warn that port numbers do not work for gateway config. PR kern/22715
add reference. bump date.
This commit is contained in:
parent
5bd33bcad6
commit
643b0ddea3
@ -1,4 +1,4 @@
/* $NetBSD: parse.y,v 1.11 2003/07/26 15:28:24 mrg Exp $ */
/* $NetBSD: parse.y,v 1.12 2003/09/07 22:18:58 itojun Exp $ */
/* $KAME: parse.y,v 1.80 2003/06/27 07:15:45 itojun Exp $ */
/*
@ -72,6 +72,7 @@ void free_buffer __P((void));
int setkeymsg0 __P((struct sadb_msg *, unsigned int, unsigned int, size_t));
static int setkeymsg_spdaddr __P((unsigned int, unsigned int, vchar_t *,
struct addrinfo *, int, struct addrinfo *, int));
static int setkeymsg_spdaddr_tag __P((unsigned int, char *, vchar_t *));
static int setkeymsg_addr __P((unsigned int, unsigned int,
struct addrinfo *, struct addrinfo *, int));
static int setkeymsg_add __P((unsigned int, unsigned int,
@ -106,6 +107,7 @@ extern void yyerror __P((const char *));
%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
%token F_POLICY PL_REQUESTS
%token F_AIFLAGS
%token TAGGED
%type <num> prefix protocol_spec upper_spec
%type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
@ -502,6 +504,15 @@ spdadd_command
if (status < 0)
return -1;
}
| SPDADD TAGGED QUOTEDSTRING policy_spec EOT
{
int status;
status = setkeymsg_spdaddr_tag(SADB_X_SPDADD,
$3.buf, &$4);
if (status < 0)
return -1;
}
;
spddelete_command
@ -798,6 +809,46 @@ setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen)
return 0;
}
static int
setkeymsg_spdaddr_tag(type, tag, policy)
unsigned int type;
char *tag;
vchar_t *policy;
{
struct sadb_msg *msg;
char buf[BUFSIZ];
int l, l0;
struct sadb_x_tag m_tag;
int n;
msg = (struct sadb_msg *)buf;
/* fix up length afterwards */
setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
l = sizeof(struct sadb_msg);
memcpy(buf + l, policy->buf, policy->len);
l += policy->len;
l0 = l;
n = 0;
memset(&m_tag, 0, sizeof(m_tag));
m_tag.sadb_x_tag_len = PFKEY_UNIT64(sizeof(m_tag));
m_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG;
if (strlcpy(m_tag.sadb_x_tag_name, tag,
sizeof(m_tag.sadb_x_tag_name)) >= sizeof(m_tag.sadb_x_tag_name))
return -1;
memcpy(buf + l, &m_tag, sizeof(m_tag));
l += sizeof(m_tag);
msg->sadb_msg_len = PFKEY_UNIT64(l);
sendkeymsg(buf, l);
return 0;
}
/* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
static int
setkeymsg_addr(type, satype, srcs, dsts, no_spi)
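Review bot: In the new setkeymsg_spdaddr_tag, `memcpy(buf + l, policy->buf, policy->len)` copies into the fixed `char buf[BUFSIZ]` with no check that `sizeof(struct sadb_msg) + policy->len + sizeof(m_tag)` fits, the very gap that the neighbouring setkeymsg_addr already flags with its `XXX NO BUFFER OVERRUN CHECK` comment, while the tag name itself is correctly bounded by strlcpy. A guard before the first memcpy closes it: `if (l + policy->len + sizeof(m_tag) > sizeof(buf)) return -1;`. The policy buffer presumably comes from the `policy_spec` rule, whose length bound is not visible in this hunk, so this is worth checking rather than assuming. The result of `sendkeymsg(buf, l)` is also discarded before the unconditional `return 0`, so if that call reports a failure the caller will not see it.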
@ -1,5 +1,5 @@
.\" $NetBSD: setkey.8,v 1.21 2003/07/25 10:09:38 itojun Exp $
.\" $KAME: setkey.8,v 1.86 2003/07/25 09:53:01 itojun Exp $
.\" $NetBSD: setkey.8,v 1.22 2003/09/07 22:18:58 itojun Exp $
.\" $KAME: setkey.8,v 1.87 2003/09/07 22:16:01 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
@ -28,7 +28,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd July 25, 2003
.Dd September 7, 2003
.Dt SETKEY 8
.Os
.\"
@ -185,6 +185,15 @@ on the command line achieves the same functionality.
Add an SPD entry.
.\"
.It Xo
.Li spdadd tagged
.Ar tag Ar policy
.Li ;
.Xc
Add an SPD entry based on PF tag.
.Ar tag
must be a string surrounded by doublequote.
.\"
.It Xo
.Li spddelete
.Op Fl 46n
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
@ -642,6 +651,11 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
.Xr ipsec_set_policy 3 ,
.Xr racoon 8 ,
.Xr sysctl 8
.Rs
.%T "Changed manual key configuration for IPsec"
.%O "http://www.kame.net/newsletter/19991007/"
.%D "October 1999"
.Re
.\"
.Sh HISTORY
The
@ -652,3 +666,11 @@ The command was completely re-designed in June 1998.
.Sh BUGS
.Nm
should report and handle syntax errors better.
.Pp
For IPsec gateway configuration,
.Ar src_range
and
.Ar dst_range
with TCP/UDP port number do not work, as the gateway does not reassemble
packets
.Pq cannot inspect upper-layer headers .
@ -1,4 +1,4 @@
/* $NetBSD: token.l,v 1.11 2003/07/25 10:09:38 itojun Exp $ */
/* $NetBSD: token.l,v 1.12 2003/09/07 22:18:58 itojun Exp $ */
/* $KAME: token.l,v 1.43 2003/07/25 09:35:28 itojun Exp $ */
/*
@ -106,6 +106,7 @@ spdadd { return(SPDADD); }
spddelete { return(SPDDELETE); }
spddump { return(SPDDUMP); }
spdflush { return(SPDFLUSH); }
tagged { return(TAGGED); }
{hyphen}P { BEGIN S_PL; return(F_POLICY); }
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.%\-_/ \n\t]* {
yymore();