OpenBSD CVS

CVS log for src/sbin/ipsecctl/parse.y

Revision 1.183, Mon Aug 7 04:10:08 2023 UTC (10 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, HEAD
Changes since 1.182: +66 -2 lines

add support for route based ipsec vpn negotiation with sec(4) via isakmpd.

this adds "interface secX" to the grammar that you can use instead
of specifying tunnel/transport modes and traffic selectors.

if you have config like "ike interface sec0 local ... peer ...",
ipsecctl will generate the right config for isakmpd to negotiate
esp tunnels for all traffic between 0.0.0.0/0 and 0.0.0.0/0. however,
this also specifies that they should be set up as interface SAs in
the kernel for use with sec(4).

this supports route-based instead of policy based ipsec encapsulation,
and allows us to more easily operate with other vendors and products
that also offer route-based vpns with opinions about the negotiated
policy that doesn't fit with the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

Revision 1.182, Wed Apr 19 13:33:37 2023 UTC (13 months, 3 weeks ago) by jsg
Branch: MAIN
Changes since 1.181: +1 -2 lines

remove duplicate includes

Revision 1.181, Fri Oct 22 12:30:54 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.180: +1 -2 lines

After deleting hifn(4) the only provider for the LZS compression
algorithm is gone.  Remove all LZS references from the tree.  The
v42bis in isakmpd also looks unsupported.
OK mvs@ patrick@ sthen@

Revision 1.180, Fri Oct 15 15:01:27 2021 UTC (2 years, 7 months ago) by naddy
Branch: MAIN
Changes since 1.179: +13 -13 lines

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments.  Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@

Revision 1.179, Tue Dec 29 19:50:03 2020 UTC (3 years, 5 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.178: +3 -2 lines

getifaddrs() can return entries where ifa_addr is NULL. Check for this
before accessing anything in ifa_addr.
ok claudio@

Revision 1.178, Fri Feb 7 13:01:34 2020 UTC (4 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.177: +37 -11 lines

Extend the ipsecctl(8) parser to set the udpencap flag and port
number of an SA.  This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@

Revision 1.177, Mon Aug 26 18:53:58 2019 UTC (4 years, 9 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.176: +14 -13 lines

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@

Revision 1.176, Wed Feb 13 22:57:07 2019 UTC (5 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.175: +3 -3 lines

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno

Revision 1.175, Wed Nov 7 08:10:45 2018 UTC (5 years, 7 months ago) by miko
Branch: MAIN
Changes since 1.174: +3 -7 lines

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@

Revision 1.174, Thu Nov 1 00:18:44 2018 UTC (5 years, 7 months ago) by sashan
Branch: MAIN
Changes since 1.173: +3 -2 lines

- odd condition/test in PF lexer
  (and other lexers too)

This commit rectifies earlier change:

    in the lex... even inside quotes, a \ followed by space or tab should
    expand to space or tab, and a \ followed by newline should be ignored
    (as a line continuation).  compatible with the needs of hoststated
    (which has the most strict quoted string requirements), and ifstated
    (where one commonly does line continuations in strings).

OK deraadt@, OK millert@

Revision 1.173, Wed Jul 11 07:39:22 2018 UTC (5 years, 11 months ago) by krw
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.172: +51 -51 lines

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@

Revision 1.172, Mon Jul 9 12:05:10 2018 UTC (5 years, 11 months ago) by krw
Branch: MAIN
Changes since 1.171: +5 -5 lines

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@

Revision 1.171, Sun Jul 8 17:15:07 2018 UTC (5 years, 11 months ago) by krw
Branch: MAIN
Changes since 1.170: +3 -3 lines

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@

Revision 1.170, Thu Apr 26 14:12:19 2018 UTC (6 years, 1 month ago) by krw
Branch: MAIN
Changes since 1.169: +3 -1 lines

Plug leak in error case of the common 'varset' implementations.

ok benno@

Revision 1.169, Fri Oct 27 08:29:32 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.168: +35 -17 lines

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@

Revision 1.168, Wed Apr 19 15:59:38 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.167: +21 -21 lines

Rename all SA groups to bundles consistently.  The first kernel
commit in 2000 that introduced the features already called them SA
bundles.  The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@

Revision 1.167, Fri Apr 14 18:06:28 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.166: +23 -15 lines

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type.  This behaviour
was mostly undocumented and unexpected.  Make SA bundles explicit
in ipsec.conf(5).  Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@

Revision 1.166, Thu Jan 5 12:42:18 2017 UTC (7 years, 5 months ago) by krw
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.165: +7 -5 lines

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@

Revision 1.165, Tue Jun 21 21:35:24 2016 UTC (7 years, 11 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.164: +9 -1 lines

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@

Revision 1.164, Wed Dec 9 21:41:50 2015 UTC (8 years, 6 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.163: +1 -2 lines

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@

Revision 1.163, Wed Nov 4 12:46:13 2015 UTC (8 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.162: +2 -1 lines

Decode Chacha20-Poly1305 when dumping SAs;  ok reyk, naddy

Revision 1.162, Wed Jun 3 02:24:36 2015 UTC (9 years ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.161: +7 -6 lines

Do not assume that asprintf() clears the pointer on failure, which
is non-portable.  Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Revision 1.161, Thu Nov 20 05:51:20 2014 UTC (9 years, 6 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.160: +4 -1 lines

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@

Revision 1.160, Tue Nov 4 05:56:39 2014 UTC (9 years, 7 months ago) by doug
Branch: MAIN
Changes since 1.159: +12 -8 lines

Add gcc format attributes to ipsecctl's parse.y.  Also, fix a few format
characters.

ok sthen@ naddy@ markus@

Revision 1.159, Wed Jan 22 00:21:16 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6, OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.158: +2 -2 lines

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian

Revision 1.158, Mon Nov 25 12:52:12 2013 UTC (10 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.157: +7 -7 lines

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@

Revision 1.157, Fri Nov 22 04:12:47 2013 UTC (10 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.156: +2 -2 lines

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert

Revision 1.156, Tue Jul 10 13:58:33 2012 UTC (11 years, 11 months ago) by lteo
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3, OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.155: +56 -31 lines

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning

Revision 1.155, Sun Jul 8 17:51:51 2012 UTC (11 years, 11 months ago) by naddy
Branch: MAIN
Changes since 1.154: +28 -23 lines

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC.  These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness' sake.

ok mikeb@

Revision 1.154, Sat Jul 7 20:29:23 2012 UTC (11 years, 11 months ago) by naddy
Branch: MAIN
Changes since 1.153: +3 -3 lines

copy&paste mistake in error message

Revision 1.153, Sat Jun 30 14:51:31 2012 UTC (11 years, 11 months ago) by naddy
Branch: MAIN
Changes since 1.152: +4 -1 lines

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@

Revision 1.152, Tue Dec 20 13:27:51 2011 UTC (12 years, 5 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.151: +3 -3 lines

unsigned long should use "%lu" format; from eric lax, thanks

Revision 1.151, Wed Jul 6 22:03:00 2011 UTC (12 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.150: +14 -2 lines

For non-crypted flows (such as ipcomp and ipip), default their
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio

Revision 1.150, Wed Oct 6 22:19:20 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.149: +1 -2 lines

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days.  According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.

Revision 1.149, Wed Sep 22 14:04:09 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.148: +59 -39 lines

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

 aes-128-gcm for 160 bit key (128+nonce)
 aes-192-gcm for 224 bit key (192+nonce)
 aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

 aes-128-gmac for 160 bit key (128+nonce)
 aes-192-gmac for 224 bit key (192+nonce)
 aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying.  So it can be thought of as a debug facility only.

Example configuration:

	ike esp from 172.23.61.36 to 172.23.61.156 \
		quick enc aes-256-gcm \
		psk humppa

Thoroughly tested by me and naddy.  Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy

Revision 1.148, Tue Aug 3 18:42:40 2010 UTC (13 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.147: +4 -3 lines

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?

Revision 1.147, Mon May 10 02:00:50 2010 UTC (14 years, 1 month ago) by krw
Branch: MAIN
Changes since 1.146: +2 -2 lines

Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' ->
'possibility', 'optins' -> 'options', 'resposne' -> 'response',
'unecessary' -> 'unnecessary', 'desination' -> 'destination'.
Collected from various misc@ and tech@ postings, many by Brad Tilley.

Revision 1.146, Tue Aug 4 15:05:50 2009 UTC (14 years, 10 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.145: +12 -2 lines

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@

Revision 1.145, Tue Mar 31 21:03:48 2009 UTC (15 years, 2 months ago) by tobias
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.144: +7 -3 lines

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning

Revision 1.144, Fri Jan 30 14:24:52 2009 UTC (15 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.143: +67 -7 lines

If the "peer" address is not specified or derived from "to" for
"ike" rules in ipsec.conf, the default peer is used.  In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry.  As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins.  This configuration is then
significant for all "ike" rules that use the default peer.

Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer.  This should be an error
but that would break existing user configs.  So only a warning is
printed.

ok hshoexer@, todd@

Revision 1.143, Thu Jan 29 15:37:09 2009 UTC (15 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.142: +3 -7 lines

After checking that peer == NULL do not assign peer = NULL a few
lines later.  No functional change.

ok grunk@, hshoexer@

Revision 1.142, Wed Jan 28 18:07:19 2009 UTC (15 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.141: +32 -13 lines

Allow specifying ike and flow explicitly without peer.  The any
keyword as argument for the peer parameter will do that.  An ike
without peer creates the peer-default config.  A flow without peer
acquires a host-to-host SA.

tested by grunk@, todd@,  ok grunk@, hshoexer@, todd@

Revision 1.141, Tue Jan 20 14:36:19 2009 UTC (15 years, 4 months ago) by mpf
Branch: MAIN
Changes since 1.140: +30 -3 lines

Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@

Revision 1.140, Fri Nov 14 23:16:37 2008 UTC (15 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.139: +2 -2 lines

When parsing v4 addresses mark them as network addresses
(IPV4_ADDR_SUBNET) when they contain a '/'.

This allows choosing between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", i.e. "a.b.c.d" vs. "a.b.c.d/32".  This helps to interop with other
IKE implementations.

From Mitja Muzenic <mitja at muzenic dot net>, thanks!

Idea supported by markus@ and jdixon@.

Revision 1.139, Fri Oct 17 14:33:15 2008 UTC (15 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.138: +5 -3 lines

findeol() fix from pfctl

Revision 1.138, Tue Jul 1 14:31:37 2008 UTC (15 years, 11 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.137: +9 -4 lines

If a rule contains a hostname instead of an address, use the list
of all possible addresses from DNS and not only the first one.  So
during expansion, the right address family can be chosen and
regression test ike56 passes again.  There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer

Revision 1.137, Tue Jul 1 14:08:39 2008 UTC (15 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.136: +58 -41 lines

If multiple to addresses but no peer are given in an ike or flow
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer

Revision 1.136, Sat Jun 14 00:57:30 2008 UTC (15 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.135: +31 -38 lines

Move ike and flow peer selection to common function.
No functional change yet.
ok hshoexer

Revision 1.135, Wed Jun 11 22:11:20 2008 UTC (16 years ago) by bluhm
Branch: MAIN
Changes since 1.134: +3 -5 lines

trivial code simplification
tested and ok hshoexer, grunk

Revision 1.134, Fri Apr 11 00:05:51 2008 UTC (16 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.133: +18 -0 lines

add support for the "include" directive using code from pfctl/parse.y.

pointed out by Prabhu Gurumurthy

ok deraadt@

Revision 1.133, Fri Feb 22 23:51:31 2008 UTC (16 years, 3 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.132: +4 -1 lines

Support for specifying aes-{128,192,256}.  Original idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic!  Thanks
guys!

ok todd@

Revision 1.132, Mon Nov 12 23:59:41 2007 UTC (16 years, 7 months ago) by mpf
Branch: MAIN
Changes since 1.131: +2 -10 lines

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@

Revision 1.131, Mon Oct 22 16:35:33 2007 UTC (16 years, 7 months ago) by pyr
Branch: MAIN
Changes since 1.130: +6 -3 lines

sync with daemon parser code.
ok deraadt@

Revision 1.130, Tue Oct 16 20:01:23 2007 UTC (16 years, 7 months ago) by mpf
Branch: MAIN
Changes since 1.129: +2 -2 lines

Allow '=' to end a number in all lexers.
Requested and OK deraadt@

Revision 1.129, Tue Oct 16 06:06:49 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.128: +4 -2 lines

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation).  compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr

Revision 1.128, Sat Oct 13 16:35:18 2007 UTC (16 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.127: +149 -60 lines

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex.  this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.

Revision 1.127, Thu Oct 11 14:39:16 2007 UTC (16 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.126: +28 -16 lines

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others

Revision 1.126, Wed Sep 12 20:22:59 2007 UTC (16 years, 9 months ago) by hshoexer
Branch: MAIN
Changes since 1.125: +100 -59 lines

Here too: Add support to the lex for parsing numbers out of the stream.
handle this in the parser.  better range checks.

with and ok deraadt@

Revision 1.125, Fri Aug 10 12:32:12 2007 UTC (16 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.124: +1 -3 lines

duplicate strdup; ok hshoexer

Revision 1.124, Tue Jul 3 11:32:27 2007 UTC (16 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.123: +3 -1 lines

allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf

Revision 1.123, Thu May 10 06:10:04 2007 UTC (17 years, 1 month ago) by hshoexer
Branch: MAIN
Changes since 1.122: +2 -1 lines

Do not crash when lists include the "any" keyword.  Reported by
<ralf.horstmann at gmx.net>, thanks!

Slightly different fix.  Also add a regression test.

ok mpf@

Revision 1.122, Fri Mar 16 20:51:01 2007 UTC (17 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.121: +18 -6 lines

move autodetection of the ID type to the parser.  this way the
static flows have the correct ID, too. ok hshoexer, reyk

Revision 1.121, Mon Feb 26 14:40:09 2007 UTC (17 years, 3 months ago) by todd
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.120: +2 -2 lines

Really, we don't need two grp18's ;-)
ok hshoexer@ and markus@

Revision 1.120, Mon Feb 19 09:00:46 2007 UTC (17 years, 3 months ago) by hshoexer
Branch: MAIN
Changes since 1.119: +3 -3 lines

Bits for ESP+NULL encryption.  This is useful, when AH can not be
used (when being behind NAT).  With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!

ok markus@

Revision 1.119, Mon Feb 19 08:29:30 2007 UTC (17 years, 3 months ago) by hshoexer
Branch: MAIN
Changes since 1.118: +5 -3 lines

undo previous commit and keep the original behaviour of the parser.

asked for by deraadt@

Revision 1.118, Fri Feb 16 10:16:09 2007 UTC (17 years, 3 months ago) by hshoexer
Branch: MAIN
Changes since 1.117: +3 -5 lines

Do not accept '\n' in quoted strings.  Addresses issues noticed by
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!

ok markus@ cloder@ (uhm, quite some time ago)

Revision 1.117, Wed Jan 10 14:37:09 2007 UTC (17 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.116: +2 -2 lines

allow rule if there is at least _one_ matching address family combination.
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@

Revision 1.116, Thu Jan 4 21:31:21 2007 UTC (17 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.115: +4 -3 lines

don't pass -1 as a netmask; report vicviq at gmail.com

Revision 1.115, Tue Jan 2 23:27:33 2007 UTC (17 years, 5 months ago) by itojun
Branch: MAIN
Changes since 1.114: +57 -36 lines

better support for IPv6 hostname/numeric representation.
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)

Revision 1.114, Fri Nov 24 13:52:13 2006 UTC (17 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.113: +34 -6 lines

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@

Revision 1.108.2.1, Thu Nov 16 22:27:53 2006 UTC (17 years, 6 months ago) by brad
Branch: OPENBSD_4_0
Changes since 1.108: +3 -2 lines

MFC:
Fix by msf@

check both rule source and destination when grouping sa's

fixes PR5262

ok msg@ hshoexer@

Revision 1.113, Mon Nov 13 11:04:05 2006 UTC (17 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.112: +77 -16 lines

Handle rules with addresses from mismatched address families correctly.

ok msf@

Revision 1.112, Fri Nov 10 15:01:31 2006 UTC (17 years, 7 months ago) by msf
Branch: MAIN
Changes since 1.111: +3 -2 lines

check both rule source and destination when grouping sa's

fixes PR5262

ok hshoexer@

Revision 1.111, Fri Nov 10 14:42:19 2006 UTC (17 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.110: +1 -4 lines

Do not count sa, ike and tcpmd5 rules twice.  Fixes PR 5263.

Revision 1.110, Wed Nov 1 03:10:02 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.109: +80 -58 lines

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer

Revision 1.109, Fri Sep 22 10:22:49 2006 UTC (17 years, 8 months ago) by hshoexer
Branch: MAIN
Changes since 1.108: +2 -2 lines

typo in err(); from bret.lambert@gmail.com, thanks!

Revision 1.108 / (download) - annotate - [select for diffs], Sun Jun 18 18:18:01 2006 UTC (17 years, 11 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE
Branch point for: OPENBSD_4_0
Changes since 1.107: +2 -1 lines
Diff to previous 1.107 (colored)

add group "none"; when chosen, pfs will be disabled.

ok david msf

Revision 1.107 / (download) - annotate - [select for diffs], Fri Jun 16 10:09:51 2006 UTC (17 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.106: +2 -2 lines
Diff to previous 1.106 (colored)

report the correct line number on an error.  Noticed by david@

Revision 1.106 / (download) - annotate - [select for diffs], Sun Jun 11 20:21:08 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.105: +2 -2 lines
Diff to previous 1.105 (colored)

As naddy@ pointed out RFC 3686 discourages use of AESCTR for static
keying.  markus@ seconds this, so use AES CBC as default.

ok naddy@

Revision 1.105 / (download) - annotate - [select for diffs], Sat Jun 10 19:38:24 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.104: +3 -3 lines
Diff to previous 1.104 (colored)

Better error message when a key file can not be opened or the provided key is
not of correct size.  Suggested by david@

Revision 1.104 / (download) - annotate - [select for diffs], Sat Jun 10 12:02:56 2006 UTC (18 years ago) by deraadt
Branch: MAIN
Changes since 1.103: +12 -4 lines
Diff to previous 1.103 (colored)

knf & careful data freeing, regression tested by todd

Revision 1.103 / (download) - annotate - [select for diffs], Thu Jun 8 22:34:30 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.102: +4 -4 lines
Diff to previous 1.102 (colored)

fix some indentation, noticed by david@

Revision 1.102 / (download) - annotate - [select for diffs], Thu Jun 8 21:15:21 2006 UTC (18 years ago) by naddy
Branch: MAIN
Changes since 1.101: +8 -7 lines
Diff to previous 1.101 (colored)

Add a transport mode specifier to ike rules.  Tunnel mode remains the default.
"looks right" hshoexer@

Revision 1.101 / (download) - annotate - [select for diffs], Thu Jun 8 16:51:25 2006 UTC (18 years ago) by todd
Branch: MAIN
Changes since 1.100: +11 -1 lines
Diff to previous 1.100 (colored)

turns out this really doesn't break what is in the tree; ok hshoexer@

Revision 1.100 / (download) - annotate - [select for diffs], Wed Jun 7 23:02:52 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.99: +6 -3 lines
Diff to previous 1.99 (colored)

make sure we initialize unspecified keys and spis.  Noticed by
naddy@, ok naddy@.

Revision 1.99 / (download) - annotate - [select for diffs], Wed Jun 7 21:57:52 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.98: +1 -11 lines
Diff to previous 1.98 (colored)

Do not yet expand the "any" keyword to v6 addresses.  ok todd@

Revision 1.98 / (download) - annotate - [select for diffs], Wed Jun 7 21:49:46 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.97: +1 -3 lines
Diff to previous 1.97 (colored)

remove unused prototype, ok todd@

Revision 1.97 / (download) - annotate - [select for diffs], Fri Jun 2 15:43:37 2006 UTC (18 years ago) by naddy
Branch: MAIN
Changes since 1.96: +23 -1 lines
Diff to previous 1.96 (colored)

support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@

Revision 1.96 / (download) - annotate - [select for diffs], Fri Jun 2 05:59:31 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.95: +30 -3 lines
Diff to previous 1.95 (colored)

allow to specify phase 1 and 2 lifetimes.  Right now, these values
can only be set globally (ie. Default-phase-[12]-lifetime).

Revision 1.95 / (download) - annotate - [select for diffs], Fri Jun 2 05:57:05 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.94: +11 -13 lines
Diff to previous 1.94 (colored)

simplify handling of peers.

Revision 1.94 / (download) - annotate - [select for diffs], Fri Jun 2 05:01:27 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.93: +21 -24 lines
Diff to previous 1.93 (colored)

some more cleanup and simplification, no functional change.

Revision 1.93 / (download) - annotate - [select for diffs], Fri Jun 2 04:51:55 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.92: +41 -50 lines
Diff to previous 1.92 (colored)

put src and dst host in dedicated structure.  Make the API more
compact which will soon simplify my life.

Revision 1.92 / (download) - annotate - [select for diffs], Fri Jun 2 03:40:26 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.91: +1 -13 lines
Diff to previous 1.91 (colored)

Simplify main/quick mode parsing and generation of the actual ike config.

Revision 1.91 / (download) - annotate - [select for diffs], Fri Jun 2 03:31:20 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.90: +44 -20 lines
Diff to previous 1.90 (colored)

Generalize parsing of main/quick mode specification.  Preparation
for lifetime support.

Revision 1.90 / (download) - annotate - [select for diffs], Fri Jun 2 00:33:47 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.89: +42 -4 lines
Diff to previous 1.89 (colored)

Prepare for parsing lifetimes for ike main and quick mode.  Not enabled yet.

Revision 1.89 / (download) - annotate - [select for diffs], Thu Jun 1 22:44:03 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.88: +72 -7 lines
Diff to previous 1.88 (colored)

Final bits for SA grouping.

Revision 1.88 / (download) - annotate - [select for diffs], Thu Jun 1 17:32:20 2006 UTC (18 years ago) by naddy
Branch: MAIN
Changes since 1.87: +57 -14 lines
Diff to previous 1.87 (colored)

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@

Revision 1.87 / (download) - annotate - [select for diffs], Thu Jun 1 15:33:08 2006 UTC (18 years ago) by markus
Branch: MAIN
Changes since 1.86: +7 -5 lines
Diff to previous 1.86 (colored)

print actual key size when warning about the wrong key size; ok hshoexer

Revision 1.86 / (download) - annotate - [select for diffs], Thu Jun 1 06:50:58 2006 UTC (18 years ago) by deraadt
Branch: MAIN
Changes since 1.85: +2 -2 lines
Diff to previous 1.85 (colored)

spacing

Revision 1.85 / (download) - annotate - [select for diffs], Thu Jun 1 05:55:04 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.84: +2 -2 lines
Diff to previous 1.84 (colored)

knf

Revision 1.84 / (download) - annotate - [select for diffs], Thu Jun 1 05:48:31 2006 UTC (18 years ago) by todd
Branch: MAIN
Changes since 1.83: +38 -3 lines
Diff to previous 1.83 (colored)

add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@

Revision 1.83 / (download) - annotate - [select for diffs], Thu Jun 1 02:20:44 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.82: +9 -24 lines
Diff to previous 1.82 (colored)

When no peer is specified, make this rule a "catch-all" rule for any remote
peer.  Similar to isakmpd(8)s "Default=" tag.

Revision 1.82 / (download) - annotate - [select for diffs], Wed May 31 14:38:31 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.81: +3 -3 lines
Diff to previous 1.81 (colored)

white spaces

Revision 1.81 / (download) - annotate - [select for diffs], Wed May 31 09:03:43 2006 UTC (18 years ago) by todd
Branch: MAIN
Changes since 1.80: +62 -5 lines
Diff to previous 1.80 (colored)

add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@

Revision 1.80 / (download) - annotate - [select for diffs], Mon May 29 20:12:14 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.79: +21 -2 lines
Diff to previous 1.79 (colored)

enable lists.

This allows rules like:

	ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4

This will setup two tunnels to the networks 192.168.7.0/24 and
192.168.9.0/24.

Revision 1.79 / (download) - annotate - [select for diffs], Mon May 29 18:50:27 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.78: +137 -38 lines
Diff to previous 1.78 (colored)

Provide functions for copying members of rules.  Implement copyrule()
function to copy a single rule.  Use that for rule expansion.

Revision 1.78 / (download) - annotate - [select for diffs], Mon May 29 16:04:25 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.77: +14 -14 lines
Diff to previous 1.77 (colored)

unify code a little bit (consistent variable names).

Revision 1.77 / (download) - annotate - [select for diffs], Mon May 29 15:59:49 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.76: +13 -5 lines
Diff to previous 1.76 (colored)

Also return proper list of addresses for interface groups.

As usual, this and the previous commit reused suitable code from
the tree (pfctl).

Revision 1.76 / (download) - annotate - [select for diffs], Mon May 29 15:48:46 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.75: +12 -4 lines
Diff to previous 1.75 (colored)

As the rule expansion is now aware of host lists, host_if() has to
return a proper list of addresses bound to an interface.

Revision 1.75 / (download) - annotate - [select for diffs], Mon May 29 15:22:40 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.74: +33 -21 lines
Diff to previous 1.74 (colored)

teach expand_rule() to iterate over host lists, not used yet.

Revision 1.74 / (download) - annotate - [select for diffs], Mon May 29 15:18:17 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.73: +8 -7 lines
Diff to previous 1.73 (colored)

fix rule numbering (for -vv)
late ikerule also use expand_rule

Revision 1.73 / (download) - annotate - [select for diffs], Mon May 29 04:18:16 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.72: +20 -32 lines
Diff to previous 1.72 (colored)

merge expand_sa() and expand_rule().

Revision 1.72 / (download) - annotate - [select for diffs], Mon May 29 03:53:04 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.71: +24 -12 lines
Diff to previous 1.71 (colored)

move generation of reverse flow rules to separate function.

Revision 1.71 / (download) - annotate - [select for diffs], Mon May 29 03:38:28 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.70: +28 -29 lines
Diff to previous 1.70 (colored)

unify expansion of SA rules.  Needed for general rule expansion.

Revision 1.70 / (download) - annotate - [select for diffs], Sun May 28 21:24:09 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.69: +5 -1 lines
Diff to previous 1.69 (colored)

when parsing host specifications, initialize host address queue pointers, not
used yet.

Revision 1.69 / (download) - annotate - [select for diffs], Sun May 28 21:10:10 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.68: +18 -19 lines
Diff to previous 1.68 (colored)

prepare for rule expansion.  Get rid of addr_node, link struct
ipsec_addr_wrap directly.

Revision 1.68 / (download) - annotate - [select for diffs], Sun May 28 01:36:06 2006 UTC (18 years ago) by todd
Branch: MAIN
Changes since 1.67: +3 -2 lines
Diff to previous 1.67 (colored)

add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@

Revision 1.67 / (download) - annotate - [select for diffs], Sat May 27 17:21:40 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.66: +34 -2 lines
Diff to previous 1.66 (colored)

allow to specify groups to be used IKE

Revision 1.66 / (download) - annotate - [select for diffs], Fri May 26 01:06:11 2006 UTC (18 years ago) by deraadt
Branch: MAIN
Changes since 1.65: +2 -4 lines
Diff to previous 1.65 (colored)

\<char> is <char> except for \<newline> -- no exceptions.  much like how
other things work.  ok henning

Revision 1.65 / (download) - annotate - [select for diffs], Mon May 15 08:39:51 2006 UTC (18 years ago) by deraadt
Branch: MAIN
Changes since 1.64: +7 -7 lines
Diff to previous 1.64 (colored)

permit proto 0; ok hshoexer

Revision 1.64 / (download) - annotate - [select for diffs], Thu May 11 20:40:12 2006 UTC (18 years, 1 month ago) by hshoexer
Branch: MAIN
Changes since 1.63: +3 -3 lines
Diff to previous 1.63 (colored)

fix some spelling; noticed by david@

Revision 1.63 / (download) - annotate - [select for diffs], Thu Apr 20 09:03:23 2006 UTC (18 years, 1 month ago) by hshoexer
Branch: MAIN
Changes since 1.62: +2 -2 lines
Diff to previous 1.62 (colored)

constify char *infile here, too.  noticed by lint.

Revision 1.62 / (download) - annotate - [select for diffs], Wed Apr 19 17:28:28 2006 UTC (18 years, 1 month ago) by hshoexer
Branch: MAIN
Changes since 1.61: +54 -1 lines
Diff to previous 1.61 (colored)

add support for interface groups.

Revision 1.61 / (download) - annotate - [select for diffs], Wed Apr 19 17:19:45 2006 UTC (18 years, 1 month ago) by hshoexer
Branch: MAIN
Changes since 1.60: +3 -8 lines
Diff to previous 1.60 (colored)

small cleanup:  no need to strdup here.

Revision 1.60 / (download) - annotate - [select for diffs], Wed Apr 19 16:10:50 2006 UTC (18 years, 1 month ago) by hshoexer
Branch: MAIN
Changes since 1.59: +41 -27 lines
Diff to previous 1.59 (colored)

"type" keyword to specify flow type (require, use, etc.)

Revision 1.59 / (download) - annotate - [select for diffs], Wed Apr 19 15:49:49 2006 UTC (18 years, 1 month ago) by hshoexer
Branch: MAIN
Changes since 1.58: +48 -3 lines
Diff to previous 1.58 (colored)

add hostname resolver.

at least some eyeballing by cloder@
tested by jean raby, requested/suggested by rod withworth

Revision 1.58 / (download) - annotate - [select for diffs], Thu Apr 13 11:55:07 2006 UTC (18 years, 2 months ago) by hshoexer
Branch: MAIN
Changes since 1.57: +52 -32 lines
Diff to previous 1.57 (colored)

Add support for "local" to ike rules.  Allows to specify the local IP to be
used on a multi-homed machine.  Also, relax order of peer/local keywords.

ok markus@

Revision 1.57 / (download) - annotate - [select for diffs], Fri Mar 31 14:02:08 2006 UTC (18 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.56: +8 -7 lines
Diff to previous 1.56 (colored)

allow specification of encapsulated protocol for ike; ok hshoexer

Revision 1.56 / (download) - annotate - [select for diffs], Fri Mar 31 13:13:51 2006 UTC (18 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.55: +57 -31 lines
Diff to previous 1.55 (colored)

allow specification of encapsulated protocol for flows; ok hshoexer

Revision 1.55 / (download) - annotate - [select for diffs], Thu Mar 30 15:30:18 2006 UTC (18 years, 2 months ago) by hshoexer
Branch: MAIN
Changes since 1.54: +2 -1 lines
Diff to previous 1.54 (colored)

when resolving interface names to ip addresses, set netmask to all bits 1

Revision 1.54 / (download) - annotate - [select for diffs], Thu Mar 30 12:44:20 2006 UTC (18 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.53: +28 -10 lines
Diff to previous 1.53 (colored)

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk

Revision 1.53 / (download) - annotate - [select for diffs], Wed Mar 22 16:01:23 2006 UTC (18 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.52: +27 -1 lines
Diff to previous 1.52 (colored)

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@

Revision 1.52 / (download) - annotate - [select for diffs], Tue Mar 7 00:30:28 2006 UTC (18 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.51: +32 -10 lines
Diff to previous 1.51 (colored)

add support for special "bypass" and "deny" flows.

ok hshoexer@, thanks jmc@

Revision 1.51 / (download) - annotate - [select for diffs], Tue Mar 7 00:19:58 2006 UTC (18 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.50: +4 -2 lines
Diff to previous 1.50 (colored)

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@

Revision 1.50 / (download) - annotate - [select for diffs], Fri Jan 20 16:11:22 2006 UTC (18 years, 4 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.49: +9 -3 lines
Diff to previous 1.49 (colored)

initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@

Revision 1.49 / (download) - annotate - [select for diffs], Tue Jan 17 05:39:23 2006 UTC (18 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.48: +12 -9 lines
Diff to previous 1.48 (colored)

wrap long lines (no binary change)

Revision 1.48 / (download) - annotate - [select for diffs], Mon Jan 16 23:57:20 2006 UTC (18 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.47: +29 -19 lines
Diff to previous 1.47 (colored)

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@

Revision 1.47 / (download) - annotate - [select for diffs], Mon Dec 12 09:41:51 2005 UTC (18 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.46: +3 -1 lines
Diff to previous 1.46 (colored)

Correctly copy interface names; fixes breakage noticed by naddy@

ok naddy@

Revision 1.46 / (download) - annotate - [select for diffs], Tue Dec 6 14:27:57 2005 UTC (18 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.45: +15 -2 lines
Diff to previous 1.45 (colored)

ipip support: ip-in-ip w/o gif(4); ok hshoexer

Revision 1.45 / (download) - annotate - [select for diffs], Thu Dec 1 15:14:47 2005 UTC (18 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.44: +2 -2 lines
Diff to previous 1.44 (colored)

spacing

Revision 1.44 / (download) - annotate - [select for diffs], Sun Nov 27 09:47:56 2005 UTC (18 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.43: +13 -1 lines
Diff to previous 1.43 (colored)

sanity check constraints for transforms.
ok deraadt@

Revision 1.43 / (download) - annotate - [select for diffs], Sun Nov 27 03:50:58 2005 UTC (18 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.42: +36 -72 lines
Diff to previous 1.42 (colored)

truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language

Revision 1.42 / (download) - annotate - [select for diffs], Sat Nov 26 23:26:49 2005 UTC (18 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.41: +11 -1 lines
Diff to previous 1.41 (colored)

allow specification of encryption and authentication algorithms to be swapped.
Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are
valid.

Revision 1.41 / (download) - annotate - [select for diffs], Thu Nov 24 11:52:07 2005 UTC (18 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.40: +1 -3 lines
Diff to previous 1.40 (colored)

Remove old-style keyed sha1/md5.  We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>

Revision 1.40 / (download) - annotate - [select for diffs], Sat Nov 12 21:57:34 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.39: +2 -2 lines
Diff to previous 1.39 (colored)

spacing

Revision 1.39 / (download) - annotate - [select for diffs], Sat Nov 12 21:49:38 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.38: +123 -4 lines
Diff to previous 1.38 (colored)

add support for interface names as host specifications

Revision 1.38 / (download) - annotate - [select for diffs], Sat Nov 12 17:22:23 2005 UTC (18 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.37: +6 -2 lines
Diff to previous 1.37 (colored)

permit TO/FROM to be swapped (symmetry is good); ok hshoexermk

Revision 1.37 / (download) - annotate - [select for diffs], Sat Nov 12 17:04:32 2005 UTC (18 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.36: +5 -6 lines
Diff to previous 1.36 (colored)

simplify TAILQ walking code; ok hshoexer

Revision 1.36 / (download) - annotate - [select for diffs], Sat Nov 12 16:41:39 2005 UTC (18 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.35: +78 -76 lines
Diff to previous 1.35 (colored)

spacing

Revision 1.35 / (download) - annotate - [select for diffs], Sat Nov 12 16:40:58 2005 UTC (18 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.34: +5 -6 lines
Diff to previous 1.34 (colored)

do not stat() before open(); instead -- use fstat(); ok hshoexer

Revision 1.34 / (download) - annotate - [select for diffs], Sat Nov 12 12:00:53 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.33: +32 -18 lines
Diff to previous 1.33 (colored)

handle transport/tunnel mode

Revision 1.33 / (download) - annotate - [select for diffs], Sun Nov 6 22:51:51 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.32: +63 -48 lines
Diff to previous 1.32 (colored)

Improved address and address mask handling, derived from pfctl stuff.

Revision 1.32 / (download) - annotate - [select for diffs], Sun Nov 6 10:52:27 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.31: +6 -5 lines
Diff to previous 1.31 (colored)

better handling of ip addresses, prepare for v6.  Partially derived from diff
by todd@.  Work in progress.

Revision 1.31 / (download) - annotate - [select for diffs], Sun Oct 30 20:42:11 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.30: +13 -5 lines
Diff to previous 1.30 (colored)

prepare for more flexible hostname resolver.  Right now just v4, more to come
(if groups, v6, dns).

Revision 1.30 / (download) - annotate - [select for diffs], Sun Oct 30 19:50:23 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.29: +41 -8 lines
Diff to previous 1.29 (colored)

add support for ipcomp.

Revision 1.29 / (download) - annotate - [select for diffs], Fri Oct 28 07:18:47 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.28: +5 -5 lines
Diff to previous 1.28 (colored)

more error message cleanup

Revision 1.28 / (download) - annotate - [select for diffs], Sun Oct 16 21:41:36 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.27: +51 -22 lines
Diff to previous 1.27 (colored)

Prepare for better host specification parser: dns names, interfaces, etc.  But
for now, just ipv4.  Derived from pfctl(8).

Revision 1.27 / (download) - annotate - [select for diffs], Sun Oct 16 21:29:22 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored)

Unset debug flag.

Revision 1.26 / (download) - annotate - [select for diffs], Sun Oct 16 21:24:45 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.25: +18 -3 lines
Diff to previous 1.25 (colored)

Add keyword "any" for addresses, reduces to "0.0.0.0/0".

Revision 1.25 / (download) - annotate - [select for diffs], Sun Oct 16 19:52:19 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.24: +26 -26 lines
Diff to previous 1.24 (colored)

cleanup messages generated by err(3)

Revision 1.24 / (download) - annotate - [select for diffs], Mon Aug 22 17:26:46 2005 UTC (18 years, 9 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.23: +140 -8 lines
Diff to previous 1.23 (colored)

Teach ipsecctl to control isakmpd.

ok deraadt

Revision 1.23 / (download) - annotate - [select for diffs], Fri Aug 19 08:47:56 2005 UTC (18 years, 9 months ago) by hshoexer
Branch: MAIN
Changes since 1.22: +2 -2 lines
Diff to previous 1.22 (colored)

more useful error message

Revision 1.22 / (download) - annotate - [select for diffs], Tue Aug 9 12:37:45 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.21: +104 -54 lines
Diff to previous 1.21 (colored)

Rewrite handling of transforms.  Now both ah and esp can be specified and
validated correctly.  Unbreaks ah.

Revision 1.21 / (download) - annotate - [select for diffs], Tue Aug 9 12:35:25 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)

Correct keysize for 3des-cbc

Revision 1.20 / (download) - annotate - [select for diffs], Mon Aug 8 13:29:00 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.19: +179 -13 lines
Diff to previous 1.19 (colored)

add crypto transforms and static keying rules

Revision 1.19 / (download) - annotate - [select for diffs], Mon Aug 8 09:15:09 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.18: +23 -13 lines
Diff to previous 1.18 (colored)

prepare for static keying

Revision 1.18 / (download) - annotate - [select for diffs], Fri Aug 5 15:44:57 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.17: +60 -29 lines
Diff to previous 1.17 (colored)

more key handling stuff.

Revision 1.17 / (download) - annotate - [select for diffs], Fri Aug 5 14:39:02 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.16: +23 -15 lines
Diff to previous 1.16 (colored)

prepare for authentication and encryption keys, not used yet.

Revision 1.16 / (download) - annotate - [select for diffs], Fri Aug 5 14:09:27 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.15: +7 -10 lines
Diff to previous 1.15 (colored)

simplify a bit.

Revision 1.15 / (download) - annotate - [select for diffs], Tue Aug 2 15:47:25 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.14: +17 -11 lines
Diff to previous 1.14 (colored)

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.

Revision 1.14 / (download) - annotate - [select for diffs], Sun Jul 24 12:11:49 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.13: +3 -3 lines
Diff to previous 1.13 (colored)

use correct function names in error messages

Revision 1.13 / (download) - annotate - [select for diffs], Sun Jul 24 10:06:38 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.12: +5 -5 lines
Diff to previous 1.12 (colored)

prepare for combining SAs and flows in one single rule, no functional change
yet.

Revision 1.12 / (download) - annotate - [select for diffs], Sat Jul 23 20:35:04 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.11: +43 -4 lines
Diff to previous 1.11 (colored)

add automatic creation of reverse SAs.

A tcpmd5 rule like:
	tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
		key 0xbeefdead:0xdeadbeef
expands now to:
	tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
	tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef

Revision 1.11 / (download) - annotate - [select for diffs], Sat Jul 23 20:09:02 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.10: +23 -8 lines
Diff to previous 1.10 (colored)

prepare for specifying both in and out key, not used yet.

Revision 1.10 / (download) - annotate - [select for diffs], Sat Jul 23 19:28:27 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.9: +43 -10 lines
Diff to previous 1.9 (colored)

prepare for specifying incoming and outgoing SPIs, not used yet.

Revision 1.9 / (download) - annotate - [select for diffs], Sun Jul 10 09:33:10 2005 UTC (18 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.8: +56 -20 lines
Diff to previous 1.8 (colored)

allow reading key from a file

Revision 1.8 / (download) - annotate - [select for diffs], Sat Jul 9 21:41:08 2005 UTC (18 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.7: +5 -4 lines
Diff to previous 1.7 (colored)

it's ok to not specify the key when deleting a tcpmd5 SA

Revision 1.7 / (download) - annotate - [select for diffs], Sat Jul 9 21:12:07 2005 UTC (18 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.6: +108 -7 lines
Diff to previous 1.6 (colored)

add support for tcpmd5

Revision 1.6 / (download) - annotate - [select for diffs], Thu Jul 7 22:00:36 2005 UTC (18 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.5: +12 -4 lines
Diff to previous 1.5 (colored)

set flow type (use, require, etc.) when a rule is created.  Up to now this was
done while crafting the corresponding pfkey message.

Revision 1.5 / (download) - annotate - [select for diffs], Thu Jul 7 21:00:08 2005 UTC (18 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.4: +5 -1 lines
Diff to previous 1.4 (colored)

add type for rules; will need this for tcpmd5

Revision 1.4 / (download) - annotate - [select for diffs], Wed May 25 16:31:22 2005 UTC (19 years ago) by hshoexer
Branch: MAIN
Changes since 1.3: +3 -3 lines
Diff to previous 1.3 (colored)

do not swap srcid/dstid for INOUT rules.

Revision 1.3 / (download) - annotate - [select for diffs], Wed May 25 16:29:21 2005 UTC (19 years ago) by hshoexer
Branch: MAIN
Changes since 1.2: +2 -2 lines
Diff to previous 1.2 (colored)

use bzero

Revision 1.2 / (download) - annotate - [select for diffs], Mon Apr 4 22:22:55 2005 UTC (19 years, 2 months ago) by hshoexer
Branch: MAIN
Changes since 1.1: +1 -1 lines
Diff to previous 1.1 (colored)

fix cvs id tags

Revision 1.1 / (download) - annotate - [select for diffs], Mon Apr 4 22:19:50 2005 UTC (19 years, 2 months ago) by hshoexer
Branch: MAIN

Add ipsecctl utility, work in progress

ok deraadt
