diff options
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 9 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 91 |
2 files changed, 49 insertions, 51 deletions
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h index 6e5a367c138..c5c0e5ab7bd 100644 --- a/sbin/ipsecctl/ipsecctl.h +++ b/sbin/ipsecctl/ipsecctl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.h,v 1.45 2006/06/02 03:31:20 hshoexer Exp $ */ +/* $OpenBSD: ipsecctl.h,v 1.46 2006/06/02 04:51:55 hshoexer Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -103,6 +103,13 @@ struct ipsec_addr_wrap { struct ipsec_addr_wrap *tail; }; +struct ipsec_hosts { + struct ipsec_addr_wrap *src; + struct ipsec_addr_wrap *dst; + u_int16_t sport; + u_int16_t dport; +}; + struct ipsec_auth { char *srcid; char *dstid; diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y index f9829e0c53e..e747a7b4a5a 100644 --- a/sbin/ipsecctl/parse.y +++ b/sbin/ipsecctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.92 2006/06/02 03:40:26 hshoexer Exp $ */ +/* $OpenBSD: parse.y,v 1.93 2006/06/02 04:51:55 hshoexer Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -158,29 +158,24 @@ int validate_sa(u_int32_t, u_int8_t, struct ipsec_key *, u_int8_t); int validate_af(struct ipsec_addr_wrap *, struct ipsec_addr_wrap *); -struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_addr_wrap *, - struct ipsec_addr_wrap *, u_int32_t, - struct ipsec_transforms *, struct ipsec_key *, - struct ipsec_key *); +struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_hosts *, + u_int32_t, struct ipsec_transforms *, + struct ipsec_key *, struct ipsec_key *); struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t, struct ipsec_key *, struct ipsec_key *); struct ipsec_rule *create_sagroup(struct ipsec_addr_wrap *, u_int8_t, u_int32_t, struct ipsec_addr_wrap *, u_int8_t, u_int32_t); -struct ipsec_rule *create_flow(u_int8_t, u_int8_t, - struct ipsec_addr_wrap *, u_int16_t, - struct ipsec_addr_wrap *, u_int16_t, +struct ipsec_rule *create_flow(u_int8_t, u_int8_t, struct ipsec_hosts *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, u_int8_t, char *, char *, u_int8_t); int expand_rule(struct ipsec_rule *, u_int8_t, u_int32_t, struct ipsec_key *, struct ipsec_key *, int); struct ipsec_rule *reverse_rule(struct ipsec_rule *); -struct ipsec_rule *create_ike(u_int8_t, struct ipsec_addr_wrap *, struct - ipsec_addr_wrap *, struct ipsec_addr_wrap *, - struct ipsec_addr_wrap *, - struct ipsec_transforms *, struct - ipsec_transforms *, u_int8_t, u_int8_t, char *, - char *, struct ike_auth *); +struct ipsec_rule *create_ike(u_int8_t, struct ipsec_hosts *, + struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, + struct ike_mode *, struct ike_mode *, u_int8_t, + u_int8_t, char *, char *, struct ike_auth *); int add_sagroup(struct ipsec_rule *); struct ipsec_transforms *ipsec_transforms; @@ -194,13 +189,8 @@ typedef struct { u_int8_t proto; /* encapsulated protocol */ u_int8_t tmode; char *string; - struct { - struct ipsec_addr_wrap *src; - struct ipsec_addr_wrap *dst; - u_int16_t sport; - u_int16_t dport; - } hosts; u_int16_t port; + struct ipsec_hosts hosts; struct { struct ipsec_addr_wrap *peer; struct ipsec_addr_wrap *local; @@ -306,8 +296,8 @@ comma : ',' tcpmd5rule : TCPMD5 hosts spispec authkeyspec { struct ipsec_rule *r; - r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, $2.src, - $2.dst, $3.spiout, NULL, $4.keyout, NULL); + r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, &$2, + $3.spiout, NULL, $4.keyout, NULL); if (r == NULL) YYERROR; r->nr = ipsec->rule_nr++; @@ -321,8 +311,8 @@ sarule : satype tmode hosts spispec transforms authkeyspec enckeyspec { struct ipsec_rule *r; - r = create_sa($1, $2, $3.src, $3.dst, $4.spiout, $5, - $6.keyout, $7.keyout); + r = create_sa($1, $2, &$3, $4.spiout, $5, $6.keyout, + $7.keyout); if (r == NULL) YYERROR; r->nr = ipsec->rule_nr++; @@ -335,9 +325,8 @@ sarule : satype tmode hosts spispec transforms authkeyspec flowrule : FLOW satype dir proto hosts peers ids type { struct ipsec_rule *r; - r = create_flow($3, $4, $5.src, $5.sport, $5.dst, - $5.dport, $6.local, $6.peer, $2, $7.srcid, - $7.dstid, $8); + r = create_flow($3, $4, &$5, $6.local, $6.peer, $2, + $7.srcid, $7.dstid, $8); if (r == NULL) YYERROR; @@ -350,8 +339,8 @@ ikerule : IKE ikemode satype proto hosts peers mainmode quickmode ids ikeauth { struct ipsec_rule *r; - r = create_ike($4, $5.src, $5.dst, $6.local, $6.peer, - $7->xfs, $8->xfs, $3, $2, $9.srcid, $9.dstid, &$10); + r = create_ike($4, &$5, $6.local, $6.peer, + $7, $8, $3, $2, $9.srcid, $9.dstid, &$10); if (r == NULL) YYERROR; r->nr = ipsec->rule_nr++; @@ -1960,9 +1949,9 @@ add_sagroup(struct ipsec_rule *r) } struct ipsec_rule * -create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_addr_wrap *src, struct - ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_transforms *xfs, - struct ipsec_key *authkey, struct ipsec_key *enckey) +create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_hosts *hosts, + u_int32_t spi, struct ipsec_transforms *xfs, struct ipsec_key *authkey, + struct ipsec_key *enckey) { struct ipsec_rule *r; @@ -1976,8 +1965,8 @@ create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_addr_wrap *src, struct r->type |= RULE_SA; r->satype = satype; r->tmode = tmode; - r->src = src; - r->dst = dst; + r->src = hosts->src; + r->dst = hosts->dst; r->spi = spi; r->xfs = xfs; r->authkey = authkey; @@ -2037,8 +2026,7 @@ create_sagroup(struct ipsec_addr_wrap *dst, u_int8_t proto, u_int32_t spi, } struct ipsec_rule * -create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_addr_wrap *src, - u_int16_t sport, struct ipsec_addr_wrap *dst, u_int16_t dport, +create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer, u_int8_t satype, char *srcid, char *dstid, u_int8_t type) { @@ -2057,11 +2045,11 @@ create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_addr_wrap *src, r->satype = satype; r->proto = proto; - r->src = src; - r->sport = sport; - r->dst = dst; - r->dport = dport; - if ((sport != 0 || dport != 0) && + r->src = hosts->src; + r->sport = hosts->sport; + r->dst = hosts->dst; + r->dport = hosts->dport; + if ((hosts->sport != 0 || hosts->dport != 0) && (proto != IPPROTO_TCP && proto != IPPROTO_UDP)) { yyerror("no protocol supplied with source/destination ports"); goto errout; @@ -2107,8 +2095,8 @@ errout: free(srcid); if (dstid) free(dstid); - free(src); - free(dst); + free(hosts->src); + free(hosts->dst); return NULL; } @@ -2215,9 +2203,10 @@ reverse_rule(struct ipsec_rule *rule) } struct ipsec_rule * -create_ike(u_int8_t proto, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap - *dst, struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer, - struct ipsec_transforms *mmxfs, struct ipsec_transforms *qmxfs, +create_ike(u_int8_t proto, + struct ipsec_hosts *hosts, + struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer, + struct ike_mode *mainmode, struct ike_mode *quickmode, u_int8_t satype, u_int8_t mode, char *srcid, char *dstid, struct ike_auth *authtype) { @@ -2230,8 +2219,8 @@ create_ike(u_int8_t proto, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap r->type = RULE_IKE; r->proto = proto; - r->src = src; - r->dst = dst; + r->src = hosts->src; + r->dst = hosts->dst; if (peer == NULL) { /* Set peer to remote host. Must be a host address. */ @@ -2254,8 +2243,10 @@ create_ike(u_int8_t proto, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap r->satype = satype; r->ikemode = mode; - r->mmxfs = mmxfs; - r->qmxfs = qmxfs; + if (mainmode) + r->mmxfs = mainmode->xfs; + if (quickmode) + r->qmxfs = quickmode->xfs; r->auth = calloc(1, sizeof(struct ipsec_auth)); if (r->auth == NULL) err(1, "create_ike: calloc"); |