summaryrefslogtreecommitdiff
path: root/sbin/ipsecctl
AgeCommit message (Collapse)Author
2009-10-04When IKE is operating in dynamic mode and no srcid is given, the hostnameJoel Sing
is used as the srcid, however the srcid type is not specified. Rectify this by explicitly setting the srcid type to FQDN after successfully retrieving the hostname. This worked prior to the addition of IPV4_ADDR/IPV6_ADDR support since get_id_type() returned ID_FQDN even when presented with a null pointer. Issue reported by Mikolaj Kucharski.
2009-08-04Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid isJoel Sing
given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN. ok hshoexer@ markus@ todd@
2009-03-31Fixed memory leaks which would occur if the second of two memoryTobias Stoeckmann
allocations fails. looks right deraadt, krw ok henning
2009-01-30If the "peer" address is not specified or derived from "to" forAlexander Bluhm
"ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer. Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed. ok hshoexer@, todd@
2009-01-29After checking that peer == NULL do not assign peer = NULL a fewAlexander Bluhm
lines later. No functional change. ok grunk@, hshoexer@
2009-01-29tweak previous;Jason McIntyre
2009-01-28Allow to specify ike and flow explicitly without peer. The anyAlexander Bluhm
keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA. tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
2009-01-27A warning text in ipsecctl was used twice. Make the messages uniqueAlexander Bluhm
for easier debugging. ok grunk@, hshoexer@, todd@
2009-01-20Add support to isakmpd(8) and ipsecctl(8) to install SA's with aMarco Pfatschbacher
different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
2008-12-22Only warn about pfkey failures when errno is != EEXIST.Hans-Joerg Hoexer
This avoids warnings about already existing manual flows when ipsec.conf is reloaded. From Mitja Muzenic <mitja at muzenic dot net>, thanks!
2008-11-29Explain how /32 changes the address type to IPV4_ADDR_SUBNET. From MitjaHans-Joerg Hoexer
Muzenic (mitja at muzenic dot net), many thanks!
2008-11-14When parsing v4 addresses mark them as network addressesHans-Joerg Hoexer
(IPV4_ADDR_SUBNET) when they contain a '/'. This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations. From Mitja Muzenic <mitja at muzenic dot net>, thanks! Idea supported by markus@ and jdixon@.
2008-10-17findeol() fix from pfctlHenning Brauer
2008-08-19use the actual keysize from the SA to figure out which AES variantMarkus Friedl
(aes-192, aes-256) is used; ok hshoexer@
2008-07-21Free the rules in the rule_queue also if ipsecctl is called withAlexander Bluhm
the -n switch. This triggers malloc related bugs during the regress tests. ok hshoexer
2008-07-01Isakmpd acquire mode did not work with a config generated fromAlexander Bluhm
ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd
2008-07-01If a rules contains a hostname instead of an address, use the listAlexander Bluhm
of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
2008-07-01If multiple to addresses but no peer are given in an ike or flowAlexander Bluhm
rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
2008-06-14Move ike and flow peer selection to common function.Alexander Bluhm
No functional change yet. ok hshoexer
2008-06-11trivial code simplificationAlexander Bluhm
tested and ok hshoexer, grunk
2008-04-11add support for the "include" directive using code from pfctl/parse.y.Reyk Floeter
pointed out by Prabhu Gurumurthy ok deraadt@
2008-02-22Support for specifying aes-{128,192,256}. Originial idea by PrabhuHans-Joerg Hoexer
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys! ok todd@
2008-02-12document modifier types; requested by AurelienJason McIntyre
text from ipsecadm(8), hshoexer, and myself
2008-01-04Strip off trailing '/32' when address type is IPV4_ADDR as isakmpd doesHans-Joerg Hoexer
not accept the trailing '/32'. Diff from Mitja Muzenic <mitja@muzenic.net>, thanks!
2007-11-12Remove space/tab compression function from lgetc() and replaceMarco Pfatschbacher
it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
2007-10-22sync with daemon parser code.Pierre-Yves Ritschard
ok deraadt@
2007-10-16Allow '=' to end a number in all lexers.Marco Pfatschbacher
Requested and OK deraadt@
2007-10-16in the lex... even inside quotes, a \ followed by space or tab shouldTheo de Raadt
expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
2007-10-13in all these programs using the same pfctl-derived parse.y, re-unify theTheo de Raadt
yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
2007-10-11next step in the yylex unification: handle quoted strings in a nicer fashionTheo de Raadt
as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammers soon. ok norby pyr, others
2007-09-17Document the syntax used with manual SAs for automatic creationStuart Henderson
of the SA matching return traffic; it was already there for spi but not authkey/enckey (all 3 are required). assistance and ok from jmc@
2007-09-12Here too: Add support to the lex for parsing number out of the stream.Hans-Joerg Hoexer
handle this in the parser. better range checks. with and ok deraadt@
2007-08-21no need to include both sys/types.h and params.hHans-Joerg Hoexer
2007-08-10duplicate strdup; ok hshoexerMarkus Friedl
2007-07-03allow proto esp/ah in flow specification (especially useful for bypass flows)Markus Friedl
ok hshoexer, mpf
2007-05-31convert to new .Dd format;Jason McIntyre
2007-05-10Do not crash when lists include the "any" keyword. Reported byHans-Joerg Hoexer
<ralf.horstmann at gmx.net>, thanks! Slightly different fix. Also add a regression test. ok mpf@
2007-03-16move autodetection of the ID type to the parser. this way theMarkus Friedl
static flows have the correct ID, too. ok hshoexer, reyk
2007-03-06Explain, why aesctr has 160 bit keys (128 bit aes key + 32 bit nonce).Hans-Joerg Hoexer
ok jmc@
2007-02-26Really, we don't need two grp18's ;-)Todd T. Fries
ok hshoexer@ and markus@
2007-02-19tweak;Jason McIntyre
2007-02-19Document NULL encryption.Hans-Joerg Hoexer
2007-02-19Bits for ESP+NULL encryption. This is useful, when AH can not beHans-Joerg Hoexer
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks! ok markus@
2007-02-19do not display empty authkey/enckey line when -k option is notHans-Joerg Hoexer
specified. ok markus@
2007-02-19undo previous commit and keep the original behaviour of the parser.Hans-Joerg Hoexer
asked for by deraadt@
2007-02-16Address PR 5380: refer to DH MODP well-known group numbers.Chad Loder
Thanks to sthen <at> symphytum DOT spacehopper DOT org
2007-02-16Do not accept '\n' in quoted strings. Addresses issues noticed byHans-Joerg Hoexer
Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks! ok markus@ cloder@ (uhm, quite some time ago)
2007-01-10allow rule if there is at least _one_ matching address family combination.Markus Friedl
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
2007-01-10add -k to usage();Jason McIntyre
2007-01-04don't pass -1 as a netmask; report vicviq at gmail.comMarkus Friedl