On 11/Nov - 18:45, Robert Elz wrote:
> Date: Mon, 11 Nov 2013 11:49:14 +0100
> From: Arnaud Degroote <degroote%NetBSD.org@localhost>
> Message-ID: <20131111104914.GB6456@bugfree>
>
> | If you want to use a programming interface instead of setkey, you can
> | use the function ipsec_set_policy (3) from libipsec, which takes the same
> | kind of input as setkey (8).
>
> Thanks, that does help a little - but that interface just seems to take
> a textual description of the policy (which I don't have, but could produce
> with a little sprintf'ing - though doing so seems a little perverse),
> and converts it into a binary structure (that I could probably just fill
> in with C assignment statements - the values for it should not be hard to
> find, and don't in any way depend upon any external specification - just what
> port numbers happen to have been assigned to my socket when it connected).
>
> But that doesn't tell me what to do with the structure when I have built
> it, and I think that's really what I wanted to know.
>
> | Some low-level APIs exist, but they are not documented.
>
> That's what I was afraid of. And I think it is that that I really need
> to get access to.
>
> | Dig into libpfkey.h.
>
> Thanks, but ... that shows me the structure used, which contains many
> fields whose purpose is way beyond anything I can even guess at, and
> prototypes for lots of functions whose purpose I have no idea of (I
> have just taken a quick glance so far, but there look to be too many
> for pure trial and error to ever come up with anything useful.)
>
> | The protocol used is PFKEY, as described in RFC 2367.
>
> That probably helps more, thanks - do we believe that NetBSD supports
> the interface in that RFC completely?

I would say yes, plus some extensions. Though it is not a 100% guarantee.

You should look closer at:

  pfkey_send_add2                    (add SA)
  pfkey_send_update2                 (update SA)
  pfkey_send_delete                  (delete SA)
  pfkey_send_spd{add,update,delete}  (add, update, delete SP)

The code, in correlation with the RFC, is relatively simple to understand.

Or you can directly use pfkey_{send,recv}, which work directly on
sadb_msg (in net/pfkeyv2.h).

-- 
Arnaud Degroote
Postdoc RIA LAAS - CNRS
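As an added illustration of the "work directly on sadb_msg" route mentioned above (this is example code written for this page, not from the thread, from libpfkey or from NetBSD), the C below builds an RFC 2367 SADB_DELETE message for one ESP SA by hand and then walks the extension chain the way a careful receiver must. The struct layouts and constants are transcribed from RFC 2367 so the file compiles without <net/pfkeyv2.h>; on NetBSD you would include that header (and, through libpfkey, pfkey_send_delete does this serialisation for you). The addresses and SPI are constructed sample values. The length checks in walk_sadb_exts are the point to take away: every *_len field counts 64-bit words, and a zero-length or overrunning extension in a reply must be rejected rather than followed.

```c
/* Added example, not from the mailing-list thread or from libpfkey.
 * Struct layouts and constants are transcribed from RFC 2367. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PF_KEY_V2            2
#define SADB_DELETE          4
#define SADB_SATYPE_ESP      3
#define SADB_EXT_SA          1
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define SADB_SASTATE_MATURE  1

/* All *_len fields count 64-bit words; every extension is 8-byte aligned. */
struct sadb_msg { uint8_t sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
                  uint16_t sadb_msg_len, sadb_msg_reserved; uint32_t sadb_msg_seq, sadb_msg_pid; };
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_sa  { uint16_t sadb_sa_len, sadb_sa_exttype; uint32_t sadb_sa_spi;
                  uint8_t sadb_sa_replay, sadb_sa_state, sadb_sa_auth, sadb_sa_encrypt;
                  uint32_t sadb_sa_flags; };
struct sadb_address { uint16_t sadb_address_len, sadb_address_exttype;
                      uint8_t sadb_address_proto, sadb_address_prefixlen;
                      uint16_t sadb_address_reserved; };   /* followed by a sockaddr */

#define PFKEY_ALIGN8(n) (((n) + 7) & ~(size_t)7)

/* Appends one address extension (header + padded sockaddr_in); returns bytes written. */
static size_t put_addr(uint8_t *p, uint16_t exttype, const char *ip) {
    struct sadb_address a = {0};
    struct sockaddr_in sin = {0};
    size_t salen = PFKEY_ALIGN8(sizeof sin);
    sin.sin_family = AF_INET;
#ifdef __NetBSD__
    sin.sin_len = sizeof sin;
#endif
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) return 0;
    a.sadb_address_len = (uint16_t)((sizeof a + salen) / 8);
    a.sadb_address_exttype = exttype;
    a.sadb_address_prefixlen = 32;                     /* single host address */
    memcpy(p, &a, sizeof a);
    memset(p + sizeof a, 0, salen);
    memcpy(p + sizeof a, &sin, sizeof sin);
    return sizeof a + salen;
}

/* Serialises SADB_DELETE for the ESP SA <spi, src -> dst>; returns bytes written, 0 on error. */
size_t build_sadb_delete(uint8_t *buf, size_t cap, uint32_t spi, const char *src, const char *dst) {
    struct sadb_msg m = {0};
    struct sadb_sa sa = {0};
    size_t off = sizeof m, n;
    size_t need = sizeof m + sizeof sa + 2 * (sizeof(struct sadb_address) + PFKEY_ALIGN8(sizeof(struct sockaddr_in)));
    if (cap < need) return 0;
    sa.sadb_sa_len = sizeof sa / 8;
    sa.sadb_sa_exttype = SADB_EXT_SA;
    sa.sadb_sa_spi = htonl(spi);                       /* SPI travels in network byte order */
    sa.sadb_sa_state = SADB_SASTATE_MATURE;
    memcpy(buf + off, &sa, sizeof sa); off += sizeof sa;
    if ((n = put_addr(buf + off, SADB_EXT_ADDRESS_SRC, src)) == 0) return 0; off += n;
    if ((n = put_addr(buf + off, SADB_EXT_ADDRESS_DST, dst)) == 0) return 0; off += n;
    m.sadb_msg_version = PF_KEY_V2; m.sadb_msg_type = SADB_DELETE; m.sadb_msg_satype = SADB_SATYPE_ESP;
    m.sadb_msg_len = (uint16_t)(off / 8); m.sadb_msg_seq = 1; m.sadb_msg_pid = (uint32_t)getpid();
    memcpy(buf, &m, sizeof m);
    return off;
}

/* Walks the extension chain; returns the extension count, or -1 if the message is
 * malformed (bad version, header length not matching the buffer, zero-length or
 * overrunning extension). Skipping these checks lets a crafted reply drive reads
 * past the end of the buffer. If an SA extension is present, its SPI is stored. */
int walk_sadb_exts(const uint8_t *buf, size_t len, uint32_t *spi_out) {
    struct sadb_msg m;
    size_t off = sizeof m;
    int count = 0;
    if (len < sizeof m) return -1;
    memcpy(&m, buf, sizeof m);
    if (m.sadb_msg_version != PF_KEY_V2 || (size_t)m.sadb_msg_len * 8 != len) return -1;
    while (off < len) {
        struct sadb_ext e;
        size_t elen;
        if (len - off < sizeof e) return -1;
        memcpy(&e, buf + off, sizeof e);
        elen = (size_t)e.sadb_ext_len * 8;
        if (elen < sizeof e || elen > len - off) return -1;
        if (e.sadb_ext_type == SADB_EXT_SA && spi_out && elen >= sizeof(struct sadb_sa)) {
            struct sadb_sa sa; memcpy(&sa, buf + off, sizeof sa); *spi_out = ntohl(sa.sadb_sa_spi);
        }
        off += elen; count++;
    }
    return count;
}

int main(void) {
    uint8_t buf[256];
    uint32_t spi = 0;
    /* Constructed sample: SPI 0x1000 between two documentation addresses. */
    size_t n = build_sadb_delete(buf, sizeof buf, 0x1000, "192.0.2.1", "192.0.2.2");
    printf("message: %zu bytes, %d extensions, spi 0x%x\n", n, walk_sadb_exts(buf, n, &spi), spi);
#ifdef PF_KEY
    /* Submitting it needs a PF_KEY socket and privilege; the kernel echoes the message
     * back to the socket with sadb_msg_errno set if the request failed. */
    int s = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
    if (s >= 0) { if (write(s, buf, n) < 0) perror("write"); close(s); }
#endif
    return 0;
}
```

The same header-plus-extension-chain shape carries every PF_KEY operation; SADB_ADD and SADB_UPDATE add key and lifetime extensions, and the NetBSD SPD operations Arnaud lists carry a sadb_x_policy extension that is a KAME addition outside RFC 2367, so for those the system header, not the RFC, is the reference for the layout.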