author | 2006-03-07 00:30:28 +0000 | |
---|---|---|
committer | 2006-03-07 00:30:28 +0000 | |
commit | 7c7fb9e5068badaecc9e9ed9b45686abc74a0322 (patch) | |
tree | 1bee5ccb91528027769ae453f207547be5909b14 | |
parent | add an ike option for road warrior setups (hosts with dynamic ip (diff) | |
download | wireguard-openbsd-7c7fb9e5068badaecc9e9ed9b45686abc74a0322.tar.xz wireguard-openbsd-7c7fb9e5068badaecc9e9ed9b45686abc74a0322.zip |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 18 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 42 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkey.c | 8 |
3 files changed, 56 insertions, 12 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 75f7503da2c..1fa68432dc4 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.31 2006/03/07 00:19:58 reyk Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.32 2006/03/07 00:30:28 reyk Exp $
 .\"
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
 .\"
@@ -115,6 +115,18 @@ is identical to the
 .Ar peer
 specification can be left out.
+.It Ar type Aq Ar modifier
+This optional parameter sets up special flows using the modifiers
+.Ar bypass
+or
+.Ar deny .
+A bypass flow is used to specify a flow for which security processing
+will be bypassed: matching packets will not be processed by any other
+flows and handled in normal operation.
+A deny flow is used to drop any matching packets.
+By default,
+.Xr ipsecctl 8
+will automatically set up normal flows with the corresponding type.
 .El
 .Sh IPSEC SAs
 The security parameters for a
@@ -518,6 +530,10 @@ tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000:0x1001 \e
 ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2
 ike esp from 192.168.3.1 to 192.168.3.2
+
+# Use bypass flow to exclude local subnets from larger VPNs
+flow in from 192.168.62.0/24 to 192.168.62.0/24 type bypass
+ike dynamic esp from 192.168.62.0/24 to 192.168.48.0/20 peer 192.168.3.12
 .Ed
 .Sh SEE ALSO
 .Xr ipcomp 4 ,
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index a5ff3817e07..541d01d619c 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.51 2006/03/07 00:19:58 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.52 2006/03/07 00:30:28 reyk Exp $ */
 /*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -133,7 +133,7 @@ struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t,
 struct ipsec_key *, struct ipsec_key *);
 struct ipsec_rule *create_flow(u_int8_t, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
- u_int8_t, char *, char *);
+ u_int8_t, char *, char *, u_int8_t);
 struct ipsec_rule *reverse_rule(struct ipsec_rule *);
 struct ipsec_rule *create_ike(struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
@@ -162,6 +162,7 @@ typedef struct {
 char *dstid;
 } ids;
 char *id;
+ u_int8_t type;
 struct ike_auth ikeauth;
 struct {
 u_int32_t spiout;
@@ -191,6 +192,7 @@ typedef struct {
 %token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI
 %token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE
 %token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC
+%token TYPE DENY BYPASS
 %token <v.string> STRING
 %type <v.dir> dir
 %type <v.protocol> protocol
@@ -210,6 +212,7 @@ typedef struct {
 %type <v.qmxfs> qmxfs
 %type <v.ikemode> ikemode
 %type <v.ikeauth> ikeauth
+%type <v.type> type
 %%
 
 grammar : /* empty */
@@ -292,11 +295,11 @@ sarule : protocol tmode hosts spispec transforms authkeyspec
 }
 ;
 
-flowrule : FLOW protocol dir hosts peer ids {
+flowrule : FLOW protocol dir hosts peer ids type {
 struct ipsec_rule *r;
 
 r = create_flow($3, $4.src, $4.dst, $5, $2, $6.srcid,
- $6.dstid);
+ $6.dstid, $7);
 if (r == NULL)
 YYERROR;
 r->nr = ipsec->rule_nr++;
@@ -305,7 +308,7 @@ flowrule : FLOW protocol dir hosts peer ids {
 errx(1, "flowrule: ipsecctl_add_rule");
 
 /* Create and add reverse flow rule. */
- if ($3 == IPSEC_INOUT) {
+ if ($7 == TYPE_UNKNOWN && $3 == IPSEC_INOUT) {
 r = reverse_rule(r);
 r->nr = ipsec->rule_nr++;
 
@@ -421,6 +424,17 @@ ids : /* empty */ {
 }
 ;
 
+type : /* empty */ {
+ $$ = TYPE_UNKNOWN;
+ }
+ | TYPE DENY {
+ $$ = TYPE_DENY;
+ }
+ | TYPE BYPASS {
+ $$ = TYPE_BYPASS;
+ }
+ ;
+
 id : STRING { $$ = $1; }
 ;
 
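Review bot: A bypass or deny flow written without an explicit direction now comes out one-directional: the reverse rule in the flowrule action is only built when `$7 == TYPE_UNKNOWN && $3 == IPSEC_INOUT`, while create_flow (the -1479 hunk, whose `else r->direction = dir;` tail suggests IPSEC_INOUT is folded into a single direction just above it) still yields one rule. So `flow from 192.168.62.0/24 to 192.168.62.0/24 type bypass` would bypass one direction only while the reply traffic keeps matching the normal flows, which is presumably why the ipsec.conf.5 example spells out `flow in`. Either call reverse_rule for typed flows as well (if it copes with the peer-less rule create_flow now returns), or state in the new `.It Ar type` entry that bypass and deny flows are not mirrored and need an explicit `in` or `out`. The flowrule action continues past the end of this hunk.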
@@ -632,7 +646,9 @@ lookup(char *s)
 { "any", ANY },
 { "auth", AUTHXF },
 { "authkey", AUTHKEY },
+ { "bypass", BYPASS },
 { "comp", COMPXF },
+ { "deny", DENY },
 { "dstid", DSTID },
 { "dynamic", DYNAMIC },
 { "enc", ENCXF },
@@ -658,6 +674,7 @@ lookup(char *s)
 { "to", TO },
 { "transport", TRANSPORT },
 { "tunnel", TUNNEL },
+ { "type", TYPE },
 };
 const struct keywords *p;
 
@@ -1464,7 +1481,7 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
 struct ipsec_rule *
 create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
 struct ipsec_addr_wrap *peer, u_int8_t proto, char *srcid, char
- *dstid)
+ *dstid, u_int8_t type)
 {
 struct ipsec_rule *r;
 
@@ -1479,14 +1496,20 @@ create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
 else
 r->direction = dir;
 
+ r->proto = proto;
+ r->src = src;
+ r->dst = dst;
+
+ if (type != TYPE_UNKNOWN) {
+ r->flowtype = type;
+ return (r);
+ }
+
 if (r->direction == IPSEC_IN)
 r->flowtype = TYPE_USE;
 else
 r->flowtype = TYPE_REQUIRE;
 
- r->src = src;
- r->dst = dst;
-
 if (peer == NULL) {
 /* Set peer to remote host. Must be a host address. */
 if (r->direction == IPSEC_IN) {
@@ -1505,7 +1528,6 @@ create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
 } else
 r->peer = peer;
 
- r->proto = proto;
 r->auth = calloc(1, sizeof(struct ipsec_auth));
 if (r->auth == NULL)
 err(1, "create_flow: calloc");
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index c25345b6a7f..1e3e3c91104 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.32 2005/12/06 14:27:57 markus Exp $ */
+/* $OpenBSD: pfkey.c,v 1.33 2006/03/07 00:30:28 reyk Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
 * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
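Review bot: The early `return (r)` added to create_flow for bypass and deny flows leaves before the peer handling and before `r->auth = calloc(...)`, so a `peer` given on such a flow is silently discarded and the rule's peer and auth members keep whatever the allocation of r (above the hunk) put there, presumably NULL. Everything that later reads a flow rule — pfkey_flow in sbin/ipsecctl/pfkey.c, whose body sits outside its hunk, and reverse_rule, which the commit merely avoids calling for typed flows — then has to tolerate a NULL peer and auth, and nothing visible here shows that it does. Rather than ignore the peer I would reject the combination in the flowrule action before the create_flow call, `if ($7 != TYPE_UNKNOWN && $5 != NULL) { yyerror("peer is not allowed for bypass/deny flows"); YYERROR; }`, and note under `.It Ar type` that a peer is not used for these types. create_flow continues outside the hunk on both sides.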
@@ -140,6 +140,12 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
 case TYPE_REQUIRE:
 sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE;
 break;
+ case TYPE_DENY:
+ sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_DENY;
+ break;
+ case TYPE_BYPASS:
+ sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_BYPASS;
+ break;
 default:
 warnx("unsupported flowtype %d", flowtype);
 return -1;