-rw-r--r-- | sbin/isakmpd/pf_key_v2.c | 47 |
1 files changed, 37 insertions, 10 deletions
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index a30e5cb4fac..7b279dea344 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.16 1999/12/04 23:31:42 angelos Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.17 2000/01/13 06:42:26 angelos Exp $ */
 /* $EOM: pf_key_v2.c,v 1.19 1999/07/16 00:29:11 niklas Exp $ */
 
 /*
@@ -972,7 +972,7 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming)
 static int
 pf_key_v2_flow (in_addr_t laddr, in_addr_t lmask, in_addr_t raddr,
                 in_addr_t rmask, u_int8_t *spi, u_int8_t proto,
-                in_addr_t dst, int delete)
+                in_addr_t dst, int delete, int ingress)
 {
 #if defined (SADB_X_ADDFLOW) && defined (SADB_X_DELFLOW)
   struct sadb_msg msg;
@@ -1011,6 +1011,8 @@ pf_key_v2_flow (in_addr_t laddr, in_addr_t lmask, in_addr_t raddr,
   ssa.sadb_sa_flags = 0;
   if (!delete)
     ssa.sadb_sa_flags |= SADB_X_SAFLAGS_REPLACEFLOW;
+  if (ingress)
+    ssa.sadb_sa_flags |= SADB_X_SAFLAGS_INGRESS_FLOW;
   if (pf_key_v2_msg_add (flow, (struct sadb_ext *)&ssa, 0) == -1)
     goto cleanup;
 
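Review bot: The new `ingress` parameter of pf_key_v2_flow is not documented anywhere in the hunk, and the function's header comment lies above the hunk so it does not pick it up either; a caller cannot tell from the signature whether `ingress` describes the direction of the flow or of the SA. Add to that comment a line such as `/* ingress: nonzero marks the flow as an ingress (inbound) flow via SADB_X_SAFLAGS_INGRESS_FLOW; delete/ingress together remove such a flow */`, and while there note that laddr/raddr are expected in the opposite order for ingress flows, which is what the two callers later in this commit do. The body of pf_key_v2_flow continues outside this hunk.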
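Review bot: `SADB_X_SAFLAGS_INGRESS_FLOW` is added inside what appears to be the `#if defined (SADB_X_ADDFLOW) && defined (SADB_X_DELFLOW)` region that opens in the previous hunk, but that guard does not establish that the ingress flag exists, so a kernel header with flow support but without the newer flag would fail to compile here; this is inferred, since the `#endif` is not visible. Either extend the guard or isolate the two new lines: `#ifdef SADB_X_SAFLAGS_INGRESS_FLOW` / `  if (ingress)` / `    ssa.sadb_sa_flags |= SADB_X_SAFLAGS_INGRESS_FLOW;` / `#endif`. If the flag is absent, the ingress flow request should be rejected rather than silently installed as an egress flow, so the `#else` branch should return an error when `ingress` is set.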
@@ -1166,14 +1168,27 @@ pf_key_v2_enable_sa (struct sa *sa)
 {
   struct ipsec_sa *isa = sa->data;
   struct sockaddr *dst;
-  int dstlen;
+  int dstlen, error;
   struct proto *proto = TAILQ_FIRST (&sa->protos);
 
   sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
 
-  return pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
-                         isa->dst_mask, proto->spi[0], proto->proto,
-                         ((struct sockaddr_in *)dst)->sin_addr.s_addr, 0);
+  error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
+                          isa->dst_mask, proto->spi[0], proto->proto,
+                          ((struct sockaddr_in *)dst)->sin_addr.s_addr, 0, 0);
+
+  if (error)
+    return error;
+
+  /* Ingress flow */
+  while (TAILQ_NEXT(proto, link))
+    proto = TAILQ_NEXT(proto, link);
+
+  sa->transport->vtbl->get_src (sa->transport, &dst, &dstlen);
+
+  return pf_key_v2_flow(isa->dst_net, isa->dst_mask, isa->src_net,
+                        isa->src_mask, proto->spi[1], proto->proto,
+                        ((struct sockaddr_in *)dst)->sin_addr.s_addr, 0, 1);
 }
 
 /* Disable a flow given a SA. */
@@ -1182,14 +1197,26 @@ pf_key_v2_disable_sa (struct sa *sa)
 {
   struct ipsec_sa *isa = sa->data;
   struct sockaddr *dst;
-  int dstlen;
+  int dstlen, error;
   struct proto *proto = TAILQ_FIRST (&sa->protos);
 
   sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
 
-  return pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
-                         isa->dst_mask, proto->spi[0], proto->proto,
-                         ((struct sockaddr_in *)dst)->sin_addr.s_addr, 1);
+  error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
+                          isa->dst_mask, proto->spi[0], proto->proto,
+                          ((struct sockaddr_in *)dst)->sin_addr.s_addr, 1, 0);
+  if (error)
+    return error;
+
+  /* Ingress flow */
+  while (TAILQ_NEXT(proto, link))
+    proto = TAILQ_NEXT(proto, link);
+
+  sa->transport->vtbl->get_src (sa->transport, &dst, &dstlen);
+
+  return pf_key_v2_flow(isa->dst_net, isa->dst_mask, isa->src_net,
+                        isa->src_mask, proto->spi[1], proto->proto,
+                        ((struct sockaddr_in *)dst)->sin_addr.s_addr, 1, 1);
 }
 
 /*
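Review bot: In pf_key_v2_enable_sa the egress flow is installed first and, if the ingress flow call at the end of the hunk fails, the function returns the error with the egress flow still in the kernel, so the SA ends up half-enabled with traffic leaving under an SA that has no matching inbound flow. The failure path should delete the egress flow it just installed before returning, and the same walk-to-last-proto/get_src sequence is duplicated verbatim in pf_key_v2_disable_sa in the next hunk, so a small static helper that installs or removes both flows would keep the two in step. Reusing `dst`/`dstlen` to hold the source address after `get_src` also reads wrongly; a separate `src`/`srclen` pair makes the rollback below straightforward. Which proto supplies `spi[1]` (the last one in the list) and that index 1 is the inbound SPI is inferred from the code, not stated in the hunk, and deserves a comment.
```c
  struct sockaddr *dst, *src;
  int dstlen, srclen, error;
  struct proto *proto = TAILQ_FIRST (&sa->protos);
  /* … unchanged: get_dst and the egress pf_key_v2_flow call into error … */
  if (error)
    return error;

  /* Ingress flow: uses the last proto in the bundle, inbound SPI (spi[1]).  */
  while (TAILQ_NEXT (proto, link))
    proto = TAILQ_NEXT (proto, link);

  sa->transport->vtbl->get_src (sa->transport, &src, &srclen);

  error = pf_key_v2_flow (isa->dst_net, isa->dst_mask, isa->src_net,
                          isa->src_mask, proto->spi[1], proto->proto,
                          ((struct sockaddr_in *)src)->sin_addr.s_addr, 0, 1);
  if (error)
    {
      /* Do not leave a one-directional flow installed.  */
      proto = TAILQ_FIRST (&sa->protos);
      pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
                      isa->dst_mask, proto->spi[0], proto->proto,
                      ((struct sockaddr_in *)dst)->sin_addr.s_addr, 1, 0);
    }
  return error;
```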
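Review bot: In pf_key_v2_disable_sa the early `if (error) return error;` after the egress delete means a failure to remove the egress flow skips the ingress delete entirely, so one kernel flow for an SA that the daemon considers torn down stays behind. For teardown both deletions should be attempted and the first error reported: drop the early return, keep the first result in `error`, and finish with `rc = pf_key_v2_flow (isa->dst_net, isa->dst_mask, isa->src_net, isa->src_mask, proto->spi[1], proto->proto, ((struct sockaddr_in *)dst)->sin_addr.s_addr, 1, 1); return error ? error : rc;` with `rc` declared alongside `error`. As in pf_key_v2_enable_sa, the comment `/* Ingress flow */` should say that the last proto in the list and its `spi[1]` are used, since that choice is otherwise only implied by the loop.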