Sat Apr 28 13:23:17 2018
+++ src/sys/netipsec/key_var.h	Tue Aug  9 08:03:22 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: key_var.h,v 1.5 2018/04/28 13:23:17 maxv Exp $	*/
+/*	$NetBSD: key_var.h,v 1.6 2022/08/09 08:03:22 knakahara Exp $	*/
 /*	$FreeBSD: key_var.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$KAME: key_var.h,v 1.11 2001/09/12 23:05:07 sakane Exp $	*/
 
@@ -49,7 +49,8 @@
 #define KEYCTL_PREFERED_OLDSA		12
 #define KEYCTL_DUMPSA			13
 #define KEYCTL_DUMPSP			14
-#define KEYCTL_MAXID			15
+#define KEYCTL_ALLOW_DIFFERENT_IDTYPE	15
+#define KEYCTL_MAXID			16
 
 #ifdef _KERNEL
 #define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))
