author | Christian Weisgerber <naddy@cvs.openbsd.org> | 2006-06-02 15:43:38 +0000 |
---|---|---|
committer | Christian Weisgerber <naddy@cvs.openbsd.org> | 2006-06-02 15:43:38 +0000 |
commit | 91d71383641fdc673fbe4f3fa8ee5acab22e3bb6 (patch) | |
tree | 2c00d261d9d24559e3e9e380d9a6a6ed6ee3555e | |
parent | 16f51895c695dd96d7876b703d69137146fd3da4 (diff) |
support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@
-rw-r--r-- | sbin/ipsecctl/ike.c | 16 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 24 |
2 files changed, 34 insertions, 6 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 095f3ee7024..3e21ddbdfaf 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.35 2006/06/02 05:59:31 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.36 2006/06/02 15:43:37 naddy Exp $ */
 /*
 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 *
@@ -44,8 +44,8 @@ static int ike_section_qm(struct ipsec_addr_wrap *, struct
 FILE *);
 static int ike_section_mm(struct ipsec_addr_wrap *, struct ipsec_transforms *, FILE *, struct ike_auth *);
-static void ike_section_qmids(u_int8_t, struct ipsec_addr_wrap *, struct
- ipsec_addr_wrap *, FILE *);
+static void ike_section_qmids(u_int8_t, struct ipsec_addr_wrap *,
+ u_int16_t, struct ipsec_addr_wrap *, u_int16_t, FILE *);
 static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct
 ipsec_addr_wrap *, FILE *);
 static int ike_gen_config(struct ipsec_rule *, FILE *);
@@ -376,7 +376,7 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
 static void
 ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src,
- struct ipsec_addr_wrap *dst, FILE *fd)
+ u_int16_t sport, struct ipsec_addr_wrap *dst, u_int16_t dport, FILE *fd)
 {
 char mask[NI_MAXHOST], *network, *p;
 struct sockaddr sa;
@@ -465,6 +465,12 @@ ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src,
 fprintf(fd, SET "[lid-%s]:Protocol=%d force\n", src->name, proto);
 fprintf(fd, SET "[rid-%s]:Protocol=%d force\n", dst->name, proto);
 }
+ if (sport)
+ fprintf(fd, SET "[lid-%s]:Port=%d force\n", src->name,
+ ntohs(sport));
+ if (dport)
+ fprintf(fd, SET "[rid-%s]:Port=%d force\n", src->name,
+ ntohs(dport));
 }
 static int
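Review bot: The new `[rid-%s]:Port=` line passes `src->name` as the section name, while the `[rid-%s]:Protocol=` line two lines above names the remote-ID section with `dst->name`; so the destination port ends up in a `rid-` section keyed by the local address and, unless the two names happen to coincide, the `rid-<dst>` section that the Protocol= line populates never receives a Port= setting. The practical effect is a policy quietly wider than the rule asked for: the port restriction the parser now accepts is applied on the local ID but not on the remote one. The fix is one token: `fprintf(fd, SET "[rid-%s]:Port=%d force\n", dst->name,`. A short comment that `sport`/`dport` are expected in network byte order would also help callers, since the `ntohs()` here is the only hint; ike_section_qmids begins before this hunk.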
@@ -498,7 +504,7 @@ ike_gen_config(struct ipsec_rule *r, FILE *fd)
 ike_section_ipsec(r->src, r->dst, r->peer, fd);
 if (ike_section_qm(r->src, r->dst, r->satype, r->qmxfs, fd) == -1)
 return (-1);
- ike_section_qmids(r->proto, r->src, r->dst, fd);
+ ike_section_qmids(r->proto, r->src, r->sport, r->dst, r->dport, fd);
 if (ike_connect(r->ikemode, r->src, r->dst, fd) == -1)
 return (-1);
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index d1bc03cac6f..37aa641c9e8 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.96 2006/06/02 05:59:31 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.97 2006/06/02 15:43:37 naddy Exp $ */
 /*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -2238,7 +2238,29 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,
 r->proto = proto;
 r->src = hosts->src;
+ r->sport = hosts->sport;
 r->dst = hosts->dst;
+ r->dport = hosts->dport;
+ if ((hosts->sport != 0 || hosts->dport != 0) &&
+ (proto != IPPROTO_TCP && proto != IPPROTO_UDP)) {
+ yyerror("no protocol supplied with source/destination ports");
+ free(r);
+ free(hosts->src);
+ free(hosts->dst);
+ if (mainmode) {
+ free(mainmode->xfs);
+ free(mainmode->life);
+ }
+ if (quickmode) {
+ free(quickmode->xfs);
+ free(quickmode->life);
+ }
+ if (srcid)
+ free(srcid);
+ if (dstid)
+ free(dstid);
+ return NULL;
+ }
 if (peers->dst == NULL) {
 /* Set peer to remote host. Must be a host address. */ |
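Review bot: The new error path in create_ike frees `hosts->src`/`hosts->dst` and the `xfs`/`life` members of `mainmode`/`quickmode`, but touches nothing in `peers` (`peers->src`, `peers->dst`), even though the very next line reads `peers->dst`; if those are heap objects owned here the same way `hosts->src` is — the grammar actions that build them are outside this hunk — a rejected rule leaks them, so this is worth confirming. The `if (srcid) free(srcid);` and `if (dstid) free(dstid);` guards are redundant, since `free(NULL)` is a no-op, and can be collapsed to `free(srcid); free(dstid);`. If create_ike has further failure returns below this point (the `peers->dst == NULL` branch that follows looks like the start of one), moving this release list under a single `errout:` label would keep the cleanup in one place instead of duplicating it at each return. create_ike begins and ends outside this hunk.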