diff options
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 81 |
1 files changed, 9 insertions, 72 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c index beb040f3f1c..39ead47825e 100644 --- a/sbin/ipsecctl/ipsecctl.c +++ b/sbin/ipsecctl/ipsecctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.c,v 1.8 2005/05/27 05:19:55 hshoexer Exp $ */ +/* $OpenBSD: ipsecctl.c,v 1.9 2005/05/27 15:33:49 hshoexer Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -225,7 +225,7 @@ ipsecctl_flush(int opts) void ipsecctl_get_rules(struct ipsecctl *ipsec) { - struct ipsec_policy *ipo; + struct sadb_msg *msg; struct ipsec_rule *rule; int mib[4]; size_t need; @@ -238,90 +238,27 @@ ipsecctl_get_rules(struct ipsecctl *ipsec) if (sysctl(mib, 4, NULL, &need, NULL, 0) == -1) err(1, "sysctl"); - if (need == 0) return; if ((buf = malloc(need)) == NULL) err(1, "malloc"); if (sysctl(mib, 4, buf, &need, NULL, 0) == -1) err(1, "sysctl"); - lim = buf + need; - for (next = buf; next < lim; next += sizeof(struct ipsec_policy)) { - ipo = (struct ipsec_policy *)next; - /* - * We only want static policies and are not interrested in - * policies attached to sockets. - */ - if (ipo->ipo_flags & IPSP_POLICY_SOCKET) - continue; + for (next = buf; next < lim; next += msg->sadb_msg_len * + PFKEYV2_CHUNK) { + msg = (struct sadb_msg *)next; + if (msg->sadb_msg_len == 0) + break; rule = calloc(1, sizeof(struct ipsec_rule)); if (rule == NULL) err(1, "malloc"); rule->nr = ipsec->rule_nr++; - /* Source and destination. */ - if (ipo->ipo_addr.sen_type == SENT_IP4) { - rule->src = calloc(1, sizeof(struct ipsec_addr)); - if (rule->src == NULL) - err(1, "calloc"); - rule->src->af = AF_INET; - - bcopy(&ipo->ipo_addr.sen_ip_src.s_addr, &rule->src->v4, - sizeof(struct in_addr)); - bcopy(&ipo->ipo_mask.sen_ip_src.s_addr, - &rule->src->v4mask.mask, sizeof(struct in_addr)); - - rule->dst = calloc(1, sizeof(struct ipsec_addr)); - if (rule->dst == NULL) - err(1, "calloc"); - rule->dst->af = AF_INET; - - bcopy(&ipo->ipo_addr.sen_ip_dst.s_addr, &rule->dst->v4, - sizeof(struct in_addr)); - bcopy(&ipo->ipo_mask.sen_ip_dst.s_addr, - &rule->dst->v4mask.mask, sizeof(struct in_addr)); - } else - warnx("unsupported encapsulation policy type %d", - ipo->ipo_addr.sen_type); - - /* IPsec gateway. */ - if (ipo->ipo_dst.sa.sa_family == AF_INET) { - rule->peer = calloc(1, sizeof(struct ipsec_addr)); - if (rule->peer == NULL) - err(1, "calloc"); - rule->peer->af = AF_INET; - - bcopy(&((struct sockaddr_in *)&ipo->ipo_dst.sa)->sin_addr, - &rule->peer->v4, sizeof(struct in_addr)); - - /* No netmask for peer. */ - memset(&rule->peer->v4mask, 0xff, sizeof(u_int32_t)); - - if (ipo->ipo_sproto == IPPROTO_ESP) - rule->proto = IPSEC_ESP; - else if (ipo->ipo_sproto == IPPROTO_AH) - rule->proto = IPSEC_AH; - else { - rule->proto = PROTO_UNKNOWN; - warnx("unsupported protocol %d", - ipo->ipo_sproto); - } - - if (ipo->ipo_addr.sen_direction == IPSP_DIRECTION_OUT) - rule->direction = IPSEC_OUT; - else if (ipo->ipo_addr.sen_direction == IPSP_DIRECTION_IN) - rule->direction = IPSEC_IN; - else { - rule->direction = DIRECTION_UNKNOWN; - warnx("bogus direction %d", - ipo->ipo_addr.sen_direction); - } - } else - warnx("unsupported address family %d", - ipo->ipo_dst.sa.sa_family); + if (pfkey_parse(msg, rule)) + errx(1, "failed to parse pfkey message"); ipsecctl_add_rule(ipsec, rule); } |