path: root/sbin/ipsecctl
Age | Author | Commit message
2006-05-29 | Hans-Joerg Hoexer | enable lists.
  This allows rules like:
    ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
  This will set up two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
2006-05-29 | Hans-Joerg Hoexer | Need prototype for ipsecctl_free_rule(). While around clean up
  prototype for ipsecctl_add_rule.
2006-05-29 | Hans-Joerg Hoexer | Provide functions for copying members of rules. Implement copyrule()
  function to copy a single rule. Use that for rule expansion.
2006-05-29 | Hans-Joerg Hoexer | add ipsecctl_free_rule() for cleaning up rules.
2006-05-29 | Hans-Joerg Hoexer | unify code a little bit (consistent variable names).
2006-05-29 | Hans-Joerg Hoexer | Also return proper list of addresses for interface groups.
  As usual, this and the previous commit reused suitable code from the tree (pfctl).
2006-05-29 | Hans-Joerg Hoexer | As the rule expansion is now aware of host lists, host_if() has to
  return a proper list of addresses bound to an interface.
2006-05-29 | Hans-Joerg Hoexer | teach expand_rule() to iterate over host lists, not used yet.
2006-05-29 | Hans-Joerg Hoexer | fix rule numbering (for -vv)
  late ikerule also use expand_rule
2006-05-29 | Hans-Joerg Hoexer | merge expand_sa() and expand_rule().
2006-05-29 | Hans-Joerg Hoexer | move generation of reverse flow rules to separate function.
2006-05-29 | Hans-Joerg Hoexer | unify expansion of SA rules. Needed for general rule expansion.
2006-05-28 | Hans-Joerg Hoexer | when parsing host specifications, initialize host address queue pointers, not
  used yet.
2006-05-28 | Hans-Joerg Hoexer | prepare for rule expansion. Get rid of addr_node, link struct
  ipsec_addr_wrap directly.
2006-05-28 | Hans-Joerg Hoexer | kill trailing whitespace
2006-05-28 | Hans-Joerg Hoexer | whoops, undo last commit. Of course, set_ipmask() is needed...
2006-05-28 | Hans-Joerg Hoexer | this one not needed yet.
2006-05-28 | Todd T. Fries | fill in AF_INET6 cases
  this does not complete v6 support for ipsecctl, but makes progress
  ok hshoexer@
2006-05-28 | Todd T. Fries | matching brackets are useful
  ok dlg@
2006-05-28 | Jason McIntyre | missing `Ar';
2006-05-28 | Todd T. Fries | add ERANGE error detection, found when looking at bgpd's parse.y
  ok hshoexer@
2006-05-27 | Hans-Joerg Hoexer | Addresses can be specified in CIDR notation, as symbolic host names, interface
  names or interface group names. So it's time to document this...
2006-05-27 | Hans-Joerg Hoexer | allow to specify groups to be used IKE
2006-05-26 | Jason McIntyre | vpn.8 removal;
2006-05-26 | Theo de Raadt | \<char> is <char> except for \<newline> -- no exceptions. much like how
  other things work. ok henning
2006-05-18 | Miod Vallat | paramter -> parameter
2006-05-15 | Theo de Raadt | permit proto 0; ok hshoexer
2006-05-15 | Theo de Raadt | delete weird C
2006-05-11 | Hans-Joerg Hoexer | fix some spelling; noticed by david@
2006-04-20 | Hans-Joerg Hoexer | constify char *infile here, too. noticed by lint.
2006-04-19 | Hans-Joerg Hoexer | add support for interface groups.
2006-04-19 | Hans-Joerg Hoexer | small cleanup: no need to strdup here.
2006-04-19 | Hans-Joerg Hoexer | "type" keyword to specify flow type (require, use, etc.)
2006-04-19 | Hans-Joerg Hoexer | add hostname resolver.
  at least some eyeballing by cloder@
  tested by jean raby, requested/suggested by rod withworth
2006-04-13 | Hans-Joerg Hoexer | Add support for "local" to ike rules. Allows to specify the local IP to be
  used on a multi-homed machine. Also, relax order of peer/local keywords.
  ok markus@
2006-04-12 | Hans-Joerg Hoexer | document that tunnel and transport mode can be specified for SAs.
2006-03-31 | Jason McIntyre | tweaks;
2006-03-31 | Hans-Joerg Hoexer | when dumping rules always show type, srcid and dstid (if set).
  ok reyk@
2006-03-31 | Hans-Joerg Hoexer | allow to delete dynamic rules
  ok reyk@
2006-03-31 | Markus Friedl | allow specification of encapsulated protocol for ike; ok hshoexer
2006-03-31 | Markus Friedl | allow specification of encapsulated protocol for flows; ok hshoexer
2006-03-31 | Jason McIntyre | uppercase `ip';
2006-03-30 | Hans-Joerg Hoexer | when resolving interface names to ip addresses, set netmask to all bits 1
2006-03-30 | Markus Friedl | allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
2006-03-22 | Reyk Floeter | add support for macros in ipsec.conf(5). some bits have already been
  there.
  requested by david@
  ok hshoexer@, msf@
2006-03-20 | Hans-Joerg Hoexer | When being verbose while deleting ike rules (-dv), print deletions instead of
  additions. Suggested by david@
2006-03-20 | Hans-Joerg Hoexer | When adding a connection, do not explicitly start that connection
  using "t" and "c" fifo commands. This is prone to a race when adding several tunnels between the same peers. Just let isakmpd start that connection on its own (using the connection checker).
2006-03-07 | Reyk Floeter | add support for special "bypass" and "deny" flows.
  ok hshoexer@, thanks jmc@
2006-03-07 | Reyk Floeter | add an ike option for road warrior setups (hosts with dynamic ip
  addresses). "ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
  ok hshoexer@, looks fine markus@, jmc@
2006-02-21 | Hans-Joerg Hoexer | The new default encryption algorithm for main mode is AES instead of 3DES.
  Noticed as not being documented by otto@. ok otto@