authorHakan Olsson <ho@cvs.openbsd.org>1999-08-05 22:02:06 +0000
committerHakan Olsson <ho@cvs.openbsd.org>1999-08-05 22:02:06 +0000
commitfb9b18407ae107ff9aadc3cb9d4bda66eb95fa31 (patch)
treed1e61f240863fb3e8c7719965269fbd9fc622ff9 /sbin/ipsecadm
parentb0ccaf798ef44fd8ca5e731c31c2327f0f3dae16 (diff)
Add 'ipsecadm flush' to do what 'route flush -encap' doesn't manage.
Sync manpage and fix a couple of typos.
Diffstat (limited to 'sbin/ipsecadm')
-rw-r--r--sbin/ipsecadm/ipsecadm.844
-rw-r--r--sbin/ipsecadm/ipsecadm.c69
2 files changed, 95 insertions, 18 deletions
diff --git a/sbin/ipsecadm/ipsecadm.8 b/sbin/ipsecadm/ipsecadm.8
index 2c4f869032c..a925f8ca69d 100644
--- a/sbin/ipsecadm/ipsecadm.8
+++ b/sbin/ipsecadm/ipsecadm.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecadm.8,v 1.11 1999/07/09 13:35:49 aaron Exp $
+.\" $OpenBSD: ipsecadm.8,v 1.12 1999/08/05 22:02:05 ho Exp $
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -139,7 +139,7 @@ Allowed modifiers are:
and
.Fl chain .
.It group
-Group two SA's together. Allowed modifiers are:
+Group two SAs together. Allowed modifiers are:
.Fl dst ,
.Fl spi ,
.Fl proto ,
@@ -163,7 +163,7 @@ The
.Xr netstat 1
command shows the existing flows.
.It bind
-Associate an incoming Security Assoication with and outgoing Security
+Associate an incoming Security Association with an outgoing Security
Association. When a socket receives packets secured by the incoming
SA all responses will be processed by the outgoing SA. Allowed modifiers
are:
@@ -180,6 +180,17 @@ and
.Fl dst .
This can be useful while travelling where the IP address of potential
clients is not known.
+.It flush
+Flush SAs from from kernel. This includes flushing any flows and
+routing entries associated with the SAs. Allowed modifiers are:
+.Fl ah ,
+.Fl esp ,
+.Fl oldah ,
+.Fl oldesp ,
+and
+.Fl ip4 .
+Default action is to flush all types of security associations
+from the kernel.
.El
.Pp
If no command is given
@@ -365,9 +376,29 @@ The
.Nm flow
command also creates a flow which matches local packets. This is aquivalent
to using a source address of 0.0.0.0 and a source network mask of
-255.255.255.0.
+255.255.255.255.
.It delete
Instead of creating a flow, an existing flow is deleted.
+.It ah
+For
+.Nm flush ,
+only flush SAs of type ah.
+.It esp
+For
+.Nm flush ,
+only flush SAs of type esp.
+.It oldah
+For
+.Nm flush ,
+only flush SAs of type old ah.
+.It oldesp
+For
+.Nm flush ,
+only flush SAs of type old esp.
+.It ip4
+For
+.Nm flush ,
+only flush SAs of type ip4.
.El
.Sh EXAMPLE
Setup a SA which uses new esp with 3des encryption and HMAC-SHA1
@@ -384,6 +415,11 @@ Setup a SA for authentication with old ah only:
ipsecadm old ah -auth md5 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3 \e\
-key 12341234deadbeef
.Ed
+.Pp
+Delete all esp SAs and their flows and routing information:
+.Bd -literal
+ipsecadm flush -esp
+.Ed
.Sh SEE ALSO
.Xr netstat 1 ,
.Xr ipsec 4 ,
diff --git a/sbin/ipsecadm/ipsecadm.c b/sbin/ipsecadm/ipsecadm.c
index 889d44166fb..c728c614fd1 100644
--- a/sbin/ipsecadm/ipsecadm.c
+++ b/sbin/ipsecadm/ipsecadm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.21 1999/07/15 14:56:26 niklas Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.22 1999/08/05 22:02:04 ho Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -73,6 +73,7 @@
#define GRP_SPI 0x40
#define FLOW 0x50
#define BINDSA 0x60
+#define FLUSH 0x70
#define ENC_IP 0x80
#define CMD_MASK 0xf0
@@ -178,7 +179,7 @@ usage()
{
fprintf(stderr, "usage: ipsecadm [command] <modifier...>\n"
"\tCommands: new esp, old esp, new ah, old ah, group, delspi, ip4\n"
- "\t\t flow, bind\n"
+ "\t\t flow, bind, flush\n"
"\tPossible modifiers:\n"
"\t -enc <alg>\t\t\t encryption algorithm\n"
"\t -auth <alg>\t\t\t authentication algorithm\n"
@@ -196,6 +197,7 @@ usage()
"\t -addr <ip> <net> <ip> <net>\t subnets for flow\n"
"\t -delete\t\t\t delete specified flow\n"
"\t -local\t\t\t also create a local flow\n"
+ "\t -[ah|esp|oldah|oldesp|ip4]\t to flush a particular protocol\n"
"\talso: dst2, spi2, proto2\n"
);
}
@@ -366,18 +368,27 @@ main(int argc, char **argv)
i++;
}
else
- if (!strcmp(argv[1], "ip4"))
+ if (!strcmp(argv[1], "flush"))
{
- mode = ENC_IP;
- smsg.sadb_msg_type = SADB_ADD;
- smsg.sadb_msg_satype = SADB_X_SATYPE_IPIP;
+ mode = FLUSH;
+ smsg.sadb_msg_type = SADB_FLUSH;
+ smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
i++;
}
- else
- {
- fprintf(stderr, "%s: unknown command: %s", argv[0], argv[1]);
- exit(1);
- }
+ else
+ if (!strcmp(argv[1], "ip4"))
+ {
+ mode = ENC_IP;
+ smsg.sadb_msg_type = SADB_ADD;
+ smsg.sadb_msg_satype = SADB_X_SATYPE_IPIP;
+ i++;
+ }
+ else
+ {
+ fprintf(stderr, "%s: unknown command: %s", argv[0],
+ argv[1]);
+ exit(1);
+ }
for (i++; i < argc; i++)
{
@@ -469,6 +480,32 @@ main(int argc, char **argv)
continue;
}
+ if (iscmd(mode, FLUSH) && smsg.sadb_msg_satype == SADB_SATYPE_UNSPEC)
+ {
+ if(!strcmp(argv[i] + 1, "esp"))
+ smsg.sadb_msg_satype = SADB_SATYPE_ESP;
+ else
+ if(!strcmp(argv[i] + 1, "ah"))
+ smsg.sadb_msg_satype = SADB_SATYPE_AH;
+ else
+ if(!strcmp(argv[i] + 1, "oldesp"))
+ smsg.sadb_msg_satype = SADB_X_SATYPE_ESP_OLD;
+ else
+ if(!strcmp(argv[i] + 1, "oldah"))
+ smsg.sadb_msg_satype = SADB_X_SATYPE_AH_OLD;
+ else
+ if(!strcmp(argv[i] + 1, "ip4"))
+ smsg.sadb_msg_satype = SADB_X_SATYPE_IPIP;
+ else
+ {
+ fprintf(stderr, "%s: invalid SA type %s\n", argv[0],
+ argv[i + 1]);
+ exit(1);
+ }
+ i++;
+ continue;
+ }
+
if (!strcmp(argv[i] + 1, "spi") && spi == SPI_RESERVED_MIN &&
(i + 1 < argc))
{
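Review bot: The error path of the new type-modifier block reports `argv[i + 1]` although the token it rejected is `argv[i]`; when the bad modifier is the last argument, `argv[i + 1]` is the NULL that terminates argv, so the `%s` conversion receives a null pointer. The line should read `fprintf(stderr, "%s: invalid SA type %s\n", argv[0], argv[i]);`, which also prints the modifier exactly as the user typed it. The unconditional `i++` before `continue` looks suspicious as well: the `-esp`/`-ah`/`-oldah`/`-oldesp`/`-ip4` flags take no value, so together with the loop's own increment it appears to silently skip whatever argument follows them; if that is not intended, drop the `i++`. The enclosing main() and its argument loop begin and end outside this hunk, so the interaction with the loop header should be confirmed there.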
@@ -889,7 +926,7 @@ main(int argc, char **argv)
exit(1);
}
- if (spi == SPI_RESERVED_MIN)
+ if (spi == SPI_RESERVED_MIN && !iscmd(mode, FLUSH))
{
fprintf(stderr, "%s: no SPI specified\n", argv[0]);
exit(1);
@@ -926,7 +963,7 @@ main(int argc, char **argv)
exit(1);
}
- if (!dstset)
+ if (!dstset && !iscmd(mode, FLUSH))
{
fprintf(stderr, "%s: no destination address for the SA specified\n",
argv[0]);
@@ -1178,10 +1215,14 @@ main(int argc, char **argv)
iov[cnt++].iov_len = sizeof(struct sockaddr_in);
smsg.sadb_msg_len += sad7.sadb_address_len;
break;
+
+ case FLUSH:
+ /* No more work needed. */
+ break;
+
}
}
xf_set(iov, cnt, smsg.sadb_msg_len * 8);
exit (0);
}
-