From: Aidas K. <mo...@us...> - 2004-11-14 20:15:52
Update of /cvsroot/ipsec-tools/ipsec-tools/src/setkey
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv17217/src/setkey
Modified Files: parse.y setkey.8 setkey.c
Log Message: RFC/kernel modes introduced into setkey; fwd policy generation; changed adminport socket location; updated docs
Index: setkey.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/setkey.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -d -r1.13 -r1.14
--- setkey.c 5 Nov 2004 13:27:17 -0000 1.13
+++ setkey.c 14 Nov 2004 20:15:43 -0000 1.14
@@ -106,6 +106,7 @@
 int f_hexdump = 0;
 int f_tflag = 0;
 int f_notreally = 0;
+int f_rfcmode = 1;
 static time_t thiszone;
 extern int lineno;
@@ -129,10 +130,10 @@
 {
 printf("setkey @(#) %s (%s)\n", TOP_PACKAGE_STRING, TOP_PACKAGE_URL);
 if (! only_version) {
-printf("usage: setkey [-v] file ...\n");
-printf(" setkey [-nv] -c\n");
-printf(" setkey [-nv] -f filename\n");
-printf(" setkey [-Palv] -D\n");
+printf("usage: setkey [-vrk] file ...\n");
+printf(" setkey [-nvrk] -c\n");
+printf(" setkey [-nvrk] -f filename\n");
+printf(" setkey [-Palvrk] -D\n");
 printf(" setkey [-Pv] -F\n");
 printf(" setkey [-H] -x\n");
 printf(" setkey [-V] [-h]\n");
@@ -157,7 +158,7 @@
 thiszone = gmt2local(0);
-while ((c = getopt(argc, argv, "acdf:HlnvxDFPhV")) != -1) {
+while ((c = getopt(argc, argv, "acdf:HlnvxDFPhVrk")) != -1) {
 switch (c) {
 case 'c':
 f_mode = MODE_STDIN;
@@ -197,6 +198,12 @@
 case 'v':
 f_verbose = 1;
 break;
+case 'r':
+f_rfcmode = 1;
+break;
+case 'k':
+f_rfcmode = 0;
+break;
 case 'V':
 usage(1);
 break;
Index: setkey.8
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/setkey.8,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- setkey.8 5 Jun 2004 14:48:55 -0000 1.8
+++ setkey.8 14 Nov 2004 20:15:43 -0000 1.9
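Review bot: In the new `case 'r':` and `case 'k':` arms the two flags simply overwrite `f_rfcmode`, so `setkey -r -k` silently ends in kernel mode and `-k -r` in RFC mode, while the updated usage text advertises them together as `[-vrk]` as if they combined. Since the mode decides whether an `in` policy also produces a `fwd` policy for forwarded traffic (the parse.y change in this same commit), a mis-ordered pair may leave forwarded packets unmatched by the policy the operator intended, with no diagnostic. I would reject conflicting flags, e.g. set a small `int f_mode_seen = 0;` in both arms and in `case 'k':` add `if (f_mode_seen) { fprintf(stderr, "-r and -k are mutually exclusive\n"); exit(1); }` (mirrored in `case 'r':`), or at minimum state in the usage text that the last of `-r`/`-k` wins. The getopt loop and usage() both continue outside the hunk.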
@@ -37,16 +37,16 @@
 .\"
 .Sh SYNOPSIS
 .Nm setkey
-.Op Fl nv
+.Op Fl nvrk
 .Ar file ...
 .Nm setkey
-.Op Fl nv
+.Op Fl nvrk
 .Fl c
 .Nm setkey
-.Op Fl v
+.Op Fl vrk
 .Fl f Ar filename
 .Nm setkey
-.Op Fl aPlv
+.Op Fl aPlvrk
 .Fl D
 .Nm setkey
 .Op Fl Pv
@@ -116,6 +116,11 @@
 No action. The program will check validity of input, but no changes to the SPD will be made.
+.It Fl r
+Use semantics described in IPSec RFCs. This mode is default. For details see section
+.Xr RFC vs kernel semantics.
+.It Fl k
+Use semantics used in kernel.
 .It Fl x
 Loop forever and dump all the messages transmitted to
 .Dv PF_KEY
@@ -472,9 +477,11 @@
 You must specify the direction of its policy as
 .Ar direction .
 Either
-.Li out
+.Ar out
+,
+.Ar in
 or
-.Li in
+.Ar fwd
 are used.
 .Pp
 .Ar priority specification
@@ -690,6 +697,25 @@
 deflate rfc2394
 .Ed
 .\"
+.Ss RFC vs kernel semantics
+Linux kernel uses
+.Ar fwd
+policy instead of
+.Ar in
+policy for packets what are forwarded through that particular box.
+.Pp
+In
+.Ar kernel
+mode setkey manages and shows policies and SAs exactly as they are stored in the kernel.
+.Pp
+In
+.Ar RFC
+mode
+.Ar setkey
+.Bd -literal
+creates fwd policies for every in policy inserted.
+(not implemented yet) filters out all fwd policies
+.Ed
 .Sh RETURN VALUES
 The command exits with 0 on success, and non-zero on errors.
 .\"
Index: parse.y
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/parse.y,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- parse.y 14 Nov 2004 16:37:16 -0000 1.16
+++ parse.y 14 Nov 2004 20:15:43 -0000 1.17
@@ -108,6 +108,7 @@
 extern int yylex __P((void));
 extern void yyfatal __P((const char *));
 extern void yyerror __P((const char *));
+extern int f_rfcmode;
 %}
 %union {
@@ -861,6 +862,7 @@
 int plen;
 struct sockaddr *sa;
 int salen;
+ struct sadb_x_policy *sp;
 msg = (struct sadb_msg *)buf;
@@ -871,6 +873,7 @@
 setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
 l = sizeof(struct sadb_msg);
+ sp = (struct sadb_x_policy*) (buf + l);
 memcpy(buf + l, policy->buf, policy->len);
 l += policy->len;
@@ -930,6 +933,20 @@
 sendkeymsg(buf, l);
+#ifdef HAVE_POLICY_FWD
+ /* create extra rule with FWD policy */
+ if (f_rfcmode && sp->sadb_x_policy_dir == IPSEC_DIR_INBOUND) {
+ sp->sadb_x_policy_dir = IPSEC_DIR_FWD;
+
+ /* XXX unique policies w/o numeric value specified
+ * will be inserted with deferent numerics.
+ * Will that work? */
+ sendkeymsg(buf, l);
+ /* restoring for next message */
+ sp->sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+ }
+#endif
+
 n++;
 }
 }
|
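Review bot: The `fwd` duplicate inside the `#ifdef HAVE_POLICY_FWD` block is sent regardless of whether the preceding `sendkeymsg(buf, l)` for the `in` policy succeeded, so a rejected `in` policy can still leave a `fwd` policy installed (or the reverse), and the caller is never told about the half-applied pair. If `sendkeymsg()` reports failure through its return value (not visible here), both calls should check it, e.g. `if (sendkeymsg(buf, l) < 0) return -1;` adapted to the function's existing error convention, with the direction restored before bailing out of the second call. Separately, `sp` is declared and assigned outside the `#ifdef` (the earlier hunks) but only read inside it, so builds without `HAVE_POLICY_FWD` get an unused-variable warning; putting the declaration and the `sp = ...` line under the same guard avoids that. The XXX note about `unique` policies without an explicit numeric id should be resolved rather than shipped: if the kernel assigns a fresh id to each message, the `in`/`fwd` pair may not share the SA the author intends, which is hard to spot from a `setkey -D -P` dump. The enclosing function starts before the hunk.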