authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-01-13 06:42:27 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-01-13 06:42:27 +0000
commit9b40fe3d01c0ebdb029776f36a40155b6e2d98ae (patch)
tree8cebf273d487f25bf10f7df468f79df0982b28c1
parent55ec8ad1db47afa3c351b25550f74478b36eba54 (diff)
Establish ingress flows.
-rw-r--r--sbin/isakmpd/pf_key_v2.c47
1 files changed, 37 insertions, 10 deletions
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index a30e5cb4fac..7b279dea344 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.16 1999/12/04 23:31:42 angelos Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.17 2000/01/13 06:42:26 angelos Exp $ */
/* $EOM: pf_key_v2.c,v 1.19 1999/07/16 00:29:11 niklas Exp $ */
/*
@@ -972,7 +972,7 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming)
static int
pf_key_v2_flow (in_addr_t laddr, in_addr_t lmask, in_addr_t raddr,
in_addr_t rmask, u_int8_t *spi, u_int8_t proto,
- in_addr_t dst, int delete)
+ in_addr_t dst, int delete, int ingress)
{
#if defined (SADB_X_ADDFLOW) && defined (SADB_X_DELFLOW)
struct sadb_msg msg;
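Review bot: The new `ingress` parameter is undocumented; its only effect in this commit is to set SADB_X_SAFLAGS_INGRESS_FLOW (next hunk, L36-37), so the comment block describing pf_key_v2_flow, which sits above this hunk and outside the view, should gain a line such as `/* ingress: non-zero marks the flow as inbound (SADB_X_SAFLAGS_INGRESS_FLOW). */`. Like `delete`, it is an int used as a boolean, and the call sites now end in bare `0, 0` / `0, 1` / `1, 0` / `1, 1` pairs that are hard to read at a glance; if the file's style allows, naming the two positions in the call-site comments (or an enum) would help. The body of pf_key_v2_flow continues outside the hunk.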
@@ -1011,6 +1011,8 @@ pf_key_v2_flow (in_addr_t laddr, in_addr_t lmask, in_addr_t raddr,
ssa.sadb_sa_flags = 0;
if (!delete)
ssa.sadb_sa_flags |= SADB_X_SAFLAGS_REPLACEFLOW;
+ if (ingress)
+ ssa.sadb_sa_flags |= SADB_X_SAFLAGS_INGRESS_FLOW;
if (pf_key_v2_msg_add (flow, (struct sadb_ext *)&ssa, 0) == -1)
goto cleanup;
@@ -1166,14 +1168,27 @@ pf_key_v2_enable_sa (struct sa *sa)
{
struct ipsec_sa *isa = sa->data;
struct sockaddr *dst;
- int dstlen;
+ int dstlen, error;
struct proto *proto = TAILQ_FIRST (&sa->protos);
sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
- return pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
- isa->dst_mask, proto->spi[0], proto->proto,
- ((struct sockaddr_in *)dst)->sin_addr.s_addr, 0);
+ error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
+ isa->dst_mask, proto->spi[0], proto->proto,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr, 0, 0);
+
+ if (error)
+ return error;
+
+ /* Ingress flow */
+ while (TAILQ_NEXT(proto, link))
+ proto = TAILQ_NEXT(proto, link);
+
+ sa->transport->vtbl->get_src (sa->transport, &dst, &dstlen);
+
+ return pf_key_v2_flow(isa->dst_net, isa->dst_mask, isa->src_net,
+ isa->src_mask, proto->spi[1], proto->proto,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr, 0, 1);
}
/* Disable a flow given a SA. */
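Review bot: If the second pf_key_v2_flow call (the ingress flow, L64-66) fails, the egress flow installed by the first call (L51-53) stays in the kernel while the error propagates, so a failed enable leaves the SA half-installed with no rollback; the egress flow should be deleted before returning that error, which needs the first proto and the peer address kept around. `dst` is also reused on L62 to hold the result of get_src, which misreads — a separate `struct sockaddr *src` would be clearer — and get_src's return value is ignored like the existing get_dst call; if the vtbl hooks can fail, both should be checked. The walk on L59-60 relies on the last proto in the list carrying the inbound SPI in spi[1], which deserves a why-comment such as `/* The ingress flow is keyed on the last protocol's inbound SPI. */` since I cannot confirm that invariant from here. The function's signature line is above the hunk.
```c
  struct proto *first = TAILQ_FIRST (&sa->protos);
  struct proto *proto = first;
  in_addr_t peer;

  sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
  peer = ((struct sockaddr_in *)dst)->sin_addr.s_addr;
  error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
			  isa->dst_mask, first->spi[0], first->proto, peer, 0, 0);
  if (error)
    return error;

  /* … unchanged: walk to the last proto, get_src into dst … */

  error = pf_key_v2_flow (isa->dst_net, isa->dst_mask, isa->src_net,
			  isa->src_mask, proto->spi[1], proto->proto,
			  ((struct sockaddr_in *)dst)->sin_addr.s_addr, 0, 1);
  if (error)
    /* Undo the egress flow so a failed enable installs nothing.  */
    pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
		    isa->dst_mask, first->spi[0], first->proto, peer, 1, 0);
  return error;
```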
@@ -1182,14 +1197,26 @@ pf_key_v2_disable_sa (struct sa *sa)
{
struct ipsec_sa *isa = sa->data;
struct sockaddr *dst;
- int dstlen;
+ int dstlen, error;
struct proto *proto = TAILQ_FIRST (&sa->protos);
sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
- return pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
- isa->dst_mask, proto->spi[0], proto->proto,
- ((struct sockaddr_in *)dst)->sin_addr.s_addr, 1);
+ error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
+ isa->dst_mask, proto->spi[0], proto->proto,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr, 1, 0);
+ if (error)
+ return error;
+
+ /* Ingress flow */
+ while (TAILQ_NEXT(proto, link))
+ proto = TAILQ_NEXT(proto, link);
+
+ sa->transport->vtbl->get_src (sa->transport, &dst, &dstlen);
+
+ return pf_key_v2_flow(isa->dst_net, isa->dst_mask, isa->src_net,
+ isa->src_mask, proto->spi[1], proto->proto,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr, 1, 1);
}
/*
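Review bot: The early return on L83-84 means that when deleting the egress flow fails, the ingress flow is never deleted and remains installed, so a partially failing disable leaves a stale inbound policy; for teardown it is better to attempt both deletions and report the first failure, e.g. drop the `if (error) return error;` and end with `rc = pf_key_v2_flow (…, 1, 1); return error ? error : rc;` with `int rc` declared alongside `error`. As in pf_key_v2_enable_sa, `dst` is reused on L90 for the get_src result and would read better as a separate `src` variable, and the proto walk plus address lookups are now duplicated verbatim between the two functions — a small static helper taking the `delete` flag would keep them in step. The function's signature line is above the hunk.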