[Ipsec-tools-commits] ipsec-tools/src/setkey parse.y,1.16,1.17 setkey.8,1.8,1.9 setkey.c,1.13,1.14

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Update of /cvsroot/ipsec-tools/ipsec-tools/src/setkey
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv17217/src/setkey

Modified Files:
	parse.y setkey.8 setkey.c 
Log Message:
RFC/kernel modes introduced into setkey; fwd policy generation;
changed adminport socket location; updated docs


Index: setkey.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/setkey.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -d -r1.13 -r1.14

--- setkey.c	5 Nov 2004 13:27:17 -0000	1.13
+++ setkey.c	14 Nov 2004 20:15:43 -0000	1.14
@@ -106,6 +106,7 @@
 int f_hexdump = 0;
 int f_tflag = 0;
 int f_notreally = 0;
+int f_rfcmode = 1;
 static time_t thiszone;
 
 extern int lineno;
@@ -129,10 +130,10 @@
 {
 	printf("setkey @(#) %s (%s)\n", TOP_PACKAGE_STRING, TOP_PACKAGE_URL); 
 	if (! only_version) {
-		printf("usage: setkey [-v] file ...\n");
-		printf("       setkey [-nv] -c\n");
-		printf("       setkey [-nv] -f filename\n");
-		printf("       setkey [-Palv] -D\n");
+		printf("usage: setkey [-vrk] file ...\n");
+		printf("       setkey [-nvrk] -c\n");
+		printf("       setkey [-nvrk] -f filename\n");
+		printf("       setkey [-Palvrk] -D\n");
 		printf("       setkey [-Pv] -F\n");
 		printf("       setkey [-H] -x\n");
 		printf("       setkey [-V] [-h]\n");
@@ -157,7 +158,7 @@
 
 	thiszone = gmt2local(0);
 
-	while ((c = getopt(argc, argv, "acdf:HlnvxDFPhV")) != -1) {
+	while ((c = getopt(argc, argv, "acdf:HlnvxDFPhVrk")) != -1) {
 		switch (c) {
 		case 'c':
 			f_mode = MODE_STDIN;
@@ -197,6 +198,12 @@
 		case 'v':
 			f_verbose = 1;
 			break;
+		case 'r':
+			f_rfcmode = 1;
+			break;
+		case 'k':
+			f_rfcmode = 0;
+			break;
 		case 'V':
 			usage(1);
 			break;

Index: setkey.8
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/setkey.8,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- setkey.8	5 Jun 2004 14:48:55 -0000	1.8
+++ setkey.8	14 Nov 2004 20:15:43 -0000	1.9
@@ -37,16 +37,16 @@
 .\"
 .Sh SYNOPSIS
 .Nm setkey
-.Op Fl nv
+.Op Fl nvrk
 .Ar file ...
 .Nm setkey
-.Op Fl nv
+.Op Fl nvrk
 .Fl c
 .Nm setkey
-.Op Fl v
+.Op Fl vrk
 .Fl f Ar filename
 .Nm setkey
-.Op Fl aPlv
+.Op Fl aPlvrk
 .Fl D
 .Nm setkey
 .Op Fl Pv
@@ -116,6 +116,11 @@
 No action.
 The program will check validity of input, but no changes to the SPD will
 be made.
+.It Fl r
+Use semantics described in IPSec RFCs. This mode is default. For details see section 
+.Xr RFC vs kernel semantics.
+.It Fl k
+Use semantics used in kernel.
 .It Fl x
 Loop forever and dump all the messages transmitted to
 .Dv PF_KEY
@@ -472,9 +477,11 @@
 You must specify the direction of its policy as
 .Ar direction .
 Either
-.Li out
+.Ar out
+,
+.Ar in
 or
-.Li in
+.Ar fwd
 are used.
 .Pp
 .Ar priority specification
@@ -690,6 +697,25 @@
 deflate		rfc2394
 .Ed
 .\"
+.Ss RFC vs kernel semantics
+Linux kernel uses 
+.Ar fwd 
+policy instead of 
+.Ar in
+policy for packets what are forwarded through that particular box.
+.Pp
+In 
+.Ar kernel
+mode setkey manages and shows policies and SAs exactly as they are stored in the kernel.
+.Pp
+In 
+.Ar RFC
+mode 
+.Ar setkey
+.Bd -literal
+creates fwd policies for every in policy inserted.
+(not implemented yet) filters out all fwd policies
+.Ed
 .Sh RETURN VALUES
 The command exits with 0 on success, and non-zero on errors.
 .\"

Index: parse.y
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/parse.y,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- parse.y	14 Nov 2004 16:37:16 -0000	1.16
+++ parse.y	14 Nov 2004 20:15:43 -0000	1.17
@@ -108,6 +108,7 @@
 extern int yylex __P((void));
 extern void yyfatal __P((const char *));
 extern void yyerror __P((const char *));
+extern int f_rfcmode;
 %}
 
 %union {
@@ -861,6 +862,7 @@
 	int plen;
 	struct sockaddr *sa;
 	int salen;
+	struct sadb_x_policy *sp;
 
 	msg = (struct sadb_msg *)buf;
 
@@ -871,6 +873,7 @@
 	setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
 	l = sizeof(struct sadb_msg);
 
+	sp = (struct sadb_x_policy*) (buf + l);
 	memcpy(buf + l, policy->buf, policy->len);
 	l += policy->len;
 
@@ -930,6 +933,20 @@
 
 			sendkeymsg(buf, l);
 
+#ifdef HAVE_POLICY_FWD
+			/* create extra rule with FWD policy */
+			if (f_rfcmode && sp->sadb_x_policy_dir == IPSEC_DIR_INBOUND) {
+				sp->sadb_x_policy_dir = IPSEC_DIR_FWD;
+
+				/* XXX unique policies w/o numeric value specified
+				 * will be inserted with deferent numerics.
+				 * Will that work? */
+				sendkeymsg(buf, l);
+				/* restoring for next message */
+				sp->sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+			}
+#endif
+
 			n++;
 		}
 	}



