-rw-r--r-- | sbin/ipsec/ipsecadm/Makefile | 4 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/ipsecadm.1 | 77 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/ipsecadm.c | 131 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/kernel.c | 28 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_ah_new.c | 30 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_ah_old.c | 30 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_delspi.c | 30 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_esp_new.c | 30 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_esp_old.c | 30 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_flow.c | 155 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_grp.c | 32 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_ip4.c | 30 | ||||
-rw-r--r-- | sbin/ipsec/rt/Makefile | 5 | ||||
-rw-r--r-- | sbin/ipsec/rt/rt.1 | 107 | ||||
-rw-r--r-- | sbin/ipsec/rt/rt.c | 147 | ||||
-rw-r--r-- | sbin/ipsec/rtdelete/Makefile | 5 | ||||
-rw-r--r-- | sbin/ipsec/rtdelete/rtdelete.1 | 83 | ||||
-rw-r--r-- | sbin/ipsec/rtdelete/rtdelete.c | 119 |
18 files changed, 464 insertions, 609 deletions
diff --git a/sbin/ipsec/ipsecadm/Makefile b/sbin/ipsec/ipsecadm/Makefile index 040631724fc..32591c7c004 100644 --- a/sbin/ipsec/ipsecadm/Makefile +++ b/sbin/ipsec/ipsecadm/Makefile @@ -1,7 +1,7 @@ -# $OpenBSD: Makefile,v 1.7 1997/11/18 00:13:43 provos Exp $ +# $OpenBSD: Makefile,v 1.8 1998/05/24 13:28:58 provos Exp $ PROG= ipsecadm SRCS= ipsecadm.c kernel.c xf_esp_new.c xf_esp_old.c xf_ah_old.c xf_ah_new.c \ - xf_delspi.c xf_grp.c xf_ip4.c + xf_delspi.c xf_grp.c xf_ip4.c xf_flow.c .include <bsd.prog.mk> diff --git a/sbin/ipsec/ipsecadm/ipsecadm.1 b/sbin/ipsec/ipsecadm/ipsecadm.1 index ae0e0394506..babe86b4240 100644 --- a/sbin/ipsec/ipsecadm/ipsecadm.1 +++ b/sbin/ipsec/ipsecadm/ipsecadm.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsecadm.1,v 1.9 1998/05/19 13:33:19 provos Exp $ +.\" $OpenBSD: ipsecadm.1,v 1.10 1998/05/24 13:29:00 provos Exp $ .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. .\" @@ -43,7 +43,7 @@ The .Nm ipsecadm utility allows to setup security associations in the kernel -to be used with +to be used with .Xr ipsec 4 . It can be used to specify the encryption and authentication algorithms and key material for the network layer security @@ -53,7 +53,7 @@ The possible commands are: .Bl -tag -width new_esp .It new esp Setup a SPI which uses the new esp transforms. -Encryption and authentication algorithms can be applied. +Encryption and authentication algorithms can be applied. This is the default mode. Allowed modifiers are: @@ -76,7 +76,7 @@ encryption algorithms can be applied. Allowed modifiers are: .Fl spi , .Fl tunnel , .Fl enc , -.Fl iv +.Fl iv and .Fl key . .It new ah 
@@ -117,9 +117,28 @@ Group two SA's together. Allowed modifiers are: .Fl spi2 , and .Fl proto2 . +.It flow +Create a flow determining which packets are routed via which Security +Association. Allowed modifiers are: +.Fl dst , +.Fl spi , +.Fl proto , +.Fl addr , +.Fl transport , +.Fl sport , +.Fl dport , +.FL local , +.Fl delete . +The +.Xr netstat 1 +command shows the existing flows. .El .Pp -The modifiers have the following meanings: +If no command is given +.Xr ipsecadm 1 +defaults to new esp mode. +.Pp +The modifiers have the following meanings: .Bl -tag -width newpadding -offset indent .It src The source IP address for the SPI. @@ -130,11 +149,11 @@ The unique Security Parameter Index (SPI). .It tunnel The source and destination IP addresses for the external IP header. .It newpadding -For new ESP, specify new style self-describing padding should be used. Ignored everywhere else. +For new ESP, specify new style self-describing padding should be used. .It enc The encryption algorithm to be used with the SPI. Possible values are: -.Nm des +.Nm des and .Nm 3des for both old and new esp. @@ -154,7 +173,7 @@ for both old and new ah and also new esp. Also for both new ah and esp. .It key The secret symmetric key used for encryption and authentication. The size -for +for .Nm des and .Nm 3des @@ -164,7 +183,7 @@ or .Nm blf the key length can be variable. .It authkey -The secret key material used for authentication +The secret key material used for authentication if additional authentication in new esp mode is required. For old or new ah the key material for authentication is passed with the .Nm key 
@@ -176,15 +195,16 @@ the iv has to be eight bytes for .Nm cast and .Nm blf . -The other transforms can either use an eight byte iv or will derive one +The other transforms can either use an eight byte iv or will derive one when none is specified with .Xr ipsecadm 1 . .It proto The security protocol needed by -.Nm delspi +.Nm delspi , +.Nm flow or .Nm group -to uniquely specifiy the SA. +to uniquely specify the SA. The default value is 50 which means .Nm IPPROTO_ESP . .It chain 
@@ -198,18 +218,45 @@ The second SPI used by .It proto2 The second security protocol used by .Nm group . +It defaults to +.Nm IPPROTO_AH . +.It addr +The source address, source network mask, destination address and destination +network mask against which packets need to match to use the specified +Security Association. +.It transport +The protocol number which packets need to match to use the specified +Security Association. Per default the protocol number is not used for +matching. +.It sport +The source port which packets have to match for the flow. +Per default the source port is not used for matching. +.It dport +The destination port which packets have to match for the flow. +Per default the source port is not used for matching. +.It local +The +.Nm flow +command also creates a flow which matches local packets. This is aquivalent +to using a source address of 0.0.0.0 and a source network mask of +255.255.255.0. +.It delete +Instead of creating a flow, an existing flow is deleted. .El .Sh EXAMPLE Setup a SPI which uses new esp with 3des encryption and HMAC-SHA1 authentication: -.Pp +.Bd -literal ipsecadm -enc 3des -auth sha1 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3 -key 638063806380638063806380638063806380638063806380 -authp 1234123412341234 +.Ed .Pp Setup a SPI for authentication with old ah only: -.Pp -ipsecadm old ah -auth md5 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3 +.Bd -literal +ipsecadm old ah -auth md5 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3 -key 12341234deadbeef +.Ed .Sh SEE ALSO +.Xr netstat 1 , .Xr ipsec 4 , .Xr photurisd 8 . diff --git a/sbin/ipsec/ipsecadm/ipsecadm.c b/sbin/ipsec/ipsecadm/ipsecadm.c index 603024d7255..9c387ae088e 100644 --- a/sbin/ipsec/ipsecadm/ipsecadm.c +++ b/sbin/ipsec/ipsecadm/ipsecadm.c 
@@ -1,24 +1,32 @@ -/* $OpenBSD: ipsecadm.c,v 1.14 1998/04/04 22:48:28 provos Exp $ */ +/* $OpenBSD: ipsecadm.c,v 1.15 1998/05/24 13:29:01 provos Exp $ */ /* - * The author of this code is John Ioannidis, ji@tla.org, - * (except when noted otherwise). + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). * - * This code was written for BSD/OS in Athens, Greece, in November 1995. + * This code was written by John Ioannidis for BSD/OS in Athens, Greece, + * in November 1995. * * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis, kermit@forthnet.gr. Additional code written by - * Niels Provos in Germany. + * by Angelos D. Keromytis. * - * Copyright (C) 1995, 1996, 1997 by John Ioannidis, Angelos D. Keromytis - * and Niels Provos + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. * + * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis + * and Niels Provos. + * * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or - * modification of this software. + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR * PURPOSE. 
@@ -52,18 +60,19 @@ #include "netinet/ip_ipsp.h" #include "netinet/ip_esp.h" -#define ESP_OLD 0x01 -#define ESP_NEW 0x02 -#define AH_OLD 0x04 -#define AH_NEW 0x08 +#define ESP_OLD 0x01 +#define ESP_NEW 0x02 +#define AH_OLD 0x04 +#define AH_NEW 0x08 -#define XF_ENC 0x10 -#define XF_AUTH 0x20 -#define DEL_SPI 0x30 -#define GRP_SPI 0x40 -#define ENC_IP 0x80 +#define XF_ENC 0x10 +#define XF_AUTH 0x20 +#define DEL_SPI 0x30 +#define GRP_SPI 0x40 +#define FLOW 0x50 +#define ENC_IP 0x80 -#define CMD_MASK 0xf0 +#define CMD_MASK 0xf0 #define isencauth(x) ((x)&~CMD_MASK) #define iscmd(x,y) (((x) & CMD_MASK) == (y)) @@ -74,19 +83,20 @@ typedef struct { } transform; int xf_esp_new __P((struct in_addr, struct in_addr, u_int32_t, int, int, - u_char *, u_char *, u_char *, struct in_addr, - struct in_addr, int)); + u_char *, u_char *, u_char *, struct in_addr, struct in_addr, int)); int xf_esp_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *, - u_char *, struct in_addr, struct in_addr)); + u_char *, struct in_addr, struct in_addr)); int xf_ah_new __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *, - struct in_addr, struct in_addr)); + struct in_addr, struct in_addr)); int xf_ah_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *, - struct in_addr, struct in_addr)); + struct in_addr, struct in_addr)); int xf_delspi __P((struct in_addr, u_int32_t, int, int)); int xf_grp __P((struct in_addr, u_int32_t, int, struct in_addr, u_int32_t, int)); +int xf_flow __P((struct in_addr, u_int32_t, int, struct in_addr, + struct in_addr, struct in_addr, struct in_addr, int, int, int, int, int)); int xf_ip4 __P((struct in_addr, struct in_addr, u_int32_t, - struct in_addr, struct in_addr)); + struct in_addr, struct in_addr)); transform xf[] = { {"des", ALG_ENC_DES, XF_ENC |ESP_OLD|ESP_NEW}, 
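Review bot: The xf_flow prototype added in the second hunk here takes twelve positional parameters, four of them consecutive `struct in_addr` values (osrc, osmask, odst, odmask) followed by five `int` selectors, so a transposed address/mask or sport/dport at the call site compiles silently. A small selector struct passed by pointer (address/mask pairs plus protocol and ports, with the `delete`/`local` switches kept as ints or folded in) would make the call in main() self-describing and keep the argument list within the usual five-to-seven limit. The declaration style otherwise matches the surrounding `__P()` prototypes.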
@@ -117,12 +127,13 @@ isvalid(char *option, int type, int mode) int i; for (i = sizeof(xf) / sizeof(transform) - 1; i >= 0; i--) - if (!strcmp(option, xf[i].name)) + if (!strcmp(option, xf[i].name)) { if ((xf[i].flags & CMD_MASK) == type && (xf[i].flags & mode)) return xf[i].id; else return 0; + } return 0; } @@ -130,7 +141,7 @@ void usage() { fprintf( stderr, "usage: ipsecadm [command] <modifier...>\n" - "\tCommands: new esp, old esp, new ah, old ah, group, delspi, ip4\n" + "\tCommands: new esp, old esp, new ah, old ah, group, delspi, ip4, flow\n" "\tPossible modifiers:\n" "\t\t-enc <alg>\t encryption algorithm\n" "\t\t-auth <alg>\t authentication algorithm\n" @@ -144,6 +155,10 @@ usage() "\t\t-proto <val>\t security protocol\n" "\t\t-chain\t\t SPI chain delete\n" "\t\t-newpadding\t new style padding for new ESP\n" + "\t\t-transport <val>\t protocol number for flow\n" + "\t\t-addr <ip> <net> <ip> <net>\t subnets for flow\n" + "\t\t-delete\t\t delete specified flow\n" + "\t\t-local\t\t also create a local flow\n" "\talso: dst2, spi2, proto2\n" ); } @@ -157,12 +172,15 @@ main(argc, argv) int mode = ESP_NEW, new = 1, flag = 0, newpadding = 0; int auth = 0, enc = 0, ivlen = 0, klen = 0, alen = 0; int proto = IPPROTO_ESP, proto2 = IPPROTO_AH; + int dport = -1, sport = -1, tproto = -1; + int delete = 0, local = 0; int chain = 0; u_int32_t spi = 0, spi2 = 0; - struct in_addr src, dst, dst2, osrc, odst; + struct in_addr src, dst, dst2, osrc, odst, osmask, odmask; u_char *ivp = NULL, *keyp = NULL, *authp = NULL; osrc.s_addr = odst.s_addr = src.s_addr = dst.s_addr = dst2.s_addr = 0; + osmask.s_addr = odmask.s_addr = 0; if (argc < 2) { usage(); @@ -188,6 +206,9 @@ main(argc, argv) } else if (!strcmp(argv[i], "group") && flag < 2) { flag = 2; mode = GRP_SPI; + } else if (!strcmp(argv[i], "flow") && flag < 2) { + flag = 2; + mode = FLOW; } else if (!strcmp(argv[i], "ip4") && flag < 2) { flag = 2; mode = ENC_IP; 
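Review bot: usage() in this hunk advertises the new `flow` command together with `-transport`, `-addr`, `-delete` and `-local`, but not `-sport` and `-dport`, which main() parses for FLOW further down (outside this hunk) and which the updated ipsecadm.1 documents; add `"\t\t-sport <port>\t source port for flow\n"` and `"\t\t-dport <port>\t destination port for flow\n"` next to the `-transport` line so the usage text and the accepted modifiers stay in step. The `-transport <val>` entry could also say it is an IP protocol number, since that is what xf_flow() stores into the selector.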
@@ -255,13 +276,36 @@ main(argc, argv) } else if (!strcmp(argv[i]+1, "src") && i+1 < argc) { src.s_addr = inet_addr(argv[i+1]); i++; - } else if (!strcmp(argv[i]+1, "newpadding")) { + } else if (!strcmp(argv[i]+1, "newpadding") && (mode & ESP_NEW)) { newpadding = 1; - } else if (!strcmp(argv[i]+1, "tunnel") && i+2 < argc) { + } else if (!strcmp(argv[i]+1, "delete") && iscmd(mode, FLOW)) { + delete = 1; + } else if (!strcmp(argv[i]+1, "local") && iscmd(mode, FLOW)) { + local = 1; + } else if (!strcmp(argv[i]+1, "tunnel") && + isencauth(mode) && i+2 < argc) { osrc.s_addr = inet_addr(argv[i+1]); i++; odst.s_addr = inet_addr(argv[i+1]); i++; + } else if (!strcmp(argv[i]+1, "addr") && + iscmd(mode, FLOW) && i+4 < argc) { + osrc.s_addr = inet_addr(argv[i+1]); i++; + osmask.s_addr = inet_addr(argv[i+1]); i++; + odst.s_addr = inet_addr(argv[i+1]); i++; + odmask.s_addr = inet_addr(argv[i+1]); i++; + } else if (!strcmp(argv[i]+1, "transport") && + iscmd(mode, FLOW) && i+1 < argc) { + tproto = atoi(argv[i+1]); + i++; + } else if (!strcmp(argv[i]+1, "sport") && + iscmd(mode, FLOW) && i+1 < argc) { + sport = atoi(argv[i+1]); + i++; + } else if (!strcmp(argv[i]+1, "dport") && + iscmd(mode, FLOW) && i+1 < argc) { + dport = atoi(argv[i+1]); + i++; } else if (!strcmp(argv[i]+1, "dst") && i+1 < argc) { dst.s_addr = inet_addr(argv[i+1]); i++; @@ -298,7 +342,7 @@ main(argc, argv) } else if (isencauth(mode) && keyp == NULL) { fprintf(stderr, "%s: No key material specified\n", argv[0]); exit(1); - } else if ((mode & ESP_NEW) && auth & authp == NULL) { + } else if ((mode & ESP_NEW) && auth && authp == NULL) { fprintf(stderr, "%s: No auth key material specified\n", argv[0]); exit(1); } else if (spi == 0) { 
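Review bot: The new `-transport`, `-sport` and `-dport` branches in this hunk hand the argument straight to atoi(), so a non-numeric or out-of-range value (`-sport 70000`, `-dport tcp`) is accepted here and is only later narrowed or silently ignored inside xf_flow(); parse with strtol() and an end-pointer check instead, rejecting anything outside 0–255 for the protocol and 1–65535 for the ports, roughly `long v = strtol(argv[i+1], &ep, 10); if (*argv[i+1] == '\0' || *ep != '\0' || v < 1 || v > 65535) { usage(); exit(1); } sport = (int)v;` with the same shape for `dport` and `tproto`. The four inet_addr() calls in the `-addr` branch inherit the weakness of the existing `-src`/`-dst` parsing: inet_addr() returns INADDR_NONE (255.255.255.255) for unparsable input, which is indistinguishable from a legitimate host mask, so a mistyped netmask quietly becomes a /32 flow; inet_aton() reports failure separately and would let main() refuse the flow. main() begins before and continues after this hunk.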
@@ -311,12 +355,14 @@ main(argc, argv) src.s_addr == 0) { fprintf(stderr, "%s: No source address specified\n", argv[0]); exit(1); - } else if ((iscmd(mode, DEL_SPI) || iscmd(mode, GRP_SPI)) - && proto == 0) { - fprintf(stderr, "%s: No security protocol specified\n", argv[0]); + } else if ((iscmd(mode, DEL_SPI) || iscmd(mode, GRP_SPI) || + iscmd(mode, FLOW)) && + proto != IPPROTO_ESP && proto != IPPROTO_AH) { + fprintf(stderr, "%s: Security protocol is neither AH or ESP\n", argv[0]); exit(1); - } else if (iscmd(mode, GRP_SPI) && proto2 == 0) { - fprintf(stderr, "%s: No security protocol2 specified\n", argv[0]); + } else if (iscmd(mode, GRP_SPI) && + proto2 != IPPROTO_ESP && proto2 != IPPROTO_AH) { + fprintf(stderr, "%s: Security protocol2 is neither AH or ESP\n", argv[0]); exit(1); } else if (dst.s_addr == 0) { fprintf(stderr, "%s: No destination address specified\n", @@ -327,13 +373,18 @@ main(argc, argv) fprintf(stderr, "%s: No tunnel addresses specified\n", argv[0]); exit(1); + } else if (iscmd(mode, FLOW) && + (((odst.s_addr & odmask.s_addr) == 0) || + ((osrc.s_addr & osmask.s_addr) == 0))) { + fprintf(stderr, "%s: No subnets for flow specified\n", + argv[0]); + exit(1); } else if (iscmd(mode, GRP_SPI) && dst2.s_addr == 0) { fprintf(stderr, "%s: No destination address2 specified\n", argv[0]); exit(1); } - if (isencauth(mode)) { switch(mode) { case ESP_NEW: @@ -361,6 +412,10 @@ main(argc, argv) case ENC_IP: xf_ip4(src, dst, spi, osrc, odst); break; + case FLOW: + xf_flow(dst, spi, proto, osrc, osmask, odst, odmask, tproto, + sport, dport, delete, local); + break; } } diff --git a/sbin/ipsec/ipsecadm/kernel.c b/sbin/ipsec/ipsecadm/kernel.c index 6bec2d17cc6..b96ca8f8bea 100644 --- a/sbin/ipsec/ipsecadm/kernel.c +++ b/sbin/ipsec/ipsecadm/kernel.c 
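Review bot: The flow sanity check added in the `@@ -327` hunk rejects any flow for which `odst & odmask` or `osrc & osmask` is zero, which makes a wildcard network (`-addr 0.0.0.0 0.0.0.0 ...` for "any source" or "any destination") impossible to request on the command line even though the `-local` path in xf_flow() installs exactly such a zero source/mask itself; tracking whether `-addr` was actually given (a flag set in that branch) would detect a missing `-addr` without also forbidding legitimate wildcard selectors. In the `@@ -361` hunk the result of `xf_flow()` is discarded like the other xf_* calls, so a failed routing-socket write still ends in a successful exit if main() returns 0 after the switch (the rest of main() is outside the hunk); `exit(xf_flow(...) ? 0 : 1)`-style propagation, or collecting the result into a status variable, would let scripts notice the failure. The "neither AH or ESP" messages read better as "neither AH nor ESP".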
@@ -1,24 +1,32 @@ -/* $OpenBSD: kernel.c,v 1.2 1997/08/26 12:04:36 provos Exp $ */ +/* $OpenBSD: kernel.c,v 1.3 1998/05/24 13:29:02 provos Exp $ */ /* - * The author of this code is John Ioannidis, ji@tla.org, - * (except when noted otherwise). + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). * - * This code was written for BSD/OS in Athens, Greece, in November 1995. + * This code was written by John Ioannidis for BSD/OS in Athens, Greece, + * in November 1995. * * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis, kermit@forthnet.gr. Additional code written by - * Niels Provos in Germany. + * by Angelos D. Keromytis. * - * Copyright (C) 1995, 1996, 1997 by John Ioannidis, Angelos D. Keromytis and - * Niels Provos. + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis + * and Niels Provos. * * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or - * modification of this software. + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR * PURPOSE. 
diff --git a/sbin/ipsec/ipsecadm/xf_ah_new.c b/sbin/ipsec/ipsecadm/xf_ah_new.c index 55c21e59653..1046eaef491 100644 --- a/sbin/ipsec/ipsecadm/xf_ah_new.c +++ b/sbin/ipsec/ipsecadm/xf_ah_new.c 
@@ -1,24 +1,32 @@ -/* $OpenBSD: xf_ah_new.c,v 1.2 1997/09/23 21:41:00 angelos Exp $ */ +/* $OpenBSD: xf_ah_new.c,v 1.3 1998/05/24 13:29:03 provos Exp $ */ /* - * The author of this code is John Ioannidis, ji@tla.org, - * (except when noted otherwise). + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). * - * This code was written for BSD/OS in Athens, Greece, in November 1995. + * This code was written by John Ioannidis for BSD/OS in Athens, Greece, + * in November 1995. * * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis, kermit@forthnet.gr. Additional code written by - * Niels Provos in Germany. - * - * Copyright (C) 1995, 1996, 1997 by John Ioannidis, Angelos D. Keromytis and - * Niels Provos. + * by Angelos D. Keromytis. + * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis + * and Niels Provos. * * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or - * modification of this software. + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR * PURPOSE. 
diff --git a/sbin/ipsec/ipsecadm/xf_ah_old.c b/sbin/ipsec/ipsecadm/xf_ah_old.c index bd58587e486..f82ac8bc202 100644 --- a/sbin/ipsec/ipsecadm/xf_ah_old.c +++ b/sbin/ipsec/ipsecadm/xf_ah_old.c 
@@ -1,24 +1,32 @@ -/* $OpenBSD: xf_ah_old.c,v 1.2 1997/09/23 21:41:00 angelos Exp $ */ +/* $OpenBSD: xf_ah_old.c,v 1.3 1998/05/24 13:29:04 provos Exp $ */ /* - * The author of this code is John Ioannidis, ji@tla.org, - * (except when noted otherwise). + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). * - * This code was written for BSD/OS in Athens, Greece, in November 1995. + * This code was written by John Ioannidis for BSD/OS in Athens, Greece, + * in November 1995. * * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis, kermit@forthnet.gr. Additional code written by - * Niels Provos in Germany. - * - * Copyright (C) 1995, 1996, 1997 by John Ioannidis, Angelos D. Keromytis and - * Niels Provos. + * by Angelos D. Keromytis. * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis + * and Niels Provos. + * * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or - * modification of this software. + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR * PURPOSE. 
diff --git a/sbin/ipsec/ipsecadm/xf_delspi.c b/sbin/ipsec/ipsecadm/xf_delspi.c index da70a5883f8..3d352d8131d 100644 --- a/sbin/ipsec/ipsecadm/xf_delspi.c +++ b/sbin/ipsec/ipsecadm/xf_delspi.c 
@@ -1,24 +1,32 @@ -/* $OpenBSD: xf_delspi.c,v 1.5 1997/08/26 12:04:41 provos Exp $ */ +/* $OpenBSD: xf_delspi.c,v 1.6 1998/05/24 13:29:06 provos Exp $ */ /* - * The author of this code is John Ioannidis, ji@tla.org, - * (except when noted otherwise). + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). * - * This code was written for BSD/OS in Athens, Greece, in November 1995. + * This code was written by John Ioannidis for BSD/OS in Athens, Greece, + * in November 1995. * * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis, kermit@forthnet.gr. Additional code written by - * Niels Provos in Germany. - * - * Copyright (C) 1995, 1996, 1997 by John Ioannidis, Angelos D. Keromytis and - * Niels Provos. + * by Angelos D. Keromytis. + * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis + * and Niels Provos. * * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or - * modification of this software. + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR * PURPOSE. 
diff --git a/sbin/ipsec/ipsecadm/xf_esp_new.c b/sbin/ipsec/ipsecadm/xf_esp_new.c index 7df6976433e..adda7f02dd0 100644 --- a/sbin/ipsec/ipsecadm/xf_esp_new.c +++ b/sbin/ipsec/ipsecadm/xf_esp_new.c 
@@ -1,24 +1,32 @@ -/* $OpenBSD: xf_esp_new.c,v 1.6 1998/04/04 22:48:30 provos Exp $ */ +/* $OpenBSD: xf_esp_new.c,v 1.7 1998/05/24 13:29:07 provos Exp $ */ /* - * The author of this code is John Ioannidis, ji@tla.org, - * (except when noted otherwise). + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). * - * This code was written for BSD/OS in Athens, Greece, in November 1995. + * This code was written by John Ioannidis for BSD/OS in Athens, Greece, + * in November 1995. * * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis, kermit@forthnet.gr. Additional code written by - * Niels Provos in Germany. - * - * Copyright (C) 1995, 1996, 1997 by John Ioannidis, Angelos D. Keromytis and - * Niels Provos. + * by Angelos D. Keromytis. + * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis + * and Niels Provos. * * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or - * modification of this software. + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR * PURPOSE. 
diff --git a/sbin/ipsec/ipsecadm/xf_esp_old.c b/sbin/ipsec/ipsecadm/xf_esp_old.c index ec1ac975dcc..f7d7acd0deb 100644 --- a/sbin/ipsec/ipsecadm/xf_esp_old.c +++ b/sbin/ipsec/ipsecadm/xf_esp_old.c 
@@ -1,24 +1,32 @@ -/* $OpenBSD: xf_esp_old.c,v 1.2 1997/09/23 21:41:01 angelos Exp $ */ +/* $OpenBSD: xf_esp_old.c,v 1.3 1998/05/24 13:29:08 provos Exp $ */ /* - * The author of this code is John Ioannidis, ji@tla.org, - * (except when noted otherwise). + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). * - * This code was written for BSD/OS in Athens, Greece, in November 1995. + * This code was written by John Ioannidis for BSD/OS in Athens, Greece, + * in November 1995. * * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis, kermit@forthnet.gr. Additional code written by - * Niels Provos in Germany. - * - * Copyright (C) 1995, 1996, 1997 by John Ioannidis, Angelos D. Keromytis and - * Niels Provos. + * by Angelos D. Keromytis. + * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis + * and Niels Provos. * * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or - * modification of this software. + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR * PURPOSE. 
diff --git a/sbin/ipsec/ipsecadm/xf_flow.c b/sbin/ipsec/ipsecadm/xf_flow.c new file mode 100644 index 00000000000..86ea21fca85 --- /dev/null +++ b/sbin/ipsec/ipsecadm/xf_flow.c 
@@ -0,0 +1,155 @@ +/* $OpenBSD: xf_flow.c,v 1.1 1998/05/24 13:29:10 provos Exp $ */ +/* + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). + * + * This code was written by John Ioannidis for BSD/OS in Athens, Greece, + * in November 1995. + * + * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, + * by Angelos D. Keromytis. + * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis + * and Niels Provos. + * + * Permission to use, copy, and modify this software without fee + * is hereby granted, provided that this entire notice is included in + * all copies of any software which is or includes a copy or + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. 
+ */
+
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+
+extern char buf[];
+
+int
+xf_flow(struct in_addr dst, u_int32_t spi, int proto,
+ struct in_addr osrc, struct in_addr osmask,
+ struct in_addr odst, struct in_addr odmask,
+ int tproto, int sport, int dport, int delete, int local)
+{
+ struct sockaddr_encap *ddst, *msk, *gw;
+ struct rt_msghdr *rtm;
+ int sd, off;
+
+ sd = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+ if (sd < 0) {
+ perror("socket");
+ return 0;
+ }
+
+ bzero(buf, sizeof(*rtm) + SENT_IP4_LEN + SENT_IPSP_LEN + SENT_IP4_LEN);
+
+ rtm = (struct rt_msghdr *)(&buf[0]);
+ ddst = (struct sockaddr_encap *) (&buf[sizeof (*rtm)]);
+ off = sizeof(*rtm) + SENT_IP4_LEN;
+ if (!delete) {
+ gw = (struct sockaddr_encap *) (&buf[off]);
+ off += SENT_IPSP_LEN;
+ }
+ msk = (struct sockaddr_encap *) (&buf[off]);
+
+ rtm->rtm_version = RTM_VERSION;
+ rtm->rtm_type = delete ? RTM_DELETE : RTM_ADD;
+ rtm->rtm_index = 0;
+ rtm->rtm_pid = getpid();
+ rtm->rtm_addrs = RTA_DST | (delete ? 0 : RTA_GATEWAY) | RTA_NETMASK;
+ rtm->rtm_errno = 0;
+ rtm->rtm_flags = RTF_UP | (delete ?
0 : RTF_GATEWAY) | RTF_STATIC;
+ rtm->rtm_inits = 0;
+
+ ddst->sen_len = SENT_IP4_LEN;
+ ddst->sen_family = AF_ENCAP;
+ ddst->sen_type = SENT_IP4;
+ ddst->sen_ip_src.s_addr = osrc.s_addr;
+ ddst->sen_ip_dst.s_addr = odst.s_addr;
+ ddst->sen_proto = ddst->sen_sport = ddst->sen_dport = 0;
+
+ if (tproto > 0) {
+ ddst->sen_proto = tproto;
+ msk->sen_proto = 0xff;
+
+ if (sport > 0) {
+ ddst->sen_sport = sport;
+ msk->sen_sport = 0xffff;
+ }
+
+ if (dport > 0) {
+ ddst->sen_dport = dport;
+ msk->sen_dport = 0xffff;
+ }
+ }
+
+ if (!delete) {
+ gw->sen_len = SENT_IPSP_LEN;
+ gw->sen_family = AF_ENCAP;
+ gw->sen_type = SENT_IPSP;
+ gw->sen_ipsp_dst.s_addr = dst.s_addr;
+ gw->sen_ipsp_spi = spi;
+ gw->sen_ipsp_sproto = proto;
+ }
+
+ msk->sen_len = SENT_IP4_LEN;
+ msk->sen_family = AF_ENCAP;
+ msk->sen_type = SENT_IP4;
+ msk->sen_ip_src.s_addr = osmask.s_addr;
+ msk->sen_ip_dst.s_addr = odmask.s_addr;
+
+ rtm->rtm_msglen = sizeof(*rtm) + ddst->sen_len +
+ (delete ? 0 : gw->sen_len) + msk->sen_len;
+
+ if (write(sd, (caddr_t) buf, rtm->rtm_msglen) < 0) {
+ perror("write");
+ return 0;
+ }
+
+ /* Additionally create/delete a flow for local packets */
+ if (local) {
+ ddst->sen_ip_src.s_addr = 0;
+ msk->sen_ip_src.s_addr = INADDR_ANY;
+ if (write(sd, (caddr_t) buf, rtm->rtm_msglen) < 0) {
+ perror("write");
+ return 0;
+ }
+ }
+ return 1;
+}
diff --git a/sbin/ipsec/ipsecadm/xf_grp.c b/sbin/ipsec/ipsecadm/xf_grp.c
index 4b2c647f119..7ccf0eed1d9 100644
--- a/sbin/ipsec/ipsecadm/xf_grp.c
+++ b/sbin/ipsec/ipsecadm/xf_grp.c
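Review bot: In xf_flow() the `-sport`/`-dport` selectors are only applied inside the `if (tproto > 0)` block, so a flow given ports but no `-transport` is silently installed with no port match at all, i.e. wider than the operator asked for; reject that combination explicitly (below) rather than dropping the selectors, and range-check the values before they are narrowed into the sen_proto/sen_sport/sen_dport fields, whose widths are declared in net/encap.h outside this diff. The two `return 0` paths after the socket() succeeds, and the final `return 1`, leave `sd` open; add `close(sd);` before each return. The `-local` flow sets `msk->sen_ip_src.s_addr = INADDR_ANY`, a 0.0.0.0 mask that matches every source, while the new ipsecadm.1 text describes it as a 255.255.255.0 source mask — the two disagree, and presumably it is the man page that needs the correction. The function also relies on the externally declared `buf[]` holding at least sizeof(*rtm) + 2*SENT_IP4_LEN + SENT_IPSP_LEN bytes, which nothing in this file checks; a local array sized from those constants would remove the dependency on the other translation unit.
```c
	/* … unchanged: socket(), buffer carving and rtm header setup … */
	if (tproto > 0) {
		ddst->sen_proto = tproto;
		msk->sen_proto = 0xff;
	} else if (sport > 0 || dport > 0) {
		fprintf(stderr, "xf_flow: -sport/-dport require -transport\n");
		close(sd);
		return 0;
	}

	if (sport > 0) {
		ddst->sen_sport = sport;
		msk->sen_sport = 0xffff;
	}

	if (dport > 0) {
		ddst->sen_dport = dport;
		msk->sen_dport = 0xffff;
	}
	/* … unchanged: gateway, netmask, rtm_msglen and the write() calls … */
```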
@@ -1,24 +1,32 @@
-/* $OpenBSD: xf_grp.c,v 1.8 1997/09/14 10:37:47 deraadt Exp $ */
+/* $OpenBSD: xf_grp.c,v 1.9 1998/05/24 13:29:10 provos Exp $ */
 /*
- * The author of this code is John Ioannidis, ji@tla.org,
- * (except when noted otherwise).
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
 *
- * This code was written for BSD/OS in Athens, Greece, in November 1995.
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
 *
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis, kermit@forthnet.gr. Additional code written by
- * Niels Provos in Germany.
- *
- * Copyright (C) 1995, 1996, 1997 by John Ioannidis, Angelos D. Keromytis and
- * Niels Provos.
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
 *
 * Permission to use, copy, and modify this software without fee
 * is hereby granted, provided that this entire notice is included in
 * all copies of any software which is or includes a copy or
- * modification of this software.
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
 *
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
 * PURPOSE.
@@ -51,7 +59,7 @@
 #include "net/encap.h"
 #include "netinet/ip_ipsp.h"
-extern buf[];
+extern char buf[];
 int xf_set __P(( struct encap_msghdr *));
 int x2i __P((char *));
diff --git a/sbin/ipsec/ipsecadm/xf_ip4.c b/sbin/ipsec/ipsecadm/xf_ip4.c
index 69fbd3a4308..d8d35f15d2a 100644
--- a/sbin/ipsec/ipsecadm/xf_ip4.c
+++ b/sbin/ipsec/ipsecadm/xf_ip4.c
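Review bot: `extern char buf[];` fixes the implicit-int declaration but still leaves xf_grp.c with no bound on the shared message buffer, so nothing in this translation unit can check the encap message it builds against `sizeof buf`; the new xf_flow.c repeats the same unbounded extern and bzero()s a computed length into it. Since the declaration is being touched anyway, declare the buffer once in a header shared with its definition, with its size, e.g. `extern char buf[IPSECADM_BUFSIZ];`, so every transform is compiled against the same bound. The definition of buf and its actual size are not visible in this hunk, so the constant name is a placeholder to be aligned with wherever it is defined.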
@@ -1,24 +1,32 @@
-/* $OpenBSD: xf_ip4.c,v 1.4 1997/11/18 00:13:45 provos Exp $ */
+/* $OpenBSD: xf_ip4.c,v 1.5 1998/05/24 13:29:11 provos Exp $ */
 /*
- * The author of this code is John Ioannidis, ji@tla.org,
- * (except when noted otherwise).
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
 *
- * This code was written for BSD/OS in Athens, Greece, in November 1995.
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
 *
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis, kermit@forthnet.gr. Additional code written by
- * Niels Provos in Germany.
- *
- * Copyright (C) 1995, 1996, 1997 by John Ioannidis, Angelos D. Keromytis and
- * Niels Provos.
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
 *
 * Permission to use, copy, and modify this software without fee
 * is hereby granted, provided that this entire notice is included in
 * all copies of any software which is or includes a copy or
- * modification of this software.
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
 *
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
 * PURPOSE.
diff --git a/sbin/ipsec/rt/Makefile b/sbin/ipsec/rt/Makefile
deleted file mode 100644
index 746123c1975..00000000000
--- a/sbin/ipsec/rt/Makefile
+++ /dev/null
@@ -1,5 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 1997/09/05 10:07:25 provos Exp $
-
-PROG= rt
-
-.include <bsd.prog.mk>
diff --git a/sbin/ipsec/rt/rt.1 b/sbin/ipsec/rt/rt.1
deleted file mode 100644
index 3445dc67625..00000000000
--- a/sbin/ipsec/rt/rt.1
+++ /dev/null
@@ -1,107 +0,0 @@
-.\" $OpenBSD: rt.1,v 1.2 1998/03/05 09:30:52 provos Exp $
-.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by Niels Provos.
-.\" 4. The name of the author may not be used to endorse or promote products
-.\" derived from this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Manual page, using -mandoc macros
-.\"
-.Dd September 5, 1997
-.Dt RT 1
-.Os
-.Sh NAME
-.Nm rt
-.Nd create IPSec routing entries
-.Sh SYNOPSIS
-.Nm rt
-.Ar isrc
-.Ar isrcmask
-.Ar idst
-.Ar idstmask
-.Ar tproto
-.Ar sport
-.Ar dport
-.Ar raddr
-.Ar spi
-.Ar fespah
-.Sh DESCRIPTION
-The
-.Nm rt
-utility creates a routing entry for IPSec. A Security association
-must already be established with either
-.Xr photurisd 8
-or
-.Xr ipsecadm 1 .
-The arguments are:
-.Pp
-.Bl -tag -width idstmask_
-.It isrc
-The initial source address.
-.It isrcmask
-The network mask for the initial source address. The source
-address of outgoing packets has to match the address range
-specified by
-.Nm isrc
-and
-.Nm isrcmask
-to be routed through IPSec.
-.It idst
-The initial destination address.
-.It idstmask
-The network mask for the initial destination address. The destination
-address of outgoing packets has to match the address range
-specified by
-.Nm idst
-and
-.Nm idstmask
-to be routed through IPSec.
-.It tproto
-The protocol number packets have to match to be routed.
-Specify -1 as wildcard.
-.It sport
-The source port of a packet if applicable. Specify -1 as wildcard.
-.It dport
-The destination port aof a packet if applicable. Specify -1 as wildcard.
-.It raddr
-The destination address of the security association. If you dont
-use tunnel mode that will be the same as
-.Nm idst .
-.It spi
-The Security Parameter Index of the security association.
-.It fespah
-Specifies the security protocol of the SA. Use either 0 for AH or
-1 for ESP.
-.El
-.Sh EXAMPLE
-Route packets for ESP in transport mode:
-.Pp
-rt 0.0.0.0 255.255.255.255 remote 255.255.255.255 -1 -1 -1 remote SPI 1
-.Pp
-rt localip 255.255.255.255 remote 255.255.255.255 -1 -1 -1 remote SPI 1
-.Sh SEE ALSO
-.Xr ipsecadm 1 ,
-.Xr netstat 1 ,
-.Xr photurisd 8 .
diff --git a/sbin/ipsec/rt/rt.c b/sbin/ipsec/rt/rt.c
deleted file mode 100644
index 3e4cfd3129a..00000000000
--- a/sbin/ipsec/rt/rt.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * The author of this code is John Ioannidis, ji@tla.org,
- * (except when noted otherwise).
- *
- * This code was written for BSD/OS in Athens, Greece, in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis, kermit@forthnet.gr.
- *
- * Copyright (C) 1995, 1996, 1997 by John Ioannidis and Angelos D. Keromytis.
- *
- * Permission to use, copy, and modify this software without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/mbuf.h>
-#include <sys/sysctl.h>
-
-#include <net/if.h>
-#include <net/route.h>
-#include <net/if_dl.h>
-#include <netinet/in.h>
-#include <netns/ns.h>
-#include <netiso/iso.h>
-#include <netccitt/x25.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-#include <paths.h>
-
-
-#define INET
-#include "net/encap.h"
-
-char buf[2048];
-
-int
-main(int argc, char **argv)
-{
- struct sockaddr_encap *dst, *msk, *gw;
- struct rt_msghdr *rtm;
- int sd, proto;
-
- if (argc != 11)
- fprintf(stderr, "usage: %s isrc isrcmask idst idstmask tproto sport dport raddr spi fespah\n", argv[0]), exit(1);
-
- switch(argv[10][0]) {
- case '0':
- proto = IPPROTO_AH;
- break;
- case '1':
- proto = IPPROTO_ESP;
- break;
- case '-':
- proto = 0;
- break;
- case 'p':
- proto = atoi(argv[10]+1);
- break;
- default:
- fprintf(stderr, "flag fespah: wrong value %s\n", argv[10]);
- exit(-1);
- }
-
-
- sd = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
- if (sd < 0)
- perror("socket"), exit(1);
-
- rtm = (struct rt_msghdr *)(&buf[0]);
- dst = (struct sockaddr_encap *) (&buf[sizeof (*rtm)]);
- gw = (struct sockaddr_encap *) (&buf[sizeof (*rtm) + SENT_IP4_LEN]);
- msk = (struct sockaddr_encap *) (&buf[sizeof (*rtm) + SENT_IP4_LEN +
- SENT_IPSP_LEN]);
-
- rtm->rtm_version = RTM_VERSION;
- rtm->rtm_type = RTM_ADD;
- rtm->rtm_index = 0;
- rtm->rtm_pid = getpid();
- rtm->rtm_addrs = RTA_DST | RTA_GATEWAY | RTA_NETMASK /* | RTA_IFP */;
- rtm->rtm_errno = 0;
- rtm->rtm_flags = RTF_UP | RTF_GATEWAY | RTF_STATIC;
- rtm->rtm_inits = 0;
-
- dst->sen_len = SENT_IP4_LEN;
- dst->sen_family = AF_ENCAP;
- dst->sen_type = SENT_IP4;
- dst->sen_ip_src.s_addr = inet_addr(argv[1]);
- dst->sen_ip_dst.s_addr = inet_addr(argv[3]);
- dst->sen_proto = dst->sen_sport = dst->sen_dport = 0;
-
- if (atoi(argv[5]) > 0)
- {
- dst->sen_proto = atoi(argv[5]);
- msk->sen_proto = 0xff;
-
- if (atoi(argv[6]) > 0)
- {
- dst->sen_sport = atoi(argv[6]);
- msk->sen_sport = 0xffff;
- }
-
- if (atoi(argv[7]) > 0)
- {
- dst->sen_dport = atoi(argv[7]);
- msk->sen_dport = 0xffff;
- }
- }
-
- gw->sen_len = SENT_IPSP_LEN;
- gw->sen_family = AF_ENCAP;
- gw->sen_type = SENT_IPSP;
- gw->sen_ipsp_dst.s_addr = inet_addr(argv[8]);
- gw->sen_ipsp_spi = htonl(strtoul(argv[9], NULL, 16));
- gw->sen_ipsp_sproto = proto;
-
- msk->sen_len = SENT_IP4_LEN;
- msk->sen_family = AF_ENCAP;
- msk->sen_type = SENT_IP4;
- msk->sen_ip_src.s_addr = inet_addr(argv[2]);
- msk->sen_ip_dst.s_addr = inet_addr(argv[4]);
-
- rtm->rtm_msglen = sizeof(*rtm) + dst->sen_len + gw->sen_len +
- msk->sen_len;
-
- if (write(sd, (caddr_t) buf, rtm->rtm_msglen) < 0)
- perror("write");
- exit(0);
-}
diff --git a/sbin/ipsec/rtdelete/Makefile b/sbin/ipsec/rtdelete/Makefile
deleted file mode 100644
index d8e1af3df02..00000000000
--- a/sbin/ipsec/rtdelete/Makefile
+++ /dev/null
@@ -1,5 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 1997/09/05 10:07:31 provos Exp $
-
-PROG= rtdelete
-
-.include <bsd.prog.mk>
diff --git a/sbin/ipsec/rtdelete/rtdelete.1 b/sbin/ipsec/rtdelete/rtdelete.1
deleted file mode 100644
index d8fce359b76..00000000000
--- a/sbin/ipsec/rtdelete/rtdelete.1
+++ /dev/null
@@ -1,83 +0,0 @@
-.\" $OpenBSD: rtdelete.1,v 1.2 1998/03/05 09:30:54 provos Exp $
-.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by Niels Provos.
-.\" 4. The name of the author may not be used to endorse or promote products
-.\" derived from this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Manual page, using -mandoc macros
-.\"
-.Dd September 5, 1997
-.Dt RTDELETE 1
-.Os
-.Sh NAME
-.Nm rtdelete
-.Nd delete IPSec routing entries
-.Sh SYNOPSIS
-.Nm rt
-.Ar isrc
-.Ar isrcmask
-.Ar idst
-.Ar idstmask
-.Ar proto
-.Ar sport
-.Ar dport
-.Sh DESCRIPTION
-The
-.Nm rtdelete
-utility deletes a routing entry for IPSec created by
-.Xr rt 1 .
-The arguments are:
-.Pp
-.Bl -tag -width idstmask_
-.It isrc
-The initial source address as given to
-.Xr rt 1 .
-.It isrcmask
-The network mask for the initial source address.
-.It idst
-The initial destination address.
-.It idstmask
-The network mask for the initial destination address.
-.It proto
-The protocol number given to
-.Xr rt 1 .
-.It sport
-The source port of a packet if applicable. Specify -1 as wildcard.
-.It dport
-The destination port aof a packet if applicable. Specify -1 as wildcard.
-.El
-.Sh EXAMPLE
-Delete routing entry for ESP in transport mode:
-.Pp
-rt 0.0.0.0 255.255.255.255 remote 255.255.255.255 -1 -1 -1
-.Pp
-rt localip 255.255.255.255 remote 255.255.255.255 -1 -1 -1
-.Sh SEE ALSO
-.Xr ipsecadm 1 ,
-.Xr netstat 1 ,
-.Xr photurisd 8 ,
-.Xr rt 1 ,
-.Xr route 8 .
diff --git a/sbin/ipsec/rtdelete/rtdelete.c b/sbin/ipsec/rtdelete/rtdelete.c
deleted file mode 100644
index f203e627397..00000000000
--- a/sbin/ipsec/rtdelete/rtdelete.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * The author of this code is John Ioannidis, ji@tla.org,
- * (except when noted otherwise).
- *
- * This code was written for BSD/OS in Athens, Greece, in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis, kermit@forthnet.gr.
- *
- * Copyright (C) 1995, 1996, 1997 by John Ioannidis and Angelos D. Keromytis.
- *
- * Permission to use, copy, and modify this software without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/mbuf.h>
-#include <sys/sysctl.h>
-
-#include <net/if.h>
-#include <net/route.h>
-#include <net/if_dl.h>
-#include <netinet/in.h>
-#include <netns/ns.h>
-#include <netiso/iso.h>
-#include <netccitt/x25.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-#include <paths.h>
-
-#define INET
-#include "net/encap.h"
-
-char buf[2048];
-
-int
-main(int argc, char **argv)
-{
- struct sockaddr_encap *dst, *msk;
- struct rt_msghdr *rtm;
- int sd;
-
- if (argc != 8)
- fprintf(stderr,
- "usage: %s isrc isrcmask idst idstmask proto sport dport\n",
- argv[0]), exit(1);
-
- sd = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
- if (sd < 0)
- perror("socket"), exit(1);
-
- rtm = (struct rt_msghdr *) (&buf[0]);
- dst = (struct sockaddr_encap *) (&buf[sizeof(*rtm)]);
- msk = (struct sockaddr_encap *) (&buf[sizeof(*rtm) + SENT_IP4_LEN]);
-
- rtm->rtm_version = RTM_VERSION;
- rtm->rtm_type = RTM_DELETE;
- rtm->rtm_index = 0;
- rtm->rtm_pid = getpid();
- rtm->rtm_addrs = RTA_DST | RTA_NETMASK /* | RTA_IFP */;
- rtm->rtm_errno = 0;
- rtm->rtm_flags = RTF_UP | RTF_STATIC;
- rtm->rtm_inits = 0;
-
- dst->sen_len = SENT_IP4_LEN;
- dst->sen_family = AF_ENCAP;
- dst->sen_type = SENT_IP4;
- dst->sen_ip_src.s_addr = inet_addr(argv[1]);
- dst->sen_ip_dst.s_addr = inet_addr(argv[3]);
- dst->sen_proto = dst->sen_sport = dst->sen_dport = 0;
-
- if (atoi(argv[5]) > 0)
- {
- dst->sen_proto = atoi(argv[5]);
- msk->sen_proto = 0xff;
-
- if (atoi(argv[6]) > 0)
- {
- dst->sen_sport = atoi(argv[6]);
- msk->sen_sport = 0xffff;
- }
-
- if (atoi(argv[7]) > 0)
- {
- dst->sen_dport = atoi(argv[7]);
- msk->sen_dport = 0xffff;
- }
- }
-
- msk->sen_len = SENT_IP4_LEN;
- msk->sen_family = AF_ENCAP;
- msk->sen_type = SENT_IP4;
- msk->sen_ip_src.s_addr = inet_addr(argv[2]);
- msk->sen_ip_dst.s_addr = inet_addr(argv[4]);
-
- rtm->rtm_msglen = sizeof(*rtm) + dst->sen_len + msk->sen_len;
-
- if (write(sd, (caddr_t) buf, rtm->rtm_msglen) < 0)
- perror("write");
- exit(0);
-}
|