more correct diff:
Index: ike.c
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ike.c,v
retrieving revision 1.54
diff -u -p -r1.54 ike.c
--- ike.c 24 Nov 2006 08:07:18 -0000 1.54
+++ ike.c 24 Nov 2006 10:46:19 -0000
@@ -38,17 +38,18 @@ static void ike_section_peer(struct ipse
static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
FILE *, u_int8_t);
static int ike_get_id_type(char *);
-static void ike_section_ipsec(struct ipsec_addr_wrap *, struct
- ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *);
+static void ike_section_ipsec(struct ipsec_addr_wrap *, u_int16_t, struct
+ ipsec_addr_wrap *, u_int16_t, struct ipsec_addr_wrap *,
+ char *, FILE *);
static int ike_section_p1(struct ipsec_addr_wrap *, struct
ipsec_transforms *, FILE *, struct ike_auth *, u_int8_t);
-static int ike_section_p2(struct ipsec_addr_wrap *, struct
- ipsec_addr_wrap *, u_int8_t, u_int8_t, struct
+static int ike_section_p2(struct ipsec_addr_wrap *, u_int16_t, struct
+ ipsec_addr_wrap *, u_int16_t, u_int8_t, u_int8_t, struct
ipsec_transforms *, FILE *, u_int8_t);
static void ike_section_p2ids(u_int8_t, struct ipsec_addr_wrap *,
u_int16_t, struct ipsec_addr_wrap *, u_int16_t, FILE *);
-static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct
- ipsec_addr_wrap *, FILE *);
+static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, u_int16_t,
+ struct ipsec_addr_wrap *, u_int16_t, FILE *);
static int ike_gen_config(struct ipsec_rule *, FILE *);
static int ike_delete_config(struct ipsec_rule *, FILE *);
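Review bot: The new `tag` parameter of ike_section_ipsec is declared `char *` even though the definition (in the `@@ -174,33 +175,45` hunk) only passes it to fprintf, so `const char *tag` in both prototype and definition would record that the section writer never modifies the rule's tag and lets const callers pass it without a cast. The remaining prototype changes merely track the added sport/dport arguments and need nothing further.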
@@ -174,33 +175,45 @@ ike_get_id_type(char *string)
}
static void
-ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
- struct ipsec_addr_wrap *peer, FILE *fd)
+ike_section_ipsec(struct ipsec_addr_wrap *src, u_int16_t sport,
+ struct ipsec_addr_wrap *dst, u_int16_t dport, struct ipsec_addr_wrap *peer,
+ char *tag, FILE *fd)
{
- fprintf(fd, SET "[IPsec-%s-%s]:Phase=2 force\n", src->name, dst->name);
+ char *p;
+
+ if (asprintf(&p, "%s:%d-%s:%d", src->name, ntohs(sport), dst->name,
+ ntohs(dport)) == -1)
+ err(1, "ike_section_ipsec");
+
+ fprintf(fd, SET "[IPsec-%s]:Phase=2 force\n", p);
if (peer)
- fprintf(fd, SET "[IPsec-%s-%s]:ISAKMP-peer=peer-%s force\n",
- src->name, dst->name, peer->name);
+ fprintf(fd, SET "[IPsec-%s]:ISAKMP-peer=peer-%s force\n", p,
+ peer->name);
else
fprintf(fd, SET
- "[IPsec-%s-%s]:ISAKMP-peer=peer-default force\n",
- src->name, dst->name);
+ "[IPsec-%s]:ISAKMP-peer=peer-default force\n", p);
- fprintf(fd, SET "[IPsec-%s-%s]:Configuration=qm-%s-%s force\n",
- src->name, dst->name, src->name, dst->name);
- fprintf(fd, SET "[IPsec-%s-%s]:Local-ID=lid-%s force\n", src->name,
- dst->name, src->name);
- fprintf(fd, SET "[IPsec-%s-%s]:Remote-ID=rid-%s force\n", src->name,
- dst->name, dst->name);
+ fprintf(fd, SET "[IPsec-%s]:Configuration=qm-%s force\n", p, p);
+ fprintf(fd, SET "[IPsec-%s]:Local-ID=lid-%s force\n", p, src->name);
+ fprintf(fd, SET "[IPsec-%s]:Remote-ID=rid-%s force\n", p, dst->name);
+
+ if (tag)
+ fprintf(fd, SET "[IPsec-%s]:PF-Tag=%s force\n", p, tag);
+
+ free(p);
}
static int
-ike_section_p2(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
- u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd,
- u_int8_t ike_exch)
-{
- char *tag, *exchange_type, *sprefix;
+ike_section_p2(struct ipsec_addr_wrap *src, u_int16_t sport,
+ struct ipsec_addr_wrap *dst, u_int16_t dport, u_int8_t satype,
+ u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd, u_int8_t
ike_exch)
+{
+ char *p, *tag, *exchange_type, *sprefix;
+
+ if (asprintf(&p, "%s:%d-%s:%d", src->name, ntohs(sport), dst->name,
+ ntohs(dport)) == -1)
+ err(1, "ike_section_p2");
switch (ike_exch) {
case IKE_QM:
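Review bot: The `p` that ike_section_p2 now allocates with asprintf is leaked on the error path: the `return (-1);` that closes the `switch (ike_exch)` in the next hunk (`@@ -213,10 +226,9`) appears to be its default case and has no `free(p)` before it, whereas ike_connect in this same diff does free before its own `return (-1)`. Since `p` is first used in the EXCHANGE_TYPE fprintf after that switch, either move the asprintf below the switch or add `free(p);` in front of that return. ike_section_p2's body continues past the end of this hunk; the matching `free(p)` before `return (0)` is added in the `@@ -339,6 +354,8` hunk.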
@@ -213,10 +226,9 @@ ike_section_p2(struct ipsec_addr_wrap *s
return (-1);
}
- fprintf(fd, SET "[%s-%s-%s]:EXCHANGE_TYPE=%s force\n",
- tag, src->name, dst->name, exchange_type);
- fprintf(fd, SET "[%s-%s-%s]:Suites=%s-", tag, src->name,
- dst->name, sprefix);
+ fprintf(fd, SET "[%s-%s]:EXCHANGE_TYPE=%s force\n", tag, p,
+ exchange_type);
+ fprintf(fd, SET "[%s-%s]:Suites=%s-", tag, p, sprefix);
switch (satype) {
case IPSEC_ESP:
@@ -339,6 +354,8 @@ ike_section_p2(struct ipsec_addr_wrap *s
fprintf(fd, "-PFS");
fprintf(fd, "-SUITE force\n");
+ free(p);
+
return (0);
}
@@ -567,22 +584,28 @@ ike_section_p2ids(u_int8_t proto, struct
}
static int
-ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src,
- struct ipsec_addr_wrap *dst, FILE *fd)
+ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src, u_int16_t sport,
+ struct ipsec_addr_wrap *dst, u_int16_t dport, FILE *fd)
{
+ char *p;
+
+ if (asprintf(&p, "%s:%d-%s:%d", src->name, ntohs(sport), dst->name,
+ ntohs(dport)) == -1)
+ err(1, "ike_connect");
+
switch (mode) {
case IKE_ACTIVE:
case IKE_DYNAMIC:
- fprintf(fd, ADD "[Phase 2]:Connections=IPsec-%s-%s\n",
- src->name, dst->name);
+ fprintf(fd, ADD "[Phase 2]:Connections=IPsec-%s\n", p);
break;
case IKE_PASSIVE:
- fprintf(fd, ADD "[Phase 2]:Passive-Connections=IPsec-%s-%s\n",
- src->name, dst->name);
+ fprintf(fd, ADD "[Phase 2]:Passive-Connections=IPsec-%s\n", p);
break;
default:
+ free(p);
return (-1);
}
+ free(p);
return (0);
}
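Review bot: The `asprintf(&p, "%s:%d-%s:%d", src->name, ntohs(sport), dst->name, ntohs(dport))` connection-name construction added at the top of ike_connect is the fourth copy of the same expression in this diff (ike_section_ipsec, ike_section_p2 and ike_delete_config build it identically), so a future change to the naming scheme must be repeated in four places and the IPsec-, qm- and Connections= section names silently diverge if one copy is missed. A single static helper that performs the asprintf and the err() once would keep the names guaranteed identical and leave each caller with just an allocation to free. The two `free(p)` paths in ike_connect itself are correct.
```c
/* Build the "src:sport-dst:dport" name shared by the Phase 2 sections. */
static char *
ike_conn_name(struct ipsec_addr_wrap *src, u_int16_t sport,
    struct ipsec_addr_wrap *dst, u_int16_t dport)
{
	char *p;

	if (asprintf(&p, "%s:%d-%s:%d", src->name, ntohs(sport), dst->name,
	    ntohs(dport)) == -1)
		err(1, "ike_conn_name");
	return (p);
}
/* … ike_connect then starts with: … */
	char *p = ike_conn_name(src, sport, dst, dport);
	/* … unchanged: switch (mode) and free(p) paths … */
```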
@@ -595,13 +618,15 @@ ike_gen_config(struct ipsec_rule *r, FIL
fd, r->ikeauth, r->p1ie) == -1)
return (-1);
ike_section_ids(r->peer, r->auth, fd, r->ikemode);
- ike_section_ipsec(r->src, r->dst, r->peer, fd);
- if (ike_section_p2(r->src, r->dst, r->satype, r->tmode, r->p2xfs,
- fd, r->p2ie) == -1)
+ ike_section_ipsec(r->src, r->sport, r->dst, r->dport, r->peer, r->tag,
+ fd);
+ if (ike_section_p2(r->src, r->sport, r->dst, r->dport, r->satype,
+ r->tmode, r->p2xfs, fd, r->p2ie) == -1)
return (-1);
ike_section_p2ids(r->proto, r->src, r->sport, r->dst, r->dport, fd);
- if (ike_connect(r->ikemode, r->src, r->dst, fd) == -1)
+ if (ike_connect(r->ikemode, r->src, r->sport, r->dst, r->dport, fd)
+ == -1)
return (-1);
return (0);
@@ -610,15 +635,20 @@ ike_gen_config(struct ipsec_rule *r, FIL
static int
ike_delete_config(struct ipsec_rule *r, FILE *fd)
{
+ char *p;
+
+ if (asprintf(&p, "%s:%d-%s:%d", r->src->name, ntohs(r->sport),
+ r->dst->name, ntohs(r->dport)) == -1)
+ err(1, "ike_delete_config");
#if 0
switch (r->ikemode) {
case IKE_ACTIVE:
case IKE_DYNAMIC:
- fprintf(fd, "t IPsec-%s-%s\n", r->src->name, r->dst->name);
+ fprintf(fd, "t IPsec-%s\n", p);
break;
case IKE_PASSIVE:
fprintf(fd, DELETE "[Phase 2]\n");
- fprintf(fd, "t IPsec-%s-%s\n", r->src->name, r->dst->name);
+ fprintf(fd, "t IPsec-%s\n", p);
break;
default:
return (-1);
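Review bot: The `return (-1);` in the default case at the end of this hunk does not release the `p` that ike_delete_config now allocates at the top of the function; it sits inside the `#if 0` block so it is dead code today, but re-enabling that block would reintroduce exactly the leak the diff avoids in ike_connect. `free(p); return (-1);` there keeps the two functions consistent and costs nothing now. ike_delete_config continues past this hunk; the matching `free(p)` before `return (0)` is in the final hunk.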
@@ -635,16 +665,17 @@ ike_delete_config(struct ipsec_rule *r,
if (r->auth->dstid)
fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid);
}
- fprintf(fd, DELETE "[IPsec-%s-%s]\n", r->src->name, r->dst->name);
- fprintf(fd, DELETE "[qm-%s-%s]\n", r->src->name, r->dst->name);
+ fprintf(fd, DELETE "[IPsec-%s]\n", p);
+ fprintf(fd, DELETE "[qm-%s]\n", p);
fprintf(fd, DELETE "[lid-%s]\n", r->src->name);
fprintf(fd, DELETE "[rid-%s]\n", r->dst->name);
#else
- fprintf(fd, "t IPsec-%s-%s\n", r->src->name, r->dst->name);
- fprintf(fd, DELETE "[IPsec-%s-%s]\n", r->src->name, r->dst->name);
- fprintf(fd, DELETE "[qm-%s-%s]\n", r->src->name, r->dst->name);
+ fprintf(fd, "t IPsec-%s\n", p);
+ fprintf(fd, DELETE "[IPsec-%s]\n", p);
+ fprintf(fd, DELETE "[qm-%s]\n", p);
#endif
+ free(p);
return (0);
}