Index: src/libipsec/libpfkey.h =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h,v retrieving revision 1.15 diff -u -p -r1.15 libpfkey.h --- src/libipsec/libpfkey.h 5 Dec 2008 06:02:20 -0000 1.15 +++ src/libipsec/libpfkey.h 11 Dec 2008 16:29:54 -0000 @@ -115,8 +115,11 @@ char *ipsec_dump_policy __P((ipsec_polic u_int pfkey_set_softrate __P((u_int, u_int)); u_int pfkey_get_softrate __P((u_int)); -int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *, - struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t)); +int pfkey_send_getspi_nat __P((int, u_int, u_int, struct sockaddr *, + struct sockaddr *, u_int8_t, u_int16_t, u_int16_t, u_int32_t, u_int32_t, u_int32_t, u_int32_t)); +#define pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) \ + pfkey_send_getspi_nat(so, satype, mode, src, dst, 0, 0, 0, min, max, reqid, seq) + int pfkey_send_update2 __P((struct pfkey_send_sa_args *)); int pfkey_send_add2 __P((struct pfkey_send_sa_args *)); int pfkey_send_delete __P((int, u_int, u_int, @@ -155,6 +158,14 @@ int pfkey_send_migrate __P((int, struct caddr_t, int, u_int32_t)); #endif +/* XXX should be somewhere else !!! + */ +#ifdef SADB_X_NAT_T_NEW_MAPPING +#define PFKEY_ADDR_X_PORT(ext) (ntohs(((struct sadb_x_nat_t_port *)ext)->sadb_x_nat_t_port_port)) +#define PFKEY_ADDR_X_NATTYPE(ext) ( ext != NULL && ((struct sadb_x_nat_t_type *)ext)->sadb_x_nat_t_type_type ) +#endif + + int pfkey_open __P((void)); void pfkey_close __P((int)); int pfkey_set_buffer_size __P((int, int)); Index: src/libipsec/pfkey.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c,v retrieving revision 1.18 diff -u -p -r1.18 pfkey.c --- src/libipsec/pfkey.c 5 Dec 2008 06:02:20 -0000 1.18 +++ src/libipsec/pfkey.c 11 Dec 2008 16:30:00 -0000 
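Review bot: Turning `pfkey_send_getspi` into a macro over `pfkey_send_getspi_nat` removes the function symbol from libipsec, so code already linked against the old entry point, or taking its address, breaks unless the library version is bumped somewhere outside this patch. A real wrapper function in pfkey.c that calls `pfkey_send_getspi_nat(so, satype, mode, src, dst, 0, 0, 0, min, max, reqid, seq)` would keep the exported interface intact. Because `__P` prototypes carry no parameter names, the new declaration also deserves a comment such as `/* natt_type, sport, dport: NAT-T encapsulation type and ports, all 0 when unused */`.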
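Review bot: `PFKEY_ADDR_X_PORT` and `PFKEY_ADDR_X_NATTYPE` are defined only under `#ifdef SADB_X_NAT_T_NEW_MAPPING`, but the callers added in isakmp_inf.c and racoon/pfkey.c use them under `#ifdef ENABLE_NATT`, and libipsec's pfkey.c tests `SADB_X_EXT_NAT_T_TYPE`. A build where these symbols do not coincide ends up with undeclared macros, so one guard should be used on both sides. The macro bodies also use `ext` unparenthesized, and `PFKEY_ADDR_X_PORT` dereferences its argument without the NULL test that `PFKEY_ADDR_X_NATTYPE` performs. I would write `#define PFKEY_ADDR_X_PORT(ext) (ntohs(((struct sadb_x_nat_t_port *)(ext))->sadb_x_nat_t_port_port))` and document it with `/* ext must be a non-NULL SADB_X_EXT_NAT_T_[S|D]PORT extension */`.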
@@ -380,10 +380,12 @@ pfkey_get_softrate(type) * -1 : error occured, and set errno. */ int -pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq) +pfkey_send_getspi_nat(so, satype, mode, src, dst, natt_type, sport, dport, min, max, reqid, seq) int so; u_int satype, mode; struct sockaddr *src, *dst; + u_int8_t natt_type; + u_int16_t sport, dport; u_int32_t min, max, reqid, seq; { struct sadb_msg *newmsg; @@ -431,6 +433,14 @@ pfkey_send_getspi(so, satype, mode, src, len += sizeof(struct sadb_spirange); } +#ifdef SADB_X_EXT_NAT_T_TYPE + if(natt_type||sport||dport){ + len += sizeof(struct sadb_x_nat_t_type); + len += sizeof(struct sadb_x_nat_t_port); + len += sizeof(struct sadb_x_nat_t_port); + } +#endif + if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) { __ipsec_set_strerror(strerror(errno)); return -1; @@ -466,6 +476,32 @@ pfkey_send_getspi(so, satype, mode, src, return -1; } +#ifdef SADB_X_EXT_NAT_T_TYPE + /* Add nat-t messages */ + if (natt_type) { + p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE, + natt_type); + if (!p) { + free(newmsg); + return -1; + } + + p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT, + sport); + if (!p) { + free(newmsg); + return -1; + } + + p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT, + dport); + if (!p) { + free(newmsg); + return -1; + } + } +#endif + /* proccessing spi range */ if (need_spirange) { struct sadb_spirange spirange; @@ -1581,6 +1617,7 @@ pfkey_send_x2(so, type, satype, mode, sr } p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen, IPSEC_ULPROTO_ANY); + if (!p || p != ep) { free(newmsg); return -1; Index: src/racoon/isakmp.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v retrieving revision 1.46 diff -u -p -r1.46 isakmp.c --- src/racoon/isakmp.c 11 Dec 2008 15:33:59 -0000 1.46 +++ src/racoon/isakmp.c 11 Dec 2008 16:30:05 -0000 
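Review bot: The length computation reserves room for the three NAT-T extensions when `natt_type||sport||dport`, but the block that writes them runs only when `natt_type` is non-zero, so a call with a zero type and a non-zero port leaves `p` short of `ep`. Whether that ends in a rejected request or in zero-filled trailing bytes handed to the kernel depends on the end-of-buffer check, which lies outside these hunks. Both places should test the same condition, for example `if (natt_type) {` in the length block. The function header comment, which starts above the first hunk, should also say what `natt_type`, `sport` and `dport` mean and that all-zero means no NAT-T extensions are sent.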
@@ -3378,6 +3378,17 @@ purge_remote(iph1) src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); +#ifdef SADB_X_NAT_T_NEW_MAPPING + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + } +#endif + if (sa->sadb_sa_state != SADB_SASTATE_LARVAL && sa->sadb_sa_state != SADB_SASTATE_MATURE && sa->sadb_sa_state != SADB_SASTATE_DYING) { Index: src/racoon/isakmp_inf.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c,v retrieving revision 1.34 diff -u -p -r1.34 isakmp_inf.c --- src/racoon/isakmp_inf.c 19 Sep 2008 11:14:49 -0000 1.34 +++ src/racoon/isakmp_inf.c 11 Dec 2008 16:30:08 -0000 @@ -1140,8 +1140,7 @@ purge_ipsec_spi(dst0, proto, spi, n) size_t i; caddr_t mhp[SADB_EXT_MAX + 1]; #ifdef ENABLE_NATT - struct sadb_x_nat_t_type *natt_type; - struct sadb_x_nat_t_port *natt_port; + int natt_port_forced; #endif plog(LLV_DEBUG2, LOCATION, NULL, 
@@ -1196,22 +1195,31 @@ purge_ipsec_spi(dst0, proto, spi, n) continue; } #ifdef ENABLE_NATT - natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE]; - if (natt_type && natt_type->sadb_x_nat_t_type_type) { + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { /* NAT-T is enabled for this SADB entry; copy * the ports from NAT-T extensions */ - natt_port = (void *)mhp[SADB_X_EXT_NAT_T_SPORT]; - if (extract_port(src) == 0 && natt_port != NULL) + if (extract_port(src) == 0 && mhp[SADB_X_EXT_NAT_T_SPORT] != NULL){ +#if 0 set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port)); +#else + set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); +#endif + } - natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT]; - if (extract_port(dst) == 0 && natt_port != NULL) + if (extract_port(dst) == 0 && mhp[SADB_X_EXT_NAT_T_DPORT] != NULL){ +#if 0 set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port)); +#else + set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); +#endif + } + natt_port_forced=0; }else{ /* Force default UDP ports, so CMPSADDR will match SAs with NO encapsulation */ set_port(src, PORT_ISAKMP); set_port(dst, PORT_ISAKMP); + natt_port_forced=1; } #endif plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src)); @@ -1227,8 +1235,7 @@ purge_ipsec_spi(dst0, proto, spi, n) } #ifdef ENABLE_NATT - if (natt_type == NULL || - ! natt_type->sadb_x_nat_t_type_type) { + if (natt_port_forced) { /* Set back port to 0 if it was forced to default UDP port */ set_port(src, 0); Index: src/racoon/pfkey.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/pfkey.c,v retrieving revision 1.39 diff -u -p -r1.39 pfkey.c --- src/racoon/pfkey.c 8 Dec 2008 06:00:53 -0000 1.39 +++ src/racoon/pfkey.c 11 Dec 2008 16:30:14 -0000 
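Review bot: The two `#if 0` branches kept in purge_ipsec_spi still reference `natt_port`, whose declaration the preceding hunk removes, so they can never be re-enabled as written and only obscure the live path. I would drop the `#if 0 … #else … #endif` scaffolding and keep just `set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));` and the matching `dst` line. `natt_port_forced` is assigned on both branches before the later test, so it is safe as written, but a short comment at its declaration such as `/* set when ports were forced to PORT_ISAKMP and must be reset to 0 */` would make the pairing with the last hunk obvious. The function body extends beyond the hunks shown.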
@@ -862,6 +862,10 @@ pk_sendgetspi(iph2) struct saprop *pp; struct saproto *pr; u_int32_t minspi, maxspi; +#ifdef ENABLE_NATT + u_int8_t natt_type; + u_int16_t sport, dport; +#endif if (iph2->side == INITIATOR) pp = iph2->proposal; @@ -915,19 +919,27 @@ pk_sendgetspi(iph2) } #ifdef ENABLE_NATT - if (! pr->udp_encap) { - /* Remove port information, that SA doesn't use it */ - set_port(iph2->src, 0); - set_port(iph2->dst, 0); + if (pr->udp_encap) { + natt_type = iph2->ph1->natt_options->encaps_type; + sport=extract_port(src); + dport=extract_port(dst); } #endif + /* Always remove port information, it will be sent in + * SADB_X_EXT_NAT_T_[S|D]PORT if needed */ + set_port(src, 0); + set_port(dst, 0); + plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n"); - if (pfkey_send_getspi( + if (pfkey_send_getspi_nat( lcconf->sock_pfkey, satype, mode, dst, /* src of SA */ src, /* dst of SA */ + natt_type, + dport, + sport, minspi, maxspi, pr->reqid_in, iph2->seq) < 0) { plog(LLV_ERROR, LOCATION, NULL, @@ -975,7 +987,19 @@ pk_recvgetspi(mhp) sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - +#ifdef ENABLE_NATT + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + } +#else + set_port(src, 0); + set_port(dst, 0); +#endif /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { plog(LLV_DEBUG, LOCATION, NULL, 
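Review bot: `natt_type`, `sport` and `dport` are assigned only inside `if (pr->udp_encap)` but are passed to `pfkey_send_getspi_nat()` unconditionally, so an SA without UDP encapsulation hands indeterminate values to the kernel request. They are also declared under `#ifdef ENABLE_NATT` in the preceding hunk while the call sits outside any guard, which would not compile when NAT-T is disabled. Declaring them unguarded and zeroed, `u_int8_t natt_type = 0;` and `u_int16_t sport = 0, dport = 0;`, addresses both. The hunk also switches from `iph2->src`/`iph2->dst` to `src`/`dst`, whose declarations are outside the hunk, so it is worth confirming that clearing their ports here does not affect a later use of the same addresses.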
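Review bot: In pk_recvgetspi the presence checks and the dereferences are crossed: the code tests `mhp[SADB_X_EXT_NAT_T_SPORT] != NULL` and then reads `mhp[SADB_X_EXT_NAT_T_DPORT]`, and vice versa. A reply carrying only one of the two port extensions would therefore dereference a NULL pointer through `PFKEY_ADDR_X_PORT`. The src/dst swap looks intentional given the "note SA dir" comment, so the guard should follow the extension actually read: `if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));` and the mirror line for `dst`. A comment noting that the swap is deliberate would keep the next reader from "fixing" it.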
@@ -1153,13 +1177,13 @@ pk_sendupdate(iph2) #ifdef SADB_X_EXT_NAT_T_FRAG sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag; #endif - } else { - /* Remove port information, that SA doesn't use it */ - set_port(sa_args.src, 0); - set_port(sa_args.dst, 0); } - #endif + /* Always remove port information, it will be sent in + * SADB_X_EXT_NAT_T_[S|D]PORT if needed */ + set_port(sa_args.src, 0); + set_port(sa_args.dst, 0); + /* more info to fill in */ sa_args.spi = pr->spi; sa_args.reqid = pr->reqid_in; @@ -1234,6 +1258,11 @@ pk_recvupdate(mhp) msg = (struct sadb_msg *)mhp[0]; src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); +#ifdef ENAABLE_NATT + /* src/dst are not used anymore in this function, so we actually + * don't care about SADB_X_EXT_NAT_T_[S|D]PORT + */ +#endif sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; sa_mode = mhp[SADB_X_EXT_SA2] == NULL @@ -1452,17 +1481,12 @@ pk_sendadd(iph2) #ifdef SADB_X_EXT_NAT_T_FRAG sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag; #endif - } else { - /* Remove port information, that SA doesn't use it */ - set_port(sa_args.src, 0); - set_port(sa_args.dst, 0); } - -#else - /* Remove port information, it is not used without NAT-T */ +#endif + /* Always remove port information, it will be sent in + * SADB_X_EXT_NAT_T_[S|D]PORT if needed */ set_port(sa_args.src, 0); set_port(sa_args.dst, 0); -#endif /* more info to fill in */ sa_args.spi = pr->spi_p; @@ -1530,6 +1554,11 @@ pk_recvadd(mhp) msg = (struct sadb_msg *)mhp[0]; src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); +#ifdef ENABLE_NATT + /* src/dst are not used anymore in this function, so we actually + * don't care about SADB_X_EXT_NAT_T_[S|D]PORT + */ +#endif sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; sa_mode = mhp[SADB_X_EXT_SA2] == NULL 
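Review bot: The guard added in pk_recvupdate is spelled `#ifdef ENAABLE_NATT`, which is never defined. It is harmless only because the block holds nothing but a comment; the same comment-only block appears, correctly spelled, in pk_recvadd. A comment needs no preprocessor guard, so I would drop the `#ifdef`/`#endif` pair in both places and keep the text as a plain comment. That comment says src/dst "are not used anymore in this function", yet both are still assigned on the lines just above, so either the assignments or the wording should change.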
@@ -1594,6 +1623,16 @@ pk_recvexpire(mhp) sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); +#ifdef ENABLE_NATT + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + } +#endif sa_mode = mhp[SADB_X_EXT_SA2] == NULL ? IPSEC_MODE_ANY @@ -1710,6 +1749,16 @@ pk_recvacquire(mhp) xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); +#ifdef ENABLE_NATT + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port(sp_src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port(sp_dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + } +#endif #ifdef HAVE_SECCTX m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX]; @@ -1977,6 +2026,16 @@ pk_recvdelete(mhp) sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); +#ifdef ENABLE_NATT + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + } +#endif /* the message has to be processed or not ? */ if (msg->sadb_msg_pid == getpid()) { 
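Review bot: The same eight-line NAT-T port copy is pasted into pk_recvexpire, pk_recvacquire and pk_recvdelete here, and again in purge_remote and the SPD handlers, which is how the crossed NULL checks in pk_recvgetspi could slip in unnoticed. A single static helper taking `mhp` and the two sockaddr pointers would keep the presence checks next to the dereferences in one place. Each call site then shrinks to one line such as `pk_natt_copy_ports(mhp, src, dst);`. The helper name below is only a suggestion, and the enclosing functions extend beyond the hunks shown.

```c
#ifdef ENABLE_NATT
/* Copy the ports carried in SADB_X_EXT_NAT_T_[S|D]PORT into src/dst when
 * the message says NAT-T is in use; leave them untouched otherwise. */
static void
pk_natt_copy_ports(mhp, src, dst)
	caddr_t *mhp;
	struct sockaddr *src, *dst;
{
	if (!PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE]))
		return;
	if (mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
		set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
	if (mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
		set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
}
#endif
```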
@@ -2278,6 +2337,17 @@ pk_recvspdupdate(mhp) } saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; +#ifdef ENABLE_NATT + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port((struct sockaddr *)saddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port((struct sockaddr *)daddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + } +#endif + xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; if(lt != NULL) @@ -2416,6 +2486,17 @@ pk_recvspdadd(mhp) } saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; +#ifdef ENABLE_NATT + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port((struct sockaddr *)saddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port((struct sockaddr *)daddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + } +#endif + xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; if(lt != NULL) 
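Review bot: In pk_recvspdupdate `saddr` and `daddr` are `struct sadb_address *`, so `set_port((struct sockaddr *)saddr, …)` treats the extension header itself as the socket address. The SA handlers in this patch reach the address through `PFKEY_ADDR_SADDR(mhp[…])` instead, which suggests the sockaddr lies after the header. As written, `set_port` would then inspect header bytes as the address family and either do nothing or overwrite header fields in the message buffer. I would pass `PFKEY_ADDR_SADDR(saddr)` and `PFKEY_ADDR_SADDR(daddr)`. The same cast is repeated in pk_recvspdadd, pk_recvspddelete, pk_recvspdexpire, pk_recvspddump and addnewsp.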
@@ -2548,6 +2629,17 @@ pk_recvspddelete(mhp) } saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; +#ifdef ENABLE_NATT + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port((struct sockaddr *)saddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port((struct sockaddr *)daddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + } +#endif + xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; if(lt != NULL) @@ -2624,6 +2716,17 @@ pk_recvspdexpire(mhp) } saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; +#ifdef ENABLE_NATT + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port((struct sockaddr *)saddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port((struct sockaddr *)daddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + } +#endif + xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; if(lt != NULL) 
@@ -2716,6 +2819,17 @@ pk_recvspddump(mhp) saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; +#ifdef ENABLE_NATT + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port((struct sockaddr *)saddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port((struct sockaddr *)daddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + } +#endif + xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; if(lt != NULL) @@ -3609,6 +3723,17 @@ addnewsp(mhp, local, remote) saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; +#ifdef ENABLE_NATT + if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) { + /* NAT-T is enabled for this SADB entry; copy + * the ports from NAT-T extensions */ + if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) + set_port((struct sockaddr *)saddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT])); + if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) + set_port((struct sockaddr *)daddr, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT])); + } +#endif + xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD]; if(lt != NULL)