Re: iked: load explicit flows for ipip/ipcomp
ok On Sun, Nov 05, 2017 at 10:39:18PM +0100, Patrick Wildt wrote: > Hi, > > for IPcomp we need to load explicit ESP-flows for the IPIP or IPCOMP > tunneled packets, otherwise every packet between the gateways will > be sent into the tunnel (e.g. ICMP, too). > > ok? > > Patrick > > diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c > index 706f9ebbe1d..cacfe690008 100644 > --- a/sbin/iked/ikev2.c > +++ b/sbin/iked/ikev2.c > @@ -4942,16 +4942,21 @@ ikev2_ipcomp_enable(struct iked *env, struct iked_sa > *sa) > { > struct iked_childsa *other, *nother, *csa = NULL, *csb = NULL; > struct iked_flow*flow, *flowa = NULL, *flowb = NULL; > + struct iked_flow*flowc = NULL, *flowd = NULL; > struct iked_flow*nflow, *oflow; > > if ((csa = calloc(1, sizeof(*csa))) == NULL || > (csb = calloc(1, sizeof(*csb))) == NULL || > (flowa = calloc(1, sizeof(*flowa))) == NULL || > - (flowb = calloc(1, sizeof(*flowb))) == NULL) { > + (flowb = calloc(1, sizeof(*flowb))) == NULL || > + (flowc = calloc(1, sizeof(*flowc))) == NULL || > + (flowd = calloc(1, sizeof(*flowd))) == NULL) { > free(csa); > free(csb); > free(flowa); > free(flowb); > + free(flowc); > + free(flowd); > return (-1); > } > > @@ -5039,8 +5044,9 @@ ikev2_ipcomp_enable(struct iked *env, struct iked_sa > *sa) > } > } > > - /* setup ESP flows for gateways */ > + /* setup ESP flows for gateways (IPCOMP) */ > flowa->flow_ipcomp = 1; > + flowa->flow_ipproto = IPPROTO_IPCOMP; > flowa->flow_dir = IPSP_DIRECTION_OUT; > flowa->flow_saproto = IKEV2_SAPROTO_ESP; > flowa->flow_local = >sa_local; 
> @@ -5054,22 +5060,36 @@ ikev2_ipcomp_enable(struct iked *env, struct iked_sa > *sa) > (sa->sa_local.addr_af == AF_INET) ? 32 : 128; > flowa->flow_ikesa = sa; > > - /* skip if flow already exists */ > + /* matching incoming flow */ > + memcpy(flowb, flowa, sizeof(*flowb)); > + flowb->flow_dir = IPSP_DIRECTION_IN; > + memcpy(>flow_dst, >flow_src, sizeof(flowa->flow_src)); > + memcpy(>flow_src, >flow_dst, sizeof(flowa->flow_dst)); > + > + /* setup ESP flows for gateways (IPIP) */ > + memcpy(flowc, flowa, sizeof(*flowc)); > + flowc->flow_ipproto = IPPROTO_IPIP; > + > + /* matching incoming flow */ > + memcpy(flowd, flowb, sizeof(*flowd)); > + flowd->flow_ipproto = IPPROTO_IPIP; > + > + /* skip if flows already exists */ > TAILQ_FOREACH(flow, >sa_flows, flow_entry) { > - if (flow_equal(flow, flowa)) { > + if (flow_equal(flow, flowa) || flow_equal(flow, flowb) || > + flow_equal(flow, flowc) || flow_equal(flow, flowd)) { > free(flowa); > free(flowb); > + free(flowc); > + free(flowd); > goto done; > } > } > > - memcpy(flowb, flowa, sizeof(*flowb)); > - flowb->flow_dir = IPSP_DIRECTION_IN; > - memcpy(>flow_dst, >flow_src, sizeof(flowa->flow_src)); > - memcpy(>flow_src, >flow_dst, sizeof(flowa->flow_dst)); > - > TAILQ_INSERT_TAIL(>sa_flows, flowa, flow_entry); > TAILQ_INSERT_TAIL(>sa_flows, flowb, flow_entry); > + TAILQ_INSERT_TAIL(>sa_flows, flowc, flow_entry); > + TAILQ_INSERT_TAIL(>sa_flows, flowd, flow_entry); > > done: > /* make sure IPCOMP CPIs are not reused */ EOF
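Review bot: The duplicate check in ikev2_ipcomp_enable now frees all four flows and jumps to done as soon as any one of flowa..flowd equals an existing entry, so a partial match (for example only the IPCOMP pair already present in sa_flows) also suppresses the IPIP pair this change exists to add; if that partial state cannot occur, a comment saying the four flows are always installed together would make the all-or-nothing skip intentional, otherwise check and insert each flow on its own. The comment should also read `/* skip if flows already exist */`. The function continues past the done: label outside the hunk.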
Re: ikev2: follow rfc5903 correctly (ECP Groups)
ok 2017-10-24 16:25 GMT+02:00 Patrick Wildt: > Hi, > > in the final RFC 5903 the computation for the DH shared secret changed. > Instead of the full point, only the X point is included. Unfortunately > this is a backwards incompatible change, so older ikeds won't be com- > patible with this change is committed. Of course only if you use ECP. > Anyway, this change makes us follow the RFC correctly. > > Source: https://tools.ietf.org/html/rfc5903 - 9. Changes from RFC 4753 > > ok? > > Patrick > > diff --git a/sbin/iked/dh.c b/sbin/iked/dh.c > index a8308eec596..a3ef5f80906 100644 > --- a/sbin/iked/dh.c > +++ b/sbin/iked/dh.c > @@ -38,10 +38,13 @@ int modp_create_shared(struct group *, uint8_t *, uint8_t > *); > /* EC2N/ECP */ > intec_init(struct group *); > intec_getlen(struct group *); > +intec_secretlen(struct group *); > intec_create_exchange(struct group *, uint8_t *); > intec_create_shared(struct group *, uint8_t *, uint8_t *); > > -intec_point2raw(struct group *, const EC_POINT *, uint8_t *, size_t); > +#define EC_POINT2RAW_FULL 0 > +#define EC_POINT2RAW_XONLY 1 > +intec_point2raw(struct group *, const EC_POINT *, uint8_t *, size_t, > int); > EC_POINT * > ec_raw2point(struct group *, uint8_t *, size_t); > > @@ -293,6 +296,7 @@ group_get(uint32_t id) > case GROUP_ECP: > group->init = ec_init; > group->getlen = ec_getlen; > + group->secretlen = ec_secretlen; > group->exchange = ec_create_exchange; > group->shared = ec_create_shared; > break; > @@ -343,6 +347,15 @@ dh_getlen(struct group *group) > return (group->getlen(group)); > } > > +int > +dh_secretlen(struct group *group) > +{ > + if (group->secretlen) > + return (group->secretlen(group)); > + else > + return (group->getlen(group)); > +} > + > int > dh_create_exchange(struct group *group, uint8_t *buf) > { 
> @@ -450,6 +463,20 @@ ec_getlen(struct group *group) > return ((roundup(group->spec->bits, 8) * 2) / 8); > } > > +/* > + * Note that the shared secret only includes the x value: > + * > + * See RFC 5903, 7. ECP Key Exchange Data Formats: > + * The Diffie-Hellman shared secret value consists of the x value of the > + * Diffie-Hellman common value. > + * See also RFC 5903, 9. Changes from RFC 4753. > + */ > +int > +ec_secretlen(struct group *group) > +{ > + return (ec_getlen(group) / 2); > +} > + > int > ec_create_exchange(struct group *group, uint8_t *buf) > { > @@ -459,7 +486,7 @@ ec_create_exchange(struct group *group, uint8_t *buf) > bzero(buf, len); > > return (ec_point2raw(group, EC_KEY_get0_public_key(group->ec), > - buf, len)); > + buf, len, EC_POINT2RAW_FULL)); > } > > int > @@ -496,7 +523,8 @@ ec_create_shared(struct group *group, uint8_t *secret, > uint8_t *exchange) > if (!EC_POINT_mul(ecgroup, secretp, NULL, exchangep, privkey, NULL)) > goto done; > > - ret = ec_point2raw(group, secretp, secret, ec_getlen(group)); > + ret = ec_point2raw(group, secretp, secret, ec_secretlen(group), > + EC_POINT2RAW_XONLY); > > done: > if (exkey != NULL) > @@ -511,7 +539,7 @@ ec_create_shared(struct group *group, uint8_t *secret, > uint8_t *exchange) > > int > ec_point2raw(struct group *group, const EC_POINT *point, > -uint8_t *buf, size_t len) > +uint8_t *buf, size_t len, int mode) > { > const EC_GROUP *ecgroup = NULL; > BN_CTX *bnctx = NULL; > @@ -528,9 +556,19 @@ ec_point2raw(struct group *group, const EC_POINT *point, > goto done; > > eclen = ec_getlen(group); > - if (len < eclen) > + switch (mode) { > + case EC_POINT2RAW_XONLY: > + xlen = eclen / 2; > + ylen = 0; > + break; > + case EC_POINT2RAW_FULL: > + xlen = ylen = eclen / 2; > + break; > + default: > + goto done; > + } > + if (len < xlen + ylen) > goto done; > - xlen = ylen = eclen / 2; > > if ((ecgroup = EC_KEY_get0_group(group->ec)) == NULL) > goto done; 
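Review bot: ec_create_shared now writes only ec_secretlen(group) bytes of the shared secret into `secret`, so any caller that still sizes or consumes that buffer with dh_getlen() (callers are outside these hunks, and the dh.h part of the diff is cut off here) would feed the unwritten second half into key derivation; confirm every consumer of the shared secret was switched to the new dh_secretlen(). A one-line comment at the call, `/* X coordinate only (RFC 5903 section 7); length is dh_secretlen() */`, would make that contract visible at the point of use. In ec_point2raw the new `default: goto done;` relies on ret still holding its initial error value, which is assigned outside the hunk.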
> @@ -551,10 +589,12 @@ ec_point2raw(struct group *group, const EC_POINT *point, > if (!BN_bn2bin(x, buf + xoff)) > goto done; > > - yoff = (ylen - BN_num_bytes(y)) + xlen; > - bzero(buf + xlen, yoff - xlen); > - if (!BN_bn2bin(y, buf + yoff)) > - goto done; > + if (ylen > 0) { > + yoff = (ylen - BN_num_bytes(y)) + xlen; > + bzero(buf + xlen, yoff - xlen); > + if (!BN_bn2bin(y, buf + yoff)) > + goto done; > + } > > ret = 0; > done: > diff --git a/sbin/iked/dh.h b/sbin/iked/dh.h > index 77bb4b5ef16..7e24d4d6746 100644 > ---
Re: iked: support multiple subjectAltNames
ok 2017-10-19 15:40 GMT+02:00 Patrick Wildt: > Hi, > > so far, even if we look for our own cert, we only match the id against > the first subjectAltName. This means we cannot use certificates where > we actually need a different one. This diff changes the behaviour so > that we check all subjectAltNames of a given certificate. > > ok? > > Patrick > > diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c > index a8034411e77..543bd0b8725 100644 > --- a/sbin/iked/ca.c > +++ b/sbin/iked/ca.c > @@ -65,7 +65,7 @@ intca_privkey_to_method(struct iked_id *); > struct ibuf * > ca_x509_serialize(X509 *); > int ca_x509_subjectaltname_cmp(X509 *, struct iked_static_id *); > -int ca_x509_subjectaltname(X509 *cert, struct iked_id *); > +int ca_x509_subjectaltname(X509 *cert, struct iked_id *, int); > int ca_dispatch_parent(int, struct privsep_proc *, struct imsg *); > int ca_dispatch_ikev2(int, struct privsep_proc *, struct imsg *); 
> > @@ -1400,34 +1400,31 @@ ca_x509_subjectaltname_cmp(X509 *cert, struct > iked_static_id *id) > { > struct iked_id sanid; > char idstr[IKED_ID_SIZE]; > - int ret = -1; > - > - bzero(, sizeof(sanid)); > - > - if (ca_x509_subjectaltname(cert, ) != 0) > - return (-1); > - > - ikev2_print_id(, idstr, sizeof(idstr)); > - > - /* Compare id types, length and data */ > - if ((id->id_type != sanid.id_type) || > - ((ssize_t)ibuf_size(sanid.id_buf) != > - (id->id_length - id->id_offset)) || > - (memcmp(id->id_data + id->id_offset, > - ibuf_data(sanid.id_buf), > - ibuf_size(sanid.id_buf)) != 0)) { > + int ret = -1, lastpos = -1; > + > + while (ca_x509_subjectaltname(cert, , lastpos++) == 0) { > + ikev2_print_id(, idstr, sizeof(idstr)); > + > + /* Compare id types, length and data */ > + if ((id->id_type == sanid.id_type) && > + ((ssize_t)ibuf_size(sanid.id_buf) == > + (id->id_length - id->id_offset)) && > + (memcmp(id->id_data + id->id_offset, > + ibuf_data(sanid.id_buf), > + ibuf_size(sanid.id_buf)) == 0)) { > + ret = 0; > + break; > + } > log_debug("%s: %s mismatched", __func__, idstr); > - goto done; > + bzero(, sizeof(sanid)); > } > > - ret = 0; > - done: > ibuf_release(sanid.id_buf); > return (ret); > } > > int > -ca_x509_subjectaltname(X509 *cert, struct iked_id *id) > +ca_x509_subjectaltname(X509 *cert, struct iked_id *id, int lastpos) > { > X509_EXTENSION *san; > uint8_t sanhdr[4], *data; > @@ -1435,7 +1432,7 @@ ca_x509_subjectaltname(X509 *cert, struct iked_id *id) > char idstr[IKED_ID_SIZE]; > > if ((ext = X509_get_ext_by_NID(cert, > - NID_subject_alt_name, -1)) == -1 || > + NID_subject_alt_name, lastpos)) == -1 || > ((san = X509_get_ext(cert, ext)) == NULL)) { > log_debug("%s: did not find subjectAltName in certificate", > __func__); >
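Review bot: In ca_x509_subjectaltname_cmp the mismatch path does `bzero(&sanid, sizeof(sanid))` without releasing sanid.id_buf first, so every non-matching subjectAltName leaks the ibuf that ca_x509_subjectaltname appears to allocate (only the last one reaches the `ibuf_release(sanid.id_buf)` after the loop); add `ibuf_release(sanid.id_buf);` before the bzero. Separately, lastpos is advanced by one per call while X509_get_ext_by_NID in the second hunk returns the first matching extension after lastpos, so the same extension can be examined several times before lastpos passes its index; having ca_x509_subjectaltname hand the found index back would avoid that. RFC 5280 also allows at most one instance of the subjectAltName extension, so multiple names normally sit inside a single extension as several GeneralNames; if ca_x509_subjectaltname decodes only the first GeneralName (its body is outside these hunks), this loop would still not reach the others, which is worth confirming against the certificates this is meant to support.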
Re: tcpbench(4) support for AF_UNIX
schaut gut aus, hab aber nicht probiert. 2016-07-20 16:09 GMT+02:00 Claudio Jeker: > For testing I want to abuse tcpbench to work over AF_UNIX sockets. > This diff does exactly that with minimal extras. Especially the unix > socket is not removed from the filesystem when closed. I don't want to > add pledge cpath to tcpbench just for that. > > -- > :wq Claudio > > Index: tcpbench.1 > === > RCS file: /cvs/src/usr.bin/tcpbench/tcpbench.1,v > retrieving revision 1.20 > diff -u -p -r1.20 tcpbench.1 > --- tcpbench.1 19 Aug 2014 03:28:53 - 1.20 > +++ tcpbench.1 20 Jul 2016 12:44:21 - > @@ -24,7 +24,7 @@ > .Nm > .Fl l > .Nm > -.Op Fl 46uv > +.Op Fl 46Uuv > .Op Fl B Ar buf > .Op Fl b Ar addr > .Op Fl k Ar kvars > @@ -39,7 +39,7 @@ > .Nm > .Bk -words > .Fl s > -.Op Fl 46uv > +.Op Fl 46Uuv > .Op Fl B Ar buf > .Op Fl k Ar kvars > .Op Fl p Ar port > @@ -47,6 +47,7 @@ > .Op Fl S Ar space > .Op Fl T Ar toskeyword > .Op Fl V Ar rtable > +.Op Ar hostname > .Ek > .Sh DESCRIPTION > .Nm > @@ -138,6 +139,11 @@ or a number in either hex or decimal. > Stop after > .Ar secs > seconds. > +.It Fl U > +Use AF_UNIX sockets instead of IPv4 or IPv6 sockets. > +In both cases > +.Ar hostname > +is the path to the AF_UNIX socket that should be used. > .It Fl u > Use UDP instead of TCP; this must be specified on both the client > and the server. > Index: tcpbench.c > === > RCS file: /cvs/src/usr.bin/tcpbench/tcpbench.c,v > retrieving revision 1.50 > diff -u -p -r1.50 tcpbench.c > --- tcpbench.c 6 Apr 2016 14:09:06 - 1.50 > +++ tcpbench.c 20 Jul 2016 12:46:24 - > @@ -21,6 +21,7 @@ > #include > #include > #include > +#include > > #include > > @@ -56,6 +57,7 @@ > #define DEFAULT_UDP_PKT (1500 - 28) /* TODO don't hardcode this */ > #define TCP_MODE !ptb->uflag > #define UDP_MODE ptb->uflag > +#define UNIX_MODE ptb->Uflag > #define MAX_FD 1024 > > /* Our tcpbench globals */ 
> @@ -66,6 +68,8 @@ struct { > int Tflag;/* ToS if != -1 */ > int vflag;/* Verbose */ > int uflag;/* UDP mode */ > + int Uflag;/* UNIX (AF_LOCAL) mode */ > + int Rflag;/* in UDP mode randomize size */ > kvm_t*kvmh; /* Kvm handler */ > char**kvars;/* Kvm enabled vars */ > u_longktcbtab; /* Ktcb */ > @@ -179,11 +183,11 @@ usage(void) > { > fprintf(stderr, > "usage: tcpbench -l\n" > - " tcpbench [-46uv] [-B buf] [-b addr] [-k kvars] [-n > connections]\n" > + " tcpbench [-46Uuv] [-B buf] [-b addr] [-k kvars] [-n > connections]\n" > "[-p port] [-r interval] [-S space] [-T > toskeyword]\n" > "[-t secs] [-V rtable] hostname\n" > - " tcpbench -s [-46uv] [-B buf] [-k kvars] [-p port]\n" > - "[-r interval] [-S space] [-T toskeyword] [-V > rtable]\n"); > + " tcpbench -s [-46Uuv] [-B buf] [-k kvars] [-p port] [-r > interval]\n" > + "[-S space] [-T toskeyword] [-V rtable] > [hostname]\n"); > exit(1); > } > > @@ -212,6 +216,11 @@ saddr_ntop(const struct sockaddr *addr, > char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV]; > int herr; > > + if (addr->sa_family == AF_UNIX) { > + struct sockaddr_un *sun = (struct sockaddr_un *)addr; > + snprintf(buf, len, "%s", sun->sun_path); > + return; > + } > if ((herr = getnameinfo(addr, alen, hbuf, sizeof(hbuf), > pbuf, sizeof(pbuf), NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { > if (herr == EAI_SYSTEM) > @@ -805,7 +814,8 @@ server_init(struct addrinfo *aitop, stru > fprintf(stderr, "bound to fd %d\n", sock); > lnfds++; > } > - freeaddrinfo(aitop); > + if (!UNIX_MODE) > + freeaddrinfo(aitop); > if (lnfds == 0) > errx(1, "No working listen addresses found"); > } > @@ -815,8 +825,11 @@ client_handle_sc(int fd, short event, vo > { > struct statctx *sc = v_sc; > ssize_t n; > + size_t blen = sc->buflen; > > - if ((n = write(sc->fd, sc->buf, sc->buflen)) == -1) { > + if (ptb->Rflag) > + blen = arc4random_uniform(blen) + 1; > + if ((n = write(sc->fd, sc->buf, blen)) == -1) { > if (errno == EINTR || errno == EWOULDBLOCK || > (UDP_MODE && errno == ENOBUFS)) > return; 
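Review bot: Rflag ("in UDP mode randomize size") is introduced in this hunk and read in client_handle_sc, but nothing visible in this diff adds an -R case to option parsing, lists it in usage() (which only grows to -46Uuv) or documents it in tcpbench.1, and the cover letter does not mention it; either drop it or add the getopt case and the documentation. The struct these fields belong to starts outside the hunk.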
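Review bot: The AF_UNIX branch in saddr_ntop prints sun->sun_path with `%s`, but sun_path is not guaranteed to be NUL-terminated (a full-length path fills the array), so the format can read past the end of the structure; bound it to the field with `snprintf(buf, len, "%.*s", (int)sizeof(sun->sun_path), sun->sun_path);`. The cast also discards the const on addr — `const struct sockaddr_un *sun = (const struct sockaddr_un *)addr;` keeps the qualifier. alen goes unused on this path; if the address came from accept or getpeername, alen minus the header is the authoritative path length and could be used instead of sizeof.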
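Review bot: With Rflag set, `blen = arc4random_uniform(blen) + 1` evaluates to 1 when sc->buflen is 0 and the write then reads one byte from an empty buffer; buflen is assigned outside the hunk, so if 0 is reachable guard it with `if (ptb->Rflag && blen > 0)`. Since blen is size_t while arc4random_uniform takes and returns uint32_t, a buffer larger than UINT32_MAX would be silently truncated — unlikely here, but a short comment noting the bound keeps the intent clear.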
> @@ -916,7 +929,8 @@ client_init(struct addrinfo *aitop, int > if (mainstats.nconns == 1) > set_slice_timer(1); > } > - freeaddrinfo(aitop); > + if
Re: ecdsa support in iked
great! this changes the code to hide the ECDSA conversion inside crypto.c and also make ECDSA work with the generic RFC 7427 signature encoding. Could you verify this with OS X? I've only tested strongswan. -m 2016-07-03 11:07 GMT+02:00 René Ammerlaan <rj.ammerl...@sungai.nl>: > Hi, > > I’ve created a patch for ecdsa support in iked. Also found a bug in handling > auth_eap, because that value is never initialised to 0. I also updated the > dsa sign functions with the newer EVP_Digest so it’s aligned with the rest of > the code, but it’s not required for ecdsa support. > > The ecdsa signature should contain only plain r and s, so the signature is > converted to that format. I’ve tested compatibility with OSX and IOS and both > seem to be working fine. > > Regards, > > René commit 75b98b0bfa99284850f5b8b501e973cd71a7ae5e Author: Markus Friedl <mfri...@gmail.com> Date: Wed Jul 20 14:56:04 2016 +0200 ecdsa 1) move ecdsa en/decoding into crypto.c 2) allow ECDSA with generic RFC 7427 signature encoding diff --git crypto.c crypto.c index 154ec20..85254a6 100644 --- crypto.c +++ crypto.c 
@@ -39,36 +39,52 @@ #include "iked.h" #include "ikev2.h" -/* RFC 7427, A.1 */ -static const uint8_t sha256WithRSAEncryption[] = { +/* RFC 7427, A.1 RSA */ +static const uint8_t sha256WithRSA[] = { 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 }; -static const uint8_t sha384WithRSAEncryption[] = { +static const uint8_t sha384WithRSA[] = { 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00 }; -static const uint8_t sha512WithRSAEncryption[] = { +static const uint8_t sha512WithRSA[] = { 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00 }; +/* RFC 7427, A.3 ECDSA */ +static const uint8_t ecdsa_sha256[] = { + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x04, 0x03, 0x02 +}; +static const uint8_t ecdsa_sha384[] = { + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x04, 0x03, 0x03 +}; +static const uint8_t ecdsa_sha512[] = { + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x04, 0x03, 0x04 +}; struct { + int sc_keytype; + const EVP_MD*(*sc_md)(void); uint8_t sc_len; const uint8_t *sc_oid; - const EVP_MD*(*sc_md)(void); } schemes[] = { - { sizeof(sha256WithRSAEncryption), - sha256WithRSAEncryption, EVP_sha256 }, - { sizeof(sha384WithRSAEncryption), - sha384WithRSAEncryption, EVP_sha384 }, - { sizeof(sha512WithRSAEncryption), - sha512WithRSAEncryption, EVP_sha512 }, + { EVP_PKEY_RSA, EVP_sha256, sizeof(sha256WithRSA), sha256WithRSA }, + { EVP_PKEY_RSA, EVP_sha384, sizeof(sha384WithRSA), sha384WithRSA }, + { EVP_PKEY_RSA, EVP_sha512, sizeof(sha512WithRSA), sha512WithRSA }, + { EVP_PKEY_EC, EVP_sha256, sizeof(ecdsa_sha256), ecdsa_sha256 }, + { EVP_PKEY_EC, EVP_sha384, sizeof(ecdsa_sha384), ecdsa_sha384 }, + { EVP_PKEY_EC, EVP_sha512, sizeof(ecdsa_sha512), ecdsa_sha256 }, }; int_dsa_verify_init(struct iked_dsa *, const uint8_t *, size_t); -size_t _dsa_verify_offset(struct iked_dsa *, uint8_t *); +int_dsa_verify_prepare(struct 
iked_dsa *, uint8_t **, size_t *, + uint8_t **); int_dsa_sign_encode(struct iked_dsa *, uint8_t *, size_t *); +size_t _dsa_sign_ecdsa(struct iked_dsa *, uint8_t *, size_t); struct iked_hash * hash_new(uint8_t type, uint16_t id) @@ -358,6 +374,7 @@ struct ibuf * cipher_setiv(struct iked_cipher *encr, void *iv, size_t len) { ibuf_release(encr->encr_iv); + encr->encr_iv = NULL; if (iv != NULL) { if (len < encr->encr_ivlength) { log_debug("%s: invalid IV length %zu", __func__, len); @@ -659,6 +676,7 @@ dsa_setkey(struct iked_dsa *dsa, void *key, size_t keylen, uint8_t type) if (rawcert != NULL) BIO_free(rawcert); ibuf_release(dsa->dsa_keydata); + dsa->dsa_keydata = NULL; return (NULL); } @@ -667,6 +685,7 @@ _dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len) { uint8_t oidlen; size_t i; + int keytype; if (dsa->dsa_priv != NULL) return (0); @@ -679,23 +698,30 @@ _dsa_verify_init(struct iked_dsa *dsa, const uint8_t *sig, size_t len) print_map(dsa->dsa_method, ikev2_auth_map)); return (-1); } + if (dsa->dsa_key == NULL) { + log_debug("%s: dsa_key not set for %s", __func__, + print_map(dsa->dsa_method, ikev2_auth_map)); +
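Review bot: The last schemes[] row pairs EVP_sha512 and sizeof(ecdsa_sha512) with the ecdsa_sha256 OID bytes, so ECDSA-with-SHA-512 signatures would be encoded with the SHA-256 AlgorithmIdentifier and a peer's genuine SHA-512 identifier could never match this table (while a SHA-256 identifier matches two rows); the line should be `{ EVP_PKEY_EC, EVP_sha512, sizeof(ecdsa_sha512), ecdsa_sha512 },`. How the table is searched lives in _dsa_verify_prepare and _dsa_sign_encode outside this hunk, so the exact failure mode on verify is inferred. A comment on each row tying the OID to its digest (or a static assertion on the OID's last byte) would catch this class of copy error.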
ipsec/ipv6 refactor
Hi, this matches the IPsec/IPv4 change I committed back in December, but since I don't have extensive IPv6 setups it's still not committed. Please test, give feedback and it will finally go into the next release. Thanks, -m ipv6ipsec-refactor.diff Description: Binary data
Re: Send hostname to remote host with syslogd
fwiw, this is what i have in my tree for some time now: Index: syslogd.c === RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v retrieving revision 1.104 diff -u -p -u -r1.104 syslogd.c --- syslogd.c 12 Jul 2011 11:28:31 - 1.104 +++ syslogd.c 7 Feb 2013 12:05:16 - @@ -195,6 +195,7 @@ int MarkInterval = 20 * 60; /* interval intMarkSeq = 0;/* mark sequence number */ intSecureMode = 1; /* when true, speak only unix domain socks */ intNoDNS = 0; /* when true, will refrain from doing DNS lookups */ +intIncludeHostname = 0;/* include RFC 3164 style hostnames when forwarding */ char *ctlsock_path = NULL; /* Path to control socket */ @@ -289,7 +290,7 @@ main(int argc, char *argv[]) struct addrinfo hints, *res, *res0; FILE *fp; - while ((ch = getopt(argc, argv, dnuf:m:p:a:s:)) != -1) + while ((ch = getopt(argc, argv, dhnuf:m:p:a:s:)) != -1) switch (ch) { case 'd': /* debug */ Debug++; @@ -297,6 +298,9 @@ main(int argc, char *argv[]) case 'f': /* configuration file */ ConfFile = optarg; break; + case 'h': /* RFC 3164 hostnames */ + IncludeHostname = 1; + break; case 'm': /* mark interval */ MarkInterval = atoi(optarg) * 60; break; @@ -611,7 +615,7 @@ usage(void) { (void)fprintf(stderr, - usage: syslogd [-dnu] [-a path] [-f config_file] [-m mark_interval]\n + usage: syslogd [-dnuh] [-a path] [-f config_file] [-m mark_interval]\n [-p log_socket] [-s reporting_socket]\n); exit(1); } @@ -888,8 +892,10 @@ fprintlog(struct filed *f, int flags, ch case F_FORW: dprintf( %s\n, f-f_un.f_forw.f_hname); - if ((l = snprintf(line, sizeof(line), %d%.15s %s, + if ((l = snprintf(line, sizeof(line), %d%.15s %s%s%s, f-f_prevpri, (char *)iov[0].iov_base, + IncludeHostname ? LocalHostName : , + IncludeHostname ? : , (char *)iov[4].iov_base)) = sizeof(line) || l == -1) l = strlen(line); if (sendto(pfd[PFD_INET].fd, line, l, 0, 2013/2/1 Stuart Henderson s...@spacehopper.org: 
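Review bot: usage() lists the new flag as `[-dnuh]`, which breaks the sorted option order OpenBSD usage strings keep; it should read `[-dhnu]`, matching the `dhnuf:m:p:a:s:` getopt string. No syslogd.8 change accompanies the new -h option in this diff, so the SYNOPSIS and option list in the man page would also need the entry. In fprintlog the hostname is spliced into the forwarded line with no length reservation, and the existing truncation fallback simply takes strlen(line), so long messages appear to lose their tail earlier when -h is on; a note on the IncludeHostname declaration saying the hostname counts against the 1K line limit would document that trade-off.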
From: Gabriel Linder lin...@jeuxvideo.com To: tech@openbsd.org Sent: Wednesday, December 26, 2012 9:40:40 AM Subject: Send hostname to remote host with syslogd While playing with base syslogd and syslog-ng to have a unique loghost on my network, I noticed that OpenBSD syslogd does not send the hostname (while other daemons like rsyslog send it), so my loghost logs the IP instead of the hostname. Is there a reason for this behaviour? Does your loghost really log the provided hostname _instead of_ the IP address? That seems like bad information loss, especially as the hostname here does not include the domain name. I'm a bit undecided as to whether this is really useful (I suppose having it _in addition_ to the IP address might be useful where there's a NAT between log source and destination) but in any event if it's done, I think it should be optional and off by default; it changes the established format and eats into a limited 1K max line length. The diff below fixes this and works for me. Diff is also available at http://dargor.servebeer.com/~dargor/openbsd/syslogd.diff (thunderbird likes to mess with my tabs...) see git-format-patch(1) for information about how to correct your Thunderbird settings.
Re: [patch] Re: hacking pfkey: a few questions
yes, just writing an appropriate isakmpd.policy file should work: Authorizer: POLICY Conditions: app_domain == IPsec policy ( remote_filter != 000.000.000.000-255.255.255.255 ) -> true; On Tue, Apr 13, 2010 at 12:10:27PM +1000, Damien Miller wrote: On Mon, 12 Apr 2010, Toni Mueller wrote: Hi, with your comments, I have produced a second version of the patch, which includes the following changes: IPsec isn't really my area, but some questions: 1) Why are these flows illegal? 0/0 -> 0/0 seems like it might have a use as a shorthand for tunnel absolutely everything. 2) Why are you implementing this in the kernel instead of isakmpd? 3) Why are you implementing this at all? Doesn't isakmpd have mechanisms to prevent peers from creating undesired flows? -d