Module Name:    src
Committed By:   tteras
Date:           Fri Dec  3 14:32:53 UTC 2010

Modified Files:
        src/crypto/dist/ipsec-tools/src/libipsec: libpfkey.h pfkey_dump.c
        src/crypto/dist/ipsec-tools/src/setkey: parse.y setkey.8

Log Message:
Support the GRE key as an upper-layer protocol specifier (kernel-side
support is expected in Linux 2.6.38).


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 \
    src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h \
    src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/setkey/parse.y
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/setkey/setkey.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
diff -u src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.17 src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.18
--- src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.17	Mon Aug 17 13:52:14 2009
+++ src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h	Fri Dec  3 14:32:52 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: libpfkey.h,v 1.17 2009/08/17 13:52:14 vanhu Exp $	*/
+/*	$NetBSD: libpfkey.h,v 1.18 2010/12/03 14:32:52 tteras Exp $	*/
 
 /* Id: libpfkey.h,v 1.13 2005/12/04 20:26:43 manubsd Exp */
 
@@ -210,6 +210,10 @@
 #define IPPROTO_IPCOMP IPPROTO_COMP
 #endif
 
+#ifndef IPPROTO_MH
+#define IPPROTO_MH		135
+#endif
+
 static __inline u_int8_t
 sysdep_sa_len (const struct sockaddr *sa)
 {
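Review bot: The fallback added here covers only IPPROTO_MH, while pfkey_dump.c in this same commit now references IPPROTO_GRE unguarded in both str_prefport and str_upperspec. Any platform whose netinet/in.h does not define it will fail to build libipsec, whereas IPPROTO_MH was deliberately given a default. For symmetry, add `#ifndef IPPROTO_GRE` / `#define IPPROTO_GRE 47` / `#endif` next to the IPPROTO_MH block (47 is the IANA-assigned GRE protocol number).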
Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.17 src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.18
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.17	Fri Apr  2 15:13:26 2010
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Fri Dec  3 14:32:52 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey_dump.c,v 1.17 2010/04/02 15:13:26 christos Exp $	*/
+/*	$NetBSD: pfkey_dump.c,v 1.18 2010/12/03 14:32:52 tteras Exp $	*/
 
 /*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/
 
@@ -716,13 +716,19 @@
 	else
 		snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
 
-	if (ulp == IPPROTO_ICMPV6)
+	switch (ulp) {
+	case IPPROTO_ICMP:
+	case IPPROTO_ICMPV6:
+	case IPPROTO_MH:
+	case IPPROTO_GRE:
 		memset(portbuf, 0, sizeof(portbuf));
-	else {
+		break;
+	default:
 		if (port == IPSEC_PORT_ANY)
-			snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
+			strcpy(portbuf, "[any]");
 		else
 			snprintf(portbuf, sizeof(portbuf), "[%u]", port);
+		break;
 	}
 
 	snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
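Review bot: The `"[any]"` case replaces a bounded snprintf with an unbounded `strcpy(portbuf, "[any]")`, which is only safe while portbuf is at least six bytes; its declaration is outside this hunk, so the size guarantee is no longer visible at the point of use. Keep the bounded form, `snprintf(portbuf, sizeof(portbuf), "[any]");`, so the two branches of the default case stay consistent and a future shrink of the buffer cannot overflow. The enclosing function starts before this hunk.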
@@ -734,29 +740,26 @@
 str_upperspec(ulp, p1, p2)
 	u_int ulp, p1, p2;
 {
-	if (ulp == IPSEC_ULPROTO_ANY)
-		printf("any");
-	else if (ulp == IPPROTO_ICMPV6) {
-		printf("icmp6");
-		if (!(p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY))
-			printf(" %u,%u", p1, p2);
-	} else {
-		struct protoent *ent;
+	struct protoent *ent;
 
-		switch (ulp) {
-		case IPPROTO_IPV4:
-			printf("ip4");
-			break;
-		default:
-			ent = getprotobynumber((int)ulp);
-			if (ent)
-				printf("%s", ent->p_name);
-			else
-				printf("%u", ulp);
+	ent = getprotobynumber((int)ulp);
+	if (ent)
+		printf("%s", ent->p_name);
+	else
+		printf("%u", ulp);
 
-			endprotoent();
-			break;
-		}
+	if (p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY)
+		return;
+
+	switch (ulp) {
+	case IPPROTO_ICMP:
+	case IPPROTO_ICMPV6:
+	case IPPROTO_MH:
+		printf(" %u,%u", p1, p2);
+		break;
+	case IPPROTO_GRE:
+		printf(" %u", (p1 << 16) + p2);
+		break;
 	}
 }
 

Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.13 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.14
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.13	Fri Jun  4 13:06:03 2010
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y	Fri Dec  3 14:32:52 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.13 2010/06/04 13:06:03 vanhu Exp $	*/
+/*	$NetBSD: parse.y,v 1.14 2010/12/03 14:32:52 tteras Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -57,10 +57,6 @@
 #include "vchar.h"
 #include "extern.h"
 
-#ifndef IPPROTO_MH
-#define IPPROTO_MH		135
-#endif
-
 #define DEFAULT_NATT_PORT	4500
 
 #ifndef UDP_ENCAP_ESPINUDP
@@ -95,7 +91,7 @@
 static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
 
 static struct addrinfo *parse_addr __P((char *, char *));
-static int fix_portstr __P((vchar_t *, vchar_t *, vchar_t *));
+static int fix_portstr __P((int, vchar_t *, vchar_t *, vchar_t *));
 static int setvarbuf __P((char *, int *, struct sadb_ext *, int, 
     const void *, int));
 void parse_init __P((void));
@@ -584,16 +580,8 @@
 #endif
 
 			/* fixed port fields if ulp is icmp */
-			if ($10.buf != NULL) {
-				if (($9 != IPPROTO_ICMPV6) &&
-					($9 != IPPROTO_ICMP) &&
-					($9 != IPPROTO_MH))
-					return -1;
-				free($5.buf);
-				free($8.buf);
-				if (fix_portstr(&$10, &$5, &$8))
-					return -1;
-			}
+			if (fix_portstr($9, &$10, &$5, &$8))
+				return -1;
 
 			src = parse_addr($3.buf, $5.buf);
 			dst = parse_addr($6.buf, $8.buf);
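Review bot: The explicit rejection of an extra spec for protocols other than ICMP/ICMPv6/MH is gone from this action, so whether `tcp 1,2` is now an error or silently accepted is decided entirely inside fix_portstr, whose new switch (later hunk) has no default case; this action should not rely on that. The comment above the call, `/* fixed port fields if ulp is icmp */`, is also stale now that GRE keys take the same path; suggest `/* translate the optional icmp type/code or gre key spec into port strings */`. The two following hunks make the identical change and carry the same comment.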
@@ -638,16 +626,8 @@
 #endif
 
 			/* fixed port fields if ulp is icmp */
-			if ($10.buf != NULL) {
-				if (($9 != IPPROTO_ICMPV6) &&
-					($9 != IPPROTO_ICMP) &&
-					($9 != IPPROTO_MH))
-					return -1;
-				free($5.buf);
-				free($8.buf);
-				if (fix_portstr(&$10, &$5, &$8))
-					return -1;
-			}
+			if (fix_portstr($9, &$10, &$5, &$8))
+				return -1;
 
 			src = parse_addr($3.buf, $5.buf);
 			dst = parse_addr($6.buf, $8.buf);
@@ -687,16 +667,8 @@
 			struct addrinfo *src, *dst;
 
 			/* fixed port fields if ulp is icmp */
-			if ($10.buf != NULL) {
-				if (($9 != IPPROTO_ICMPV6) &&
-					($9 != IPPROTO_ICMP) &&
-					($9 != IPPROTO_MH))
-					return -1;
-				free($5.buf);
-				free($8.buf);
-				if (fix_portstr(&$10, &$5, &$8))
-					return -1;
-			}
+			if (fix_portstr($9, &$10, &$5, &$8))
+				return -1;
 
 			src = parse_addr($3.buf, $5.buf);
 			dst = parse_addr($6.buf, $8.buf);
@@ -1584,36 +1556,55 @@
 }
 
 static int
-fix_portstr(spec, sport, dport)
+fix_portstr(ulproto, spec, sport, dport)
+	int ulproto;
 	vchar_t *spec, *sport, *dport;
 {
-	const char *p, *p2 = "0";
-	char *q;
-	u_int l;
-
-	l = 0;
-	for (q = spec->buf; *q != ',' && *q != '\0' && l < spec->len; q++, l++)
-		;
-	if (*q != '\0') {
-		if (*q == ',') {
-			*q = '\0';
-			p2 = ++q;
-		}
-		for (p = p2; *p != '\0' && l < spec->len; p++, l++)
-			;
-		if (*p != '\0' || *p2 == '\0') {
+	char sp[16], dp[16];
+	int a, b, c, d;
+	unsigned long u;
+
+	if (spec->buf == NULL)
+		return 0;
+
+	switch (ulproto) {
+	case IPPROTO_ICMP:
+	case IPPROTO_ICMPV6:
+	case IPPROTO_MH:
+		if (sscanf(spec->buf, "%d,%d", &a, &b) == 2) {
+			sprintf(sp, "%d", a);
+			sprintf(dp, "%d", b);
+		} else if (sscanf(spec->buf, "%d", &a) == 1) {
+			sprintf(sp, "%d", a);
+		} else {
 			yyerror("invalid an upper layer protocol spec");
 			return -1;
 		}
+		break;
+	case IPPROTO_GRE:
+		if (sscanf(spec->buf, "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
+			sprintf(sp, "%d", (a << 8) + b);
+			sprintf(dp, "%d", (c << 8) + d);
+		} else if (sscanf(spec->buf, "%lu", &u) == 1) {
+			sprintf(sp, "%d", (int) (u >> 16));
+			sprintf(dp, "%d", (int) (u & 0xffff));
+		} else {
+			yyerror("invalid an upper layer protocol spec");
+			return -1;
+		}
+		break;
 	}
 
-	sport->buf = strdup(spec->buf);
+	free(sport->buf);
+	sport->buf = strdup(sp);
 	if (!sport->buf) {
 		yyerror("insufficient memory");
 		return -1;
 	}
 	sport->len = strlen(sport->buf);
-	dport->buf = strdup(p2);
+
+	free(dport->buf);
+	dport->buf = strdup(dp);
 	if (!dport->buf) {
 		yyerror("insufficient memory");
 		return -1;
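Review bot: `sp` and `dp` are uninitialized stack buffers, and several paths reach the `strdup(sp)`/`strdup(dp)` calls without writing them: a single-number ICMP spec (`icmp6 135`) sets only `sp`, where the old code defaulted the code to "0", and any protocol not listed in the switch falls straight through because there is no `default`, whereas the grammar previously rejected such input with -1. The GRE dotted-quad branch also computes `(a << 8) + b` on unchecked `%d` values, so a negative or oversized octet is undefined behaviour rather than a parse error, and a plain key larger than 32 bits is silently truncated. Initialising both buffers to "0", rejecting out-of-range octets and keys, and adding an erroring default restores the old behaviour; the function's closing brace is outside the hunk.

```c
	char sp[16] = "0", dp[16] = "0";
	int a, b, c, d;
	unsigned long u;

	if (spec->buf == NULL)
		return 0;

	switch (ulproto) {
	case IPPROTO_ICMP:
	case IPPROTO_ICMPV6:
	case IPPROTO_MH:
		/* … unchanged: "%d,%d" / "%d" parsing … */
		break;
	case IPPROTO_GRE:
		if (sscanf(spec->buf, "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
			if ((a | b | c | d) & ~0xff) {
				yyerror("invalid an upper layer protocol spec");
				return -1;
			}
			sprintf(sp, "%d", (a << 8) + b);
			sprintf(dp, "%d", (c << 8) + d);
		} else if (sscanf(spec->buf, "%lu", &u) == 1 && u <= 0xffffffffUL) {
			/* … unchanged: split u into high and low 16 bits … */
		} else {
			yyerror("invalid an upper layer protocol spec");
			return -1;
		}
		break;
	default:
		/* a type/code or key spec only makes sense for the protocols above */
		yyerror("invalid an upper layer protocol spec");
		return -1;
	}
```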

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.25 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.26
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.25	Fri Jun  4 21:53:36 2010
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8	Fri Dec  3 14:32:52 2010
@@ -1,4 +1,4 @@
-.\"	$NetBSD: setkey.8,v 1.25 2010/06/04 21:53:36 wiz Exp $
+.\"	$NetBSD: setkey.8,v 1.26 2010/12/03 14:32:52 tteras Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\" All rights reserved.
@@ -430,25 +430,31 @@
 or
 .Li icmp6 ,
 .Li ip4 ,
+.Li gre ,
 or
 .Li any .
 .Li any
 stands for
 .Dq any protocol .
 You can also use the protocol number.
-You can specify a type and/or a code of ICMPv6 when the
-upper-layer protocol is ICMPv6.
-The specification can be placed after
-.Li icmp6 .
-A type is separated from a code by single comma.
-A code must always be specified.
+Additional specification can be placed after the protocol name for
+some protocols.
+You can specify a type and/or a code of ICMP or ICMPv6.
+The type is separated from a code by single comma and the code must
+always be specified.
+GRE key can be specified in dotted-quad format or as plain number.
 When a zero is specified, the kernel deals with it as a wildcard.
 Note that the kernel can not distinguish a wildcard from an ICPMv6
 type of zero.
+.Pp
 For example, the following means that the policy doesn't require IPsec
 for any inbound Neighbor Solicitation.
 .Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ;
 .Pp
+A second example of requiring transport mode encryption of specific
+GRE tunnel:
+.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 ipsec esp/transport//require ;
+.Pp
 .Em Note :
 .Ar upperspec
 does not work against forwarding case at this moment,
@@ -456,7 +462,7 @@
 .Pq not implemented at this moment .
 There are many protocols in
 .Pa /etc/protocols ,
-but all protocols except of TCP, UDP, and ICMP may not be suitable
+but all protocols except of TCP, UDP, GRE, and ICMP may not be suitable
 to use with IPsec.
 You have to consider carefully what to use.
 .\"
