Add NAT ports to SAD in setkey so that NAT SAD entries generated by

racoon can be removed by hand.
manu 2005-12-04 20:46:40 +00:00
parent 3ab5dca36c
commit a5b1c92448
7 changed files with 83 additions and 21 deletions


@ -1,3 +1,11 @@
2005-12-04 Frederic Senault <fred@lacave.net>
* src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
function to display SAD entries with their associated ports.
* src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag
in conjunction with -D to show SADs with the port, allow both get and
delete commands to use bracketed ports if needed.
---------------------------------------------
0.6.3 released


@ -1,4 +1,4 @@
/* $NetBSD: libpfkey.h,v 1.8 2005/11/21 14:20:28 manu Exp $ */
/* $NetBSD: libpfkey.h,v 1.9 2005/12/04 20:46:40 manu Exp $ */
/* Id: libpfkey.h,v 1.8.2.3 2005/06/29 13:01:28 manubsd Exp */
@ -46,6 +46,7 @@
struct sadb_msg;
extern void pfkey_sadump __P((struct sadb_msg *));
extern void pfkey_sadump_withports __P((struct sadb_msg *));
extern void pfkey_spdump __P((struct sadb_msg *));
extern void pfkey_spdump_withports __P((struct sadb_msg *));


@ -1,4 +1,4 @@
/* $NetBSD: pfkey_dump.c,v 1.11 2005/11/21 14:20:28 manu Exp $ */
/* $NetBSD: pfkey_dump.c,v 1.12 2005/12/04 20:46:40 manu Exp $ */
/* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */
@ -107,10 +107,12 @@ do { \
} while (/*CONSTCOND*/0)
static char *str_ipaddr __P((struct sockaddr *));
static char *str_ipport __P((struct sockaddr *));
static char *str_prefport __P((u_int, u_int, u_int, u_int));
static void str_upperspec __P((u_int, u_int, u_int));
static char *str_time __P((time_t));
static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
static void pfkey_sadump1(struct sadb_msg *, int);
static void pfkey_spdump1(struct sadb_msg *, int);
struct val2str {
@ -210,9 +212,25 @@ static struct val2str str_alg_comp[] = {
/*
* dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
*/
void
pfkey_sadump(m)
struct sadb_msg *m;
{
pfkey_sadump1(m, 0);
}
void
pfkey_sadump_withports(m)
struct sadb_msg *m;
{
pfkey_sadump1(m, 1);
}
void
pfkey_sadump1(m, withports)
struct sadb_msg *m;
int withports;
{
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_sa *m_sa;
@ -231,6 +249,7 @@ pfkey_sadump(m)
struct sadb_x_nat_t_type *natt_type;
struct sadb_x_nat_t_port *natt_sport, *natt_dport;
struct sadb_address *natt_oa;
struct sockaddr *sa;
int use_natt = 0;
#endif
@ -276,7 +295,11 @@ pfkey_sadump(m)
printf("no ADDRESS_SRC extension.\n");
return;
}
printf("%s", str_ipaddr((void *)(m_saddr + 1)));
sa = (void *)(m_saddr + 1);
if (withports)
printf("%s[%s]", str_ipaddr(sa), str_ipport(sa));
else
printf("%s", str_ipaddr(sa));
#ifdef SADB_X_EXT_NAT_T_TYPE
if (use_natt && natt_sport)
printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port));
@ -288,7 +311,11 @@ pfkey_sadump(m)
printf(" no ADDRESS_DST extension.\n");
return;
}
printf("%s", str_ipaddr((void *)(m_daddr + 1)));
sa = (void *)(m_daddr + 1);
if (withports)
printf("%s[%s]", str_ipaddr(sa), str_ipport(sa));
else
printf("%s", str_ipaddr(sa));
#ifdef SADB_X_EXT_NAT_T_TYPE
if (use_natt && natt_dport)
printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port));
@ -602,6 +629,26 @@ str_ipaddr(sa)
return NULL;
}
/*
* set "port" to buffer.
*/
static char *
str_ipport(sa)
struct sockaddr *sa;
{
static char buf[NI_MAXHOST];
const int niflag = NI_NUMERICSERV;
if (sa == NULL)
return "";
if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL, 0,
buf, sizeof(buf), niflag) == 0)
return buf;
return NULL;
}
/*
* set "/prefix[port number]" to buffer.
*/
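Review bot: `str_ipport` returns NULL when `getnameinfo` fails, and both new `printf("%s[%s]", str_ipaddr(sa), str_ipport(sa));` calls in `pfkey_sadump1` pass that value straight to `%s`, which is undefined behaviour; the sockaddr is taken from a PF_KEY message, so an unexpected address family should not be able to crash the dump. Returning a placeholder from the failure path, e.g. `return "?";` in place of the final `return NULL;`, keeps both callers safe (the visible tail of `str_ipaddr` ends in the same `return NULL;` and would want the same treatment). The buffer only ever holds a service string, so `static char buf[NI_MAXSERV];` is the matching size. Separately, `struct sockaddr *sa;` is added just above an `#endif` that appears to close the NAT-T declarations, while `sa` is assigned outside the `#ifdef SADB_X_EXT_NAT_T_TYPE` blocks; if that reading is right, builds without NAT-T will not compile and the declaration should move below the `#endif`. The body of `pfkey_sadump1` continues outside these hunks.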


@ -1,4 +1,4 @@
/* $NetBSD: parse.y,v 1.7 2005/11/21 14:20:36 manu Exp $ */
/* $NetBSD: parse.y,v 1.8 2005/12/04 20:46:40 manu Exp $ */
/* $KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $ */
@ -180,7 +180,7 @@ add_command
/* delete */
delete_command
: DELETE ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
: DELETE ipaddropts ipandport ipandport protocol_spec spi extension_spec EOT
{
int status;
@ -211,7 +211,7 @@ deleteall_command
/* get command */
get_command
: GET ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
: GET ipaddropts ipandport ipandport protocol_spec spi extension_spec EOT
{
int status;
@ -709,7 +709,6 @@ ipandport
}
;
prefix
: /*NOTHING*/ { $$ = -1; }
| SLASH DECSTRING { $$ = $2; }


@ -1,4 +1,4 @@
.\" $NetBSD: setkey.8,v 1.17 2005/09/15 08:42:09 wiz Exp $
.\" $NetBSD: setkey.8,v 1.18 2005/12/04 20:46:40 manu Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
@ -97,9 +97,7 @@ If
is also specified, the SPD entries are dumped.
If
.Fl p
is specified with
.FL P ,
the ports that can be used for ESP over UDP are displayed.
is specified, the ports are displayed.
.It Fl F
Flush the SAD entries.
If
@ -266,7 +264,8 @@ Meta-arguments are as follows:
.It Ar src
.It Ar dst
Source/destination of the secure communication is specified as
an IPv4/v6 address.
an IPv4/v6 address, and an optional port number between square
brackets.
.Nm
can resolve a FQDN into numeric addresses.
If the FQDN resolves into multiple addresses,


@ -1,4 +1,4 @@
/* $NetBSD: setkey.c,v 1.9 2005/11/21 14:20:36 manu Exp $ */
/* $NetBSD: setkey.c,v 1.10 2005/12/04 20:46:40 manu Exp $ */
/* $KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $ */
@ -135,7 +135,7 @@ usage(int only_version)
printf("usage: setkey [-v" RK_OPTS "] file ...\n");
printf(" setkey [-nv" RK_OPTS "] -c\n");
printf(" setkey [-nv" RK_OPTS "] -f filename\n");
printf(" setkey [-Palv" RK_OPTS "] -D\n");
printf(" setkey [-Palpv" RK_OPTS "] -D\n");
printf(" setkey [-Pv] -F\n");
printf(" setkey [-H] -x\n");
printf(" setkey [-V] [-h]\n");
@ -570,6 +570,9 @@ postproc(msg, len)
switch (msg->sadb_msg_type) {
case SADB_GET:
if (f_withports)
pfkey_sadump_withports(msg);
else
pfkey_sadump(msg);
break;
@ -585,10 +588,15 @@ postproc(msg, len)
break;
}
}
if (f_forever)
if (f_forever) {
/* TODO: f_withports */
shortdump(msg);
} else {
if (f_withports)
pfkey_sadump_withports(msg);
else
pfkey_sadump(msg);
}
msg = (struct sadb_msg *)((caddr_t)msg +
PFKEY_UNUNIT64(msg->sadb_msg_len));
if (f_verbose) {
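Review bot: In the dump loop of `postproc`, `-p` is silently ignored whenever `f_forever` is set: that branch still calls `shortdump(msg)` and carries only `/* TODO: f_withports */`, so the operator gets port-less output with no hint that the flag had no effect. Until `shortdump` can print ports, say so in the comment, e.g. `/* TODO: shortdump() cannot print ports yet; f_withports is ignored here */`, and consider noting the limitation in setkey.8. The `f_withports` dispatch is also repeated verbatim in the `SADB_GET` case and in this `else` branch; a small static helper would keep the two call sites from drifting apart. `postproc` starts and ends outside these hunks.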


@ -1,5 +1,5 @@
#define TOP_PACKAGE "ipsec-tools"
#define TOP_PACKAGE_NAME "ipsec-tools"
#define TOP_PACKAGE_VERSION "0.6.3"
#define TOP_PACKAGE_STRING "ipsec-tools 0.6.3"
#define TOP_PACKAGE_VERSION "0.6.3-20051204"
#define TOP_PACKAGE_STRING "ipsec-tools 0.6.3-20051204"
#define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"