authorume <ume@FreeBSD.org>2001-06-11 12:39:29 +0000
committerume <ume@FreeBSD.org>2001-06-11 12:39:29 +0000
commit832f8d224926758a9ae0b23a6b45353e44fbc87a (patch)
treea79fc7ad2b97862c4a404f352f0211ad93a7b5f1 /sbin/setkey
parent2693854b01a52b0395a91322aa3edf926bddff38 (diff)
downloadFreeBSD-src-832f8d224926758a9ae0b23a6b45353e44fbc87a.zip
FreeBSD-src-832f8d224926758a9ae0b23a6b45353e44fbc87a.tar.gz
Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz, and some critical problems found after the snap was out were fixed. There are many many changes since last KAME merge. TODO: - The definitions of SADB_* in sys/net/pfkeyv2.h are still different from RFC2407/IANA assignment because of binary compatibility issue. It should be fixed under 5-CURRENT. - ip6po_m member of struct ip6_pktopts is no longer used. But, it is still there because of binary compatibility issue. It should be removed under 5-CURRENT. Reviewed by: itojun Obtained from: KAME MFC after: 3 weeks
Diffstat (limited to 'sbin/setkey')
-rw-r--r--sbin/setkey/parse.y85
-rw-r--r--sbin/setkey/scriptdump.pl4
-rw-r--r--sbin/setkey/setkey.8161
-rw-r--r--sbin/setkey/setkey.c78
-rw-r--r--sbin/setkey/token.l36
5 files changed, 270 insertions, 94 deletions
diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index 0eea4c1..1d43dc4 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -1,5 +1,5 @@
/* $FreeBSD$ */
-/* $KAME: parse.y,v 1.29 2000/06/10 14:17:44 sakane Exp $ */
+/* $KAME: kame/kame/kame/setkey/parse.y,v 1.36 2001/06/07 15:53:12 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -57,6 +57,7 @@
u_int p_type;
u_int32_t p_spi;
+int p_no_spi;
struct sockaddr *p_src, *p_dst;
u_int p_prefs, p_prefd, p_upper;
u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
@@ -79,7 +80,6 @@ extern int m_len;
extern char cmdarg[8192];
extern int f_debug;
-int setkeymsg __P((void));
static struct addrinfo *parse_addr __P((char *, char *, int));
static int setvarbuf __P((int *, struct sadb_ext *, int, caddr_t, int));
void parse_init __P((void));
@@ -107,7 +107,7 @@ extern void yyerror __P((const char *));
%token F_EXT EXTENSION NOCYCLICSEQ
%token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
%token F_LIFETIME_HARD F_LIFETIME_SOFT
-%token DECSTRING QUOTEDSTRING HEXSTRING ANY
+%token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY
/* SPD management */
%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
%token F_POLICY PL_REQUESTS
@@ -118,7 +118,7 @@ extern void yyerror __P((const char *));
%type <num> DECSTRING
%type <val> ADDRESS PL_REQUESTS
%type <val> key_string policy_requests
-%type <val> QUOTEDSTRING HEXSTRING
+%type <val> QUOTEDSTRING HEXSTRING STRING
%%
commands
@@ -140,6 +140,7 @@ command
: add_command
| get_command
| delete_command
+ | deleteall_command
| flush_command
| dump_command
| spdadd_command
@@ -166,6 +167,16 @@ delete_command
EOT
;
+ /* deleteall command */
+deleteall_command
+ : DELETEALL { p_type = SADB_DELETE; }
+ ipaddress { p_src = pp_addr; }
+ ipaddress { p_dst = pp_addr; }
+ protocol_spec
+ { p_no_spi = 1; }
+ EOT
+ ;
+
/* get command */
get_command
: GET { p_type = SADB_GET; }
@@ -327,7 +338,7 @@ auth_alg
auth_key
: /*NOTHING*/
{
- if (p_alg_auth != SADB_AALG_NULL) {
+ if (p_alg_auth != SADB_X_AALG_NULL) {
yyerror("no key found.");
return -1;
}
@@ -541,10 +552,27 @@ port
upper_spec
: DECSTRING { p_upper = $1; }
| UP_PROTO { p_upper = $1; }
- | PR_ESP { p_upper = IPPROTO_ESP; };
- | PR_AH { p_upper = IPPROTO_AH; };
- | PR_IPCOMP { p_upper = IPPROTO_IPCOMP; };
| ANY { p_upper = IPSEC_ULPROTO_ANY; }
+ | STRING
+ {
+ struct protoent *ent;
+
+ ent = getprotobyname($1.buf);
+ if (ent)
+ p_upper = ent->p_proto;
+ else {
+ if (strcmp("icmp6", $1.buf) == 0) {
+ p_upper = IPPROTO_ICMPV6;
+ } else if(strcmp("ip4", $1.buf) == 0) {
+ p_upper = IPPROTO_IPV4;
+ } else {
+ yyerror("invalid upper layer protocol");
+ free($1.buf);
+ return -1;
+ }
+ }
+ free($1.buf);
+ }
;
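Review bot: Dropping the `PR_ESP`, `PR_AH` and `PR_IPCOMP` alternatives means `esp`, `ah` and `ipcomp` can no longer be given as an upperspec: the lexer still returns those words as `PR_*` tokens (the `ipcomp` rule is visible as context in the token.l hunk), so they never reach the new `STRING` / `getprotobyname()` path and now produce a syntax error where they previously mapped to IPPROTO_ESP/AH/IPCOMP. If that is intended, the man page's upperspec section should say so; otherwise the three alternatives should stay. In the new action, the `if (ent) ... else { if ... else if ... else }` nesting reads more easily as a flat `if / else if / else if / else` chain, and the branch bodies should be braced consistently.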
policy_spec
@@ -665,27 +693,29 @@ setkeymsg()
struct sadb_address m_addr;
u_int len;
- len = sizeof(struct sadb_sa);
- m_sa.sadb_sa_len = PFKEY_UNIT64(len);
- m_sa.sadb_sa_exttype = SADB_EXT_SA;
- m_sa.sadb_sa_spi = htonl(p_spi);
- m_sa.sadb_sa_replay = p_replay;
- m_sa.sadb_sa_state = 0;
- m_sa.sadb_sa_auth = p_alg_auth;
- m_sa.sadb_sa_encrypt = p_alg_enc;
- m_sa.sadb_sa_flags = p_ext;
-
- memcpy(m_buf + m_len, &m_sa, len);
- m_len += len;
+ if (p_no_spi == 0) {
+ len = sizeof(struct sadb_sa);
+ m_sa.sadb_sa_len = PFKEY_UNIT64(len);
+ m_sa.sadb_sa_exttype = SADB_EXT_SA;
+ m_sa.sadb_sa_spi = htonl(p_spi);
+ m_sa.sadb_sa_replay = p_replay;
+ m_sa.sadb_sa_state = 0;
+ m_sa.sadb_sa_auth = p_alg_auth;
+ m_sa.sadb_sa_encrypt = p_alg_enc;
+ m_sa.sadb_sa_flags = p_ext;
+
+ memcpy(m_buf + m_len, &m_sa, len);
+ m_len += len;
- len = sizeof(struct sadb_x_sa2);
- m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
- m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
- m_sa2.sadb_x_sa2_mode = p_mode;
- m_sa2.sadb_x_sa2_reqid = p_reqid;
+ len = sizeof(struct sadb_x_sa2);
+ m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
+ m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+ m_sa2.sadb_x_sa2_mode = p_mode;
+ m_sa2.sadb_x_sa2_reqid = p_reqid;
- memcpy(m_buf + m_len, &m_sa2, len);
- m_len += len;
+ memcpy(m_buf + m_len, &m_sa2, len);
+ m_len += len;
+ }
/* set src */
m_addr.sadb_address_len =
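Review bot: When `p_no_spi` is set the message carries neither SADB_EXT_SA nor SADB_X_EXT_SA2, so the SADB_DELETE built for the `deleteall` rule (earlier hunk) identifies entries by src/dst and SA type only; whether the kernel treats this extension-less delete as "remove all matching SAs" or rejects it depends on kernel support that this userland side assumes, and nothing in the hunk records that contract. A comment at the new `if` would make it explicit: `/* deleteall: omit SA/SA2 so the kernel matches on src/dst/satype only */`. Note that skipping SA2 also drops `p_mode` and `p_reqid` from the message, so `deleteall` cannot be narrowed by mode or request id — worth stating in the man page entry if that is intended. setkeymsg starts and ends outside the hunk.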
@@ -864,6 +894,7 @@ parse_init()
{
p_type = 0;
p_spi = 0;
+ p_no_spi = 0;
p_src = 0, p_dst = 0;
pp_prefix = p_prefs = p_prefd = ~0;
diff --git a/sbin/setkey/scriptdump.pl b/sbin/setkey/scriptdump.pl
index aa36544..33907dc 100644
--- a/sbin/setkey/scriptdump.pl
+++ b/sbin/setkey/scriptdump.pl
@@ -33,11 +33,11 @@ foreach $_ (<IN>) {
$akey =~ s/\s//g;
$akey =~ s/^/0x/g;
} elsif (/^\treplay=(\d+) flags=(0x\d+) state=/) {
- print "$mode $src $dst $proto $spi -m $ipsecmode";
+ print "$mode $src $dst $proto $spi";
$replay = $1;
print " -u $reqid" if $reqid;
if ($mode eq 'add') {
- print " -r $replay" if $replay;
+ print " -m $ipsecmode -r $replay" if $replay;
if ($proto eq 'esp') {
print " -E $ealgo $ekey" if $ealgo;
print " -A $aalgo $akey" if $aalgo;
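Review bot: In the `add` branch the tunnel/transport mode is now emitted only when `$replay` is true, because `-m $ipsecmode` moved onto the line guarded by `if $replay`; an SA dumped with a zero replay window loses its `-m` option entirely, whereas before the change it was always printed. Split the two so the mode is unconditional: `print " -m $ipsecmode";` followed by `print " -r $replay" if $replay;`. The enclosing foreach loop starts and ends outside the hunk.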
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
index 7921800..368fc5d 100644
--- a/sbin/setkey/setkey.8
+++ b/sbin/setkey/setkey.8
@@ -1,5 +1,5 @@
-.\" $FreeBSD$
-.\" $KAME: setkey.8,v 1.28 2000/06/16 12:03:46 sakane Exp $
+.\" $KAME: setkey.8,v 1.49 2001/05/18 05:49:51 sakane Exp $
+.\" $FreeBSD$
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
@@ -28,9 +28,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd May 17, 1998
+.Dd November 20, 2000
.Dt SETKEY 8
-.Os KAME
+.Os
.\"
.Sh NAME
.Nm setkey
@@ -55,7 +55,7 @@
.\"
.Sh DESCRIPTION
.Nm
-addes, updates, dumpes, or flushes
+adds, updates, dumps, or flushes
Security Association Database (SAD) entries
as well as Security Policy Database (SPD) entries in the kernel.
.Pp
@@ -94,11 +94,14 @@ it has been expired but remains
because it is referenced by SPD entries.
.It Fl d
Enable to print debugging messages for command parser,
-without talking to kernel. It is not used usually.
+without talking to kernel.
+It is not used usually.
.It Fl x
Loop forever and dump all the messages transmitted to
.Dv PF_KEY
socket.
+.Fl xx
+makes each timestamps unformatted.
.It Fl h
Add hexadecimal dump on
.Fl x
@@ -108,14 +111,13 @@ Loop forever with short output on
.Fl D .
.It Fl v
Be verbose.
+The program will dump messages exchanged on
.Dv PF_KEY
-socket
-.Po
-including messages sent from other processes
-.Pc .
+socket, including messages sent from other processes to the kernel.
.El
.Pp
-Operations have the following grammar. Note that lines starting with
+Operations have the following grammar.
+Note that lines starting with
hashmarks ('#') are treated as comment lines.
.Bl -tag -width Ds
.It Xo
@@ -142,6 +144,13 @@ Show an SAD entry.
Remove an SAD entry.
.\"
.It Xo
+.Li deleteall
+.Ar src Ar dst Ar protocol
+.Li ;
+.Xc
+Remove all SAD entries that match the specification.
+.\"
+.It Xo
.Li flush
.Op Ar protocol
.Li ;
@@ -227,7 +236,7 @@ attached
.\"
.Pp
.It Ar extensions
-take some of the following:
+takes some of the following:
.Bl -tag -width Fl -compact
.\"
.It Fl m Ar mode
@@ -243,39 +252,49 @@ The default value is
.It Fl r Ar size
Specify window size of bytes for replay prevention.
.Ar size
-must be decimal number in 32-bit word. If
+must be decimal number in 32-bit word.
+If
.Ar size
is zero or not specified, replay check don't take place.
.\"
.It Fl u Ar id
-Specify the identifier of policy. See also
-.Xr ipsec_set_policy 3 .
+Specify the identifier of the policy entry in SPD.
+See
+.Ar policy .
.\"
.It Fl f Ar pad_option
+defines the content of the ESP padding.
.Ar pad_option
is one of following:
-.Li zero-pad , random-pad
-or
-.Li seq-pad
+.Bl -tag -width random-pad -compact
+.It Li zero-pad
+All of the padding are zero.
+.It Li random-pad
+A series of randomized values are set.
+.It Li seq-pad
+A series of sequential increasing numbers started from 1 are set.
+.El
.\"
.It Fl f Li nocyclic-seq
Don't allow cyclic sequence number.
.\"
.It Fl lh Ar time
.It Fl ls Ar time
-Specify hard/soft lifetime.
+Specify hard/soft life time duration of the SA.
.El
.\"
.Pp
.It Ar algorithm
.Bl -tag -width Fl -compact
.It Fl E Ar ealgo Ar key
-Specify encryption algorithm.
+Specify a encryption algorithm.
.It Fl A Ar aalgo Ar key
-Specify authentication algorithm.
+Specify a authentication algorithm.
If
.Fl A
-is used for esp, it will be treated as ESP payload authentication algorithm.
+is used with
+.Ar protocol Li esp ,
+it will be treated as ESP payload authentication algorithm.
.It Fl C Ar calgo Op Fl R
Specify compression algorithm.
If
@@ -302,23 +321,23 @@ field needs to be smaller than
in this case.
.El
.Pp
-.Li esp
-SAs accept
+.Ar protocol Li esp
+accepts
.Fl E
and
.Fl A .
-.Li esp-old
-SAs accept
+.Ar protocol Li esp-old
+accepts
.Fl E
only.
-.Li ah
+.Ar protocol Li ah
and
.Li ah-old
-SAs accept
+accept
.Fl A
only.
-.Li ipcomp
-SAs accept
+.Ar protocol Li ipcomp
+accepts
.Fl C
only.
.Pp
@@ -365,45 +384,57 @@ They must be in numeric form.
.Pp
.It Ar upperspec
Upper-layer protocol to be used.
-Currently
-.Li icmp ,
+You can use one of words in
+.Pa /etc/protocols
+as
+.Ar upperspec .
+Or
.Li icmp6 ,
.Li ip4 ,
-.Li tcp ,
-.Li udp
and
.Li any
can be specified.
.Li any
stands for
.Dq any protocol .
+Also you can use the protocol number.
.Pp
NOTE:
.Ar upperspec
does not work against forwarding case at this moment,
as it requires extra reassembly at forwarding node
.Pq not implemented at this moment .
+We have many protocols in
+.Pa /etc/protocols ,
+but protocols except of TCP, UDP and ICMP may not be suitable to use with IPSec.
+You have to consider and be careful to use them.
+.Li icmp
+.Li tcp
+.Li udp
+all protocols
.\"
.Pp
.It Ar policy
.Ar policy
is the one of following:
-.Pp
-.Bl -item -compact
-.It
+.Bd -literal -offset
+.Xo
.Fl P
.Ar direction
.Li discard
-.It
+.Xc
+.Xo
.Fl P
.Ar direction
.Li none
-.It
+.Xc
+.Xo
.Fl P
.Ar direction
.Li ipsec
.Ar protocol/mode/src-dst/level
-.El
+.Xc
+.Ed
.Pp
You must specify the direction of its policy as
.Ar direction .
@@ -430,18 +461,33 @@ is either
.Li transport
or
.Li tunnel .
-You must specify the end-points addresses of the SA as
+If
+.Ar mode
+is
+.Li tunnel ,
+you must specify the end-points addresses of the SA as
.Ar src
and
.Ar dst
with
.Sq -
between these addresses which is used to specify the SA to use.
+If
+.Ar mode
+is
+.Li transport ,
+both
+.Ar src
+and
+.Ar dst
+can be omited.
.Ar level
is to be one of the following:
-.Li default , use
+.Li default , use , require
or
-.Li require .
+.Li unique .
+If the SA is not available in every level, the kernel will request
+getting SA to the key exchange daemon.
.Li default
means the kernel consults to the system wide default against protocol you
specified, e.g.
@@ -451,7 +497,23 @@ sysctl variable, when the kernel processes the packet.
means that the kernel use a SA if it's available,
otherwise the kernel keeps normal operation.
.Li require
-means SA is required whenever the kernel deals with the packet.
+means SA is required whenever the kernel sends a packet matched
+with the policy.
+.Li unique
+is the same to require.
+In addition, it allows the policy to bind with the unique out-bound SA.
+If you use the SA by manual keying,
+you can put the decimal number as the policy identifier after
+.Li unique
+separated by colon
+.Sq \:
+like the following;
+.Li unique:number .
+.Li number
+must be between 1 and 32767.
+It corresponds to
+.Ar extensions Fl u .
+.Pp
Note that
.Dq Li discard
and
@@ -491,6 +553,12 @@ keyed-md5 128 ah: 96bit ICV (no document)
keyed-sha1 160 ah: 96bit ICV (no document)
160 ah-old: 128bit ICV (no document)
null 0 to 2048 for debugging
+hmac-sha2-256 256 ah: 96bit ICV (no document)
+ 256 ah-old: 128bit ICV (no document)
+hmac-sha2-384 384 ah: 96bit ICV (no document)
+ 384 ah-old: 128bit ICV (no document)
+hmac-sha2-512 512 ah: 96bit ICV (no document)
+ 512 ah-old: 128bit ICV (no document)
.Ed
.Pp
Followings are the list of encryption algorithms that can be used as
@@ -508,9 +576,9 @@ des-cbc 64 esp-old: rfc1829, esp: rfc2405
simple 0 to 2048 rfc2410
blowfish-cbc 40 to 448 rfc2451
cast128-cbc 40 to 128 rfc2451
-rc5-cbc 40 to 2040 rfc2451
des-deriv 64 ipsec-ciph-des-derived-01 (expired)
3des-deriv 192 no document
+rijndael-cbc 128/192/256 draft-ietf-ipsec-ciph-aes-cbc-00
.Ed
.Pp
Followings are the list of compression algorithms that can be used as
@@ -555,7 +623,8 @@ The command exits with 0 on success, and non-zero on errors.
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
-.Xr sysctl 8
+.Xr sysctl 8 ,
+.Xr racoon 8
.\"
.Sh HISTORY
The
diff --git a/sbin/setkey/setkey.c b/sbin/setkey/setkey.c
index b1e1c1e..e729e7d 100644
--- a/sbin/setkey/setkey.c
+++ b/sbin/setkey/setkey.c
@@ -1,5 +1,5 @@
/* $FreeBSD$ */
-/* $KAME: setkey.c,v 1.14 2000/06/10 06:47:09 sakane Exp $ */
+/* $KAME: setkey.c,v 1.18 2001/05/08 04:36:39 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -63,6 +63,8 @@ int postproc __P((struct sadb_msg *, int));
const char *numstr __P((int));
void shortdump_hdr __P((void));
void shortdump __P((struct sadb_msg *));
+static void printdate __P((void));
+static int32_t gmt2local __P((time_t));
#define MODE_SCRIPT 1
#define MODE_CMDDUMP 2
@@ -79,11 +81,14 @@ int f_mode = 0;
int f_cmddump = 0;
int f_policy = 0;
int f_hexdump = 0;
+int f_tflag = 0;
char *pname;
u_char m_buf[BUFSIZ];
u_int m_len;
+static time_t thiszone;
+
extern int lineno;
extern int parse __P((FILE **));
@@ -112,7 +117,9 @@ main(ac, av)
if (ac == 1) Usage();
- while ((c = getopt(ac, av, "acdf:hlvxDFP")) != EOF) {
+ thiszone = gmt2local(0);
+
+ while ((c = getopt(ac, av, "acdf:hlvxDFP")) != -1) {
switch (c) {
case 'c':
f_mode = MODE_SCRIPT;
@@ -142,6 +149,7 @@ main(ac, av)
break;
case 'x':
f_mode = MODE_PROMISC;
+ f_tflag++;
break;
case 'P':
f_policy = 1;
@@ -199,7 +207,7 @@ get_supported()
if (f_debug)
return 0;
- if (pfkey_send_register(so, PF_UNSPEC) < 0)
+ if (pfkey_send_register(so, SADB_SATYPE_UNSPEC) < 0)
return -1;
if (pfkey_recv_register(so) < 0)
@@ -275,6 +283,7 @@ promisc()
err(1, "recv");
/*NOTREACHED*/
}
+ printdate();
if (f_hexdump) {
int i;
for (i = 0; i < len; i++) {
@@ -541,7 +550,7 @@ shortdump(msg)
snprintf(buf, sizeof(buf), "%-3lu", (u_long)t);
printf("%s", buf);
} else
- printf(" ???/???");
+ printf(" ??\?/???"); /* backslash to avoid trigraph ??/ */
printf(" ");
@@ -576,3 +585,64 @@ shortdump(msg)
printf("\n");
}
+
+/* From: tcpdump(1):gmt2local.c and util.c */
+/*
+ * Print the timestamp
+ */
+static void
+printdate()
+{
+ struct timeval tp;
+ int s;
+
+ if (gettimeofday(&tp, NULL) == -1) {
+ perror("gettimeofday");
+ return;
+ }
+
+ if (f_tflag == 1) {
+ /* Default */
+ s = (tp.tv_sec + thiszone ) % 86400;
+ (void)printf("%02d:%02d:%02d.%06u ",
+ s / 3600, (s % 3600) / 60, s % 60, (u_int32_t)tp.tv_usec);
+ } else if (f_tflag > 1) {
+ /* Unix timeval style */
+ (void)printf("%u.%06u ",
+ (u_int32_t)tp.tv_sec, (u_int32_t)tp.tv_usec);
+ }
+
+ printf("\n");
+}
+
+/*
+ * Returns the difference between gmt and local time in seconds.
+ * Use gmtime() and localtime() to keep things simple.
+ */
+int32_t
+gmt2local(time_t t)
+{
+ register int dt, dir;
+ register struct tm *gmt, *loc;
+ struct tm sgmt;
+
+ if (t == 0)
+ t = time(NULL);
+ gmt = &sgmt;
+ *gmt = *gmtime(&t);
+ loc = localtime(&t);
+ dt = (loc->tm_hour - gmt->tm_hour) * 60 * 60 +
+ (loc->tm_min - gmt->tm_min) * 60;
+
+ /*
+ * If the year or julian day is different, we span 00:00 GMT
+ * and must add or subtract a day. Check the year first to
+ * avoid problems when the julian day wraps.
+ */
+ dir = loc->tm_year - gmt->tm_year;
+ if (dir == 0)
+ dir = loc->tm_yday - gmt->tm_yday;
+ dt += dir * 24 * 60 * 60;
+
+ return (dt);
+}
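Review bot: `gmt2local` dereferences the results of `gmtime()` and `localtime()` without checking for NULL, which both may return when the conversion fails; since the copy into `sgmt` has to happen before `localtime()` reuses the shared static buffer, the checks fit in place: `if ((loc = gmtime(&t)) == NULL) return (0);`, `sgmt = *loc; gmt = &sgmt;`, `if ((loc = localtime(&t)) == NULL) return (0);`. The prototype added in the earlier hunk declares `gmt2local` as `static int32_t`, but the definition here omits `static` and uses an ANSI parameter list while the rest of the file uses K&R definitions; `static int32_t gmt2local(time_t t)` keeps the linkage consistent and avoids compilers warning on the mismatch. `thiszone` is computed once in main(), so a DST transition during a long-running `-x` loop is not reflected in printdate's output — tcpdump, which this is taken from, behaves the same way, but a comment at the assignment would spare the next reader the question. `register` on the locals is obsolete and can be dropped.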
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
index c2eaad5..208196e 100644
--- a/sbin/setkey/token.l
+++ b/sbin/setkey/token.l
@@ -1,5 +1,5 @@
/* $FreeBSD$ */
-/* $KAME: token.l,v 1.13 2000/06/07 00:29:14 itojun Exp $ */
+/* $KAME: token.l,v 1.21 2001/05/18 05:35:01 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -47,7 +47,11 @@
#include <unistd.h>
#include <errno.h>
#include "vchar.h"
+#ifdef __NetBSD__
+#include "parse.h"
+#else
#include "y.tab.h"
+#endif
#define DECHO \
if (f_debug) {printf("<%d>", yy_start); ECHO ; printf("\n"); }
@@ -121,6 +125,7 @@ hostname {name}(({dot}{name})+{dot}?)?
add { PREPROC; return(ADD); }
delete { PREPROC; return(DELETE); }
+deleteall { PREPROC; return(DELETEALL); }
get { PREPROC; return(GET); }
flush { PREPROC; return(FLUSH); }
dump { PREPROC; return(DUMP); }
@@ -160,20 +165,23 @@ ipcomp { PREPROC; yylval.num = 0; return(PR_IPCOMP); }
{hyphen}A { PREPROC; return(F_AUTH); }
hmac-md5 { PREPROC; yylval.num = SADB_AALG_MD5HMAC; return(ALG_AUTH); }
hmac-sha1 { PREPROC; yylval.num = SADB_AALG_SHA1HMAC; return(ALG_AUTH); }
-keyed-md5 { PREPROC; yylval.num = SADB_AALG_MD5; return(ALG_AUTH); }
-keyed-sha1 { PREPROC; yylval.num = SADB_AALG_SHA; return(ALG_AUTH); }
-null { PREPROC; yylval.num = SADB_AALG_NULL; return(ALG_AUTH); }
+keyed-md5 { PREPROC; yylval.num = SADB_X_AALG_MD5; return(ALG_AUTH); }
+keyed-sha1 { PREPROC; yylval.num = SADB_X_AALG_SHA; return(ALG_AUTH); }
+hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); }
+hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); }
+hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); }
+null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); }
/* encryption alogorithm */
{hyphen}E { PREPROC; return(F_ENC); }
des-cbc { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC); }
3des-cbc { PREPROC; yylval.num = SADB_EALG_3DESCBC; return(ALG_ENC); }
simple { PREPROC; yylval.num = SADB_EALG_NULL; return(ALG_ENC); }
-blowfish-cbc { PREPROC; yylval.num = SADB_EALG_BLOWFISHCBC; return(ALG_ENC); }
-cast128-cbc { PREPROC; yylval.num = SADB_EALG_CAST128CBC; return(ALG_ENC); }
-rc5-cbc { PREPROC; yylval.num = SADB_EALG_RC5CBC; return(ALG_ENC); }
+blowfish-cbc { PREPROC; yylval.num = SADB_X_EALG_BLOWFISHCBC; return(ALG_ENC); }
+cast128-cbc { PREPROC; yylval.num = SADB_X_EALG_CAST128CBC; return(ALG_ENC); }
des-deriv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DESDERIV); }
des-32iv { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC_DES32IV); }
+rijndael-cbc { PREPROC; yylval.num = SADB_X_EALG_RIJNDAELCBC; return(ALG_ENC); }
/* compression algorithms */
{hyphen}C { PREPROC; return(F_COMP); }
@@ -196,14 +204,6 @@ nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
{hyphen}lh { PREPROC; return(F_LIFETIME_HARD); }
{hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); }
-
- /* upper layer protocols */
-icmp { PREPROC; yylval.num = IPPROTO_ICMP; return(UP_PROTO); }
-icmp6 { PREPROC; yylval.num = IPPROTO_ICMPV6; return(UP_PROTO); }
-ip4 { PREPROC; yylval.num = IPPROTO_IPV4; return(UP_PROTO); }
-tcp { PREPROC; yylval.num = IPPROTO_TCP; return(UP_PROTO); }
-udp { PREPROC; yylval.num = IPPROTO_UDP; return(UP_PROTO); }
-
/* ... */
any { PREPROC; return(ANY); }
{ws} { PREPROC; }
@@ -277,6 +277,12 @@ any { PREPROC; return(ANY); }
return(QUOTEDSTRING);
}
+[a-z0-9.\-]* {
+ yylval.val.len = yyleng;
+ yylval.val.buf = strdup(yytext);
+ return(STRING);
+ }
+
. {
yyfatal("Syntax error");
/*NOTREACHED*/
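Review bot: The `strdup()` in the new `STRING` rule is unchecked, so on allocation failure `yylval.val.buf` is NULL and the `upper_spec` action in parse.y hands it to `getprotobyname()` and `strcmp()`. The file already has `yyfatal` for the error path, so `if (yylval.val.buf == NULL) yyfatal("insufficient memory");` after the `strdup` matches the existing style. The `*` quantifier also lets `[a-z0-9.\-]*` match the empty string, which is rarely what a token rule intends; `[a-z0-9.\-]+` requires at least one character and leaves the single-character `.` rule to report anything else as a syntax error.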