From cb814bc52fb76202f99e3596c8e8be86e4e847b6 Mon Sep 17 00:00:00 2001 From: Hans-Joerg Hoexer Date: Mon, 29 May 2006 04:18:17 +0000 Subject: merge expand_sa() and expand_rule(). --- sbin/ipsecctl/parse.y | 52 ++++++++++++++++++++------------------------------- 1 file changed, 20 insertions(+), 32 deletions(-) (limited to 'sbin/ipsecctl/parse.y') diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y index 6e56dacc4de..489b9482431 100644 --- a/sbin/ipsecctl/parse.y +++ b/sbin/ipsecctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.72 2006/05/29 03:53:04 hshoexer Exp $ */ +/* $OpenBSD: parse.y,v 1.73 2006/05/29 04:18:16 hshoexer Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer @@ -154,15 +154,14 @@ struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, u_int32_t, struct ipsec_transforms *, struct ipsec_key *, struct ipsec_key *); -int expand_sa(struct ipsec_rule *, u_int32_t, - struct ipsec_key *, struct ipsec_key *); struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t, struct ipsec_key *, struct ipsec_key *); struct ipsec_rule *create_flow(u_int8_t, u_int8_t, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, u_int8_t, char *, char *, u_int8_t); -int expand_rule(struct ipsec_rule *, u_int8_t); +int expand_rule(struct ipsec_rule *, u_int8_t, u_int32_t, + struct ipsec_key *, struct ipsec_key *); struct ipsec_rule *reverse_rule(struct ipsec_rule *); struct ipsec_rule *create_ike(u_int8_t, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, @@ -290,8 +289,8 @@ tcpmd5rule : TCPMD5 hosts spispec authkeyspec { YYERROR; r->nr = ipsec->rule_nr++; - if (expand_sa(r, $3.spiin, $4.keyin, NULL)) - errx(1, "tcpmd5rule: expand_sa"); + if (expand_rule(r, 0, $3.spiin, $4.keyin, NULL)) + errx(1, "tcpmd5rule: expand_rule"); } ; @@ -305,8 +304,8 @@ sarule : satype tmode hosts spispec transforms authkeyspec YYERROR; r->nr = ipsec->rule_nr++; - if (expand_sa(r, $4.spiin, $6.keyin, $7.keyin)) - errx(1, "sarule: expand_sa"); + if (expand_rule(r, 0, $4.spiin, $6.keyin, $7.keyin)) + errx(1, "sarule: expand_rule"); } ; @@ -319,7 +318,7 @@ flowrule : FLOW satype dir proto hosts peers ids type { YYERROR; r->nr = ipsec->rule_nr++; - if (expand_rule(r, $3)) + if (expand_rule(r, $3, 0, NULL, NULL)) errx(1, "flowrule: expand_rule"); } ; @@ -1645,27 +1644,6 @@ create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_addr_wrap *src, struct return r; } -int -expand_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, - struct ipsec_key *enckey) -{ - struct ipsec_rule *r; - - if (ipsecctl_add_rule(ipsec, rule)) - return (1); - if (spi != 0 || authkey || enckey) { - r = reverse_sa(rule, spi, authkey, enckey); - if (r == NULL) - return (1); - r->nr = ipsec->rule_nr++; - - if (ipsecctl_add_rule(ipsec, r)) - return (1); - } - - return (0); -} - struct ipsec_rule * reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, struct ipsec_key *enckey) @@ -1764,18 +1742,28 @@ errout: } int -expand_rule(struct ipsec_rule *rule, u_int8_t direction) +expand_rule(struct ipsec_rule *rule, u_int8_t direction, u_int32_t spi, + struct ipsec_key *authkey, struct ipsec_key *enckey) { struct ipsec_rule *r; if (ipsecctl_add_rule(ipsec, rule)) return (1); - /* Create and add reverse flow rule. */ if (direction == IPSEC_INOUT) { + /* Create and add reverse flow rule. */ r = reverse_rule(rule); r->nr = ipsec->rule_nr++; + if (ipsecctl_add_rule(ipsec, r)) + return (1); + } else if (spi != 0 || authkey || enckey) { + /* Create and add reverse sa rule. */ + r = reverse_sa(rule, spi, authkey, enckey); + if (r == NULL) + return (1); + r->nr = ipsec->rule_nr++; + if (ipsecctl_add_rule(ipsec, r)) return (1); } -- cgit v1.2.3