[src/trunk]: src/crypto/dist/ipsec-tools/src Support GRE key as upper layer p...
details: https://anonhg.NetBSD.org/src/rev/6f14cc3e4f31
branches: trunk
changeset: 759245:6f14cc3e4f31
user: tteras <tteras%NetBSD.org@localhost>
date: Fri Dec 03 14:32:52 2010 +0000
description:
Support GRE key as upper layer protocol specifier (will be supported in
Linux kernel 2.6.38).
diffstat:
crypto/dist/ipsec-tools/src/libipsec/libpfkey.h | 6 +-
crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c | 53 ++++++-----
crypto/dist/ipsec-tools/src/setkey/parse.y | 97 ++++++++++------------
crypto/dist/ipsec-tools/src/setkey/setkey.8 | 22 +++-
4 files changed, 91 insertions(+), 87 deletions(-)
diffs (truncated from 315 to 300 lines):
diff -r 817205b8b2dc -r 6f14cc3e4f31 crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
--- a/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h Fri Dec 03 13:11:50 2010 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h Fri Dec 03 14:32:52 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: libpfkey.h,v 1.17 2009/08/17 13:52:14 vanhu Exp $ */
+/* $NetBSD: libpfkey.h,v 1.18 2010/12/03 14:32:52 tteras Exp $ */
/* Id: libpfkey.h,v 1.13 2005/12/04 20:26:43 manubsd Exp */
@@ -210,6 +210,10 @@
#define IPPROTO_IPCOMP IPPROTO_COMP
#endif
+#ifndef IPPROTO_MH
+#define IPPROTO_MH 135
+#endif
+
static __inline u_int8_t
sysdep_sa_len (const struct sockaddr *sa)
{
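Review bot: The new IPPROTO_MH fallback covers only one of the two protocol numbers this commit starts using; IPPROTO_GRE is now referenced in pfkey_dump.c and parse.y with no equivalent guard, so a libc whose <netinet/in.h> does not define it fails to build. Adding `#ifndef IPPROTO_GRE` / `#define IPPROTO_GRE 47` / `#endif` beside the IPPROTO_MH block keeps both on the same footing. A one-line comment saying these are fallbacks for the IANA numbers on platforms that lack the macros would also help the next reader.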
diff -r 817205b8b2dc -r 6f14cc3e4f31 crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c Fri Dec 03 13:11:50 2010 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c Fri Dec 03 14:32:52 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pfkey_dump.c,v 1.17 2010/04/02 15:13:26 christos Exp $ */
+/* $NetBSD: pfkey_dump.c,v 1.18 2010/12/03 14:32:52 tteras Exp $ */
/* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */
@@ -716,13 +716,19 @@
else
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
- if (ulp == IPPROTO_ICMPV6)
+ switch (ulp) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ case IPPROTO_MH:
+ case IPPROTO_GRE:
memset(portbuf, 0, sizeof(portbuf));
- else {
+ break;
+ default:
if (port == IPSEC_PORT_ANY)
- snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
+ strcpy(portbuf, "[any]");
else
snprintf(portbuf, sizeof(portbuf), "[%u]", port);
+ break;
}
snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
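Review bot: `strcpy(portbuf, "[any]")` in the default branch is the one unbounded write into portbuf in a function that otherwise sizes every write with `sizeof(portbuf)`; the literal fits only if portbuf is at least 6 bytes, and its declaration is above the hunk so that cannot be confirmed here. Keeping `snprintf(portbuf, sizeof(portbuf), "[any]");` costs nothing and keeps the invariant visible at the call site. The enclosing function starts outside the hunk.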
@@ -734,29 +740,26 @@
str_upperspec(ulp, p1, p2)
u_int ulp, p1, p2;
{
- if (ulp == IPSEC_ULPROTO_ANY)
- printf("any");
- else if (ulp == IPPROTO_ICMPV6) {
- printf("icmp6");
- if (!(p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY))
- printf(" %u,%u", p1, p2);
- } else {
- struct protoent *ent;
+ struct protoent *ent;
+
+ ent = getprotobynumber((int)ulp);
+ if (ent)
+ printf("%s", ent->p_name);
+ else
+ printf("%u", ulp);
- switch (ulp) {
- case IPPROTO_IPV4:
- printf("ip4");
- break;
- default:
- ent = getprotobynumber((int)ulp);
- if (ent)
- printf("%s", ent->p_name);
- else
- printf("%u", ulp);
+ if (p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY)
+ return;
- endprotoent();
- break;
- }
+ switch (ulp) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ case IPPROTO_MH:
+ printf(" %u,%u", p1, p2);
+ break;
+ case IPPROTO_GRE:
+ printf(" %u", (p1 << 16) + p2);
+ break;
}
}
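Review bot: The explicit `any` output for IPSEC_ULPROTO_ANY was dropped along with the `ip4` case, so the name printed for a wildcard policy now depends on whatever /etc/protocols returns for 255 (presumably either a system-specific name or the bare number), which no longer matches the `any` keyword the manual page documents. Restoring `if (ulp == IPSEC_ULPROTO_ANY) { printf("any"); return; }` before the getprotobynumber() call keeps `setkey -D -P` output re-parsable. The old code also called `endprotoent()` after the lookup; the rewrite leaves the protocols database open, so `endprotoent();` should follow the lookup as before.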
diff -r 817205b8b2dc -r 6f14cc3e4f31 crypto/dist/ipsec-tools/src/setkey/parse.y
--- a/crypto/dist/ipsec-tools/src/setkey/parse.y Fri Dec 03 13:11:50 2010 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/parse.y Fri Dec 03 14:32:52 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: parse.y,v 1.13 2010/06/04 13:06:03 vanhu Exp $ */
+/* $NetBSD: parse.y,v 1.14 2010/12/03 14:32:52 tteras Exp $ */
/* $KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $ */
@@ -57,10 +57,6 @@
#include "vchar.h"
#include "extern.h"
-#ifndef IPPROTO_MH
-#define IPPROTO_MH 135
-#endif
-
#define DEFAULT_NATT_PORT 4500
#ifndef UDP_ENCAP_ESPINUDP
@@ -95,7 +91,7 @@
static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
static struct addrinfo *parse_addr __P((char *, char *));
-static int fix_portstr __P((vchar_t *, vchar_t *, vchar_t *));
+static int fix_portstr __P((int, vchar_t *, vchar_t *, vchar_t *));
static int setvarbuf __P((char *, int *, struct sadb_ext *, int,
const void *, int));
void parse_init __P((void));
@@ -584,16 +580,8 @@
#endif
/* fixed port fields if ulp is icmp */
- if ($10.buf != NULL) {
- if (($9 != IPPROTO_ICMPV6) &&
- ($9 != IPPROTO_ICMP) &&
- ($9 != IPPROTO_MH))
- return -1;
- free($5.buf);
- free($8.buf);
- if (fix_portstr(&$10, &$5, &$8))
- return -1;
- }
+ if (fix_portstr($9, &$10, &$5, &$8))
+ return -1;
src = parse_addr($3.buf, $5.buf);
dst = parse_addr($6.buf, $8.buf);
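Review bot: The retained comment "fixed port fields if ulp is icmp" is now stale: the call below also handles GRE keys, and the decision whether an upper-layer spec is allowed for this protocol has moved into fix_portstr together with the freeing of $5.buf and $8.buf. Something like `/* rewrite the optional ICMP type/code or GRE key spec into the src/dst port strings (frees the old ones) */` describes the new contract. The same comment is repeated in the two following hunks of this file.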
@@ -638,16 +626,8 @@
#endif
/* fixed port fields if ulp is icmp */
- if ($10.buf != NULL) {
- if (($9 != IPPROTO_ICMPV6) &&
- ($9 != IPPROTO_ICMP) &&
- ($9 != IPPROTO_MH))
- return -1;
- free($5.buf);
- free($8.buf);
- if (fix_portstr(&$10, &$5, &$8))
- return -1;
- }
+ if (fix_portstr($9, &$10, &$5, &$8))
+ return -1;
src = parse_addr($3.buf, $5.buf);
dst = parse_addr($6.buf, $8.buf);
@@ -687,16 +667,8 @@
struct addrinfo *src, *dst;
/* fixed port fields if ulp is icmp */
- if ($10.buf != NULL) {
- if (($9 != IPPROTO_ICMPV6) &&
- ($9 != IPPROTO_ICMP) &&
- ($9 != IPPROTO_MH))
- return -1;
- free($5.buf);
- free($8.buf);
- if (fix_portstr(&$10, &$5, &$8))
- return -1;
- }
+ if (fix_portstr($9, &$10, &$5, &$8))
+ return -1;
src = parse_addr($3.buf, $5.buf);
dst = parse_addr($6.buf, $8.buf);
@@ -1584,36 +1556,55 @@
}
static int
-fix_portstr(spec, sport, dport)
+fix_portstr(ulproto, spec, sport, dport)
+ int ulproto;
vchar_t *spec, *sport, *dport;
{
- const char *p, *p2 = "0";
- char *q;
- u_int l;
+ char sp[16], dp[16];
+ int a, b, c, d;
+ unsigned long u;
+
+ if (spec->buf == NULL)
+ return 0;
- l = 0;
- for (q = spec->buf; *q != ',' && *q != '\0' && l < spec->len; q++, l++)
- ;
- if (*q != '\0') {
- if (*q == ',') {
- *q = '\0';
- p2 = ++q;
- }
- for (p = p2; *p != '\0' && l < spec->len; p++, l++)
- ;
- if (*p != '\0' || *p2 == '\0') {
+ switch (ulproto) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ case IPPROTO_MH:
+ if (sscanf(spec->buf, "%d,%d", &a, &b) == 2) {
+ sprintf(sp, "%d", a);
+ sprintf(dp, "%d", b);
+ } else if (sscanf(spec->buf, "%d", &a) == 1) {
+ sprintf(sp, "%d", a);
+ } else {
yyerror("invalid an upper layer protocol spec");
return -1;
}
+ break;
+ case IPPROTO_GRE:
+ if (sscanf(spec->buf, "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
+ sprintf(sp, "%d", (a << 8) + b);
+ sprintf(dp, "%d", (c << 8) + d);
+ } else if (sscanf(spec->buf, "%lu", &u) == 1) {
+ sprintf(sp, "%d", (int) (u >> 16));
+ sprintf(dp, "%d", (int) (u & 0xffff));
+ } else {
+ yyerror("invalid an upper layer protocol spec");
+ return -1;
+ }
+ break;
}
- sport->buf = strdup(spec->buf);
+ free(sport->buf);
+ sport->buf = strdup(sp);
if (!sport->buf) {
yyerror("insufficient memory");
return -1;
}
sport->len = strlen(sport->buf);
- dport->buf = strdup(p2);
+
+ free(dport->buf);
+ dport->buf = strdup(dp);
if (!dport->buf) {
yyerror("insufficient memory");
return -1;
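Review bot: `dp` is read uninitialized when an ICMP/ICMPv6/MH spec contains a single number: the `sscanf(spec->buf, "%d", &a) == 1` branch fills only `sp`, yet `strdup(dp)` runs below it, whereas the old code substituted "0" for a missing code. The switch also has no `default:`, so a spec given for any other protocol (the case the callers used to reject with -1) now falls through and strdup's both uninitialized buffers instead of erroring. The sscanf values are likewise unchecked, so negative or oversized a..d reach `(a << 8) + b` and the port strings; bounding them would be cheap. The tail of fix_portstr (dport->len and the return) is outside the hunk.
```c
		} else if (sscanf(spec->buf, "%d", &a) == 1) {
			sprintf(sp, "%d", a);
			strcpy(dp, "0");	/* no code given: keep the old default of 0 */
		} else {
		/* … unchanged: error path, IPPROTO_GRE case … */
	default:
		/* a type/code or key spec is only meaningful for the protocols above */
		yyerror("invalid an upper layer protocol spec");
		return -1;
	}
```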
diff -r 817205b8b2dc -r 6f14cc3e4f31 crypto/dist/ipsec-tools/src/setkey/setkey.8
--- a/crypto/dist/ipsec-tools/src/setkey/setkey.8 Fri Dec 03 13:11:50 2010 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/setkey.8 Fri Dec 03 14:32:52 2010 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: setkey.8,v 1.25 2010/06/04 21:53:36 wiz Exp $
+.\" $NetBSD: setkey.8,v 1.26 2010/12/03 14:32:52 tteras Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
@@ -430,25 +430,31 @@
or
.Li icmp6 ,
.Li ip4 ,
+.Li gre ,
or
.Li any .
.Li any
stands for
.Dq any protocol .
You can also use the protocol number.
-You can specify a type and/or a code of ICMPv6 when the
-upper-layer protocol is ICMPv6.
-The specification can be placed after
-.Li icmp6 .
-A type is separated from a code by single comma.
-A code must always be specified.
+Additional specification can be placed after the protocol name for
+some protocols.
+You can specify a type and/or a code of ICMP or ICMPv6.
+The type is separated from a code by single comma and the code must
+always be specified.
+GRE key can be specified in dotted-quad format or as plain number.
When a zero is specified, the kernel deals with it as a wildcard.
Note that the kernel can not distinguish a wildcard from an ICPMv6
type of zero.
+.Pp
For example, the following means that the policy doesn't require IPsec
for any inbound Neighbor Solicitation.
.Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
.Pp
+A second example of requiring transport mode encryption of specific