diff options
author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2005-11-06 10:52:28 +0000 |
---|---|---|
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2005-11-06 10:52:28 +0000 |
commit | 0ed7cc68d000b132c08c7d2818ca200320af2e11 (patch) | |
tree | 76056a3e3ac9ead47599b7c46bf378c1081765c4 /sbin/ipsecctl | |
parent | 53c1a0a9cb11d56e4f92519803feafce9f050ac8 (diff) |
better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- | sbin/ipsecctl/ike.c | 6 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 19 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 14 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 11 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkey.c | 58 |
5 files changed, 67 insertions, 41 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c index 88afca8bba5..def5d1fcc05 100644 --- a/sbin/ipsecctl/ike.c +++ b/sbin/ipsecctl/ike.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike.c,v 1.6 2005/10/28 07:18:47 hshoexer Exp $ */ +/* $OpenBSD: ike.c,v 1.7 2005/11/06 10:52:27 hshoexer Exp $ */ /* * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -239,7 +239,7 @@ ike_section_qmids(struct ipsec_addr *src, struct ipsec_addr *dst, FILE *fd) char *mask, *network, *p; if (src->netaddress) { - mask = inet_ntoa(src->v4mask.mask); + mask = inet_ntoa(src->mask.v4); if ((network = strdup(src->name)) == NULL) err(1, "ike_section_qmids: strdup"); if ((p = strrchr(network, '/')) != NULL) @@ -259,7 +259,7 @@ ike_section_qmids(struct ipsec_addr *src, struct ipsec_addr *dst, FILE *fd) src->name); } if (dst->netaddress) { - mask = inet_ntoa(dst->v4mask.mask); + mask = inet_ntoa(dst->mask.v4); if ((network = strdup(dst->name)) == NULL) err(1, "ike_section_qmids: strdup"); if ((p = strrchr(network, '/')) != NULL) diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c index 80ad8e7c81f..12a2c04da2c 100644 --- a/sbin/ipsecctl/ipsecctl.c +++ b/sbin/ipsecctl/ipsecctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.c,v 1.29 2005/10/30 19:50:23 hshoexer Exp $ */ +/* $OpenBSD: ipsecctl.c,v 1.30 2005/11/06 10:52:27 hshoexer Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -30,6 +30,7 @@ #include <err.h> #include <errno.h> #include <fcntl.h> +#include <netdb.h> #include <stdio.h> #include <stdlib.h> #include <strings.h> @@ -197,24 +198,22 @@ ipsecctl_add_rule(struct ipsecctl *ipsec, struct ipsec_rule *r) void ipsecctl_print_addr(struct ipsec_addr *ipa) { - u_int32_t mask; - char buf[48]; + char buf[NI_MAXHOST]; if (ipa == NULL) { printf("?"); return; } - if (inet_ntop(ipa->af, &ipa->v4, buf, sizeof(buf)) == NULL) + if (inet_ntop(ipa->af, &ipa->address, buf, sizeof(buf)) == NULL) printf("?"); else printf("%s", buf); - if (ipa->v4mask.mask32 != 0xffffffff) { - mask = ntohl(ipa->v4mask.mask32); - if (mask == 0) - printf("/0"); - else - printf("/%d", 32 - ffs((int) mask) + 1); + switch (ipa->af) { + case AF_INET: + if (ipa->prefixlen != 32) + printf("/%d", ipa->prefixlen); + break; } } diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h index 88725c879ee..7a5178b1f1d 100644 --- a/sbin/ipsecctl/ipsecctl.h +++ b/sbin/ipsecctl/ipsecctl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.h,v 1.18 2005/10/30 19:50:23 hshoexer Exp $ */ +/* $OpenBSD: ipsecctl.h,v 1.19 2005/11/06 10:52:27 hshoexer Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -69,11 +69,15 @@ enum { }; struct ipsec_addr { - struct in_addr v4; union { - struct in_addr mask; - u_int32_t mask32; - } v4mask; + struct in_addr v4; + u_int32_t addr32; + } address; + union { + struct in_addr v4; + u_int32_t mask32; + } mask; + u_int8_t prefixlen; int netaddress; sa_family_t af; char *name; diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y index 74bc45cd570..1501bc73142 100644 --- a/sbin/ipsecctl/parse.y +++ b/sbin/ipsecctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.31 2005/10/30 20:42:11 hshoexer Exp $ */ +/* $OpenBSD: parse.y,v 1.32 2005/11/06 10:52:27 hshoexer Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -1073,21 +1073,22 @@ host_v4(const char *s, int mask) if (ipa == NULL) err(1, "host_v4: calloc"); - ipa->v4 = ina; + ipa->address.v4 = ina; ipa->name = strdup(s); if (ipa->name == NULL) err(1, "host_v4: strdup"); ipa->af = AF_INET; if (bits == 32) { - ipa->v4mask.mask32 = 0xffffffff; + ipa->mask.mask32 = 0xffffffff; ipa->netaddress = 0; } else { for (i = 31; i > 31 - bits; i--) - ipa->v4mask.mask32 |= (1 << i); - ipa->v4mask.mask32 = htonl(ipa->v4mask.mask32); + ipa->mask.mask32 |= (1 << i); + ipa->mask.mask32 = htonl(ipa->mask.mask32); ipa->netaddress = 1; } + ipa->prefixlen = bits; return (ipa); } diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c index 6b71fea466c..292771201e8 100644 --- a/sbin/ipsecctl/pfkey.c +++ b/sbin/ipsecctl/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.26 2005/10/30 19:50:24 hshoexer Exp $ */ +/* $OpenBSD: pfkey.c,v 1.27 2005/11/06 10:52:27 hshoexer Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> @@ -49,6 +49,7 @@ static int pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t, struct ipsec_transforms *, struct ipsec_key *, struct ipsec_key *); static int pfkey_reply(int); +static u_int8_t mask2prefixlen(const in_addr_t); int pfkey_parse(struct sadb_msg *, struct ipsec_rule *); int pfkey_ipsec_flush(void); int pfkey_ipsec_establish(int, struct ipsec_rule *); @@ -74,10 +75,10 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction, bzero(&smask, sizeof(smask)); switch (src->af) { case AF_INET: - ((struct sockaddr_in *)&ssrc)->sin_addr = src->v4; + ((struct sockaddr_in *)&ssrc)->sin_addr = src->address.v4; ssrc.ss_len = sizeof(struct sockaddr_in); ssrc.ss_family = AF_INET; - ((struct sockaddr_in *)&smask)->sin_addr = src->v4mask.mask; + ((struct sockaddr_in *)&smask)->sin_addr = src->mask.v4; break; case AF_INET6: default: @@ -91,10 +92,10 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction, bzero(&dmask, sizeof(dmask)); switch (dst->af) { case AF_INET: - ((struct sockaddr_in *)&sdst)->sin_addr = dst->v4; + ((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4; sdst.ss_len = sizeof(struct sockaddr_in); sdst.ss_family = AF_INET; - ((struct sockaddr_in *)&dmask)->sin_addr = dst->v4mask.mask; + ((struct sockaddr_in *)&dmask)->sin_addr = dst->mask.v4; break; case AF_INET6: default: @@ -108,7 +109,8 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction, if (peer) { switch (peer->af) { case AF_INET: - ((struct sockaddr_in *)&speer)->sin_addr = peer->v4; + ((struct sockaddr_in *)&speer)->sin_addr = + peer->address.v4; speer.ss_len = sizeof(struct sockaddr_in); speer.ss_family = AF_INET; break; @@ -319,7 +321,7 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct bzero(&ssrc, sizeof(ssrc)); switch (src->af) { case AF_INET: - ((struct sockaddr_in *)&ssrc)->sin_addr = src->v4; + ((struct sockaddr_in *)&ssrc)->sin_addr = src->address.v4; ssrc.ss_len = sizeof(struct sockaddr_in); ssrc.ss_family = AF_INET; break; @@ -332,7 +334,7 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct bzero(&sdst, sizeof(sdst)); switch (dst->af) { case AF_INET: - ((struct sockaddr_in *)&sdst)->sin_addr = dst->v4; + ((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4; sdst.ss_len = sizeof(struct sockaddr_in); sdst.ss_family = AF_INET; break; @@ -559,6 +561,15 @@ pfkey_reply(int sd) return 0; } +static u_int8_t +mask2prefixlen(const in_addr_t ina) +{ + if (ina == 0) + return 0; + else + return (33 - ffs(ntohl(ina))); +} + int pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) { @@ -567,6 +578,7 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) struct sadb_protocol *sproto; struct sadb_ident *sident; struct sockaddr *sa; + struct sockaddr_in *sa_in; int len; switch (msg->sadb_msg_satype) { @@ -601,10 +613,12 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) switch (sa->sa_family) { case AF_INET: bcopy(&((struct sockaddr_in *)sa)->sin_addr, - &rule->local->v4, sizeof(struct in_addr)); - memset(&rule->local->v4mask, 0xff, + &rule->local->addressv4, + sizeof(struct in_addr)); + memset(&rule->local->mask.mask32, 0xff, sizeof(u_int32_t)); rule->local->af = AF_INET; + rule->local->prefixlen = 32; break; default: return (1); @@ -624,10 +638,12 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) switch (sa->sa_family) { case AF_INET: bcopy(&((struct sockaddr_in *)sa)->sin_addr, - &rule->peer->v4, sizeof(struct in_addr)); - memset(&rule->peer->v4mask, 0xff, + &rule->peer->address.v4, + sizeof(struct in_addr)); + memset(&rule->peer->mask.mask32, 0xff, sizeof(u_int32_t)); rule->peer->af = AF_INET; + rule->peer->prefixlen = 32; break; default: return (1); @@ -728,7 +744,8 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) switch (sa->sa_family) { case AF_INET: bcopy(&((struct sockaddr_in *)sa)->sin_addr, - &rule->src->v4, sizeof(struct in_addr)); + &rule->src->address.v4, + sizeof(struct in_addr)); rule->src->af = AF_INET; break; default: @@ -750,7 +767,8 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) switch (sa->sa_family) { case AF_INET: bcopy(&((struct sockaddr_in *)sa)->sin_addr, - &rule->dst->v4, sizeof(struct in_addr)); + &rule->dst->address.v4, + sizeof(struct in_addr)); rule->dst->af = AF_INET; break; @@ -773,10 +791,12 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) switch (sa->sa_family) { case AF_INET: - bcopy(&((struct sockaddr_in *)sa)->sin_addr, - &rule->src->v4mask.mask, + sa_in = (struct sockaddr_in *)sa; + bcopy(&sa_in->sin_addr, &rule->src->mask.v4, sizeof(struct in_addr)); rule->src->af = AF_INET; + rule->src->prefixlen = + mask2prefixlen(sa_in->sin_addr.s_addr); break; default: @@ -797,10 +817,12 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) switch (sa->sa_family) { case AF_INET: - bcopy(&((struct sockaddr_in *)sa)->sin_addr, - &rule->dst->v4mask.mask, + sa_in = (struct sockaddr_in *)sa; + bcopy(&sa_in->sin_addr, &rule->dst->mask.v4, sizeof(struct in_addr)); rule->dst->af = AF_INET; + rule->dst->prefixlen = + mask2prefixlen(sa_in->sin_addr.s_addr); break; default: |