author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 1998-08-01 06:12:21 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 1998-08-01 06:12:21 +0000 |
commit | 47633be64bd7c31618d702a0cc76ee01330a502f (patch) | |
tree | 7a031245a51d9f6c72161d2a60c093cb4686427c | |
parent | 1715922e158d7fbeac63b5e6e9f98e70fef82871 (diff) |
Add symbolic names for the -transport and -sport/-dport flags (from
/etc/protocols and /etc/services respectively). Document changes,
document option "ip4".
-rw-r--r-- | sbin/ipsec/ipsecadm/ipsecadm.1 | 37 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/ipsecadm.c | 42 |
2 files changed, 70 insertions, 9 deletions
diff --git a/sbin/ipsec/ipsecadm/ipsecadm.1 b/sbin/ipsec/ipsecadm/ipsecadm.1 index 6b1200b177e..6935bac2e08 100644 --- a/sbin/ipsec/ipsecadm/ipsecadm.1 +++ b/sbin/ipsec/ipsecadm/ipsecadm.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsecadm.1,v 1.14 1998/07/17 17:44:15 angelos Exp $ +.\" $OpenBSD: ipsecadm.1,v 1.15 1998/08/01 06:12:19 angelos Exp $ .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. .\" @@ -100,6 +100,18 @@ hashes will be used for authentication. Allowed modifiers are: .Fl auth , and .Fl key . +.It ip4 +Setup an SPI which uses the IP-in-IP encapsulation protocol. This mode +offers no security services by itself, but can be used to route other +(experimental or otherwise) protocols over an IP network. The SPI value +is not used for anything other than referencing the information, and +does not appear on the wire. Unlike other setups, like new esp, there +is no necessary setup in the receiving side. Allowed modifiers are: +.Fl dst , +.Fl src , +.Fl spi , +and +.Fl tunnel . .It delspi The specified Security Association (SA) will be deleted. An SA consists of the destination address, SPI and security protocol. Allowed modifiers are: @@ -217,6 +229,8 @@ or to uniquely specify the SA. The default value is 50 which means .Nm IPPROTO_ESP . +One can also specify the symbolic names "esp", "ah", and "ip4", +case insensitive. .It chain Delete the whole SPI chain, otherwise delete only the SPI given. .It dst2 
@@ -230,20 +244,30 @@ The second security protocol used by .Nm group . It defaults to .Nm IPPROTO_AH . +One can also specify the symbolic names "esp", "ah", and "ip4", +case insensitive. .It addr The source address, source network mask, destination address and destination network mask against which packets need to match to use the specified Security Association. .It transport The protocol number which packets need to match to use the specified -Security Association. Per default the protocol number is not used for -matching. +Security Association. By default the protocol number is not used for +matching. Instead of a number, a valid protocol name that appears in +.Xr protocols 5 +can be used. .It sport The source port which packets have to match for the flow. -Per default the source port is not used for matching. +By default the source port is not used for matching. +Instead of a number, a valid service name that appears in +.Xr services 5 +can be used. .It dport The destination port which packets have to match for the flow. -Per default the source port is not used for matching. +By default the source port is not used for matching. +Instead of a number, a valid service name that appears in +.Xr services 5 +can be used. .It local The .Nm flow @@ -267,6 +291,9 @@ ipsecadm old ah -auth md5 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3 -key 12341234deadbeef .Ed .Sh SEE ALSO +.Xr services 5 , +.Xr protocols 5 , .Xr netstat 1 , .Xr ipsec 4 , +.Xr vpn 8 , .Xr photurisd 8 . diff --git a/sbin/ipsec/ipsecadm/ipsecadm.c b/sbin/ipsec/ipsecadm/ipsecadm.c index 4979f6bcba4..29a980b694e 100644 --- a/sbin/ipsec/ipsecadm/ipsecadm.c +++ b/sbin/ipsec/ipsecadm/ipsecadm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecadm.c,v 1.17 1998/07/29 21:02:54 angelos Exp $ */ +/* $OpenBSD: ipsecadm.c,v 1.18 1998/08/01 06:12:20 angelos Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and 
@@ -178,6 +178,9 @@ main(argc, argv) u_int32_t spi = 0, spi2 = 0; struct in_addr src, dst, dst2, osrc, odst, osmask, odmask; u_char *ivp = NULL, *keyp = NULL, *authp = NULL; + struct protoent *tp; + struct servent *svp; + char *transportproto = NULL; osrc.s_addr = odst.s_addr = src.s_addr = dst.s_addr = dst2.s_addr = 0; osmask.s_addr = odmask.s_addr = 0; @@ -296,15 +299,46 @@ main(argc, argv) odmask.s_addr = inet_addr(argv[i+1]); i++; } else if (!strcmp(argv[i]+1, "transport") && iscmd(mode, FLOW) && i+1 < argc) { - tproto = atoi(argv[i+1]); + if (isalpha(argv[i+1][0])) { + tp = getprotobyname(argv[i+1]); + if (tp == NULL) { + fprintf(stderr, "%s: unknown protocol %s\n", argv[0], argv[i+1]); + exit(1); + } + tproto = tp->p_proto; + transportproto = argv[i+1]; + } else { + tproto = atoi(argv[i+1]); + tp = getprotobynumber(tproto); + if (tp == NULL) + transportproto = "UNKNOWN"; + else + transportproto = tp->p_name; /* This is static, but it doesn't matter for this application */ + } i++; } else if (!strcmp(argv[i]+1, "sport") && iscmd(mode, FLOW) && i+1 < argc) { - sport = atoi(argv[i+1]); + if (isalpha(argv[i+1][0])) { + svp = getservbyname(argv[i+1], transportproto); + if (svp == NULL) { + fprintf(stderr, "%s: unknown service port %s for protocol %s\n", argv[0], argv[i+1], transportproto); + exit(1); + } + sport = svp->s_port; + } else + sport = atoi(argv[i+1]); i++; } else if (!strcmp(argv[i]+1, "dport") && iscmd(mode, FLOW) && i+1 < argc) { - dport = atoi(argv[i+1]); + if (isalpha(argv[i+1][0])) { + svp = getservbyname(argv[i+1], transportproto); + if (svp == NULL) { + fprintf(stderr, "%s: unknown service port %s for protocol %s\n", argv[0], argv[i+1], transportproto); + exit(1); + } + dport = svp->s_port; + } else + dport = atoi(argv[i+1]); i++; } else if (!strcmp(argv[i]+1, "dst") && i+1 < argc) { dst.s_addr = inet_addr(argv[i+1]); |
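Review bot: In the new -sport and -dport branches, `transportproto` is still NULL when the port flag precedes -transport on the command line, so the error path `fprintf(stderr, "%s: unknown service port %s for protocol %s\n", argv[0], argv[i+1], transportproto)` hands a NULL pointer to `%s`, which is undefined behaviour and crashes on libcs that do not print "(null)"; print `transportproto ? transportproto : "any"` there (getservbyname() itself accepts the NULL to mean any protocol, so the lookup is fine). Separately, `svp->s_port` is in network byte order while the `atoi()` path yields host order, so unless the flow-building code later in main() (outside this hunk) treats the two differently, one of them ends up byte-swapped; `sport = ntohs(svp->s_port);` (and likewise for dport) keeps the variable consistent with the numeric path — confirm against the later htons() usage. The three `isalpha(argv[i+1][0])` calls should cast the argument to `(unsigned char)` to avoid undefined behaviour on negative char values, and the numeric paths still accept out-of-range or non-numeric values through `atoi()` without any check. main() begins and ends outside the hunk.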