authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2004-06-23 00:56:00 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2004-06-23 00:56:00 +0000
commit8e90f25e8cf2bb4b4cce48c6fa1dded9f31dc090 (patch)
tree7441dfd09ce234abb73bcb4b42333d9e8ccb7094 /sbin
parentacce9a930be20f29a7dd105778e38c4303d9a07b (diff)
Add commandline switch -a / config tag "Acquire-Only" to tell isakmpd to not
touch flows. initial work by markus ok markus@ ho@ henning@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/ipsec.c10
-rw-r--r--sbin/isakmpd/isakmpd.c13
2 files changed, 17 insertions, 6 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 1ebbffc77a0..dc12db6b796 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.100 2004/06/21 23:27:10 ho Exp $ */
+/* $OpenBSD: ipsec.c,v 1.101 2004/06/23 00:55:59 hshoexer Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -72,6 +72,8 @@
#include "util.h"
#include "x509.h"
+extern int acquire_only;
+
/* Backwards compatibility. */
#ifndef NI_MAXHOST
#define NI_MAXHOST 1025
@@ -420,8 +422,10 @@ ipsec_finalize_exchange(struct message *msg)
* kernel, it needs to have a SPD entry
* (a.k.a. flow) set up.
*/
- if (!(sa->flags & SA_FLAG_ONDEMAND) &&
- sysdep_ipsec_enable_sa(sa, isakmp_sa))
+ if (!(sa->flags & SA_FLAG_ONDEMAND ||
+ conf_get_str("General", "Acquire-Only")
+ || acquire_only)
+ && sysdep_ipsec_enable_sa(sa, isakmp_sa))
/* XXX Tear down this exchange. */
return;
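Review bot: The new condition treats the "Acquire-Only" tag as a presence check: `conf_get_str("General", "Acquire-Only")` is non-NULL for any value, so `Acquire-Only=no` also disables flow setup. If the tag is meant to be a yes/no switch, compare the value (the file already has the pattern of testing a returned string) or, if presence alone is the contract, say so in the comment above the test, e.g. `/* Any Acquire-Only setting, or -a, means never install flows. */`. Doing the configuration lookup on every finalized exchange is also a hotter path than needed; folding the tag into `acquire_only` once where the configuration is (re)loaded would leave this site testing only the flag. Finally, the `||` sits at the end of line 41 but at the start of line 43, so one placement should be chosen. ipsec_finalize_exchange continues outside the hunk.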
diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c
index 6d0f6cf246f..bb871fe9da9 100644
--- a/sbin/isakmpd/isakmpd.c
+++ b/sbin/isakmpd/isakmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: isakmpd.c,v 1.65 2004/06/20 15:03:35 ho Exp $ */
+/* $OpenBSD: isakmpd.c,v 1.66 2004/06/23 00:55:59 hshoexer Exp $ */
/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */
/*
@@ -73,6 +73,9 @@ static void usage(void);
*/
int debug = 0;
+/* Set when no policy file is found. */
+int acquire_only = 0;
+
/*
* If we receive a SIGHUP signal, this flag gets set to show we need to
* reconfigure ASAP.
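Review bot: The comment on the new global says "Set when no policy file is found.", but nothing in this commit ties it to policy-file discovery; it is set by the new `-a` switch in parse_args (later hunk) and read in ipsec.c alongside the "Acquire-Only" configuration tag. The comment should describe what the variable actually means, e.g. `/* Set by -a: do not touch flows (the "Acquire-Only" config tag has the same effect). */`. If a policy-file hook is planned, it belongs in a later change rather than in this comment.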
@@ -114,7 +117,7 @@ static void
usage(void)
{
fprintf(stderr,
- "usage: %s [-4] [-6] [-c config-file] [-d] [-D class=level]\n"
+ "usage: %s [-4] [-6] [-a] [-c config-file] [-d] [-D class=level]\n"
" [-f fifo] [-i pid-file] [-n] [-p listen-port]\n"
" [-P local-port] [-L] [-l packetlog-file] [-r seed]\n"
" [-R report-file] [-v]\n",
@@ -132,7 +135,7 @@ parse_args(int argc, char *argv[])
int do_packetlog = 0;
#endif
- while ((ch = getopt(argc, argv, "46c:dD:f:i:np:P:Ll:r:R:v")) != -1) {
+ while ((ch = getopt(argc, argv, "46ac:dD:f:i:np:P:Ll:r:R:v")) != -1) {
switch (ch) {
case '4':
bind_family |= BIND_FAMILY_INET4;
@@ -142,6 +145,10 @@ parse_args(int argc, char *argv[])
bind_family |= BIND_FAMILY_INET6;
break;
+ case 'a':
+ acquire_only++;
+ break;
+
case 'c':
conf_path = optarg;
break;
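Review bot: `acquire_only++` increments a variable that the rest of the commit only ever tests as a boolean (ipsec.c hunk), so the increment suggests a count semantics that does not exist. `acquire_only = 1;` states the intent directly and cannot wrap on a pathological number of repeated `-a` arguments. The surrounding getopt switch continues outside the hunk.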