authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-11-06 22:51:52 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-11-06 22:51:52 +0000
commiteed8947e2af0f261141c0d993d16945efa384ad4 (patch)
tree25c78107f8e74d8077afcfae9166535035afd091 /sbin/ipsecctl
parent747c07a75f4130f3532c23135765feac47017f4b (diff)
Improved address and address mask handling, derived from pfctl stuff.
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r--sbin/ipsecctl/ike.c46
-rw-r--r--sbin/ipsecctl/ipsecctl.c35
-rw-r--r--sbin/ipsecctl/ipsecctl.h38
-rw-r--r--sbin/ipsecctl/parse.y111
-rw-r--r--sbin/ipsecctl/pfkey.c55
5 files changed, 155 insertions, 130 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index def5d1fcc05..71c845d1d28 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.7 2005/11/06 10:52:27 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.8 2005/11/06 22:51:51 hshoexer Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -30,19 +30,20 @@
#include "ipsecctl.h"
-static void ike_section_peer(struct ipsec_addr *, FILE *);
-static void ike_section_ids(struct ipsec_addr *, struct ipsec_auth *,
+static void ike_section_peer(struct ipsec_addr_wrap *, FILE *);
+static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
FILE *);
-static void ike_section_ipsec(struct ipsec_addr *, struct ipsec_addr *,
- struct ipsec_addr *, FILE *);
-static int ike_section_qm(struct ipsec_addr *, struct ipsec_addr *,
- u_int8_t, struct ipsec_transforms *, FILE *);
-static int ike_section_mm(struct ipsec_addr *, struct ipsec_transforms *,
- FILE *);
-static void ike_section_qmids(struct ipsec_addr *, struct ipsec_addr *,
- FILE *);
-static int ike_connect(u_int8_t, struct ipsec_addr *, struct ipsec_addr *,
+static void ike_section_ipsec(struct ipsec_addr_wrap *, struct
+ ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *);
+static int ike_section_qm(struct ipsec_addr_wrap *, struct
+ ipsec_addr_wrap *, u_int8_t, struct ipsec_transforms *,
FILE *);
+static int ike_section_mm(struct ipsec_addr_wrap *, struct
+ ipsec_transforms *, FILE *);
+static void ike_section_qmids(struct ipsec_addr_wrap *, struct
+ ipsec_addr_wrap *, FILE *);
+static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct
+ ipsec_addr_wrap *, FILE *);
static int ike_gen_config(struct ipsec_rule *, FILE *);
static int ike_delete_config(struct ipsec_rule *, FILE *);
@@ -54,7 +55,7 @@ int ike_ipsec_establish(int, struct ipsec_rule *);
#define DELETE "C rms "
static void
-ike_section_peer(struct ipsec_addr *peer, FILE *fd)
+ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd)
{
fprintf(fd, SET "[Phase 1]:%s=peer-%s force\n", peer->name, peer->name);
fprintf(fd, SET "[peer-%s]:Phase=1 force\n", peer->name);
@@ -62,7 +63,7 @@ ike_section_peer(struct ipsec_addr *peer, FILE *fd)
}
static void
-ike_section_ids(struct ipsec_addr *peer, struct ipsec_auth *auth, FILE *fd)
+ike_section_ids(struct ipsec_addr_wrap *peer, struct ipsec_auth *auth, FILE *fd)
{
if (auth == NULL)
return;
@@ -84,8 +85,8 @@ ike_section_ids(struct ipsec_addr *peer, struct ipsec_auth *auth, FILE *fd)
}
static void
-ike_section_ipsec(struct ipsec_addr *src, struct ipsec_addr *dst, struct
- ipsec_addr *peer, FILE *fd)
+ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
+ struct ipsec_addr_wrap *peer, FILE *fd)
{
fprintf(fd, SET "[IPsec-%s-%s]:Phase=2 force\n", src->name, dst->name);
fprintf(fd, SET "[IPsec-%s-%s]:ISAKMP-peer=peer-%s force\n", src->name,
@@ -99,8 +100,8 @@ ike_section_ipsec(struct ipsec_addr *src, struct ipsec_addr *dst, struct
}
static int
-ike_section_qm(struct ipsec_addr *src, struct ipsec_addr *dst, u_int8_t proto,
- struct ipsec_transforms *qmxfs, FILE *fd)
+ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
+ u_int8_t proto, struct ipsec_transforms *qmxfs, FILE *fd)
{
fprintf(fd, SET "[qm-%s-%s]:EXCHANGE_TYPE=QUICK_MODE force\n",
src->name, dst->name);
@@ -175,7 +176,7 @@ ike_section_qm(struct ipsec_addr *src, struct ipsec_addr *dst, u_int8_t proto,
}
static int
-ike_section_mm(struct ipsec_addr *peer, struct ipsec_transforms *mmxfs,
+ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
FILE *fd)
{
if (!(mmxfs->authxf || mmxfs->encxf))
@@ -234,7 +235,8 @@ ike_section_mm(struct ipsec_addr *peer, struct ipsec_transforms *mmxfs,
}
static void
-ike_section_qmids(struct ipsec_addr *src, struct ipsec_addr *dst, FILE *fd)
+ike_section_qmids(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
+ FILE *fd)
{
char *mask, *network, *p;
@@ -281,8 +283,8 @@ ike_section_qmids(struct ipsec_addr *src, struct ipsec_addr *dst, FILE *fd)
}
static int
-ike_connect(u_int8_t mode, struct ipsec_addr *src, struct ipsec_addr *dst,
- FILE *fd)
+ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
+ *dst, FILE *fd)
{
switch (mode) {
case IKE_ACTIVE:
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index 12a2c04da2c..f8641570962 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.30 2005/11/06 10:52:27 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.31 2005/11/06 22:51:51 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -43,7 +43,7 @@ int ipsecctl_rules(char *, int);
FILE *ipsecctl_fopen(const char *, const char *);
int ipsecctl_commit(int, struct ipsecctl *);
int ipsecctl_add_rule(struct ipsecctl *, struct ipsec_rule *);
-void ipsecctl_print_addr(struct ipsec_addr *);
+void ipsecctl_print_addr(struct ipsec_addr_wrap *);
void ipsecctl_print_key(struct ipsec_key *);
void ipsecctl_print_flow(struct ipsec_rule *, int);
void ipsecctl_print_sa(struct ipsec_rule *, int);
@@ -55,6 +55,7 @@ void ipsecctl_show_flows(int);
void ipsecctl_show_sas(int);
void usage(void);
const char *ipsecctl_lookup_option(char *, const char **);
+static int unmask(struct ipsec_addr *, sa_family_t);
const char *infile; /* Used by parse.y */
const char *showopt;
@@ -196,8 +197,9 @@ ipsecctl_add_rule(struct ipsecctl *ipsec, struct ipsec_rule *r)
}
void
-ipsecctl_print_addr(struct ipsec_addr *ipa)
+ipsecctl_print_addr(struct ipsec_addr_wrap *ipa)
{
+ int bits;
char buf[NI_MAXHOST];
if (ipa == NULL) {
@@ -209,12 +211,9 @@ ipsecctl_print_addr(struct ipsec_addr *ipa)
else
printf("%s", buf);
- switch (ipa->af) {
- case AF_INET:
- if (ipa->prefixlen != 32)
- printf("/%d", ipa->prefixlen);
- break;
- }
+ bits = unmask(&ipa->mask, ipa->af);
+ if (bits != (ipa->af == AF_INET ? 32 : 128))
+ printf("/%d", bits);
}
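Review bot: The new `bits != (ipa->af == AF_INET ? 32 : 128)` test in ipsecctl_print_addr widens what gets a "/N" suffix: the old switch printed nothing for any family other than AF_INET, whereas the new code treats every non-AF_INET family as 128-bit, so a wrapper whose af was never set (the ANY path in parse.y calloc's the wrapper; whether it assigns af is outside this diff) would print "/0" after the host. Guarding on the two families the code actually knows, `if (ipa->af == AF_INET || ipa->af == AF_INET6)` around the unmask call, keeps the old behaviour for everything else. A one-line comment such as `/* print prefix only when it is not the host mask */` would also make the 32/128 comparison self-explanatory.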
void
@@ -553,3 +552,21 @@ main(int argc, char *argv[])
exit(error);
}
+
+static int
+unmask(struct ipsec_addr *ipa, sa_family_t af)
+{
+ int i = 31, j = 0, b = 0;
+ u_int32_t tmp;
+
+ while (j < 4 && ipa->addr32[j] == 0xffffffff) {
+ b += 32;
+ j++;
+ }
+ if (j < 4) {
+ tmp = ntohl(ipa->addr32[j]);
+ for (i = 31; tmp & (1 << i); --i)
+ b++;
+ }
+ return (b);
+}
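Review bot: `tmp & (1 << i)` in unmask() starts at i = 31, and `1 << 31` on an int is undefined behaviour in C (the result is not representable); use an unsigned constant, `for (i = 31; tmp & (1U << i); --i)`, the same fix pfctl's copy of this loop eventually needs. The `af` parameter is accepted but never read, so the scan always walks all four words even for AF_INET, where words 1–3 are only zero because the wrapper was calloc'd; either bound the loop by family (`j < (af == AF_INET ? 1 : 4)`) or drop the parameter. A short header comment, `/* count leading one bits of a network-order mask; assumes a contiguous mask */`, would record the contiguity assumption the loop relies on.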
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 7a5178b1f1d..dbda9d40a75 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.19 2005/11/06 10:52:27 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.20 2005/11/06 22:51:51 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -70,17 +70,25 @@ enum {
struct ipsec_addr {
union {
- struct in_addr v4;
- u_int32_t addr32;
- } address;
- union {
- struct in_addr v4;
- u_int32_t mask32;
- } mask;
- u_int8_t prefixlen;
- int netaddress;
- sa_family_t af;
- char *name;
+ struct in_addr v4;
+ struct in6_addr v6;
+ u_int8_t addr8[16];
+ u_int16_t addr16[8];
+ u_int32_t addr32[4];
+ } ipa;
+#define v4 ipa.v4
+#define v6 ipa.v6
+#define addr8 ipa.addr8
+#define addr16 ipa.addr16
+#define addr32 ipa.addr32
+};
+
+struct ipsec_addr_wrap {
+ struct ipsec_addr address;
+ struct ipsec_addr mask;
+ int netaddress;
+ sa_family_t af;
+ char *name;
};
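Review bot: The five `#define v4 ipa.v4` … `#define addr32 ipa.addr32` macros are bare, unguarded global identifiers, so every file that includes ipsecctl.h has any token named `v4`, `v6`, `addr8`, `addr16` or `addr32` silently rewritten, including locals and fields of unrelated structs; a later `struct in_addr v4;` in parse.y would expand to `struct in_addr ipa.v4;` and fail to compile, and a field `addr32` in another struct would be redirected without warning. This mirrors pfvar.h, but it is worth at least a comment above the block, `/* shorthand for the anonymous union; these names are reserved in every file including this header */`, or spelling the accesses as `.ipa.v4` and dropping the macros. If the macros stay, `#undef` them at the end of the header is the cheaper containment.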
struct ipsec_auth {
@@ -115,9 +123,9 @@ extern const struct ipsec_xf encxfs[];
struct ipsec_rule {
u_int8_t type;
- struct ipsec_addr *src;
- struct ipsec_addr *dst;
- struct ipsec_addr *peer;
+ struct ipsec_addr_wrap *src;
+ struct ipsec_addr_wrap *dst;
+ struct ipsec_addr_wrap *peer;
struct ipsec_auth *auth;
struct ipsec_transforms *xfs;
struct ipsec_transforms *mmxfs;
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 1501bc73142..91e8e0d34ad 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.32 2005/11/06 10:52:27 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.33 2005/11/06 22:51:51 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -111,29 +111,31 @@ int atospi(char *, u_int32_t *);
u_int8_t x2i(unsigned char *);
struct ipsec_key *parsekey(unsigned char *, size_t);
struct ipsec_key *parsekeyfile(char *);
-struct ipsec_addr *host(const char *);
-struct ipsec_addr *host_v4(const char *, int);
-struct ipsec_addr *copyhost(const struct ipsec_addr *);
+struct ipsec_addr_wrap *host(const char *);
+struct ipsec_addr_wrap *host_v4(const char *, int);
+void set_ipmask(struct ipsec_addr_wrap *, u_int8_t);
+struct ipsec_addr_wrap *copyhost(const struct ipsec_addr_wrap *);
const struct ipsec_xf *parse_xf(const char *, const struct ipsec_xf *);
struct ipsec_transforms *transforms(const char *, const char *, const char *);
struct ipsec_transforms *copytransforms(const struct ipsec_transforms *);
int validate_sa(u_int32_t, u_int8_t,
struct ipsec_transforms *, struct ipsec_key *,
struct ipsec_key *);
-struct ipsec_rule *create_sa(u_int8_t, struct ipsec_addr *,
- struct ipsec_addr *, u_int32_t,
+struct ipsec_rule *create_sa(u_int8_t, struct ipsec_addr_wrap *,
+ struct ipsec_addr_wrap *, u_int32_t,
struct ipsec_transforms *, struct ipsec_key *,
struct ipsec_key *);
struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t,
struct ipsec_key *, struct ipsec_key *);
-struct ipsec_rule *create_flow(u_int8_t, struct ipsec_addr *, struct
- ipsec_addr *, struct ipsec_addr *, u_int8_t,
- char *, char *, u_int16_t);
+struct ipsec_rule *create_flow(u_int8_t, struct ipsec_addr_wrap *, struct
+ ipsec_addr_wrap *, struct ipsec_addr_wrap *,
+ u_int8_t, char *, char *, u_int16_t);
struct ipsec_rule *reverse_rule(struct ipsec_rule *);
-struct ipsec_rule *create_ike(struct ipsec_addr *, struct ipsec_addr *,
- struct ipsec_addr *, struct ipsec_transforms *,
- struct ipsec_transforms *, u_int8_t, u_int8_t,
- char *, char *);
+struct ipsec_rule *create_ike(struct ipsec_addr_wrap *, struct
+ ipsec_addr_wrap *, struct ipsec_addr_wrap *,
+ struct ipsec_transforms *, struct
+ ipsec_transforms *, u_int8_t, u_int8_t, char *,
+ char *);
typedef struct {
union {
@@ -143,11 +145,11 @@ typedef struct {
char *string;
u_int8_t protocol;
struct {
- struct ipsec_addr *src;
- struct ipsec_addr *dst;
+ struct ipsec_addr_wrap *src;
+ struct ipsec_addr_wrap *dst;
} hosts;
- struct ipsec_addr *peer;
- struct ipsec_addr *host;
+ struct ipsec_addr_wrap *peer;
+ struct ipsec_addr_wrap *host;
struct {
char *srcid;
char *dstid;
@@ -365,9 +367,9 @@ host : STRING {
free(buf);
}
| ANY {
- struct ipsec_addr *ipa;
+ struct ipsec_addr_wrap *ipa;
- ipa = calloc(1, sizeof(struct ipsec_addr));
+ ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
if (ipa == NULL)
err(1, "host: calloc");
@@ -1007,10 +1009,10 @@ parsekeyfile(char *filename)
return (parsekey(hex, sb.st_size));
}
-struct ipsec_addr *
+struct ipsec_addr_wrap *
host(const char *s)
{
- struct ipsec_addr *ipa = NULL;
+ struct ipsec_addr_wrap *ipa = NULL;
int mask, v4mask, cont = 1;
char *p, *q, *ps;
@@ -1053,12 +1055,12 @@ host(const char *s)
return (ipa);
}
-struct ipsec_addr *
+struct ipsec_addr_wrap *
host_v4(const char *s, int mask)
{
- struct ipsec_addr *ipa = NULL;
+ struct ipsec_addr_wrap *ipa = NULL;
struct in_addr ina;
- int i, bits = 32;
+ int bits = 32;
bzero(&ina, sizeof(struct in_addr));
if (strrchr(s, '/') != NULL) {
@@ -1069,7 +1071,7 @@ host_v4(const char *s, int mask)
return (NULL);
}
- ipa = calloc(1, sizeof(struct ipsec_addr));
+ ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
if (ipa == NULL)
err(1, "host_v4: calloc");
@@ -1079,30 +1081,42 @@ host_v4(const char *s, int mask)
err(1, "host_v4: strdup");
ipa->af = AF_INET;
- if (bits == 32) {
- ipa->mask.mask32 = 0xffffffff;
- ipa->netaddress = 0;
- } else {
- for (i = 31; i > 31 - bits; i--)
- ipa->mask.mask32 |= (1 << i);
- ipa->mask.mask32 = htonl(ipa->mask.mask32);
+ set_ipmask(ipa, bits);
+ if (bits != (ipa->af == AF_INET ? 32 : 128))
ipa->netaddress = 1;
- }
- ipa->prefixlen = bits;
return (ipa);
}
-struct ipsec_addr *
-copyhost(const struct ipsec_addr *src)
+void
+set_ipmask(struct ipsec_addr_wrap *address, u_int8_t b)
+{
+ struct ipsec_addr *ipa;
+ int i, j = 0;
+
+ ipa = &address->mask;
+ bzero(ipa, sizeof(struct ipsec_addr));
+
+ while (b >= 32) {
+ ipa->addr32[j++] = 0xffffffff;
+ b -= 32;
+ }
+ for (i = 31; i > 31 - b; --i)
+ ipa->addr32[j] |= (1 << i);
+ if (b)
+ ipa->addr32[j] = htonl(ipa->addr32[j]);
+}
+
+struct ipsec_addr_wrap *
+copyhost(const struct ipsec_addr_wrap *src)
{
- struct ipsec_addr *dst;
+ struct ipsec_addr_wrap *dst;
- dst = calloc(1, sizeof(struct ipsec_addr));
+ dst = calloc(1, sizeof(struct ipsec_addr_wrap));
if (dst == NULL)
err(1, "copyhost: calloc");
- memcpy(dst, src, sizeof(struct ipsec_addr));
+ memcpy(dst, src, sizeof(struct ipsec_addr_wrap));
if ((dst->name = strdup(src->name)) == NULL)
err(1, "copyhost: strdup");
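Review bot: set_ipmask() indexes `ipa->addr32[j++]` once per 32 bits of `b` with no upper bound, so any `b` above 128 writes past the 16-byte `struct ipsec_addr` mask into the rest of the wrapper (netaddress, af and the `name` pointer); `b` is a u_int8_t, so 255 would reach addr32[7]. Whether host_v4 rejects "/N" with N > 32 before calling this is outside the hunk, so the function should defend itself: `if (b > 128) b = 128; /* never index past addr32[3] */` at the top, or return an error. The bit loop also has the `1 << 31` undefined-behaviour problem, so write `ipa->addr32[j] |= (1U << i);`. In host_v4 the `bits != (ipa->af == AF_INET ? 32 : 128)` test is always a comparison with 32 because af was set to AF_INET two lines earlier; a comment saying the expression is written for a future AF_INET6 path would stop readers from hunting for the v6 case.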
@@ -1244,9 +1258,9 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,
}
struct ipsec_rule *
-create_sa(u_int8_t protocol, struct ipsec_addr *src, struct ipsec_addr *dst,
- u_int32_t spi, struct ipsec_transforms *xfs, struct ipsec_key *authkey,
- struct ipsec_key *enckey)
+create_sa(u_int8_t protocol, struct ipsec_addr_wrap *src, struct
+ ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_transforms *xfs,
+ struct ipsec_key *authkey, struct ipsec_key *enckey)
{
struct ipsec_rule *r;
@@ -1295,9 +1309,9 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
}
struct ipsec_rule *
-create_flow(u_int8_t dir, struct ipsec_addr *src, struct ipsec_addr *dst,
- struct ipsec_addr *peer, u_int8_t proto, char *srcid, char *dstid,
- u_int16_t authtype)
+create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
+ *dst, struct ipsec_addr_wrap *peer, u_int8_t proto, char *srcid, char
+ *dstid, u_int16_t authtype)
{
struct ipsec_rule *r;
@@ -1403,9 +1417,10 @@ reverse_rule(struct ipsec_rule *rule)
}
struct ipsec_rule *
-create_ike(struct ipsec_addr *src, struct ipsec_addr *dst, struct ipsec_addr *
- peer, struct ipsec_transforms *mmxfs, struct ipsec_transforms *qmxfs,
- u_int8_t proto, u_int8_t mode, char *srcid, char *dstid)
+create_ike(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct
+ ipsec_addr_wrap * peer, struct ipsec_transforms *mmxfs, struct
+ ipsec_transforms *qmxfs, u_int8_t proto, u_int8_t mode, char *srcid, char
+ *dstid)
{
struct ipsec_rule *r;
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index 292771201e8..e6299ba0923 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.27 2005/11/06 10:52:27 hshoexer Exp $ */
+/* $OpenBSD: pfkey.c,v 1.28 2005/11/06 22:51:51 hshoexer Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
* Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -42,14 +42,13 @@ static int fd;
static u_int32_t sadb_msg_seq = 1;
static int pfkey_flow(int, u_int8_t, u_int8_t, u_int8_t,
- struct ipsec_addr *, struct ipsec_addr *,
- struct ipsec_addr *, struct ipsec_auth *, u_int8_t);
+ struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
+ struct ipsec_addr_wrap *, struct ipsec_auth *, u_int8_t);
static int pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t,
- struct ipsec_addr *, struct ipsec_addr *,
+ struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
struct ipsec_transforms *, struct ipsec_key *,
struct ipsec_key *);
static int pfkey_reply(int);
-static u_int8_t mask2prefixlen(const in_addr_t);
int pfkey_parse(struct sadb_msg *, struct ipsec_rule *);
int pfkey_ipsec_flush(void);
int pfkey_ipsec_establish(int, struct ipsec_rule *);
@@ -57,8 +56,8 @@ int pfkey_init(void);
static int
pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
- struct ipsec_addr *src, struct ipsec_addr *dst, struct ipsec_addr *peer,
- struct ipsec_auth *auth, u_int8_t flowtype)
+ struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
+ struct ipsec_addr_wrap *peer, struct ipsec_auth *auth, u_int8_t flowtype)
{
struct sadb_msg smsg;
struct sadb_address sa_src, sa_dst, sa_peer, sa_smask, sa_dmask;
@@ -305,9 +304,10 @@ out:
}
static int
-pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct
- ipsec_addr *src, struct ipsec_addr *dst, struct ipsec_transforms *xfs,
- struct ipsec_key *authkey, struct ipsec_key *enckey)
+pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi,
+ struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
+ struct ipsec_transforms *xfs, struct ipsec_key *authkey,
+ struct ipsec_key *enckey)
{
struct sadb_msg smsg;
struct sadb_sa sa;
@@ -561,15 +561,6 @@ pfkey_reply(int sd)
return 0;
}
-static u_int8_t
-mask2prefixlen(const in_addr_t ina)
-{
- if (ina == 0)
- return 0;
- else
- return (33 - ffs(ntohl(ina)));
-}
-
int
pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
{
@@ -606,19 +597,17 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
saddr = (struct sadb_address *)ext;
sa = (struct sockaddr *)(saddr + 1);
- rule->local = calloc(1, sizeof(struct ipsec_addr));
+ rule->local = calloc(1, sizeof(struct ipsec_addr_wrap));
if (rule->local == NULL)
err(1, "pfkey_parse: malloc");
switch (sa->sa_family) {
case AF_INET:
bcopy(&((struct sockaddr_in *)sa)->sin_addr,
- &rule->local->addressv4,
+ &rule->local->address.v4,
sizeof(struct in_addr));
- memset(&rule->local->mask.mask32, 0xff,
- sizeof(u_int32_t));
+ rule->local->mask.addr32[0] = 0xffffffff;
rule->local->af = AF_INET;
- rule->local->prefixlen = 32;
break;
default:
return (1);
@@ -631,7 +620,7 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
saddr = (struct sadb_address *)ext;
sa = (struct sockaddr *)(saddr + 1);
- rule->peer = calloc(1, sizeof(struct ipsec_addr));
+ rule->peer = calloc(1, sizeof(struct ipsec_addr_wrap));
if (rule->peer == NULL)
err(1, "pfkey_parse: malloc");
@@ -640,10 +629,8 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
bcopy(&((struct sockaddr_in *)sa)->sin_addr,
&rule->peer->address.v4,
sizeof(struct in_addr));
- memset(&rule->peer->mask.mask32, 0xff,
- sizeof(u_int32_t));
+ rule->peer->mask.addr32[0] = 0xffffffff;
rule->peer->af = AF_INET;
- rule->peer->prefixlen = 32;
break;
default:
return (1);
@@ -736,7 +723,7 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
if (rule->src == NULL) {
rule->src = calloc(1,
- sizeof(struct ipsec_addr));
+ sizeof(struct ipsec_addr_wrap));
if (rule->src == NULL)
err(1, "pfkey_parse: calloc");
}
@@ -759,7 +746,7 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
if (rule->dst == NULL) {
rule->dst = calloc(1,
- sizeof(struct ipsec_addr));
+ sizeof(struct ipsec_addr_wrap));
if (rule->dst == NULL)
err(1, "pfkey_parse: calloc");
}
@@ -784,7 +771,7 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
if (rule->src == NULL) {
rule->src = calloc(1,
- sizeof(struct ipsec_addr));
+ sizeof(struct ipsec_addr_wrap));
if (rule->src == NULL)
err(1, "pfkey_parse: calloc");
}
@@ -795,8 +782,6 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
bcopy(&sa_in->sin_addr, &rule->src->mask.v4,
sizeof(struct in_addr));
rule->src->af = AF_INET;
- rule->src->prefixlen =
- mask2prefixlen(sa_in->sin_addr.s_addr);
break;
default:
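Review bot: With mask2prefixlen() gone, the src mask received from the kernel is copied verbatim into `rule->src->mask.v4` and nothing checks that it is a contiguous prefix; a non-contiguous mask (which a flow installed by another tool could carry) is later rendered by the new unmask() as whatever number of leading ones it has, so "ipsecctl -s" would show a prefix that does not describe the installed flow. The old code at least reduced it to one number via ffs() at this point. A comment such as `/* kernel mask taken as-is; display assumes a contiguous prefix */` would record the assumption, or a check that `~ntohl(s_addr) + 1` is a power of two could warn on the odd case. The dst branch below has the same shape.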
@@ -810,7 +795,7 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
if (rule->dst == NULL) {
rule->dst = calloc(1,
- sizeof(struct ipsec_addr));
+ sizeof(struct ipsec_addr_wrap));
if (rule->dst == NULL)
err(1, "pfkey_parse: calloc");
}
@@ -821,8 +806,6 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
bcopy(&sa_in->sin_addr, &rule->dst->mask.v4,
sizeof(struct in_addr));
rule->dst->af = AF_INET;
- rule->dst->prefixlen =
- mask2prefixlen(sa_in->sin_addr.s_addr);
break;
default: