2801 esph_ptr = (esph_t *)espmp->b_rptr;
2802
2803 if (is_natt) {
2804 esp3dbg(espstack, ("esp_outbound: NATT"));
2805
2806 udpha = (udpha_t *)espmp->b_rptr;
2807 udpha->uha_src_port = (assoc->ipsa_local_nat_port != 0) ?
2808 assoc->ipsa_local_nat_port : htons(IPPORT_IKE_NATT);
2809 udpha->uha_dst_port = (assoc->ipsa_remote_nat_port != 0) ?
2810 assoc->ipsa_remote_nat_port : htons(IPPORT_IKE_NATT);
2811 /*
2812 * Set the checksum to 0, so that the esp_prepare_udp() call
2813 * can do the right thing.
2814 */
2815 udpha->uha_checksum = 0;
2816 esph_ptr = (esph_t *)(udpha + 1);
2817 }
2818
2819 esph_ptr->esph_spi = assoc->ipsa_spi;
2820
2821 esph_ptr->esph_replay = htonl(atomic_add_32_nv(&assoc->ipsa_replay, 1));
2822 if (esph_ptr->esph_replay == 0 && assoc->ipsa_replay_wsize != 0) {
2823 /*
2824 * XXX We have replay counter wrapping.
2825 * We probably want to nuke this SA (and its peer).
2826 */
2827 ipsec_assocfailure(info.mi_idnum, 0, 0,
2828 SL_ERROR | SL_CONSOLE | SL_WARN,
2829 "Outbound ESP SA (0x%x, %s) has wrapped sequence.\n",
2830 esph_ptr->esph_spi, assoc->ipsa_dstaddr, af,
2831 espstack->ipsecesp_netstack);
2832
2833 ESP_BUMP_STAT(espstack, out_discards);
2834 sadb_replay_delete(assoc);
2835 ip_drop_packet(data_mp, B_FALSE, ill,
2836 DROPPER(ipss, ipds_esp_replay),
2837 &espstack->esp_dropper);
2838 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
2839 if (need_refrele)
2840 ixa_refrele(ixa);
2841 return (NULL);
|
2801 esph_ptr = (esph_t *)espmp->b_rptr;
2802
2803 if (is_natt) {
2804 esp3dbg(espstack, ("esp_outbound: NATT"));
2805
2806 udpha = (udpha_t *)espmp->b_rptr;
2807 udpha->uha_src_port = (assoc->ipsa_local_nat_port != 0) ?
2808 assoc->ipsa_local_nat_port : htons(IPPORT_IKE_NATT);
2809 udpha->uha_dst_port = (assoc->ipsa_remote_nat_port != 0) ?
2810 assoc->ipsa_remote_nat_port : htons(IPPORT_IKE_NATT);
2811 /*
2812 * Set the checksum to 0, so that the esp_prepare_udp() call
2813 * can do the right thing.
2814 */
2815 udpha->uha_checksum = 0;
2816 esph_ptr = (esph_t *)(udpha + 1);
2817 }
2818
2819 esph_ptr->esph_spi = assoc->ipsa_spi;
2820
2821 esph_ptr->esph_replay = htonl(atomic_inc_32_nv(&assoc->ipsa_replay));
2822 if (esph_ptr->esph_replay == 0 && assoc->ipsa_replay_wsize != 0) {
2823 /*
2824 * XXX We have replay counter wrapping.
2825 * We probably want to nuke this SA (and its peer).
2826 */
2827 ipsec_assocfailure(info.mi_idnum, 0, 0,
2828 SL_ERROR | SL_CONSOLE | SL_WARN,
2829 "Outbound ESP SA (0x%x, %s) has wrapped sequence.\n",
2830 esph_ptr->esph_spi, assoc->ipsa_dstaddr, af,
2831 espstack->ipsecesp_netstack);
2832
2833 ESP_BUMP_STAT(espstack, out_discards);
2834 sadb_replay_delete(assoc);
2835 ip_drop_packet(data_mp, B_FALSE, ill,
2836 DROPPER(ipss, ipds_esp_replay),
2837 &espstack->esp_dropper);
2838 BUMP_MIB(ill->ill_ip_mib, ipIfStatsOutDiscards);
2839 if (need_refrele)
2840 ixa_refrele(ixa);
2841 return (NULL);
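Review bot: The wrap check at line 2822 only fires for the one caller whose `atomic_inc_32_nv()` result is 0; a concurrent sender on the same SA that increments just afterwards gets 1 and passes the check. Unless `sadb_replay_delete()` makes the SA unusable before that happens (its body is not visible here), sequence numbers could be reused under the same keys, so this is worth confirming and documenting. The XXX comment above the branch also looks stale, since it still says "We probably want to nuke this SA (and its peer)" while the branch already calls `sadb_replay_delete(assoc)`. I would replace it with something like `/* Sequence number wrapped with a non-zero replay window: drop the packet and delete the SA so no sequence number is reused. */`. The enclosing function starts above line 2801 and the `if` body is not closed within the lines shown.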
|