On Wed, 12 May 2021 19:11:09 +0900 (JST) YASUOKA Masahiko <yasu...@openbsd.org> wrote: > Radek reported a problem to misc@ that multiple Windows clients behind > a NAT cannot use an L2TP/IPsec server simultaneously. > > https://marc.info/?t=160996816100001&r=1&w=2 > > There are two problems. First, pipex(4) doesn't pass the proper > ipsecflowinfo to ip_output(). Second, the IPsec policy check which > is done by ipsp_spd_lookup() returns -1 (EINVAL) if the given tdb is > not cached. This happens when its flow is shared by another tdb (for > another client of the same NAT). > > The following 2 diffs fix these problems. > > comment? > ok? > > diff #1 > > Fix IPsec NAT-T work with pipex.
The original diff #1 used m_tag to specify the ipsecflowinfo. I noticed "ph_cookie" is usable instead of the m_tag. It seems simpler. Is it better?
Index: sys/net/if_etherip.c
===================================================================
RCS file: /disk/cvs/openbsd/src/sys/net/if_etherip.c,v
retrieving revision 1.48
diff -u -p -r1.48 if_etherip.c
--- sys/net/if_etherip.c 9 Jan 2021 21:00:58 -0000 1.48
+++ sys/net/if_etherip.c 12 May 2021 23:29:41 -0000
@@ -547,7 +547,7 @@ ip_etherip_output(struct ifnet *ifp, str
 etheripstat_pkt(etherips_opackets, etherips_obytes, m->m_pkthdr.len - (sizeof(struct ip) + sizeof(struct etherip_header)));
- ip_send(m);
+ ip_send(m, 0);
 return (0);
 }
Index: sys/net/if_gif.c
===================================================================
RCS file: /disk/cvs/openbsd/src/sys/net/if_gif.c,v
retrieving revision 1.132
diff -u -p -r1.132 if_gif.c
--- sys/net/if_gif.c 20 Feb 2021 04:58:29 -0000 1.132
+++ sys/net/if_gif.c 12 May 2021 23:29:45 -0000
@@ -340,7 +340,7 @@ gif_send(struct gif_softc *sc, struct mb
 ip->ip_src = sc->sc_tunnel.t_src4;
 ip->ip_dst = sc->sc_tunnel.t_dst4;
- ip_send(m);
+ ip_send(m, 0);
 break;
 }
 #ifdef INET6
Index: sys/net/if_gre.c
===================================================================
RCS file: /disk/cvs/openbsd/src/sys/net/if_gre.c,v
retrieving revision 1.171
diff -u -p -r1.171 if_gre.c
--- sys/net/if_gre.c 10 Mar 2021 10:21:47 -0000 1.171
+++ sys/net/if_gre.c 12 May 2021 23:29:52 -0000
@@ -1999,7 +1999,7 @@ gre_ip_output(const struct gre_tunnel *t
 switch (tunnel->t_af) {
 case AF_INET:
- ip_send(m);
+ ip_send(m, 0);
 break;
 #ifdef INET6
 case AF_INET6:
Index: sys/net/pf.c
===================================================================
RCS file: /disk/cvs/openbsd/src/sys/net/pf.c,v
retrieving revision 1.1116
diff -u -p -r1.1116 pf.c
--- sys/net/pf.c 27 Apr 2021 09:38:29 -0000 1.1116
+++ sys/net/pf.c 12 May 2021 23:29:56 -0000
@@ -2896,7 +2896,7 @@ pf_send_tcp(const struct pf_rule *r, sa_
 switch (af) {
 case AF_INET:
- ip_send(m);
+ ip_send(m, 0);
 break;
 #ifdef INET6
 case AF_INET6:
Index: sys/net/pipex.c
===================================================================
RCS file: /disk/cvs/openbsd/src/sys/net/pipex.c,v
retrieving revision 1.132
diff -u -p -r1.132 pipex.c
--- sys/net/pipex.c 10 Mar 2021 10:21:48 -0000 1.132
+++ sys/net/pipex.c 12 May 2021 23:31:24 -0000
@@ -1258,7 +1258,7 @@ pipex_pptp_output(struct mbuf *m0, struc
 gre->flags = htons(gre->flags);
 m0->m_pkthdr.ph_ifidx = session->ifindex;
- ip_send(m0);
+ ip_send(m0, 0);
 if (len > 0) { /* network layer only */
 /* countup statistics */
 session->stat.opackets++;
@@ -1704,7 +1704,7 @@ pipex_l2tp_output(struct mbuf *m0, struc
 ip->ip_tos = 0;
 ip->ip_off = 0;
- ip_send(m0);
+ ip_send(m0, session->proto.l2tp.ipsecflowinfo);
 break;
 #ifdef INET6
 case AF_INET6:
Index: sys/netinet/ip_icmp.c
===================================================================
RCS file: /disk/cvs/openbsd/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.186
diff -u -p -r1.186 ip_icmp.c
--- sys/netinet/ip_icmp.c 30 Mar 2021 08:37:10 -0000 1.186
+++ sys/netinet/ip_icmp.c 12 May 2021 23:31:57 -0000
@@ -860,7 +860,7 @@ icmp_send(struct mbuf *m, struct mbuf *o
 ipstat_inc(ips_localout);
 ip_send_raw(m);
 } else
- ip_send(m);
+ ip_send(m, 0);
 }
 u_int32_t
Index: sys/netinet/ip_input.c
===================================================================
RCS file: /disk/cvs/openbsd/src/sys/netinet/ip_input.c,v
retrieving revision 1.359
diff -u -p -r1.359 ip_input.c
--- sys/netinet/ip_input.c 30 Apr 2021 13:52:48 -0000 1.359
+++ sys/netinet/ip_input.c 12 May 2021 23:29:01 -0000
@@ -1790,6 +1790,7 @@ ip_send_do_dispatch(void *xmq, int flags
 struct mbuf_queue *mq = xmq;
 struct mbuf *m;
 struct mbuf_list ml;
+ u_int32_t ipsecflowinfo;
 mq_delist(mq, &ml);
 if (ml_empty(&ml))
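Review bot: The value passed on the `+ ip_send(m0, session->proto.l2tp.ipsecflowinfo);` line is not consumed here but later, when the ipsend task dequeues the mbuf and calls ip_output(), so the tdb that flow id names must still be the right one at dispatch time rather than only at enqueue time; the hunk does not show how the session's ipsecflowinfo is refreshed on SA rekey or deletion, so if it can go stale a queued packet would be matched against the wrong or a missing tdb. A one-line comment above the call would make that asynchrony visible to the next reader, e.g. `/* consumed later by ip_send_do_dispatch(); 0 means no IPsec flow */`. It also seems worth confirming that plain L2TP sessions without IPsec leave this field at 0, since 0 is what every other caller in this diff passes as "no flow". pipex_l2tp_output's body starts and ends outside the hunk.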
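Review bot: The added `u_int32_t ipsecflowinfo;` is declared at function scope although it is only assigned and read inside the dequeue loop; declaring it in the loop body keeps its scope minimal and makes clear it carries no state across iterations. This is a point of style only. ip_send_do_dispatch's body continues past the hunk.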
@@ -1797,7 +1798,8 @@ ip_send_do_dispatch(void *xmq, int flags
 NET_LOCK();
 while ((m = ml_dequeue(&ml)) != NULL) {
- ip_output(m, NULL, NULL, flags, NULL, NULL, 0);
+ ipsecflowinfo = (uintptr_t)m->m_pkthdr.ph_cookie;
+ ip_output(m, NULL, NULL, flags, NULL, NULL, ipsecflowinfo);
 }
 NET_UNLOCK();
 }
@@ -1815,8 +1817,9 @@ ip_send_dispatch(void *xmq)
 }
 void
-ip_send(struct mbuf *m)
+ip_send(struct mbuf *m, u_int32_t ipsecflowinfo)
 {
+ m->m_pkthdr.ph_cookie = (void *)(uintptr_t)ipsecflowinfo;
 mq_enqueue(&ipsend_mq, m);
 task_add(net_tq(0), &ipsend_task);
 }
Index: sys/netinet/ip_var.h
===================================================================
RCS file: /disk/cvs/openbsd/src/sys/netinet/ip_var.h,v
retrieving revision 1.88
diff -u -p -r1.88 ip_var.h
--- sys/netinet/ip_var.h 30 Mar 2021 08:37:11 -0000 1.88
+++ sys/netinet/ip_var.h 12 May 2021 23:28:44 -0000
@@ -239,7 +239,7 @@ struct mbuf *
 ip_reass(struct ipqent *, struct ipq *);
 u_int16_t ip_randomid(void);
-void ip_send(struct mbuf *);
+void ip_send(struct mbuf *, u_int32_t);
 void ip_send_raw(struct mbuf *);
 void ip_slowtimo(void);
 struct mbuf *
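Review bot: The new `ipsecflowinfo = (uintptr_t)m->m_pkthdr.ph_cookie;` line trusts whatever is in ph_cookie for every mbuf that reaches this dispatcher, but only ip_send() is changed to store a flow id there; ip_send_raw() is not in this diff, and the `flags` parameter suggests the same function also drains the raw queue, so a raw-path mbuf whose producer left an unrelated pointer in ph_cookie would have that pointer truncated and handed to ip_output() as an IPsec flow id. If that reading is right, either have ip_send_raw() set `m->m_pkthdr.ph_cookie = NULL;` before enqueueing or only read the cookie when `(flags & IP_RAWOUTPUT) == 0`. A short comment on the consuming line, e.g. `/* ip_send() stores ipsecflowinfo in ph_cookie; 0 means none */`, would also document the contract. ip_send_do_dispatch begins before this hunk.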
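Review bot: The `+ m->m_pkthdr.ph_cookie = (void *)(uintptr_t)ipsecflowinfo;` line stores an integer in a general-purpose pointer field and nothing in the diff clears it once ip_send_do_dispatch() has read it, so any later consumer of ph_cookie on the ip_output() or driver path would be handed a non-pointer value; this is exactly the aliasing concern the m_tag version of diff #1 did not have, which answers the "is it better?" question only if no such consumer exists on this path. Clearing the field in the dispatcher right after reading it, `m->m_pkthdr.ph_cookie = NULL;`, would bound the lifetime of the overload, and a comment here such as `/* ph_cookie carries ipsecflowinfo until ip_send_do_dispatch() consumes it */` would record the convention. The u_int32_t to void * round trip through uintptr_t is lossless on both 32- and 64-bit targets, so the encoding itself is fine.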