Log address family of ESP packets sent/received

author Daniel Lenski <dlenski@gmail.com>

Fri, 23 Apr 2021 20:35:17 +0000 (13:35 -0700)

committer David Woodhouse <dwmw2@infradead.org>

Wed, 28 Apr 2021 10:15:39 +0000 (11:15 +0100)
author Daniel Lenski <dlenski@gmail.com>
Fri, 23 Apr 2021 20:35:17 +0000 (13:35 -0700)
committer David Woodhouse <dwmw2@infradead.org>
Wed, 28 Apr 2021 10:15:39 +0000 (11:15 +0100)
diff --git a/esp.c b/esp.c

index 30743cdd2f1e8f6eb4d0b870afb185fcd0f414ae..e5230c283430b197017b3b559b93d10e47b64c4e 100644 (file)
--- a/esp.c
+++ b/esp.c
@@ -167,8 +167,6 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
                 if (len <= 0)
                         break;
  
-               vpn_progress(vpninfo, PRG_TRACE, _("Received ESP packet of %d bytes\n"),
-                            len);
                 work_done = 1;
  
                 /* both supported algos (SHA1 and MD5) have 12-byte MAC lengths (RFC2403 and RFC2404) */
@@ -198,13 +196,21 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
                 /* Possible values of the Next Header field are:
                    0x04: IP[v4]-in-IP
                    0x05: supposed to mean Internet Stream Protocol
-                        (XXX: but used for LZO compressed packets by Juniper)
+                        (XXX: but used for LZO compressed IPv4 packets by Juniper)
                    0x29: IPv6 encapsulation */
-               if (pkt->data[len - 1] != 0x04 && pkt->data[len - 1] != 0x29 &&
-                   pkt->data[len - 1] != 0x05) {
+               if (pkt->data[len - 1] == 0x04)
+                       vpn_progress(vpninfo, PRG_TRACE, _("Received ESP Legacy IP packet of %d bytes\n"),
+                                    len);
+               else if (pkt->data[len - 1] == 0x05)
+                       vpn_progress(vpninfo, PRG_TRACE, _("Received ESP Legacy IP packet of %d bytes (LZO-compressed)\n"),
+                                    len);
+               else if (pkt->data[len - 1] == 0x29)
+                       vpn_progress(vpninfo, PRG_TRACE, _("Received ESP IPv6 packet of %d bytes\n"),
+                                    len);
+               else {
                         vpn_progress(vpninfo, PRG_ERR,
-                                    _("Received ESP packet with unrecognised payload type %02x\n"),
-                                    pkt->data[len-1]);
+                                    _("Received ESP packet of %d bytes with unrecognised payload type %02x\n"),
+                                    len, pkt->data[len-1]);
                         continue;
                 }
  
@@ -295,14 +301,17 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
         }
         while (1) {
                 int len;
+               int ip_version;
  
                 if (vpninfo->deflate_pkt) {
                         this = vpninfo->deflate_pkt;
                         len = this->len;
+                       ip_version = this->data[0] >> 4;
                 } else {
                         this = dequeue_packet(&vpninfo->outgoing_queue);
                         if (!this)
                                 break;
+                       ip_version = this->data[0] >> 4;
  
                         if (vpninfo->proto->proto == PROTO_NC ||
                             vpninfo->proto->proto == PROTO_PULSE) {
@@ -311,11 +320,11 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
                                 /* Pulse/NC can only accept ESP of the same protocol as the one
                                  * you connected to it with. The other has to go over IF-T/TLS. */
                                 if (vpninfo->dtls_addr->sa_family == AF_INET6)
-                                       dontsend = 0x40;
+                                       dontsend = 4;
                                 else
-                                       dontsend = 0x60;
+                                       dontsend = 6;
  
-                               if ( (this->data[0] & 0xf0) == dontsend) {
+                               if (ip_version == dontsend) {
                                         store_be32(&this->pulse.vendor, 0xa4c);
                                         store_be32(&this->pulse.type, 4);
                                         store_be32(&this->pulse.len, this->len + 16);
@@ -362,8 +371,8 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
                 } else {
                         vpninfo->dtls_times.last_tx = time(NULL);
  
-                       vpn_progress(vpninfo, PRG_TRACE, _("Sent ESP packet of %d bytes\n"),
-                                    len);
+                       vpn_progress(vpninfo, PRG_TRACE, _("Sent ESP IPv%d packet of %d bytes\n"),
+                                    ip_version, len);
                 }
                 if (this == vpninfo->deflate_pkt) {
                         unmonitor_write_fd(vpninfo, dtls);
author	Daniel Lenski <dlenski@gmail.com>
	Fri, 23 Apr 2021 20:35:17 +0000 (13:35 -0700)
committer	David Woodhouse <dwmw2@infradead.org>
	Wed, 28 Apr 2021 10:15:39 +0000 (11:15 +0100)