Add sadb_x_sa2 extension to SADB_ACQUIRE requests.
SADB_ACQUIRE requests are send by kernel, when security policy doesn't have corresponding security association for outbound packet. IKE daemon usually registers its handler for such messages and when the kernel asks for SA it can handle this request. Now such requests will contain additional fields that can help IKE daemon to create SA. And IKE now can create SAs using only information from SADB_ACQUIRE request, this is useful when many if_ipsec(4) interfaces are in use and IKE doesn track security policies that was installed by kernel. Obtained from: Yandex LLC MFC after: 3 weeks Sponsored by: Yandex LLC
This commit is contained in:
parent
8e0b6f937e
commit
0a6e5e5857
@ -6685,7 +6685,9 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
|
||||
|
||||
/* XXX proxy address (optional) */
|
||||
|
||||
/* set sadb_x_policy */
|
||||
/*
|
||||
* Set sadb_x_policy. This is KAME extension to RFC2367.
|
||||
*/
|
||||
if (sp != NULL) {
|
||||
m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id,
|
||||
sp->priority);
|
||||
@ -6696,6 +6698,18 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
|
||||
m_cat(result, m);
|
||||
}
|
||||
|
||||
/*
|
||||
* Set sadb_x_sa2 extension if saidx->reqid is not zero.
|
||||
* This is FreeBSD extension to RFC2367.
|
||||
*/
|
||||
if (saidx->reqid != 0) {
|
||||
m = key_setsadbxsa2(saidx->mode, 0, saidx->reqid);
|
||||
if (m == NULL) {
|
||||
error = ENOBUFS;
|
||||
goto fail;
|
||||
}
|
||||
m_cat(result, m);
|
||||
}
|
||||
/* XXX identity (optional) */
|
||||
#if 0
|
||||
if (idexttype && fqdn) {
|
||||
|
Loading…
Reference in New Issue
Block a user