diff options
author | David Gwynne <dlg@cvs.openbsd.org> | 2023-08-07 03:35:07 +0000 |
---|---|---|
committer | David Gwynne <dlg@cvs.openbsd.org> | 2023-08-07 03:35:07 +0000 |
commit | dcb53c4e5825c8b08a4f3a71ae5bf9c615ee28d2 (patch) | |
tree | ab5cbc36934744238dc22bb0f98b17ac7ab34a51 /sys/net/pfkeyv2.c | |
parent | 1c1e9bb54a0ab1616559089e5b90ac5ff70f7111 (diff) |
add a struct sadb_x_iface message for interface SAs
this allows userland to install (and see) security associations for
route-based ipsec vpns. if this message is part of an SA, it causes
the TDBF_IFACE flag and associated fields in a tdb to be set.
the interface unit field in this message maps to minor number of
the sec(4) interface you want to the SA to work with. ie, set the
sadb_x_iface_unit field in struct sadb_x_iface to 1 to set up an
SA for use with sec1. the sadb_x_iface_direction in the message
uses IPSP_DIRECTION_IN and IPSP_DIRECTION_OUT to specify in which
direction that SA is supposed to process traffic.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@
Diffstat (limited to 'sys/net/pfkeyv2.c')
-rw-r--r-- | sys/net/pfkeyv2.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index cdc5ce2b231..e750ae8bdbe 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.256 2023/04/22 20:51:56 mvs Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.257 2023/08/07 03:35:06 dlg Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -868,6 +868,9 @@ pfkeyv2_get(struct tdb *tdb, void **headers, void **buffer, int *lenp, i += sizeof(struct sadb_x_tap); #endif + if (ISSET(tdb->tdb_flags, TDBF_IFACE)) + i += sizeof(struct sadb_x_iface); + if (lenp) *lenp = i; @@ -979,6 +982,12 @@ pfkeyv2_get(struct tdb *tdb, void **headers, void **buffer, int *lenp, } #endif + /* Export sec(4) interface information, if present */ + if (ISSET(tdb->tdb_flags, TDBF_IFACE)) { + headers[SADB_X_EXT_IFACE] = p; + export_iface(&p, tdb); + } + headers[SADB_X_EXT_COUNTER] = p; export_counter(&p, tdb); @@ -1360,6 +1369,7 @@ pfkeyv2_dosend(struct socket *so, void *message, int len) import_tag(newsa, headers[SADB_X_EXT_TAG]); import_tap(newsa, headers[SADB_X_EXT_TAP]); #endif + import_iface(newsa, headers[SADB_X_EXT_IFACE]); /* Exclude sensitive data from reply message. */ headers[SADB_EXT_KEY_AUTH] = NULL; @@ -1411,6 +1421,8 @@ pfkeyv2_dosend(struct socket *so, void *message, int len) import_tag(sa2, headers[SADB_X_EXT_TAG]); import_tap(sa2, headers[SADB_X_EXT_TAP]); #endif + import_iface(sa2, headers[SADB_X_EXT_IFACE]); + if (headers[SADB_EXT_ADDRESS_SRC] || headers[SADB_EXT_ADDRESS_PROXY]) { mtx_enter(&tdb_sadb_mtx); @@ -1535,6 +1547,7 @@ pfkeyv2_dosend(struct socket *so, void *message, int len) import_tag(newsa, headers[SADB_X_EXT_TAG]); import_tap(newsa, headers[SADB_X_EXT_TAP]); #endif + import_iface(newsa, headers[SADB_X_EXT_IFACE]); /* Exclude sensitive data from reply message. */ headers[SADB_EXT_KEY_AUTH] = NULL; |