[network-manager-vpnc/NM_0_8] core: use 'Local Port 0' configuration option to use random IKE source port (rh #514071)



commit 9985c53c57f0a2814066a7d53113b169b805ae6e
Author: JiÅ?í KlimeÅ¡ <jklimes redhat com>
Date:   Fri Oct 15 14:49:50 2010 +0200

    core: use 'Local Port 0' configuration option to use random IKE source port (rh #514071)
    
    vpnc uses source IKE port 500 by default. This may cause clashes
    when some other process has already claimed that port. So use a random
    port by default. When the VPN setting contains 'Local Port' VPN data,
    use that value instead. This VPN data is not present in the GUI.
    Also import/export the UseLegacyIKEPort pcf option.

 properties/nm-vpnc.c  |   38 +++++++++++++++++++++++++++++++++++++-
 src/nm-vpnc-service.c |   13 +++++++++++++
 src/nm-vpnc-service.h |    3 ++-
 3 files changed, 52 insertions(+), 2 deletions(-)
---
diff --git a/properties/nm-vpnc.c b/properties/nm-vpnc.c
index b0286ed..d4aaadb 100644
--- a/properties/nm-vpnc.c
+++ b/properties/nm-vpnc.c
@@ -6,6 +6,7 @@
  *
  * Copyright (C) 2005 David Zeuthen, <davidz redhat com>
  * Copyright (C) 2005 - 2008 Dan Williams, <dcbw redhat com>
+ * Copyright (C) 2005 - 2010 Red Hat, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -62,6 +63,8 @@
 #define PW_TYPE_ASK	   1
 #define PW_TYPE_UNUSED 2
 
+#define NM_VPNC_LOCAL_PORT_DEFAULT 500
+
 /************** plugin class **************/
 
 static void vpnc_plugin_ui_interface_init (NMVpnPluginUiInterface *iface_class);
@@ -574,7 +577,7 @@ update_connection (NMVpnPluginUiWidgetInterface *iface,
 {
 	VpncPluginUiWidget *self = VPNC_PLUGIN_UI_WIDGET (iface);
 	VpncPluginUiWidgetPrivate *priv = VPNC_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
-	NMSettingVPN *s_vpn;
+	NMSettingVPN *s_vpn, *s_vpn_orig;
 	GtkWidget *widget;
 	char *str;
 	GtkTreeModel *model;
@@ -667,6 +670,16 @@ update_connection (NMVpnPluginUiWidgetInterface *iface,
 			nm_setting_vpn_add_secret (s_vpn, NM_VPNC_KEY_SECRET, str);
 	}
 
+	/* Local Port is not in GUI (yet?). So when present in the connection,
+	 * copy it from the old VPN setting to the new one to preserve it.
+	 */
+	s_vpn_orig = (NMSettingVPN *) nm_connection_get_setting (connection, NM_TYPE_SETTING_VPN);
+	if (s_vpn_orig) {
+		const char *local_port = nm_setting_vpn_get_data_item (s_vpn_orig, NM_VPNC_KEY_LOCAL_PORT);
+		if (local_port && strlen (local_port))
+			nm_setting_vpn_add_data_item (s_vpn, NM_VPNC_KEY_LOCAL_PORT, local_port);
+	}
+
 	nm_connection_add_setting (connection, NM_SETTING (s_vpn));
 	return TRUE;
 }
@@ -984,6 +997,7 @@ import (NMVpnPluginUiInterface *iface, const char *path, GError **error)
 	gboolean bool_value;
 	NMSettingIP4Config *s_ip4;
 	gint val;
+	gboolean found;
 
 	pcf = pcf_file_load (path);
 	if (!pcf) {
@@ -1144,6 +1158,18 @@ import (NMVpnPluginUiInterface *iface, const char *path, GError **error)
 		}
 	}
 
+	/* UseLegacyIKEPort=0 uses dynamic source IKE port instead of 500.
+	 * http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfdc.html#1192555
+	 * See also: http://support.microsoft.com/kb/928310
+	 */
+	found = pcf_file_lookup_int (pcf, "main", "UseLegacyIKEPort", &val);
+	if (!found || val != 0) {
+		char *tmp;
+		tmp = g_strdup_printf ("%d", (gint) NM_VPNC_LOCAL_PORT_DEFAULT); /* Use default vpnc local port: 500 */
+		nm_setting_vpn_add_data_item (s_vpn, NM_VPNC_KEY_LOCAL_PORT, tmp);
+		g_free (tmp);
+	}
+
 	g_hash_table_destroy (pcf);
 
 	return connection;
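Review bot: The constant is formatted through a heap allocation and the trailing comment repeats the literal `500`, so the comment will drift the moment NM_VPNC_LOCAL_PORT_DEFAULT changes; the whole `tmp` dance can be one line, `nm_setting_vpn_add_data_item (s_vpn, NM_VPNC_KEY_LOCAL_PORT, G_STRINGIFY (NM_VPNC_LOCAL_PORT_DEFAULT));`, with the comment shortened to `/* legacy fixed IKE source port */`. Note also that a PCF file with no UseLegacyIKEPort key is pinned to port 500 here, so imported profiles keep the port-clash behaviour the service side now avoids by default; if that is deliberate (mirroring the Cisco client's default for a missing key), a sentence saying so in the block comment would save the next reader from "fixing" it. The body of import() begins outside this hunk.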
@@ -1169,6 +1195,7 @@ export (NMVpnPluginUiInterface *iface,
 	const char *peertimeout = NULL;
 	const char *dhgroup = NULL;
 	GString *routes = NULL;
+	GString *uselegacyikeport = NULL;
 	gboolean success = FALSE;
 	guint32 routes_count = 0;
 	gboolean save_password = FALSE;
@@ -1267,6 +1294,11 @@ export (NMVpnPluginUiInterface *iface,
 		routes = NULL;
 	}
 
+	uselegacyikeport = g_string_new ("");
+	value = nm_setting_vpn_get_data_item (s_vpn, NM_VPNC_KEY_LOCAL_PORT);
+	if (!value || !strcmp (value, "0"))
+		g_string_assign (uselegacyikeport, "UseLegacyIKEPort=0\n");
+
 	fprintf (f, 
 		 "[main]\n"
 		 "Description=%s\n"
@@ -1305,6 +1337,7 @@ export (NMVpnPluginUiInterface *iface,
 		 "EnableSplitDNS=1\n"
 		 "SingleDES=%s\n"
 		 "SPPhonebook=\n"
+		 "%s"
 		 "X-NM-Use-NAT-T=%s\n"
 		 "X-NM-Force-NAT-T=%s\n"
 		 "%s\n",
@@ -1318,6 +1351,7 @@ export (NMVpnPluginUiInterface *iface,
 		 /* NTDomain */      domain != NULL ? domain : "",
 		 /* PeerTimeout */   peertimeout != NULL ? peertimeout : "0",
 		 /* SingleDES */     singledes ? "1" : "0",
+		 /* UseLegacyIKEPort */ (uselegacyikeport->len) ? uselegacyikeport->str : "",
 		 /* X-NM-Use-NAT-T */ use_natt ? "1" : "0",
 		 /* X-NM-Force-NAT-T */ use_force_natt ? "1" : "0",
 		 /* X-NM-Routes */   (routes && routes->str) ? routes->str : "");
@@ -1327,6 +1361,8 @@ export (NMVpnPluginUiInterface *iface,
 done:
 	if (routes)
 		g_string_free (routes, TRUE);
+	if (uselegacyikeport)
+		g_string_free (uselegacyikeport, TRUE);
 	fclose (f);
 	return success;
 }
diff --git a/src/nm-vpnc-service.c b/src/nm-vpnc-service.c
index c278dc5..f933a66 100644
--- a/src/nm-vpnc-service.c
+++ b/src/nm-vpnc-service.c
@@ -60,6 +60,7 @@ static const char *vpnc_binary_paths[] =
 
 #define NM_VPNC_HELPER_PATH		LIBEXECDIR"/nm-vpnc-service-vpnc-helper"
 #define NM_VPNC_UDP_ENCAPSULATION_PORT	0 /* random port */
+#define NM_VPNC_LOCAL_PORT_ISAKMP	0 /* random port */
 
 typedef struct {
 	const char *name;
@@ -84,6 +85,7 @@ static ValidProperty valid_properties[] = {
 	{ NM_VPNC_KEY_DPD_IDLE_TIMEOUT,      G_TYPE_INT, 0, 86400 },
 	{ NM_VPNC_KEY_NAT_TRAVERSAL_MODE,    G_TYPE_STRING, 0, 0 },
 	{ NM_VPNC_KEY_CISCO_UDP_ENCAPS_PORT, G_TYPE_INT, 0, 65535 },
+	{ NM_VPNC_KEY_LOCAL_PORT,            G_TYPE_INT, 0, 65535 },
 	/* Ignored option for internal use */
 	{ NM_VPNC_KEY_SECRET_TYPE,           G_TYPE_NONE, 0, 0 },
 	{ NM_VPNC_KEY_XAUTH_PASSWORD_TYPE,   G_TYPE_NONE, 0, 0 },
@@ -417,6 +419,7 @@ nm_vpnc_config_write (gint vpnc_fd,
 	const char *props_natt_mode;
 	const char *default_username;
 	const char *pw_type;
+	const char *local_port;
 
 	default_username = nm_setting_vpn_get_user_name (s_vpn);
 
@@ -429,6 +432,16 @@ nm_vpnc_config_write (gint vpnc_fd,
 	                     NM_VPNC_KEY_CISCO_UDP_ENCAPS_PORT " %d\n",
 	                     NM_VPNC_UDP_ENCAPSULATION_PORT);
 
+	local_port = nm_setting_vpn_get_data_item (s_vpn, NM_VPNC_KEY_LOCAL_PORT);
+	if (!local_port) {
+		/* Configure 'Local Port' to 0 (random port) if the value is not set in the setting.
+		 * Otherwise vpnc would try to use 500 and could clash with other IKE processes.
+		 */
+		write_config_option (vpnc_fd,
+		                     NM_VPNC_KEY_LOCAL_PORT " %d\n",
+		                     NM_VPNC_LOCAL_PORT_ISAKMP);
+	}
+
 	/* Fill username if it's not present */
 	props_username = nm_setting_vpn_get_data_item (s_vpn, NM_VPNC_KEY_XAUTH_USER);
 	if (   default_username
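Review bot: The fallback fires only for a missing key, whereas update_connection in properties/nm-vpnc.c treats an empty string as absent (`local_port && strlen (local_port)`); a connection written by another client with "Local Port" set to "" would skip the random-port default here and, presumably, reach vpnc with no usable value, so the check should be `if (!local_port || !*local_port) {`. Whether the int-range validation in valid_properties already rejects an empty value, and where a present, valid "Local Port" is actually written to the config, are both outside this hunk, so the comment could say which code path emits the user-supplied value. nm_vpnc_config_write starts and ends outside this hunk.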
diff --git a/src/nm-vpnc-service.h b/src/nm-vpnc-service.h
index da4c2b7..293d9ca 100644
--- a/src/nm-vpnc-service.h
+++ b/src/nm-vpnc-service.h
@@ -15,7 +15,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  *
- * (C) Copyright 2005 - 2008 Red Hat, Inc.
+ * (C) Copyright 2005 - 2010 Red Hat, Inc.
  * (C) Copyright 2007 - 2008 Novell, Inc.
  */
 
@@ -54,6 +54,7 @@
 #define NM_VPNC_KEY_NAT_TRAVERSAL_MODE "NAT Traversal Mode"
 #define NM_VPNC_KEY_DPD_IDLE_TIMEOUT "DPD idle timeout (our side)"
 #define NM_VPNC_KEY_CISCO_UDP_ENCAPS_PORT "Cisco UDP Encapsulation Port"
+#define NM_VPNC_KEY_LOCAL_PORT "Local Port"
 
 #define NM_VPNC_NATT_MODE_NATT        "natt"
 #define NM_VPNC_NATT_MODE_NONE        "none"


