sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation. spddump (setkey -DP) will print lifetime information.
This commit is contained in:
parent
1d965dd4fe
commit
33fe7af9a4
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: libpfkey.h,v 1.1 2000/06/12 10:40:52 itojun Exp $ */
|
||||
/* $KAME: libpfkey.h,v 1.1 2000/06/08 21:28:32 itojun Exp $ */
|
||||
/* $NetBSD: libpfkey.h,v 1.2 2002/05/14 11:24:21 itojun Exp $ */
|
||||
/* $KAME: libpfkey.h,v 1.6 2001/03/05 18:22:17 thorpej Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -30,11 +30,15 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
struct sadb_msg;
|
||||
extern void pfkey_sadump __P((struct sadb_msg *));
|
||||
extern void pfkey_spdump __P((struct sadb_msg *));
|
||||
|
||||
struct sockaddr;
|
||||
struct sadb_alg;
|
||||
int ipsec_check_keylen __P((u_int, u_int, u_int));
|
||||
int ipsec_check_keylen2 __P((u_int, u_int, u_int));
|
||||
int ipsec_get_keylen __P((u_int, u_int, struct sadb_alg *));
|
||||
u_int pfkey_set_softrate __P((u_int, u_int));
|
||||
u_int pfkey_get_softrate __P((u_int));
|
||||
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
|
||||
@ -49,17 +53,26 @@ int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
|
||||
u_int64_t, u_int64_t, u_int32_t));
|
||||
int pfkey_send_delete __P((int, u_int, u_int,
|
||||
struct sockaddr *, struct sockaddr *, u_int32_t));
|
||||
int pfkey_send_delete_all __P((int, u_int, u_int,
|
||||
struct sockaddr *, struct sockaddr *));
|
||||
int pfkey_send_get __P((int, u_int, u_int,
|
||||
struct sockaddr *, struct sockaddr *, u_int32_t));
|
||||
int pfkey_send_register __P((int, u_int));
|
||||
int pfkey_recv_register __P((int));
|
||||
int pfkey_set_supported __P((struct sadb_msg *, int));
|
||||
int pfkey_send_flush __P((int, u_int));
|
||||
int pfkey_send_dump __P((int, u_int));
|
||||
int pfkey_send_promisc_toggle __P((int, int));
|
||||
int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
|
||||
int pfkey_send_spdadd2 __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
|
||||
caddr_t, int, u_int32_t));
|
||||
int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
|
||||
int pfkey_send_spdupdate2 __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
|
||||
caddr_t, int, u_int32_t));
|
||||
int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
|
||||
int pfkey_send_spddelete2 __P((int, u_int32_t));
|
||||
|
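Review bot: The new `pfkey_send_spdadd2` and `pfkey_send_spdupdate2` prototypes add two bare `u_int64_t` parameters with no names or comment, so a caller reading this header cannot tell which is which or what unit they carry. From the commit message and the lifetime fields that pfkey_dump.c now prints they look like the policy lifetime and validtime in seconds, but that is inferred, not visible in this header. A one-line comment above the pair, such as `/* NOTE(review): the two u_int64_t arguments appear to be lifetime and validtime in seconds - confirm against pfkey.c */`, or parameter names inside the `__P(())` lists, would make the interface self-describing.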
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: pfkey_dump.c,v 1.9 2000/10/03 23:00:54 itojun Exp $ */
|
||||
/* $KAME: pfkey_dump.c,v 1.22 2000/09/12 07:10:53 itojun Exp $ */
|
||||
/* $NetBSD: pfkey_dump.c,v 1.10 2002/05/14 11:24:21 itojun Exp $ */
|
||||
/* $KAME: pfkey_dump.c,v 1.36 2002/05/13 05:30:08 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
@ -77,7 +77,8 @@ do { \
|
||||
} while (0)
|
||||
|
||||
static char *str_ipaddr __P((struct sockaddr *));
|
||||
static char *str_prefport __P((u_int, u_int, u_int));
|
||||
static char *str_prefport __P((u_int, u_int, u_int, u_int));
|
||||
static void str_upperspec __P((u_int, u_int, u_int));
|
||||
static char *str_time __P((time_t));
|
||||
static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
|
||||
|
||||
@ -108,22 +109,6 @@ static char *str_mode[] = {
|
||||
"tunnel",
|
||||
};
|
||||
|
||||
static char *str_upper[] = {
|
||||
/*0*/ "ip", "icmp", "igmp", "ggp", "ip4",
|
||||
"", "tcp", "", "egp", "",
|
||||
/*10*/ "", "", "", "", "",
|
||||
"", "", "udp", "", "",
|
||||
/*20*/ "", "", "idp", "", "",
|
||||
"", "", "", "", "tp",
|
||||
/*30*/ "", "", "", "", "",
|
||||
"", "", "", "", "",
|
||||
/*40*/ "", "ip6", "", "rt6", "frag6",
|
||||
"", "rsvp", "gre", "", "",
|
||||
/*50*/ "esp", "ah", "", "", "",
|
||||
"", "", "", "icmp6", "none",
|
||||
/*60*/ "dst6",
|
||||
};
|
||||
|
||||
static char *str_state[] = {
|
||||
"larval",
|
||||
"mature",
|
||||
@ -265,17 +250,15 @@ pfkey_sadump(m)
|
||||
}
|
||||
|
||||
/* replay windoe size & flags */
|
||||
printf("\treplay=%u flags=0x%08x ",
|
||||
printf("\tseq=0x%08x replay=%u flags=0x%08x ",
|
||||
m_sa2->sadb_x_sa2_sequence,
|
||||
m_sa->sadb_sa_replay,
|
||||
m_sa->sadb_sa_flags);
|
||||
|
||||
/* state */
|
||||
printf("state=");
|
||||
GETMSGSTR(str_state, m_sa->sadb_sa_state);
|
||||
|
||||
printf("seq=%lu pid=%lu\n",
|
||||
(u_long)m->sadb_msg_seq,
|
||||
(u_long)m->sadb_msg_pid);
|
||||
printf("\n");
|
||||
|
||||
/* lifetime */
|
||||
if (m_lftc != NULL) {
|
||||
@ -319,8 +302,12 @@ pfkey_sadump(m)
|
||||
0 : m_lfts->sadb_lifetime_allocations));
|
||||
}
|
||||
|
||||
printf("\tsadb_seq=%lu pid=%lu ",
|
||||
(u_long)m->sadb_msg_seq,
|
||||
(u_long)m->sadb_msg_pid);
|
||||
|
||||
/* XXX DEBUG */
|
||||
printf("\trefcnt=%u\n", m->sadb_msg_reserved);
|
||||
printf("refcnt=%u\n", m->sadb_msg_reserved);
|
||||
|
||||
return;
|
||||
}
|
||||
@ -333,8 +320,9 @@ pfkey_spdump(m)
|
||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||
struct sadb_address *m_saddr, *m_daddr;
|
||||
struct sadb_x_policy *m_xpl;
|
||||
struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL;
|
||||
struct sockaddr *sa;
|
||||
u_int16_t port;
|
||||
u_int16_t sport = 0, dport = 0;
|
||||
|
||||
/* check pfkey message. */
|
||||
if (pfkey_align(m, mhp)) {
|
||||
@ -349,6 +337,8 @@ pfkey_spdump(m)
|
||||
m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
|
||||
m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
|
||||
m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
|
||||
m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
|
||||
m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
|
||||
|
||||
/* source address */
|
||||
if (m_saddr == NULL) {
|
||||
@ -361,12 +351,13 @@ pfkey_spdump(m)
|
||||
case AF_INET6:
|
||||
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
|
||||
NI_NUMERICSERV) != 0)
|
||||
port = 0; /*XXX*/
|
||||
sport = 0; /*XXX*/
|
||||
else
|
||||
port = atoi(pbuf);
|
||||
sport = atoi(pbuf);
|
||||
printf("%s%s ", str_ipaddr(sa),
|
||||
str_prefport(sa->sa_family,
|
||||
m_saddr->sadb_address_prefixlen, port));
|
||||
m_saddr->sadb_address_prefixlen, sport,
|
||||
m_saddr->sadb_address_proto));
|
||||
break;
|
||||
default:
|
||||
printf("unknown-af ");
|
||||
@ -384,12 +375,13 @@ pfkey_spdump(m)
|
||||
case AF_INET6:
|
||||
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
|
||||
NI_NUMERICSERV) != 0)
|
||||
port = 0; /*XXX*/
|
||||
dport = 0; /*XXX*/
|
||||
else
|
||||
port = atoi(pbuf);
|
||||
dport = atoi(pbuf);
|
||||
printf("%s%s ", str_ipaddr(sa),
|
||||
str_prefport(sa->sa_family,
|
||||
m_daddr->sadb_address_prefixlen, port));
|
||||
m_daddr->sadb_address_prefixlen, dport,
|
||||
m_saddr->sadb_address_proto));
|
||||
break;
|
||||
default:
|
||||
printf("unknown-af ");
|
||||
@ -401,10 +393,7 @@ pfkey_spdump(m)
|
||||
printf("upper layer protocol mismatched.\n");
|
||||
return;
|
||||
}
|
||||
if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY)
|
||||
printf("any");
|
||||
else
|
||||
GETMSGSTR(str_upper, m_saddr->sadb_address_proto);
|
||||
str_upperspec(m_saddr->sadb_address_proto, sport, dport);
|
||||
|
||||
/* policy */
|
||||
{
|
||||
@ -421,6 +410,21 @@ pfkey_spdump(m)
|
||||
free(d_xpl);
|
||||
}
|
||||
|
||||
/* lifetime */
|
||||
if (m_lftc) {
|
||||
printf("\tcreated: %s ",
|
||||
str_time(m_lftc->sadb_lifetime_addtime));
|
||||
printf("lastused: %s\n",
|
||||
str_time(m_lftc->sadb_lifetime_usetime));
|
||||
}
|
||||
if (m_lfth) {
|
||||
printf("\tlifetime: %lu(s) ",
|
||||
(u_long)m_lfth->sadb_lifetime_addtime);
|
||||
printf("validtime: %lu(s)\n",
|
||||
(u_long)m_lfth->sadb_lifetime_usetime);
|
||||
}
|
||||
|
||||
|
||||
printf("\tspid=%ld seq=%ld pid=%ld\n",
|
||||
(u_long)m_xpl->sadb_x_policy_id,
|
||||
(u_long)m->sadb_msg_seq,
|
||||
@ -458,8 +462,8 @@ str_ipaddr(sa)
|
||||
* set "/prefix[port number]" to buffer.
|
||||
*/
|
||||
static char *
|
||||
str_prefport(family, pref, port)
|
||||
u_int family, pref, port;
|
||||
str_prefport(family, pref, port, ulp)
|
||||
u_int family, pref, port, ulp;
|
||||
{
|
||||
static char buf[128];
|
||||
char prefbuf[10];
|
||||
@ -492,6 +496,32 @@ str_prefport(family, pref, port)
|
||||
return buf;
|
||||
}
|
||||
|
||||
static void
|
||||
str_upperspec(ulp, p1, p2)
|
||||
u_int ulp, p1, p2;
|
||||
{
|
||||
if (ulp == IPSEC_ULPROTO_ANY)
|
||||
printf("any");
|
||||
else {
|
||||
struct protoent *ent;
|
||||
|
||||
switch (ulp) {
|
||||
case IPPROTO_IPV4:
|
||||
printf("ip4");
|
||||
break;
|
||||
default:
|
||||
ent = getprotobynumber(ulp);
|
||||
if (ent)
|
||||
printf("%s", ent->p_name);
|
||||
else
|
||||
printf("%d", ulp);
|
||||
|
||||
endprotoent();
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* set "Mon Day Time Year" to buffer
|
||||
*/
|
||||
|
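Review bot: In the destination-address block of pfkey_spdump the new `str_prefport` call passes `m_saddr->sadb_address_proto` while every other argument on that line comes from `m_daddr`; the `upper layer protocol mismatched` check that would make the two equal runs only after this point, so a message whose two address extensions disagree prints the source's protocol on the destination line before the error is reported. Change it to `m_daddr->sadb_address_proto` to mirror the source block. In the new `str_upperspec` helper, `printf("%d", ulp)` formats a `u_int` with a signed conversion; `printf("%u", ulp)` matches the declared type. The pfkey_spdump hunks start inside the function body, so the earlier mismatch handling is not visible here.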
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: parse.y,v 1.7 2001/11/02 03:57:25 lukem Exp $ */
|
||||
/* $KAME: parse.y,v 1.63 2001/08/17 06:28:49 itojun Exp $ */
|
||||
/* $NetBSD: parse.y,v 1.8 2002/05/14 11:24:20 itojun Exp $ */
|
||||
/* $KAME: parse.y,v 1.69 2002/05/14 11:16:10 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
@ -457,10 +457,25 @@ spdadd_command
|
||||
: SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec policy_spec EOT
|
||||
{
|
||||
int status;
|
||||
struct addrinfo *src, *dst;
|
||||
|
||||
src = parse_addr($3.buf, $5.buf);
|
||||
dst = parse_addr($6.buf, $8.buf);
|
||||
if (!src || !dst) {
|
||||
/* yyerror is already called */
|
||||
return -1;
|
||||
}
|
||||
if (src->ai_next || dst->ai_next) {
|
||||
yyerror("multiple address specified");
|
||||
freeaddrinfo(src);
|
||||
freeaddrinfo(dst);
|
||||
return -1;
|
||||
}
|
||||
|
||||
status = setkeymsg_spdaddr(SADB_X_SPDADD, $9, &$10,
|
||||
parse_addr($3.buf, $5.buf), $4,
|
||||
parse_addr($6.buf, $8.buf), $7);
|
||||
src, $4, dst, $7);
|
||||
freeaddrinfo(src);
|
||||
freeaddrinfo(dst);
|
||||
if (status < 0)
|
||||
return -1;
|
||||
}
|
||||
@ -487,10 +502,10 @@ spddelete_command
|
||||
|
||||
status = setkeymsg_spdaddr(SADB_X_SPDDELETE, $9, &$10,
|
||||
src, $4, dst, $7);
|
||||
if (status < 0)
|
||||
return -1;
|
||||
freeaddrinfo(src);
|
||||
freeaddrinfo(dst);
|
||||
if (status < 0)
|
||||
return -1;
|
||||
}
|
||||
;
|
||||
|
||||
|
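Review bot: The new `if (!src || !dst)` guard in spdadd_command returns without releasing the resolution that did succeed, so when exactly one of the two `parse_addr` calls fails the other `struct addrinfo` leaks; the spddelete_command hunk starts after its own guard, so it may share the problem but that is not visible here. Before `return -1;` release whichever is set: `if (src) freeaddrinfo(src); if (dst) freeaddrinfo(dst);` — the guards are needed because `freeaddrinfo(NULL)` is not portable. The rest of the action now correctly frees both addresses after `setkeymsg_spdaddr` regardless of status.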
@ -1,5 +1,5 @@
|
||||
.\" $NetBSD: setkey.8,v 1.13 2001/11/16 12:10:06 wiz Exp $
|
||||
.\" $KAME: setkey.8,v 1.66 2001/09/04 10:05:07 jinmei Exp $
|
||||
.\" $NetBSD: setkey.8,v 1.14 2002/05/14 11:24:20 itojun Exp $
|
||||
.\" $KAME: setkey.8,v 1.73 2002/05/14 11:05:35 itojun Exp $
|
||||
.\"
|
||||
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
.\" All rights reserved.
|
||||
@ -419,23 +419,12 @@ You have to consider and be careful to use them.
|
||||
.Pp
|
||||
.It Ar policy
|
||||
.Ar policy
|
||||
is the one of following:
|
||||
.Bd -literal -offset
|
||||
.Xo
|
||||
.Fl P
|
||||
.Ar direction
|
||||
.Li discard
|
||||
.Xc
|
||||
.Xo
|
||||
.Fl P
|
||||
.Ar direction
|
||||
.Li none
|
||||
.Xc
|
||||
.Xo
|
||||
.Fl P
|
||||
.Ar direction
|
||||
.Li ipsec
|
||||
.Ar protocol/mode/src-dst/level
|
||||
is the one of the following three formats:
|
||||
.Bd -literal -offset indent
|
||||
.It Fl P Ar direction Li discard
|
||||
.It Fl P Ar direction Li none
|
||||
.It Xo Fl P Ar direction Li ipsec
|
||||
.Ar protocol/mode/src-dst/level Op ...
|
||||
.Xc
|
||||
.Ed
|
||||
.Pp
|
||||
@ -452,6 +441,9 @@ means the packet matching indexes will be discarded.
|
||||
means that IPsec operation will not take place onto the packet.
|
||||
.Li ipsec
|
||||
means that IPsec operation will take place onto the packet.
|
||||
The part of
|
||||
.Ar protocol/mode/src-dst/level
|
||||
specifies the rule how to process the packet .
|
||||
Either
|
||||
.Li ah ,
|
||||
.Li esp
|
||||
@ -503,19 +495,31 @@ otherwise the kernel keeps normal operation.
|
||||
means SA is required whenever the kernel sends a packet matched
|
||||
with the policy.
|
||||
.Li unique
|
||||
is the same to require.
|
||||
In addition, it allows the policy to bind with the unique out-bound SA.
|
||||
If you use the SA by manual keying,
|
||||
is the same to require,
|
||||
in addition, it allows the policy to bind with the unique out-bound SA.
|
||||
You just specify the policy level
|
||||
.Li unique ,
|
||||
.Xr racoon 8
|
||||
will configure the SA for the policy.
|
||||
If you configure the SA by manual keying for that policy,
|
||||
you can put the decimal number as the policy identifier after
|
||||
.Li unique
|
||||
separated by colon
|
||||
.Sq \&:
|
||||
like the following;
|
||||
.Li unique:number .
|
||||
in order to bind this policy to the SA .
|
||||
.Li number
|
||||
must be between 1 and 32767.
|
||||
It corresponds to
|
||||
.Ar extensions Fl u .
|
||||
.Ar extensions Fl u
|
||||
of the manual SA configuration.
|
||||
When you want to use SA bundle, you can define multiple rules.
|
||||
For example, if an IP header was followed by AH header followed by ESP header
|
||||
followed by an upper layer protocol header, the rule
|
||||
would be:
|
||||
.Dl esp/transport//require ah/transport//require ;
|
||||
The rule order is very important.
|
||||
.Pp
|
||||
Note that
|
||||
.Dq Li discard
|
||||
@ -591,7 +595,7 @@ algorithm
|
||||
deflate rfc2394
|
||||
.Ed
|
||||
.\"
|
||||
.Sh RETURN VALUES
|
||||
.Sh EXIT STATUS
|
||||
The command exits with 0 on success, and non-zero on errors.
|
||||
.\"
|
||||
.Sh EXAMPLES
|
||||
|
@ -1,5 +1,5 @@
|
||||
/* $NetBSD: token.l,v 1.6 2001/09/07 04:12:10 itojun Exp $ */
|
||||
/* $KAME: token.l,v 1.33 2001/08/17 06:21:57 itojun Exp $ */
|
||||
/* $NetBSD: token.l,v 1.7 2002/05/14 11:24:20 itojun Exp $ */
|
||||
/* $KAME: token.l,v 1.34 2001/09/25 14:15:24 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
|