[oi-userland.git] / components / network / openvpn / patches / 02-ipsec-bypass.patch
blob45dd2f03ee8c3095c7f51bad82d24b5b04e32717
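--- openvpn-2.4.3/src/openvpn/socket.c.~1~ 2017-06-20 14:07:22.000000000 +0000
+++ openvpn-2.4.3/src/openvpn/socket.c 2017-10-09 22:09:30.283191827 +0000
@@ -870,6 +870,55 @@
+#ifdef IP_SEC_OPT
+/*
+ * On Solarish systems (Illumos distros, Oracle Solaris), have the socket
+ * bypass systemwide IPsec policy. Useful if OpenVPN lives on a server that
+ * is also acting as an IPsec gateway. (Note the correct capitalization of
+ * IPsec.)
+ */
+static void
+set_ipsec_bypass(int sock, const sa_family_t ai_family)
+ ipsec_req_t ipsr;
+ int result = 0;
+ /* Don't bother if the socket is a failure. Caller never checks... */
+ if (sock == -1)
+ return;
+ /* Don't bother if it is not IPv4/IPv6 socket... */
+ if (ai_family != AF_INET && ai_family != AF_INET6)
+ return;
+ ipsr.ipsr_ah_req = IPSEC_PREF_NEVER;
+ ipsr.ipsr_esp_req = IPSEC_PREF_NEVER;
+ ipsr.ipsr_self_encap_req = IPSEC_PREF_NEVER;
+ ipsr.ipsr_auth_alg = 0;
+ ipsr.ipsr_esp_alg = 0;
+ ipsr.ipsr_esp_auth_alg = 0;
+ if (ai_family == AF_INET) {
+ result = setsockopt(sock, IPPROTO_IP, IP_SEC_OPT, &ipsr, sizeof (ipsr));
+ } else { /* AF_INET6 */
+ result = setsockopt(sock, IPPROTO_IPV6, IPV6_SEC_OPT, &ipsr, sizeof (ipsr));
+ }
+ if (result == -1) {
+ switch (errno) {
+ case EPROTONOSUPPORT:
+ dmsg (D_SOCKET_DEBUG, "IPsec not loaded.");
+ break;
+ case EPERM:
+ msg (M_ERR, "Need more privilege for IPsec bypass.");
+ break;
+ default:
+ msg (M_ERR|M_ERRNO, "Can't set IPsec bypass.");
+ break;
+ }
+ }
+#endif /* IP_SEC_OPT */
 * SOCKET INITALIZATION CODE.
 * Create a TCP/UDP socket
@@ -900,6 +949,10 @@
 #endif
+#ifdef IP_SEC_OPT
+ set_ipsec_bypass(sd, addrinfo->ai_family);
+#endif
 /* set socket file descriptor to not pass across execs, so that
 * scripts don't have access to it */
 set_cloexec(sd);
@@ -980,6 +1033,10 @@
 "TCP/UDP", sock->info.bind_ipv6_only);
+#ifdef IP_SEC_OPT
+ set_ipsec_bypass(sock->sd, ai_family);
+#endif
 static void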
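Review bot: The bypass is applied unconditionally at both call sites (`set_ipsec_bypass(sd, addrinfo->ai_family);` and `set_ipsec_bypass(sock->sd, ai_family);`), so any build where `IP_SEC_OPT` is defined exempts OpenVPN's sockets from the systemwide IPsec policy with no runtime switch and no log line on success. An administrator whose policy is meant to cover this traffic gets no indication that it was exempted; consider gating the call behind a configuration option and recording the success case after the `setsockopt` check, e.g. `msg (M_INFO, "IPsec policy bypass set on socket.");`. Separately, as far as I recall OpenVPN defines `M_ERR` as `M_FATAL | M_ERRNO`, so the `EPERM` branch presumably terminates the process and `M_ERR|M_ERRNO` in the default branch is redundant. If a missing privilege should only leave the socket under normal policy, `M_WARN` would fit better; the intent should be confirmed and stated in the comment. The functions containing the two call sites begin and end outside the hunks, and this rendering shows `ipsr` set field by field without a prior `memset(&ipsr, 0, sizeof (ipsr));`, which would be worth adding so no uninitialised padding is handed to the kernel.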