authorDavid Gwynne <dlg@cvs.openbsd.org>2023-08-07 03:35:07 +0000
committerDavid Gwynne <dlg@cvs.openbsd.org>2023-08-07 03:35:07 +0000
commitdcb53c4e5825c8b08a4f3a71ae5bf9c615ee28d2 (patch)
treeab5cbc36934744238dc22bb0f98b17ac7ab34a51 /sys/net/pfkeyv2.c
parent1c1e9bb54a0ab1616559089e5b90ac5ff70f7111 (diff)
add a struct sadb_x_iface message for interface SAs
this allows userland to install (and see) security associations for route-based ipsec vpns. if this message is part of an SA, it causes the TDBF_IFACE flag and associated fields in a tdb to be set. the interface unit field in this message maps to the minor number of the sec(4) interface you want the SA to work with. ie, set the sadb_x_iface_unit field in struct sadb_x_iface to 1 to set up an SA for use with sec1. the sadb_x_iface_direction in the message uses IPSP_DIRECTION_IN and IPSP_DIRECTION_OUT to specify in which direction that SA is supposed to process traffic. support from many including markus@ tobhe@ claudio@ sthen@ patrick@ now is a good time deraadt@
Diffstat (limited to 'sys/net/pfkeyv2.c')
-rw-r--r--sys/net/pfkeyv2.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index cdc5ce2b231..e750ae8bdbe 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.256 2023/04/22 20:51:56 mvs Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.257 2023/08/07 03:35:06 dlg Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -868,6 +868,9 @@ pfkeyv2_get(struct tdb *tdb, void **headers, void **buffer, int *lenp,
i += sizeof(struct sadb_x_tap);
#endif
+ if (ISSET(tdb->tdb_flags, TDBF_IFACE))
+ i += sizeof(struct sadb_x_iface);
+
if (lenp)
*lenp = i;
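Review bot: The TDBF_IFACE test added here only sizes the reply buffer; the same flag is tested a second time in the export hunk (@@ -979) when export_iface() actually writes into that buffer, so the two passes must observe the same tdb_flags value or the buffer is undersized. That is presumably already guaranteed for the existing flag-conditional extensions in this function, but since nothing in the diff shows what holds tdb_flags stable between the passes, a one-line comment would make the dependency explicit, e.g. `/* must agree with the TDBF_IFACE test in the export pass below */`. pfkeyv2_get's body starts and ends outside this hunk.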
@@ -979,6 +982,12 @@ pfkeyv2_get(struct tdb *tdb, void **headers, void **buffer, int *lenp,
}
#endif
+ /* Export sec(4) interface information, if present */
+ if (ISSET(tdb->tdb_flags, TDBF_IFACE)) {
+ headers[SADB_X_EXT_IFACE] = p;
+ export_iface(&p, tdb);
+ }
+
headers[SADB_X_EXT_COUNTER] = p;
export_counter(&p, tdb);
@@ -1360,6 +1369,7 @@ pfkeyv2_dosend(struct socket *so, void *message, int len)
import_tag(newsa, headers[SADB_X_EXT_TAG]);
import_tap(newsa, headers[SADB_X_EXT_TAP]);
#endif
+ import_iface(newsa, headers[SADB_X_EXT_IFACE]);
/* Exclude sensitive data from reply message. */
headers[SADB_EXT_KEY_AUTH] = NULL;
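Review bot: import_iface() is called unconditionally with headers[SADB_X_EXT_IFACE], which is NULL whenever the message carries no sadb_x_iface extension, so import_iface() (defined outside this file) must treat a NULL header as a no-op exactly as the import_tag()/import_tap() calls on the preceding lines presumably do; a comment such as `/* import_iface() is a no-op when the extension is absent */` would document that contract at the call site. The unit and direction values arrive from userland, so the range checks (direction restricted to IPSP_DIRECTION_IN/IPSP_DIRECTION_OUT, unit sanity) should live in the message parser or in import_iface(); neither is visible in this diff, so confirm that an out-of-range value is rejected rather than stored in the tdb. The same call is added in the hunks at @@ -1411 and @@ -1535; the @@ -1411 hunk applies it to an existing SA (sa2), and it is worth stating whether a message without the extension leaves that SA's TDBF_IFACE state untouched or clears it. pfkeyv2_dosend's body starts and ends outside this hunk.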
@@ -1411,6 +1421,8 @@ pfkeyv2_dosend(struct socket *so, void *message, int len)
import_tag(sa2, headers[SADB_X_EXT_TAG]);
import_tap(sa2, headers[SADB_X_EXT_TAP]);
#endif
+ import_iface(sa2, headers[SADB_X_EXT_IFACE]);
+
if (headers[SADB_EXT_ADDRESS_SRC] ||
headers[SADB_EXT_ADDRESS_PROXY]) {
mtx_enter(&tdb_sadb_mtx);
@@ -1535,6 +1547,7 @@ pfkeyv2_dosend(struct socket *so, void *message, int len)
import_tag(newsa, headers[SADB_X_EXT_TAG]);
import_tap(newsa, headers[SADB_X_EXT_TAP]);
#endif
+ import_iface(newsa, headers[SADB_X_EXT_IFACE]);
/* Exclude sensitive data from reply message. */
headers[SADB_EXT_KEY_AUTH] = NULL;