sync with latest kame setkey(8), modulo icmp6 hack.

pfkey.c is now more picky about buffer length validation.
spddump (setkey -DP) will print lifetime information.
This commit is contained in:
itojun 2002-05-14 11:24:20 +00:00
parent 1d965dd4fe
commit 33fe7af9a4
6 changed files with 779 additions and 205 deletions


@ -1,5 +1,5 @@
/* $NetBSD: libpfkey.h,v 1.1 2000/06/12 10:40:52 itojun Exp $ */ /* $NetBSD: libpfkey.h,v 1.2 2002/05/14 11:24:21 itojun Exp $ */
/* $KAME: libpfkey.h,v 1.1 2000/06/08 21:28:32 itojun Exp $ */ /* $KAME: libpfkey.h,v 1.6 2001/03/05 18:22:17 thorpej Exp $ */
/* /*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,11 +30,15 @@
* SUCH DAMAGE. * SUCH DAMAGE.
*/ */
struct sadb_msg;
extern void pfkey_sadump __P((struct sadb_msg *)); extern void pfkey_sadump __P((struct sadb_msg *));
extern void pfkey_spdump __P((struct sadb_msg *)); extern void pfkey_spdump __P((struct sadb_msg *));
struct sockaddr; struct sockaddr;
struct sadb_alg;
int ipsec_check_keylen __P((u_int, u_int, u_int)); int ipsec_check_keylen __P((u_int, u_int, u_int));
int ipsec_check_keylen2 __P((u_int, u_int, u_int));
int ipsec_get_keylen __P((u_int, u_int, struct sadb_alg *));
u_int pfkey_set_softrate __P((u_int, u_int)); u_int pfkey_set_softrate __P((u_int, u_int));
u_int pfkey_get_softrate __P((u_int)); u_int pfkey_get_softrate __P((u_int));
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *, int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
@ -49,17 +53,26 @@ int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
u_int64_t, u_int64_t, u_int32_t)); u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_delete __P((int, u_int, u_int, int pfkey_send_delete __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t)); struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_delete_all __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *));
int pfkey_send_get __P((int, u_int, u_int, int pfkey_send_get __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t)); struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_register __P((int, u_int)); int pfkey_send_register __P((int, u_int));
int pfkey_recv_register __P((int)); int pfkey_recv_register __P((int));
int pfkey_set_supported __P((struct sadb_msg *, int));
int pfkey_send_flush __P((int, u_int)); int pfkey_send_flush __P((int, u_int));
int pfkey_send_dump __P((int, u_int)); int pfkey_send_dump __P((int, u_int));
int pfkey_send_promisc_toggle __P((int, int)); int pfkey_send_promisc_toggle __P((int, int));
int pfkey_send_spdadd __P((int, struct sockaddr *, u_int, int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t)); struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdadd2 __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
caddr_t, int, u_int32_t));
int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int, int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t)); struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdupdate2 __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
caddr_t, int, u_int32_t));
int pfkey_send_spddelete __P((int, struct sockaddr *, u_int, int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t)); struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spddelete2 __P((int, u_int32_t)); int pfkey_send_spddelete2 __P((int, u_int32_t));
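Review bot: The two new `u_int64_t` parameters added to `pfkey_send_spdadd2` and `pfkey_send_spdupdate2` are purely positional, and because the `__P()` prototypes carry no parameter names nothing in this header says which is which or in what unit; presumably they are the policy lifetime and validtime that pfkey_dump.c prints from `sadb_lifetime_hard` as `lifetime`/`validtime` in seconds, but a caller cannot confirm that from here. Add a comment above each pair, e.g. `/* ltime, vtime: policy lifetime/validtime in seconds (see pfkey_send_spdadd2 in pfkey.c) */`, once the meaning is checked against the implementation. The same applies to `pfkey_set_supported`'s bare `int`, which gives no hint what the second argument selects.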



@ -1,5 +1,5 @@
/* $NetBSD: pfkey_dump.c,v 1.9 2000/10/03 23:00:54 itojun Exp $ */ /* $NetBSD: pfkey_dump.c,v 1.10 2002/05/14 11:24:21 itojun Exp $ */
/* $KAME: pfkey_dump.c,v 1.22 2000/09/12 07:10:53 itojun Exp $ */ /* $KAME: pfkey_dump.c,v 1.36 2002/05/13 05:30:08 itojun Exp $ */
/* /*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -77,7 +77,8 @@ do { \
} while (0) } while (0)
static char *str_ipaddr __P((struct sockaddr *)); static char *str_ipaddr __P((struct sockaddr *));
static char *str_prefport __P((u_int, u_int, u_int)); static char *str_prefport __P((u_int, u_int, u_int, u_int));
static void str_upperspec __P((u_int, u_int, u_int));
static char *str_time __P((time_t)); static char *str_time __P((time_t));
static void str_lifetime_byte __P((struct sadb_lifetime *, char *)); static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
@ -108,22 +109,6 @@ static char *str_mode[] = {
"tunnel", "tunnel",
}; };
static char *str_upper[] = {
/*0*/ "ip", "icmp", "igmp", "ggp", "ip4",
"", "tcp", "", "egp", "",
/*10*/ "", "", "", "", "",
"", "", "udp", "", "",
/*20*/ "", "", "idp", "", "",
"", "", "", "", "tp",
/*30*/ "", "", "", "", "",
"", "", "", "", "",
/*40*/ "", "ip6", "", "rt6", "frag6",
"", "rsvp", "gre", "", "",
/*50*/ "esp", "ah", "", "", "",
"", "", "", "icmp6", "none",
/*60*/ "dst6",
};
static char *str_state[] = { static char *str_state[] = {
"larval", "larval",
"mature", "mature",
@ -265,17 +250,15 @@ pfkey_sadump(m)
} }
/* replay windoe size & flags */ /* replay windoe size & flags */
printf("\treplay=%u flags=0x%08x ", printf("\tseq=0x%08x replay=%u flags=0x%08x ",
m_sa2->sadb_x_sa2_sequence,
m_sa->sadb_sa_replay, m_sa->sadb_sa_replay,
m_sa->sadb_sa_flags); m_sa->sadb_sa_flags);
/* state */ /* state */
printf("state="); printf("state=");
GETMSGSTR(str_state, m_sa->sadb_sa_state); GETMSGSTR(str_state, m_sa->sadb_sa_state);
printf("\n");
printf("seq=%lu pid=%lu\n",
(u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid);
/* lifetime */ /* lifetime */
if (m_lftc != NULL) { if (m_lftc != NULL) {
@ -319,8 +302,12 @@ pfkey_sadump(m)
0 : m_lfts->sadb_lifetime_allocations)); 0 : m_lfts->sadb_lifetime_allocations));
} }
printf("\tsadb_seq=%lu pid=%lu ",
(u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid);
/* XXX DEBUG */ /* XXX DEBUG */
printf("\trefcnt=%u\n", m->sadb_msg_reserved); printf("refcnt=%u\n", m->sadb_msg_reserved);
return; return;
} }
@ -333,8 +320,9 @@ pfkey_spdump(m)
caddr_t mhp[SADB_EXT_MAX + 1]; caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_address *m_saddr, *m_daddr; struct sadb_address *m_saddr, *m_daddr;
struct sadb_x_policy *m_xpl; struct sadb_x_policy *m_xpl;
struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL;
struct sockaddr *sa; struct sockaddr *sa;
u_int16_t port; u_int16_t sport = 0, dport = 0;
/* check pfkey message. */ /* check pfkey message. */
if (pfkey_align(m, mhp)) { if (pfkey_align(m, mhp)) {
@ -349,6 +337,8 @@ pfkey_spdump(m)
m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
/* source address */ /* source address */
if (m_saddr == NULL) { if (m_saddr == NULL) {
@ -361,12 +351,13 @@ pfkey_spdump(m)
case AF_INET6: case AF_INET6:
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf), if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
NI_NUMERICSERV) != 0) NI_NUMERICSERV) != 0)
port = 0; /*XXX*/ sport = 0; /*XXX*/
else else
port = atoi(pbuf); sport = atoi(pbuf);
printf("%s%s ", str_ipaddr(sa), printf("%s%s ", str_ipaddr(sa),
str_prefport(sa->sa_family, str_prefport(sa->sa_family,
m_saddr->sadb_address_prefixlen, port)); m_saddr->sadb_address_prefixlen, sport,
m_saddr->sadb_address_proto));
break; break;
default: default:
printf("unknown-af "); printf("unknown-af ");
@ -384,12 +375,13 @@ pfkey_spdump(m)
case AF_INET6: case AF_INET6:
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf), if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
NI_NUMERICSERV) != 0) NI_NUMERICSERV) != 0)
port = 0; /*XXX*/ dport = 0; /*XXX*/
else else
port = atoi(pbuf); dport = atoi(pbuf);
printf("%s%s ", str_ipaddr(sa), printf("%s%s ", str_ipaddr(sa),
str_prefport(sa->sa_family, str_prefport(sa->sa_family,
m_daddr->sadb_address_prefixlen, port)); m_daddr->sadb_address_prefixlen, dport,
m_saddr->sadb_address_proto));
break; break;
default: default:
printf("unknown-af "); printf("unknown-af ");
@ -401,10 +393,7 @@ pfkey_spdump(m)
printf("upper layer protocol mismatched.\n"); printf("upper layer protocol mismatched.\n");
return; return;
} }
if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY) str_upperspec(m_saddr->sadb_address_proto, sport, dport);
printf("any");
else
GETMSGSTR(str_upper, m_saddr->sadb_address_proto);
/* policy */ /* policy */
{ {
@ -421,6 +410,21 @@ pfkey_spdump(m)
free(d_xpl); free(d_xpl);
} }
/* lifetime */
if (m_lftc) {
printf("\tcreated: %s ",
str_time(m_lftc->sadb_lifetime_addtime));
printf("lastused: %s\n",
str_time(m_lftc->sadb_lifetime_usetime));
}
if (m_lfth) {
printf("\tlifetime: %lu(s) ",
(u_long)m_lfth->sadb_lifetime_addtime);
printf("validtime: %lu(s)\n",
(u_long)m_lfth->sadb_lifetime_usetime);
}
printf("\tspid=%ld seq=%ld pid=%ld\n", printf("\tspid=%ld seq=%ld pid=%ld\n",
(u_long)m_xpl->sadb_x_policy_id, (u_long)m_xpl->sadb_x_policy_id,
(u_long)m->sadb_msg_seq, (u_long)m->sadb_msg_seq,
@ -458,8 +462,8 @@ str_ipaddr(sa)
* set "/prefix[port number]" to buffer. * set "/prefix[port number]" to buffer.
*/ */
static char * static char *
str_prefport(family, pref, port) str_prefport(family, pref, port, ulp)
u_int family, pref, port; u_int family, pref, port, ulp;
{ {
static char buf[128]; static char buf[128];
char prefbuf[10]; char prefbuf[10];
@ -492,6 +496,32 @@ str_prefport(family, pref, port)
return buf; return buf;
} }
static void
str_upperspec(ulp, p1, p2)
u_int ulp, p1, p2;
{
if (ulp == IPSEC_ULPROTO_ANY)
printf("any");
else {
struct protoent *ent;
switch (ulp) {
case IPPROTO_IPV4:
printf("ip4");
break;
default:
ent = getprotobynumber(ulp);
if (ent)
printf("%s", ent->p_name);
else
printf("%d", ulp);
endprotoent();
break;
}
}
}
/* /*
* set "Mon Day Time Year" to buffer * set "Mon Day Time Year" to buffer
*/ */
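Review bot: `str_upperspec` accepts `p1` and `p2` — the source and destination ports that `pfkey_spdump` now collects and passes to it — but never reads them, and its `default:` branch prints the `u_int ulp` with `%d`; change that to `printf("%u", ulp);` and either drop the two unused parameters (and their slots in the prototype near the top of this section) or emit the port part the name implies. Note also that the name printed now comes from `getprotobynumber()`, i.e. the host's protocols database, rather than the fixed `str_upper` table this commit removes; if the dump output is meant to be fed back to setkey, a host whose database spells a protocol differently from what the lexer accepts will produce output setkey rejects, which is worth confirming against token.l. A smaller inconsistency in the same function's caller: the destination block passes `m_saddr->sadb_address_proto` to `str_prefport` where `m_daddr->sadb_address_proto` is the obvious operand, although the mismatch check that follows makes the two equal whenever the output is accepted.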


@ -1,5 +1,5 @@
/* $NetBSD: parse.y,v 1.7 2001/11/02 03:57:25 lukem Exp $ */ /* $NetBSD: parse.y,v 1.8 2002/05/14 11:24:20 itojun Exp $ */
/* $KAME: parse.y,v 1.63 2001/08/17 06:28:49 itojun Exp $ */ /* $KAME: parse.y,v 1.69 2002/05/14 11:16:10 itojun Exp $ */
/* /*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -457,10 +457,25 @@ spdadd_command
: SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec policy_spec EOT : SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec policy_spec EOT
{ {
int status; int status;
struct addrinfo *src, *dst;
src = parse_addr($3.buf, $5.buf);
dst = parse_addr($6.buf, $8.buf);
if (!src || !dst) {
/* yyerror is already called */
return -1;
}
if (src->ai_next || dst->ai_next) {
yyerror("multiple address specified");
freeaddrinfo(src);
freeaddrinfo(dst);
return -1;
}
status = setkeymsg_spdaddr(SADB_X_SPDADD, $9, &$10, status = setkeymsg_spdaddr(SADB_X_SPDADD, $9, &$10,
parse_addr($3.buf, $5.buf), $4, src, $4, dst, $7);
parse_addr($6.buf, $8.buf), $7); freeaddrinfo(src);
freeaddrinfo(dst);
if (status < 0) if (status < 0)
return -1; return -1;
} }
@ -487,10 +502,10 @@ spddelete_command
status = setkeymsg_spdaddr(SADB_X_SPDDELETE, $9, &$10, status = setkeymsg_spdaddr(SADB_X_SPDDELETE, $9, &$10,
src, $4, dst, $7); src, $4, dst, $7);
if (status < 0)
return -1;
freeaddrinfo(src); freeaddrinfo(src);
freeaddrinfo(dst); freeaddrinfo(dst);
if (status < 0)
return -1;
} }
; ;
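Review bot: In the spdadd action, `if (!src || !dst) { return -1; }` leaks whichever `addrinfo` list did succeed: `parse_addr` is called twice, and when only the second call fails `src` is never handed to `freeaddrinfo`. Free each one before returning, keeping the NULL guards because `freeaddrinfo(NULL)` is not portable: `if (src) freeaddrinfo(src);` and `if (dst) freeaddrinfo(dst);` inside that block, before `return -1;`. For a one-shot setkey invocation this is harmless, but if the driver keeps parsing after an error (the loop is outside this section) a policy file with many bad entries accumulates it. The spddelete hunk's move of the two frees ahead of the `status < 0` return is the right fix for the same pattern and should be mirrored here.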


@ -1,5 +1,5 @@
.\" $NetBSD: setkey.8,v 1.13 2001/11/16 12:10:06 wiz Exp $ .\" $NetBSD: setkey.8,v 1.14 2002/05/14 11:24:20 itojun Exp $
.\" $KAME: setkey.8,v 1.66 2001/09/04 10:05:07 jinmei Exp $ .\" $KAME: setkey.8,v 1.73 2002/05/14 11:05:35 itojun Exp $
.\" .\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved. .\" All rights reserved.
@ -419,23 +419,12 @@ You have to consider and be careful to use them.
.Pp .Pp
.It Ar policy .It Ar policy
.Ar policy .Ar policy
is the one of following: is the one of the following three formats:
.Bd -literal -offset .Bd -literal -offset indent
.Xo .It Fl P Ar direction Li discard
.Fl P .It Fl P Ar direction Li none
.Ar direction .It Xo Fl P Ar direction Li ipsec
.Li discard .Ar protocol/mode/src-dst/level Op ...
.Xc
.Xo
.Fl P
.Ar direction
.Li none
.Xc
.Xo
.Fl P
.Ar direction
.Li ipsec
.Ar protocol/mode/src-dst/level
.Xc .Xc
.Ed .Ed
.Pp .Pp
@ -452,6 +441,9 @@ means the packet matching indexes will be discarded.
means that IPsec operation will not take place onto the packet. means that IPsec operation will not take place onto the packet.
.Li ipsec .Li ipsec
means that IPsec operation will take place onto the packet. means that IPsec operation will take place onto the packet.
The part of
.Ar protocol/mode/src-dst/level
specifies the rule how to process the packet .
Either Either
.Li ah , .Li ah ,
.Li esp .Li esp
@ -503,19 +495,31 @@ otherwise the kernel keeps normal operation.
means SA is required whenever the kernel sends a packet matched means SA is required whenever the kernel sends a packet matched
with the policy. with the policy.
.Li unique .Li unique
is the same to require. is the same to require,
In addition, it allows the policy to bind with the unique out-bound SA. in addition, it allows the policy to bind with the unique out-bound SA.
If you use the SA by manual keying, You just specify the policy level
.Li unique ,
.Xr racoon 8
will configure the SA for the policy.
If you configure the SA by manual keying for that policy,
you can put the decimal number as the policy identifier after you can put the decimal number as the policy identifier after
.Li unique .Li unique
separated by colon separated by colon
.Sq \&: .Sq \&:
like the following; like the following;
.Li unique:number . .Li unique:number .
in order to bind this policy to the SA .
.Li number .Li number
must be between 1 and 32767. must be between 1 and 32767.
It corresponds to It corresponds to
.Ar extensions Fl u . .Ar extensions Fl u
of the manual SA configuration.
When you want to use SA bundle, you can define multiple rules.
For example, if an IP header was followed by AH header followed by ESP header
followed by an upper layer protocol header, the rule
would be:
.Dl esp/transport//require ah/transport//require ;
The rule order is very important.
.Pp .Pp
Note that Note that
.Dq Li discard .Dq Li discard
@ -591,7 +595,7 @@ algorithm
deflate rfc2394 deflate rfc2394
.Ed .Ed
.\" .\"
.Sh RETURN VALUES .Sh EXIT STATUS
The command exits with 0 on success, and non-zero on errors. The command exits with 0 on success, and non-zero on errors.
.\" .\"
.Sh EXAMPLES .Sh EXAMPLES


@ -1,5 +1,5 @@
/* $NetBSD: token.l,v 1.6 2001/09/07 04:12:10 itojun Exp $ */ /* $NetBSD: token.l,v 1.7 2002/05/14 11:24:20 itojun Exp $ */
/* $KAME: token.l,v 1.33 2001/08/17 06:21:57 itojun Exp $ */ /* $KAME: token.l,v 1.34 2001/09/25 14:15:24 sakane Exp $ */
/* /*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.