upgrade libipsec to the latest.

- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy is now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some of programs will become not buildable - will commit shortly
This commit is contained in:
itojun 2000-01-31 14:15:30 +00:00
parent 2a29f83468
commit e5e6464767
11 changed files with 1463 additions and 1852 deletions

View File

@ -1,4 +1,4 @@
# $NetBSD: shl.elf,v 1.14 1999/11/23 11:20:29 blymn Exp $
# $NetBSD: shl.elf,v 1.15 2000/01/31 14:15:34 itojun Exp $
./usr/lib/libamu.so.1
./usr/lib/libbfd.so.3
./usr/lib/libbz2.so.0
@ -8,7 +8,7 @@
./usr/lib/libedit.so.2
./usr/lib/libg2c.so.0
./usr/lib/libgnumalloc.so.0
./usr/lib/libipsec.so.0
./usr/lib/libipsec.so.1
./usr/lib/libkvm.so.5
./usr/lib/libm.so.0
./usr/lib/libmenu.so.0

View File

@ -1,4 +1,4 @@
# $NetBSD: shl.mi,v 1.52 2000/01/28 17:40:41 itojun Exp $
# $NetBSD: shl.mi,v 1.53 2000/01/31 14:15:34 itojun Exp $
./usr/lib/libamu.so.1.1
./usr/lib/libbfd.so.3.0
./usr/lib/libbz2.so.0.0
@ -8,7 +8,7 @@
./usr/lib/libedit.so.2.3
./usr/lib/libg2c.so.0.0
./usr/lib/libgnumalloc.so.0.0
./usr/lib/libipsec.so.0.0
./usr/lib/libipsec.so.1.0
./usr/lib/libkvm.so.5.0
./usr/lib/libm.so.0.1
./usr/lib/libmenu.so.0.1

View File

@ -1,17 +1,24 @@
# $NetBSD: Makefile,v 1.2 1999/07/03 06:59:28 itojun Exp $
# $NetBSD: Makefile,v 1.3 2000/01/31 14:15:30 itojun Exp $
LIB= ipsec
#CFLAGS+=-g
CPPFLAGS+=-DIPSEC_DEBUG
CPPFLAGS+=-DIPSEC
CPPFLAGS+=-DINET6
CFLAGS+=-g
CPPFLAGS+=-DIPSEC_DEBUG -DIPSEC -DINET6 -I. -DYY_NO_UNPUT
.PATH: ${.CURDIR}/../../sys/netkey
SRCS= pfkey.c pfkey_dump.c
SRCS+= ipsec_policy.c ipsec_strerror.c key_debug.c
SRCS+= ipsec_strerror.c policy_parse.y policy_token.l
SRCS+= ipsec_get_policylen.c ipsec_dump_policy.c
SRCS+= key_debug.c
LPREFIX+=__libyy
YPREFIX+=__libyy
YHEADER=1
#LFLAGS+= -olex.yy.c
MAN= ipsec_set_policy.3 ipsec_strerror.3
MLINKS+=ipsec_set_policy.3 ipsec_get_policylen.3 \
ipsec_set_policy.3 ipsec_dump_policy.3
CLEANFILES+= y.tab.h
.include <bsd.lib.mk>

View File

@ -1,667 +0,0 @@
/* $NetBSD: ipsec_policy.c,v 1.3 1999/07/04 01:36:12 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if 0
static char *rcsid = "@(#) ipsec_policy.c KAME Revision: 1.1.4.8";
#else
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: ipsec_policy.c,v 1.3 1999/07/04 01:36:12 itojun Exp $");
#endif
#endif
/*
* The following requests are accepted:
* protocol parsed as protocol/default/
* protocol/level/proxy
* protocol/ parsed as protocol/default/
* protocol/level parsed as protocol/level/
* protocol/level/ parsed as protocol/level/
* protocol/proxy parsed as protocol/default/proxy
* protocol//proxy parsed as protocol/default/proxy
* protocol// parsed as protocol/default/
* You can concatenate these requests with either ' ' or '\n'.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <assert.h>
#include <net/route.h>
#include <netinet/in.h>
#include <netinet6/ipsec.h>
#include <netkey/keyv2.h>
#include <netkey/key_var.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
#include <strings.h>
#include <errno.h>
#include "ipsec_strerror.h"
/* order must be the same */
static char *tokens[] = {
"discard", "none", "ipsec", "entrust", "bypass",
"esp", "ah", "ipcomp", "default", "use", "require", "/", NULL
};
enum token {
t_invalid = -1, t_discard, t_none, t_ipsec, t_entrust, t_bypass,
t_esp, t_ah, t_ipcomp, t_default, t_use, t_require, t_slash, t_omit,
};
static int values[] = {
IPSEC_POLICY_DISCARD, IPSEC_POLICY_NONE, IPSEC_POLICY_IPSEC,
IPSEC_POLICY_ENTRUST, IPSEC_POLICY_BYPASS,
IPPROTO_ESP, IPPROTO_AH, IPPROTO_IPCOMP,
IPSEC_LEVEL_DEFAULT, IPSEC_LEVEL_USE, IPSEC_LEVEL_REQUIRE, 0, 0,
};
struct pbuf {
char *buf;
int buflen; /* size of the buffer */
int off; /* current offset */
};
/* XXX duplicated def */
static char *ipsp_strs[] = {
"discard", "none", "ipsec", "entrust", "bypass",
};
static enum token gettoken(char *p);
static char *skiptoken(char *p, enum token t);
static char *skipspaces(char *p);
static char *parse_request(struct pbuf *pbuf, char *p);
static char *parse_policy(struct pbuf *pbuf, char *p);
static char *get_sockaddr(char *host, struct sockaddr *addr);
static int parse_setreq(struct pbuf *pbuf, int proto, int level,
struct sockaddr *proxy);
static int parse_main(struct pbuf *pbuf, char *policy);
static enum token gettoken(char *p)
{
int i;
int l;
assert(p);
for (i = 0; i < sizeof(tokens)/sizeof(tokens[0]); i++) {
if (tokens[i] == NULL)
continue;
l = strlen(tokens[i]);
if (strncmp(p, tokens[i], l) != 0)
continue;
/* slash alone is okay as token */
if (i == t_slash)
return i;
/* other ones are words, so needs proper termination */
if (isspace(p[l]) || p[l] == '/' || p[l] == '\0')
return i;
}
return t_invalid;
}
static char *skiptoken(char *p, enum token t)
{
assert(p);
assert(tokens[t] != NULL);
if (gettoken(p) != t)
return NULL;
return p + strlen(tokens[t]);
}
static char *skipspaces(char *p)
{
assert(p);
while (p && isspace(*p))
p++;
return p;
}
static char *parse_request(struct pbuf *pbuf, char *p)
{
enum token t;
int i;
enum token ts[3]; /* set of tokens */
struct sockaddr_storage proxy;
int isproxy;
assert(p);
assert(pbuf);
i = 0;
/*
* here, we accept sequence like:
* [token slash]* token
* and decode that into ts[].
*/
for (i = 0; i < sizeof(ts)/sizeof(ts[0]); i++)
ts[i] = t_invalid;
i = 0;
while (i < sizeof(ts)/sizeof(ts[0])) {
/* get a token */
p = skipspaces(p);
t = gettoken(p);
switch (t) {
case t_invalid:
/*
* this may be a proxy.
* this shouldn't be a termination.
*/
if (*p != '\0')
goto breakbreak;
goto parseerror;
case t_esp:
case t_ah:
case t_ipcomp:
case t_default:
case t_use:
case t_require:
/*
* protocol or level - just keep it into ts[],
* we'll care about protocol/level ordering afterwards
*/
ts[i++] = t;
p = skiptoken(p, t);
break;
case t_slash:
/*
* the user did not specify the token - don't advance
* the pointer.
*/
ts[i++] = t_omit;
break;
default:
/* bzz, you are wrong */
goto parseerror;
}
/* get a slash */
p = skipspaces(p);
t = gettoken(p);
switch (t) {
case t_invalid:
/* this may be a termination. */
if (*p == '\0')
goto breakbreak;
goto parseerror;
case t_esp:
case t_ah:
case t_ipcomp:
/* protocol - we've hit the next request */
goto breakbreak;
case t_slash:
p = skiptoken(p, t);
break;
default:
/* bzz, you are wrong */
return NULL;
}
}
breakbreak:
/* alright, we've got the tokens. */
switch (i) {
case 0:
ipsec_errcode = EIPSEC_NO_PROTO;
return NULL; /* no token? naa, go away */
case 1:
case 2:
if (!(ts[0] == t_esp || ts[0] == t_ah || ts[0] == t_ipcomp)) {
ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;
}
if (i == 1) {
i++;
ts[1] = t_default;
}
if (ts[1] == t_omit)
ts[1] = t_default;
if (!(ts[1] == t_default || ts[1] == t_use
|| ts[1] == t_require)) {
ipsec_errcode = EIPSEC_INVAL_LEVEL;
return NULL;
}
break;
default:
ipsec_errcode = EIPSEC_INVAL_LEVEL; /*XXX*/
return NULL;
}
/* here, we should be having 2 tokens */
assert(i == 2);
/* we may have a proxy here */
isproxy = 0;
if (*p != '\0' && gettoken(p) == t_invalid) {
p = get_sockaddr(p, (struct sockaddr *)&proxy);
if (p == NULL) {
/* get_sockaddr updates ipsec_errcode */
return NULL;
}
isproxy++;
p = skipspaces(p);
}
if (parse_setreq(pbuf, values[ts[0]], values[ts[1]],
isproxy ? (struct sockaddr *)&proxy : NULL) < 0) {
/* parse_setreq updates ipsec_errcode */
return NULL;
}
return p;
parseerror:
ipsec_errcode = EIPSEC_NO_ERROR; /*sentinel*/
switch (i) {
case 0:
ipsec_errcode = EIPSEC_NO_PROTO;
break;
case 1:
case 2:
if (!(ts[0] == t_esp || ts[0] == t_ah || ts[0] == t_ipcomp))
ipsec_errcode = EIPSEC_INVAL_PROTO;
if (i == 1)
break;
if (!(ts[1] == t_default || ts[1] == t_use
|| ts[1] == t_require)) {
ipsec_errcode = EIPSEC_INVAL_LEVEL;
}
break;
}
if (ipsec_errcode == EIPSEC_NO_ERROR)
ipsec_errcode = EIPSEC_INVAL_LEVEL; /*XXX*/
return NULL;
}
static char *parse_policy(struct pbuf *pbuf, char *p)
{
enum token t;
int len;
struct sadb_x_policy *policy;
assert(p);
assert(pbuf);
ipsec_errcode = EIPSEC_NO_ERROR;
/* get the token */
p = skipspaces(p);
t = gettoken(p);
switch (t) {
case t_discard:
case t_none:
case t_ipsec:
case t_entrust:
case t_bypass:
p = skiptoken(p, t);
break;
default:
/* bzz, you're wrong */
ipsec_errcode = EIPSEC_INVAL_POLICY;
return NULL;
}
/* construct policy structure */
len = PFKEY_ALIGN8(sizeof(*policy));
policy = NULL;
if (pbuf->buf) {
if (pbuf->off + len > pbuf->buflen) {
/* buffer overflow */
ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
policy = (struct sadb_x_policy *)&pbuf->buf[pbuf->off];
memset(policy, 0, sizeof(*policy));
policy->sadb_x_policy_len = PFKEY_UNIT64(len);
/* update later */
policy->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
policy->sadb_x_policy_type = values[t];
}
pbuf->off += len;
/* alright, go to the next step */
while (p && *p)
p = parse_request(pbuf, p);
/* ipsec policy needs request */
if (t == t_ipsec && pbuf->off == len) {
ipsec_errcode = EIPSEC_INVAL_POLICY;
return NULL;
}
/* update length */
if (policy)
policy->sadb_x_policy_len = PFKEY_UNIT64(pbuf->off);
return p;
}
static char *get_sockaddr(char *host, struct sockaddr *addr)
{
struct sockaddr *saddr = NULL;
struct addrinfo hints, *res;
char *serv = NULL;
int error;
char *p, c;
/* find the next delimiter */
p = host;
while (p && *p && !isspace(*p) && *p != '/')
p++;
if (p == host)
return NULL;
c = *p;
*p = '\0';
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
if ((error = getaddrinfo(host, serv, &hints, &res)) != 0) {
ipsec_set_strerror(gai_strerror(error));
*p = c;
return NULL;
}
if (res->ai_addr == NULL) {
ipsec_set_strerror(gai_strerror(error));
*p = c;
return NULL;
}
#if 0
if (res->ai_next) {
printf("getaddrinfo(%s): "
"resolved to multiple address, taking the first one",
host);
}
#endif
if ((saddr = malloc(res->ai_addr->sa_len)) == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
freeaddrinfo(res);
*p = c;
return NULL;
}
memcpy(addr, res->ai_addr, res->ai_addr->sa_len);
freeaddrinfo(res);
ipsec_errcode = EIPSEC_NO_ERROR;
*p = c;
return p;
}
static int parse_setreq(struct pbuf *pbuf, int proto, int level,
struct sockaddr *proxy)
{
struct sadb_x_ipsecrequest *req;
int start;
int len;
assert(pbuf);
start = pbuf->off;
len = PFKEY_ALIGN8(sizeof(*req));
req = NULL;
if (pbuf->buf) {
if (pbuf->off + len > pbuf->buflen) {
/* buffer overflow */
ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
req = (struct sadb_x_ipsecrequest *)&pbuf->buf[pbuf->off];
memset(req, 0, sizeof(*req));
req->sadb_x_ipsecrequest_len = len; /* updated later */
req->sadb_x_ipsecrequest_proto = proto;
req->sadb_x_ipsecrequest_mode =
(proxy == NULL ? IPSEC_MODE_TRANSPORT
: IPSEC_MODE_TUNNEL);
req->sadb_x_ipsecrequest_level = level;
}
pbuf->off += len;
if (proxy) {
len = PFKEY_ALIGN8(proxy->sa_len);
if (pbuf->buf) {
if (pbuf->off + len > pbuf->buflen) {
/* buffer overflow */
ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
memset(&pbuf->buf[pbuf->off], 0, len);
memcpy(&pbuf->buf[pbuf->off], proxy, proxy->sa_len);
}
if (req)
req->sadb_x_ipsecrequest_len += len;
pbuf->off += len;
}
return 0;
}
static int parse_main(struct pbuf *pbuf, char *policy)
{
char *p;
ipsec_errcode = EIPSEC_NO_ERROR;
if (policy == NULL) {
ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
p = parse_policy(pbuf, policy);
if (!p) {
/* ipsec_errcode updated somewhere inside */
return -1;
}
p = skipspaces(p);
if (*p != '\0') {
ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
/* %%% */
int ipsec_get_policylen(char *policy)
{
struct pbuf pbuf;
memset(&pbuf, 0, sizeof(pbuf));
if (parse_main(&pbuf, policy) < 0)
return -1;
ipsec_errcode = EIPSEC_NO_ERROR;
return pbuf.off;
}
int ipsec_set_policy(char *buf, int len, char *policy)
{
struct pbuf pbuf;
memset(&pbuf, 0, sizeof(pbuf));
pbuf.buf = buf;
pbuf.buflen = len;
if (parse_main(&pbuf, policy) < 0)
return -1;
ipsec_errcode = EIPSEC_NO_ERROR;
return pbuf.off;
}
/*
* policy is sadb_x_policy buffer.
* Must call free() later.
* When delimiter == NULL, alternatively ' '(space) is applied.
*/
char *ipsec_dump_policy(char *policy, char *delimiter)
{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
struct sadb_x_ipsecrequest *xisr;
int xtlen, buflen;
char *buf;
/* sanity check */
if (policy == NULL)
return NULL;
if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
return NULL;
}
/* set delimiter */
if (delimiter == NULL)
delimiter = " ";
switch (xpl->sadb_x_policy_type) {
case IPSEC_POLICY_DISCARD:
case IPSEC_POLICY_NONE:
case IPSEC_POLICY_IPSEC:
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_ENTRUST:
break;
default:
ipsec_errcode = EIPSEC_INVAL_POLICY;
return NULL;
}
buflen = strlen(ipsp_strs[xpl->sadb_x_policy_type]) + 1;
if ((buf = malloc(buflen)) == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
strcpy(buf, ipsp_strs[xpl->sadb_x_policy_type]);
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
xtlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)(policy + sizeof(*xpl));
/* count length of buffer for use */
/* XXX non-seriously */
while (xtlen > 0) {
buflen += 20;
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL)
buflen += 50;
xtlen -= xisr->sadb_x_ipsecrequest_len;
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
}
/* validity check */
if (xtlen < 0) {
ipsec_errcode = EIPSEC_INVAL_SADBMSG;
free(buf);
return NULL;
}
if ((buf = realloc(buf, buflen)) == NULL) {
ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
xtlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)(policy + sizeof(*xpl));
while (xtlen > 0) {
switch (xisr->sadb_x_ipsecrequest_proto) {
case IPPROTO_ESP:
strcat(buf, delimiter);
strcat(buf, "esp");
break;
case IPPROTO_AH:
strcat(buf, delimiter);
strcat(buf, "ah");
break;
case IPPROTO_IPCOMP:
strcat(buf, delimiter);
strcat(buf, "ipcomp");
break;
default:
ipsec_errcode = EIPSEC_INVAL_PROTO;
free(buf);
return NULL;
}
switch (xisr->sadb_x_ipsecrequest_level) {
case IPSEC_LEVEL_DEFAULT:
strcat(buf, "/default");
break;
case IPSEC_LEVEL_USE:
strcat(buf, "/use");
break;
case IPSEC_LEVEL_REQUIRE:
strcat(buf, "/require");
break;
default:
ipsec_errcode = EIPSEC_INVAL_LEVEL;
free(buf);
return NULL;
}
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL) {
char tmp[100]; /* XXX */
struct sockaddr *saddr =
(struct sockaddr *)((caddr_t)xisr + sizeof(*xisr));
#if 1
inet_ntop(saddr->sa_family, _INADDRBYSA(saddr),
tmp, sizeof(tmp));
#else
getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
NULL, 0, NI_NUMERICHOST);
#endif
strcat(buf, "/");
strcat(buf, tmp);
}
xtlen -= xisr->sadb_x_ipsecrequest_len;
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
}
ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}

View File

@ -25,8 +25,8 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $NetBSD: ipsec_set_policy.3,v 1.5 1999/12/21 14:17:18 itojun Exp $
.\" KAME Id: ipsec_set_policy.3,v 1.1.2.6 1999/07/01 06:54:58 sakane Exp
.\" $NetBSD: ipsec_set_policy.3,v 1.6 2000/01/31 14:15:31 itojun Exp $
.\" KAME Id: ipsec_set_policy.3,v 1.8 2000/01/27 17:59:12 itojun Exp
.\"
.Dd May 5, 1998
.Dt IPSEC_SET_POLICY 3
@ -43,10 +43,10 @@
.\"
.Sh SYNOPSIS
.Fd #include <netinet6/ipsec.h>
.Ft "char *"
.Fn ipsec_set_policy "char *policy" "int len"
.Ft int
.Fn ipsec_set_policy "char *buf" "int len" "char *policy"
.Ft int
.Fn ipsec_get_policylen "char *policy"
.Fn ipsec_get_policylen "char *buf"
.Ft "char *"
.Fn ipsec_dump_policy "char *buf" "char *delim"
.\"
@ -58,21 +58,18 @@ and/or
.Li struct sadb_x_ipsecrequest
from human-readable policy specification.
policy specification must be given as C string
.Fa policy ,
and the resulting structure will be generated at the buffer pointed to by
.Fa buf ,
length
.Fa len .
.Pp
To obtain the required buffer size beforehand, use
.Fn ipsec_get_policylen
with the same
.Fa policy
argument.
and length
.Fa len
of
.Fa policy .
.Fn ipsec_set_policy
will return the buffer of IPsec policy specification structure.
.Pp
You may want the length of the generated buffer such when calling
.Xr setsockopt 2 .
.Fn ipsec_get_policylen
will return the required buffer size,
and you may want to allocate buffer dynamically for use with
.Fn ipsec_set_policy .
will return the length.
.Pp
.Fn ipsec_dump_policy
converts IPsec policy structure into readable form.
@ -95,51 +92,99 @@ returns pointer to dynamically allocated string.
It is caller's responsibility to reclaim the region, by using
.Xr free 3 .
.Pp
.\"
.Fa policy
is formatted as either of the following:
.Bl -tag -width "discard"
.It Li discard
.Li discard
means the packet matching indexes will be discarded.
.It Li none
.Li none
means IPsec will not be performed on the matching packets
.It Ar direction Li entrust
.Ar direction
must be
.Li in
or
.Li out .
.Ar direction
specifies which direction the policy needs to be applied.
.Li entrust
means to consult to SPD defined by
.Xr setkey 8 .
.It Ar direction Li bypass
.Li bypass
means to be bypassed the IPsec processing.
.Po
packet will be transmitted in clear
.Pc .
.It Xo Li ipsec
.Ar protocol
.Op Ar /level
.Op Ar /peer
.Op ...
This is for privileged socket.
.It Xo
.Ar direction
.Li ipsec
.Ar request ...
.Xc
.Li ipsec
means that the matching packets are subject to IPsec processing.
.Li ipsec
can be followed by multiple set of
.Do
can be followed by one or more
.Ar request
string, which is formatted as below:
.Bl -tag -width "discard"
.It Xo
.Ar protocol
.Li /
.Ar mode
.Li /
.Ar src
.Li -
.Ar dst
.Op Ar /level
.Op Ar /peer
.Dc
arguments.
.Xc
.Ar protocol
is either
.Li ah ,
.Li esp
or
.Li ipcomp .
.Pp
.Ar mode
is either
.Li transport
or
.Li tunnel .
.Pp
.Ar src
and
.Ar dst
specifies IPsec endpoint.
.Ar src
always means
.Dq sending node
and
.Ar dst
always means
.Dq receiving node .
Therefore, when
.Ar direction
is
.Li in ,
.Ar dst
is this node
and
.Ar src
is the other node
.Pq peer .
.Pp
.Ar level
must be set to one of the following:
.Li default , use
.Li default , use , require
or
.Li require .
.Li unique .
.Li default
means that the kernel should consult the system default policy
defined by
.Xr sysctl 8 ,
such as
.Li net.inet.ipsec.esp_trans_deflev .
See
.Xr ipsec 4
regarding the system default.
.Li use
means that a relevant SA can be used when available,
since the kernel may perform IPsec operation against packets when possible.
@ -150,14 +195,24 @@ or encrypted
.Li require
means that a relevant SA is required,
since the kernel must perform IPsec operation against packets.
.Ar peer
is an IPv4 or IPv6 address string, and it will be used as
a hint when IPsec system configures IPsec tunnel mode SA by using
key management protocol.
.Pp
If the string is kept unambiguous,
.Li unique
is the same as
.Li require ,
but adds the restriction that the SA for outbound traffic is used
only for this policy.
You may need the identifier in order to relate the policy and the SA
when you define the SA by manual keying.
You can put the decimal number as the identifier after
.Li unique
like
.Li unique : number .
.Li number
must be between 1 and 32767 .
If the
.Ar request
string is kept unambiguous,
.Ar level
and slashes surrounding
and slash prior to
.Ar level
can be omitted.
However, it is encouraged to specify them explicitly
@ -167,19 +222,31 @@ If
is omitted, it will be interpreted as
.Li default .
.El
.El
.Pp
Here are several examples:
Note that there is a bit difference of specification from
.Xr setkey 8 .
In specification by
.Xr setkey 8 ,
both entrust and bypass are not used. Refer to
.Xr setkey 8
for detail.
.Pp
Here are several examples
.Pq long lines are wrapped for readability :
.Bd -literal -offset indent
discard
ipsec esp/require
ipsec ah/use/10.1.1.1
ipsec esp/use ah/require
ipsec ipcomp/use esp/use ah/require
in discard
out ipsec esp/transport/10.1.1.1-10.1.1.2/require
in ipsec ah/transport/10.1.1.2-10.1.1.1/require
out ipsec esp/transport/10.1.1.2-10.1.1.1/use
ah/tunnel/10.1.1.2-10.1.1.1/unique:1000
in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
esp/transport/10.1.1.2-10.1.1.1/use
.Ed
.\"
.Sh RETURN VALUES
.Fn ipsec_set_policy
returns with 0 on success, negative value on errors.
returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
.Fn ipsec_get_policylen
returns with positive value
.Pq meaning the buffer size
@ -192,6 +259,7 @@ on errors.
.\"
.Sh SEE ALSO
.Xr ipsec_strerror 3 ,
.Xr ispec 4 ,
.Xr setkey 8
.\"
.Sh HISTORY

View File

@ -25,8 +25,8 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $NetBSD: ipsec_strerror.3,v 1.5 1999/12/21 14:17:18 itojun Exp $
.\" KAME Id: ipsec_strerror.3,v 1.1.2.1 1999/05/06 09:26:43 itojun Exp
.\" $NetBSD: ipsec_strerror.3,v 1.6 2000/01/31 14:15:31 itojun Exp $
.\" KAME Id: ipsec_strerror.3,v 1.4 2000/01/27 17:59:13 itojun Exp
.\"
.Dd May 6, 1998
.Dt IPSEC_STRERROR 3
@ -42,7 +42,7 @@
.Sh SYNOPSIS
.Fd #include <netinet6/ipsec.h>
.Ft "char *"
.Fn ipsec_strerror "int code"
.Fn ipsec_strerror
.\"
.Sh DESCRIPTION
.Pa netinet6/ipsec.h
@ -54,6 +54,19 @@ which is used to pass error code from IPsec policy manipulation library
to user program.
.Fn ipsec_strerror
can be used to obtain error message string for the error code.
.Pp
The array pointed to is not to be modified by the program.
Since
.Fn ipsec_strerror
uses
.Xr strerror 3
as underlying function, calling
.Xr strerror 3
after
.Fn ipsec_strerror
would make the return value from
.Fn ipsec_strerror
invalid, or overwritten.
.\"
.Sh RETURN VALUES
.Fn ipsec_strerror

View File

@ -1,4 +1,4 @@
/* $NetBSD: ipsec_strerror.c,v 1.3 1999/07/04 01:36:13 itojun Exp $ */
/* $NetBSD: ipsec_strerror.c,v 1.4 2000/01/31 14:15:31 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -46,7 +46,9 @@ static char *ipsec_errlist[] = {
"Invalid sadb message", /*EIPSEC_INVAL_SADBMSG*/
"Invalid version", /*EIPSEC_INVAL_VERSION*/
"Invalid security policy", /*EIPSEC_INVAL_POLICY*/
"Invalid address specification", /*EIPSEC_INVAL_ADDRESS*/
"Invalid ipsec protocol", /*EIPSEC_INVAL_PROTO*/
"Invalid ipsec mode", /*EIPSEC_INVAL_MODE*/
"Invalid ipsec level", /*EIPSEC_INVAL_LEVEL*/
"Invalid SA type", /*EIPSEC_INVAL_SATYPE*/
"Invalid message type", /*EIPSEC_INVAL_MSGTYPE*/
@ -55,6 +57,7 @@ static char *ipsec_errlist[] = {
"Invalid key length", /*EIPSEC_INVAL_KEYLEN*/
"Invalid address family", /*EIPSEC_INVAL_FAMILY*/
"Invalid prefix length", /*EIPSEC_INVAL_PREFIXLEN*/
"Invalid direciton", /*EIPSEC_INVAL_DIR*/
"SPI range violation", /*EIPSEC_INVAL_SPI*/
"No protocol specified", /*EIPSEC_NO_PROTO*/
"No algorithm specified", /*EIPSEC_NO_ALGS*/
@ -62,6 +65,7 @@ static char *ipsec_errlist[] = {
"Must get supported algorithms list first", /*EIPSEC_DO_GET_SUPP_LIST*/
"Protocol mismatch", /*EIPSEC_PROTO_MISMATCH*/
"Family mismatch", /*EIPSEC_FAMILY_MISMATCH*/
"Too few arguments", /*EIPSEC_FEW_ARGUMENTS*/
NULL, /*EIPSEC_SYSTEM_ERROR*/
"Unknown error", /*EIPSEC_MAX*/
};

View File

@ -1,4 +1,4 @@
/* $NetBSD: ipsec_strerror.h,v 1.3 1999/07/04 01:36:13 itojun Exp $ */
/* $NetBSD: ipsec_strerror.h,v 1.4 2000/01/31 14:15:31 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -30,7 +30,7 @@
*/
extern int ipsec_errcode;
extern void ipsec_set_strerror(char *str);
extern void ipsec_set_strerror __P((char *));
#define EIPSEC_NO_ERROR 0 /*success*/
#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
@ -38,21 +38,25 @@ extern void ipsec_set_strerror(char *str);
#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
#define EIPSEC_INVAL_PROTO 6 /*invalid ipsec protocol*/
#define EIPSEC_INVAL_LEVEL 7 /*invalid ipsec level*/
#define EIPSEC_INVAL_SATYPE 8 /*invalid SA type*/
#define EIPSEC_INVAL_MSGTYPE 9 /*invalid message type*/
#define EIPSEC_INVAL_EXTTYPE 10 /*invalid extension type*/
#define EIPSEC_INVAL_ALGS 11 /*Invalid algorithm type*/
#define EIPSEC_INVAL_KEYLEN 12 /*invalid key length*/
#define EIPSEC_INVAL_FAMILY 13 /*invalid address family*/
#define EIPSEC_INVAL_PREFIXLEN 14 /*SPI range violation*/
#define EIPSEC_INVAL_SPI 15 /*invalid prefixlen*/
#define EIPSEC_NO_PROTO 16 /*no protocol specified*/
#define EIPSEC_NO_ALGS 17 /*No algorithm specified*/
#define EIPSEC_NO_BUFS 18 /*no buffers available*/
#define EIPSEC_DO_GET_SUPP_LIST 19 /*must get supported algorithm first*/
#define EIPSEC_PROTO_MISMATCH 20 /*protocol mismatch*/
#define EIPSEC_FAMILY_MISMATCH 21 /*family mismatch*/
#define EIPSEC_SYSTEM_ERROR 22 /*system error*/
#define EIPSEC_MAX 23 /*unknown error*/
#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
#define EIPSEC_NO_BUFS 21 /*no buffers available*/
#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
#define EIPSEC_MAX 27 /*unknown error*/

File diff suppressed because it is too large Load Diff

View File

@ -1,4 +1,4 @@
/* $NetBSD: pfkey_dump.c,v 1.3 1999/07/04 01:36:13 itojun Exp $ */
/* $NetBSD: pfkey_dump.c,v 1.4 2000/01/31 14:15:32 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -38,6 +38,7 @@
#include <netkey/key_debug.h>
#include <netinet/in.h>
#include <netinet6/ipsec.h>
#ifdef INET6
#include <netinet6/in6.h>
#endif
@ -52,7 +53,7 @@
#include "ipsec_strerror.h"
#define GETMSGSTR(str, num) \
{ \
do { \
if (sizeof((str)[0]) == 0 \
|| num >= sizeof(str)/sizeof((str)[0])) \
printf("%d ", (num)); \
@ -60,14 +61,15 @@
printf("%d ", (num)); \
else \
printf("%s ", (str)[(num)]); \
}
} while (0)
#define GETAF(p) \
(((struct sockaddr *)(p))->sa_family)
static char *_str_addr(u_int family, caddr_t addr, u_int pref, u_int port);
static char *_str_time(time_t t);
static void _str_lifetime_byte(struct sadb_lifetime *x, char *str);
static char *_str_ipaddr __P((u_int family, caddr_t addr));
static char *_str_prefport __P((u_int family, u_int pref, u_int port));
static char *_str_time __P((time_t t));
static void _str_lifetime_byte __P((struct sadb_lifetime *x, char *str));
/*
* Must to be re-written about following strings.
@ -85,21 +87,27 @@ static char *_str_satype[] = {
"ipcomp",
};
static char *_str_upper[] = {
"any", "icmp", "", "", "",
"", "tcp", "", "", "",
"", "", "", "", "",
"", "", "udp", "", "",
"", "", "", "", "",
"", "", "", "", "",
static char *_str_mode[] = {
"any",
"transport",
"tunnel",
};
#if 0
static char *_str_base[] = {
"new",
"old",
static char *_str_upper[] = {
/*0*/ "ip", "icmp", "igmp", "ggp", "ip4",
"", "tcp", "", "egp", "",
/*10*/ "", "", "", "", "",
"", "", "udp", "", "",
/*20*/ "", "", "idp", "", "",
"", "", "", "", "tp",
/*30*/ "", "", "", "", "",
"", "", "", "", "",
/*40*/ "", "ip6", "", "rt6", "frag6",
"", "rsvp", "gre", "", "",
/*50*/ "esp", "ah", "", "", "",
"", "", "", "icmp6", "none",
/*60*/ "dst6",
};
#endif
static char *_str_state[] = {
"larval",
@ -134,16 +142,12 @@ static char *_str_alg_comp[] = {
"lzs",
};
static char *_str_dir[] = {
"outbound",
"inbound",
"bi-direction",
};
/*
* dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
*/
void pfkey_sadump(struct sadb_msg *m)
void
pfkey_sadump(m)
struct sadb_msg *m;
{
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_sa *m_sa;
@ -154,7 +158,11 @@ void pfkey_sadump(struct sadb_msg *m)
struct sadb_sens *m_sens;
/* check pfkey message. */
if (pfkey_check(m, mhp)) {
if (pfkey_align(m, mhp)) {
printf("%s\n", ipsec_strerror());
return;
}
if (pfkey_check(mhp)) {
printf("%s\n", ipsec_strerror());
return;
}
@ -169,7 +177,7 @@ void pfkey_sadump(struct sadb_msg *m)
m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
/* source address */
@ -178,10 +186,7 @@ void pfkey_sadump(struct sadb_msg *m)
return;
}
printf("%s ",
_str_addr(GETAF((caddr_t)m_saddr + sizeof(*m_saddr)),
_INADDRBYSA((caddr_t)m_saddr + sizeof(*m_saddr)),
m_saddr->sadb_address_prefixlen,
_INPORTBYSA((caddr_t)m_saddr + sizeof(*m_saddr))));
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)));
/* destination address */
if (m_daddr == NULL) {
@ -189,42 +194,25 @@ void pfkey_sadump(struct sadb_msg *m)
return;
}
printf("%s ",
_str_addr(GETAF((caddr_t)m_daddr + sizeof(*m_daddr)),
_INADDRBYSA((caddr_t)m_daddr + sizeof(*m_daddr)),
m_daddr->sadb_address_prefixlen,
_INPORTBYSA((caddr_t)m_daddr + sizeof(*m_daddr))));
/* upper layer protocol */
if (m_saddr->sadb_address_proto != m_saddr->sadb_address_proto) {
printf("upper layer protocol mismatched.\n");
return;
}
GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
/* proxy address */
if (m_paddr != NULL) {
int prefix = _INALENBYAF(GETAF((caddr_t)m_paddr + sizeof(*m_paddr))) << 3;
printf("%s",
_str_addr(GETAF((caddr_t)m_paddr + sizeof(*m_paddr)),
_INADDRBYSA((caddr_t)m_paddr + sizeof(*m_paddr)),
prefix,
0));
}
printf("\n");
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)));
/* SA type */
if (m_sa == NULL) {
printf("no SA extension.\n");
return;
}
printf("\t");
printf("\n\t");
GETMSGSTR(_str_satype, m->sadb_msg_satype);
printf("spi=%u(0x%08x) replay=%u flags=0x%08x\n",
printf("mode=");
GETMSGSTR(_str_mode, m->sadb_msg_mode);
printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
m_sa->sadb_sa_replay,
m_sa->sadb_sa_flags);
(u_int32_t)m->sadb_msg_reqid,
(u_int32_t)m->sadb_msg_reqid);
/* encryption key */
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
@ -249,8 +237,13 @@ void pfkey_sadump(struct sadb_msg *m)
printf("\n");
}
/* replay windoe size & flags */
printf("\treplay=%u flags=0x%08x ",
m_sa->sadb_sa_replay,
m_sa->sadb_sa_flags);
/* state */
printf("\tstate=");
printf("state=");
GETMSGSTR(_str_state, m_sa->sadb_sa_state);
printf("seq=%lu pid=%lu\n",
@ -299,24 +292,26 @@ void pfkey_sadump(struct sadb_msg *m)
0 : m_lfts->sadb_lifetime_allocations));
}
{ /* XXX TEST */
char *x = (char *)&m->sadb_msg_reserved;
printf("\tdir=");
GETMSGSTR(_str_dir, (int)x[0]);
printf("refcnt=%d\n", (int)x[1]);
}
/* XXX DEBUG */
printf("\trefcnt=%u\n", m->sadb_msg_reserved2);
return;
}
void pfkey_spdump(struct sadb_msg *m)
void
pfkey_spdump(m)
struct sadb_msg *m;
{
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_address *m_saddr, *m_daddr;
struct sadb_x_policy *m_xpl;
/* check pfkey message. */
if (pfkey_check(m, mhp)) {
if (pfkey_align(m, mhp)) {
printf("%s\n", ipsec_strerror());
return;
}
if (pfkey_check(mhp)) {
printf("%s\n", ipsec_strerror());
return;
}
@ -330,25 +325,32 @@ void pfkey_spdump(struct sadb_msg *m)
printf("no ADDRESS_SRC extension.\n");
return;
}
printf("%s ",
_str_addr(GETAF((caddr_t)m_saddr + sizeof(*m_saddr)),
_INADDRBYSA((caddr_t)m_saddr + sizeof(*m_saddr)),
m_saddr->sadb_address_prefixlen,
_INPORTBYSA((caddr_t)m_saddr + sizeof(*m_saddr))));
printf("%s%s ",
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)),
_str_prefport(GETAF(m_saddr + 1),
m_saddr->sadb_address_prefixlen,
_INPORTBYSA(m_saddr + 1)));
/* destination address */
if (m_daddr == NULL) {
printf("no ADDRESS_DST extension.\n");
return;
}
printf("%s ",
_str_addr(GETAF((caddr_t)m_daddr + sizeof(*m_daddr)),
_INADDRBYSA((caddr_t)m_daddr + sizeof(*m_daddr)),
m_daddr->sadb_address_prefixlen,
_INPORTBYSA((caddr_t)m_daddr + sizeof(*m_daddr))));
printf("%s%s ",
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)),
_str_prefport(GETAF(m_daddr + 1),
m_daddr->sadb_address_prefixlen,
_INPORTBYSA(m_daddr + 1)));
/* upper layer protocol */
GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) {
printf("upper layer protocol mismatched.\n");
return;
}
if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY)
printf("any");
else
GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
/* policy */
{
@ -369,37 +371,65 @@ void pfkey_spdump(struct sadb_msg *m)
(u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid);
{ /* TEST */
char *x = (char *)&m->sadb_msg_reserved;
printf("\tdir=");
GETMSGSTR(_str_dir, (int)x[0]);
printf("refcnt=%d\n", (int)x[1]);
}
/* XXX TEST */
printf("\trefcnt=%u\n", m->sadb_msg_reserved2);
return;
}
/*
* set "ip address/prefix[port number]" to buffer.
* set "ipaddress" to buffer.
*/
static char *_str_addr(u_int family, caddr_t addr, u_int pref, u_int port)
static char *
_str_ipaddr(family, addr)
u_int family;
caddr_t addr;
{
static char buf[128];
char pbuf[128];
char addrbuf[128];
if (addr == NULL)
return "";
inet_ntop(family, addr, pbuf, sizeof(pbuf));
inet_ntop(family, addr, addrbuf, sizeof(addrbuf));
snprintf(buf, sizeof(buf), "%s", addrbuf);
return buf;
}
/*
* set "/prefix[port number]" to buffer.
*/
static char *
_str_prefport(family, pref, port)
u_int family, pref, port;
{
static char buf[128];
char prefbuf[10];
char portbuf[10];
if (pref == (_INALENBYAF(family) << 3))
prefbuf[0] = '\0';
else
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
if (port == IPSEC_PORT_ANY)
snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
else
snprintf(portbuf, sizeof(portbuf), "[%u]", ntohs(port));
snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
snprintf(buf, sizeof(buf), "%s/%u[%u]", pbuf, pref, ntohs(port));
return buf;
}
/*
* set "Mon Day Time Year" to buffer
*/
static char *_str_time(time_t t)
static char *
_str_time(t)
time_t t;
{
static char buf[128];
@ -417,7 +447,10 @@ static char *_str_time(time_t t)
return(buf);
}
static void _str_lifetime_byte(struct sadb_lifetime *x, char *str)
static void
_str_lifetime_byte(x, str)
struct sadb_lifetime *x;
char *str;
{
double y;
char *unit;

View File

@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.1 1999/07/01 20:15:29 itojun Exp $
# $NetBSD: shlib_version,v 1.2 2000/01/31 14:15:32 itojun Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing
#
major=0
major=1
minor=0