-rw-r--r-- | regress/sbin/ipsecctl/Makefile | 6 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec19.in | 2 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec19.ok | 8 | ||||
-rw-r--r-- | sbin/ipsecctl/ike.c | 10 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 18 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 33 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 5 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 88 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkey.c | 30 |
9 files changed, 137 insertions, 63 deletions
diff --git a/regress/sbin/ipsecctl/Makefile b/regress/sbin/ipsecctl/Makefile index 414a881bb49..b42b47a164c 100644 --- a/regress/sbin/ipsecctl/Makefile +++ b/regress/sbin/ipsecctl/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.14 2006/03/30 13:40:44 reyk Exp $ +# $OpenBSD: Makefile,v 1.15 2006/03/31 13:13:51 markus Exp $ # TARGETS # ipsec: feed ipsecNN.in through ipsecctl and check wether the output matches @@ -7,11 +7,11 @@ # sa: same as above, but for SA rules. # ike: same as above, but for ike rules. -IPSECTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 +IPSECTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 TCPMD5TESTS=1 2 3 SATESTS=1 2 3 4 5 6 7 8 9 10 SAFAIL=1 -IKETESTS=1 2 3 4 5 6 7 8 9 +IKETESTS=1 2 3 4 5 6 7 8 SHELL=/bin/sh diff --git a/regress/sbin/ipsecctl/ipsec19.in b/regress/sbin/ipsecctl/ipsec19.in new file mode 100644 index 00000000000..0e376819ecd --- /dev/null +++ b/regress/sbin/ipsecctl/ipsec19.in @@ -0,0 +1,2 @@ +flow esp proto etherip from 1.1.1.1 to 2.2.2.2 +flow esp proto 97 from 2.2.2.2 to 3.3.3.3 diff --git a/regress/sbin/ipsecctl/ipsec19.ok b/regress/sbin/ipsecctl/ipsec19.ok new file mode 100644 index 00000000000..0c24f6f84df --- /dev/null +++ b/regress/sbin/ipsecctl/ipsec19.ok @@ -0,0 +1,8 @@ +flow esp out proto etherip from 1.1.1.1 to 2.2.2.2 peer 2.2.2.2 + type require +flow esp in proto etherip from 2.2.2.2 to 1.1.1.1 peer 2.2.2.2 + type use +flow esp out proto etherip from 2.2.2.2 to 3.3.3.3 peer 3.3.3.3 + type require +flow esp in proto etherip from 3.3.3.3 to 2.2.2.2 peer 3.3.3.3 + type use diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c index 223e4877319..05363863287 100644 --- a/sbin/ipsecctl/ike.c +++ b/sbin/ipsecctl/ike.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike.c,v 1.20 2006/03/20 17:09:38 hshoexer Exp $ */ +/* $OpenBSD: ike.c,v 1.21 2006/03/31 13:13:51 markus Exp $ */ /* * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * 
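Review bot: IKE regress test 9 is silently dropped from IKETESTS in the Makefile hunk (`-IKETESTS=1 2 3 4 5 6 7 8 9` becomes `+IKETESTS=1 2 3 4 5 6 7 8`) while the diffstat lists no change to ike9.in or ike9.ok, so the test presumably still exists and just stops running. Nothing in the rest of the commit explains why it no longer applies after the satype/proto split. Either deleting the files or leaving a one-line comment such as `# ike9 disabled: <reason>` next to IKETESTS would keep the list explicable for the next person extending it.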
@@ -132,18 +132,18 @@ ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, static int ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, - u_int8_t proto, struct ipsec_transforms *qmxfs, FILE *fd) + u_int8_t satype, struct ipsec_transforms *qmxfs, FILE *fd) { fprintf(fd, SET "[qm-%s-%s]:EXCHANGE_TYPE=QUICK_MODE force\n", src->name, dst->name); fprintf(fd, SET "[qm-%s-%s]:Suites=QM-", src->name, dst->name); - switch (proto) { + switch (satype) { case IPSEC_ESP: fprintf(fd, "ESP"); break; default: - warnx("illegal protocol %d", proto); + warnx("illegal satype %d", satype); return (-1); }; fprintf(fd, "-"); @@ -337,7 +337,7 @@ ike_gen_config(struct ipsec_rule *r, FILE *fd) return (-1); ike_section_ids(r->peer, r->auth, fd, r->ikemode); ike_section_ipsec(r->src, r->dst, r->peer, fd); - if (ike_section_qm(r->src, r->dst, r->proto, r->qmxfs, fd) == -1) + if (ike_section_qm(r->src, r->dst, r->satype, r->qmxfs, fd) == -1) return (-1); ike_section_qmids(r->src, r->dst, fd); diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index bc52eff04ba..7ab9e38ca64 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.35 2006/03/31 09:15:18 jmc Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.36 2006/03/31 13:13:51 markus Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" @@ -107,6 +107,19 @@ for this rule and will construct a proper .Ar in rule. Thus packets in both directions will be matched. +.It Ar proto Aq Ar protocol +The optional +.Ar proto +parameter restricts the flow to a specific IP protocol. +Common protocols are +.Xr icmp 4 , +.Xr tcp 4 , +and +.Xr udp 4 . +For a list of all the protocol name to number mappings used by +.Xr ipsecctl 8 , +see the file +.Em /etc/protocols . .It Xo .Ar from .Aq Ar src 
@@ -536,6 +549,9 @@ flow esp in from 192.168.8.0/24 to 192.168.7.0/24 peer 192.168.3.12 flow esp from 192.168.7.0/24 to 192.168.8.0/24 \e local 192.168.1.1 peer 192.168.3.12 +# Protect remote bridges (IP over ethernet) +flow esp proto etherip from 192.168.100.1 to 192.168.200.1 + # Set up IPsec SAs for flows between 192.168.3.14 and 192.168.3.12 esp from 192.168.3.14 to 192.168.3.12 spi 0xdeadbeef:0xbeefdead \e auth hmac-sha2-256 enc aesctr authkey file "auth14:auth12" \e diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c index 4291691484d..e1abb15608a 100644 --- a/sbin/ipsecctl/ipsecctl.c +++ b/sbin/ipsecctl/ipsecctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.c,v 1.44 2006/03/30 12:44:20 markus Exp $ */ +/* $OpenBSD: ipsecctl.c,v 1.45 2006/03/31 13:13:51 markus Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -35,6 +35,7 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <netdb.h> #include "ipsecctl.h" #include "pfkey.h" @@ -44,6 +45,7 @@ FILE *ipsecctl_fopen(const char *, const char *); int ipsecctl_commit(int, struct ipsecctl *); int ipsecctl_add_rule(struct ipsecctl *, struct ipsec_rule *); void ipsecctl_print_addr(struct ipsec_addr_wrap *); +void ipsecctl_print_proto(u_int8_t); void ipsecctl_print_key(struct ipsec_key *); void ipsecctl_print_flow(struct ipsec_rule *, int); void ipsecctl_print_sa(struct ipsec_rule *, int); @@ -69,7 +71,7 @@ static const char *showopt_list[] = { static const char *direction[] = {"?", "in", "out"}; static const char *flowtype[] = {"?", "use", "acquire", "require", "deny", "bypass", "dontacq"}; -static const char *proto[] = {"?", "esp", "ah", "ipcomp", "tcpmd5", "ipip"}; +static const char *satype[] = {"?", "esp", "ah", "ipcomp", "tcpmd5", "ipip"}; static const char *tmode[] = {"?", "transport", "tunnel"}; static const char *auth[] = {"?", "psk", "rsa"}; 
@@ -236,6 +238,17 @@ ipsecctl_print_addr(struct ipsec_addr_wrap *ipa) } void +ipsecctl_print_proto(u_int8_t proto) +{ + struct protoent *p; + + if ((p = getprotobynumber(proto)) != NULL) + printf("%s", p->p_name); + else + printf("%u", proto); +} + +void ipsecctl_print_key(struct ipsec_key *key) { int i; @@ -247,8 +260,12 @@ ipsecctl_print_key(struct ipsec_key *key) void ipsecctl_print_flow(struct ipsec_rule *r, int opts) { - printf("flow %s %s", proto[r->proto], direction[r->direction]); + printf("flow %s %s", satype[r->satype], direction[r->direction]); + if (r->proto) { + printf(" proto "); + ipsecctl_print_proto(r->proto); + } printf(" from "); ipsecctl_print_addr(r->src); printf(" to "); @@ -280,9 +297,9 @@ ipsecctl_print_flow(struct ipsec_rule *r, int opts) void ipsecctl_print_sa(struct ipsec_rule *r, int opts) { - printf("%s ", proto[r->proto]); + printf("%s ", satype[r->satype]); /* tunnel/transport is only meaningful esp/ah/ipcomp */ - if (r->proto != IPSEC_TCPMD5 && r->proto != IPSEC_IPIP) + if (r->satype != IPSEC_TCPMD5 && r->satype != IPSEC_IPIP) printf("%s ", tmode[r->tmode]); printf("from "); ipsecctl_print_addr(r->src); @@ -290,7 +307,7 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts) ipsecctl_print_addr(r->dst); printf(" spi 0x%08x", r->spi); - if (r->proto != IPSEC_TCPMD5) { + if (r->satype != IPSEC_TCPMD5) { if (r->xfs && r->xfs->authxf) printf(" auth %s", r->xfs->authxf->name); if (r->xfs && r->xfs->encxf) @@ -299,7 +316,7 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts) printf(" comp %s", r->xfs->compxf->name); } if (r->authkey) { - if (r->proto == IPSEC_TCPMD5) + if (r->satype == IPSEC_TCPMD5) printf(" "); else printf("\n\t"); @@ -307,7 +324,7 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts) ipsecctl_print_key(r->authkey); } if (r->enckey) { - if (r->proto == IPSEC_TCPMD5) + if (r->satype == IPSEC_TCPMD5) printf(" "); else printf("\n\t"); 
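Review bot: The new `ipsecctl_print_proto` has no comment stating its contract, and that contract matters: whatever it prints must be accepted again by the `proto` rule in parse.y for printed flows to be reloadable, which is exactly what the new ipsec19 regress relies on when `proto 97` comes back as `proto etherip`. A comment such as `/* Print the /etc/protocols name for proto, or the number if unknown; keep output parseable by the proto rule in parse.y. */` above the function would capture that. getprotobynumber() returns a pointer to static storage, which is fine here since the name is printed immediately, but is worth noting for anyone tempted to keep `p` around.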
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h index 4854a95453e..1738fe719a5 100644 --- a/sbin/ipsecctl/ipsecctl.h +++ b/sbin/ipsecctl/ipsecctl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.h,v 1.30 2006/03/30 12:44:20 markus Exp $ */ +/* $OpenBSD: ipsecctl.h,v 1.31 2006/03/31 13:13:51 markus Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -144,7 +144,8 @@ struct ipsec_rule { struct ipsec_key *authkey; struct ipsec_key *enckey; - u_int8_t proto; + u_int8_t satype; /* encapsulating prococol */ + u_int8_t proto; /* encapsulated protocol */ u_int8_t tmode; u_int8_t direction; u_int8_t flowtype; diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y index 944affc4463..f05c7cdecbc 100644 --- a/sbin/ipsecctl/parse.y +++ b/sbin/ipsecctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.55 2006/03/30 15:30:18 hshoexer Exp $ */ +/* $OpenBSD: parse.y,v 1.56 2006/03/31 13:13:51 markus Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -42,6 +42,7 @@ #include <string.h> #include <syslog.h> #include <unistd.h> +#include <netdb.h> #include "ipsecctl.h" @@ -131,9 +132,9 @@ struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_addr_wrap *, struct ipsec_key *); struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t, struct ipsec_key *, struct ipsec_key *); -struct ipsec_rule *create_flow(u_int8_t, struct ipsec_addr_wrap *, struct - ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct - ipsec_addr_wrap *, u_int8_t, char *, char *, +struct ipsec_rule *create_flow(u_int8_t, u_int8_t, struct ipsec_addr_wrap *, + struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, + struct ipsec_addr_wrap *, u_int8_t, char *, char *, u_int8_t); struct ipsec_rule *reverse_rule(struct ipsec_rule *); struct ipsec_rule *create_ike(struct ipsec_addr_wrap *, struct 
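Review bot: The new field comments in the ipsecctl.h hunk misspell "protocol" (`/* encapsulating prococol */`), and the same typo is repeated in the parse.y typedef hunk that follows. While fixing it, the comment should also record that `proto == 0` means "no protocol restriction": the `proto` grammar rule defaults to 0, ipsecctl_print_flow prints the `proto` keyword only when `r->proto` is non-zero, and pfkey_flow now writes the value into sadb_protocol_proto where IPPROTO_IP (0) was hard-coded before, so the sentinel is load-bearing in three files. Suggested: `u_int8_t satype; /* encapsulating protocol (esp, ah, ...) */` and `u_int8_t proto; /* encapsulated IP protocol, 0 = any */`.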
@@ -149,7 +150,8 @@ typedef struct { u_int32_t number; u_int8_t ikemode; u_int8_t dir; - u_int8_t protocol; + u_int8_t satype; /* encapsulating prococol */ + u_int8_t proto; /* encapsulated protocol */ u_int8_t tmode; char *string; struct { @@ -194,11 +196,12 @@ typedef struct { %token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI %token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE %token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC -%token TYPE DENY BYPASS LOCAL +%token TYPE DENY BYPASS LOCAL PROTO %token <v.string> STRING %type <v.string> string %type <v.dir> dir -%type <v.protocol> protocol +%type <v.satype> satype +%type <v.proto> proto %type <v.tmode> tmode %type <v.number> number %type <v.hosts> hosts @@ -273,7 +276,7 @@ tcpmd5rule : TCPMD5 hosts spispec authkeyspec { } ; -sarule : protocol tmode hosts spispec transforms authkeyspec +sarule : satype tmode hosts spispec transforms authkeyspec enckeyspec { struct ipsec_rule *r; @@ -300,11 +303,11 @@ sarule : protocol tmode hosts spispec transforms authkeyspec } ; -flowrule : FLOW protocol dir hosts local peer ids type { +flowrule : FLOW satype dir proto hosts local peer ids type { struct ipsec_rule *r; - r = create_flow($3, $4.src, $4.dst, $5, $6, $2, - $7.srcid, $7.dstid, $8); + r = create_flow($3, $4, $5.src, $5.dst, $6, $7, $2, + $8.srcid, $8.dstid, $9); if (r == NULL) YYERROR; r->nr = ipsec->rule_nr++; @@ -313,7 +316,7 @@ flowrule : FLOW protocol dir hosts local peer ids type { errx(1, "flowrule: ipsecctl_add_rule"); /* Create and add reverse flow rule. */ - if ($8 == TYPE_UNKNOWN && $3 == IPSEC_INOUT) { + if ($9 == TYPE_UNKNOWN && $3 == IPSEC_INOUT) { r = reverse_rule(r); r->nr = ipsec->rule_nr++; 
@@ -323,7 +326,7 @@ flowrule : FLOW protocol dir hosts local peer ids type { } ; -ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids ikeauth { +ikerule : IKE ikemode satype hosts peer mmxfs qmxfs ids ikeauth { struct ipsec_rule *r; r = create_ike($4.src, $4.dst, $5, $6, $7, $3, $2, @@ -337,13 +340,32 @@ ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids ikeauth { } ; -protocol : /* empty */ { $$ = IPSEC_ESP; } +satype : /* empty */ { $$ = IPSEC_ESP; } | ESP { $$ = IPSEC_ESP; } | AH { $$ = IPSEC_AH; } | IPCOMP { $$ = IPSEC_IPCOMP; } | IPIP { $$ = IPSEC_IPIP; } ; +proto : /* empty */ { $$ = 0; } + | PROTO STRING { + struct protoent *p; + const char *errstr; + int proto; + + if ((p = getprotobyname($2)) != NULL) { + $$ = p->p_proto; + } else { + errstr = NULL; + proto = strtonum($2, 1, 255, &errstr); + if (errstr) + errx(1, "unknown protocol: %s", $2); + $$ = proto; + } + + } + ; + tmode : /* empty */ { $$ = IPSEC_TUNNEL; } | TUNNEL { $$ = IPSEC_TUNNEL; } | TRANSPORT { $$ = IPSEC_TRANSPORT; } @@ -703,6 +725,7 @@ lookup(char *s) { "out", OUT }, { "passive", PASSIVE }, { "peer", PEER }, + { "proto", PROTO }, { "psk", PSK }, { "quick", QUICK }, { "rsa", RSA }, @@ -1367,7 +1390,7 @@ copytransforms(const struct ipsec_transforms *xfs) } int -validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs, +validate_sa(u_int32_t spi, u_int8_t satype, struct ipsec_transforms *xfs, struct ipsec_key *authkey, struct ipsec_key *enckey, u_int8_t tmode) { /* Sanity checks */ @@ -1375,7 +1398,7 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs, yyerror("no SPI specified"); return (0); } - if (protocol == IPSEC_AH) { + if (satype == IPSEC_AH) { if (!xfs) { yyerror("no transforms specified"); return (0); 
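Review bot: The new `proto` rule in parse.y reports a bad protocol name with `errx(1, ...)`, which exits without the file and line position that the rest of this grammar (validate_sa, just below) provides by going through yyerror() and letting the parse fail. It also accepts any /etc/protocols entry without range-checking `p->p_proto` before narrowing it to u_int8_t, and a name that maps to 0 (such as `ip`) silently becomes the "any protocol" default, whereas the numeric path already rejects 0 through strtonum's 1..255 range. If the lexer hands out a strdup'd copy for STRING, as OpenBSD grammars usually do, `$2` is never freed on either path. The rewrite below runs both paths through one range check and assumes yyerror() takes a format string here, as the other OpenBSD grammars declare it.
```yacc
proto		: /* empty */			{ $$ = 0; }
		| PROTO STRING			{
			struct protoent	*p;
			const char	*errstr = NULL;
			int		 proto;

			if ((p = getprotobyname($2)) != NULL)
				proto = p->p_proto;
			else
				proto = strtonum($2, 1, 255, &errstr);
			/* 0 is reserved for "any protocol"; reject it by name too */
			if (errstr != NULL || proto < 1 || proto > 255) {
				yyerror("unknown protocol: %s", $2);
				free($2);
				YYERROR;
			}
			free($2);
			$$ = proto;
		}
		;
```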
@@ -1391,7 +1414,7 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs, return (0); } } - if (protocol == IPSEC_ESP) { + if (satype == IPSEC_ESP) { if (!xfs) { yyerror("no transforms specified"); return (0); @@ -1405,7 +1428,7 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs, if (!xfs->encxf) xfs->encxf = &encxfs[ENCXF_AESCTR]; } - if (protocol == IPSEC_IPCOMP) { + if (satype == IPSEC_IPCOMP) { if (!xfs) { yyerror("no transform specified"); return (0); @@ -1417,7 +1440,7 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs, if (!xfs->compxf) xfs->compxf = &compxfs[COMPXF_DEFLATE]; } - if (protocol == IPSEC_IPIP) { + if (satype == IPSEC_IPIP) { if (!xfs) { yyerror("no transform specified"); return (0); @@ -1428,7 +1451,7 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs, return (0); } } - if (protocol == IPSEC_TCPMD5 && authkey == NULL && tmode != + if (satype == IPSEC_TCPMD5 && authkey == NULL && tmode != IPSEC_TRANSPORT) { yyerror("authentication key needed for tcpmd5"); return (0); @@ -1467,13 +1490,13 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs, } struct ipsec_rule * -create_sa(u_int8_t protocol, u_int8_t tmode, struct ipsec_addr_wrap *src, struct +create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_transforms *xfs, struct ipsec_key *authkey, struct ipsec_key *enckey) { struct ipsec_rule *r; - if (validate_sa(spi, protocol, xfs, authkey, enckey, tmode) == 0) + if (validate_sa(spi, satype, xfs, authkey, enckey, tmode) == 0) return (NULL); r = calloc(1, sizeof(struct ipsec_rule)); @@ -1481,7 +1504,7 @@ create_sa(u_int8_t protocol, u_int8_t tmode, struct ipsec_addr_wrap *src, struct err(1, "create_sa: calloc"); r->type |= RULE_SA; - r->proto = protocol; + r->satype = satype; r->tmode = tmode; r->src = src; r->dst = dst; 
@@ -1499,7 +1522,7 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, { struct ipsec_rule *reverse; - if (validate_sa(spi, rule->proto, rule->xfs, authkey, enckey, + if (validate_sa(spi, rule->satype, rule->xfs, authkey, enckey, rule->tmode) == 0) return (NULL); @@ -1508,7 +1531,7 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, err(1, "reverse_sa: calloc"); reverse->type |= RULE_SA; - reverse->proto = rule->proto; + reverse->satype = rule->satype; reverse->tmode = rule->tmode; reverse->src = copyhost(rule->dst); reverse->dst = copyhost(rule->src); @@ -1521,9 +1544,10 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, } struct ipsec_rule * -create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap - *dst, struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer, - u_int8_t proto, char *srcid, char *dstid, u_int8_t type) +create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_addr_wrap *src, + struct ipsec_addr_wrap *dst, struct ipsec_addr_wrap *local, + struct ipsec_addr_wrap *peer, u_int8_t satype, char *srcid, char *dstid, + u_int8_t type) { struct ipsec_rule *r; @@ -1538,6 +1562,7 @@ create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap else r->direction = dir; + r->satype = satype; r->proto = proto; r->src = src; r->dst = dst; @@ -1616,7 +1641,8 @@ reverse_rule(struct ipsec_rule *rule) if (rule->local) reverse->local = copyhost(rule->local); reverse->peer = copyhost(rule->peer); - reverse->proto = (u_int8_t)rule->proto; + reverse->satype = rule->satype; + reverse->proto = rule->proto; reverse->auth = calloc(1, sizeof(struct ipsec_auth)); if (reverse->auth == NULL) 
@@ -1636,7 +1662,7 @@ reverse_rule(struct ipsec_rule *rule) struct ipsec_rule * create_ike(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct ipsec_addr_wrap * peer, struct ipsec_transforms *mmxfs, struct - ipsec_transforms *qmxfs, u_int8_t proto, u_int8_t mode, char *srcid, char + ipsec_transforms *qmxfs, u_int8_t satype, u_int8_t mode, char *srcid, char *dstid, struct ike_auth *authtype) { struct ipsec_rule *r; @@ -1668,7 +1694,7 @@ create_ike(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct } else r->peer = peer; - r->proto = proto; + r->satype = satype; r->ikemode = mode; r->mmxfs = mmxfs; r->qmxfs = qmxfs; diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c index c4d169e12dd..b455866c9ab 100644 --- a/sbin/ipsecctl/pfkey.c +++ b/sbin/ipsecctl/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.34 2006/03/30 12:44:20 markus Exp $ */ +/* $OpenBSD: pfkey.c,v 1.35 2006/03/31 13:13:51 markus Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> @@ -41,7 +41,7 @@ static int fd; static u_int32_t sadb_msg_seq = 1; -static int pfkey_flow(int, u_int8_t, u_int8_t, u_int8_t, +static int pfkey_flow(int, u_int8_t, u_int8_t, u_int8_t, u_int8_t, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_auth *, u_int8_t); @@ -57,7 +57,7 @@ int pfkey_init(void); static int pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction, - struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, + u_int8_t proto, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer, struct ipsec_auth *auth, u_int8_t flowtype) { 
@@ -174,7 +174,7 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction, sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8; sa_protocol.sadb_protocol_direction = 0; - sa_protocol.sadb_protocol_proto = IPPROTO_IP; + sa_protocol.sadb_protocol_proto = proto; bzero(&sa_src, sizeof(sa_src)); sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW; @@ -615,16 +615,16 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) switch (msg->sadb_msg_satype) { case SADB_SATYPE_ESP: - rule->proto = IPSEC_ESP; + rule->satype = IPSEC_ESP; break; case SADB_SATYPE_AH: - rule->proto = IPSEC_AH; + rule->satype = IPSEC_AH; break; case SADB_X_SATYPE_IPCOMP: - rule->proto = IPSEC_IPCOMP; + rule->satype = IPSEC_IPCOMP; break; case SADB_X_SATYPE_IPIP: - rule->proto = IPSEC_IPIP; + rule->satype = IPSEC_IPIP; break; default: return (1); @@ -718,7 +718,9 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule) break; case SADB_X_EXT_PROTOCOL: - /* XXX nothing yet? */ + sproto = (struct sadb_protocol *)ext; + if (sproto->sadb_protocol_direction == 0) + rule->proto = sproto->sadb_protocol_proto; break; case SADB_X_EXT_FLOW_TYPE: @@ -870,7 +872,7 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r) u_int8_t satype, direction; if (r->type == RULE_FLOW) { - switch (r->proto) { + switch (r->satype) { case IPSEC_ESP: satype = SADB_SATYPE_ESP; break; 
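Review bot: In the pfkey_parse hunk, `sproto` is assigned from `ext` but its declaration is not within the hunk; if it is not already declared in the function (it may be shared with the SADB_X_EXT_FLOW_TYPE case), this does not compile, so confirm it exists. The `sadb_protocol_direction == 0` test is a magic value that mirrors `sa_protocol.sadb_protocol_direction = 0` in the pfkey_flow hunk above, and nothing ties the two sides together; a comment on the test such as `/* direction 0: the proto extension as written by pfkey_flow() */` and, on the pfkey_flow assignment, `/* 0 (== IPPROTO_IP) means no protocol restriction */` would make the contract visible. Both pfkey_flow and pfkey_parse start and end outside their hunks.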
@@ -901,18 +903,20 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r) switch (action) { case ACTION_ADD: ret = pfkey_flow(fd, satype, SADB_X_ADDFLOW, direction, - r->src, r->dst, r->local, r->peer, r->auth, r->flowtype); + r->proto, r->src, r->dst, r->local, r->peer, r->auth, + r->flowtype); break; case ACTION_DELETE: /* No peer for flow deletion. */ ret = pfkey_flow(fd, satype, SADB_X_DELFLOW, direction, - r->src, r->dst, NULL, NULL, NULL, r->flowtype); + r->proto, r->src, r->dst, NULL, NULL, NULL, + r->flowtype); break; default: return -1; } } else if (r->type == RULE_SA) { - switch (r->proto) { + switch (r->satype) { case IPSEC_AH: satype = SADB_SATYPE_AH; break; |