From 44a51ab986bf9c0b9c11434059a53b52c04042bd Mon Sep 17 00:00:00 2001
From: Hakan Olsson
Date: Thu, 4 Nov 1999 11:29:36 +0000
Subject: Support IPsec bypass flows. (ok angelos@, niklas@)
---
 sbin/ipsecadm/ipsecadm.8 | 41 +++++++++++++++++++++++++++++++++---
 sbin/ipsecadm/ipsecadm.c | 54 ++++++++++++++++++++++++++++++++++--------------
 2 files changed, 77 insertions(+), 18 deletions(-)
(limited to 'sbin')
diff --git a/sbin/ipsecadm/ipsecadm.8 b/sbin/ipsecadm/ipsecadm.8
index 9abd302ebfd..c487dd61fa9 100644
--- a/sbin/ipsecadm/ipsecadm.8
+++ b/sbin/ipsecadm/ipsecadm.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecadm.8,v 1.14 1999/10/07 20:54:42 angelos Exp $
+.\" $OpenBSD: ipsecadm.8,v 1.15 1999/11/04 11:29:35 ho Exp $
 .\" Copyright 1997 Niels Provos
 .\" All rights reserved.
 .\"
@@ -158,10 +158,25 @@ Association. Allowed modifiers are:
 .Fl sport ,
 .Fl dport ,
 .Fl local ,
-.Fl delete .
+.Fl delete ,
+and
+.Fl bypass .
 The
 .Xr netstat 1
-command shows the existing flows.
+command shows the existing flows. A
+.Nm bypass
+flow is used to specify a flow for which IPSec processing will be
+bypassed, i.e packets will not be processed by any SAs. For
+.Nm bypass
+flows, additional modifiers are restricted to:
+.Fl addr ,
+.Fl transport ,
+.Fl sport ,
+.Fl dport ,
+.Fl local ,
+and
+.Fl delete .
+These flows always have SPI 0, destination 0.0.0.0 and protocol 0.
 .It bind
 Associate an incoming Security Association with an outgoing Security
 Association. When a socket receives packets secured by the incoming
@@ -379,6 +394,14 @@ to using a source address of 0.0.0.0 and a source network mask of
 255.255.255.255.
 .It delete
 Instead of creating a flow, an existing flow is deleted.
+.It bypass
+For
+.Nm flow ,
+create or delete a
+.Nm bypass
+flow. Packets matching this flow will not be processed by IPSec. For
+.Nm flush ,
+only flush SAs of type bypass.
 .It ah
 For
 .Nm flush ,
@@ -416,6 +439,18 @@ ipsecadm old ah -auth md5 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3 \e\
 -key 12341234deadbeef
 .Ed
 .Pp
+Setup a flow using the above SA:
+.Bd -literal
+ipsecadm flow -dst 169.20.12.2 -spi 1001 -proto ah -local \e\
+ -addr 10.1.1.0 255.255.255.0 10.0.0.0 255.0.0.0.0
+.Ed
+.Pp
+Setup a bypass flow:
+.Bd -literal
+ipsecadm flow -bypass -local \e\
+ -addr 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
+.Ed
+.Pp
 Delete all esp SAs and their flows and routing information:
 .Bd -literal
 ipsecadm flush -esp
diff --git a/sbin/ipsecadm/ipsecadm.c b/sbin/ipsecadm/ipsecadm.c
index ed766a75556..155d609951f 100644
--- a/sbin/ipsecadm/ipsecadm.c
+++ b/sbin/ipsecadm/ipsecadm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.24 1999/09/07 12:35:27 ho Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.25 1999/11/04 11:29:35 ho Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -197,6 +197,7 @@ usage()
 "\t -addr \t subnets for flow\n"
 "\t -delete\t\t\t delete specified flow\n"
 "\t -local\t\t\t also create a local flow\n"
+ "\t -bypass\t\t\t create/delete a bypass flow\n"
 "\t -sport\t\t\t source port for flow\n"
 "\t -dport\t\t\t destination port for flow\n"
 "\t -[ah|esp|oldah|oldesp|ip4]\t to flush a particular protocol\n"
@@ -234,6 +235,7 @@ main(int argc, char **argv)
 struct iovec iov[20];
 int cnt = 0;
 u_char realkey[8192], realakey[8192];
+ int bypass = 0;
 
 if (argc < 2)
 {
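Review bot: The flush help line in the same usage() block, `"\t -[ah|esp|oldah|oldesp|ip4]\t to flush a particular protocol\n"`, is left as is although this commit adds `bypass` to the SA-type chain used by flush and the manual page now documents `ipsecadm flush -bypass`. Suggest `"\t -[ah|esp|oldah|oldesp|ip4|bypass]\t to flush a particular protocol\n"` so the usage text lists every type the parser actually accepts. The new `-bypass` line itself is fine; the remainder of usage() lies outside the hunk.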
@@ -500,17 +502,20 @@ main(int argc, char **argv)
 if(!strcmp(argv[i] + 1, "ip4"))
 smsg.sadb_msg_satype = SADB_X_SATYPE_IPIP;
 else
- {
- fprintf(stderr, "%s: invalid SA type %s\n", argv[0],
- argv[i + 1]);
- exit(1);
- }
+ if(!strcmp(argv[i] + 1, "bypass"))
+ smsg.sadb_msg_satype = SADB_X_SATYPE_BYPASS;
+ else
+ {
+ fprintf(stderr, "%s: invalid SA type %s\n", argv[0],
+ argv[i + 1]);
+ exit(1);
+ }
 i++;
 continue;
 }
 
 if (!strcmp(argv[i] + 1, "spi") && spi == SPI_RESERVED_MIN &&
- (i + 1 < argc))
+ (i + 1 < argc) && !bypass)
 {
 spi = htonl(strtoul(argv[i + 1], NULL, 16));
 if (spi >= SPI_RESERVED_MIN && spi <= SPI_RESERVED_MAX)
@@ -666,7 +671,25 @@ main(int argc, char **argv)
 continue;
 }
 
- if (!strcmp(argv[i] + 1, "transport") &&
+ if (!strcmp(argv[i] + 1, "bypass") && iscmd(mode, FLOW) && !bypass)
+ {
+ /* Setup everything for a bypass flow */
+ bypass = 1;
+ sa.sadb_sa_spi = 0;
+ sprotocol.sadb_protocol_len = 1;
+ sprotocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+ sprotocol.sadb_protocol_proto = 0;
+ smsg.sadb_msg_satype = SADB_X_SATYPE_BYPASS;
+ sad2.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ sad2.sadb_address_len = (sizeof(sad2) +
+ sizeof(struct sockaddr_in)) / 8;
+ dst.sin.sin_family = AF_INET;
+ dst.sin.sin_len = sizeof(struct sockaddr_in);
+ dstset = inet_aton("0.0.0.0", &dst.sin.sin_addr) != -1 ? 1 : 0;
+ continue;
+ }
+
+ if (!strcmp(argv[i] + 1, "transport") &&
 iscmd(mode, FLOW) && (i + 1 < argc))
 {
 if (isalpha(argv[i + 1][0]))
@@ -699,7 +722,7 @@ main(int argc, char **argv)
 continue;
 }
 
- if (!strcmp(argv[i] + 1, "sport") &&
+ if (!strcmp(argv[i] + 1, "sport") &&
 iscmd(mode, FLOW) && (i + 1 < argc))
 {
 if (isalpha(argv[i + 1][0]))
@@ -724,7 +747,7 @@ main(int argc, char **argv)
 continue;
 }
 
- if (!strcmp(argv[i] + 1, "dport") &&
+ if (!strcmp(argv[i] + 1, "dport") &&
 iscmd(mode, FLOW) && (i + 1 < argc))
 {
 if (isalpha(argv[i + 1][0]))
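Review bot: The error path at the end of this SA-type chain prints `argv[i + 1]` although every comparison in the chain tests `argv[i] + 1`, so the message names the argument after the offending option rather than the option itself, and if the bad type is the last argument `argv[i + 1]` is NULL (unless a bound check outside the hunk rules that out), which `%s` must never receive. The fix is `fprintf(stderr, "%s: invalid SA type %s\n", argv[0], argv[i] + 1);`; the code predates this commit but the hunk re-indents it onto the new side. Separately, the `!bypass` added to the `-spi` condition only acts when `-spi` follows `-bypass`: given first, the value lands in `spi`, and the later `-bypass` handler resets `sa.sadb_sa_spi` but not `spi`, so whether the manual's "SPI 0" promise holds depends on which of the two the post-loop code (outside the hunk) puts in the message. The option loop enclosing this chain starts and ends outside the hunk.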
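Review bot: `dstset = inet_aton("0.0.0.0", &dst.sin.sin_addr) != -1 ? 1 : 0;` in the new `-bypass` handler tests a value inet_aton never returns: it yields 1 on success and 0 on failure, so `dstset` is unconditionally 1 and a failure would pass unnoticed. With a constant address no parse is needed at all; `dst.sin.sin_addr.s_addr = INADDR_ANY; dstset = 1;` states the intent directly (or compare `!= 0` if inet_aton is kept). The handler also zeroes `sprotocol.sadb_protocol_proto`, so a `-transport` given before `-bypass` is silently discarded even though the manual page added by this commit lists `-transport` among the modifiers allowed for bypass flows; either apply these defaults after the option loop so argument order does not matter, or document that `-bypass` must precede the other flow options. The option loop enclosing this handler starts and ends outside the hunk.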
@@ -748,7 +771,7 @@ main(int argc, char **argv)
 continue;
 }
 
- if (!strcmp(argv[i] + 1, "dst") && (i + 1 < argc))
+ if (!strcmp(argv[i] + 1, "dst") && (i + 1 < argc) && !bypass)
 {
 sad2.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
 sad2.sadb_address_len = (sizeof(sad2) +
@@ -774,7 +797,7 @@ main(int argc, char **argv)
 }
 
 if (!strcmp(argv[i] + 1, "proto") && (i + 1 < argc) &&
- (iscmd(mode, FLOW) || iscmd(mode, GRP_SPI) ||
+ ((iscmd(mode, FLOW) && !bypass) || iscmd(mode, GRP_SPI) ||
 iscmd(mode, DEL_SPI) || iscmd(mode, BINDSA)))
 {
 if (isalpha(argv[i + 1][0]))
@@ -930,7 +953,7 @@ main(int argc, char **argv)
 exit(1);
 }
 
- if (spi == SPI_RESERVED_MIN && !iscmd(mode, FLUSH))
+ if (spi == SPI_RESERVED_MIN && !iscmd(mode, FLUSH) && !bypass)
 {
 fprintf(stderr, "%s: no SPI specified\n", argv[0]);
 exit(1);
@@ -949,7 +972,8 @@ main(int argc, char **argv)
 exit(1);
 }
 
- if ((iscmd(mode, DEL_SPI) || iscmd(mode, GRP_SPI) || iscmd(mode, FLOW) ||
+ if ((iscmd(mode, DEL_SPI) || iscmd(mode, GRP_SPI) ||
+ (iscmd(mode, FLOW) && !bypass) ||
 iscmd(mode, BINDSA)) &&
 proto != IPPROTO_ESP && proto != IPPROTO_AH && proto != IPPROTO_IPIP)
 {
@@ -980,7 +1004,7 @@ main(int argc, char **argv)
 exit(1);
 }
 
- if (iscmd(mode, FLOW) && (sprotocol.sadb_protocol_proto == 0) &&
+ if (iscmd(mode, FLOW) && !bypass && (sprotocol.sadb_protocol_proto == 0) &&
 (odst.sin.sin_port || osrc.sin.sin_port))
 {
 fprintf(stderr, "%s: no transport protocol supplied with source/destination ports\n", argv[0]);
--
cgit v1.2.3
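Review bot: Appending `&& !bypass` to the `-dst` condition does not reject the option for bypass flows; it only stops this handler from matching, so `-bypass -dst 1.2.3.4` drops through to whatever the tail of the option chain does (presumably an unknown-option error, outside the hunk) with a message that will not explain the conflict, while `-dst 1.2.3.4 -bypass` is accepted and then silently overwritten by the `-bypass` handler. A check inside the handler gives a clear diagnostic, `if (bypass) { fprintf(stderr, "%s: -dst is not allowed with -bypass\n", argv[0]); exit(1); }`, and the `-bypass` handler would need the mirror test on `dstset` (and on `spi`) for the reverse order; the same reasoning applies to the `-spi` and `-proto` guards this commit adds. main() continues outside the hunk.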
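Review bot: Adding `!bypass` to this condition disables the "no transport protocol supplied with source/destination ports" check for bypass flows, yet the manual page in this same commit lists `-transport`, `-sport` and `-dport` as allowed modifiers for them, so `ipsecadm flow -bypass -sport 80 -addr ...` is now sent with protocol 0 and a port set, exactly the combination rejected for every other flow. Unless the kernel treats ports with protocol 0 differently for bypass flows (not visible here), the guard should go: `if (iscmd(mode, FLOW) && (sprotocol.sadb_protocol_proto == 0) &&`. If the exemption is intentional, a one-line comment above the test saying why bypass flows may carry ports without a protocol would spare the next reader the same question. main() continues outside the hunk.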