authorHakan Olsson <ho@cvs.openbsd.org>1999-11-04 11:29:36 +0000
committerHakan Olsson <ho@cvs.openbsd.org>1999-11-04 11:29:36 +0000
commit44a51ab986bf9c0b9c11434059a53b52c04042bd (patch)
tree7abeec702ee0253a7397db064881d90a3f507cba /sbin/ipsecadm
parent260be88a5271a201722faf0e6e8bb0d7a7ca9afa (diff)
Support IPsec bypass flows. (ok angelos@, niklas@)
Diffstat (limited to 'sbin/ipsecadm')
-rw-r--r--sbin/ipsecadm/ipsecadm.841
-rw-r--r--sbin/ipsecadm/ipsecadm.c54
2 files changed, 77 insertions, 18 deletions
diff --git a/sbin/ipsecadm/ipsecadm.8 b/sbin/ipsecadm/ipsecadm.8
index 9abd302ebfd..c487dd61fa9 100644
--- a/sbin/ipsecadm/ipsecadm.8
+++ b/sbin/ipsecadm/ipsecadm.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecadm.8,v 1.14 1999/10/07 20:54:42 angelos Exp $
+.\" $OpenBSD: ipsecadm.8,v 1.15 1999/11/04 11:29:35 ho Exp $
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -158,10 +158,25 @@ Association. Allowed modifiers are:
.Fl sport ,
.Fl dport ,
.Fl local ,
-.Fl delete .
+.Fl delete ,
+and
+.Fl bypass .
The
.Xr netstat 1
-command shows the existing flows.
+command shows the existing flows. A
+.Nm bypass
+flow is used to specify a flow for which IPSec processing will be
+bypassed, i.e packets will not be processed by any SAs. For
+.Nm bypass
+flows, additional modifiers are restricted to:
+.Fl addr ,
+.Fl transport ,
+.Fl sport ,
+.Fl dport ,
+.Fl local ,
+and
+.Fl delete .
+These flows always have SPI 0, destination 0.0.0.0 and protocol 0.
.It bind
Associate an incoming Security Association with an outgoing Security
Association. When a socket receives packets secured by the incoming
@@ -379,6 +394,14 @@ to using a source address of 0.0.0.0 and a source network mask of
255.255.255.255.
.It delete
Instead of creating a flow, an existing flow is deleted.
+.It bypass
+For
+.Nm flow ,
+create or delete a
+.Nm bypass
+flow. Packets matching this flow will not be processed by IPSec. For
+.Nm flush ,
+only flush SAs of type bypass.
.It ah
For
.Nm flush ,
@@ -416,6 +439,18 @@ ipsecadm old ah -auth md5 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3 \e\
-key 12341234deadbeef
.Ed
.Pp
+Setup a flow using the above SA:
+.Bd -literal
+ipsecadm flow -dst 169.20.12.2 -spi 1001 -proto ah -local \e\
+ -addr 10.1.1.0 255.255.255.0 10.0.0.0 255.0.0.0.0
+.Ed
+.Pp
+Setup a bypass flow:
+.Bd -literal
+ipsecadm flow -bypass -local \e\
+ -addr 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
+.Ed
+.Pp
Delete all esp SAs and their flows and routing information:
.Bd -literal
ipsecadm flush -esp
diff --git a/sbin/ipsecadm/ipsecadm.c b/sbin/ipsecadm/ipsecadm.c
index ed766a75556..155d609951f 100644
--- a/sbin/ipsecadm/ipsecadm.c
+++ b/sbin/ipsecadm/ipsecadm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.24 1999/09/07 12:35:27 ho Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.25 1999/11/04 11:29:35 ho Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -197,6 +197,7 @@ usage()
"\t -addr <ip> <net> <ip> <net>\t subnets for flow\n"
"\t -delete\t\t\t delete specified flow\n"
"\t -local\t\t\t also create a local flow\n"
+ "\t -bypass\t\t\t create/delete a bypass flow\n"
"\t -sport\t\t\t source port for flow\n"
"\t -dport\t\t\t destination port for flow\n"
"\t -[ah|esp|oldah|oldesp|ip4]\t to flush a particular protocol\n"
@@ -234,6 +235,7 @@ main(int argc, char **argv)
struct iovec iov[20];
int cnt = 0;
u_char realkey[8192], realakey[8192];
+ int bypass = 0;
if (argc < 2)
{
@@ -500,17 +502,20 @@ main(int argc, char **argv)
if(!strcmp(argv[i] + 1, "ip4"))
smsg.sadb_msg_satype = SADB_X_SATYPE_IPIP;
else
- {
- fprintf(stderr, "%s: invalid SA type %s\n", argv[0],
- argv[i + 1]);
- exit(1);
- }
+ if(!strcmp(argv[i] + 1, "bypass"))
+ smsg.sadb_msg_satype = SADB_X_SATYPE_BYPASS;
+ else
+ {
+ fprintf(stderr, "%s: invalid SA type %s\n", argv[0],
+ argv[i + 1]);
+ exit(1);
+ }
i++;
continue;
}
if (!strcmp(argv[i] + 1, "spi") && spi == SPI_RESERVED_MIN &&
- (i + 1 < argc))
+ (i + 1 < argc) && !bypass)
{
spi = htonl(strtoul(argv[i + 1], NULL, 16));
if (spi >= SPI_RESERVED_MIN && spi <= SPI_RESERVED_MAX)
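Review bot: The re-indented error path at the `invalid SA type` fprintf prints `argv[i + 1]` although the token that was just compared is `argv[i] + 1`, so the message names the argument after the rejected flag rather than the flag itself, and when that flag is the last argument `argv[i + 1]` is the terminating NULL of argv, which must not reach `%s`; `argv[0], argv[i]` is what should be printed there. Separately, the new `!bypass` guard on the `-spi` branch means a `-spi` given after `-bypass` simply fails to match here and is left to whatever the rest of the option loop does (outside this hunk, presumably the generic unknown-option path), so the user never sees a message saying that `-spi` is not valid with `-bypass`; an explicit `if (bypass) { fprintf(stderr, "%s: -spi not allowed for bypass flows\n", argv[0]); exit(1); }` would be clearer, and the same applies to the `-dst` and `-proto` branches gated the same way later in the loop. The enclosing main() starts and ends outside this hunk.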
@@ -666,7 +671,25 @@ main(int argc, char **argv)
continue;
}
- if (!strcmp(argv[i] + 1, "transport") &&
+ if (!strcmp(argv[i] + 1, "bypass") && iscmd(mode, FLOW) && !bypass)
+ {
+ /* Setup everything for a bypass flow */
+ bypass = 1;
+ sa.sadb_sa_spi = 0;
+ sprotocol.sadb_protocol_len = 1;
+ sprotocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+ sprotocol.sadb_protocol_proto = 0;
+ smsg.sadb_msg_satype = SADB_X_SATYPE_BYPASS;
+ sad2.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ sad2.sadb_address_len = (sizeof(sad2) +
+ sizeof(struct sockaddr_in)) / 8;
+ dst.sin.sin_family = AF_INET;
+ dst.sin.sin_len = sizeof(struct sockaddr_in);
+ dstset = inet_aton("0.0.0.0", &dst.sin.sin_addr) != -1 ? 1 : 0;
+ continue;
+ }
+
+ if (!strcmp(argv[i] + 1, "transport") &&
iscmd(mode, FLOW) && (i + 1 < argc))
{
if (isalpha(argv[i + 1][0]))
@@ -699,7 +722,7 @@ main(int argc, char **argv)
continue;
}
- if (!strcmp(argv[i] + 1, "sport") &&
+ if (!strcmp(argv[i] + 1, "sport") &&
iscmd(mode, FLOW) && (i + 1 < argc))
{
if (isalpha(argv[i + 1][0]))
@@ -724,7 +747,7 @@ main(int argc, char **argv)
continue;
}
- if (!strcmp(argv[i] + 1, "dport") &&
+ if (!strcmp(argv[i] + 1, "dport") &&
iscmd(mode, FLOW) && (i + 1 < argc))
{
if (isalpha(argv[i + 1][0]))
@@ -748,7 +771,7 @@ main(int argc, char **argv)
continue;
}
- if (!strcmp(argv[i] + 1, "dst") && (i + 1 < argc))
+ if (!strcmp(argv[i] + 1, "dst") && (i + 1 < argc) && !bypass)
{
sad2.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
sad2.sadb_address_len = (sizeof(sad2) +
@@ -774,7 +797,7 @@ main(int argc, char **argv)
}
if (!strcmp(argv[i] + 1, "proto") && (i + 1 < argc) &&
- (iscmd(mode, FLOW) || iscmd(mode, GRP_SPI) ||
+ ((iscmd(mode, FLOW) && !bypass) || iscmd(mode, GRP_SPI) ||
iscmd(mode, DEL_SPI) || iscmd(mode, BINDSA)))
{
if (isalpha(argv[i + 1][0]))
@@ -930,7 +953,7 @@ main(int argc, char **argv)
exit(1);
}
- if (spi == SPI_RESERVED_MIN && !iscmd(mode, FLUSH))
+ if (spi == SPI_RESERVED_MIN && !iscmd(mode, FLUSH) && !bypass)
{
fprintf(stderr, "%s: no SPI specified\n", argv[0]);
exit(1);
@@ -949,7 +972,8 @@ main(int argc, char **argv)
exit(1);
}
- if ((iscmd(mode, DEL_SPI) || iscmd(mode, GRP_SPI) || iscmd(mode, FLOW) ||
+ if ((iscmd(mode, DEL_SPI) || iscmd(mode, GRP_SPI) ||
+ (iscmd(mode, FLOW) && !bypass) ||
iscmd(mode, BINDSA)) && proto != IPPROTO_ESP &&
proto != IPPROTO_AH && proto != IPPROTO_IPIP)
{
@@ -980,7 +1004,7 @@ main(int argc, char **argv)
exit(1);
}
- if (iscmd(mode, FLOW) && (sprotocol.sadb_protocol_proto == 0) &&
+ if (iscmd(mode, FLOW) && !bypass && (sprotocol.sadb_protocol_proto == 0) &&
(odst.sin.sin_port || osrc.sin.sin_port))
{
fprintf(stderr, "%s: no transport protocol supplied with source/destination ports\n", argv[0]);
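Review bot: Adding `!bypass` to this condition switches off the ports-without-transport check for bypass flows, yet the manual page in this same commit permits `-sport`, `-dport` and `-transport` on bypass flows, so `ipsecadm flow -bypass -sport 22 ...` is now handed to the kernel with protocol 0 and a port set, without the diagnostic a normal flow would get. The `-bypass` handler only zeroes the protocol field and the `-transport` handler is gated on the FLOW command rather than on `!bypass`, so a `-transport` given after `-bypass` presumably still fills it and the original test would work unchanged for bypass flows; I would drop the gate: `if (iscmd(mode, FLOW) && (sprotocol.sadb_protocol_proto == 0) &&`. If the kernel's bypass path deliberately ignores ports when the transport protocol is 0, that should be stated in the man page rather than silently accepted here. main() continues outside this hunk.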