Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r--sbin/ipsecctl/ipsecctl.c81
1 files changed, 9 insertions, 72 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index beb040f3f1c..39ead47825e 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.8 2005/05/27 05:19:55 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.9 2005/05/27 15:33:49 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -225,7 +225,7 @@ ipsecctl_flush(int opts)
void
ipsecctl_get_rules(struct ipsecctl *ipsec)
{
- struct ipsec_policy *ipo;
+ struct sadb_msg *msg;
struct ipsec_rule *rule;
int mib[4];
size_t need;
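Review bot: The `struct sadb_msg *msg` introduced here becomes the loop stride in the next hunk (`next += msg->sadb_msg_len * PFKEYV2_CHUNK`), and that loop reads `msg->sadb_msg_len` and passes `msg` to `pfkey_parse()` without first checking that the bytes left before `lim` hold a complete header or a complete message. The data comes from the kernel via sysctl(), so this is defensive rather than a live fault, but a truncated or inconsistent buffer would be read past `lim`; a guard such as `if ((size_t)(lim - next) < sizeof(*msg) || (size_t)(lim - next) < msg->sadb_msg_len * PFKEYV2_CHUNK) break;` placed right after `msg` is assigned closes that path at no cost. The cast assumes `next` and `lim` are byte pointers, which the surrounding declarations do not show here. That loop lives in the following hunk, whose tail runs past the end of this page, so the rest of ipsecctl_get_rules could not be checked.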
@@ -238,90 +238,27 @@ ipsecctl_get_rules(struct ipsecctl *ipsec)
if (sysctl(mib, 4, NULL, &need, NULL, 0) == -1)
err(1, "sysctl");
-
if (need == 0)
return;
if ((buf = malloc(need)) == NULL)
err(1, "malloc");
if (sysctl(mib, 4, buf, &need, NULL, 0) == -1)
err(1, "sysctl");
-
lim = buf + need;
- for (next = buf; next < lim; next += sizeof(struct ipsec_policy)) {
- ipo = (struct ipsec_policy *)next;
- /*
- * We only want static policies and are not interrested in
- * policies attached to sockets.
- */
- if (ipo->ipo_flags & IPSP_POLICY_SOCKET)
- continue;
+ for (next = buf; next < lim; next += msg->sadb_msg_len *
+ PFKEYV2_CHUNK) {
+ msg = (struct sadb_msg *)next;
+ if (msg->sadb_msg_len == 0)
+ break;
rule = calloc(1, sizeof(struct ipsec_rule));
if (rule == NULL)
err(1, "malloc");
rule->nr = ipsec->rule_nr++;
- /* Source and destination. */
- if (ipo->ipo_addr.sen_type == SENT_IP4) {
- rule->src = calloc(1, sizeof(struct ipsec_addr));
- if (rule->src == NULL)
- err(1, "calloc");
- rule->src->af = AF_INET;
-
- bcopy(&ipo->ipo_addr.sen_ip_src.s_addr, &rule->src->v4,
- sizeof(struct in_addr));
- bcopy(&ipo->ipo_mask.sen_ip_src.s_addr,
- &rule->src->v4mask.mask, sizeof(struct in_addr));
-
- rule->dst = calloc(1, sizeof(struct ipsec_addr));
- if (rule->dst == NULL)
- err(1, "calloc");
- rule->dst->af = AF_INET;
-
- bcopy(&ipo->ipo_addr.sen_ip_dst.s_addr, &rule->dst->v4,
- sizeof(struct in_addr));
- bcopy(&ipo->ipo_mask.sen_ip_dst.s_addr,
- &rule->dst->v4mask.mask, sizeof(struct in_addr));
- } else
- warnx("unsupported encapsulation policy type %d",
- ipo->ipo_addr.sen_type);
-
- /* IPsec gateway. */
- if (ipo->ipo_dst.sa.sa_family == AF_INET) {
- rule->peer = calloc(1, sizeof(struct ipsec_addr));
- if (rule->peer == NULL)
- err(1, "calloc");
- rule->peer->af = AF_INET;
-
- bcopy(&((struct sockaddr_in *)&ipo->ipo_dst.sa)->sin_addr,
- &rule->peer->v4, sizeof(struct in_addr));
-
- /* No netmask for peer. */
- memset(&rule->peer->v4mask, 0xff, sizeof(u_int32_t));
-
- if (ipo->ipo_sproto == IPPROTO_ESP)
- rule->proto = IPSEC_ESP;
- else if (ipo->ipo_sproto == IPPROTO_AH)
- rule->proto = IPSEC_AH;
- else {
- rule->proto = PROTO_UNKNOWN;
- warnx("unsupported protocol %d",
- ipo->ipo_sproto);
- }
-
- if (ipo->ipo_addr.sen_direction == IPSP_DIRECTION_OUT)
- rule->direction = IPSEC_OUT;
- else if (ipo->ipo_addr.sen_direction == IPSP_DIRECTION_IN)
- rule->direction = IPSEC_IN;
- else {
- rule->direction = DIRECTION_UNKNOWN;
- warnx("bogus direction %d",
- ipo->ipo_addr.sen_direction);
- }
- } else
- warnx("unsupported address family %d",
- ipo->ipo_dst.sa.sa_family);
+ if (pfkey_parse(msg, rule))
+ errx(1, "failed to parse pfkey message");
ipsecctl_add_rule(ipsec, rule);
}