summaryrefslogtreecommitdiff
path: root/sbin/ipsecctl
AgeCommit message (Collapse)Author
2008-02-22Support for specifying aes-{128,192,256}. Originial idea by PrabhuHans-Joerg Hoexer
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys! ok todd@
2008-02-12document modifier types; requested by AurelienJason McIntyre
text from ipsecadm(8), hshoexer, and myself
2008-01-04Strip off trailing '/32' when address type is IPV4_ADDR as isakmpd doesHans-Joerg Hoexer
not accept the trailing '/32'. Diff from Mitja Muzenic <mitja@muzenic.net>, thanks!
2007-11-12Remove space/tab compression function from lgetc() and replaceMarco Pfatschbacher
it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
2007-10-22sync with daemon parser code.Pierre-Yves Ritschard
ok deraadt@
2007-10-16Allow '=' to end a number in all lexers.Marco Pfatschbacher
Requested and OK deraadt@
2007-10-16in the lex... even inside quotes, a \ followed by space or tab shouldTheo de Raadt
expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
2007-10-13in all these programs using the same pfctl-derived parse.y, re-unify theTheo de Raadt
yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
2007-10-11next step in the yylex unification: handle quoted strings in a nicer fashionTheo de Raadt
as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammers soon. ok norby pyr, others
2007-09-17Document the syntax used with manual SAs for automatic creationStuart Henderson
of the SA matching return traffic; it was already there for spi but not authkey/enckey (all 3 are required). assistance and ok from jmc@
2007-09-12Here too: Add support to the lex for parsing number out of the stream.Hans-Joerg Hoexer
handle this in the parser. better range checks. with and ok deraadt@
2007-08-21no need to include both sys/types.h and params.hHans-Joerg Hoexer
2007-08-10duplicate strdup; ok hshoexerMarkus Friedl
2007-07-03allow proto esp/ah in flow specification (especially useful for bypass flows)Markus Friedl
ok hshoexer, mpf
2007-05-31convert to new .Dd format;Jason McIntyre
2007-05-10Do not crash when lists include the "any" keyword. Reported byHans-Joerg Hoexer
<ralf.horstmann at gmx.net>, thanks! Slightly different fix. Also add a regression test. ok mpf@
2007-03-16move autodetection of the ID type to the parser. this way theMarkus Friedl
static flows have the correct ID, too. ok hshoexer, reyk
2007-03-06Explain, why aesctr has 160 bit keys (128 bit aes key + 32 bit nonce).Hans-Joerg Hoexer
ok jmc@
2007-02-26Really, we don't need two grp18's ;-)Todd T. Fries
ok hshoexer@ and markus@
2007-02-19tweak;Jason McIntyre
2007-02-19Document NULL encryption.Hans-Joerg Hoexer
2007-02-19Bits for ESP+NULL encryption. This is useful, when AH can not beHans-Joerg Hoexer
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks! ok markus@
2007-02-19do not display empty authkey/enckey line when -k option is notHans-Joerg Hoexer
specified. ok markus@
2007-02-19undo previous commit and keep the original behaviour of the parser.Hans-Joerg Hoexer
asked for by deraadt@
2007-02-16Address PR 5380: refer to DH MODP well-known group numbers.Chad Loder
Thanks to sthen <at> symphytum DOT spacehopper DOT org
2007-02-16Do not accept '\n' in quoted strings. Addresses issues noticed byHans-Joerg Hoexer
Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks! ok markus@ cloder@ (uhm, quite some time ago)
2007-01-10allow rule if there is at least _one_ matching address family combination.Markus Friedl
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
2007-01-10add -k to usage();Jason McIntyre
2007-01-04don't pass -1 as a netmask; report vicviq at gmail.comMarkus Friedl
2007-01-03do not print secret keys by default, -k restores old behaviour; ok hshoexerMarkus Friedl
2007-01-02better support for IPv6 hostname/numeric representation.Jun-ichiro itojun Hagino
hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
2006-12-18call ike_setup_ids from a more appropriate location.Mathieu Sauve-Frankel
ok hshoexer@
2006-12-12a rewrite of enc.4, hopefully a little more useful than what we previouslyJason McIntyre
had; more can go in here, so feel free... many thanks to ho for feedback, and angelos and cedric who i harangued endlessly to explain nat/ipsec to me; the ipsec.conf.5 change just moves some stuff more appropriate to enc.4; ok hshoexer
2006-12-06SAD -> SADB; ok hshoexerJason McIntyre
2006-11-30typo: wrong rid for protocolMarkus Friedl
2006-11-30use rmv to unregister ipsec connections; ok hshoexer, hoMarkus Friedl
2006-11-30handle multiple SAs with different same src/dst but different port;Markus Friedl
store IKE connection string and phase2 IDs in the ipsec rule; cleanup internal API: pass rules around instead of rule members; report Brian Candler; fix with hshoexer, msf; ok hshoexer
2006-11-24add support to tag ipsec traffic belonging to specific IKE-initiatedReyk Floeter
phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
2006-11-24fix typo for remote port; from Brian CandlerMarkus Friedl
2006-11-21do not delete sections that might be shared with other connectionsMarkus Friedl
however, this workaround might leak config entries in isakmpd; ok (for now) hshoexer
2006-11-13briefly describe phases 1 and 2, and use these terms moreJason McIntyre
consistently in the rest of the page; help/ok hshoexer
2006-11-13previous was not quite right;Jason McIntyre
2006-11-13fix a macro mistake;Jason McIntyre
2006-11-13Handle rules with addresses from mismatched address families correctly.Ryan Thomas McBride
ok msf@
2006-11-10check both rule sourace and destination when grouping sa'sMathieu Sauve-Frankel
fixes PR5262 ok hshoexer@
2006-11-10When using -vv, also show grouped SAs.Hans-Joerg Hoexer
2006-11-10Fix grouping for SAs. Now all combinations of SAs are possible,Hans-Joerg Hoexer
not only ESP+AH (ie. ESP inside AH).
2006-11-10Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.Hans-Joerg Hoexer
2006-11-01KNF unrelated to previous commit.Ryan Thomas McBride
2006-11-01Add support for aggressive mode (from the k2k6 IPsec hackathon).Ryan Thomas McBride
ok hshoexer