- do hexdump on send. set length field properly
- check for the encryption/authentication key together with the algorithm. - warn if a deprecated encryption algorithm (including "simple") is specified. - changed the syntax for defining a policy on an ICMPv6 type and/or code, e.g. spdadd ::/0 ::/0 icmp6 134,0 -P out none; - random cleanup in parser. - use yyfatal, or return -1 after yyerror. - deal with strdup() failure. - permit scope notation in policy string (-P esp/tunnel/foo%scope-bar%scope/use) - simplify /prefix and [port]. - g/c some unused symbols. Obtained from: KAME
@@ -39,7 +39,7 @@ LDADD= -ll -ly
|
|||||||
|
|
||||||
CLEANFILES= y.tab.c y.tab.h key_test.o keytest
|
CLEANFILES= y.tab.c y.tab.h key_test.o keytest
|
||||||
|
|
||||||
# libpfkey.
|
# libpfkey
|
||||||
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
|
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
|
||||||
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
|
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
|
||||||
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
|
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
|
||||||
|
|||||||
+864
-550
+18
-18
@@ -45,9 +45,9 @@
|
|||||||
#
|
#
|
||||||
# At Host-A and Host-B,
|
# At Host-A and Host-B,
|
||||||
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
|
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
|
||||||
esp/transport/fec0::10-fec0::11/use ;
|
esp/transport//use ;
|
||||||
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
|
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
|
||||||
esp/transport/fec0::11-fec0::10/use ;
|
esp/transport//use ;
|
||||||
add fec0::10 fec0::11 esp 0x10001
|
add fec0::10 fec0::11 esp 0x10001
|
||||||
-m transport
|
-m transport
|
||||||
-E blowfish-cbc "kamekame"
|
-E blowfish-cbc "kamekame"
|
||||||
@@ -112,10 +112,10 @@ add 172.16.0.2 172.16.0.1 ah-old 0x10004
|
|||||||
# At Gateway-A:
|
# At Gateway-A:
|
||||||
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
|
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
|
||||||
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
|
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
|
||||||
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
|
ah/transport//require ;
|
||||||
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
|
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
|
||||||
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
|
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
|
||||||
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
|
ah/transport//require ;
|
||||||
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
|
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
|
||||||
-m tunnel
|
-m tunnel
|
||||||
-E 3des-cbc "kamekame12341234kame1234"
|
-E 3des-cbc "kamekame12341234kame1234"
|
||||||
@@ -146,10 +146,10 @@ add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
|
|||||||
#
|
#
|
||||||
# At Host-A:
|
# At Host-A:
|
||||||
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
|
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
|
||||||
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
|
esp/transport//use
|
||||||
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
|
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
|
||||||
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
|
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
|
||||||
esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
|
esp/transport//use
|
||||||
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
|
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
|
||||||
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
|
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
|
||||||
-m transport
|
-m transport
|
||||||
@@ -166,10 +166,10 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
|
|||||||
-E rc5-cbc "kamekame"
|
-E rc5-cbc "kamekame"
|
||||||
-A hmac-md5 "this is the test" ;
|
-A hmac-md5 "this is the test" ;
|
||||||
|
|
||||||
# By "get" command, you can get an entry of either SP or SA.
|
# By "get" command, you can get a entry of either SP or SA.
|
||||||
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
||||||
|
|
||||||
# Also delete command, you can delete an entry of either SP or SA.
|
# Also delete command, you can delete a entry of either SP or SA.
|
||||||
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
|
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
|
||||||
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
||||||
|
|
||||||
@@ -188,24 +188,24 @@ dump esp ;
|
|||||||
flush ah ;
|
flush ah ;
|
||||||
|
|
||||||
# XXX
|
# XXX
|
||||||
add ::1 ::1 esp 10001 -m transport -E simple ;
|
add ::1 ::1 esp 10001 -m transport -E null ;
|
||||||
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
|
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
|
||||||
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
|
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
|
||||||
add ::1 ::1 esp 10004 -m transport -E simple -A null ;
|
add ::1 ::1 esp 10004 -m transport -E null -A null ;
|
||||||
add ::1 ::1 esp 10005 -m transport -E simple -A hmac-md5 "1234123412341234" ;
|
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
|
||||||
add ::1 ::1 esp 10006 -m tunnel -E simple -A hmac-sha1 "12341234123412341234" ;
|
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
|
||||||
add ::1 ::1 esp 10007 -m transport -E simple -A keyed-md5 "1234123412341234" ;
|
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
|
||||||
add ::1 ::1 esp 10008 -m any -E simple -A keyed-sha1 "12341234123412341234" ;
|
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
|
||||||
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
|
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
|
||||||
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
|
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
|
||||||
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
|
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
|
||||||
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
|
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
|
||||||
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
|
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
|
||||||
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
|
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
|
||||||
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
|
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
|
||||||
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
|
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
|
||||||
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ;
|
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
|
||||||
add ::1 ::1 esp 10018 -m transport -E simple ;
|
add ::1 ::1 esp 10018 -m transport -E null ;
|
||||||
#add ::1 ::1 ah 20000 -m transport -A null ;
|
#add ::1 ::1 ah 20000 -m transport -A null ;
|
||||||
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
|
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
|
||||||
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
|
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
|
||||||
|
|||||||
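Review bot: The renamed `-E null` entries under `# XXX` for SPIs 10001, 10015, 10016, 10017 and 10018 define ESP SAs with no `-A`, so those SAs give neither confidentiality nor integrity, and nothing in the file says they are only parser/kernel test inputs. I would extend the heading to `# XXX test vectors only: ESP with -E null and no -A protects nothing; do not copy into a real configuration.` so the sample is not mistaken for a working setup. The unchanged lines in this file keep short string keys such as "kamekame" and "testtest" with des-cbc, keyed-md5 and hmac-md5; since the commit message says the parser now warns on deprecated encryption algorithms, a one-line note that these keys and algorithms are illustrative and may trigger that warning would help, though which algorithms are actually flagged is not visible on this page.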
+193
-147
@@ -1,4 +1,4 @@
|
|||||||
.\" $KAME: setkey.8,v 1.49 2001/05/18 05:49:51 sakane Exp $
|
.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||||
@@ -34,20 +34,20 @@
|
|||||||
.\"
|
.\"
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
.Nm setkey
|
.Nm setkey
|
||||||
.Nd "manually manipulate the IPsec SA/SP database"
|
.Nd manually manipulate the IPsec SA/SP database
|
||||||
.\"
|
.\"
|
||||||
.Sh SYNOPSIS
|
.Sh SYNOPSIS
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl dv
|
.Op Fl v
|
||||||
.Fl c
|
.Fl c
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl dv
|
.Op Fl v
|
||||||
.Fl f Ar filename
|
.Fl f Ar filename
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl adPlv
|
.Op Fl aPlv
|
||||||
.Fl D
|
.Fl D
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl dPv
|
.Op Fl Pv
|
||||||
.Fl F
|
.Fl F
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl h
|
.Op Fl h
|
||||||
@@ -56,19 +56,23 @@
|
|||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
utility adds, updates, dumps, or flushes
|
command adds, updates, dumps, or flushes
|
||||||
Security Association Database (SAD) entries
|
Security Association Database (SAD) entries
|
||||||
as well as Security Policy Database (SPD) entries in the kernel.
|
as well as Security Policy Database (SPD) entries in the kernel.
|
||||||
.Pp
|
.Pp
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
utility takes a series of operations from the standard input
|
command takes a series of operations from the standard input
|
||||||
(if invoked with
|
.Po
|
||||||
.Fl c )
|
if invoked with
|
||||||
|
.Fl c
|
||||||
|
.Pc
|
||||||
or the file named
|
or the file named
|
||||||
.Ar filename
|
.Ar filename
|
||||||
(if invoked with
|
.Po
|
||||||
.Fl f Ar filename ) .
|
if invoked with
|
||||||
|
.Fl f Ar filename
|
||||||
|
.Pc .
|
||||||
.Bl -tag -width Ds
|
.Bl -tag -width Ds
|
||||||
.It Fl D
|
.It Fl D
|
||||||
Dump the SAD entries.
|
Dump the SAD entries.
|
||||||
@@ -81,24 +85,15 @@ If with
|
|||||||
.Fl P ,
|
.Fl P ,
|
||||||
the SPD entries are flushed.
|
the SPD entries are flushed.
|
||||||
.It Fl a
|
.It Fl a
|
||||||
Dead SAD entries are usually not displayed with
|
.Nm
|
||||||
|
usually does not display dead SAD entries with
|
||||||
.Fl D .
|
.Fl D .
|
||||||
If with
|
If with
|
||||||
.Fl a ,
|
.Fl a ,
|
||||||
the dead SAD entries will be displayed as well.
|
the dead SAD entries will be displayed as well.
|
||||||
A dead SAD entry means that
|
A dead SAD entry means that
|
||||||
it has been expired but remains
|
it has been expired but remains in the system
|
||||||
because it is referenced by SPD entries.
|
because it is referenced by some SPD entries.
|
||||||
.It Fl d
|
|
||||||
Enable to print debugging messages for command parser,
|
|
||||||
without talking to kernel.
|
|
||||||
It is not used usually.
|
|
||||||
.It Fl x
|
|
||||||
Loop forever and dump all the messages transmitted to
|
|
||||||
.Dv PF_KEY
|
|
||||||
socket.
|
|
||||||
.Fl xx
|
|
||||||
makes each timestamps unformatted.
|
|
||||||
.It Fl h
|
.It Fl h
|
||||||
Add hexadecimal dump on
|
Add hexadecimal dump on
|
||||||
.Fl x
|
.Fl x
|
||||||
@@ -111,23 +106,39 @@ Be verbose.
|
|||||||
The program will dump messages exchanged on
|
The program will dump messages exchanged on
|
||||||
.Dv PF_KEY
|
.Dv PF_KEY
|
||||||
socket, including messages sent from other processes to the kernel.
|
socket, including messages sent from other processes to the kernel.
|
||||||
|
.It Fl x
|
||||||
|
Loop forever and dump all the messages transmitted to
|
||||||
|
.Dv PF_KEY
|
||||||
|
socket.
|
||||||
|
.Fl xx
|
||||||
|
makes each timestamps unformatted.
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Ss Configuration syntax
|
||||||
Operations have the following grammar.
|
With
|
||||||
Note that lines starting with
|
.Fl c
|
||||||
hashmarks ('#') are treated as comment lines.
|
or
|
||||||
|
.Fl f
|
||||||
|
on the command line,
|
||||||
|
.Nm
|
||||||
|
accepts the following configuration syntax.
|
||||||
|
Lines starting with hash signs ('#') are treated as comment lines.
|
||||||
.Bl -tag -width Ds
|
.Bl -tag -width Ds
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li add
|
.Li add
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src Ar dst Ar protocol Ar spi
|
.Ar src Ar dst Ar protocol Ar spi
|
||||||
.Op Ar extensions
|
.Op Ar extensions
|
||||||
.Ar algorithm...
|
.Ar algorithm ...
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
Add an SAD entry.
|
Add an SAD entry.
|
||||||
|
.Li add
|
||||||
|
can fail with multiple reasons,
|
||||||
|
including when the key length does not match the specified algorithm.
|
||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li get
|
.Li get
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src Ar dst Ar protocol Ar spi
|
.Ar src Ar dst Ar protocol Ar spi
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
@@ -135,6 +146,7 @@ Show an SAD entry.
|
|||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li delete
|
.Li delete
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src Ar dst Ar protocol Ar spi
|
.Ar src Ar dst Ar protocol Ar spi
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
@@ -142,6 +154,7 @@ Remove an SAD entry.
|
|||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li deleteall
|
.Li deleteall
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src Ar dst Ar protocol
|
.Ar src Ar dst Ar protocol
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
@@ -153,6 +166,8 @@ Remove all SAD entries that match the specification.
|
|||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
Clear all SAD entries matched by the options.
|
Clear all SAD entries matched by the options.
|
||||||
|
.Fl F
|
||||||
|
on the command line achieves the same functionality.
|
||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li dump
|
.Li dump
|
||||||
@@ -160,9 +175,12 @@ Clear all SAD entries matched by the options.
|
|||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
Dumps all SAD entries matched by the options.
|
Dumps all SAD entries matched by the options.
|
||||||
|
.Fl D
|
||||||
|
on the command line achieves the same functionality.
|
||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li spdadd
|
.Li spdadd
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src_range Ar dst_range Ar upperspec Ar policy
|
.Ar src_range Ar dst_range Ar upperspec Ar policy
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
@@ -170,6 +188,7 @@ Add an SPD entry.
|
|||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li spddelete
|
.Li spddelete
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
|
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
@@ -180,12 +199,16 @@ Delete an SPD entry.
|
|||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
Clear all SPD entries.
|
Clear all SPD entries.
|
||||||
|
.Fl FP
|
||||||
|
on the command line achieves the same functionality.
|
||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li spddump
|
.Li spddump
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
Dumps all SPD entries.
|
Dumps all SPD entries.
|
||||||
|
.Fl DP
|
||||||
|
on the command line achieves the same functionality.
|
||||||
.El
|
.El
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
@@ -196,13 +219,23 @@ Meta-arguments are as follows:
|
|||||||
.It Ar dst
|
.It Ar dst
|
||||||
Source/destination of the secure communication is specified as
|
Source/destination of the secure communication is specified as
|
||||||
IPv4/v6 address.
|
IPv4/v6 address.
|
||||||
The
|
|
||||||
.Nm
|
.Nm
|
||||||
utility does not consult hostname-to-address for arguments
|
can resolve a FQDN into numeric addresses.
|
||||||
.Ar src
|
If the FQDN resolves into multiple addresses,
|
||||||
|
.Nm
|
||||||
|
will install multiple SAD/SPD entries into the kernel
|
||||||
|
by trying all possible combinations.
|
||||||
|
.Fl 4 ,
|
||||||
|
.Fl 6
|
||||||
and
|
and
|
||||||
.Ar dst .
|
.Fl n
|
||||||
They must be in numeric form.
|
restricts the address resolution of FQDN in certain ways.
|
||||||
|
.Fl 4
|
||||||
|
and
|
||||||
|
.Fl 6
|
||||||
|
restrict results into IPv4/v6 addresses only, respectively.
|
||||||
|
.Fl n
|
||||||
|
avoids FQDN resolution and requires addresses to be numeric addresses.
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
.It Ar protocol
|
.It Ar protocol
|
||||||
@@ -210,7 +243,7 @@ They must be in numeric form.
|
|||||||
is one of following:
|
is one of following:
|
||||||
.Bl -tag -width Fl -compact
|
.Bl -tag -width Fl -compact
|
||||||
.It Li esp
|
.It Li esp
|
||||||
ESP based on rfc2405
|
ESP based on rfc2406
|
||||||
.It Li esp-old
|
.It Li esp-old
|
||||||
ESP based on rfc1827
|
ESP based on rfc1827
|
||||||
.It Li ah
|
.It Li ah
|
||||||
@@ -218,21 +251,24 @@ AH based on rfc2402
|
|||||||
.It Li ah-old
|
.It Li ah-old
|
||||||
AH based on rfc1826
|
AH based on rfc1826
|
||||||
.It Li ipcomp
|
.It Li ipcomp
|
||||||
IPCOMP
|
IPComp
|
||||||
.El
|
.El
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
.It Ar spi
|
.It Ar spi
|
||||||
Security Parameter Index (SPI) for the SAD and the SPD.
|
Security Parameter Index
|
||||||
It must be decimal number or hexadecimal number
|
.Pq SPI
|
||||||
You cannot use the set of SPI values in the range 0 through 255.
|
for the SAD and the SPD.
|
||||||
(with
|
.Ar spi
|
||||||
.Li 0x
|
must be a decimal number, or a hexadecimal number with
|
||||||
attached).
|
.Dq Li 0x
|
||||||
|
prefix.
|
||||||
|
SPI values between 0 and 255 are reserved for future use by IANA
|
||||||
|
and they cannot be used.
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
.It Ar extensions
|
.It Ar extensions
|
||||||
takes some of the following:
|
take some of the following:
|
||||||
.Bl -tag -width Fl -compact
|
.Bl -tag -width Fl -compact
|
||||||
.\"
|
.\"
|
||||||
.It Fl m Ar mode
|
.It Fl m Ar mode
|
||||||
@@ -283,62 +319,41 @@ Specify hard/soft life time duration of the SA.
|
|||||||
.It Ar algorithm
|
.It Ar algorithm
|
||||||
.Bl -tag -width Fl -compact
|
.Bl -tag -width Fl -compact
|
||||||
.It Fl E Ar ealgo Ar key
|
.It Fl E Ar ealgo Ar key
|
||||||
Specify an encryption algorithm.
|
Specify an encryption algorithm
|
||||||
|
.Ar ealgo
|
||||||
|
for ESP.
|
||||||
|
.It Xo
|
||||||
|
.Fl E Ar ealgo Ar key
|
||||||
|
.Fl A Ar aalgo Ar key
|
||||||
|
.Xc
|
||||||
|
Specify a encryption algorithm
|
||||||
|
.Ar ealgo ,
|
||||||
|
as well as a payload authentication algorithm
|
||||||
|
.Ar aalgo ,
|
||||||
|
for ESP.
|
||||||
.It Fl A Ar aalgo Ar key
|
.It Fl A Ar aalgo Ar key
|
||||||
Specify an authentication algorithm.
|
Specify an authentication algorithm for AH.
|
||||||
If
|
|
||||||
.Fl A
|
|
||||||
is used with
|
|
||||||
.Ar protocol Li esp ,
|
|
||||||
it will be treated as ESP payload authentication algorithm.
|
|
||||||
.It Fl C Ar calgo Op Fl R
|
.It Fl C Ar calgo Op Fl R
|
||||||
Specify compression algorithm.
|
Specify a compression algorithm for IPComp.
|
||||||
If
|
If
|
||||||
.Fl R
|
.Fl R
|
||||||
is not specified with
|
is specified,
|
||||||
.Li ipcomp
|
|
||||||
line, the kernel will use well-known IPComp CPI
|
|
||||||
(compression parameter index)
|
|
||||||
on IPComp CPI field on packets, and
|
|
||||||
.Ar spi
|
.Ar spi
|
||||||
field will be ignored.
|
field value will be used as the IPComp CPI
|
||||||
.Ar spi
|
.Pq compression parameter index
|
||||||
field is only for kernel internal use in this case.
|
on wire as is.
|
||||||
.\"Therefore, compression protocol number will appear on IPComp CPI field.
|
|
||||||
If
|
If
|
||||||
.Fl R
|
.Fl R
|
||||||
is used,
|
is not specified,
|
||||||
the value on
|
the kernel will use well-known CPI on wire, and
|
||||||
.Ar spi
|
.Ar spi
|
||||||
field will appear on IPComp CPI field on outgoing packets.
|
field will be used only as an index for kernel internal usage.
|
||||||
.Ar spi
|
|
||||||
field needs to be smaller than
|
|
||||||
.Li 0x10000
|
|
||||||
in this case.
|
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
.Ar protocol Li esp
|
|
||||||
accepts
|
|
||||||
.Fl E
|
|
||||||
and
|
|
||||||
.Fl A .
|
|
||||||
.Ar protocol Li esp-old
|
|
||||||
accepts
|
|
||||||
.Fl E
|
|
||||||
only.
|
|
||||||
.Ar protocol Li ah
|
|
||||||
and
|
|
||||||
.Li ah-old
|
|
||||||
accept
|
|
||||||
.Fl A
|
|
||||||
only.
|
|
||||||
.Ar protocol Li ipcomp
|
|
||||||
accepts
|
|
||||||
.Fl C
|
|
||||||
only.
|
|
||||||
.Pp
|
|
||||||
.Ar key
|
.Ar key
|
||||||
must be double-quoted character string or series of hexadecimal digits.
|
must be double-quoted character string, or a series of hexadecimal digits
|
||||||
|
preceded by
|
||||||
|
.Dq Li 0x .
|
||||||
.Pp
|
.Pp
|
||||||
Possible values for
|
Possible values for
|
||||||
.Ar ealgo ,
|
.Ar ealgo ,
|
||||||
@@ -369,14 +384,11 @@ The square bracket around
|
|||||||
.Ar port
|
.Ar port
|
||||||
is really necessary.
|
is really necessary.
|
||||||
They are not manpage metacharacters.
|
They are not manpage metacharacters.
|
||||||
.Pp
|
For FQDN resolution, the rules applicable to
|
||||||
The
|
|
||||||
.Nm
|
|
||||||
utility does not consult hostname-to-address for arguments
|
|
||||||
.Ar src
|
.Ar src
|
||||||
and
|
and
|
||||||
.Ar dst .
|
.Ar dst
|
||||||
They must be in numeric form.
|
apply here as well.
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
.It Ar upperspec
|
.It Ar upperspec
|
||||||
@@ -395,34 +407,38 @@ can be specified.
|
|||||||
stands for
|
stands for
|
||||||
.Dq any protocol .
|
.Dq any protocol .
|
||||||
Also you can use the protocol number.
|
Also you can use the protocol number.
|
||||||
|
You can specify a type and/or a code of ICMPv6 when
|
||||||
|
Upper-layer protocol is ICMPv6.
|
||||||
|
the specification can be placed after
|
||||||
|
.Li icmp6 .
|
||||||
|
A type is separated with a code by single comma.
|
||||||
|
A code must be specified anytime.
|
||||||
|
When a zero is specified, the kernel deals with it as a wildcard.
|
||||||
|
Note that the kernel can not distinguish a wildcard from that a type
|
||||||
|
of ICMPv6 is zero.
|
||||||
|
For example, the following means the policy doesn't require IPsec
|
||||||
|
for any inbound Neighbor Solicitation.
|
||||||
|
.Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
|
||||||
.Pp
|
.Pp
|
||||||
NOTE:
|
NOTE:
|
||||||
.Ar upperspec
|
.Ar upperspec
|
||||||
does not work against forwarding case at this moment,
|
does not work against forwarding case at this moment,
|
||||||
as it requires extra reassembly at forwarding node
|
as it requires extra reassembly at forwarding node
|
||||||
(not implemented at this moment).
|
.Pq not implemented at this moment .
|
||||||
We have many protocols in
|
We have many protocols in
|
||||||
.Pa /etc/protocols ,
|
.Pa /etc/protocols ,
|
||||||
but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
|
but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
|
||||||
You have to consider and be careful to use them.
|
You have to consider and be careful to use them.
|
||||||
.Li icmp
|
|
||||||
.Li tcp
|
|
||||||
.Li udp
|
|
||||||
all protocols
|
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
.It Ar policy
|
.It Ar policy
|
||||||
.Ar policy
|
.Ar policy
|
||||||
is the one of following:
|
is the one of the following three formats:
|
||||||
.Bd -literal -offset
|
.Bd -literal -offset indent
|
||||||
.Xo
|
.It Fl P Ar direction Li discard
|
||||||
.Fl P Ar direction Li discard
|
.It Fl P Ar direction Li none
|
||||||
.Xc
|
.It Xo Fl P Ar direction Li ipsec
|
||||||
.Xo
|
.Ar protocol/mode/src-dst/level Op ...
|
||||||
.Fl P Ar direction Li none
|
|
||||||
.Xc
|
|
||||||
.Xo
|
|
||||||
.Fl P Ar direction Li ipsec Ar protocol/mode/src-dst/level
|
|
||||||
.Xc
|
.Xc
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@@ -439,6 +455,9 @@ means the packet matching indexes will be discarded.
|
|||||||
means that IPsec operation will not take place onto the packet.
|
means that IPsec operation will not take place onto the packet.
|
||||||
.Li ipsec
|
.Li ipsec
|
||||||
means that IPsec operation will take place onto the packet.
|
means that IPsec operation will take place onto the packet.
|
||||||
|
The part of
|
||||||
|
.Ar protocol/mode/src-dst/level
|
||||||
|
specifies the rule how to process the packet.
|
||||||
Either
|
Either
|
||||||
.Li ah ,
|
.Li ah ,
|
||||||
.Li esp
|
.Li esp
|
||||||
@@ -480,7 +499,7 @@ If the SA is not available in every level, the kernel will request
|
|||||||
getting SA to the key exchange daemon.
|
getting SA to the key exchange daemon.
|
||||||
.Li default
|
.Li default
|
||||||
means the kernel consults to the system wide default against protocol you
|
means the kernel consults to the system wide default against protocol you
|
||||||
specified, e.g.\&
|
specified, e.g.
|
||||||
.Li esp_trans_deflev
|
.Li esp_trans_deflev
|
||||||
sysctl variable, when the kernel processes the packet.
|
sysctl variable, when the kernel processes the packet.
|
||||||
.Li use
|
.Li use
|
||||||
@@ -492,17 +511,29 @@ with the policy.
|
|||||||
.Li unique
|
.Li unique
|
||||||
is the same to require.
|
is the same to require.
|
||||||
In addition, it allows the policy to bind with the unique out-bound SA.
|
In addition, it allows the policy to bind with the unique out-bound SA.
|
||||||
If you use the SA by manual keying,
|
You just specify the policy level
|
||||||
|
.Li unique ,
|
||||||
|
.Xr racoon 8
|
||||||
|
will configure the SA for the policy.
|
||||||
|
If you configure the SA by manual keying for that policy,
|
||||||
you can put the decimal number as the policy identifier after
|
you can put the decimal number as the policy identifier after
|
||||||
.Li unique
|
.Li unique
|
||||||
separated by colon
|
separated by colon
|
||||||
.Sq \:
|
.Sq \&:
|
||||||
like the following;
|
like the following;
|
||||||
.Li unique:number .
|
.Li unique:number .
|
||||||
|
in order to bind this policy to the SA.
|
||||||
.Li number
|
.Li number
|
||||||
must be between 1 and 32767.
|
must be between 1 and 32767.
|
||||||
It corresponds to
|
It corresponds to
|
||||||
.Ar extensions Fl u .
|
.Ar extensions Fl u
|
||||||
|
of the manual SA configuration.
|
||||||
|
When you want to use SA bundle, you can define multiple rules.
|
||||||
|
For example, if an IP header was followed by AH header followed by ESP header
|
||||||
|
followed by an upper layer protocol header, the rule
|
||||||
|
would be:
|
||||||
|
.Dl esp/transport//require ah/transport//require ;
|
||||||
|
The rule order is very important.
|
||||||
.Pp
|
.Pp
|
||||||
Note that
|
Note that
|
||||||
.Dq Li discard
|
.Dq Li discard
|
||||||
@@ -543,7 +574,8 @@ keyed-md5 128 ah: 96bit ICV (no document)
|
|||||||
keyed-sha1 160 ah: 96bit ICV (no document)
|
keyed-sha1 160 ah: 96bit ICV (no document)
|
||||||
160 ah-old: 128bit ICV (no document)
|
160 ah-old: 128bit ICV (no document)
|
||||||
null 0 to 2048 for debugging
|
null 0 to 2048 for debugging
|
||||||
hmac-sha2-256 256 ah: 96bit ICV (no document)
|
hmac-sha2-256 256 ah: 96bit ICV
|
||||||
|
(draft-ietf-ipsec-ciph-sha-256-00)
|
||||||
256 ah-old: 128bit ICV (no document)
|
256 ah-old: 128bit ICV (no document)
|
||||||
hmac-sha2-384 384 ah: 96bit ICV (no document)
|
hmac-sha2-384 384 ah: 96bit ICV (no document)
|
||||||
384 ah-old: 128bit ICV (no document)
|
384 ah-old: 128bit ICV (no document)
|
||||||
@@ -551,8 +583,8 @@ hmac-sha2-512 512 ah: 96bit ICV (no document)
|
|||||||
512 ah-old: 128bit ICV (no document)
|
512 ah-old: 128bit ICV (no document)
|
||||||
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
|
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
|
||||||
ah-old: 128bit ICV (no document)
|
ah-old: 128bit ICV (no document)
|
||||||
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
|
.\"aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
|
||||||
128 ah-old: 128bit ICV (no document)
|
.\" 128 ah-old: 128bit ICV (no document)
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
Followings are the list of encryption algorithms that can be used as
|
Followings are the list of encryption algorithms that can be used as
|
||||||
@@ -567,13 +599,13 @@ parameter:
|
|||||||
algorithm keylen (bits) comment
|
algorithm keylen (bits) comment
|
||||||
des-cbc 64 esp-old: rfc1829, esp: rfc2405
|
des-cbc 64 esp-old: rfc1829, esp: rfc2405
|
||||||
3des-cbc 192 rfc2451
|
3des-cbc 192 rfc2451
|
||||||
simple 0 to 2048 rfc2410
|
null 0 to 2048 rfc2410
|
||||||
blowfish-cbc 40 to 448 rfc2451
|
blowfish-cbc 40 to 448 rfc2451
|
||||||
cast128-cbc 40 to 128 rfc2451
|
cast128-cbc 40 to 128 rfc2451
|
||||||
des-deriv 64 ipsec-ciph-des-derived-01 (expired)
|
des-deriv 64 ipsec-ciph-des-derived-01
|
||||||
3des-deriv 192 no document
|
3des-deriv 192 no document
|
||||||
rijndael-cbc 128/192/256 draft-ietf-ipsec-ciph-aes-cbc-00
|
rijndael-cbc 128/192/256 rfc3602
|
||||||
aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
|
.\"aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
Note that the first 128 bits of a key for
|
Note that the first 128 bits of a key for
|
||||||
@@ -591,44 +623,58 @@ parameter:
|
|||||||
.Bd -literal -offset indent
|
.Bd -literal -offset indent
|
||||||
algorithm comment
|
algorithm comment
|
||||||
deflate rfc2394
|
deflate rfc2394
|
||||||
lzs rfc2395
|
|
||||||
.Ed
|
|
||||||
.\"
|
|
||||||
.Sh EXAMPLES
|
|
||||||
.Bd -literal -offset
|
|
||||||
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
|
|
||||||
-E des-cbc "ESP SA!!" ;
|
|
||||||
|
|
||||||
add 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456
|
|
||||||
-A hmac-sha1 "AH SA configuration!" ;
|
|
||||||
|
|
||||||
add 10.0.11.41 10.0.11.33 esp 0x10001
|
|
||||||
-E des-cbc "ESP with"
|
|
||||||
-A hmac-md5 "authentication!!" ;
|
|
||||||
|
|
||||||
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
|
|
||||||
|
|
||||||
flush ;
|
|
||||||
|
|
||||||
dump esp ;
|
|
||||||
|
|
||||||
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
|
|
||||||
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
|
|
||||||
|
|
||||||
.Ed
|
.Ed
|
||||||
.\"
|
.\"
|
||||||
.Sh RETURN VALUES
|
.Sh RETURN VALUES
|
||||||
The command exits with 0 on success, and non-zero on errors.
|
The command exits with 0 on success, and non-zero on errors.
|
||||||
.\"
|
.\"
|
||||||
|
.Sh EXAMPLES
|
||||||
|
.Bd -literal -offset
|
||||||
|
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
|
||||||
|
-E des-cbc 0x3ffe05014819ffff ;
|
||||||
|
|
||||||
|
add -6 myhost.example.com yourhost.example.com ah 123456
|
||||||
|
-A hmac-sha1 "AH SA configuration!" ;
|
||||||
|
|
||||||
|
add 10.0.11.41 10.0.11.33 esp 0x10001
|
||||||
|
-E des-cbc 0x3ffe05014819ffff
|
||||||
|
-A hmac-md5 "authentication!!" ;
|
||||||
|
|
||||||
|
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
|
||||||
|
|
||||||
|
flush ;
|
||||||
|
|
||||||
|
dump esp ;
|
||||||
|
|
||||||
|
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
|
||||||
|
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
|
||||||
|
|
||||||
|
.Ed
|
||||||
|
.\"
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr ipsec_set_policy 3 ,
|
.Xr ipsec_set_policy 3 ,
|
||||||
.Xr racoon 8 ,
|
.Xr racoon 8 ,
|
||||||
.Xr sysctl 8
|
.Xr sysctl 8
|
||||||
|
.Rs
|
||||||
|
.%T "Changed manual key configuration for IPsec"
|
||||||
|
.%O "http://www.kame.net/newsletter/19991007/"
|
||||||
|
.%D "October 1999"
|
||||||
|
.Re
|
||||||
.\"
|
.\"
|
||||||
.Sh HISTORY
|
.Sh HISTORY
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
utility first appeared in WIDE Hydrangea IPv6 protocol stack kit.
|
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
|
||||||
The command was completely re-designed in June 1998.
|
The command was completely re-designed in June 1998.
|
||||||
.\"
|
.\"
|
||||||
.\" .Sh BUGS
|
.Sh BUGS
|
||||||
|
.Nm
|
||||||
|
should report and handle syntax errors better.
|
||||||
|
.Pp
|
||||||
|
For IPsec gateway configuration,
|
||||||
|
.Ar src_range
|
||||||
|
and
|
||||||
|
.Ar dst_range
|
||||||
|
with TCP/UDP port number do not work, as the gateway does not reassemble
|
||||||
|
packets
|
||||||
|
.Pq cannot inspect upper-layer headers .
|
||||||
|
|||||||
+54
-73
@@ -1,5 +1,5 @@
|
|||||||
/* $FreeBSD$ */
|
/* $FreeBSD$ */
|
||||||
/* $KAME: setkey.c,v 1.18 2001/05/08 04:36:39 itojun Exp $ */
|
/* $KAME: setkey.c,v 1.28 2003/06/27 07:15:45 itojun Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||||
@@ -58,7 +58,7 @@ int main __P((int, char **));
|
|||||||
int get_supported __P((void));
|
int get_supported __P((void));
|
||||||
void sendkeyshort __P((u_int));
|
void sendkeyshort __P((u_int));
|
||||||
void promisc __P((void));
|
void promisc __P((void));
|
||||||
int sendkeymsg __P((void));
|
int sendkeymsg __P((char *, size_t));
|
||||||
int postproc __P((struct sadb_msg *, int));
|
int postproc __P((struct sadb_msg *, int));
|
||||||
const char *numstr __P((int));
|
const char *numstr __P((int));
|
||||||
void shortdump_hdr __P((void));
|
void shortdump_hdr __P((void));
|
||||||
@@ -75,18 +75,12 @@ int so;
|
|||||||
|
|
||||||
int f_forever = 0;
|
int f_forever = 0;
|
||||||
int f_all = 0;
|
int f_all = 0;
|
||||||
int f_debug = 0;
|
|
||||||
int f_verbose = 0;
|
int f_verbose = 0;
|
||||||
int f_mode = 0;
|
int f_mode = 0;
|
||||||
int f_cmddump = 0;
|
int f_cmddump = 0;
|
||||||
int f_policy = 0;
|
int f_policy = 0;
|
||||||
int f_hexdump = 0;
|
int f_hexdump = 0;
|
||||||
int f_tflag = 0;
|
int f_tflag = 0;
|
||||||
char *pname;
|
|
||||||
|
|
||||||
u_char m_buf[BUFSIZ];
|
|
||||||
u_int m_len;
|
|
||||||
|
|
||||||
static time_t thiszone;
|
static time_t thiszone;
|
||||||
|
|
||||||
extern int lineno;
|
extern int lineno;
|
||||||
@@ -96,12 +90,12 @@ extern int parse __P((FILE **));
|
|||||||
void
|
void
|
||||||
usage()
|
usage()
|
||||||
{
|
{
|
||||||
printf("usage:\t%s [-dv] -c\n", pname);
|
|
||||||
printf("\t%s [-dv] -f (file)\n", pname);
|
printf("usage: setkey [-v] -c\n");
|
||||||
printf("\t%s [-Padlv] -D\n", pname);
|
printf(" setkey [-v] -f filename\n");
|
||||||
printf("\t%s [-Pdv] -F\n", pname);
|
printf(" setkey [-Palv] -D\n");
|
||||||
printf("\t%s [-h] -x\n", pname);
|
printf(" setkey [-Pv] -F\n");
|
||||||
pfkey_close(so);
|
printf(" setkey [-h] -x\n");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -113,8 +107,6 @@ main(ac, av)
|
|||||||
FILE *fp = stdin;
|
FILE *fp = stdin;
|
||||||
int c;
|
int c;
|
||||||
|
|
||||||
pname = *av;
|
|
||||||
|
|
||||||
if (ac == 1) {
|
if (ac == 1) {
|
||||||
usage();
|
usage();
|
||||||
/* NOTREACHED */
|
/* NOTREACHED */
|
||||||
@@ -157,9 +149,6 @@ main(ac, av)
|
|||||||
case 'P':
|
case 'P':
|
||||||
f_policy = 1;
|
f_policy = 1;
|
||||||
break;
|
break;
|
||||||
case 'd':
|
|
||||||
f_debug = 1;
|
|
||||||
break;
|
|
||||||
case 'v':
|
case 'v':
|
||||||
f_verbose = 1;
|
f_verbose = 1;
|
||||||
break;
|
break;
|
||||||
@@ -169,13 +158,18 @@ main(ac, av)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
so = pfkey_open();
|
||||||
|
if (so < 0) {
|
||||||
|
perror("pfkey_open");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
switch (f_mode) {
|
switch (f_mode) {
|
||||||
case MODE_CMDDUMP:
|
case MODE_CMDDUMP:
|
||||||
sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
|
sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
|
||||||
break;
|
break;
|
||||||
case MODE_CMDFLUSH:
|
case MODE_CMDFLUSH:
|
||||||
sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
|
sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
|
||||||
pfkey_close(so);
|
|
||||||
break;
|
break;
|
||||||
case MODE_SCRIPT:
|
case MODE_SCRIPT:
|
||||||
if (get_supported() < 0) {
|
if (get_supported() < 0) {
|
||||||
@@ -199,16 +193,6 @@ main(ac, av)
|
|||||||
int
|
int
|
||||||
get_supported()
|
get_supported()
|
||||||
{
|
{
|
||||||
int so;
|
|
||||||
|
|
||||||
if ((so = pfkey_open()) < 0) {
|
|
||||||
perror("pfkey_open");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* debug mode ? */
|
|
||||||
if (f_debug)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
if (pfkey_send_register(so, SADB_SATYPE_UNSPEC) < 0)
|
if (pfkey_send_register(so, SADB_SATYPE_UNSPEC) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
@@ -223,20 +207,18 @@ void
|
|||||||
sendkeyshort(type)
|
sendkeyshort(type)
|
||||||
u_int type;
|
u_int type;
|
||||||
{
|
{
|
||||||
struct sadb_msg *m_msg = (struct sadb_msg *)m_buf;
|
struct sadb_msg msg;
|
||||||
|
|
||||||
m_len = sizeof(struct sadb_msg);
|
msg.sadb_msg_version = PF_KEY_V2;
|
||||||
|
msg.sadb_msg_type = type;
|
||||||
|
msg.sadb_msg_errno = 0;
|
||||||
|
msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
|
||||||
|
msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
|
||||||
|
msg.sadb_msg_reserved = 0;
|
||||||
|
msg.sadb_msg_seq = 0;
|
||||||
|
msg.sadb_msg_pid = getpid();
|
||||||
|
|
||||||
m_msg->sadb_msg_version = PF_KEY_V2;
|
sendkeymsg((char *)&msg, sizeof(msg));
|
||||||
m_msg->sadb_msg_type = type;
|
|
||||||
m_msg->sadb_msg_errno = 0;
|
|
||||||
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
|
|
||||||
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
|
|
||||||
m_msg->sadb_msg_reserved = 0;
|
|
||||||
m_msg->sadb_msg_seq = 0;
|
|
||||||
m_msg->sadb_msg_pid = getpid();
|
|
||||||
|
|
||||||
sendkeymsg();
|
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@@ -244,27 +226,20 @@ sendkeyshort(type)
|
|||||||
void
|
void
|
||||||
promisc()
|
promisc()
|
||||||
{
|
{
|
||||||
struct sadb_msg *m_msg = (struct sadb_msg *)m_buf;
|
struct sadb_msg msg;
|
||||||
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
||||||
int so, l;
|
ssize_t l;
|
||||||
|
|
||||||
m_len = sizeof(struct sadb_msg);
|
msg.sadb_msg_version = PF_KEY_V2;
|
||||||
|
msg.sadb_msg_type = SADB_X_PROMISC;
|
||||||
|
msg.sadb_msg_errno = 0;
|
||||||
|
msg.sadb_msg_satype = 1;
|
||||||
|
msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
|
||||||
|
msg.sadb_msg_reserved = 0;
|
||||||
|
msg.sadb_msg_seq = 0;
|
||||||
|
msg.sadb_msg_pid = getpid();
|
||||||
|
|
||||||
m_msg->sadb_msg_version = PF_KEY_V2;
|
if ((l = send(so, &msg, sizeof(msg), 0)) < 0) {
|
||||||
m_msg->sadb_msg_type = SADB_X_PROMISC;
|
|
||||||
m_msg->sadb_msg_errno = 0;
|
|
||||||
m_msg->sadb_msg_satype = 1;
|
|
||||||
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
|
|
||||||
m_msg->sadb_msg_reserved = 0;
|
|
||||||
m_msg->sadb_msg_seq = 0;
|
|
||||||
m_msg->sadb_msg_pid = getpid();
|
|
||||||
|
|
||||||
if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
|
|
||||||
err(1, "socket(PF_KEY)");
|
|
||||||
/*NOTREACHED*/
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((l = send(so, m_buf, m_len, 0)) < 0) {
|
|
||||||
err(1, "send");
|
err(1, "send");
|
||||||
/*NOTREACHED*/
|
/*NOTREACHED*/
|
||||||
}
|
}
|
||||||
@@ -301,7 +276,7 @@ promisc()
|
|||||||
}
|
}
|
||||||
/* adjust base pointer for promisc mode */
|
/* adjust base pointer for promisc mode */
|
||||||
if (base->sadb_msg_type == SADB_X_PROMISC) {
|
if (base->sadb_msg_type == SADB_X_PROMISC) {
|
||||||
if (sizeof(*base) < l)
|
if ((ssize_t)sizeof(*base) < l)
|
||||||
base++;
|
base++;
|
||||||
else
|
else
|
||||||
base = NULL;
|
base = NULL;
|
||||||
@@ -315,19 +290,14 @@ promisc()
|
|||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
sendkeymsg()
|
sendkeymsg(buf, len)
|
||||||
|
char *buf;
|
||||||
|
size_t len;
|
||||||
{
|
{
|
||||||
int so;
|
|
||||||
|
|
||||||
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
||||||
int l;
|
ssize_t l;
|
||||||
struct sadb_msg *msg;
|
struct sadb_msg *msg;
|
||||||
|
|
||||||
if ((so = pfkey_open()) < 0) {
|
|
||||||
perror("pfkey_open");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
{
|
{
|
||||||
struct timeval tv;
|
struct timeval tv;
|
||||||
tv.tv_sec = 1;
|
tv.tv_sec = 1;
|
||||||
@@ -342,11 +312,23 @@ sendkeymsg()
|
|||||||
shortdump_hdr();
|
shortdump_hdr();
|
||||||
again:
|
again:
|
||||||
if (f_verbose) {
|
if (f_verbose) {
|
||||||
kdebug_sadb((struct sadb_msg *)m_buf);
|
kdebug_sadb((struct sadb_msg *)buf);
|
||||||
printf("\n");
|
printf("\n");
|
||||||
}
|
}
|
||||||
|
if (f_hexdump) {
|
||||||
|
int i;
|
||||||
|
for (i = 0; i < len; i++) {
|
||||||
|
if (i % 16 == 0)
|
||||||
|
printf("%08x: ", i);
|
||||||
|
printf("%02x ", buf[i] & 0xff);
|
||||||
|
if (i % 16 == 15)
|
||||||
|
printf("\n");
|
||||||
|
}
|
||||||
|
if (len % 16)
|
||||||
|
printf("\n");
|
||||||
|
}
|
||||||
|
|
||||||
if ((l = send(so, m_buf, m_len, 0)) < 0) {
|
if ((l = send(so, buf, len, 0)) < 0) {
|
||||||
perror("send");
|
perror("send");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
@@ -378,7 +360,6 @@ sendkeymsg()
|
|||||||
}
|
}
|
||||||
|
|
||||||
end:
|
end:
|
||||||
pfkey_close(so);
|
|
||||||
return(0);
|
return(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
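Review bot: The new hexdump loop in sendkeymsg() declares its index as `int i` but bounds it with the `size_t len` parameter, a signed/unsigned comparison that every `-Wall` build will flag; declare it as `size_t i;` and print it with `printf("%08lx: ", (unsigned long)i);` so the format stays matched. In the same function the failure path after `send()` still runs `perror("send"); goto end;` and then falls into `return(0);`, so a caller such as sendkeyshort() cannot distinguish a message that was never sent from one that was; returning -1 from that path would use the int return type the prototype already declares (the remaining callers are outside this page). The middle of sendkeymsg()'s body lies between the hunks shown here and is not visible.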
|||||||
+111
-152
@@ -1,5 +1,5 @@
|
|||||||
/* $FreeBSD$ */
|
/* $FreeBSD$ */
|
||||||
/* $KAME: token.l,v 1.21 2001/05/18 05:35:01 sakane Exp $ */
|
/* $KAME: token.l,v 1.43 2003/07/25 09:35:28 itojun Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||||
@@ -46,30 +46,12 @@
|
|||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
#include <netdb.h>
|
||||||
|
|
||||||
#include "vchar.h"
|
#include "vchar.h"
|
||||||
#ifdef __NetBSD__
|
|
||||||
#include "parse.h"
|
|
||||||
#else
|
|
||||||
#include "y.tab.h"
|
#include "y.tab.h"
|
||||||
#endif
|
|
||||||
|
|
||||||
#define DECHO \
|
|
||||||
if (f_debug) {printf("<%d>", yy_start); ECHO ; printf("\n"); }
|
|
||||||
|
|
||||||
#define CMDARG \
|
|
||||||
{ \
|
|
||||||
char *__buf__ = strdup(yytext), *__p__; \
|
|
||||||
for (__p__ = __buf__; *__p__ != NULL; __p__++) \
|
|
||||||
if (*__p__ == '\n' || *__p__ == '\t') \
|
|
||||||
*__p__ = ' '; \
|
|
||||||
strcat(cmdarg, __buf__); \
|
|
||||||
free(__buf__); \
|
|
||||||
}
|
|
||||||
|
|
||||||
#define PREPROC DECHO CMDARG
|
|
||||||
|
|
||||||
int lineno = 1;
|
int lineno = 1;
|
||||||
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
|
|
||||||
|
|
||||||
extern u_char m_buf[BUFSIZ];
|
extern u_char m_buf[BUFSIZ];
|
||||||
extern u_int m_len;
|
extern u_int m_len;
|
||||||
@@ -81,7 +63,6 @@ void yyerror __P((const char *s));
|
|||||||
extern void parse_init __P((void));
|
extern void parse_init __P((void));
|
||||||
int parse __P((FILE **));
|
int parse __P((FILE **));
|
||||||
int yyparse __P((void));
|
int yyparse __P((void));
|
||||||
|
|
||||||
%}
|
%}
|
||||||
|
|
||||||
/* common section */
|
/* common section */
|
||||||
@@ -90,199 +71,177 @@ ws [ \t]+
|
|||||||
digit [0-9]
|
digit [0-9]
|
||||||
letter [0-9A-Za-z]
|
letter [0-9A-Za-z]
|
||||||
hexdigit [0-9A-Fa-f]
|
hexdigit [0-9A-Fa-f]
|
||||||
/*octet (([01]?{digit}?{digit})|((2([0-4]{digit}))|(25[0-5])))*/
|
|
||||||
special [()+\|\?\*,]
|
|
||||||
dot \.
|
dot \.
|
||||||
comma \,
|
|
||||||
hyphen \-
|
hyphen \-
|
||||||
colon \:
|
|
||||||
slash \/
|
slash \/
|
||||||
bcl \{
|
|
||||||
ecl \}
|
|
||||||
blcl \[
|
blcl \[
|
||||||
elcl \]
|
elcl \]
|
||||||
percent \%
|
|
||||||
semi \;
|
semi \;
|
||||||
usec {dot}{digit}{1,6}
|
|
||||||
comment \#.*
|
comment \#.*
|
||||||
ccomment "/*"
|
|
||||||
bracketstring \<[^>]*\>
|
|
||||||
quotedstring \"[^"]*\"
|
quotedstring \"[^"]*\"
|
||||||
decstring {digit}+
|
decstring {digit}+
|
||||||
hexpair {hexdigit}{hexdigit}
|
|
||||||
hexstring 0[xX]{hexdigit}+
|
hexstring 0[xX]{hexdigit}+
|
||||||
octetstring {octet}({dot}{octet})+
|
|
||||||
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
|
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
|
||||||
ipaddrmask {slash}{digit}{1,3}
|
ipaddrmask {slash}{digit}{1,3}
|
||||||
ipaddrport {blcl}{decstring}{elcl}
|
|
||||||
keyword {letter}{letter}+
|
|
||||||
name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
|
name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
|
||||||
hostname {name}(({dot}{name})+{dot}?)?
|
hostname {name}(({dot}{name})+{dot}?)?
|
||||||
|
|
||||||
%s S_PL
|
%s S_PL S_AUTHALG S_ENCALG
|
||||||
|
|
||||||
%%
|
%%
|
||||||
|
|
||||||
add { PREPROC; return(ADD); }
|
add { return(ADD); }
|
||||||
delete { PREPROC; return(DELETE); }
|
delete { return(DELETE); }
|
||||||
deleteall { PREPROC; return(DELETEALL); }
|
deleteall { return(DELETEALL); }
|
||||||
get { PREPROC; return(GET); }
|
get { return(GET); }
|
||||||
flush { PREPROC; return(FLUSH); }
|
flush { return(FLUSH); }
|
||||||
dump { PREPROC; return(DUMP); }
|
dump { return(DUMP); }
|
||||||
|
|
||||||
/* for management SPD */
|
/* for management SPD */
|
||||||
spdadd { PREPROC; return(SPDADD); }
|
spdadd { return(SPDADD); }
|
||||||
spddelete { PREPROC; return(SPDDELETE); }
|
spddelete { return(SPDDELETE); }
|
||||||
spddump { PREPROC; return(SPDDUMP); }
|
spddump { return(SPDDUMP); }
|
||||||
spdflush { PREPROC; return(SPDFLUSH); }
|
spdflush { return(SPDFLUSH); }
|
||||||
{hyphen}P { BEGIN S_PL; PREPROC; return(F_POLICY); }
|
tagged { return(TAGGED); }
|
||||||
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.\-_/ \n\t]* {
|
{hyphen}P { BEGIN S_PL; return(F_POLICY); }
|
||||||
yymore();
|
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.%\-_/ \n\t]* {
|
||||||
|
yymore();
|
||||||
|
|
||||||
/* count up for nl */
|
/* count up for nl */
|
||||||
{
|
{
|
||||||
char *p;
|
char *p;
|
||||||
for (p = yytext; *p != NULL; p++)
|
for (p = yytext; *p != NULL; p++)
|
||||||
if (*p == '\n')
|
if (*p == '\n')
|
||||||
lineno++;
|
lineno++;
|
||||||
}
|
}
|
||||||
|
|
||||||
yylval.val.len = strlen(yytext);
|
yylval.val.len = strlen(yytext);
|
||||||
yylval.val.buf = strdup(yytext);
|
yylval.val.buf = strdup(yytext);
|
||||||
|
if (!yylval.val.buf)
|
||||||
|
yyfatal("insufficient memory");
|
||||||
|
|
||||||
return(PL_REQUESTS);
|
return(PL_REQUESTS);
|
||||||
}
|
}
|
||||||
<S_PL>{semi} { PREPROC; BEGIN INITIAL; return(EOT); }
|
<S_PL>{semi} { BEGIN INITIAL; return(EOT); }
|
||||||
|
|
||||||
|
/* address resolution flags */
|
||||||
|
{hyphen}[n46][n46]* {
|
||||||
|
yylval.val.len = strlen(yytext);
|
||||||
|
yylval.val.buf = strdup(yytext);
|
||||||
|
if (!yylval.val.buf)
|
||||||
|
yyfatal("insufficient memory");
|
||||||
|
return(F_AIFLAGS);
|
||||||
|
}
|
||||||
|
|
||||||
/* security protocols */
|
/* security protocols */
|
||||||
ah { PREPROC; yylval.num = 0; return(PR_AH); }
|
ah { yylval.num = 0; return(PR_AH); }
|
||||||
esp { PREPROC; yylval.num = 0; return(PR_ESP); }
|
esp { yylval.num = 0; return(PR_ESP); }
|
||||||
ah-old { PREPROC; yylval.num = 1; return(PR_AH); }
|
ah-old { yylval.num = 1; return(PR_AH); }
|
||||||
esp-old { PREPROC; yylval.num = 1; return(PR_ESP); }
|
esp-old { yylval.num = 1; return(PR_ESP); }
|
||||||
ipcomp { PREPROC; yylval.num = 0; return(PR_IPCOMP); }
|
ipcomp { yylval.num = 0; return(PR_IPCOMP); }
|
||||||
|
|
||||||
/* authentication alogorithm */
|
/* authentication alogorithm */
|
||||||
{hyphen}A { PREPROC; return(F_AUTH); }
|
{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
|
||||||
hmac-md5 { PREPROC; yylval.num = SADB_AALG_MD5HMAC; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-md5 { yylval.num = SADB_AALG_MD5HMAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
hmac-sha1 { PREPROC; yylval.num = SADB_AALG_SHA1HMAC; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-sha1 { yylval.num = SADB_AALG_SHA1HMAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
keyed-md5 { PREPROC; yylval.num = SADB_X_AALG_MD5; return(ALG_AUTH); }
|
<S_AUTHALG>keyed-md5 { yylval.num = SADB_X_AALG_MD5; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
keyed-sha1 { PREPROC; yylval.num = SADB_X_AALG_SHA; return(ALG_AUTH); }
|
<S_AUTHALG>keyed-sha1 { yylval.num = SADB_X_AALG_SHA; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-sha2-256 { yylval.num = SADB_X_AALG_SHA2_256; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-sha2-384 { yylval.num = SADB_X_AALG_SHA2_384; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
hmac-ripemd160 { PREPROC; yylval.num = SADB_X_AALG_RIPEMD160HMAC; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
aes-xcbc-mac { PREPROC; yylval.num = SADB_X_AALG_AES_XCBC_MAC; return(ALG_AUTH); }
|
<S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); }
|
<S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
|
||||||
|
|
||||||
/* encryption alogorithm */
|
/* encryption alogorithm */
|
||||||
{hyphen}E { PREPROC; return(F_ENC); }
|
{hyphen}E { BEGIN S_ENCALG; return(F_ENC); }
|
||||||
des-cbc { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC); }
|
<S_ENCALG>des-cbc { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
3des-cbc { PREPROC; yylval.num = SADB_EALG_3DESCBC; return(ALG_ENC); }
|
<S_ENCALG>3des-cbc { yylval.num = SADB_EALG_3DESCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
simple { PREPROC; yylval.num = SADB_EALG_NULL; return(ALG_ENC); }
|
<S_ENCALG>null { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_NOKEY); }
|
||||||
blowfish-cbc { PREPROC; yylval.num = SADB_X_EALG_BLOWFISHCBC; return(ALG_ENC); }
|
<S_ENCALG>simple { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_OLD); }
|
||||||
cast128-cbc { PREPROC; yylval.num = SADB_X_EALG_CAST128CBC; return(ALG_ENC); }
|
<S_ENCALG>blowfish-cbc { yylval.num = SADB_X_EALG_BLOWFISHCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
des-deriv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DESDERIV); }
|
<S_ENCALG>cast128-cbc { yylval.num = SADB_X_EALG_CAST128CBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
des-32iv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DES32IV); }
|
<S_ENCALG>des-deriv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DESDERIV); }
|
||||||
rijndael-cbc { PREPROC; yylval.num = SADB_X_EALG_RIJNDAELCBC; return(ALG_ENC); }
|
<S_ENCALG>des-32iv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DES32IV); }
|
||||||
aes-ctr { PREPROC; yylval.num = SADB_X_EALG_AESCTR; return(ALG_ENC); }
|
<S_ENCALG>rijndael-cbc { yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
|
<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
|
|
||||||
/* compression algorithms */
|
/* compression algorithms */
|
||||||
{hyphen}C { PREPROC; return(F_COMP); }
|
{hyphen}C { return(F_COMP); }
|
||||||
oui { PREPROC; yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
|
oui { yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
|
||||||
deflate { PREPROC; yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
|
deflate { yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
|
||||||
lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
|
lzs { yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
|
||||||
{hyphen}R { PREPROC; return(F_RAWCPI); }
|
{hyphen}R { return(F_RAWCPI); }
|
||||||
|
|
||||||
/* extension */
|
/* extension */
|
||||||
{hyphen}m { PREPROC; return(F_MODE); }
|
{hyphen}m { return(F_MODE); }
|
||||||
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
|
transport { yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
|
||||||
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
|
tunnel { yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
|
||||||
{hyphen}u { PREPROC; return(F_REQID); }
|
{hyphen}u { return(F_REQID); }
|
||||||
{hyphen}f { PREPROC; return(F_EXT); }
|
{hyphen}f { return(F_EXT); }
|
||||||
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
|
random-pad { yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
|
||||||
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
|
seq-pad { yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
|
||||||
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
|
zero-pad { yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
|
||||||
nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
|
nocyclic-seq { return(NOCYCLICSEQ); }
|
||||||
{hyphen}r { PREPROC; return(F_REPLAY); }
|
{hyphen}r { return(F_REPLAY); }
|
||||||
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
|
{hyphen}lh { return(F_LIFETIME_HARD); }
|
||||||
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
|
{hyphen}ls { return(F_LIFETIME_SOFT); }
|
||||||
|
|
||||||
/* ... */
|
/* ... */
|
||||||
any { PREPROC; return(ANY); }
|
any { return(ANY); }
|
||||||
{ws} { PREPROC; }
|
{ws} { }
|
||||||
{nl} { lineno++; }
|
{nl} { lineno++; }
|
||||||
{comment}
|
{comment}
|
||||||
{semi} { PREPROC; return(EOT); }
|
{semi} { return(EOT); }
|
||||||
|
|
||||||
|
/* for address parameters: /prefix, [port] */
|
||||||
|
{slash} { return SLASH; }
|
||||||
|
{blcl} { return BLCL; }
|
||||||
|
{elcl} { return ELCL; }
|
||||||
|
|
||||||
/* parameter */
|
/* parameter */
|
||||||
{decstring} {
|
{decstring} {
|
||||||
char *bp;
|
char *bp;
|
||||||
|
|
||||||
PREPROC;
|
yylval.ulnum = strtoul(yytext, &bp, 10);
|
||||||
yylval.num = strtoul(yytext, &bp, 10);
|
|
||||||
return(DECSTRING);
|
return(DECSTRING);
|
||||||
}
|
}
|
||||||
|
|
||||||
{ipaddress} {
|
|
||||||
PREPROC;
|
|
||||||
|
|
||||||
yylval.val.len = yyleng;
|
|
||||||
yylval.val.buf = strdup(yytext);
|
|
||||||
|
|
||||||
return(ADDRESS);
|
|
||||||
}
|
|
||||||
|
|
||||||
{ipaddrmask} {
|
|
||||||
PREPROC;
|
|
||||||
yytext++;
|
|
||||||
yylval.num = atoi(yytext);
|
|
||||||
return(PREFIX);
|
|
||||||
}
|
|
||||||
|
|
||||||
{ipaddrport} {
|
|
||||||
char *p = yytext;
|
|
||||||
PREPROC;
|
|
||||||
while (*++p != ']') ;
|
|
||||||
*p = NULL;
|
|
||||||
yytext++;
|
|
||||||
yylval.num = atoi(yytext);
|
|
||||||
return(PORT);
|
|
||||||
}
|
|
||||||
|
|
||||||
{blcl}any{elcl} {
|
|
||||||
PREPROC;
|
|
||||||
return(PORTANY);
|
|
||||||
}
|
|
||||||
|
|
||||||
{hexstring} {
|
{hexstring} {
|
||||||
int len = yyleng - 2; /* (str - "0x") */
|
yylval.val.buf = strdup(yytext + 2);
|
||||||
PREPROC;
|
if (!yylval.val.buf)
|
||||||
yylval.val.len = (len & 1) + (len / 2);
|
yyfatal("insufficient memory");
|
||||||
/* fixed string if length is odd. */
|
yylval.val.len = strlen(yylval.val.buf);
|
||||||
if (len & 1) {
|
|
||||||
yytext[1] = '0';
|
|
||||||
yylval.val.buf = strdup(yytext + 1);
|
|
||||||
} else
|
|
||||||
yylval.val.buf = strdup(yytext + 2);
|
|
||||||
|
|
||||||
return(HEXSTRING);
|
return(HEXSTRING);
|
||||||
}
|
}
|
||||||
|
|
||||||
{quotedstring} {
|
{quotedstring} {
|
||||||
char *p = yytext;
|
char *p = yytext;
|
||||||
PREPROC;
|
|
||||||
while (*++p != '"') ;
|
while (*++p != '"') ;
|
||||||
*p = NULL;
|
*p = NULL;
|
||||||
yytext++;
|
yytext++;
|
||||||
yylval.val.len = yyleng - 2;
|
yylval.val.len = yyleng - 2;
|
||||||
yylval.val.buf = strdup(yytext);
|
yylval.val.buf = strdup(yytext);
|
||||||
|
if (!yylval.val.buf)
|
||||||
|
yyfatal("insufficient memory");
|
||||||
|
|
||||||
return(QUOTEDSTRING);
|
return(QUOTEDSTRING);
|
||||||
}
|
}
|
||||||
|
|
||||||
[a-z0-9.\-]* {
|
[A-Za-z0-9:][A-Za-z0-9:%\.-]* {
|
||||||
yylval.val.len = yyleng;
|
yylval.val.len = yyleng;
|
||||||
yylval.val.buf = strdup(yytext);
|
yylval.val.buf = strdup(yytext);
|
||||||
|
if (!yylval.val.buf)
|
||||||
|
yyfatal("insufficient memory");
|
||||||
|
return(STRING);
|
||||||
|
}
|
||||||
|
|
||||||
|
[0-9,]+ {
|
||||||
|
yylval.val.len = yyleng;
|
||||||
|
yylval.val.buf = strdup(yytext);
|
||||||
|
if (!yylval.val.buf)
|
||||||
|
yyfatal("insufficient memory");
|
||||||
return(STRING);
|
return(STRING);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
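Review bot: The new `{decstring}` action assigns `yylval.ulnum = strtoul(yytext, &bp, 10)` without resetting or checking errno, so a digit string that overflows unsigned long is silently clamped to ULONG_MAX and handed to the parser as a valid number; `<errno.h>` is already included, so set `errno = 0;` before the call and follow it with `if (errno == ERANGE) yyfatal("number out of range");`. The inclusive start conditions S_AUTHALG and S_ENCALG are only left when an algorithm name matches, so after `-A` or `-E` followed by an unrecognised word the lexer stays in that state across the `{semi}` that ends the command, which can change how a bare `null` on a later line is classified; resetting in the plain semicolon rule, `{semi} { BEGIN INITIAL; return(EOT); }`, mirrors what `<S_PL>{semi}` already does. The `{hexstring}` rule now returns the raw hex text and its character length in place of the old byte count and odd-length zero padding; presumably parse.y takes over that conversion, but its diff is suppressed on this page, so that cannot be confirmed here.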
|||||||
@@ -39,7 +39,7 @@ LDADD= -ll -ly
|
|||||||
|
|
||||||
CLEANFILES= y.tab.c y.tab.h key_test.o keytest
|
CLEANFILES= y.tab.c y.tab.h key_test.o keytest
|
||||||
|
|
||||||
# libpfkey.
|
# libpfkey
|
||||||
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
|
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
|
||||||
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
|
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
|
||||||
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
|
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
|
||||||
|
|||||||
+864
-550
+18
-18
@@ -45,9 +45,9 @@
|
|||||||
#
|
#
|
||||||
# At Host-A and Host-B,
|
# At Host-A and Host-B,
|
||||||
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
|
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
|
||||||
esp/transport/fec0::10-fec0::11/use ;
|
esp/transport//use ;
|
||||||
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
|
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
|
||||||
esp/transport/fec0::11-fec0::10/use ;
|
esp/transport//use ;
|
||||||
add fec0::10 fec0::11 esp 0x10001
|
add fec0::10 fec0::11 esp 0x10001
|
||||||
-m transport
|
-m transport
|
||||||
-E blowfish-cbc "kamekame"
|
-E blowfish-cbc "kamekame"
|
||||||
@@ -112,10 +112,10 @@ add 172.16.0.2 172.16.0.1 ah-old 0x10004
|
|||||||
# At Gateway-A:
|
# At Gateway-A:
|
||||||
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
|
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
|
||||||
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
|
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
|
||||||
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
|
ah/transport//require ;
|
||||||
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
|
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
|
||||||
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
|
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
|
||||||
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
|
ah/transport//require ;
|
||||||
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
|
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001
|
||||||
-m tunnel
|
-m tunnel
|
||||||
-E 3des-cbc "kamekame12341234kame1234"
|
-E 3des-cbc "kamekame12341234kame1234"
|
||||||
@@ -146,10 +146,10 @@ add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001
|
|||||||
#
|
#
|
||||||
# At Host-A:
|
# At Host-A:
|
||||||
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
|
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
|
||||||
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
|
esp/transport//use
|
||||||
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
|
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
|
||||||
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
|
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
|
||||||
esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
|
esp/transport//use
|
||||||
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
|
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
|
||||||
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
|
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
|
||||||
-m transport
|
-m transport
|
||||||
@@ -166,10 +166,10 @@ add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
|
|||||||
-E rc5-cbc "kamekame"
|
-E rc5-cbc "kamekame"
|
||||||
-A hmac-md5 "this is the test" ;
|
-A hmac-md5 "this is the test" ;
|
||||||
|
|
||||||
# By "get" command, you can get an entry of either SP or SA.
|
# By "get" command, you can get a entry of either SP or SA.
|
||||||
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
||||||
|
|
||||||
# Also delete command, you can delete an entry of either SP or SA.
|
# Also delete command, you can delete a entry of either SP or SA.
|
||||||
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
|
spddelete fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out;
|
||||||
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
delete fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ;
|
||||||
|
|
||||||
@@ -188,24 +188,24 @@ dump esp ;
|
|||||||
flush ah ;
|
flush ah ;
|
||||||
|
|
||||||
# XXX
|
# XXX
|
||||||
add ::1 ::1 esp 10001 -m transport -E simple ;
|
add ::1 ::1 esp 10001 -m transport -E null ;
|
||||||
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
|
add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ;
|
||||||
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
|
add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ;
|
||||||
add ::1 ::1 esp 10004 -m transport -E simple -A null ;
|
add ::1 ::1 esp 10004 -m transport -E null -A null ;
|
||||||
add ::1 ::1 esp 10005 -m transport -E simple -A hmac-md5 "1234123412341234" ;
|
add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ;
|
||||||
add ::1 ::1 esp 10006 -m tunnel -E simple -A hmac-sha1 "12341234123412341234" ;
|
add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ;
|
||||||
add ::1 ::1 esp 10007 -m transport -E simple -A keyed-md5 "1234123412341234" ;
|
add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ;
|
||||||
add ::1 ::1 esp 10008 -m any -E simple -A keyed-sha1 "12341234123412341234" ;
|
add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ;
|
||||||
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
|
add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ;
|
||||||
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
|
add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ;
|
||||||
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
|
add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ;
|
||||||
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
|
add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ;
|
||||||
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
|
add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ;
|
||||||
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
|
add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ;
|
||||||
add ::1 ::1 esp 10015 -m transport -f zero-pad -E simple ;
|
add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ;
|
||||||
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E simple ;
|
add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ;
|
||||||
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E simple ;
|
add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ;
|
||||||
add ::1 ::1 esp 10018 -m transport -E simple ;
|
add ::1 ::1 esp 10018 -m transport -E null ;
|
||||||
#add ::1 ::1 ah 20000 -m transport -A null ;
|
#add ::1 ::1 ah 20000 -m transport -A null ;
|
||||||
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
|
add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234";
|
||||||
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
|
add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234";
|
||||||
|
|||||||
+193
-147
@@ -1,4 +1,4 @@
|
|||||||
.\" $KAME: setkey.8,v 1.49 2001/05/18 05:49:51 sakane Exp $
|
.\" $KAME: setkey.8,v 1.89 2003/09/07 22:17:41 itojun Exp $
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||||
@@ -34,20 +34,20 @@
|
|||||||
.\"
|
.\"
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
.Nm setkey
|
.Nm setkey
|
||||||
.Nd "manually manipulate the IPsec SA/SP database"
|
.Nd manually manipulate the IPsec SA/SP database
|
||||||
.\"
|
.\"
|
||||||
.Sh SYNOPSIS
|
.Sh SYNOPSIS
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl dv
|
.Op Fl v
|
||||||
.Fl c
|
.Fl c
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl dv
|
.Op Fl v
|
||||||
.Fl f Ar filename
|
.Fl f Ar filename
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl adPlv
|
.Op Fl aPlv
|
||||||
.Fl D
|
.Fl D
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl dPv
|
.Op Fl Pv
|
||||||
.Fl F
|
.Fl F
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl h
|
.Op Fl h
|
||||||
@@ -56,19 +56,23 @@
|
|||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
utility adds, updates, dumps, or flushes
|
command adds, updates, dumps, or flushes
|
||||||
Security Association Database (SAD) entries
|
Security Association Database (SAD) entries
|
||||||
as well as Security Policy Database (SPD) entries in the kernel.
|
as well as Security Policy Database (SPD) entries in the kernel.
|
||||||
.Pp
|
.Pp
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
utility takes a series of operations from the standard input
|
command takes a series of operations from the standard input
|
||||||
(if invoked with
|
.Po
|
||||||
.Fl c )
|
if invoked with
|
||||||
|
.Fl c
|
||||||
|
.Pc
|
||||||
or the file named
|
or the file named
|
||||||
.Ar filename
|
.Ar filename
|
||||||
(if invoked with
|
.Po
|
||||||
.Fl f Ar filename ) .
|
if invoked with
|
||||||
|
.Fl f Ar filename
|
||||||
|
.Pc .
|
||||||
.Bl -tag -width Ds
|
.Bl -tag -width Ds
|
||||||
.It Fl D
|
.It Fl D
|
||||||
Dump the SAD entries.
|
Dump the SAD entries.
|
||||||
@@ -81,24 +85,15 @@ If with
|
|||||||
.Fl P ,
|
.Fl P ,
|
||||||
the SPD entries are flushed.
|
the SPD entries are flushed.
|
||||||
.It Fl a
|
.It Fl a
|
||||||
Dead SAD entries are usually not displayed with
|
.Nm
|
||||||
|
usually does not display dead SAD entries with
|
||||||
.Fl D .
|
.Fl D .
|
||||||
If with
|
If with
|
||||||
.Fl a ,
|
.Fl a ,
|
||||||
the dead SAD entries will be displayed as well.
|
the dead SAD entries will be displayed as well.
|
||||||
A dead SAD entry means that
|
A dead SAD entry means that
|
||||||
it has been expired but remains
|
it has been expired but remains in the system
|
||||||
because it is referenced by SPD entries.
|
because it is referenced by some SPD entries.
|
||||||
.It Fl d
|
|
||||||
Enable to print debugging messages for command parser,
|
|
||||||
without talking to kernel.
|
|
||||||
It is not used usually.
|
|
||||||
.It Fl x
|
|
||||||
Loop forever and dump all the messages transmitted to
|
|
||||||
.Dv PF_KEY
|
|
||||||
socket.
|
|
||||||
.Fl xx
|
|
||||||
makes each timestamps unformatted.
|
|
||||||
.It Fl h
|
.It Fl h
|
||||||
Add hexadecimal dump on
|
Add hexadecimal dump on
|
||||||
.Fl x
|
.Fl x
|
||||||
@@ -111,23 +106,39 @@ Be verbose.
|
|||||||
The program will dump messages exchanged on
|
The program will dump messages exchanged on
|
||||||
.Dv PF_KEY
|
.Dv PF_KEY
|
||||||
socket, including messages sent from other processes to the kernel.
|
socket, including messages sent from other processes to the kernel.
|
||||||
|
.It Fl x
|
||||||
|
Loop forever and dump all the messages transmitted to
|
||||||
|
.Dv PF_KEY
|
||||||
|
socket.
|
||||||
|
.Fl xx
|
||||||
|
makes each timestamps unformatted.
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Ss Configuration syntax
|
||||||
Operations have the following grammar.
|
With
|
||||||
Note that lines starting with
|
.Fl c
|
||||||
hashmarks ('#') are treated as comment lines.
|
or
|
||||||
|
.Fl f
|
||||||
|
on the command line,
|
||||||
|
.Nm
|
||||||
|
accepts the following configuration syntax.
|
||||||
|
Lines starting with hash signs ('#') are treated as comment lines.
|
||||||
.Bl -tag -width Ds
|
.Bl -tag -width Ds
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li add
|
.Li add
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src Ar dst Ar protocol Ar spi
|
.Ar src Ar dst Ar protocol Ar spi
|
||||||
.Op Ar extensions
|
.Op Ar extensions
|
||||||
.Ar algorithm...
|
.Ar algorithm ...
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
Add an SAD entry.
|
Add an SAD entry.
|
||||||
|
.Li add
|
||||||
|
can fail with multiple reasons,
|
||||||
|
including when the key length does not match the specified algorithm.
|
||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li get
|
.Li get
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src Ar dst Ar protocol Ar spi
|
.Ar src Ar dst Ar protocol Ar spi
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
@@ -135,6 +146,7 @@ Show an SAD entry.
|
|||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li delete
|
.Li delete
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src Ar dst Ar protocol Ar spi
|
.Ar src Ar dst Ar protocol Ar spi
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
@@ -142,6 +154,7 @@ Remove an SAD entry.
|
|||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li deleteall
|
.Li deleteall
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src Ar dst Ar protocol
|
.Ar src Ar dst Ar protocol
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
@@ -153,6 +166,8 @@ Remove all SAD entries that match the specification.
|
|||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
Clear all SAD entries matched by the options.
|
Clear all SAD entries matched by the options.
|
||||||
|
.Fl F
|
||||||
|
on the command line achieves the same functionality.
|
||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li dump
|
.Li dump
|
||||||
@@ -160,9 +175,12 @@ Clear all SAD entries matched by the options.
|
|||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
Dumps all SAD entries matched by the options.
|
Dumps all SAD entries matched by the options.
|
||||||
|
.Fl D
|
||||||
|
on the command line achieves the same functionality.
|
||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li spdadd
|
.Li spdadd
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src_range Ar dst_range Ar upperspec Ar policy
|
.Ar src_range Ar dst_range Ar upperspec Ar policy
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
@@ -170,6 +188,7 @@ Add an SPD entry.
|
|||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li spddelete
|
.Li spddelete
|
||||||
|
.Op Fl 46n
|
||||||
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
|
.Ar src_range Ar dst_range Ar upperspec Fl P Ar direction
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
@@ -180,12 +199,16 @@ Delete an SPD entry.
|
|||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
Clear all SPD entries.
|
Clear all SPD entries.
|
||||||
|
.Fl FP
|
||||||
|
on the command line achieves the same functionality.
|
||||||
.\"
|
.\"
|
||||||
.It Xo
|
.It Xo
|
||||||
.Li spddump
|
.Li spddump
|
||||||
.Li ;
|
.Li ;
|
||||||
.Xc
|
.Xc
|
||||||
Dumps all SPD entries.
|
Dumps all SPD entries.
|
||||||
|
.Fl DP
|
||||||
|
on the command line achieves the same functionality.
|
||||||
.El
|
.El
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
@@ -196,13 +219,23 @@ Meta-arguments are as follows:
|
|||||||
.It Ar dst
|
.It Ar dst
|
||||||
Source/destination of the secure communication is specified as
|
Source/destination of the secure communication is specified as
|
||||||
IPv4/v6 address.
|
IPv4/v6 address.
|
||||||
The
|
|
||||||
.Nm
|
.Nm
|
||||||
utility does not consult hostname-to-address for arguments
|
can resolve a FQDN into numeric addresses.
|
||||||
.Ar src
|
If the FQDN resolves into multiple addresses,
|
||||||
|
.Nm
|
||||||
|
will install multiple SAD/SPD entries into the kernel
|
||||||
|
by trying all possible combinations.
|
||||||
|
.Fl 4 ,
|
||||||
|
.Fl 6
|
||||||
and
|
and
|
||||||
.Ar dst .
|
.Fl n
|
||||||
They must be in numeric form.
|
restricts the address resolution of FQDN in certain ways.
|
||||||
|
.Fl 4
|
||||||
|
and
|
||||||
|
.Fl 6
|
||||||
|
restrict results into IPv4/v6 addresses only, respectively.
|
||||||
|
.Fl n
|
||||||
|
avoids FQDN resolution and requires addresses to be numeric addresses.
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
.It Ar protocol
|
.It Ar protocol
|
||||||
@@ -210,7 +243,7 @@ They must be in numeric form.
|
|||||||
is one of following:
|
is one of following:
|
||||||
.Bl -tag -width Fl -compact
|
.Bl -tag -width Fl -compact
|
||||||
.It Li esp
|
.It Li esp
|
||||||
ESP based on rfc2405
|
ESP based on rfc2406
|
||||||
.It Li esp-old
|
.It Li esp-old
|
||||||
ESP based on rfc1827
|
ESP based on rfc1827
|
||||||
.It Li ah
|
.It Li ah
|
||||||
@@ -218,21 +251,24 @@ AH based on rfc2402
|
|||||||
.It Li ah-old
|
.It Li ah-old
|
||||||
AH based on rfc1826
|
AH based on rfc1826
|
||||||
.It Li ipcomp
|
.It Li ipcomp
|
||||||
IPCOMP
|
IPComp
|
||||||
.El
|
.El
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
.It Ar spi
|
.It Ar spi
|
||||||
Security Parameter Index (SPI) for the SAD and the SPD.
|
Security Parameter Index
|
||||||
It must be decimal number or hexadecimal number
|
.Pq SPI
|
||||||
You cannot use the set of SPI values in the range 0 through 255.
|
for the SAD and the SPD.
|
||||||
(with
|
.Ar spi
|
||||||
.Li 0x
|
must be a decimal number, or a hexadecimal number with
|
||||||
attached).
|
.Dq Li 0x
|
||||||
|
prefix.
|
||||||
|
SPI values between 0 and 255 are reserved for future use by IANA
|
||||||
|
and they cannot be used.
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
.It Ar extensions
|
.It Ar extensions
|
||||||
takes some of the following:
|
take some of the following:
|
||||||
.Bl -tag -width Fl -compact
|
.Bl -tag -width Fl -compact
|
||||||
.\"
|
.\"
|
||||||
.It Fl m Ar mode
|
.It Fl m Ar mode
|
||||||
@@ -283,62 +319,41 @@ Specify hard/soft life time duration of the SA.
|
|||||||
.It Ar algorithm
|
.It Ar algorithm
|
||||||
.Bl -tag -width Fl -compact
|
.Bl -tag -width Fl -compact
|
||||||
.It Fl E Ar ealgo Ar key
|
.It Fl E Ar ealgo Ar key
|
||||||
Specify an encryption algorithm.
|
Specify an encryption algorithm
|
||||||
|
.Ar ealgo
|
||||||
|
for ESP.
|
||||||
|
.It Xo
|
||||||
|
.Fl E Ar ealgo Ar key
|
||||||
|
.Fl A Ar aalgo Ar key
|
||||||
|
.Xc
|
||||||
|
Specify a encryption algorithm
|
||||||
|
.Ar ealgo ,
|
||||||
|
as well as a payload authentication algorithm
|
||||||
|
.Ar aalgo ,
|
||||||
|
for ESP.
|
||||||
.It Fl A Ar aalgo Ar key
|
.It Fl A Ar aalgo Ar key
|
||||||
Specify an authentication algorithm.
|
Specify an authentication algorithm for AH.
|
||||||
If
|
|
||||||
.Fl A
|
|
||||||
is used with
|
|
||||||
.Ar protocol Li esp ,
|
|
||||||
it will be treated as ESP payload authentication algorithm.
|
|
||||||
.It Fl C Ar calgo Op Fl R
|
.It Fl C Ar calgo Op Fl R
|
||||||
Specify compression algorithm.
|
Specify a compression algorithm for IPComp.
|
||||||
If
|
If
|
||||||
.Fl R
|
.Fl R
|
||||||
is not specified with
|
is specified,
|
||||||
.Li ipcomp
|
|
||||||
line, the kernel will use well-known IPComp CPI
|
|
||||||
(compression parameter index)
|
|
||||||
on IPComp CPI field on packets, and
|
|
||||||
.Ar spi
|
.Ar spi
|
||||||
field will be ignored.
|
field value will be used as the IPComp CPI
|
||||||
.Ar spi
|
.Pq compression parameter index
|
||||||
field is only for kernel internal use in this case.
|
on wire as is.
|
||||||
.\"Therefore, compression protocol number will appear on IPComp CPI field.
|
|
||||||
If
|
If
|
||||||
.Fl R
|
.Fl R
|
||||||
is used,
|
is not specified,
|
||||||
the value on
|
the kernel will use well-known CPI on wire, and
|
||||||
.Ar spi
|
.Ar spi
|
||||||
field will appear on IPComp CPI field on outgoing packets.
|
field will be used only as an index for kernel internal usage.
|
||||||
.Ar spi
|
|
||||||
field needs to be smaller than
|
|
||||||
.Li 0x10000
|
|
||||||
in this case.
|
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
.Ar protocol Li esp
|
|
||||||
accepts
|
|
||||||
.Fl E
|
|
||||||
and
|
|
||||||
.Fl A .
|
|
||||||
.Ar protocol Li esp-old
|
|
||||||
accepts
|
|
||||||
.Fl E
|
|
||||||
only.
|
|
||||||
.Ar protocol Li ah
|
|
||||||
and
|
|
||||||
.Li ah-old
|
|
||||||
accept
|
|
||||||
.Fl A
|
|
||||||
only.
|
|
||||||
.Ar protocol Li ipcomp
|
|
||||||
accepts
|
|
||||||
.Fl C
|
|
||||||
only.
|
|
||||||
.Pp
|
|
||||||
.Ar key
|
.Ar key
|
||||||
must be double-quoted character string or series of hexadecimal digits.
|
must be double-quoted character string, or a series of hexadecimal digits
|
||||||
|
preceded by
|
||||||
|
.Dq Li 0x .
|
||||||
.Pp
|
.Pp
|
||||||
Possible values for
|
Possible values for
|
||||||
.Ar ealgo ,
|
.Ar ealgo ,
|
||||||
@@ -369,14 +384,11 @@ The square bracket around
|
|||||||
.Ar port
|
.Ar port
|
||||||
is really necessary.
|
is really necessary.
|
||||||
They are not manpage metacharacters.
|
They are not manpage metacharacters.
|
||||||
.Pp
|
For FQDN resolution, the rules applicable to
|
||||||
The
|
|
||||||
.Nm
|
|
||||||
utility does not consult hostname-to-address for arguments
|
|
||||||
.Ar src
|
.Ar src
|
||||||
and
|
and
|
||||||
.Ar dst .
|
.Ar dst
|
||||||
They must be in numeric form.
|
apply here as well.
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
.It Ar upperspec
|
.It Ar upperspec
|
||||||
@@ -395,34 +407,38 @@ can be specified.
|
|||||||
stands for
|
stands for
|
||||||
.Dq any protocol .
|
.Dq any protocol .
|
||||||
Also you can use the protocol number.
|
Also you can use the protocol number.
|
||||||
|
You can specify a type and/or a code of ICMPv6 when
|
||||||
|
Upper-layer protocol is ICMPv6.
|
||||||
|
the specification can be placed after
|
||||||
|
.Li icmp6 .
|
||||||
|
A type is separated with a code by single comma.
|
||||||
|
A code must be specified anytime.
|
||||||
|
When a zero is specified, the kernel deals with it as a wildcard.
|
||||||
|
Note that the kernel can not distinguish a wildcard from that a type
|
||||||
|
of ICMPv6 is zero.
|
||||||
|
For example, the following means the policy doesn't require IPsec
|
||||||
|
for any inbound Neighbor Solicitation.
|
||||||
|
.Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
|
||||||
.Pp
|
.Pp
|
||||||
NOTE:
|
NOTE:
|
||||||
.Ar upperspec
|
.Ar upperspec
|
||||||
does not work against forwarding case at this moment,
|
does not work against forwarding case at this moment,
|
||||||
as it requires extra reassembly at forwarding node
|
as it requires extra reassembly at forwarding node
|
||||||
(not implemented at this moment).
|
.Pq not implemented at this moment .
|
||||||
We have many protocols in
|
We have many protocols in
|
||||||
.Pa /etc/protocols ,
|
.Pa /etc/protocols ,
|
||||||
but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
|
but protocols except of TCP, UDP and ICMP may not be suitable to use with IPsec.
|
||||||
You have to consider and be careful to use them.
|
You have to consider and be careful to use them.
|
||||||
.Li icmp
|
|
||||||
.Li tcp
|
|
||||||
.Li udp
|
|
||||||
all protocols
|
|
||||||
.\"
|
.\"
|
||||||
.Pp
|
.Pp
|
||||||
.It Ar policy
|
.It Ar policy
|
||||||
.Ar policy
|
.Ar policy
|
||||||
is the one of following:
|
is the one of the following three formats:
|
||||||
.Bd -literal -offset
|
.Bd -literal -offset indent
|
||||||
.Xo
|
.It Fl P Ar direction Li discard
|
||||||
.Fl P Ar direction Li discard
|
.It Fl P Ar direction Li none
|
||||||
.Xc
|
.It Xo Fl P Ar direction Li ipsec
|
||||||
.Xo
|
.Ar protocol/mode/src-dst/level Op ...
|
||||||
.Fl P Ar direction Li none
|
|
||||||
.Xc
|
|
||||||
.Xo
|
|
||||||
.Fl P Ar direction Li ipsec Ar protocol/mode/src-dst/level
|
|
||||||
.Xc
|
.Xc
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@@ -439,6 +455,9 @@ means the packet matching indexes will be discarded.
|
|||||||
means that IPsec operation will not take place onto the packet.
|
means that IPsec operation will not take place onto the packet.
|
||||||
.Li ipsec
|
.Li ipsec
|
||||||
means that IPsec operation will take place onto the packet.
|
means that IPsec operation will take place onto the packet.
|
||||||
|
The part of
|
||||||
|
.Ar protocol/mode/src-dst/level
|
||||||
|
specifies the rule how to process the packet.
|
||||||
Either
|
Either
|
||||||
.Li ah ,
|
.Li ah ,
|
||||||
.Li esp
|
.Li esp
|
||||||
@@ -480,7 +499,7 @@ If the SA is not available in every level, the kernel will request
|
|||||||
getting SA to the key exchange daemon.
|
getting SA to the key exchange daemon.
|
||||||
.Li default
|
.Li default
|
||||||
means the kernel consults to the system wide default against protocol you
|
means the kernel consults to the system wide default against protocol you
|
||||||
specified, e.g.\&
|
specified, e.g.
|
||||||
.Li esp_trans_deflev
|
.Li esp_trans_deflev
|
||||||
sysctl variable, when the kernel processes the packet.
|
sysctl variable, when the kernel processes the packet.
|
||||||
.Li use
|
.Li use
|
||||||
@@ -492,17 +511,29 @@ with the policy.
|
|||||||
.Li unique
|
.Li unique
|
||||||
is the same to require.
|
is the same to require.
|
||||||
In addition, it allows the policy to bind with the unique out-bound SA.
|
In addition, it allows the policy to bind with the unique out-bound SA.
|
||||||
If you use the SA by manual keying,
|
You just specify the policy level
|
||||||
|
.Li unique ,
|
||||||
|
.Xr racoon 8
|
||||||
|
will configure the SA for the policy.
|
||||||
|
If you configure the SA by manual keying for that policy,
|
||||||
you can put the decimal number as the policy identifier after
|
you can put the decimal number as the policy identifier after
|
||||||
.Li unique
|
.Li unique
|
||||||
separated by colon
|
separated by colon
|
||||||
.Sq \:
|
.Sq \&:
|
||||||
like the following;
|
like the following;
|
||||||
.Li unique:number .
|
.Li unique:number .
|
||||||
|
in order to bind this policy to the SA.
|
||||||
.Li number
|
.Li number
|
||||||
must be between 1 and 32767.
|
must be between 1 and 32767.
|
||||||
It corresponds to
|
It corresponds to
|
||||||
.Ar extensions Fl u .
|
.Ar extensions Fl u
|
||||||
|
of the manual SA configuration.
|
||||||
|
When you want to use SA bundle, you can define multiple rules.
|
||||||
|
For example, if an IP header was followed by AH header followed by ESP header
|
||||||
|
followed by an upper layer protocol header, the rule
|
||||||
|
would be:
|
||||||
|
.Dl esp/transport//require ah/transport//require ;
|
||||||
|
The rule order is very important.
|
||||||
.Pp
|
.Pp
|
||||||
Note that
|
Note that
|
||||||
.Dq Li discard
|
.Dq Li discard
|
||||||
@@ -543,7 +574,8 @@ keyed-md5 128 ah: 96bit ICV (no document)
|
|||||||
keyed-sha1 160 ah: 96bit ICV (no document)
|
keyed-sha1 160 ah: 96bit ICV (no document)
|
||||||
160 ah-old: 128bit ICV (no document)
|
160 ah-old: 128bit ICV (no document)
|
||||||
null 0 to 2048 for debugging
|
null 0 to 2048 for debugging
|
||||||
hmac-sha2-256 256 ah: 96bit ICV (no document)
|
hmac-sha2-256 256 ah: 96bit ICV
|
||||||
|
(draft-ietf-ipsec-ciph-sha-256-00)
|
||||||
256 ah-old: 128bit ICV (no document)
|
256 ah-old: 128bit ICV (no document)
|
||||||
hmac-sha2-384 384 ah: 96bit ICV (no document)
|
hmac-sha2-384 384 ah: 96bit ICV (no document)
|
||||||
384 ah-old: 128bit ICV (no document)
|
384 ah-old: 128bit ICV (no document)
|
||||||
@@ -551,8 +583,8 @@ hmac-sha2-512 512 ah: 96bit ICV (no document)
|
|||||||
512 ah-old: 128bit ICV (no document)
|
512 ah-old: 128bit ICV (no document)
|
||||||
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
|
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
|
||||||
ah-old: 128bit ICV (no document)
|
ah-old: 128bit ICV (no document)
|
||||||
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
|
.\"aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
|
||||||
128 ah-old: 128bit ICV (no document)
|
.\" 128 ah-old: 128bit ICV (no document)
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
Followings are the list of encryption algorithms that can be used as
|
Followings are the list of encryption algorithms that can be used as
|
||||||
@@ -567,13 +599,13 @@ parameter:
|
|||||||
algorithm keylen (bits) comment
|
algorithm keylen (bits) comment
|
||||||
des-cbc 64 esp-old: rfc1829, esp: rfc2405
|
des-cbc 64 esp-old: rfc1829, esp: rfc2405
|
||||||
3des-cbc 192 rfc2451
|
3des-cbc 192 rfc2451
|
||||||
simple 0 to 2048 rfc2410
|
null 0 to 2048 rfc2410
|
||||||
blowfish-cbc 40 to 448 rfc2451
|
blowfish-cbc 40 to 448 rfc2451
|
||||||
cast128-cbc 40 to 128 rfc2451
|
cast128-cbc 40 to 128 rfc2451
|
||||||
des-deriv 64 ipsec-ciph-des-derived-01 (expired)
|
des-deriv 64 ipsec-ciph-des-derived-01
|
||||||
3des-deriv 192 no document
|
3des-deriv 192 no document
|
||||||
rijndael-cbc 128/192/256 draft-ietf-ipsec-ciph-aes-cbc-00
|
rijndael-cbc 128/192/256 rfc3602
|
||||||
aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
|
.\"aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
Note that the first 128 bits of a key for
|
Note that the first 128 bits of a key for
|
||||||
@@ -591,44 +623,58 @@ parameter:
|
|||||||
.Bd -literal -offset indent
|
.Bd -literal -offset indent
|
||||||
algorithm comment
|
algorithm comment
|
||||||
deflate rfc2394
|
deflate rfc2394
|
||||||
lzs rfc2395
|
|
||||||
.Ed
|
|
||||||
.\"
|
|
||||||
.Sh EXAMPLES
|
|
||||||
.Bd -literal -offset
|
|
||||||
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
|
|
||||||
-E des-cbc "ESP SA!!" ;
|
|
||||||
|
|
||||||
add 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456
|
|
||||||
-A hmac-sha1 "AH SA configuration!" ;
|
|
||||||
|
|
||||||
add 10.0.11.41 10.0.11.33 esp 0x10001
|
|
||||||
-E des-cbc "ESP with"
|
|
||||||
-A hmac-md5 "authentication!!" ;
|
|
||||||
|
|
||||||
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
|
|
||||||
|
|
||||||
flush ;
|
|
||||||
|
|
||||||
dump esp ;
|
|
||||||
|
|
||||||
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
|
|
||||||
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
|
|
||||||
|
|
||||||
.Ed
|
.Ed
|
||||||
.\"
|
.\"
|
||||||
.Sh RETURN VALUES
|
.Sh RETURN VALUES
|
||||||
The command exits with 0 on success, and non-zero on errors.
|
The command exits with 0 on success, and non-zero on errors.
|
||||||
.\"
|
.\"
|
||||||
|
.Sh EXAMPLES
|
||||||
|
.Bd -literal -offset
|
||||||
|
add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
|
||||||
|
-E des-cbc 0x3ffe05014819ffff ;
|
||||||
|
|
||||||
|
add -6 myhost.example.com yourhost.example.com ah 123456
|
||||||
|
-A hmac-sha1 "AH SA configuration!" ;
|
||||||
|
|
||||||
|
add 10.0.11.41 10.0.11.33 esp 0x10001
|
||||||
|
-E des-cbc 0x3ffe05014819ffff
|
||||||
|
-A hmac-md5 "authentication!!" ;
|
||||||
|
|
||||||
|
get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;
|
||||||
|
|
||||||
|
flush ;
|
||||||
|
|
||||||
|
dump esp ;
|
||||||
|
|
||||||
|
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
|
||||||
|
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
|
||||||
|
|
||||||
|
.Ed
|
||||||
|
.\"
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr ipsec_set_policy 3 ,
|
.Xr ipsec_set_policy 3 ,
|
||||||
.Xr racoon 8 ,
|
.Xr racoon 8 ,
|
||||||
.Xr sysctl 8
|
.Xr sysctl 8
|
||||||
|
.Rs
|
||||||
|
.%T "Changed manual key configuration for IPsec"
|
||||||
|
.%O "http://www.kame.net/newsletter/19991007/"
|
||||||
|
.%D "October 1999"
|
||||||
|
.Re
|
||||||
.\"
|
.\"
|
||||||
.Sh HISTORY
|
.Sh HISTORY
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
utility first appeared in WIDE Hydrangea IPv6 protocol stack kit.
|
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
|
||||||
The command was completely re-designed in June 1998.
|
The command was completely re-designed in June 1998.
|
||||||
.\"
|
.\"
|
||||||
.\" .Sh BUGS
|
.Sh BUGS
|
||||||
|
.Nm
|
||||||
|
should report and handle syntax errors better.
|
||||||
|
.Pp
|
||||||
|
For IPsec gateway configuration,
|
||||||
|
.Ar src_range
|
||||||
|
and
|
||||||
|
.Ar dst_range
|
||||||
|
with TCP/UDP port number do not work, as the gateway does not reassemble
|
||||||
|
packets
|
||||||
|
.Pq cannot inspect upper-layer headers .
|
||||||
|
|||||||
+54
-73
@@ -1,5 +1,5 @@
|
|||||||
/* $FreeBSD$ */
|
/* $FreeBSD$ */
|
||||||
/* $KAME: setkey.c,v 1.18 2001/05/08 04:36:39 itojun Exp $ */
|
/* $KAME: setkey.c,v 1.28 2003/06/27 07:15:45 itojun Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||||
@@ -58,7 +58,7 @@ int main __P((int, char **));
|
|||||||
int get_supported __P((void));
|
int get_supported __P((void));
|
||||||
void sendkeyshort __P((u_int));
|
void sendkeyshort __P((u_int));
|
||||||
void promisc __P((void));
|
void promisc __P((void));
|
||||||
int sendkeymsg __P((void));
|
int sendkeymsg __P((char *, size_t));
|
||||||
int postproc __P((struct sadb_msg *, int));
|
int postproc __P((struct sadb_msg *, int));
|
||||||
const char *numstr __P((int));
|
const char *numstr __P((int));
|
||||||
void shortdump_hdr __P((void));
|
void shortdump_hdr __P((void));
|
||||||
@@ -75,18 +75,12 @@ int so;
|
|||||||
|
|
||||||
int f_forever = 0;
|
int f_forever = 0;
|
||||||
int f_all = 0;
|
int f_all = 0;
|
||||||
int f_debug = 0;
|
|
||||||
int f_verbose = 0;
|
int f_verbose = 0;
|
||||||
int f_mode = 0;
|
int f_mode = 0;
|
||||||
int f_cmddump = 0;
|
int f_cmddump = 0;
|
||||||
int f_policy = 0;
|
int f_policy = 0;
|
||||||
int f_hexdump = 0;
|
int f_hexdump = 0;
|
||||||
int f_tflag = 0;
|
int f_tflag = 0;
|
||||||
char *pname;
|
|
||||||
|
|
||||||
u_char m_buf[BUFSIZ];
|
|
||||||
u_int m_len;
|
|
||||||
|
|
||||||
static time_t thiszone;
|
static time_t thiszone;
|
||||||
|
|
||||||
extern int lineno;
|
extern int lineno;
|
||||||
@@ -96,12 +90,12 @@ extern int parse __P((FILE **));
|
|||||||
void
|
void
|
||||||
usage()
|
usage()
|
||||||
{
|
{
|
||||||
printf("usage:\t%s [-dv] -c\n", pname);
|
|
||||||
printf("\t%s [-dv] -f (file)\n", pname);
|
printf("usage: setkey [-v] -c\n");
|
||||||
printf("\t%s [-Padlv] -D\n", pname);
|
printf(" setkey [-v] -f filename\n");
|
||||||
printf("\t%s [-Pdv] -F\n", pname);
|
printf(" setkey [-Palv] -D\n");
|
||||||
printf("\t%s [-h] -x\n", pname);
|
printf(" setkey [-Pv] -F\n");
|
||||||
pfkey_close(so);
|
printf(" setkey [-h] -x\n");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -113,8 +107,6 @@ main(ac, av)
|
|||||||
FILE *fp = stdin;
|
FILE *fp = stdin;
|
||||||
int c;
|
int c;
|
||||||
|
|
||||||
pname = *av;
|
|
||||||
|
|
||||||
if (ac == 1) {
|
if (ac == 1) {
|
||||||
usage();
|
usage();
|
||||||
/* NOTREACHED */
|
/* NOTREACHED */
|
||||||
@@ -157,9 +149,6 @@ main(ac, av)
|
|||||||
case 'P':
|
case 'P':
|
||||||
f_policy = 1;
|
f_policy = 1;
|
||||||
break;
|
break;
|
||||||
case 'd':
|
|
||||||
f_debug = 1;
|
|
||||||
break;
|
|
||||||
case 'v':
|
case 'v':
|
||||||
f_verbose = 1;
|
f_verbose = 1;
|
||||||
break;
|
break;
|
||||||
@@ -169,13 +158,18 @@ main(ac, av)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
so = pfkey_open();
|
||||||
|
if (so < 0) {
|
||||||
|
perror("pfkey_open");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
switch (f_mode) {
|
switch (f_mode) {
|
||||||
case MODE_CMDDUMP:
|
case MODE_CMDDUMP:
|
||||||
sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
|
sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
|
||||||
break;
|
break;
|
||||||
case MODE_CMDFLUSH:
|
case MODE_CMDFLUSH:
|
||||||
sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
|
sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
|
||||||
pfkey_close(so);
|
|
||||||
break;
|
break;
|
||||||
case MODE_SCRIPT:
|
case MODE_SCRIPT:
|
||||||
if (get_supported() < 0) {
|
if (get_supported() < 0) {
|
||||||
@@ -199,16 +193,6 @@ main(ac, av)
|
|||||||
int
|
int
|
||||||
get_supported()
|
get_supported()
|
||||||
{
|
{
|
||||||
int so;
|
|
||||||
|
|
||||||
if ((so = pfkey_open()) < 0) {
|
|
||||||
perror("pfkey_open");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* debug mode ? */
|
|
||||||
if (f_debug)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
if (pfkey_send_register(so, SADB_SATYPE_UNSPEC) < 0)
|
if (pfkey_send_register(so, SADB_SATYPE_UNSPEC) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
@@ -223,20 +207,18 @@ void
|
|||||||
sendkeyshort(type)
|
sendkeyshort(type)
|
||||||
u_int type;
|
u_int type;
|
||||||
{
|
{
|
||||||
struct sadb_msg *m_msg = (struct sadb_msg *)m_buf;
|
struct sadb_msg msg;
|
||||||
|
|
||||||
m_len = sizeof(struct sadb_msg);
|
msg.sadb_msg_version = PF_KEY_V2;
|
||||||
|
msg.sadb_msg_type = type;
|
||||||
|
msg.sadb_msg_errno = 0;
|
||||||
|
msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
|
||||||
|
msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
|
||||||
|
msg.sadb_msg_reserved = 0;
|
||||||
|
msg.sadb_msg_seq = 0;
|
||||||
|
msg.sadb_msg_pid = getpid();
|
||||||
|
|
||||||
m_msg->sadb_msg_version = PF_KEY_V2;
|
sendkeymsg((char *)&msg, sizeof(msg));
|
||||||
m_msg->sadb_msg_type = type;
|
|
||||||
m_msg->sadb_msg_errno = 0;
|
|
||||||
m_msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
|
|
||||||
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
|
|
||||||
m_msg->sadb_msg_reserved = 0;
|
|
||||||
m_msg->sadb_msg_seq = 0;
|
|
||||||
m_msg->sadb_msg_pid = getpid();
|
|
||||||
|
|
||||||
sendkeymsg();
|
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@@ -244,27 +226,20 @@ sendkeyshort(type)
|
|||||||
void
|
void
|
||||||
promisc()
|
promisc()
|
||||||
{
|
{
|
||||||
struct sadb_msg *m_msg = (struct sadb_msg *)m_buf;
|
struct sadb_msg msg;
|
||||||
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
||||||
int so, l;
|
ssize_t l;
|
||||||
|
|
||||||
m_len = sizeof(struct sadb_msg);
|
msg.sadb_msg_version = PF_KEY_V2;
|
||||||
|
msg.sadb_msg_type = SADB_X_PROMISC;
|
||||||
|
msg.sadb_msg_errno = 0;
|
||||||
|
msg.sadb_msg_satype = 1;
|
||||||
|
msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
|
||||||
|
msg.sadb_msg_reserved = 0;
|
||||||
|
msg.sadb_msg_seq = 0;
|
||||||
|
msg.sadb_msg_pid = getpid();
|
||||||
|
|
||||||
m_msg->sadb_msg_version = PF_KEY_V2;
|
if ((l = send(so, &msg, sizeof(msg), 0)) < 0) {
|
||||||
m_msg->sadb_msg_type = SADB_X_PROMISC;
|
|
||||||
m_msg->sadb_msg_errno = 0;
|
|
||||||
m_msg->sadb_msg_satype = 1;
|
|
||||||
m_msg->sadb_msg_len = PFKEY_UNIT64(m_len);
|
|
||||||
m_msg->sadb_msg_reserved = 0;
|
|
||||||
m_msg->sadb_msg_seq = 0;
|
|
||||||
m_msg->sadb_msg_pid = getpid();
|
|
||||||
|
|
||||||
if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
|
|
||||||
err(1, "socket(PF_KEY)");
|
|
||||||
/*NOTREACHED*/
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((l = send(so, m_buf, m_len, 0)) < 0) {
|
|
||||||
err(1, "send");
|
err(1, "send");
|
||||||
/*NOTREACHED*/
|
/*NOTREACHED*/
|
||||||
}
|
}
|
||||||
@@ -301,7 +276,7 @@ promisc()
|
|||||||
}
|
}
|
||||||
/* adjust base pointer for promisc mode */
|
/* adjust base pointer for promisc mode */
|
||||||
if (base->sadb_msg_type == SADB_X_PROMISC) {
|
if (base->sadb_msg_type == SADB_X_PROMISC) {
|
||||||
if (sizeof(*base) < l)
|
if ((ssize_t)sizeof(*base) < l)
|
||||||
base++;
|
base++;
|
||||||
else
|
else
|
||||||
base = NULL;
|
base = NULL;
|
||||||
@@ -315,19 +290,14 @@ promisc()
|
|||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
sendkeymsg()
|
sendkeymsg(buf, len)
|
||||||
|
char *buf;
|
||||||
|
size_t len;
|
||||||
{
|
{
|
||||||
int so;
|
|
||||||
|
|
||||||
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
|
||||||
int l;
|
ssize_t l;
|
||||||
struct sadb_msg *msg;
|
struct sadb_msg *msg;
|
||||||
|
|
||||||
if ((so = pfkey_open()) < 0) {
|
|
||||||
perror("pfkey_open");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
{
|
{
|
||||||
struct timeval tv;
|
struct timeval tv;
|
||||||
tv.tv_sec = 1;
|
tv.tv_sec = 1;
|
||||||
@@ -342,11 +312,23 @@ sendkeymsg()
|
|||||||
shortdump_hdr();
|
shortdump_hdr();
|
||||||
again:
|
again:
|
||||||
if (f_verbose) {
|
if (f_verbose) {
|
||||||
kdebug_sadb((struct sadb_msg *)m_buf);
|
kdebug_sadb((struct sadb_msg *)buf);
|
||||||
printf("\n");
|
printf("\n");
|
||||||
}
|
}
|
||||||
|
if (f_hexdump) {
|
||||||
|
int i;
|
||||||
|
for (i = 0; i < len; i++) {
|
||||||
|
if (i % 16 == 0)
|
||||||
|
printf("%08x: ", i);
|
||||||
|
printf("%02x ", buf[i] & 0xff);
|
||||||
|
if (i % 16 == 15)
|
||||||
|
printf("\n");
|
||||||
|
}
|
||||||
|
if (len % 16)
|
||||||
|
printf("\n");
|
||||||
|
}
|
||||||
|
|
||||||
if ((l = send(so, m_buf, m_len, 0)) < 0) {
|
if ((l = send(so, buf, len, 0)) < 0) {
|
||||||
perror("send");
|
perror("send");
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
@@ -378,7 +360,6 @@ sendkeymsg()
|
|||||||
}
|
}
|
||||||
|
|
||||||
end:
|
end:
|
||||||
pfkey_close(so);
|
|
||||||
return(0);
|
return(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
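Review bot: The hexdump loop added to sendkeymsg() declares `int i` but bounds it with the `size_t len` parameter, a signed/unsigned comparison that -Wsign-compare flags and that goes wrong for lengths above INT_MAX; declaring `size_t i;` and keeping `for (i = 0; i < len; i++)` makes the loop well-typed, matching the already-unsigned `len % 16` tail check. The dump writes the whole outgoing PF_KEY message to stdout, which for `add` requests presumably carries the SA key extensions the parser packed into `buf`, so a comment such as `/* -h: dump the outgoing message as sent, including any SA key material */` would tell operators that captured output must be treated as sensitive; the setkey.8 hunk still documents -h only as a modifier of -x, so the send-side dump is undocumented. With pfkey_open() moved into main(), the `end:` label no longer closes the socket and nothing in the visible hunks does, which is harmless for a short-lived command but worth a `pfkey_close(so);` after the switch in main to make the lifetime explicit. sendkeymsg's body continues outside the hunk.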
|
|||||||
+111
-152
@@ -1,5 +1,5 @@
|
|||||||
/* $FreeBSD$ */
|
/* $FreeBSD$ */
|
||||||
/* $KAME: token.l,v 1.21 2001/05/18 05:35:01 sakane Exp $ */
|
/* $KAME: token.l,v 1.43 2003/07/25 09:35:28 itojun Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
||||||
@@ -46,30 +46,12 @@
|
|||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
#include <netdb.h>
|
||||||
|
|
||||||
#include "vchar.h"
|
#include "vchar.h"
|
||||||
#ifdef __NetBSD__
|
|
||||||
#include "parse.h"
|
|
||||||
#else
|
|
||||||
#include "y.tab.h"
|
#include "y.tab.h"
|
||||||
#endif
|
|
||||||
|
|
||||||
#define DECHO \
|
|
||||||
if (f_debug) {printf("<%d>", yy_start); ECHO ; printf("\n"); }
|
|
||||||
|
|
||||||
#define CMDARG \
|
|
||||||
{ \
|
|
||||||
char *__buf__ = strdup(yytext), *__p__; \
|
|
||||||
for (__p__ = __buf__; *__p__ != NULL; __p__++) \
|
|
||||||
if (*__p__ == '\n' || *__p__ == '\t') \
|
|
||||||
*__p__ = ' '; \
|
|
||||||
strcat(cmdarg, __buf__); \
|
|
||||||
free(__buf__); \
|
|
||||||
}
|
|
||||||
|
|
||||||
#define PREPROC DECHO CMDARG
|
|
||||||
|
|
||||||
int lineno = 1;
|
int lineno = 1;
|
||||||
char cmdarg[8192]; /* XXX: BUFSIZ is the better ? */
|
|
||||||
|
|
||||||
extern u_char m_buf[BUFSIZ];
|
extern u_char m_buf[BUFSIZ];
|
||||||
extern u_int m_len;
|
extern u_int m_len;
|
||||||
@@ -81,7 +63,6 @@ void yyerror __P((const char *s));
|
|||||||
extern void parse_init __P((void));
|
extern void parse_init __P((void));
|
||||||
int parse __P((FILE **));
|
int parse __P((FILE **));
|
||||||
int yyparse __P((void));
|
int yyparse __P((void));
|
||||||
|
|
||||||
%}
|
%}
|
||||||
|
|
||||||
/* common section */
|
/* common section */
|
||||||
@@ -90,199 +71,177 @@ ws [ \t]+
|
|||||||
digit [0-9]
|
digit [0-9]
|
||||||
letter [0-9A-Za-z]
|
letter [0-9A-Za-z]
|
||||||
hexdigit [0-9A-Fa-f]
|
hexdigit [0-9A-Fa-f]
|
||||||
/*octet (([01]?{digit}?{digit})|((2([0-4]{digit}))|(25[0-5])))*/
|
|
||||||
special [()+\|\?\*,]
|
|
||||||
dot \.
|
dot \.
|
||||||
comma \,
|
|
||||||
hyphen \-
|
hyphen \-
|
||||||
colon \:
|
|
||||||
slash \/
|
slash \/
|
||||||
bcl \{
|
|
||||||
ecl \}
|
|
||||||
blcl \[
|
blcl \[
|
||||||
elcl \]
|
elcl \]
|
||||||
percent \%
|
|
||||||
semi \;
|
semi \;
|
||||||
usec {dot}{digit}{1,6}
|
|
||||||
comment \#.*
|
comment \#.*
|
||||||
ccomment "/*"
|
|
||||||
bracketstring \<[^>]*\>
|
|
||||||
quotedstring \"[^"]*\"
|
quotedstring \"[^"]*\"
|
||||||
decstring {digit}+
|
decstring {digit}+
|
||||||
hexpair {hexdigit}{hexdigit}
|
|
||||||
hexstring 0[xX]{hexdigit}+
|
hexstring 0[xX]{hexdigit}+
|
||||||
octetstring {octet}({dot}{octet})+
|
|
||||||
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
|
ipaddress [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
|
||||||
ipaddrmask {slash}{digit}{1,3}
|
ipaddrmask {slash}{digit}{1,3}
|
||||||
ipaddrport {blcl}{decstring}{elcl}
|
|
||||||
keyword {letter}{letter}+
|
|
||||||
name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
|
name {letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
|
||||||
hostname {name}(({dot}{name})+{dot}?)?
|
hostname {name}(({dot}{name})+{dot}?)?
|
||||||
|
|
||||||
%s S_PL
|
%s S_PL S_AUTHALG S_ENCALG
|
||||||
|
|
||||||
%%
|
%%
|
||||||
|
|
||||||
add { PREPROC; return(ADD); }
|
add { return(ADD); }
|
||||||
delete { PREPROC; return(DELETE); }
|
delete { return(DELETE); }
|
||||||
deleteall { PREPROC; return(DELETEALL); }
|
deleteall { return(DELETEALL); }
|
||||||
get { PREPROC; return(GET); }
|
get { return(GET); }
|
||||||
flush { PREPROC; return(FLUSH); }
|
flush { return(FLUSH); }
|
||||||
dump { PREPROC; return(DUMP); }
|
dump { return(DUMP); }
|
||||||
|
|
||||||
/* for management SPD */
|
/* for management SPD */
|
||||||
spdadd { PREPROC; return(SPDADD); }
|
spdadd { return(SPDADD); }
|
||||||
spddelete { PREPROC; return(SPDDELETE); }
|
spddelete { return(SPDDELETE); }
|
||||||
spddump { PREPROC; return(SPDDUMP); }
|
spddump { return(SPDDUMP); }
|
||||||
spdflush { PREPROC; return(SPDFLUSH); }
|
spdflush { return(SPDFLUSH); }
|
||||||
{hyphen}P { BEGIN S_PL; PREPROC; return(F_POLICY); }
|
tagged { return(TAGGED); }
|
||||||
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.\-_/ \n\t]* {
|
{hyphen}P { BEGIN S_PL; return(F_POLICY); }
|
||||||
yymore();
|
<S_PL>[a-zA-Z0-9:\.\-_/ \n\t][a-zA-Z0-9:\.%\-_/ \n\t]* {
|
||||||
|
yymore();
|
||||||
|
|
||||||
/* count up for nl */
|
/* count up for nl */
|
||||||
{
|
{
|
||||||
char *p;
|
char *p;
|
||||||
for (p = yytext; *p != NULL; p++)
|
for (p = yytext; *p != NULL; p++)
|
||||||
if (*p == '\n')
|
if (*p == '\n')
|
||||||
lineno++;
|
lineno++;
|
||||||
}
|
}
|
||||||
|
|
||||||
yylval.val.len = strlen(yytext);
|
yylval.val.len = strlen(yytext);
|
||||||
yylval.val.buf = strdup(yytext);
|
yylval.val.buf = strdup(yytext);
|
||||||
|
if (!yylval.val.buf)
|
||||||
|
yyfatal("insufficient memory");
|
||||||
|
|
||||||
return(PL_REQUESTS);
|
return(PL_REQUESTS);
|
||||||
}
|
}
|
||||||
<S_PL>{semi} { PREPROC; BEGIN INITIAL; return(EOT); }
|
<S_PL>{semi} { BEGIN INITIAL; return(EOT); }
|
||||||
|
|
||||||
|
/* address resolution flags */
|
||||||
|
{hyphen}[n46][n46]* {
|
||||||
|
yylval.val.len = strlen(yytext);
|
||||||
|
yylval.val.buf = strdup(yytext);
|
||||||
|
if (!yylval.val.buf)
|
||||||
|
yyfatal("insufficient memory");
|
||||||
|
return(F_AIFLAGS);
|
||||||
|
}
|
||||||
|
|
||||||
/* security protocols */
|
/* security protocols */
|
||||||
ah { PREPROC; yylval.num = 0; return(PR_AH); }
|
ah { yylval.num = 0; return(PR_AH); }
|
||||||
esp { PREPROC; yylval.num = 0; return(PR_ESP); }
|
esp { yylval.num = 0; return(PR_ESP); }
|
||||||
ah-old { PREPROC; yylval.num = 1; return(PR_AH); }
|
ah-old { yylval.num = 1; return(PR_AH); }
|
||||||
esp-old { PREPROC; yylval.num = 1; return(PR_ESP); }
|
esp-old { yylval.num = 1; return(PR_ESP); }
|
||||||
ipcomp { PREPROC; yylval.num = 0; return(PR_IPCOMP); }
|
ipcomp { yylval.num = 0; return(PR_IPCOMP); }
|
||||||
|
|
||||||
/* authentication alogorithm */
|
/* authentication alogorithm */
|
||||||
{hyphen}A { PREPROC; return(F_AUTH); }
|
{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
|
||||||
hmac-md5 { PREPROC; yylval.num = SADB_AALG_MD5HMAC; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-md5 { yylval.num = SADB_AALG_MD5HMAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
hmac-sha1 { PREPROC; yylval.num = SADB_AALG_SHA1HMAC; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-sha1 { yylval.num = SADB_AALG_SHA1HMAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
keyed-md5 { PREPROC; yylval.num = SADB_X_AALG_MD5; return(ALG_AUTH); }
|
<S_AUTHALG>keyed-md5 { yylval.num = SADB_X_AALG_MD5; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
keyed-sha1 { PREPROC; yylval.num = SADB_X_AALG_SHA; return(ALG_AUTH); }
|
<S_AUTHALG>keyed-sha1 { yylval.num = SADB_X_AALG_SHA; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-sha2-256 { yylval.num = SADB_X_AALG_SHA2_256; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-sha2-384 { yylval.num = SADB_X_AALG_SHA2_384; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
hmac-ripemd160 { PREPROC; yylval.num = SADB_X_AALG_RIPEMD160HMAC; return(ALG_AUTH); }
|
<S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
aes-xcbc-mac { PREPROC; yylval.num = SADB_X_AALG_AES_XCBC_MAC; return(ALG_AUTH); }
|
<S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
|
||||||
null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); }
|
<S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
|
||||||
|
|
||||||
/* encryption alogorithm */
|
/* encryption alogorithm */
|
||||||
{hyphen}E { PREPROC; return(F_ENC); }
|
{hyphen}E { BEGIN S_ENCALG; return(F_ENC); }
|
||||||
des-cbc { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC); }
|
<S_ENCALG>des-cbc { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
3des-cbc { PREPROC; yylval.num = SADB_EALG_3DESCBC; return(ALG_ENC); }
|
<S_ENCALG>3des-cbc { yylval.num = SADB_EALG_3DESCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
simple { PREPROC; yylval.num = SADB_EALG_NULL; return(ALG_ENC); }
|
<S_ENCALG>null { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_NOKEY); }
|
||||||
blowfish-cbc { PREPROC; yylval.num = SADB_X_EALG_BLOWFISHCBC; return(ALG_ENC); }
|
<S_ENCALG>simple { yylval.num = SADB_EALG_NULL; BEGIN INITIAL; return(ALG_ENC_OLD); }
|
||||||
cast128-cbc { PREPROC; yylval.num = SADB_X_EALG_CAST128CBC; return(ALG_ENC); }
|
<S_ENCALG>blowfish-cbc { yylval.num = SADB_X_EALG_BLOWFISHCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
des-deriv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DESDERIV); }
|
<S_ENCALG>cast128-cbc { yylval.num = SADB_X_EALG_CAST128CBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
des-32iv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DES32IV); }
|
<S_ENCALG>des-deriv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DESDERIV); }
|
||||||
rijndael-cbc { PREPROC; yylval.num = SADB_X_EALG_RIJNDAELCBC; return(ALG_ENC); }
|
<S_ENCALG>des-32iv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DES32IV); }
|
||||||
aes-ctr { PREPROC; yylval.num = SADB_X_EALG_AESCTR; return(ALG_ENC); }
|
<S_ENCALG>rijndael-cbc { yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
|
<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); }
|
||||||
|
|
||||||
/* compression algorithms */
|
/* compression algorithms */
|
||||||
{hyphen}C { PREPROC; return(F_COMP); }
|
{hyphen}C { return(F_COMP); }
|
||||||
oui { PREPROC; yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
|
oui { yylval.num = SADB_X_CALG_OUI; return(ALG_COMP); }
|
||||||
deflate { PREPROC; yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
|
deflate { yylval.num = SADB_X_CALG_DEFLATE; return(ALG_COMP); }
|
||||||
lzs { PREPROC; yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
|
lzs { yylval.num = SADB_X_CALG_LZS; return(ALG_COMP); }
|
||||||
{hyphen}R { PREPROC; return(F_RAWCPI); }
|
{hyphen}R { return(F_RAWCPI); }
|
||||||
|
|
||||||
/* extension */
|
/* extension */
|
||||||
{hyphen}m { PREPROC; return(F_MODE); }
|
{hyphen}m { return(F_MODE); }
|
||||||
transport { PREPROC; yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
|
transport { yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
|
||||||
tunnel { PREPROC; yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
|
tunnel { yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
|
||||||
{hyphen}u { PREPROC; return(F_REQID); }
|
{hyphen}u { return(F_REQID); }
|
||||||
{hyphen}f { PREPROC; return(F_EXT); }
|
{hyphen}f { return(F_EXT); }
|
||||||
random-pad { PREPROC; yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
|
random-pad { yylval.num = SADB_X_EXT_PRAND; return(EXTENSION); }
|
||||||
seq-pad { PREPROC; yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
|
seq-pad { yylval.num = SADB_X_EXT_PSEQ; return(EXTENSION); }
|
||||||
zero-pad { PREPROC; yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
|
zero-pad { yylval.num = SADB_X_EXT_PZERO; return(EXTENSION); }
|
||||||
nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
|
nocyclic-seq { return(NOCYCLICSEQ); }
|
||||||
{hyphen}r { PREPROC; return(F_REPLAY); }
|
{hyphen}r { return(F_REPLAY); }
|
||||||
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
|
{hyphen}lh { return(F_LIFETIME_HARD); }
|
||||||
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
|
{hyphen}ls { return(F_LIFETIME_SOFT); }
|
||||||
|
|
||||||
/* ... */
|
/* ... */
|
||||||
any { PREPROC; return(ANY); }
|
any { return(ANY); }
|
||||||
{ws} { PREPROC; }
|
{ws} { }
|
||||||
{nl} { lineno++; }
|
{nl} { lineno++; }
|
||||||
{comment}
|
{comment}
|
||||||
{semi} { PREPROC; return(EOT); }
|
{semi} { return(EOT); }
|
||||||
|
|
||||||
|
/* for address parameters: /prefix, [port] */
|
||||||
|
{slash} { return SLASH; }
|
||||||
|
{blcl} { return BLCL; }
|
||||||
|
{elcl} { return ELCL; }
|
||||||
|
|
||||||
/* parameter */
|
/* parameter */
|
||||||
{decstring} {
|
{decstring} {
|
||||||
char *bp;
|
char *bp;
|
||||||
|
|
||||||
PREPROC;
|
yylval.ulnum = strtoul(yytext, &bp, 10);
|
||||||
yylval.num = strtoul(yytext, &bp, 10);
|
|
||||||
return(DECSTRING);
|
return(DECSTRING);
|
||||||
}
|
}
|
||||||
|
|
||||||
{ipaddress} {
|
|
||||||
PREPROC;
|
|
||||||
|
|
||||||
yylval.val.len = yyleng;
|
|
||||||
yylval.val.buf = strdup(yytext);
|
|
||||||
|
|
||||||
return(ADDRESS);
|
|
||||||
}
|
|
||||||
|
|
||||||
{ipaddrmask} {
|
|
||||||
PREPROC;
|
|
||||||
yytext++;
|
|
||||||
yylval.num = atoi(yytext);
|
|
||||||
return(PREFIX);
|
|
||||||
}
|
|
||||||
|
|
||||||
{ipaddrport} {
|
|
||||||
char *p = yytext;
|
|
||||||
PREPROC;
|
|
||||||
while (*++p != ']') ;
|
|
||||||
*p = NULL;
|
|
||||||
yytext++;
|
|
||||||
yylval.num = atoi(yytext);
|
|
||||||
return(PORT);
|
|
||||||
}
|
|
||||||
|
|
||||||
{blcl}any{elcl} {
|
|
||||||
PREPROC;
|
|
||||||
return(PORTANY);
|
|
||||||
}
|
|
||||||
|
|
||||||
{hexstring} {
|
{hexstring} {
|
||||||
int len = yyleng - 2; /* (str - "0x") */
|
yylval.val.buf = strdup(yytext + 2);
|
||||||
PREPROC;
|
if (!yylval.val.buf)
|
||||||
yylval.val.len = (len & 1) + (len / 2);
|
yyfatal("insufficient memory");
|
||||||
/* fixed string if length is odd. */
|
yylval.val.len = strlen(yylval.val.buf);
|
||||||
if (len & 1) {
|
|
||||||
yytext[1] = '0';
|
|
||||||
yylval.val.buf = strdup(yytext + 1);
|
|
||||||
} else
|
|
||||||
yylval.val.buf = strdup(yytext + 2);
|
|
||||||
|
|
||||||
return(HEXSTRING);
|
return(HEXSTRING);
|
||||||
}
|
}
|
||||||
|
|
||||||
{quotedstring} {
|
{quotedstring} {
|
||||||
char *p = yytext;
|
char *p = yytext;
|
||||||
PREPROC;
|
|
||||||
while (*++p != '"') ;
|
while (*++p != '"') ;
|
||||||
*p = NULL;
|
*p = NULL;
|
||||||
yytext++;
|
yytext++;
|
||||||
yylval.val.len = yyleng - 2;
|
yylval.val.len = yyleng - 2;
|
||||||
yylval.val.buf = strdup(yytext);
|
yylval.val.buf = strdup(yytext);
|
||||||
|
if (!yylval.val.buf)
|
||||||
|
yyfatal("insufficient memory");
|
||||||
|
|
||||||
return(QUOTEDSTRING);
|
return(QUOTEDSTRING);
|
||||||
}
|
}
|
||||||
|
|
||||||
[a-z0-9.\-]* {
|
[A-Za-z0-9:][A-Za-z0-9:%\.-]* {
|
||||||
yylval.val.len = yyleng;
|
yylval.val.len = yyleng;
|
||||||
yylval.val.buf = strdup(yytext);
|
yylval.val.buf = strdup(yytext);
|
||||||
|
if (!yylval.val.buf)
|
||||||
|
yyfatal("insufficient memory");
|
||||||
|
return(STRING);
|
||||||
|
}
|
||||||
|
|
||||||
|
[0-9,]+ {
|
||||||
|
yylval.val.len = yyleng;
|
||||||
|
yylval.val.buf = strdup(yytext);
|
||||||
|
if (!yylval.val.buf)
|
||||||
|
yyfatal("insufficient memory");
|
||||||
return(STRING);
|
return(STRING);
|
||||||
}
|
}
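Review bot: The `{decstring}` rule now stores `strtoul(yytext, &bp, 10)` into `yylval.ulnum` without any range check, so a literal larger than ULONG_MAX is silently clamped to ULONG_MAX and handed to the grammar as if it were valid — and with the new `SLASH`/`BLCL`/`ELCL` tokens this value presumably feeds prefix lengths and ports as well as SPIs and lifetimes. Since `<errno.h>` is already included, the failure can be caught where the value is produced: `errno = 0;` before the call and `if (errno == ERANGE) yyfatal("numeric value out of range");` after it; `bp` is then only a dummy, because `{digit}+` guarantees the whole token is consumed. Separately, the rewritten `{hexstring}` rule sets `yylval.val.len` to the number of hex characters, whereas the old rule stored the decoded byte count and padded odd-length strings; presumably the grammar (outside this view) now does the decoding, but a short comment in the rule such as `/* len counts hex digits; decoding and odd-length padding are done by the parser */` would keep that contract visible to the next reader.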