Add NAT ports to SAD in setkey so that NAT SAD entries generated by
racoon can be removed by hand.
This commit is contained in:
parent
3ab5dca36c
commit
a5b1c92448
|
@ -1,3 +1,11 @@
|
|||
2005-12-04 Frederic Senault <fred@lacave.net>
|
||||
|
||||
* src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
|
||||
function to display SAD entries with their associated ports.
|
||||
* src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag
|
||||
in conjunction with -D to show SADs with the port, allow both get and
|
||||
delete commands to use bracketed ports if needed.
|
||||
|
||||
---------------------------------------------
|
||||
|
||||
0.6.3 released
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: libpfkey.h,v 1.8 2005/11/21 14:20:28 manu Exp $ */
|
||||
/* $NetBSD: libpfkey.h,v 1.9 2005/12/04 20:46:40 manu Exp $ */
|
||||
|
||||
/* Id: libpfkey.h,v 1.8.2.3 2005/06/29 13:01:28 manubsd Exp */
|
||||
|
||||
|
@ -46,6 +46,7 @@
|
|||
|
||||
struct sadb_msg;
|
||||
extern void pfkey_sadump __P((struct sadb_msg *));
|
||||
extern void pfkey_sadump_withports __P((struct sadb_msg *));
|
||||
extern void pfkey_spdump __P((struct sadb_msg *));
|
||||
extern void pfkey_spdump_withports __P((struct sadb_msg *));
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: pfkey_dump.c,v 1.11 2005/11/21 14:20:28 manu Exp $ */
|
||||
/* $NetBSD: pfkey_dump.c,v 1.12 2005/12/04 20:46:40 manu Exp $ */
|
||||
|
||||
/* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */
|
||||
|
||||
|
@ -107,10 +107,12 @@ do { \
|
|||
} while (/*CONSTCOND*/0)
|
||||
|
||||
static char *str_ipaddr __P((struct sockaddr *));
|
||||
static char *str_ipport __P((struct sockaddr *));
|
||||
static char *str_prefport __P((u_int, u_int, u_int, u_int));
|
||||
static void str_upperspec __P((u_int, u_int, u_int));
|
||||
static char *str_time __P((time_t));
|
||||
static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
|
||||
static void pfkey_sadump1(struct sadb_msg *, int);
|
||||
static void pfkey_spdump1(struct sadb_msg *, int);
|
||||
|
||||
struct val2str {
|
||||
|
@ -210,9 +212,25 @@ static struct val2str str_alg_comp[] = {
|
|||
/*
|
||||
* dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
|
||||
*/
|
||||
|
||||
void
|
||||
pfkey_sadump(m)
|
||||
struct sadb_msg *m;
|
||||
{
|
||||
pfkey_sadump1(m, 0);
|
||||
}
|
||||
|
||||
void
|
||||
pfkey_sadump_withports(m)
|
||||
struct sadb_msg *m;
|
||||
{
|
||||
pfkey_sadump1(m, 1);
|
||||
}
|
||||
|
||||
void
|
||||
pfkey_sadump1(m, withports)
|
||||
struct sadb_msg *m;
|
||||
int withports;
|
||||
{
|
||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||
struct sadb_sa *m_sa;
|
||||
|
@ -231,6 +249,7 @@ pfkey_sadump(m)
|
|||
struct sadb_x_nat_t_type *natt_type;
|
||||
struct sadb_x_nat_t_port *natt_sport, *natt_dport;
|
||||
struct sadb_address *natt_oa;
|
||||
struct sockaddr *sa;
|
||||
|
||||
int use_natt = 0;
|
||||
#endif
|
||||
|
@ -276,7 +295,11 @@ pfkey_sadump(m)
|
|||
printf("no ADDRESS_SRC extension.\n");
|
||||
return;
|
||||
}
|
||||
printf("%s", str_ipaddr((void *)(m_saddr + 1)));
|
||||
sa = (void *)(m_saddr + 1);
|
||||
if (withports)
|
||||
printf("%s[%s]", str_ipaddr(sa), str_ipport(sa));
|
||||
else
|
||||
printf("%s", str_ipaddr(sa));
|
||||
#ifdef SADB_X_EXT_NAT_T_TYPE
|
||||
if (use_natt && natt_sport)
|
||||
printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port));
|
||||
|
@ -288,7 +311,11 @@ pfkey_sadump(m)
|
|||
printf(" no ADDRESS_DST extension.\n");
|
||||
return;
|
||||
}
|
||||
printf("%s", str_ipaddr((void *)(m_daddr + 1)));
|
||||
sa = (void *)(m_daddr + 1);
|
||||
if (withports)
|
||||
printf("%s[%s]", str_ipaddr(sa), str_ipport(sa));
|
||||
else
|
||||
printf("%s", str_ipaddr(sa));
|
||||
#ifdef SADB_X_EXT_NAT_T_TYPE
|
||||
if (use_natt && natt_dport)
|
||||
printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port));
|
||||
|
@ -602,6 +629,26 @@ str_ipaddr(sa)
|
|||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* set "port" to buffer.
|
||||
*/
|
||||
static char *
|
||||
str_ipport(sa)
|
||||
struct sockaddr *sa;
|
||||
{
|
||||
static char buf[NI_MAXHOST];
|
||||
const int niflag = NI_NUMERICSERV;
|
||||
|
||||
if (sa == NULL)
|
||||
return "";
|
||||
|
||||
if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL, 0,
|
||||
buf, sizeof(buf), niflag) == 0)
|
||||
return buf;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* set "/prefix[port number]" to buffer.
|
||||
*/
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: parse.y,v 1.7 2005/11/21 14:20:36 manu Exp $ */
|
||||
/* $NetBSD: parse.y,v 1.8 2005/12/04 20:46:40 manu Exp $ */
|
||||
|
||||
/* $KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $ */
|
||||
|
||||
|
@ -180,7 +180,7 @@ add_command
|
|||
|
||||
/* delete */
|
||||
delete_command
|
||||
: DELETE ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
|
||||
: DELETE ipaddropts ipandport ipandport protocol_spec spi extension_spec EOT
|
||||
{
|
||||
int status;
|
||||
|
||||
|
@ -211,7 +211,7 @@ deleteall_command
|
|||
|
||||
/* get command */
|
||||
get_command
|
||||
: GET ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
|
||||
: GET ipaddropts ipandport ipandport protocol_spec spi extension_spec EOT
|
||||
{
|
||||
int status;
|
||||
|
||||
|
@ -709,7 +709,6 @@ ipandport
|
|||
}
|
||||
;
|
||||
|
||||
|
||||
prefix
|
||||
: /*NOTHING*/ { $$ = -1; }
|
||||
| SLASH DECSTRING { $$ = $2; }
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: setkey.8,v 1.17 2005/09/15 08:42:09 wiz Exp $
|
||||
.\" $NetBSD: setkey.8,v 1.18 2005/12/04 20:46:40 manu Exp $
|
||||
.\"
|
||||
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
.\" All rights reserved.
|
||||
|
@ -97,9 +97,7 @@ If
|
|||
is also specified, the SPD entries are dumped.
|
||||
If
|
||||
.Fl p
|
||||
is specified with
|
||||
.FL P ,
|
||||
the ports that can be used for ESP over UDP are displayed.
|
||||
is specified, the ports are displayed.
|
||||
.It Fl F
|
||||
Flush the SAD entries.
|
||||
If
|
||||
|
@ -266,7 +264,8 @@ Meta-arguments are as follows:
|
|||
.It Ar src
|
||||
.It Ar dst
|
||||
Source/destination of the secure communication is specified as
|
||||
an IPv4/v6 address.
|
||||
an IPv4/v6 address, and an optional port number between square
|
||||
brackets.
|
||||
.Nm
|
||||
can resolve a FQDN into numeric addresses.
|
||||
If the FQDN resolves into multiple addresses,
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: setkey.c,v 1.9 2005/11/21 14:20:36 manu Exp $ */
|
||||
/* $NetBSD: setkey.c,v 1.10 2005/12/04 20:46:40 manu Exp $ */
|
||||
|
||||
/* $KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $ */
|
||||
|
||||
|
@ -135,7 +135,7 @@ usage(int only_version)
|
|||
printf("usage: setkey [-v" RK_OPTS "] file ...\n");
|
||||
printf(" setkey [-nv" RK_OPTS "] -c\n");
|
||||
printf(" setkey [-nv" RK_OPTS "] -f filename\n");
|
||||
printf(" setkey [-Palv" RK_OPTS "] -D\n");
|
||||
printf(" setkey [-Palpv" RK_OPTS "] -D\n");
|
||||
printf(" setkey [-Pv] -F\n");
|
||||
printf(" setkey [-H] -x\n");
|
||||
printf(" setkey [-V] [-h]\n");
|
||||
|
@ -570,6 +570,9 @@ postproc(msg, len)
|
|||
|
||||
switch (msg->sadb_msg_type) {
|
||||
case SADB_GET:
|
||||
if (f_withports)
|
||||
pfkey_sadump_withports(msg);
|
||||
else
|
||||
pfkey_sadump(msg);
|
||||
break;
|
||||
|
||||
|
@ -585,10 +588,15 @@ postproc(msg, len)
|
|||
break;
|
||||
}
|
||||
}
|
||||
if (f_forever)
|
||||
if (f_forever) {
|
||||
/* TODO: f_withports */
|
||||
shortdump(msg);
|
||||
} else {
|
||||
if (f_withports)
|
||||
pfkey_sadump_withports(msg);
|
||||
else
|
||||
pfkey_sadump(msg);
|
||||
}
|
||||
msg = (struct sadb_msg *)((caddr_t)msg +
|
||||
PFKEY_UNUNIT64(msg->sadb_msg_len));
|
||||
if (f_verbose) {
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#define TOP_PACKAGE "ipsec-tools"
|
||||
#define TOP_PACKAGE_NAME "ipsec-tools"
|
||||
#define TOP_PACKAGE_VERSION "0.6.3"
|
||||
#define TOP_PACKAGE_STRING "ipsec-tools 0.6.3"
|
||||
#define TOP_PACKAGE_VERSION "0.6.3-20051204"
|
||||
#define TOP_PACKAGE_STRING "ipsec-tools 0.6.3-20051204"
|
||||
#define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"
|
||||
|
|
Loading…
Reference in New Issue