 @@ -1,14 +1,14 @@
-/*	$NetBSD: ipsec_output.c,v 1.81 2018/11/22 04:48:34 knakahara Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.82 2018/12/26 08:58:51 knakahara Exp $	*/
 /*
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -19,27 +19,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  * $FreeBSD: sys/netipsec/ipsec_output.c,v 1.3.2.2 2003/03/28 20:32:53 sam Exp $
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.81 2018/11/22 04:48:34 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.82 2018/12/26 08:58:51 knakahara Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
 #include "opt_net_mpsafe.h"
 #endif
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
 #include <sys/domain.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/errno.h>
 @@ -279,67 +279,85 @@ ipsec_process_done(struct mbuf *m, const
 		goto bad;
 	return ipsec_reinject_ipstack(m, saidx->dst.sa.sa_family);
 bad:
 	m_freem(m);
 	return error;
+}
 static void
 ipsec_fill_saidx_bymbuf(struct secasindex *saidx, const struct mbuf *m,
     const int af)
+{
 	struct m_tag *mtag;
 	u_int16_t natt_src = IPSEC_PORT_ANY;
 	u_int16_t natt_dst = IPSEC_PORT_ANY;
 	/*
 	 * For NAT-T enabled ipsecif(4), set NAT-T port numbers
 	 * even if the saidx uses transport mode.
+	 *
 	 * See also ipsecif[46]_output().
 	 */
 	mtag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS);
 	if (mtag) {
 		u_int16_t *natt_ports;
 		natt_ports = (u_int16_t *)(mtag + 1);
 		natt_src = natt_ports[1];
 		natt_dst = natt_ports[0];
+	}
 	if (af == AF_INET) {
 		struct sockaddr_in *sin;
 		struct ip *ip = mtod(m, struct ip *);
 		if (saidx->src.sa.sa_len == 0) {
 			sin = &saidx->src.sin;
 			sin->sin_len = sizeof(*sin);
 			sin->sin_family = AF_INET;
-			sin->sin_port = IPSEC_PORT_ANY;
+			sin->sin_port = natt_src;
 			sin->sin_addr = ip->ip_src;
+		}
 		if (saidx->dst.sa.sa_len == 0) {
 			sin = &saidx->dst.sin;
 			sin->sin_len = sizeof(*sin);
 			sin->sin_family = AF_INET;
-			sin->sin_port = IPSEC_PORT_ANY;
+			sin->sin_port = natt_dst;
 			sin->sin_addr = ip->ip_dst;
+		}
 	} else {
 		struct sockaddr_in6 *sin6;
 		struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 		if (saidx->src.sin6.sin6_len == 0) {
 			sin6 = (struct sockaddr_in6 *)&saidx->src;
 			sin6->sin6_len = sizeof(*sin6);
 			sin6->sin6_family = AF_INET6;
-			sin6->sin6_port = IPSEC_PORT_ANY;
+			sin6->sin6_port = natt_src;
 			sin6->sin6_addr = ip6->ip6_src;
 			if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
 				/* fix scope id for comparing SPD */
 				sin6->sin6_addr.s6_addr16[1] = 0;
 				sin6->sin6_scope_id =
 				    ntohs(ip6->ip6_src.s6_addr16[1]);
+			}
+		}
 		if (saidx->dst.sin6.sin6_len == 0) {
 			sin6 = (struct sockaddr_in6 *)&saidx->dst;
 			sin6->sin6_len = sizeof(*sin6);
 			sin6->sin6_family = AF_INET6;
-			sin6->sin6_port = IPSEC_PORT_ANY;
+			sin6->sin6_port = natt_dst;
 			sin6->sin6_addr = ip6->ip6_dst;
 			if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
 				/* fix scope id for comparing SPD */
 				sin6->sin6_addr.s6_addr16[1] = 0;
 				sin6->sin6_scope_id =
 				    ntohs(ip6->ip6_dst.s6_addr16[1]);
+			}
+		}
+	}
+}
 struct secasvar *
 ipsec_lookup_sa(const struct ipsecrequest *isr, const struct mbuf *m)

 @@ -1,14 +1,14 @@
-/*	$NetBSD: ipsecif.c,v 1.12 2018/12/07 09:11:04 knakahara Exp $  */
+/*	$NetBSD: ipsecif.c,v 1.13 2018/12/26 08:58:51 knakahara Exp $  */
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -17,27 +17,27 @@
  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.12 2018/12/07 09:11:04 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.13 2018/12/26 08:58:51 knakahara Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #endif
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/socket.h>
 #include <sys/sockio.h>
 #include <sys/mbuf.h>
 #include <sys/errno.h>
 #include <sys/ioctl.h>
 @@ -61,26 +61,27 @@ __KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/ip6_private.h>
 #include <netinet6/in6_var.h>
 #include <netinet6/ip6protosw.h> /* for struct ip6ctlparam */
 #include <netinet/ip_ecn.h>
 #endif
 #include <netipsec/key.h>
 #include <netipsec/ipsecif.h>
 #include <net/if_ipsec.h>
 static int ipsecif_set_natt_ports(struct ipsec_variant *, struct mbuf *);
 static void ipsecif4_input(struct mbuf *, int, int, void *);
 static int ipsecif4_output(struct ipsec_variant *, int, struct mbuf *);
 static int ipsecif4_filter4(const struct ip *, struct ipsec_variant *,
 	struct ifnet *);
 #ifdef INET6
 static int ipsecif6_input(struct mbuf **, int *, int, void *);
 static int ipsecif6_output(struct ipsec_variant *, int, struct mbuf *);
 static int ipsecif6_filter6(const struct ip6_hdr *, struct ipsec_variant *,
 	struct ifnet *);
 #endif
 static int ip_ipsec_ttl = IPSEC_TTL;
 @@ -92,26 +93,52 @@ static int ip6_ipsec_copy_tos = 0;
 #endif
 static const struct encapsw ipsecif4_encapsw = {
 	.encapsw4 = {
 		.pr_input = ipsecif4_input,
 		.pr_ctlinput = NULL,
+	}
 };
 #ifdef INET6
 static const struct encapsw ipsecif6_encapsw;
 #endif
 static int
 ipsecif_set_natt_ports(struct ipsec_variant *var, struct mbuf *m)
+{
 	KASSERT(if_ipsec_heldref_variant(var));
 	if (var->iv_sport || var->iv_dport) {
 		struct m_tag *mtag;
 		mtag = m_tag_get(PACKET_TAG_IPSEC_NAT_T_PORTS,
 		    sizeof(uint16_t) + sizeof(uint16_t), M_DONTWAIT);
 		if (mtag) {
 			uint16_t *natt_port;
 			natt_port = (uint16_t *)(mtag + 1);
 			natt_port[0] = var->iv_dport;
 			natt_port[1] = var->iv_sport;
 			m_tag_prepend(m, mtag);
 		} else {
 			return ENOBUFS;
+		}
+	}
 	return 0;
+}
 static struct mbuf *
 ipsecif4_prepend_hdr(struct ipsec_variant *var, struct mbuf *m,
     uint8_t proto, uint8_t tos)
+{
 	struct ip *ip;
 	struct sockaddr_in *src, *dst;
 	src = satosin(var->iv_psrc);
 	dst = satosin(var->iv_pdst);
 	if (in_nullhost(src->sin_addr) || in_nullhost(src->sin_addr) ||
 	    src->sin_addr.s_addr == INADDR_BROADCAST ||
 	    dst->sin_addr.s_addr == INADDR_BROADCAST) {
 @@ -384,26 +411,33 @@ ipsecif4_output(struct ipsec_variant *va
+	}
 	/*
 	 * Normal netipsec's NAT-T fragmentation is done in ip_output().
 	 * See "natt_frag" processing.
 	 * However, ipsec(4) interface's one is not done in the same way,
 	 * so we must do NAT-T fragmentation by own code.
 	 */
 	/* NAT-T ESP fragmentation */
 	mtu = ipsecif4_needfrag(m, sp->req);
 	if (mtu > 0)
 		return ipsecif4_fragout(var, family, m, mtu);
 	/* set NAT-T ports */
 	error = ipsecif_set_natt_ports(var, m);
 	if (error) {
 		m_freem(m);
 		goto done;
+	}
 	/* IPsec output */
 	IP_STATINC(IP_STAT_LOCALOUT);
 	error = ipsec4_process_packet(m, sp->req, &sa_mtu);
 	if (error == ENOENT)
 		error = 0;
 	/*
 	 * frangmentation is already done in ipsecif4_fragout(),
 	 * so ipsec4_process_packet() must not do fragmentation here.
 	 */
 	KASSERT(sa_mtu == 0);
 done:
 	return error;
 @@ -576,36 +610,44 @@ ipsecif6_output(struct ipsec_variant *va
 		return ENETUNREACH;
+	}
 	if (rt->rt_ifp == ifp) {
 		rtcache_unref(rt, &iro->ir_ro);
 		rtcache_free(&iro->ir_ro);
 		mutex_exit(iro->ir_lock);
 		percpu_putref(sc->ipsec_ro_percpu);
 		m_freem(m);
 		return ENETUNREACH;
+	}
 	rtcache_unref(rt, &iro->ir_ro);
 	/* set NAT-T ports */
 	error = ipsecif_set_natt_ports(var, m);
 	if (error) {
 		m_freem(m);
 		goto out;
+	}
 	/*
 	 * force fragmentation to minimum MTU, to avoid path MTU discovery.
 	 * it is too painful to ask for resend of inner packet, to achieve
 	 * path MTU discovery for encapsulated packets.
 	 */
 	error = ip6_output(m, 0, &iro->ir_ro,
 	    ip6_ipsec_pmtu ? 0 : IPV6_MINMTU, 0, NULL, NULL);
 out:
 	if (error)
 		rtcache_free(&iro->ir_ro);
 	mutex_exit(iro->ir_lock);
 	percpu_putref(sc->ipsec_ro_percpu);
 	return error;
+}
 #endif /* INET6 */
 static void
 ipsecif4_input(struct mbuf *m, int off, int proto, void *eparg)
+{
 	struct ifnet *ipsecp;
 	struct ipsec_softc *sc = eparg;
 	struct ipsec_variant *var;

 @@ -1,14 +1,14 @@
-/*	$NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $	*/
+/*	$NetBSD: key.c,v 1.260 2018/12/26 08:58:51 knakahara Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
 @@ -22,27 +22,27 @@
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.260 2018/12/26 08:58:51 knakahara Exp $");
 /*
  * This code is referred to RFC 2367
  */
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_gateway.h"
 #include "opt_net_mpsafe.h"
 #endif
 #include <sys/types.h>
 @@ -4557,33 +4557,33 @@ key_saidx_match(
 		if (flag == CMP_MODE_REQID) {
 			if (saidx0->mode != IPSEC_MODE_ANY &&
 			    saidx0->mode != saidx1->mode)
 				return 0;
+		}
 		sa0src = &saidx0->src.sa;
 		sa0dst = &saidx0->dst.sa;
 		sa1src = &saidx1->src.sa;
 		sa1dst = &saidx1->dst.sa;
 		/*
 		 * If NAT-T is enabled, check ports for tunnel mode.
-		 * Don't do it for transport mode, as there is no
+		 * For ipsecif(4), check ports for transport mode, too.
-		 * port information available in the SP.
+		 * Don't check ports if they are set to zero
 		 * Also don't check ports if they are set to zero
 		 * in the SPD: This means we have a non-generated
 		 * SPD which can't know UDP ports.
 		 */
-		if (saidx1->mode == IPSEC_MODE_TUNNEL)
+		if (saidx1->mode == IPSEC_MODE_TUNNEL ||
 		    saidx1->mode == IPSEC_MODE_TRANSPORT)
 			chkport = PORT_LOOSE;
 		else
 			chkport = PORT_NONE;
 		if (!key_sockaddr_match(sa0src, sa1src, chkport)) {
 			return 0;
+		}
 		if (!key_sockaddr_match(sa0dst, sa1dst, chkport)) {
 			return 0;
+		}
+	}
 	return 1;