diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index a2ca31dd5458..00e39d7a5029 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -1,4 +1,4 @@
-/* $NetBSD: parse.y,v 1.11 2003/07/26 15:28:24 mrg Exp $ */
+/* $NetBSD: parse.y,v 1.12 2003/09/07 22:18:58 itojun Exp $ */
 /* $KAME: parse.y,v 1.80 2003/06/27 07:15:45 itojun Exp $ */
 
 /*
@@ -72,6 +72,7 @@ void free_buffer __P((void));
 int setkeymsg0 __P((struct sadb_msg *, unsigned int, unsigned int, size_t));
 static int setkeymsg_spdaddr __P((unsigned int, unsigned int, vchar_t *,
 struct addrinfo *, int, struct addrinfo *, int));
+static int setkeymsg_spdaddr_tag __P((unsigned int, char *, vchar_t *));
 static int setkeymsg_addr __P((unsigned int, unsigned int,
 struct addrinfo *, struct addrinfo *, int));
 static int setkeymsg_add __P((unsigned int, unsigned int,
@@ -106,6 +107,7 @@ extern void yyerror __P((const char *));
 %token SPDADD SPDDELETE SPDDUMP SPDFLUSH
 %token F_POLICY PL_REQUESTS
 %token F_AIFLAGS
+%token TAGGED
 
 %type prefix protocol_spec upper_spec
 %type ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
@@ -502,6 +504,15 @@ spdadd_command
 if (status < 0)
 return -1;
 }
+ | SPDADD TAGGED QUOTEDSTRING policy_spec EOT
+ {
+ int status;
+
+ status = setkeymsg_spdaddr_tag(SADB_X_SPDADD,
+ $3.buf, &$4);
+ if (status < 0)
+ return -1;
+ }
 ;
 
 spddelete_command
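Review bot: The new `SPDADD TAGGED QUOTEDSTRING policy_spec EOT` action passes `$3.buf` to setkeymsg_spdaddr_tag and then drops both `$3.buf` and `$4.buf` on every path, including the `return -1` one; if the lexer allocates the QUOTEDSTRING buffer and policy_spec allocates its result (the `.buf`/`.len` pairs suggest so), this leaks per statement — worth checking against how the other rules in this grammar release those buffers. A negative status from the helper also surfaces here with no diagnostic; the existing rule visible at the top of the hunk has the same shape, but a `yyerror()` naming the failure (tag name too long, message too large) would tell the operator why the entry was not installed. The spdadd_command rule starts outside the hunk.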
@@ -798,6 +809,46 @@ setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen)
 return 0;
 }
 
+static int
+setkeymsg_spdaddr_tag(type, tag, policy)
+ unsigned int type;
+ char *tag;
+ vchar_t *policy;
+{
+ struct sadb_msg *msg;
+ char buf[BUFSIZ];
+ int l, l0;
+ struct sadb_x_tag m_tag;
+ int n;
+
+ msg = (struct sadb_msg *)buf;
+
+ /* fix up length afterwards */
+ setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
+ l = sizeof(struct sadb_msg);
+
+ memcpy(buf + l, policy->buf, policy->len);
+ l += policy->len;
+
+ l0 = l;
+ n = 0;
+
+ memset(&m_tag, 0, sizeof(m_tag));
+ m_tag.sadb_x_tag_len = PFKEY_UNIT64(sizeof(m_tag));
+ m_tag.sadb_x_tag_exttype = SADB_X_EXT_TAG;
+ if (strlcpy(m_tag.sadb_x_tag_name, tag,
+ sizeof(m_tag.sadb_x_tag_name)) >= sizeof(m_tag.sadb_x_tag_name))
+ return -1;
+ memcpy(buf + l, &m_tag, sizeof(m_tag));
+ l += sizeof(m_tag);
+
+ msg->sadb_msg_len = PFKEY_UNIT64(l);
+
+ sendkeymsg(buf, l);
+
+ return 0;
+}
+
 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
 static int
 setkeymsg_addr(type, satype, srcs, dsts, no_spi)
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
index c77a5ad0a563..3218d66a8855 100644
--- a/sbin/setkey/setkey.8
+++ b/sbin/setkey/setkey.8
@@ -1,5 +1,5 @@
-.\" $NetBSD: setkey.8,v 1.21 2003/07/25 10:09:38 itojun Exp $
-.\" $KAME: setkey.8,v 1.86 2003/07/25 09:53:01 itojun Exp $
+.\" $NetBSD: setkey.8,v 1.22 2003/09/07 22:18:58 itojun Exp $
+.\" $KAME: setkey.8,v 1.87 2003/09/07 22:16:01 itojun Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\" All rights reserved.
@@ -28,7 +28,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd July 25, 2003
+.Dd September 7, 2003
 .Dt SETKEY 8
 .Os
 .\"
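Review bot: `memcpy(buf + l, policy->buf, policy->len)` in setkeymsg_spdaddr_tag writes into the fixed `char buf[BUFSIZ]` without checking that `policy->len` plus the trailing `sadb_x_tag` fits, so an oversized policy taken from the input overruns the stack buffer; the neighbouring setkeymsg_addr already carries the `/* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */` marker for this hazard and the new function should not inherit it. One check before the first memcpy closes it: `if ((size_t)l + policy->len + sizeof(m_tag) > sizeof(buf)) return -1;` (assuming `len` is unsigned; otherwise reject a negative length first). `l0` and `n` are assigned but never read and can be dropped, and the `return -1` on strlcpy truncation is silent, so a `yyerror("tag name too long")`-style diagnostic there would tell the operator why the entry was not installed. The result of `sendkeymsg(buf, l)` is discarded as well; if that call reports failure through its return value, propagating it would give the caller's `status < 0` check something to act on.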
@@ -185,6 +185,15 @@ on the command line achieves the same functionality.
 Add an SPD entry.
 .\"
 .It Xo
+.Li spdadd tagged
+.Ar tag Ar policy
+.Li ;
+.Xc
+Add an SPD entry based on PF tag.
+.Ar tag
+must be a string surrounded by doublequote.
+.\"
+.It Xo
 .Li spddelete
 .Op Fl 46n
 .Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
@@ -642,6 +651,11 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
 .Xr ipsec_set_policy 3 ,
 .Xr racoon 8 ,
 .Xr sysctl 8
+.Rs
+.%T "Changed manual key configuration for IPsec"
+.%O "http://www.kame.net/newsletter/19991007/"
+.%D "October 1999"
+.Re
 .\"
 .Sh HISTORY
 The
@@ -652,3 +666,11 @@ The command was completely re-designed in June 1998.
 .Sh BUGS
 .Nm
 should report and handle syntax errors better.
+.Pp
+For IPsec gateway configuration,
+.Ar src_range
+and
+.Ar dst_range
+with TCP/UDP port number do not work, as the gateway does not reassemble
+packets
+.Pq cannot inspect upper-layer headers .
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
index 1778b4117ac1..cbf8eecdf067 100644
--- a/sbin/setkey/token.l
+++ b/sbin/setkey/token.l
@@ -1,4 +1,4 @@
-/* $NetBSD: token.l,v 1.11 2003/07/25 10:09:38 itojun Exp $ */
+/* $NetBSD: token.l,v 1.12 2003/09/07 22:18:58 itojun Exp $ */
 /* $KAME: token.l,v 1.43 2003/07/25 09:35:28 itojun Exp $ */
 
 /*
@@ -106,6 +106,7 @@ spdadd { return(SPDADD); }
 spddelete { return(SPDDELETE); }
 spddump { return(SPDDUMP); }
 spdflush { return(SPDFLUSH); }
+tagged { return(TAGGED); }
 {hyphen}P { BEGIN S_PL; return(F_POLICY); }
 [a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.%\-_/ \n\t]* { yymore();