author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-02-28 16:46:28 +0000 |
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-02-28 16:46:28 +0000 |
commit | 2c5bb099d663a07329518f9c553e5232cb2f3abb (patch) | |
tree | 466fe4821907b5e3aa973aa5bf9b0d440605f692 /sys | |
parent | f38031e63fc64201054602063f8d5af21da3aacc (diff) |
Depending on the addresses, ipsecctl(8) automatically groups sa
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pfkeyv2.c | 20 | ||||
-rw-r--r-- | sys/net/pfkeyv2.h | 6 | ||||
-rw-r--r-- | sys/net/pfkeyv2_convert.c | 12 | ||||
-rw-r--r-- | sys/net/pfkeyv2_parsemessage.c | 16 |
4 files changed, 42 insertions, 12 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index 02aa0e3219e..5ff3eba4c40 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.152 2017/02/24 18:36:33 bluhm Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.153 2017/02/28 16:46:27 bluhm Exp $ */

 /*
 * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -556,6 +556,13 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp)
 }
 }

+ if (sa->tdb_onext) {
+ i += sizeof(struct sadb_sa);
+ i += sizeof(struct sadb_address) +
+ PADUP(SA_LEN(&sa->tdb_onext->tdb_dst.sa));
+ i += sizeof(struct sadb_protocol);
+ }
+
 if (sa->tdb_udpencap_port)
 i += sizeof(struct sadb_x_udpencap);

@@ -634,6 +641,15 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp)
 export_flow(&p, IPSP_IPSEC_USE, &sa->tdb_filter, &sa->tdb_filtermask,
 headers);

+ if (sa->tdb_onext) {
+ headers[SADB_X_EXT_SA2] = p;
+ export_sa(&p, sa->tdb_onext);
+ headers[SADB_X_EXT_DST2] = p;
+ export_address(&p, &sa->tdb_onext->tdb_dst.sa);
+ headers[SADB_X_EXT_SATYPE2] = p;
+ export_satype(&p, sa->tdb_onext);
+ }
+
 /* Export UDP encapsulation port, if present */
 if (sa->tdb_udpencap_port) {
 headers[SADB_X_EXT_UDPENCAP] = p;
@@ -1368,7 +1384,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
 ssa = (struct sadb_sa *) headers[SADB_X_EXT_SA2];
 sunionp = (union sockaddr_union *) (headers[SADB_X_EXT_DST2] +
 sizeof(struct sadb_address));
- sa_proto = ((struct sadb_protocol *) headers[SADB_X_EXT_PROTOCOL]);
+ sa_proto = (struct sadb_protocol *) headers[SADB_X_EXT_SATYPE2];

 tdb2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
 SADB_X_GETSPROTO(sa_proto->sadb_protocol_proto));
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index f2319b422e4..f43f698d85f 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.h,v 1.73 2017/01/24 10:08:30 krw Exp $ */
+/* $OpenBSD: pfkeyv2.h,v 1.74 2017/02/28 16:46:27 bluhm Exp $ */
 /*
 * @(#)COPYRIGHT 1.1 (NRL) January 1998
 *
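Review bot: The length reserved in the `if (sa->tdb_onext)` block of the first pfkeyv2_get() hunk has to stay in step with the three exporters called in the second hunk (SA2, DST2, SATYPE2), and nothing in the code says so; a comment on the block would tie the two together, e.g. `/* room for the bundled SA: SA2, DST2 and SATYPE2 headers, see export below */`. pfkeyv2_get() begins and ends outside both hunks.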
@@ -261,7 +261,8 @@ struct sadb_x_tap {
 #define SADB_X_EXT_LIFETIME_LASTUSE 32
 #define SADB_X_EXT_TAG 33
 #define SADB_X_EXT_TAP 34
-#define SADB_EXT_MAX 34
+#define SADB_X_EXT_SATYPE2 35
+#define SADB_EXT_MAX 35

 /* Fix pfkeyv2.c struct pfkeyv2_socket if SATYPE_MAX > 31 */
 #define SADB_SATYPE_UNSPEC 0
@@ -427,6 +428,7 @@ void export_key(void **, struct tdb *, int);
 void export_udpencap(void **, struct tdb *);
 void export_tag(void **, struct tdb *);
 void export_tap(void **, struct tdb *);
+void export_satype(void **, struct tdb *);

 void import_address(struct sockaddr *, struct sadb_address *);
 void import_identities(struct ipsec_ids **, int, struct sadb_ident *,
diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c
index 7a810e7edad..9109f07f65c 100644
--- a/sys/net/pfkeyv2_convert.c
+++ b/sys/net/pfkeyv2_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_convert.c,v 1.58 2017/01/24 10:08:30 krw Exp $ */
+/* $OpenBSD: pfkeyv2_convert.c,v 1.59 2017/02/28 16:46:27 bluhm Exp $ */
 /*
 * The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
 *
@@ -887,4 +887,14 @@ export_tap(void **p, struct tdb *tdb)
 stag->sadb_x_tap_len = sizeof(struct sadb_x_tap) / sizeof(uint64_t);
 *p += sizeof(struct sadb_x_tap);
 }
+
+void
+export_satype(void **p, struct tdb *tdb)
+{
+ struct sadb_protocol *sab = *p;
+
+ sab->sadb_protocol_len = sizeof(struct sadb_protocol) /
+ sizeof(uint64_t);
+ sab->sadb_protocol_proto = tdb->tdb_satype;
+}
 #endif
diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c
index 8cb4b3cc327..547532fa7b4 100644
--- a/sys/net/pfkeyv2_parsemessage.c
+++ b/sys/net/pfkeyv2_parsemessage.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.50 2017/01/24 10:08:30 krw Exp $ */
+/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.51 2017/02/28 16:46:27 bluhm Exp $ */

 /*
 * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
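Review bot: export_satype() fills in the sadb_protocol header but never advances `*p`, unlike export_tap() directly above it, which ends with `*p += sizeof(struct sadb_x_tap);`. The caller added to pfkeyv2_get() in sys/net/pfkeyv2.c does `headers[SADB_X_EXT_SATYPE2] = p;` followed by `export_satype(&p, sa->tdb_onext);`, so whatever is exported next (the UDP encapsulation header when tdb_udpencap_port is set) starts at the same address and overwrites the SATYPE2 header, while the sizeof(struct sadb_protocol) reserved in the length computation is never consumed. Add `*p += sizeof(struct sadb_protocol);` after the `sadb_protocol_proto` assignment. A short header comment would also help a reader who wonders why a satype is sent as a sadb_protocol, e.g. `/* Export the bundled tdb's satype in a sadb_protocol header; SADB_X_EXT_PROTOCOL itself is already taken by SADB_X_GRPSPIS. */`.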
@@ -125,6 +125,7 @@
 #define BITMAP_X_LIFETIME_LASTUSE (1LL << SADB_X_EXT_LIFETIME_LASTUSE)
 #define BITMAP_X_TAG (1LL << SADB_X_EXT_TAG)
 #define BITMAP_X_TAP (1LL << SADB_X_EXT_TAP)
+#define BITMAP_X_SATYPE2 (1LL << SADB_X_EXT_SATYPE2)

 uint64_t sadb_exts_allowed_in[SADB_MAX+1] =
 {
@@ -157,7 +158,7 @@ uint64_t sadb_exts_allowed_in[SADB_MAX+1] =
 /* X_DELFLOW */
 BITMAP_X_FLOW,
 /* X_GRPSPIS */
- BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL,
+ BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_SATYPE2,
 /* X_ASKPOLICY */
 BITMAP_X_POLICY,
 };
@@ -193,7 +194,7 @@ uint64_t sadb_exts_required_in[SADB_MAX+1] =
 /* X_DELFLOW */
 BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE,
 /* X_GRPSPIS */
- BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL,
+ BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_SATYPE2,
 /* X_ASKPOLICY */
 BITMAP_X_POLICY,
 };
@@ -229,7 +230,7 @@ uint64_t sadb_exts_allowed_out[SADB_MAX+1] =
 /* X_DELFLOW */
 BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE,
 /* X_GRPSPIS */
- BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL,
+ BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_SATYPE2,
 /* X_ASKPOLICY */
 BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_FLOW_TYPE | BITMAP_X_POLICY,
 };
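Review bot: Replacing BITMAP_X_PROTOCOL with BITMAP_X_SATYPE2 in the X_GRPSPIS rows of sadb_exts_allowed_in and sadb_exts_required_in (and of the two _out tables in the following hunks) means a SADB_X_GRPSPIS message that still carries SADB_X_EXT_PROTOCOL is now rejected by pfkeyv2_parsemessage, and one without SADB_X_EXT_SATYPE2 presumably fails the required-extensions check, so an ipsecctl built against the previous pfkeyv2.h can no longer group SAs with this kernel. That is the intended consequence of the new extension, but the lockstep kernel/userland requirement is recorded nowhere; a one-line comment on the row, `/* X_GRPSPIS: the second satype travels in SATYPE2, not in the overloaded PROTOCOL header */`, or a sentence in the commit message would make it explicit. The tables begin and end outside these hunks.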
@@ -265,7 +266,7 @@ uint64_t sadb_exts_required_out[SADB_MAX+1] =
 /* X_DELFLOW */
 BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE,
 /* X_GRPSPIS */
- BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL,
+ BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_SATYPE2,
 /* X_REPPOLICY */
 BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_FLOW_TYPE,
 };
@@ -434,9 +435,10 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
 break;
 case SADB_X_EXT_PROTOCOL:
 case SADB_X_EXT_FLOW_TYPE:
+ case SADB_X_EXT_SATYPE2:
 if (i != sizeof(struct sadb_protocol)) {
- DPRINTF(("pfkeyv2_parsemessage: bad "
- "PROTOCOL/FLOW header length in extension "
+ DPRINTF(("pfkeyv2_parsemessage: bad PROTOCOL/"
+ "FLOW/SATYPE2 header length in extension "
 "header %d\n", sadb_ext->sadb_ext_type));
 return (EINVAL);
 }
|