Diffstat (limited to 'sbin/setkey')
-rw-r--r--sbin/setkey/parse.y57
-rw-r--r--sbin/setkey/setkey.853
-rw-r--r--sbin/setkey/setkey.c2
-rw-r--r--sbin/setkey/token.l2
4 files changed, 104 insertions, 10 deletions
diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index 448a8ee5278c..a7bcd2d8dafc 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -46,6 +46,7 @@
#include <string.h>
#include <unistd.h>
+#include <stdbool.h>
#include <stdio.h>
#include <stdint.h>
#include <netdb.h>
@@ -68,6 +69,8 @@ u_int p_natt_type;
struct addrinfo *p_natt_oai, *p_natt_oar;
int p_natt_sport, p_natt_dport;
int p_natt_fraglen;
+bool esn;
+vchar_t p_hwif;
static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
@@ -115,6 +118,7 @@ extern void yyerror(const char *);
%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
%token F_POLICY PL_REQUESTS
%token F_AIFLAGS F_NATT F_NATT_MTU
+%token F_ESN F_HWIF
%token TAGGED
%type <num> prefix protocol_spec upper_spec
@@ -539,12 +543,21 @@ extension
{
p_natt_fraglen = $2;
}
+ | F_ESN
+ {
+ esn = true;
+ p_ext |= SADB_X_SAFLAGS_ESN;
+ }
+ | F_HWIF STRING
+ {
+ p_hwif = $2;
+ }
;
/* definition about command for SPD management */
/* spdadd */
spdadd_command
- : SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec policy_spec EOT
+ : SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec policy_spec spd_hwif EOT
{
int status;
struct addrinfo *src, *dst;
@@ -648,6 +661,14 @@ ipaddropts
| ipaddropts ipaddropt
;
+spd_hwif
+ :
+ | F_HWIF STRING
+ {
+ p_hwif = $2;
+ }
+ ;
+
ipaddropt
: F_AIFLAGS
{
@@ -831,6 +852,7 @@ setkeymsg_spdaddr(unsigned type, unsigned upper, vchar_t *policy,
char buf[BUFSIZ];
int l, l0;
struct sadb_address m_addr;
+ struct sadb_x_if_hw_offl m_if_hw;
struct addrinfo *s, *d;
int n;
int plen;
@@ -849,6 +871,20 @@ setkeymsg_spdaddr(unsigned type, unsigned upper, vchar_t *policy,
memcpy(buf + l, policy->buf, policy->len);
l += policy->len;
+ if (p_hwif.len != 0) {
+ l0 = sizeof(struct sadb_x_if_hw_offl);
+ m_if_hw.sadb_x_if_hw_offl_len = PFKEY_UNIT64(l0);
+ m_if_hw.sadb_x_if_hw_offl_exttype = SADB_X_EXT_IF_HW_OFFL;
+ m_if_hw.sadb_x_if_hw_offl_flags = 0;
+ memset(&m_if_hw.sadb_x_if_hw_offl_if[0], 0,
+ sizeof(m_if_hw.sadb_x_if_hw_offl_if));
+ strlcpy(&m_if_hw.sadb_x_if_hw_offl_if[0], p_hwif.buf,
+ sizeof(m_if_hw.sadb_x_if_hw_offl_if));
+
+ memcpy(buf + l, &m_if_hw, l0);
+ l += l0;
+ }
+
l0 = l;
n = 0;
@@ -1040,6 +1076,7 @@ setkeymsg_add(unsigned type, unsigned satype, struct addrinfo *srcs,
struct sadb_x_nat_t_type m_natt_type;
struct sadb_x_nat_t_port m_natt_port;
struct sadb_x_nat_t_frag m_natt_frag;
+ struct sadb_x_if_hw_offl m_if_hw;
int n;
int plen;
struct sockaddr *sa;
@@ -1256,6 +1293,20 @@ setkeymsg_add(unsigned type, unsigned satype, struct addrinfo *srcs,
}
}
+ if (p_hwif.len != 0) {
+ len = sizeof(struct sadb_x_if_hw_offl);
+ m_if_hw.sadb_x_if_hw_offl_len = PFKEY_UNIT64(len);
+ m_if_hw.sadb_x_if_hw_offl_exttype = SADB_X_EXT_IF_HW_OFFL;
+ m_if_hw.sadb_x_if_hw_offl_flags = 0;
+ memset(&m_if_hw.sadb_x_if_hw_offl_if[0], 0,
+ sizeof(m_if_hw.sadb_x_if_hw_offl_if));
+ strlcpy(&m_if_hw.sadb_x_if_hw_offl_if[0], p_hwif.buf,
+ sizeof(m_if_hw.sadb_x_if_hw_offl_if));
+
+ memcpy(buf + l, &m_if_hw, len);
+ l += len;
+ }
+
if (n == 0)
return -1;
else
@@ -1355,6 +1406,10 @@ parse_init(void)
p_natt_oai = p_natt_oar = NULL;
p_natt_sport = p_natt_dport = 0;
p_natt_fraglen = -1;
+
+ esn = false;
+ p_hwif.len = 0;
+ p_hwif.buf = NULL;
}
void
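Review bot: The interface name is copied into `sadb_x_if_hw_offl_if` with strlcpy in both setkeymsg_spdaddr (hunk @@ -849) and setkeymsg_add (hunk @@ -1256) without checking the result, so a name longer than the field is silently truncated and the kernel is handed a request naming a different interface than the one the user wrote; the value should be rejected instead, either at the two `p_hwif = $2;` grammar actions via yyerror or where the extension is built. The two added blocks are identical apart from the length variable, so one static helper that performs the copy, the truncation check and the append would fix both places at once; setkeymsg_add already returns -1 for a failed message, and I assume setkeymsg_spdaddr uses the same convention (its body continues outside the hunks). Both blocks also rely on `p_hwif.buf` being NUL-terminated, which holds only if the STRING token's buffer is; that is not visible on this page. Neither block checks that `buf` has room for the extra extension before the memcpy, matching the surrounding code's existing pattern, but with a fixed `char buf[BUFSIZ]` that is worth a bound on `l`.
```c
/* Append an SADB_X_EXT_IF_HW_OFFL extension naming p_hwif at buf + *lp.
 * Returns -1 (and appends nothing) if the name does not fit the field. */
static int
setkeymsg_hwif(char *buf, int *lp)
{
	struct sadb_x_if_hw_offl m_if_hw;
	int len = sizeof(m_if_hw);

	memset(&m_if_hw, 0, len);	/* zero pad bytes as well as the name */
	m_if_hw.sadb_x_if_hw_offl_len = PFKEY_UNIT64(len);
	m_if_hw.sadb_x_if_hw_offl_exttype = SADB_X_EXT_IF_HW_OFFL;
	if (strlcpy(m_if_hw.sadb_x_if_hw_offl_if, p_hwif.buf,
	    sizeof(m_if_hw.sadb_x_if_hw_offl_if)) >=
	    sizeof(m_if_hw.sadb_x_if_hw_offl_if))
		return -1;	/* would be truncated: refuse rather than misdirect */
	memcpy(buf + *lp, &m_if_hw, len);
	*lp += len;
	return 0;
}

/* … in setkeymsg_spdaddr and setkeymsg_add, replacing each added block … */
	if (p_hwif.len != 0 && setkeymsg_hwif(buf, &l) < 0)
		return -1;
```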
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
index 7dab0f622efd..e3bcf10b9a9a 100644
--- a/sbin/setkey/setkey.8
+++ b/sbin/setkey/setkey.8
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd May 27, 2023
+.Dd August 25, 2024
.Dt SETKEY 8
.Os
.\"
@@ -230,7 +230,7 @@ IPv4/v6 address.
The
.Nm
utility
-can resolve a FQDN into numeric addresses.
+can resolve an FQDN into numeric addresses.
If the FQDN resolves into multiple addresses,
.Nm
will install multiple SAD/SPD entries into the kernel
@@ -341,6 +341,13 @@ symbols are part of the syntax for the ports specification,
not indication of the optional components.
.It Fl natt_mtu Ar fragsize
Configure NAT-T fragment size.
+.It Fl esn
+Enable Extended Sequence Number extension for this SA.
+.It Fl hwif Ar ifname
+Request hardware offload to the specified interface
+.Ar ifname
+(only).
+By default offload occurs to all capable interfaces.
.El
.\"
.Pp
@@ -472,27 +479,43 @@ is expressed in one of the following three formats:
.Xc
.El
.Pp
-The direction of a policy must be specified as
-one of:
+.Bl -tag -compact -width "policy level"
+.It Ar direction
+The
+.Ar direction
+of a policy must be specified as one of:
.Li out
or
.Li in .
+.It Ar policy level
The direction is followed by one of the following policy levels:
.Li discard ,
.Li none ,
or
.Li ipsec .
+.Bl -compact -bullet
+.It
The
.Li discard
-policylevel means that packets matching the supplied indices will
-be discarded while
+policy level means that packets matching the supplied indices will
+be discarded.
+.It
+The
.Li none
-means that IPsec operations will not take place on the packet and
+policy level means that IPsec operations will not take place on
+the packet.
+.It
+The
.Li ipsec
-means that IPsec operation will take place onto the packet.
+policy level means that IPsec operation will take place onto
+the packet.
+.El
+.It Ar protocol/mode/src-dst/level
The
.Ar protocol/mode/src-dst/level
statement gives the rule for how to process the packet.
+.Bl -compact -bullet
+.It
The
.Ar protocol
is specified as
@@ -500,12 +523,15 @@ is specified as
.Li esp
or
.Li ipcomp .
+.It
The
.Ar mode
is either
.Li transport
or
.Li tunnel .
+.El
+.Pp
If
.Ar mode
is
@@ -517,6 +543,7 @@ and
with a dash,
.Sq - ,
between the addresses.
+.Pp
If
.Ar mode
is
@@ -526,6 +553,7 @@ both
and
.Ar dst
can be omitted.
+.Pp
The
.Ar level
is one of the following:
@@ -534,25 +562,32 @@ or
.Li unique .
If the SA is not available in every level, the kernel will request
the SA from the key exchange daemon.
+.Pp
+.Bl -compact -bullet
+.It
A value of
.Li default
tells the kernel to use the system wide default protocol
e.g.,\& the one from the
.Li esp_trans_deflev
sysctl variable, when the kernel processes the packet.
+.It
A value of
.Li use
means that the kernel will use an SA if it is available,
otherwise the kernel will pass the packet as it would normally.
+.It
A value of
.Li require
means that an SA is required whenever the kernel sends a packet matched
that matches the policy.
+.It
The
.Li unique
level is the same as
.Li require
but, in addition, it allows the policy to bind with the unique out-bound SA.
+.Pp
For example, if you specify the policy level
.Li unique ,
.Xr racoon 8 Pq Pa ports/security/ipsec-tools
@@ -570,6 +605,8 @@ must be between 1 and 32767,
which corresponds to
.Ar extensions Fl u
of manual SA configuration.
+.El
+.El
.Pp
When you want to use an SA bundle, you can define multiple rules.
For
diff --git a/sbin/setkey/setkey.c b/sbin/setkey/setkey.c
index d9b905ad845e..f7268d8f1e10 100644
--- a/sbin/setkey/setkey.c
+++ b/sbin/setkey/setkey.c
@@ -502,7 +502,7 @@ static const char *ipproto[] = {
};
#define STR_OR_ID(x, tab) \
- (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x))
+ (((x) < nitems(tab) && tab[(x)]) ? tab[(x)] : numstr(x))
const char *
numstr(int x)
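Review bot: The new `STR_OR_ID` body calls `nitems(tab)`, which on FreeBSD comes from `<sys/param.h>`, and this hunk adds no include; unless setkey.c already pulls that header in (not visible here) the file will no longer compile. Worth confirming the include list before this lands. The macro also still evaluates `x` up to three times, as the old form did, so callers must not pass an expression with side effects; a one-line comment above the `#define`, `/* x and tab are evaluated more than once */`, would make that constraint visible.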
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
index 054a57ef1015..65756f0fd12c 100644
--- a/sbin/setkey/token.l
+++ b/sbin/setkey/token.l
@@ -187,6 +187,8 @@ nocyclic-seq { return(NOCYCLICSEQ); }
{hyphen}ls { return(F_LIFETIME_SOFT); }
{hyphen}natt { return(F_NATT); }
{hyphen}natt_mtu { return(F_NATT_MTU); }
+{hyphen}esn { return(F_ESN); }
+{hyphen}hwif { return(F_HWIF); }
/* ... */
any { return(ANY); }