search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / usr / src / cmd / cmd-inet / usr.sbin / ipsecutils / ipsecconf.c
blob1abf6dcb5e06ba526535f97cde041f34e3943381
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #include <stdio.h>
26 #include <sys/types.h>
27 #include <sys/stat.h>
28 #include <strings.h>
29 #include <stropts.h>
30 #include <fcntl.h>
31 #include <stdlib.h>
32 #include <unistd.h>
33 #include <string.h>
34 #include <ctype.h>
35 #include <arpa/inet.h>
36 #include <locale.h>
37 #include <syslog.h>
38 #include <pwd.h>
39 #include <sys/param.h>
40 #include <sys/sysmacros.h> /* MIN, MAX */
41 #include <sys/sockio.h>
42 #include <net/pfkeyv2.h>
43 #include <net/pfpolicy.h>
44 #include <inet/ipsec_impl.h>
45 #include <signal.h>
46 #include <errno.h>
47 #include <netdb.h>
48 #include <sys/socket.h>
49 #include <sys/systeminfo.h>
50 #include <nss_dbdefs.h> /* NSS_BUFLEN_HOSTS */
51 #include <netinet/in.h>
52 #include <assert.h>
53 #include <inet/ip.h>
54 #include <ipsec_util.h>
55 #include <netinet/in_systm.h>
56 #include <netinet/ip_icmp.h>
57 #include <netinet/icmp6.h>
58
59 /*
60 * Globals
61 */
62 int lfd;
63 char *my_fmri;
64 FILE *debugfile;
65
66 #define USAGE() if (!smf_managed) usage()
67 /*
68 * Buffer length to read in pattern/properties.
69 */
70 #define MAXLEN 1024
71
72 /* Max length of tunnel interface string identifier */
73 #define TUNNAMEMAXLEN LIFNAMSIZ
74
75 /*
76 * Used by parse_one and parse/parse_action to communicate
77 * the errors. -1 is failure, which is not defined here.
78 */
79 enum parse_errors {PARSE_SUCCESS, PARSE_EOF};
80
81 /*
82 * For spdsock_get_ext() diagnostics.
83 */
84 #define SPDSOCK_DIAG_BUF_LEN 128
85 static char spdsock_diag_buf[SPDSOCK_DIAG_BUF_LEN];
86
87 /*
88 * Define CURL here so that while you are reading
89 * this code, it does not affect "vi" in pattern
90 * matching.
91 */
92 #define CURL_BEGIN '{'
93 #define CURL_END '}'
94 #define BACK_SLASH '\\'
95 #define MAXARGS 20
96 #define NOERROR 0
97
98 /*
99 * IPSEC_CONF_ADD should start with 1, so that when multiple commands
100 * are given, we can fail the request.
101 */
102
103 enum ipsec_cmds {IPSEC_CONF_ADD = 1, IPSEC_CONF_DEL, IPSEC_CONF_VIEW,
104 IPSEC_CONF_FLUSH, IPSEC_CONF_LIST, IPSEC_CONF_SUB, IPSEC_CONF_REPLACE};
105
106 static const char policy_conf_file[] = "/var/run/ipsecpolicy.conf";
107 static const char lock_file[] = "/var/run/ipsecconf.lock";
108 static const char index_tag[] = "#INDEX";
109
110 #define POLICY_CONF_FILE policy_conf_file
111 #define LOCK_FILE lock_file
112 #define INDEX_TAG index_tag
113
114 /*
115 * Valid algorithm length.
116 */
117 #define VALID_ALG_LEN 40
118
119 /* Types of Error messages */
120 typedef enum error_type {BAD_ERROR, DUP_ERROR, REQ_ERROR} error_type_t;
121
122 /* Error message human readable conversions */
123 static char *sys_error_message(int);
124 static void error_message(error_type_t, int, int);
125 static int get_pf_pol_socket(void);
126
127 static int cmd;
128 static char *filename;
129 static char lo_buf[MAXLEN]; /* Leftover buffer */
130
131 /*
132 * The new SPD_EXT_TUN_NAME extension has a tunnel name in it. Use the empty
133 * string ("", stored in the char value "all_polheads") for all policy heads
134 * (global and all tunnels). Set interface_name to NULL for global-only, or
135 * specify a name of an IP-in-IP tunnel.
136 */
137 static char *interface_name;
138 static char all_polheads; /* So we can easily get "". */
139
140 /* Error reporting stuff */
141 #define CBUF_LEN 8192 /* Maximum size of the cmd */
142 /*
143 * Following are used for reporting errors with arguments.
144 * We store the line numbers of each argument as we parse them,
145 * so that the error reporting is more specific. We can have only
146 * (MAXARGS - 1) arguments between any pair of CURL_BEGIN CURL_END.
147 * Because a single command can be made up of multiple action/property
148 * combinations, the maximum command size is (2 * (MAXARGS -1)) for each
149 * of patterns, properties and actions.
150 */
151 #define ARG_BUF_LEN ((2 * 3 * (MAXARGS - 1)) + 1)
152 static int arg_indices[ARG_BUF_LEN];
153 static int argindex;
154 static int linecount;
155 static char cbuf[CBUF_LEN]; /* Command buffer */
156 static int cbuf_offset;
157
158
159 #define BYPASS_POLICY_BOOST 0x00800000
160 #define ESP_POLICY_BOOST 0x00400000
161 #define AH_POLICY_BOOST 0x00200000
162 #define INITIAL_BASE_PRIORITY 0x000fffff
163
164 /*
165 * the number used to order the
166 * rules starts at a certain base and
167 * goes down. i.e. rules earlier in
168 * the file are checked first
169 */
170 static uint32_t priority = INITIAL_BASE_PRIORITY;
171
172 #define AH_AUTH 0
173 #define ESP_ENCR 1
174 #define ESP_AUTH 2
175
176
177 /*
178 * for deleting adds on error
179 */
180
181 typedef struct d_list_s
182 {
183 struct d_list_s *next;
184 int index;
185 } d_list_t;
186
187 static d_list_t *d_list = NULL;
188 static d_list_t *d_tail = NULL;
189
190
191 /*
192 * Used for multi-homed source/dest hosts.
193 */
194 static struct hostent *shp, *dhp;
195 static unsigned int splen, dplen;
196 static char tunif[TUNNAMEMAXLEN];
197 static boolean_t has_saprefix, has_daprefix;
198 static uint32_t seq_cnt = 0;
199
200 /* lexxed out action and related properties */
201 typedef struct ap_s
202 {
203 char *act;
204 char *prop[MAXARGS + 1];
205 } ap_t;
206
207
208 /* one lexxed out rule */
209 typedef struct act_prop_s {
210 char *pattern[MAXARGS + 1];
211 ap_t ap[MAXARGS + 1];
212 } act_prop_t;
213
214 typedef struct
215 {
216 uint8_t alg_id;
217 uint32_t alg_minbits;
218 uint32_t alg_maxbits;
219 } algreq_t;
220
221 /* structure to hold all information for one act_prop_t */
222 typedef struct ips_act_props_s {
223 struct ips_act_props_s *iap_next;
224 struct ips_conf_s *iap_head;
225
226 /*
227 * IPsec action types (in SPD_ATTR_TYPE attribute)
228 * SPD_ACTTYPE_DROP 0x0001
229 * SPD_ACTTYPE_PASS 0x0002
230 * SPD_ACTTYPE_IPSEC 0x0003
231 */
232 uint16_t iap_action;
233 uint16_t iap_act_tok;
234
235 /*
236 * Action ATTR flags (in SPD_ATTR_FLAGS attribute)
237 * SPD_APPLY_AH 0x0001
238 * SPD_APPLY_ESP 0x0002
239 * SPD_APPLY_SE 0x0004 * self-encapsulation *
240 * SPD_APPLY_COMP 0x0008 * compression; NYI *
241 * SPD_APPLY_UNIQUE 0x0010 * unique per-flow SA *
242 * SPD_APPLY_BYPASS 0x0020 * bypass policy *
243 */
244 uint16_t iap_attr;
245 uint16_t iap_attr_tok[5];
246
247 algreq_t iap_aauth;
248 algreq_t iap_eencr;
249 algreq_t iap_eauth;
250
251 uint32_t iap_life_soft_time;
252 uint32_t iap_life_hard_time;
253 uint32_t iap_life_soft_bytes;
254 uint32_t iap_life_hard_bytes;
255
256 } ips_act_props_t;
257
258 #define V4_PART_OF_V6(v6) v6._S6_un._S6_u32[3]
259
260 typedef struct ips_conf_s {
261 /* selector */
262 uint16_t patt_tok[8];
263 uint8_t has_saddr;
264 uint8_t has_daddr;
265 uint8_t has_smask;
266 uint8_t has_dmask;
267 uint8_t has_type;
268 uint8_t has_code;
269 uint8_t has_negotiate;
270 uint8_t has_tunnel;
271 uint16_t swap;
272
273 struct in6_addr ips_src_addr_v6;
274 struct in6_addr ips_src_mask_v6;
275 struct in6_addr ips_dst_addr_v6;
276 struct in6_addr ips_dst_mask_v6;
277 uint8_t ips_src_mask_len;
278 uint8_t ips_dst_mask_len;
279 in_port_t ips_src_port_min;
280 in_port_t ips_src_port_max;
281 in_port_t ips_dst_port_min;
282 in_port_t ips_dst_port_max;
283 uint8_t ips_icmp_type;
284 uint8_t ips_icmp_type_end;
285 uint8_t ips_icmp_code;
286 uint8_t ips_icmp_code_end;
287 uint8_t ips_ulp_prot;
288 uint8_t ips_ipsec_prot;
289 uint8_t ips_isv4;
290 /*
291 * SPD_RULE_FLAG_INBOUND 0x0001
292 * SPD_RULE_FLAG_OUTBOUND 0x0002
293 */
294 uint8_t ips_dir;
295 /*
296 * Keep track of tunnel separately due to explosion of ways to set
297 * inbound/outbound.
298 */
299 boolean_t ips_tunnel;
300 uint64_t ips_policy_index;
301 uint32_t ips_act_cnt;
302 ips_act_props_t *ips_acts;
303 } ips_conf_t;
304
305 #define ips_src_addr V4_PART_OF_V6(ips_src_addr_v6)
306 #define ips_dst_addr V4_PART_OF_V6(ips_dst_addr_v6)
307
308 static int ipsecconf_nflag; /* Used only with -l option */
309 static int ipsecconf_qflag; /* Used only with -a|-r option */
310
311 typedef struct str_val {
312 const char *string;
313 int value;
314 } str_val_t;
315
316 typedef struct str_tval {
317 const char *string;
318 int tok_val;
319 int value;
320 } str_tval_t;
321
322 static int parse_int(const char *);
323 static int parse_index(const char *, char *);
324 static int attach_tunname(spd_if_t *);
325 static void usage(void);
326 static int ipsec_conf_del(int, boolean_t);
327 static int ipsec_conf_add(boolean_t, boolean_t, boolean_t);
328 static int ipsec_conf_sub(void);
329 static int ipsec_conf_flush(int);
330 static int ipsec_conf_view(void);
331 static int ipsec_conf_list(void);
332 static int lock(void);
333 static int unlock(int);
334 static int parse_one(FILE *, act_prop_t *);
335 static void reconfigure();
336 static void in_prefixlentomask(unsigned int, uchar_t *);
337 static int in_getprefixlen(char *);
338 static int parse_address(int, char *);
339 #ifdef DEBUG_HEAVY
340 static void pfpol_msg_dump(spd_msg_t *msg, char *);
341 #endif /* DEBUG_HEAVY */
342 static void print_pfpol_msg(spd_msg_t *);
343 static int pfp_delete_rule(uint64_t);
344 static void ipsec_conf_admin(uint8_t);
345 static void print_bit_range(int, int);
346 static void nuke_adds();
347 static boolean_t combined_mode(uint_t);
348
349 #ifdef DEBUG
350 static void dump_conf(ips_conf_t *);
351 #endif
352
353 typedef struct
354 {
355 uint32_t id;
356 uint32_t minkeybits;
357 uint32_t maxkeybits;
358 uint32_t defkeybits;
359 uint32_t incr;
360 } alginfo_t;
361
362 static int ipsec_nalgs[3];
363 static alginfo_t known_algs[3][256];
364
365 #define IPS_SRC_MASK SPD_EXT_LCLADDR + 100
366 #define IPS_DST_MASK SPD_EXT_REMADDR + 100
367
368 /*
369 * if inbound, src=remote, dst=local
370 * if outbound, src=local, dst=remote
371 */
372
373 #define TOK_saddr 1
374 #define TOK_daddr 2
375 #define TOK_sport 3
376 #define TOK_dport 4
377 #define TOK_smask 5
378 #define TOK_dmask 6
379 #define TOK_ulp 7
380 #define TOK_local 8
381 #define TOK_lport 9
382 #define TOK_remote 10
383 #define TOK_rport 11
384 #define TOK_dir 12
385 #define TOK_type 13
386 #define TOK_code 14
387 #define TOK_negotiate 15
388 #define TOK_tunnel 16
389
390 #define IPS_SA SPD_ATTR_END
391 #define IPS_DIR SPD_ATTR_EMPTY
392 #define IPS_NEG SPD_ATTR_NOP
393
394
395 static str_tval_t pattern_table[] = {
396 {"saddr", TOK_saddr, SPD_EXT_LCLADDR},
397 {"src", TOK_saddr, SPD_EXT_LCLADDR},
398 {"srcaddr", TOK_saddr, SPD_EXT_LCLADDR},
399 {"daddr", TOK_daddr, SPD_EXT_REMADDR},
400 {"dst", TOK_daddr, SPD_EXT_REMADDR},
401 {"dstaddr", TOK_daddr, SPD_EXT_REMADDR},
402 {"sport", TOK_sport, SPD_EXT_LCLPORT},
403 {"dport", TOK_dport, SPD_EXT_REMPORT},
404 {"smask", TOK_smask, IPS_SRC_MASK},
405 {"dmask", TOK_dmask, IPS_DST_MASK},
406 {"ulp", TOK_ulp, SPD_EXT_PROTO},
407 {"proto", TOK_ulp, SPD_EXT_PROTO},
408 {"local", TOK_local, SPD_EXT_LCLADDR},
409 {"laddr", TOK_local, SPD_EXT_LCLADDR},
410 {"lport", TOK_lport, SPD_EXT_LCLPORT},
411 {"remote", TOK_remote, SPD_EXT_REMADDR},
412 {"raddr", TOK_remote, SPD_EXT_REMADDR},
413 {"rport", TOK_rport, SPD_EXT_REMPORT},
414 {"dir", TOK_dir, IPS_DIR},
415 {"type", TOK_type, SPD_EXT_ICMP_TYPECODE},
416 {"code", TOK_code, SPD_EXT_ICMP_TYPECODE},
417 {"negotiate", TOK_negotiate, IPS_NEG},
418 {"tunnel", TOK_tunnel, SPD_EXT_TUN_NAME},
419 {NULL, 0, 0},
420 };
421
422 #define TOK_apply 1
423 #define TOK_permit 2
424 #define TOK_ipsec 3
425 #define TOK_bypass 4
426 #define TOK_drop 5
427 #define TOK_or 6
428
429 static str_tval_t action_table[] = {
430 {"apply", TOK_apply, SPD_ACTTYPE_IPSEC},
431 {"permit", TOK_permit, SPD_ACTTYPE_IPSEC},
432 {"ipsec", TOK_ipsec, SPD_ACTTYPE_IPSEC},
433 {"bypass", TOK_bypass, SPD_ACTTYPE_PASS},
434 {"pass", TOK_bypass, SPD_ACTTYPE_PASS},
435 {"drop", TOK_drop, SPD_ACTTYPE_DROP},
436 {"or", TOK_or, 0},
437 {NULL, 0, 0},
438 };
439
440 static str_val_t property_table[] = {
441 {"auth_algs", SPD_ATTR_AH_AUTH},
442 {"encr_algs", SPD_ATTR_ESP_ENCR},
443 {"encr_auth_algs", SPD_ATTR_ESP_AUTH},
444 {"sa", IPS_SA},
445 {"dir", IPS_DIR},
446 {NULL, 0},
447 };
448
449 static str_val_t icmp_type_table[] = {
450 {"unreach", ICMP_UNREACH},
451 {"echo", ICMP_ECHO},
452 {"echorep", ICMP_ECHOREPLY},
453 {"squench", ICMP_SOURCEQUENCH},
454 {"redir", ICMP_REDIRECT},
455 {"timex", ICMP_TIMXCEED},
456 {"paramprob", ICMP_PARAMPROB},
457 {"timest", ICMP_TSTAMP},
458 {"timestrep", ICMP_TSTAMPREPLY},
459 {"inforeq", ICMP_IREQ},
460 {"inforep", ICMP_IREQREPLY},
461 {"maskreq", ICMP_MASKREQ},
462 {"maskrep", ICMP_MASKREPLY},
463 {"unreach6", ICMP6_DST_UNREACH},
464 {"pkttoobig6", ICMP6_PACKET_TOO_BIG},
465 {"timex6", ICMP6_TIME_EXCEEDED},
466 {"paramprob6", ICMP6_PARAM_PROB},
467 {"echo6", ICMP6_ECHO_REQUEST},
468 {"echorep6", ICMP6_ECHO_REPLY},
469 {"router-sol6", ND_ROUTER_SOLICIT},
470 {"router-ad6", ND_ROUTER_ADVERT},
471 {"neigh-sol6", ND_NEIGHBOR_SOLICIT},
472 {"neigh-ad6", ND_NEIGHBOR_ADVERT},
473 {"redir6", ND_REDIRECT},
474 {NULL, 0},
475 };
476
477 static str_val_t icmp_code_table[] = {
478 {"net-unr", ICMP_UNREACH_NET},
479 {"host-unr", ICMP_UNREACH_HOST},
480 {"proto-unr", ICMP_UNREACH_PROTOCOL},
481 {"port-unr", ICMP_UNREACH_PORT},
482 {"needfrag", ICMP_UNREACH_NEEDFRAG},
483 {"srcfail", ICMP_UNREACH_SRCFAIL},
484 {"net-unk", ICMP_UNREACH_NET_UNKNOWN},
485 {"host-unk", ICMP_UNREACH_HOST_UNKNOWN},
486 {"isolate", ICMP_UNREACH_ISOLATED},
487 {"net-prohib", ICMP_UNREACH_NET_PROHIB},
488 {"host-prohib", ICMP_UNREACH_HOST_PROHIB},
489 {"net-tos", ICMP_UNREACH_TOSNET},
490 {"host-tos", ICMP_UNREACH_TOSHOST},
491 {"filter-prohib", ICMP_UNREACH_FILTER_PROHIB},
492 {"host-preced", ICMP_UNREACH_HOST_PRECEDENCE},
493 {"cutoff-preced", ICMP_UNREACH_PRECEDENCE_CUTOFF},
494 {"no-route6", ICMP6_DST_UNREACH_NOROUTE},
495 {"adm-prohib6", ICMP6_DST_UNREACH_ADMIN},
496 {"addr-unr6", ICMP6_DST_UNREACH_ADDR},
497 {"port-unr6", ICMP6_DST_UNREACH_NOPORT},
498 {"hop-limex6", ICMP6_TIME_EXCEED_TRANSIT},
499 {"frag-re-timex6", ICMP6_TIME_EXCEED_REASSEMBLY},
500 {"err-head6", ICMP6_PARAMPROB_HEADER},
501 {"unrec-head6", ICMP6_PARAMPROB_NEXTHEADER},
502 {"unreq-opt6", ICMP6_PARAMPROB_OPTION},
503 {NULL, 0},
504 };
505
506 static sigset_t set, oset;
507
508
509 static boolean_t
510 add_index(int index)
511 {
512 d_list_t *temp = malloc(sizeof (d_list_t));
513
514 if (temp == NULL) {
515 warn("malloc");
516 return (B_TRUE);
517 }
518
519 temp->index = index;
520 temp->next = NULL;
521
522 if (d_tail == NULL) {
523 d_list = d_tail = temp;
524 return (B_FALSE);
525 }
526
527 d_tail->next = temp;
528 d_tail = temp;
529
530 return (B_FALSE);
531 }
532
533 static int
534 block_all_signals()
535 {
536 if (sigfillset(&set) == -1) {
537 warn("sigfillset");
538 return (-1);
539 }
540 if (sigprocmask(SIG_SETMASK, &set, &oset) == -1) {
541 warn("sigprocmask");
542 return (-1);
543 }
544 return (0);
545 }
546
547 static int
548 restore_all_signals()
549 {
550 if (sigprocmask(SIG_SETMASK, &oset, NULL) == -1) {
551 warn("sigprocmask");
552 return (-1);
553 }
554 return (0);
555 }
556
557 /* allocate an ips_act_props_t and link it in correctly */
558 static ips_act_props_t *
559 alloc_iap(ips_conf_t *parent)
560 {
561 ips_act_props_t *ret;
562 ips_act_props_t *next = parent->ips_acts;
563 ips_act_props_t *current = NULL;
564
565 ret = (ips_act_props_t *)calloc(sizeof (ips_act_props_t), 1);
566
567 if (ret == NULL)
568 return (NULL);
569
570 ret->iap_head = parent;
571
572 while (next != NULL) {
573 current = next;
574 next = next->iap_next;
575 }
576
577 if (current != NULL)
578 current->iap_next = ret;
579 else
580 parent->ips_acts = ret;
581
582 parent->ips_act_cnt++;
583
584 return (ret);
585 }
586
587 /*
588 * This function exit()s if it fails.
589 */
590 static void
591 fetch_algorithms()
592 {
593 struct spd_msg msg;
594 struct spd_ext_actions *actp;
595 struct spd_attribute *attr, *endattr;
596 spd_ext_t *exts[SPD_EXT_MAX+1];
597 uint64_t reply_buf[256];
598 int sfd;
599 int cnt, retval;
600 uint64_t *start, *end;
601 alginfo_t alg = {0, 0, 0, 0, 0};
602 uint_t algtype;
603 static boolean_t has_run = B_FALSE;
604
605 if (has_run)
606 return;
607 else
608 has_run = B_TRUE;
609
610 sfd = get_pf_pol_socket();
611 if (sfd < 0) {
612 err(-1, gettext("unable to open policy socket"));
613 }
614
615 (void) memset(&msg, 0, sizeof (msg));
616 msg.spd_msg_version = PF_POLICY_V1;
617 msg.spd_msg_type = SPD_ALGLIST;
618 msg.spd_msg_len = SPD_8TO64(sizeof (msg));
619
620 cnt = write(sfd, &msg, sizeof (msg));
621 if (cnt != sizeof (msg)) {
622 if (cnt < 0) {
623 err(-1, gettext("alglist failed: write"));
624 } else {
625 errx(-1, gettext("alglist failed: short write"));
626 }
627 }
628
629 cnt = read(sfd, reply_buf, sizeof (reply_buf));
630
631 retval = spdsock_get_ext(exts, (spd_msg_t *)reply_buf, SPD_8TO64(cnt),
632 spdsock_diag_buf, SPDSOCK_DIAG_BUF_LEN);
633
634 if (retval == KGE_LEN && exts[0]->spd_ext_len == 0) {
635 /*
636 * No algorithms are defined in the kernel, which caused
637 * the extension length to be zero, and spdsock_get_ext()
638 * to fail with a KGE_LEN error. This is not an error
639 * condition, so we return nicely.
640 */
641 (void) close(sfd);
642 return;
643 } else if (retval != 0) {
644 if (strlen(spdsock_diag_buf) != 0)
645 warnx(spdsock_diag_buf);
646 err(1, gettext("fetch_algorithms failed"));
647 }
648
649 if (!exts[SPD_EXT_ACTION]) {
650 errx(1, gettext("fetch_algorithms: action missing?!"));
651 }
652
653 actp = (struct spd_ext_actions *)exts[SPD_EXT_ACTION];
654 start = (uint64_t *)actp;
655 end = (start + actp->spd_actions_len);
656 endattr = (struct spd_attribute *)end;
657 attr = (struct spd_attribute *)&actp[1];
658
659 algtype = 0;
660
661 while (attr < endattr) {
662 switch (attr->spd_attr_tag) {
663 case SPD_ATTR_NOP:
664 case SPD_ATTR_EMPTY:
665 break;
666 case SPD_ATTR_END:
667 attr = endattr;
668 /* FALLTHRU */
669 case SPD_ATTR_NEXT:
670 known_algs[algtype][ipsec_nalgs[algtype]] = alg;
671 ipsec_nalgs[algtype]++;
672 break;
673
674 case SPD_ATTR_ENCR_MINBITS:
675 case SPD_ATTR_AH_MINBITS:
676 case SPD_ATTR_ESPA_MINBITS:
677 alg.minkeybits = attr->spd_attr_value;
678 break;
679
680 case SPD_ATTR_ENCR_MAXBITS:
681 case SPD_ATTR_AH_MAXBITS:
682 case SPD_ATTR_ESPA_MAXBITS:
683 alg.maxkeybits = attr->spd_attr_value;
684 break;
685
686 case SPD_ATTR_ENCR_DEFBITS:
687 case SPD_ATTR_AH_DEFBITS:
688 case SPD_ATTR_ESPA_DEFBITS:
689 alg.defkeybits = attr->spd_attr_value;
690 break;
691
692 case SPD_ATTR_ENCR_INCRBITS:
693 case SPD_ATTR_AH_INCRBITS:
694 case SPD_ATTR_ESPA_INCRBITS:
695 alg.incr = attr->spd_attr_value;
696 break;
697
698 case SPD_ATTR_AH_AUTH:
699 case SPD_ATTR_ESP_AUTH:
700 case SPD_ATTR_ESP_ENCR:
701 alg.id = attr->spd_attr_value;
702 algtype = attr->spd_attr_tag - SPD_ATTR_AH_AUTH;
703 break;
704 }
705 attr++;
706 }
707
708 (void) close(sfd);
709 }
710
711 /* data dependant transform (act_cnt) */
712 #define ATTR(ap, tag, value) \
713 do { (ap)->spd_attr_tag = (tag); \
714 (ap)->spd_attr_value = (value); \
715 ap++; } while (0)
716
717 static struct spd_attribute *
718 emit_alg(struct spd_attribute *ap, int type, const algreq_t *ar,
719 int algattr, int minbitattr, int maxbitattr)
720 {
721 int id = ar->alg_id;
722 int minbits, i;
723
724 if (id != 0) {
725 /* LINTED E_CONST_COND */
726 ATTR(ap, algattr, ar->alg_id);
727
728 minbits = ar->alg_minbits;
729 if (minbits == 0) {
730 for (i = 0; i < ipsec_nalgs[type]; i++) {
731 if (known_algs[type][i].id == id)
732 break;
733 }
734 if (i < ipsec_nalgs[type])
735 minbits = known_algs[type][i].defkeybits;
736 }
737 if (minbits != 0)
738 /* LINTED E_CONST_COND */
739 ATTR(ap, minbitattr, minbits);
740 if (ar->alg_maxbits != SPD_MAX_MAXBITS)
741 /* LINTED E_CONST_COND */
742 ATTR(ap, maxbitattr, ar->alg_maxbits);
743 }
744
745 return (ap);
746 }
747
748
749
750 static struct spd_attribute *
751 ips_act_props_to_action(struct spd_attribute *ap, uint32_t *rule_priorityp,
752 const ips_act_props_t *act_ptr)
753 {
754 uint32_t rule_priority = *rule_priorityp;
755
756 /* LINTED E_CONST_COND */
757 ATTR(ap, SPD_ATTR_EMPTY, 0);
758
759 /* type */
760 /* LINTED E_CONST_COND */
761 ATTR(ap, SPD_ATTR_TYPE, act_ptr->iap_action);
762
763 if (act_ptr->iap_action == SPD_ACTTYPE_PASS)
764 rule_priority |= BYPASS_POLICY_BOOST;
765
766 /* flags */
767 if (act_ptr->iap_attr != 0)
768 /* LINTED E_CONST_COND */
769 ATTR(ap, SPD_ATTR_FLAGS, act_ptr->iap_attr);
770
771 /* esp */
772 if (act_ptr->iap_attr & SPD_APPLY_ESP) {
773 rule_priority |= ESP_POLICY_BOOST;
774
775 /* encr */
776 ap = emit_alg(ap, ESP_ENCR, &act_ptr->iap_eencr,
777 SPD_ATTR_ESP_ENCR,
778 SPD_ATTR_ENCR_MINBITS, SPD_ATTR_ENCR_MAXBITS);
779
780 /* auth */
781 ap = emit_alg(ap, ESP_AUTH, &act_ptr->iap_eauth,
782 SPD_ATTR_ESP_AUTH,
783 SPD_ATTR_ESPA_MINBITS, SPD_ATTR_ESPA_MAXBITS);
784 }
785
786 /* ah */
787 if (act_ptr->iap_attr & SPD_APPLY_AH) {
788 rule_priority |= AH_POLICY_BOOST;
789 /* auth */
790 ap = emit_alg(ap, AH_AUTH, &act_ptr->iap_aauth,
791 SPD_ATTR_AH_AUTH,
792 SPD_ATTR_AH_MINBITS, SPD_ATTR_AH_MAXBITS);
793 }
794
795 /* lifetimes */
796 if (act_ptr->iap_life_soft_time != 0)
797 /* LINTED E_CONST_COND */
798 ATTR(ap, SPD_ATTR_LIFE_SOFT_TIME, act_ptr->iap_life_soft_time);
799 if (act_ptr->iap_life_hard_time != 0)
800 /* LINTED E_CONST_COND */
801 ATTR(ap, SPD_ATTR_LIFE_HARD_TIME, act_ptr->iap_life_hard_time);
802 if (act_ptr->iap_life_soft_bytes != 0)
803 /* LINTED E_CONST_COND */
804 ATTR(ap, SPD_ATTR_LIFE_SOFT_BYTES,
805 act_ptr->iap_life_soft_bytes);
806 if (act_ptr->iap_life_hard_bytes != 0)
807 /* LINTED E_CONST_COND */
808 ATTR(ap, SPD_ATTR_LIFE_HARD_BYTES,
809 act_ptr->iap_life_hard_bytes);
810
811 /* LINTED E_CONST_COND */
812 ATTR(ap, SPD_ATTR_NEXT, 0);
813
814 *rule_priorityp = rule_priority;
815
816 return (ap);
817 }
818
819 static boolean_t
820 alg_rangecheck(uint_t type, uint_t algid, const algreq_t *ar)
821 {
822 int i;
823 uint_t minbits = ar->alg_minbits;
824 uint_t maxbits = ar->alg_maxbits;
825
826 for (i = 0; i < ipsec_nalgs[type]; i++) {
827 if (known_algs[type][i].id == algid)
828 break;
829 }
830
831 if (i >= ipsec_nalgs[type]) {
832 /*
833 * The kernel (where we populate known_algs from) doesn't
834 * return the id's associated with NONE algorithms so we
835 * test here if this was the reason the algorithm wasn't
836 * found before wrongly failing.
837 */
838 if (((type == ESP_ENCR) && (algid == SADB_EALG_NONE)) ||
839 ((type == ESP_AUTH) && (algid == SADB_AALG_NONE)) ||
840 ((type == AH_AUTH) && (algid == SADB_AALG_NONE))) {
841 return (B_TRUE);
842 } else {
843 return (B_FALSE); /* not found */
844 }
845 }
846
847 if ((minbits == 0) && (maxbits == 0))
848 return (B_TRUE);
849
850 minbits = MAX(minbits, known_algs[type][i].minkeybits);
851 maxbits = MIN(maxbits, known_algs[type][i].maxkeybits);
852
853 /* we could also check key increments here.. */
854 return (minbits <= maxbits); /* non-null intersection */
855 }
856
857 /*
858 * Inspired by kernel/net/spd.c:ipsec_act_wildcard_expand()
859 */
860
861 static struct spd_attribute *
862 ips_act_wild_props_to_action(struct spd_attribute *ap,
863 uint32_t *rule_priorityp, uint16_t *act_cntp,
864 const ips_act_props_t *act_ptr)
865 {
866 ips_act_props_t tact = *act_ptr;
867 boolean_t use_ah, use_esp, use_espa, combined;
868 boolean_t wild_auth, wild_encr, wild_eauth;
869 uint_t auth_alg, auth_idx, auth_min, auth_max;
870 uint_t eauth_alg, eauth_idx, eauth_min, eauth_max;
871 uint_t encr_alg, encr_idx, encr_min, encr_max;
872
873 use_ah = !!(act_ptr->iap_attr & SPD_APPLY_AH);
874 use_esp = !!(act_ptr->iap_attr & SPD_APPLY_ESP);
875 use_espa = !!(act_ptr->iap_attr & SPD_APPLY_ESPA);
876 auth_alg = act_ptr->iap_aauth.alg_id;
877 eauth_alg = act_ptr->iap_eauth.alg_id;
878 encr_alg = act_ptr->iap_eencr.alg_id;
879
880 wild_auth = use_ah && (auth_alg == SADB_AALG_NONE);
881 wild_eauth = use_espa && (eauth_alg == SADB_AALG_NONE);
882 wild_encr = use_esp && (encr_alg == SADB_EALG_NONE);
883
884 auth_min = auth_max = auth_alg;
885 eauth_min = eauth_max = eauth_alg;
886 encr_min = encr_max = encr_alg;
887
888 /*
889 * set up for explosion.. for each dimension, expand output
890 * size by the explosion factor.
891 */
892 if (wild_auth) {
893 auth_min = 0;
894 auth_max = ipsec_nalgs[AH_AUTH] - 1;
895 }
896 if (wild_eauth) {
897 eauth_min = 0;
898 eauth_max = ipsec_nalgs[ESP_AUTH] - 1;
899 }
900 if (wild_encr) {
901 encr_min = 0;
902 encr_max = ipsec_nalgs[ESP_ENCR] - 1;
903 }
904
905 #define WHICH_ALG(type, wild, idx) ((wild)?(known_algs[type][idx].id):(idx))
906
907 for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) {
908 encr_alg = WHICH_ALG(ESP_ENCR, wild_encr, encr_idx);
909
910 if (use_esp &&
911 !alg_rangecheck(ESP_ENCR, encr_alg, &act_ptr->iap_eencr))
912 continue;
913
914 combined = combined_mode(encr_alg);
915
916 for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) {
917 auth_alg = WHICH_ALG(AH_AUTH, wild_auth, auth_idx);
918
919 if (use_ah &&
920 !alg_rangecheck(AH_AUTH, auth_alg,
921 &act_ptr->iap_aauth))
922 continue;
923
924
925 for (eauth_idx = eauth_min; eauth_idx <= eauth_max;
926 eauth_idx++) {
927 eauth_alg = WHICH_ALG(ESP_AUTH, wild_eauth,
928 eauth_idx);
929
930 if (!combined && use_espa &&
931 !alg_rangecheck(ESP_AUTH, eauth_alg,
932 &act_ptr->iap_eauth))
933 continue;
934
935 tact.iap_eencr.alg_id = encr_alg;
936 tact.iap_aauth.alg_id = auth_alg;
937
938 /*
939 * If the cipher is combined-mode don't do any
940 * ESP authentication.
941 */
942 tact.iap_eauth.alg_id =
943 combined ? SADB_AALG_NONE : eauth_alg;
944
945 (*act_cntp)++;
946 ap = ips_act_props_to_action(ap,
947 rule_priorityp, &tact);
948
949 /* Stop now if the cipher is combined-mode. */
950 if (combined)
951 break; /* Out of for loop. */
952 }
953 }
954 }
955
956 #undef WHICH_ALG
957
958 return (ap);
959 }
960
961 /* huge, but not safe since no length checking is done */
962 #define MAX_POL_MSG_LEN 16384
963
964
965 /*
966 * hand in some ips_conf_t's, get back an
967 * iovec of pfpol messages.
968 * this function converts the internal ips_conf_t into
969 * a form that pf_pol can use.
970 * return 0 on success, 1 on failure
971 */
972 static int
973 ips_conf_to_pfpol_msg(int ipsec_cmd, ips_conf_t *inConf, int num_ips,
974 struct iovec *msg)
975 {
976 int i;
977 ips_conf_t *conf;
978 uint64_t *scratch = NULL;
979
980 for (i = 0; i < num_ips; i++) {
981 uint16_t *msg_len;
982 uint16_t act_cnt = 0;
983 uint64_t *next = NULL;
984 spd_msg_t *spd_msg;
985 spd_address_t *spd_address;
986 struct spd_rule *spd_rule;
987 struct spd_proto *spd_proto;
988 struct spd_portrange *spd_portrange;
989 struct spd_ext_actions *spd_ext_actions;
990 struct spd_attribute *ap;
991 struct spd_typecode *spd_typecode;
992 spd_if_t *spd_if;
993 ips_act_props_t *act_ptr;
994 uint32_t rule_priority = 0;
995
996 scratch = calloc(1, MAX_POL_MSG_LEN);
997 msg[i].iov_base = (char *)scratch;
998 if (scratch == NULL) {
999 warn(gettext("memory"));
1000 return (1);
1001 }
1002 conf = &(inConf[i]);
1003
1004 spd_msg = (spd_msg_t *)scratch;
1005 next = (uint64_t *)&(spd_msg[1]);
1006
1007 msg_len = &(spd_msg->spd_msg_len);
1008
1009 spd_msg->spd_msg_version = PF_POLICY_V1;
1010 spd_msg->spd_msg_pid = getpid();
1011 spd_msg->spd_msg_seq = ++seq_cnt;
1012
1013 switch (ipsec_cmd) {
1014 case SPD_ADDRULE:
1015 spd_msg->spd_msg_type = SPD_ADDRULE;
1016 break;
1017
1018 default:
1019 warnx("%s %d", gettext("bad command:"), ipsec_cmd);
1020 spd_msg->spd_msg_type = SPD_ADDRULE;
1021 break;
1022 }
1023
1024 /*
1025 * SELECTOR
1026 */
1027
1028 spd_msg->spd_msg_spdid = SPD_STANDBY;
1029
1030 /* rule */
1031 spd_rule = (struct spd_rule *)next;
1032
1033 spd_rule->spd_rule_len = SPD_8TO64(sizeof (struct spd_rule));
1034 spd_rule->spd_rule_type = SPD_EXT_RULE;
1035 spd_rule->spd_rule_flags = conf->ips_dir;
1036 if (conf->ips_tunnel)
1037 spd_rule->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL;
1038
1039 next = (uint64_t *)&(spd_rule[1]);
1040
1041 /* proto */
1042 if (conf->ips_ulp_prot != 0) {
1043 spd_proto = (struct spd_proto *)next;
1044 spd_proto->spd_proto_len =
1045 SPD_8TO64(sizeof (struct spd_proto));
1046 spd_proto->spd_proto_exttype = SPD_EXT_PROTO;
1047 spd_proto->spd_proto_number = conf->ips_ulp_prot;
1048 next = (uint64_t *)&(spd_proto[1]);
1049 }
1050
1051 /* tunnel */
1052 if (conf->has_tunnel != 0) {
1053 spd_if = (spd_if_t *)next;
1054 spd_if->spd_if_len =
1055 SPD_8TO64(P2ROUNDUP(strlen(tunif) + 1, 8) +
1056 sizeof (spd_if_t));
1057 spd_if->spd_if_exttype = SPD_EXT_TUN_NAME;
1058 (void) strlcpy((char *)spd_if->spd_if_name, tunif,
1059 TUNNAMEMAXLEN);
1060 next = (uint64_t *)(spd_if) + spd_if->spd_if_len;
1061 }
1062
1063 /* icmp type/code */
1064 if (conf->ips_ulp_prot == IPPROTO_ICMP ||
1065 conf->ips_ulp_prot == IPPROTO_ICMPV6) {
1066 if (conf->has_type) {
1067 spd_typecode = (struct spd_typecode *)next;
1068 spd_typecode->spd_typecode_len =
1069 SPD_8TO64(sizeof (struct spd_typecode));
1070 spd_typecode->spd_typecode_exttype =
1071 SPD_EXT_ICMP_TYPECODE;
1072 spd_typecode->spd_typecode_type =
1073 conf->ips_icmp_type;
1074 spd_typecode->spd_typecode_type_end =
1075 conf->ips_icmp_type_end;
1076 if (conf->has_code) {
1077 spd_typecode->spd_typecode_code =
1078 conf->ips_icmp_code;
1079 spd_typecode->spd_typecode_code_end =
1080 conf->ips_icmp_code_end;
1081 } else {
1082 spd_typecode->spd_typecode_code = 255;
1083 spd_typecode->spd_typecode_code_end
1084 = 255;
1085 }
1086 next = (uint64_t *)&(spd_typecode[1]);
1087 }
1088 }
1089
1090 /* src port */
1091 if (conf->ips_src_port_min != 0 ||
1092 conf->ips_src_port_max != 0) {
1093 spd_portrange = (struct spd_portrange *)next;
1094 spd_portrange->spd_ports_len =
1095 SPD_8TO64(sizeof (struct spd_portrange));
1096 spd_portrange->spd_ports_exttype =
1097 (conf->swap)?SPD_EXT_REMPORT:SPD_EXT_LCLPORT;
1098 spd_portrange->spd_ports_minport =
1099 conf->ips_src_port_min;
1100 spd_portrange->spd_ports_maxport =
1101 conf->ips_src_port_max;
1102 next = (uint64_t *)&(spd_portrange[1]);
1103 }
1104 /* dst port */
1105 if (conf->ips_dst_port_min != 0 ||
1106 conf->ips_dst_port_max != 0) {
1107 spd_portrange = (struct spd_portrange *)next;
1108 spd_portrange->spd_ports_len =
1109 SPD_8TO64(sizeof (struct spd_portrange));
1110 spd_portrange->spd_ports_exttype =
1111 (conf->swap)?SPD_EXT_LCLPORT:SPD_EXT_REMPORT;
1112 spd_portrange->spd_ports_minport =
1113 conf->ips_dst_port_min;
1114 spd_portrange->spd_ports_maxport =
1115 conf->ips_dst_port_max;
1116 next = (uint64_t *)&(spd_portrange[1]);
1117 }
1118
1119 /* saddr */
1120 if (conf->has_saddr) {
1121 spd_address = (spd_address_t *)next;
1122 next = (uint64_t *)(spd_address + 1);
1123
1124 spd_address->spd_address_exttype =
1125 (conf->swap)?SPD_EXT_REMADDR:SPD_EXT_LCLADDR;
1126 spd_address->spd_address_prefixlen =
1127 conf->ips_src_mask_len;
1128
1129 if (conf->ips_isv4) {
1130 spd_address->spd_address_af = AF_INET;
1131 (void) memcpy(next, &(conf->ips_src_addr),
1132 sizeof (ipaddr_t));
1133 spd_address->spd_address_len = 2;
1134 next += SPD_8TO64(sizeof (ipaddr_t) + 4);
1135 if (!conf->has_smask)
1136 spd_address->spd_address_prefixlen = 32;
1137 } else {
1138 spd_address->spd_address_af = AF_INET6;
1139 (void) memcpy(next, &(conf->ips_src_addr_v6),
1140 sizeof (in6_addr_t));
1141 spd_address->spd_address_len = 3;
1142 next += SPD_8TO64(sizeof (in6_addr_t));
1143 if (!conf->has_smask)
1144 spd_address->spd_address_prefixlen
1145 = 128;
1146 }
1147 }
1148
1149 /* daddr */
1150 if (conf->has_daddr) {
1151 spd_address = (spd_address_t *)next;
1152
1153 next = (uint64_t *)(spd_address + 1);
1154
1155 spd_address->spd_address_exttype =
1156 (conf->swap)?SPD_EXT_LCLADDR:SPD_EXT_REMADDR;
1157 spd_address->spd_address_prefixlen =
1158 conf->ips_dst_mask_len;
1159
1160 if (conf->ips_isv4) {
1161 spd_address->spd_address_af = AF_INET;
1162 (void) memcpy(next, &conf->ips_dst_addr,
1163 sizeof (ipaddr_t));
1164 spd_address->spd_address_len = 2;
1165 /* "+ 4" below is for padding. */
1166 next += SPD_8TO64(sizeof (ipaddr_t) + 4);
1167 if (!conf->has_dmask)
1168 spd_address->spd_address_prefixlen = 32;
1169 } else {
1170 spd_address->spd_address_af = AF_INET6;
1171 (void) memcpy(next, &(conf->ips_dst_addr_v6),
1172 sizeof (in6_addr_t));
1173 spd_address->spd_address_len = 3;
1174 next += SPD_8TO64(sizeof (in6_addr_t));
1175 if (!conf->has_dmask)
1176 spd_address->spd_address_prefixlen
1177 = 128;
1178 }
1179 }
1180
1181 /* actions */
1182 spd_ext_actions = (struct spd_ext_actions *)next;
1183
1184 spd_ext_actions->spd_actions_exttype = SPD_EXT_ACTION;
1185
1186 act_ptr = conf->ips_acts;
1187 ap = (struct spd_attribute *)(&spd_ext_actions[1]);
1188
1189 rule_priority = priority--;
1190
1191 for (act_ptr = conf->ips_acts; act_ptr != NULL;
1192 act_ptr = act_ptr->iap_next) {
1193 ap = ips_act_wild_props_to_action(ap, &rule_priority,
1194 &act_cnt, act_ptr);
1195 }
1196 ap[-1].spd_attr_tag = SPD_ATTR_END;
1197
1198 next = (uint64_t *)ap;
1199
1200 spd_rule->spd_rule_priority = rule_priority;
1201
1202 msg[i].iov_len = (uintptr_t)next - (uintptr_t)msg[i].iov_base;
1203 *msg_len = (uint16_t)SPD_8TO64(msg[i].iov_len);
1204 spd_ext_actions->spd_actions_count = act_cnt;
1205 spd_ext_actions->spd_actions_len =
1206 SPD_8TO64((uintptr_t)next - (uintptr_t)spd_ext_actions);
1207 #ifdef DEBUG_HEAVY
1208 printf("pfpol msg len in uint64_t's = %d\n", *msg_len);
1209 printf("pfpol test_len in bytes = %d\n", msg[i].iov_len);
1210 pfpol_msg_dump((spd_msg_t *)scratch,
1211 "ips_conf_to_pfpol_msg");
1212 #endif
1213 }
1214
1215 #undef ATTR
1216 return (0);
1217 }
1218
1219 static int
1220 get_pf_pol_socket(void)
1221 {
1222 int s = socket(PF_POLICY, SOCK_RAW, PF_POLICY_V1);
1223 if (s < 0) {
1224 if (errno == EPERM) {
1225 EXIT_BADPERM("Insufficient privileges to open "
1226 "PF_POLICY socket.");
1227 } else {
1228 warn(gettext("(loading pf_policy) socket:"));
1229 }
1230 }
1231
1232 return (s);
1233 }
1234
1235
1236 static int
1237 send_pf_pol_message(int ipsec_cmd, ips_conf_t *conf, int *diag)
1238 {
1239 int retval;
1240 int cnt;
1241 int total_len;
1242 struct iovec polmsg;
1243 spd_msg_t *return_buf;
1244 spd_ext_t *exts[SPD_EXT_MAX+1];
1245 int fd = get_pf_pol_socket();
1246
1247 *diag = 0;
1248
1249 if (fd < 0)
1250 return (EBADF);
1251
1252 retval = ips_conf_to_pfpol_msg(ipsec_cmd, conf, 1, &polmsg);
1253
1254 if (retval) {
1255 (void) close(fd);
1256 return (ENOMEM);
1257 }
1258
1259 total_len = polmsg.iov_len;
1260
1261 cnt = writev(fd, &polmsg, 1);
1262
1263 #ifdef DEBUG_HEAVY
1264 (void) printf("cnt = %d\n", cnt);
1265 #endif
1266 if (cnt < 0) {
1267 warn(gettext("pf_pol write"));
1268 } else {
1269 return_buf = (spd_msg_t *)calloc(total_len, 1);
1270
1271 if (return_buf == NULL) {
1272 warn(gettext("memory"));
1273 } else {
1274 cnt = read(fd, (void*)return_buf, total_len);
1275 #ifdef DEBUG_HEAVY
1276 (void) printf("pf_pol read: cnt = %d(%d)\n", cnt,
1277 total_len);
1278 #endif
1279
1280 if (cnt > 8 && return_buf->spd_msg_errno) {
1281 *diag = return_buf->spd_msg_diagnostic;
1282 if (!ipsecconf_qflag) {
1283 warnx("%s: %s",
1284 gettext("Kernel returned"),
1285 sys_error_message(
1286 return_buf->spd_msg_errno));
1287 }
1288 if (*diag != 0)
1289 (void) printf(gettext(
1290 "\t(spdsock diagnostic: %s)\n"),
1291 spdsock_diag(*diag));
1292 #ifdef DEBUG_HEAVY
1293 pfpol_msg_dump((spd_msg_t *)polmsg.iov_base,
1294 "message in");
1295 pfpol_msg_dump(return_buf,
1296 "send_pf_pol_message");
1297 #endif
1298 retval = return_buf->spd_msg_errno;
1299 free(return_buf);
1300 free(polmsg.iov_base);
1301 (void) close(fd);
1302 return (retval);
1303 }
1304
1305 retval = spdsock_get_ext(exts, return_buf,
1306 return_buf->spd_msg_len, NULL, 0);
1307 /* ignore retval */
1308
1309 if (exts[SPD_EXT_RULE]) {
1310 conf->ips_policy_index =
1311 ((struct spd_rule *)
1312 exts[SPD_EXT_RULE])->spd_rule_index;
1313
1314 if (add_index(conf->ips_policy_index)) {
1315 free(return_buf);
1316 free(polmsg.iov_base);
1317 (void) close(fd);
1318 return (ENOMEM);
1319 }
1320 }
1321
1322 free(return_buf);
1323 }
1324 }
1325
1326 free(polmsg.iov_base);
1327 (void) close(fd);
1328
1329 return (0);
1330
1331 }
1332
1333 int
1334 main(int argc, char *argv[])
1335 {
1336 int ret, flushret;
1337 int c;
1338 int index;
1339 boolean_t smf_managed;
1340 boolean_t just_check = B_FALSE;
1341 boolean_t replace_policy = B_FALSE;
1342
1343 debugfile = stderr;
1344
1345 char *smf_warning = gettext(
1346 "\n\tIPsec policy should be managed using smf(5). Modifying\n"
1347 "\tthe IPsec policy from the command line while the 'policy'\n"
1348 "\tservice is enabled could result in an inconsistent\n"
1349 "\tsecurity policy.\n\n");
1350
1351 flushret = 0;
1352 cmd = 0;
1353
1354 (void) setlocale(LC_ALL, "");
1355 #if !defined(TEXT_DOMAIN)
1356 #define TEXT_DOMAIN "SYS_TEST"
1357 #endif
1358 (void) textdomain(TEXT_DOMAIN);
1359
1360 openlog("ipsecconf", LOG_CONS, LOG_AUTH);
1361
1362 /*
1363 * We don't immediately check for privilege here. This is done by IP
1364 * when we open /dev/ip below.
1365 */
1366
1367 if (argc == 1) {
1368 cmd = IPSEC_CONF_VIEW;
1369 goto done;
1370 }
1371 my_fmri = getenv("SMF_FMRI");
1372 if (my_fmri == NULL)
1373 smf_managed = B_FALSE;
1374 else
1375 smf_managed = B_TRUE;
1376
1377 while ((c = getopt(argc, argv, "nlfLFa:qd:r:i:c:")) != EOF) {
1378 switch (c) {
1379 case 'F':
1380 if (interface_name != NULL) {
1381 USAGE();
1382 EXIT_FATAL("interface name not required.");
1383 }
1384 /* Apply to all policy heads - global and tunnels. */
1385 interface_name = &all_polheads;
1386 /* FALLTHRU */
1387 case 'f':
1388 /*
1389 * The policy flush command can be specified with -a
1390 * to perform an atomic policy replace. It can't be
1391 * specified with any other flags.
1392 */
1393 if (cmd == IPSEC_CONF_ADD) {
1394 cmd = IPSEC_CONF_REPLACE;
1395 break;
1396 }
1397 if (cmd != 0) {
1398 USAGE();
1399 EXIT_FATAL("Multiple commands specified");
1400 }
1401 cmd = IPSEC_CONF_FLUSH;
1402 break;
1403 case 'L':
1404 if (interface_name != NULL) {
1405 USAGE();
1406 EXIT_FATAL("interface name not required.");
1407 }
1408 /* Apply to all policy heads - global and tunnels. */
1409 interface_name = &all_polheads;
1410 /* FALLTHRU */
1411 case 'l':
1412 /* Only one command at a time */
1413 if (cmd != 0) {
1414 USAGE();
1415 EXIT_FATAL("Multiple commands specified");
1416 }
1417 cmd = IPSEC_CONF_LIST;
1418 break;
1419 case 'c':
1420 just_check = B_TRUE;
1421 ipsecconf_qflag++;
1422 /* FALLTHRU */
1423 case 'a':
1424 if (cmd == IPSEC_CONF_FLUSH) {
1425 cmd = IPSEC_CONF_REPLACE;
1426 filename = optarg;
1427 break;
1428 }
1429 /* Only one command at a time, and no interface name */
1430 if (cmd != 0 || interface_name != NULL) {
1431 USAGE();
1432 EXIT_FATAL("Multiple commands or interface "
1433 "not required.");
1434 }
1435 cmd = IPSEC_CONF_ADD;
1436 filename = optarg;
1437 break;
1438 case 'd':
1439 /*
1440 * Only one command at a time. Interface name is
1441 * optional.
1442 */
1443 if (cmd != 0) {
1444 USAGE();
1445 EXIT_FATAL("Multiple commands specified");
1446 }
1447 cmd = IPSEC_CONF_DEL;
1448 index = parse_index(optarg, NULL);
1449 break;
1450 case 'n' :
1451 ipsecconf_nflag++;
1452 break;
1453 case 'q' :
1454 ipsecconf_qflag++;
1455 break;
1456 case 'r' :
1457 /* Only one command at a time, and no interface name */
1458 if (cmd != 0 || interface_name != NULL) {
1459 USAGE();
1460 EXIT_FATAL("Multiple commands or interface "
1461 "not required.");
1462 }
1463 cmd = IPSEC_CONF_SUB;
1464 filename = optarg;
1465 break;
1466 case 'i':
1467 if (interface_name != NULL) {
1468 EXIT_FATAL("Interface name already selected");
1469 }
1470 interface_name = optarg;
1471 /* Check for some cretin using the all-polheads name. */
1472 if (strlen(optarg) == 0) {
1473 USAGE();
1474 EXIT_FATAL("Invalid interface name.");
1475 }
1476 break;
1477 default :
1478 USAGE();
1479 EXIT_FATAL("Bad usage.");
1480 }
1481 }
1482
1483 done:
1484 ret = 0;
1485 lfd = lock();
1486
1487 /*
1488 * ADD, FLUSH, DELETE needs to do two operations.
1489 *
1490 * 1) Update/delete/empty the POLICY_CONF_FILE.
1491 * 2) Make an ioctl and tell IP to update its state.
1492 *
1493 * We already lock()ed so that only one instance of this
1494 * program runs. We also need to make sure that the above
1495 * operations are atomic i.e we don't want to update the file
1496 * and get interrupted before we could tell IP. To make it
1497 * atomic we block all the signals and restore them.
1498 */
1499 switch (cmd) {
1500 case IPSEC_CONF_LIST:
1501 fetch_algorithms();
1502 ret = ipsec_conf_list();
1503 break;
1504 case IPSEC_CONF_FLUSH:
1505 if ((ret = block_all_signals()) == -1) {
1506 break;
1507 }
1508 if (!smf_managed && !ipsecconf_qflag)
1509 (void) fprintf(stdout, "%s", smf_warning);
1510 ret = ipsec_conf_flush(SPD_ACTIVE);
1511 (void) restore_all_signals();
1512 break;
1513 case IPSEC_CONF_VIEW:
1514 if (interface_name != NULL) {
1515 EXIT_FATAL("Cannot view for one interface only.");
1516 }
1517 ret = ipsec_conf_view();
1518 break;
1519 case IPSEC_CONF_DEL:
1520 if (index == -1) {
1521 warnx(gettext("Invalid index"));
1522 ret = -1;
1523 break;
1524 }
1525 if ((ret = block_all_signals()) == -1) {
1526 break;
1527 }
1528 if (!smf_managed && !ipsecconf_qflag)
1529 (void) fprintf(stdout, "%s", smf_warning);
1530 ret = ipsec_conf_del(index, B_FALSE);
1531 (void) restore_all_signals();
1532 flushret = ipsec_conf_flush(SPD_STANDBY);
1533 break;
1534 case IPSEC_CONF_REPLACE:
1535 replace_policy = B_TRUE;
1536 /* FALLTHRU */
1537 case IPSEC_CONF_ADD:
1538 /*
1539 * The IPsec kernel modules should only be loaded
1540 * if there is a policy to install, for this
1541 * reason ipsec_conf_add() calls fetch_algorithms()
1542 * and ipsec_conf_flush() only when appropriate.
1543 */
1544 if ((ret = block_all_signals()) == -1) {
1545 break;
1546 }
1547 if (!smf_managed && !ipsecconf_qflag)
1548 (void) fprintf(stdout, "%s", smf_warning);
1549 ret = ipsec_conf_add(just_check, smf_managed, replace_policy);
1550 (void) restore_all_signals();
1551 break;
1552 case IPSEC_CONF_SUB:
1553 fetch_algorithms();
1554 if ((ret = block_all_signals()) == -1) {
1555 break;
1556 }
1557 if (!smf_managed && !ipsecconf_qflag)
1558 (void) fprintf(stdout, "%s", smf_warning);
1559 ret = ipsec_conf_sub();
1560 (void) restore_all_signals();
1561 flushret = ipsec_conf_flush(SPD_STANDBY);
1562 break;
1563 default :
1564 /* If no argument is given but a "-" */
1565 USAGE();
1566 EXIT_FATAL("Bad usage.");
1567 }
1568
1569 (void) unlock(lfd);
1570 if (ret != 0 || flushret != 0)
1571 ret = 1;
1572 return (ret);
1573 }
1574
1575 static void
1576 perm_check(void)
1577 {
1578 if (errno == EACCES)
1579 EXIT_BADPERM("Insufficient privilege to run ipsecconf.");
1580 else
1581 warn(gettext("Cannot open lock file %s"), LOCK_FILE);
1582
1583 EXIT_BADPERM(NULL);
1584 }
1585
1586 static int
1587 lock()
1588 {
1589 int fd;
1590 struct stat sbuf1;
1591 struct stat sbuf2;
1592
1593 /*
1594 * Open the file with O_CREAT|O_EXCL. If it exists already, it
1595 * will fail. If it already exists, check whether it looks like
1596 * the one we created.
1597 */
1598 (void) umask(0077);
1599 if ((fd = open(LOCK_FILE, O_EXCL|O_CREAT|O_RDWR, S_IRUSR|S_IWUSR))
1600 == -1) {
1601 if (errno != EEXIST) {
1602 /* Some other problem. Will exit. */
1603 perm_check();
1604 }
1605
1606 /*
1607 * open() returned an EEXIST error. We don't fail yet
1608 * as it could be a residual from a previous
1609 * execution.
1610 * File exists. make sure it is OK. We need to lstat()
1611 * as fstat() stats the file pointed to by the symbolic
1612 * link.
1613 */
1614 if (lstat(LOCK_FILE, &sbuf1) == -1) {
1615 EXIT_FATAL2("Cannot lstat lock file %s", LOCK_FILE);
1616 }
1617 /*
1618 * Check whether it is a regular file and not a symbolic
1619 * link. Its link count should be 1. The owner should be
1620 * root and the file should be empty.
1621 */
1622 if (!S_ISREG(sbuf1.st_mode) ||
1623 sbuf1.st_nlink != 1 ||
1624 sbuf1.st_uid != 0 ||
1625 sbuf1.st_size != 0) {
1626 EXIT_FATAL2("Bad lock file %s", LOCK_FILE);
1627 }
1628 if ((fd = open(LOCK_FILE, O_CREAT|O_RDWR,
1629 S_IRUSR|S_IWUSR)) == -1) {
1630 /* Will exit */
1631 perm_check();
1632 }
1633 /*
1634 * Check whether we opened the file that we lstat()ed.
1635 */
1636 if (fstat(fd, &sbuf2) == -1) {
1637 EXIT_FATAL2("Cannot lstat lock file %s", LOCK_FILE);
1638 }
1639 if (sbuf1.st_dev != sbuf2.st_dev ||
1640 sbuf1.st_ino != sbuf2.st_ino) {
1641 /* File changed after we did the lstat() above */
1642 EXIT_FATAL2("Bad lock file %s", LOCK_FILE);
1643 }
1644 }
1645 if (lockf(fd, F_LOCK, 0) == -1) {
1646 EXIT_FATAL2("Cannot lockf %s", LOCK_FILE);
1647 }
1648 return (fd);
1649 }
1650
1651 static int
1652 unlock(int fd)
1653 {
1654 if (lockf(fd, F_ULOCK, 0) == -1) {
1655 warn("lockf");
1656 return (-1);
1657 }
1658 return (0);
1659 }
1660
1661 /* send in TOK_* */
1662 static void
1663 print_pattern_string(int type)
1664 {
1665 int j;
1666
1667 for (j = 0; pattern_table[j].string != NULL; j++) {
1668 if (type == pattern_table[j].tok_val) {
1669 (void) printf("%s ", pattern_table[j].string);
1670 return;
1671 }
1672 }
1673 }
1674
1675 static void
1676 print_icmp_typecode(uint8_t type, uint8_t type_end, uint8_t code,
1677 uint8_t code_end)
1678 {
1679 (void) printf("type %d", type);
1680 if (type_end != type)
1681 (void) printf("-%d ", type_end);
1682 else
1683 (void) printf(" ");
1684 if (code != 255) {
1685 (void) printf("code %d", code);
1686 if (code_end != code)
1687 (void) printf("-%d ", code_end);
1688 else
1689 (void) printf(" ");
1690 }
1691 }
1692
1693
1694 static void
1695 print_spd_flags(uint32_t flags)
1696 {
1697 flags &= (SPD_RULE_FLAG_INBOUND|SPD_RULE_FLAG_OUTBOUND);
1698
1699 if (flags == SPD_RULE_FLAG_OUTBOUND)
1700 (void) printf("dir out ");
1701 else if (flags == SPD_RULE_FLAG_INBOUND)
1702 (void) printf("dir in ");
1703 else if (flags == (SPD_RULE_FLAG_INBOUND|SPD_RULE_FLAG_OUTBOUND))
1704 (void) printf("dir both ");
1705 }
1706
1707 static void
1708 print_bit_range(int min, int max)
1709 {
1710 if (min != 0 || (max != 0 && max != SPD_MAX_MAXBITS)) {
1711 (void) printf("(");
1712 if (min != 0)
1713 (void) printf("%d", min);
1714 if (min != 0 && max != 0 && min != max) {
1715 (void) printf("..");
1716 if (max != 0 && max != SPD_MAX_MAXBITS)
1717 (void) printf("%d", max);
1718 }
1719 (void) printf(")");
1720 }
1721 }
1722
1723 static void
1724 print_alg(const char *tag, algreq_t *algreq, int proto_num)
1725 {
1726 int min = algreq->alg_minbits;
1727 int max = algreq->alg_maxbits;
1728 struct ipsecalgent *alg;
1729
1730 /*
1731 * This function won't be called with alg_id == 0, so we don't
1732 * have to worry about ANY vs. NONE here.
1733 */
1734
1735 (void) printf("%s ", tag);
1736
1737 alg = getipsecalgbynum(algreq->alg_id, proto_num, NULL);
1738 if (alg == NULL) {
1739 (void) printf("%d", algreq->alg_id);
1740 } else {
1741 (void) printf("%s", alg->a_names[0]);
1742 freeipsecalgent(alg);
1743 }
1744
1745 print_bit_range(min, max);
1746 (void) printf(" ");
1747 }
1748
1749 static void
1750 print_ulp(uint8_t proto)
1751 {
1752 struct protoent *pe;
1753
1754 if (proto == 0)
1755 return;
1756
1757 print_pattern_string(TOK_ulp);
1758 pe = NULL;
1759 if (!ipsecconf_nflag) {
1760 pe = getprotobynumber(proto);
1761 }
1762 if (pe != NULL)
1763 (void) printf("%s ", pe->p_name);
1764 else
1765 (void) printf("%d ", proto);
1766 }
1767
1768 /* needs to do ranges */
1769 static void
1770 print_port(uint16_t in_port, int type)
1771 {
1772 in_port_t port = ntohs(in_port);
1773 struct servent *sp;
1774
1775 if (port == 0)
1776 return;
1777
1778 print_pattern_string(type);
1779 sp = NULL;
1780 if (!ipsecconf_nflag)
1781 sp = getservbyport(port, NULL);
1782
1783 if (sp != NULL)
1784 (void) printf("%s ", sp->s_name);
1785 else
1786 (void) printf("%d ", port);
1787 }
1788
1789 /*
1790 * Print the address, given as "raw" input via the void pointer.
1791 */
1792 static void
1793 print_raw_address(void *input, boolean_t isv4)
1794 {
1795 char *cp;
1796 struct hostent *hp;
1797 char domain[MAXHOSTNAMELEN + 1];
1798 struct in_addr addr;
1799 struct in6_addr addr6;
1800 char abuf[INET6_ADDRSTRLEN];
1801 int error_num;
1802 struct in6_addr in_addr;
1803 uchar_t *addr_ptr;
1804 sa_family_t af;
1805 int addr_len;
1806
1807 if (isv4) {
1808 af = AF_INET;
1809 (void) memcpy(&V4_PART_OF_V6(in_addr), input, 4);
1810 /* we don't print unspecified addresses */
1811 IN6_V4MAPPED_TO_INADDR(&in_addr, &addr);
1812 if (addr.s_addr == INADDR_ANY)
1813 return;
1814 addr_ptr = (uchar_t *)&addr.s_addr;
1815 addr_len = IPV4_ADDR_LEN;
1816 } else {
1817 (void) memcpy(&addr6, input, 16);
1818 af = AF_INET6;
1819 /* we don't print unspecified addresses */
1820 if (IN6_IS_ADDR_UNSPECIFIED(&addr6))
1821 return;
1822 addr_ptr = (uchar_t *)&addr6.s6_addr;
1823 addr_len = sizeof (struct in6_addr);
1824 }
1825
1826 cp = NULL;
1827 if (!ipsecconf_nflag) {
1828 if (sysinfo(SI_HOSTNAME, domain, MAXHOSTNAMELEN) != -1 &&
1829 (cp = strchr(domain, '.')) != NULL) {
1830 (void) strlcpy(domain, cp + 1, sizeof (domain));
1831 } else {
1832 domain[0] = 0;
1833 }
1834 cp = NULL;
1835 hp = getipnodebyaddr(addr_ptr, addr_len, af, &error_num);
1836 if (hp) {
1837 if ((cp = strchr(hp->h_name, '.')) != 0 &&
1838 strcasecmp(cp + 1, domain) == 0)
1839 *cp = 0;
1840 cp = hp->h_name;
1841 }
1842 }
1843
1844 if (cp) {
1845 (void) printf("%s", cp);
1846 } else {
1847 (void) printf("%s", inet_ntop(af, addr_ptr, abuf,
1848 INET6_ADDRSTRLEN));
1849 }
1850 }
1851
1852 /*
1853 * Get the next SPD_DUMP message from the PF_POLICY socket. A single
1854 * read may contain multiple messages. This function uses static buffers,
1855 * and is therefore non-reentrant, so if you lift it for an MT application,
1856 * be careful.
1857 *
1858 * Return NULL if there's an error.
1859 */
1860 static spd_msg_t *
1861 ipsec_read_dump(int pfd)
1862 {
1863 static uint64_t buf[SADB_8TO64(CBUF_LEN)];
1864 static uint64_t *offset;
1865 static int len; /* In uint64_t units. */
1866 spd_msg_t *retval;
1867
1868 /* Assume offset and len are initialized to NULL and 0. */
1869
1870 if ((offset - len == buf) || (offset == NULL)) {
1871 /* read a new block from the socket. */
1872 len = read(pfd, &buf, sizeof (buf));
1873 if (len == -1) {
1874 warn(gettext("rule dump: bad read"));
1875 return (NULL);
1876 }
1877 offset = buf;
1878 len = SADB_8TO64(len);
1879 } /* Else I still have more messages from a previous read. */
1880
1881 retval = (spd_msg_t *)offset;
1882 offset += retval->spd_msg_len;
1883 if (offset > buf + len) {
1884 warnx(gettext("dump read: message corruption,"
1885 " %d len exceeds %d boundary."),
1886 SADB_64TO8((uintptr_t)(offset - buf)),
1887 SADB_64TO8((uintptr_t)(len)));
1888 return (NULL);
1889 }
1890
1891 return (retval);
1892 }
1893
1894 /*
1895 * returns 0 on success
1896 * -1 on read error
1897 * >0 on invalid returned message
1898 */
1899
1900 static int
1901 ipsec_conf_list(void)
1902 {
1903 int ret;
1904 int pfd;
1905 struct spd_msg *msg;
1906 int cnt;
1907 spd_msg_t *rmsg;
1908 spd_ext_t *exts[SPD_EXT_MAX+1];
1909 /*
1910 * Add an extra 8 bytes of space (+1 uint64_t) to avoid truncation
1911 * issues.
1912 */
1913 uint64_t buffer[
1914 SPD_8TO64(sizeof (*msg) + sizeof (spd_if_t) + LIFNAMSIZ) + 1];
1915
1916 pfd = get_pf_pol_socket();
1917
1918 if (pfd == -1) {
1919 warnx(gettext("Error getting list of policies from kernel"));
1920 return (-1);
1921 }
1922
1923 (void) memset(buffer, 0, sizeof (buffer));
1924 msg = (struct spd_msg *)buffer;
1925 msg->spd_msg_version = PF_POLICY_V1;
1926 msg->spd_msg_type = SPD_DUMP;
1927 msg->spd_msg_len = SPD_8TO64(sizeof (*msg));
1928
1929 msg->spd_msg_len += attach_tunname((spd_if_t *)(msg + 1));
1930
1931 cnt = write(pfd, msg, SPD_64TO8(msg->spd_msg_len));
1932
1933 if (cnt < 0) {
1934 warn(gettext("dump: invalid write() return"));
1935 (void) close(pfd);
1936 return (-1);
1937 }
1938
1939 rmsg = ipsec_read_dump(pfd);
1940
1941 if (rmsg == NULL || rmsg->spd_msg_errno != 0) {
1942 warnx("%s: %s", gettext("ruleset dump failed"),
1943 (rmsg == NULL ?
1944 gettext("read error") :
1945 sys_error_message(rmsg->spd_msg_errno)));
1946 (void) close(pfd);
1947 return (-1);
1948 }
1949
1950
1951 for (;;) {
1952 /* read rule */
1953 rmsg = ipsec_read_dump(pfd);
1954
1955 if (rmsg == NULL) {
1956 (void) close(pfd);
1957 return (-1);
1958 }
1959
1960 if (rmsg->spd_msg_errno != 0) {
1961 warnx("%s: %s", gettext("dump read: bad message"),
1962 sys_error_message(rmsg->spd_msg_errno));
1963 (void) close(pfd);
1964 return (-1);
1965 }
1966
1967 ret = spdsock_get_ext(exts, rmsg, rmsg->spd_msg_len,
1968 spdsock_diag_buf, SPDSOCK_DIAG_BUF_LEN);
1969 if (ret != 0) {
1970 if (strlen(spdsock_diag_buf) != 0)
1971 warnx(spdsock_diag_buf);
1972 warnx("%s: %s", gettext("dump read: bad message"),
1973 sys_error_message(rmsg->spd_msg_errno));
1974 (void) close(pfd);
1975 return (ret);
1976 }
1977
1978 /*
1979 * End of dump..
1980 */
1981 if (exts[SPD_EXT_RULESET] != NULL)
1982 break; /* and return 0. */
1983
1984 print_pfpol_msg(rmsg);
1985 }
1986
1987 (void) close(pfd);
1988 return (0);
1989 }
1990
1991 static void
1992 print_iap(ips_act_props_t *iap)
1993 {
1994
1995 /* action */
1996 switch (iap->iap_action) {
1997 case SPD_ACTTYPE_PASS:
1998 (void) printf("pass ");
1999 break;
2000 case SPD_ACTTYPE_DROP:
2001 (void) printf("drop ");
2002 break;
2003 case SPD_ACTTYPE_IPSEC:
2004 (void) printf("ipsec ");
2005 break;
2006 }
2007
2008 /* properties */
2009 (void) printf("%c ", CURL_BEGIN);
2010 if (iap->iap_action == SPD_ACTTYPE_IPSEC) {
2011 if (iap->iap_attr & SPD_APPLY_AH &&
2012 iap->iap_aauth.alg_id != 0)
2013 print_alg("auth_algs", &iap->iap_aauth,
2014 IPSEC_PROTO_AH);
2015
2016 if (iap->iap_attr & SPD_APPLY_ESP) {
2017 print_alg("encr_algs", &iap->iap_eencr,
2018 IPSEC_PROTO_ESP);
2019 if (iap->iap_eauth.alg_id != 0)
2020 print_alg("encr_auth_algs", &iap->iap_eauth,
2021 IPSEC_PROTO_AH);
2022 }
2023 if (iap->iap_attr & SPD_APPLY_UNIQUE)
2024 (void) printf("sa unique ");
2025 else
2026 (void) printf("sa shared ");
2027 }
2028 (void) printf("%c ", CURL_END);
2029 }
2030
2031
2032 static void
2033 print_pfpol_msg(spd_msg_t *msg)
2034 {
2035 spd_ext_t *exts[SPD_EXT_MAX+1];
2036 spd_address_t *spd_address;
2037 struct spd_rule *spd_rule;
2038 struct spd_proto *spd_proto;
2039 struct spd_portrange *spd_portrange;
2040 struct spd_ext_actions *spd_ext_actions;
2041 struct spd_typecode *spd_typecode;
2042 struct spd_attribute *app;
2043 spd_if_t *spd_if;
2044 uint32_t rv;
2045 uint16_t act_count;
2046
2047 rv = spdsock_get_ext(exts, msg, msg->spd_msg_len, spdsock_diag_buf,
2048 SPDSOCK_DIAG_BUF_LEN);
2049
2050 if (rv == KGE_OK && exts[SPD_EXT_RULE] != NULL) {
2051 spd_if = (spd_if_t *)exts[SPD_EXT_TUN_NAME];
2052 spd_rule = (struct spd_rule *)exts[SPD_EXT_RULE];
2053 if (spd_if == NULL) {
2054 (void) printf("%s %lld\n", INDEX_TAG,
2055 spd_rule->spd_rule_index);
2056 } else {
2057 (void) printf("%s %s,%lld\n", INDEX_TAG,
2058 (char *)spd_if->spd_if_name,
2059 spd_rule->spd_rule_index);
2060 }
2061 } else {
2062 if (strlen(spdsock_diag_buf) != 0)
2063 warnx(spdsock_diag_buf);
2064 warnx(gettext("print_pfpol_msg: malformed PF_POLICY message."));
2065 return;
2066 }
2067
2068 (void) printf("%c ", CURL_BEGIN);
2069
2070 if (spd_if != NULL) {
2071 (void) printf("tunnel %s negotiate %s ",
2072 (char *)spd_if->spd_if_name,
2073 (spd_rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL) ?
2074 "tunnel" : "transport");
2075 }
2076
2077 if (exts[SPD_EXT_PROTO] != NULL) {
2078 spd_proto = (struct spd_proto *)exts[SPD_EXT_PROTO];
2079 print_ulp(spd_proto->spd_proto_number);
2080 }
2081
2082 if (exts[SPD_EXT_LCLADDR] != NULL) {
2083 spd_address = (spd_address_t *)exts[SPD_EXT_LCLADDR];
2084
2085 (void) printf("laddr ");
2086 print_raw_address((spd_address + 1),
2087 (spd_address->spd_address_len == 2));
2088 (void) printf("/%d ", spd_address->spd_address_prefixlen);
2089 }
2090
2091 if (exts[SPD_EXT_LCLPORT] != NULL) {
2092 spd_portrange = (struct spd_portrange *)exts[SPD_EXT_LCLPORT];
2093 if (spd_portrange->spd_ports_minport != 0) {
2094 print_port(spd_portrange->spd_ports_minport,
2095 TOK_lport);
2096 }
2097 }
2098
2099
2100 if (exts[SPD_EXT_REMADDR] != NULL) {
2101 spd_address = (spd_address_t *)exts[SPD_EXT_REMADDR];
2102
2103 (void) printf("raddr ");
2104 print_raw_address((spd_address + 1),
2105 (spd_address->spd_address_len == 2));
2106 (void) printf("/%d ", spd_address->spd_address_prefixlen);
2107 }
2108
2109 if (exts[SPD_EXT_REMPORT] != NULL) {
2110 spd_portrange =
2111 (struct spd_portrange *)exts[SPD_EXT_REMPORT];
2112 if (spd_portrange->spd_ports_minport != 0) {
2113 print_port(
2114 spd_portrange->spd_ports_minport, TOK_rport);
2115 }
2116 }
2117
2118 if (exts[SPD_EXT_ICMP_TYPECODE] != NULL) {
2119 spd_typecode =
2120 (struct spd_typecode *)exts[SPD_EXT_ICMP_TYPECODE];
2121 print_icmp_typecode(spd_typecode->spd_typecode_type,
2122 spd_typecode->spd_typecode_type_end,
2123 spd_typecode->spd_typecode_code,
2124 spd_typecode->spd_typecode_code_end);
2125 }
2126
2127 if (exts[SPD_EXT_RULE] != NULL) {
2128 spd_rule = (struct spd_rule *)exts[SPD_EXT_RULE];
2129 print_spd_flags(spd_rule->spd_rule_flags);
2130 }
2131
2132
2133 (void) printf("%c ", CURL_END);
2134
2135 if (exts[SPD_EXT_ACTION] != NULL) {
2136 ips_act_props_t iap;
2137 int or_needed = 0;
2138
2139 (void) memset(&iap, 0, sizeof (iap));
2140 spd_ext_actions =
2141 (struct spd_ext_actions *)exts[SPD_EXT_ACTION];
2142 app = (struct spd_attribute *)(spd_ext_actions + 1);
2143
2144 for (act_count = 0;
2145 act_count < spd_ext_actions->spd_actions_len -1;
2146 act_count++) {
2147
2148 switch (app->spd_attr_tag) {
2149
2150 case SPD_ATTR_NOP:
2151 break;
2152
2153 case SPD_ATTR_END:
2154 /* print */
2155 if (or_needed) {
2156 (void) printf("or ");
2157 } else {
2158 or_needed = 1;
2159 }
2160 print_iap(&iap);
2161 break;
2162
2163 case SPD_ATTR_EMPTY:
2164 /* clear */
2165 (void) memset(&iap, 0, sizeof (iap));
2166 break;
2167
2168 case SPD_ATTR_NEXT:
2169 /* print */
2170 if (or_needed) {
2171 (void) printf("or ");
2172 } else {
2173 or_needed = 1;
2174 }
2175
2176 print_iap(&iap);
2177 break;
2178
2179 case SPD_ATTR_TYPE:
2180 iap.iap_action = app->spd_attr_value;
2181 break;
2182
2183 case SPD_ATTR_FLAGS:
2184 iap.iap_attr = app->spd_attr_value;
2185 break;
2186
2187 case SPD_ATTR_AH_AUTH:
2188 iap.iap_aauth.alg_id = app->spd_attr_value;
2189 break;
2190
2191 case SPD_ATTR_ESP_ENCR:
2192 iap.iap_eencr.alg_id = app->spd_attr_value;
2193 break;
2194
2195 case SPD_ATTR_ESP_AUTH:
2196 iap.iap_eauth.alg_id = app->spd_attr_value;
2197 break;
2198
2199 case SPD_ATTR_ENCR_MINBITS:
2200 iap.iap_eencr.alg_minbits = app->spd_attr_value;
2201 break;
2202
2203 case SPD_ATTR_ENCR_MAXBITS:
2204 iap.iap_eencr.alg_maxbits = app->spd_attr_value;
2205 break;
2206
2207 case SPD_ATTR_AH_MINBITS:
2208 iap.iap_aauth.alg_minbits = app->spd_attr_value;
2209 break;
2210
2211 case SPD_ATTR_AH_MAXBITS:
2212 iap.iap_aauth.alg_maxbits = app->spd_attr_value;
2213 break;
2214
2215 case SPD_ATTR_ESPA_MINBITS:
2216 iap.iap_eauth.alg_minbits = app->spd_attr_value;
2217 break;
2218
2219 case SPD_ATTR_ESPA_MAXBITS:
2220 iap.iap_eauth.alg_maxbits = app->spd_attr_value;
2221 break;
2222
2223 case SPD_ATTR_LIFE_SOFT_TIME:
2224 case SPD_ATTR_LIFE_HARD_TIME:
2225 case SPD_ATTR_LIFE_SOFT_BYTES:
2226 case SPD_ATTR_LIFE_HARD_BYTES:
2227 default:
2228 (void) printf("\tattr %d: %X-%d\n",
2229 act_count,
2230 app->spd_attr_tag,
2231 app->spd_attr_value);
2232 break;
2233 }
2234 app++;
2235 }
2236 }
2237
2238 (void) printf("\n");
2239 }
2240
2241 #ifdef DEBUG_HEAVY
2242 static void
2243 pfpol_msg_dump(spd_msg_t *msg, char *tag)
2244 {
2245 spd_ext_t *exts[SPD_EXT_MAX+1];
2246 uint32_t i;
2247 spd_address_t *spd_address;
2248 struct spd_rule *spd_rule;
2249 struct spd_proto *spd_proto;
2250 struct spd_portrange *spd_portrange;
2251 struct spd_typecode *spd_typecode;
2252 struct spd_ext_actions *spd_ext_actions;
2253 struct spd_attribute *app;
2254 spd_if_t *spd_if;
2255 char abuf[INET6_ADDRSTRLEN];
2256 uint32_t rv;
2257 uint16_t act_count;
2258
2259 rv = spdsock_get_ext(exts, msg, msg->spd_msg_len, NULL, 0);
2260 if (rv != KGE_OK)
2261 return;
2262
2263 (void) printf("===========%s==============\n", tag);
2264 (void) printf("pfpol_msg_dump %d\n-------------------\n", rv);
2265
2266 (void) printf("spd_msg_version:%d\n", msg->spd_msg_version);
2267 (void) printf("spd_msg_type:%d\n", msg->spd_msg_type);
2268 (void) printf("spd_msg_errno:%d\n", msg->spd_msg_errno);
2269 (void) printf("spd_msg_spdid:%d\n", msg->spd_msg_spdid);
2270 (void) printf("spd_msg_len:%d\n", msg->spd_msg_len);
2271 (void) printf("spd_msg_diagnostic:%d\n", msg->spd_msg_diagnostic);
2272 (void) printf("spd_msg_seq:%d\n", msg->spd_msg_seq);
2273 (void) printf("spd_msg_pid:%d\n", msg->spd_msg_pid);
2274
2275 for (i = 1; i <= SPD_EXT_MAX; i++) {
2276 if (exts[i] == NULL) {
2277 printf("skipped %d\n", i);
2278 continue;
2279 }
2280
2281 switch (i) {
2282 case SPD_EXT_TUN_NAME:
2283 spd_if = (spd_if_t *)exts[i];
2284 (void) printf("spd_if = %s\n", spd_if->spd_if_name);
2285 break;
2286
2287 case SPD_EXT_ICMP_TYPECODE:
2288 spd_typecode = (struct spd_typecode *)exts[i];
2289 (void) printf("icmp type %d-%d code %d-%d\n",
2290 spd_typecode->spd_typecode_type,
2291 spd_typecode->spd_typecode_type_end,
2292 spd_typecode->spd_typecode_code,
2293 spd_typecode->spd_typecode_code_end);
2294 break;
2295
2296 case SPD_EXT_LCLPORT:
2297 spd_portrange = (struct spd_portrange *)exts[i];
2298 (void) printf("local ports %d-%d\n",
2299 spd_portrange->spd_ports_minport,
2300 spd_portrange->spd_ports_maxport);
2301
2302 break;
2303
2304 case SPD_EXT_REMPORT:
2305 spd_portrange = (struct spd_portrange *)exts[i];
2306 (void) printf("remote ports %d-%d\n",
2307 spd_portrange->spd_ports_minport,
2308 spd_portrange->spd_ports_maxport);
2309
2310 break;
2311
2312 case SPD_EXT_PROTO:
2313 spd_proto = (struct spd_proto *)exts[i];
2314 (void) printf("proto:spd_proto_exttype %d\n",
2315 spd_proto->spd_proto_exttype);
2316 (void) printf("proto:spd_proto_number %d\n",
2317 spd_proto->spd_proto_number);
2318 break;
2319
2320 case SPD_EXT_LCLADDR:
2321 case SPD_EXT_REMADDR:
2322 spd_address = (spd_address_t *)exts[i];
2323 if (i == SPD_EXT_LCLADDR)
2324 (void) printf("local addr ");
2325 else
2326 (void) printf("remote addr ");
2327
2328
2329 (void) printf("%s\n",
2330 inet_ntop(spd_address->spd_address_af,
2331 (void *) (spd_address +1), abuf,
2332 INET6_ADDRSTRLEN));
2333
2334 (void) printf("prefixlen: %d\n",
2335 spd_address->spd_address_prefixlen);
2336 break;
2337
2338 case SPD_EXT_ACTION:
2339 spd_ext_actions = (struct spd_ext_actions *)exts[i];
2340 (void) printf("spd_ext_action\n");
2341 (void) printf("spd_actions_count %d\n",
2342 spd_ext_actions->spd_actions_count);
2343 app = (struct spd_attribute *)(spd_ext_actions + 1);
2344
2345 for (act_count = 0;
2346 act_count < spd_ext_actions->spd_actions_len -1;
2347 act_count++) {
2348 (void) printf("\tattr %d: %X-%d\n", act_count,
2349 app->spd_attr_tag, app->spd_attr_value);
2350 app++;
2351 }
2352
2353 break;
2354
2355 case SPD_EXT_RULE:
2356 spd_rule = (struct spd_rule *)exts[i];
2357 (void) printf("spd_rule_priority: 0x%x\n",
2358 spd_rule->spd_rule_priority);
2359 (void) printf("spd_rule_flags: %d\n",
2360 spd_rule->spd_rule_flags);
2361 break;
2362
2363 case SPD_EXT_RULESET:
2364 (void) printf("spd_ext_ruleset\n");
2365 break;
2366 default:
2367 (void) printf("default\n");
2368 break;
2369 }
2370 }
2371
2372 (void) printf("-------------------\n");
2373 (void) printf("=========================\n");
2374 }
2375 #endif /* DEBUG_HEAVY */
2376
2377 static int
2378 ipsec_conf_view()
2379 {
2380 char buf[MAXLEN];
2381 FILE *fp;
2382
2383 fp = fopen(POLICY_CONF_FILE, "r");
2384 if (fp == NULL) {
2385 if (errno == ENOENT) {
2386 /*
2387 * The absence of POLICY_CONF_FILE should
2388 * not cause the command to exit with a
2389 * non-zero status, since this condition
2390 * is valid when no policies were previously
2391 * defined.
2392 */
2393 return (0);
2394 }
2395 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
2396 return (-1);
2397 }
2398 while (fgets(buf, MAXLEN, fp) != NULL) {
2399 /* Don't print removed entries */
2400 if (*buf == ';')
2401 continue;
2402 if (strlen(buf) != 0)
2403 buf[strlen(buf) - 1] = '\0';
2404 (void) puts(buf);
2405 }
2406 return (0);
2407 }
2408
2409 /*
2410 * Delete nlines from start in the POLICY_CONF_FILE.
2411 */
2412 static int
2413 delete_from_file(int start, int nlines)
2414 {
2415 FILE *fp;
2416 char ibuf[MAXLEN];
2417 int len;
2418
2419 if ((fp = fopen(POLICY_CONF_FILE, "r+b")) == NULL) {
2420 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
2421 return (-1);
2422 }
2423
2424 /*
2425 * Insert a ";", read the line and discard it. Repeat
2426 * this logic nlines - 1 times. For the last line there
2427 * is just a newline character. We can't just insert a
2428 * single ";" character instead of the newline character
2429 * as it would affect the next line. Thus when we comment
2430 * the last line we seek one less and insert a ";"
2431 * character, which will replace the newline of the
2432 * penultimate line with ; and newline of the last line
2433 * will become part of the previous line.
2434 */
2435 do {
2436 /*
2437 * It is not enough to seek just once and expect the
2438 * subsequent fgets below to take you to the right
2439 * offset of the next line. fgets below seems to affect
2440 * the offset. Thus we need to seek, replace with ";",
2441 * and discard a line using fgets for every line.
2442 */
2443 if (fseek(fp, start, SEEK_SET) == -1) {
2444 warn("fseek");
2445 return (-1);
2446 }
2447 if (fputc(';', fp) < 0) {
2448 warn("fputc");
2449 return (-1);
2450 }
2451 /*
2452 * Flush the above ";" character before we do the fgets().
2453 * Without this, fgets() gets confused with offsets.
2454 */
2455 (void) fflush(fp);
2456 len = 0;
2457 while (fgets(ibuf, MAXLEN, fp) != NULL) {
2458 len += strlen(ibuf);
2459 if (ibuf[len - 1] == '\n') {
2460 /*
2461 * We have read a complete line.
2462 */
2463 break;
2464 }
2465 }
2466 /*
2467 * We read the line after ";" character has been inserted.
2468 * Thus len does not count ";". To advance to the next line
2469 * increment by 1.
2470 */
2471 start += (len + 1);
2472 /*
2473 * If nlines == 2, we will be commenting out the last
2474 * line next, which has only one newline character.
2475 * If we blindly replace it with ";", it will be
2476 * read as part of the next line which could have
2477 * a INDEX string and thus confusing ipsec_conf_view.
2478 * Thus, we seek one less and replace the previous
2479 * line's newline character with ";", and the
2480 * last line's newline character will become part of
2481 * the previous line.
2482 */
2483 if (nlines == 2)
2484 start--;
2485 } while (--nlines != 0);
2486 (void) fclose(fp);
2487 if (nlines != 0)
2488 return (-1);
2489 else
2490 return (0);
2491 }
2492
2493 /*
2494 * Delete an entry from the file by inserting a ";" at the
2495 * beginning of the lines to be removed.
2496 */
2497 static int
2498 ipsec_conf_del(int policy_index, boolean_t ignore_spd)
2499 {
2500 act_prop_t *act_props = malloc(sizeof (act_prop_t));
2501 char *buf;
2502 FILE *fp;
2503 char ibuf[MAXLEN];
2504 int ibuf_len, index_len, index;
2505 int ret = 0;
2506 int offset, prev_offset;
2507 int nlines;
2508 char lifname[LIFNAMSIZ];
2509
2510 if (act_props == NULL) {
2511 warn(gettext("memory"));
2512 return (-1);
2513 }
2514
2515 fp = fopen(POLICY_CONF_FILE, "r");
2516 if (fp == NULL) {
2517 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
2518 free(act_props);
2519 return (-1);
2520 }
2521
2522 index_len = strlen(INDEX_TAG);
2523 index = 0;
2524 for (offset = prev_offset = 0; fgets(ibuf, MAXLEN, fp) != NULL;
2525 offset += ibuf_len) {
2526 prev_offset = offset;
2527 ibuf_len = strlen(ibuf);
2528
2529 if (strncmp(ibuf, INDEX_TAG, index_len) != 0) {
2530 continue;
2531 }
2532
2533 /*
2534 * This line contains INDEX_TAG
2535 */
2536 buf = ibuf + index_len;
2537 buf++; /* Skip the space */
2538 index = parse_index(buf, lifname);
2539 if (index == -1) {
2540 warnx(gettext("Invalid index in the file"));
2541 free(act_props);
2542 return (-1);
2543 }
2544 if (index == policy_index &&
2545 (interface_name == NULL ||
2546 strncmp(interface_name, lifname, LIFNAMSIZ) == 0)) {
2547 if (!ignore_spd) {
2548 ret = parse_one(fp, act_props);
2549 if (ret == -1) {
2550 warnx(gettext("Invalid policy entry "
2551 "in the file"));
2552 free(act_props);
2553 return (-1);
2554 }
2555 }
2556 /*
2557 * nlines is the number of lines we should comment
2558 * out. linecount tells us how many lines this command
2559 * spans. And we need to remove the line with INDEX
2560 * and an extra line we added during ipsec_conf_add.
2561 *
2562 * NOTE : If somebody added a policy entry which does
2563 * not have a newline, ipsec_conf_add() fills in the
2564 * newline. Hence, there is always 2 extra lines
2565 * to delete.
2566 */
2567 nlines = linecount + 2;
2568 goto delete;
2569 }
2570 }
2571
2572 if (!ignore_spd)
2573 ret = pfp_delete_rule(policy_index);
2574
2575 if (ret != 0) {
2576 warnx(gettext("Deletion incomplete. Please "
2577 "flush all the entries and re-configure :"));
2578 reconfigure();
2579 free(act_props);
2580 return (ret);
2581 }
2582 free(act_props);
2583 return (ret);
2584
2585 delete:
2586 /* Delete nlines from prev_offset */
2587 (void) fclose(fp);
2588 ret = delete_from_file(prev_offset, nlines);
2589
2590 if (ret != 0) {
2591 warnx(gettext("Deletion incomplete. Please "
2592 "flush all the entries and re-configure :"));
2593 reconfigure();
2594 free(act_props);
2595 return (ret);
2596 }
2597
2598 if (!ignore_spd)
2599 ret = pfp_delete_rule(policy_index);
2600
2601 if (ret != 0) {
2602 warnx(gettext("Deletion incomplete. Please "
2603 "flush all the entries and re-configure :"));
2604 reconfigure();
2605 free(act_props);
2606 return (ret);
2607 }
2608 free(act_props);
2609 return (0);
2610 }
2611
2612 static int
2613 pfp_delete_rule(uint64_t index)
2614 {
2615 struct spd_msg *msg;
2616 struct spd_rule *rule;
2617 int sfd;
2618 int cnt, len, alloclen;
2619
2620 sfd = get_pf_pol_socket();
2621 if (sfd < 0) {
2622 warn(gettext("unable to open policy socket"));
2623 return (-1);
2624 }
2625
2626 /*
2627 * Add an extra 8 bytes of space (+1 uint64_t) to avoid truncation
2628 * issues.
2629 */
2630 alloclen = sizeof (spd_msg_t) + sizeof (struct spd_rule) +
2631 sizeof (spd_if_t) + LIFNAMSIZ + 8;
2632 msg = (spd_msg_t *)malloc(alloclen);
2633
2634 if (msg == NULL) {
2635 warn("malloc");
2636 return (-1);
2637 }
2638
2639 rule = (struct spd_rule *)(msg + 1);
2640
2641 (void) memset(msg, 0, alloclen);
2642 msg->spd_msg_version = PF_POLICY_V1;
2643 msg->spd_msg_type = SPD_DELETERULE;
2644 msg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t)
2645 + sizeof (struct spd_rule));
2646
2647 rule->spd_rule_type = SPD_EXT_RULE;
2648 rule->spd_rule_len = SPD_8TO64(sizeof (struct spd_rule));
2649 rule->spd_rule_index = index;
2650
2651 msg->spd_msg_len += attach_tunname((spd_if_t *)(rule + 1));
2652
2653 len = SPD_64TO8(msg->spd_msg_len);
2654 cnt = write(sfd, msg, len);
2655
2656 if (cnt != len) {
2657 if (cnt < 0) {
2658 warn(gettext("Delete failed: write"));
2659 (void) close(sfd);
2660 free(msg);
2661 return (-1);
2662 } else {
2663 (void) close(sfd);
2664 free(msg);
2665 warnx(gettext("Delete failed: short write"));
2666 return (-1);
2667 }
2668 }
2669
2670 cnt = read(sfd, msg, len);
2671 if (cnt != len) {
2672 if (cnt < 0) {
2673 warn(gettext("Delete failed: read"));
2674 (void) close(sfd);
2675 free(msg);
2676 return (-1);
2677 } else {
2678 (void) close(sfd);
2679 free(msg);
2680 warnx(gettext("Delete failed while reading reply"));
2681 return (-1);
2682 }
2683 }
2684 (void) close(sfd);
2685 if (msg->spd_msg_errno != 0) {
2686 errno = msg->spd_msg_errno;
2687 warn(gettext("Delete failed: SPD_FLUSH"));
2688 free(msg);
2689 return (-1);
2690 }
2691
2692 free(msg);
2693 return (0);
2694 }
2695
2696 static int
2697 ipsec_conf_flush(int db)
2698 {
2699 int pfd, cnt, len;
2700 int sfd;
2701 struct spd_msg *msg;
2702 /*
2703 * Add an extra 8 bytes of space (+1 uint64_t) to avoid truncation
2704 * issues.
2705 */
2706 uint64_t buffer[
2707 SPD_8TO64(sizeof (*msg) + sizeof (spd_if_t) + LIFNAMSIZ) + 1];
2708
2709 sfd = get_pf_pol_socket();
2710 if (sfd < 0) {
2711 warn(gettext("unable to open policy socket"));
2712 return (-1);
2713 }
2714
2715 (void) memset(buffer, 0, sizeof (buffer));
2716 msg = (struct spd_msg *)buffer;
2717 msg->spd_msg_version = PF_POLICY_V1;
2718 msg->spd_msg_type = SPD_FLUSH;
2719 msg->spd_msg_len = SPD_8TO64(sizeof (*msg));
2720 msg->spd_msg_spdid = db;
2721
2722 msg->spd_msg_len += attach_tunname((spd_if_t *)(msg + 1));
2723
2724 len = SPD_64TO8(msg->spd_msg_len);
2725 cnt = write(sfd, msg, len);
2726 if (cnt != len) {
2727 if (cnt < 0) {
2728 warn(gettext("Flush failed: write"));
2729 return (-1);
2730 } else {
2731 warnx(gettext("Flush failed: short write"));
2732 return (-1);
2733 }
2734 }
2735
2736 cnt = read(sfd, msg, len);
2737 if (cnt != len) {
2738 if (cnt < 0) {
2739 warn(gettext("Flush failed: read"));
2740 return (-1);
2741 } else {
2742 warnx(gettext("Flush failed while reading reply"));
2743 return (-1);
2744 }
2745 }
2746 (void) close(sfd);
2747 if (msg->spd_msg_errno != 0) {
2748 warnx("%s: %s", gettext("Flush failed: SPD_FLUSH"),
2749 sys_error_message(msg->spd_msg_errno));
2750 return (-1);
2751 }
2752
2753 /* Truncate the file */
2754 if (db == SPD_ACTIVE) {
2755 if ((pfd = open(POLICY_CONF_FILE, O_TRUNC|O_RDWR)) == -1) {
2756 if (errno == ENOENT) {
2757 /*
2758 * The absence of POLICY_CONF_FILE should
2759 * not cause the command to exit with a
2760 * non-zero status, since this condition
2761 * is valid when no policies were previously
2762 * defined.
2763 */
2764 return (0);
2765 }
2766 warn(gettext("%s cannot be truncated"),
2767 POLICY_CONF_FILE);
2768 return (-1);
2769 }
2770 (void) close(pfd);
2771 }
2772 return (0);
2773 }
2774
2775 /*
2776 * function to send SPD_FLIP and SPD_CLONE messages
2777 * Do it for ALL polheads for simplicity's sake.
2778 */
2779 static void
2780 ipsec_conf_admin(uint8_t type)
2781 {
2782 int cnt;
2783 int sfd;
2784 struct spd_msg *msg;
2785 uint64_t buffer[
2786 SPD_8TO64(sizeof (struct spd_msg) + sizeof (spd_if_t))];
2787 char *save_ifname;
2788
2789 sfd = get_pf_pol_socket();
2790 if (sfd < 0) {
2791 err(-1, gettext("unable to open policy socket"));
2792 }
2793
2794 (void) memset(buffer, 0, sizeof (buffer));
2795 msg = (struct spd_msg *)buffer;
2796 msg->spd_msg_version = PF_POLICY_V1;
2797 msg->spd_msg_type = type;
2798 msg->spd_msg_len = SPD_8TO64(sizeof (buffer));
2799
2800 save_ifname = interface_name;
2801 /* Apply to all policy heads - global and tunnels. */
2802 interface_name = &all_polheads;
2803 (void) attach_tunname((spd_if_t *)(msg + 1));
2804 interface_name = save_ifname;
2805
2806 cnt = write(sfd, msg, sizeof (buffer));
2807 if (cnt != sizeof (buffer)) {
2808 if (cnt < 0) {
2809 err(-1, gettext("admin failed: write"));
2810 } else {
2811 errx(-1, gettext("admin failed: short write"));
2812 }
2813 }
2814
2815 cnt = read(sfd, msg, sizeof (buffer));
2816 if (cnt != sizeof (buffer)) {
2817 if (cnt < 0) {
2818 err(-1, gettext("admin failed: read"));
2819 } else {
2820 errx(-1, gettext("admin failed while reading reply"));
2821 }
2822 }
2823 (void) close(sfd);
2824 if (msg->spd_msg_errno != 0) {
2825 errno = msg->spd_msg_errno;
2826 err(-1, gettext("admin failed"));
2827 }
2828 }
2829
2830 static void
2831 reconfigure()
2832 {
2833 (void) fprintf(stderr, gettext(
2834 "\tipsecconf -f \n "
2835 "\tipsecconf -a policy_file\n"));
2836 }
2837
2838 static void
2839 usage(void)
2840 {
2841 (void) fprintf(stderr, gettext(
2842 "Usage: ipsecconf\n"
2843 "\tipsecconf -a ([-]|<filename>) [-q]\n"
2844 "\tipsecconf -c <filename>\n"
2845 "\tipsecconf -r ([-]|<filename>) [-q]\n"
2846 "\tipsecconf -d [-i tunnel-interface] <index>\n"
2847 "\tipsecconf -d <tunnel-interface,index>\n"
2848 "\tipsecconf -l [-n] [-i tunnel-interface]\n"
2849 "\tipsecconf -f [-i tunnel-interface]\n"
2850 "\tipsecconf -L [-n]\n"
2851 "\tipsecconf -F\n"));
2852 }
2853
2854 /*
2855 * a type consists of
2856 * "type" <int>{ "-" <int>}
2857 * or
2858 * "type" keyword
2859 *
2860 * a code consists of
2861 * "code" <int>{ "-" <int>}
2862 * or
2863 * "code" keyword
2864 */
2865
2866
2867 static int
2868 parse_type_code(const char *str, const str_val_t *table)
2869 {
2870 char *end1, *end2;
2871 int res1 = 0, res2 = 0;
2872 int i;
2873
2874 if (isdigit(str[0])) {
2875 res1 = strtol(str, &end1, 0);
2876
2877 if (end1 == str) {
2878 return (-1);
2879 }
2880
2881 if (res1 > 255 || res1 < 0) {
2882 return (-1);
2883 }
2884
2885 if (*end1 == '-') {
2886 end1++;
2887 res2 = strtol(end1, &end2, 0);
2888 if (res2 > 255 || res2 < 0) {
2889 return (-1);
2890 }
2891 } else {
2892 end2 = end1;
2893 }
2894
2895 while (isspace(*end2))
2896 end2++;
2897
2898 if (*end2 != '\0') {
2899 return (-1);
2900 }
2901
2902 return (res1 + (res2 << 8));
2903 }
2904
2905 for (i = 0; table[i].string; i++) {
2906 if (strcmp(str, table[i].string) == 0) {
2907 return (table[i].value);
2908 }
2909 }
2910
2911 return (-1);
2912 }
2913
2914 static int
2915 parse_int(const char *str)
2916 {
2917 char *end;
2918 int res;
2919
2920 res = strtol(str, &end, 0);
2921 if (end == str)
2922 return (-1);
2923 while (isspace(*end))
2924 end++;
2925 if (*end != '\0')
2926 return (-1);
2927 return (res);
2928 }
2929
2930 /*
2931 * Parses <interface>,<index>. Sets iname or the global interface_name (if
2932 * iname == NULL) to <interface> and returns <index>. Calls exit() if we have
2933 * an interface_name already set.
2934 */
2935 static int
2936 parse_index(const char *str, char *iname)
2937 {
2938 char *intf, *num, *copy;
2939 int rc;
2940
2941 copy = strdup(str);
2942 if (copy == NULL) {
2943 EXIT_FATAL("Out of memory.");
2944 }
2945
2946 intf = strtok(copy, ",");
2947 /* Just want the rest of the string unmolested, so use "" for arg2. */
2948 num = strtok(NULL, "");
2949 if (num == NULL) {
2950 /* No comma found, just parse it like an int. */
2951 free(copy);
2952 return (parse_int(str));
2953 }
2954
2955 if (iname != NULL) {
2956 (void) strlcpy(iname, intf, LIFNAMSIZ);
2957 } else {
2958 if (interface_name != NULL) {
2959 EXIT_FATAL("Interface name already selected");
2960 }
2961
2962 interface_name = strdup(intf);
2963 if (interface_name == NULL) {
2964 EXIT_FATAL("Out of memory.");
2965 }
2966 }
2967
2968 rc = parse_int(num);
2969 free(copy);
2970 return (rc);
2971 }
2972
2973 /*
2974 * Convert a mask to a prefix length.
2975 * Returns prefix length on success, -1 otherwise.
2976 */
2977 static int
2978 in_getprefixlen(char *mask)
2979 {
2980 int prefixlen;
2981 char *end;
2982
2983 prefixlen = (int)strtol(mask, &end, 10);
2984 if (prefixlen < 0) {
2985 return (-1);
2986 }
2987 if (mask == end) {
2988 return (-1);
2989 }
2990 if (*end != '\0') {
2991 return (-1);
2992 }
2993 return (prefixlen);
2994 }
2995
2996 /*
2997 * Convert a prefix length to a mask.
2998 * Assumes the mask array is zero'ed by the caller.
2999 */
3000 static void
3001 in_prefixlentomask(unsigned int prefixlen, uchar_t *mask)
3002 {
3003 while (prefixlen > 0) {
3004 if (prefixlen >= 8) {
3005 *mask++ = 0xFF;
3006 prefixlen -= 8;
3007 continue;
3008 }
3009 *mask |= 1 << (8 - prefixlen);
3010 prefixlen--;
3011 }
3012 }
3013
3014
3015 static int
3016 parse_address(int type, char *addr_str)
3017 {
3018 char *ptr;
3019 int prefix_len = 0;
3020 struct netent *ne = NULL;
3021 struct hostent *hp = NULL;
3022 int h_errno;
3023 struct in_addr netaddr;
3024 struct in6_addr *netaddr6;
3025 struct hostent *ne_hent;
3026 boolean_t has_mask = B_FALSE;
3027
3028 ptr = strchr(addr_str, '/');
3029 if (ptr != NULL) {
3030 has_mask = B_TRUE;
3031 *ptr++ = '\0';
3032
3033 prefix_len = in_getprefixlen(ptr);
3034 if (prefix_len < 0) {
3035 warnx(gettext("Unparseable prefix: '%s'."), ptr);
3036 return (-1);
3037 }
3038 }
3039
3040 /*
3041 * getipnodebyname() is thread safe. This allows us to hold on to the
3042 * returned hostent structure, which is pointed to by the shp and
3043 * dhp globals for the source and destination addresses, respectively.
3044 */
3045 hp = getipnodebyname(addr_str, AF_INET6, AI_DEFAULT | AI_ALL, &h_errno);
3046 if (hp != NULL) {
3047 /*
3048 * We come here for both a hostname and
3049 * any host address /network address.
3050 */
3051 assert(hp->h_addrtype == AF_INET6);
3052 } else if ((ne = getnetbyname(addr_str)) != NULL) {
3053 switch (ne->n_addrtype) {
3054 case AF_INET:
3055 /*
3056 * Allocate a struct hostent and initialize
3057 * it with the address corresponding to the
3058 * network number previously returned by
3059 * getnetbyname(). Freed by do_address_adds()
3060 * once the policy is defined.
3061 */
3062 ne_hent = malloc(sizeof (struct hostent));
3063 if (ne_hent == NULL) {
3064 warn("malloc");
3065 return (-1);
3066 }
3067 ne_hent->h_addr_list = malloc(2*sizeof (char *));
3068 if (ne_hent->h_addr_list == NULL) {
3069 warn("malloc");
3070 free(ne_hent);
3071 return (-1);
3072 }
3073 netaddr6 = malloc(sizeof (struct in6_addr));
3074 if (netaddr6 == NULL) {
3075 warn("malloc");
3076 free(ne_hent->h_addr_list);
3077 free(ne_hent);
3078 return (-1);
3079 }
3080 ne_hent->h_addr_list[0] = (char *)netaddr6;
3081 ne_hent->h_addr_list[1] = NULL;
3082 netaddr = inet_makeaddr(ne->n_net, INADDR_ANY);
3083 IN6_INADDR_TO_V4MAPPED(&netaddr, netaddr6);
3084 hp = ne_hent;
3085 break;
3086 default:
3087 warnx(gettext("Address type %d not supported."),
3088 ne->n_addrtype);
3089 return (-1);
3090 }
3091 } else {
3092 warnx(gettext("Could not resolve address %s."), addr_str);
3093 return (-1);
3094 }
3095
3096 if (type == IPSEC_CONF_SRC_ADDRESS) {
3097 shp = hp;
3098 if (has_mask)
3099 splen = prefix_len;
3100 has_saprefix = has_mask;
3101 } else {
3102 dhp = hp;
3103 if (has_mask)
3104 dplen = prefix_len;
3105 has_daprefix = has_mask;
3106 }
3107
3108 return (0);
3109 }
3110
3111 /*
3112 * Add port-only entries. Make sure to add them in both the V6 and V4 tables!
3113 */
3114 static int
3115 do_port_adds(ips_conf_t *cptr)
3116 {
3117 int ret, diag;
3118
3119 assert(IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_src_addr_v6));
3120 assert(IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_dst_addr_v6));
3121
3122 #ifdef DEBUG_HEAVY
3123 (void) dump_conf(cptr);
3124 #endif
3125
3126 ret = send_pf_pol_message(SPD_ADDRULE, cptr, &diag);
3127 if (ret != 0 && !ipsecconf_qflag) {
3128 warnx(
3129 gettext("Could not add IPv4 policy for sport %d, dport %d "
3130 "- diagnostic %d - %s"), ntohs(cptr->ips_src_port_min),
3131 ntohs(cptr->ips_dst_port_min), diag, spdsock_diag(diag));
3132 }
3133
3134 return (ret);
3135 }
3136
3137 /*
3138 * Nuke a list of policy entries.
3139 * rewrite this to use flipping
3140 * d_list isn't freed because we will be
3141 * exiting the program soon.
3142 */
3143 static void
3144 nuke_adds()
3145 {
3146 d_list_t *temp = d_list;
3147 FILE *policy_fp;
3148
3149 policy_fp = fopen(POLICY_CONF_FILE, "a");
3150 if (policy_fp == NULL) {
3151 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
3152 } else {
3153 (void) fprintf(policy_fp, "\n\n");
3154 (void) fflush(policy_fp);
3155 }
3156
3157 while (temp != NULL) {
3158 (void) ipsec_conf_del(temp->index, B_TRUE);
3159 temp = temp->next;
3160 }
3161 }
3162
3163 /*
3164 * Set mask info from the specified prefix len. Fail if multihomed.
3165 */
3166 static int
3167 set_mask_info(struct hostent *hp, unsigned int plen, struct in6_addr *mask_v6)
3168 {
3169 struct in6_addr addr;
3170 struct in_addr mask_v4;
3171
3172 if (hp->h_addr_list[1] != NULL) {
3173 return (EOPNOTSUPP);
3174 }
3175
3176 if (!IN6_IS_ADDR_UNSPECIFIED(mask_v6)) {
3177 return (EBUSY);
3178 }
3179
3180 bcopy(hp->h_addr_list[0], &addr, sizeof (struct in6_addr));
3181 if (IN6_IS_ADDR_V4MAPPED(&addr)) {
3182 if (plen > IP_ABITS) {
3183 return (ERANGE);
3184 }
3185 (void) memset(&mask_v4, 0, sizeof (mask_v4));
3186 in_prefixlentomask(plen, (uchar_t *)&mask_v4);
3187 IN6_INADDR_TO_V4MAPPED(&mask_v4, mask_v6);
3188 } else {
3189 if (plen > IPV6_ABITS) {
3190 return (ERANGE);
3191 }
3192 /* mask_v6 is already zero (unspecified), see test above */
3193 in_prefixlentomask(plen, (uchar_t *)mask_v6);
3194 }
3195 return (0);
3196 }
3197
3198 /*
3199 * Initialize the specified IPv6 address with all f's.
3200 */
3201 static void
3202 init_addr_wildcard(struct in6_addr *addr_v6, boolean_t isv4)
3203 {
3204 if (isv4) {
3205 uint32_t addr_v4 = 0xffffffff;
3206 IN6_INADDR_TO_V4MAPPED((struct in_addr *)&addr_v4, addr_v6);
3207 } else {
3208 (void) memset(addr_v6, 0xff, sizeof (struct in6_addr));
3209 }
3210 }
3211
3212 /*
3213 * Called at the end to actually add policy. Handles single and multi-homed
3214 * cases.
3215 */
3216 static int
3217 do_address_adds(ips_conf_t *cptr, int *diag)
3218 {
3219 int i, j;
3220 int ret = 0; /* For ioctl() call. */
3221 int rc = 0; /* My own return code. */
3222 struct in6_addr zeroes = { { { 0, 0, 0, 0, 0, 0, 0, 0,
3223 0, 0, 0, 0, 0, 0, 0, 0 } } };
3224 char *ptr[2];
3225 struct hostent hent;
3226 boolean_t isv4;
3227 int add_count = 0;
3228
3229 /*
3230 * dst_hent may not be initialized if a destination
3231 * address was not given. It will be initalized with just
3232 * one address if a destination address was given. In both
3233 * the cases, we initialize here with ipsc_dst_addr and enter
3234 * the loop below.
3235 */
3236 if (dhp == NULL) {
3237 assert(shp != NULL);
3238 hent.h_addr_list = ptr;
3239 ptr[0] = (char *)&zeroes.s6_addr;
3240 ptr[1] = NULL;
3241 dhp = &hent;
3242 } else if (shp == NULL) {
3243 assert(dhp != NULL);
3244 hent.h_addr_list = ptr;
3245 ptr[0] = (char *)&zeroes.s6_addr;
3246 ptr[1] = NULL;
3247 shp = &hent;
3248 }
3249
3250 /*
3251 * Set mask info here. Bail if multihomed and there's a prefix len.
3252 */
3253 if (has_saprefix) {
3254 rc = set_mask_info(shp, splen, &cptr->ips_src_mask_v6);
3255 if (rc != 0)
3256 goto bail;
3257 cptr->ips_src_mask_len = splen;
3258 }
3259
3260 if (has_daprefix) {
3261 rc = set_mask_info(dhp, dplen, &cptr->ips_dst_mask_v6);
3262 if (rc != 0)
3263 goto bail;
3264 cptr->ips_dst_mask_len = dplen;
3265 }
3266
3267 for (i = 0; shp->h_addr_list[i] != NULL; i++) {
3268 bcopy(shp->h_addr_list[i], &cptr->ips_src_addr_v6,
3269 sizeof (struct in6_addr));
3270 isv4 = cptr->ips_isv4 =
3271 IN6_IS_ADDR_V4MAPPED(&cptr->ips_src_addr_v6);
3272 if (IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_src_mask_v6) &&
3273 shp != &hent) {
3274 init_addr_wildcard(&cptr->ips_src_mask_v6, isv4);
3275 }
3276
3277 for (j = 0; dhp->h_addr_list[j] != NULL; j++) {
3278 bcopy(dhp->h_addr_list[j], &cptr->ips_dst_addr_v6,
3279 sizeof (struct in6_addr));
3280 if (IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_src_addr_v6)) {
3281 /*
3282 * Src was not specified, so update isv4 flag
3283 * for this policy according to the family
3284 * of the destination address.
3285 */
3286 isv4 = cptr->ips_isv4 =
3287 IN6_IS_ADDR_V4MAPPED(
3288 &cptr->ips_dst_addr_v6);
3289 } else if ((dhp != &hent) && (isv4 !=
3290 IN6_IS_ADDR_V4MAPPED(&cptr->ips_dst_addr_v6))) {
3291 /* v6/v4 mismatch. */
3292 continue;
3293 }
3294 if (IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_dst_mask_v6) &&
3295 dhp != &hent) {
3296 init_addr_wildcard(&cptr->ips_dst_mask_v6,
3297 isv4);
3298 }
3299
3300 ret = send_pf_pol_message(SPD_ADDRULE, cptr, diag);
3301
3302 if (ret == 0) {
3303 add_count++;
3304 } else {
3305 /* For now, allow duplicate/overlap policies. */
3306 if (ret != EEXIST) {
3307 /*
3308 * We have an error where we added
3309 * some, but had errors with others.
3310 * Undo the previous adds, and
3311 * bail.
3312 */
3313 rc = ret;
3314 goto bail;
3315 }
3316 }
3317
3318 bzero(&cptr->ips_dst_mask_v6,
3319 sizeof (struct in6_addr));
3320 }
3321
3322 bzero(&cptr->ips_src_mask_v6, sizeof (struct in6_addr));
3323 }
3324
3325 bail:
3326 if (shp != &hent)
3327 freehostent(shp);
3328 shp = NULL;
3329 if (dhp != &hent)
3330 freehostent(dhp);
3331 dhp = NULL;
3332 splen = 0;
3333 dplen = 0;
3334
3335 if ((add_count == 0) && (rc == 0)) {
3336 /*
3337 * No entries were added. We failed all adds
3338 * because the entries already existed, or because
3339 * no v4 or v6 src/dst pairs were found. Either way,
3340 * we must fail here with an appropriate error
3341 * to avoid a corresponding entry from being added
3342 * to ipsecpolicy.conf.
3343 */
3344 if ((ret == EEXIST)) {
3345 /* All adds failed with EEXIST */
3346 rc = EEXIST;
3347 } else {
3348 /* No matching v4 or v6 src/dst pairs */
3349 rc = ESRCH;
3350 }
3351 }
3352
3353 return (rc);
3354 }
3355
3356 static int
3357 parse_mask(int type, char *mask_str, ips_conf_t *cptr)
3358 {
3359 struct in_addr mask;
3360 struct in6_addr *mask6;
3361
3362 if (type == IPSEC_CONF_SRC_MASK) {
3363 mask6 = &cptr->ips_src_mask_v6;
3364 } else {
3365 mask6 = &cptr->ips_dst_mask_v6;
3366 }
3367
3368 if ((strncasecmp(mask_str, "0x", 2) == 0) &&
3369 (strchr(mask_str, '.') == NULL)) {
3370 /* Is it in the form 0xff000000 ? */
3371 char *end;
3372
3373 mask.s_addr = strtoul(mask_str, &end, 0);
3374 if (end == mask_str) {
3375 return (-1);
3376 }
3377 if (*end != '\0') {
3378 return (-1);
3379 }
3380 mask.s_addr = htonl(mask.s_addr);
3381 } else {
3382 /*
3383 * Since inet_addr() returns -1 on error, we have
3384 * to convert a broadcast address ourselves.
3385 */
3386 if (strcmp(mask_str, "255.255.255.255") == 0) {
3387 mask.s_addr = 0xffffffff;
3388 } else {
3389 mask.s_addr = inet_addr(mask_str);
3390 if (mask.s_addr == (unsigned int)-1)
3391 return (-1);
3392 }
3393 }
3394
3395 /* Should we check for non-contiguous masks ? */
3396 if (mask.s_addr == 0)
3397 return (-1);
3398 IN6_INADDR_TO_V4MAPPED(&mask, mask6);
3399
3400
3401 if (type == IPSEC_CONF_SRC_MASK) {
3402 cptr->ips_src_mask_len = in_masktoprefix(mask6->s6_addr,
3403 B_TRUE);
3404 } else {
3405 cptr->ips_dst_mask_len = in_masktoprefix(mask6->s6_addr,
3406 B_TRUE);
3407 }
3408
3409 return (0);
3410 }
3411
3412 static int
3413 parse_port(int type, char *port_str, ips_conf_t *conf)
3414 {
3415 struct servent *sent;
3416 in_port_t port;
3417 int ret;
3418
3419 sent = getservbyname(port_str, NULL);
3420 if (sent == NULL) {
3421 ret = parse_int(port_str);
3422 if (ret < 0 || ret >= 65536) {
3423 return (-1);
3424 }
3425 port = htons((in_port_t)ret);
3426 } else {
3427 port = sent->s_port;
3428 }
3429 if (type == IPSEC_CONF_SRC_PORT) {
3430 conf->ips_src_port_min = conf->ips_src_port_max = port;
3431 } else {
3432 conf->ips_dst_port_min = conf->ips_dst_port_max = port;
3433 }
3434 return (0);
3435 }
3436
3437 static boolean_t
3438 combined_mode(uint_t alg_id)
3439 {
3440 struct ipsecalgent *alg;
3441 boolean_t rc;
3442
3443 alg = getipsecalgbynum(alg_id, IPSEC_PROTO_ESP, NULL);
3444 if (alg != NULL) {
3445 rc = (ALG_FLAG_COMBINED & alg->a_alg_flags);
3446 freeipsecalgent(alg);
3447 } else {
3448 rc = B_FALSE;
3449 }
3450
3451 return (rc);
3452 }
3453
3454 static int
3455 valid_algorithm(int proto_num, const char *str)
3456 {
3457 const char *tmp;
3458 int ret;
3459 struct ipsecalgent *alg;
3460
3461 /* Short-circuit "none" */
3462 if (strncasecmp("none", str, 5) == 0)
3463 return (-2);
3464
3465 alg = getipsecalgbyname(str, proto_num, NULL);
3466 if (alg != NULL) {
3467 ret = alg->a_alg_num;
3468 freeipsecalgent(alg);
3469 return (ret);
3470 }
3471
3472 /*
3473 * Look whether it could be a valid number.
3474 * We support numbers also so that users can
3475 * load algorithms as they need it. We can't
3476 * check for validity of numbers here. It will
3477 * be checked when the SA is negotiated/looked up.
3478 * parse_int uses strtol(str), which converts 3DES
3479 * to a valid number i.e looks only at initial
3480 * number part. If we come here we should expect
3481 * only a decimal number.
3482 */
3483 tmp = str;
3484 while (*tmp) {
3485 if (!isdigit(*tmp))
3486 return (-1);
3487 tmp++;
3488 }
3489
3490 ret = parse_int(str);
3491 if (ret > 0 && ret <= 255)
3492 return (ret);
3493 else
3494 return (-1);
3495 }
3496
3497 static int
3498 parse_ipsec_alg(char *str, ips_act_props_t *iap, int alg_type)
3499 {
3500 int alg_value;
3501 int remainder;
3502 char tstr[VALID_ALG_LEN];
3503 char *lens = NULL;
3504 char *l1_str;
3505 int l1 = 0;
3506 char *l2_str;
3507 int l2 = SPD_MAX_MAXBITS;
3508 algreq_t *ap;
3509 uint_t a_type;
3510
3511 fetch_algorithms();
3512
3513 /*
3514 * Make sure that we get a null terminated string.
3515 * For a bad input, we truncate at VALID_ALG_LEN.
3516 */
3517 remainder = strlen(str);
3518 (void) strlcpy(tstr, str, VALID_ALG_LEN);
3519 lens = strtok(tstr, "()");
3520 remainder -= strlen(lens);
3521 lens = strtok(NULL, "()");
3522
3523 if (lens != NULL) {
3524 int len1 = 0;
3525 int len2 = SPD_MAX_MAXBITS;
3526 int len_all = strlen(lens);
3527 int dot_start = (lens[0] == '.');
3528
3529 /*
3530 * Check to see if the keylength arg is at the end of the
3531 * token, the "()" is 2 characters.
3532 */
3533 remainder -= strlen(lens);
3534 if (remainder > 2)
3535 return (1);
3536
3537 l1_str = strtok(lens, ".");
3538 l2_str = strtok(NULL, ".");
3539 if (l1_str != NULL) {
3540 l1 = parse_int(l1_str);
3541 len1 = strlen(l1_str);
3542 if (len1 < 0)
3543 return (1);
3544 }
3545 if (l2_str != NULL) {
3546 l2 = parse_int(l2_str);
3547 len2 = strlen(l2_str);
3548 if (len2 < 0)
3549 return (1);
3550 }
3551
3552 if (len_all == len1) {
3553 /* alg(n) */
3554 l2 = l1;
3555 } else if (dot_start) {
3556 /* alg(..n) */
3557 l2 = l1;
3558 l1 = 0;
3559 } else if ((len_all - 2) == len1) {
3560 /* alg(n..) */
3561 l2 = SPD_MAX_MAXBITS;
3562 } /* else alg(n..m) */
3563 }
3564
3565 if (alg_type == SPD_ATTR_AH_AUTH ||
3566 alg_type == SPD_ATTR_ESP_AUTH) {
3567 alg_value = valid_algorithm(IPSEC_PROTO_AH, tstr);
3568 } else {
3569 alg_value = valid_algorithm(IPSEC_PROTO_ESP, tstr);
3570 }
3571 if (alg_value < 0) {
3572 /* Invalid algorithm or "none" */
3573 return (alg_value);
3574 }
3575
3576 if (alg_type == SPD_ATTR_AH_AUTH) {
3577 a_type = AH_AUTH;
3578 iap->iap_attr |= SPD_APPLY_AH;
3579 ap = &(iap->iap_aauth);
3580 } else if (alg_type == SPD_ATTR_ESP_AUTH) {
3581 a_type = ESP_AUTH;
3582 iap->iap_attr |= SPD_APPLY_ESP|SPD_APPLY_ESPA;
3583 ap = &(iap->iap_eauth);
3584 } else {
3585 a_type = ESP_ENCR;
3586 iap->iap_attr |= SPD_APPLY_ESP;
3587 ap = &(iap->iap_eencr);
3588 }
3589
3590 ap->alg_id = alg_value;
3591 ap->alg_minbits = l1;
3592 ap->alg_maxbits = l2;
3593
3594 if (!alg_rangecheck(a_type, alg_value, ap))
3595 return (1);
3596
3597 return (0);
3598 }
3599
3600 static char *
3601 sys_error_message(int syserr)
3602 {
3603 char *mesg;
3604
3605 switch (syserr) {
3606 case EEXIST:
3607 mesg = gettext("Entry already exists");
3608 break;
3609 case ENOENT:
3610 mesg = gettext("Tunnel not found");
3611 break;
3612 case EINVAL:
3613 mesg = gettext("Invalid entry");
3614 break;
3615 default :
3616 mesg = strerror(syserr);
3617 }
3618 return (mesg);
3619 }
3620
3621 static void
3622 error_message(error_type_t error, int type, int line)
3623 {
3624 char *mesg;
3625
3626 switch (type) {
3627 case IPSEC_CONF_SRC_ADDRESS:
3628 mesg = gettext("Source Address");
3629 break;
3630 case IPSEC_CONF_DST_ADDRESS:
3631 mesg = gettext("Destination Address");
3632 break;
3633 case IPSEC_CONF_SRC_PORT:
3634 mesg = gettext("Source Port");
3635 break;
3636 case IPSEC_CONF_DST_PORT:
3637 mesg = gettext("Destination Port");
3638 break;
3639 case IPSEC_CONF_SRC_MASK:
3640 mesg = gettext("Source Mask");
3641 break;
3642 case IPSEC_CONF_DST_MASK:
3643 mesg = gettext("Destination Mask");
3644 break;
3645 case IPSEC_CONF_ULP:
3646 mesg = gettext("Upper Layer Protocol");
3647 break;
3648 case IPSEC_CONF_IPSEC_AALGS:
3649 mesg = gettext("Authentication Algorithm");
3650 break;
3651 case IPSEC_CONF_IPSEC_EALGS:
3652 mesg = gettext("Encryption Algorithm");
3653 break;
3654 case IPSEC_CONF_IPSEC_EAALGS:
3655 mesg = gettext("ESP Authentication Algorithm");
3656 break;
3657 case IPSEC_CONF_IPSEC_SA:
3658 mesg = gettext("SA");
3659 break;
3660 case IPSEC_CONF_IPSEC_DIR:
3661 mesg = gettext("Direction");
3662 break;
3663 case IPSEC_CONF_ICMP_TYPE:
3664 mesg = gettext("ICMP type");
3665 break;
3666 case IPSEC_CONF_ICMP_CODE:
3667 mesg = gettext("ICMP code");
3668 break;
3669 case IPSEC_CONF_NEGOTIATE:
3670 mesg = gettext("Negotiate");
3671 break;
3672 case IPSEC_CONF_TUNNEL:
3673 mesg = gettext("Tunnel");
3674 break;
3675 default :
3676 return;
3677 }
3678 /*
3679 * If we never read a newline character, we don't want
3680 * to print 0.
3681 */
3682 warnx(gettext("%s%s%s %s on line: %d"),
3683 (error == BAD_ERROR) ? gettext("Bad") : "",
3684 (error == DUP_ERROR) ? gettext("Duplicate") : "",
3685 (error == REQ_ERROR) ? gettext("Requires") : "",
3686 mesg,
3687 (arg_indices[line] == 0) ? 1 : arg_indices[line]);
3688 }
3689
3690 static int
3691 validate_properties(ips_act_props_t *cptr, boolean_t dir, boolean_t is_alg)
3692 {
3693 if (cptr->iap_action == SPD_ACTTYPE_PASS ||
3694 cptr->iap_action == SPD_ACTTYPE_DROP) {
3695 if (!dir) {
3696 warnx(gettext("dir string "
3697 "not found for bypass policy"));
3698 }
3699
3700 if (is_alg) {
3701 warnx(gettext("Algorithms found for bypass policy"));
3702 return (-1);
3703 }
3704 return (0);
3705 }
3706 if (!is_alg) {
3707 warnx(gettext("No IPsec algorithms given"));
3708 return (-1);
3709 }
3710 if (cptr->iap_attr == 0) {
3711 warnx(gettext("No SA attribute"));
3712 return (-1);
3713 }
3714 return (0);
3715 }
3716
3717 /*
3718 * This function is called only to parse a single rule's worth of
3719 * action strings. This is called after parsing pattern and before
3720 * parsing properties. Thus we may have something in the leftover
3721 * buffer while parsing the pattern, which we need to handle here.
3722 */
3723 static int
3724 parse_action(FILE *fp, char **action, char **leftover)
3725 {
3726 char *cp;
3727 char ibuf[MAXLEN];
3728 char *tmp_buf;
3729 char *buf;
3730 boolean_t new_stuff;
3731
3732 if (*leftover != NULL) {
3733 buf = *leftover;
3734 new_stuff = B_FALSE;
3735 goto scan;
3736 }
3737 while (fgets(ibuf, MAXLEN, fp) != NULL) {
3738 new_stuff = B_TRUE;
3739 if (ibuf[strlen(ibuf) - 1] == '\n')
3740 linecount++;
3741 buf = ibuf;
3742 scan:
3743 /* Truncate at the beginning of a comment */
3744 cp = strchr(buf, '#');
3745 if (cp != NULL)
3746 *cp = '\0';
3747
3748 /* Skip any whitespace */
3749 while (*buf != '\0' && isspace(*buf))
3750 buf++;
3751
3752 /* Empty line */
3753 if (*buf == '\0')
3754 continue;
3755
3756 /*
3757 * Store the command for error reporting
3758 * and ipsec_conf_add().
3759 */
3760 if (new_stuff) {
3761 /*
3762 * Check for buffer overflow including the null
3763 * terminating character.
3764 */
3765 int len = strlen(ibuf);
3766 if ((cbuf_offset + len + 1) >= CBUF_LEN)
3767 return (-1);
3768
3769 (void) strcpy(cbuf + cbuf_offset, ibuf);
3770 cbuf_offset += len;
3771 }
3772 /*
3773 * Start of the non-empty non-space character.
3774 */
3775 tmp_buf = buf;
3776
3777 /* Skip until next whitespace or CURL_BEGIN */
3778 while (*buf != '\0' && !isspace(*buf) &&
3779 *buf != CURL_BEGIN)
3780 buf++;
3781
3782 if (*buf != '\0') {
3783 if (tmp_buf == buf) /* No action token */
3784 goto error;
3785 if (*buf == CURL_BEGIN) {
3786 *buf = '\0';
3787 /* Allocate an extra byte for the null also */
3788 if ((*action = malloc(strlen(tmp_buf) + 1)) ==
3789 NULL) {
3790 warn("malloc");
3791 return (ENOMEM);
3792 }
3793 (void) strcpy(*action, tmp_buf);
3794 *buf = CURL_BEGIN;
3795 } else {
3796 /* We have hit a space */
3797 *buf++ = '\0';
3798 /* Allocate an extra byte for the null also */
3799 if ((*action = malloc(strlen(tmp_buf) + 1)) ==
3800 NULL) {
3801 warn("malloc");
3802 return (ENOMEM);
3803 }
3804 (void) strcpy(*action, tmp_buf);
3805 }
3806 /*
3807 * Copy the rest of the line into the
3808 * leftover buffer.
3809 */
3810 if (*buf != '\0') {
3811 (void) strlcpy(lo_buf, buf, sizeof (lo_buf));
3812 *leftover = lo_buf;
3813 } else {
3814 *leftover = NULL;
3815 }
3816 } else {
3817 /* Allocate an extra byte for the null also */
3818 if ((*action = malloc(strlen(tmp_buf) + 1)) ==
3819 NULL) {
3820 warn("malloc");
3821 return (ENOMEM);
3822 }
3823 (void) strcpy(*action, tmp_buf);
3824 *leftover = NULL;
3825 }
3826 if (argindex >= ARG_BUF_LEN) {
3827 warnx(gettext("(parsing one command) "
3828 "Too many selectors before action."));
3829 return (-1);
3830 }
3831 arg_indices[argindex++] = linecount;
3832 return (PARSE_SUCCESS);
3833 }
3834 /*
3835 * Return error, on an empty action field.
3836 */
3837 error:
3838 warnx(gettext("(parsing one command) "
3839 "Missing action token."));
3840 return (-1);
3841 }
3842
3843 /*
3844 * This is called to parse pattern or properties that is enclosed
3845 * between CURL_BEGIN and CURL_END.
3846 */
3847 static int
3848 parse_pattern_or_prop(FILE *fp, char *argvec[], char **leftover)
3849 {
3850 char *cp;
3851 int i = 0;
3852 boolean_t curl_begin_seen = B_FALSE;
3853 char ibuf[MAXLEN];
3854 char *tmp_buf;
3855 char *buf;
3856 boolean_t new_stuff;
3857
3858 /*
3859 * When parsing properties, leftover buffer could have the
3860 * leftovers of the previous fgets().
3861 */
3862 if (*leftover != NULL) {
3863 buf = *leftover;
3864 new_stuff = B_FALSE;
3865 goto scan;
3866 }
3867 while (fgets(ibuf, MAXLEN, fp) != NULL) {
3868 new_stuff = B_TRUE;
3869 #ifdef DEBUG_HEAVY
3870 (void) printf("%s\n", ibuf);
3871 #endif
3872 if (ibuf[strlen(ibuf) - 1] == '\n')
3873 linecount++;
3874 buf = ibuf;
3875 scan:
3876 /* Truncate at the beginning of a comment */
3877 cp = strchr(buf, '#');
3878 if (cp != NULL)
3879 *cp = '\0';
3880
3881 /* Skip any whitespace */
3882 while (*buf != '\0' && isspace(*buf))
3883 buf++;
3884
3885 /* Empty line */
3886 if (*buf == '\0')
3887 continue;
3888 /*
3889 * Store the command for error reporting
3890 * and ipsec_conf_add().
3891 */
3892 if (new_stuff) {
3893 /*
3894 * Check for buffer overflow including the null
3895 * terminating character.
3896 */
3897 int len = strlen(ibuf);
3898 if ((cbuf_offset + len + 1) >= CBUF_LEN)
3899 return (-1);
3900 (void) strcpy(cbuf + cbuf_offset, ibuf);
3901 cbuf_offset += len;
3902 }
3903 /*
3904 * First non-space character should be
3905 * a curly bracket.
3906 */
3907 if (!curl_begin_seen) {
3908 if (*buf != CURL_BEGIN) {
3909 /*
3910 * If we never read a newline character,
3911 * we don't want to print 0.
3912 */
3913 warnx(gettext("line %d : pattern must start "
3914 "with \"%c\" character"),
3915 (linecount == 0) ? 1 : linecount,
3916 CURL_BEGIN);
3917 return (-1);
3918 }
3919 buf++;
3920 curl_begin_seen = B_TRUE;
3921 }
3922 /*
3923 * Arguments are separated by white spaces or
3924 * newlines. Scan till you see a CURL_END.
3925 */
3926 while (*buf != '\0') {
3927 if (*buf == CURL_END) {
3928 ret:
3929 *buf++ = '\0';
3930 /*
3931 * Copy the rest of the line into the
3932 * leftover buffer if any.
3933 */
3934 if (*buf != '\0') {
3935 (void) strlcpy(lo_buf, buf,
3936 sizeof (lo_buf));
3937 *leftover = lo_buf;
3938 } else {
3939 *leftover = NULL;
3940 }
3941 return (PARSE_SUCCESS);
3942 }
3943 /*
3944 * Skip any trailing whitespace until we see a
3945 * non white-space character.
3946 */
3947 while (*buf != '\0' && isspace(*buf))
3948 buf++;
3949
3950 if (*buf == CURL_END)
3951 goto ret;
3952
3953 /* Scan the next line as this buffer is empty */
3954 if (*buf == '\0')
3955 break;
3956
3957 if (i >= MAXARGS) {
3958 warnx(
3959 gettext("Number of Arguments exceeded %d"),
3960 i);
3961 return (-1);
3962 }
3963 /*
3964 * Non-empty, Non-space buffer.
3965 */
3966 tmp_buf = buf++;
3967 /*
3968 * Real scan of the argument takes place here.
3969 * Skip past till space or CURL_END.
3970 */
3971 while (*buf != '\0' && !isspace(*buf) &&
3972 *buf != CURL_END) {
3973 buf++;
3974 }
3975 /*
3976 * Either a space or we have hit the CURL_END or
3977 * the real end.
3978 */
3979 if (*buf != '\0') {
3980 if (*buf == CURL_END) {
3981 *buf++ = '\0';
3982 if ((argvec[i] = malloc(strlen(tmp_buf)
3983 + 1)) == NULL) {
3984 warn("malloc");
3985 return (ENOMEM);
3986 }
3987 if (strlen(tmp_buf) != 0) {
3988 (void) strcpy(argvec[i],
3989 tmp_buf);
3990 if (argindex >= ARG_BUF_LEN)
3991 goto toomanyargs;
3992 arg_indices[argindex++] =
3993 linecount;
3994 }
3995 /*
3996 * Copy the rest of the line into the
3997 * leftover buffer.
3998 */
3999 if (*buf != '\0') {
4000 (void) strlcpy(lo_buf, buf,
4001 sizeof (lo_buf));
4002 *leftover = lo_buf;
4003 } else {
4004 *leftover = NULL;
4005 }
4006 return (PARSE_SUCCESS);
4007 } else {
4008 *buf++ = '\0';
4009 }
4010 }
4011 /*
4012 * Copy this argument and scan for the buffer more
4013 * if it is non-empty. If it is empty scan for
4014 * the next line.
4015 */
4016 if ((argvec[i] = malloc(strlen(tmp_buf) + 1)) ==
4017 NULL) {
4018 warn("malloc");
4019 return (ENOMEM);
4020 }
4021 (void) strcpy(argvec[i++], tmp_buf);
4022 if (argindex >= ARG_BUF_LEN) {
4023 /*
4024 * The number of tokens in a single policy entry
4025 * exceeds the number of buffers available to fully
4026 * parse the policy entry.
4027 */
4028 toomanyargs:
4029 warnx(gettext("(parsing one command) "
4030 "Too many tokens in single policy entry."));
4031 return (-1);
4032 }
4033 arg_indices[argindex++] = linecount;
4034 }
4035 }
4036 /*
4037 * If nothing is given in the file, it is okay.
4038 * If something is given in the file and it is
4039 * not CURL_BEGIN, we would have returned error
4040 * above. If curl_begin_seen and we are here,
4041 * something is wrong.
4042 */
4043 if (curl_begin_seen) {
4044 warnx(gettext("(parsing one command) "
4045 "Pattern or Properties incomplete."));
4046 return (-1);
4047 }
4048 return (PARSE_EOF); /* Nothing more in the file */
4049 }
4050
4051 /*
4052 * Parse one command i.e {pattern} action {properties}.
4053 *
4054 * {pattern} ( action {prop} | pass | drop ) (or ...)*
4055 */
4056 static int
4057 parse_one(FILE *fp, act_prop_t *act_props)
4058 {
4059 char *leftover;
4060 int ret;
4061 int i;
4062 int ap_num = 0;
4063 enum parse_state {pattern, action, prop } pstate;
4064
4065 has_daprefix = has_saprefix = B_FALSE;
4066
4067 (void) memset(act_props, 0, sizeof (act_prop_t));
4068 pstate = pattern;
4069
4070 ret = 0;
4071 leftover = NULL;
4072 argindex = 0;
4073 cbuf_offset = 0;
4074 assert(shp == NULL && dhp == NULL);
4075
4076 for (;;) {
4077 switch (pstate) {
4078 case pattern:
4079 {
4080 #ifdef DEBUG_HEAVY
4081 (void) printf("pattern\n");
4082 #endif
4083 ret = parse_pattern_or_prop(fp,
4084 act_props->pattern, &leftover);
4085 if (ret == PARSE_EOF) {
4086 /* EOF reached */
4087 return (PARSE_EOF);
4088 }
4089 if (ret != 0) {
4090 ret = -1;
4091 goto err;
4092 }
4093 pstate = action;
4094 break;
4095 }
4096 case action:
4097 {
4098 #ifdef DEBUG_HEAVY
4099 (void) printf("action\n");
4100 #endif
4101 ret = parse_action(fp,
4102 &act_props->ap[ap_num].act, &leftover);
4103 if (ret != 0) {
4104 ret = -1;
4105 goto err;
4106 }
4107
4108 /*
4109 * Validate action now itself so that we don't
4110 * proceed too much into the bad world.
4111 */
4112 for (i = 0; action_table[i].string; i++) {
4113 if (strcmp(act_props->ap[ap_num].act,
4114 action_table[i].string) == 0)
4115 break;
4116 }
4117
4118 if (action_table[i].tok_val == TOK_or) {
4119 /* hit an or, go again */
4120 break;
4121 }
4122
4123 if (action_table[i].string == NULL) {
4124 /*
4125 * If we never read a newline
4126 * character, we don't want
4127 * to print 0.
4128 */
4129 warnx(gettext("(parsing one command) "
4130 "Invalid action on line %d: %s"),
4131 (linecount == 0) ? 1 : linecount,
4132 act_props->ap[ap_num].act);
4133 return (-1);
4134 }
4135
4136 pstate = prop;
4137 break;
4138 }
4139 case prop:
4140 {
4141 #ifdef DEBUG_HEAVY
4142 (void) printf("prop\n");
4143 #endif
4144 ret = parse_pattern_or_prop(fp,
4145 act_props->ap[ap_num].prop, &leftover);
4146 if (ret != 0) {
4147 if (ret == PARSE_EOF) {
4148 warnx(gettext("(parsing one command) "
4149 "Missing properties."));
4150 }
4151 ret = -1;
4152 goto err;
4153 }
4154
4155 if (leftover != NULL) {
4156 /* Accomodate spaces at the end */
4157 while (*leftover != '\0') {
4158 if (*leftover == BACK_SLASH) {
4159 warnx(gettext("Invalid line "
4160 "continuation character."));
4161 ret = -1;
4162 goto err;
4163 }
4164 if (*leftover == 'o') {
4165 leftover++;
4166 if (*leftover == 'r') {
4167 leftover++;
4168 ap_num++;
4169 pstate = action;
4170 goto again;
4171 }
4172 }
4173 if (!isspace(*leftover)) {
4174 ret = -1;
4175 goto err;
4176 }
4177 leftover++;
4178 }
4179 return (0);
4180 }
4181 ap_num++;
4182 if (ap_num > MAXARGS)
4183 return (0);
4184 pstate = action; /* or */
4185 break;
4186 } /* case prop: */
4187 } /* switch(pstate) */
4188
4189 again:
4190 if (ap_num > MAXARGS) {
4191 warnx(gettext("Too many actions."));
4192 return (-1);
4193 }
4194 } /* for(;;) */
4195 err:
4196 if (ret != 0) {
4197 /*
4198 * If we never read a newline character, we don't want
4199 * to print 0.
4200 */
4201 warnx(gettext("Error before or at line %d"),
4202 (linecount == 0) ? 1 : linecount);
4203 }
4204 return (ret);
4205 }
4206
4207 /*
4208 * convert an act_propts_t to an ips_conf_t
4209 */
4210
4211 static int
4212 form_ipsec_conf(act_prop_t *act_props, ips_conf_t *cptr)
4213 {
4214 int i, j, k;
4215 int tok_count = 0;
4216 struct protoent *pent;
4217 boolean_t saddr, daddr, ipsec_aalg, ipsec_ealg, ipsec_eaalg, dir;
4218 boolean_t old_style, new_style, auth_covered, is_no_alg;
4219 boolean_t is_combined_mode;
4220 struct in_addr mask;
4221 int line_no;
4222 int ret;
4223 int ap_num = 0;
4224 int type, code, type_end, code_end;
4225 #ifdef DEBUG_HEAVY
4226 /*
4227 * pattern => act_props->pattern
4228 * action => act_props->ap[].act
4229 * properties => act_props->ap[].prop
4230 */
4231 (void) printf("\npattern\n------------\n");
4232 for (i = 0; act_props->pattern[i] != NULL; i++)
4233 (void) printf("%s\n", act_props->pattern[i]);
4234 (void) printf("apz\n----------\n");
4235 for (j = 0; act_props->ap[j].act != NULL; j++) {
4236
4237 (void) printf("act%d->%s\n", j, act_props->ap[j].act);
4238 for (i = 0; act_props->ap[j].prop[i] != NULL; i++)
4239 (void) printf("%dprop%d->%s\n",
4240 j, i, act_props->ap[j].prop[i]);
4241 }
4242 (void) printf("------------\n\n");
4243 #endif
4244
4245 (void) memset(cptr, 0, sizeof (ips_conf_t));
4246 saddr = daddr = ipsec_aalg = ipsec_ealg = ipsec_eaalg = dir = B_FALSE;
4247 old_style = new_style = is_no_alg = is_combined_mode = B_FALSE;
4248 /*
4249 * Get the Pattern. NULL pattern is valid.
4250 */
4251 for (i = 0, line_no = 0; act_props->pattern[i]; i++, line_no++) {
4252 for (j = 0; pattern_table[j].string; j++) {
4253 if (strcmp(act_props->pattern[i],
4254 pattern_table[j].string) == 0)
4255 break;
4256 }
4257
4258 if (pattern_table[j].string == NULL) {
4259 /*
4260 * If we never read a newline character, we don't want
4261 * to print 0.
4262 */
4263 warnx(gettext("Invalid pattern on line %d: %s"),
4264 (arg_indices[line_no] == 0) ? 1 :
4265 arg_indices[line_no], act_props->pattern[i]);
4266 return (-1);
4267 }
4268
4269 cptr->patt_tok[tok_count++] = pattern_table[j].tok_val;
4270
4271 switch (pattern_table[j].tok_val) {
4272
4273 case TOK_dir:
4274 i++, line_no++;
4275 if (act_props->pattern[i] == NULL) {
4276 error_message(BAD_ERROR,
4277 IPSEC_CONF_IPSEC_DIR, line_no);
4278 return (-1);
4279 }
4280
4281 if (strncmp(act_props->pattern[i], "in", 2) == 0) {
4282 cptr->ips_dir = SPD_RULE_FLAG_INBOUND;
4283 } else if (strncmp(
4284 act_props->pattern[i], "out", 3) == 0) {
4285 cptr->ips_dir = SPD_RULE_FLAG_OUTBOUND;
4286 } else if (strncmp(
4287 act_props->pattern[i], "both", 4) == 0) {
4288 if (old_style) {
4289 error_message(BAD_ERROR,
4290 IPSEC_CONF_IPSEC_DIR, line_no);
4291 return (-1);
4292 }
4293 new_style = B_TRUE;
4294 cptr->ips_dir =
4295 SPD_RULE_FLAG_OUTBOUND |
4296 SPD_RULE_FLAG_INBOUND;
4297 } else {
4298 error_message(BAD_ERROR,
4299 IPSEC_CONF_IPSEC_DIR, line_no);
4300 return (-1);
4301 }
4302 dir = B_TRUE;
4303 break;
4304
4305 case TOK_local:
4306 if (old_style) {
4307 error_message(BAD_ERROR,
4308 IPSEC_CONF_SRC_ADDRESS, line_no);
4309 return (-1);
4310 }
4311 new_style = B_TRUE;
4312
4313 if (saddr) {
4314 error_message(DUP_ERROR,
4315 IPSEC_CONF_SRC_ADDRESS, line_no);
4316 return (-1);
4317 }
4318 /*
4319 * Use this to detect duplicates rather
4320 * than 0 like other cases, because 0 for
4321 * address means INADDR_ANY.
4322 */
4323 saddr = B_TRUE;
4324 cptr->has_saddr = 1;
4325 /*
4326 * Advance to the string containing
4327 * the address.
4328 */
4329 i++, line_no++;
4330 if (act_props->pattern[i] == NULL) {
4331 error_message(BAD_ERROR,
4332 IPSEC_CONF_SRC_ADDRESS, line_no);
4333 return (-1);
4334 }
4335 if (parse_address(IPSEC_CONF_SRC_ADDRESS,
4336 act_props->pattern[i]) != 0) {
4337 error_message(BAD_ERROR,
4338 IPSEC_CONF_SRC_ADDRESS, line_no);
4339 return (-1);
4340 }
4341 if (!cptr->has_smask)
4342 cptr->has_smask = has_saprefix;
4343
4344 break;
4345 case TOK_remote:
4346 if (old_style) {
4347 error_message(BAD_ERROR,
4348 IPSEC_CONF_DST_ADDRESS, line_no);
4349 return (-1);
4350 }
4351 new_style = B_TRUE;
4352
4353 if (daddr) {
4354 error_message(DUP_ERROR,
4355 IPSEC_CONF_DST_ADDRESS, line_no);
4356 return (-1);
4357 }
4358 /*
4359 * Use this to detect duplicates rather
4360 * than 0 like other cases, because 0 for
4361 * address means INADDR_ANY.
4362 */
4363 daddr = B_TRUE;
4364 cptr->has_daddr = 1;
4365 /*
4366 * Advance to the string containing
4367 * the address.
4368 */
4369 i++, line_no++;
4370 if (act_props->pattern[i] == NULL) {
4371 error_message(BAD_ERROR,
4372 IPSEC_CONF_DST_ADDRESS, line_no);
4373 return (-1);
4374 }
4375 if (parse_address(IPSEC_CONF_DST_ADDRESS,
4376 act_props->pattern[i]) != 0) {
4377 error_message(BAD_ERROR,
4378 IPSEC_CONF_DST_ADDRESS, line_no);
4379 return (-1);
4380 }
4381 if (!cptr->has_dmask)
4382 cptr->has_dmask = has_daprefix;
4383 break;
4384
4385 case TOK_saddr:
4386 if (new_style) {
4387 error_message(BAD_ERROR,
4388 IPSEC_CONF_SRC_ADDRESS, line_no);
4389 return (-1);
4390 }
4391 old_style = B_TRUE;
4392
4393 if (saddr) {
4394 error_message(DUP_ERROR,
4395 IPSEC_CONF_SRC_ADDRESS, line_no);
4396 return (-1);
4397 }
4398 /*
4399 * Use this to detect duplicates rather
4400 * than 0 like other cases, because 0 for
4401 * address means INADDR_ANY.
4402 */
4403 saddr = B_TRUE;
4404 cptr->has_saddr = 1;
4405 /*
4406 * Advance to the string containing
4407 * the address.
4408 */
4409 i++, line_no++;
4410 if (act_props->pattern[i] == NULL) {
4411 error_message(BAD_ERROR,
4412 IPSEC_CONF_SRC_ADDRESS, line_no);
4413 return (-1);
4414 }
4415
4416 if (parse_address(IPSEC_CONF_SRC_ADDRESS,
4417 act_props->pattern[i]) != 0) {
4418 error_message(BAD_ERROR,
4419 IPSEC_CONF_SRC_ADDRESS, line_no);
4420 return (-1);
4421 }
4422 /* shp or bhp? */
4423 if (!cptr->has_smask)
4424 cptr->has_smask = has_saprefix;
4425 break;
4426
4427 case TOK_daddr:
4428 if (new_style) {
4429 error_message(BAD_ERROR,
4430 IPSEC_CONF_DST_ADDRESS, line_no);
4431 return (-1);
4432 }
4433 old_style = B_TRUE;
4434
4435 if (daddr) {
4436 error_message(DUP_ERROR,
4437 IPSEC_CONF_DST_ADDRESS, line_no);
4438 return (-1);
4439 }
4440 /*
4441 * Use this to detect duplicates rather
4442 * than 0 like other cases, because 0 for
4443 * address means INADDR_ANY.
4444 */
4445 daddr = B_TRUE;
4446 cptr->has_daddr = 1;
4447 /*
4448 * Advance to the string containing
4449 * the address.
4450 */
4451 i++, line_no++;
4452 if (act_props->pattern[i] == NULL) {
4453 error_message(BAD_ERROR,
4454 IPSEC_CONF_DST_ADDRESS, line_no);
4455 return (-1);
4456 }
4457 if (parse_address(IPSEC_CONF_DST_ADDRESS,
4458 act_props->pattern[i]) != 0) {
4459 error_message(BAD_ERROR,
4460 IPSEC_CONF_DST_ADDRESS, line_no);
4461 return (-1);
4462 }
4463 if (!cptr->has_dmask)
4464 cptr->has_dmask = has_daprefix;
4465 break;
4466
4467 case TOK_sport:
4468 if (new_style) {
4469 error_message(BAD_ERROR,
4470 IPSEC_CONF_SRC_PORT, line_no);
4471 return (-1);
4472 }
4473 old_style = B_TRUE;
4474
4475 if (cptr->ips_src_port_min != 0) {
4476 error_message(DUP_ERROR, IPSEC_CONF_SRC_PORT,
4477 line_no);
4478 return (-1);
4479 }
4480 i++, line_no++;
4481 if (act_props->pattern[i] == NULL) {
4482 error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT,
4483 line_no);
4484 return (-1);
4485 }
4486 ret = parse_port(IPSEC_CONF_SRC_PORT,
4487 act_props->pattern[i], cptr);
4488 if (ret != 0) {
4489 error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT,
4490 line_no);
4491 return (-1);
4492 }
4493 break;
4494 case TOK_dport:
4495 if (new_style) {
4496 error_message(BAD_ERROR,
4497 IPSEC_CONF_DST_PORT, line_no);
4498 return (-1);
4499 }
4500 old_style = B_TRUE;
4501
4502 if (cptr->ips_dst_port_min != 0) {
4503 error_message(DUP_ERROR, IPSEC_CONF_DST_PORT,
4504 line_no);
4505 return (-1);
4506 }
4507 i++, line_no++;
4508 if (act_props->pattern[i] == NULL) {
4509 error_message(BAD_ERROR, IPSEC_CONF_DST_PORT,
4510 line_no);
4511 return (-1);
4512 }
4513 ret = parse_port(IPSEC_CONF_DST_PORT,
4514 act_props->pattern[i],
4515 cptr);
4516 if (ret != 0) {
4517 error_message(BAD_ERROR, IPSEC_CONF_DST_PORT,
4518 line_no);
4519 return (-1);
4520 }
4521 break;
4522
4523 case TOK_lport:
4524 if (old_style) {
4525 error_message(BAD_ERROR,
4526 IPSEC_CONF_SRC_PORT, line_no);
4527 return (-1);
4528 }
4529 new_style = B_TRUE;
4530
4531 if (cptr->ips_src_port_min != 0) {
4532 error_message(DUP_ERROR, IPSEC_CONF_SRC_PORT,
4533 line_no);
4534 return (-1);
4535 }
4536 i++, line_no++;
4537 if (act_props->pattern[i] == NULL) {
4538 error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT,
4539 line_no);
4540 return (-1);
4541 }
4542 ret = parse_port(IPSEC_CONF_SRC_PORT,
4543 act_props->pattern[i],
4544 cptr);
4545 if (ret != 0) {
4546 error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT,
4547 line_no);
4548 return (-1);
4549 }
4550 break;
4551
4552 case TOK_rport:
4553 if (old_style) {
4554 error_message(BAD_ERROR,
4555 IPSEC_CONF_DST_PORT, line_no);
4556 return (-1);
4557 }
4558 new_style = B_TRUE;
4559
4560 if (cptr->ips_dst_port_min != 0) {
4561 error_message(DUP_ERROR, IPSEC_CONF_DST_PORT,
4562 line_no);
4563 return (-1);
4564 }
4565 i++, line_no++;
4566 if (act_props->pattern[i] == NULL) {
4567 error_message(BAD_ERROR, IPSEC_CONF_DST_PORT,
4568 line_no);
4569 return (-1);
4570 }
4571 ret = parse_port(IPSEC_CONF_DST_PORT,
4572 act_props->pattern[i],
4573 cptr);
4574 if (ret != 0) {
4575 error_message(BAD_ERROR, IPSEC_CONF_DST_PORT,
4576 line_no);
4577 return (-1);
4578 }
4579 break;
4580
4581 case TOK_smask:
4582 if (new_style) {
4583 error_message(BAD_ERROR,
4584 IPSEC_CONF_SRC_MASK, line_no);
4585 return (-1);
4586 }
4587 old_style = B_TRUE;
4588 cptr->has_smask = B_TRUE;
4589
4590 IN6_V4MAPPED_TO_INADDR(&cptr->ips_src_mask_v6, &mask);
4591 if (mask.s_addr != 0) {
4592 error_message(DUP_ERROR, IPSEC_CONF_SRC_MASK,
4593 line_no);
4594 return (-1);
4595 }
4596 i++, line_no++;
4597 if (act_props->pattern[i] == NULL) {
4598 error_message(BAD_ERROR, IPSEC_CONF_SRC_MASK,
4599 line_no);
4600 return (-1);
4601 }
4602 ret = parse_mask(IPSEC_CONF_SRC_MASK,
4603 act_props->pattern[i],
4604 cptr);
4605 if (ret != 0) {
4606 error_message(BAD_ERROR, IPSEC_CONF_SRC_MASK,
4607 line_no);
4608 return (-1);
4609 }
4610 break;
4611 case TOK_dmask:
4612 if (new_style) {
4613 error_message(BAD_ERROR,
4614 IPSEC_CONF_DST_MASK, line_no);
4615 return (-1);
4616 }
4617 old_style = B_TRUE;
4618 cptr->has_dmask = B_TRUE;
4619
4620 IN6_V4MAPPED_TO_INADDR(&cptr->ips_dst_mask_v6, &mask);
4621 if (mask.s_addr != 0) {
4622 error_message(DUP_ERROR, IPSEC_CONF_DST_MASK,
4623 line_no);
4624 return (-1);
4625 }
4626 i++, line_no++;
4627 if (act_props->pattern[i] == NULL) {
4628 error_message(BAD_ERROR, IPSEC_CONF_DST_MASK,
4629 line_no);
4630 return (-1);
4631 }
4632 ret = parse_mask(IPSEC_CONF_DST_MASK,
4633 act_props->pattern[i],
4634 cptr);
4635 if (ret != 0) {
4636 error_message(BAD_ERROR, IPSEC_CONF_DST_MASK,
4637 line_no);
4638 return (-1);
4639 }
4640 break;
4641 case TOK_ulp:
4642 if (cptr->ips_ulp_prot != 0) {
4643 error_message(DUP_ERROR,
4644 IPSEC_CONF_ULP, line_no);
4645 return (-1);
4646 }
4647 i++, line_no++;
4648 if (act_props->pattern[i] == NULL) {
4649 error_message(BAD_ERROR,
4650 IPSEC_CONF_ULP, line_no);
4651 return (-1);
4652 }
4653 pent = getprotobyname(act_props->pattern[i]);
4654 if (pent == NULL) {
4655 int ulp;
4656 ulp = parse_int(act_props->pattern[i]);
4657 if (ulp == -1) {
4658 error_message(BAD_ERROR,
4659 IPSEC_CONF_ULP, line_no);
4660 return (-1);
4661 }
4662 cptr->ips_ulp_prot = ulp;
4663 } else {
4664 cptr->ips_ulp_prot = pent->p_proto;
4665 }
4666 break;
4667 case TOK_type:
4668 if (cptr->has_type) {
4669 error_message(DUP_ERROR,
4670 IPSEC_CONF_ICMP_TYPE, line_no);
4671 return (-1);
4672 }
4673
4674 i++, line_no++;
4675 type = parse_type_code(act_props->pattern[i],
4676 icmp_type_table);
4677
4678 if (type > 65536 || type < 0) {
4679 error_message(BAD_ERROR,
4680 IPSEC_CONF_ICMP_TYPE, line_no);
4681 return (-1);
4682 }
4683
4684 type_end = type / 256;
4685 type = type % 256;
4686
4687 if (type_end < type)
4688 type_end = type;
4689
4690 cptr->has_type = 1;
4691 cptr->ips_icmp_type = (uint8_t)type;
4692 cptr->ips_icmp_type_end = (uint8_t)type_end;
4693 break;
4694 case TOK_code:
4695 if (!cptr->has_type) {
4696 error_message(BAD_ERROR,
4697 IPSEC_CONF_ICMP_CODE, line_no);
4698 return (-1);
4699 }
4700
4701 if (cptr->has_code) {
4702 error_message(DUP_ERROR,
4703 IPSEC_CONF_ICMP_CODE, line_no);
4704 return (-1);
4705 }
4706
4707 i++, line_no++;
4708
4709 code = parse_type_code(act_props->pattern[i],
4710 icmp_code_table);
4711 if (type > 65536 || type < 0) {
4712 error_message(BAD_ERROR,
4713 IPSEC_CONF_ICMP_CODE, line_no);
4714 return (-1);
4715 }
4716 code_end = code / 256;
4717 code = code % 256;
4718
4719 if (code_end < code)
4720 code_end = code;
4721
4722 cptr->has_code = 1;
4723 cptr->ips_icmp_code = (uint8_t)code;
4724 cptr->ips_icmp_code_end = (uint8_t)code_end;
4725 break;
4726 case TOK_tunnel:
4727 if (cptr->has_tunnel == 1) {
4728 error_message(BAD_ERROR,
4729 IPSEC_CONF_TUNNEL, line_no);
4730 return (-1);
4731 }
4732 i++, line_no++;
4733 if (act_props->pattern[i] == NULL) {
4734 error_message(BAD_ERROR,
4735 IPSEC_CONF_TUNNEL, line_no);
4736 return (-1);
4737 }
4738
4739 if (strlcpy(tunif, act_props->pattern[i],
4740 TUNNAMEMAXLEN) >= TUNNAMEMAXLEN) {
4741 error_message(BAD_ERROR,
4742 IPSEC_CONF_TUNNEL, line_no);
4743 return (-1);
4744 }
4745 cptr->has_tunnel = 1;
4746 break;
4747 case TOK_negotiate:
4748 if (cptr->has_negotiate == 1) {
4749 error_message(BAD_ERROR,
4750 IPSEC_CONF_NEGOTIATE, line_no);
4751 return (-1);
4752 }
4753 i++, line_no++;
4754 if (act_props->pattern[i] == NULL) {
4755 error_message(BAD_ERROR,
4756 IPSEC_CONF_NEGOTIATE, line_no);
4757 return (-1);
4758 }
4759
4760 if (strncmp(act_props->pattern[i], "tunnel", 6) == 0) {
4761 cptr->ips_tunnel = B_TRUE;
4762 } else if (strncmp(
4763 act_props->pattern[i], "transport", 9) != 0) {
4764 error_message(BAD_ERROR,
4765 IPSEC_CONF_NEGOTIATE, line_no);
4766 return (-1);
4767 }
4768 cptr->has_negotiate = 1;
4769 break;
4770 }
4771
4772 }
4773
4774 /* Sanity check that certain tokens occur together */
4775 if (cptr->has_tunnel + cptr->has_negotiate == 1) {
4776 if (cptr->has_negotiate == 0) {
4777 error_message(REQ_ERROR, IPSEC_CONF_NEGOTIATE, line_no);
4778 } else {
4779 error_message(REQ_ERROR, IPSEC_CONF_TUNNEL, line_no);
4780 }
4781 errx(1, gettext(
4782 "tunnel and negotiate tokens must occur together"));
4783 return (-1);
4784 }
4785
4786 /*
4787 * Get the actions.
4788 */
4789
4790 for (ap_num = 0; act_props->ap[ap_num].act != NULL; ap_num++) {
4791 ips_act_props_t *iap;
4792
4793 if (ap_num > 0) {
4794 /* or's only with new style */
4795 if (old_style) {
4796 (void) printf("%s\n", gettext(
4797 "or's only with new style"));
4798 return (-1);
4799 }
4800 new_style = B_TRUE;
4801 }
4802
4803 ipsec_aalg = ipsec_ealg = ipsec_eaalg = auth_covered = B_FALSE;
4804 tok_count = 0;
4805
4806 for (k = 0; action_table[k].string; k++) {
4807 if (strcmp(act_props->ap[ap_num].act,
4808 action_table[k].string) == 0)
4809 break;
4810 }
4811 /*
4812 * The following thing should never happen as
4813 * we have already tested for its validity in parse.
4814 */
4815 if (action_table[k].string == NULL) {
4816 warnx(gettext("(form act)Invalid action on line "
4817 "%d: %s"), (arg_indices[line_no] == 0) ? 1 :
4818 arg_indices[line_no],
4819 act_props->ap[ap_num].act);
4820 warnx("%s", act_props->ap[ap_num].act);
4821 return (-1);
4822 }
4823
4824 /* we have a good action alloc an iap */
4825 iap = alloc_iap(cptr);
4826
4827 iap->iap_action = action_table[k].value;
4828 iap->iap_act_tok = action_table[k].tok_val;
4829
4830 switch (action_table[k].tok_val) {
4831 case TOK_apply:
4832 cptr->ips_dir = SPD_RULE_FLAG_OUTBOUND;
4833 break;
4834 case TOK_permit:
4835 cptr->ips_dir = SPD_RULE_FLAG_INBOUND;
4836 break;
4837 case TOK_ipsec:
4838 if (old_style) {
4839 /* Using saddr/daddr with ipsec action. */
4840 if (!dir) {
4841 /* No direction specified */
4842 error_message(REQ_ERROR,
4843 IPSEC_CONF_IPSEC_DIR, line_no);
4844 return (-1);
4845 }
4846 if (cptr->ips_dir == SPD_RULE_FLAG_INBOUND)
4847 /*
4848 * Need to swap addresses if
4849 * 'dir in' or translation to
4850 * laddr/raddr will be incorrect.
4851 */
4852 cptr->swap = 1;
4853 }
4854 if (!dir)
4855 cptr->ips_dir =
4856 SPD_RULE_FLAG_INBOUND
4857 |SPD_RULE_FLAG_OUTBOUND;
4858 break;
4859 case TOK_bypass:
4860 case TOK_drop:
4861 is_no_alg = B_TRUE;
4862 break;
4863 }
4864
4865 line_no++;
4866 /*
4867 * Get the properties. NULL properties is not valid.
4868 * Later checks will catch it.
4869 */
4870 for (i = 0; act_props->ap[ap_num].prop[i]; i++, line_no++) {
4871 for (j = 0; property_table[j].string; j++) {
4872 if (strcmp(act_props->ap[ap_num].prop[i],
4873 property_table[j].string) == 0) {
4874 break;
4875 }
4876 }
4877 if (property_table[j].string == NULL) {
4878 warnx(gettext("Invalid properties on line "
4879 "%d: %s"),
4880 (arg_indices[line_no] == 0) ?
4881 1 : arg_indices[line_no],
4882 act_props->ap[ap_num].prop[i]);
4883 return (-1);
4884 }
4885
4886 iap->iap_attr_tok[tok_count++]
4887 = property_table[j].value;
4888
4889 switch (property_table[j].value) {
4890 case SPD_ATTR_AH_AUTH:
4891 if (ipsec_aalg) {
4892 error_message(DUP_ERROR,
4893 IPSEC_CONF_IPSEC_AALGS, line_no);
4894 return (-1);
4895 }
4896 i++, line_no++;
4897 if (act_props->ap[ap_num].prop[i] == NULL) {
4898 error_message(BAD_ERROR,
4899 IPSEC_CONF_IPSEC_AALGS, line_no);
4900 return (-1);
4901 }
4902 ret = parse_ipsec_alg(
4903 act_props->ap[ap_num].prop[i],
4904 iap, SPD_ATTR_AH_AUTH);
4905 if (ret == -2) {
4906 /* "none" - ignore */
4907 break;
4908 }
4909 if (ret != 0) {
4910 error_message(BAD_ERROR,
4911 IPSEC_CONF_IPSEC_AALGS, line_no);
4912 return (-1);
4913 }
4914 ipsec_aalg = B_TRUE;
4915 auth_covered = B_TRUE;
4916 break;
4917 case SPD_ATTR_ESP_ENCR:
4918 /*
4919 * If this option was not given
4920 * and encr_auth_algs was given,
4921 * we provide null-encryption. We do the
4922 * setting after we parse all the options.
4923 */
4924 if (ipsec_ealg) {
4925 error_message(DUP_ERROR,
4926 IPSEC_CONF_IPSEC_EALGS, line_no);
4927 return (-1);
4928 }
4929 i++, line_no++;
4930 if (act_props->ap[ap_num].prop[i] == NULL) {
4931 error_message(BAD_ERROR,
4932 IPSEC_CONF_IPSEC_EALGS, line_no);
4933 return (-1);
4934 }
4935 ret = parse_ipsec_alg(
4936 act_props->ap[ap_num].prop[i],
4937 iap, SPD_ATTR_ESP_ENCR);
4938 if (ret == -2) {
4939 /* "none" - ignore */
4940 break;
4941 }
4942 if (ret != 0) {
4943 error_message(BAD_ERROR,
4944 IPSEC_CONF_IPSEC_EALGS, line_no);
4945 return (-1);
4946 }
4947 is_combined_mode =
4948 combined_mode(iap->iap_eencr.alg_id);
4949 ipsec_ealg = B_TRUE;
4950 break;
4951 case SPD_ATTR_ESP_AUTH:
4952 /*
4953 * If this option was not given and encr_algs
4954 * option was given, we still pass a default
4955 * value in ipsc_esp_auth_algs. This is to
4956 * encourage the use of authentication with
4957 * ESP.
4958 */
4959 if (ipsec_eaalg) {
4960 error_message(DUP_ERROR,
4961 IPSEC_CONF_IPSEC_EAALGS, line_no);
4962 return (-1);
4963 }
4964 i++, line_no++;
4965 if (act_props->ap[ap_num].prop[i] == NULL) {
4966 error_message(BAD_ERROR,
4967 IPSEC_CONF_IPSEC_EAALGS, line_no);
4968 return (-1);
4969 }
4970 ret = parse_ipsec_alg(
4971 act_props->ap[ap_num].prop[i],
4972 iap, SPD_ATTR_ESP_AUTH);
4973 if (ret == -2) {
4974 /* "none" - ignore */
4975 break;
4976 }
4977 if (ret != 0) {
4978 error_message(BAD_ERROR,
4979 IPSEC_CONF_IPSEC_EAALGS, line_no);
4980 return (-1);
4981 }
4982 ipsec_eaalg = B_TRUE;
4983 auth_covered = B_TRUE;
4984 break;
4985 case IPS_SA:
4986 i++, line_no++;
4987 if (act_props->ap[ap_num].prop[i] == NULL) {
4988 error_message(BAD_ERROR,
4989 IPSEC_CONF_IPSEC_SA, line_no);
4990 return (-1);
4991 }
4992
4993 if (strcmp(act_props->ap[ap_num].prop[i],
4994 "unique") == 0) {
4995 iap->iap_attr |= SPD_APPLY_UNIQUE;
4996 } else if (strcmp(act_props->ap[ap_num].prop[i],
4997 "shared") != 0) {
4998 /* "shared" is default. */
4999 error_message(BAD_ERROR,
5000 IPSEC_CONF_IPSEC_SA, line_no);
5001 return (-1);
5002 }
5003
5004 break;
5005 case IPS_DIR:
5006 if (dir) {
5007 error_message(DUP_ERROR,
5008 IPSEC_CONF_IPSEC_DIR, line_no);
5009 return (-1);
5010 }
5011 if (new_style) {
5012 error_message(BAD_ERROR,
5013 IPSEC_CONF_IPSEC_DIR, line_no);
5014 return (-1);
5015 }
5016 old_style = B_TRUE;
5017 dir = B_TRUE;
5018 i++, line_no++;
5019 if (act_props->ap[ap_num].prop[i] == NULL) {
5020 error_message(BAD_ERROR,
5021 IPSEC_CONF_IPSEC_DIR, line_no);
5022 return (-1);
5023 }
5024 if (strcmp(act_props->ap[ap_num].prop[i],
5025 "out") == 0) {
5026 cptr->ips_dir = SPD_RULE_FLAG_OUTBOUND;
5027 } else if (strcmp(act_props->ap[ap_num].prop[i],
5028 "in") == 0) {
5029 cptr->ips_dir = SPD_RULE_FLAG_INBOUND;
5030 } else {
5031 error_message(BAD_ERROR,
5032 IPSEC_CONF_IPSEC_DIR, line_no);
5033 return (-1);
5034 }
5035 if ((cptr->ips_dir & SPD_RULE_FLAG_INBOUND) &&
5036 iap->iap_act_tok == TOK_apply) {
5037 warnx(gettext("Direction"
5038 " in conflict with action"));
5039 return (-1);
5040 }
5041 if ((cptr->ips_dir & SPD_RULE_FLAG_OUTBOUND) &&
5042 iap->iap_act_tok == TOK_permit) {
5043 warnx(gettext("Direction"
5044 "in conflict with action"));
5045 return (-1);
5046 }
5047
5048 break;
5049 }
5050 }
5051
5052 if (is_combined_mode) {
5053 if (ipsec_eaalg) {
5054 warnx(gettext("ERROR: Rule on line %d: "
5055 "Combined mode and esp authentication not "
5056 "supported together."),
5057 arg_indices[line_no] == 0 ? 1 :
5058 arg_indices[line_no]);
5059 return (-1);
5060 }
5061 auth_covered = B_TRUE;
5062 }
5063 /* Warn here about no authentication! */
5064 if (!auth_covered && !is_no_alg) {
5065 warnx(gettext("DANGER: Rule on line %d "
5066 "has encryption with no authentication."),
5067 arg_indices[line_no] == 0 ? 1 :
5068 arg_indices[line_no]);
5069 }
5070
5071 if (!ipsec_ealg && ipsec_eaalg) {
5072 /*
5073 * If the user has specified the auth alg to be used
5074 * with encryption and did not provide a encryption
5075 * algorithm, provide null encryption.
5076 */
5077 iap->iap_eencr.alg_id = SADB_EALG_NULL;
5078 ipsec_ealg = B_TRUE;
5079 }
5080
5081 /* Set the level of IPSEC protection we want */
5082 if (ipsec_aalg && (ipsec_ealg || ipsec_eaalg)) {
5083 iap->iap_attr |= SPD_APPLY_AH|SPD_APPLY_ESP;
5084 } else if (ipsec_aalg) {
5085 iap->iap_attr |= SPD_APPLY_AH;
5086 } else if (ipsec_ealg || ipsec_eaalg) {
5087 iap->iap_attr |= SPD_APPLY_ESP;
5088 }
5089
5090 /* convert src/dst to local/remote */
5091 if (!new_style) {
5092 switch (cptr->ips_acts->iap_act_tok) {
5093 case TOK_apply:
5094 /* outbound */
5095 /* src=local, dst=remote */
5096 /* this is ok. */
5097 break;
5098
5099 case TOK_permit:
5100 /* inbound */
5101 /* src=remote, dst=local */
5102 /* switch */
5103 cptr->swap = 1;
5104 break;
5105 case TOK_bypass:
5106 case TOK_drop:
5107 /* check the direction for what to do */
5108 if (cptr->ips_dir == SPD_RULE_FLAG_INBOUND)
5109 cptr->swap = 1;
5110 break;
5111 default:
5112 break;
5113 }
5114 }
5115 /* Validate the properties */
5116 if (ret = validate_properties(iap, dir,
5117 (ipsec_aalg || ipsec_ealg || ipsec_eaalg))) {
5118 return (ret);
5119 }
5120 }
5121
5122 return (0);
5123
5124 }
5125
5126 static int
5127 print_cmd_buf(FILE *fp, int error)
5128 {
5129 *(cbuf + cbuf_offset) = '\0';
5130
5131 if (fp == stderr) {
5132 if (error != EEXIST) {
5133 warnx(gettext("Malformed command (fatal):\n%s"), cbuf);
5134 return (0);
5135 }
5136 if (ipsecconf_qflag) {
5137 return (0);
5138 }
5139 warnx(gettext("Duplicate policy entry (ignored):\n%s"), cbuf);
5140 } else {
5141 if (fprintf(fp, "%s", cbuf) == -1) {
5142 warn("fprintf");
5143 return (-1);
5144 }
5145 }
5146
5147 return (0);
5148 }
5149
5150 #ifdef DEBUG
5151
5152 static uchar_t *
5153 addr_ptr(int isv4, struct in6_addr *addr6, struct in_addr *addr4)
5154 {
5155 if (isv4) {
5156 IN6_V4MAPPED_TO_INADDR(addr6, addr4);
5157 return ((uchar_t *)&addr4->s_addr);
5158 } else {
5159 return ((uchar_t *)&addr6->s6_addr);
5160 }
5161 }
5162
5163 static void
5164 dump_algreq(const char *tag, algreq_t *alg)
5165 {
5166 (void) printf("%s algid %d, bits %d..%d\n",
5167 tag, alg->alg_id, alg->alg_minbits, alg->alg_maxbits);
5168 }
5169
5170 static void
5171 dump_conf(ips_conf_t *conf)
5172 {
5173 boolean_t isv4 = conf->ips_isv4;
5174 struct in_addr addr;
5175 char buf[INET6_ADDRSTRLEN];
5176 int af;
5177 ips_act_props_t *iap = conf->ips_acts;
5178
5179 af = isv4 ? AF_INET : AF_INET6;
5180
5181 (void) printf("Source Addr is %s\n",
5182 inet_ntop(af, addr_ptr(isv4, &conf->ips_src_addr_v6, &addr),
5183 buf, INET6_ADDRSTRLEN));
5184
5185 (void) printf("Dest Addr is %s\n",
5186 inet_ntop(af, addr_ptr(isv4, &conf->ips_dst_addr_v6, &addr),
5187 buf, INET6_ADDRSTRLEN));
5188
5189 (void) printf("Source Mask is %s\n",
5190 inet_ntop(af, addr_ptr(isv4, &conf->ips_src_mask_v6, &addr),
5191 buf, INET6_ADDRSTRLEN));
5192
5193 (void) printf("Dest Mask is %s\n",
5194 inet_ntop(af, addr_ptr(isv4, &conf->ips_dst_mask_v6, &addr),
5195 buf, INET6_ADDRSTRLEN));
5196
5197 (void) printf("Source port %d\n", ntohs(conf->ips_src_port_min));
5198 (void) printf("Dest port %d\n", ntohs(conf->ips_dst_port_min));
5199 (void) printf("ULP %d\n", conf->ips_ulp_prot);
5200
5201 (void) printf("ICMP type %d-%d code %d-%d", conf->ips_icmp_type,
5202 conf->ips_icmp_type_end,
5203 conf->ips_icmp_code,
5204 conf->ips_icmp_code_end);
5205
5206 while (iap != NULL) {
5207 (void) printf("------------------------------------\n");
5208 (void) printf("IPsec act is %d\n", iap->iap_action);
5209 (void) printf("IPsec attr is %d\n", iap->iap_attr);
5210 dump_algreq("AH authentication", &iap->iap_aauth);
5211 dump_algreq("ESP authentication", &iap->iap_eauth);
5212 dump_algreq("ESP encryption", &iap->iap_eencr);
5213 (void) printf("------------------------------------\n");
5214 iap = iap->iap_next;
5215 }
5216
5217 (void) fflush(stdout);
5218 }
5219 #endif /* DEBUG */
5220
5221
5222 static int
5223 ipsec_conf_add(boolean_t just_check, boolean_t smf_managed, boolean_t replace)
5224 {
5225 act_prop_t *act_props = malloc(sizeof (act_prop_t));
5226 ips_conf_t conf;
5227 FILE *fp, *policy_fp;
5228 int ret, flushret, i, j, diag, num_rules, good_rules;
5229 char *warning = gettext(
5230 "\tWARNING : New policy entries that are being added may\n "
5231 "\taffect the existing connections. Existing connections\n"
5232 "\tthat are not subjected to policy constraints, may be\n"
5233 "\tsubjected to policy constraints because of the new\n"
5234 "\tpolicy. This can disrupt the communication of the\n"
5235 "\texisting connections.\n\n");
5236
5237 boolean_t first_time = B_TRUE;
5238 num_rules = 0;
5239 good_rules = 0;
5240
5241 if (act_props == NULL) {
5242 warn(gettext("memory"));
5243 return (-1);
5244 }
5245
5246 if (strcmp(filename, "-") == 0)
5247 fp = stdin;
5248 else
5249 fp = fopen(filename, "r");
5250
5251 /*
5252 * Treat the non-existence of a policy file as a special
5253 * case when ipsecconf is being managed by smf(5).
5254 * The assumption is the administrator has not yet
5255 * created a policy file, this should not force the service
5256 * into maintenance mode.
5257 */
5258
5259 if (fp == NULL) {
5260 if (smf_managed) {
5261 (void) fprintf(stdout, gettext(
5262 "Policy configuration file (%s) does not exist.\n"
5263 "IPsec policy not configured.\n"), filename);
5264 return (0);
5265 }
5266 warn(gettext("%s : Policy config file cannot be opened"),
5267 filename);
5268 usage();
5269 return (-1);
5270 }
5271 /*
5272 * This will create the file if it does not exist.
5273 * Make sure the umask is right.
5274 */
5275 (void) umask(0022);
5276 policy_fp = fopen(POLICY_CONF_FILE, "a");
5277 if (policy_fp == NULL) {
5278 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
5279 return (-1);
5280 }
5281
5282 /*
5283 * Pattern, action, and properties are allocated in
5284 * parse_pattern_or_prop and in parse_action (called by
5285 * parse_one) as we parse arguments.
5286 */
5287 while ((ret = parse_one(fp, act_props)) != PARSE_EOF) {
5288 num_rules++;
5289 if (ret != 0) {
5290 (void) print_cmd_buf(stderr, NOERROR);
5291 continue;
5292 }
5293
5294 /*
5295 * If there is no action and parse returned success,
5296 * it means that there is nothing to add.
5297 */
5298 if (act_props->pattern[0] == NULL &&
5299 act_props->ap[0].act == NULL)
5300 break;
5301
5302 ret = form_ipsec_conf(act_props, &conf);
5303 if (ret != 0) {
5304 warnx(gettext("form_ipsec_conf error"));
5305 (void) print_cmd_buf(stderr, NOERROR);
5306 /* Reset globals before trying the next rule. */
5307 if (shp != NULL) {
5308 freehostent(shp);
5309 shp = NULL;
5310 }
5311 if (dhp != NULL) {
5312 freehostent(dhp);
5313 dhp = NULL;
5314 }
5315 splen = 0;
5316 dplen = 0;
5317 continue;
5318 }
5319
5320 good_rules++;
5321
5322 if (first_time) {
5323 /*
5324 * Time to assume that there are valid policy entries.
5325 * If the IPsec kernel modules are not loaded this
5326 * will load them now.
5327 */
5328 first_time = B_FALSE;
5329 fetch_algorithms();
5330 ipsec_conf_admin(SPD_CLONE);
5331
5332 /*
5333 * The default behaviour for IPSEC_CONF_ADD is to append
5334 * the new rules to the existing policy. If a new rule
5335 * collides with an existing rule, the new rule won't be
5336 * added.
5337 *
5338 * To perform an atomic policy replace, we really don't
5339 * care what the existing policy was, just replace it
5340 * with the new one. Remove all rules from the SPD_CLONE
5341 * policy before checking the new rules.
5342 */
5343 if (replace) {
5344 flushret = ipsec_conf_flush(SPD_STANDBY);
5345 if (flushret != 0)
5346 return (flushret);
5347 }
5348 }
5349
5350 /*
5351 * shp, dhp, splen, and dplen are globals set by
5352 * form_ipsec_conf() while parsing the addresses.
5353 */
5354 if (shp == NULL && dhp == NULL) {
5355 switch (do_port_adds(&conf)) {
5356 case 0:
5357 /* no error */
5358 break;
5359 case EEXIST:
5360 /* duplicate entries, continue adds */
5361 (void) print_cmd_buf(stderr, EEXIST);
5362 goto next;
5363 default:
5364 /* other error, bail */
5365 ret = -1;
5366 goto bail;
5367 }
5368 } else {
5369 ret = do_address_adds(&conf, &diag);
5370 switch (ret) {
5371 case 0:
5372 /* no error. */
5373 break;
5374 case EEXIST:
5375 (void) print_cmd_buf(stderr, EEXIST);
5376 goto next;
5377 case EBUSY:
5378 warnx(gettext(
5379 "Can't set mask and /NN prefix."));
5380 ret = -1;
5381 break;
5382 case ENOENT:
5383 warnx(gettext("Cannot find tunnel "
5384 "interface %s."), interface_name);
5385 ret = -1;
5386 break;
5387 case EINVAL:
5388 /*
5389 * PF_POLICY didn't like what we sent. We
5390 * can't check all input up here, but we
5391 * do in-kernel.
5392 */
5393 warnx(gettext("PF_POLICY invalid input:\n\t%s"),
5394 spdsock_diag(diag));
5395 break;
5396 case EOPNOTSUPP:
5397 warnx(gettext("Can't set /NN"
5398 " prefix on multi-host name."));
5399 ret = -1;
5400 break;
5401 case ERANGE:
5402 warnx(gettext("/NN prefix is too big!"));
5403 ret = -1;
5404 break;
5405 case ESRCH:
5406 warnx(gettext("No matching IPv4 or "
5407 "IPv6 saddr/daddr pairs"));
5408 ret = -1;
5409 break;
5410 default:
5411 /* Should never get here. */
5412 errno = ret;
5413 warn(gettext("Misc. error"));
5414 ret = -1;
5415 }
5416 if (ret == -1)
5417 goto bail;
5418 }
5419
5420 /*
5421 * Go ahead and add policy entries to config file.
5422 * The # should help re-using the ipsecpolicy.conf
5423 * for input again as # will be treated as comment.
5424 */
5425 if (fprintf(policy_fp, "%s %lld \n", INDEX_TAG,
5426 conf.ips_policy_index) == -1) {
5427 warn("fprintf");
5428 warnx(gettext("Addition incomplete, Please "
5429 "flush all the entries and re-configure :"));
5430 reconfigure();
5431 ret = -1;
5432 break;
5433 }
5434 if (print_cmd_buf(policy_fp, NOERROR) == -1) {
5435 warnx(gettext("Addition incomplete. Please "
5436 "flush all the entries and re-configure :"));
5437 reconfigure();
5438 ret = -1;
5439 break;
5440 }
5441 /*
5442 * We add one newline by default to separate out the
5443 * entries. If the last character is not a newline, we
5444 * insert a newline for free. This makes sure that all
5445 * entries look consistent in the file.
5446 */
5447 if (*(cbuf + cbuf_offset - 1) == '\n') {
5448 if (fprintf(policy_fp, "\n") == -1) {
5449 warn("fprintf");
5450 warnx(gettext("Addition incomplete. "
5451 "Please flush all the entries and "
5452 "re-configure :"));
5453 reconfigure();
5454 ret = -1;
5455 break;
5456 }
5457 } else {
5458 if (fprintf(policy_fp, "\n\n") == -1) {
5459 warn("fprintf");
5460 warnx(gettext("Addition incomplete. "
5461 "Please flush all the entries and "
5462 "re-configure :"));
5463 reconfigure();
5464 ret = -1;
5465 break;
5466 }
5467 }
5468 next:
5469 /*
5470 * Make sure this gets to the disk before
5471 * we parse the next entry.
5472 */
5473 (void) fflush(policy_fp);
5474 for (i = 0; act_props->pattern[i] != NULL; i++)
5475 free(act_props->pattern[i]);
5476 for (j = 0; act_props->ap[j].act != NULL; j++) {
5477 free(act_props->ap[j].act);
5478 for (i = 0; act_props->ap[j].prop[i] != NULL; i++)
5479 free(act_props->ap[j].prop[i]);
5480 }
5481 }
5482 if (ret == PARSE_EOF)
5483 ret = 0; /* Not an error */
5484 bail:
5485 if (ret == -1) {
5486 (void) print_cmd_buf(stderr, EINVAL);
5487 for (i = 0; act_props->pattern[i] != NULL; i++)
5488 free(act_props->pattern[i]);
5489 for (j = 0; act_props->ap[j].act != NULL; j++) {
5490 free(act_props->ap[j].act);
5491 for (i = 0; act_props->ap[j].prop[i] != NULL; i++)
5492 free(act_props->ap[j].prop[i]);
5493 }
5494 }
5495 #ifdef DEBUG_HEAVY
5496 (void) printf("ipsec_conf_add: ret val = %d\n", ret);
5497 (void) fflush(stdout);
5498 #endif
5499 if (num_rules == 0 && ret == 0) {
5500 nuke_adds();
5501 (void) restore_all_signals();
5502 (void) unlock(lfd);
5503 EXIT_OK("Policy file does not contain any valid rules.");
5504 }
5505 if (num_rules != good_rules) {
5506 /* This is an error */
5507 nuke_adds();
5508 (void) restore_all_signals();
5509 (void) unlock(lfd);
5510 EXIT_BADCONFIG2("%d policy rule(s) contained errors.",
5511 num_rules - good_rules);
5512 }
5513 /* looks good, flip it in */
5514 if (ret == 0 && !just_check) {
5515 if (!ipsecconf_qflag) {
5516 (void) printf("%s", warning);
5517 }
5518 if (smf_managed)
5519 warnx(gettext("%d policy rules added."), good_rules);
5520 ipsec_conf_admin(SPD_FLIP);
5521 } else {
5522 nuke_adds();
5523 if (just_check) {
5524 (void) fprintf(stdout, gettext("IPsec configuration "
5525 "does not contain any errors.\n"));
5526 (void) fprintf(stdout, gettext(
5527 "IPsec policy was not modified.\n"));
5528 (void) fflush(stdout);
5529 }
5530 }
5531 flushret = ipsec_conf_flush(SPD_STANDBY);
5532 if (flushret != 0)
5533 return (flushret);
5534 return (ret);
5535 }
5536
5537
5538 static int
5539 ipsec_conf_sub()
5540 {
5541 act_prop_t *act_props = malloc(sizeof (act_prop_t));
5542 FILE *remove_fp, *policy_fp;
5543 char rbuf[MAXLEN], pbuf[MAXLEN], /* remove buffer, and policy buffer */
5544 *warning = gettext(
5545 "\tWARNING: Policy entries that are being removed may\n"
5546 "\taffect the existing connections. Existing connections\n"
5547 "\tthat are subjected to policy constraints may no longer\n"
5548 "\tbe subjected to policy contraints because of its\n"
5549 "\tremoval. This can compromise security, and disrupt\n"
5550 "\tthe communication of the existing connection.\n"
5551 "\tConnections that are latched will remain unaffected\n"
5552 "\tuntil they close.\n");
5553 int ret = 0;
5554 int index_len, pindex = 0; /* init value in case of pfile error */
5555
5556 if (act_props == NULL) {
5557 warn(gettext("memory"));
5558 return (-1);
5559 }
5560
5561 /* clone into standby DB */
5562 (void) ipsec_conf_admin(SPD_CLONE);
5563
5564 if (strcmp(filename, "-") == 0)
5565 remove_fp = stdin;
5566 else
5567 remove_fp = fopen(filename, "r");
5568
5569 if (remove_fp == NULL) {
5570 warn(gettext("%s : Input file cannot be opened"), filename);
5571 usage();
5572 free(act_props);
5573 return (-1);
5574 }
5575
5576 /* open policy file so we can locate the correct policy */
5577 (void) umask(0022); /* in case it gets created! */
5578 policy_fp = fopen(POLICY_CONF_FILE, "r+");
5579 if (policy_fp == NULL) {
5580 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
5581 (void) fclose(remove_fp);
5582 free(act_props);
5583 return (-1);
5584 }
5585
5586 /* don't print the warning if we're in q[uiet] mode */
5587 if (!ipsecconf_qflag)
5588 (void) printf("%s", warning);
5589
5590 /* this bit is done primarily so we can read what we write */
5591 index_len = strlen(INDEX_TAG);
5592
5593 /*
5594 * We want to look for the policy in rbuf in the policy file.
5595 * Go through the list of policies to remove, locating each one.
5596 */
5597 while (fgets(rbuf, MAXLEN, remove_fp) != NULL) {
5598 char *buf;
5599 int offset, prev_offset, prev_prev_offset, nlines;
5600 fpos_t ipos;
5601 int pbuf_len = 0;
5602 char *tmp;
5603 /* skip blanks here (so we don't need to do it below)! */
5604 for (tmp = rbuf; (*tmp != '\0') && isspace(*tmp); )
5605 tmp++;
5606
5607 if (*tmp == '\0')
5608 continue; /* while(); */
5609
5610 /* skip the INDEX_TAG lines in the remove buffer */
5611 if (strncasecmp(rbuf, INDEX_TAG, index_len) == 0)
5612 continue;
5613
5614 /* skip commented lines */
5615 if (*tmp == '#')
5616 continue; /* while(); */
5617
5618 /*
5619 * We start by presuming only good policies are in the pfile,
5620 * and so only good policies from the rfile will match them.
5621 * ipsec_conf_del ensures this later by calling parse_one() on
5622 * pfile before it deletes the entry.
5623 */
5624 for (offset = prev_offset = prev_prev_offset = 0;
5625 fgets(pbuf, MAXLEN, policy_fp) != NULL;
5626 offset += pbuf_len) {
5627 prev_offset = offset;
5628 pbuf_len = strlen(pbuf);
5629
5630 /* skip blank lines which seperate policy entries */
5631 if (pbuf[0] == '\n')
5632 continue;
5633
5634 /* if we found an index, save it */
5635 if (strncasecmp(pbuf, INDEX_TAG, index_len) == 0) {
5636 buf = pbuf + index_len;
5637 buf++;
5638 if ((pindex = parse_index(buf, NULL)) == -1) {
5639 /* bad index, we can't continue */
5640 warnx(gettext(
5641 "Invalid index in the file"));
5642 (void) fclose(remove_fp);
5643 (void) fclose(policy_fp);
5644 free(act_props);
5645 return (-1);
5646 }
5647
5648 /* save this position in case it's the one */
5649 if (fgetpos(policy_fp, &ipos) != 0) {
5650 (void) fclose(remove_fp);
5651 (void) fclose(policy_fp);
5652 free(act_props);
5653 return (-1);
5654 }
5655 }
5656
5657 /* Does pbuf contain the remove policy? */
5658 if (strncasecmp(rbuf, pbuf, pbuf_len) == 0) {
5659 /* we found the one to remove! */
5660 if (pindex == 0) {
5661 warnx(gettext("Didn't find a valid "
5662 "index for policy"));
5663 (void) fclose(remove_fp);
5664 (void) fclose(policy_fp);
5665 free(act_props);
5666 return (-1);
5667 }
5668
5669 /* off it - back up to the last INDEX! */
5670 if (fsetpos(policy_fp, &ipos) != 0) {
5671 (void) fclose(remove_fp);
5672 (void) fclose(policy_fp);
5673 free(act_props);
5674 return (-1);
5675 }
5676
5677 /* parse_one sets linecount = #lines to off */
5678 if (parse_one(policy_fp, act_props) == -1) {
5679 warnx(gettext("Invalid policy entry "
5680 "in the file"));
5681 (void) fclose(remove_fp);
5682 (void) fclose(policy_fp);
5683 free(act_props);
5684 return (-1);
5685 }
5686
5687 nlines = linecount + 2;
5688 goto delete;
5689 }
5690 /*
5691 * When we find a match, we want to pass the offset
5692 * of the line that is before it - the INDEX_TAG line.
5693 */
5694 prev_prev_offset = prev_offset;
5695 }
5696 /* Didn't find a match - look at the next remove policy */
5697 continue; /* while(); */
5698
5699 delete:
5700 (void) fclose(policy_fp);
5701
5702 if (delete_from_file(prev_prev_offset, nlines) != 0) {
5703 warnx(gettext("delete_from_file failure. "
5704 "Please flush all entries and re-configure :"));
5705 reconfigure();
5706 (void) fclose(remove_fp);
5707 free(act_props);
5708 return (-1);
5709 }
5710
5711 if (pfp_delete_rule(pindex) != 0) {
5712 warnx(gettext("Deletion incomplete. Please flush"
5713 "all the entries and re-configure :"));
5714 reconfigure();
5715 (void) fclose(remove_fp);
5716 free(act_props);
5717 return (-1);
5718 }
5719
5720 /* reset the globals */
5721 linecount = 0;
5722 pindex = 0;
5723 /* free(NULL) also works. */
5724 free(interface_name);
5725 interface_name = NULL;
5726
5727 /* reopen for next pass, automagically starting over. */
5728 policy_fp = fopen(POLICY_CONF_FILE, "r");
5729 if (policy_fp == NULL) {
5730 warn(gettext("%s cannot be re-opened, can't continue"),
5731 POLICY_CONF_FILE);
5732 (void) fclose(remove_fp);
5733 free(act_props);
5734 return (-1);
5735 }
5736
5737 } /* read next remove policy */
5738
5739 if ((ret = pfp_delete_rule(pindex)) != 0) {
5740 warnx(gettext("Removal incomplete. Please flush "
5741 "all the entries and re-configure :"));
5742 reconfigure();
5743 free(act_props);
5744 return (ret);
5745 }
5746
5747 /* nothing left to look for */
5748 (void) fclose(remove_fp);
5749 free(act_props);
5750
5751 return (0);
5752 }
5753
5754 /*
5755 * Constructs a tunnel interface ID extension. Returns the length
5756 * of the extension in 64-bit-words.
5757 */
5758 static int
5759 attach_tunname(spd_if_t *tunname)
5760 {
5761 if (tunname == NULL || interface_name == NULL)
5762 return (0);
5763
5764 tunname->spd_if_exttype = SPD_EXT_TUN_NAME;
5765 /*
5766 * Use "-3" because there's 4 bytes in the message itself, and
5767 * we lose one because of the '\0' terminator.
5768 */
5769 tunname->spd_if_len = SPD_8TO64(
5770 P2ROUNDUP(sizeof (*tunname) + strlen(interface_name) - 3, 8));
5771 (void) strlcpy((char *)tunname->spd_if_name, interface_name, LIFNAMSIZ);
5772 return (tunname->spd_if_len);
5773 }
unleashed repo fork