author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-01-13 22:55:49 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-01-13 22:55:49 +0000 |
commit | 6f0835951e333cc44698b9f79710df43b2e9d70a (patch) | |
tree | 087ce64af47bf9bb16e9ed7865a76a1bdc02a0e6 /sbin | |
parent | 1fbdf753dd73e19a3cf293c26a16d92de00de9a8 (diff) |
Interim ingress flows when doing linked SAs.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/pf_key_v2.c | 42 |
1 files changed, 31 insertions, 11 deletions
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index 7b279dea344..2daad1994d9 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.17 2000/01/13 06:42:26 angelos Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.18 2000/01/13 22:55:48 angelos Exp $ */
 /* $EOM: pf_key_v2.c,v 1.19 1999/07/16 00:29:11 niklas Exp $ */
 /*
@@ -1167,11 +1167,13 @@ int
 pf_key_v2_enable_sa (struct sa *sa)
 {
 struct ipsec_sa *isa = sa->data;
- struct sockaddr *dst;
+ struct sockaddr *dst, *src;
 int dstlen, error;
 struct proto *proto = TAILQ_FIRST (&sa->protos);
+ in_addr_t hostmask = 0xffffffff; /* XXX IPv4 specific */
 sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
+ sa->transport->vtbl->get_src (sa->transport, &src, &dstlen);
 error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
 isa->dst_mask, proto->spi[0], proto->proto,
@@ -1182,13 +1184,21 @@ pf_key_v2_enable_sa (struct sa *sa)
 /* Ingress flow */
 while (TAILQ_NEXT(proto, link))
- proto = TAILQ_NEXT(proto, link);
-
- sa->transport->vtbl->get_src (sa->transport, &dst, &dstlen);
+ {
+ error = pf_key_v2_flow(((struct sockaddr_in *)dst)->sin_addr.s_addr,
+ hostmask,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr,
+ hostmask, proto->spi[1], proto->proto,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr,
+ 0, 1);
+ if (error)
+ return error;
+ proto = TAILQ_NEXT(proto, link);
+ }
 return pf_key_v2_flow(isa->dst_net, isa->dst_mask, isa->src_net,
 isa->src_mask, proto->spi[1], proto->proto,
- ((struct sockaddr_in *)dst)->sin_addr.s_addr, 0, 1);
+ ((struct sockaddr_in *)src)->sin_addr.s_addr, 0, 1);
 }
 /* Disable a flow given a SA. */
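Review bot: The `get_dst`/`get_src` results fetched in the first pf_key_v2_enable_sa hunk are later cast to `struct sockaddr_in *` without any check of their address family, so a transport that is not AF_INET would have its sockaddr reinterpreted as an IPv4 address and the all-ones `hostmask` applied to it. The `/* XXX IPv4 specific */` comment records the assumption but does not enforce it; after the two get_* calls add `if (dst->sa_family != AF_INET || src->sa_family != AF_INET)` and return an error in this file's convention instead of falling through to the casts. Separately, `get_src (sa->transport, &src, &dstlen)` overwrites the destination length with the source length; neither length is read afterwards in the visible code, so this is harmless today, but a distinct `srclen` would stop the next reader from assuming `dstlen` still describes `dst`. The same two points apply to the matching pf_key_v2_disable_sa hunk that follows.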
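Review bot: The `if (error) return error;` added inside the while loop of the second pf_key_v2_enable_sa hunk returns with the egress flow and any earlier interim ingress flows already installed, and nothing in the hunk removes them, so a failure part-way through leaves a partial flow set behind. Whether the caller tears the SA down on a non-zero return is not visible here; if it does not, the loop should undo the flows it has added before returning. The loop body is also repeated verbatim in pf_key_v2_disable_sa with only the delete flag differing (`0, 1` versus `1, 1`), so a `static` helper taking that flag would remove the duplication and keep the two paths from drifting apart. The check of the egress-flow `error` lies between the two hunks and is outside the diff.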
@@ -1196,11 +1206,13 @@ static int
 pf_key_v2_disable_sa (struct sa *sa)
 {
 struct ipsec_sa *isa = sa->data;
- struct sockaddr *dst;
+ struct sockaddr *dst, *src;
 int dstlen, error;
 struct proto *proto = TAILQ_FIRST (&sa->protos);
+ in_addr_t hostmask = 0xffffffff; /* XXX IPv4 specific */
 sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
+ sa->transport->vtbl->get_src (sa->transport, &src, &dstlen);
 error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
 isa->dst_mask, proto->spi[0], proto->proto,
@@ -1210,13 +1222,21 @@ pf_key_v2_disable_sa (struct sa *sa)
 /* Ingress flow */
 while (TAILQ_NEXT(proto, link))
- proto = TAILQ_NEXT(proto, link);
-
- sa->transport->vtbl->get_src (sa->transport, &dst, &dstlen);
+ {
+ error = pf_key_v2_flow(((struct sockaddr_in *)dst)->sin_addr.s_addr,
+ hostmask,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr,
+ hostmask, proto->spi[1], proto->proto,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr,
+ 1, 1);
+ if (error)
+ return error;
+ proto = TAILQ_NEXT(proto, link);
+ }
 return pf_key_v2_flow(isa->dst_net, isa->dst_mask, isa->src_net,
 isa->src_mask, proto->spi[1], proto->proto,
- ((struct sockaddr_in *)dst)->sin_addr.s_addr, 1, 1);
+ ((struct sockaddr_in *)src)->sin_addr.s_addr, 1, 1);
 }
 /*
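Review bot: In the loop added to pf_key_v2_disable_sa, `if (error) return error;` abandons the teardown at the first interim flow that fails to delete, so the remaining interim flows and the final ingress flow for the last proto stay installed even though the SA is being disabled. For a disable path a flow left behind is the worse outcome, so it should attempt every deletion and report afterwards: keep a local such as `int rc = 0;`, replace the early return with `if (error && !rc) rc = error;`, and return `rc` once the final pf_key_v2_flow call has also been made. Whether the caller retries disable on a non-zero return is not visible in this hunk.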