authortobhe <tobhe@cvs.openbsd.org>2020-03-18 22:12:44 +0000
committertobhe <tobhe@cvs.openbsd.org>2020-03-18 22:12:44 +0000
commit6f58a8fa7dd864951b94da779e7d2f65c05e2d1b (patch)
treeec947f0e7afa012bde3443cbcf3458e65f557355 /usr.sbin
parent74391ff6023d4bbf4bffe94d1d2f82e679ca1d6c (diff)
Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID. ok patrick@ markus@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/ikectl/ikectl.86
-rw-r--r--usr.sbin/ikectl/ikectl.c6
-rw-r--r--usr.sbin/ikectl/parser.c22
-rw-r--r--usr.sbin/ikectl/parser.h6
4 files changed, 33 insertions, 7 deletions
diff --git a/usr.sbin/ikectl/ikectl.8 b/usr.sbin/ikectl/ikectl.8
index 40d30ac0e21..78a057232da 100644
--- a/usr.sbin/ikectl/ikectl.8
+++ b/usr.sbin/ikectl/ikectl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ikectl.8,v 1.25 2015/11/02 10:27:44 jsg Exp $
+.\" $OpenBSD: ikectl.8,v 1.26 2020/03/18 22:12:43 tobhe Exp $
.\"
.\" Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: November 2 2015 $
+.Dd $Mdocdate: March 18 2020 $
.Dt IKECTL 8
.Os
.Sh NAME
@@ -88,6 +88,8 @@ Flush the configured policies.
Flush the running SAs.
.It Cm reset user
Flush the local user database.
+.It Cm reset id Ar ikeid
+Delete all IKE SAs with matching ID.
.El
.Sh PKI AND CERTIFICATE AUTHORITY COMMANDS
In order to use public key based authentication with IKEv2,
diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index dbcf60d70b4..91b3dd317bf 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikectl.c,v 1.23 2015/12/05 13:11:18 claudio Exp $ */
+/* $OpenBSD: ikectl.c,v 1.24 2020/03/18 22:12:43 tobhe Exp $ */
/*
* Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
@@ -291,6 +291,10 @@ main(int argc, char *argv[])
imsg_compose(ibuf, IMSG_CTL_RELOAD, 0, 0, -1,
res->path, strlen(res->path));
break;
+ case RESET_ID:
+ imsg_compose(ibuf, IMSG_CTL_RESET_ID, 0, 0, -1,
+ res->id, strlen(res->id));
+ break;
case RELOAD:
imsg_compose(ibuf, IMSG_CTL_RELOAD, 0, 0, -1, NULL, 0);
break;
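Review bot: The new RESET_ID case sends iked `strlen(res->id)` bytes with no terminating NUL and no upper bound, so the receiving side has to NUL-terminate and length-check the identifier before comparing it against policy IDs; that code is not part of this diff and should be confirmed. The imsg_compose return value is also not checked, so an identifier too large for a single imsg would fail silently — the neighbouring RELOAD path has the same shape, so this matches existing style rather than regressing it. A short comment would make the contract visible to the next reader: `/* payload is the raw id bytes without a NUL; iked must terminate and bound it */`. main's switch continues outside the hunk.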
diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index 05baadb93c9..1d47b98cdb1 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.17 2018/06/18 10:20:19 benno Exp $ */
+/* $OpenBSD: parser.c,v 1.18 2020/03/18 22:12:43 tobhe Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -44,7 +44,8 @@ enum token_type {
PEER,
ADDRESS,
FQDN,
- PASSWORD
+ PASSWORD,
+ IKEID
};
struct token {
@@ -56,6 +57,7 @@ struct token {
static const struct token t_main[];
static const struct token t_reset[];
+static const struct token t_reset_id[];
static const struct token t_log[];
static const struct token t_load[];
static const struct token t_ca[];
@@ -104,6 +106,12 @@ static const struct token t_reset[] = {
{ KEYWORD, "policy", RESETPOLICY, NULL },
{ KEYWORD, "sa", RESETSA, NULL },
{ KEYWORD, "user", RESETUSER, NULL },
+ { KEYWORD, "id", RESET_ID, t_reset_id },
+ { ENDTOKEN, "", NONE, NULL }
+};
+
+static const struct token t_reset_id[] = {
+ { IKEID, "", NONE, NULL },
{ ENDTOKEN, "", NONE, NULL }
};
@@ -344,6 +352,13 @@ match_token(char *word, const struct token table[])
t = &table[i];
}
break;
+ case IKEID:
+ if (!match && word != NULL && strlen(word) > 0) {
+ res.id = strdup(word);
+ match++;
+ t = &table[i];
+ }
+ break;
case ENDTOKEN:
break;
}
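Review bot: `res.id = strdup(word);` in the new IKEID branch does not check for a NULL return, and ikectl.c later calls `strlen(res->id)` on the result, so an allocation failure becomes a NULL dereference instead of a reported error. Consider `if ((res.id = strdup(word)) == NULL) err(1, "strdup");`, or whichever error helper parser.c already uses — the top of the file is outside this hunk. The branch otherwise accepts any non-empty word, so the identifier's format and length are validated only where iked consumes it, which cannot be checked from this diff. match_token begins and ends outside the hunk.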
@@ -393,6 +408,9 @@ show_valid_args(const struct token table[])
case FQDN:
fprintf(stderr, " <fqdn>\n");
break;
+ case IKEID:
+ fprintf(stderr, " <ikeid>\n");
+ break;
case ENDTOKEN:
break;
}
diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index f87ee3662ee..35188bcc343 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.h,v 1.14 2015/11/02 10:27:44 jsg Exp $ */
+/* $OpenBSD: parser.h,v 1.15 2020/03/18 22:12:43 tobhe Exp $ */
/*
* Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
@@ -54,7 +54,8 @@ enum actions {
CA_KEY_INSTALL,
CA_KEY_IMPORT,
SHOW_CA,
- SHOW_CA_CERTIFICATES
+ SHOW_CA_CERTIFICATES,
+ RESET_ID
};
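Review bot: `RESET_ID` breaks the naming of its siblings in the t_reset table (`RESETPOLICY`, `RESETSA`, `RESETUSER`) and is appended after the CA/show actions rather than beside them, so a reader scanning enum actions for reset operations will miss it. Renaming it `RESETID` and placing it directly after `RESETUSER` would keep the group coherent; `IMSG_CTL_RESET_ID`, used in ikectl.c, is defined elsewhere and would be unaffected. The enum's earlier members are outside the hunk, so the exact insertion point cannot be confirmed here.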
struct parse_result {
@@ -65,6 +66,7 @@ struct parse_result {
char *pass;
char *host;
char *peer;
+ char *id;
int htype;
int quiet;
};