authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-11-06 10:52:28 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-11-06 10:52:28 +0000
commit0ed7cc68d000b132c08c7d2818ca200320af2e11 (patch)
tree76056a3e3ac9ead47599b7c46bf378c1081765c4 /sbin/ipsecctl
parent53c1a0a9cb11d56e4f92519803feafce9f050ac8 (diff)
better handling of ip addresses, prepare for v6. Partially derived from diff
by todd@. Work in progress.
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r--sbin/ipsecctl/ike.c6
-rw-r--r--sbin/ipsecctl/ipsecctl.c19
-rw-r--r--sbin/ipsecctl/ipsecctl.h14
-rw-r--r--sbin/ipsecctl/parse.y11
-rw-r--r--sbin/ipsecctl/pfkey.c58
5 files changed, 67 insertions, 41 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 88afca8bba5..def5d1fcc05 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.6 2005/10/28 07:18:47 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.7 2005/11/06 10:52:27 hshoexer Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -239,7 +239,7 @@ ike_section_qmids(struct ipsec_addr *src, struct ipsec_addr *dst, FILE *fd)
char *mask, *network, *p;
if (src->netaddress) {
- mask = inet_ntoa(src->v4mask.mask);
+ mask = inet_ntoa(src->mask.v4);
if ((network = strdup(src->name)) == NULL)
err(1, "ike_section_qmids: strdup");
if ((p = strrchr(network, '/')) != NULL)
@@ -259,7 +259,7 @@ ike_section_qmids(struct ipsec_addr *src, struct ipsec_addr *dst, FILE *fd)
src->name);
}
if (dst->netaddress) {
- mask = inet_ntoa(dst->v4mask.mask);
+ mask = inet_ntoa(dst->mask.v4);
if ((network = strdup(dst->name)) == NULL)
err(1, "ike_section_qmids: strdup");
if ((p = strrchr(network, '/')) != NULL)
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index 80ad8e7c81f..12a2c04da2c 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.29 2005/10/30 19:50:23 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.30 2005/11/06 10:52:27 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -30,6 +30,7 @@
#include <err.h>
#include <errno.h>
#include <fcntl.h>
+#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
@@ -197,24 +198,22 @@ ipsecctl_add_rule(struct ipsecctl *ipsec, struct ipsec_rule *r)
void
ipsecctl_print_addr(struct ipsec_addr *ipa)
{
- u_int32_t mask;
- char buf[48];
+ char buf[NI_MAXHOST];
if (ipa == NULL) {
printf("?");
return;
}
- if (inet_ntop(ipa->af, &ipa->v4, buf, sizeof(buf)) == NULL)
+ if (inet_ntop(ipa->af, &ipa->address, buf, sizeof(buf)) == NULL)
printf("?");
else
printf("%s", buf);
- if (ipa->v4mask.mask32 != 0xffffffff) {
- mask = ntohl(ipa->v4mask.mask32);
- if (mask == 0)
- printf("/0");
- else
- printf("/%d", 32 - ffs((int) mask) + 1);
+ switch (ipa->af) {
+ case AF_INET:
+ if (ipa->prefixlen != 32)
+ printf("/%d", ipa->prefixlen);
+ break;
}
}
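Review bot: The new `switch (ipa->af)` at the end of ipsecctl_print_addr has only an AF_INET case and no `default:`, so an address of any other family is printed with no prefix and no hint that the family is unsupported; adding `default: break;` (or `default: printf("?"); break;`) makes the omission explicit, in the same spirit as the existing `printf("?")` for a NULL argument. Separately, `inet_ntop(ipa->af, &ipa->address, buf, sizeof(buf))` now passes the `address` union, which per the ipsecctl.h hunk holds only a `struct in_addr`; if `af` were AF_INET6 that call would read 16 bytes from a 4-byte object. In the visible hunks `af` is only ever assigned AF_INET, so this is a forward-looking concern for the announced v6 work rather than a live bug, but the switch is the natural place to guard it until a v6 member exists.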
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 88725c879ee..7a5178b1f1d 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.18 2005/10/30 19:50:23 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.19 2005/11/06 10:52:27 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -69,11 +69,15 @@ enum {
};
struct ipsec_addr {
- struct in_addr v4;
union {
- struct in_addr mask;
- u_int32_t mask32;
- } v4mask;
+ struct in_addr v4;
+ u_int32_t addr32;
+ } address;
+ union {
+ struct in_addr v4;
+ u_int32_t mask32;
+ } mask;
+ u_int8_t prefixlen;
int netaddress;
sa_family_t af;
char *name;
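Review bot: The new `address`, `mask` and `prefixlen` members carry no comment on byte order or units, and the two unions are easy to confuse because both have a `v4` member. The parse.y hunk stores the mask with `htonl()` and mask2prefixlen in pfkey.c applies `ntohl()` before `ffs()`, so `mask.mask32` is in network byte order while `prefixlen` is a bit count; I would annotate them as `} mask; /* network byte order */` and `u_int8_t prefixlen; /* bits; 0-32 for AF_INET */`. A one-line comment on `address` noting that only the AF_INET member is populated so far would also help readers of the several `switch (…->af)` blocks in this diff. The remainder of the struct continues outside the hunk.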
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 74bc45cd570..1501bc73142 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.31 2005/10/30 20:42:11 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.32 2005/11/06 10:52:27 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -1073,21 +1073,22 @@ host_v4(const char *s, int mask)
if (ipa == NULL)
err(1, "host_v4: calloc");
- ipa->v4 = ina;
+ ipa->address.v4 = ina;
ipa->name = strdup(s);
if (ipa->name == NULL)
err(1, "host_v4: strdup");
ipa->af = AF_INET;
if (bits == 32) {
- ipa->v4mask.mask32 = 0xffffffff;
+ ipa->mask.mask32 = 0xffffffff;
ipa->netaddress = 0;
} else {
for (i = 31; i > 31 - bits; i--)
- ipa->v4mask.mask32 |= (1 << i);
- ipa->v4mask.mask32 = htonl(ipa->v4mask.mask32);
+ ipa->mask.mask32 |= (1 << i);
+ ipa->mask.mask32 = htonl(ipa->mask.mask32);
ipa->netaddress = 1;
}
+ ipa->prefixlen = bits;
return (ipa);
}
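Review bot: `ipa->mask.mask32 |= (1 << i);` shifts a signed `int` by up to 31, and `1 << 31` is undefined behaviour in C99/C11 because the result is not representable in `int`; shift an unsigned constant instead, `ipa->mask.mask32 |= (1U << i);`. The expression predates this commit (only the member name changed), but the line is rewritten here so it is the right moment to correct it. The new `ipa->prefixlen = bits;` narrows an `int` into a `u_int8_t`; the range check on `bits` is not in the hunk, so I assume it is validated earlier in host_v4, whose body begins outside the hunk.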
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index 6b71fea466c..292771201e8 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.26 2005/10/30 19:50:24 hshoexer Exp $ */
+/* $OpenBSD: pfkey.c,v 1.27 2005/11/06 10:52:27 hshoexer Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
* Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -49,6 +49,7 @@ static int pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t,
struct ipsec_transforms *, struct ipsec_key *,
struct ipsec_key *);
static int pfkey_reply(int);
+static u_int8_t mask2prefixlen(const in_addr_t);
int pfkey_parse(struct sadb_msg *, struct ipsec_rule *);
int pfkey_ipsec_flush(void);
int pfkey_ipsec_establish(int, struct ipsec_rule *);
@@ -74,10 +75,10 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
bzero(&smask, sizeof(smask));
switch (src->af) {
case AF_INET:
- ((struct sockaddr_in *)&ssrc)->sin_addr = src->v4;
+ ((struct sockaddr_in *)&ssrc)->sin_addr = src->address.v4;
ssrc.ss_len = sizeof(struct sockaddr_in);
ssrc.ss_family = AF_INET;
- ((struct sockaddr_in *)&smask)->sin_addr = src->v4mask.mask;
+ ((struct sockaddr_in *)&smask)->sin_addr = src->mask.v4;
break;
case AF_INET6:
default:
@@ -91,10 +92,10 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
bzero(&dmask, sizeof(dmask));
switch (dst->af) {
case AF_INET:
- ((struct sockaddr_in *)&sdst)->sin_addr = dst->v4;
+ ((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4;
sdst.ss_len = sizeof(struct sockaddr_in);
sdst.ss_family = AF_INET;
- ((struct sockaddr_in *)&dmask)->sin_addr = dst->v4mask.mask;
+ ((struct sockaddr_in *)&dmask)->sin_addr = dst->mask.v4;
break;
case AF_INET6:
default:
@@ -108,7 +109,8 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
if (peer) {
switch (peer->af) {
case AF_INET:
- ((struct sockaddr_in *)&speer)->sin_addr = peer->v4;
+ ((struct sockaddr_in *)&speer)->sin_addr =
+ peer->address.v4;
speer.ss_len = sizeof(struct sockaddr_in);
speer.ss_family = AF_INET;
break;
@@ -319,7 +321,7 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct
bzero(&ssrc, sizeof(ssrc));
switch (src->af) {
case AF_INET:
- ((struct sockaddr_in *)&ssrc)->sin_addr = src->v4;
+ ((struct sockaddr_in *)&ssrc)->sin_addr = src->address.v4;
ssrc.ss_len = sizeof(struct sockaddr_in);
ssrc.ss_family = AF_INET;
break;
@@ -332,7 +334,7 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct
bzero(&sdst, sizeof(sdst));
switch (dst->af) {
case AF_INET:
- ((struct sockaddr_in *)&sdst)->sin_addr = dst->v4;
+ ((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4;
sdst.ss_len = sizeof(struct sockaddr_in);
sdst.ss_family = AF_INET;
break;
@@ -559,6 +561,15 @@ pfkey_reply(int sd)
return 0;
}
+static u_int8_t
+mask2prefixlen(const in_addr_t ina)
+{
+ if (ina == 0)
+ return 0;
+ else
+ return (33 - ffs(ntohl(ina)));
+}
+
int
pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
{
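Review bot: mask2prefixlen has no comment stating its contract, and its result is only meaningful for a contiguous netmask: `33 - ffs(ntohl(ina))` counts from the lowest set bit, so a mask with a hole in it (for example, constructed, 0xff00ff00) yields a prefix length that does not describe the mask, and the callers in the later pfkey_parse hunks (the `rule->src->prefixlen` and `rule->dst->prefixlen` assignments) store that value unchecked. I would document it above the definition: `/* ina is in network byte order; assumes a contiguous mask, otherwise the result does not describe it. */`. `ffs()` takes an `int` while `ntohl()` returns a `u_int32_t`; the implicit conversion is fine on the usual targets, but an explicit `(int)` cast, as the removed ipsecctl.c code had, would make the intent visible. The `const` on the by-value parameter in both prototype and definition is a nit with no effect on callers.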
@@ -567,6 +578,7 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
struct sadb_protocol *sproto;
struct sadb_ident *sident;
struct sockaddr *sa;
+ struct sockaddr_in *sa_in;
int len;
switch (msg->sadb_msg_satype) {
@@ -601,10 +613,12 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
switch (sa->sa_family) {
case AF_INET:
bcopy(&((struct sockaddr_in *)sa)->sin_addr,
- &rule->local->v4, sizeof(struct in_addr));
- memset(&rule->local->v4mask, 0xff,
+ &rule->local->addressv4,
+ sizeof(struct in_addr));
+ memset(&rule->local->mask.mask32, 0xff,
sizeof(u_int32_t));
rule->local->af = AF_INET;
+ rule->local->prefixlen = 32;
break;
default:
return (1);
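Review bot: `&rule->local->addressv4,` on the new side does not name a member of `struct ipsec_addr` as defined in the ipsecctl.h hunk, which has an `address` union with a `v4` member; the sibling hunk for `rule->peer` writes `&rule->peer->address.v4`. Unless the header declares an `addressv4` member outside the hunk, this line will not compile as rendered here and should read `&rule->local->address.v4,`. pfkey_parse's body continues outside the hunk.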
@@ -624,10 +638,12 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
switch (sa->sa_family) {
case AF_INET:
bcopy(&((struct sockaddr_in *)sa)->sin_addr,
- &rule->peer->v4, sizeof(struct in_addr));
- memset(&rule->peer->v4mask, 0xff,
+ &rule->peer->address.v4,
+ sizeof(struct in_addr));
+ memset(&rule->peer->mask.mask32, 0xff,
sizeof(u_int32_t));
rule->peer->af = AF_INET;
+ rule->peer->prefixlen = 32;
break;
default:
return (1);
@@ -728,7 +744,8 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
switch (sa->sa_family) {
case AF_INET:
bcopy(&((struct sockaddr_in *)sa)->sin_addr,
- &rule->src->v4, sizeof(struct in_addr));
+ &rule->src->address.v4,
+ sizeof(struct in_addr));
rule->src->af = AF_INET;
break;
default:
@@ -750,7 +767,8 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
switch (sa->sa_family) {
case AF_INET:
bcopy(&((struct sockaddr_in *)sa)->sin_addr,
- &rule->dst->v4, sizeof(struct in_addr));
+ &rule->dst->address.v4,
+ sizeof(struct in_addr));
rule->dst->af = AF_INET;
break;
@@ -773,10 +791,12 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
switch (sa->sa_family) {
case AF_INET:
- bcopy(&((struct sockaddr_in *)sa)->sin_addr,
- &rule->src->v4mask.mask,
+ sa_in = (struct sockaddr_in *)sa;
+ bcopy(&sa_in->sin_addr, &rule->src->mask.v4,
sizeof(struct in_addr));
rule->src->af = AF_INET;
+ rule->src->prefixlen =
+ mask2prefixlen(sa_in->sin_addr.s_addr);
break;
default:
@@ -797,10 +817,12 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
switch (sa->sa_family) {
case AF_INET:
- bcopy(&((struct sockaddr_in *)sa)->sin_addr,
- &rule->dst->v4mask.mask,
+ sa_in = (struct sockaddr_in *)sa;
+ bcopy(&sa_in->sin_addr, &rule->dst->mask.v4,
sizeof(struct in_addr));
rule->dst->af = AF_INET;
+ rule->dst->prefixlen =
+ mask2prefixlen(sa_in->sin_addr.s_addr);
break;
default: