Add NAT ports to SAD in setkey so that NAT SAD entries generated by

racoon can be removed by hand.
2005-12-04 20:46:40 +00:00 · 2005-12-04 20:46:40 +00:00 · a5b1c92448
parent 3ab5dca36c
commit a5b1c92448
7 changed files with 83 additions and 21 deletions
--- a/crypto/dist/ipsec-tools/ChangeLog
+++ b/crypto/dist/ipsec-tools/ChangeLog
@ -1,3 +1,11 @@
+2005-12-04  Frederic Senault  <fred@lacave.net>
+
+	* src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
+	  function to display SAD entries with their associated ports.
+	* src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag
+	  in conjunction with -D to show SADs with the port, allow both get and
+	  delete commands to use bracketed ports if needed.
+
 ---------------------------------------------

 	0.6.3 released
--- a/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
+++ b/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
@ -1,4 +1,4 @@
-/*	$NetBSD: libpfkey.h,v 1.8 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: libpfkey.h,v 1.9 2005/12/04 20:46:40 manu Exp $	*/

 /* Id: libpfkey.h,v 1.8.2.3 2005/06/29 13:01:28 manubsd Exp */

@ -46,6 +46,7 @@

 struct sadb_msg;
 extern void pfkey_sadump __P((struct sadb_msg *));
+extern void pfkey_sadump_withports __P((struct sadb_msg *));
 extern void pfkey_spdump __P((struct sadb_msg *));
 extern void pfkey_spdump_withports __P((struct sadb_msg *));

--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey_dump.c,v 1.11 2005/11/21 14:20:28 manu Exp $	*/
+/*	$NetBSD: pfkey_dump.c,v 1.12 2005/12/04 20:46:40 manu Exp $	*/

 /*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/

@ -107,10 +107,12 @@ do { \
 } while (/*CONSTCOND*/0)

 static char *str_ipaddr __P((struct sockaddr *));
+static char *str_ipport __P((struct sockaddr *));
 static char *str_prefport __P((u_int, u_int, u_int, u_int));
 static void str_upperspec __P((u_int, u_int, u_int));
 static char *str_time __P((time_t));
 static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
+static void pfkey_sadump1(struct sadb_msg *, int);
 static void pfkey_spdump1(struct sadb_msg *, int);

 struct val2str {
@ -210,9 +212,25 @@ static struct val2str str_alg_comp[] = {
 /*
 * dump SADB_MSG formated.  For debugging, you should use kdebug_sadb().
 */
+
 void
 pfkey_sadump(m)
 	struct sadb_msg *m;
+{
+	pfkey_sadump1(m, 0);
+}
+
+void
+pfkey_sadump_withports(m)
+	struct sadb_msg *m;
+{
+	pfkey_sadump1(m, 1);
+}
+
+void
+pfkey_sadump1(m, withports)
+	struct sadb_msg *m;
+	int withports;
 {
 	caddr_t mhp[SADB_EXT_MAX + 1];
 	struct sadb_sa *m_sa;
@ -231,6 +249,7 @@ pfkey_sadump(m)
 	struct sadb_x_nat_t_type *natt_type;
 	struct sadb_x_nat_t_port *natt_sport, *natt_dport;
 	struct sadb_address *natt_oa;
+	struct sockaddr *sa;

 	int use_natt = 0;
 #endif
@ -276,7 +295,11 @@ pfkey_sadump(m)
 		printf("no ADDRESS_SRC extension.\n");
 		return;
 	}
-	printf("%s", str_ipaddr((void *)(m_saddr + 1)));
+	sa = (void *)(m_saddr + 1);
+	if (withports)
+		printf("%s[%s]", str_ipaddr(sa), str_ipport(sa));
+	else
+		printf("%s", str_ipaddr(sa));
 #ifdef SADB_X_EXT_NAT_T_TYPE
 	if (use_natt && natt_sport)
 		printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port));
@ -288,7 +311,11 @@ pfkey_sadump(m)
 		printf(" no ADDRESS_DST extension.\n");
 		return;
 	}
-	printf("%s", str_ipaddr((void *)(m_daddr + 1)));
+	sa = (void *)(m_daddr + 1);
+	if (withports)
+		printf("%s[%s]", str_ipaddr(sa), str_ipport(sa));
+	else
+		printf("%s", str_ipaddr(sa));
 #ifdef SADB_X_EXT_NAT_T_TYPE
 	if (use_natt && natt_dport)
 		printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port));
@ -602,6 +629,26 @@ str_ipaddr(sa)
 	return NULL;
 }

+/*
+ * set "port" to buffer.
+ */
+static char *
+str_ipport(sa)
+	struct sockaddr *sa;
+{
+	static char buf[NI_MAXHOST];
+	const int niflag = NI_NUMERICSERV;
+
+	if (sa == NULL)
+		return "";
+
+	if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL, 0, 
+	    buf, sizeof(buf), niflag) == 0)
+		return buf;
+	return NULL;
+}
+
+
 /*
 * set "/prefix[port number]" to buffer.
 */
--- a/crypto/dist/ipsec-tools/src/setkey/parse.y
+++ b/crypto/dist/ipsec-tools/src/setkey/parse.y
@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.7 2005/11/21 14:20:36 manu Exp $	*/
+/*	$NetBSD: parse.y,v 1.8 2005/12/04 20:46:40 manu Exp $	*/

 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/

@ -180,7 +180,7 @@ add_command

 	/* delete */
 delete_command
-	:	DELETE ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
+	:	DELETE ipaddropts ipandport ipandport protocol_spec spi extension_spec EOT
 		{
 			int status;

@ -211,7 +211,7 @@ deleteall_command

 	/* get command */
 get_command
-	:	GET ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
+	:	GET ipaddropts ipandport ipandport protocol_spec spi extension_spec EOT
 		{
 			int status;

@ -709,7 +709,6 @@ ipandport
 		}
 	;

-
 prefix
 	:	/*NOTHING*/ { $$ = -1; }
 	|	SLASH DECSTRING { $$ = $2; }
--- a/crypto/dist/ipsec-tools/src/setkey/setkey.8
+++ b/crypto/dist/ipsec-tools/src/setkey/setkey.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: setkey.8,v 1.17 2005/09/15 08:42:09 wiz Exp $
+.\"	$NetBSD: setkey.8,v 1.18 2005/12/04 20:46:40 manu Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\" All rights reserved.
@ -97,9 +97,7 @@ If
 is also specified, the SPD entries are dumped.
 If
 .Fl p
-is specified with
-.FL P ,
-the ports that can be used for ESP over UDP are displayed.
+is specified, the ports are displayed.
 .It Fl F
 Flush the SAD entries.
 If
@ -266,7 +264,8 @@ Meta-arguments are as follows:
 .It Ar src
 .It Ar dst
 Source/destination of the secure communication is specified as
-an IPv4/v6 address.
+an IPv4/v6 address, and an optional port number between square
+brackets.
 .Nm
 can resolve a FQDN into numeric addresses.
 If the FQDN resolves into multiple addresses,
--- a/crypto/dist/ipsec-tools/src/setkey/setkey.c
+++ b/crypto/dist/ipsec-tools/src/setkey/setkey.c
@ -1,4 +1,4 @@
-/*	$NetBSD: setkey.c,v 1.9 2005/11/21 14:20:36 manu Exp $	*/
+/*	$NetBSD: setkey.c,v 1.10 2005/12/04 20:46:40 manu Exp $	*/

 /*	$KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $	*/

@ -135,7 +135,7 @@ usage(int only_version)
 		printf("usage: setkey [-v" RK_OPTS "] file ...\n");
 		printf("       setkey [-nv" RK_OPTS "] -c\n");
 		printf("       setkey [-nv" RK_OPTS "] -f filename\n");
-		printf("       setkey [-Palv" RK_OPTS "] -D\n");
+		printf("       setkey [-Palpv" RK_OPTS "] -D\n");
 		printf("       setkey [-Pv] -F\n");
 		printf("       setkey [-H] -x\n");
 		printf("       setkey [-V] [-h]\n");
@ -570,7 +570,10 @@ postproc(msg, len)

 	switch (msg->sadb_msg_type) {
 	case SADB_GET:
-		pfkey_sadump(msg);
+		if (f_withports)
+			pfkey_sadump_withports(msg);
+		else
+			pfkey_sadump(msg);
 		break;

 	case SADB_DUMP:
@ -585,10 +588,15 @@ postproc(msg, len)
 					break;
 			}
 		}
-		if (f_forever)
+		if (f_forever) {
+			/* TODO: f_withports */
 			shortdump(msg);
-		else
-			pfkey_sadump(msg);
+		} else {
+			if (f_withports)
+				pfkey_sadump_withports(msg);
+			else
+				pfkey_sadump(msg);
+		}
 		msg = (struct sadb_msg *)((caddr_t)msg +
 				     PFKEY_UNUNIT64(msg->sadb_msg_len));
 		if (f_verbose) {
--- a/lib/libipsec/package_version.h
+++ b/lib/libipsec/package_version.h
@ -1,5 +1,5 @@
 #define TOP_PACKAGE "ipsec-tools"
 #define TOP_PACKAGE_NAME "ipsec-tools"
-#define TOP_PACKAGE_VERSION  "0.6.3"
-#define TOP_PACKAGE_STRING  "ipsec-tools 0.6.3"
+#define TOP_PACKAGE_VERSION  "0.6.3-20051204"
+#define TOP_PACKAGE_STRING  "ipsec-tools 0.6.3-20051204"
 #define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"