authortobhe <tobhe@openbsd.org>2020-04-23 20:17:48 +0000
committertobhe <tobhe@openbsd.org>2020-04-23 20:17:48 +0000
commit0347364bcafdc08a518dbaa9a2e5afa4f10abdc0 (patch)
tree4148759110cf24272cc8ac3eebb5a884e992cd97 /sbin/iked/policy.c
parentSupport SADB_X_EXT_RDOMAIN extension in pfkey dump (-m). (diff)
Add support for switching rdomain on IPsec encryption/decryption.
It can be configured per policy with the new 'rdomain' option (see iked.conf(5)). Only the unencrypted (inner) rdomain has to be configured, the encrypted rdomain is always the one the responsible iked instance is running in. The configured rdomain must exist before iked activates the IPsec SAs, otherwise pfkey will return an error. ok markus@, patrick@
Diffstat (limited to 'sbin/iked/policy.c')
-rw-r--r--sbin/iked/policy.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 3a05d947927..aa320248dd5 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.58 2020/04/04 20:36:34 tobhe Exp $ */
+/* $OpenBSD: policy.c,v 1.59 2020/04/23 20:17:48 tobhe Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -875,6 +875,8 @@ flow_cmp(struct iked_flow *a, struct iked_flow *b)
int diff = 0;
if (!diff)
+ diff = a->flow_rdomain - b->flow_rdomain;
+ if (!diff)
diff = (int)a->flow_ipproto - (int)b->flow_ipproto;
if (!diff)
diff = (int)a->flow_saproto - (int)b->flow_saproto;
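Review bot: The added line `diff = a->flow_rdomain - b->flow_rdomain;` is the only comparison in this chain without an `(int)` cast, and the hunk does not show the type of flow_rdomain. If the field is unsigned or wider than int, the subtraction can give the wrong sign once it is stored in `diff`; `diff = (a->flow_rdomain > b->flow_rdomain) - (a->flow_rdomain < b->flow_rdomain);` orders correctly whatever the type. Because rdomain is now part of the flow ordering, any code that fills a struct iked_flow as a lookup key presumably has to set flow_rdomain as well, including the value used when no rdomain is configured, or an existing flow may fail to match. A short comment above the new test, such as `/* rdomain is part of the flow identity; keys must set it */`, would record that. The body of flow_cmp starts and ends outside the hunk.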