diff --git a/libreswan-4.15-ondemand-tcp.patch b/libreswan-4.15-ondemand-tcp.patch
new file mode 100644
index 0000000..11689a6
--- /dev/null
+++ b/libreswan-4.15-ondemand-tcp.patch
@@ -0,0 +1,52 @@
+From 0b91406427cf7292d61900991fd665f076b6d43f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Tue, 2 Jul 2024 20:37:07 +0900
+Subject: [PATCH] tcp: call kernel_ops->poke_ipsec_policy_hole before connect
+
+This fixes ondemand initiation with TCP. Without the policy hole, a
+TCP handshake will not complete, as it cannot receive SYN-ACK packet
+in plaintext and thus connect blocks until timeout.
+
+Signed-off-by: Daiki Ueno
+Signed-off-by: Andrew Cagney
+---
+ programs/pluto/iface_tcp.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
+index c63e8bfe4d..55fe639174 100644
+--- a/programs/pluto/iface_tcp.c
++++ b/programs/pluto/iface_tcp.c
+@@ -473,6 +473,15 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
+ return NULL;
+ }
+
++ /* This needs to be called before connect, so TCP handshake
++ * (in plaintext) completes. */
++ if (kernel_ops->poke_ipsec_policy_hole != NULL &&
++ !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
++ /* already logged */
++ close(fd);
++ return NULL;
++ }
++
+ /*
+ * Connect
+ *
+@@ -551,13 +560,6 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
+ }
+ }
+
+- if (kernel_ops->poke_ipsec_policy_hole != NULL &&
+- !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
+- /* already logged */
+- close(fd);
+- return NULL;
+- }
+-
+ struct iface_endpoint *ifp =
+ alloc_iface_endpoint(fd, local_dev, &iketcp_iface_io,
+ /*esp_encapsulation_enabled*/true,
+--
+2.45.2
+
diff --git a/libreswan.spec b/libreswan.spec
index e30653e..3c6c925 100644
--- a/libreswan.spec
+++ b/libreswan.spec
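Review bot: The relocated block in the first inner hunk still treats a NULL `kernel_ops->poke_ipsec_policy_hole` as a silent no-op and goes on to connect(), which by the commit message's own reasoning leaves an auto=ondemand initiation blocked until the TCP timeout on any kernel backend that lacks the op; an `else` branch on that NULL check emitting one diagnostic through the `logger` already in scope would make that stall attributable rather than invisible. The comment `/* This needs to be called before connect, so TCP handshake (in plaintext) completes. */` would also be more useful if it said what the "hole" is and why punching it before the SYN is safe — the call takes `fd`, so it looks like a per-socket exemption covering only this IKE-over-TCP socket rather than a policy-wide bypass, but that is inferred from the signature and should be confirmed against the backend before being written down. Fail-closed handling is preserved (a failed poke still closes fd and returns NULL), but the connect() code between the two inner hunks is not in view, so I cannot confirm that every connect() error path closes the now-exempted socket. connect_to_tcp_endpoint begins before and ends after both hunks.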
@@ -31,7 +31,7 @@ Name: libreswan Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec # version is generated in the release script Version: 4.15 -Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} +Release: 2 License: GPLv2 Url: https://libreswan.org/ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz @@ -41,6 +41,7 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif Patch: libreswan-4.6-ikev1-policy-defaults-to-drop.patch +Patch: libreswan-4.15-ondemand-tcp.patch BuildRequires: audit-libs-devel BuildRequires: bison @@ -196,6 +197,9 @@ certutil -N -d sql:$tmpdir --empty-password %doc %{_mandir}/*/* %changelog +* Tue Aug 6 2024 Daiki Ueno - 4.15-2 +- Fix auto=ondemand connection initialization with TCP (RHEL-51879) + * Tue Jul 30 2024 Daiki Ueno - 4.15-1 - Update to 4.15 (RHEL-50006)