From 8ed702383fb71581fa139a8a70b92984f6b9ba38 Mon Sep 17 00:00:00 2001
From: brian
Date: Thu, 17 May 2001 15:30:49 +0000
Subject: Allow ``ip4'' as an ``upperspec'' value, and update the man page with *all* the permissible values. This should really be spelt ipencap (as /etc/protocols does), but a precedent has already been set by the ipproto array in setkey.c. It would be nice if /etc/protocols was parsed for the upperspec field, but I don't do yacc/lex... This change allows policies that only encrypt the encapsulated packets passing between the endpoints of a gif tunnel. Setting such a policy means that you can still talk directly (and unencrypted) between the public IP numbers with (say) ssh.
MFC after: 1 week
---
 usr.sbin/setkey/setkey.8 | 3 +++
 usr.sbin/setkey/token.l | 1 +
 2 files changed, 4 insertions(+)
(limited to 'usr.sbin/setkey')
diff --git a/usr.sbin/setkey/setkey.8 b/usr.sbin/setkey/setkey.8
index 3bfcada..7921800 100644
--- a/usr.sbin/setkey/setkey.8
+++ b/usr.sbin/setkey/setkey.8
@@ -366,6 +366,9 @@ They must be in numeric form.
 .It Ar upperspec
 Upper-layer protocol to be used.
 Currently
+.Li icmp ,
+.Li icmp6 ,
+.Li ip4 ,
 .Li tcp ,
 .Li udp
 and
diff --git a/usr.sbin/setkey/token.l b/usr.sbin/setkey/token.l
index 8916fdd..c2eaad5 100644
--- a/usr.sbin/setkey/token.l
+++ b/usr.sbin/setkey/token.l
@@ -200,6 +200,7 @@ nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
 /* upper layer protocols */
 icmp { PREPROC; yylval.num = IPPROTO_ICMP; return(UP_PROTO); }
 icmp6 { PREPROC; yylval.num = IPPROTO_ICMPV6; return(UP_PROTO); }
+ip4 { PREPROC; yylval.num = IPPROTO_IPV4; return(UP_PROTO); }
 tcp { PREPROC; yylval.num = IPPROTO_TCP; return(UP_PROTO); }
 udp { PREPROC; yylval.num = IPPROTO_UDP; return(UP_PROTO); }
--
cgit v1.1
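Review bot: The `ip4` rule added to token.l selects only protocol 4 (`IPPROTO_IPV4`, IPv4-in-IP), yet the keyword reads as "all IPv4 traffic", and nothing in the rule or in the setkey.8 list says otherwise. A policy written with it leaves every other protocol between the two endpoints unprotected, which the commit message treats as intended, and if the gif tunnel also carries IPv6 those packets use protocol 41 and would presumably not match either. I would put `/* ip4 is IP-in-IP encapsulation (protocol 4), not "any IPv4 packet" */` above the rule, say the same in setkey.8, and consider a parallel rule returning `IPPROTO_IPV6`. The rule list continues on both sides of the hunk, so a token for that case may already exist outside the visible lines.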