-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 6 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 68 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkey.c | 8 |
3 files changed, 53 insertions, 29 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index ada8e694ad5..0e8b8847266 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.41 2006/04/19 15:49:49 hshoexer Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.42 2006/04/19 16:10:50 hshoexer Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -155,6 +155,10 @@ the specification can be left out.
.It Ar type Aq Ar modifier
This optional parameter sets up special flows using the modifiers
+.Ar require ,
+.Ar use ,
+.Ar acquire ,
+.Ar dontacq ,
.Ar bypass
or
.Ar deny .
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index e17f70e7933..ecca830ffe2 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.59 2006/04/19 15:49:49 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.60 2006/04/19 16:10:50 hshoexer Exp $ */

/*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -202,7 +202,7 @@ typedef struct {
%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI
%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE
%token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC
-%token TYPE DENY BYPASS LOCAL PROTO
+%token TYPE DENY BYPASS LOCAL PROTO USE ACQUIRE REQUIRE DONTACQ
%token <v.string> STRING
%type <v.string> string
%type <v.dir> dir
@@ -322,7 +322,7 @@ flowrule : FLOW satype dir proto hosts peers ids type {
errx(1, "flowrule: ipsecctl_add_rule");

/* Create and add reverse flow rule. */
- if ($8 == TYPE_UNKNOWN && $3 == IPSEC_INOUT) {
+ if ($3 == IPSEC_INOUT) {
r = reverse_rule(r);
r->nr = ipsec->rule_nr++;

@@ -480,7 +480,16 @@ ids : /* empty */ {
;

type : /* empty */ {
- $$ = TYPE_UNKNOWN;
+ $$ = TYPE_REQUIRE;
+ }
+ | TYPE USE {
+ $$ = TYPE_USE;
+ }
+ | TYPE ACQUIRE {
+ $$ = TYPE_ACQUIRE;
+ }
+ | TYPE REQUIRE {
+ $$ = TYPE_REQUIRE;
}
| TYPE DENY {
$$ = TYPE_DENY;
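Review bot: The empty `type` alternative now yields TYPE_REQUIRE for every flow, whereas create_flow previously chose TYPE_USE for inbound flows, so an `in` or `in/out` flow written without a type changes meaning with this commit, and the ipsec.conf.5 hunk lists the new modifiers without stating the default. A reader of the grammar cannot see that history, so a comment on the empty alternative such as `/* default: require, for both directions (was use for inbound) */` would help, and the man page should say which modifier applies when none is given. If the kernel enforces `require` on inbound flows by dropping unprotected matching packets, this is a stricter and safer default, but configurations that relied on the implicit `use` inbound now have to say so explicitly. The `type` rule continues beyond the hunk.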
@@ -488,6 +497,9 @@ type : /* empty */ {
| TYPE BYPASS {
$$ = TYPE_BYPASS;
}
+ | TYPE DONTACQ {
+ $$ = TYPE_DONTACQ;
+ }
;

id : STRING { $$ = $1; }
@@ -718,6 +730,7 @@ lookup(char *s)
{
/* this has to be sorted always */
static const struct keywords keywords[] = {
+ { "acquire", ACQUIRE },
{ "active", ACTIVE },
{ "ah", AH },
{ "any", ANY },
@@ -726,6 +739,7 @@ lookup(char *s)
{ "bypass", BYPASS },
{ "comp", COMPXF },
{ "deny", DENY },
+ { "dontacq", DONTACQ },
{ "dstid", DSTID },
{ "dynamic", DYNAMIC },
{ "enc", ENCXF },
@@ -746,6 +760,7 @@ lookup(char *s)
{ "proto", PROTO },
{ "psk", PSK },
{ "quick", QUICK },
+ { "require", REQUIRE },
{ "rsa", RSA },
{ "spi", SPI },
{ "srcid", SRCID },
@@ -754,6 +769,7 @@ lookup(char *s)
{ "transport", TRANSPORT },
{ "tunnel", TUNNEL },
{ "type", TYPE },
+ { "use", USE }
};
const struct keywords *p;

@@ -1628,16 +1644,12 @@ create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_addr_wrap *src,
r->src = src;
r->dst = dst;

- if (type != TYPE_UNKNOWN) {
+ if (type == TYPE_DENY || type == TYPE_BYPASS) {
r->flowtype = type;
return (r);
}

- if (r->direction == IPSEC_IN)
- r->flowtype = TYPE_USE;
- else
- r->flowtype = TYPE_REQUIRE;
-
+ r->flowtype = type;
r->local = local;
if (peer == NULL) {
/* Set peer to remote host. Must be a host address. */
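Review bot: In create_flow, `r->flowtype = type;` is now assigned on both the early-return path and the fall-through path, so the branch only decides whether the local/peer setup below is skipped; hoisting the assignment above the `if` and reducing the body to `if (type == TYPE_DENY || type == TYPE_BYPASS)` / `return (r);` says that directly and removes the duplicate. With the direction-dependent fallback gone, any caller that still passes TYPE_UNKNOWN (I cannot see create_flow's other callers from this hunk) would no longer be mapped to use/require here and would instead reach pfkey_flow's `default:` branch and fail with "unsupported flowtype" at load time; if that is intended, a comment such as `/* type is always a concrete flowtype here; the grammar defaults to TYPE_REQUIRE */` would record the assumption. create_flow begins and ends outside the hunk.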
@@ -1689,33 +1701,35 @@ reverse_rule(struct ipsec_rule *rule)

reverse->type |= RULE_FLOW;

- if (rule->direction == (u_int8_t)IPSEC_OUT) {
+ /* Reverse direction */
+ if (rule->direction == (u_int8_t)IPSEC_OUT)
reverse->direction = (u_int8_t)IPSEC_IN;
- reverse->flowtype = TYPE_USE;
- } else {
+ else
reverse->direction = (u_int8_t)IPSEC_OUT;
- reverse->flowtype = TYPE_REQUIRE;
- }

+ reverse->flowtype = rule->flowtype;
reverse->src = copyhost(rule->dst);
reverse->dst = copyhost(rule->src);
if (rule->local)
reverse->local = copyhost(rule->local);
- reverse->peer = copyhost(rule->peer);
+ if (rule->peer)
+ reverse->peer = copyhost(rule->peer);
reverse->satype = rule->satype;
reverse->proto = rule->proto;

- reverse->auth = calloc(1, sizeof(struct ipsec_auth));
- if (reverse->auth == NULL)
- err(1, "reverse_rule: calloc");
- if (rule->auth->dstid && (reverse->auth->dstid =
- strdup(rule->auth->dstid)) == NULL)
- err(1, "reverse_rule: strdup");
- if (rule->auth->srcid && (reverse->auth->srcid =
- strdup(rule->auth->srcid)) == NULL)
- err(1, "reverse_rule: strdup");
- reverse->auth->idtype = rule->auth->idtype;
- reverse->auth->type = rule->auth->type;
+ if (rule->auth) {
+ reverse->auth = calloc(1, sizeof(struct ipsec_auth));
+ if (reverse->auth == NULL)
+ err(1, "reverse_rule: calloc");
+ if (rule->auth->dstid && (reverse->auth->dstid =
+ strdup(rule->auth->dstid)) == NULL)
+ err(1, "reverse_rule: strdup");
+ if (rule->auth->srcid && (reverse->auth->srcid =
+ strdup(rule->auth->srcid)) == NULL)
+ err(1, "reverse_rule: strdup");
+ reverse->auth->idtype = rule->auth->idtype;
+ reverse->auth->type = rule->auth->type;
+ }

return reverse;
}
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index b455866c9ab..3418e74e4ea 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
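Review bot: `reverse->flowtype = rule->flowtype;` makes the generated reverse flow carry the forward flow's type, including `acquire` and `dontacq`, where the removed code forced the inbound half to `use` and the outbound half to `require`; a comment next to it would spare the next reader from re-deriving that, e.g. `/* Mirror the forward flowtype; the inbound half is no longer forced to "use". */`. Whether `acquire` is meaningful on an inbound flow depends on how the kernel treats that flow type for the inbound direction, which I cannot confirm from this hunk; if it degrades to `require` there, ipsec.conf.5 should say so. The new `if (rule->peer)` and `if (rule->auth)` guards match create_flow's early return for deny/bypass flows, which leaves both fields unset, so they are needed now that reverse rules are built for every in/out flow; reverse_rule's opening lines are outside the hunk.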
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.35 2006/03/31 13:13:51 markus Exp $ */
+/* $OpenBSD: pfkey.c,v 1.36 2006/04/19 16:10:50 hshoexer Exp $ */
/*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -156,6 +156,9 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
case TYPE_USE:
sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_USE;
break;
+ case TYPE_ACQUIRE:
+ sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_ACQUIRE;
+ break;
case TYPE_REQUIRE:
sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE;
break;
@@ -165,6 +168,9 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
case TYPE_BYPASS:
sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_BYPASS;
break;
+ case TYPE_DONTACQ:
+ sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_DONTACQ;
+ break;
default:
warnx("unsupported flowtype %d", flowtype);
return -1;
|