Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/ipsecadm/ipsecadm.8 | 55 | ||||
-rw-r--r-- | sbin/ipsecadm/ipsecadm.c | 20 |
2 files changed, 62 insertions, 13 deletions
diff --git a/sbin/ipsecadm/ipsecadm.8 b/sbin/ipsecadm/ipsecadm.8
index 02d5572308b..548ce91b5f6 100644
--- a/sbin/ipsecadm/ipsecadm.8
+++ b/sbin/ipsecadm/ipsecadm.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecadm.8,v 1.18 1999/12/20 05:42:03 angelos Exp $
+.\" $OpenBSD: ipsecadm.8,v 1.19 2000/01/13 04:46:18 angelos Exp $
 .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
 .\" All rights reserved.
 .\"
@@ -149,7 +149,9 @@ and
 .Fl proto2 .
 .It flow
 Create a flow determining which packets are routed via which Security
-Association. Allowed modifiers are:
+Association, or (for ingress flows) which packets may be received over
+an incoming SA.
+Allowed modifiers are:
 .Fl dst ,
 .Fl spi ,
 .Fl proto ,
@@ -158,14 +160,16 @@ Association. Allowed modifiers are:
 .Fl sport ,
 .Fl dport ,
 .Fl delete ,
+.Fl ingress ,
 and
 .Fl bypass .
 The
 .Xr netstat 1
-command shows the existing flows. A
+command shows the existing egress (outbound) flows. A
 .Nm bypass
 flow is used to specify a flow for which IPSec processing will be
-bypassed, i.e packets will not be processed by any SAs. For
+bypassed, i.e packets will not be processed by any SAs.
+For
 .Nm bypass
 flows, additional modifiers are restricted to:
 .Fl addr ,
@@ -177,9 +181,10 @@ and
 These flows always have SPI 0, destination 0.0.0.0 and protocol 0.
 .It bind
 Associate an incoming Security Association with an outgoing Security
-Association. When a socket receives packets secured by the incoming
-SA all responses will be processed by the outgoing SA. Allowed modifiers
-are:
+Association.
+When a socket receives packets secured by the incoming SA all
+responses will be processed by the outgoing SA.
+Allowed modifiers are:
 .Fl dst ,
 .Fl spi ,
 .Fl proto ,
@@ -381,12 +386,28 @@ Instead of a number, a valid service name that appears in
 can be used.
 .It delete
 Instead of creating a flow, an existing flow is deleted.
+.It ingress
+For
+.Nm flow ,
+create or delete an
+.Nm ingress
+flow.
+An SA's
+.Nm ingress
+flows specify the types of packets that may be accepted over that SA,
+if the sysctl variable
+.Bl -tag -width xxxxxxxxxxxxxxxxxxxxx
+.It net.inet.ip.ipsec-acl
+.El
+is set to any non-zero value.
 .It bypass
 For
 .Nm flow ,
 create or delete a
 .Nm bypass
-flow. Packets matching this flow will not be processed by IPSec. For
+flow.
+Packets matching this flow will not be processed by IPSec.
+For
 .Nm flush ,
 only flush SAs of type bypass.
 .It ah
@@ -415,7 +436,7 @@ Setup a SA which uses new esp with 3des encryption and HMAC-SHA1
 authentication:
 .Bd -literal
 ipsecadm new esp -enc 3des -auth sha1 -spi 1001 -dst 169.20.12.2 \e\
- -src 169.20.12.3.342 \e\
+ -src 169.20.12.3 \e\
 -key 638063806380638063806380638063806380638063806380 \e\
 -authkey 1234123412341234123412341234123412341234
 .Ed
@@ -429,7 +450,21 @@ ipsecadm old ah -auth md5 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3 \e\
 Setup a flow using the above SA:
 .Bd -literal
 ipsecadm flow -dst 169.20.12.2 -spi 1001 -proto ah \e\
- -addr 10.1.1.0 255.255.255.0 10.0.0.0 255.0.0.0.0
+ -addr 10.1.1.0 255.255.255.0 10.0.0.0 255.0.0.0
+.Ed
+.Pp
+Setup an inbound SA:
+.Bd -literal
+ipsecadm new esp -enc blf -auth md5 -spi 1002 -dst 169.20.12.3 \e\
+ -src 169.20.12.2 \e\
+ -key abadbeef15deadbeefabadbeef15deadbeefabadbeef15deadbeef \e\
+ -authkey 12349876432167890192837465098273
+.Ed
+.Pp
+Setup an ingress flow on for the inbound SA:
+.Bd -literal
+ipsecadm flow -addr 10.0.0.0 255.0.0.0 10.1.1.0 255.255.255.0 \e\
+ -dst 10.10.32.1 -spi 1002 -proto esp -ingress
 .Ed
 .Pp
 Setup a bypass flow:
diff --git a/sbin/ipsecadm/ipsecadm.c b/sbin/ipsecadm/ipsecadm.c
index f42e874d911..f59c17413bf 100644
--- a/sbin/ipsecadm/ipsecadm.c
+++ b/sbin/ipsecadm/ipsecadm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.29 2000/01/09 22:53:40 angelos Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.30 2000/01/13 04:46:18 angelos Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -205,6 +205,7 @@ usage()
 "\t -bypass\t\t\t create/delete a bypass flow\n"
 "\t -sport\t\t\t source port for flow\n"
 "\t -dport\t\t\t destination port for flow\n"
+ "\t -ingress\t\t\t flow is ingress access control entry\n"
 "\t -[ah|esp|oldah|oldesp|ip4]\t to flush a particular protocol\n"
 "\talso: dst2, spi2, proto2\n"
 );
@@ -214,7 +215,7 @@ int
 main(int argc, char **argv)
 {
 int auth = 0, enc = 0, klen = 0, alen = 0, mode = ESP_NEW, i = 0;
- int proto = IPPROTO_ESP, proto2 = IPPROTO_AH;
+ int proto = IPPROTO_ESP, proto2 = IPPROTO_AH, ingress = 0;
 int dport = -1, sport = -1, tproto = -1, setmask = 0;
 u_int32_t spi = SPI_RESERVED_MIN, spi2 = SPI_RESERVED_MIN;
 union sockaddr_union *src, *dst, *dst2, *osrc, *odst, *osmask;
@@ -810,7 +811,7 @@ main(int argc, char **argv)
 continue;
 }
- if (!strcmp(argv[i] + 1, "bypass") && iscmd(mode, FLOW) && !bypass)
+ if (!strcmp(argv[i] + 1, "bypass") && iscmd(mode, FLOW))
 {
 /* Setup everything for a bypass flow */
 bypass = 1;
@@ -886,6 +887,13 @@ main(int argc, char **argv)
 continue;
 }
+ if (!strcmp(argv[i] + 1, "ingress") && iscmd(mode, FLOW))
+ {
+ sa.sadb_sa_flags |= SADB_X_SAFLAGS_INGRESS_FLOW;
+ ingress = 1;
+ continue;
+ }
+
 if (!strcmp(argv[i] + 1, "dport") && iscmd(mode, FLOW) &&
 (i + 1 < argc))
 {
@@ -1208,6 +1216,12 @@ main(int argc, char **argv)
 exit(1);
 }
+ if (bypass && ingress)
+ {
+ fprintf(stderr, "%s: cannot specify \"-bypass\" and \"-ingress\" simultaneously\n", argv[0]);
+ exit(1);
+ }
+
 if ((klen > 2 * 8100) || (alen > 2 * 8100))
 {
 fprintf(stderr, "%s: key too long\n", argv[0]); |
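Review bot: Dropping `&& !bypass` from the `-bypass` test means a repeated `-bypass` now silently re-enters the bypass setup block instead of falling through to whatever the option loop does with an unmatched argument (presumably an unknown-option error; that code is outside the hunk). If letting the option be given more than once is the intent, a one-line comment above the test would help, e.g. `/* -bypass may be repeated; re-running the bypass setup is harmless */` — but only the `bypass = 1;` assignment is visible here, so confirm the rest of the block really is safe to re-run, and otherwise reject the duplicate with an explicit error the way the later bypass/ingress conflict is rejected in this same commit. The enclosing main() begins and ends outside the hunk.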
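Review bot: The new `-ingress` branch sets SADB_X_SAFLAGS_INGRESS_FLOW with no comment, while the `-bypass` branch it is modelled on explains itself, and nothing in the code records that the kernel only enforces ingress flows when net.inet.ip.ipsec-acl is non-zero, which is what the ipsecadm.8 hunk in this commit documents. A comment above the test would capture that: `/* Mark this flow as an ingress ACL entry for the SA; the kernel enforces ingress flows only while net.inet.ip.ipsec-acl is non-zero */`. Since an operator who installs an ingress flow with that sysctl off gets no access control and no feedback, it would be worth having ipsecadm print a warning to stderr in that case, if the tool has a cheap way to read the sysctl (not visible in this hunk). Separately, the ingress example added to ipsecadm.8 in this commit selects the SA with `-dst 10.10.32.1 -spi 1002 -proto esp`, whereas the inbound SA it refers to was created with `-dst 169.20.12.3 -spi 1002`, so as written the example appears not to name the SA it just set up. The enclosing main() begins and ends outside the hunk.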