Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r--sbin/ipsecctl/ipsecctl.h9
-rw-r--r--sbin/ipsecctl/parse.y91
2 files changed, 49 insertions, 51 deletions
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 6e5a367c138..c5c0e5ab7bd 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.45 2006/06/02 03:31:20 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.46 2006/06/02 04:51:55 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -103,6 +103,13 @@ struct ipsec_addr_wrap {
struct ipsec_addr_wrap *tail;
};
+struct ipsec_hosts {
+ struct ipsec_addr_wrap *src;
+ struct ipsec_addr_wrap *dst;
+ u_int16_t sport;
+ u_int16_t dport;
+};
+
struct ipsec_auth {
char *srcid;
char *dstid;
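Review bot: The new `struct ipsec_hosts` is added without any comment, and since it now crosses three function interfaces (create_sa, create_flow, create_ike in parse.y) a one-liner would help the next reader; I would put `/* Endpoints of a rule as parsed by the 'hosts' grammar rule: src/dst addresses plus optional TCP/UDP ports (0 = unspecified). */` above it. Whether `sport`/`dport` are kept in host or network byte order is not visible here; if the parser stores them in one fixed order, note it on those two fields so consumers do not have to guess.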
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index f9829e0c53e..e747a7b4a5a 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.92 2006/06/02 03:40:26 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.93 2006/06/02 04:51:55 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -158,29 +158,24 @@ int validate_sa(u_int32_t, u_int8_t,
struct ipsec_key *, u_int8_t);
int validate_af(struct ipsec_addr_wrap *,
struct ipsec_addr_wrap *);
-struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_addr_wrap *,
- struct ipsec_addr_wrap *, u_int32_t,
- struct ipsec_transforms *, struct ipsec_key *,
- struct ipsec_key *);
+struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_hosts *,
+ u_int32_t, struct ipsec_transforms *,
+ struct ipsec_key *, struct ipsec_key *);
struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t,
struct ipsec_key *, struct ipsec_key *);
struct ipsec_rule *create_sagroup(struct ipsec_addr_wrap *, u_int8_t,
u_int32_t, struct ipsec_addr_wrap *, u_int8_t,
u_int32_t);
-struct ipsec_rule *create_flow(u_int8_t, u_int8_t,
- struct ipsec_addr_wrap *, u_int16_t,
- struct ipsec_addr_wrap *, u_int16_t,
+struct ipsec_rule *create_flow(u_int8_t, u_int8_t, struct ipsec_hosts *,
struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
u_int8_t, char *, char *, u_int8_t);
int expand_rule(struct ipsec_rule *, u_int8_t, u_int32_t,
struct ipsec_key *, struct ipsec_key *, int);
struct ipsec_rule *reverse_rule(struct ipsec_rule *);
-struct ipsec_rule *create_ike(u_int8_t, struct ipsec_addr_wrap *, struct
- ipsec_addr_wrap *, struct ipsec_addr_wrap *,
- struct ipsec_addr_wrap *,
- struct ipsec_transforms *, struct
- ipsec_transforms *, u_int8_t, u_int8_t, char *,
- char *, struct ike_auth *);
+struct ipsec_rule *create_ike(u_int8_t, struct ipsec_hosts *,
+ struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
+ struct ike_mode *, struct ike_mode *, u_int8_t,
+ u_int8_t, char *, char *, struct ike_auth *);
int add_sagroup(struct ipsec_rule *);
struct ipsec_transforms *ipsec_transforms;
@@ -194,13 +189,8 @@ typedef struct {
u_int8_t proto; /* encapsulated protocol */
u_int8_t tmode;
char *string;
- struct {
- struct ipsec_addr_wrap *src;
- struct ipsec_addr_wrap *dst;
- u_int16_t sport;
- u_int16_t dport;
- } hosts;
u_int16_t port;
+ struct ipsec_hosts hosts;
struct {
struct ipsec_addr_wrap *peer;
struct ipsec_addr_wrap *local;
@@ -306,8 +296,8 @@ comma : ','
tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
struct ipsec_rule *r;
- r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, $2.src,
- $2.dst, $3.spiout, NULL, $4.keyout, NULL);
+ r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, &$2,
+ $3.spiout, NULL, $4.keyout, NULL);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -321,8 +311,8 @@ sarule : satype tmode hosts spispec transforms authkeyspec
enckeyspec {
struct ipsec_rule *r;
- r = create_sa($1, $2, $3.src, $3.dst, $4.spiout, $5,
- $6.keyout, $7.keyout);
+ r = create_sa($1, $2, &$3, $4.spiout, $5, $6.keyout,
+ $7.keyout);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -335,9 +325,8 @@ sarule : satype tmode hosts spispec transforms authkeyspec
flowrule : FLOW satype dir proto hosts peers ids type {
struct ipsec_rule *r;
- r = create_flow($3, $4, $5.src, $5.sport, $5.dst,
- $5.dport, $6.local, $6.peer, $2, $7.srcid,
- $7.dstid, $8);
+ r = create_flow($3, $4, &$5, $6.local, $6.peer, $2,
+ $7.srcid, $7.dstid, $8);
if (r == NULL)
YYERROR;
@@ -350,8 +339,8 @@ ikerule : IKE ikemode satype proto hosts peers mainmode quickmode
ids ikeauth {
struct ipsec_rule *r;
- r = create_ike($4, $5.src, $5.dst, $6.local, $6.peer,
- $7->xfs, $8->xfs, $3, $2, $9.srcid, $9.dstid, &$10);
+ r = create_ike($4, &$5, $6.local, $6.peer,
+ $7, $8, $3, $2, $9.srcid, $9.dstid, &$10);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -1960,9 +1949,9 @@ add_sagroup(struct ipsec_rule *r)
}
struct ipsec_rule *
-create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_addr_wrap *src, struct
- ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_transforms *xfs,
- struct ipsec_key *authkey, struct ipsec_key *enckey)
+create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_hosts *hosts,
+ u_int32_t spi, struct ipsec_transforms *xfs, struct ipsec_key *authkey,
+ struct ipsec_key *enckey)
{
struct ipsec_rule *r;
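Review bot: create_sa now receives a pointer to the parser's semantic value (the rule actions pass `&$2` / `&$3`), and in yacc that storage belongs to the value stack and is reused once the action returns, so the function must copy out `hosts->src` / `hosts->dst` (as the body does) and never retain `hosts` itself; that contract is not written down anywhere. I would document it on the definition: `/* hosts points into the yacc value stack and is only valid during the action: copy its members, never keep the pointer. */`. create_sa's body continues past the end of this hunk.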
@@ -1976,8 +1965,8 @@ create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_addr_wrap *src, struct
r->type |= RULE_SA;
r->satype = satype;
r->tmode = tmode;
- r->src = src;
- r->dst = dst;
+ r->src = hosts->src;
+ r->dst = hosts->dst;
r->spi = spi;
r->xfs = xfs;
r->authkey = authkey;
@@ -2037,8 +2026,7 @@ create_sagroup(struct ipsec_addr_wrap *dst, u_int8_t proto, u_int32_t spi,
}
struct ipsec_rule *
-create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_addr_wrap *src,
- u_int16_t sport, struct ipsec_addr_wrap *dst, u_int16_t dport,
+create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_hosts *hosts,
struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer,
u_int8_t satype, char *srcid, char *dstid, u_int8_t type)
{
@@ -2057,11 +2045,11 @@ create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_addr_wrap *src,
r->satype = satype;
r->proto = proto;
- r->src = src;
- r->sport = sport;
- r->dst = dst;
- r->dport = dport;
- if ((sport != 0 || dport != 0) &&
+ r->src = hosts->src;
+ r->sport = hosts->sport;
+ r->dst = hosts->dst;
+ r->dport = hosts->dport;
+ if ((hosts->sport != 0 || hosts->dport != 0) &&
(proto != IPPROTO_TCP && proto != IPPROTO_UDP)) {
yyerror("no protocol supplied with source/destination ports");
goto errout;
@@ -2107,8 +2095,8 @@ errout:
free(srcid);
if (dstid)
free(dstid);
- free(src);
- free(dst);
+ free(hosts->src);
+ free(hosts->dst);
return NULL;
}
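Review bot: The error path at the end of the hunk frees `hosts->src` and `hosts->dst` but leaves both pointers in the caller-owned struct, so if the grammar's error handling or a `%destructor` ever touches the same semantic value this becomes a double free; since hosts is now passed by pointer the fix is cheap: `free(hosts->src); hosts->src = NULL;` and `free(hosts->dst); hosts->dst = NULL;`. Separately, `struct ipsec_addr_wrap` carries a `tail` member (visible in the ipsecctl.h hunk), which suggests it can be a list; if src/dst may be multi-element at this point, a plain `free()` of the head leaks the rest — the pre-change code had the same pattern, so this may be deliberate, but it is worth confirming. create_flow's body begins before this hunk.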
@@ -2215,9 +2203,10 @@ reverse_rule(struct ipsec_rule *rule)
}
struct ipsec_rule *
-create_ike(u_int8_t proto, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
- *dst, struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer,
- struct ipsec_transforms *mmxfs, struct ipsec_transforms *qmxfs,
+create_ike(u_int8_t proto,
+ struct ipsec_hosts *hosts,
+ struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer,
+ struct ike_mode *mainmode, struct ike_mode *quickmode,
u_int8_t satype, u_int8_t mode, char *srcid, char *dstid,
struct ike_auth *authtype)
{
@@ -2230,8 +2219,8 @@ create_ike(u_int8_t proto, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
r->type = RULE_IKE;
r->proto = proto;
- r->src = src;
- r->dst = dst;
+ r->src = hosts->src;
+ r->dst = hosts->dst;
if (peer == NULL) {
/* Set peer to remote host. Must be a host address. */
@@ -2254,8 +2243,10 @@ create_ike(u_int8_t proto, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
r->satype = satype;
r->ikemode = mode;
- r->mmxfs = mmxfs;
- r->qmxfs = qmxfs;
+ if (mainmode)
+ r->mmxfs = mainmode->xfs;
+ if (quickmode)
+ r->qmxfs = quickmode->xfs;
r->auth = calloc(1, sizeof(struct ipsec_auth));
if (r->auth == NULL)
err(1, "create_ike: calloc");
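Review bot: With `mainmode` / `quickmode` now optional, `r->mmxfs` and `r->qmxfs` are simply left untouched when the pointer is NULL, which silently relies on `r` having been zero-filled by its allocation earlier in the function (not visible in this hunk); an explicit assignment removes that dependency and reads as intended: `r->mmxfs = mainmode ? mainmode->xfs : NULL;` and `r->qmxfs = quickmode ? quickmode->xfs : NULL;`. Only the `xfs` member of `struct ike_mode` is consumed here, so if the grammar heap-allocates the ike_mode containers nothing in this hunk releases them — that ownership is not visible from here and is worth checking in the caller. create_ike's body continues past the end of the hunk.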