synchronize with latest kame tree.
behavior change: policy syntax was changed. you may need to update your setkey(8) configuration files.
This commit is contained in:
@@ -27,7 +27,7 @@
|
||||
# $FreeBSD$
|
||||
|
||||
LIB= ipsec
|
||||
SHLIB_MAJOR= 0
|
||||
SHLIB_MAJOR= 1
|
||||
SHLIB_MINOR= 0
|
||||
CFLAGS+=-I${.OBJDIR}
|
||||
CFLAGS+=-DIPSEC_DEBUG -DIPSEC
|
||||
@@ -35,11 +35,11 @@ CFLAGS+=-DIPSEC_DEBUG -DIPSEC
|
||||
CFLAGS+=-DINET6
|
||||
.endif
|
||||
|
||||
.PATH: ${.CURDIR}/../../sys/netkey
|
||||
SRCS= pfkey.c pfkey_dump.c
|
||||
#.PATH: ${.CURDIR}/../../sys/netkey
|
||||
#SRCS= pfkey.c pfkey_dump.c
|
||||
SRCS+= ipsec_strerror.c policy_parse.y policy_token.l
|
||||
SRCS+= ipsec_dump_policy.c ipsec_get_policylen.c
|
||||
SRCS+= key_debug.c
|
||||
#SRCS+= key_debug.c
|
||||
CLEANFILES+= y.tab.c y.tab.h
|
||||
YFLAGS+=-d -p __libipsecyy
|
||||
LFLAGS+=-P__libipsecyy
|
||||
|
||||
+173
-119
@@ -1,3 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: ipsec_dump_policy.c,v 1.11 2000/05/07 05:29:47 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
@@ -25,8 +28,6 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
@@ -39,6 +40,7 @@
|
||||
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <netdb.h>
|
||||
@@ -53,7 +55,11 @@ static const char *ipsp_policy_strs[] = {
|
||||
"discard", "none", "ipsec", "entrust", "bypass",
|
||||
};
|
||||
|
||||
static int set_addresses __P((char *buf, caddr_t ptr));
|
||||
static char *ipsec_dump_ipsecrequest __P((char *, size_t,
|
||||
struct sadb_x_ipsecrequest *, size_t));
|
||||
static int set_addresses __P((char *, size_t, struct sockaddr *,
|
||||
struct sockaddr *));
|
||||
static char *set_address __P((char *, size_t, struct sockaddr *));
|
||||
|
||||
/*
|
||||
* policy is sadb_x_policy buffer.
|
||||
@@ -67,15 +73,16 @@ ipsec_dump_policy(policy, delimiter)
|
||||
{
|
||||
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
|
||||
struct sadb_x_ipsecrequest *xisr;
|
||||
int xtlen, buflen;
|
||||
size_t off, buflen;
|
||||
char *buf;
|
||||
int error;
|
||||
char isrbuf[1024];
|
||||
char *newbuf;
|
||||
|
||||
/* sanity check */
|
||||
if (policy == NULL)
|
||||
return NULL;
|
||||
if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
|
||||
ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
|
||||
__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -89,7 +96,7 @@ ipsec_dump_policy(policy, delimiter)
|
||||
case IPSEC_DIR_OUTBOUND:
|
||||
break;
|
||||
default:
|
||||
ipsec_errcode = EIPSEC_INVAL_DIR;
|
||||
__ipsec_errcode = EIPSEC_INVAL_DIR;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -101,7 +108,7 @@ ipsec_dump_policy(policy, delimiter)
|
||||
case IPSEC_POLICY_ENTRUST:
|
||||
break;
|
||||
default:
|
||||
ipsec_errcode = EIPSEC_INVAL_POLICY;
|
||||
__ipsec_errcode = EIPSEC_INVAL_POLICY;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -111,143 +118,190 @@ ipsec_dump_policy(policy, delimiter)
|
||||
+ 1; /* NUL */
|
||||
|
||||
if ((buf = malloc(buflen)) == NULL) {
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
__ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
return NULL;
|
||||
}
|
||||
strcpy(buf, ipsp_dir_strs[xpl->sadb_x_policy_dir]);
|
||||
strcat(buf, " ");
|
||||
strcat(buf, ipsp_policy_strs[xpl->sadb_x_policy_type]);
|
||||
snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir],
|
||||
ipsp_policy_strs[xpl->sadb_x_policy_type]);
|
||||
|
||||
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
__ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return buf;
|
||||
}
|
||||
|
||||
xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
|
||||
xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
|
||||
|
||||
/* count length of buffer for use */
|
||||
/* XXX non-seriously */
|
||||
while (xtlen > 0) {
|
||||
buflen += 20;
|
||||
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL)
|
||||
buflen += 50;
|
||||
xtlen -= xisr->sadb_x_ipsecrequest_len;
|
||||
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
|
||||
+ xisr->sadb_x_ipsecrequest_len);
|
||||
off = sizeof(*xpl);
|
||||
while (off < PFKEY_EXTLEN(xpl)) {
|
||||
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
|
||||
off += xisr->sadb_x_ipsecrequest_len;
|
||||
}
|
||||
|
||||
/* validity check */
|
||||
if (xtlen < 0) {
|
||||
ipsec_errcode = EIPSEC_INVAL_SADBMSG;
|
||||
if (off != PFKEY_EXTLEN(xpl)) {
|
||||
__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if ((buf = realloc(buf, buflen)) == NULL) {
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
off = sizeof(*xpl);
|
||||
while (off < PFKEY_EXTLEN(xpl)) {
|
||||
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
|
||||
|
||||
if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
|
||||
PFKEY_EXTLEN(xpl) - off) == NULL) {
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
buflen = strlen(buf) + strlen(delimiter) + strlen(isrbuf) + 1;
|
||||
newbuf = (char *)realloc(buf, buflen);
|
||||
if (newbuf == NULL) {
|
||||
__ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
buf = newbuf;
|
||||
snprintf(buf, buflen, "%s%s%s", buf, delimiter, isrbuf);
|
||||
|
||||
off += xisr->sadb_x_ipsecrequest_len;
|
||||
}
|
||||
|
||||
__ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return buf;
|
||||
}
|
||||
|
||||
static char *
|
||||
ipsec_dump_ipsecrequest(buf, len, xisr, bound)
|
||||
char *buf;
|
||||
size_t len;
|
||||
struct sadb_x_ipsecrequest *xisr;
|
||||
size_t bound; /* boundary */
|
||||
{
|
||||
const char *proto, *mode, *level;
|
||||
char abuf[NI_MAXHOST * 2 + 2];
|
||||
|
||||
if (xisr->sadb_x_ipsecrequest_len > bound) {
|
||||
__ipsec_errcode = EIPSEC_INVAL_PROTO;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
|
||||
xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
|
||||
|
||||
while (xtlen > 0) {
|
||||
strcat(buf, delimiter);
|
||||
|
||||
switch (xisr->sadb_x_ipsecrequest_proto) {
|
||||
case IPPROTO_ESP:
|
||||
strcat(buf, "esp");
|
||||
break;
|
||||
case IPPROTO_AH:
|
||||
strcat(buf, "ah");
|
||||
break;
|
||||
case IPPROTO_IPCOMP:
|
||||
strcat(buf, "ipcomp");
|
||||
break;
|
||||
default:
|
||||
ipsec_errcode = EIPSEC_INVAL_PROTO;
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
strcat(buf, "/");
|
||||
|
||||
switch (xisr->sadb_x_ipsecrequest_mode) {
|
||||
case IPSEC_MODE_ANY:
|
||||
strcat(buf, "any");
|
||||
break;
|
||||
case IPSEC_MODE_TRANSPORT:
|
||||
strcat(buf, "transport");
|
||||
break;
|
||||
case IPSEC_MODE_TUNNEL:
|
||||
strcat(buf, "tunnel");
|
||||
break;
|
||||
default:
|
||||
ipsec_errcode = EIPSEC_INVAL_MODE;
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
strcat(buf, "/");
|
||||
|
||||
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
|
||||
error = set_addresses(buf, (caddr_t)(xisr + 1));
|
||||
if (error) {
|
||||
ipsec_errcode = EIPSEC_INVAL_MODE;
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
switch (xisr->sadb_x_ipsecrequest_level) {
|
||||
case IPSEC_LEVEL_DEFAULT:
|
||||
strcat(buf, "/default");
|
||||
break;
|
||||
case IPSEC_LEVEL_USE:
|
||||
strcat(buf, "/use");
|
||||
break;
|
||||
case IPSEC_LEVEL_REQUIRE:
|
||||
strcat(buf, "/require");
|
||||
break;
|
||||
case IPSEC_LEVEL_UNIQUE:
|
||||
strcat(buf, "/unique");
|
||||
break;
|
||||
default:
|
||||
ipsec_errcode = EIPSEC_INVAL_LEVEL;
|
||||
free(buf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
xtlen -= xisr->sadb_x_ipsecrequest_len;
|
||||
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
|
||||
+ xisr->sadb_x_ipsecrequest_len);
|
||||
switch (xisr->sadb_x_ipsecrequest_proto) {
|
||||
case IPPROTO_ESP:
|
||||
proto = "esp";
|
||||
break;
|
||||
case IPPROTO_AH:
|
||||
proto = "ah";
|
||||
break;
|
||||
case IPPROTO_IPCOMP:
|
||||
proto = "ipcomp";
|
||||
break;
|
||||
default:
|
||||
__ipsec_errcode = EIPSEC_INVAL_PROTO;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
switch (xisr->sadb_x_ipsecrequest_mode) {
|
||||
case IPSEC_MODE_ANY:
|
||||
mode = "any";
|
||||
break;
|
||||
case IPSEC_MODE_TRANSPORT:
|
||||
mode = "transport";
|
||||
break;
|
||||
case IPSEC_MODE_TUNNEL:
|
||||
mode = "tunnel";
|
||||
break;
|
||||
default:
|
||||
__ipsec_errcode = EIPSEC_INVAL_MODE;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
abuf[0] = '\0';
|
||||
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
|
||||
struct sockaddr *sa1, *sa2;
|
||||
caddr_t p;
|
||||
|
||||
p = (caddr_t)(xisr + 1);
|
||||
sa1 = (struct sockaddr *)p;
|
||||
sa2 = (struct sockaddr *)(p + sa1->sa_len);
|
||||
if (sizeof(*xisr) + sa1->sa_len + sa2->sa_len !=
|
||||
xisr->sadb_x_ipsecrequest_len) {
|
||||
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
|
||||
return NULL;
|
||||
}
|
||||
if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
|
||||
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
switch (xisr->sadb_x_ipsecrequest_level) {
|
||||
case IPSEC_LEVEL_DEFAULT:
|
||||
level = "default";
|
||||
break;
|
||||
case IPSEC_LEVEL_USE:
|
||||
level = "use";
|
||||
break;
|
||||
case IPSEC_LEVEL_REQUIRE:
|
||||
level = "require";
|
||||
break;
|
||||
case IPSEC_LEVEL_UNIQUE:
|
||||
level = "unique";
|
||||
break;
|
||||
default:
|
||||
__ipsec_errcode = EIPSEC_INVAL_LEVEL;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (xisr->sadb_x_ipsecrequest_reqid == 0)
|
||||
snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level);
|
||||
else {
|
||||
int ch;
|
||||
|
||||
if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX)
|
||||
ch = '#';
|
||||
else
|
||||
ch = ':';
|
||||
snprintf(buf, len, "%s/%s/%s/%s%c%d", proto, mode, abuf, level,
|
||||
ch, xisr->sadb_x_ipsecrequest_reqid);
|
||||
}
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return buf;
|
||||
}
|
||||
|
||||
static int
|
||||
set_addresses(buf, ptr)
|
||||
set_addresses(buf, len, sa1, sa2)
|
||||
char *buf;
|
||||
caddr_t ptr;
|
||||
size_t len;
|
||||
struct sockaddr *sa1;
|
||||
struct sockaddr *sa2;
|
||||
{
|
||||
char tmp[100]; /* XXX */
|
||||
struct sockaddr *saddr = (struct sockaddr *)ptr;
|
||||
|
||||
getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
|
||||
NULL, 0, NI_NUMERICHOST);
|
||||
|
||||
strcat(buf, tmp);
|
||||
|
||||
strcat(buf, "-");
|
||||
|
||||
saddr = (struct sockaddr *)((caddr_t)saddr + saddr->sa_len);
|
||||
getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
|
||||
NULL, 0, NI_NUMERICHOST);
|
||||
|
||||
strcat(buf, tmp);
|
||||
char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST];
|
||||
|
||||
if (set_address(tmp1, sizeof(tmp1), sa1) == NULL ||
|
||||
set_address(tmp2, sizeof(tmp2), sa2) == NULL)
|
||||
return -1;
|
||||
if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len)
|
||||
return -1;
|
||||
snprintf(buf, len, "%s-%s", tmp1, tmp2);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static char *
|
||||
set_address(buf, len, sa)
|
||||
char *buf;
|
||||
size_t len;
|
||||
struct sockaddr *sa;
|
||||
{
|
||||
#ifdef NI_WITHSCOPEID
|
||||
const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
|
||||
#else
|
||||
const int niflags = NI_NUMERICHOST;
|
||||
#endif
|
||||
|
||||
if (len < 1)
|
||||
return NULL;
|
||||
buf[0] = '\0';
|
||||
if (getnameinfo(sa, sa->sa_len, buf, len, NULL, 0, niflags) != 0)
|
||||
return NULL;
|
||||
return buf;
|
||||
}
|
||||
|
||||
@@ -1,3 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
@@ -25,13 +28,13 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <netinet6/ipsec.h>
|
||||
|
||||
#include <net/pfkeyv2.h>
|
||||
|
||||
#include "ipsec_strerror.h"
|
||||
|
||||
@@ -1,4 +1,7 @@
|
||||
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
.\" $FreeBSD$
|
||||
.\" $KAME: ipsec_set_policy.3,v 1.10 2000/05/07 05:25:03 itojun Exp $
|
||||
.\"
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
@@ -25,9 +28,6 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $Id: ipsec_set_policy.3,v 1.5 1999/10/20 00:21:06 sakane Exp $
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd May 5, 1998
|
||||
.Dt IPSEC_SET_POLICY 3
|
||||
.Os
|
||||
@@ -36,10 +36,10 @@
|
||||
.Nm ipsec_get_policylen ,
|
||||
.Nm ipsec_dump_policy
|
||||
.Nd manipulate IPsec policy specification structure from readable string
|
||||
.\"
|
||||
.Sh LIBRARY
|
||||
.Lb libipsec
|
||||
.Sh SYNOPSIS
|
||||
.Fd #include <sys/types.h>
|
||||
.Fd #include <netinet6/ipsec.h>
|
||||
.Ft "char *"
|
||||
.Fn ipsec_set_policy "char *policy" "int len"
|
||||
@@ -167,9 +167,9 @@ is the other node
|
||||
.Pp
|
||||
.Ar level
|
||||
must be set to one of the following:
|
||||
.Li default , use
|
||||
.Li default , use , require
|
||||
or
|
||||
.Li require .
|
||||
.Li unique .
|
||||
.Li default
|
||||
means that the kernel should consult the system default policy
|
||||
defined by
|
||||
@@ -189,6 +189,19 @@ or encrypted
|
||||
.Li require
|
||||
means that a relevant SA is required,
|
||||
since the kernel must perform IPsec operation against packets.
|
||||
.Li unique
|
||||
is the same as
|
||||
.Li require ,
|
||||
but adds the restriction that the SA for outbound traffic is used
|
||||
only for this policy.
|
||||
You may need the identifier in order to relate the policy and the SA
|
||||
when you define the SA by manual keying.
|
||||
You can put the decimal number as the identifier after
|
||||
.Li unique
|
||||
like
|
||||
.Li unique : number .
|
||||
.Li number
|
||||
must be between 1 and 32767 .
|
||||
If the
|
||||
.Ar request
|
||||
string is kept unambiguous,
|
||||
@@ -219,8 +232,8 @@ Here are several examples
|
||||
in discard
|
||||
out ipsec esp/transport/10.1.1.1-10.1.1.2/require
|
||||
in ipsec ah/transport/10.1.1.2-10.1.1.1/require
|
||||
in ipsec esp/transport/10.1.1.2-10.1.1.1/use
|
||||
ah/tunnel/10.1.1.2-10.1.1.1/require
|
||||
out ipsec esp/transport/10.1.1.2-10.1.1.1/use
|
||||
ah/tunnel/10.1.1.2-10.1.1.1/unique:1000
|
||||
in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
|
||||
esp/transport/10.1.1.2-10.1.1.1/use
|
||||
.Ed
|
||||
@@ -238,11 +251,7 @@ and
|
||||
on errors.
|
||||
.Sh SEE ALSO
|
||||
.Xr ipsec_strerror 3 ,
|
||||
.Xr ipsec 4 ,
|
||||
.Xr ispec 4 ,
|
||||
.Xr setkey 8
|
||||
.Sh HISTORY
|
||||
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
|
||||
.Pp
|
||||
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
|
||||
was initially integrated into
|
||||
.Fx 4.0
|
||||
|
||||
@@ -1,4 +1,7 @@
|
||||
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
.\" $FreeBSD$
|
||||
.\" $KAME: ipsec_strerror.3,v 1.6 2000/05/07 05:25:03 itojun Exp $
|
||||
.\"
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
@@ -25,22 +28,19 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $Id: ipsec_strerror.3,v 1.2 1999/09/21 03:49:19 itojun Exp $
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd May 6, 1998
|
||||
.Dt IPSEC_STRERROR 3
|
||||
.Os
|
||||
.\"
|
||||
.Sh NAME
|
||||
.Nm ipsec_strerror
|
||||
.Nd error code for IPsec policy manipulation library
|
||||
.Sh LIBRARY
|
||||
.Lb libipsec
|
||||
.\"
|
||||
.Sh SYNOPSIS
|
||||
.Fd #include <sys/types.h>
|
||||
.Fd #include <netinet6/ipsec.h>
|
||||
.Ft "char *"
|
||||
.Fn ipsec_strerror void
|
||||
.Fn ipsec_strerror
|
||||
.\"
|
||||
.Sh DESCRIPTION
|
||||
.Pa netinet6/ipsec.h
|
||||
declares
|
||||
@@ -51,16 +51,30 @@ which is used to pass error code from IPsec policy manipulation library
|
||||
to user program.
|
||||
.Fn ipsec_strerror
|
||||
can be used to obtain error message string for the error code.
|
||||
.Pp
|
||||
The array pointed to is not to be modified by the program.
|
||||
Since
|
||||
.Fn ipsec_strerror
|
||||
uses
|
||||
.Xr strerror 3
|
||||
as underlying function, calling
|
||||
.Xr strerror 3
|
||||
after
|
||||
.Fn ipsec_strerror
|
||||
would make the return value from
|
||||
.Fn ipsec_strerror
|
||||
invalid, or overwritten.
|
||||
.\"
|
||||
.Sh RETURN VALUES
|
||||
.Fn ipsec_strerror
|
||||
always return a pointer to C string.
|
||||
The C string must not be overwritten by user programs.
|
||||
.\"
|
||||
.\" .Sh SEE ALSO
|
||||
.Sh SEE ALSO
|
||||
.Xr ipsec_set_policy 3
|
||||
.\"
|
||||
.Sh HISTORY
|
||||
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
|
||||
.Pp
|
||||
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
|
||||
was initially integrated into
|
||||
.Fx 4.0
|
||||
.\"
|
||||
.\" .Sh BUGS
|
||||
.\" (to be written)
|
||||
|
||||
@@ -1,3 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: ipsec_strerror.c,v 1.6 2000/05/07 05:25:03 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
@@ -25,8 +28,6 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
@@ -37,7 +38,7 @@
|
||||
|
||||
#include "ipsec_strerror.h"
|
||||
|
||||
int ipsec_errcode;
|
||||
int __ipsec_errcode;
|
||||
|
||||
static char *ipsec_errlist[] = {
|
||||
"Success", /*EIPSEC_NO_ERROR*/
|
||||
@@ -72,15 +73,15 @@ NULL, /*EIPSEC_SYSTEM_ERROR*/
|
||||
|
||||
char *ipsec_strerror(void)
|
||||
{
|
||||
if (ipsec_errcode < 0 || ipsec_errcode > EIPSEC_MAX)
|
||||
ipsec_errcode = EIPSEC_MAX;
|
||||
if (__ipsec_errcode < 0 || __ipsec_errcode > EIPSEC_MAX)
|
||||
__ipsec_errcode = EIPSEC_MAX;
|
||||
|
||||
return ipsec_errlist[ipsec_errcode];
|
||||
return ipsec_errlist[__ipsec_errcode];
|
||||
}
|
||||
|
||||
void ipsec_set_strerror(char *str)
|
||||
void __ipsec_set_strerror(char *str)
|
||||
{
|
||||
ipsec_errcode = EIPSEC_SYSTEM_ERROR;
|
||||
__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
|
||||
ipsec_errlist[EIPSEC_SYSTEM_ERROR] = str;
|
||||
|
||||
return;
|
||||
|
||||
@@ -1,3 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: ipsec_strerror.h,v 1.7 2000/05/07 05:25:03 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
@@ -25,38 +28,36 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
extern int ipsec_errcode;
|
||||
extern void ipsec_set_strerror(char *str);
|
||||
extern int __ipsec_errcode;
|
||||
extern void __ipsec_set_strerror __P((char *));
|
||||
|
||||
#define EIPSEC_NO_ERROR 0 /*success*/
|
||||
#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
|
||||
#define EIPSEC_INVAL_ARGUMENT 2 /*invalid argument*/
|
||||
#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
|
||||
#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
|
||||
#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
|
||||
#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
|
||||
#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
|
||||
#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
|
||||
#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
|
||||
#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
|
||||
#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
|
||||
#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
|
||||
#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
|
||||
#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
|
||||
#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
|
||||
#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
|
||||
#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
|
||||
#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
|
||||
#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
|
||||
#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
|
||||
#define EIPSEC_NO_BUFS 21 /*no buffers available*/
|
||||
#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
|
||||
#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
|
||||
#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
|
||||
#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
|
||||
#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
|
||||
#define EIPSEC_MAX 27 /*unknown error*/
|
||||
#define EIPSEC_NO_ERROR 0 /*success*/
|
||||
#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
|
||||
#define EIPSEC_INVAL_ARGUMENT 2 /*invalid argument*/
|
||||
#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
|
||||
#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
|
||||
#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
|
||||
#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
|
||||
#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
|
||||
#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
|
||||
#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
|
||||
#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
|
||||
#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
|
||||
#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
|
||||
#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
|
||||
#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
|
||||
#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
|
||||
#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
|
||||
#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
|
||||
#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
|
||||
#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
|
||||
#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
|
||||
#define EIPSEC_NO_BUFS 21 /*no buffers available*/
|
||||
#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
|
||||
#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
|
||||
#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
|
||||
#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
|
||||
#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
|
||||
#define EIPSEC_MAX 27 /*unknown error*/
|
||||
|
||||
@@ -0,0 +1,77 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: libpfkey.h,v 1.1 2000/06/08 21:28:32 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
extern void pfkey_sadump __P((struct sadb_msg *));
|
||||
extern void pfkey_spdump __P((struct sadb_msg *));
|
||||
|
||||
struct sockaddr;
|
||||
int ipsec_check_keylen __P((u_int, u_int, u_int));
|
||||
u_int pfkey_set_softrate __P((u_int, u_int));
|
||||
u_int pfkey_get_softrate __P((u_int));
|
||||
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
|
||||
struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
|
||||
int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
|
||||
struct sockaddr *, u_int32_t, u_int32_t, u_int,
|
||||
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
|
||||
u_int64_t, u_int64_t, u_int32_t));
|
||||
int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
|
||||
struct sockaddr *, u_int32_t, u_int32_t, u_int,
|
||||
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
|
||||
u_int64_t, u_int64_t, u_int32_t));
|
||||
int pfkey_send_delete __P((int, u_int, u_int,
|
||||
struct sockaddr *, struct sockaddr *, u_int32_t));
|
||||
int pfkey_send_get __P((int, u_int, u_int,
|
||||
struct sockaddr *, struct sockaddr *, u_int32_t));
|
||||
int pfkey_send_register __P((int, u_int));
|
||||
int pfkey_recv_register __P((int));
|
||||
int pfkey_send_flush __P((int, u_int));
|
||||
int pfkey_send_dump __P((int, u_int));
|
||||
int pfkey_send_promisc_toggle __P((int, int));
|
||||
int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
|
||||
int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
|
||||
int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
|
||||
int pfkey_send_spddelete2 __P((int, u_int32_t));
|
||||
int pfkey_send_spdget __P((int, u_int32_t));
|
||||
int pfkey_send_spdsetidx __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
|
||||
int pfkey_send_spdflush __P((int));
|
||||
int pfkey_send_spddump __P((int));
|
||||
|
||||
int pfkey_open __P((void));
|
||||
void pfkey_close __P((int));
|
||||
struct sadb_msg *pfkey_recv __P((int));
|
||||
int pfkey_send __P((int, struct sadb_msg *, int));
|
||||
int pfkey_align __P((struct sadb_msg *, caddr_t *));
|
||||
int pfkey_check __P((caddr_t *));
|
||||
+406
-232
File diff suppressed because it is too large
Load Diff
+124
-61
@@ -1,3 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: pfkey_dump.c,v 1.19 2000/06/10 06:47:11 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
@@ -25,8 +28,6 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
@@ -39,9 +40,6 @@
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet6/ipsec.h>
|
||||
#ifdef INET6
|
||||
#include <netinet6/in6.h>
|
||||
#endif
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#include <stdlib.h>
|
||||
@@ -49,11 +47,13 @@
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include <netdb.h>
|
||||
|
||||
#include "ipsec_strerror.h"
|
||||
#include "libpfkey.h"
|
||||
|
||||
#define GETMSGSTR(str, num) \
|
||||
{ \
|
||||
#define GETMSGSTR(str, num) \
|
||||
do { \
|
||||
if (sizeof((str)[0]) == 0 \
|
||||
|| num >= sizeof(str)/sizeof((str)[0])) \
|
||||
printf("%d ", (num)); \
|
||||
@@ -61,15 +61,12 @@
|
||||
printf("%d ", (num)); \
|
||||
else \
|
||||
printf("%s ", (str)[(num)]); \
|
||||
}
|
||||
} while (0)
|
||||
|
||||
#define GETAF(p) \
|
||||
(((struct sockaddr *)(p))->sa_family)
|
||||
|
||||
static char *_str_ipaddr __P((u_int family, caddr_t addr));
|
||||
static char *_str_prefport __P((u_int family, u_int pref, u_int port));
|
||||
static char *_str_time __P((time_t t));
|
||||
static void _str_lifetime_byte __P((struct sadb_lifetime *x, char *str));
|
||||
static char *str_ipaddr __P((struct sockaddr *));
|
||||
static char *str_prefport __P((u_int, u_int, u_int));
|
||||
static char *str_time __P((time_t));
|
||||
static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
|
||||
|
||||
/*
|
||||
* Must to be re-written about following strings.
|
||||
@@ -151,6 +148,7 @@ pfkey_sadump(m)
|
||||
{
|
||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||
struct sadb_sa *m_sa;
|
||||
struct sadb_x_sa2 *m_sa2;
|
||||
struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts;
|
||||
struct sadb_address *m_saddr, *m_daddr, *m_paddr;
|
||||
struct sadb_key *m_auth, *m_enc;
|
||||
@@ -168,6 +166,7 @@ pfkey_sadump(m)
|
||||
}
|
||||
|
||||
m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
|
||||
m_sa2 = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
|
||||
m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
|
||||
m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
|
||||
m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
|
||||
@@ -177,7 +176,7 @@ pfkey_sadump(m)
|
||||
m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
|
||||
m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
|
||||
m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
|
||||
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
|
||||
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
|
||||
m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
|
||||
|
||||
/* source address */
|
||||
@@ -185,34 +184,36 @@ pfkey_sadump(m)
|
||||
printf("no ADDRESS_SRC extension.\n");
|
||||
return;
|
||||
}
|
||||
printf("%s ",
|
||||
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)));
|
||||
printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
|
||||
|
||||
/* destination address */
|
||||
if (m_daddr == NULL) {
|
||||
printf("no ADDRESS_DST extension.\n");
|
||||
return;
|
||||
}
|
||||
printf("%s ",
|
||||
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)));
|
||||
printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
|
||||
|
||||
/* SA type */
|
||||
if (m_sa == NULL) {
|
||||
printf("no SA extension.\n");
|
||||
return;
|
||||
}
|
||||
if (m_sa2 == NULL) {
|
||||
printf("no SA2 extension.\n");
|
||||
return;
|
||||
}
|
||||
printf("\n\t");
|
||||
|
||||
GETMSGSTR(_str_satype, m->sadb_msg_satype);
|
||||
|
||||
printf("mode=");
|
||||
GETMSGSTR(_str_mode, m->sadb_msg_mode);
|
||||
GETMSGSTR(_str_mode, m_sa2->sadb_x_sa2_mode);
|
||||
|
||||
printf("spi=%u(0x%08x) replay=%u flags=0x%08x\n",
|
||||
printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
|
||||
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
|
||||
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
|
||||
m_sa->sadb_sa_replay,
|
||||
m_sa->sadb_sa_flags);
|
||||
(u_int32_t)m_sa2->sadb_x_sa2_reqid,
|
||||
(u_int32_t)m_sa2->sadb_x_sa2_reqid);
|
||||
|
||||
/* encryption key */
|
||||
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
|
||||
@@ -237,8 +238,13 @@ pfkey_sadump(m)
|
||||
printf("\n");
|
||||
}
|
||||
|
||||
/* replay windoe size & flags */
|
||||
printf("\treplay=%u flags=0x%08x ",
|
||||
m_sa->sadb_sa_replay,
|
||||
m_sa->sadb_sa_flags);
|
||||
|
||||
/* state */
|
||||
printf("\tstate=");
|
||||
printf("state=");
|
||||
GETMSGSTR(_str_state, m_sa->sadb_sa_state);
|
||||
|
||||
printf("seq=%lu pid=%lu\n",
|
||||
@@ -250,8 +256,8 @@ pfkey_sadump(m)
|
||||
time_t tmp_time = time(0);
|
||||
|
||||
printf("\tcreated: %s",
|
||||
_str_time(m_lftc->sadb_lifetime_addtime));
|
||||
printf("\tcurrent: %s\n", _str_time(tmp_time));
|
||||
str_time(m_lftc->sadb_lifetime_addtime));
|
||||
printf("\tcurrent: %s\n", str_time(tmp_time));
|
||||
printf("\tdiff: %lu(s)",
|
||||
(u_long)(m_lftc->sadb_lifetime_addtime == 0 ?
|
||||
0 : (tmp_time - m_lftc->sadb_lifetime_addtime)));
|
||||
@@ -264,7 +270,7 @@ pfkey_sadump(m)
|
||||
0 : m_lfts->sadb_lifetime_addtime));
|
||||
|
||||
printf("\tlast: %s",
|
||||
_str_time(m_lftc->sadb_lifetime_usetime));
|
||||
str_time(m_lftc->sadb_lifetime_usetime));
|
||||
printf("\thard: %lu(s)",
|
||||
(u_long)(m_lfth == NULL ?
|
||||
0 : m_lfth->sadb_lifetime_usetime));
|
||||
@@ -272,9 +278,9 @@ pfkey_sadump(m)
|
||||
(u_long)(m_lfts == NULL ?
|
||||
0 : m_lfts->sadb_lifetime_usetime));
|
||||
|
||||
_str_lifetime_byte(m_lftc, "current");
|
||||
_str_lifetime_byte(m_lfth, "hard");
|
||||
_str_lifetime_byte(m_lfts, "soft");
|
||||
str_lifetime_byte(m_lftc, "current");
|
||||
str_lifetime_byte(m_lfth, "hard");
|
||||
str_lifetime_byte(m_lfts, "soft");
|
||||
printf("\n");
|
||||
|
||||
printf("\tallocated: %lu",
|
||||
@@ -288,7 +294,7 @@ pfkey_sadump(m)
|
||||
}
|
||||
|
||||
/* XXX DEBUG */
|
||||
printf("\trefcnt=%d\n", m->sadb_msg_reserved);
|
||||
printf("\trefcnt=%u\n", m->sadb_msg_reserved);
|
||||
|
||||
return;
|
||||
}
|
||||
@@ -297,9 +303,12 @@ void
|
||||
pfkey_spdump(m)
|
||||
struct sadb_msg *m;
|
||||
{
|
||||
char pbuf[NI_MAXSERV];
|
||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||
struct sadb_address *m_saddr, *m_daddr;
|
||||
struct sadb_x_policy *m_xpl;
|
||||
struct sockaddr *sa;
|
||||
u_int16_t port;
|
||||
|
||||
/* check pfkey message. */
|
||||
if (pfkey_align(m, mhp)) {
|
||||
@@ -320,25 +329,49 @@ pfkey_spdump(m)
|
||||
printf("no ADDRESS_SRC extension.\n");
|
||||
return;
|
||||
}
|
||||
printf("%s%s ",
|
||||
_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)),
|
||||
_str_prefport(GETAF(m_saddr + 1),
|
||||
m_saddr->sadb_address_prefixlen,
|
||||
_INPORTBYSA(m_saddr + 1)));
|
||||
sa = (struct sockaddr *)(m_saddr + 1);
|
||||
switch (sa->sa_family) {
|
||||
case AF_INET:
|
||||
case AF_INET6:
|
||||
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
|
||||
NI_NUMERICSERV) != 0)
|
||||
port = 0; /*XXX*/
|
||||
else
|
||||
port = atoi(pbuf);
|
||||
printf("%s%s ", str_ipaddr(sa),
|
||||
str_prefport(sa->sa_family,
|
||||
m_saddr->sadb_address_prefixlen, port));
|
||||
break;
|
||||
default:
|
||||
printf("unknown-af ");
|
||||
break;
|
||||
}
|
||||
|
||||
/* destination address */
|
||||
if (m_daddr == NULL) {
|
||||
printf("no ADDRESS_DST extension.\n");
|
||||
return;
|
||||
}
|
||||
printf("%s%s ",
|
||||
_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)),
|
||||
_str_prefport(GETAF(m_daddr + 1),
|
||||
m_daddr->sadb_address_prefixlen,
|
||||
_INPORTBYSA(m_daddr + 1)));
|
||||
sa = (struct sockaddr *)(m_daddr + 1);
|
||||
switch (sa->sa_family) {
|
||||
case AF_INET:
|
||||
case AF_INET6:
|
||||
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
|
||||
NI_NUMERICSERV) != 0)
|
||||
port = 0; /*XXX*/
|
||||
else
|
||||
port = atoi(pbuf);
|
||||
printf("%s%s ", str_ipaddr(sa),
|
||||
str_prefport(sa->sa_family,
|
||||
m_daddr->sadb_address_prefixlen, port));
|
||||
break;
|
||||
default:
|
||||
printf("unknown-af ");
|
||||
break;
|
||||
}
|
||||
|
||||
/* upper layer protocol */
|
||||
if (m_saddr->sadb_address_proto != m_saddr->sadb_address_proto) {
|
||||
if (m_saddr->sadb_address_proto != m_daddr->sadb_address_proto) {
|
||||
printf("upper layer protocol mismatched.\n");
|
||||
return;
|
||||
}
|
||||
@@ -362,12 +395,13 @@ pfkey_spdump(m)
|
||||
free(d_xpl);
|
||||
}
|
||||
|
||||
printf("\tseq=%ld pid=%ld\n",
|
||||
printf("\tspid=%ld seq=%ld pid=%ld\n",
|
||||
(u_long)m_xpl->sadb_x_policy_id,
|
||||
(u_long)m->sadb_msg_seq,
|
||||
(u_long)m->sadb_msg_pid);
|
||||
|
||||
/* XXX TEST */
|
||||
printf("\trefcnt=%d\n", m->sadb_msg_reserved);
|
||||
printf("\trefcnt=%u\n", m->sadb_msg_reserved);
|
||||
|
||||
return;
|
||||
}
|
||||
@@ -376,35 +410,48 @@ pfkey_spdump(m)
|
||||
* set "ipaddress" to buffer.
|
||||
*/
|
||||
static char *
|
||||
_str_ipaddr(family, addr)
|
||||
u_int family;
|
||||
caddr_t addr;
|
||||
str_ipaddr(sa)
|
||||
struct sockaddr *sa;
|
||||
{
|
||||
static char buf[128];
|
||||
char addrbuf[128];
|
||||
static char buf[NI_MAXHOST];
|
||||
#ifdef NI_WITHSCOPEID
|
||||
const int niflag = NI_NUMERICHOST | NI_WITHSCOPEID;
|
||||
#else
|
||||
const int niflag = NI_NUMERICHOST;
|
||||
#endif
|
||||
|
||||
if (addr == NULL)
|
||||
if (sa == NULL)
|
||||
return "";
|
||||
|
||||
inet_ntop(family, addr, addrbuf, sizeof(addrbuf));
|
||||
|
||||
snprintf(buf, sizeof(buf), "%s", addrbuf);
|
||||
|
||||
return buf;
|
||||
if (getnameinfo(sa, sa->sa_len, buf, sizeof(buf), NULL, 0, niflag) == 0)
|
||||
return buf;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* set "/prefix[port number]" to buffer.
|
||||
*/
|
||||
static char *
|
||||
_str_prefport(family, pref, port)
|
||||
str_prefport(family, pref, port)
|
||||
u_int family, pref, port;
|
||||
{
|
||||
static char buf[128];
|
||||
char prefbuf[10];
|
||||
char portbuf[10];
|
||||
int plen;
|
||||
|
||||
if (pref == (_INALENBYAF(family) << 3))
|
||||
switch (family) {
|
||||
case AF_INET:
|
||||
plen = sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
case AF_INET6:
|
||||
plen = sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
default:
|
||||
return "?";
|
||||
}
|
||||
|
||||
if (pref == plen)
|
||||
prefbuf[0] = '\0';
|
||||
else
|
||||
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
|
||||
@@ -412,7 +459,7 @@ _str_prefport(family, pref, port)
|
||||
if (port == IPSEC_PORT_ANY)
|
||||
snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
|
||||
else
|
||||
snprintf(portbuf, sizeof(portbuf), "[%u]", ntohs(port));
|
||||
snprintf(portbuf, sizeof(portbuf), "[%u]", port);
|
||||
|
||||
snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
|
||||
|
||||
@@ -423,7 +470,7 @@ _str_prefport(family, pref, port)
|
||||
* set "Mon Day Time Year" to buffer
|
||||
*/
|
||||
static char *
|
||||
_str_time(t)
|
||||
str_time(t)
|
||||
time_t t;
|
||||
{
|
||||
static char buf[128];
|
||||
@@ -443,7 +490,7 @@ _str_time(t)
|
||||
}
|
||||
|
||||
static void
|
||||
_str_lifetime_byte(x, str)
|
||||
str_lifetime_byte(x, str)
|
||||
struct sadb_lifetime *x;
|
||||
char *str;
|
||||
{
|
||||
@@ -456,8 +503,24 @@ _str_lifetime_byte(x, str)
|
||||
return;
|
||||
}
|
||||
|
||||
#if 0
|
||||
if ((x->sadb_lifetime_bytes) / 1024 / 1024) {
|
||||
y = (x->sadb_lifetime_bytes) * 1.0 / 1024 / 1024;
|
||||
unit = "M";
|
||||
w = 1;
|
||||
} else if ((x->sadb_lifetime_bytes) / 1024) {
|
||||
y = (x->sadb_lifetime_bytes) * 1.0 / 1024;
|
||||
unit = "K";
|
||||
w = 1;
|
||||
} else {
|
||||
y = (x->sadb_lifetime_bytes) * 1.0;
|
||||
unit = "";
|
||||
w = 0;
|
||||
}
|
||||
#else
|
||||
y = (x->sadb_lifetime_bytes) * 1.0;
|
||||
unit = "";
|
||||
w = 0;
|
||||
#endif
|
||||
printf("\t%s: %.*f(%sbytes)", str, w, y, unit);
|
||||
}
|
||||
|
||||
+59
-53
@@ -1,3 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
@@ -25,10 +28,7 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
/* KAME $Id: policy_parse.y,v 1.1 1999/10/20 01:26:41 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* IN/OUT bound policy configuration take place such below:
|
||||
@@ -59,24 +59,24 @@
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <string.h>
|
||||
#include <netdb.h>
|
||||
|
||||
#include "ipsec_strerror.h"
|
||||
|
||||
#define ATOX(c) \
|
||||
#define ATOX(c) \
|
||||
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
|
||||
|
||||
static caddr_t pbuf = NULL; /* sadb_x_policy buffer */
|
||||
static int tlen = 0; /* total length of pbuf */
|
||||
static int offset = 0; /* offset of pbuf */
|
||||
static int p_dir, p_type, p_protocol, p_mode, p_level;
|
||||
static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
|
||||
static struct sockaddr *p_src = NULL;
|
||||
static struct sockaddr *p_dst = NULL;
|
||||
|
||||
struct _val;
|
||||
extern void yyerror __P((char *msg));
|
||||
static struct sockaddr *parse_sockaddr __P((/*struct _val *buf*/));
|
||||
static struct sockaddr *parse_sockaddr __P((struct _val *buf));
|
||||
static int rule_check __P((void));
|
||||
static int init_x_policy __P((void));
|
||||
static int set_x_request __P((struct sockaddr *src, struct sockaddr *dst));
|
||||
@@ -85,8 +85,8 @@ static void policy_parse_request_init __P((void));
|
||||
static caddr_t policy_parse __P((char *msg, int msglen));
|
||||
|
||||
extern void __policy__strbuffer__init__ __P((char *msg));
|
||||
extern int yyparse();
|
||||
extern int yylex();
|
||||
extern int yyparse __P((void));
|
||||
extern int yylex __P((void));
|
||||
|
||||
%}
|
||||
|
||||
@@ -98,12 +98,12 @@ extern int yylex();
|
||||
} val;
|
||||
}
|
||||
|
||||
%token DIR ACTION PROTOCOL MODE LEVEL
|
||||
%token DIR ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY
|
||||
%token IPADDRESS
|
||||
%token ME ANY
|
||||
%token SLASH HYPHEN
|
||||
%type <num> DIR ACTION PROTOCOL MODE LEVEL
|
||||
%type <val> IPADDRESS
|
||||
%type <val> IPADDRESS LEVEL_SPECIFY
|
||||
|
||||
%%
|
||||
policy_spec
|
||||
@@ -116,6 +116,14 @@ policy_spec
|
||||
return -1;
|
||||
}
|
||||
rules
|
||||
| DIR
|
||||
{
|
||||
p_dir = $1;
|
||||
p_type = 0; /* ignored it by kernel */
|
||||
|
||||
if (init_x_policy())
|
||||
return -1;
|
||||
}
|
||||
;
|
||||
|
||||
rules
|
||||
@@ -139,11 +147,11 @@ rule
|
||||
| protocol SLASH mode SLASH SLASH level
|
||||
| protocol SLASH mode
|
||||
| protocol SLASH {
|
||||
ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
|
||||
__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
|
||||
return -1;
|
||||
}
|
||||
| protocol {
|
||||
ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
|
||||
__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
|
||||
return -1;
|
||||
}
|
||||
;
|
||||
@@ -157,7 +165,14 @@ mode
|
||||
;
|
||||
|
||||
level
|
||||
: LEVEL { p_level = $1; }
|
||||
: LEVEL {
|
||||
p_level = $1;
|
||||
p_reqid = 0;
|
||||
}
|
||||
| LEVEL_SPECIFY {
|
||||
p_level = IPSEC_LEVEL_UNIQUE;
|
||||
p_reqid = atol($1.buf); /* atol() is good. */
|
||||
}
|
||||
;
|
||||
|
||||
addresses
|
||||
@@ -174,13 +189,13 @@ addresses
|
||||
}
|
||||
| ME HYPHEN ANY {
|
||||
if (p_dir != IPSEC_DIR_OUTBOUND) {
|
||||
ipsec_errcode = EIPSEC_INVAL_DIR;
|
||||
__ipsec_errcode = EIPSEC_INVAL_DIR;
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
| ANY HYPHEN ME {
|
||||
if (p_dir != IPSEC_DIR_INBOUND) {
|
||||
ipsec_errcode = EIPSEC_INVAL_DIR;
|
||||
__ipsec_errcode = EIPSEC_INVAL_DIR;
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
@@ -195,7 +210,10 @@ void
|
||||
yyerror(msg)
|
||||
char *msg;
|
||||
{
|
||||
fprintf(stderr, "%s\n", msg);
|
||||
extern char *__libipsecyytext; /*XXX*/
|
||||
|
||||
fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
|
||||
msg, __libipsecyytext);
|
||||
|
||||
return;
|
||||
}
|
||||
@@ -213,43 +231,29 @@ parse_sockaddr(buf)
|
||||
hints.ai_family = PF_UNSPEC;
|
||||
hints.ai_flags = AI_NUMERICHOST;
|
||||
error = getaddrinfo(buf->buf, serv, &hints, &res);
|
||||
if (error != 0 || res->ai_addr == NULL) {
|
||||
ipsec_set_strerror(error == EAI_SYSTEM ?
|
||||
gai_strerror(error) : strerror(errno));
|
||||
if (error != 0) {
|
||||
yyerror("invalid IP address");
|
||||
__ipsec_set_strerror(gai_strerror(error));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (res->ai_addr == NULL) {
|
||||
ipsec_set_strerror(gai_strerror(error));
|
||||
yyerror("invalid IP address");
|
||||
__ipsec_set_strerror(gai_strerror(error));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
newaddr = malloc(res->ai_addr->sa_len);
|
||||
if (newaddr == NULL) {
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
__ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
freeaddrinfo(res);
|
||||
return NULL;
|
||||
}
|
||||
memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len);
|
||||
|
||||
/*
|
||||
* XXX: If the scope of the destination is link-local,
|
||||
* embed the scope-id(in this case, interface index)
|
||||
* into the address.
|
||||
*/
|
||||
if (newaddr->sa_family == AF_INET6) {
|
||||
struct sockaddr_in6 *sin6;
|
||||
|
||||
sin6 = (struct sockaddr_in6 *)newaddr;
|
||||
if(IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) &&
|
||||
sin6->sin6_scope_id != 0)
|
||||
*(u_short *)&sin6->sin6_addr.s6_addr[2] =
|
||||
htons(sin6->sin6_scope_id & 0xffff);
|
||||
}
|
||||
|
||||
freeaddrinfo(res);
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
__ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return newaddr;
|
||||
}
|
||||
|
||||
@@ -258,29 +262,29 @@ rule_check()
|
||||
{
|
||||
if (p_type == IPSEC_POLICY_IPSEC) {
|
||||
if (p_protocol == IPPROTO_IP) {
|
||||
ipsec_errcode = EIPSEC_NO_PROTO;
|
||||
__ipsec_errcode = EIPSEC_NO_PROTO;
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (p_mode != IPSEC_MODE_TRANSPORT
|
||||
&& p_mode != IPSEC_MODE_TUNNEL) {
|
||||
ipsec_errcode = EIPSEC_INVAL_MODE;
|
||||
__ipsec_errcode = EIPSEC_INVAL_MODE;
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (p_src == NULL && p_dst == NULL) {
|
||||
if (p_mode != IPSEC_MODE_TRANSPORT) {
|
||||
ipsec_errcode = EIPSEC_INVAL_ADDRESS;
|
||||
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
else if (p_src->sa_family != p_dst->sa_family) {
|
||||
ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
|
||||
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
__ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -293,7 +297,7 @@ init_x_policy()
|
||||
|
||||
pbuf = malloc(tlen);
|
||||
if (pbuf == NULL) {
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
__ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
return -1;
|
||||
}
|
||||
p = (struct sadb_x_policy *)pbuf;
|
||||
@@ -304,7 +308,7 @@ init_x_policy()
|
||||
p->sadb_x_policy_reserved = 0;
|
||||
offset = tlen;
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
__ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -322,7 +326,7 @@ set_x_request(src, dst)
|
||||
|
||||
pbuf = realloc(pbuf, tlen);
|
||||
if (pbuf == NULL) {
|
||||
ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
__ipsec_errcode = EIPSEC_NO_BUFS;
|
||||
return -1;
|
||||
}
|
||||
p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
|
||||
@@ -330,12 +334,13 @@ set_x_request(src, dst)
|
||||
p->sadb_x_ipsecrequest_proto = p_protocol;
|
||||
p->sadb_x_ipsecrequest_mode = p_mode;
|
||||
p->sadb_x_ipsecrequest_level = p_level;
|
||||
p->sadb_x_ipsecrequest_reqid = p_reqid;
|
||||
offset += sizeof(*p);
|
||||
|
||||
if (set_sockaddr(src) || set_sockaddr(dst))
|
||||
return -1;
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
__ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -344,7 +349,7 @@ set_sockaddr(addr)
|
||||
struct sockaddr *addr;
|
||||
{
|
||||
if (addr == NULL) {
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
__ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -354,7 +359,7 @@ set_sockaddr(addr)
|
||||
|
||||
offset += addr->sa_len;
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
__ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -364,6 +369,7 @@ policy_parse_request_init()
|
||||
p_protocol = IPPROTO_IP;
|
||||
p_mode = IPSEC_MODE_ANY;
|
||||
p_level = IPSEC_LEVEL_DEFAULT;
|
||||
p_reqid = 0;
|
||||
if (p_src != NULL) {
|
||||
free(p_src);
|
||||
p_src = NULL;
|
||||
@@ -401,7 +407,7 @@ policy_parse(msg, msglen)
|
||||
/* update total length */
|
||||
((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
__ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
|
||||
return pbuf;
|
||||
}
|
||||
@@ -415,12 +421,12 @@ ipsec_set_policy(msg, msglen)
|
||||
|
||||
policy = policy_parse(msg, msglen);
|
||||
if (policy == NULL) {
|
||||
if (ipsec_errcode == EIPSEC_NO_ERROR)
|
||||
ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
|
||||
if (__ipsec_errcode == EIPSEC_NO_ERROR)
|
||||
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
__ipsec_errcode = EIPSEC_NO_ERROR;
|
||||
return policy;
|
||||
}
|
||||
|
||||
|
||||
@@ -1,3 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: policy_token.l,v 1.9 2000/05/07 05:25:03 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
@@ -25,8 +28,6 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
%{
|
||||
@@ -46,8 +47,14 @@
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
|
||||
#ifndef __NetBSD__
|
||||
#include "y.tab.h"
|
||||
#define yylval __libipsecyylval /* XXX */
|
||||
#else
|
||||
#include "policy_parse.h"
|
||||
#endif
|
||||
#define yylval __libipsecyylval /* XXX */
|
||||
|
||||
int yylex __P((void));
|
||||
%}
|
||||
|
||||
%option noyywrap
|
||||
@@ -56,7 +63,6 @@
|
||||
nl \n
|
||||
ws [ \t]+
|
||||
digit [0-9]
|
||||
letter [0-9A-Za-z]
|
||||
hexdigit [0-9A-Fa-f]
|
||||
special [()+\|\?\*,]
|
||||
dot \.
|
||||
@@ -79,9 +85,7 @@ decstring {digit}+
|
||||
hexpair {hexdigit}{hexdigit}
|
||||
hexstring 0[xX]{hexdigit}+
|
||||
octetstring {octet}({dot}{octet})+
|
||||
ipaddress [a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%{letter}{letter}+)?
|
||||
name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
|
||||
hostname {name}(({dot}{name})+{dot}?)?
|
||||
ipaddress [a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%[a-zA-Z0-9]+)?
|
||||
|
||||
%%
|
||||
|
||||
@@ -107,12 +111,17 @@ any { return(ANY); }
|
||||
default { yylval.num = IPSEC_LEVEL_DEFAULT; return(LEVEL); }
|
||||
use { yylval.num = IPSEC_LEVEL_USE; return(LEVEL); }
|
||||
require { yylval.num = IPSEC_LEVEL_REQUIRE; return(LEVEL); }
|
||||
unique{colon}{decstring} {
|
||||
yylval.val.len = strlen(yytext + 7);
|
||||
yylval.val.buf = yytext + 7;
|
||||
return(LEVEL_SPECIFY);
|
||||
}
|
||||
unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
|
||||
{slash} { return(SLASH); }
|
||||
|
||||
{ipaddress} {
|
||||
yylval.val.len = strlen(yytext);
|
||||
yylval.val.buf = strdup(yytext);
|
||||
yylval.val.buf = yytext;
|
||||
return(IPADDRESS);
|
||||
}
|
||||
|
||||
@@ -123,6 +132,8 @@ unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
|
||||
|
||||
%%
|
||||
|
||||
void __policy__strbuffer__init__ __P((char *));
|
||||
|
||||
void
|
||||
__policy__strbuffer__init__(msg)
|
||||
char *msg;
|
||||
|
||||
+211
-73
@@ -1,3 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: test-policy.c,v 1.13 2000/05/07 05:25:03 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
@@ -25,8 +28,6 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
@@ -34,7 +35,6 @@
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet6/in6.h>
|
||||
#include <net/pfkeyv2.h>
|
||||
#include <netkey/key_debug.h>
|
||||
#include <netinet6/ipsec.h>
|
||||
@@ -43,90 +43,115 @@
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <errno.h>
|
||||
#include <err.h>
|
||||
|
||||
char *requests[] = {
|
||||
"must_error", /* error */
|
||||
"in ipsec must_error", /* error */
|
||||
"out ipsec esp/must_error", /* error */
|
||||
"out discard",
|
||||
"out none",
|
||||
"in entrust",
|
||||
"out entrust",
|
||||
"in bypass", /* may be error */
|
||||
"out ipsec esp", /* error */
|
||||
"in ipsec ah/transport",
|
||||
"in ipsec ah/tunnel", /* error */
|
||||
"out ipsec ah/transport/",
|
||||
"out ipsec ah/tunnel/", /* error */
|
||||
"in ipsec esp / transport / 10.0.0.1-10.0.0.2",
|
||||
"in ipsec esp/tunnel/::1-::2",
|
||||
"in ipsec esp/tunnel/10.0.0.1-::2", /* error */
|
||||
"in ipsec esp/tunnel/::1-::2/require",
|
||||
"out ipsec ah/transport//use",
|
||||
"out ipsec ah/transport esp/use",
|
||||
"in ipsec ah/transport esp/tunnel", /* error */
|
||||
"in ipsec
|
||||
struct req_t {
|
||||
int result; /* expected result; 0:ok 1:ng */
|
||||
char *str;
|
||||
} reqs[] = {
|
||||
{ 0, "out ipsec" },
|
||||
{ 1, "must_error" },
|
||||
{ 1, "in ipsec must_error" },
|
||||
{ 1, "out ipsec esp/must_error" },
|
||||
{ 1, "out discard" },
|
||||
{ 1, "out none" },
|
||||
{ 0, "in entrust" },
|
||||
{ 0, "out entrust" },
|
||||
{ 1, "out ipsec esp" },
|
||||
{ 0, "in ipsec ah/transport" },
|
||||
{ 1, "in ipsec ah/tunnel" },
|
||||
{ 0, "out ipsec ah/transport/" },
|
||||
{ 1, "out ipsec ah/tunnel/" },
|
||||
{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
|
||||
{ 0, "in ipsec esp/tunnel/::1-::2" },
|
||||
{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
|
||||
{ 0, "in ipsec esp/tunnel/::1-::2/require" },
|
||||
{ 0, "out ipsec ah/transport//use" },
|
||||
{ 1, "out ipsec ah/transport esp/use" },
|
||||
{ 1, "in ipsec ah/transport esp/tunnel" },
|
||||
{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
|
||||
{ 0, "in ipsec
|
||||
ah / transport
|
||||
esp / tunnel / ::1-::2",
|
||||
"
|
||||
out ipsec
|
||||
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
|
||||
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
|
||||
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
|
||||
",
|
||||
"out ipsec esp/transport/fec0::10-fec0::11/use",
|
||||
esp / tunnel / ::1-::2" },
|
||||
{ 0, "out ipsec
|
||||
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
|
||||
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
|
||||
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
|
||||
" },
|
||||
{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
|
||||
};
|
||||
|
||||
int test(char *buf, int family);
|
||||
int test1 __P((void));
|
||||
int test1sub1 __P((struct req_t *));
|
||||
int test1sub2 __P((char *, int));
|
||||
int test2 __P((void));
|
||||
int test2sub __P((int));
|
||||
|
||||
int
|
||||
main(ac, av)
|
||||
int ac;
|
||||
char **av;
|
||||
{
|
||||
int do_setsockopt;
|
||||
char *buf;
|
||||
test1();
|
||||
test2();
|
||||
|
||||
exit(0);
|
||||
}
|
||||
|
||||
int
|
||||
test1()
|
||||
{
|
||||
int i;
|
||||
int result;
|
||||
|
||||
if (ac != 1)
|
||||
do_setsockopt = 1;
|
||||
else
|
||||
do_setsockopt = 0;
|
||||
printf("TEST1\n");
|
||||
for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
|
||||
printf("#%d [%s]\n", i + 1, reqs[i].str);
|
||||
|
||||
for (i = 0; i < sizeof(requests)/sizeof(requests[0]); i++) {
|
||||
printf("*** requests ***\n");
|
||||
printf("\t[%s]\n", requests[i]);
|
||||
|
||||
buf = ipsec_set_policy(requests[i], strlen(requests[i]));
|
||||
if (buf == NULL) {
|
||||
printf("ipsec_set_policy: %s\n", ipsec_strerror());
|
||||
continue;
|
||||
result = test1sub1(&reqs[i]);
|
||||
if (result == 0 && reqs[i].result == 1) {
|
||||
errx(1, "ERROR: expecting failure.\n");
|
||||
} else if (result == 1 && reqs[i].result == 0) {
|
||||
errx(1, "ERROR: expecting success.\n");
|
||||
}
|
||||
|
||||
printf("\tsetlen:%d\n", ipsec_get_policylen(buf));
|
||||
|
||||
if (do_setsockopt) {
|
||||
printf("\tPF_INET:\n");
|
||||
test(buf, PF_INET);
|
||||
|
||||
printf("\tPF_INET6:\n");
|
||||
test(buf, PF_INET6);
|
||||
} else {
|
||||
kdebug_sadb_x_policy((struct sadb_ext *)buf);
|
||||
}
|
||||
free(buf);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
test(policy, family)
|
||||
test1sub1(req)
|
||||
struct req_t *req;
|
||||
{
|
||||
char *buf;
|
||||
|
||||
buf = ipsec_set_policy(req->str, strlen(req->str));
|
||||
if (buf == NULL) {
|
||||
printf("ipsec_set_policy: %s\n", ipsec_strerror());
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (test1sub2(buf, PF_INET) != 0
|
||||
|| test1sub2(buf, PF_INET6) != 0) {
|
||||
free(buf);
|
||||
return 1;
|
||||
}
|
||||
#if 0
|
||||
kdebug_sadb_x_policy((struct sadb_ext *)buf);
|
||||
#endif
|
||||
|
||||
free(buf);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
test1sub2(policy, family)
|
||||
char *policy;
|
||||
int family;
|
||||
{
|
||||
int so, proto, optname;
|
||||
int so;
|
||||
int proto = 0, optname = 0;
|
||||
int len;
|
||||
char getbuf[1024];
|
||||
|
||||
@@ -145,35 +170,148 @@ test(policy, family)
|
||||
err(1, "socket");
|
||||
|
||||
len = ipsec_get_policylen(policy);
|
||||
#if 0
|
||||
printf("\tsetlen:%d\n", len);
|
||||
#endif
|
||||
|
||||
if (setsockopt(so, proto, optname, policy, len) < 0) {
|
||||
printf("error on setsockopt");
|
||||
goto end;
|
||||
printf("fail to set sockopt; %s\n", strerror(errno));
|
||||
close(so);
|
||||
return 1;
|
||||
}
|
||||
|
||||
len = sizeof(getbuf);
|
||||
memset(getbuf, 0, sizeof(getbuf));
|
||||
memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
|
||||
if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
|
||||
printf("error on getsockopt");
|
||||
goto end;
|
||||
printf("fail to get sockopt; %s\n", strerror(errno));
|
||||
close(so);
|
||||
return 1;
|
||||
}
|
||||
|
||||
{
|
||||
char *buf = NULL;
|
||||
|
||||
#if 0
|
||||
printf("\tgetlen:%d\n", len);
|
||||
#endif
|
||||
|
||||
if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
|
||||
printf("%s\n", ipsec_strerror());
|
||||
goto end;
|
||||
} else {
|
||||
printf("\t[%s]\n", buf);
|
||||
free(buf);
|
||||
close(so);
|
||||
return 1;
|
||||
}
|
||||
#if 0
|
||||
printf("\t[%s]\n", buf);
|
||||
#endif
|
||||
free(buf);
|
||||
}
|
||||
|
||||
end:
|
||||
close (so);
|
||||
return 0;
|
||||
}
|
||||
|
||||
char addr[] = {
|
||||
28, 28, 0, 0,
|
||||
0, 0, 0, 0,
|
||||
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
|
||||
0, 0, 0, 0,
|
||||
};
|
||||
|
||||
int
|
||||
test2()
|
||||
{
|
||||
int so;
|
||||
char *pol1 = "out ipsec";
|
||||
char *pol2 = "out ipsec ah/transport//use";
|
||||
char *sp1, *sp2;
|
||||
int splen1, splen2;
|
||||
int spid;
|
||||
struct sadb_msg *m;
|
||||
|
||||
printf("TEST2\n");
|
||||
if (getuid() != 0)
|
||||
errx(1, "root privilege required.\n");
|
||||
|
||||
sp1 = ipsec_set_policy(pol1, strlen(pol1));
|
||||
splen1 = ipsec_get_policylen(sp1);
|
||||
sp2 = ipsec_set_policy(pol2, strlen(pol2));
|
||||
splen2 = ipsec_get_policylen(sp2);
|
||||
|
||||
if ((so = pfkey_open()) < 0)
|
||||
errx(1, "ERROR: %s\n", ipsec_strerror());
|
||||
|
||||
printf("spdflush()\n");
|
||||
if (pfkey_send_spdflush(so) < 0)
|
||||
errx(1, "ERROR: %s\n", ipsec_strerror());
|
||||
m = pfkey_recv(so);
|
||||
free(m);
|
||||
|
||||
printf("spdsetidx()\n");
|
||||
if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
|
||||
(struct sockaddr *)addr, 128,
|
||||
255, sp1, splen1, 0) < 0)
|
||||
errx(1, "ERROR: %s\n", ipsec_strerror());
|
||||
m = pfkey_recv(so);
|
||||
free(m);
|
||||
|
||||
printf("spdupdate()\n");
|
||||
if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
|
||||
(struct sockaddr *)addr, 128,
|
||||
255, sp2, splen2, 0) < 0)
|
||||
errx(1, "ERROR: %s\n", ipsec_strerror());
|
||||
m = pfkey_recv(so);
|
||||
free(m);
|
||||
|
||||
printf("spddelete()\n");
|
||||
if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
|
||||
(struct sockaddr *)addr, 128,
|
||||
255, sp1, splen1, 0) < 0)
|
||||
errx(1, "ERROR: %s\n", ipsec_strerror());
|
||||
m = pfkey_recv(so);
|
||||
free(m);
|
||||
|
||||
printf("spdadd()\n");
|
||||
if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
|
||||
(struct sockaddr *)addr, 128,
|
||||
255, sp2, splen2, 0) < 0)
|
||||
errx(1, "ERROR: %s\n", ipsec_strerror());
|
||||
spid = test2sub(so);
|
||||
|
||||
printf("spdget(%u)\n", spid);
|
||||
if (pfkey_send_spdget(so, spid) < 0)
|
||||
errx(1, "ERROR: %s\n", ipsec_strerror());
|
||||
m = pfkey_recv(so);
|
||||
free(m);
|
||||
|
||||
printf("spddelete2()\n");
|
||||
if (pfkey_send_spddelete2(so, spid) < 0)
|
||||
errx(1, "ERROR: %s\n", ipsec_strerror());
|
||||
m = pfkey_recv(so);
|
||||
free(m);
|
||||
|
||||
/* expecting failure */
|
||||
printf("spdupdate()\n");
|
||||
if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
|
||||
(struct sockaddr *)addr, 128,
|
||||
255, sp2, splen2, 0) == 0) {
|
||||
errx(1, "ERROR: expecting failure.\n");
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
test2sub(so)
|
||||
int so;
|
||||
{
|
||||
struct sadb_msg *msg;
|
||||
caddr_t mhp[SADB_EXT_MAX + 1];
|
||||
|
||||
if ((msg = pfkey_recv(so)) == NULL)
|
||||
errx(1, "ERROR: pfkey_recv failure.\n");
|
||||
if (pfkey_align(msg, mhp) < 0)
|
||||
errx(1, "ERROR: pfkey_align failure.\n");
|
||||
|
||||
return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
|
||||
}
|
||||
|
||||
|
||||
@@ -29,11 +29,18 @@
|
||||
PROG= setkey
|
||||
SRCS= setkey.c parse.y token.l
|
||||
CFLAGS+=-g
|
||||
CFLAGS+=-I${.CURDIR}/../../lib/libipsec
|
||||
DPADD= ${LIBL} ${LIBY}
|
||||
LDADD= -ll -ly
|
||||
CLEANFILES+= y.tab.c y.tab.h key_test.o keytest
|
||||
YFLAGS+=-d
|
||||
|
||||
# libpfkey.
|
||||
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
|
||||
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
|
||||
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
|
||||
CFLAGS+=-I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey
|
||||
|
||||
SCRIPTS= scriptdump
|
||||
|
||||
BINOWN = root
|
||||
|
||||
+269
-154
@@ -1,7 +1,10 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: parse.y,v 1.29 2000/06/10 14:17:44 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -13,7 +16,7 @@
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,10 +28,7 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
/* KAME $Id: parse.y,v 1.7 1999/10/27 17:08:57 sakane Exp $ */
|
||||
|
||||
%{
|
||||
#include <sys/types.h>
|
||||
@@ -45,48 +45,52 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
|
||||
#include "libpfkey.h"
|
||||
#include "vchar.h"
|
||||
|
||||
#define ATOX(c) \
|
||||
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
|
||||
|
||||
u_int p_type;
|
||||
u_int32_t p_spi;
|
||||
struct sockaddr *p_src, *p_dst;
|
||||
u_int p_prefs, p_prefd, p_upper;
|
||||
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
|
||||
u_int p_key_enc_len, p_key_auth_len;
|
||||
caddr_t p_key_enc, p_key_auth;
|
||||
time_t p_lt_hard, p_lt_soft;
|
||||
u_int p_type;
|
||||
u_int32_t p_spi;
|
||||
struct sockaddr *p_src, *p_dst;
|
||||
u_int p_prefs, p_prefd, p_upper;
|
||||
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
|
||||
u_int32_t p_reqid;
|
||||
u_int p_key_enc_len, p_key_auth_len;
|
||||
caddr_t p_key_enc, p_key_auth;
|
||||
time_t p_lt_hard, p_lt_soft;
|
||||
|
||||
u_int p_policy_len;
|
||||
char *p_policy;
|
||||
u_int p_policy_len;
|
||||
char *p_policy;
|
||||
|
||||
/* temporary buffer */
|
||||
static struct sockaddr *pp_addr;
|
||||
static u_int pp_prefix;
|
||||
static u_int pp_port;
|
||||
static caddr_t pp_key;
|
||||
static struct sockaddr *pp_addr;
|
||||
static u_int pp_prefix;
|
||||
static u_int pp_port;
|
||||
static caddr_t pp_key;
|
||||
|
||||
extern u_char m_buf[BUFSIZ];
|
||||
extern int m_len;
|
||||
extern char cmdarg[8192];
|
||||
extern int f_debug;
|
||||
extern u_char m_buf[BUFSIZ];
|
||||
extern int m_len;
|
||||
extern char cmdarg[8192];
|
||||
extern int f_debug;
|
||||
|
||||
int setkeymsg __P((void));
|
||||
static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
|
||||
void parse_init __P((void));
|
||||
void free_buffer __P((void));
|
||||
int setkeymsg __P((void));
|
||||
static struct addrinfo *parse_addr __P((char *, char *, int));
|
||||
static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
|
||||
void parse_init __P((void));
|
||||
void free_buffer __P((void));
|
||||
|
||||
extern int setkeymsg __P((void));
|
||||
extern int sendkeymsg __P((void));
|
||||
extern int setkeymsg __P((void));
|
||||
extern int sendkeymsg __P((void));
|
||||
|
||||
extern int yylex __P((void));
|
||||
extern void yyerror __P((char *));
|
||||
extern int yylex __P((void));
|
||||
extern void yyfatal __P((const char *));
|
||||
extern void yyerror __P((const char *));
|
||||
%}
|
||||
|
||||
%union {
|
||||
@@ -96,11 +100,11 @@ extern void yyerror __P((char *));
|
||||
|
||||
%token EOT
|
||||
%token ADD GET DELETE FLUSH DUMP
|
||||
%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY
|
||||
%token ADDRESS PREFIX PORT PORTANY
|
||||
%token UP_PROTO PR_ESP PR_AH PR_IPCOMP
|
||||
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
|
||||
%token F_MODE MODE
|
||||
%token F_EXT EXTENSION
|
||||
%token F_MODE MODE F_REQID
|
||||
%token F_EXT EXTENSION NOCYCLICSEQ
|
||||
%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
|
||||
%token F_LIFETIME_HARD F_LIFETIME_SOFT
|
||||
%token DECSTRING QUOTEDSTRING HEXSTRING ANY
|
||||
@@ -108,6 +112,14 @@ extern void yyerror __P((char *));
|
||||
%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
|
||||
%token F_POLICY PL_REQUESTS
|
||||
|
||||
%type <num> PORT PREFIX EXTENSION MODE
|
||||
%type <num> UP_PROTO PR_ESP PR_AH PR_IPCOMP
|
||||
%type <num> ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
|
||||
%type <num> DECSTRING
|
||||
%type <val> ADDRESS PL_REQUESTS
|
||||
%type <val> key_string policy_requests
|
||||
%type <val> QUOTEDSTRING HEXSTRING
|
||||
|
||||
%%
|
||||
commands
|
||||
: /*NOTHING*/
|
||||
@@ -146,13 +158,23 @@ add_command
|
||||
/* delete */
|
||||
delete_command
|
||||
: DELETE { p_type = SADB_DELETE; }
|
||||
sa_selector_spec extension_spec EOT
|
||||
sa_selector_spec extension_spec
|
||||
{
|
||||
if (p_mode != IPSEC_MODE_ANY)
|
||||
yyerror("WARNING: mode is obsoleted.");
|
||||
}
|
||||
EOT
|
||||
;
|
||||
|
||||
/* get command */
|
||||
get_command
|
||||
: GET { p_type = SADB_GET; }
|
||||
sa_selector_spec extension_spec EOT
|
||||
sa_selector_spec extension_spec
|
||||
{
|
||||
if (p_mode != IPSEC_MODE_ANY)
|
||||
yyerror("WARNING: mode is obsoleted.");
|
||||
}
|
||||
EOT
|
||||
;
|
||||
|
||||
/* flush */
|
||||
@@ -179,7 +201,7 @@ protocol_spec
|
||||
| PR_ESP
|
||||
{
|
||||
p_satype = SADB_SATYPE_ESP;
|
||||
if ($1.num == 1)
|
||||
if ($1 == 1)
|
||||
p_ext |= SADB_X_EXT_OLD;
|
||||
else
|
||||
p_ext &= ~SADB_X_EXT_OLD;
|
||||
@@ -187,7 +209,7 @@ protocol_spec
|
||||
| PR_AH
|
||||
{
|
||||
p_satype = SADB_SATYPE_AH;
|
||||
if ($1.num == 1)
|
||||
if ($1 == 1)
|
||||
p_ext |= SADB_X_EXT_OLD;
|
||||
else
|
||||
p_ext &= ~SADB_X_EXT_OLD;
|
||||
@@ -199,18 +221,18 @@ protocol_spec
|
||||
;
|
||||
|
||||
spi
|
||||
: DECSTRING { p_spi = $1.num; }
|
||||
: DECSTRING { p_spi = $1; }
|
||||
| HEXSTRING
|
||||
{
|
||||
caddr_t bp;
|
||||
caddr_t yp = $1.val.buf;
|
||||
caddr_t yp = $1.buf;
|
||||
char buf0[4], buf[4];
|
||||
int i, j;
|
||||
|
||||
/* sanity check */
|
||||
if ($1.val.len > 4) {
|
||||
if ($1.len > 4) {
|
||||
yyerror("SPI too big.");
|
||||
free($1.val.buf);
|
||||
free($1.buf);
|
||||
return -1;
|
||||
}
|
||||
|
||||
@@ -223,13 +245,13 @@ spi
|
||||
/* initialize */
|
||||
for (i = 0; i < 4; i++) buf[i] = 0;
|
||||
|
||||
for (j = $1.val.len - 1, i = 3; j >= 0; j--, i--)
|
||||
for (j = $1.len - 1, i = 3; j >= 0; j--, i--)
|
||||
buf[i] = buf0[j];
|
||||
|
||||
/* XXX: endian */
|
||||
p_spi = ntohl(*(u_int32_t *)buf);
|
||||
|
||||
free($1.val.buf);
|
||||
free($1.buf);
|
||||
}
|
||||
;
|
||||
|
||||
@@ -249,16 +271,16 @@ ah_spec
|
||||
;
|
||||
|
||||
ipcomp_spec
|
||||
: F_COMP ALG_COMP { p_alg_enc = $2.num; }
|
||||
| F_COMP ALG_COMP { p_alg_enc = $2.num; }
|
||||
: F_COMP ALG_COMP { p_alg_enc = $2; }
|
||||
| F_COMP ALG_COMP { p_alg_enc = $2; }
|
||||
F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; }
|
||||
;
|
||||
|
||||
enc_alg
|
||||
: ALG_ENC { p_alg_enc = $1.num; }
|
||||
: ALG_ENC { p_alg_enc = $1; }
|
||||
| ALG_ENC_DESDERIV
|
||||
{
|
||||
p_alg_enc = $1.num;
|
||||
p_alg_enc = $1;
|
||||
if (p_ext & SADB_X_EXT_OLD) {
|
||||
yyerror("algorithm mismatched.");
|
||||
return -1;
|
||||
@@ -267,7 +289,7 @@ enc_alg
|
||||
}
|
||||
| ALG_ENC_DES32IV
|
||||
{
|
||||
p_alg_enc = $1.num;
|
||||
p_alg_enc = $1;
|
||||
if (!(p_ext & SADB_X_EXT_OLD)) {
|
||||
yyerror("algorithm mismatched.");
|
||||
return -1;
|
||||
@@ -286,7 +308,7 @@ enc_key
|
||||
}
|
||||
| key_string
|
||||
{
|
||||
p_key_enc_len = $1.val.len;
|
||||
p_key_enc_len = $1.len;
|
||||
p_key_enc = pp_key;
|
||||
|
||||
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
|
||||
@@ -299,7 +321,7 @@ enc_key
|
||||
;
|
||||
|
||||
auth_alg
|
||||
: ALG_AUTH { p_alg_auth = $1.num; }
|
||||
: ALG_AUTH { p_alg_auth = $1; }
|
||||
;
|
||||
|
||||
auth_key
|
||||
@@ -312,7 +334,7 @@ auth_key
|
||||
}
|
||||
| key_string
|
||||
{
|
||||
p_key_auth_len = $1.val.len;
|
||||
p_key_auth_len = $1.len;
|
||||
p_key_auth = pp_key;
|
||||
|
||||
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
|
||||
@@ -327,20 +349,20 @@ auth_key
|
||||
key_string
|
||||
: QUOTEDSTRING
|
||||
{
|
||||
pp_key = $1.val.buf;
|
||||
pp_key = $1.buf;
|
||||
/* free pp_key later */
|
||||
}
|
||||
| HEXSTRING
|
||||
{
|
||||
caddr_t bp;
|
||||
caddr_t yp = $1.val.buf;
|
||||
caddr_t yp = $1.buf;
|
||||
|
||||
if ((pp_key = malloc($1.val.len)) == 0) {
|
||||
free($1.val.buf);
|
||||
yyerror(strerror(errno));
|
||||
if ((pp_key = malloc($1.len)) == 0) {
|
||||
free($1.buf);
|
||||
yyerror("not enough core");
|
||||
return -1;
|
||||
}
|
||||
memset(pp_key, 0, $1.val.len);
|
||||
memset(pp_key, 0, $1.len);
|
||||
|
||||
bp = pp_key;
|
||||
while (*yp) {
|
||||
@@ -348,7 +370,7 @@ key_string
|
||||
yp += 2, bp++;
|
||||
}
|
||||
|
||||
free($1.val.buf);
|
||||
free($1.buf);
|
||||
}
|
||||
;
|
||||
|
||||
@@ -358,9 +380,11 @@ extension_spec
|
||||
;
|
||||
|
||||
extension
|
||||
: F_EXT EXTENSION { p_ext |= $1.num; }
|
||||
| F_MODE MODE { p_mode = $2.num; }
|
||||
: F_EXT EXTENSION { p_ext |= $2; }
|
||||
| F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
|
||||
| F_MODE MODE { p_mode = $2; }
|
||||
| F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
|
||||
| F_REQID DECSTRING { p_reqid = $2; }
|
||||
| F_REPLAY DECSTRING
|
||||
{
|
||||
if (p_ext & SADB_X_EXT_OLD) {
|
||||
@@ -368,10 +392,10 @@ extension
|
||||
"only use on new spec.");
|
||||
return -1;
|
||||
}
|
||||
p_replay = $2.num;
|
||||
p_replay = $2;
|
||||
}
|
||||
| F_LIFETIME_HARD DECSTRING { p_lt_hard = $2.num; }
|
||||
| F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2.num; }
|
||||
| F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
|
||||
| F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
|
||||
;
|
||||
|
||||
/* definition about command for SPD management */
|
||||
@@ -391,7 +415,7 @@ spddelete_command:
|
||||
p_type = SADB_X_SPDDELETE;
|
||||
p_satype = SADB_SATYPE_UNSPEC;
|
||||
}
|
||||
sp_selector_spec EOT
|
||||
sp_selector_spec policy_spec EOT
|
||||
;
|
||||
|
||||
spddump_command:
|
||||
@@ -416,97 +440,107 @@ spdflush_command:
|
||||
sp_selector_spec
|
||||
: ipaddress { p_src = pp_addr; }
|
||||
prefix { p_prefs = pp_prefix; }
|
||||
port { _INPORTBYSA(p_src) = htons(pp_port); }
|
||||
port
|
||||
{
|
||||
switch (p_src->sa_family) {
|
||||
case AF_INET:
|
||||
((struct sockaddr_in *)p_src)->sin_port =
|
||||
htons(pp_port);
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
((struct sockaddr_in6 *)p_src)->sin6_port =
|
||||
htons(pp_port);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
}
|
||||
ipaddress { p_dst = pp_addr; }
|
||||
prefix { p_prefd = pp_prefix; }
|
||||
port { _INPORTBYSA(p_dst) = htons(pp_port); }
|
||||
port
|
||||
{
|
||||
switch (p_dst->sa_family) {
|
||||
case AF_INET:
|
||||
((struct sockaddr_in *)p_dst)->sin_port =
|
||||
htons(pp_port);
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
((struct sockaddr_in6 *)p_dst)->sin6_port =
|
||||
htons(pp_port);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
}
|
||||
upper_spec
|
||||
{
|
||||
/* XXX is it something userland should check? */
|
||||
#if 0
|
||||
switch (p_upper) {
|
||||
case IPPROTO_ICMP:
|
||||
case IPPROTO_ICMPV6:
|
||||
if (_INPORTBYSA(p_src) != IPSEC_PORT_ANY
|
||||
|| _INPORTBYSA(p_dst) != IPSEC_PORT_ANY) {
|
||||
yyerror("port number must be \"any\".");
|
||||
return -1;
|
||||
}
|
||||
if ((pp_addr->sa_family == AF_INET6
|
||||
&& p_upper == IPPROTO_ICMP)
|
||||
|| (pp_addr->sa_family == AF_INET
|
||||
&& p_upper == IPPROTO_ICMPV6)) {
|
||||
yyerror("upper layer protocol "
|
||||
"mismatched.\n");
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
;
|
||||
|
||||
ipaddress
|
||||
: IP4_ADDRESS
|
||||
: ADDRESS
|
||||
{
|
||||
struct sockaddr_in *in;
|
||||
u_int sa_len = $1.val.len;
|
||||
struct addrinfo *res;
|
||||
|
||||
if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) {
|
||||
yyerror(strerror(errno));
|
||||
free($1.val.buf);
|
||||
res = parse_addr($1.buf, NULL, AI_NUMERICHOST);
|
||||
if (res == NULL) {
|
||||
free($1.buf);
|
||||
return -1;
|
||||
}
|
||||
memset((caddr_t)in, 0, sa_len);
|
||||
|
||||
in->sin_family = PF_INET;
|
||||
in->sin_len = sa_len;
|
||||
in->sin_port = IPSEC_PORT_ANY;
|
||||
(void)inet_pton(PF_INET, $1.val.buf, &in->sin_addr);
|
||||
|
||||
pp_addr = (struct sockaddr *)in;
|
||||
free($1.val.buf);
|
||||
}
|
||||
| IP6_ADDRESS
|
||||
{
|
||||
#ifdef INET6
|
||||
struct sockaddr_in6 *in6;
|
||||
u_int sa_len = $1.val.len;
|
||||
struct addrinfo hints, *res;
|
||||
int ret_gai;
|
||||
|
||||
if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) {
|
||||
free($1.val.buf);
|
||||
yyerror(strerror(errno));
|
||||
return -1;
|
||||
pp_addr = (struct sockaddr *)malloc(res->ai_addrlen);
|
||||
if (!pp_addr) {
|
||||
yyerror("not enough core");
|
||||
goto end;
|
||||
}
|
||||
memset((caddr_t)in6, 0, sa_len);
|
||||
|
||||
bzero(&hints, sizeof(struct addrinfo));
|
||||
hints.ai_flags = AI_NUMERICHOST;
|
||||
hints.ai_family = AF_INET6;
|
||||
ret_gai = getaddrinfo($1.val.buf, NULL, &hints, &res);
|
||||
if (ret_gai) {
|
||||
free($1.val.buf);
|
||||
free(in6);
|
||||
yyerror(gai_strerror(ret_gai));
|
||||
if (ret_gai == EAI_SYSTEM)
|
||||
yyerror(strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
(void)memcpy(in6, res->ai_addr, res->ai_addrlen);
|
||||
|
||||
/*
|
||||
* XXX: If the scope of the destination is link-local,
|
||||
* embed the scope-id(in this case, interface index)
|
||||
* into the address.
|
||||
*/
|
||||
if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr) &&
|
||||
in6->sin6_scope_id != 0)
|
||||
*(u_short *)&in6->sin6_addr.s6_addr[2] =
|
||||
htons(in6->sin6_scope_id & 0xffff);
|
||||
|
||||
memcpy(pp_addr, res->ai_addr, res->ai_addrlen);
|
||||
end:
|
||||
freeaddrinfo(res);
|
||||
|
||||
pp_addr = (struct sockaddr *)in6;
|
||||
#else
|
||||
yyerror("IPv6 address not supported");
|
||||
#endif
|
||||
free($1.val.buf);
|
||||
free($1.buf);
|
||||
}
|
||||
;
|
||||
|
||||
prefix
|
||||
: /*NOTHING*/ { pp_prefix = ~0; }
|
||||
| PREFIX { pp_prefix = $1.num; }
|
||||
| PREFIX { pp_prefix = $1; }
|
||||
;
|
||||
|
||||
port
|
||||
: /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; }
|
||||
| PORT { pp_port = $1.num; }
|
||||
| PORT { pp_port = $1; }
|
||||
| PORTANY { pp_port = IPSEC_PORT_ANY; }
|
||||
;
|
||||
|
||||
upper_spec
|
||||
: DECSTRING { p_upper = $1.num; }
|
||||
| UP_PROTO { p_upper = $1.num; }
|
||||
: DECSTRING { p_upper = $1; }
|
||||
| UP_PROTO { p_upper = $1; }
|
||||
| PR_ESP { p_upper = IPPROTO_ESP; };
|
||||
| PR_AH { p_upper = IPPROTO_AH; };
|
||||
| PR_IPCOMP { p_upper = IPPROTO_IPCOMP; };
|
||||
@@ -516,9 +550,9 @@ upper_spec
|
||||
policy_spec
|
||||
: F_POLICY policy_requests
|
||||
{
|
||||
p_policy = ipsec_set_policy($2.val.buf, $2.val.len);
|
||||
p_policy = ipsec_set_policy($2.buf, $2.len);
|
||||
if (p_policy == NULL) {
|
||||
free($2.val.buf);
|
||||
free($2.buf);
|
||||
p_policy = NULL;
|
||||
yyerror(ipsec_strerror());
|
||||
return -1;
|
||||
@@ -526,13 +560,12 @@ policy_spec
|
||||
|
||||
p_policy_len = ipsec_get_policylen(p_policy);
|
||||
|
||||
free($2.val.buf);
|
||||
free($2.buf);
|
||||
}
|
||||
;
|
||||
|
||||
policy_requests:
|
||||
/*NOTHING*/
|
||||
| PL_REQUESTS { $$ = $1; }
|
||||
policy_requests
|
||||
: PL_REQUESTS { $$ = $1; }
|
||||
;
|
||||
|
||||
%%
|
||||
@@ -546,7 +579,6 @@ setkeymsg()
|
||||
m_msg.sadb_msg_type = p_type;
|
||||
m_msg.sadb_msg_errno = 0;
|
||||
m_msg.sadb_msg_satype = p_satype;
|
||||
m_msg.sadb_msg_mode = p_mode;
|
||||
m_msg.sadb_msg_reserved = 0;
|
||||
m_msg.sadb_msg_seq = 0;
|
||||
m_msg.sadb_msg_pid = getpid();
|
||||
@@ -629,6 +661,7 @@ setkeymsg()
|
||||
case SADB_GET:
|
||||
{
|
||||
struct sadb_sa m_sa;
|
||||
struct sadb_x_sa2 m_sa2;
|
||||
struct sadb_address m_addr;
|
||||
u_int len;
|
||||
|
||||
@@ -645,14 +678,36 @@ setkeymsg()
|
||||
memcpy(m_buf + m_len, &m_sa, len);
|
||||
m_len += len;
|
||||
|
||||
len = sizeof(struct sadb_x_sa2);
|
||||
m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
|
||||
m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
|
||||
m_sa2.sadb_x_sa2_mode = p_mode;
|
||||
m_sa2.sadb_x_sa2_reqid = p_reqid;
|
||||
|
||||
memcpy(m_buf + m_len, &m_sa2, len);
|
||||
m_len += len;
|
||||
|
||||
/* set src */
|
||||
m_addr.sadb_address_len =
|
||||
PFKEY_UNIT64(sizeof(m_addr)
|
||||
+ PFKEY_ALIGN8(p_src->sa_len));
|
||||
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
|
||||
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
|
||||
m_addr.sadb_address_prefixlen =
|
||||
_INALENBYAF(p_src->sa_family) << 3;
|
||||
switch (p_src->sa_family) {
|
||||
case AF_INET:
|
||||
m_addr.sadb_address_prefixlen =
|
||||
sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
m_addr.sadb_address_prefixlen =
|
||||
sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
yyerror("unsupported address family");
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
setvarbuf(&m_len,
|
||||
@@ -665,8 +720,21 @@ setkeymsg()
|
||||
+ PFKEY_ALIGN8(p_dst->sa_len));
|
||||
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
|
||||
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
|
||||
m_addr.sadb_address_prefixlen =
|
||||
_INALENBYAF(p_dst->sa_family) << 3;
|
||||
switch (p_dst->sa_family) {
|
||||
case AF_INET:
|
||||
m_addr.sadb_address_prefixlen =
|
||||
sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
m_addr.sadb_address_prefixlen =
|
||||
sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
yyerror("unsupported address family");
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
setvarbuf(&m_len,
|
||||
@@ -681,17 +749,15 @@ setkeymsg()
|
||||
break;
|
||||
|
||||
case SADB_X_SPDADD:
|
||||
case SADB_X_SPDDELETE:
|
||||
{
|
||||
struct sadb_address m_addr;
|
||||
u_int8_t plen;
|
||||
|
||||
memcpy(m_buf + m_len, p_policy, p_policy_len);
|
||||
m_len += p_policy_len;
|
||||
free(p_policy);
|
||||
p_policy = NULL;
|
||||
}
|
||||
/* FALLTHROUGH */
|
||||
|
||||
case SADB_X_SPDDELETE:
|
||||
{
|
||||
struct sadb_address m_addr;
|
||||
|
||||
/* set src */
|
||||
m_addr.sadb_address_len =
|
||||
@@ -699,9 +765,21 @@ setkeymsg()
|
||||
+ PFKEY_ALIGN8(p_src->sa_len));
|
||||
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
|
||||
m_addr.sadb_address_proto = p_upper;
|
||||
switch (p_src->sa_family) {
|
||||
case AF_INET:
|
||||
plen = sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
plen = sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
yyerror("unsupported address family");
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
m_addr.sadb_address_prefixlen =
|
||||
(p_prefs != ~0 ? p_prefs :
|
||||
_INALENBYAF(p_src->sa_family) << 3);
|
||||
(p_prefs != ~0 ? p_prefs : plen);
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
setvarbuf(&m_len,
|
||||
@@ -714,9 +792,21 @@ setkeymsg()
|
||||
+ PFKEY_ALIGN8(p_dst->sa_len));
|
||||
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
|
||||
m_addr.sadb_address_proto = p_upper;
|
||||
switch (p_dst->sa_family) {
|
||||
case AF_INET:
|
||||
plen = sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
plen = sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
yyerror("unsupported address family");
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
m_addr.sadb_address_prefixlen =
|
||||
(p_prefd != ~0 ? p_prefd :
|
||||
_INALENBYAF(p_dst->sa_family) << 3);
|
||||
(p_prefd != ~0 ? p_prefd : plen);
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
setvarbuf(&m_len,
|
||||
@@ -731,6 +821,30 @@ setkeymsg()
|
||||
return 0;
|
||||
}
|
||||
|
||||
static struct addrinfo *
|
||||
parse_addr(host, port, flag)
|
||||
char *host;
|
||||
char *port;
|
||||
int flag;
|
||||
{
|
||||
struct addrinfo hints, *res = NULL;
|
||||
int error;
|
||||
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = PF_UNSPEC;
|
||||
hints.ai_socktype = SOCK_DGRAM;
|
||||
hints.ai_flags = flag;
|
||||
error = getaddrinfo(host, port, &hints, &res);
|
||||
if (error != 0) {
|
||||
yyerror(gai_strerror(error));
|
||||
return NULL;
|
||||
}
|
||||
if (res->ai_next != NULL) {
|
||||
yyerror(gai_strerror(error));
|
||||
}
|
||||
return res;
|
||||
}
|
||||
|
||||
static int
|
||||
setvarbuf(off, ebuf, elen, vbuf, vlen)
|
||||
caddr_t vbuf;
|
||||
@@ -757,11 +871,12 @@ parse_init()
|
||||
p_upper = 0;
|
||||
|
||||
p_satype = 0;
|
||||
p_ext = SADB_X_EXT_NONE;
|
||||
p_ext = SADB_X_EXT_CYCSEQ;
|
||||
p_alg_enc = SADB_EALG_NONE;
|
||||
p_alg_auth = SADB_AALG_NONE;
|
||||
p_mode = IPSEC_MODE_ANY;
|
||||
p_replay = 4;
|
||||
p_reqid = 0;
|
||||
p_replay = 0;
|
||||
p_key_enc_len = p_key_auth_len = 0;
|
||||
p_key_enc = p_key_auth = 0;
|
||||
p_lt_hard = p_lt_soft = 0;
|
||||
|
||||
@@ -170,7 +170,7 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
|
||||
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
||||
|
||||
# Also delete command, you can delete a entry of either SP or SA.
|
||||
spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ;
|
||||
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
|
||||
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
||||
|
||||
# By dump command, you can dump all entry of either SP or SA.
|
||||
@@ -204,7 +204,7 @@ add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
|
||||
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
|
||||
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
|
||||
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
|
||||
add ::1 ::1 esp 10017 -m transport -f seq-pad -f cyclic-seq -E simple ;
|
||||
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ;
|
||||
add ::1 ::1 esp 10018 -m transport -E simple ;
|
||||
#add ::1 ::1 ah 20000 -m transport -A null ;
|
||||
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
|
||||
|
||||
@@ -20,8 +20,8 @@ open(IN, "setkey -D |") || die;
|
||||
foreach $_ (<IN>) {
|
||||
if (/^[^\t]/) {
|
||||
($src, $dst) = split(/\s+/, $_);
|
||||
} elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*replay=(\d+)/) {
|
||||
($proto, $ipsecmode, $spi, $replay) = ($1, $2, $3, $4);
|
||||
} elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) {
|
||||
($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4);
|
||||
} elsif (/^\tE: (\S+) (.*)/) {
|
||||
$ealgo = $1;
|
||||
$ekey = $2;
|
||||
@@ -32,17 +32,19 @@ foreach $_ (<IN>) {
|
||||
$akey = $2;
|
||||
$akey =~ s/\s//g;
|
||||
$akey =~ s/^/0x/g;
|
||||
} elsif (/^\tstate=/) {
|
||||
} elsif (/^\treplay=(\d+) flags=(0x\d+) state=/) {
|
||||
print "$mode $src $dst $proto $spi -m $ipsecmode";
|
||||
print " -r $replay" if $replay;
|
||||
$replay = $1;
|
||||
print " -u $reqid" if $reqid;
|
||||
if ($mode eq 'add') {
|
||||
print " -r $replay" if $replay;
|
||||
if ($proto eq 'esp') {
|
||||
print " -E $ealgo $ekey" if $ealgo;
|
||||
print " -A $aalgo $akey" if $aalgo;
|
||||
} elsif ($proto eq 'ah') {
|
||||
print " -A $aalgo $akey" if $aalgo;
|
||||
}
|
||||
}
|
||||
}
|
||||
print ";\n";
|
||||
|
||||
$src = $dst = $upper = $proxy = '';
|
||||
|
||||
+73
-64
@@ -1,6 +1,9 @@
|
||||
.\" $FreeBSD$
|
||||
.\" $KAME: setkey.8,v 1.28 2000/06/16 12:03:46 sakane Exp $
|
||||
.\"
|
||||
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
@@ -12,7 +15,7 @@
|
||||
.\" 3. Neither the name of the project nor the names of its contributors
|
||||
.\" may be used to endorse or promote products derived from this software
|
||||
.\" without specific prior written permission.
|
||||
.\"
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,15 +28,14 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $Id: setkey.8,v 1.14 1999/10/27 17:08:58 sakane Exp $
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd May 17, 1998
|
||||
.Dt SETKEY 8
|
||||
.Os
|
||||
.Os KAME
|
||||
.\"
|
||||
.Sh NAME
|
||||
.Nm setkey
|
||||
.Nd manually manipulate the SA/SP database.
|
||||
.Nd manually manipulate the IPsec SA/SP database.
|
||||
.\"
|
||||
.Sh SYNOPSIS
|
||||
.Nm setkey
|
||||
.Op Fl dv
|
||||
@@ -50,19 +52,20 @@
|
||||
.Nm setkey
|
||||
.Op Fl h
|
||||
.Fl x
|
||||
.\"
|
||||
.\"
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
updates, or lists the content of, Security Association Database (SAD) entries
|
||||
in the kernel as well as Security Policy Database (SPD) entries.
|
||||
addes, updates, dumpes, or flushes
|
||||
Security Association Database (SAD) entries
|
||||
as well as Security Policy Database (SPD) entries in the kernel.
|
||||
.Pp
|
||||
.Nm
|
||||
takes a series of operation from standard input
|
||||
takes a series of operations from the standard input
|
||||
.Po
|
||||
if invoked with
|
||||
.Fl c
|
||||
.Pc
|
||||
or file named
|
||||
or the file named
|
||||
.Ar filename
|
||||
.Po
|
||||
if invoked with
|
||||
@@ -75,21 +78,23 @@ If with
|
||||
.Fl P ,
|
||||
the SPD entries are dumped.
|
||||
.It Fl F
|
||||
Flush the SAD.
|
||||
Flush the SAD entries.
|
||||
If with
|
||||
.Fl P ,
|
||||
the SPD are flushed.
|
||||
the SPD entries are flushed.
|
||||
.It Fl a
|
||||
.Nm
|
||||
usually do not display dead SAD entries on
|
||||
usually does not display dead SAD entries with
|
||||
.Fl D .
|
||||
With
|
||||
If with
|
||||
.Fl a ,
|
||||
dead SAD entries will be displayed as well.
|
||||
Dead SAD entries are kept in the kernel,
|
||||
when they are referenced from any of SPD entries in the kernel.
|
||||
the dead SAD entries will be displayed as well.
|
||||
A dead SAD entry means that
|
||||
it has been expired but remains
|
||||
because it is referenced by SPD entries.
|
||||
.It Fl d
|
||||
Enable debugging messages.
|
||||
Enable to print debugging messages for command parser,
|
||||
without talking to kernel. It is not used usually.
|
||||
.It Fl x
|
||||
Loop forever and dump all the messages transmitted to
|
||||
.Dv PF_KEY
|
||||
@@ -98,7 +103,6 @@ socket.
|
||||
Add hexadecimal dump on
|
||||
.Fl x
|
||||
mode.
|
||||
The order is significant.
|
||||
.It Fl l
|
||||
Loop forever with short output on
|
||||
.Fl D .
|
||||
@@ -111,10 +115,8 @@ including messages sent from other processes
|
||||
.Pc .
|
||||
.El
|
||||
.Pp
|
||||
Operation has the following grammar.
|
||||
Note that lines, that start with a
|
||||
hashmark ('#') are treated as comment lines.
|
||||
Description of meta-arguments follows.
|
||||
Operations have the following grammar. Note that lines starting with
|
||||
hashmarks ('#') are treated as comment lines.
|
||||
.Bl -tag -width Ds
|
||||
.It Xo
|
||||
.Li add
|
||||
@@ -123,51 +125,49 @@ Description of meta-arguments follows.
|
||||
.Ar algorithm...
|
||||
.Li ;
|
||||
.Xc
|
||||
Add a SAD entry.
|
||||
Add an SAD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li get
|
||||
.Ar src Ar dst Ar protocol Ar spi
|
||||
.Op Ar mode
|
||||
.Li ;
|
||||
.Xc
|
||||
Show a SAD entry.
|
||||
Show an SAD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li delete
|
||||
.Ar src Ar dst Ar protocol Ar spi
|
||||
.Op Ar mode
|
||||
.Li ;
|
||||
.Xc
|
||||
Remove a SAD entry.
|
||||
Remove an SAD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li flush
|
||||
.Op Ar protocol
|
||||
.Li ;
|
||||
.Xc
|
||||
Clear all SAD entries that matches the options.
|
||||
Clear all SAD entries matched by the options.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li dump
|
||||
.Op Ar protocol
|
||||
.Li ;
|
||||
.Xc
|
||||
Dumps all SAD entries that matches the options.
|
||||
Dumps all SAD entries matched by the options.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li spdadd
|
||||
.Ar src_range Ar dst_range Ar upperspec Ar policy
|
||||
.Li ;
|
||||
.Xc
|
||||
Add a SPD entry.
|
||||
Add an SPD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li spddelete
|
||||
.Ar src_range Ar dst_range Ar upperspec
|
||||
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
|
||||
.Li ;
|
||||
.Xc
|
||||
Delete a SPD entry.
|
||||
Delete an SPD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li spdflush
|
||||
@@ -215,8 +215,9 @@ IPCOMP
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar spi
|
||||
Security Parameter Index (SPI) for the SA and SPD.
|
||||
Security Parameter Index (SPI) for the SAD and the SPD.
|
||||
It must be decimal number or hexadecimal number
|
||||
You can not use the set of SPI values in the range 0 through 255.
|
||||
.Po
|
||||
with
|
||||
.Li 0x
|
||||
@@ -225,30 +226,40 @@ attached
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar extensions
|
||||
takes some of the following:
|
||||
.Bl -tag -width Fl -compact
|
||||
take some of the following:
|
||||
.Bl -tag -width Fl -compact
|
||||
.\"
|
||||
.It Fl m Ar mode
|
||||
Specify an security protocol mode for use. By default,
|
||||
.Li any .
|
||||
Specify a security protocol mode for use.
|
||||
.Ar mode
|
||||
is one of following:
|
||||
.Li transport , tunnel
|
||||
or
|
||||
.Li any .
|
||||
The default value is
|
||||
.Li any .
|
||||
.\"
|
||||
.It Fl r Ar size
|
||||
Specify window size of bytes for replay prevention.
|
||||
.Ar size
|
||||
must be decimal number in 32-bit word. If
|
||||
.Ar size
|
||||
is zero or not specified, replay check don't take place.
|
||||
.\"
|
||||
.It Fl u Ar id
|
||||
Specify the identifier of policy. See also
|
||||
.Xr ipsec_set_policy 3 .
|
||||
.\"
|
||||
.It Fl f Ar pad_option
|
||||
.Ar pad_option
|
||||
is one of following:
|
||||
.Li zero-pad , random-pad
|
||||
or
|
||||
.Li seq-pad
|
||||
.It Fl f Li cyclic-seq
|
||||
Allow cyclic sequence number.
|
||||
.\"
|
||||
.It Fl f Li nocyclic-seq
|
||||
Don't allow cyclic sequence number.
|
||||
.\"
|
||||
.It Fl lh Ar time
|
||||
.It Fl ls Ar time
|
||||
Specify hard/soft lifetime.
|
||||
@@ -256,7 +267,7 @@ Specify hard/soft lifetime.
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar algorithm
|
||||
.Bl -tag -width Fl -compact
|
||||
.Bl -tag -width Fl -compact
|
||||
.It Fl E Ar ealgo Ar key
|
||||
Specify encryption algorithm.
|
||||
.It Fl A Ar aalgo Ar key
|
||||
@@ -268,7 +279,7 @@ is used for esp, it will be treated as ESP payload authentication algorithm.
|
||||
Specify compression algorithm.
|
||||
If
|
||||
.Fl R
|
||||
is specified with
|
||||
is not specified with
|
||||
.Li ipcomp
|
||||
line, the kernel will use well-known IPComp CPI
|
||||
.Pq compression parameter index
|
||||
@@ -280,7 +291,7 @@ field is only for kernel internal use in this case.
|
||||
.\"Therefore, compression protocol number will appear on IPComp CPI field.
|
||||
If
|
||||
.Fl R
|
||||
is not used,
|
||||
is used,
|
||||
the value on
|
||||
.Ar spi
|
||||
field will appear on IPComp CPI field on outgoing packets.
|
||||
@@ -311,7 +322,7 @@ SAs accept
|
||||
only.
|
||||
.Pp
|
||||
.Ar key
|
||||
must be double-quoted character string or a series of hexadecimal digits.
|
||||
must be double-quoted character string or series of hexadecimal digits.
|
||||
.Pp
|
||||
Possible values for
|
||||
.Ar ealgo ,
|
||||
@@ -322,7 +333,7 @@ are specified in separate section.
|
||||
.\"
|
||||
.It Ar src_range
|
||||
.It Ar dst_range
|
||||
These are selection of the secure communication is specified as
|
||||
These are selections of the secure communication specified as
|
||||
IPv4/v6 address or IPv4/v6 address range, and it may accompany
|
||||
TCP/UDP port specification.
|
||||
This takes the following form:
|
||||
@@ -365,7 +376,7 @@ NOTE:
|
||||
.Ar upperspec
|
||||
does not work against forwarding case at this moment,
|
||||
as it requires extra reassembly at forwarding node
|
||||
.Pq not implemented as this moment .
|
||||
.Pq not implemented at this moment .
|
||||
.\"
|
||||
.It Ar policy
|
||||
.Ar policy
|
||||
@@ -427,15 +438,15 @@ is to be one of the following:
|
||||
or
|
||||
.Li require .
|
||||
.Li default
|
||||
means kernel consults to the system wide default against protocol you
|
||||
means the kernel consults to the system wide default against protocol you
|
||||
specified, e.g.
|
||||
.Li esp_trans_deflev
|
||||
sysctl variable, when kernel processes the packet.
|
||||
sysctl variable, when the kernel processes the packet.
|
||||
.Li use
|
||||
means that kernel use a SA if it's available,
|
||||
otherwise kernel keeps normal operation.
|
||||
means that the kernel use a SA if it's available,
|
||||
otherwise the kernel keeps normal operation.
|
||||
.Li require
|
||||
means SA is required whenever kernel deals with the packet.
|
||||
means SA is required whenever the kernel deals with the packet.
|
||||
Note that
|
||||
.Dq Li discard
|
||||
and
|
||||
@@ -456,7 +467,7 @@ The following list shows the supported algorithms.
|
||||
and
|
||||
.Sy algorithm
|
||||
are almost orthogonal.
|
||||
Following are the list of authentication algorithms that can be used as
|
||||
Followings are the list of authentication algorithms that can be used as
|
||||
.Ar aalgo
|
||||
in
|
||||
.Fl A Ar aalgo
|
||||
@@ -477,7 +488,7 @@ keyed-sha1 160 ah: 96bit ICV (no document)
|
||||
null 0 to 2048 for debugging
|
||||
.Ed
|
||||
.Pp
|
||||
Following are the list of encryption algorithms that can be used as
|
||||
Followings are the list of encryption algorithms that can be used as
|
||||
.Ar ealgo
|
||||
in
|
||||
.Fl E Ar ealgo
|
||||
@@ -497,7 +508,7 @@ des-deriv 64 ipsec-ciph-des-derived-01 (expired)
|
||||
3des-deriv 192 no document
|
||||
.Ed
|
||||
.Pp
|
||||
Following are the list of compression algorithms that can be used as
|
||||
Followings are the list of compression algorithms that can be used as
|
||||
.Ar calgo
|
||||
in
|
||||
.Fl C Ar calgo
|
||||
@@ -510,7 +521,7 @@ algorithm comment
|
||||
deflate rfc2394
|
||||
lzs rfc2395
|
||||
.Ed
|
||||
.\"
|
||||
.\"
|
||||
.Sh EXAMPLES
|
||||
.Bd -literal -offset
|
||||
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
|
||||
@@ -533,20 +544,18 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
|
||||
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
|
||||
|
||||
.Ed
|
||||
.\"
|
||||
.\"
|
||||
.Sh RETURN VALUES
|
||||
The command exits with 0 on success, and non-zero on errors.
|
||||
.\"
|
||||
.\"
|
||||
.Sh SEE ALSO
|
||||
.Xr ipsec_set_policy 3 ,
|
||||
.Xr sysctl 8
|
||||
.\"
|
||||
.\"
|
||||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
|
||||
The command was completely re-designed in June 1998.
|
||||
.Pp
|
||||
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
|
||||
was initially integrated into
|
||||
.Fx 4.0
|
||||
.\"
|
||||
.\" .Sh BUGS
|
||||
|
||||
+52
-40
@@ -1,7 +1,10 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: setkey.c,v 1.14 2000/06/10 06:47:09 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -13,7 +16,7 @@
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,10 +28,7 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
/* KAME $Id: setkey.c,v 1.5 1999/10/26 09:39:37 sakane Exp $ */
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
@@ -51,40 +51,42 @@
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
|
||||
void Usage __P((void));
|
||||
int main __P((int, char **));
|
||||
int get_supported __P((void));
|
||||
void sendkeyshort __P((u_int));
|
||||
void promisc __P((void));
|
||||
int sendkeymsg __P((void));
|
||||
int postproc __P((struct sadb_msg *, int));
|
||||
const char *numstr __P((int));
|
||||
void shortdump_hdr __P((void));
|
||||
void shortdump __P((struct sadb_msg *));
|
||||
#include "libpfkey.h"
|
||||
|
||||
void Usage __P((void));
|
||||
int main __P((int, char **));
|
||||
int get_supported __P((void));
|
||||
void sendkeyshort __P((u_int));
|
||||
void promisc __P((void));
|
||||
int sendkeymsg __P((void));
|
||||
int postproc __P((struct sadb_msg *, int));
|
||||
const char *numstr __P((int));
|
||||
void shortdump_hdr __P((void));
|
||||
void shortdump __P((struct sadb_msg *));
|
||||
|
||||
#define MODE_SCRIPT 1
|
||||
#define MODE_CMDDUMP 2
|
||||
#define MODE_CMDFLUSH 3
|
||||
#define MODE_PROMISC 4
|
||||
|
||||
int so;
|
||||
|
||||
int f_forever = 0;
|
||||
int f_all = 0;
|
||||
int f_debug = 0;
|
||||
int f_verbose = 0;
|
||||
int f_mode = 0;
|
||||
int f_cmddump = 0;
|
||||
int f_policy = 0;
|
||||
int f_promisc = 0;
|
||||
int f_hexdump = 0;
|
||||
char *pname;
|
||||
int f_forever = 0;
|
||||
int f_all = 0;
|
||||
int f_debug = 0;
|
||||
int f_verbose = 0;
|
||||
int f_mode = 0;
|
||||
int f_cmddump = 0;
|
||||
int f_policy = 0;
|
||||
int f_hexdump = 0;
|
||||
char *pname;
|
||||
|
||||
u_char m_buf[BUFSIZ];
|
||||
u_int m_len;
|
||||
u_char m_buf[BUFSIZ];
|
||||
u_int m_len;
|
||||
|
||||
extern int lineno;
|
||||
extern int lineno;
|
||||
|
||||
extern int parse __P((FILE **));
|
||||
extern int parse __P((FILE **));
|
||||
|
||||
void
|
||||
Usage()
|
||||
@@ -95,7 +97,7 @@ Usage()
|
||||
printf("\t%s [-Pdv] -F\n", pname);
|
||||
printf("\t%s [-h] -x\n", pname);
|
||||
pfkey_close(so);
|
||||
exit(0);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
@@ -139,9 +141,8 @@ main(ac, av)
|
||||
f_hexdump = 1;
|
||||
break;
|
||||
case 'x':
|
||||
f_promisc = 1;
|
||||
promisc();
|
||||
/*NOTREACHED*/
|
||||
f_mode = MODE_PROMISC;
|
||||
break;
|
||||
case 'P':
|
||||
f_policy = 1;
|
||||
break;
|
||||
@@ -170,10 +171,15 @@ main(ac, av)
|
||||
errx(-1, "%s", ipsec_strerror());
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
parse(&fp);
|
||||
if (parse(&fp))
|
||||
exit (1);
|
||||
break;
|
||||
case MODE_PROMISC:
|
||||
promisc();
|
||||
/*NOTREACHED*/
|
||||
default:
|
||||
Usage();
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
|
||||
exit(0);
|
||||
@@ -216,7 +222,6 @@ sendkeyshort(type)
|
||||
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
|
||||
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
|
||||
m_msg->sadb_msg_reserved = 0;
|
||||
m_msg->sadb_msg_reserved = 0;
|
||||
m_msg->sadb_msg_seq = 0;
|
||||
m_msg->sadb_msg_pid = getpid();
|
||||
|
||||
@@ -240,7 +245,6 @@ promisc()
|
||||
m_msg->sadb_msg_satype = 1;
|
||||
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
|
||||
m_msg->sadb_msg_reserved = 0;
|
||||
m_msg->sadb_msg_reserved = 0;
|
||||
m_msg->sadb_msg_seq = 0;
|
||||
m_msg->sadb_msg_pid = getpid();
|
||||
|
||||
@@ -325,8 +329,10 @@ sendkeymsg()
|
||||
if (f_forever)
|
||||
shortdump_hdr();
|
||||
again:
|
||||
if (f_verbose)
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)m_buf);
|
||||
printf("\n");
|
||||
}
|
||||
|
||||
if ((len = send(so, m_buf, m_len, 0)) < 0) {
|
||||
perror("send");
|
||||
@@ -345,8 +351,10 @@ sendkeymsg()
|
||||
break;
|
||||
}
|
||||
|
||||
if (f_verbose)
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)rbuf);
|
||||
printf("\n");
|
||||
}
|
||||
if (postproc(msg, len) < 0)
|
||||
break;
|
||||
} while (msg->sadb_msg_errno || msg->sadb_msg_seq);
|
||||
@@ -423,8 +431,10 @@ postproc(msg, len)
|
||||
pfkey_sadump(msg);
|
||||
msg = (struct sadb_msg *)((caddr_t)msg +
|
||||
PFKEY_UNUNIT64(msg->sadb_msg_len));
|
||||
if (f_verbose)
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)msg);
|
||||
printf("\n");
|
||||
}
|
||||
break;
|
||||
|
||||
case SADB_X_SPDDUMP:
|
||||
@@ -432,8 +442,10 @@ postproc(msg, len)
|
||||
if (msg->sadb_msg_seq == 0) break;
|
||||
msg = (struct sadb_msg *)((caddr_t)msg +
|
||||
PFKEY_UNUNIT64(msg->sadb_msg_len));
|
||||
if (f_verbose)
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)msg);
|
||||
printf("\n");
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
+83
-32
@@ -1,7 +1,10 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -13,7 +16,7 @@
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,10 +28,7 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
/* KAME $Id: test-pfkey.c,v 1.2 1999/10/26 08:09:17 itojun Exp $ */
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
@@ -47,23 +47,24 @@
|
||||
#include <ctype.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
|
||||
u_char m_buf[BUFSIZ];
|
||||
u_int m_len;
|
||||
char *pname;
|
||||
u_char m_buf[BUFSIZ];
|
||||
u_int m_len;
|
||||
char *pname;
|
||||
|
||||
void Usage __P((void));
|
||||
int sendkeymsg __P((void));
|
||||
void key_setsadbmsg __P((u_int));
|
||||
void key_setsadbsens __P((void));
|
||||
void key_setsadbprop __P((void));
|
||||
void key_setsadbid __P((u_int, caddr_t));
|
||||
void key_setsadblft __P((u_int, u_int));
|
||||
void key_setspirange __P((void));
|
||||
void key_setsadbkey __P((u_int, caddr_t));
|
||||
void key_setsadbsa __P((void));
|
||||
void key_setsadbaddr __P((u_int, u_int, caddr_t));
|
||||
void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
|
||||
void Usage __P((void));
|
||||
int sendkeymsg __P((void));
|
||||
void key_setsadbmsg __P((u_int));
|
||||
void key_setsadbsens __P((void));
|
||||
void key_setsadbprop __P((void));
|
||||
void key_setsadbid __P((u_int, caddr_t));
|
||||
void key_setsadblft __P((u_int, u_int));
|
||||
void key_setspirange __P((void));
|
||||
void key_setsadbkey __P((u_int, caddr_t));
|
||||
void key_setsadbsa __P((void));
|
||||
void key_setsadbaddr __P((u_int, u_int, caddr_t));
|
||||
void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
|
||||
|
||||
void
|
||||
Usage()
|
||||
@@ -98,6 +99,18 @@ sendkeymsg()
|
||||
perror("socket(PF_KEY)");
|
||||
goto end;
|
||||
}
|
||||
#if 0
|
||||
{
|
||||
#include <sys/time.h>
|
||||
struct timeval tv;
|
||||
tv.tv_sec = 1;
|
||||
tv.tv_usec = 0;
|
||||
if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
|
||||
perror("setsockopt");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
pfkey_sadump((struct sadb_msg *)m_buf);
|
||||
|
||||
@@ -124,11 +137,14 @@ key_setsadbmsg(type)
|
||||
{
|
||||
struct sadb_msg m_msg;
|
||||
|
||||
memset(&m_msg, 0, sizeof(m_msg));
|
||||
m_msg.sadb_msg_version = PF_KEY_V2;
|
||||
m_msg.sadb_msg_type = type;
|
||||
m_msg.sadb_msg_errno = 0;
|
||||
m_msg.sadb_msg_satype = SADB_SATYPE_ESP;
|
||||
#if 0
|
||||
m_msg.sadb_msg_reserved = 0;
|
||||
#endif
|
||||
m_msg.sadb_msg_seq = 0;
|
||||
m_msg.sadb_msg_pid = getpid();
|
||||
|
||||
@@ -223,6 +239,24 @@ key_setsadbmsg(type)
|
||||
break;
|
||||
|
||||
case SADB_X_SPDADD:
|
||||
#if 0
|
||||
{
|
||||
struct sadb_x_policy m_policy;
|
||||
|
||||
m_policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(m_policy));
|
||||
m_policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
|
||||
m_policy.sadb_x_policy_type = SADB_X_PL_IPSEC;
|
||||
m_policy.sadb_x_policy_esp_trans = 1;
|
||||
m_policy.sadb_x_policy_ah_trans = 2;
|
||||
m_policy.sadb_x_policy_esp_network = 3;
|
||||
m_policy.sadb_x_policy_ah_network = 4;
|
||||
m_policy.sadb_x_policy_reserved = 0;
|
||||
|
||||
memcpy(m_buf + m_len, &m_policy, sizeof(struct sadb_x_policy));
|
||||
m_len += sizeof(struct sadb_x_policy);
|
||||
}
|
||||
#endif
|
||||
|
||||
case SADB_X_SPDDELETE:
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
|
||||
@@ -437,32 +471,49 @@ key_setsadbaddr(ext, af, str)
|
||||
caddr_t str;
|
||||
{
|
||||
struct sadb_address m_addr;
|
||||
u_char abuf[64];
|
||||
struct sockaddr *a = (struct sockaddr *)abuf;
|
||||
u_int len;
|
||||
struct addrinfo hints, *res;
|
||||
const char *serv;
|
||||
int plen;
|
||||
|
||||
switch (af) {
|
||||
case AF_INET:
|
||||
plen = sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
case AF_INET6:
|
||||
plen = sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
default:
|
||||
/* XXX bark */
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* make sockaddr buffer */
|
||||
memset(abuf, 0, sizeof(abuf));
|
||||
a->sa_len = _SALENBYAF(af);
|
||||
a->sa_family = af;
|
||||
_INPORTBYSA(a) =
|
||||
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : htons(0x1234));
|
||||
if (inet_pton(af, str, _INADDRBYSA(a)) != 1)
|
||||
; /* XXX do something */
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = af;
|
||||
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
|
||||
hints.ai_flags = AI_NUMERICHOST;
|
||||
serv = (ext == SADB_EXT_ADDRESS_PROXY ? "0" : "4660"); /*0x1234*/
|
||||
if (getaddrinfo(str, serv, &hints, &res) != 0 || res->ai_next) {
|
||||
/* XXX bark */
|
||||
exit(1);
|
||||
}
|
||||
|
||||
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(a->sa_len);
|
||||
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(res->ai_addrlen);
|
||||
m_addr.sadb_address_len = PFKEY_UNIT64(len);
|
||||
m_addr.sadb_address_exttype = ext;
|
||||
m_addr.sadb_address_proto =
|
||||
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : IPPROTO_TCP);
|
||||
m_addr.sadb_address_prefixlen = _INALENBYAF(af);
|
||||
m_addr.sadb_address_prefixlen = plen;
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
key_setsadbextbuf(m_buf, m_len,
|
||||
(caddr_t)&m_addr, sizeof(struct sadb_address),
|
||||
abuf, a->sa_len);
|
||||
(caddr_t)res->ai_addr, res->ai_addrlen);
|
||||
m_len += len;
|
||||
|
||||
freeaddrinfo(res);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
+37
-44
@@ -1,7 +1,10 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: token.l,v 1.13 2000/06/07 00:29:14 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -13,7 +16,7 @@
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,8 +28,6 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
%{
|
||||
@@ -63,18 +64,19 @@
|
||||
|
||||
#define PREPROC DECHO CMDARG
|
||||
|
||||
int lineno = 1;
|
||||
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
|
||||
int lineno = 1;
|
||||
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
|
||||
|
||||
extern u_char m_buf[BUFSIZ];
|
||||
extern u_int m_len;
|
||||
extern int f_debug;
|
||||
extern u_char m_buf[BUFSIZ];
|
||||
extern u_int m_len;
|
||||
extern int f_debug;
|
||||
|
||||
int yylex __P((void));
|
||||
void yyerror __P((char *s));
|
||||
extern void parse_init __P((void));
|
||||
int parse __P((FILE **));
|
||||
int yyparse __P((void));
|
||||
int yylex __P((void));
|
||||
void yyfatal __P((const char *s));
|
||||
void yyerror __P((const char *s));
|
||||
extern void parse_init __P((void));
|
||||
int parse __P((FILE **));
|
||||
int yyparse __P((void));
|
||||
|
||||
%}
|
||||
|
||||
@@ -106,9 +108,7 @@ decstring {digit}+
|
||||
hexpair {hexdigit}{hexdigit}
|
||||
hexstring 0[xX]{hexdigit}+
|
||||
octetstring {octet}({dot}{octet})+
|
||||
ipaddress {ipv4addr}|{ipv6addr}
|
||||
ipv4addr {digit}{1,3}({dot}{digit}{1,3}){0,3}
|
||||
ipv6addr {hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}(%{letter}{letter}+)?
|
||||
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
|
||||
ipaddrmask {slash}{digit}{1,3}
|
||||
ipaddrport {blcl}{decstring}{elcl}
|
||||
keyword {letter}{letter}+
|
||||
@@ -186,11 +186,12 @@ lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
|
||||
{hyphen}m { PREPROC; return(F_MODE); }
|
||||
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
|
||||
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
|
||||
{hyphen}u { PREPROC; return(F_REQID); }
|
||||
{hyphen}f { PREPROC; return(F_EXT); }
|
||||
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
|
||||
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
|
||||
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
|
||||
cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
|
||||
nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
|
||||
{hyphen}r { PREPROC; return(F_REPLAY); }
|
||||
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
|
||||
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
|
||||
@@ -214,35 +215,17 @@ any { PREPROC; return(ANY); }
|
||||
char *bp;
|
||||
|
||||
PREPROC;
|
||||
yylval.num = strtol(yytext, &bp, 10);
|
||||
yylval.num = strtoul(yytext, &bp, 10);
|
||||
return(DECSTRING);
|
||||
}
|
||||
|
||||
{ipv4addr} {
|
||||
/*
|
||||
* I can't supprt the type without dot,
|
||||
* because it's umbiguous against {decstring}.
|
||||
* e.g. 127
|
||||
*/
|
||||
{ipaddress} {
|
||||
PREPROC;
|
||||
|
||||
yylval.val.len = sizeof(struct sockaddr_in);
|
||||
yylval.val.len = yyleng;
|
||||
yylval.val.buf = strdup(yytext);
|
||||
|
||||
return(IP4_ADDRESS);
|
||||
}
|
||||
|
||||
{ipv6addr} {
|
||||
#ifdef INET6
|
||||
PREPROC;
|
||||
|
||||
yylval.val.len = sizeof(struct sockaddr_in6);
|
||||
yylval.val.buf = strdup(yytext);
|
||||
|
||||
return(IP6_ADDRESS);
|
||||
#else
|
||||
yyerror("IPv6 address not supported");
|
||||
#endif
|
||||
return(ADDRESS);
|
||||
}
|
||||
|
||||
{ipaddrmask} {
|
||||
@@ -263,7 +246,6 @@ any { PREPROC; return(ANY); }
|
||||
}
|
||||
|
||||
{blcl}any{elcl} {
|
||||
char *p = yytext;
|
||||
PREPROC;
|
||||
return(PORTANY);
|
||||
}
|
||||
@@ -294,12 +276,24 @@ any { PREPROC; return(ANY); }
|
||||
return(QUOTEDSTRING);
|
||||
}
|
||||
|
||||
. { yyerror("Syntax error"); }
|
||||
. {
|
||||
yyfatal("Syntax error");
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
|
||||
%%
|
||||
|
||||
void
|
||||
yyerror(char *s)
|
||||
yyfatal(s)
|
||||
const char *s;
|
||||
{
|
||||
yyerror(s);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
void
|
||||
yyerror(s)
|
||||
const char *s;
|
||||
{
|
||||
printf("line %d: %s at [%s]\n", lineno, s, yytext);
|
||||
}
|
||||
@@ -319,4 +313,3 @@ parse(fp)
|
||||
|
||||
return(0);
|
||||
}
|
||||
|
||||
|
||||
+7
-6
@@ -1,7 +1,10 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: vchar.h,v 1.2 2000/06/07 00:29:14 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -13,7 +16,7 @@
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,11 +28,9 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
typedef struct {
|
||||
u_int len;
|
||||
caddr_t buf;
|
||||
u_int len;
|
||||
caddr_t buf;
|
||||
} vchar_t;
|
||||
|
||||
@@ -29,11 +29,18 @@
|
||||
PROG= setkey
|
||||
SRCS= setkey.c parse.y token.l
|
||||
CFLAGS+=-g
|
||||
CFLAGS+=-I${.CURDIR}/../../lib/libipsec
|
||||
DPADD= ${LIBL} ${LIBY}
|
||||
LDADD= -ll -ly
|
||||
CLEANFILES+= y.tab.c y.tab.h key_test.o keytest
|
||||
YFLAGS+=-d
|
||||
|
||||
# libpfkey.
|
||||
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
|
||||
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
|
||||
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
|
||||
CFLAGS+=-I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey
|
||||
|
||||
SCRIPTS= scriptdump
|
||||
|
||||
BINOWN = root
|
||||
|
||||
+269
-154
@@ -1,7 +1,10 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: parse.y,v 1.29 2000/06/10 14:17:44 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -13,7 +16,7 @@
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,10 +28,7 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
/* KAME $Id: parse.y,v 1.7 1999/10/27 17:08:57 sakane Exp $ */
|
||||
|
||||
%{
|
||||
#include <sys/types.h>
|
||||
@@ -45,48 +45,52 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
|
||||
#include "libpfkey.h"
|
||||
#include "vchar.h"
|
||||
|
||||
#define ATOX(c) \
|
||||
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
|
||||
|
||||
u_int p_type;
|
||||
u_int32_t p_spi;
|
||||
struct sockaddr *p_src, *p_dst;
|
||||
u_int p_prefs, p_prefd, p_upper;
|
||||
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
|
||||
u_int p_key_enc_len, p_key_auth_len;
|
||||
caddr_t p_key_enc, p_key_auth;
|
||||
time_t p_lt_hard, p_lt_soft;
|
||||
u_int p_type;
|
||||
u_int32_t p_spi;
|
||||
struct sockaddr *p_src, *p_dst;
|
||||
u_int p_prefs, p_prefd, p_upper;
|
||||
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
|
||||
u_int32_t p_reqid;
|
||||
u_int p_key_enc_len, p_key_auth_len;
|
||||
caddr_t p_key_enc, p_key_auth;
|
||||
time_t p_lt_hard, p_lt_soft;
|
||||
|
||||
u_int p_policy_len;
|
||||
char *p_policy;
|
||||
u_int p_policy_len;
|
||||
char *p_policy;
|
||||
|
||||
/* temporary buffer */
|
||||
static struct sockaddr *pp_addr;
|
||||
static u_int pp_prefix;
|
||||
static u_int pp_port;
|
||||
static caddr_t pp_key;
|
||||
static struct sockaddr *pp_addr;
|
||||
static u_int pp_prefix;
|
||||
static u_int pp_port;
|
||||
static caddr_t pp_key;
|
||||
|
||||
extern u_char m_buf[BUFSIZ];
|
||||
extern int m_len;
|
||||
extern char cmdarg[8192];
|
||||
extern int f_debug;
|
||||
extern u_char m_buf[BUFSIZ];
|
||||
extern int m_len;
|
||||
extern char cmdarg[8192];
|
||||
extern int f_debug;
|
||||
|
||||
int setkeymsg __P((void));
|
||||
static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
|
||||
void parse_init __P((void));
|
||||
void free_buffer __P((void));
|
||||
int setkeymsg __P((void));
|
||||
static struct addrinfo *parse_addr __P((char *, char *, int));
|
||||
static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
|
||||
void parse_init __P((void));
|
||||
void free_buffer __P((void));
|
||||
|
||||
extern int setkeymsg __P((void));
|
||||
extern int sendkeymsg __P((void));
|
||||
extern int setkeymsg __P((void));
|
||||
extern int sendkeymsg __P((void));
|
||||
|
||||
extern int yylex __P((void));
|
||||
extern void yyerror __P((char *));
|
||||
extern int yylex __P((void));
|
||||
extern void yyfatal __P((const char *));
|
||||
extern void yyerror __P((const char *));
|
||||
%}
|
||||
|
||||
%union {
|
||||
@@ -96,11 +100,11 @@ extern void yyerror __P((char *));
|
||||
|
||||
%token EOT
|
||||
%token ADD GET DELETE FLUSH DUMP
|
||||
%token IP4_ADDRESS IP6_ADDRESS PREFIX PORT PORTANY
|
||||
%token ADDRESS PREFIX PORT PORTANY
|
||||
%token UP_PROTO PR_ESP PR_AH PR_IPCOMP
|
||||
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
|
||||
%token F_MODE MODE
|
||||
%token F_EXT EXTENSION
|
||||
%token F_MODE MODE F_REQID
|
||||
%token F_EXT EXTENSION NOCYCLICSEQ
|
||||
%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
|
||||
%token F_LIFETIME_HARD F_LIFETIME_SOFT
|
||||
%token DECSTRING QUOTEDSTRING HEXSTRING ANY
|
||||
@@ -108,6 +112,14 @@ extern void yyerror __P((char *));
|
||||
%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
|
||||
%token F_POLICY PL_REQUESTS
|
||||
|
||||
%type <num> PORT PREFIX EXTENSION MODE
|
||||
%type <num> UP_PROTO PR_ESP PR_AH PR_IPCOMP
|
||||
%type <num> ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
|
||||
%type <num> DECSTRING
|
||||
%type <val> ADDRESS PL_REQUESTS
|
||||
%type <val> key_string policy_requests
|
||||
%type <val> QUOTEDSTRING HEXSTRING
|
||||
|
||||
%%
|
||||
commands
|
||||
: /*NOTHING*/
|
||||
@@ -146,13 +158,23 @@ add_command
|
||||
/* delete */
|
||||
delete_command
|
||||
: DELETE { p_type = SADB_DELETE; }
|
||||
sa_selector_spec extension_spec EOT
|
||||
sa_selector_spec extension_spec
|
||||
{
|
||||
if (p_mode != IPSEC_MODE_ANY)
|
||||
yyerror("WARNING: mode is obsoleted.");
|
||||
}
|
||||
EOT
|
||||
;
|
||||
|
||||
/* get command */
|
||||
get_command
|
||||
: GET { p_type = SADB_GET; }
|
||||
sa_selector_spec extension_spec EOT
|
||||
sa_selector_spec extension_spec
|
||||
{
|
||||
if (p_mode != IPSEC_MODE_ANY)
|
||||
yyerror("WARNING: mode is obsoleted.");
|
||||
}
|
||||
EOT
|
||||
;
|
||||
|
||||
/* flush */
|
||||
@@ -179,7 +201,7 @@ protocol_spec
|
||||
| PR_ESP
|
||||
{
|
||||
p_satype = SADB_SATYPE_ESP;
|
||||
if ($1.num == 1)
|
||||
if ($1 == 1)
|
||||
p_ext |= SADB_X_EXT_OLD;
|
||||
else
|
||||
p_ext &= ~SADB_X_EXT_OLD;
|
||||
@@ -187,7 +209,7 @@ protocol_spec
|
||||
| PR_AH
|
||||
{
|
||||
p_satype = SADB_SATYPE_AH;
|
||||
if ($1.num == 1)
|
||||
if ($1 == 1)
|
||||
p_ext |= SADB_X_EXT_OLD;
|
||||
else
|
||||
p_ext &= ~SADB_X_EXT_OLD;
|
||||
@@ -199,18 +221,18 @@ protocol_spec
|
||||
;
|
||||
|
||||
spi
|
||||
: DECSTRING { p_spi = $1.num; }
|
||||
: DECSTRING { p_spi = $1; }
|
||||
| HEXSTRING
|
||||
{
|
||||
caddr_t bp;
|
||||
caddr_t yp = $1.val.buf;
|
||||
caddr_t yp = $1.buf;
|
||||
char buf0[4], buf[4];
|
||||
int i, j;
|
||||
|
||||
/* sanity check */
|
||||
if ($1.val.len > 4) {
|
||||
if ($1.len > 4) {
|
||||
yyerror("SPI too big.");
|
||||
free($1.val.buf);
|
||||
free($1.buf);
|
||||
return -1;
|
||||
}
|
||||
|
||||
@@ -223,13 +245,13 @@ spi
|
||||
/* initialize */
|
||||
for (i = 0; i < 4; i++) buf[i] = 0;
|
||||
|
||||
for (j = $1.val.len - 1, i = 3; j >= 0; j--, i--)
|
||||
for (j = $1.len - 1, i = 3; j >= 0; j--, i--)
|
||||
buf[i] = buf0[j];
|
||||
|
||||
/* XXX: endian */
|
||||
p_spi = ntohl(*(u_int32_t *)buf);
|
||||
|
||||
free($1.val.buf);
|
||||
free($1.buf);
|
||||
}
|
||||
;
|
||||
|
||||
@@ -249,16 +271,16 @@ ah_spec
|
||||
;
|
||||
|
||||
ipcomp_spec
|
||||
: F_COMP ALG_COMP { p_alg_enc = $2.num; }
|
||||
| F_COMP ALG_COMP { p_alg_enc = $2.num; }
|
||||
: F_COMP ALG_COMP { p_alg_enc = $2; }
|
||||
| F_COMP ALG_COMP { p_alg_enc = $2; }
|
||||
F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; }
|
||||
;
|
||||
|
||||
enc_alg
|
||||
: ALG_ENC { p_alg_enc = $1.num; }
|
||||
: ALG_ENC { p_alg_enc = $1; }
|
||||
| ALG_ENC_DESDERIV
|
||||
{
|
||||
p_alg_enc = $1.num;
|
||||
p_alg_enc = $1;
|
||||
if (p_ext & SADB_X_EXT_OLD) {
|
||||
yyerror("algorithm mismatched.");
|
||||
return -1;
|
||||
@@ -267,7 +289,7 @@ enc_alg
|
||||
}
|
||||
| ALG_ENC_DES32IV
|
||||
{
|
||||
p_alg_enc = $1.num;
|
||||
p_alg_enc = $1;
|
||||
if (!(p_ext & SADB_X_EXT_OLD)) {
|
||||
yyerror("algorithm mismatched.");
|
||||
return -1;
|
||||
@@ -286,7 +308,7 @@ enc_key
|
||||
}
|
||||
| key_string
|
||||
{
|
||||
p_key_enc_len = $1.val.len;
|
||||
p_key_enc_len = $1.len;
|
||||
p_key_enc = pp_key;
|
||||
|
||||
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
|
||||
@@ -299,7 +321,7 @@ enc_key
|
||||
;
|
||||
|
||||
auth_alg
|
||||
: ALG_AUTH { p_alg_auth = $1.num; }
|
||||
: ALG_AUTH { p_alg_auth = $1; }
|
||||
;
|
||||
|
||||
auth_key
|
||||
@@ -312,7 +334,7 @@ auth_key
|
||||
}
|
||||
| key_string
|
||||
{
|
||||
p_key_auth_len = $1.val.len;
|
||||
p_key_auth_len = $1.len;
|
||||
p_key_auth = pp_key;
|
||||
|
||||
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
|
||||
@@ -327,20 +349,20 @@ auth_key
|
||||
key_string
|
||||
: QUOTEDSTRING
|
||||
{
|
||||
pp_key = $1.val.buf;
|
||||
pp_key = $1.buf;
|
||||
/* free pp_key later */
|
||||
}
|
||||
| HEXSTRING
|
||||
{
|
||||
caddr_t bp;
|
||||
caddr_t yp = $1.val.buf;
|
||||
caddr_t yp = $1.buf;
|
||||
|
||||
if ((pp_key = malloc($1.val.len)) == 0) {
|
||||
free($1.val.buf);
|
||||
yyerror(strerror(errno));
|
||||
if ((pp_key = malloc($1.len)) == 0) {
|
||||
free($1.buf);
|
||||
yyerror("not enough core");
|
||||
return -1;
|
||||
}
|
||||
memset(pp_key, 0, $1.val.len);
|
||||
memset(pp_key, 0, $1.len);
|
||||
|
||||
bp = pp_key;
|
||||
while (*yp) {
|
||||
@@ -348,7 +370,7 @@ key_string
|
||||
yp += 2, bp++;
|
||||
}
|
||||
|
||||
free($1.val.buf);
|
||||
free($1.buf);
|
||||
}
|
||||
;
|
||||
|
||||
@@ -358,9 +380,11 @@ extension_spec
|
||||
;
|
||||
|
||||
extension
|
||||
: F_EXT EXTENSION { p_ext |= $1.num; }
|
||||
| F_MODE MODE { p_mode = $2.num; }
|
||||
: F_EXT EXTENSION { p_ext |= $2; }
|
||||
| F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
|
||||
| F_MODE MODE { p_mode = $2; }
|
||||
| F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
|
||||
| F_REQID DECSTRING { p_reqid = $2; }
|
||||
| F_REPLAY DECSTRING
|
||||
{
|
||||
if (p_ext & SADB_X_EXT_OLD) {
|
||||
@@ -368,10 +392,10 @@ extension
|
||||
"only use on new spec.");
|
||||
return -1;
|
||||
}
|
||||
p_replay = $2.num;
|
||||
p_replay = $2;
|
||||
}
|
||||
| F_LIFETIME_HARD DECSTRING { p_lt_hard = $2.num; }
|
||||
| F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2.num; }
|
||||
| F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
|
||||
| F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
|
||||
;
|
||||
|
||||
/* definition about command for SPD management */
|
||||
@@ -391,7 +415,7 @@ spddelete_command:
|
||||
p_type = SADB_X_SPDDELETE;
|
||||
p_satype = SADB_SATYPE_UNSPEC;
|
||||
}
|
||||
sp_selector_spec EOT
|
||||
sp_selector_spec policy_spec EOT
|
||||
;
|
||||
|
||||
spddump_command:
|
||||
@@ -416,97 +440,107 @@ spdflush_command:
|
||||
sp_selector_spec
|
||||
: ipaddress { p_src = pp_addr; }
|
||||
prefix { p_prefs = pp_prefix; }
|
||||
port { _INPORTBYSA(p_src) = htons(pp_port); }
|
||||
port
|
||||
{
|
||||
switch (p_src->sa_family) {
|
||||
case AF_INET:
|
||||
((struct sockaddr_in *)p_src)->sin_port =
|
||||
htons(pp_port);
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
((struct sockaddr_in6 *)p_src)->sin6_port =
|
||||
htons(pp_port);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
}
|
||||
ipaddress { p_dst = pp_addr; }
|
||||
prefix { p_prefd = pp_prefix; }
|
||||
port { _INPORTBYSA(p_dst) = htons(pp_port); }
|
||||
port
|
||||
{
|
||||
switch (p_dst->sa_family) {
|
||||
case AF_INET:
|
||||
((struct sockaddr_in *)p_dst)->sin_port =
|
||||
htons(pp_port);
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
((struct sockaddr_in6 *)p_dst)->sin6_port =
|
||||
htons(pp_port);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
}
|
||||
upper_spec
|
||||
{
|
||||
/* XXX is it something userland should check? */
|
||||
#if 0
|
||||
switch (p_upper) {
|
||||
case IPPROTO_ICMP:
|
||||
case IPPROTO_ICMPV6:
|
||||
if (_INPORTBYSA(p_src) != IPSEC_PORT_ANY
|
||||
|| _INPORTBYSA(p_dst) != IPSEC_PORT_ANY) {
|
||||
yyerror("port number must be \"any\".");
|
||||
return -1;
|
||||
}
|
||||
if ((pp_addr->sa_family == AF_INET6
|
||||
&& p_upper == IPPROTO_ICMP)
|
||||
|| (pp_addr->sa_family == AF_INET
|
||||
&& p_upper == IPPROTO_ICMPV6)) {
|
||||
yyerror("upper layer protocol "
|
||||
"mismatched.\n");
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
;
|
||||
|
||||
ipaddress
|
||||
: IP4_ADDRESS
|
||||
: ADDRESS
|
||||
{
|
||||
struct sockaddr_in *in;
|
||||
u_int sa_len = $1.val.len;
|
||||
struct addrinfo *res;
|
||||
|
||||
if ((in = (struct sockaddr_in *)malloc(sa_len)) == 0) {
|
||||
yyerror(strerror(errno));
|
||||
free($1.val.buf);
|
||||
res = parse_addr($1.buf, NULL, AI_NUMERICHOST);
|
||||
if (res == NULL) {
|
||||
free($1.buf);
|
||||
return -1;
|
||||
}
|
||||
memset((caddr_t)in, 0, sa_len);
|
||||
|
||||
in->sin_family = PF_INET;
|
||||
in->sin_len = sa_len;
|
||||
in->sin_port = IPSEC_PORT_ANY;
|
||||
(void)inet_pton(PF_INET, $1.val.buf, &in->sin_addr);
|
||||
|
||||
pp_addr = (struct sockaddr *)in;
|
||||
free($1.val.buf);
|
||||
}
|
||||
| IP6_ADDRESS
|
||||
{
|
||||
#ifdef INET6
|
||||
struct sockaddr_in6 *in6;
|
||||
u_int sa_len = $1.val.len;
|
||||
struct addrinfo hints, *res;
|
||||
int ret_gai;
|
||||
|
||||
if ((in6 = (struct sockaddr_in6 *)malloc(sa_len)) == 0) {
|
||||
free($1.val.buf);
|
||||
yyerror(strerror(errno));
|
||||
return -1;
|
||||
pp_addr = (struct sockaddr *)malloc(res->ai_addrlen);
|
||||
if (!pp_addr) {
|
||||
yyerror("not enough core");
|
||||
goto end;
|
||||
}
|
||||
memset((caddr_t)in6, 0, sa_len);
|
||||
|
||||
bzero(&hints, sizeof(struct addrinfo));
|
||||
hints.ai_flags = AI_NUMERICHOST;
|
||||
hints.ai_family = AF_INET6;
|
||||
ret_gai = getaddrinfo($1.val.buf, NULL, &hints, &res);
|
||||
if (ret_gai) {
|
||||
free($1.val.buf);
|
||||
free(in6);
|
||||
yyerror(gai_strerror(ret_gai));
|
||||
if (ret_gai == EAI_SYSTEM)
|
||||
yyerror(strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
(void)memcpy(in6, res->ai_addr, res->ai_addrlen);
|
||||
|
||||
/*
|
||||
* XXX: If the scope of the destination is link-local,
|
||||
* embed the scope-id(in this case, interface index)
|
||||
* into the address.
|
||||
*/
|
||||
if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr) &&
|
||||
in6->sin6_scope_id != 0)
|
||||
*(u_short *)&in6->sin6_addr.s6_addr[2] =
|
||||
htons(in6->sin6_scope_id & 0xffff);
|
||||
|
||||
memcpy(pp_addr, res->ai_addr, res->ai_addrlen);
|
||||
end:
|
||||
freeaddrinfo(res);
|
||||
|
||||
pp_addr = (struct sockaddr *)in6;
|
||||
#else
|
||||
yyerror("IPv6 address not supported");
|
||||
#endif
|
||||
free($1.val.buf);
|
||||
free($1.buf);
|
||||
}
|
||||
;
|
||||
|
||||
prefix
|
||||
: /*NOTHING*/ { pp_prefix = ~0; }
|
||||
| PREFIX { pp_prefix = $1.num; }
|
||||
| PREFIX { pp_prefix = $1; }
|
||||
;
|
||||
|
||||
port
|
||||
: /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; }
|
||||
| PORT { pp_port = $1.num; }
|
||||
| PORT { pp_port = $1; }
|
||||
| PORTANY { pp_port = IPSEC_PORT_ANY; }
|
||||
;
|
||||
|
||||
upper_spec
|
||||
: DECSTRING { p_upper = $1.num; }
|
||||
| UP_PROTO { p_upper = $1.num; }
|
||||
: DECSTRING { p_upper = $1; }
|
||||
| UP_PROTO { p_upper = $1; }
|
||||
| PR_ESP { p_upper = IPPROTO_ESP; };
|
||||
| PR_AH { p_upper = IPPROTO_AH; };
|
||||
| PR_IPCOMP { p_upper = IPPROTO_IPCOMP; };
|
||||
@@ -516,9 +550,9 @@ upper_spec
|
||||
policy_spec
|
||||
: F_POLICY policy_requests
|
||||
{
|
||||
p_policy = ipsec_set_policy($2.val.buf, $2.val.len);
|
||||
p_policy = ipsec_set_policy($2.buf, $2.len);
|
||||
if (p_policy == NULL) {
|
||||
free($2.val.buf);
|
||||
free($2.buf);
|
||||
p_policy = NULL;
|
||||
yyerror(ipsec_strerror());
|
||||
return -1;
|
||||
@@ -526,13 +560,12 @@ policy_spec
|
||||
|
||||
p_policy_len = ipsec_get_policylen(p_policy);
|
||||
|
||||
free($2.val.buf);
|
||||
free($2.buf);
|
||||
}
|
||||
;
|
||||
|
||||
policy_requests:
|
||||
/*NOTHING*/
|
||||
| PL_REQUESTS { $$ = $1; }
|
||||
policy_requests
|
||||
: PL_REQUESTS { $$ = $1; }
|
||||
;
|
||||
|
||||
%%
|
||||
@@ -546,7 +579,6 @@ setkeymsg()
|
||||
m_msg.sadb_msg_type = p_type;
|
||||
m_msg.sadb_msg_errno = 0;
|
||||
m_msg.sadb_msg_satype = p_satype;
|
||||
m_msg.sadb_msg_mode = p_mode;
|
||||
m_msg.sadb_msg_reserved = 0;
|
||||
m_msg.sadb_msg_seq = 0;
|
||||
m_msg.sadb_msg_pid = getpid();
|
||||
@@ -629,6 +661,7 @@ setkeymsg()
|
||||
case SADB_GET:
|
||||
{
|
||||
struct sadb_sa m_sa;
|
||||
struct sadb_x_sa2 m_sa2;
|
||||
struct sadb_address m_addr;
|
||||
u_int len;
|
||||
|
||||
@@ -645,14 +678,36 @@ setkeymsg()
|
||||
memcpy(m_buf + m_len, &m_sa, len);
|
||||
m_len += len;
|
||||
|
||||
len = sizeof(struct sadb_x_sa2);
|
||||
m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
|
||||
m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
|
||||
m_sa2.sadb_x_sa2_mode = p_mode;
|
||||
m_sa2.sadb_x_sa2_reqid = p_reqid;
|
||||
|
||||
memcpy(m_buf + m_len, &m_sa2, len);
|
||||
m_len += len;
|
||||
|
||||
/* set src */
|
||||
m_addr.sadb_address_len =
|
||||
PFKEY_UNIT64(sizeof(m_addr)
|
||||
+ PFKEY_ALIGN8(p_src->sa_len));
|
||||
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
|
||||
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
|
||||
m_addr.sadb_address_prefixlen =
|
||||
_INALENBYAF(p_src->sa_family) << 3;
|
||||
switch (p_src->sa_family) {
|
||||
case AF_INET:
|
||||
m_addr.sadb_address_prefixlen =
|
||||
sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
m_addr.sadb_address_prefixlen =
|
||||
sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
yyerror("unsupported address family");
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
setvarbuf(&m_len,
|
||||
@@ -665,8 +720,21 @@ setkeymsg()
|
||||
+ PFKEY_ALIGN8(p_dst->sa_len));
|
||||
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
|
||||
m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
|
||||
m_addr.sadb_address_prefixlen =
|
||||
_INALENBYAF(p_dst->sa_family) << 3;
|
||||
switch (p_dst->sa_family) {
|
||||
case AF_INET:
|
||||
m_addr.sadb_address_prefixlen =
|
||||
sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
m_addr.sadb_address_prefixlen =
|
||||
sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
yyerror("unsupported address family");
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
setvarbuf(&m_len,
|
||||
@@ -681,17 +749,15 @@ setkeymsg()
|
||||
break;
|
||||
|
||||
case SADB_X_SPDADD:
|
||||
case SADB_X_SPDDELETE:
|
||||
{
|
||||
struct sadb_address m_addr;
|
||||
u_int8_t plen;
|
||||
|
||||
memcpy(m_buf + m_len, p_policy, p_policy_len);
|
||||
m_len += p_policy_len;
|
||||
free(p_policy);
|
||||
p_policy = NULL;
|
||||
}
|
||||
/* FALLTHROUGH */
|
||||
|
||||
case SADB_X_SPDDELETE:
|
||||
{
|
||||
struct sadb_address m_addr;
|
||||
|
||||
/* set src */
|
||||
m_addr.sadb_address_len =
|
||||
@@ -699,9 +765,21 @@ setkeymsg()
|
||||
+ PFKEY_ALIGN8(p_src->sa_len));
|
||||
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
|
||||
m_addr.sadb_address_proto = p_upper;
|
||||
switch (p_src->sa_family) {
|
||||
case AF_INET:
|
||||
plen = sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
plen = sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
yyerror("unsupported address family");
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
m_addr.sadb_address_prefixlen =
|
||||
(p_prefs != ~0 ? p_prefs :
|
||||
_INALENBYAF(p_src->sa_family) << 3);
|
||||
(p_prefs != ~0 ? p_prefs : plen);
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
setvarbuf(&m_len,
|
||||
@@ -714,9 +792,21 @@ setkeymsg()
|
||||
+ PFKEY_ALIGN8(p_dst->sa_len));
|
||||
m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
|
||||
m_addr.sadb_address_proto = p_upper;
|
||||
switch (p_dst->sa_family) {
|
||||
case AF_INET:
|
||||
plen = sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
plen = sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
yyerror("unsupported address family");
|
||||
exit(1); /*XXX*/
|
||||
}
|
||||
m_addr.sadb_address_prefixlen =
|
||||
(p_prefd != ~0 ? p_prefd :
|
||||
_INALENBYAF(p_dst->sa_family) << 3);
|
||||
(p_prefd != ~0 ? p_prefd : plen);
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
setvarbuf(&m_len,
|
||||
@@ -731,6 +821,30 @@ setkeymsg()
|
||||
return 0;
|
||||
}
|
||||
|
||||
static struct addrinfo *
|
||||
parse_addr(host, port, flag)
|
||||
char *host;
|
||||
char *port;
|
||||
int flag;
|
||||
{
|
||||
struct addrinfo hints, *res = NULL;
|
||||
int error;
|
||||
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = PF_UNSPEC;
|
||||
hints.ai_socktype = SOCK_DGRAM;
|
||||
hints.ai_flags = flag;
|
||||
error = getaddrinfo(host, port, &hints, &res);
|
||||
if (error != 0) {
|
||||
yyerror(gai_strerror(error));
|
||||
return NULL;
|
||||
}
|
||||
if (res->ai_next != NULL) {
|
||||
yyerror(gai_strerror(error));
|
||||
}
|
||||
return res;
|
||||
}
|
||||
|
||||
static int
|
||||
setvarbuf(off, ebuf, elen, vbuf, vlen)
|
||||
caddr_t vbuf;
|
||||
@@ -757,11 +871,12 @@ parse_init()
|
||||
p_upper = 0;
|
||||
|
||||
p_satype = 0;
|
||||
p_ext = SADB_X_EXT_NONE;
|
||||
p_ext = SADB_X_EXT_CYCSEQ;
|
||||
p_alg_enc = SADB_EALG_NONE;
|
||||
p_alg_auth = SADB_AALG_NONE;
|
||||
p_mode = IPSEC_MODE_ANY;
|
||||
p_replay = 4;
|
||||
p_reqid = 0;
|
||||
p_replay = 0;
|
||||
p_key_enc_len = p_key_auth_len = 0;
|
||||
p_key_enc = p_key_auth = 0;
|
||||
p_lt_hard = p_lt_soft = 0;
|
||||
|
||||
@@ -170,7 +170,7 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
|
||||
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
||||
|
||||
# Also delete command, you can delete a entry of either SP or SA.
|
||||
spddelete out fec0:0:0:1::/64 fec0:0:0:2:/64 any ;
|
||||
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
|
||||
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
||||
|
||||
# By dump command, you can dump all entry of either SP or SA.
|
||||
@@ -204,7 +204,7 @@ add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
|
||||
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
|
||||
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
|
||||
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
|
||||
add ::1 ::1 esp 10017 -m transport -f seq-pad -f cyclic-seq -E simple ;
|
||||
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ;
|
||||
add ::1 ::1 esp 10018 -m transport -E simple ;
|
||||
#add ::1 ::1 ah 20000 -m transport -A null ;
|
||||
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
|
||||
|
||||
@@ -20,8 +20,8 @@ open(IN, "setkey -D |") || die;
|
||||
foreach $_ (<IN>) {
|
||||
if (/^[^\t]/) {
|
||||
($src, $dst) = split(/\s+/, $_);
|
||||
} elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*replay=(\d+)/) {
|
||||
($proto, $ipsecmode, $spi, $replay) = ($1, $2, $3, $4);
|
||||
} elsif (/^\t(esp|ah) mode=(\S+) spi=(\d+).*reqid=(\d+)/) {
|
||||
($proto, $ipsecmode, $spi, $reqid) = ($1, $2, $3, $4);
|
||||
} elsif (/^\tE: (\S+) (.*)/) {
|
||||
$ealgo = $1;
|
||||
$ekey = $2;
|
||||
@@ -32,17 +32,19 @@ foreach $_ (<IN>) {
|
||||
$akey = $2;
|
||||
$akey =~ s/\s//g;
|
||||
$akey =~ s/^/0x/g;
|
||||
} elsif (/^\tstate=/) {
|
||||
} elsif (/^\treplay=(\d+) flags=(0x\d+) state=/) {
|
||||
print "$mode $src $dst $proto $spi -m $ipsecmode";
|
||||
print " -r $replay" if $replay;
|
||||
$replay = $1;
|
||||
print " -u $reqid" if $reqid;
|
||||
if ($mode eq 'add') {
|
||||
print " -r $replay" if $replay;
|
||||
if ($proto eq 'esp') {
|
||||
print " -E $ealgo $ekey" if $ealgo;
|
||||
print " -A $aalgo $akey" if $aalgo;
|
||||
} elsif ($proto eq 'ah') {
|
||||
print " -A $aalgo $akey" if $aalgo;
|
||||
}
|
||||
}
|
||||
}
|
||||
print ";\n";
|
||||
|
||||
$src = $dst = $upper = $proxy = '';
|
||||
|
||||
+73
-64
@@ -1,6 +1,9 @@
|
||||
.\" $FreeBSD$
|
||||
.\" $KAME: setkey.8,v 1.28 2000/06/16 12:03:46 sakane Exp $
|
||||
.\"
|
||||
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
@@ -12,7 +15,7 @@
|
||||
.\" 3. Neither the name of the project nor the names of its contributors
|
||||
.\" may be used to endorse or promote products derived from this software
|
||||
.\" without specific prior written permission.
|
||||
.\"
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,15 +28,14 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $Id: setkey.8,v 1.14 1999/10/27 17:08:58 sakane Exp $
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd May 17, 1998
|
||||
.Dt SETKEY 8
|
||||
.Os
|
||||
.Os KAME
|
||||
.\"
|
||||
.Sh NAME
|
||||
.Nm setkey
|
||||
.Nd manually manipulate the SA/SP database.
|
||||
.Nd manually manipulate the IPsec SA/SP database.
|
||||
.\"
|
||||
.Sh SYNOPSIS
|
||||
.Nm setkey
|
||||
.Op Fl dv
|
||||
@@ -50,19 +52,20 @@
|
||||
.Nm setkey
|
||||
.Op Fl h
|
||||
.Fl x
|
||||
.\"
|
||||
.\"
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
updates, or lists the content of, Security Association Database (SAD) entries
|
||||
in the kernel as well as Security Policy Database (SPD) entries.
|
||||
addes, updates, dumpes, or flushes
|
||||
Security Association Database (SAD) entries
|
||||
as well as Security Policy Database (SPD) entries in the kernel.
|
||||
.Pp
|
||||
.Nm
|
||||
takes a series of operation from standard input
|
||||
takes a series of operations from the standard input
|
||||
.Po
|
||||
if invoked with
|
||||
.Fl c
|
||||
.Pc
|
||||
or file named
|
||||
or the file named
|
||||
.Ar filename
|
||||
.Po
|
||||
if invoked with
|
||||
@@ -75,21 +78,23 @@ If with
|
||||
.Fl P ,
|
||||
the SPD entries are dumped.
|
||||
.It Fl F
|
||||
Flush the SAD.
|
||||
Flush the SAD entries.
|
||||
If with
|
||||
.Fl P ,
|
||||
the SPD are flushed.
|
||||
the SPD entries are flushed.
|
||||
.It Fl a
|
||||
.Nm
|
||||
usually do not display dead SAD entries on
|
||||
usually does not display dead SAD entries with
|
||||
.Fl D .
|
||||
With
|
||||
If with
|
||||
.Fl a ,
|
||||
dead SAD entries will be displayed as well.
|
||||
Dead SAD entries are kept in the kernel,
|
||||
when they are referenced from any of SPD entries in the kernel.
|
||||
the dead SAD entries will be displayed as well.
|
||||
A dead SAD entry means that
|
||||
it has been expired but remains
|
||||
because it is referenced by SPD entries.
|
||||
.It Fl d
|
||||
Enable debugging messages.
|
||||
Enable to print debugging messages for command parser,
|
||||
without talking to kernel. It is not used usually.
|
||||
.It Fl x
|
||||
Loop forever and dump all the messages transmitted to
|
||||
.Dv PF_KEY
|
||||
@@ -98,7 +103,6 @@ socket.
|
||||
Add hexadecimal dump on
|
||||
.Fl x
|
||||
mode.
|
||||
The order is significant.
|
||||
.It Fl l
|
||||
Loop forever with short output on
|
||||
.Fl D .
|
||||
@@ -111,10 +115,8 @@ including messages sent from other processes
|
||||
.Pc .
|
||||
.El
|
||||
.Pp
|
||||
Operation has the following grammar.
|
||||
Note that lines, that start with a
|
||||
hashmark ('#') are treated as comment lines.
|
||||
Description of meta-arguments follows.
|
||||
Operations have the following grammar. Note that lines starting with
|
||||
hashmarks ('#') are treated as comment lines.
|
||||
.Bl -tag -width Ds
|
||||
.It Xo
|
||||
.Li add
|
||||
@@ -123,51 +125,49 @@ Description of meta-arguments follows.
|
||||
.Ar algorithm...
|
||||
.Li ;
|
||||
.Xc
|
||||
Add a SAD entry.
|
||||
Add an SAD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li get
|
||||
.Ar src Ar dst Ar protocol Ar spi
|
||||
.Op Ar mode
|
||||
.Li ;
|
||||
.Xc
|
||||
Show a SAD entry.
|
||||
Show an SAD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li delete
|
||||
.Ar src Ar dst Ar protocol Ar spi
|
||||
.Op Ar mode
|
||||
.Li ;
|
||||
.Xc
|
||||
Remove a SAD entry.
|
||||
Remove an SAD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li flush
|
||||
.Op Ar protocol
|
||||
.Li ;
|
||||
.Xc
|
||||
Clear all SAD entries that matches the options.
|
||||
Clear all SAD entries matched by the options.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li dump
|
||||
.Op Ar protocol
|
||||
.Li ;
|
||||
.Xc
|
||||
Dumps all SAD entries that matches the options.
|
||||
Dumps all SAD entries matched by the options.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li spdadd
|
||||
.Ar src_range Ar dst_range Ar upperspec Ar policy
|
||||
.Li ;
|
||||
.Xc
|
||||
Add a SPD entry.
|
||||
Add an SPD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li spddelete
|
||||
.Ar src_range Ar dst_range Ar upperspec
|
||||
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
|
||||
.Li ;
|
||||
.Xc
|
||||
Delete a SPD entry.
|
||||
Delete an SPD entry.
|
||||
.\"
|
||||
.It Xo
|
||||
.Li spdflush
|
||||
@@ -215,8 +215,9 @@ IPCOMP
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar spi
|
||||
Security Parameter Index (SPI) for the SA and SPD.
|
||||
Security Parameter Index (SPI) for the SAD and the SPD.
|
||||
It must be decimal number or hexadecimal number
|
||||
You can not use the set of SPI values in the range 0 through 255.
|
||||
.Po
|
||||
with
|
||||
.Li 0x
|
||||
@@ -225,30 +226,40 @@ attached
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar extensions
|
||||
takes some of the following:
|
||||
.Bl -tag -width Fl -compact
|
||||
take some of the following:
|
||||
.Bl -tag -width Fl -compact
|
||||
.\"
|
||||
.It Fl m Ar mode
|
||||
Specify an security protocol mode for use. By default,
|
||||
.Li any .
|
||||
Specify a security protocol mode for use.
|
||||
.Ar mode
|
||||
is one of following:
|
||||
.Li transport , tunnel
|
||||
or
|
||||
.Li any .
|
||||
The default value is
|
||||
.Li any .
|
||||
.\"
|
||||
.It Fl r Ar size
|
||||
Specify window size of bytes for replay prevention.
|
||||
.Ar size
|
||||
must be decimal number in 32-bit word. If
|
||||
.Ar size
|
||||
is zero or not specified, replay check don't take place.
|
||||
.\"
|
||||
.It Fl u Ar id
|
||||
Specify the identifier of policy. See also
|
||||
.Xr ipsec_set_policy 3 .
|
||||
.\"
|
||||
.It Fl f Ar pad_option
|
||||
.Ar pad_option
|
||||
is one of following:
|
||||
.Li zero-pad , random-pad
|
||||
or
|
||||
.Li seq-pad
|
||||
.It Fl f Li cyclic-seq
|
||||
Allow cyclic sequence number.
|
||||
.\"
|
||||
.It Fl f Li nocyclic-seq
|
||||
Don't allow cyclic sequence number.
|
||||
.\"
|
||||
.It Fl lh Ar time
|
||||
.It Fl ls Ar time
|
||||
Specify hard/soft lifetime.
|
||||
@@ -256,7 +267,7 @@ Specify hard/soft lifetime.
|
||||
.\"
|
||||
.Pp
|
||||
.It Ar algorithm
|
||||
.Bl -tag -width Fl -compact
|
||||
.Bl -tag -width Fl -compact
|
||||
.It Fl E Ar ealgo Ar key
|
||||
Specify encryption algorithm.
|
||||
.It Fl A Ar aalgo Ar key
|
||||
@@ -268,7 +279,7 @@ is used for esp, it will be treated as ESP payload authentication algorithm.
|
||||
Specify compression algorithm.
|
||||
If
|
||||
.Fl R
|
||||
is specified with
|
||||
is not specified with
|
||||
.Li ipcomp
|
||||
line, the kernel will use well-known IPComp CPI
|
||||
.Pq compression parameter index
|
||||
@@ -280,7 +291,7 @@ field is only for kernel internal use in this case.
|
||||
.\"Therefore, compression protocol number will appear on IPComp CPI field.
|
||||
If
|
||||
.Fl R
|
||||
is not used,
|
||||
is used,
|
||||
the value on
|
||||
.Ar spi
|
||||
field will appear on IPComp CPI field on outgoing packets.
|
||||
@@ -311,7 +322,7 @@ SAs accept
|
||||
only.
|
||||
.Pp
|
||||
.Ar key
|
||||
must be double-quoted character string or a series of hexadecimal digits.
|
||||
must be double-quoted character string or series of hexadecimal digits.
|
||||
.Pp
|
||||
Possible values for
|
||||
.Ar ealgo ,
|
||||
@@ -322,7 +333,7 @@ are specified in separate section.
|
||||
.\"
|
||||
.It Ar src_range
|
||||
.It Ar dst_range
|
||||
These are selection of the secure communication is specified as
|
||||
These are selections of the secure communication specified as
|
||||
IPv4/v6 address or IPv4/v6 address range, and it may accompany
|
||||
TCP/UDP port specification.
|
||||
This takes the following form:
|
||||
@@ -365,7 +376,7 @@ NOTE:
|
||||
.Ar upperspec
|
||||
does not work against forwarding case at this moment,
|
||||
as it requires extra reassembly at forwarding node
|
||||
.Pq not implemented as this moment .
|
||||
.Pq not implemented at this moment .
|
||||
.\"
|
||||
.It Ar policy
|
||||
.Ar policy
|
||||
@@ -427,15 +438,15 @@ is to be one of the following:
|
||||
or
|
||||
.Li require .
|
||||
.Li default
|
||||
means kernel consults to the system wide default against protocol you
|
||||
means the kernel consults to the system wide default against protocol you
|
||||
specified, e.g.
|
||||
.Li esp_trans_deflev
|
||||
sysctl variable, when kernel processes the packet.
|
||||
sysctl variable, when the kernel processes the packet.
|
||||
.Li use
|
||||
means that kernel use a SA if it's available,
|
||||
otherwise kernel keeps normal operation.
|
||||
means that the kernel use a SA if it's available,
|
||||
otherwise the kernel keeps normal operation.
|
||||
.Li require
|
||||
means SA is required whenever kernel deals with the packet.
|
||||
means SA is required whenever the kernel deals with the packet.
|
||||
Note that
|
||||
.Dq Li discard
|
||||
and
|
||||
@@ -456,7 +467,7 @@ The following list shows the supported algorithms.
|
||||
and
|
||||
.Sy algorithm
|
||||
are almost orthogonal.
|
||||
Following are the list of authentication algorithms that can be used as
|
||||
Followings are the list of authentication algorithms that can be used as
|
||||
.Ar aalgo
|
||||
in
|
||||
.Fl A Ar aalgo
|
||||
@@ -477,7 +488,7 @@ keyed-sha1 160 ah: 96bit ICV (no document)
|
||||
null 0 to 2048 for debugging
|
||||
.Ed
|
||||
.Pp
|
||||
Following are the list of encryption algorithms that can be used as
|
||||
Followings are the list of encryption algorithms that can be used as
|
||||
.Ar ealgo
|
||||
in
|
||||
.Fl E Ar ealgo
|
||||
@@ -497,7 +508,7 @@ des-deriv 64 ipsec-ciph-des-derived-01 (expired)
|
||||
3des-deriv 192 no document
|
||||
.Ed
|
||||
.Pp
|
||||
Following are the list of compression algorithms that can be used as
|
||||
Followings are the list of compression algorithms that can be used as
|
||||
.Ar calgo
|
||||
in
|
||||
.Fl C Ar calgo
|
||||
@@ -510,7 +521,7 @@ algorithm comment
|
||||
deflate rfc2394
|
||||
lzs rfc2395
|
||||
.Ed
|
||||
.\"
|
||||
.\"
|
||||
.Sh EXAMPLES
|
||||
.Bd -literal -offset
|
||||
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
|
||||
@@ -533,20 +544,18 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
|
||||
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
|
||||
|
||||
.Ed
|
||||
.\"
|
||||
.\"
|
||||
.Sh RETURN VALUES
|
||||
The command exits with 0 on success, and non-zero on errors.
|
||||
.\"
|
||||
.\"
|
||||
.Sh SEE ALSO
|
||||
.Xr ipsec_set_policy 3 ,
|
||||
.Xr sysctl 8
|
||||
.\"
|
||||
.\"
|
||||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
|
||||
The command was completely re-designed in June 1998.
|
||||
.Pp
|
||||
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
|
||||
was initially integrated into
|
||||
.Fx 4.0
|
||||
.\"
|
||||
.\" .Sh BUGS
|
||||
|
||||
+52
-40
@@ -1,7 +1,10 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: setkey.c,v 1.14 2000/06/10 06:47:09 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -13,7 +16,7 @@
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,10 +28,7 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
/* KAME $Id: setkey.c,v 1.5 1999/10/26 09:39:37 sakane Exp $ */
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
@@ -51,40 +51,42 @@
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
|
||||
void Usage __P((void));
|
||||
int main __P((int, char **));
|
||||
int get_supported __P((void));
|
||||
void sendkeyshort __P((u_int));
|
||||
void promisc __P((void));
|
||||
int sendkeymsg __P((void));
|
||||
int postproc __P((struct sadb_msg *, int));
|
||||
const char *numstr __P((int));
|
||||
void shortdump_hdr __P((void));
|
||||
void shortdump __P((struct sadb_msg *));
|
||||
#include "libpfkey.h"
|
||||
|
||||
void Usage __P((void));
|
||||
int main __P((int, char **));
|
||||
int get_supported __P((void));
|
||||
void sendkeyshort __P((u_int));
|
||||
void promisc __P((void));
|
||||
int sendkeymsg __P((void));
|
||||
int postproc __P((struct sadb_msg *, int));
|
||||
const char *numstr __P((int));
|
||||
void shortdump_hdr __P((void));
|
||||
void shortdump __P((struct sadb_msg *));
|
||||
|
||||
#define MODE_SCRIPT 1
|
||||
#define MODE_CMDDUMP 2
|
||||
#define MODE_CMDFLUSH 3
|
||||
#define MODE_PROMISC 4
|
||||
|
||||
int so;
|
||||
|
||||
int f_forever = 0;
|
||||
int f_all = 0;
|
||||
int f_debug = 0;
|
||||
int f_verbose = 0;
|
||||
int f_mode = 0;
|
||||
int f_cmddump = 0;
|
||||
int f_policy = 0;
|
||||
int f_promisc = 0;
|
||||
int f_hexdump = 0;
|
||||
char *pname;
|
||||
int f_forever = 0;
|
||||
int f_all = 0;
|
||||
int f_debug = 0;
|
||||
int f_verbose = 0;
|
||||
int f_mode = 0;
|
||||
int f_cmddump = 0;
|
||||
int f_policy = 0;
|
||||
int f_hexdump = 0;
|
||||
char *pname;
|
||||
|
||||
u_char m_buf[BUFSIZ];
|
||||
u_int m_len;
|
||||
u_char m_buf[BUFSIZ];
|
||||
u_int m_len;
|
||||
|
||||
extern int lineno;
|
||||
extern int lineno;
|
||||
|
||||
extern int parse __P((FILE **));
|
||||
extern int parse __P((FILE **));
|
||||
|
||||
void
|
||||
Usage()
|
||||
@@ -95,7 +97,7 @@ Usage()
|
||||
printf("\t%s [-Pdv] -F\n", pname);
|
||||
printf("\t%s [-h] -x\n", pname);
|
||||
pfkey_close(so);
|
||||
exit(0);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
@@ -139,9 +141,8 @@ main(ac, av)
|
||||
f_hexdump = 1;
|
||||
break;
|
||||
case 'x':
|
||||
f_promisc = 1;
|
||||
promisc();
|
||||
/*NOTREACHED*/
|
||||
f_mode = MODE_PROMISC;
|
||||
break;
|
||||
case 'P':
|
||||
f_policy = 1;
|
||||
break;
|
||||
@@ -170,10 +171,15 @@ main(ac, av)
|
||||
errx(-1, "%s", ipsec_strerror());
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
parse(&fp);
|
||||
if (parse(&fp))
|
||||
exit (1);
|
||||
break;
|
||||
case MODE_PROMISC:
|
||||
promisc();
|
||||
/*NOTREACHED*/
|
||||
default:
|
||||
Usage();
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
|
||||
exit(0);
|
||||
@@ -216,7 +222,6 @@ sendkeyshort(type)
|
||||
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
|
||||
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
|
||||
m_msg->sadb_msg_reserved = 0;
|
||||
m_msg->sadb_msg_reserved = 0;
|
||||
m_msg->sadb_msg_seq = 0;
|
||||
m_msg->sadb_msg_pid = getpid();
|
||||
|
||||
@@ -240,7 +245,6 @@ promisc()
|
||||
m_msg->sadb_msg_satype = 1;
|
||||
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
|
||||
m_msg->sadb_msg_reserved = 0;
|
||||
m_msg->sadb_msg_reserved = 0;
|
||||
m_msg->sadb_msg_seq = 0;
|
||||
m_msg->sadb_msg_pid = getpid();
|
||||
|
||||
@@ -325,8 +329,10 @@ sendkeymsg()
|
||||
if (f_forever)
|
||||
shortdump_hdr();
|
||||
again:
|
||||
if (f_verbose)
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)m_buf);
|
||||
printf("\n");
|
||||
}
|
||||
|
||||
if ((len = send(so, m_buf, m_len, 0)) < 0) {
|
||||
perror("send");
|
||||
@@ -345,8 +351,10 @@ sendkeymsg()
|
||||
break;
|
||||
}
|
||||
|
||||
if (f_verbose)
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)rbuf);
|
||||
printf("\n");
|
||||
}
|
||||
if (postproc(msg, len) < 0)
|
||||
break;
|
||||
} while (msg->sadb_msg_errno || msg->sadb_msg_seq);
|
||||
@@ -423,8 +431,10 @@ postproc(msg, len)
|
||||
pfkey_sadump(msg);
|
||||
msg = (struct sadb_msg *)((caddr_t)msg +
|
||||
PFKEY_UNUNIT64(msg->sadb_msg_len));
|
||||
if (f_verbose)
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)msg);
|
||||
printf("\n");
|
||||
}
|
||||
break;
|
||||
|
||||
case SADB_X_SPDDUMP:
|
||||
@@ -432,8 +442,10 @@ postproc(msg, len)
|
||||
if (msg->sadb_msg_seq == 0) break;
|
||||
msg = (struct sadb_msg *)((caddr_t)msg +
|
||||
PFKEY_UNUNIT64(msg->sadb_msg_len));
|
||||
if (f_verbose)
|
||||
if (f_verbose) {
|
||||
kdebug_sadb((struct sadb_msg *)msg);
|
||||
printf("\n");
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
@@ -1,7 +1,10 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: test-pfkey.c,v 1.4 2000/06/07 00:29:14 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -13,7 +16,7 @@
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,10 +28,7 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
/* KAME $Id: test-pfkey.c,v 1.2 1999/10/26 08:09:17 itojun Exp $ */
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
@@ -47,23 +47,24 @@
|
||||
#include <ctype.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
|
||||
u_char m_buf[BUFSIZ];
|
||||
u_int m_len;
|
||||
char *pname;
|
||||
u_char m_buf[BUFSIZ];
|
||||
u_int m_len;
|
||||
char *pname;
|
||||
|
||||
void Usage __P((void));
|
||||
int sendkeymsg __P((void));
|
||||
void key_setsadbmsg __P((u_int));
|
||||
void key_setsadbsens __P((void));
|
||||
void key_setsadbprop __P((void));
|
||||
void key_setsadbid __P((u_int, caddr_t));
|
||||
void key_setsadblft __P((u_int, u_int));
|
||||
void key_setspirange __P((void));
|
||||
void key_setsadbkey __P((u_int, caddr_t));
|
||||
void key_setsadbsa __P((void));
|
||||
void key_setsadbaddr __P((u_int, u_int, caddr_t));
|
||||
void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
|
||||
void Usage __P((void));
|
||||
int sendkeymsg __P((void));
|
||||
void key_setsadbmsg __P((u_int));
|
||||
void key_setsadbsens __P((void));
|
||||
void key_setsadbprop __P((void));
|
||||
void key_setsadbid __P((u_int, caddr_t));
|
||||
void key_setsadblft __P((u_int, u_int));
|
||||
void key_setspirange __P((void));
|
||||
void key_setsadbkey __P((u_int, caddr_t));
|
||||
void key_setsadbsa __P((void));
|
||||
void key_setsadbaddr __P((u_int, u_int, caddr_t));
|
||||
void key_setsadbextbuf __P((caddr_t, int, caddr_t, int, caddr_t, int));
|
||||
|
||||
void
|
||||
Usage()
|
||||
@@ -98,6 +99,18 @@ sendkeymsg()
|
||||
perror("socket(PF_KEY)");
|
||||
goto end;
|
||||
}
|
||||
#if 0
|
||||
{
|
||||
#include <sys/time.h>
|
||||
struct timeval tv;
|
||||
tv.tv_sec = 1;
|
||||
tv.tv_usec = 0;
|
||||
if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
|
||||
perror("setsockopt");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
pfkey_sadump((struct sadb_msg *)m_buf);
|
||||
|
||||
@@ -124,11 +137,14 @@ key_setsadbmsg(type)
|
||||
{
|
||||
struct sadb_msg m_msg;
|
||||
|
||||
memset(&m_msg, 0, sizeof(m_msg));
|
||||
m_msg.sadb_msg_version = PF_KEY_V2;
|
||||
m_msg.sadb_msg_type = type;
|
||||
m_msg.sadb_msg_errno = 0;
|
||||
m_msg.sadb_msg_satype = SADB_SATYPE_ESP;
|
||||
#if 0
|
||||
m_msg.sadb_msg_reserved = 0;
|
||||
#endif
|
||||
m_msg.sadb_msg_seq = 0;
|
||||
m_msg.sadb_msg_pid = getpid();
|
||||
|
||||
@@ -223,6 +239,24 @@ key_setsadbmsg(type)
|
||||
break;
|
||||
|
||||
case SADB_X_SPDADD:
|
||||
#if 0
|
||||
{
|
||||
struct sadb_x_policy m_policy;
|
||||
|
||||
m_policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(m_policy));
|
||||
m_policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
|
||||
m_policy.sadb_x_policy_type = SADB_X_PL_IPSEC;
|
||||
m_policy.sadb_x_policy_esp_trans = 1;
|
||||
m_policy.sadb_x_policy_ah_trans = 2;
|
||||
m_policy.sadb_x_policy_esp_network = 3;
|
||||
m_policy.sadb_x_policy_ah_network = 4;
|
||||
m_policy.sadb_x_policy_reserved = 0;
|
||||
|
||||
memcpy(m_buf + m_len, &m_policy, sizeof(struct sadb_x_policy));
|
||||
m_len += sizeof(struct sadb_x_policy);
|
||||
}
|
||||
#endif
|
||||
|
||||
case SADB_X_SPDDELETE:
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_SRC, AF_INET, "192.168.1.1");
|
||||
key_setsadbaddr(SADB_EXT_ADDRESS_DST, AF_INET, "10.0.3.4");
|
||||
@@ -437,32 +471,49 @@ key_setsadbaddr(ext, af, str)
|
||||
caddr_t str;
|
||||
{
|
||||
struct sadb_address m_addr;
|
||||
u_char abuf[64];
|
||||
struct sockaddr *a = (struct sockaddr *)abuf;
|
||||
u_int len;
|
||||
struct addrinfo hints, *res;
|
||||
const char *serv;
|
||||
int plen;
|
||||
|
||||
switch (af) {
|
||||
case AF_INET:
|
||||
plen = sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
case AF_INET6:
|
||||
plen = sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
default:
|
||||
/* XXX bark */
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* make sockaddr buffer */
|
||||
memset(abuf, 0, sizeof(abuf));
|
||||
a->sa_len = _SALENBYAF(af);
|
||||
a->sa_family = af;
|
||||
_INPORTBYSA(a) =
|
||||
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : htons(0x1234));
|
||||
if (inet_pton(af, str, _INADDRBYSA(a)) != 1)
|
||||
; /* XXX do something */
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = af;
|
||||
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
|
||||
hints.ai_flags = AI_NUMERICHOST;
|
||||
serv = (ext == SADB_EXT_ADDRESS_PROXY ? "0" : "4660"); /*0x1234*/
|
||||
if (getaddrinfo(str, serv, &hints, &res) != 0 || res->ai_next) {
|
||||
/* XXX bark */
|
||||
exit(1);
|
||||
}
|
||||
|
||||
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(a->sa_len);
|
||||
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(res->ai_addrlen);
|
||||
m_addr.sadb_address_len = PFKEY_UNIT64(len);
|
||||
m_addr.sadb_address_exttype = ext;
|
||||
m_addr.sadb_address_proto =
|
||||
(ext == SADB_EXT_ADDRESS_PROXY ? 0 : IPPROTO_TCP);
|
||||
m_addr.sadb_address_prefixlen = _INALENBYAF(af);
|
||||
m_addr.sadb_address_prefixlen = plen;
|
||||
m_addr.sadb_address_reserved = 0;
|
||||
|
||||
key_setsadbextbuf(m_buf, m_len,
|
||||
(caddr_t)&m_addr, sizeof(struct sadb_address),
|
||||
abuf, a->sa_len);
|
||||
(caddr_t)res->ai_addr, res->ai_addrlen);
|
||||
m_len += len;
|
||||
|
||||
freeaddrinfo(res);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
+37
-44
@@ -1,7 +1,10 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: token.l,v 1.13 2000/06/07 00:29:14 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -13,7 +16,7 @@
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,8 +28,6 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
%{
|
||||
@@ -63,18 +64,19 @@
|
||||
|
||||
#define PREPROC DECHO CMDARG
|
||||
|
||||
int lineno = 1;
|
||||
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
|
||||
int lineno = 1;
|
||||
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
|
||||
|
||||
extern u_char m_buf[BUFSIZ];
|
||||
extern u_int m_len;
|
||||
extern int f_debug;
|
||||
extern u_char m_buf[BUFSIZ];
|
||||
extern u_int m_len;
|
||||
extern int f_debug;
|
||||
|
||||
int yylex __P((void));
|
||||
void yyerror __P((char *s));
|
||||
extern void parse_init __P((void));
|
||||
int parse __P((FILE **));
|
||||
int yyparse __P((void));
|
||||
int yylex __P((void));
|
||||
void yyfatal __P((const char *s));
|
||||
void yyerror __P((const char *s));
|
||||
extern void parse_init __P((void));
|
||||
int parse __P((FILE **));
|
||||
int yyparse __P((void));
|
||||
|
||||
%}
|
||||
|
||||
@@ -106,9 +108,7 @@ decstring {digit}+
|
||||
hexpair {hexdigit}{hexdigit}
|
||||
hexstring 0[xX]{hexdigit}+
|
||||
octetstring {octet}({dot}{octet})+
|
||||
ipaddress {ipv4addr}|{ipv6addr}
|
||||
ipv4addr {digit}{1,3}({dot}{digit}{1,3}){0,3}
|
||||
ipv6addr {hexdigit}{0,4}({colon}{hexdigit}{0,4}){2,7}(%{letter}{letter}+)?
|
||||
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
|
||||
ipaddrmask {slash}{digit}{1,3}
|
||||
ipaddrport {blcl}{decstring}{elcl}
|
||||
keyword {letter}{letter}+
|
||||
@@ -186,11 +186,12 @@ lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
|
||||
{hyphen}m { PREPROC; return(F_MODE); }
|
||||
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
|
||||
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
|
||||
{hyphen}u { PREPROC; return(F_REQID); }
|
||||
{hyphen}f { PREPROC; return(F_EXT); }
|
||||
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
|
||||
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
|
||||
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
|
||||
cyclic-seq { PREPROC; yylval.num = SADB_X_EXT_CYCSEQ; return(EXTENSION); }
|
||||
nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
|
||||
{hyphen}r { PREPROC; return(F_REPLAY); }
|
||||
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
|
||||
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
|
||||
@@ -214,35 +215,17 @@ any { PREPROC; return(ANY); }
|
||||
char *bp;
|
||||
|
||||
PREPROC;
|
||||
yylval.num = strtol(yytext, &bp, 10);
|
||||
yylval.num = strtoul(yytext, &bp, 10);
|
||||
return(DECSTRING);
|
||||
}
|
||||
|
||||
{ipv4addr} {
|
||||
/*
|
||||
* I can't supprt the type without dot,
|
||||
* because it's umbiguous against {decstring}.
|
||||
* e.g. 127
|
||||
*/
|
||||
{ipaddress} {
|
||||
PREPROC;
|
||||
|
||||
yylval.val.len = sizeof(struct sockaddr_in);
|
||||
yylval.val.len = yyleng;
|
||||
yylval.val.buf = strdup(yytext);
|
||||
|
||||
return(IP4_ADDRESS);
|
||||
}
|
||||
|
||||
{ipv6addr} {
|
||||
#ifdef INET6
|
||||
PREPROC;
|
||||
|
||||
yylval.val.len = sizeof(struct sockaddr_in6);
|
||||
yylval.val.buf = strdup(yytext);
|
||||
|
||||
return(IP6_ADDRESS);
|
||||
#else
|
||||
yyerror("IPv6 address not supported");
|
||||
#endif
|
||||
return(ADDRESS);
|
||||
}
|
||||
|
||||
{ipaddrmask} {
|
||||
@@ -263,7 +246,6 @@ any { PREPROC; return(ANY); }
|
||||
}
|
||||
|
||||
{blcl}any{elcl} {
|
||||
char *p = yytext;
|
||||
PREPROC;
|
||||
return(PORTANY);
|
||||
}
|
||||
@@ -294,12 +276,24 @@ any { PREPROC; return(ANY); }
|
||||
return(QUOTEDSTRING);
|
||||
}
|
||||
|
||||
. { yyerror("Syntax error"); }
|
||||
. {
|
||||
yyfatal("Syntax error");
|
||||
/*NOTREACHED*/
|
||||
}
|
||||
|
||||
%%
|
||||
|
||||
void
|
||||
yyerror(char *s)
|
||||
yyfatal(s)
|
||||
const char *s;
|
||||
{
|
||||
yyerror(s);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
void
|
||||
yyerror(s)
|
||||
const char *s;
|
||||
{
|
||||
printf("line %d: %s at [%s]\n", lineno, s, yytext);
|
||||
}
|
||||
@@ -319,4 +313,3 @@ parse(fp)
|
||||
|
||||
return(0);
|
||||
}
|
||||
|
||||
|
||||
@@ -1,7 +1,10 @@
|
||||
/* $FreeBSD$ */
|
||||
/* $KAME: vchar.h,v 1.2 2000/06/07 00:29:14 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -13,7 +16,7 @@
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@@ -25,11 +28,9 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
typedef struct {
|
||||
u_int len;
|
||||
caddr_t buf;
|
||||
u_int len;
|
||||
caddr_t buf;
|
||||
} vchar_t;
|
||||
|
||||
Reference in New Issue
Block a user