authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-05-25 17:10:27 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-05-25 17:10:27 +0000
commit4eb61071299ce7d3f774c24c01938c6dac25442b (patch)
treefcb55f20ff0f4cd5c0b605c5a477f7f1c97c3573 /sbin/ipsecctl
parentc1c699a3751f3de69a497a5e1f79fd1f7c964887 (diff)
prepare for new sysctl interface, not used yet
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r--sbin/ipsecctl/ipsecctl.c3
-rw-r--r--sbin/ipsecctl/ipsecctl.h5
-rw-r--r--sbin/ipsecctl/pfkey.c223
-rw-r--r--sbin/ipsecctl/pfkey.h28
4 files changed, 252 insertions, 7 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index fdd5a185dfb..dd8bb185bd4 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.6 2005/05/23 22:48:17 kjell Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.7 2005/05/25 17:10:26 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -36,6 +36,7 @@
#include <unistd.h>
#include "ipsecctl.h"
+#include "pfkey.h"
int ipsecctl_rules(char *, int);
FILE *ipsecctl_fopen(const char *, const char *);
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index e8fef4fec6b..2a7be598c06 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.3 2005/05/23 20:25:54 kjell Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.4 2005/05/25 17:10:26 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -81,8 +81,5 @@ struct ipsecctl {
int parse_rules(FILE *, struct ipsecctl *);
int ipsecctl_add_rule(struct ipsecctl * ipsec, struct ipsec_rule *);
void ipsecctl_get_rules(struct ipsecctl *);
-int pfkey_ipsec_establish(struct ipsec_rule *);
-int pfkey_ipsec_flush(void);
-int pfkey_init(void);
#endif /* _IPSECCTL_H_ */
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index 8e809a9179e..8600842614d 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.2 2005/04/04 22:22:55 hshoexer Exp $ */
+/* $OpenBSD: pfkey.c,v 1.3 2005/05/25 17:10:26 hshoexer Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
* Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -33,8 +33,8 @@
#include <unistd.h>
#include "ipsecctl.h"
+#include "pfkey.h"
-#define PFKEYV2_CHUNK sizeof(u_int64_t)
#define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1))
#define IOV_CNT 20
@@ -317,6 +317,225 @@ pfkey_reply(int sd)
}
int
+pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
+{
+ struct sadb_ext *ext;
+ struct sadb_address *saddr;
+ struct sadb_protocol *sproto;
+ struct sadb_ident *sident;
+ struct sockaddr *sa;
+ int len;
+
+ switch (msg->sadb_msg_satype) {
+ case IPPROTO_ESP:
+ rule->proto = IPSEC_ESP;
+ break;
+ case IPPROTO_AH:
+ rule->proto = IPSEC_AH;
+ break;
+ case IPPROTO_IPCOMP:
+ default:
+ return (1);
+ }
+
+ for (ext = (struct sadb_ext *)(msg + 1);
+ (size_t)((u_int8_t *)ext - (u_int8_t *)msg) <
+ msg->sadb_msg_len * PFKEYV2_CHUNK;
+ ext = (struct sadb_ext *)((u_int8_t *)ext +
+ ext->sadb_ext_len * PFKEYV2_CHUNK)) {
+
+ switch (ext->sadb_ext_type) {
+ case SADB_EXT_ADDRESS_SRC:
+#if 0
+ saddr = (struct sadb_address *)ext;
+ sa = (struct sockaddr *)(saddr + 1);
+
+ rule->peer = calloc(1, sizeof(struct ipsec_addr));
+ if (rule->peer == NULL)
+ err(1, "malloc");
+
+ switch (sa->sa_family) {
+ case AF_INET:
+ bcopy(&((struct sockaddr_in *)sa)->sin_addr,
+ &rule->peer->v4, sizeof(struct in_addr));
+ memset(&rule->peer->v4mask, 0xff,
+ sizeof(u_int32_t));
+ rule->peer->af = AF_INET;
+ break;
+ default:
+ return (1);
+ }
+#endif
+ break;
+
+
+ case SADB_EXT_ADDRESS_DST:
+ saddr = (struct sadb_address *)ext;
+ sa = (struct sockaddr *)(saddr + 1);
+
+ rule->peer = calloc(1, sizeof(struct ipsec_addr));
+ if (rule->peer == NULL)
+ err(1, "malloc");
+
+ switch (sa->sa_family) {
+ case AF_INET:
+ bcopy(&((struct sockaddr_in *)sa)->sin_addr,
+ &rule->peer->v4, sizeof(struct in_addr));
+ memset(&rule->peer->v4mask, 0xff,
+ sizeof(u_int32_t));
+ rule->peer->af = AF_INET;
+ break;
+ default:
+ return (1);
+ }
+ break;
+
+ case SADB_EXT_IDENTITY_SRC:
+ sident = (struct sadb_ident *)ext;
+ len = (sident->sadb_ident_len * sizeof(uint64_t)) -
+ sizeof(struct sadb_ident);
+
+ rule->auth.srcid = calloc(1, len);
+ if (rule->auth.srcid == NULL)
+ err(1, "calloc");
+
+ strlcpy(rule->auth.srcid, (char *)(sident + 1), len);
+ break;
+
+ case SADB_EXT_IDENTITY_DST:
+ sident = (struct sadb_ident *)ext;
+ len = (sident->sadb_ident_len * sizeof(uint64_t)) -
+ sizeof(struct sadb_ident);
+
+ rule->auth.dstid = calloc(1, len);
+ if (rule->auth.dstid == NULL)
+ err(1, "calloc");
+
+ strlcpy(rule->auth.dstid, (char *)(sident + 1), len);
+ break;
+
+ case SADB_X_EXT_PROTOCOL:
+ /* XXX nothing yet? */
+ break;
+
+ case SADB_X_EXT_FLOW_TYPE:
+ sproto = (struct sadb_protocol *)ext;
+
+ switch (sproto->sadb_protocol_direction) {
+ case IPSP_DIRECTION_IN:
+ rule->direction = IPSEC_IN;
+ break;
+ case IPSP_DIRECTION_OUT:
+ rule->direction = IPSEC_OUT;
+ break;
+ default:
+ return (1);
+ }
+ break;
+
+ case SADB_X_EXT_SRC_FLOW:
+ saddr = (struct sadb_address *)ext;
+ sa = (struct sockaddr *)(saddr + 1);
+
+ if (rule->src == NULL) {
+ rule->src = calloc(1,
+ sizeof(struct ipsec_addr));
+ if (rule->src == NULL)
+ err(1, "calloc");
+ }
+
+ switch (sa->sa_family) {
+ case AF_INET:
+ bcopy(&((struct sockaddr_in *)sa)->sin_addr,
+ &rule->src->v4, sizeof(struct in_addr));
+ rule->src->af = AF_INET;
+ break;
+ default:
+ return (1);
+ }
+ break;
+
+ case SADB_X_EXT_DST_FLOW:
+ saddr = (struct sadb_address *)ext;
+ sa = (struct sockaddr *)(saddr + 1);
+
+ if (rule->dst == NULL) {
+ rule->dst = calloc(1,
+ sizeof(struct ipsec_addr));
+ if (rule->dst == NULL)
+ err(1, "calloc");
+ }
+
+ switch (sa->sa_family) {
+ case AF_INET:
+ bcopy(&((struct sockaddr_in *)sa)->sin_addr,
+ &rule->dst->v4, sizeof(struct in_addr));
+ rule->dst->af = AF_INET;
+ break;
+
+ default:
+ return (1);
+ }
+ break;
+
+
+ case SADB_X_EXT_SRC_MASK:
+ saddr = (struct sadb_address *)ext;
+ sa = (struct sockaddr *)(saddr + 1);
+
+ if (rule->src == NULL) {
+ rule->src = calloc(1,
+ sizeof(struct ipsec_addr));
+ if (rule->src == NULL)
+ err(1, "calloc");
+ }
+
+ switch (sa->sa_family) {
+ case AF_INET:
+ bcopy(&((struct sockaddr_in *)sa)->sin_addr,
+ &rule->src->v4mask.mask,
+ sizeof(struct in_addr));
+ rule->src->af = AF_INET;
+ break;
+
+ default:
+ return (1);
+ }
+ break;
+
+ case SADB_X_EXT_DST_MASK:
+ saddr = (struct sadb_address *)ext;
+ sa = (struct sockaddr *)(saddr + 1);
+
+ if (rule->dst == NULL) {
+ rule->dst = calloc(1,
+ sizeof(struct ipsec_addr));
+ if (rule->dst == NULL)
+ err(1, "calloc");
+ }
+
+ switch (sa->sa_family) {
+ case AF_INET:
+ bcopy(&((struct sockaddr_in *)sa)->sin_addr,
+ &rule->dst->v4mask.mask,
+ sizeof(struct in_addr));
+ rule->dst->af = AF_INET;
+ break;
+
+ default:
+ return (1);
+ }
+ break;
+
+ default:
+ return (1);
+ }
+ }
+
+ return (0);
+}
+
+int
pfkey_ipsec_establish(struct ipsec_rule *r)
{
u_int8_t satype;
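Review bot: The SADB_EXT_IDENTITY_SRC and SADB_EXT_IDENTITY_DST cases compute `len` as `sadb_ident_len * sizeof(uint64_t) - sizeof(struct sadb_ident)` in a signed int, so an extension shorter than its own header gives a negative `len` that turns into a huge `calloc` size and `strlcpy` bound; guard it with `if (sident->sadb_ident_len * PFKEYV2_CHUNK <= sizeof(struct sadb_ident)) return (1);` before the subtraction, in both cases. `strlcpy` also scans the source up to a NUL to compute its return value, so an identity that is not NUL-terminated inside the extension is read past its end; checking `memchr(sident + 1, '\0', len) != NULL` before the copy bounds that. The extension walk never checks that `ext->sadb_ext_len` is non-zero or that the extension fits inside `sadb_msg_len * PFKEYV2_CHUNK`, so a zero-length extension loops forever at the same offset; `if (ext->sadb_ext_len == 0) return (1);` at the top of the loop body handles the first case, and comparing the extension end against the message end handles the second. These values presumably arrive from the kernel over the PF_KEY socket, but the parser should reject malformed input rather than crash or spin on it. Minor: the `err(1, "malloc")` in the SADB_EXT_ADDRESS_DST case follows a `calloc` call, unlike the `err(1, "calloc")` used in the other cases.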
diff --git a/sbin/ipsecctl/pfkey.h b/sbin/ipsecctl/pfkey.h
new file mode 100644
index 00000000000..94853c9580a
--- /dev/null
+++ b/sbin/ipsecctl/pfkey.h
@@ -0,0 +1,28 @@
+/* $OpenBSD: pfkey.h,v 1.1 2005/05/25 17:10:26 hshoexer Exp $ */
+/*
+ * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PFKEY_H_
+#define _PFKEY_H_
+
+#define PFKEYV2_CHUNK sizeof(u_int64_t)
+
+int pfkey_parse(struct sadb_msg *, struct ipsec_rule *);
+int pfkey_ipsec_establish(struct ipsec_rule *);
+int pfkey_ipsec_flush(void);
+int pfkey_init(void);
+
+#endif /* _PFKEY_H_ */
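Review bot: pfkey.h uses `struct sadb_msg`, `struct ipsec_rule` and `u_int64_t` without including or forward-declaring them, so it compiles only when the includer has already pulled in the PF_KEY and system headers and "ipsecctl.h" ahead of it, as ipsecctl.c and pfkey.c happen to do in this commit. Adding `struct sadb_msg;` and `struct ipsec_rule;` forward declarations before the prototypes would make the header self-contained and remove the include-order dependency. A one-line comment on the new prototype, e.g. `/* Fill *rule from a PF_KEY message; returns 0 on success, 1 on unsupported or malformed input. */`, would document the return convention the caller has to check.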