author | luigi <luigi@FreeBSD.org> | 2003-07-04 21:42:32 +0000 |
committer | luigi <luigi@FreeBSD.org> | 2003-07-04 21:42:32 +0000 |
commit | c530f5973f70002f8d4f101d8be867a7b2cd031c (patch) | |
tree | 2273123f1eca64c0add21999e5c7ee78411d66b4 | |
parent | d9dfac9f45d8211c085077869a18bbb7761f562b (diff) | |
Implement the 'ipsec' option to match packets coming out of an ipsec tunnel.
Should work with both regular and fast ipsec (mutually exclusive).
See manpage for more details.
Submitted by: Ari Suutari (ari.suutari@syncrontech.com)
Revised by: sam
MFC after: 1 week
-rw-r--r-- | sbin/ipfw/ipfw.8 | 12 | ||||
-rw-r--r-- | sbin/ipfw/ipfw2.c | 10 | ||||
-rw-r--r-- | sys/netinet/ip_fw2.c | 16 |
3 files changed, 38 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 42d1956..ba2ded6 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -927,6 +927,18 @@ with a
 .It Cm ipprecedence Ar precedence
 Matches IP packets whose precedence field is equal to
 .Ar precedence .
+.It Cm ipsec
+Matches packets that have IPSEC history associated with them
+(i.e. the packet comes encapsulated in IPSEC, the kernel
+has IPSEC support and IPSEC_FILTERGIF option, and can correctly
+decapsulate it).
+.Pp
+Note that specifying
+.Cm ipsec
+is different from specifying
+.Cm proto Ar ipsec
+as the latter will only look at the specific IP protocol field,
+irrespective of IPSEC kernel support and the validity of the IPSEC data.
 .It Cm iptos Ar spec
 Matches IP packets whose
 .Cm tos
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index cef3752..12d774f 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -225,6 +225,7 @@ enum tokens {
 	TOK_MAC,
 	TOK_MACTYPE,
 	TOK_VERREVPATH,
+	TOK_IPSEC,
 	TOK_PLR,
 	TOK_NOERROR,
@@ -335,6 +336,7 @@ struct _s_x rule_options[] = {
 	{ "mac",		TOK_MAC },
 	{ "mac-type",		TOK_MACTYPE },
 	{ "verrevpath",		TOK_VERREVPATH },
+	{ "ipsec",		TOK_IPSEC },
 	{ "not",		TOK_NOT },		/* pseudo option */
 	{ "!", /* escape ? */	TOK_NOT },		/* pseudo option */
@@ -1226,6 +1228,10 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
 			printf(" verrevpath");
 			break;
+		case O_IPSEC:
+			printf(" ipsec");
+			break;
+
 		case O_KEEP_STATE:
 			printf(" keep-state");
 			break;
@@ -3270,6 +3276,10 @@ read_options:
 			fill_cmd(cmd, O_VERREVPATH, 0, 0);
 			break;
+		case TOK_IPSEC:
+			fill_cmd(cmd, O_IPSEC, 0, 0);
+			break;
+
 		default:
 			errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);
 		}
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index ad930f9..652c74e 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -73,6 +73,10 @@
 #include <netinet/udp.h>
 #include <netinet/udp_var.h>
+#ifdef IPSEC
+#include <netinet6/ipsec.h>
+#endif
+
 #include <netinet/if_ether.h> /* XXX for ETHERTYPE_IP */
 #include <machine/in_cksum.h> /* XXX for in_cksum */
@@ -1820,6 +1824,17 @@ check_body:
 				    verify_rev_path(src_ip, m->m_pkthdr.rcvif));
 				break;
+			case O_IPSEC:
+#ifdef FAST_IPSEC
+				match = (m_tag_find(m,
+				    PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
+#endif
+#ifdef IPSEC
+				match = (ipsec_gethist(m, NULL) != NULL);
+#endif
+				/* otherwise no match */
+				break;
+
 			/*
 			 * The second set of opcodes represents 'actions',
 			 * i.e. the terminal part of a rule once the packet
@@ -2392,6 +2407,7 @@ check_ipfw_struct(struct ip_fw *rule, int size)
 		case O_TCPOPTS:
 		case O_ESTAB:
 		case O_VERREVPATH:
+		case O_IPSEC:
 			if (cmdlen != F_INSN_SIZE(ipfw_insn))
 				goto bad_size;
 			break;
|
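Review bot: The new `O_IPSEC` case in the match loop leaves `match` untouched when the kernel is built with neither `FAST_IPSEC` nor `IPSEC`, so the `/* otherwise no match */` comment holds only if `match` is reset before the `switch`, which is outside this hunk (the enclosing loop starts and ends outside it). Making the fallback explicit with an `#if`/`#elif`/`#else` chain removes that dependency and also encodes the mutual exclusivity the commit message describes, instead of letting the `IPSEC` assignment silently override the `FAST_IPSEC` one if both ever end up defined together. Note also that both backends appear to test only for IPsec input history on the mbuf, not which SA or peer produced it, so the option says "came through IPsec decapsulation" and nothing about who sent the packet; a comment above the case such as `/* true when IPsec input has processed this mbuf; does not identify the peer or SA */` would keep that clear for the next reader and for rule authors.
```c
			case O_IPSEC:
#if defined(FAST_IPSEC)
				match = (m_tag_find(m,
				    PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
#elif defined(IPSEC)
				match = (ipsec_gethist(m, NULL) != NULL);
#else
				match = 0;	/* no IPsec support in this kernel */
#endif
				break;
```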