Module Name: src Committed By: knakahara Date: Tue Aug 9 08:03:22 UTC 2022
Modified Files: src/share/man/man7: sysctl.7 src/sys/netipsec: key.c key_var.h Log Message: Add sysctl entry to improve interconnectivity to some VPN appliances, pointed out by seil-team@IIJ. If we want to allow different identifier types on IDii and IDir, set net.key.allow_different_idtype=1. Default(=0) is the same as before. To generate a diff of this commit: cvs rdiff -u -r1.157 -r1.158 src/share/man/man7/sysctl.7 cvs rdiff -u -r1.275 -r1.276 src/sys/netipsec/key.c cvs rdiff -u -r1.5 -r1.6 src/sys/netipsec/key_var.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/share/man/man7/sysctl.7
diff -u src/share/man/man7/sysctl.7:1.157 src/share/man/man7/sysctl.7:1.158
--- src/share/man/man7/sysctl.7:1.157	Mon Jul 25 14:46:53 2022
+++ src/share/man/man7/sysctl.7	Tue Aug 9 08:03:22 2022
@@ -1,4 +1,4 @@
-.\" $NetBSD: sysctl.7,v 1.157 2022/07/25 14:46:53 pgoyette Exp $
+.\" $NetBSD: sysctl.7,v 1.158 2022/08/09 08:03:22 knakahara Exp $
 .\"
 .\" Copyright (c) 1993
 .\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
 .\"
-.Dd July 25, 2022
+.Dd August 9, 2022
 .Dt SYSCTL 7
 .Os
 .Sh NAME
@@ -2143,6 +2143,7 @@ The currently defined variable and names
 .It esp_keymin integer yes
 .It esp_auth integer yes
 .It ah_keymin integer yes
+.It allow_different_idtype boolean yes
 .El
 The variables are as follows:
 .Bl -tag -width "123456"
@@ -2192,6 +2193,10 @@ on ACQUIRE PF_KEY message.
 Minimum AH key length, in bits,
 The value is used when the kernel creates proposal payload
 on ACQUIRE PF_KEY message.
+.It Li allow_different_idtype
+A boolean that allow or disallow different identifier types
+on IDii and IDir.
+Allowing that can improve interconnectivity to some VPN appliances.
 .El
 .It Li net.local ( Dv PF_LOCAL )
 Get or set various global information about
Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.275 src/sys/netipsec/key.c:1.276
--- src/sys/netipsec/key.c:1.275	Tue May 24 20:50:20 2022
+++ src/sys/netipsec/key.c	Tue Aug 9 08:03:22 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.275 2022/05/24 20:50:20 andvar Exp $ */
+/* $NetBSD: key.c,v 1.276 2022/08/09 08:03:22 knakahara Exp $ */
 /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
 /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.275 2022/05/24 20:50:20 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.276 2022/08/09 08:03:22 knakahara Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -534,6 +534,7 @@ static const int maxsize[] = {
 static int ipsec_esp_keymin = 256;
 static int ipsec_esp_auth = 0;
 static int ipsec_ah_keymin = 128;
+static bool ipsec_allow_different_idtype = false;
 
 #ifdef SYSCTL_DECL
 SYSCTL_DECL(_net_key);
@@ -6171,7 +6172,14 @@ key_setident(struct secashead *sah, stru
 	if (idsrc->sadb_ident_type != iddst->sadb_ident_type) {
 		IPSECLOG(LOG_DEBUG, "ident type mismatched src %u, dst %u.\n",
 		    idsrc->sadb_ident_type, iddst->sadb_ident_type);
-		return EINVAL;
+		/*
+		 * Some VPN appliances(e.g. NetScreen) can send different
+		 * identifier types on IDii and IDir, so be able to allow
+		 * such message.
+		 */
+		if (!ipsec_allow_different_idtype) {
+			return EINVAL;
+		}
 	}
 
 	switch (idsrc->sadb_ident_type) {
@@ -9034,6 +9042,11 @@ sysctl_net_keyv2_setup(struct sysctllog
 		       SYSCTL_DESCR("PF_KEY statistics"),
 		       sysctl_net_key_stats, 0, NULL, 0,
 		       CTL_NET, IPSEC_PFKEY, CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, NULL, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_BOOL, "allow_different_idtype", NULL,
+		       NULL, 0, &ipsec_allow_different_idtype, 0,
+		       CTL_NET, IPSEC_PFKEY, KEYCTL_ALLOW_DIFFERENT_IDTYPE, CTL_EOL);
 }
 
 /*
Index: src/sys/netipsec/key_var.h
diff -u src/sys/netipsec/key_var.h:1.5 src/sys/netipsec/key_var.h:1.6
--- src/sys/netipsec/key_var.h:1.5	Sat Apr 28 13:23:17 2018
+++ src/sys/netipsec/key_var.h	Tue Aug 9 08:03:22 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: key_var.h,v 1.5 2018/04/28 13:23:17 maxv Exp $ */
+/* $NetBSD: key_var.h,v 1.6 2022/08/09 08:03:22 knakahara Exp $ */
 /* $FreeBSD: key_var.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
 /* $KAME: key_var.h,v 1.11 2001/09/12 23:05:07 sakane Exp $ */
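Review bot: With the sysctl enabled, the mismatch branch no longer returns, so control falls through to `switch (idsrc->sadb_ident_type)` and the destination identity is handled under the source's type; nothing in the hunk shows that the cases below tolerate an `iddst->sadb_ident_type` that differs, and key_setident's body continues outside the hunk, so that switch should be checked (or the comment should state that the cases do not parse iddst by idsrc's type). The diagnostic still reads as a rejection even when the mismatch is now accepted; make it say which way it went, e.g. `IPSECLOG(LOG_DEBUG, "ident type mismatched src %u, dst %u%s.\n", idsrc->sadb_ident_type, iddst->sadb_ident_type, ipsec_allow_different_idtype ? " (allowed by net.key.allow_different_idtype)" : "");`. The new comment would also help readers if it said what is being relaxed: presumably these identities arrive in the SADB_EXT_IDENTITY extensions of a PF_KEY message from the IKE daemon rather than from the wire, so the knob loosens a sanity check on a trusted local peer, not packet validation — worth confirming and spelling out, since "be able to allow such message" does not convey that.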
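Review bot: The new `sysctl_createv` call passes `NULL` in the description slot where its neighbour passes `SYSCTL_DESCR("PF_KEY statistics")`, so `sysctl -d net.key.allow_different_idtype` shows no help text for a knob that relaxes a validation check; use `SYSCTL_DESCR("Allow different identifier types on IDii and IDir")` there, matching the new sysctl.7 entry. sysctl_net_keyv2_setup's closing brace is inside the hunk but its start is not.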
@@ -49,7 +49,8 @@
 #define KEYCTL_PREFERED_OLDSA 12
 #define KEYCTL_DUMPSA 13
 #define KEYCTL_DUMPSP 14
-#define KEYCTL_MAXID 15
+#define KEYCTL_ALLOW_DIFFERENT_IDTYPE 15
+#define KEYCTL_MAXID 16
 
 #ifdef _KERNEL
 #define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))