Module Name: src Committed By: tteras Date: Fri Dec 3 14:32:53 UTC 2010
Modified Files: src/crypto/dist/ipsec-tools/src/libipsec: libpfkey.h pfkey_dump.c src/crypto/dist/ipsec-tools/src/setkey: parse.y setkey.8 Log Message: Support GRE key as upper layer protocol specifier (will be supported in Linux kernel 2.6.38). To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 \ src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h \ src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/setkey/parse.y cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/setkey/setkey.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h diff -u src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.17 src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.18 --- src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.17 Mon Aug 17 13:52:14 2009 +++ src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h Fri Dec 3 14:32:52 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: libpfkey.h,v 1.17 2009/08/17 13:52:14 vanhu Exp $ */ +/* $NetBSD: libpfkey.h,v 1.18 2010/12/03 14:32:52 tteras Exp $ */ /* Id: libpfkey.h,v 1.13 2005/12/04 20:26:43 manubsd Exp */ @@ -210,6 +210,10 @@ #define IPPROTO_IPCOMP IPPROTO_COMP #endif +#ifndef IPPROTO_MH +#define IPPROTO_MH 135 +#endif + static __inline u_int8_t sysdep_sa_len (const struct sockaddr *sa) { Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.17 src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.18 --- src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.17 Fri Apr 2 15:13:26 2010 +++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c Fri Dec 3 14:32:52 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: pfkey_dump.c,v 1.17 2010/04/02 15:13:26 christos Exp $ */ +/* $NetBSD: pfkey_dump.c,v 1.18 2010/12/03 14:32:52 tteras Exp $ */ /* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */ @@ -716,13 +716,19 @@ else snprintf(prefbuf, sizeof(prefbuf), "/%u", pref); - if (ulp == IPPROTO_ICMPV6) + switch (ulp) { + case IPPROTO_ICMP: + case IPPROTO_ICMPV6: + case IPPROTO_MH: + case IPPROTO_GRE: memset(portbuf, 0, sizeof(portbuf)); - else { + break; + default: if (port == IPSEC_PORT_ANY) - snprintf(portbuf, sizeof(portbuf), "[%s]", "any"); + strcpy(portbuf, "[any]"); else snprintf(portbuf, sizeof(portbuf), "[%u]", port); + break; } snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf); 
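Review bot: In the -716 hunk of pfkey_dump.c the `any` branch now uses `strcpy(portbuf, "[any]")` while the sibling branch two lines below keeps the bounded `snprintf(portbuf, sizeof(portbuf), "[%u]", port)`; portbuf's declaration is outside the hunk, so its size cannot be checked here, and a literal `strcpy` is the one write into that buffer the compiler will not size-check if the array is ever shrunk. The original form `snprintf(portbuf, sizeof(portbuf), "[any]");` costs nothing and keeps every write to portbuf bounded and consistent. The enclosing function starts and ends outside the hunk.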
@@ -734,29 +740,26 @@ str_upperspec(ulp, p1, p2) u_int ulp, p1, p2; { - if (ulp == IPSEC_ULPROTO_ANY) - printf("any"); - else if (ulp == IPPROTO_ICMPV6) { - printf("icmp6"); - if (!(p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY)) - printf(" %u,%u", p1, p2); - } else { - struct protoent *ent; + struct protoent *ent; - switch (ulp) { - case IPPROTO_IPV4: - printf("ip4"); - break; - default: - ent = getprotobynumber((int)ulp); - if (ent) - printf("%s", ent->p_name); - else - printf("%u", ulp); + ent = getprotobynumber((int)ulp); + if (ent) + printf("%s", ent->p_name); + else + printf("%u", ulp); - endprotoent(); - break; - } + if (p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY) + return; + + switch (ulp) { + case IPPROTO_ICMP: + case IPPROTO_ICMPV6: + case IPPROTO_MH: + printf(" %u,%u", p1, p2); + break; + case IPPROTO_GRE: + printf(" %u", (p1 << 16) + p2); + break; } } Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.13 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.14 --- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.13 Fri Jun 4 13:06:03 2010 +++ src/crypto/dist/ipsec-tools/src/setkey/parse.y Fri Dec 3 14:32:52 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: parse.y,v 1.13 2010/06/04 13:06:03 vanhu Exp $ */ +/* $NetBSD: parse.y,v 1.14 2010/12/03 14:32:52 tteras Exp $ */ /* $KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $ */ @@ -57,10 +57,6 @@ #include "vchar.h" #include "extern.h" -#ifndef IPPROTO_MH -#define IPPROTO_MH 135 -#endif - #define DEFAULT_NATT_PORT 4500 #ifndef UDP_ENCAP_ESPINUDP @@ -95,7 +91,7 @@ static int p_aiflags = 0, p_aifamily = PF_UNSPEC; static struct addrinfo *parse_addr __P((char *, char *)); -static int fix_portstr __P((vchar_t *, vchar_t *, vchar_t *)); +static int fix_portstr __P((int, vchar_t *, vchar_t *, vchar_t *)); static int setvarbuf __P((char *, int *, struct sadb_ext *, int, const void *, int)); void parse_init __P((void)); 
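Review bot: The rewritten str_upperspec drops the explicit `any` and `ip4` spellings and sends every ulp through getprotobynumber(), so protocol 4 is now printed under whatever name /etc/protocols gives it (commonly `ipencap`) and IPSEC_ULPROTO_ANY prints as a bare number when the database has no entry for it; if setkey's upperspec grammar still expects `ip4`/`any`, `setkey -D -P` output stops round-tripping through `setkey -c` — worth confirming against parse.y's keyword table, since the caller may also filter `any` before reaching here. The `endprotoent()` that the removed code called after each lookup is not carried over, so the protocols database handle is left open after every dump. Keeping the two special cases and the endprotoent() call in front of the new type/key suffix logic is a small change:
```c
	struct protoent *ent;

	switch (ulp) {
	case IPSEC_ULPROTO_ANY:
		printf("any");
		break;
	case IPPROTO_IPV4:
		printf("ip4");	/* spelling accepted by setkey's own grammar */
		break;
	default:
		ent = getprotobynumber((int)ulp);
		if (ent)
			printf("%s", ent->p_name);
		else
			printf("%u", ulp);
		endprotoent();
		break;
	}
	/* … unchanged: IPSEC_PORT_ANY early return and the ICMP/MH/GRE suffix switch … */
```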
@@ -584,16 +580,8 @@ #endif /* fixed port fields if ulp is icmp */ - if ($10.buf != NULL) { - if (($9 != IPPROTO_ICMPV6) && - ($9 != IPPROTO_ICMP) && - ($9 != IPPROTO_MH)) - return -1; - free($5.buf); - free($8.buf); - if (fix_portstr(&$10, &$5, &$8)) - return -1; - } + if (fix_portstr($9, &$10, &$5, &$8)) + return -1; src = parse_addr($3.buf, $5.buf); dst = parse_addr($6.buf, $8.buf); @@ -638,16 +626,8 @@ #endif /* fixed port fields if ulp is icmp */ - if ($10.buf != NULL) { - if (($9 != IPPROTO_ICMPV6) && - ($9 != IPPROTO_ICMP) && - ($9 != IPPROTO_MH)) - return -1; - free($5.buf); - free($8.buf); - if (fix_portstr(&$10, &$5, &$8)) - return -1; - } + if (fix_portstr($9, &$10, &$5, &$8)) + return -1; src = parse_addr($3.buf, $5.buf); dst = parse_addr($6.buf, $8.buf); @@ -687,16 +667,8 @@ struct addrinfo *src, *dst; /* fixed port fields if ulp is icmp */ - if ($10.buf != NULL) { - if (($9 != IPPROTO_ICMPV6) && - ($9 != IPPROTO_ICMP) && - ($9 != IPPROTO_MH)) - return -1; - free($5.buf); - free($8.buf); - if (fix_portstr(&$10, &$5, &$8)) - return -1; - } + if (fix_portstr($9, &$10, &$5, &$8)) + return -1; src = parse_addr($3.buf, $5.buf); dst = parse_addr($6.buf, $8.buf); 
@@ -1584,36 +1556,55 @@ } static int -fix_portstr(spec, sport, dport) +fix_portstr(ulproto, spec, sport, dport) + int ulproto; vchar_t *spec, *sport, *dport; { - const char *p, *p2 = "0"; - char *q; - u_int l; - - l = 0; - for (q = spec->buf; *q != ',' && *q != '\0' && l < spec->len; q++, l++) - ; - if (*q != '\0') { - if (*q == ',') { - *q = '\0'; - p2 = ++q; - } - for (p = p2; *p != '\0' && l < spec->len; p++, l++) - ; - if (*p != '\0' || *p2 == '\0') { + char sp[16], dp[16]; + int a, b, c, d; + unsigned long u; + + if (spec->buf == NULL) + return 0; + + switch (ulproto) { + case IPPROTO_ICMP: + case IPPROTO_ICMPV6: + case IPPROTO_MH: + if (sscanf(spec->buf, "%d,%d", &a, &b) == 2) { + sprintf(sp, "%d", a); + sprintf(dp, "%d", b); + } else if (sscanf(spec->buf, "%d", &a) == 1) { + sprintf(sp, "%d", a); + } else { yyerror("invalid an upper layer protocol spec"); return -1; } + break; + case IPPROTO_GRE: + if (sscanf(spec->buf, "%d.%d.%d.%d", &a, &b, &c, &d) == 4) { + sprintf(sp, "%d", (a << 8) + b); + sprintf(dp, "%d", (c << 8) + d); + } else if (sscanf(spec->buf, "%lu", &u) == 1) { + sprintf(sp, "%d", (int) (u >> 16)); + sprintf(dp, "%d", (int) (u & 0xffff)); + } else { + yyerror("invalid an upper layer protocol spec"); + return -1; + } + break; } - sport->buf = strdup(spec->buf); + free(sport->buf); + sport->buf = strdup(sp); if (!sport->buf) { yyerror("insufficient memory"); return -1; } sport->len = strlen(sport->buf); - dport->buf = strdup(p2); + + free(dport->buf); + dport->buf = strdup(dp); if (!dport->buf) { yyerror("insufficient memory"); return -1; Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8 diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.25 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.26 --- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.25 Fri Jun 4 21:53:36 2010 +++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8 Fri Dec 3 14:32:52 2010 
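Review bot: fix_portstr's new switch has no `default:` case, so for any upper-layer protocol other than ICMP/ICMPv6/MH/GRE a present spec (e.g. `tcp 1,2`) falls through to `strdup(sp)` and `strdup(dp)` with both arrays uninitialised — undefined behaviour that can read past the stack buffers — whereas the three call sites replaced in the -584, -638 and -687 hunks used to reject exactly that with `return -1`. The single-number ICMP form (`sscanf(spec->buf, "%d", &a) == 1`) likewise leaves `dp` unset, where the old code substituted "0". The `%d` conversions are also unchecked: a negative octet makes `(a << 8)` undefined, a type or code above 255 and a GRE key wider than 32 bits pass through silently, and on LP64 `(int)(u >> 16)` can exceed the 16-bit port field it is stored in. Initialising `sp`/`dp`, rejecting out-of-range values and adding the default branch closes all of these; the tail of fix_portstr (the `dport->len` assignment and final return) lies outside the hunk.
```c
	char sp[16] = "0", dp[16] = "0";	/* a missing ICMP code stays "0", as before */
	int a, b, c, d;
	unsigned long u;

	if (spec->buf == NULL)
		return 0;

	switch (ulproto) {
	case IPPROTO_ICMP:
	case IPPROTO_ICMPV6:
	case IPPROTO_MH:
		/* "type[,code]"; both are 8-bit fields, 0 being the wildcard */
		b = 0;
		if (sscanf(spec->buf, "%d,%d", &a, &b) < 1 ||
		    a < 0 || a > 255 || b < 0 || b > 255) {
			yyerror("invalid an upper layer protocol spec");
			return -1;
		}
		sprintf(sp, "%d", a);
		sprintf(dp, "%d", b);
		break;
	case IPPROTO_GRE:
		/* "a.b.c.d" or a plain 32-bit key; validate before shifting */
		if (sscanf(spec->buf, "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
			if ((a | b | c | d) & ~0xff) {
				yyerror("invalid an upper layer protocol spec");
				return -1;
			}
			u = ((unsigned long)a << 24) | ((unsigned long)b << 16) |
			    ((unsigned long)c << 8) | (unsigned long)d;
		} else if (sscanf(spec->buf, "%lu", &u) != 1 || u > 0xffffffffUL) {
			yyerror("invalid an upper layer protocol spec");
			return -1;
		}
		sprintf(sp, "%lu", (u >> 16) & 0xffff);
		sprintf(dp, "%lu", u & 0xffff);
		break;
	default:
		/* no type/code/key spec is defined for other protocols */
		yyerror("invalid an upper layer protocol spec");
		return -1;
	}
	/* … unchanged: free()/strdup() of sport and dport … */
```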
@@ -1,4 +1,4 @@ -.\" $NetBSD: setkey.8,v 1.25 2010/06/04 21:53:36 wiz Exp $ +.\" $NetBSD: setkey.8,v 1.26 2010/12/03 14:32:52 tteras Exp $ .\" .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. .\" All rights reserved. @@ -430,25 +430,31 @@ or .Li icmp6 , .Li ip4 , +.Li gre , or .Li any . .Li any stands for .Dq any protocol . You can also use the protocol number. -You can specify a type and/or a code of ICMPv6 when the -upper-layer protocol is ICMPv6. -The specification can be placed after -.Li icmp6 . -A type is separated from a code by single comma. -A code must always be specified. +Additional specification can be placed after the protocol name for +some protocols. +You can specify a type and/or a code of ICMP or ICMPv6. +The type is separated from a code by single comma and the code must +always be specified. +GRE key can be specified in dotted-quad format or as plain number. When a zero is specified, the kernel deals with it as a wildcard. Note that the kernel can not distinguish a wildcard from an ICPMv6 type of zero. +.Pp For example, the following means that the policy doesn't require IPsec for any inbound Neighbor Solicitation. .Dl spdadd ::/0 ::/0 icmp6 135,0 -P in none ; .Pp +A second example of requiring transport mode encryption of specific +GRE tunnel: +.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 ipsec esp/transport//require ; +.Pp .Em Note : .Ar upperspec does not work against forwarding case at this moment, @@ -456,7 +462,7 @@ .Pq not implemented at this moment . There are many protocols in .Pa /etc/protocols , -but all protocols except of TCP, UDP, and ICMP may not be suitable +but all protocols except of TCP, UDP, GRE, and ICMP may not be suitable to use with IPsec. You have to consider carefully what to use. .\"