sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation. spddump (setkey -DP) will print lifetime information.
This commit is contained in:
parent
1d965dd4fe
commit
33fe7af9a4
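--- a/libpfkey.h
+++ b/libpfkey.h
@@ -1,5 +1,5 @@
-/* $NetBSD: libpfkey.h,v 1.1 2000/06/12 10:40:52 itojun Exp $ */
-/* $KAME: libpfkey.h,v 1.1 2000/06/08 21:28:32 itojun Exp $ */
+/* $NetBSD: libpfkey.h,v 1.2 2002/05/14 11:24:21 itojun Exp $ */
+/* $KAME: libpfkey.h,v 1.6 2001/03/05 18:22:17 thorpej Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -30,11 +30,15 @@
 * SUCH DAMAGE.
 */
 
+struct sadb_msg;
 extern void pfkey_sadump __P((struct sadb_msg *));
 extern void pfkey_spdump __P((struct sadb_msg *));
 
 struct sockaddr;
+struct sadb_alg;
 int ipsec_check_keylen __P((u_int, u_int, u_int));
+int ipsec_check_keylen2 __P((u_int, u_int, u_int));
+int ipsec_get_keylen __P((u_int, u_int, struct sadb_alg *));
 u_int pfkey_set_softrate __P((u_int, u_int));
 u_int pfkey_get_softrate __P((u_int));
 int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
@@ -49,17 +53,26 @@ int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
 u_int64_t, u_int64_t, u_int32_t));
 int pfkey_send_delete __P((int, u_int, u_int,
 struct sockaddr *, struct sockaddr *, u_int32_t));
+int pfkey_send_delete_all __P((int, u_int, u_int,
+struct sockaddr *, struct sockaddr *));
 int pfkey_send_get __P((int, u_int, u_int,
 struct sockaddr *, struct sockaddr *, u_int32_t));
 int pfkey_send_register __P((int, u_int));
 int pfkey_recv_register __P((int));
+int pfkey_set_supported __P((struct sadb_msg *, int));
 int pfkey_send_flush __P((int, u_int));
 int pfkey_send_dump __P((int, u_int));
 int pfkey_send_promisc_toggle __P((int, int));
 int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
 struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdadd2 __P((int, struct sockaddr *, u_int,
+struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+caddr_t, int, u_int32_t));
 int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
 struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdupdate2 __P((int, struct sockaddr *, u_int,
+struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+caddr_t, int, u_int32_t));
 int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
 struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
 int pfkey_send_spddelete2 __P((int, u_int32_t));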
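--- a/pfkey_dump.c
+++ b/pfkey_dump.c
@@ -1,5 +1,5 @@
-/* $NetBSD: pfkey_dump.c,v 1.9 2000/10/03 23:00:54 itojun Exp $ */
-/* $KAME: pfkey_dump.c,v 1.22 2000/09/12 07:10:53 itojun Exp $ */
+/* $NetBSD: pfkey_dump.c,v 1.10 2002/05/14 11:24:21 itojun Exp $ */
+/* $KAME: pfkey_dump.c,v 1.36 2002/05/13 05:30:08 itojun Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -77,7 +77,8 @@ do { \
 } while (0)
 
 static char *str_ipaddr __P((struct sockaddr *));
-static char *str_prefport __P((u_int, u_int, u_int));
+static char *str_prefport __P((u_int, u_int, u_int, u_int));
+static void str_upperspec __P((u_int, u_int, u_int));
 static char *str_time __P((time_t));
 static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
 
@@ -108,22 +109,6 @@ static char *str_mode[] = {
 "tunnel",
 };
 
-static char *str_upper[] = {
-/*0*/ "ip", "icmp", "igmp", "ggp", "ip4",
-"", "tcp", "", "egp", "",
-/*10*/ "", "", "", "", "",
-"", "", "udp", "", "",
-/*20*/ "", "", "idp", "", "",
-"", "", "", "", "tp",
-/*30*/ "", "", "", "", "",
-"", "", "", "", "",
-/*40*/ "", "ip6", "", "rt6", "frag6",
-"", "rsvp", "gre", "", "",
-/*50*/ "esp", "ah", "", "", "",
-"", "", "", "icmp6", "none",
-/*60*/ "dst6",
-};
-
 static char *str_state[] = {
 "larval",
 "mature",
@@ -265,17 +250,15 @@ pfkey_sadump(m)
 }
 
 /* replay windoe size & flags */
-printf("\treplay=%u flags=0x%08x ",
+printf("\tseq=0x%08x replay=%u flags=0x%08x ",
+m_sa2->sadb_x_sa2_sequence,
 m_sa->sadb_sa_replay,
 m_sa->sadb_sa_flags);
 
 /* state */
 printf("state=");
 GETMSGSTR(str_state, m_sa->sadb_sa_state);
-
-printf("seq=%lu pid=%lu\n",
-(u_long)m->sadb_msg_seq,
-(u_long)m->sadb_msg_pid);
+printf("\n");
 
 /* lifetime */
 if (m_lftc != NULL) {
@@ -319,8 +302,12 @@ pfkey_sadump(m)
 0 : m_lfts->sadb_lifetime_allocations));
 }
 
+printf("\tsadb_seq=%lu pid=%lu ",
+(u_long)m->sadb_msg_seq,
+(u_long)m->sadb_msg_pid);
+
 /* XXX DEBUG */
-printf("\trefcnt=%u\n", m->sadb_msg_reserved);
+printf("refcnt=%u\n", m->sadb_msg_reserved);
 
 return;
 }
@@ -333,8 +320,9 @@ pfkey_spdump(m)
 caddr_t mhp[SADB_EXT_MAX + 1];
 struct sadb_address *m_saddr, *m_daddr;
 struct sadb_x_policy *m_xpl;
+struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL;
 struct sockaddr *sa;
-u_int16_t port;
+u_int16_t sport = 0, dport = 0;
 
 /* check pfkey message. */
 if (pfkey_align(m, mhp)) {
@@ -349,6 +337,8 @@ pfkey_spdump(m)
 m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
 m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
 m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
+m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
 
 /* source address */
 if (m_saddr == NULL) {
@@ -361,12 +351,13 @@ pfkey_spdump(m)
 case AF_INET6:
 if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
 NI_NUMERICSERV) != 0)
-port = 0; /*XXX*/
+sport = 0; /*XXX*/
 else
-port = atoi(pbuf);
+sport = atoi(pbuf);
 printf("%s%s ", str_ipaddr(sa),
 str_prefport(sa->sa_family,
-m_saddr->sadb_address_prefixlen, port));
+m_saddr->sadb_address_prefixlen, sport,
+m_saddr->sadb_address_proto));
 break;
 default:
 printf("unknown-af ");
@@ -384,12 +375,13 @@ pfkey_spdump(m)
 case AF_INET6:
 if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
 NI_NUMERICSERV) != 0)
-port = 0; /*XXX*/
+dport = 0; /*XXX*/
 else
-port = atoi(pbuf);
+dport = atoi(pbuf);
 printf("%s%s ", str_ipaddr(sa),
 str_prefport(sa->sa_family,
-m_daddr->sadb_address_prefixlen, port));
+m_daddr->sadb_address_prefixlen, dport,
+m_saddr->sadb_address_proto));
 break;
 default:
 printf("unknown-af ");
@@ -401,10 +393,7 @@ pfkey_spdump(m)
 printf("upper layer protocol mismatched.\n");
 return;
 }
-if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY)
-printf("any");
-else
-GETMSGSTR(str_upper, m_saddr->sadb_address_proto);
+str_upperspec(m_saddr->sadb_address_proto, sport, dport);
 
 /* policy */
 {
@@ -421,6 +410,21 @@ pfkey_spdump(m)
 free(d_xpl);
 }
 
+/* lifetime */
+if (m_lftc) {
+printf("\tcreated: %s ",
+str_time(m_lftc->sadb_lifetime_addtime));
+printf("lastused: %s\n",
+str_time(m_lftc->sadb_lifetime_usetime));
+}
+if (m_lfth) {
+printf("\tlifetime: %lu(s) ",
+(u_long)m_lfth->sadb_lifetime_addtime);
+printf("validtime: %lu(s)\n",
+(u_long)m_lfth->sadb_lifetime_usetime);
+}
+
+
 printf("\tspid=%ld seq=%ld pid=%ld\n",
 (u_long)m_xpl->sadb_x_policy_id,
 (u_long)m->sadb_msg_seq,
@@ -458,8 +462,8 @@ str_ipaddr(sa)
 * set "/prefix[port number]" to buffer.
 */
 static char *
-str_prefport(family, pref, port)
-u_int family, pref, port;
+str_prefport(family, pref, port, ulp)
+u_int family, pref, port, ulp;
 {
 static char buf[128];
 char prefbuf[10];
@@ -492,6 +496,32 @@ str_prefport(family, pref, port)
 return buf;
 }
 
+static void
+str_upperspec(ulp, p1, p2)
+u_int ulp, p1, p2;
+{
+if (ulp == IPSEC_ULPROTO_ANY)
+printf("any");
+else {
+struct protoent *ent;
+
+switch (ulp) {
+case IPPROTO_IPV4:
+printf("ip4");
+break;
+default:
+ent = getprotobynumber(ulp);
+if (ent)
+printf("%s", ent->p_name);
+else
+printf("%d", ulp);
+
+endprotoent();
+break;
+}
+}
+}
+
 /*
 * set "Mon Day Time Year" to buffer
 */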
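Review bot: In the destination-address hunk (`@@ -384,12 +375,13 @@`), the new `str_prefport` call passes `m_saddr->sadb_address_proto` as the upper-layer protocol of the destination, although the parallel source hunk passes the source's own `m_saddr` field; that line should read `m_daddr->sadb_address_proto));`. As written, a policy whose two addresses carry different protocols is printed with the source protocol twice before the later "upper layer protocol mismatched" check rejects it, so the dump does not show what the kernel actually holds. Separately, in the new `str_upperspec`, `ulp` is declared `u_int` but printed with `printf("%d", ulp)`; `%u` is the matching conversion. Both `pfkey_spdump` and `pfkey_sadump` begin and end outside the hunks shown.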
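--- a/parse.y
+++ b/parse.y
@@ -1,5 +1,5 @@
-/* $NetBSD: parse.y,v 1.7 2001/11/02 03:57:25 lukem Exp $ */
-/* $KAME: parse.y,v 1.63 2001/08/17 06:28:49 itojun Exp $ */
+/* $NetBSD: parse.y,v 1.8 2002/05/14 11:24:20 itojun Exp $ */
+/* $KAME: parse.y,v 1.69 2002/05/14 11:16:10 itojun Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -457,10 +457,25 @@ spdadd_command
 : SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec policy_spec EOT
 {
 int status;
+struct addrinfo *src, *dst;
+
+src = parse_addr($3.buf, $5.buf);
+dst = parse_addr($6.buf, $8.buf);
+if (!src || !dst) {
+/* yyerror is already called */
+return -1;
+}
+if (src->ai_next || dst->ai_next) {
+yyerror("multiple address specified");
+freeaddrinfo(src);
+freeaddrinfo(dst);
+return -1;
+}
 
 status = setkeymsg_spdaddr(SADB_X_SPDADD, $9, &$10,
-parse_addr($3.buf, $5.buf), $4,
-parse_addr($6.buf, $8.buf), $7);
+src, $4, dst, $7);
+freeaddrinfo(src);
+freeaddrinfo(dst);
 if (status < 0)
 return -1;
 }
@@ -487,10 +502,10 @@ spddelete_command
 
 status = setkeymsg_spdaddr(SADB_X_SPDDELETE, $9, &$10,
 src, $4, dst, $7);
-if (status < 0)
-return -1;
 freeaddrinfo(src);
 freeaddrinfo(dst);
+if (status < 0)
+return -1;
 }
 ;
 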
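Review bot: In the spdadd_command hunk, the new `if (!src || !dst)` branch returns without releasing whichever `parse_addr` result did succeed, so a failure on the second address leaks the first `struct addrinfo` on every bad input line. Since `freeaddrinfo(NULL)` is not portable, free conditionally before that return: `if (src) freeaddrinfo(src);` and `if (dst) freeaddrinfo(dst);`. The `ai_next` check and the cleanup after `setkeymsg_spdaddr` already free both, and the spddelete_command hunk only moves the status test after the frees, so nothing else in this section needs to change. That `parse_addr` reports its own failure via yyerror is inferred from the added comment only; the function itself is outside these hunks.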
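--- a/setkey.8
+++ b/setkey.8
@@ -1,5 +1,5 @@
-.\" $NetBSD: setkey.8,v 1.13 2001/11/16 12:10:06 wiz Exp $
-.\" $KAME: setkey.8,v 1.66 2001/09/04 10:05:07 jinmei Exp $
+.\" $NetBSD: setkey.8,v 1.14 2002/05/14 11:24:20 itojun Exp $
+.\" $KAME: setkey.8,v 1.73 2002/05/14 11:05:35 itojun Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\" All rights reserved.
@@ -419,23 +419,12 @@ You have to consider and be careful to use them.
 .Pp
 .It Ar policy
 .Ar policy
-is the one of following:
-.Bd -literal -offset
-.Xo
-.Fl P
-.Ar direction
-.Li discard
-.Xc
-.Xo
-.Fl P
-.Ar direction
-.Li none
-.Xc
-.Xo
-.Fl P
-.Ar direction
-.Li ipsec
-.Ar protocol/mode/src-dst/level
+is the one of the following three formats:
+.Bd -literal -offset indent
+.It Fl P Ar direction Li discard
+.It Fl P Ar direction Li none
+.It Xo Fl P Ar direction Li ipsec
+.Ar protocol/mode/src-dst/level Op ...
 .Xc
 .Ed
 .Pp
@@ -452,6 +441,9 @@ means the packet matching indexes will be discarded.
 means that IPsec operation will not take place onto the packet.
 .Li ipsec
 means that IPsec operation will take place onto the packet.
+The part of
+.Ar protocol/mode/src-dst/level
+specifies the rule how to process the packet .
 Either
 .Li ah ,
 .Li esp
@@ -503,19 +495,31 @@ otherwise the kernel keeps normal operation.
 means SA is required whenever the kernel sends a packet matched
 with the policy.
 .Li unique
-is the same to require.
-In addition, it allows the policy to bind with the unique out-bound SA.
-If you use the SA by manual keying,
+is the same to require,
+in addition, it allows the policy to bind with the unique out-bound SA.
+You just specify the policy level
+.Li unique ,
+.Xr racoon 8
+will configure the SA for the policy.
+If you configure the SA by manual keying for that policy,
 you can put the decimal number as the policy identifier after
 .Li unique
 separated by colon
 .Sq \&:
 like the following;
 .Li unique:number .
+in order to bind this policy to the SA .
 .Li number
 must be between 1 and 32767.
 It corresponds to
-.Ar extensions Fl u .
+.Ar extensions Fl u
+of the manual SA configuration.
+When you want to use SA bundle, you can define multiple rules.
+For example, if an IP header was followed by AH header followed by ESP header
+followed by an upper layer protocol header, the rule
+would be:
+.Dl esp/transport//require ah/transport//require ;
+The rule order is very important.
 .Pp
 Note that
 .Dq Li discard
@@ -591,7 +595,7 @@ algorithm
 deflate rfc2394
 .Ed
 .\"
-.Sh RETURN VALUES
+.Sh EXIT STATUS
 The command exits with 0 on success, and non-zero on errors.
 .\"
 .Sh EXAMPLES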
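--- a/token.l
+++ b/token.l
@@ -1,5 +1,5 @@
-/* $NetBSD: token.l,v 1.6 2001/09/07 04:12:10 itojun Exp $ */
-/* $KAME: token.l,v 1.33 2001/08/17 06:21:57 itojun Exp $ */
+/* $NetBSD: token.l,v 1.7 2002/05/14 11:24:20 itojun Exp $ */
+/* $KAME: token.l,v 1.34 2001/09/25 14:15:24 sakane Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.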