path: root/sbin/ipsecctl/ipsecctl.c
Commit message | Author | Age | Files | Lines
* Remove unused af argument from unmask(), sync with pfctl | kn | 2018-09-07 | 1 | -5/+4
  Noted by jca, thanks. OK jca claudio
* Support collapsing flow outputs. | mpi | 2017-11-20 | 1 | -8/+196
  Makes it easier to check live status of complex setups. ok hshoexer@
* Rename all SA groups to bundles consistently. The first kernel | bluhm | 2017-04-19 | 1 | -8/+8
  commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
* Now that the kernel provides information about IPsec SA bundles, | bluhm | 2017-03-02 | 1 | -4/+1
  print them by default. OK hshoexer@
* Remove NULL-checks before free(). ok tb@ | mmcc | 2015-12-10 | 1 | -31/+16
* Replace <sys/param.h> with <limits.h> and other less dirty headers where | deraadt | 2015-01-16 | 1 | -2/+1
  possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
* Yet more #include de-duplication. | krw | 2014-11-20 | 1 | -2/+1
  ok deraadt@ tedu@
* don't output "esn" string in the rule section as we can't use the | mikeb | 2012-07-05 | 1 | -3/+1
  keyword in the grammar to create an esn-enabled rule (no reason to do so for manual sa configuration). instead decode sa flags so that we can also watch changes happening in the realtime with the monitor mode. prompted and ok by naddy
* Print esn flag when dumping SAs with ESN enabled | mikeb | 2012-06-29 | 1 | -2/+4
* - put -i in the right place | jmc | 2011-11-08 | 1 | -2/+2
  - prevent an erroneous space in the formatting of -D
* allow the path to isakmpd's fifo to be specified (aka changed) on the | henning | 2011-11-08 | 1 | -4/+10
  command line, ok mikeb sthen
* A warning text in ipsecctl was used twice. Make the messages unique | bluhm | 2009-01-27 | 1 | -2/+2
  for easier debugging. ok grunk@, hshoexer@, todd@
* Add support to isakmpd(8) and ipsecctl(8) to install SA's with a | mpf | 2009-01-20 | 1 | -1/+3
  different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
* Free the rules in the rule_queue also if ipsecctl is called with | bluhm | 2008-07-21 | 1 | -7/+13
  the -n switch. This triggers malloc related bugs during the regress tests. ok hshoexer
* Isakmpd acquire mode did not work with a config generated from | bluhm | 2008-07-01 | 1 | -1/+3
  ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd
* in all these programs using the same pfctl-derived parse.y, re-unify the | deraadt | 2007-10-13 | 1 | -20/+2
  yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
* no need to include both sys/types.h and params.h | hshoexer | 2007-08-21 | 1 | -2/+1
* do not display empty authkey/enckey line when -k option is not | hshoexer | 2007-02-19 | 1 | -3/+3
  specified. ok markus@
* add -k to usage(); | jmc | 2007-01-10 | 1 | -2/+2
* do not print secret keys by default, -k restores old behaviour; ok hshoexer | markus | 2007-01-03 | 1 | -2/+8
* handle multiple SAs with same src/dst but different port; | markus | 2006-11-30 | 1 | -1/+7
  store IKE connection string and phase2 IDs in the ipsec rule; cleanup internal API: pass rules around instead of rule members; report Brian Candler; fix with hshoexer, msf; ok hshoexer
* When using -vv, also show grouped SAs. | hshoexer | 2006-11-10 | 1 | -1/+19
* KNF unrelated to previous commit. | mcbride | 2006-11-01 | 1 | -2/+2
* Add support for aggressive mode (from the k2k6 IPsec hackathon). | mcbride | 2006-11-01 | 1 | -9/+9
  ok hshoexer
* sort SAs by spi; ok hshoexer | markus | 2006-09-19 | 1 | -4/+39
* Security Association Database is abbreviated 'SAD' (RFC 2401 et al), not 'SADB'. jmc@, hshoexer@ ok. | ho | 2006-08-31 | 1 | -3/+3
* fix usage, make synopsis more pretty. noticed by david@ | hshoexer | 2006-06-08 | 1 | -2/+2
* exit(2) when loading of rules did work partially. ok markus@ | hshoexer | 2006-06-02 | 1 | -7/+11
* add trailing \ when printing multiple lines for an SA, this way | markus | 2006-06-02 | 1 | -3/+3
  the output of ipsecctl matches its input
* allow to specify phase 1 and 2 lifetimes. Right now, these values | hshoexer | 2006-06-02 | 1 | -1/+9
  can only be set globally (ie. Default-phase-[12]-lifetime).
* Support flows with port modifiers for proto tcp/udp, e.g. | naddy | 2006-06-01 | 1 | -1/+23
  flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
  ok hshoexer@ msf@
* more to free, needed for SA grouping. | hshoexer | 2006-06-01 | 1 | -7/+13
* convert pfkey to ipsec_rule and use ipsecctl_print_rule() when dumping | markus | 2006-06-01 | 1 | -2/+1
  the in-kernel SAs. this way we produce the same output as rule loading ok hshoexer
* Prepare for SA grouping. | hshoexer | 2006-06-01 | 1 | -1/+2
* correct error messages to match calloc where appropriate | todd | 2006-06-01 | 1 | -2/+2
  ok hshoexer@
* rename list link for ipsec_rule structures from "entries" to "rule_entry". | hshoexer | 2006-06-01 | 1 | -4/+4
* implement monitor mode for ipsecctl. worked on with markus@ | msf | 2006-05-30 | 1 | -2/+17
  ok hshoexer@
* add ipsecctl_free_rule() for cleaning up rules. | hshoexer | 2006-05-29 | 1 | -39/+45
* when dumping rules always show type, srcid and dstid (if set). | hshoexer | 2006-03-31 | 1 | -12/+9
  ok reyk@
* allow specification of encapsulated protocol for flows; ok hshoexer | markus | 2006-03-31 | 1 | -8/+25
* allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk | markus | 2006-03-30 | 1 | -1/+13
* add support for macros in ipsec.conf(5). some bits have already been | reyk | 2006-03-22 | 1 | -4/+9
  there. requested by david@ ok hshoexer@, msf@
* noted by lint: include <string.h> instead of <strings.h>, add two ARGSUSED1 | hshoexer | 2006-02-01 | 1 | -2/+4
* wrap long lines (no binary change) | reyk | 2006-01-17 | 1 | -2/+3
* add support for pre-shared keys with "ike esp" using the new keyword | reyk | 2006-01-16 | 1 | -1/+6
  "psk". rsa-sig is recommended and will still be used by default. ok hshoexer@, manpage ok jmc@
* more appropriate error messages; ok hshoexer | markus | 2005-12-06 | 1 | -3/+7
* ipip support: ip-in-ip w/o gif(4); ok hshoexer | markus | 2005-12-06 | 1 | -3/+3
* do not choke and dump core when printing bypass flows. noticed by jacob | hshoexer | 2005-12-01 | 1 | -5/+9
  schlyter. Thanks!
* handle that pfkey_ipsec_flush() can fail. | hshoexer | 2005-11-30 | 1 | -2/+3
* Fix memory leaks. From Andrey Matveev <evol at online dot ptt dot ru>, | hshoexer | 2005-11-21 | 1 | -1/+5
  thanks!