author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2005-07-07 22:00:37 +0000 |
---|---|---|
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2005-07-07 22:00:37 +0000 |
commit | 6fb2eddb8f3f64886c1e5af28d9ce141f683c154 (patch) | |
tree | f251452209b87dc406d29a528256120d6dfd9f1b /sbin/ipsecctl | |
parent | cc14e57b56cc8938c5a3aad6319c89aaa6593336 (diff) |
set flow type (use, require, etc.) when a rule is created. Up to now this was
done while crafting the corresponding pfkey message.
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 4 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 16 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkey.c | 21 |
3 files changed, 28 insertions, 13 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c index b1a562e7aed..c5466c216c4 100644 --- a/sbin/ipsecctl/ipsecctl.c +++ b/sbin/ipsecctl/ipsecctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.c,v 1.15 2005/07/07 21:13:00 hshoexer Exp $ */ +/* $OpenBSD: ipsecctl.c,v 1.16 2005/07/07 22:00:36 hshoexer Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -213,7 +213,7 @@ ipsecctl_print_rule(struct ipsec_rule *r, int opts) printf("\n\tdstid %s", r->auth.dstid); if (r->auth.type > 0) printf("\n\t%s", auth[r->auth.type]); - printf("\n\ttype %s", type[r->type]); + printf("\n\ttype %s", type[r->flowtype]); } printf("\n"); } diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y index 339e46a2f22..a4fc1b1b7fc 100644 --- a/sbin/ipsecctl/parse.y +++ b/sbin/ipsecctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.5 2005/07/07 21:00:08 hshoexer Exp $ */ +/* $OpenBSD: parse.y,v 1.6 2005/07/07 22:00:36 hshoexer Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -659,12 +659,17 @@ create_rule(u_int8_t dir, struct ipsec_addr *src, struct ipsec_addr *dst, if (r == NULL) err(1, "calloc"); + r->type = RULE_FLOW; + if (dir == IPSEC_INOUT) r->direction = IPSEC_OUT; else r->direction = dir; - r->type = RULE_FLOW; + if (r->direction == IPSEC_IN) + r->flowtype = TYPE_USE; + else + r->flowtype = TYPE_REQUIRE; r->src = src; r->dst = dst; @@ -720,10 +725,13 @@ reverse_rule(struct ipsec_rule *rule) reverse->type = RULE_FLOW; - if (rule->direction == (u_int8_t)IPSEC_OUT) + if (rule->direction == (u_int8_t)IPSEC_OUT) { reverse->direction = (u_int8_t)IPSEC_IN; - else + reverse->flowtype = TYPE_USE; + } else { reverse->direction = (u_int8_t)IPSEC_OUT; + reverse->flowtype = TYPE_REQUIRE; + } reverse->src = copyhost(rule->dst); reverse->dst = copyhost(rule->src); diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c index 2d61022eccb..fe84e08a3e0 100644 --- a/sbin/ipsecctl/pfkey.c +++ b/sbin/ipsecctl/pfkey.c 
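Review bot: The new `type[r->flowtype]` in ipsecctl_print_rule is only correct for rules that passed through create_rule() or reverse_rule(), the two places this commit sets flowtype; a rule built elsewhere (pfkey_parse(), declared in the pfkey.c hunk, is not touched here) would index the table with whatever the allocation left in the field. Either populate flowtype on that path as well, or bound the index before printing, as the preceding line already does for `auth[r->auth.type]`. Separately, the direction-to-flowtype mapping (IPSEC_IN gets TYPE_USE, everything else TYPE_REQUIRE) is now written twice in parse.y, in create_rule and reverse_rule, with no comment on why inbound and outbound get different defaults; a one-line comment at the first site, `/* Default flow type: inbound flows get "use", outbound "require"; keep in sync with reverse_rule(). */`, would make the asymmetry deliberate and easier to keep consistent. ipsecctl_print_rule, create_rule and reverse_rule all start outside their hunks.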
@@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.12 2005/07/07 21:13:00 hshoexer Exp $ */ +/* $OpenBSD: pfkey.c,v 1.13 2005/07/07 22:00:36 hshoexer Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> @@ -43,7 +43,7 @@ static u_int32_t sadb_msg_seq = 1; static int pfkey_flow(int, u_int8_t, u_int8_t, u_int8_t, struct ipsec_addr *, struct ipsec_addr *, struct ipsec_addr *, - struct ipsec_auth); + struct ipsec_auth, u_int8_t); static int pfkey_reply(int); int pfkey_parse(struct sadb_msg *, struct ipsec_rule *); int pfkey_ipsec_flush(void); @@ -53,7 +53,7 @@ int pfkey_init(void); static int pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction, struct ipsec_addr *src, struct ipsec_addr *dst, struct ipsec_addr *peer, - struct ipsec_auth auth) + struct ipsec_auth auth, u_int8_t flowtype) { struct sadb_msg smsg; struct sadb_address sa_src, sa_dst, sa_peer, sa_smask, sa_dmask; @@ -128,10 +128,17 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction, sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8; sa_flowtype.sadb_protocol_direction = direction; - if (direction == IPSP_DIRECTION_IN) + switch (flowtype) { + case TYPE_USE: sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_USE; - else + break; + case TYPE_REQUIRE: sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE; + break; + default: + warnx("unsupported flowtype %d", flowtype); + return -1; + } bzero(&sa_protocol, sizeof(sa_protocol)); sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; 
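Review bot: pfkey_flow now fails any flowtype other than TYPE_USE and TYPE_REQUIRE with warnx() and -1, but neither the prototype hunk at line 43 nor the definition hunk at line 53 documents the new parameter or that contract. A short comment on the definition, `/* flowtype: TYPE_USE or TYPE_REQUIRE; any other value is rejected with -1 */`, would state it; from the hunk the rejection happens while the sadb extensions are still being filled in, so presumably before anything is written to the socket, which is worth confirming and recording in the same comment. The body of pfkey_flow runs past the flowtype hunk, so the part between the parameter list and the switch is not visible here.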
@@ -599,12 +606,12 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
 switch (action) {
 case PFK_ACTION_ADD:
 ret = pfkey_flow(fd, satype, SADB_X_ADDFLOW, direction, r->src,
- r->dst, r->peer, r->auth);
+ r->dst, r->peer, r->auth, r->flowtype);
 break;
 case PFK_ACTION_DELETE:
 /* No peer for flow deletion. */
 ret = pfkey_flow(fd, satype, SADB_X_DELFLOW, direction, r->src,
- r->dst, NULL, r->auth);
+ r->dst, NULL, r->auth, r->flowtype);
 break;
 default:
 return -1; |