components/network/openvpn/patches/02-ipsec-bypass.patch

   1 --- openvpn-2.4.3/src/openvpn/socket.c.~1~      2017-06-20 14:07:22.000000000 +0000
   2 +++ openvpn-2.4.3/src/openvpn/socket.c  2017-10-09 22:09:30.283191827 +0000
   3 @@ -870,6 +870,55 @@
   4      }
   5  }
   6
   7 +#ifdef IP_SEC_OPT
   8 +/*
   9 + * On Solarish systems (Illumos distros, Oracle Solaris), have the socket
  10 + * bypass systemwide IPsec policy.  Useful if OpenVPN lives on a server that
  11 + * is also acting as an IPsec gateway.  (Note the correct capitalization of
  12 + * IPsec.)
  13 + */
  14 +static void
  15 +set_ipsec_bypass(int sock, const sa_family_t ai_family)
  16 +{
  17 +  ipsec_req_t ipsr;
  18 +  int result = 0;
  19 +
  20 +  /* Don't bother if the socket is a failure.  Caller never checks... */
  21 +  if (sock == -1)
  22 +    return;
  23 +
  24 +  /* Don't bother if it is not IPv4/IPv6 socket... */
  25 +  if (ai_family != AF_INET && ai_family != AF_INET6)
  26 +    return;
  27 +
  28 +  ipsr.ipsr_ah_req = IPSEC_PREF_NEVER;
  29 +  ipsr.ipsr_esp_req = IPSEC_PREF_NEVER;
  30 +  ipsr.ipsr_self_encap_req = IPSEC_PREF_NEVER;
  31 +  ipsr.ipsr_auth_alg = 0;
  32 +  ipsr.ipsr_esp_alg = 0;
  33 +  ipsr.ipsr_esp_auth_alg = 0;
  34 +
  35 +  if (ai_family == AF_INET) {
  36 +    result = setsockopt(sock, IPPROTO_IP, IP_SEC_OPT, &ipsr, sizeof (ipsr));
  37 +  } else { /* AF_INET6 */
  38 +    result = setsockopt(sock, IPPROTO_IPV6, IPV6_SEC_OPT, &ipsr, sizeof (ipsr));
  39 +  }
  40 +  if (result == -1) {
  41 +    switch (errno) {
  42 +    case EPROTONOSUPPORT:
  43 +      dmsg (D_SOCKET_DEBUG, "IPsec not loaded.");
  44 +      break;
  45 +    case EPERM:
  46 +      msg (M_ERR, "Need more privilege for IPsec bypass.");
  47 +      break;
  48 +    default:
  49 +      msg (M_ERR|M_ERRNO, "Can't set IPsec bypass.");
  50 +      break;
  51 +    }
  52 +  }
  53 +}
  54 +#endif /* IP_SEC_OPT */
  55 +
  56  /*
  57   * SOCKET INITALIZATION CODE.
  58   * Create a TCP/UDP socket
  59 @@ -900,6 +949,10 @@
  60      }
  61  #endif
  62
  63 +#ifdef IP_SEC_OPT
  64 +    set_ipsec_bypass(sd, addrinfo->ai_family);
  65 +#endif
  66 +
  67      /* set socket file descriptor to not pass across execs, so that
  68       * scripts don't have access to it */
  69      set_cloexec(sd);
  70 @@ -980,6 +1033,10 @@
  71                          "TCP/UDP", sock->info.bind_ipv6_only);
  72          }
  73      }
  74 +
  75 +#ifdef IP_SEC_OPT
  76 +  set_ipsec_bypass(sock->sd, ai_family);
  77 +#endif
  78  }
  79
  80  static void