Source-Changes-HG archive
[src/trunk]: src/sbin/ping IPsec support (specify policy on ping - quite usef...
details: https://anonhg.NetBSD.org/src/rev/d665cc74ecd4
branches: trunk
changeset: 474238:d665cc74ecd4
user: itojun <itojun%NetBSD.org@localhost>
date: Fri Jul 02 04:53:23 1999 +0000
description:
IPsec support (specify policy on ping - quite useful to test
if IPsec is working or not) is added.
diffstat:
sbin/ping/Makefile | 5 +-
sbin/ping/ping.8 | 19 +++++++-
sbin/ping/ping.c | 136 ++++++++++++++++++++++++++++++++++++++++++++++++++--
3 files changed, 151 insertions(+), 9 deletions(-)
diffs (295 lines):
diff -r 3b33aaba8e25 -r d665cc74ecd4 sbin/ping/Makefile
--- a/sbin/ping/Makefile Fri Jul 02 04:48:19 1999 +0000
+++ b/sbin/ping/Makefile Fri Jul 02 04:53:23 1999 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.10 1999/02/24 19:31:38 jwise Exp $
+# $NetBSD: Makefile,v 1.11 1999/07/02 04:53:23 itojun Exp $
# @(#)Makefile 8.1 (Berkeley) 6/5/93
PROG= ping
@@ -6,5 +6,8 @@
BINOWN= root
BINMODE=4555
LDADD= -lm
+CPPFLAGS+= -DIPSEC
+LDADD+= -lipsec
+LDADD+= ${LIBIPSEC}
.include <bsd.prog.mk>
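Review bot: `LDADD+= ${LIBIPSEC}` on the last added line looks like it was meant to be `DPADD+= ${LIBIPSEC}`. In the BSD make conventions `${LIBxxx}` names the library archive for dependency tracking, and `-lipsec` is already on `LDADD` from the line above, so as written the archive is either linked a second time or the dependency is never recorded. Separately, this file installs ping setuid root (`BINMODE=4555`), so linking libipsec puts its policy-string parser on a privileged path fed by a caller-supplied argument; a short comment next to `-DIPSEC` noting that would help later audits of the binary.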
diff -r 3b33aaba8e25 -r d665cc74ecd4 sbin/ping/ping.8
--- a/sbin/ping/ping.8 Fri Jul 02 04:48:19 1999 +0000
+++ b/sbin/ping/ping.8 Fri Jul 02 04:53:23 1999 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: ping.8,v 1.30 1999/06/19 19:15:22 sommerfeld Exp $
+.\" $NetBSD: ping.8,v 1.31 1999/07/02 04:53:24 itojun Exp $
.\"
.\" Copyright (c) 1985, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -50,6 +50,9 @@
.Op Fl c Ar count
.Ek
.Bk -words
+.Op Fl E Ar policy
+.Ek
+.Bk -words
.Op Fl g Ar gateway
.Ek
.Bk -words
@@ -115,6 +118,19 @@
.Dv Don't Fragment
bit in the IP header.
This can be used to determine the path MTU.
+.It Fl E Ar policy
+Use IPsec policy specification string
+.Ar policy
+for packets.
+For the format of specification string, please refer
+.Xr ipsec_set_policy 3 .
+Please note that this option is same as
+.Fl P
+in KAME/FreeBSD and KAME/BSDI
+.Po
+.Fl P
+was already occupied in NetBSD
+.Pc .
.It Fl f
Flood ping.
Outputs packets as fast as they come back or one hundred times per second,
@@ -447,3 +463,4 @@
.Nm
command appeared in
.Bx 4.3 .
+IPsec support was added by WIDE/KAME project.
diff -r 3b33aaba8e25 -r d665cc74ecd4 sbin/ping/ping.c
--- a/sbin/ping/ping.c Fri Jul 02 04:48:19 1999 +0000
+++ b/sbin/ping/ping.c Fri Jul 02 04:53:23 1999 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ping.c,v 1.49 1999/06/19 19:15:22 sommerfeld Exp $ */
+/* $NetBSD: ping.c,v 1.50 1999/07/02 04:53:24 itojun Exp $ */
/*
* Copyright (c) 1989, 1993
@@ -62,7 +62,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: ping.c,v 1.49 1999/06/19 19:15:22 sommerfeld Exp $");
+__RCSID("$NetBSD: ping.c,v 1.50 1999/07/02 04:53:24 itojun Exp $");
#endif
#include <stdio.h>
@@ -103,6 +103,10 @@
#include <ctype.h>
#include <netdb.h>
+#ifdef IPSEC
+#include <netinet6/ipsec.h>
+#endif /*IPSEC*/
+
#define FLOOD_INTVL 0.01 /* default flood output interval */
#define MAXPACKET (65536-60-8) /* max packet size */
@@ -122,6 +126,14 @@
#define F_MCAST 0x2000 /* multicast target */
#define F_MCAST_NOLOOP 0x4000 /* no multicast loopback */
#define F_AUDIBLE 0x8000 /* audible output */
+#ifdef IPSEC
+#ifdef IPSEC_POLICY_IPSEC
+#define F_POLICY 0x10000
+#else
+#define F_AUTHHDR 0x10000
+#define F_ENCRYPT 0x20000
+#endif /*IPSEC_POLICY_IPSEC*/
+#endif /*IPSEC*/
/* MAX_DUP_CHK is the number of bits in received table, the
@@ -145,6 +157,7 @@
char *fill_pat;
int s; /* Socket file descriptor */
+int sloop; /* Socket file descriptor/loopback */
#define PHDR_LEN sizeof(struct timeval) /* size of timestamp header */
struct sockaddr_in whereto, send_addr; /* Who to ping */
@@ -240,13 +253,28 @@
#ifdef SIGINFO
struct termios ts;
#endif
+#ifdef IPSEC
+#ifdef IPSEC_POLICY_IPSEC
+ char *policy = NULL;
+#endif
+#endif
#ifdef sgi
__progname = argv[0];
#endif
+#ifndef IPSEC
+#define IPSECOPT
+#else
+#ifdef IPSEC_POLICY_IPSEC
+#define IPSECOPT "E:"
+#else
+#define IPSECOPT "AE"
+#endif /*IPSEC_POLICY_IPSEC*/
+#endif
while ((c = getopt(argc, argv,
- "ac:dDfg:h:i:I:l:Lnop:PqQrRs:t:T:vw:")) != -1) {
+ "ac:dDfg:h:i:I:l:Lnop:PqQrRs:t:T:vw:" IPSECOPT)) != -1) {
+#undef IPSECOPT
switch (c) {
case 'a':
pingflags |= F_AUDIBLE;
@@ -345,6 +373,21 @@
if (*p != '\0' || maxwait <= 0)
errx(1, "Bad/invalid maxwait time %s", optarg);
break;
+#ifdef IPSEC
+#ifdef IPSEC_POLICY_IPSEC
+ case 'E':
+ pingflags |= F_POLICY;
+ policy = strdup(optarg);
+ break;
+#else
+ case 'A':
+ pingflags |= F_AUTHHDR;
+ break;
+ case 'E':
+ pingflags |= F_ENCRYPT;
+ break;
+#endif /*IPSEC_POLICY_IPSEC*/
+#endif /*IPSEC*/
default:
usage();
break;
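Review bot: The result of `strdup(optarg)` in the new `case 'E':` is not checked, so an allocation failure leaves `policy` NULL while `F_POLICY` is set, and that pointer is later handed to `ipsec_get_policylen()` in another hunk of this commit. Either test it, `if ((policy = strdup(optarg)) == NULL) err(1, "strdup");`, or drop the copy and use `policy = optarg;`, since argv outlives the use. The enclosing switch and function start and end outside this hunk.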
@@ -420,6 +463,19 @@
warn("SO_DONTROUTE");
}
+ if ((sloop = cap_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0)
+ err(1, "Cannot create socket");
+ if (options & SO_DEBUG) {
+ if (setsockopt(sloop, SOL_SOCKET, SO_DEBUG,
+ (char *)&on, sizeof(on)) == -1)
+ warn("Can't turn on socket debugging");
+ }
+ if (options & SO_DONTROUTE) {
+ if (setsockopt(sloop, SOL_SOCKET, SO_DONTROUTE,
+ (char *)&on, sizeof(on)) == -1)
+ warn("SO_DONTROUTE");
+ }
+
if (pingflags & F_SOURCE_ROUTE) {
optspace[IPOPT_OPTVAL] = IPOPT_LSRR;
optspace[IPOPT_OLEN] = optlen = 7;
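Review bot: Nothing at the creation of `sloop` says why a second raw socket is needed, and the added block repeats the SO_DEBUG/SO_DONTROUTE setup that appears to be applied to `s` just above the hunk. From the other hunks it looks as though `sloop` exists so the loopback send that clears the cached route can carry a bypass policy while `s` carries the user's policy; a comment such as `/* separate socket for the loopback probe so it can bypass IPsec policy */` would record that intent. The duplicated option setup could also move into a small static helper that takes the descriptor. The enclosing function continues outside this hunk.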
@@ -477,6 +533,63 @@
sizeof(src_addr.sin_addr)) < 0)
err(1, "Can't set source interface/address");
}
+#ifdef IPSEC
+#ifdef IPSEC_POLICY_IPSEC
+ {
+ int len;
+ char *buf;
+ if (pingflags & F_POLICY) {
+ if ((len = ipsec_get_policylen(policy)) < 0)
+ errx(1, ipsec_strerror());
+ if ((buf = malloc(len)) == NULL)
+ err(1, "malloc");
+ if ((len = ipsec_set_policy(buf, len, policy)) < 0)
+ errx(1, ipsec_strerror());
+ if (setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, buf, len) < 0)
+ err(1, NULL);
+ free(buf);
+ }
+ if ((len = ipsec_get_policylen("bypass")) < 0)
+ errx(1, ipsec_strerror());
+ if ((buf = malloc(len)) == NULL)
+ err(1, "malloc");
+ if ((len = ipsec_set_policy(buf, len, "bypass")) < 0)
+ errx(1, ipsec_strerror());
+ if (setsockopt(sloop, IPPROTO_IP, IP_IPSEC_POLICY, buf, len) < 0)
+ warnx("ipsec is not configured");
+ free(buf);
+ }
+#else
+ {
+ int optval;
+ if (pingflags & F_AUTHHDR) {
+ optval = IPSEC_LEVEL_REQUIRE;
+#ifdef IP_AUTH_TRANS_LEVEL
+ (void)setsockopt(s, IPPROTO_IP, IP_AUTH_TRANS_LEVEL,
+ (char *)&optval, sizeof(optval));
+#else
+ (void)setsockopt(s, IPPROTO_IP, IP_AUTH_LEVEL,
+ (char *)&optval, sizeof(optval));
+#endif
+ }
+ if (pingflags & F_ENCRYPT) {
+ optval = IPSEC_LEVEL_REQUIRE;
+ (void)setsockopt(s, IPPROTO_IP, IP_ESP_TRANS_LEVEL,
+ (char *)&optval, sizeof(optval));
+ }
+ optval = IPSEC_LEVEL_BYPASS;
+#ifdef IP_AUTH_TRANS_LEVEL
+ (void)setsockopt(sloop, IPPROTO_IP, IP_AUTH_TRANS_LEVEL,
+ (char *)&optval, sizeof(optval));
+#else
+ (void)setsockopt(sloop, IPPROTO_IP, IP_AUTH_LEVEL,
+ (char *)&optval, sizeof(optval));
+#endif
+ (void)setsockopt(sloop, IPPROTO_IP, IP_ESP_TRANS_LEVEL,
+ (char *)&optval, sizeof(optval));
+ }
+#endif /*IPSEC_POLICY_IPSEC*/
+#endif /*IPSEC*/
(void)printf("PING %s (%s): %d data bytes\n", hostname,
inet_ntoa(whereto.sin_addr), datalen);
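Review bot: Each `errx(1, ipsec_strerror());` in the `IPSEC_POLICY_IPSEC` branch passes a library-produced string as the format argument; the Makefile in this commit installs ping setuid root and the policy text comes from the command line, so if that message ever contains a `%` the call becomes a format-string bug. Use `errx(1, "%s", ipsec_strerror());` at all four sites. In the `#else` branch the `setsockopt()` results for the `IPSEC_LEVEL_REQUIRE` settings are cast to void, so a failed `-A`/`-E` request would, as far as this hunk shows, still send unprotected probes with no message; a `warn()` or `err()` there would make the failure visible in a tool meant to test IPsec. `err(1, NULL)` after the `IP_IPSEC_POLICY` call on `s` could also name the option that failed. The enclosing function extends beyond the hunk.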
@@ -702,10 +815,10 @@
opack_icmp.icmp_cksum = in_cksum((u_short*)&opack_icmp,
PHDR_LEN);
sw = 0;
- if (setsockopt(s,IPPROTO_IP,IP_HDRINCL,
+ if (setsockopt(sloop,IPPROTO_IP,IP_HDRINCL,
(char *)&sw,sizeof(sw)) < 0)
err(1, "Can't turn off special IP header");
- if (sendto(s, (char *) &opack_icmp, PHDR_LEN, MSG_DONTROUTE,
+ if (sendto(sloop, (char *) &opack_icmp, PHDR_LEN, MSG_DONTROUTE,
(struct sockaddr *)&loc_addr,
sizeof(struct sockaddr_in)) < 0) {
/*
@@ -718,7 +831,7 @@
warn("failed to clear cached route");
}
sw = 1;
- if (setsockopt(s,IPPROTO_IP,IP_HDRINCL,
+ if (setsockopt(sloop,IPPROTO_IP,IP_HDRINCL,
(char *)&sw, sizeof(sw)) < 0)
err(1, "Can't set special IP header");
@@ -1677,12 +1790,21 @@
static void
usage(void)
{
+#ifdef IPSEC
+#ifdef IPSEC_POLICY_IPSEC
+#define IPSECOPT "\n [-E policy] "
+#else
+#define IPSECOPT "\n [-AE] "
+#endif /*IPSEC_POLICY_IPSEC*/
+#else
+#define IPSECOPT ""
+#endif /*IPSEC*/
(void)fprintf(stderr, "Usage: \n"
"%s [-dDfLnoPqQrRv] [-c count] [-g gateway] [-h host]"
" [-i interval] [-I addr]\n"
" [-l preload] [-p pattern] [-s size] [-t tos] [-T ttl]"
- " [-w maxwait] host\n",
+ " [-w maxwait] " IPSECOPT "host\n",
__progname);
exit(1);
}