1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #include <stdio.h> 26 #include <sys/types.h> 27 #include <sys/stat.h> 28 #include <strings.h> 29 #include <stropts.h> 30 #include <fcntl.h> 31 #include <stdlib.h> 32 #include <unistd.h> 33 #include <string.h> 34 #include <ctype.h> 35 #include <arpa/inet.h> 36 #include <locale.h> 37 #include <syslog.h> 38 #include <pwd.h> 39 #include <sys/param.h> 40 #include <sys/sysmacros.h> /* MIN, MAX */ 41 #include <sys/sockio.h> 42 #include <net/pfkeyv2.h> 43 #include <net/pfpolicy.h> 44 #include <inet/ipsec_impl.h> 45 #include <signal.h> 46 #include <errno.h> 47 #include <netdb.h> 48 #include <sys/socket.h> 49 #include <sys/systeminfo.h> 50 #include <nss_dbdefs.h> /* NSS_BUFLEN_HOSTS */ 51 #include <netinet/in.h> 52 #include <assert.h> 53 #include <inet/ip.h> 54 #include <ipsec_util.h> 55 #include <netinet/in_systm.h> 56 #include <netinet/ip_icmp.h> 57 #include <netinet/icmp6.h> 58 59 /* 60 * Globals 61 */ 62 int lfd; 63 char *my_fmri; 64 FILE *debugfile = stderr; 65 66 #define USAGE() if (!smf_managed) usage() 67 /* 68 * Buffer length to read in pattern/properties. 69 */ 70 #define MAXLEN 1024 71 72 /* Max length of tunnel interface string identifier */ 73 #define TUNNAMEMAXLEN LIFNAMSIZ 74 75 /* 76 * Used by parse_one and parse/parse_action to communicate 77 * the errors. -1 is failure, which is not defined here. 78 */ 79 enum parse_errors {PARSE_SUCCESS, PARSE_EOF}; 80 81 /* 82 * For spdsock_get_ext() diagnostics. 83 */ 84 #define SPDSOCK_DIAG_BUF_LEN 128 85 static char spdsock_diag_buf[SPDSOCK_DIAG_BUF_LEN]; 86 87 /* 88 * Define CURL here so that while you are reading 89 * this code, it does not affect "vi" in pattern 90 * matching. 91 */ 92 #define CURL_BEGIN '{' 93 #define CURL_END '}' 94 #define BACK_SLASH '\\' 95 #define MAXARGS 20 96 #define NOERROR 0 97 98 /* 99 * IPSEC_CONF_ADD should start with 1, so that when multiple commands 100 * are given, we can fail the request. 101 */ 102 103 enum ipsec_cmds {IPSEC_CONF_ADD = 1, IPSEC_CONF_DEL, IPSEC_CONF_VIEW, 104 IPSEC_CONF_FLUSH, IPSEC_CONF_LIST, IPSEC_CONF_SUB, IPSEC_CONF_REPLACE}; 105 106 static const char policy_conf_file[] = "/var/run/ipsecpolicy.conf"; 107 static const char lock_file[] = "/var/run/ipsecconf.lock"; 108 static const char index_tag[] = "#INDEX"; 109 110 #define POLICY_CONF_FILE policy_conf_file 111 #define LOCK_FILE lock_file 112 #define INDEX_TAG index_tag 113 114 /* 115 * Valid algorithm length. 116 */ 117 #define VALID_ALG_LEN 40 118 119 /* Types of Error messages */ 120 typedef enum error_type {BAD_ERROR, DUP_ERROR, REQ_ERROR} error_type_t; 121 122 /* Error message human readable conversions */ 123 static char *sys_error_message(int); 124 static void error_message(error_type_t, int, int); 125 static int get_pf_pol_socket(void); 126 127 static int cmd; 128 static char *filename; 129 static char lo_buf[MAXLEN]; /* Leftover buffer */ 130 131 /* 132 * The new SPD_EXT_TUN_NAME extension has a tunnel name in it. Use the empty 133 * string ("", stored in the char value "all_polheads") for all policy heads 134 * (global and all tunnels). Set interface_name to NULL for global-only, or 135 * specify a name of an IP-in-IP tunnel. 136 */ 137 static char *interface_name; 138 static char all_polheads; /* So we can easily get "". */ 139 140 /* Error reporting stuff */ 141 #define CBUF_LEN 8192 /* Maximum size of the cmd */ 142 /* 143 * Following are used for reporting errors with arguments. 144 * We store the line numbers of each argument as we parse them, 145 * so that the error reporting is more specific. We can have only 146 * (MAXARGS - 1) arguments between any pair of CURL_BEGIN CURL_END. 147 * Because a single command can be made up of multiple action/property 148 * combinations, the maximum command size is (2 * (MAXARGS -1)) for each 149 * of patterns, properties and actions. 150 */ 151 #define ARG_BUF_LEN ((2 * 3 * (MAXARGS - 1)) + 1) 152 static int arg_indices[ARG_BUF_LEN]; 153 static int argindex; 154 static int linecount; 155 static char cbuf[CBUF_LEN]; /* Command buffer */ 156 static int cbuf_offset; 157 158 159 #define BYPASS_POLICY_BOOST 0x00800000 160 #define ESP_POLICY_BOOST 0x00400000 161 #define AH_POLICY_BOOST 0x00200000 162 #define INITIAL_BASE_PRIORITY 0x000fffff 163 164 /* 165 * the number used to order the 166 * rules starts at a certain base and 167 * goes down. i.e. rules earlier in 168 * the file are checked first 169 */ 170 static uint32_t priority = INITIAL_BASE_PRIORITY; 171 172 #define AH_AUTH 0 173 #define ESP_ENCR 1 174 #define ESP_AUTH 2 175 176 177 /* 178 * for deleting adds on error 179 */ 180 181 typedef struct d_list_s 182 { 183 struct d_list_s *next; 184 int index; 185 } d_list_t; 186 187 static d_list_t *d_list = NULL; 188 static d_list_t *d_tail = NULL; 189 190 191 /* 192 * Used for multi-homed source/dest hosts. 193 */ 194 static struct hostent *shp, *dhp; 195 static unsigned int splen, dplen; 196 static char tunif[TUNNAMEMAXLEN]; 197 static boolean_t has_saprefix, has_daprefix; 198 static uint32_t seq_cnt = 0; 199 200 /* lexxed out action and related properties */ 201 typedef struct ap_s 202 { 203 char *act; 204 char *prop[MAXARGS + 1]; 205 } ap_t; 206 207 208 /* one lexxed out rule */ 209 typedef struct act_prop_s { 210 char *pattern[MAXARGS + 1]; 211 ap_t ap[MAXARGS + 1]; 212 } act_prop_t; 213 214 typedef struct 215 { 216 uint8_t alg_id; 217 uint32_t alg_minbits; 218 uint32_t alg_maxbits; 219 } algreq_t; 220 221 /* structure to hold all information for one act_prop_t */ 222 typedef struct ips_act_props_s { 223 struct ips_act_props_s *iap_next; 224 struct ips_conf_s *iap_head; 225 226 /* 227 * IPsec action types (in SPD_ATTR_TYPE attribute) 228 * SPD_ACTTYPE_DROP 0x0001 229 * SPD_ACTTYPE_PASS 0x0002 230 * SPD_ACTTYPE_IPSEC 0x0003 231 */ 232 uint16_t iap_action; 233 uint16_t iap_act_tok; 234 235 /* 236 * Action ATTR flags (in SPD_ATTR_FLAGS attribute) 237 * SPD_APPLY_AH 0x0001 238 * SPD_APPLY_ESP 0x0002 239 * SPD_APPLY_SE 0x0004 * self-encapsulation * 240 * SPD_APPLY_COMP 0x0008 * compression; NYI * 241 * SPD_APPLY_UNIQUE 0x0010 * unique per-flow SA * 242 * SPD_APPLY_BYPASS 0x0020 * bypass policy * 243 */ 244 uint16_t iap_attr; 245 uint16_t iap_attr_tok[5]; 246 247 algreq_t iap_aauth; 248 algreq_t iap_eencr; 249 algreq_t iap_eauth; 250 251 uint32_t iap_life_soft_time; 252 uint32_t iap_life_hard_time; 253 uint32_t iap_life_soft_bytes; 254 uint32_t iap_life_hard_bytes; 255 256 } ips_act_props_t; 257 258 #define V4_PART_OF_V6(v6) v6._S6_un._S6_u32[3] 259 260 typedef struct ips_conf_s { 261 /* selector */ 262 uint16_t patt_tok[8]; 263 uint8_t has_saddr; 264 uint8_t has_daddr; 265 uint8_t has_smask; 266 uint8_t has_dmask; 267 uint8_t has_type; 268 uint8_t has_code; 269 uint8_t has_negotiate; 270 uint8_t has_tunnel; 271 uint16_t swap; 272 273 struct in6_addr ips_src_addr_v6; 274 struct in6_addr ips_src_mask_v6; 275 struct in6_addr ips_dst_addr_v6; 276 struct in6_addr ips_dst_mask_v6; 277 uint8_t ips_src_mask_len; 278 uint8_t ips_dst_mask_len; 279 in_port_t ips_src_port_min; 280 in_port_t ips_src_port_max; 281 in_port_t ips_dst_port_min; 282 in_port_t ips_dst_port_max; 283 uint8_t ips_icmp_type; 284 uint8_t ips_icmp_type_end; 285 uint8_t ips_icmp_code; 286 uint8_t ips_icmp_code_end; 287 uint8_t ips_ulp_prot; 288 uint8_t ips_ipsec_prot; 289 uint8_t ips_isv4; 290 /* 291 * SPD_RULE_FLAG_INBOUND 0x0001 292 * SPD_RULE_FLAG_OUTBOUND 0x0002 293 */ 294 uint8_t ips_dir; 295 /* 296 * Keep track of tunnel separately due to explosion of ways to set 297 * inbound/outbound. 298 */ 299 boolean_t ips_tunnel; 300 uint64_t ips_policy_index; 301 uint32_t ips_act_cnt; 302 ips_act_props_t *ips_acts; 303 } ips_conf_t; 304 305 #define ips_src_addr V4_PART_OF_V6(ips_src_addr_v6) 306 #define ips_dst_addr V4_PART_OF_V6(ips_dst_addr_v6) 307 308 static int ipsecconf_nflag; /* Used only with -l option */ 309 static int ipsecconf_qflag; /* Used only with -a|-r option */ 310 311 typedef struct str_val { 312 const char *string; 313 int value; 314 } str_val_t; 315 316 typedef struct str_tval { 317 const char *string; 318 int tok_val; 319 int value; 320 } str_tval_t; 321 322 static int parse_int(const char *); 323 static int parse_index(const char *, char *); 324 static int attach_tunname(spd_if_t *); 325 static void usage(void); 326 static int ipsec_conf_del(int, boolean_t); 327 static int ipsec_conf_add(boolean_t, boolean_t, boolean_t); 328 static int ipsec_conf_sub(void); 329 static int ipsec_conf_flush(int); 330 static int ipsec_conf_view(void); 331 static int ipsec_conf_list(void); 332 static int lock(void); 333 static int unlock(int); 334 static int parse_one(FILE *, act_prop_t *); 335 static void reconfigure(); 336 static void in_prefixlentomask(unsigned int, uchar_t *); 337 static int in_getprefixlen(char *); 338 static int parse_address(int, char *); 339 #ifdef DEBUG_HEAVY 340 static void pfpol_msg_dump(spd_msg_t *msg, char *); 341 #endif /* DEBUG_HEAVY */ 342 static void print_pfpol_msg(spd_msg_t *); 343 static int pfp_delete_rule(uint64_t); 344 static void ipsec_conf_admin(uint8_t); 345 static void print_bit_range(int, int); 346 static void nuke_adds(); 347 static boolean_t combined_mode(uint_t); 348 349 #ifdef DEBUG 350 static void dump_conf(ips_conf_t *); 351 #endif 352 353 typedef struct 354 { 355 uint32_t id; 356 uint32_t minkeybits; 357 uint32_t maxkeybits; 358 uint32_t defkeybits; 359 uint32_t incr; 360 } alginfo_t; 361 362 static int ipsec_nalgs[3]; 363 static alginfo_t known_algs[3][256]; 364 365 #define IPS_SRC_MASK SPD_EXT_LCLADDR + 100 366 #define IPS_DST_MASK SPD_EXT_REMADDR + 100 367 368 /* 369 * if inbound, src=remote, dst=local 370 * if outbound, src=local, dst=remote 371 */ 372 373 #define TOK_saddr 1 374 #define TOK_daddr 2 375 #define TOK_sport 3 376 #define TOK_dport 4 377 #define TOK_smask 5 378 #define TOK_dmask 6 379 #define TOK_ulp 7 380 #define TOK_local 8 381 #define TOK_lport 9 382 #define TOK_remote 10 383 #define TOK_rport 11 384 #define TOK_dir 12 385 #define TOK_type 13 386 #define TOK_code 14 387 #define TOK_negotiate 15 388 #define TOK_tunnel 16 389 390 #define IPS_SA SPD_ATTR_END 391 #define IPS_DIR SPD_ATTR_EMPTY 392 #define IPS_NEG SPD_ATTR_NOP 393 394 395 static str_tval_t pattern_table[] = { 396 {"saddr", TOK_saddr, SPD_EXT_LCLADDR}, 397 {"src", TOK_saddr, SPD_EXT_LCLADDR}, 398 {"srcaddr", TOK_saddr, SPD_EXT_LCLADDR}, 399 {"daddr", TOK_daddr, SPD_EXT_REMADDR}, 400 {"dst", TOK_daddr, SPD_EXT_REMADDR}, 401 {"dstaddr", TOK_daddr, SPD_EXT_REMADDR}, 402 {"sport", TOK_sport, SPD_EXT_LCLPORT}, 403 {"dport", TOK_dport, SPD_EXT_REMPORT}, 404 {"smask", TOK_smask, IPS_SRC_MASK}, 405 {"dmask", TOK_dmask, IPS_DST_MASK}, 406 {"ulp", TOK_ulp, SPD_EXT_PROTO}, 407 {"proto", TOK_ulp, SPD_EXT_PROTO}, 408 {"local", TOK_local, SPD_EXT_LCLADDR}, 409 {"laddr", TOK_local, SPD_EXT_LCLADDR}, 410 {"lport", TOK_lport, SPD_EXT_LCLPORT}, 411 {"remote", TOK_remote, SPD_EXT_REMADDR}, 412 {"raddr", TOK_remote, SPD_EXT_REMADDR}, 413 {"rport", TOK_rport, SPD_EXT_REMPORT}, 414 {"dir", TOK_dir, IPS_DIR}, 415 {"type", TOK_type, SPD_EXT_ICMP_TYPECODE}, 416 {"code", TOK_code, SPD_EXT_ICMP_TYPECODE}, 417 {"negotiate", TOK_negotiate, IPS_NEG}, 418 {"tunnel", TOK_tunnel, SPD_EXT_TUN_NAME}, 419 {NULL, 0, 0}, 420 }; 421 422 #define TOK_apply 1 423 #define TOK_permit 2 424 #define TOK_ipsec 3 425 #define TOK_bypass 4 426 #define TOK_drop 5 427 #define TOK_or 6 428 429 static str_tval_t action_table[] = { 430 {"apply", TOK_apply, SPD_ACTTYPE_IPSEC}, 431 {"permit", TOK_permit, SPD_ACTTYPE_IPSEC}, 432 {"ipsec", TOK_ipsec, SPD_ACTTYPE_IPSEC}, 433 {"bypass", TOK_bypass, SPD_ACTTYPE_PASS}, 434 {"pass", TOK_bypass, SPD_ACTTYPE_PASS}, 435 {"drop", TOK_drop, SPD_ACTTYPE_DROP}, 436 {"or", TOK_or, 0}, 437 {NULL, 0, 0}, 438 }; 439 440 static str_val_t property_table[] = { 441 {"auth_algs", SPD_ATTR_AH_AUTH}, 442 {"encr_algs", SPD_ATTR_ESP_ENCR}, 443 {"encr_auth_algs", SPD_ATTR_ESP_AUTH}, 444 {"sa", IPS_SA}, 445 {"dir", IPS_DIR}, 446 {NULL, 0}, 447 }; 448 449 static str_val_t icmp_type_table[] = { 450 {"unreach", ICMP_UNREACH}, 451 {"echo", ICMP_ECHO}, 452 {"echorep", ICMP_ECHOREPLY}, 453 {"squench", ICMP_SOURCEQUENCH}, 454 {"redir", ICMP_REDIRECT}, 455 {"timex", ICMP_TIMXCEED}, 456 {"paramprob", ICMP_PARAMPROB}, 457 {"timest", ICMP_TSTAMP}, 458 {"timestrep", ICMP_TSTAMPREPLY}, 459 {"inforeq", ICMP_IREQ}, 460 {"inforep", ICMP_IREQREPLY}, 461 {"maskreq", ICMP_MASKREQ}, 462 {"maskrep", ICMP_MASKREPLY}, 463 {"unreach6", ICMP6_DST_UNREACH}, 464 {"pkttoobig6", ICMP6_PACKET_TOO_BIG}, 465 {"timex6", ICMP6_TIME_EXCEEDED}, 466 {"paramprob6", ICMP6_PARAM_PROB}, 467 {"echo6", ICMP6_ECHO_REQUEST}, 468 {"echorep6", ICMP6_ECHO_REPLY}, 469 {"router-sol6", ND_ROUTER_SOLICIT}, 470 {"router-ad6", ND_ROUTER_ADVERT}, 471 {"neigh-sol6", ND_NEIGHBOR_SOLICIT}, 472 {"neigh-ad6", ND_NEIGHBOR_ADVERT}, 473 {"redir6", ND_REDIRECT}, 474 {NULL, 0}, 475 }; 476 477 static str_val_t icmp_code_table[] = { 478 {"net-unr", ICMP_UNREACH_NET}, 479 {"host-unr", ICMP_UNREACH_HOST}, 480 {"proto-unr", ICMP_UNREACH_PROTOCOL}, 481 {"port-unr", ICMP_UNREACH_PORT}, 482 {"needfrag", ICMP_UNREACH_NEEDFRAG}, 483 {"srcfail", ICMP_UNREACH_SRCFAIL}, 484 {"net-unk", ICMP_UNREACH_NET_UNKNOWN}, 485 {"host-unk", ICMP_UNREACH_HOST_UNKNOWN}, 486 {"isolate", ICMP_UNREACH_ISOLATED}, 487 {"net-prohib", ICMP_UNREACH_NET_PROHIB}, 488 {"host-prohib", ICMP_UNREACH_HOST_PROHIB}, 489 {"net-tos", ICMP_UNREACH_TOSNET}, 490 {"host-tos", ICMP_UNREACH_TOSHOST}, 491 {"filter-prohib", ICMP_UNREACH_FILTER_PROHIB}, 492 {"host-preced", ICMP_UNREACH_HOST_PRECEDENCE}, 493 {"cutoff-preced", ICMP_UNREACH_PRECEDENCE_CUTOFF}, 494 {"no-route6", ICMP6_DST_UNREACH_NOROUTE}, 495 {"adm-prohib6", ICMP6_DST_UNREACH_ADMIN}, 496 {"addr-unr6", ICMP6_DST_UNREACH_ADDR}, 497 {"port-unr6", ICMP6_DST_UNREACH_NOPORT}, 498 {"hop-limex6", ICMP6_TIME_EXCEED_TRANSIT}, 499 {"frag-re-timex6", ICMP6_TIME_EXCEED_REASSEMBLY}, 500 {"err-head6", ICMP6_PARAMPROB_HEADER}, 501 {"unrec-head6", ICMP6_PARAMPROB_NEXTHEADER}, 502 {"unreq-opt6", ICMP6_PARAMPROB_OPTION}, 503 {NULL, 0}, 504 }; 505 506 static sigset_t set, oset; 507 508 509 static boolean_t 510 add_index(int index) 511 { 512 d_list_t *temp = malloc(sizeof (d_list_t)); 513 514 if (temp == NULL) { 515 warn("malloc"); 516 return (B_TRUE); 517 } 518 519 temp->index = index; 520 temp->next = NULL; 521 522 if (d_tail == NULL) { 523 d_list = d_tail = temp; 524 return (B_FALSE); 525 } 526 527 d_tail->next = temp; 528 d_tail = temp; 529 530 return (B_FALSE); 531 } 532 533 static int 534 block_all_signals() 535 { 536 if (sigfillset(&set) == -1) { 537 warn("sigfillset"); 538 return (-1); 539 } 540 if (sigprocmask(SIG_SETMASK, &set, &oset) == -1) { 541 warn("sigprocmask"); 542 return (-1); 543 } 544 return (0); 545 } 546 547 static int 548 restore_all_signals() 549 { 550 if (sigprocmask(SIG_SETMASK, &oset, NULL) == -1) { 551 warn("sigprocmask"); 552 return (-1); 553 } 554 return (0); 555 } 556 557 /* allocate an ips_act_props_t and link it in correctly */ 558 static ips_act_props_t * 559 alloc_iap(ips_conf_t *parent) 560 { 561 ips_act_props_t *ret; 562 ips_act_props_t *next = parent->ips_acts; 563 ips_act_props_t *current = NULL; 564 565 ret = (ips_act_props_t *)calloc(sizeof (ips_act_props_t), 1); 566 567 if (ret == NULL) 568 return (NULL); 569 570 ret->iap_head = parent; 571 572 while (next != NULL) { 573 current = next; 574 next = next->iap_next; 575 } 576 577 if (current != NULL) 578 current->iap_next = ret; 579 else 580 parent->ips_acts = ret; 581 582 parent->ips_act_cnt++; 583 584 return (ret); 585 } 586 587 /* 588 * This function exit()s if it fails. 589 */ 590 static void 591 fetch_algorithms() 592 { 593 struct spd_msg msg; 594 struct spd_ext_actions *actp; 595 struct spd_attribute *attr, *endattr; 596 spd_ext_t *exts[SPD_EXT_MAX+1]; 597 uint64_t reply_buf[256]; 598 int sfd; 599 int cnt, retval; 600 uint64_t *start, *end; 601 alginfo_t alg = {0, 0, 0, 0, 0}; 602 uint_t algtype; 603 static boolean_t has_run = B_FALSE; 604 605 if (has_run) 606 return; 607 else 608 has_run = B_TRUE; 609 610 sfd = get_pf_pol_socket(); 611 if (sfd < 0) { 612 err(-1, gettext("unable to open policy socket")); 613 } 614 615 (void) memset(&msg, 0, sizeof (msg)); 616 msg.spd_msg_version = PF_POLICY_V1; 617 msg.spd_msg_type = SPD_ALGLIST; 618 msg.spd_msg_len = SPD_8TO64(sizeof (msg)); 619 620 cnt = write(sfd, &msg, sizeof (msg)); 621 if (cnt != sizeof (msg)) { 622 if (cnt < 0) { 623 err(-1, gettext("alglist failed: write")); 624 } else { 625 errx(-1, gettext("alglist failed: short write")); 626 } 627 } 628 629 cnt = read(sfd, reply_buf, sizeof (reply_buf)); 630 631 retval = spdsock_get_ext(exts, (spd_msg_t *)reply_buf, SPD_8TO64(cnt), 632 spdsock_diag_buf, SPDSOCK_DIAG_BUF_LEN); 633 634 if (retval == KGE_LEN && exts[0]->spd_ext_len == 0) { 635 /* 636 * No algorithms are defined in the kernel, which caused 637 * the extension length to be zero, and spdsock_get_ext() 638 * to fail with a KGE_LEN error. This is not an error 639 * condition, so we return nicely. 640 */ 641 (void) close(sfd); 642 return; 643 } else if (retval != 0) { 644 if (strlen(spdsock_diag_buf) != 0) 645 warnx(spdsock_diag_buf); 646 err(1, gettext("fetch_algorithms failed")); 647 } 648 649 if (!exts[SPD_EXT_ACTION]) { 650 errx(1, gettext("fetch_algorithms: action missing?!")); 651 } 652 653 actp = (struct spd_ext_actions *)exts[SPD_EXT_ACTION]; 654 start = (uint64_t *)actp; 655 end = (start + actp->spd_actions_len); 656 endattr = (struct spd_attribute *)end; 657 attr = (struct spd_attribute *)&actp[1]; 658 659 algtype = 0; 660 661 while (attr < endattr) { 662 switch (attr->spd_attr_tag) { 663 case SPD_ATTR_NOP: 664 case SPD_ATTR_EMPTY: 665 break; 666 case SPD_ATTR_END: 667 attr = endattr; 668 /* FALLTHRU */ 669 case SPD_ATTR_NEXT: 670 known_algs[algtype][ipsec_nalgs[algtype]] = alg; 671 ipsec_nalgs[algtype]++; 672 break; 673 674 case SPD_ATTR_ENCR_MINBITS: 675 case SPD_ATTR_AH_MINBITS: 676 case SPD_ATTR_ESPA_MINBITS: 677 alg.minkeybits = attr->spd_attr_value; 678 break; 679 680 case SPD_ATTR_ENCR_MAXBITS: 681 case SPD_ATTR_AH_MAXBITS: 682 case SPD_ATTR_ESPA_MAXBITS: 683 alg.maxkeybits = attr->spd_attr_value; 684 break; 685 686 case SPD_ATTR_ENCR_DEFBITS: 687 case SPD_ATTR_AH_DEFBITS: 688 case SPD_ATTR_ESPA_DEFBITS: 689 alg.defkeybits = attr->spd_attr_value; 690 break; 691 692 case SPD_ATTR_ENCR_INCRBITS: 693 case SPD_ATTR_AH_INCRBITS: 694 case SPD_ATTR_ESPA_INCRBITS: 695 alg.incr = attr->spd_attr_value; 696 break; 697 698 case SPD_ATTR_AH_AUTH: 699 case SPD_ATTR_ESP_AUTH: 700 case SPD_ATTR_ESP_ENCR: 701 alg.id = attr->spd_attr_value; 702 algtype = attr->spd_attr_tag - SPD_ATTR_AH_AUTH; 703 break; 704 } 705 attr++; 706 } 707 708 (void) close(sfd); 709 } 710 711 /* data dependant transform (act_cnt) */ 712 #define ATTR(ap, tag, value) \ 713 do { (ap)->spd_attr_tag = (tag); \ 714 (ap)->spd_attr_value = (value); \ 715 ap++; } while (0) 716 717 static struct spd_attribute * 718 emit_alg(struct spd_attribute *ap, int type, const algreq_t *ar, 719 int algattr, int minbitattr, int maxbitattr) 720 { 721 int id = ar->alg_id; 722 int minbits, i; 723 724 if (id != 0) { 725 /* LINTED E_CONST_COND */ 726 ATTR(ap, algattr, ar->alg_id); 727 728 minbits = ar->alg_minbits; 729 if (minbits == 0) { 730 for (i = 0; i < ipsec_nalgs[type]; i++) { 731 if (known_algs[type][i].id == id) 732 break; 733 } 734 if (i < ipsec_nalgs[type]) 735 minbits = known_algs[type][i].defkeybits; 736 } 737 if (minbits != 0) 738 /* LINTED E_CONST_COND */ 739 ATTR(ap, minbitattr, minbits); 740 if (ar->alg_maxbits != SPD_MAX_MAXBITS) 741 /* LINTED E_CONST_COND */ 742 ATTR(ap, maxbitattr, ar->alg_maxbits); 743 } 744 745 return (ap); 746 } 747 748 749 750 static struct spd_attribute * 751 ips_act_props_to_action(struct spd_attribute *ap, uint32_t *rule_priorityp, 752 const ips_act_props_t *act_ptr) 753 { 754 uint32_t rule_priority = *rule_priorityp; 755 756 /* LINTED E_CONST_COND */ 757 ATTR(ap, SPD_ATTR_EMPTY, 0); 758 759 /* type */ 760 /* LINTED E_CONST_COND */ 761 ATTR(ap, SPD_ATTR_TYPE, act_ptr->iap_action); 762 763 if (act_ptr->iap_action == SPD_ACTTYPE_PASS) 764 rule_priority |= BYPASS_POLICY_BOOST; 765 766 /* flags */ 767 if (act_ptr->iap_attr != 0) 768 /* LINTED E_CONST_COND */ 769 ATTR(ap, SPD_ATTR_FLAGS, act_ptr->iap_attr); 770 771 /* esp */ 772 if (act_ptr->iap_attr & SPD_APPLY_ESP) { 773 rule_priority |= ESP_POLICY_BOOST; 774 775 /* encr */ 776 ap = emit_alg(ap, ESP_ENCR, &act_ptr->iap_eencr, 777 SPD_ATTR_ESP_ENCR, 778 SPD_ATTR_ENCR_MINBITS, SPD_ATTR_ENCR_MAXBITS); 779 780 /* auth */ 781 ap = emit_alg(ap, ESP_AUTH, &act_ptr->iap_eauth, 782 SPD_ATTR_ESP_AUTH, 783 SPD_ATTR_ESPA_MINBITS, SPD_ATTR_ESPA_MAXBITS); 784 } 785 786 /* ah */ 787 if (act_ptr->iap_attr & SPD_APPLY_AH) { 788 rule_priority |= AH_POLICY_BOOST; 789 /* auth */ 790 ap = emit_alg(ap, AH_AUTH, &act_ptr->iap_aauth, 791 SPD_ATTR_AH_AUTH, 792 SPD_ATTR_AH_MINBITS, SPD_ATTR_AH_MAXBITS); 793 } 794 795 /* lifetimes */ 796 if (act_ptr->iap_life_soft_time != 0) 797 /* LINTED E_CONST_COND */ 798 ATTR(ap, SPD_ATTR_LIFE_SOFT_TIME, act_ptr->iap_life_soft_time); 799 if (act_ptr->iap_life_hard_time != 0) 800 /* LINTED E_CONST_COND */ 801 ATTR(ap, SPD_ATTR_LIFE_HARD_TIME, act_ptr->iap_life_hard_time); 802 if (act_ptr->iap_life_soft_bytes != 0) 803 /* LINTED E_CONST_COND */ 804 ATTR(ap, SPD_ATTR_LIFE_SOFT_BYTES, 805 act_ptr->iap_life_soft_bytes); 806 if (act_ptr->iap_life_hard_bytes != 0) 807 /* LINTED E_CONST_COND */ 808 ATTR(ap, SPD_ATTR_LIFE_HARD_BYTES, 809 act_ptr->iap_life_hard_bytes); 810 811 /* LINTED E_CONST_COND */ 812 ATTR(ap, SPD_ATTR_NEXT, 0); 813 814 *rule_priorityp = rule_priority; 815 816 return (ap); 817 } 818 819 static boolean_t 820 alg_rangecheck(uint_t type, uint_t algid, const algreq_t *ar) 821 { 822 int i; 823 uint_t minbits = ar->alg_minbits; 824 uint_t maxbits = ar->alg_maxbits; 825 826 for (i = 0; i < ipsec_nalgs[type]; i++) { 827 if (known_algs[type][i].id == algid) 828 break; 829 } 830 831 if (i >= ipsec_nalgs[type]) { 832 /* 833 * The kernel (where we populate known_algs from) doesn't 834 * return the id's associated with NONE algorithms so we 835 * test here if this was the reason the algorithm wasn't 836 * found before wrongly failing. 837 */ 838 if (((type == ESP_ENCR) && (algid == SADB_EALG_NONE)) || 839 ((type == ESP_AUTH) && (algid == SADB_AALG_NONE)) || 840 ((type == AH_AUTH) && (algid == SADB_AALG_NONE))) { 841 return (B_TRUE); 842 } else { 843 return (B_FALSE); /* not found */ 844 } 845 } 846 847 if ((minbits == 0) && (maxbits == 0)) 848 return (B_TRUE); 849 850 minbits = MAX(minbits, known_algs[type][i].minkeybits); 851 maxbits = MIN(maxbits, known_algs[type][i].maxkeybits); 852 853 /* we could also check key increments here.. */ 854 return (minbits <= maxbits); /* non-null intersection */ 855 } 856 857 /* 858 * Inspired by uts/common/inet/spd.c:ipsec_act_wildcard_expand() 859 */ 860 861 static struct spd_attribute * 862 ips_act_wild_props_to_action(struct spd_attribute *ap, 863 uint32_t *rule_priorityp, uint16_t *act_cntp, 864 const ips_act_props_t *act_ptr) 865 { 866 ips_act_props_t tact = *act_ptr; 867 boolean_t use_ah, use_esp, use_espa, combined; 868 boolean_t wild_auth, wild_encr, wild_eauth; 869 uint_t auth_alg, auth_idx, auth_min, auth_max; 870 uint_t eauth_alg, eauth_idx, eauth_min, eauth_max; 871 uint_t encr_alg, encr_idx, encr_min, encr_max; 872 873 use_ah = !!(act_ptr->iap_attr & SPD_APPLY_AH); 874 use_esp = !!(act_ptr->iap_attr & SPD_APPLY_ESP); 875 use_espa = !!(act_ptr->iap_attr & SPD_APPLY_ESPA); 876 auth_alg = act_ptr->iap_aauth.alg_id; 877 eauth_alg = act_ptr->iap_eauth.alg_id; 878 encr_alg = act_ptr->iap_eencr.alg_id; 879 880 wild_auth = use_ah && (auth_alg == SADB_AALG_NONE); 881 wild_eauth = use_espa && (eauth_alg == SADB_AALG_NONE); 882 wild_encr = use_esp && (encr_alg == SADB_EALG_NONE); 883 884 auth_min = auth_max = auth_alg; 885 eauth_min = eauth_max = eauth_alg; 886 encr_min = encr_max = encr_alg; 887 888 /* 889 * set up for explosion.. for each dimension, expand output 890 * size by the explosion factor. 891 */ 892 if (wild_auth) { 893 auth_min = 0; 894 auth_max = ipsec_nalgs[AH_AUTH] - 1; 895 } 896 if (wild_eauth) { 897 eauth_min = 0; 898 eauth_max = ipsec_nalgs[ESP_AUTH] - 1; 899 } 900 if (wild_encr) { 901 encr_min = 0; 902 encr_max = ipsec_nalgs[ESP_ENCR] - 1; 903 } 904 905 #define WHICH_ALG(type, wild, idx) ((wild)?(known_algs[type][idx].id):(idx)) 906 907 for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) { 908 encr_alg = WHICH_ALG(ESP_ENCR, wild_encr, encr_idx); 909 910 if (use_esp && 911 !alg_rangecheck(ESP_ENCR, encr_alg, &act_ptr->iap_eencr)) 912 continue; 913 914 combined = combined_mode(encr_alg); 915 916 for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) { 917 auth_alg = WHICH_ALG(AH_AUTH, wild_auth, auth_idx); 918 919 if (use_ah && 920 !alg_rangecheck(AH_AUTH, auth_alg, 921 &act_ptr->iap_aauth)) 922 continue; 923 924 925 for (eauth_idx = eauth_min; eauth_idx <= eauth_max; 926 eauth_idx++) { 927 eauth_alg = WHICH_ALG(ESP_AUTH, wild_eauth, 928 eauth_idx); 929 930 if (!combined && use_espa && 931 !alg_rangecheck(ESP_AUTH, eauth_alg, 932 &act_ptr->iap_eauth)) 933 continue; 934 935 tact.iap_eencr.alg_id = encr_alg; 936 tact.iap_aauth.alg_id = auth_alg; 937 938 /* 939 * If the cipher is combined-mode don't do any 940 * ESP authentication. 941 */ 942 tact.iap_eauth.alg_id = 943 combined ? SADB_AALG_NONE : eauth_alg; 944 945 (*act_cntp)++; 946 ap = ips_act_props_to_action(ap, 947 rule_priorityp, &tact); 948 949 /* Stop now if the cipher is combined-mode. */ 950 if (combined) 951 break; /* Out of for loop. */ 952 } 953 } 954 } 955 956 #undef WHICH_ALG 957 958 return (ap); 959 } 960 961 /* huge, but not safe since no length checking is done */ 962 #define MAX_POL_MSG_LEN 16384 963 964 965 /* 966 * hand in some ips_conf_t's, get back an 967 * iovec of pfpol messages. 968 * this function converts the internal ips_conf_t into 969 * a form that pf_pol can use. 970 * return 0 on success, 1 on failure 971 */ 972 static int 973 ips_conf_to_pfpol_msg(int ipsec_cmd, ips_conf_t *inConf, int num_ips, 974 struct iovec *msg) 975 { 976 int i; 977 ips_conf_t *conf; 978 uint64_t *scratch = NULL; 979 980 for (i = 0; i < num_ips; i++) { 981 uint16_t *msg_len; 982 uint16_t act_cnt = 0; 983 uint64_t *next = NULL; 984 spd_msg_t *spd_msg; 985 spd_address_t *spd_address; 986 struct spd_rule *spd_rule; 987 struct spd_proto *spd_proto; 988 struct spd_portrange *spd_portrange; 989 struct spd_ext_actions *spd_ext_actions; 990 struct spd_attribute *ap; 991 struct spd_typecode *spd_typecode; 992 spd_if_t *spd_if; 993 ips_act_props_t *act_ptr; 994 uint32_t rule_priority = 0; 995 996 scratch = calloc(1, MAX_POL_MSG_LEN); 997 msg[i].iov_base = (char *)scratch; 998 if (scratch == NULL) { 999 warn(gettext("memory")); 1000 return (1); 1001 } 1002 conf = &(inConf[i]); 1003 1004 spd_msg = (spd_msg_t *)scratch; 1005 next = (uint64_t *)&(spd_msg[1]); 1006 1007 msg_len = &(spd_msg->spd_msg_len); 1008 1009 spd_msg->spd_msg_version = PF_POLICY_V1; 1010 spd_msg->spd_msg_pid = getpid(); 1011 spd_msg->spd_msg_seq = ++seq_cnt; 1012 1013 switch (ipsec_cmd) { 1014 case SPD_ADDRULE: 1015 spd_msg->spd_msg_type = SPD_ADDRULE; 1016 break; 1017 1018 default: 1019 warnx("%s %d", gettext("bad command:"), ipsec_cmd); 1020 spd_msg->spd_msg_type = SPD_ADDRULE; 1021 break; 1022 } 1023 1024 /* 1025 * SELECTOR 1026 */ 1027 1028 spd_msg->spd_msg_spdid = SPD_STANDBY; 1029 1030 /* rule */ 1031 spd_rule = (struct spd_rule *)next; 1032 1033 spd_rule->spd_rule_len = SPD_8TO64(sizeof (struct spd_rule)); 1034 spd_rule->spd_rule_type = SPD_EXT_RULE; 1035 spd_rule->spd_rule_flags = conf->ips_dir; 1036 if (conf->ips_tunnel) 1037 spd_rule->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL; 1038 1039 next = (uint64_t *)&(spd_rule[1]); 1040 1041 /* proto */ 1042 if (conf->ips_ulp_prot != 0) { 1043 spd_proto = (struct spd_proto *)next; 1044 spd_proto->spd_proto_len = 1045 SPD_8TO64(sizeof (struct spd_proto)); 1046 spd_proto->spd_proto_exttype = SPD_EXT_PROTO; 1047 spd_proto->spd_proto_number = conf->ips_ulp_prot; 1048 next = (uint64_t *)&(spd_proto[1]); 1049 } 1050 1051 /* tunnel */ 1052 if (conf->has_tunnel != 0) { 1053 spd_if = (spd_if_t *)next; 1054 spd_if->spd_if_len = 1055 SPD_8TO64(P2ROUNDUP(strlen(tunif) + 1, 8) + 1056 sizeof (spd_if_t)); 1057 spd_if->spd_if_exttype = SPD_EXT_TUN_NAME; 1058 (void) strlcpy((char *)spd_if->spd_if_name, tunif, 1059 TUNNAMEMAXLEN); 1060 next = (uint64_t *)(spd_if) + spd_if->spd_if_len; 1061 } 1062 1063 /* icmp type/code */ 1064 if (conf->ips_ulp_prot == IPPROTO_ICMP || 1065 conf->ips_ulp_prot == IPPROTO_ICMPV6) { 1066 if (conf->has_type) { 1067 spd_typecode = (struct spd_typecode *)next; 1068 spd_typecode->spd_typecode_len = 1069 SPD_8TO64(sizeof (struct spd_typecode)); 1070 spd_typecode->spd_typecode_exttype = 1071 SPD_EXT_ICMP_TYPECODE; 1072 spd_typecode->spd_typecode_type = 1073 conf->ips_icmp_type; 1074 spd_typecode->spd_typecode_type_end = 1075 conf->ips_icmp_type_end; 1076 if (conf->has_code) { 1077 spd_typecode->spd_typecode_code = 1078 conf->ips_icmp_code; 1079 spd_typecode->spd_typecode_code_end = 1080 conf->ips_icmp_code_end; 1081 } else { 1082 spd_typecode->spd_typecode_code = 255; 1083 spd_typecode->spd_typecode_code_end 1084 = 255; 1085 } 1086 next = (uint64_t *)&(spd_typecode[1]); 1087 } 1088 } 1089 1090 /* src port */ 1091 if (conf->ips_src_port_min != 0 || 1092 conf->ips_src_port_max != 0) { 1093 spd_portrange = (struct spd_portrange *)next; 1094 spd_portrange->spd_ports_len = 1095 SPD_8TO64(sizeof (struct spd_portrange)); 1096 spd_portrange->spd_ports_exttype = 1097 (conf->swap)?SPD_EXT_REMPORT:SPD_EXT_LCLPORT; 1098 spd_portrange->spd_ports_minport = 1099 conf->ips_src_port_min; 1100 spd_portrange->spd_ports_maxport = 1101 conf->ips_src_port_max; 1102 next = (uint64_t *)&(spd_portrange[1]); 1103 } 1104 /* dst port */ 1105 if (conf->ips_dst_port_min != 0 || 1106 conf->ips_dst_port_max != 0) { 1107 spd_portrange = (struct spd_portrange *)next; 1108 spd_portrange->spd_ports_len = 1109 SPD_8TO64(sizeof (struct spd_portrange)); 1110 spd_portrange->spd_ports_exttype = 1111 (conf->swap)?SPD_EXT_LCLPORT:SPD_EXT_REMPORT; 1112 spd_portrange->spd_ports_minport = 1113 conf->ips_dst_port_min; 1114 spd_portrange->spd_ports_maxport = 1115 conf->ips_dst_port_max; 1116 next = (uint64_t *)&(spd_portrange[1]); 1117 } 1118 1119 /* saddr */ 1120 if (conf->has_saddr) { 1121 spd_address = (spd_address_t *)next; 1122 next = (uint64_t *)(spd_address + 1); 1123 1124 spd_address->spd_address_exttype = 1125 (conf->swap)?SPD_EXT_REMADDR:SPD_EXT_LCLADDR; 1126 spd_address->spd_address_prefixlen = 1127 conf->ips_src_mask_len; 1128 1129 if (conf->ips_isv4) { 1130 spd_address->spd_address_af = AF_INET; 1131 (void) memcpy(next, &(conf->ips_src_addr), 1132 sizeof (ipaddr_t)); 1133 spd_address->spd_address_len = 2; 1134 next += SPD_8TO64(sizeof (ipaddr_t) + 4); 1135 if (!conf->has_smask) 1136 spd_address->spd_address_prefixlen = 32; 1137 } else { 1138 spd_address->spd_address_af = AF_INET6; 1139 (void) memcpy(next, &(conf->ips_src_addr_v6), 1140 sizeof (in6_addr_t)); 1141 spd_address->spd_address_len = 3; 1142 next += SPD_8TO64(sizeof (in6_addr_t)); 1143 if (!conf->has_smask) 1144 spd_address->spd_address_prefixlen 1145 = 128; 1146 } 1147 } 1148 1149 /* daddr */ 1150 if (conf->has_daddr) { 1151 spd_address = (spd_address_t *)next; 1152 1153 next = (uint64_t *)(spd_address + 1); 1154 1155 spd_address->spd_address_exttype = 1156 (conf->swap)?SPD_EXT_LCLADDR:SPD_EXT_REMADDR; 1157 spd_address->spd_address_prefixlen = 1158 conf->ips_dst_mask_len; 1159 1160 if (conf->ips_isv4) { 1161 spd_address->spd_address_af = AF_INET; 1162 (void) memcpy(next, &conf->ips_dst_addr, 1163 sizeof (ipaddr_t)); 1164 spd_address->spd_address_len = 2; 1165 /* "+ 4" below is for padding. */ 1166 next += SPD_8TO64(sizeof (ipaddr_t) + 4); 1167 if (!conf->has_dmask) 1168 spd_address->spd_address_prefixlen = 32; 1169 } else { 1170 spd_address->spd_address_af = AF_INET6; 1171 (void) memcpy(next, &(conf->ips_dst_addr_v6), 1172 sizeof (in6_addr_t)); 1173 spd_address->spd_address_len = 3; 1174 next += SPD_8TO64(sizeof (in6_addr_t)); 1175 if (!conf->has_dmask) 1176 spd_address->spd_address_prefixlen 1177 = 128; 1178 } 1179 } 1180 1181 /* actions */ 1182 spd_ext_actions = (struct spd_ext_actions *)next; 1183 1184 spd_ext_actions->spd_actions_exttype = SPD_EXT_ACTION; 1185 1186 act_ptr = conf->ips_acts; 1187 ap = (struct spd_attribute *)(&spd_ext_actions[1]); 1188 1189 rule_priority = priority--; 1190 1191 for (act_ptr = conf->ips_acts; act_ptr != NULL; 1192 act_ptr = act_ptr->iap_next) { 1193 ap = ips_act_wild_props_to_action(ap, &rule_priority, 1194 &act_cnt, act_ptr); 1195 } 1196 ap[-1].spd_attr_tag = SPD_ATTR_END; 1197 1198 next = (uint64_t *)ap; 1199 1200 spd_rule->spd_rule_priority = rule_priority; 1201 1202 msg[i].iov_len = (uintptr_t)next - (uintptr_t)msg[i].iov_base; 1203 *msg_len = (uint16_t)SPD_8TO64(msg[i].iov_len); 1204 spd_ext_actions->spd_actions_count = act_cnt; 1205 spd_ext_actions->spd_actions_len = 1206 SPD_8TO64((uintptr_t)next - (uintptr_t)spd_ext_actions); 1207 #ifdef DEBUG_HEAVY 1208 printf("pfpol msg len in uint64_t's = %d\n", *msg_len); 1209 printf("pfpol test_len in bytes = %d\n", msg[i].iov_len); 1210 pfpol_msg_dump((spd_msg_t *)scratch, 1211 "ips_conf_to_pfpol_msg"); 1212 #endif 1213 } 1214 1215 #undef ATTR 1216 return (0); 1217 } 1218 1219 static int 1220 get_pf_pol_socket(void) 1221 { 1222 int s = socket(PF_POLICY, SOCK_RAW, PF_POLICY_V1); 1223 if (s < 0) { 1224 if (errno == EPERM) { 1225 EXIT_BADPERM("Insufficient privileges to open " 1226 "PF_POLICY socket."); 1227 } else { 1228 warn(gettext("(loading pf_policy) socket:")); 1229 } 1230 } 1231 1232 return (s); 1233 } 1234 1235 1236 static int 1237 send_pf_pol_message(int ipsec_cmd, ips_conf_t *conf, int *diag) 1238 { 1239 int retval; 1240 int cnt; 1241 int total_len; 1242 struct iovec polmsg; 1243 spd_msg_t *return_buf; 1244 spd_ext_t *exts[SPD_EXT_MAX+1]; 1245 int fd = get_pf_pol_socket(); 1246 1247 *diag = 0; 1248 1249 if (fd < 0) 1250 return (EBADF); 1251 1252 retval = ips_conf_to_pfpol_msg(ipsec_cmd, conf, 1, &polmsg); 1253 1254 if (retval) { 1255 (void) close(fd); 1256 return (ENOMEM); 1257 } 1258 1259 total_len = polmsg.iov_len; 1260 1261 cnt = writev(fd, &polmsg, 1); 1262 1263 #ifdef DEBUG_HEAVY 1264 (void) printf("cnt = %d\n", cnt); 1265 #endif 1266 if (cnt < 0) { 1267 warn(gettext("pf_pol write")); 1268 } else { 1269 return_buf = (spd_msg_t *)calloc(total_len, 1); 1270 1271 if (return_buf == NULL) { 1272 warn(gettext("memory")); 1273 } else { 1274 cnt = read(fd, (void*)return_buf, total_len); 1275 #ifdef DEBUG_HEAVY 1276 (void) printf("pf_pol read: cnt = %d(%d)\n", cnt, 1277 total_len); 1278 #endif 1279 1280 if (cnt > 8 && return_buf->spd_msg_errno) { 1281 *diag = return_buf->spd_msg_diagnostic; 1282 if (!ipsecconf_qflag) { 1283 warnx("%s: %s", 1284 gettext("Kernel returned"), 1285 sys_error_message( 1286 return_buf->spd_msg_errno)); 1287 } 1288 if (*diag != 0) 1289 (void) printf(gettext( 1290 "\t(spdsock diagnostic: %s)\n"), 1291 spdsock_diag(*diag)); 1292 #ifdef DEBUG_HEAVY 1293 pfpol_msg_dump((spd_msg_t *)polmsg.iov_base, 1294 "message in"); 1295 pfpol_msg_dump(return_buf, 1296 "send_pf_pol_message"); 1297 #endif 1298 retval = return_buf->spd_msg_errno; 1299 free(return_buf); 1300 free(polmsg.iov_base); 1301 (void) close(fd); 1302 return (retval); 1303 } 1304 1305 retval = spdsock_get_ext(exts, return_buf, 1306 return_buf->spd_msg_len, NULL, 0); 1307 /* ignore retval */ 1308 1309 if (exts[SPD_EXT_RULE]) { 1310 conf->ips_policy_index = 1311 ((struct spd_rule *) 1312 exts[SPD_EXT_RULE])->spd_rule_index; 1313 1314 if (add_index(conf->ips_policy_index)) { 1315 free(return_buf); 1316 free(polmsg.iov_base); 1317 (void) close(fd); 1318 return (ENOMEM); 1319 } 1320 } 1321 1322 free(return_buf); 1323 } 1324 } 1325 1326 free(polmsg.iov_base); 1327 (void) close(fd); 1328 1329 return (0); 1330 1331 } 1332 1333 int 1334 main(int argc, char *argv[]) 1335 { 1336 int ret, flushret; 1337 int c; 1338 int index; 1339 boolean_t smf_managed; 1340 boolean_t just_check = B_FALSE; 1341 boolean_t replace_policy = B_FALSE; 1342 1343 char *smf_warning = gettext( 1344 "\n\tIPsec policy should be managed using smf(5). Modifying\n" 1345 "\tthe IPsec policy from the command line while the 'policy'\n" 1346 "\tservice is enabled could result in an inconsistent\n" 1347 "\tsecurity policy.\n\n"); 1348 1349 flushret = 0; 1350 cmd = 0; 1351 1352 (void) setlocale(LC_ALL, ""); 1353 #if !defined(TEXT_DOMAIN) 1354 #define TEXT_DOMAIN "SYS_TEST" 1355 #endif 1356 (void) textdomain(TEXT_DOMAIN); 1357 1358 openlog("ipsecconf", LOG_CONS, LOG_AUTH); 1359 1360 /* 1361 * We don't immediately check for privilege here. This is done by IP 1362 * when we open /dev/ip below. 1363 */ 1364 1365 if (argc == 1) { 1366 cmd = IPSEC_CONF_VIEW; 1367 goto done; 1368 } 1369 my_fmri = getenv("SMF_FMRI"); 1370 if (my_fmri == NULL) 1371 smf_managed = B_FALSE; 1372 else 1373 smf_managed = B_TRUE; 1374 1375 while ((c = getopt(argc, argv, "nlfLFa:qd:r:i:c:")) != EOF) { 1376 switch (c) { 1377 case 'F': 1378 if (interface_name != NULL) { 1379 USAGE(); 1380 EXIT_FATAL("interface name not required."); 1381 } 1382 /* Apply to all policy heads - global and tunnels. */ 1383 interface_name = &all_polheads; 1384 /* FALLTHRU */ 1385 case 'f': 1386 /* 1387 * The policy flush command can be specified with -a 1388 * to perform an atomic policy replace. It can't be 1389 * specified with any other flags. 1390 */ 1391 if (cmd == IPSEC_CONF_ADD) { 1392 cmd = IPSEC_CONF_REPLACE; 1393 break; 1394 } 1395 if (cmd != 0) { 1396 USAGE(); 1397 EXIT_FATAL("Multiple commands specified"); 1398 } 1399 cmd = IPSEC_CONF_FLUSH; 1400 break; 1401 case 'L': 1402 if (interface_name != NULL) { 1403 USAGE(); 1404 EXIT_FATAL("interface name not required."); 1405 } 1406 /* Apply to all policy heads - global and tunnels. */ 1407 interface_name = &all_polheads; 1408 /* FALLTHRU */ 1409 case 'l': 1410 /* Only one command at a time */ 1411 if (cmd != 0) { 1412 USAGE(); 1413 EXIT_FATAL("Multiple commands specified"); 1414 } 1415 cmd = IPSEC_CONF_LIST; 1416 break; 1417 case 'c': 1418 just_check = B_TRUE; 1419 ipsecconf_qflag++; 1420 /* FALLTHRU */ 1421 case 'a': 1422 if (cmd == IPSEC_CONF_FLUSH) { 1423 cmd = IPSEC_CONF_REPLACE; 1424 filename = optarg; 1425 break; 1426 } 1427 /* Only one command at a time, and no interface name */ 1428 if (cmd != 0 || interface_name != NULL) { 1429 USAGE(); 1430 EXIT_FATAL("Multiple commands or interface " 1431 "not required."); 1432 } 1433 cmd = IPSEC_CONF_ADD; 1434 filename = optarg; 1435 break; 1436 case 'd': 1437 /* 1438 * Only one command at a time. Interface name is 1439 * optional. 1440 */ 1441 if (cmd != 0) { 1442 USAGE(); 1443 EXIT_FATAL("Multiple commands specified"); 1444 } 1445 cmd = IPSEC_CONF_DEL; 1446 index = parse_index(optarg, NULL); 1447 break; 1448 case 'n' : 1449 ipsecconf_nflag++; 1450 break; 1451 case 'q' : 1452 ipsecconf_qflag++; 1453 break; 1454 case 'r' : 1455 /* Only one command at a time, and no interface name */ 1456 if (cmd != 0 || interface_name != NULL) { 1457 USAGE(); 1458 EXIT_FATAL("Multiple commands or interface " 1459 "not required."); 1460 } 1461 cmd = IPSEC_CONF_SUB; 1462 filename = optarg; 1463 break; 1464 case 'i': 1465 if (interface_name != NULL) { 1466 EXIT_FATAL("Interface name already selected"); 1467 } 1468 interface_name = optarg; 1469 /* Check for some cretin using the all-polheads name. */ 1470 if (strlen(optarg) == 0) { 1471 USAGE(); 1472 EXIT_FATAL("Invalid interface name."); 1473 } 1474 break; 1475 default : 1476 USAGE(); 1477 EXIT_FATAL("Bad usage."); 1478 } 1479 } 1480 1481 done: 1482 ret = 0; 1483 lfd = lock(); 1484 1485 /* 1486 * ADD, FLUSH, DELETE needs to do two operations. 1487 * 1488 * 1) Update/delete/empty the POLICY_CONF_FILE. 1489 * 2) Make an ioctl and tell IP to update its state. 1490 * 1491 * We already lock()ed so that only one instance of this 1492 * program runs. We also need to make sure that the above 1493 * operations are atomic i.e we don't want to update the file 1494 * and get interrupted before we could tell IP. To make it 1495 * atomic we block all the signals and restore them. 1496 */ 1497 switch (cmd) { 1498 case IPSEC_CONF_LIST: 1499 fetch_algorithms(); 1500 ret = ipsec_conf_list(); 1501 break; 1502 case IPSEC_CONF_FLUSH: 1503 if ((ret = block_all_signals()) == -1) { 1504 break; 1505 } 1506 if (!smf_managed && !ipsecconf_qflag) 1507 (void) fprintf(stdout, "%s", smf_warning); 1508 ret = ipsec_conf_flush(SPD_ACTIVE); 1509 (void) restore_all_signals(); 1510 break; 1511 case IPSEC_CONF_VIEW: 1512 if (interface_name != NULL) { 1513 EXIT_FATAL("Cannot view for one interface only."); 1514 } 1515 ret = ipsec_conf_view(); 1516 break; 1517 case IPSEC_CONF_DEL: 1518 if (index == -1) { 1519 warnx(gettext("Invalid index")); 1520 ret = -1; 1521 break; 1522 } 1523 if ((ret = block_all_signals()) == -1) { 1524 break; 1525 } 1526 if (!smf_managed && !ipsecconf_qflag) 1527 (void) fprintf(stdout, "%s", smf_warning); 1528 ret = ipsec_conf_del(index, B_FALSE); 1529 (void) restore_all_signals(); 1530 flushret = ipsec_conf_flush(SPD_STANDBY); 1531 break; 1532 case IPSEC_CONF_REPLACE: 1533 replace_policy = B_TRUE; 1534 /* FALLTHRU */ 1535 case IPSEC_CONF_ADD: 1536 /* 1537 * The IPsec kernel modules should only be loaded 1538 * if there is a policy to install, for this 1539 * reason ipsec_conf_add() calls fetch_algorithms() 1540 * and ipsec_conf_flush() only when appropriate. 1541 */ 1542 if ((ret = block_all_signals()) == -1) { 1543 break; 1544 } 1545 if (!smf_managed && !ipsecconf_qflag) 1546 (void) fprintf(stdout, "%s", smf_warning); 1547 ret = ipsec_conf_add(just_check, smf_managed, replace_policy); 1548 (void) restore_all_signals(); 1549 break; 1550 case IPSEC_CONF_SUB: 1551 fetch_algorithms(); 1552 if ((ret = block_all_signals()) == -1) { 1553 break; 1554 } 1555 if (!smf_managed && !ipsecconf_qflag) 1556 (void) fprintf(stdout, "%s", smf_warning); 1557 ret = ipsec_conf_sub(); 1558 (void) restore_all_signals(); 1559 flushret = ipsec_conf_flush(SPD_STANDBY); 1560 break; 1561 default : 1562 /* If no argument is given but a "-" */ 1563 USAGE(); 1564 EXIT_FATAL("Bad usage."); 1565 } 1566 1567 (void) unlock(lfd); 1568 if (ret != 0 || flushret != 0) 1569 ret = 1; 1570 return (ret); 1571 } 1572 1573 static void 1574 perm_check(void) 1575 { 1576 if (errno == EACCES) 1577 EXIT_BADPERM("Insufficient privilege to run ipsecconf."); 1578 else 1579 warn(gettext("Cannot open lock file %s"), LOCK_FILE); 1580 1581 EXIT_BADPERM(NULL); 1582 } 1583 1584 static int 1585 lock() 1586 { 1587 int fd; 1588 struct stat sbuf1; 1589 struct stat sbuf2; 1590 1591 /* 1592 * Open the file with O_CREAT|O_EXCL. If it exists already, it 1593 * will fail. If it already exists, check whether it looks like 1594 * the one we created. 1595 */ 1596 (void) umask(0077); 1597 if ((fd = open(LOCK_FILE, O_EXCL|O_CREAT|O_RDWR, S_IRUSR|S_IWUSR)) 1598 == -1) { 1599 if (errno != EEXIST) { 1600 /* Some other problem. Will exit. */ 1601 perm_check(); 1602 } 1603 1604 /* 1605 * open() returned an EEXIST error. We don't fail yet 1606 * as it could be a residual from a previous 1607 * execution. 1608 * File exists. make sure it is OK. We need to lstat() 1609 * as fstat() stats the file pointed to by the symbolic 1610 * link. 1611 */ 1612 if (lstat(LOCK_FILE, &sbuf1) == -1) { 1613 EXIT_FATAL2("Cannot lstat lock file %s", LOCK_FILE); 1614 } 1615 /* 1616 * Check whether it is a regular file and not a symbolic 1617 * link. Its link count should be 1. The owner should be 1618 * root and the file should be empty. 1619 */ 1620 if (!S_ISREG(sbuf1.st_mode) || 1621 sbuf1.st_nlink != 1 || 1622 sbuf1.st_uid != 0 || 1623 sbuf1.st_size != 0) { 1624 EXIT_FATAL2("Bad lock file %s", LOCK_FILE); 1625 } 1626 if ((fd = open(LOCK_FILE, O_CREAT|O_RDWR, 1627 S_IRUSR|S_IWUSR)) == -1) { 1628 /* Will exit */ 1629 perm_check(); 1630 } 1631 /* 1632 * Check whether we opened the file that we lstat()ed. 1633 */ 1634 if (fstat(fd, &sbuf2) == -1) { 1635 EXIT_FATAL2("Cannot lstat lock file %s", LOCK_FILE); 1636 } 1637 if (sbuf1.st_dev != sbuf2.st_dev || 1638 sbuf1.st_ino != sbuf2.st_ino) { 1639 /* File changed after we did the lstat() above */ 1640 EXIT_FATAL2("Bad lock file %s", LOCK_FILE); 1641 } 1642 } 1643 if (lockf(fd, F_LOCK, 0) == -1) { 1644 EXIT_FATAL2("Cannot lockf %s", LOCK_FILE); 1645 } 1646 return (fd); 1647 } 1648 1649 static int 1650 unlock(int fd) 1651 { 1652 if (lockf(fd, F_ULOCK, 0) == -1) { 1653 warn("lockf"); 1654 return (-1); 1655 } 1656 return (0); 1657 } 1658 1659 /* send in TOK_* */ 1660 static void 1661 print_pattern_string(int type) 1662 { 1663 int j; 1664 1665 for (j = 0; pattern_table[j].string != NULL; j++) { 1666 if (type == pattern_table[j].tok_val) { 1667 (void) printf("%s ", pattern_table[j].string); 1668 return; 1669 } 1670 } 1671 } 1672 1673 static void 1674 print_icmp_typecode(uint8_t type, uint8_t type_end, uint8_t code, 1675 uint8_t code_end) 1676 { 1677 (void) printf("type %d", type); 1678 if (type_end != type) 1679 (void) printf("-%d ", type_end); 1680 else 1681 (void) printf(" "); 1682 if (code != 255) { 1683 (void) printf("code %d", code); 1684 if (code_end != code) 1685 (void) printf("-%d ", code_end); 1686 else 1687 (void) printf(" "); 1688 } 1689 } 1690 1691 1692 static void 1693 print_spd_flags(uint32_t flags) 1694 { 1695 flags &= (SPD_RULE_FLAG_INBOUND|SPD_RULE_FLAG_OUTBOUND); 1696 1697 if (flags == SPD_RULE_FLAG_OUTBOUND) 1698 (void) printf("dir out "); 1699 else if (flags == SPD_RULE_FLAG_INBOUND) 1700 (void) printf("dir in "); 1701 else if (flags == (SPD_RULE_FLAG_INBOUND|SPD_RULE_FLAG_OUTBOUND)) 1702 (void) printf("dir both "); 1703 } 1704 1705 static void 1706 print_bit_range(int min, int max) 1707 { 1708 if (min != 0 || (max != 0 && max != SPD_MAX_MAXBITS)) { 1709 (void) printf("("); 1710 if (min != 0) 1711 (void) printf("%d", min); 1712 if (min != 0 && max != 0 && min != max) { 1713 (void) printf(".."); 1714 if (max != 0 && max != SPD_MAX_MAXBITS) 1715 (void) printf("%d", max); 1716 } 1717 (void) printf(")"); 1718 } 1719 } 1720 1721 static void 1722 print_alg(const char *tag, algreq_t *algreq, int proto_num) 1723 { 1724 int min = algreq->alg_minbits; 1725 int max = algreq->alg_maxbits; 1726 struct ipsecalgent *alg; 1727 1728 /* 1729 * This function won't be called with alg_id == 0, so we don't 1730 * have to worry about ANY vs. NONE here. 1731 */ 1732 1733 (void) printf("%s ", tag); 1734 1735 alg = getipsecalgbynum(algreq->alg_id, proto_num, NULL); 1736 if (alg == NULL) { 1737 (void) printf("%d", algreq->alg_id); 1738 } else { 1739 (void) printf("%s", alg->a_names[0]); 1740 freeipsecalgent(alg); 1741 } 1742 1743 print_bit_range(min, max); 1744 (void) printf(" "); 1745 } 1746 1747 static void 1748 print_ulp(uint8_t proto) 1749 { 1750 struct protoent *pe; 1751 1752 if (proto == 0) 1753 return; 1754 1755 print_pattern_string(TOK_ulp); 1756 pe = NULL; 1757 if (!ipsecconf_nflag) { 1758 pe = getprotobynumber(proto); 1759 } 1760 if (pe != NULL) 1761 (void) printf("%s ", pe->p_name); 1762 else 1763 (void) printf("%d ", proto); 1764 } 1765 1766 /* needs to do ranges */ 1767 static void 1768 print_port(uint16_t in_port, int type) 1769 { 1770 in_port_t port = ntohs(in_port); 1771 struct servent *sp; 1772 1773 if (port == 0) 1774 return; 1775 1776 print_pattern_string(type); 1777 sp = NULL; 1778 if (!ipsecconf_nflag) 1779 sp = getservbyport(port, NULL); 1780 1781 if (sp != NULL) 1782 (void) printf("%s ", sp->s_name); 1783 else 1784 (void) printf("%d ", port); 1785 } 1786 1787 /* 1788 * Print the address, given as "raw" input via the void pointer. 1789 */ 1790 static void 1791 print_raw_address(void *input, boolean_t isv4) 1792 { 1793 char *cp; 1794 struct hostent *hp; 1795 char domain[MAXHOSTNAMELEN + 1]; 1796 struct in_addr addr; 1797 struct in6_addr addr6; 1798 char abuf[INET6_ADDRSTRLEN]; 1799 int error_num; 1800 struct in6_addr in_addr; 1801 uchar_t *addr_ptr; 1802 sa_family_t af; 1803 int addr_len; 1804 1805 if (isv4) { 1806 af = AF_INET; 1807 (void) memcpy(&V4_PART_OF_V6(in_addr), input, 4); 1808 /* we don't print unspecified addresses */ 1809 IN6_V4MAPPED_TO_INADDR(&in_addr, &addr); 1810 if (addr.s_addr == INADDR_ANY) 1811 return; 1812 addr_ptr = (uchar_t *)&addr.s_addr; 1813 addr_len = IPV4_ADDR_LEN; 1814 } else { 1815 (void) memcpy(&addr6, input, 16); 1816 af = AF_INET6; 1817 /* we don't print unspecified addresses */ 1818 if (IN6_IS_ADDR_UNSPECIFIED(&addr6)) 1819 return; 1820 addr_ptr = (uchar_t *)&addr6.s6_addr; 1821 addr_len = sizeof (struct in6_addr); 1822 } 1823 1824 cp = NULL; 1825 if (!ipsecconf_nflag) { 1826 if (sysinfo(SI_HOSTNAME, domain, MAXHOSTNAMELEN) != -1 && 1827 (cp = strchr(domain, '.')) != NULL) { 1828 (void) strlcpy(domain, cp + 1, sizeof (domain)); 1829 } else { 1830 domain[0] = 0; 1831 } 1832 cp = NULL; 1833 hp = getipnodebyaddr(addr_ptr, addr_len, af, &error_num); 1834 if (hp) { 1835 if ((cp = strchr(hp->h_name, '.')) != 0 && 1836 strcasecmp(cp + 1, domain) == 0) 1837 *cp = 0; 1838 cp = hp->h_name; 1839 } 1840 } 1841 1842 if (cp) { 1843 (void) printf("%s", cp); 1844 } else { 1845 (void) printf("%s", inet_ntop(af, addr_ptr, abuf, 1846 INET6_ADDRSTRLEN)); 1847 } 1848 } 1849 1850 /* 1851 * Get the next SPD_DUMP message from the PF_POLICY socket. A single 1852 * read may contain multiple messages. This function uses static buffers, 1853 * and is therefore non-reentrant, so if you lift it for an MT application, 1854 * be careful. 1855 * 1856 * Return NULL if there's an error. 1857 */ 1858 static spd_msg_t * 1859 ipsec_read_dump(int pfd) 1860 { 1861 static uint64_t buf[SADB_8TO64(CBUF_LEN)]; 1862 static uint64_t *offset; 1863 static int len; /* In uint64_t units. */ 1864 spd_msg_t *retval; 1865 1866 /* Assume offset and len are initialized to NULL and 0. */ 1867 1868 if ((offset - len == buf) || (offset == NULL)) { 1869 /* read a new block from the socket. */ 1870 len = read(pfd, &buf, sizeof (buf)); 1871 if (len == -1) { 1872 warn(gettext("rule dump: bad read")); 1873 return (NULL); 1874 } 1875 offset = buf; 1876 len = SADB_8TO64(len); 1877 } /* Else I still have more messages from a previous read. */ 1878 1879 retval = (spd_msg_t *)offset; 1880 offset += retval->spd_msg_len; 1881 if (offset > buf + len) { 1882 warnx(gettext("dump read: message corruption," 1883 " %d len exceeds %d boundary."), 1884 SADB_64TO8((uintptr_t)(offset - buf)), 1885 SADB_64TO8((uintptr_t)(len))); 1886 return (NULL); 1887 } 1888 1889 return (retval); 1890 } 1891 1892 /* 1893 * returns 0 on success 1894 * -1 on read error 1895 * >0 on invalid returned message 1896 */ 1897 1898 static int 1899 ipsec_conf_list(void) 1900 { 1901 int ret; 1902 int pfd; 1903 struct spd_msg *msg; 1904 int cnt; 1905 spd_msg_t *rmsg; 1906 spd_ext_t *exts[SPD_EXT_MAX+1]; 1907 /* 1908 * Add an extra 8 bytes of space (+1 uint64_t) to avoid truncation 1909 * issues. 1910 */ 1911 uint64_t buffer[ 1912 SPD_8TO64(sizeof (*msg) + sizeof (spd_if_t) + LIFNAMSIZ) + 1]; 1913 1914 pfd = get_pf_pol_socket(); 1915 1916 if (pfd == -1) { 1917 warnx(gettext("Error getting list of policies from kernel")); 1918 return (-1); 1919 } 1920 1921 (void) memset(buffer, 0, sizeof (buffer)); 1922 msg = (struct spd_msg *)buffer; 1923 msg->spd_msg_version = PF_POLICY_V1; 1924 msg->spd_msg_type = SPD_DUMP; 1925 msg->spd_msg_len = SPD_8TO64(sizeof (*msg)); 1926 1927 msg->spd_msg_len += attach_tunname((spd_if_t *)(msg + 1)); 1928 1929 cnt = write(pfd, msg, SPD_64TO8(msg->spd_msg_len)); 1930 1931 if (cnt < 0) { 1932 warn(gettext("dump: invalid write() return")); 1933 (void) close(pfd); 1934 return (-1); 1935 } 1936 1937 rmsg = ipsec_read_dump(pfd); 1938 1939 if (rmsg == NULL || rmsg->spd_msg_errno != 0) { 1940 warnx("%s: %s", gettext("ruleset dump failed"), 1941 (rmsg == NULL ? 1942 gettext("read error") : 1943 sys_error_message(rmsg->spd_msg_errno))); 1944 (void) close(pfd); 1945 return (-1); 1946 } 1947 1948 1949 for (;;) { 1950 /* read rule */ 1951 rmsg = ipsec_read_dump(pfd); 1952 1953 if (rmsg == NULL) { 1954 (void) close(pfd); 1955 return (-1); 1956 } 1957 1958 if (rmsg->spd_msg_errno != 0) { 1959 warnx("%s: %s", gettext("dump read: bad message"), 1960 sys_error_message(rmsg->spd_msg_errno)); 1961 (void) close(pfd); 1962 return (-1); 1963 } 1964 1965 ret = spdsock_get_ext(exts, rmsg, rmsg->spd_msg_len, 1966 spdsock_diag_buf, SPDSOCK_DIAG_BUF_LEN); 1967 if (ret != 0) { 1968 if (strlen(spdsock_diag_buf) != 0) 1969 warnx(spdsock_diag_buf); 1970 warnx("%s: %s", gettext("dump read: bad message"), 1971 sys_error_message(rmsg->spd_msg_errno)); 1972 (void) close(pfd); 1973 return (ret); 1974 } 1975 1976 /* 1977 * End of dump.. 1978 */ 1979 if (exts[SPD_EXT_RULESET] != NULL) 1980 break; /* and return 0. */ 1981 1982 print_pfpol_msg(rmsg); 1983 } 1984 1985 (void) close(pfd); 1986 return (0); 1987 } 1988 1989 static void 1990 print_iap(ips_act_props_t *iap) 1991 { 1992 1993 /* action */ 1994 switch (iap->iap_action) { 1995 case SPD_ACTTYPE_PASS: 1996 (void) printf("pass "); 1997 break; 1998 case SPD_ACTTYPE_DROP: 1999 (void) printf("drop "); 2000 break; 2001 case SPD_ACTTYPE_IPSEC: 2002 (void) printf("ipsec "); 2003 break; 2004 } 2005 2006 /* properties */ 2007 (void) printf("%c ", CURL_BEGIN); 2008 if (iap->iap_action == SPD_ACTTYPE_IPSEC) { 2009 if (iap->iap_attr & SPD_APPLY_AH && 2010 iap->iap_aauth.alg_id != 0) 2011 print_alg("auth_algs", &iap->iap_aauth, 2012 IPSEC_PROTO_AH); 2013 2014 if (iap->iap_attr & SPD_APPLY_ESP) { 2015 print_alg("encr_algs", &iap->iap_eencr, 2016 IPSEC_PROTO_ESP); 2017 if (iap->iap_eauth.alg_id != 0) 2018 print_alg("encr_auth_algs", &iap->iap_eauth, 2019 IPSEC_PROTO_AH); 2020 } 2021 if (iap->iap_attr & SPD_APPLY_UNIQUE) 2022 (void) printf("sa unique "); 2023 else 2024 (void) printf("sa shared "); 2025 } 2026 (void) printf("%c ", CURL_END); 2027 } 2028 2029 2030 static void 2031 print_pfpol_msg(spd_msg_t *msg) 2032 { 2033 spd_ext_t *exts[SPD_EXT_MAX+1]; 2034 spd_address_t *spd_address; 2035 struct spd_rule *spd_rule; 2036 struct spd_proto *spd_proto; 2037 struct spd_portrange *spd_portrange; 2038 struct spd_ext_actions *spd_ext_actions; 2039 struct spd_typecode *spd_typecode; 2040 struct spd_attribute *app; 2041 spd_if_t *spd_if; 2042 uint32_t rv; 2043 uint16_t act_count; 2044 2045 rv = spdsock_get_ext(exts, msg, msg->spd_msg_len, spdsock_diag_buf, 2046 SPDSOCK_DIAG_BUF_LEN); 2047 2048 if (rv == KGE_OK && exts[SPD_EXT_RULE] != NULL) { 2049 spd_if = (spd_if_t *)exts[SPD_EXT_TUN_NAME]; 2050 spd_rule = (struct spd_rule *)exts[SPD_EXT_RULE]; 2051 if (spd_if == NULL) { 2052 (void) printf("%s %lld\n", INDEX_TAG, 2053 spd_rule->spd_rule_index); 2054 } else { 2055 (void) printf("%s %s,%lld\n", INDEX_TAG, 2056 (char *)spd_if->spd_if_name, 2057 spd_rule->spd_rule_index); 2058 } 2059 } else { 2060 if (strlen(spdsock_diag_buf) != 0) 2061 warnx(spdsock_diag_buf); 2062 warnx(gettext("print_pfpol_msg: malformed PF_POLICY message.")); 2063 return; 2064 } 2065 2066 (void) printf("%c ", CURL_BEGIN); 2067 2068 if (spd_if != NULL) { 2069 (void) printf("tunnel %s negotiate %s ", 2070 (char *)spd_if->spd_if_name, 2071 (spd_rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL) ? 2072 "tunnel" : "transport"); 2073 } 2074 2075 if (exts[SPD_EXT_PROTO] != NULL) { 2076 spd_proto = (struct spd_proto *)exts[SPD_EXT_PROTO]; 2077 print_ulp(spd_proto->spd_proto_number); 2078 } 2079 2080 if (exts[SPD_EXT_LCLADDR] != NULL) { 2081 spd_address = (spd_address_t *)exts[SPD_EXT_LCLADDR]; 2082 2083 (void) printf("laddr "); 2084 print_raw_address((spd_address + 1), 2085 (spd_address->spd_address_len == 2)); 2086 (void) printf("/%d ", spd_address->spd_address_prefixlen); 2087 } 2088 2089 if (exts[SPD_EXT_LCLPORT] != NULL) { 2090 spd_portrange = (struct spd_portrange *)exts[SPD_EXT_LCLPORT]; 2091 if (spd_portrange->spd_ports_minport != 0) { 2092 print_port(spd_portrange->spd_ports_minport, 2093 TOK_lport); 2094 } 2095 } 2096 2097 2098 if (exts[SPD_EXT_REMADDR] != NULL) { 2099 spd_address = (spd_address_t *)exts[SPD_EXT_REMADDR]; 2100 2101 (void) printf("raddr "); 2102 print_raw_address((spd_address + 1), 2103 (spd_address->spd_address_len == 2)); 2104 (void) printf("/%d ", spd_address->spd_address_prefixlen); 2105 } 2106 2107 if (exts[SPD_EXT_REMPORT] != NULL) { 2108 spd_portrange = 2109 (struct spd_portrange *)exts[SPD_EXT_REMPORT]; 2110 if (spd_portrange->spd_ports_minport != 0) { 2111 print_port( 2112 spd_portrange->spd_ports_minport, TOK_rport); 2113 } 2114 } 2115 2116 if (exts[SPD_EXT_ICMP_TYPECODE] != NULL) { 2117 spd_typecode = 2118 (struct spd_typecode *)exts[SPD_EXT_ICMP_TYPECODE]; 2119 print_icmp_typecode(spd_typecode->spd_typecode_type, 2120 spd_typecode->spd_typecode_type_end, 2121 spd_typecode->spd_typecode_code, 2122 spd_typecode->spd_typecode_code_end); 2123 } 2124 2125 if (exts[SPD_EXT_RULE] != NULL) { 2126 spd_rule = (struct spd_rule *)exts[SPD_EXT_RULE]; 2127 print_spd_flags(spd_rule->spd_rule_flags); 2128 } 2129 2130 2131 (void) printf("%c ", CURL_END); 2132 2133 if (exts[SPD_EXT_ACTION] != NULL) { 2134 ips_act_props_t iap; 2135 int or_needed = 0; 2136 2137 (void) memset(&iap, 0, sizeof (iap)); 2138 spd_ext_actions = 2139 (struct spd_ext_actions *)exts[SPD_EXT_ACTION]; 2140 app = (struct spd_attribute *)(spd_ext_actions + 1); 2141 2142 for (act_count = 0; 2143 act_count < spd_ext_actions->spd_actions_len -1; 2144 act_count++) { 2145 2146 switch (app->spd_attr_tag) { 2147 2148 case SPD_ATTR_NOP: 2149 break; 2150 2151 case SPD_ATTR_END: 2152 /* print */ 2153 if (or_needed) { 2154 (void) printf("or "); 2155 } else { 2156 or_needed = 1; 2157 } 2158 print_iap(&iap); 2159 break; 2160 2161 case SPD_ATTR_EMPTY: 2162 /* clear */ 2163 (void) memset(&iap, 0, sizeof (iap)); 2164 break; 2165 2166 case SPD_ATTR_NEXT: 2167 /* print */ 2168 if (or_needed) { 2169 (void) printf("or "); 2170 } else { 2171 or_needed = 1; 2172 } 2173 2174 print_iap(&iap); 2175 break; 2176 2177 case SPD_ATTR_TYPE: 2178 iap.iap_action = app->spd_attr_value; 2179 break; 2180 2181 case SPD_ATTR_FLAGS: 2182 iap.iap_attr = app->spd_attr_value; 2183 break; 2184 2185 case SPD_ATTR_AH_AUTH: 2186 iap.iap_aauth.alg_id = app->spd_attr_value; 2187 break; 2188 2189 case SPD_ATTR_ESP_ENCR: 2190 iap.iap_eencr.alg_id = app->spd_attr_value; 2191 break; 2192 2193 case SPD_ATTR_ESP_AUTH: 2194 iap.iap_eauth.alg_id = app->spd_attr_value; 2195 break; 2196 2197 case SPD_ATTR_ENCR_MINBITS: 2198 iap.iap_eencr.alg_minbits = app->spd_attr_value; 2199 break; 2200 2201 case SPD_ATTR_ENCR_MAXBITS: 2202 iap.iap_eencr.alg_maxbits = app->spd_attr_value; 2203 break; 2204 2205 case SPD_ATTR_AH_MINBITS: 2206 iap.iap_aauth.alg_minbits = app->spd_attr_value; 2207 break; 2208 2209 case SPD_ATTR_AH_MAXBITS: 2210 iap.iap_aauth.alg_maxbits = app->spd_attr_value; 2211 break; 2212 2213 case SPD_ATTR_ESPA_MINBITS: 2214 iap.iap_eauth.alg_minbits = app->spd_attr_value; 2215 break; 2216 2217 case SPD_ATTR_ESPA_MAXBITS: 2218 iap.iap_eauth.alg_maxbits = app->spd_attr_value; 2219 break; 2220 2221 case SPD_ATTR_LIFE_SOFT_TIME: 2222 case SPD_ATTR_LIFE_HARD_TIME: 2223 case SPD_ATTR_LIFE_SOFT_BYTES: 2224 case SPD_ATTR_LIFE_HARD_BYTES: 2225 default: 2226 (void) printf("\tattr %d: %X-%d\n", 2227 act_count, 2228 app->spd_attr_tag, 2229 app->spd_attr_value); 2230 break; 2231 } 2232 app++; 2233 } 2234 } 2235 2236 (void) printf("\n"); 2237 } 2238 2239 #ifdef DEBUG_HEAVY 2240 static void 2241 pfpol_msg_dump(spd_msg_t *msg, char *tag) 2242 { 2243 spd_ext_t *exts[SPD_EXT_MAX+1]; 2244 uint32_t i; 2245 spd_address_t *spd_address; 2246 struct spd_rule *spd_rule; 2247 struct spd_proto *spd_proto; 2248 struct spd_portrange *spd_portrange; 2249 struct spd_typecode *spd_typecode; 2250 struct spd_ext_actions *spd_ext_actions; 2251 struct spd_attribute *app; 2252 spd_if_t *spd_if; 2253 char abuf[INET6_ADDRSTRLEN]; 2254 uint32_t rv; 2255 uint16_t act_count; 2256 2257 rv = spdsock_get_ext(exts, msg, msg->spd_msg_len, NULL, 0); 2258 if (rv != KGE_OK) 2259 return; 2260 2261 (void) printf("===========%s==============\n", tag); 2262 (void) printf("pfpol_msg_dump %d\n-------------------\n", rv); 2263 2264 (void) printf("spd_msg_version:%d\n", msg->spd_msg_version); 2265 (void) printf("spd_msg_type:%d\n", msg->spd_msg_type); 2266 (void) printf("spd_msg_errno:%d\n", msg->spd_msg_errno); 2267 (void) printf("spd_msg_spdid:%d\n", msg->spd_msg_spdid); 2268 (void) printf("spd_msg_len:%d\n", msg->spd_msg_len); 2269 (void) printf("spd_msg_diagnostic:%d\n", msg->spd_msg_diagnostic); 2270 (void) printf("spd_msg_seq:%d\n", msg->spd_msg_seq); 2271 (void) printf("spd_msg_pid:%d\n", msg->spd_msg_pid); 2272 2273 for (i = 1; i <= SPD_EXT_MAX; i++) { 2274 if (exts[i] == NULL) { 2275 printf("skipped %d\n", i); 2276 continue; 2277 } 2278 2279 switch (i) { 2280 case SPD_EXT_TUN_NAME: 2281 spd_if = (spd_if_t *)exts[i]; 2282 (void) printf("spd_if = %s\n", spd_if->spd_if_name); 2283 break; 2284 2285 case SPD_EXT_ICMP_TYPECODE: 2286 spd_typecode = (struct spd_typecode *)exts[i]; 2287 (void) printf("icmp type %d-%d code %d-%d\n", 2288 spd_typecode->spd_typecode_type, 2289 spd_typecode->spd_typecode_type_end, 2290 spd_typecode->spd_typecode_code, 2291 spd_typecode->spd_typecode_code_end); 2292 break; 2293 2294 case SPD_EXT_LCLPORT: 2295 spd_portrange = (struct spd_portrange *)exts[i]; 2296 (void) printf("local ports %d-%d\n", 2297 spd_portrange->spd_ports_minport, 2298 spd_portrange->spd_ports_maxport); 2299 2300 break; 2301 2302 case SPD_EXT_REMPORT: 2303 spd_portrange = (struct spd_portrange *)exts[i]; 2304 (void) printf("remote ports %d-%d\n", 2305 spd_portrange->spd_ports_minport, 2306 spd_portrange->spd_ports_maxport); 2307 2308 break; 2309 2310 case SPD_EXT_PROTO: 2311 spd_proto = (struct spd_proto *)exts[i]; 2312 (void) printf("proto:spd_proto_exttype %d\n", 2313 spd_proto->spd_proto_exttype); 2314 (void) printf("proto:spd_proto_number %d\n", 2315 spd_proto->spd_proto_number); 2316 break; 2317 2318 case SPD_EXT_LCLADDR: 2319 case SPD_EXT_REMADDR: 2320 spd_address = (spd_address_t *)exts[i]; 2321 if (i == SPD_EXT_LCLADDR) 2322 (void) printf("local addr "); 2323 else 2324 (void) printf("remote addr "); 2325 2326 2327 (void) printf("%s\n", 2328 inet_ntop(spd_address->spd_address_af, 2329 (void *) (spd_address +1), abuf, 2330 INET6_ADDRSTRLEN)); 2331 2332 (void) printf("prefixlen: %d\n", 2333 spd_address->spd_address_prefixlen); 2334 break; 2335 2336 case SPD_EXT_ACTION: 2337 spd_ext_actions = (struct spd_ext_actions *)exts[i]; 2338 (void) printf("spd_ext_action\n"); 2339 (void) printf("spd_actions_count %d\n", 2340 spd_ext_actions->spd_actions_count); 2341 app = (struct spd_attribute *)(spd_ext_actions + 1); 2342 2343 for (act_count = 0; 2344 act_count < spd_ext_actions->spd_actions_len -1; 2345 act_count++) { 2346 (void) printf("\tattr %d: %X-%d\n", act_count, 2347 app->spd_attr_tag, app->spd_attr_value); 2348 app++; 2349 } 2350 2351 break; 2352 2353 case SPD_EXT_RULE: 2354 spd_rule = (struct spd_rule *)exts[i]; 2355 (void) printf("spd_rule_priority: 0x%x\n", 2356 spd_rule->spd_rule_priority); 2357 (void) printf("spd_rule_flags: %d\n", 2358 spd_rule->spd_rule_flags); 2359 break; 2360 2361 case SPD_EXT_RULESET: 2362 (void) printf("spd_ext_ruleset\n"); 2363 break; 2364 default: 2365 (void) printf("default\n"); 2366 break; 2367 } 2368 } 2369 2370 (void) printf("-------------------\n"); 2371 (void) printf("=========================\n"); 2372 } 2373 #endif /* DEBUG_HEAVY */ 2374 2375 static int 2376 ipsec_conf_view() 2377 { 2378 char buf[MAXLEN]; 2379 FILE *fp; 2380 2381 fp = fopen(POLICY_CONF_FILE, "r"); 2382 if (fp == NULL) { 2383 if (errno == ENOENT) { 2384 /* 2385 * The absence of POLICY_CONF_FILE should 2386 * not cause the command to exit with a 2387 * non-zero status, since this condition 2388 * is valid when no policies were previously 2389 * defined. 2390 */ 2391 return (0); 2392 } 2393 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE); 2394 return (-1); 2395 } 2396 while (fgets(buf, MAXLEN, fp) != NULL) { 2397 /* Don't print removed entries */ 2398 if (*buf == ';') 2399 continue; 2400 if (strlen(buf) != 0) 2401 buf[strlen(buf) - 1] = '\0'; 2402 (void) puts(buf); 2403 } 2404 return (0); 2405 } 2406 2407 /* 2408 * Delete nlines from start in the POLICY_CONF_FILE. 2409 */ 2410 static int 2411 delete_from_file(int start, int nlines) 2412 { 2413 FILE *fp; 2414 char ibuf[MAXLEN]; 2415 int len; 2416 2417 if ((fp = fopen(POLICY_CONF_FILE, "r+b")) == NULL) { 2418 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE); 2419 return (-1); 2420 } 2421 2422 /* 2423 * Insert a ";", read the line and discard it. Repeat 2424 * this logic nlines - 1 times. For the last line there 2425 * is just a newline character. We can't just insert a 2426 * single ";" character instead of the newline character 2427 * as it would affect the next line. Thus when we comment 2428 * the last line we seek one less and insert a ";" 2429 * character, which will replace the newline of the 2430 * penultimate line with ; and newline of the last line 2431 * will become part of the previous line. 2432 */ 2433 do { 2434 /* 2435 * It is not enough to seek just once and expect the 2436 * subsequent fgets below to take you to the right 2437 * offset of the next line. fgets below seems to affect 2438 * the offset. Thus we need to seek, replace with ";", 2439 * and discard a line using fgets for every line. 2440 */ 2441 if (fseek(fp, start, SEEK_SET) == -1) { 2442 warn("fseek"); 2443 return (-1); 2444 } 2445 if (fputc(';', fp) < 0) { 2446 warn("fputc"); 2447 return (-1); 2448 } 2449 /* 2450 * Flush the above ";" character before we do the fgets(). 2451 * Without this, fgets() gets confused with offsets. 2452 */ 2453 (void) fflush(fp); 2454 len = 0; 2455 while (fgets(ibuf, MAXLEN, fp) != NULL) { 2456 len += strlen(ibuf); 2457 if (ibuf[len - 1] == '\n') { 2458 /* 2459 * We have read a complete line. 2460 */ 2461 break; 2462 } 2463 } 2464 /* 2465 * We read the line after ";" character has been inserted. 2466 * Thus len does not count ";". To advance to the next line 2467 * increment by 1. 2468 */ 2469 start += (len + 1); 2470 /* 2471 * If nlines == 2, we will be commenting out the last 2472 * line next, which has only one newline character. 2473 * If we blindly replace it with ";", it will be 2474 * read as part of the next line which could have 2475 * a INDEX string and thus confusing ipsec_conf_view. 2476 * Thus, we seek one less and replace the previous 2477 * line's newline character with ";", and the 2478 * last line's newline character will become part of 2479 * the previous line. 2480 */ 2481 if (nlines == 2) 2482 start--; 2483 } while (--nlines != 0); 2484 (void) fclose(fp); 2485 if (nlines != 0) 2486 return (-1); 2487 else 2488 return (0); 2489 } 2490 2491 /* 2492 * Delete an entry from the file by inserting a ";" at the 2493 * beginning of the lines to be removed. 2494 */ 2495 static int 2496 ipsec_conf_del(int policy_index, boolean_t ignore_spd) 2497 { 2498 act_prop_t *act_props = malloc(sizeof (act_prop_t)); 2499 char *buf; 2500 FILE *fp; 2501 char ibuf[MAXLEN]; 2502 int ibuf_len, index_len, index; 2503 int ret = 0; 2504 int offset, prev_offset; 2505 int nlines; 2506 char lifname[LIFNAMSIZ]; 2507 2508 if (act_props == NULL) { 2509 warn(gettext("memory")); 2510 return (-1); 2511 } 2512 2513 fp = fopen(POLICY_CONF_FILE, "r"); 2514 if (fp == NULL) { 2515 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE); 2516 free(act_props); 2517 return (-1); 2518 } 2519 2520 index_len = strlen(INDEX_TAG); 2521 index = 0; 2522 for (offset = prev_offset = 0; fgets(ibuf, MAXLEN, fp) != NULL; 2523 offset += ibuf_len) { 2524 prev_offset = offset; 2525 ibuf_len = strlen(ibuf); 2526 2527 if (strncmp(ibuf, INDEX_TAG, index_len) != 0) { 2528 continue; 2529 } 2530 2531 /* 2532 * This line contains INDEX_TAG 2533 */ 2534 buf = ibuf + index_len; 2535 buf++; /* Skip the space */ 2536 index = parse_index(buf, lifname); 2537 if (index == -1) { 2538 warnx(gettext("Invalid index in the file")); 2539 free(act_props); 2540 return (-1); 2541 } 2542 if (index == policy_index && 2543 (interface_name == NULL || 2544 strncmp(interface_name, lifname, LIFNAMSIZ) == 0)) { 2545 if (!ignore_spd) { 2546 ret = parse_one(fp, act_props); 2547 if (ret == -1) { 2548 warnx(gettext("Invalid policy entry " 2549 "in the file")); 2550 free(act_props); 2551 return (-1); 2552 } 2553 } 2554 /* 2555 * nlines is the number of lines we should comment 2556 * out. linecount tells us how many lines this command 2557 * spans. And we need to remove the line with INDEX 2558 * and an extra line we added during ipsec_conf_add. 2559 * 2560 * NOTE : If somebody added a policy entry which does 2561 * not have a newline, ipsec_conf_add() fills in the 2562 * newline. Hence, there is always 2 extra lines 2563 * to delete. 2564 */ 2565 nlines = linecount + 2; 2566 goto delete; 2567 } 2568 } 2569 2570 if (!ignore_spd) 2571 ret = pfp_delete_rule(policy_index); 2572 2573 if (ret != 0) { 2574 warnx(gettext("Deletion incomplete. Please " 2575 "flush all the entries and re-configure :")); 2576 reconfigure(); 2577 free(act_props); 2578 return (ret); 2579 } 2580 free(act_props); 2581 return (ret); 2582 2583 delete: 2584 /* Delete nlines from prev_offset */ 2585 (void) fclose(fp); 2586 ret = delete_from_file(prev_offset, nlines); 2587 2588 if (ret != 0) { 2589 warnx(gettext("Deletion incomplete. Please " 2590 "flush all the entries and re-configure :")); 2591 reconfigure(); 2592 free(act_props); 2593 return (ret); 2594 } 2595 2596 if (!ignore_spd) 2597 ret = pfp_delete_rule(policy_index); 2598 2599 if (ret != 0) { 2600 warnx(gettext("Deletion incomplete. Please " 2601 "flush all the entries and re-configure :")); 2602 reconfigure(); 2603 free(act_props); 2604 return (ret); 2605 } 2606 free(act_props); 2607 return (0); 2608 } 2609 2610 static int 2611 pfp_delete_rule(uint64_t index) 2612 { 2613 struct spd_msg *msg; 2614 struct spd_rule *rule; 2615 int sfd; 2616 int cnt, len, alloclen; 2617 2618 sfd = get_pf_pol_socket(); 2619 if (sfd < 0) { 2620 warn(gettext("unable to open policy socket")); 2621 return (-1); 2622 } 2623 2624 /* 2625 * Add an extra 8 bytes of space (+1 uint64_t) to avoid truncation 2626 * issues. 2627 */ 2628 alloclen = sizeof (spd_msg_t) + sizeof (struct spd_rule) + 2629 sizeof (spd_if_t) + LIFNAMSIZ + 8; 2630 msg = (spd_msg_t *)malloc(alloclen); 2631 2632 if (msg == NULL) { 2633 warn("malloc"); 2634 return (-1); 2635 } 2636 2637 rule = (struct spd_rule *)(msg + 1); 2638 2639 (void) memset(msg, 0, alloclen); 2640 msg->spd_msg_version = PF_POLICY_V1; 2641 msg->spd_msg_type = SPD_DELETERULE; 2642 msg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t) 2643 + sizeof (struct spd_rule)); 2644 2645 rule->spd_rule_type = SPD_EXT_RULE; 2646 rule->spd_rule_len = SPD_8TO64(sizeof (struct spd_rule)); 2647 rule->spd_rule_index = index; 2648 2649 msg->spd_msg_len += attach_tunname((spd_if_t *)(rule + 1)); 2650 2651 len = SPD_64TO8(msg->spd_msg_len); 2652 cnt = write(sfd, msg, len); 2653 2654 if (cnt != len) { 2655 if (cnt < 0) { 2656 (void) close(sfd); 2657 free(msg); 2658 warn(gettext("Delete failed: write")); 2659 return (-1); 2660 } else { 2661 (void) close(sfd); 2662 free(msg); 2663 warnx(gettext("Delete failed: short write")); 2664 return (-1); 2665 } 2666 } 2667 2668 cnt = read(sfd, msg, len); 2669 if (cnt != len) { 2670 if (cnt < 0) { 2671 (void) close(sfd); 2672 free(msg); 2673 warn(gettext("Delete failed: read")); 2674 return (-1); 2675 } else { 2676 (void) close(sfd); 2677 free(msg); 2678 warnx(gettext("Delete failed while reading reply")); 2679 return (-1); 2680 } 2681 } 2682 (void) close(sfd); 2683 if (msg->spd_msg_errno != 0) { 2684 free(msg); 2685 errno = msg->spd_msg_errno; 2686 warn(gettext("Delete failed: SPD_FLUSH")); 2687 return (-1); 2688 } 2689 2690 free(msg); 2691 return (0); 2692 } 2693 2694 static int 2695 ipsec_conf_flush(int db) 2696 { 2697 int pfd, cnt, len; 2698 int sfd; 2699 struct spd_msg *msg; 2700 /* 2701 * Add an extra 8 bytes of space (+1 uint64_t) to avoid truncation 2702 * issues. 2703 */ 2704 uint64_t buffer[ 2705 SPD_8TO64(sizeof (*msg) + sizeof (spd_if_t) + LIFNAMSIZ) + 1]; 2706 2707 sfd = get_pf_pol_socket(); 2708 if (sfd < 0) { 2709 warn(gettext("unable to open policy socket")); 2710 return (-1); 2711 } 2712 2713 (void) memset(buffer, 0, sizeof (buffer)); 2714 msg = (struct spd_msg *)buffer; 2715 msg->spd_msg_version = PF_POLICY_V1; 2716 msg->spd_msg_type = SPD_FLUSH; 2717 msg->spd_msg_len = SPD_8TO64(sizeof (*msg)); 2718 msg->spd_msg_spdid = db; 2719 2720 msg->spd_msg_len += attach_tunname((spd_if_t *)(msg + 1)); 2721 2722 len = SPD_64TO8(msg->spd_msg_len); 2723 cnt = write(sfd, msg, len); 2724 if (cnt != len) { 2725 if (cnt < 0) { 2726 warn(gettext("Flush failed: write")); 2727 return (-1); 2728 } else { 2729 warnx(gettext("Flush failed: short write")); 2730 return (-1); 2731 } 2732 } 2733 2734 cnt = read(sfd, msg, len); 2735 if (cnt != len) { 2736 if (cnt < 0) { 2737 warn(gettext("Flush failed: read")); 2738 return (-1); 2739 } else { 2740 warnx(gettext("Flush failed while reading reply")); 2741 return (-1); 2742 } 2743 } 2744 (void) close(sfd); 2745 if (msg->spd_msg_errno != 0) { 2746 warnx("%s: %s", gettext("Flush failed: SPD_FLUSH"), 2747 sys_error_message(msg->spd_msg_errno)); 2748 return (-1); 2749 } 2750 2751 /* Truncate the file */ 2752 if (db == SPD_ACTIVE) { 2753 if ((pfd = open(POLICY_CONF_FILE, O_TRUNC|O_RDWR)) == -1) { 2754 if (errno == ENOENT) { 2755 /* 2756 * The absence of POLICY_CONF_FILE should 2757 * not cause the command to exit with a 2758 * non-zero status, since this condition 2759 * is valid when no policies were previously 2760 * defined. 2761 */ 2762 return (0); 2763 } 2764 warn(gettext("%s cannot be truncated"), 2765 POLICY_CONF_FILE); 2766 return (-1); 2767 } 2768 (void) close(pfd); 2769 } 2770 return (0); 2771 } 2772 2773 /* 2774 * function to send SPD_FLIP and SPD_CLONE messages 2775 * Do it for ALL polheads for simplicity's sake. 2776 */ 2777 static void 2778 ipsec_conf_admin(uint8_t type) 2779 { 2780 int cnt; 2781 int sfd; 2782 struct spd_msg *msg; 2783 uint64_t buffer[ 2784 SPD_8TO64(sizeof (struct spd_msg) + sizeof (spd_if_t))]; 2785 char *save_ifname; 2786 2787 sfd = get_pf_pol_socket(); 2788 if (sfd < 0) { 2789 err(-1, gettext("unable to open policy socket")); 2790 } 2791 2792 (void) memset(buffer, 0, sizeof (buffer)); 2793 msg = (struct spd_msg *)buffer; 2794 msg->spd_msg_version = PF_POLICY_V1; 2795 msg->spd_msg_type = type; 2796 msg->spd_msg_len = SPD_8TO64(sizeof (buffer)); 2797 2798 save_ifname = interface_name; 2799 /* Apply to all policy heads - global and tunnels. */ 2800 interface_name = &all_polheads; 2801 (void) attach_tunname((spd_if_t *)(msg + 1)); 2802 interface_name = save_ifname; 2803 2804 cnt = write(sfd, msg, sizeof (buffer)); 2805 if (cnt != sizeof (buffer)) { 2806 if (cnt < 0) { 2807 err(-1, gettext("admin failed: write")); 2808 } else { 2809 errx(-1, gettext("admin failed: short write")); 2810 } 2811 } 2812 2813 cnt = read(sfd, msg, sizeof (buffer)); 2814 if (cnt != sizeof (buffer)) { 2815 if (cnt < 0) { 2816 err(-1, gettext("admin failed: read")); 2817 } else { 2818 errx(-1, gettext("admin failed while reading reply")); 2819 } 2820 } 2821 (void) close(sfd); 2822 if (msg->spd_msg_errno != 0) { 2823 errno = msg->spd_msg_errno; 2824 err(-1, gettext("admin failed")); 2825 } 2826 } 2827 2828 static void 2829 reconfigure() 2830 { 2831 (void) fprintf(stderr, gettext( 2832 "\tipsecconf -f \n " 2833 "\tipsecconf -a policy_file\n")); 2834 } 2835 2836 static void 2837 usage(void) 2838 { 2839 (void) fprintf(stderr, gettext( 2840 "Usage: ipsecconf\n" 2841 "\tipsecconf -a ([-]|<filename>) [-q]\n" 2842 "\tipsecconf -c <filename>\n" 2843 "\tipsecconf -r ([-]|<filename>) [-q]\n" 2844 "\tipsecconf -d [-i tunnel-interface] <index>\n" 2845 "\tipsecconf -d <tunnel-interface,index>\n" 2846 "\tipsecconf -l [-n] [-i tunnel-interface]\n" 2847 "\tipsecconf -f [-i tunnel-interface]\n" 2848 "\tipsecconf -L [-n]\n" 2849 "\tipsecconf -F\n")); 2850 } 2851 2852 /* 2853 * a type consists of 2854 * "type" <int>{ "-" <int>} 2855 * or 2856 * "type" keyword 2857 * 2858 * a code consists of 2859 * "code" <int>{ "-" <int>} 2860 * or 2861 * "code" keyword 2862 */ 2863 2864 2865 static int 2866 parse_type_code(const char *str, const str_val_t *table) 2867 { 2868 char *end1, *end2; 2869 int res1 = 0, res2 = 0; 2870 int i; 2871 2872 if (isdigit(str[0])) { 2873 res1 = strtol(str, &end1, 0); 2874 2875 if (end1 == str) { 2876 return (-1); 2877 } 2878 2879 if (res1 > 255 || res1 < 0) { 2880 return (-1); 2881 } 2882 2883 if (*end1 == '-') { 2884 end1++; 2885 res2 = strtol(end1, &end2, 0); 2886 if (res2 > 255 || res2 < 0) { 2887 return (-1); 2888 } 2889 } else { 2890 end2 = end1; 2891 } 2892 2893 while (isspace(*end2)) 2894 end2++; 2895 2896 if (*end2 != '\0') { 2897 return (-1); 2898 } 2899 2900 return (res1 + (res2 << 8)); 2901 } 2902 2903 for (i = 0; table[i].string; i++) { 2904 if (strcmp(str, table[i].string) == 0) { 2905 return (table[i].value); 2906 } 2907 } 2908 2909 return (-1); 2910 } 2911 2912 static int 2913 parse_int(const char *str) 2914 { 2915 char *end; 2916 int res; 2917 2918 res = strtol(str, &end, 0); 2919 if (end == str) 2920 return (-1); 2921 while (isspace(*end)) 2922 end++; 2923 if (*end != '\0') 2924 return (-1); 2925 return (res); 2926 } 2927 2928 /* 2929 * Parses <interface>,<index>. Sets iname or the global interface_name (if 2930 * iname == NULL) to <interface> and returns <index>. Calls exit() if we have 2931 * an interface_name already set. 2932 */ 2933 static int 2934 parse_index(const char *str, char *iname) 2935 { 2936 char *intf, *num, *copy; 2937 int rc; 2938 2939 copy = strdup(str); 2940 if (copy == NULL) { 2941 EXIT_FATAL("Out of memory."); 2942 } 2943 2944 intf = strtok(copy, ","); 2945 /* Just want the rest of the string unmolested, so use "" for arg2. */ 2946 num = strtok(NULL, ""); 2947 if (num == NULL) { 2948 /* No comma found, just parse it like an int. */ 2949 free(copy); 2950 return (parse_int(str)); 2951 } 2952 2953 if (iname != NULL) { 2954 (void) strlcpy(iname, intf, LIFNAMSIZ); 2955 } else { 2956 if (interface_name != NULL) { 2957 EXIT_FATAL("Interface name already selected"); 2958 } 2959 2960 interface_name = strdup(intf); 2961 if (interface_name == NULL) { 2962 EXIT_FATAL("Out of memory."); 2963 } 2964 } 2965 2966 rc = parse_int(num); 2967 free(copy); 2968 return (rc); 2969 } 2970 2971 /* 2972 * Convert a mask to a prefix length. 2973 * Returns prefix length on success, -1 otherwise. 2974 */ 2975 static int 2976 in_getprefixlen(char *mask) 2977 { 2978 int prefixlen; 2979 char *end; 2980 2981 prefixlen = (int)strtol(mask, &end, 10); 2982 if (prefixlen < 0) { 2983 return (-1); 2984 } 2985 if (mask == end) { 2986 return (-1); 2987 } 2988 if (*end != '\0') { 2989 return (-1); 2990 } 2991 return (prefixlen); 2992 } 2993 2994 /* 2995 * Convert a prefix length to a mask. 2996 * Assumes the mask array is zero'ed by the caller. 2997 */ 2998 static void 2999 in_prefixlentomask(unsigned int prefixlen, uchar_t *mask) 3000 { 3001 while (prefixlen > 0) { 3002 if (prefixlen >= 8) { 3003 *mask++ = 0xFF; 3004 prefixlen -= 8; 3005 continue; 3006 } 3007 *mask |= 1 << (8 - prefixlen); 3008 prefixlen--; 3009 } 3010 } 3011 3012 3013 static int 3014 parse_address(int type, char *addr_str) 3015 { 3016 char *ptr; 3017 int prefix_len = 0; 3018 struct netent *ne = NULL; 3019 struct hostent *hp = NULL; 3020 int h_errno; 3021 struct in_addr netaddr; 3022 struct in6_addr *netaddr6; 3023 struct hostent *ne_hent; 3024 boolean_t has_mask = B_FALSE; 3025 3026 ptr = strchr(addr_str, '/'); 3027 if (ptr != NULL) { 3028 has_mask = B_TRUE; 3029 *ptr++ = NULL; 3030 3031 prefix_len = in_getprefixlen(ptr); 3032 if (prefix_len < 0) { 3033 warnx(gettext("Unparseable prefix: '%s'."), ptr); 3034 return (-1); 3035 } 3036 } 3037 3038 /* 3039 * getipnodebyname() is thread safe. This allows us to hold on to the 3040 * returned hostent structure, which is pointed to by the shp and 3041 * dhp globals for the source and destination addresses, respectively. 3042 */ 3043 hp = getipnodebyname(addr_str, AF_INET6, AI_DEFAULT | AI_ALL, &h_errno); 3044 if (hp != NULL) { 3045 /* 3046 * We come here for both a hostname and 3047 * any host address /network address. 3048 */ 3049 assert(hp->h_addrtype == AF_INET6); 3050 } else if ((ne = getnetbyname(addr_str)) != NULL) { 3051 switch (ne->n_addrtype) { 3052 case AF_INET: 3053 /* 3054 * Allocate a struct hostent and initialize 3055 * it with the address corresponding to the 3056 * network number previously returned by 3057 * getnetbyname(). Freed by do_address_adds() 3058 * once the policy is defined. 3059 */ 3060 ne_hent = malloc(sizeof (struct hostent)); 3061 if (ne_hent == NULL) { 3062 warn("malloc"); 3063 return (-1); 3064 } 3065 ne_hent->h_addr_list = malloc(2*sizeof (char *)); 3066 if (ne_hent->h_addr_list == NULL) { 3067 warn("malloc"); 3068 free(ne_hent); 3069 return (-1); 3070 } 3071 netaddr6 = malloc(sizeof (struct in6_addr)); 3072 if (netaddr6 == NULL) { 3073 warn("malloc"); 3074 free(ne_hent->h_addr_list); 3075 free(ne_hent); 3076 return (-1); 3077 } 3078 ne_hent->h_addr_list[0] = (char *)netaddr6; 3079 ne_hent->h_addr_list[1] = NULL; 3080 netaddr = inet_makeaddr(ne->n_net, INADDR_ANY); 3081 IN6_INADDR_TO_V4MAPPED(&netaddr, netaddr6); 3082 hp = ne_hent; 3083 break; 3084 default: 3085 warnx(gettext("Address type %d not supported."), 3086 ne->n_addrtype); 3087 return (-1); 3088 } 3089 } else { 3090 warnx(gettext("Could not resolve address %s."), addr_str); 3091 return (-1); 3092 } 3093 3094 if (type == IPSEC_CONF_SRC_ADDRESS) { 3095 shp = hp; 3096 if (has_mask) 3097 splen = prefix_len; 3098 has_saprefix = has_mask; 3099 } else { 3100 dhp = hp; 3101 if (has_mask) 3102 dplen = prefix_len; 3103 has_daprefix = has_mask; 3104 } 3105 3106 return (0); 3107 } 3108 3109 /* 3110 * Add port-only entries. Make sure to add them in both the V6 and V4 tables! 3111 */ 3112 static int 3113 do_port_adds(ips_conf_t *cptr) 3114 { 3115 int ret, diag; 3116 3117 assert(IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_src_addr_v6)); 3118 assert(IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_dst_addr_v6)); 3119 3120 #ifdef DEBUG_HEAVY 3121 (void) dump_conf(cptr); 3122 #endif 3123 3124 ret = send_pf_pol_message(SPD_ADDRULE, cptr, &diag); 3125 if (ret != 0 && !ipsecconf_qflag) { 3126 warnx( 3127 gettext("Could not add IPv4 policy for sport %d, dport %d " 3128 "- diagnostic %d - %s"), ntohs(cptr->ips_src_port_min), 3129 ntohs(cptr->ips_dst_port_min), diag, spdsock_diag(diag)); 3130 } 3131 3132 return (ret); 3133 } 3134 3135 /* 3136 * Nuke a list of policy entries. 3137 * rewrite this to use flipping 3138 * d_list isn't freed because we will be 3139 * exiting the program soon. 3140 */ 3141 static void 3142 nuke_adds() 3143 { 3144 d_list_t *temp = d_list; 3145 FILE *policy_fp; 3146 3147 policy_fp = fopen(POLICY_CONF_FILE, "a"); 3148 if (policy_fp == NULL) { 3149 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE); 3150 } else { 3151 (void) fprintf(policy_fp, "\n\n"); 3152 (void) fflush(policy_fp); 3153 } 3154 3155 while (temp != NULL) { 3156 (void) ipsec_conf_del(temp->index, B_TRUE); 3157 temp = temp->next; 3158 } 3159 } 3160 3161 /* 3162 * Set mask info from the specified prefix len. Fail if multihomed. 3163 */ 3164 static int 3165 set_mask_info(struct hostent *hp, unsigned int plen, struct in6_addr *mask_v6) 3166 { 3167 struct in6_addr addr; 3168 struct in_addr mask_v4; 3169 3170 if (hp->h_addr_list[1] != NULL) { 3171 return (EOPNOTSUPP); 3172 } 3173 3174 if (!IN6_IS_ADDR_UNSPECIFIED(mask_v6)) { 3175 return (EBUSY); 3176 } 3177 3178 bcopy(hp->h_addr_list[0], &addr, sizeof (struct in6_addr)); 3179 if (IN6_IS_ADDR_V4MAPPED(&addr)) { 3180 if (plen > IP_ABITS) { 3181 return (ERANGE); 3182 } 3183 (void) memset(&mask_v4, 0, sizeof (mask_v4)); 3184 in_prefixlentomask(plen, (uchar_t *)&mask_v4); 3185 IN6_INADDR_TO_V4MAPPED(&mask_v4, mask_v6); 3186 } else { 3187 if (plen > IPV6_ABITS) { 3188 return (ERANGE); 3189 } 3190 /* mask_v6 is already zero (unspecified), see test above */ 3191 in_prefixlentomask(plen, (uchar_t *)mask_v6); 3192 } 3193 return (0); 3194 } 3195 3196 /* 3197 * Initialize the specified IPv6 address with all f's. 3198 */ 3199 static void 3200 init_addr_wildcard(struct in6_addr *addr_v6, boolean_t isv4) 3201 { 3202 if (isv4) { 3203 uint32_t addr_v4 = 0xffffffff; 3204 IN6_INADDR_TO_V4MAPPED((struct in_addr *)&addr_v4, addr_v6); 3205 } else { 3206 (void) memset(addr_v6, 0xff, sizeof (struct in6_addr)); 3207 } 3208 } 3209 3210 /* 3211 * Called at the end to actually add policy. Handles single and multi-homed 3212 * cases. 3213 */ 3214 static int 3215 do_address_adds(ips_conf_t *cptr, int *diag) 3216 { 3217 int i, j; 3218 int ret = 0; /* For ioctl() call. */ 3219 int rc = 0; /* My own return code. */ 3220 struct in6_addr zeroes = {0, 0, 0, 0}; 3221 char *ptr[2]; 3222 struct hostent hent; 3223 boolean_t isv4; 3224 int add_count = 0; 3225 3226 /* 3227 * dst_hent may not be initialized if a destination 3228 * address was not given. It will be initalized with just 3229 * one address if a destination address was given. In both 3230 * the cases, we initialize here with ipsc_dst_addr and enter 3231 * the loop below. 3232 */ 3233 if (dhp == NULL) { 3234 assert(shp != NULL); 3235 hent.h_addr_list = ptr; 3236 ptr[0] = (char *)&zeroes.s6_addr; 3237 ptr[1] = NULL; 3238 dhp = &hent; 3239 } else if (shp == NULL) { 3240 assert(dhp != NULL); 3241 hent.h_addr_list = ptr; 3242 ptr[0] = (char *)&zeroes.s6_addr; 3243 ptr[1] = NULL; 3244 shp = &hent; 3245 } 3246 3247 /* 3248 * Set mask info here. Bail if multihomed and there's a prefix len. 3249 */ 3250 if (has_saprefix) { 3251 rc = set_mask_info(shp, splen, &cptr->ips_src_mask_v6); 3252 if (rc != 0) 3253 goto bail; 3254 cptr->ips_src_mask_len = splen; 3255 } 3256 3257 if (has_daprefix) { 3258 rc = set_mask_info(dhp, dplen, &cptr->ips_dst_mask_v6); 3259 if (rc != 0) 3260 goto bail; 3261 cptr->ips_dst_mask_len = dplen; 3262 } 3263 3264 for (i = 0; shp->h_addr_list[i] != NULL; i++) { 3265 bcopy(shp->h_addr_list[i], &cptr->ips_src_addr_v6, 3266 sizeof (struct in6_addr)); 3267 isv4 = cptr->ips_isv4 = 3268 IN6_IS_ADDR_V4MAPPED(&cptr->ips_src_addr_v6); 3269 if (IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_src_mask_v6) && 3270 shp != &hent) { 3271 init_addr_wildcard(&cptr->ips_src_mask_v6, isv4); 3272 } 3273 3274 for (j = 0; dhp->h_addr_list[j] != NULL; j++) { 3275 bcopy(dhp->h_addr_list[j], &cptr->ips_dst_addr_v6, 3276 sizeof (struct in6_addr)); 3277 if (IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_src_addr_v6)) { 3278 /* 3279 * Src was not specified, so update isv4 flag 3280 * for this policy according to the family 3281 * of the destination address. 3282 */ 3283 isv4 = cptr->ips_isv4 = 3284 IN6_IS_ADDR_V4MAPPED( 3285 &cptr->ips_dst_addr_v6); 3286 } else if ((dhp != &hent) && (isv4 != 3287 IN6_IS_ADDR_V4MAPPED(&cptr->ips_dst_addr_v6))) { 3288 /* v6/v4 mismatch. */ 3289 continue; 3290 } 3291 if (IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_dst_mask_v6) && 3292 dhp != &hent) { 3293 init_addr_wildcard(&cptr->ips_dst_mask_v6, 3294 isv4); 3295 } 3296 3297 ret = send_pf_pol_message(SPD_ADDRULE, cptr, diag); 3298 3299 if (ret == 0) { 3300 add_count++; 3301 } else { 3302 /* For now, allow duplicate/overlap policies. */ 3303 if (ret != EEXIST) { 3304 /* 3305 * We have an error where we added 3306 * some, but had errors with others. 3307 * Undo the previous adds, and 3308 * bail. 3309 */ 3310 rc = ret; 3311 goto bail; 3312 } 3313 } 3314 3315 bzero(&cptr->ips_dst_mask_v6, 3316 sizeof (struct in6_addr)); 3317 } 3318 3319 bzero(&cptr->ips_src_mask_v6, sizeof (struct in6_addr)); 3320 } 3321 3322 bail: 3323 if (shp != &hent) 3324 freehostent(shp); 3325 shp = NULL; 3326 if (dhp != &hent) 3327 freehostent(dhp); 3328 dhp = NULL; 3329 splen = 0; 3330 dplen = 0; 3331 3332 if ((add_count == 0) && (rc == 0)) { 3333 /* 3334 * No entries were added. We failed all adds 3335 * because the entries already existed, or because 3336 * no v4 or v6 src/dst pairs were found. Either way, 3337 * we must fail here with an appropriate error 3338 * to avoid a corresponding entry from being added 3339 * to ipsecpolicy.conf. 3340 */ 3341 if ((ret == EEXIST)) { 3342 /* All adds failed with EEXIST */ 3343 rc = EEXIST; 3344 } else { 3345 /* No matching v4 or v6 src/dst pairs */ 3346 rc = ESRCH; 3347 } 3348 } 3349 3350 return (rc); 3351 } 3352 3353 static int 3354 parse_mask(int type, char *mask_str, ips_conf_t *cptr) 3355 { 3356 struct in_addr mask; 3357 struct in6_addr *mask6; 3358 3359 if (type == IPSEC_CONF_SRC_MASK) { 3360 mask6 = &cptr->ips_src_mask_v6; 3361 } else { 3362 mask6 = &cptr->ips_dst_mask_v6; 3363 } 3364 3365 if ((strncasecmp(mask_str, "0x", 2) == 0) && 3366 (strchr(mask_str, '.') == NULL)) { 3367 /* Is it in the form 0xff000000 ? */ 3368 char *end; 3369 3370 mask.s_addr = strtoul(mask_str, &end, 0); 3371 if (end == mask_str) { 3372 return (-1); 3373 } 3374 if (*end != '\0') { 3375 return (-1); 3376 } 3377 mask.s_addr = htonl(mask.s_addr); 3378 } else { 3379 /* 3380 * Since inet_addr() returns -1 on error, we have 3381 * to convert a broadcast address ourselves. 3382 */ 3383 if (strcmp(mask_str, "255.255.255.255") == 0) { 3384 mask.s_addr = 0xffffffff; 3385 } else { 3386 mask.s_addr = inet_addr(mask_str); 3387 if (mask.s_addr == (unsigned int)-1) 3388 return (-1); 3389 } 3390 } 3391 3392 /* Should we check for non-contiguous masks ? */ 3393 if (mask.s_addr == 0) 3394 return (-1); 3395 IN6_INADDR_TO_V4MAPPED(&mask, mask6); 3396 3397 3398 if (type == IPSEC_CONF_SRC_MASK) { 3399 cptr->ips_src_mask_len = in_masktoprefix(mask6->s6_addr, 3400 B_TRUE); 3401 } else { 3402 cptr->ips_dst_mask_len = in_masktoprefix(mask6->s6_addr, 3403 B_TRUE); 3404 } 3405 3406 return (0); 3407 } 3408 3409 static int 3410 parse_port(int type, char *port_str, ips_conf_t *conf) 3411 { 3412 struct servent *sent; 3413 in_port_t port; 3414 int ret; 3415 3416 sent = getservbyname(port_str, NULL); 3417 if (sent == NULL) { 3418 ret = parse_int(port_str); 3419 if (ret < 0 || ret >= 65536) { 3420 return (-1); 3421 } 3422 port = htons((in_port_t)ret); 3423 } else { 3424 port = sent->s_port; 3425 } 3426 if (type == IPSEC_CONF_SRC_PORT) { 3427 conf->ips_src_port_min = conf->ips_src_port_max = port; 3428 } else { 3429 conf->ips_dst_port_min = conf->ips_dst_port_max = port; 3430 } 3431 return (0); 3432 } 3433 3434 static boolean_t 3435 combined_mode(uint_t alg_id) 3436 { 3437 struct ipsecalgent *alg; 3438 boolean_t rc; 3439 3440 alg = getipsecalgbynum(alg_id, IPSEC_PROTO_ESP, NULL); 3441 if (alg != NULL) { 3442 rc = (ALG_FLAG_COMBINED & alg->a_alg_flags); 3443 freeipsecalgent(alg); 3444 } else { 3445 rc = B_FALSE; 3446 } 3447 3448 return (rc); 3449 } 3450 3451 static int 3452 valid_algorithm(int proto_num, const char *str) 3453 { 3454 const char *tmp; 3455 int ret; 3456 struct ipsecalgent *alg; 3457 3458 /* Short-circuit "none" */ 3459 if (strncasecmp("none", str, 5) == 0) 3460 return (-2); 3461 3462 alg = getipsecalgbyname(str, proto_num, NULL); 3463 if (alg != NULL) { 3464 ret = alg->a_alg_num; 3465 freeipsecalgent(alg); 3466 return (ret); 3467 } 3468 3469 /* 3470 * Look whether it could be a valid number. 3471 * We support numbers also so that users can 3472 * load algorithms as they need it. We can't 3473 * check for validity of numbers here. It will 3474 * be checked when the SA is negotiated/looked up. 3475 * parse_int uses strtol(str), which converts 3DES 3476 * to a valid number i.e looks only at initial 3477 * number part. If we come here we should expect 3478 * only a decimal number. 3479 */ 3480 tmp = str; 3481 while (*tmp) { 3482 if (!isdigit(*tmp)) 3483 return (-1); 3484 tmp++; 3485 } 3486 3487 ret = parse_int(str); 3488 if (ret > 0 && ret <= 255) 3489 return (ret); 3490 else 3491 return (-1); 3492 } 3493 3494 static int 3495 parse_ipsec_alg(char *str, ips_act_props_t *iap, int alg_type) 3496 { 3497 int alg_value; 3498 int remainder; 3499 char tstr[VALID_ALG_LEN]; 3500 char *lens = NULL; 3501 char *l1_str; 3502 int l1 = 0; 3503 char *l2_str; 3504 int l2 = SPD_MAX_MAXBITS; 3505 algreq_t *ap; 3506 uint_t a_type; 3507 3508 fetch_algorithms(); 3509 3510 /* 3511 * Make sure that we get a null terminated string. 3512 * For a bad input, we truncate at VALID_ALG_LEN. 3513 */ 3514 remainder = strlen(str); 3515 (void) strlcpy(tstr, str, VALID_ALG_LEN); 3516 lens = strtok(tstr, "()"); 3517 remainder -= strlen(lens); 3518 lens = strtok(NULL, "()"); 3519 3520 if (lens != NULL) { 3521 int len1 = 0; 3522 int len2 = SPD_MAX_MAXBITS; 3523 int len_all = strlen(lens); 3524 int dot_start = (lens[0] == '.'); 3525 3526 /* 3527 * Check to see if the keylength arg is at the end of the 3528 * token, the "()" is 2 characters. 3529 */ 3530 remainder -= strlen(lens); 3531 if (remainder > 2) 3532 return (1); 3533 3534 l1_str = strtok(lens, "."); 3535 l2_str = strtok(NULL, "."); 3536 if (l1_str != NULL) { 3537 l1 = parse_int(l1_str); 3538 len1 = strlen(l1_str); 3539 if (len1 < 0) 3540 return (1); 3541 } 3542 if (l2_str != NULL) { 3543 l2 = parse_int(l2_str); 3544 len2 = strlen(l2_str); 3545 if (len2 < 0) 3546 return (1); 3547 } 3548 3549 if (len_all == len1) { 3550 /* alg(n) */ 3551 l2 = l1; 3552 } else if (dot_start) { 3553 /* alg(..n) */ 3554 l2 = l1; 3555 l1 = 0; 3556 } else if ((len_all - 2) == len1) { 3557 /* alg(n..) */ 3558 l2 = SPD_MAX_MAXBITS; 3559 } /* else alg(n..m) */ 3560 } 3561 3562 if (alg_type == SPD_ATTR_AH_AUTH || 3563 alg_type == SPD_ATTR_ESP_AUTH) { 3564 alg_value = valid_algorithm(IPSEC_PROTO_AH, tstr); 3565 } else { 3566 alg_value = valid_algorithm(IPSEC_PROTO_ESP, tstr); 3567 } 3568 if (alg_value < 0) { 3569 /* Invalid algorithm or "none" */ 3570 return (alg_value); 3571 } 3572 3573 if (alg_type == SPD_ATTR_AH_AUTH) { 3574 a_type = AH_AUTH; 3575 iap->iap_attr |= SPD_APPLY_AH; 3576 ap = &(iap->iap_aauth); 3577 } else if (alg_type == SPD_ATTR_ESP_AUTH) { 3578 a_type = ESP_AUTH; 3579 iap->iap_attr |= SPD_APPLY_ESP|SPD_APPLY_ESPA; 3580 ap = &(iap->iap_eauth); 3581 } else { 3582 a_type = ESP_ENCR; 3583 iap->iap_attr |= SPD_APPLY_ESP; 3584 ap = &(iap->iap_eencr); 3585 } 3586 3587 ap->alg_id = alg_value; 3588 ap->alg_minbits = l1; 3589 ap->alg_maxbits = l2; 3590 3591 if (!alg_rangecheck(a_type, alg_value, ap)) 3592 return (1); 3593 3594 return (0); 3595 } 3596 3597 static char * 3598 sys_error_message(int syserr) 3599 { 3600 char *mesg; 3601 3602 switch (syserr) { 3603 case EEXIST: 3604 mesg = gettext("Entry already exists"); 3605 break; 3606 case ENOENT: 3607 mesg = gettext("Tunnel not found"); 3608 break; 3609 case EINVAL: 3610 mesg = gettext("Invalid entry"); 3611 break; 3612 default : 3613 mesg = strerror(syserr); 3614 } 3615 return (mesg); 3616 } 3617 3618 static void 3619 error_message(error_type_t error, int type, int line) 3620 { 3621 char *mesg; 3622 3623 switch (type) { 3624 case IPSEC_CONF_SRC_ADDRESS: 3625 mesg = gettext("Source Address"); 3626 break; 3627 case IPSEC_CONF_DST_ADDRESS: 3628 mesg = gettext("Destination Address"); 3629 break; 3630 case IPSEC_CONF_SRC_PORT: 3631 mesg = gettext("Source Port"); 3632 break; 3633 case IPSEC_CONF_DST_PORT: 3634 mesg = gettext("Destination Port"); 3635 break; 3636 case IPSEC_CONF_SRC_MASK: 3637 mesg = gettext("Source Mask"); 3638 break; 3639 case IPSEC_CONF_DST_MASK: 3640 mesg = gettext("Destination Mask"); 3641 break; 3642 case IPSEC_CONF_ULP: 3643 mesg = gettext("Upper Layer Protocol"); 3644 break; 3645 case IPSEC_CONF_IPSEC_AALGS: 3646 mesg = gettext("Authentication Algorithm"); 3647 break; 3648 case IPSEC_CONF_IPSEC_EALGS: 3649 mesg = gettext("Encryption Algorithm"); 3650 break; 3651 case IPSEC_CONF_IPSEC_EAALGS: 3652 mesg = gettext("ESP Authentication Algorithm"); 3653 break; 3654 case IPSEC_CONF_IPSEC_SA: 3655 mesg = gettext("SA"); 3656 break; 3657 case IPSEC_CONF_IPSEC_DIR: 3658 mesg = gettext("Direction"); 3659 break; 3660 case IPSEC_CONF_ICMP_TYPE: 3661 mesg = gettext("ICMP type"); 3662 break; 3663 case IPSEC_CONF_ICMP_CODE: 3664 mesg = gettext("ICMP code"); 3665 break; 3666 case IPSEC_CONF_NEGOTIATE: 3667 mesg = gettext("Negotiate"); 3668 break; 3669 case IPSEC_CONF_TUNNEL: 3670 mesg = gettext("Tunnel"); 3671 break; 3672 default : 3673 return; 3674 } 3675 /* 3676 * If we never read a newline character, we don't want 3677 * to print 0. 3678 */ 3679 warnx(gettext("%s%s%s %s on line: %d"), 3680 (error == BAD_ERROR) ? gettext("Bad") : "", 3681 (error == DUP_ERROR) ? gettext("Duplicate") : "", 3682 (error == REQ_ERROR) ? gettext("Requires") : "", 3683 mesg, 3684 (arg_indices[line] == 0) ? 1 : arg_indices[line]); 3685 } 3686 3687 static int 3688 validate_properties(ips_act_props_t *cptr, boolean_t dir, boolean_t is_alg) 3689 { 3690 if (cptr->iap_action == SPD_ACTTYPE_PASS || 3691 cptr->iap_action == SPD_ACTTYPE_DROP) { 3692 if (!dir) { 3693 warnx(gettext("dir string " 3694 "not found for bypass policy")); 3695 } 3696 3697 if (is_alg) { 3698 warnx(gettext("Algorithms found for bypass policy")); 3699 return (-1); 3700 } 3701 return (0); 3702 } 3703 if (!is_alg) { 3704 warnx(gettext("No IPsec algorithms given")); 3705 return (-1); 3706 } 3707 if (cptr->iap_attr == 0) { 3708 warnx(gettext("No SA attribute")); 3709 return (-1); 3710 } 3711 return (0); 3712 } 3713 3714 /* 3715 * This function is called only to parse a single rule's worth of 3716 * action strings. This is called after parsing pattern and before 3717 * parsing properties. Thus we may have something in the leftover 3718 * buffer while parsing the pattern, which we need to handle here. 3719 */ 3720 static int 3721 parse_action(FILE *fp, char **action, char **leftover) 3722 { 3723 char *cp; 3724 char ibuf[MAXLEN]; 3725 char *tmp_buf; 3726 char *buf; 3727 boolean_t new_stuff; 3728 3729 if (*leftover != NULL) { 3730 buf = *leftover; 3731 new_stuff = B_FALSE; 3732 goto scan; 3733 } 3734 while (fgets(ibuf, MAXLEN, fp) != NULL) { 3735 new_stuff = B_TRUE; 3736 if (ibuf[strlen(ibuf) - 1] == '\n') 3737 linecount++; 3738 buf = ibuf; 3739 scan: 3740 /* Truncate at the beginning of a comment */ 3741 cp = strchr(buf, '#'); 3742 if (cp != NULL) 3743 *cp = NULL; 3744 3745 /* Skip any whitespace */ 3746 while (*buf != NULL && isspace(*buf)) 3747 buf++; 3748 3749 /* Empty line */ 3750 if (*buf == NULL) 3751 continue; 3752 3753 /* 3754 * Store the command for error reporting 3755 * and ipsec_conf_add(). 3756 */ 3757 if (new_stuff) { 3758 /* 3759 * Check for buffer overflow including the null 3760 * terminating character. 3761 */ 3762 int len = strlen(ibuf); 3763 if ((cbuf_offset + len + 1) >= CBUF_LEN) 3764 return (-1); 3765 3766 (void) strcpy(cbuf + cbuf_offset, ibuf); 3767 cbuf_offset += len; 3768 } 3769 /* 3770 * Start of the non-empty non-space character. 3771 */ 3772 tmp_buf = buf; 3773 3774 /* Skip until next whitespace or CURL_BEGIN */ 3775 while (*buf != NULL && !isspace(*buf) && 3776 *buf != CURL_BEGIN) 3777 buf++; 3778 3779 if (*buf != NULL) { 3780 if (tmp_buf == buf) /* No action token */ 3781 goto error; 3782 if (*buf == CURL_BEGIN) { 3783 *buf = NULL; 3784 /* Allocate an extra byte for the null also */ 3785 if ((*action = malloc(strlen(tmp_buf) + 1)) == 3786 NULL) { 3787 warn("malloc"); 3788 return (ENOMEM); 3789 } 3790 (void) strcpy(*action, tmp_buf); 3791 *buf = CURL_BEGIN; 3792 } else { 3793 /* We have hit a space */ 3794 *buf++ = NULL; 3795 /* Allocate an extra byte for the null also */ 3796 if ((*action = malloc(strlen(tmp_buf) + 1)) == 3797 NULL) { 3798 warn("malloc"); 3799 return (ENOMEM); 3800 } 3801 (void) strcpy(*action, tmp_buf); 3802 } 3803 /* 3804 * Copy the rest of the line into the 3805 * leftover buffer. 3806 */ 3807 if (*buf != NULL) { 3808 (void) strlcpy(lo_buf, buf, sizeof (lo_buf)); 3809 *leftover = lo_buf; 3810 } else { 3811 *leftover = NULL; 3812 } 3813 } else { 3814 /* Allocate an extra byte for the null also */ 3815 if ((*action = malloc(strlen(tmp_buf) + 1)) == 3816 NULL) { 3817 warn("malloc"); 3818 return (ENOMEM); 3819 } 3820 (void) strcpy(*action, tmp_buf); 3821 *leftover = NULL; 3822 } 3823 if (argindex >= ARG_BUF_LEN) { 3824 warnx(gettext("(parsing one command) " 3825 "Too many selectors before action.")); 3826 return (-1); 3827 } 3828 arg_indices[argindex++] = linecount; 3829 return (PARSE_SUCCESS); 3830 } 3831 /* 3832 * Return error, on an empty action field. 3833 */ 3834 error: 3835 warnx(gettext("(parsing one command) " 3836 "Missing action token.")); 3837 return (-1); 3838 } 3839 3840 /* 3841 * This is called to parse pattern or properties that is enclosed 3842 * between CURL_BEGIN and CURL_END. 3843 */ 3844 static int 3845 parse_pattern_or_prop(FILE *fp, char *argvec[], char **leftover) 3846 { 3847 char *cp; 3848 int i = 0; 3849 boolean_t curl_begin_seen = B_FALSE; 3850 char ibuf[MAXLEN]; 3851 char *tmp_buf; 3852 char *buf; 3853 boolean_t new_stuff; 3854 3855 /* 3856 * When parsing properties, leftover buffer could have the 3857 * leftovers of the previous fgets(). 3858 */ 3859 if (*leftover != NULL) { 3860 buf = *leftover; 3861 new_stuff = B_FALSE; 3862 goto scan; 3863 } 3864 while (fgets(ibuf, MAXLEN, fp) != NULL) { 3865 new_stuff = B_TRUE; 3866 #ifdef DEBUG_HEAVY 3867 (void) printf("%s\n", ibuf); 3868 #endif 3869 if (ibuf[strlen(ibuf) - 1] == '\n') 3870 linecount++; 3871 buf = ibuf; 3872 scan: 3873 /* Truncate at the beginning of a comment */ 3874 cp = strchr(buf, '#'); 3875 if (cp != NULL) 3876 *cp = NULL; 3877 3878 /* Skip any whitespace */ 3879 while (*buf != NULL && isspace(*buf)) 3880 buf++; 3881 3882 /* Empty line */ 3883 if (*buf == NULL) 3884 continue; 3885 /* 3886 * Store the command for error reporting 3887 * and ipsec_conf_add(). 3888 */ 3889 if (new_stuff) { 3890 /* 3891 * Check for buffer overflow including the null 3892 * terminating character. 3893 */ 3894 int len = strlen(ibuf); 3895 if ((cbuf_offset + len + 1) >= CBUF_LEN) 3896 return (-1); 3897 (void) strcpy(cbuf + cbuf_offset, ibuf); 3898 cbuf_offset += len; 3899 } 3900 /* 3901 * First non-space character should be 3902 * a curly bracket. 3903 */ 3904 if (!curl_begin_seen) { 3905 if (*buf != CURL_BEGIN) { 3906 /* 3907 * If we never read a newline character, 3908 * we don't want to print 0. 3909 */ 3910 warnx(gettext("line %d : pattern must start " 3911 "with \"%c\" character"), 3912 (linecount == 0) ? 1 : linecount, 3913 CURL_BEGIN); 3914 return (-1); 3915 } 3916 buf++; 3917 curl_begin_seen = B_TRUE; 3918 } 3919 /* 3920 * Arguments are separated by white spaces or 3921 * newlines. Scan till you see a CURL_END. 3922 */ 3923 while (*buf != NULL) { 3924 if (*buf == CURL_END) { 3925 ret: 3926 *buf++ = NULL; 3927 /* 3928 * Copy the rest of the line into the 3929 * leftover buffer if any. 3930 */ 3931 if (*buf != NULL) { 3932 (void) strlcpy(lo_buf, buf, 3933 sizeof (lo_buf)); 3934 *leftover = lo_buf; 3935 } else { 3936 *leftover = NULL; 3937 } 3938 return (PARSE_SUCCESS); 3939 } 3940 /* 3941 * Skip any trailing whitespace until we see a 3942 * non white-space character. 3943 */ 3944 while (*buf != NULL && isspace(*buf)) 3945 buf++; 3946 3947 if (*buf == CURL_END) 3948 goto ret; 3949 3950 /* Scan the next line as this buffer is empty */ 3951 if (*buf == NULL) 3952 break; 3953 3954 if (i >= MAXARGS) { 3955 warnx( 3956 gettext("Number of Arguments exceeded %d"), 3957 i); 3958 return (-1); 3959 } 3960 /* 3961 * Non-empty, Non-space buffer. 3962 */ 3963 tmp_buf = buf++; 3964 /* 3965 * Real scan of the argument takes place here. 3966 * Skip past till space or CURL_END. 3967 */ 3968 while (*buf != NULL && !isspace(*buf) && 3969 *buf != CURL_END) { 3970 buf++; 3971 } 3972 /* 3973 * Either a space or we have hit the CURL_END or 3974 * the real end. 3975 */ 3976 if (*buf != NULL) { 3977 if (*buf == CURL_END) { 3978 *buf++ = NULL; 3979 if ((argvec[i] = malloc(strlen(tmp_buf) 3980 + 1)) == NULL) { 3981 warn("malloc"); 3982 return (ENOMEM); 3983 } 3984 if (strlen(tmp_buf) != 0) { 3985 (void) strcpy(argvec[i], 3986 tmp_buf); 3987 if (argindex >= ARG_BUF_LEN) 3988 goto toomanyargs; 3989 arg_indices[argindex++] = 3990 linecount; 3991 } 3992 /* 3993 * Copy the rest of the line into the 3994 * leftover buffer. 3995 */ 3996 if (*buf != NULL) { 3997 (void) strlcpy(lo_buf, buf, 3998 sizeof (lo_buf)); 3999 *leftover = lo_buf; 4000 } else { 4001 *leftover = NULL; 4002 } 4003 return (PARSE_SUCCESS); 4004 } else { 4005 *buf++ = NULL; 4006 } 4007 } 4008 /* 4009 * Copy this argument and scan for the buffer more 4010 * if it is non-empty. If it is empty scan for 4011 * the next line. 4012 */ 4013 if ((argvec[i] = malloc(strlen(tmp_buf) + 1)) == 4014 NULL) { 4015 warn("malloc"); 4016 return (ENOMEM); 4017 } 4018 (void) strcpy(argvec[i++], tmp_buf); 4019 if (argindex >= ARG_BUF_LEN) { 4020 /* 4021 * The number of tokens in a single policy entry 4022 * exceeds the number of buffers available to fully 4023 * parse the policy entry. 4024 */ 4025 toomanyargs: 4026 warnx(gettext("(parsing one command) " 4027 "Too many tokens in single policy entry.")); 4028 return (-1); 4029 } 4030 arg_indices[argindex++] = linecount; 4031 } 4032 } 4033 /* 4034 * If nothing is given in the file, it is okay. 4035 * If something is given in the file and it is 4036 * not CURL_BEGIN, we would have returned error 4037 * above. If curl_begin_seen and we are here, 4038 * something is wrong. 4039 */ 4040 if (curl_begin_seen) { 4041 warnx(gettext("(parsing one command) " 4042 "Pattern or Properties incomplete.")); 4043 return (-1); 4044 } 4045 return (PARSE_EOF); /* Nothing more in the file */ 4046 } 4047 4048 /* 4049 * Parse one command i.e {pattern} action {properties}. 4050 * 4051 * {pattern} ( action {prop} | pass | drop ) (or ...)* 4052 */ 4053 static int 4054 parse_one(FILE *fp, act_prop_t *act_props) 4055 { 4056 char *leftover; 4057 int ret; 4058 int i; 4059 int ap_num = 0; 4060 enum parse_state {pattern, action, prop } pstate; 4061 4062 has_daprefix = has_saprefix = B_FALSE; 4063 4064 (void) memset(act_props, 0, sizeof (act_prop_t)); 4065 pstate = pattern; 4066 4067 ret = 0; 4068 leftover = NULL; 4069 argindex = 0; 4070 cbuf_offset = 0; 4071 assert(shp == NULL && dhp == NULL); 4072 4073 for (;;) { 4074 switch (pstate) { 4075 case pattern: 4076 { 4077 #ifdef DEBUG_HEAVY 4078 (void) printf("pattern\n"); 4079 #endif 4080 ret = parse_pattern_or_prop(fp, 4081 act_props->pattern, &leftover); 4082 if (ret == PARSE_EOF) { 4083 /* EOF reached */ 4084 return (PARSE_EOF); 4085 } 4086 if (ret != 0) { 4087 ret = -1; 4088 goto err; 4089 } 4090 pstate = action; 4091 break; 4092 } 4093 case action: 4094 { 4095 #ifdef DEBUG_HEAVY 4096 (void) printf("action\n"); 4097 #endif 4098 ret = parse_action(fp, 4099 &act_props->ap[ap_num].act, &leftover); 4100 if (ret != 0) { 4101 ret = -1; 4102 goto err; 4103 } 4104 4105 /* 4106 * Validate action now itself so that we don't 4107 * proceed too much into the bad world. 4108 */ 4109 for (i = 0; action_table[i].string; i++) { 4110 if (strcmp(act_props->ap[ap_num].act, 4111 action_table[i].string) == 0) 4112 break; 4113 } 4114 4115 if (action_table[i].tok_val == TOK_or) { 4116 /* hit an or, go again */ 4117 break; 4118 } 4119 4120 if (action_table[i].string == NULL) { 4121 /* 4122 * If we never read a newline 4123 * character, we don't want 4124 * to print 0. 4125 */ 4126 warnx(gettext("(parsing one command) " 4127 "Invalid action on line %d: %s"), 4128 (linecount == 0) ? 1 : linecount, 4129 act_props->ap[ap_num].act); 4130 return (-1); 4131 } 4132 4133 pstate = prop; 4134 break; 4135 } 4136 case prop: 4137 { 4138 #ifdef DEBUG_HEAVY 4139 (void) printf("prop\n"); 4140 #endif 4141 ret = parse_pattern_or_prop(fp, 4142 act_props->ap[ap_num].prop, &leftover); 4143 if (ret != 0) { 4144 if (ret == PARSE_EOF) { 4145 warnx(gettext("(parsing one command) " 4146 "Missing properties.")); 4147 } 4148 ret = -1; 4149 goto err; 4150 } 4151 4152 if (leftover != NULL) { 4153 /* Accomodate spaces at the end */ 4154 while (*leftover != NULL) { 4155 if (*leftover == BACK_SLASH) { 4156 warnx(gettext("Invalid line " 4157 "continuation character.")); 4158 ret = -1; 4159 goto err; 4160 } 4161 if (*leftover == 'o') { 4162 leftover++; 4163 if (*leftover == 'r') { 4164 leftover++; 4165 ap_num++; 4166 pstate = action; 4167 goto again; 4168 } 4169 } 4170 if (!isspace(*leftover)) { 4171 ret = -1; 4172 goto err; 4173 } 4174 leftover++; 4175 } 4176 return (0); 4177 } 4178 ap_num++; 4179 if (ap_num > MAXARGS) 4180 return (0); 4181 pstate = action; /* or */ 4182 break; 4183 } /* case prop: */ 4184 } /* switch(pstate) */ 4185 4186 again: 4187 if (ap_num > MAXARGS) { 4188 warnx(gettext("Too many actions.")); 4189 return (-1); 4190 } 4191 } /* for(;;) */ 4192 err: 4193 if (ret != 0) { 4194 /* 4195 * If we never read a newline character, we don't want 4196 * to print 0. 4197 */ 4198 warnx(gettext("Error before or at line %d"), 4199 (linecount == 0) ? 1 : linecount); 4200 } 4201 return (ret); 4202 } 4203 4204 /* 4205 * convert an act_propts_t to an ips_conf_t 4206 */ 4207 4208 static int 4209 form_ipsec_conf(act_prop_t *act_props, ips_conf_t *cptr) 4210 { 4211 int i, j, k; 4212 int tok_count = 0; 4213 struct protoent *pent; 4214 boolean_t saddr, daddr, ipsec_aalg, ipsec_ealg, ipsec_eaalg, dir; 4215 boolean_t old_style, new_style, auth_covered, is_no_alg; 4216 boolean_t is_combined_mode; 4217 struct in_addr mask; 4218 int line_no; 4219 int ret; 4220 int ap_num = 0; 4221 int type, code, type_end, code_end; 4222 #ifdef DEBUG_HEAVY 4223 /* 4224 * pattern => act_props->pattern 4225 * action => act_props->ap[].act 4226 * properties => act_props->ap[].prop 4227 */ 4228 (void) printf("\npattern\n------------\n"); 4229 for (i = 0; act_props->pattern[i] != NULL; i++) 4230 (void) printf("%s\n", act_props->pattern[i]); 4231 (void) printf("apz\n----------\n"); 4232 for (j = 0; act_props->ap[j].act != NULL; j++) { 4233 4234 (void) printf("act%d->%s\n", j, act_props->ap[j].act); 4235 for (i = 0; act_props->ap[j].prop[i] != NULL; i++) 4236 (void) printf("%dprop%d->%s\n", 4237 j, i, act_props->ap[j].prop[i]); 4238 } 4239 (void) printf("------------\n\n"); 4240 #endif 4241 4242 (void) memset(cptr, 0, sizeof (ips_conf_t)); 4243 saddr = daddr = ipsec_aalg = ipsec_ealg = ipsec_eaalg = dir = B_FALSE; 4244 old_style = new_style = is_no_alg = is_combined_mode = B_FALSE; 4245 /* 4246 * Get the Pattern. NULL pattern is valid. 4247 */ 4248 for (i = 0, line_no = 0; act_props->pattern[i]; i++, line_no++) { 4249 for (j = 0; pattern_table[j].string; j++) { 4250 if (strcmp(act_props->pattern[i], 4251 pattern_table[j].string) == 0) 4252 break; 4253 } 4254 4255 if (pattern_table[j].string == NULL) { 4256 /* 4257 * If we never read a newline character, we don't want 4258 * to print 0. 4259 */ 4260 warnx(gettext("Invalid pattern on line %d: %s"), 4261 (arg_indices[line_no] == 0) ? 1 : 4262 arg_indices[line_no], act_props->pattern[i]); 4263 return (-1); 4264 } 4265 4266 cptr->patt_tok[tok_count++] = pattern_table[j].tok_val; 4267 4268 switch (pattern_table[j].tok_val) { 4269 4270 case TOK_dir: 4271 i++, line_no++; 4272 if (act_props->pattern[i] == NULL) { 4273 error_message(BAD_ERROR, 4274 IPSEC_CONF_IPSEC_DIR, line_no); 4275 return (-1); 4276 } 4277 4278 if (strncmp(act_props->pattern[i], "in", 2) == 0) { 4279 cptr->ips_dir = SPD_RULE_FLAG_INBOUND; 4280 } else if (strncmp( 4281 act_props->pattern[i], "out", 3) == 0) { 4282 cptr->ips_dir = SPD_RULE_FLAG_OUTBOUND; 4283 } else if (strncmp( 4284 act_props->pattern[i], "both", 4) == 0) { 4285 if (old_style) { 4286 error_message(BAD_ERROR, 4287 IPSEC_CONF_IPSEC_DIR, line_no); 4288 return (-1); 4289 } 4290 new_style = B_TRUE; 4291 cptr->ips_dir = 4292 SPD_RULE_FLAG_OUTBOUND | 4293 SPD_RULE_FLAG_INBOUND; 4294 } else { 4295 error_message(BAD_ERROR, 4296 IPSEC_CONF_IPSEC_DIR, line_no); 4297 return (-1); 4298 } 4299 dir = B_TRUE; 4300 break; 4301 4302 case TOK_local: 4303 if (old_style) { 4304 error_message(BAD_ERROR, 4305 IPSEC_CONF_SRC_ADDRESS, line_no); 4306 return (-1); 4307 } 4308 new_style = B_TRUE; 4309 4310 if (saddr) { 4311 error_message(DUP_ERROR, 4312 IPSEC_CONF_SRC_ADDRESS, line_no); 4313 return (-1); 4314 } 4315 /* 4316 * Use this to detect duplicates rather 4317 * than 0 like other cases, because 0 for 4318 * address means INADDR_ANY. 4319 */ 4320 saddr = B_TRUE; 4321 cptr->has_saddr = 1; 4322 /* 4323 * Advance to the string containing 4324 * the address. 4325 */ 4326 i++, line_no++; 4327 if (act_props->pattern[i] == NULL) { 4328 error_message(BAD_ERROR, 4329 IPSEC_CONF_SRC_ADDRESS, line_no); 4330 return (-1); 4331 } 4332 if (parse_address(IPSEC_CONF_SRC_ADDRESS, 4333 act_props->pattern[i]) != 0) { 4334 error_message(BAD_ERROR, 4335 IPSEC_CONF_SRC_ADDRESS, line_no); 4336 return (-1); 4337 } 4338 if (!cptr->has_smask) 4339 cptr->has_smask = has_saprefix; 4340 4341 break; 4342 case TOK_remote: 4343 if (old_style) { 4344 error_message(BAD_ERROR, 4345 IPSEC_CONF_DST_ADDRESS, line_no); 4346 return (-1); 4347 } 4348 new_style = B_TRUE; 4349 4350 if (daddr) { 4351 error_message(DUP_ERROR, 4352 IPSEC_CONF_DST_ADDRESS, line_no); 4353 return (-1); 4354 } 4355 /* 4356 * Use this to detect duplicates rather 4357 * than 0 like other cases, because 0 for 4358 * address means INADDR_ANY. 4359 */ 4360 daddr = B_TRUE; 4361 cptr->has_daddr = 1; 4362 /* 4363 * Advance to the string containing 4364 * the address. 4365 */ 4366 i++, line_no++; 4367 if (act_props->pattern[i] == NULL) { 4368 error_message(BAD_ERROR, 4369 IPSEC_CONF_DST_ADDRESS, line_no); 4370 return (-1); 4371 } 4372 if (parse_address(IPSEC_CONF_DST_ADDRESS, 4373 act_props->pattern[i]) != 0) { 4374 error_message(BAD_ERROR, 4375 IPSEC_CONF_DST_ADDRESS, line_no); 4376 return (-1); 4377 } 4378 if (!cptr->has_dmask) 4379 cptr->has_dmask = has_daprefix; 4380 break; 4381 4382 case TOK_saddr: 4383 if (new_style) { 4384 error_message(BAD_ERROR, 4385 IPSEC_CONF_SRC_ADDRESS, line_no); 4386 return (-1); 4387 } 4388 old_style = B_TRUE; 4389 4390 if (saddr) { 4391 error_message(DUP_ERROR, 4392 IPSEC_CONF_SRC_ADDRESS, line_no); 4393 return (-1); 4394 } 4395 /* 4396 * Use this to detect duplicates rather 4397 * than 0 like other cases, because 0 for 4398 * address means INADDR_ANY. 4399 */ 4400 saddr = B_TRUE; 4401 cptr->has_saddr = 1; 4402 /* 4403 * Advance to the string containing 4404 * the address. 4405 */ 4406 i++, line_no++; 4407 if (act_props->pattern[i] == NULL) { 4408 error_message(BAD_ERROR, 4409 IPSEC_CONF_SRC_ADDRESS, line_no); 4410 return (-1); 4411 } 4412 4413 if (parse_address(IPSEC_CONF_SRC_ADDRESS, 4414 act_props->pattern[i]) != 0) { 4415 error_message(BAD_ERROR, 4416 IPSEC_CONF_SRC_ADDRESS, line_no); 4417 return (-1); 4418 } 4419 /* shp or bhp? */ 4420 if (!cptr->has_smask) 4421 cptr->has_smask = has_saprefix; 4422 break; 4423 4424 case TOK_daddr: 4425 if (new_style) { 4426 error_message(BAD_ERROR, 4427 IPSEC_CONF_DST_ADDRESS, line_no); 4428 return (-1); 4429 } 4430 old_style = B_TRUE; 4431 4432 if (daddr) { 4433 error_message(DUP_ERROR, 4434 IPSEC_CONF_DST_ADDRESS, line_no); 4435 return (-1); 4436 } 4437 /* 4438 * Use this to detect duplicates rather 4439 * than 0 like other cases, because 0 for 4440 * address means INADDR_ANY. 4441 */ 4442 daddr = B_TRUE; 4443 cptr->has_daddr = 1; 4444 /* 4445 * Advance to the string containing 4446 * the address. 4447 */ 4448 i++, line_no++; 4449 if (act_props->pattern[i] == NULL) { 4450 error_message(BAD_ERROR, 4451 IPSEC_CONF_DST_ADDRESS, line_no); 4452 return (-1); 4453 } 4454 if (parse_address(IPSEC_CONF_DST_ADDRESS, 4455 act_props->pattern[i]) != 0) { 4456 error_message(BAD_ERROR, 4457 IPSEC_CONF_DST_ADDRESS, line_no); 4458 return (-1); 4459 } 4460 if (!cptr->has_dmask) 4461 cptr->has_dmask = has_daprefix; 4462 break; 4463 4464 case TOK_sport: 4465 if (new_style) { 4466 error_message(BAD_ERROR, 4467 IPSEC_CONF_SRC_PORT, line_no); 4468 return (-1); 4469 } 4470 old_style = B_TRUE; 4471 4472 if (cptr->ips_src_port_min != 0) { 4473 error_message(DUP_ERROR, IPSEC_CONF_SRC_PORT, 4474 line_no); 4475 return (-1); 4476 } 4477 i++, line_no++; 4478 if (act_props->pattern[i] == NULL) { 4479 error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT, 4480 line_no); 4481 return (-1); 4482 } 4483 ret = parse_port(IPSEC_CONF_SRC_PORT, 4484 act_props->pattern[i], cptr); 4485 if (ret != 0) { 4486 error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT, 4487 line_no); 4488 return (-1); 4489 } 4490 break; 4491 case TOK_dport: 4492 if (new_style) { 4493 error_message(BAD_ERROR, 4494 IPSEC_CONF_DST_PORT, line_no); 4495 return (-1); 4496 } 4497 old_style = B_TRUE; 4498 4499 if (cptr->ips_dst_port_min != 0) { 4500 error_message(DUP_ERROR, IPSEC_CONF_DST_PORT, 4501 line_no); 4502 return (-1); 4503 } 4504 i++, line_no++; 4505 if (act_props->pattern[i] == NULL) { 4506 error_message(BAD_ERROR, IPSEC_CONF_DST_PORT, 4507 line_no); 4508 return (-1); 4509 } 4510 ret = parse_port(IPSEC_CONF_DST_PORT, 4511 act_props->pattern[i], 4512 cptr); 4513 if (ret != 0) { 4514 error_message(BAD_ERROR, IPSEC_CONF_DST_PORT, 4515 line_no); 4516 return (-1); 4517 } 4518 break; 4519 4520 case TOK_lport: 4521 if (old_style) { 4522 error_message(BAD_ERROR, 4523 IPSEC_CONF_SRC_PORT, line_no); 4524 return (-1); 4525 } 4526 new_style = B_TRUE; 4527 4528 if (cptr->ips_src_port_min != 0) { 4529 error_message(DUP_ERROR, IPSEC_CONF_SRC_PORT, 4530 line_no); 4531 return (-1); 4532 } 4533 i++, line_no++; 4534 if (act_props->pattern[i] == NULL) { 4535 error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT, 4536 line_no); 4537 return (-1); 4538 } 4539 ret = parse_port(IPSEC_CONF_SRC_PORT, 4540 act_props->pattern[i], 4541 cptr); 4542 if (ret != 0) { 4543 error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT, 4544 line_no); 4545 return (-1); 4546 } 4547 break; 4548 4549 case TOK_rport: 4550 if (old_style) { 4551 error_message(BAD_ERROR, 4552 IPSEC_CONF_DST_PORT, line_no); 4553 return (-1); 4554 } 4555 new_style = B_TRUE; 4556 4557 if (cptr->ips_dst_port_min != 0) { 4558 error_message(DUP_ERROR, IPSEC_CONF_DST_PORT, 4559 line_no); 4560 return (-1); 4561 } 4562 i++, line_no++; 4563 if (act_props->pattern[i] == NULL) { 4564 error_message(BAD_ERROR, IPSEC_CONF_DST_PORT, 4565 line_no); 4566 return (-1); 4567 } 4568 ret = parse_port(IPSEC_CONF_DST_PORT, 4569 act_props->pattern[i], 4570 cptr); 4571 if (ret != 0) { 4572 error_message(BAD_ERROR, IPSEC_CONF_DST_PORT, 4573 line_no); 4574 return (-1); 4575 } 4576 break; 4577 4578 case TOK_smask: 4579 if (new_style) { 4580 error_message(BAD_ERROR, 4581 IPSEC_CONF_SRC_MASK, line_no); 4582 return (-1); 4583 } 4584 old_style = B_TRUE; 4585 cptr->has_smask = B_TRUE; 4586 4587 IN6_V4MAPPED_TO_INADDR(&cptr->ips_src_mask_v6, &mask); 4588 if (mask.s_addr != 0) { 4589 error_message(DUP_ERROR, IPSEC_CONF_SRC_MASK, 4590 line_no); 4591 return (-1); 4592 } 4593 i++, line_no++; 4594 if (act_props->pattern[i] == NULL) { 4595 error_message(BAD_ERROR, IPSEC_CONF_SRC_MASK, 4596 line_no); 4597 return (-1); 4598 } 4599 ret = parse_mask(IPSEC_CONF_SRC_MASK, 4600 act_props->pattern[i], 4601 cptr); 4602 if (ret != 0) { 4603 error_message(BAD_ERROR, IPSEC_CONF_SRC_MASK, 4604 line_no); 4605 return (-1); 4606 } 4607 break; 4608 case TOK_dmask: 4609 if (new_style) { 4610 error_message(BAD_ERROR, 4611 IPSEC_CONF_DST_MASK, line_no); 4612 return (-1); 4613 } 4614 old_style = B_TRUE; 4615 cptr->has_dmask = B_TRUE; 4616 4617 IN6_V4MAPPED_TO_INADDR(&cptr->ips_dst_mask_v6, &mask); 4618 if (mask.s_addr != 0) { 4619 error_message(DUP_ERROR, IPSEC_CONF_DST_MASK, 4620 line_no); 4621 return (-1); 4622 } 4623 i++, line_no++; 4624 if (act_props->pattern[i] == NULL) { 4625 error_message(BAD_ERROR, IPSEC_CONF_DST_MASK, 4626 line_no); 4627 return (-1); 4628 } 4629 ret = parse_mask(IPSEC_CONF_DST_MASK, 4630 act_props->pattern[i], 4631 cptr); 4632 if (ret != 0) { 4633 error_message(BAD_ERROR, IPSEC_CONF_DST_MASK, 4634 line_no); 4635 return (-1); 4636 } 4637 break; 4638 case TOK_ulp: 4639 if (cptr->ips_ulp_prot != 0) { 4640 error_message(DUP_ERROR, 4641 IPSEC_CONF_ULP, line_no); 4642 return (-1); 4643 } 4644 i++, line_no++; 4645 if (act_props->pattern[i] == NULL) { 4646 error_message(BAD_ERROR, 4647 IPSEC_CONF_ULP, line_no); 4648 return (-1); 4649 } 4650 pent = getprotobyname(act_props->pattern[i]); 4651 if (pent == NULL) { 4652 int ulp; 4653 ulp = parse_int(act_props->pattern[i]); 4654 if (ulp == -1) { 4655 error_message(BAD_ERROR, 4656 IPSEC_CONF_ULP, line_no); 4657 return (-1); 4658 } 4659 cptr->ips_ulp_prot = ulp; 4660 } else { 4661 cptr->ips_ulp_prot = pent->p_proto; 4662 } 4663 break; 4664 case TOK_type: 4665 if (cptr->has_type) { 4666 error_message(DUP_ERROR, 4667 IPSEC_CONF_ICMP_TYPE, line_no); 4668 return (-1); 4669 } 4670 4671 i++, line_no++; 4672 type = parse_type_code(act_props->pattern[i], 4673 icmp_type_table); 4674 4675 if (type > 65536 || type < 0) { 4676 error_message(BAD_ERROR, 4677 IPSEC_CONF_ICMP_TYPE, line_no); 4678 return (-1); 4679 } 4680 4681 type_end = type / 256; 4682 type = type % 256; 4683 4684 if (type_end < type) 4685 type_end = type; 4686 4687 cptr->has_type = 1; 4688 cptr->ips_icmp_type = (uint8_t)type; 4689 cptr->ips_icmp_type_end = (uint8_t)type_end; 4690 break; 4691 case TOK_code: 4692 if (!cptr->has_type) { 4693 error_message(BAD_ERROR, 4694 IPSEC_CONF_ICMP_CODE, line_no); 4695 return (-1); 4696 } 4697 4698 if (cptr->has_code) { 4699 error_message(DUP_ERROR, 4700 IPSEC_CONF_ICMP_CODE, line_no); 4701 return (-1); 4702 } 4703 4704 i++, line_no++; 4705 4706 code = parse_type_code(act_props->pattern[i], 4707 icmp_code_table); 4708 if (type > 65536 || type < 0) { 4709 error_message(BAD_ERROR, 4710 IPSEC_CONF_ICMP_CODE, line_no); 4711 return (-1); 4712 } 4713 code_end = code / 256; 4714 code = code % 256; 4715 4716 if (code_end < code) 4717 code_end = code; 4718 4719 cptr->has_code = 1; 4720 cptr->ips_icmp_code = (uint8_t)code; 4721 cptr->ips_icmp_code_end = (uint8_t)code_end; 4722 break; 4723 case TOK_tunnel: 4724 if (cptr->has_tunnel == 1) { 4725 error_message(BAD_ERROR, 4726 IPSEC_CONF_TUNNEL, line_no); 4727 return (-1); 4728 } 4729 i++, line_no++; 4730 if (act_props->pattern[i] == NULL) { 4731 error_message(BAD_ERROR, 4732 IPSEC_CONF_TUNNEL, line_no); 4733 return (-1); 4734 } 4735 4736 if (strlcpy(tunif, act_props->pattern[i], 4737 TUNNAMEMAXLEN) >= TUNNAMEMAXLEN) { 4738 error_message(BAD_ERROR, 4739 IPSEC_CONF_TUNNEL, line_no); 4740 return (-1); 4741 } 4742 cptr->has_tunnel = 1; 4743 break; 4744 case TOK_negotiate: 4745 if (cptr->has_negotiate == 1) { 4746 error_message(BAD_ERROR, 4747 IPSEC_CONF_NEGOTIATE, line_no); 4748 return (-1); 4749 } 4750 i++, line_no++; 4751 if (act_props->pattern[i] == NULL) { 4752 error_message(BAD_ERROR, 4753 IPSEC_CONF_NEGOTIATE, line_no); 4754 return (-1); 4755 } 4756 4757 if (strncmp(act_props->pattern[i], "tunnel", 6) == 0) { 4758 cptr->ips_tunnel = B_TRUE; 4759 } else if (strncmp( 4760 act_props->pattern[i], "transport", 9) != 0) { 4761 error_message(BAD_ERROR, 4762 IPSEC_CONF_NEGOTIATE, line_no); 4763 return (-1); 4764 } 4765 cptr->has_negotiate = 1; 4766 break; 4767 } 4768 4769 } 4770 4771 /* Sanity check that certain tokens occur together */ 4772 if (cptr->has_tunnel + cptr->has_negotiate == 1) { 4773 if (cptr->has_negotiate == 0) { 4774 error_message(REQ_ERROR, IPSEC_CONF_NEGOTIATE, line_no); 4775 } else { 4776 error_message(REQ_ERROR, IPSEC_CONF_TUNNEL, line_no); 4777 } 4778 errx(1, gettext( 4779 "tunnel and negotiate tokens must occur together")); 4780 return (-1); 4781 } 4782 4783 /* 4784 * Get the actions. 4785 */ 4786 4787 for (ap_num = 0; act_props->ap[ap_num].act != NULL; ap_num++) { 4788 ips_act_props_t *iap; 4789 4790 if (ap_num > 0) { 4791 /* or's only with new style */ 4792 if (old_style) { 4793 (void) printf("%s\n", gettext( 4794 "or's only with new style")); 4795 return (-1); 4796 } 4797 new_style = B_TRUE; 4798 } 4799 4800 ipsec_aalg = ipsec_ealg = ipsec_eaalg = auth_covered = B_FALSE; 4801 tok_count = 0; 4802 4803 for (k = 0; action_table[k].string; k++) { 4804 if (strcmp(act_props->ap[ap_num].act, 4805 action_table[k].string) == 0) 4806 break; 4807 } 4808 /* 4809 * The following thing should never happen as 4810 * we have already tested for its validity in parse. 4811 */ 4812 if (action_table[k].string == NULL) { 4813 warnx(gettext("(form act)Invalid action on line " 4814 "%d: %s"), (arg_indices[line_no] == 0) ? 1 : 4815 arg_indices[line_no], 4816 act_props->ap[ap_num].act); 4817 warnx("%s", act_props->ap[ap_num].act); 4818 return (-1); 4819 } 4820 4821 /* we have a good action alloc an iap */ 4822 iap = alloc_iap(cptr); 4823 4824 iap->iap_action = action_table[k].value; 4825 iap->iap_act_tok = action_table[k].tok_val; 4826 4827 switch (action_table[k].tok_val) { 4828 case TOK_apply: 4829 cptr->ips_dir = SPD_RULE_FLAG_OUTBOUND; 4830 break; 4831 case TOK_permit: 4832 cptr->ips_dir = SPD_RULE_FLAG_INBOUND; 4833 break; 4834 case TOK_ipsec: 4835 if (old_style) { 4836 /* Using saddr/daddr with ipsec action. */ 4837 if (!dir) { 4838 /* No direction specified */ 4839 error_message(REQ_ERROR, 4840 IPSEC_CONF_IPSEC_DIR, line_no); 4841 return (-1); 4842 } 4843 if (cptr->ips_dir == SPD_RULE_FLAG_INBOUND) 4844 /* 4845 * Need to swap addresses if 4846 * 'dir in' or translation to 4847 * laddr/raddr will be incorrect. 4848 */ 4849 cptr->swap = 1; 4850 } 4851 if (!dir) 4852 cptr->ips_dir = 4853 SPD_RULE_FLAG_INBOUND 4854 |SPD_RULE_FLAG_OUTBOUND; 4855 break; 4856 case TOK_bypass: 4857 case TOK_drop: 4858 is_no_alg = B_TRUE; 4859 break; 4860 } 4861 4862 line_no++; 4863 /* 4864 * Get the properties. NULL properties is not valid. 4865 * Later checks will catch it. 4866 */ 4867 for (i = 0; act_props->ap[ap_num].prop[i]; i++, line_no++) { 4868 for (j = 0; property_table[j].string; j++) { 4869 if (strcmp(act_props->ap[ap_num].prop[i], 4870 property_table[j].string) == 0) { 4871 break; 4872 } 4873 } 4874 if (property_table[j].string == NULL) { 4875 warnx(gettext("Invalid properties on line " 4876 "%d: %s"), 4877 (arg_indices[line_no] == 0) ? 4878 1 : arg_indices[line_no], 4879 act_props->ap[ap_num].prop[i]); 4880 return (-1); 4881 } 4882 4883 iap->iap_attr_tok[tok_count++] 4884 = property_table[j].value; 4885 4886 switch (property_table[j].value) { 4887 case SPD_ATTR_AH_AUTH: 4888 if (ipsec_aalg) { 4889 error_message(DUP_ERROR, 4890 IPSEC_CONF_IPSEC_AALGS, line_no); 4891 return (-1); 4892 } 4893 i++, line_no++; 4894 if (act_props->ap[ap_num].prop[i] == NULL) { 4895 error_message(BAD_ERROR, 4896 IPSEC_CONF_IPSEC_AALGS, line_no); 4897 return (-1); 4898 } 4899 ret = parse_ipsec_alg( 4900 act_props->ap[ap_num].prop[i], 4901 iap, SPD_ATTR_AH_AUTH); 4902 if (ret == -2) { 4903 /* "none" - ignore */ 4904 break; 4905 } 4906 if (ret != 0) { 4907 error_message(BAD_ERROR, 4908 IPSEC_CONF_IPSEC_AALGS, line_no); 4909 return (-1); 4910 } 4911 ipsec_aalg = B_TRUE; 4912 auth_covered = B_TRUE; 4913 break; 4914 case SPD_ATTR_ESP_ENCR: 4915 /* 4916 * If this option was not given 4917 * and encr_auth_algs was given, 4918 * we provide null-encryption. We do the 4919 * setting after we parse all the options. 4920 */ 4921 if (ipsec_ealg) { 4922 error_message(DUP_ERROR, 4923 IPSEC_CONF_IPSEC_EALGS, line_no); 4924 return (-1); 4925 } 4926 i++, line_no++; 4927 if (act_props->ap[ap_num].prop[i] == NULL) { 4928 error_message(BAD_ERROR, 4929 IPSEC_CONF_IPSEC_EALGS, line_no); 4930 return (-1); 4931 } 4932 ret = parse_ipsec_alg( 4933 act_props->ap[ap_num].prop[i], 4934 iap, SPD_ATTR_ESP_ENCR); 4935 if (ret == -2) { 4936 /* "none" - ignore */ 4937 break; 4938 } 4939 if (ret != 0) { 4940 error_message(BAD_ERROR, 4941 IPSEC_CONF_IPSEC_EALGS, line_no); 4942 return (-1); 4943 } 4944 is_combined_mode = 4945 combined_mode(iap->iap_eencr.alg_id); 4946 ipsec_ealg = B_TRUE; 4947 break; 4948 case SPD_ATTR_ESP_AUTH: 4949 /* 4950 * If this option was not given and encr_algs 4951 * option was given, we still pass a default 4952 * value in ipsc_esp_auth_algs. This is to 4953 * encourage the use of authentication with 4954 * ESP. 4955 */ 4956 if (ipsec_eaalg) { 4957 error_message(DUP_ERROR, 4958 IPSEC_CONF_IPSEC_EAALGS, line_no); 4959 return (-1); 4960 } 4961 i++, line_no++; 4962 if (act_props->ap[ap_num].prop[i] == NULL) { 4963 error_message(BAD_ERROR, 4964 IPSEC_CONF_IPSEC_EAALGS, line_no); 4965 return (-1); 4966 } 4967 ret = parse_ipsec_alg( 4968 act_props->ap[ap_num].prop[i], 4969 iap, SPD_ATTR_ESP_AUTH); 4970 if (ret == -2) { 4971 /* "none" - ignore */ 4972 break; 4973 } 4974 if (ret != 0) { 4975 error_message(BAD_ERROR, 4976 IPSEC_CONF_IPSEC_EAALGS, line_no); 4977 return (-1); 4978 } 4979 ipsec_eaalg = B_TRUE; 4980 auth_covered = B_TRUE; 4981 break; 4982 case IPS_SA: 4983 i++, line_no++; 4984 if (act_props->ap[ap_num].prop[i] == NULL) { 4985 error_message(BAD_ERROR, 4986 IPSEC_CONF_IPSEC_SA, line_no); 4987 return (-1); 4988 } 4989 4990 if (strcmp(act_props->ap[ap_num].prop[i], 4991 "unique") == 0) { 4992 iap->iap_attr |= SPD_APPLY_UNIQUE; 4993 } else if (strcmp(act_props->ap[ap_num].prop[i], 4994 "shared") != 0) { 4995 /* "shared" is default. */ 4996 error_message(BAD_ERROR, 4997 IPSEC_CONF_IPSEC_SA, line_no); 4998 return (-1); 4999 } 5000 5001 break; 5002 case IPS_DIR: 5003 if (dir) { 5004 error_message(DUP_ERROR, 5005 IPSEC_CONF_IPSEC_DIR, line_no); 5006 return (-1); 5007 } 5008 if (new_style) { 5009 error_message(BAD_ERROR, 5010 IPSEC_CONF_IPSEC_DIR, line_no); 5011 return (-1); 5012 } 5013 old_style = B_TRUE; 5014 dir = B_TRUE; 5015 i++, line_no++; 5016 if (act_props->ap[ap_num].prop[i] == NULL) { 5017 error_message(BAD_ERROR, 5018 IPSEC_CONF_IPSEC_DIR, line_no); 5019 return (-1); 5020 } 5021 if (strcmp(act_props->ap[ap_num].prop[i], 5022 "out") == 0) { 5023 cptr->ips_dir = SPD_RULE_FLAG_OUTBOUND; 5024 } else if (strcmp(act_props->ap[ap_num].prop[i], 5025 "in") == 0) { 5026 cptr->ips_dir = SPD_RULE_FLAG_INBOUND; 5027 } else { 5028 error_message(BAD_ERROR, 5029 IPSEC_CONF_IPSEC_DIR, line_no); 5030 return (-1); 5031 } 5032 if ((cptr->ips_dir & SPD_RULE_FLAG_INBOUND) && 5033 iap->iap_act_tok == TOK_apply) { 5034 warnx(gettext("Direction" 5035 " in conflict with action")); 5036 return (-1); 5037 } 5038 if ((cptr->ips_dir & SPD_RULE_FLAG_OUTBOUND) && 5039 iap->iap_act_tok == TOK_permit) { 5040 warnx(gettext("Direction" 5041 "in conflict with action")); 5042 return (-1); 5043 } 5044 5045 break; 5046 } 5047 } 5048 5049 if (is_combined_mode) { 5050 if (ipsec_eaalg) { 5051 warnx(gettext("ERROR: Rule on line %d: " 5052 "Combined mode and esp authentication not " 5053 "supported together."), 5054 arg_indices[line_no] == 0 ? 1 : 5055 arg_indices[line_no]); 5056 return (-1); 5057 } 5058 auth_covered = B_TRUE; 5059 } 5060 /* Warn here about no authentication! */ 5061 if (!auth_covered && !is_no_alg) { 5062 warnx(gettext("DANGER: Rule on line %d " 5063 "has encryption with no authentication."), 5064 arg_indices[line_no] == 0 ? 1 : 5065 arg_indices[line_no]); 5066 } 5067 5068 if (!ipsec_ealg && ipsec_eaalg) { 5069 /* 5070 * If the user has specified the auth alg to be used 5071 * with encryption and did not provide a encryption 5072 * algorithm, provide null encryption. 5073 */ 5074 iap->iap_eencr.alg_id = SADB_EALG_NULL; 5075 ipsec_ealg = B_TRUE; 5076 } 5077 5078 /* Set the level of IPSEC protection we want */ 5079 if (ipsec_aalg && (ipsec_ealg || ipsec_eaalg)) { 5080 iap->iap_attr |= SPD_APPLY_AH|SPD_APPLY_ESP; 5081 } else if (ipsec_aalg) { 5082 iap->iap_attr |= SPD_APPLY_AH; 5083 } else if (ipsec_ealg || ipsec_eaalg) { 5084 iap->iap_attr |= SPD_APPLY_ESP; 5085 } 5086 5087 /* convert src/dst to local/remote */ 5088 if (!new_style) { 5089 switch (cptr->ips_acts->iap_act_tok) { 5090 case TOK_apply: 5091 /* outbound */ 5092 /* src=local, dst=remote */ 5093 /* this is ok. */ 5094 break; 5095 5096 case TOK_permit: 5097 /* inbound */ 5098 /* src=remote, dst=local */ 5099 /* switch */ 5100 cptr->swap = 1; 5101 break; 5102 case TOK_bypass: 5103 case TOK_drop: 5104 /* check the direction for what to do */ 5105 if (cptr->ips_dir == SPD_RULE_FLAG_INBOUND) 5106 cptr->swap = 1; 5107 break; 5108 default: 5109 break; 5110 } 5111 } 5112 /* Validate the properties */ 5113 if (ret = validate_properties(iap, dir, 5114 (ipsec_aalg || ipsec_ealg || ipsec_eaalg))) { 5115 return (ret); 5116 } 5117 } 5118 5119 return (0); 5120 5121 } 5122 5123 static int 5124 print_cmd_buf(FILE *fp, int error) 5125 { 5126 *(cbuf + cbuf_offset) = '\0'; 5127 5128 if (fp == stderr) { 5129 if (error != EEXIST) { 5130 warnx(gettext("Malformed command (fatal):\n%s"), cbuf); 5131 return (0); 5132 } 5133 if (ipsecconf_qflag) { 5134 return (0); 5135 } 5136 warnx(gettext("Duplicate policy entry (ignored):\n%s"), cbuf); 5137 } else { 5138 if (fprintf(fp, "%s", cbuf) == -1) { 5139 warn("fprintf"); 5140 return (-1); 5141 } 5142 } 5143 5144 return (0); 5145 } 5146 5147 #ifdef DEBUG 5148 5149 static uchar_t * 5150 addr_ptr(int isv4, struct in6_addr *addr6, struct in_addr *addr4) 5151 { 5152 if (isv4) { 5153 IN6_V4MAPPED_TO_INADDR(addr6, addr4); 5154 return ((uchar_t *)&addr4->s_addr); 5155 } else { 5156 return ((uchar_t *)&addr6->s6_addr); 5157 } 5158 } 5159 5160 static void 5161 dump_algreq(const char *tag, algreq_t *alg) 5162 { 5163 (void) printf("%s algid %d, bits %d..%d\n", 5164 tag, alg->alg_id, alg->alg_minbits, alg->alg_maxbits); 5165 } 5166 5167 static void 5168 dump_conf(ips_conf_t *conf) 5169 { 5170 boolean_t isv4 = conf->ips_isv4; 5171 struct in_addr addr; 5172 char buf[INET6_ADDRSTRLEN]; 5173 int af; 5174 ips_act_props_t *iap = conf->ips_acts; 5175 5176 af = isv4 ? AF_INET : AF_INET6; 5177 5178 (void) printf("Source Addr is %s\n", 5179 inet_ntop(af, addr_ptr(isv4, &conf->ips_src_addr_v6, &addr), 5180 buf, INET6_ADDRSTRLEN)); 5181 5182 (void) printf("Dest Addr is %s\n", 5183 inet_ntop(af, addr_ptr(isv4, &conf->ips_dst_addr_v6, &addr), 5184 buf, INET6_ADDRSTRLEN)); 5185 5186 (void) printf("Source Mask is %s\n", 5187 inet_ntop(af, addr_ptr(isv4, &conf->ips_src_mask_v6, &addr), 5188 buf, INET6_ADDRSTRLEN)); 5189 5190 (void) printf("Dest Mask is %s\n", 5191 inet_ntop(af, addr_ptr(isv4, &conf->ips_dst_mask_v6, &addr), 5192 buf, INET6_ADDRSTRLEN)); 5193 5194 (void) printf("Source port %d\n", ntohs(conf->ips_src_port_min)); 5195 (void) printf("Dest port %d\n", ntohs(conf->ips_dst_port_min)); 5196 (void) printf("ULP %d\n", conf->ips_ulp_prot); 5197 5198 (void) printf("ICMP type %d-%d code %d-%d", conf->ips_icmp_type, 5199 conf->ips_icmp_type_end, 5200 conf->ips_icmp_code, 5201 conf->ips_icmp_code_end); 5202 5203 while (iap != NULL) { 5204 (void) printf("------------------------------------\n"); 5205 (void) printf("IPsec act is %d\n", iap->iap_action); 5206 (void) printf("IPsec attr is %d\n", iap->iap_attr); 5207 dump_algreq("AH authentication", &iap->iap_aauth); 5208 dump_algreq("ESP authentication", &iap->iap_eauth); 5209 dump_algreq("ESP encryption", &iap->iap_eencr); 5210 (void) printf("------------------------------------\n"); 5211 iap = iap->iap_next; 5212 } 5213 5214 (void) fflush(stdout); 5215 } 5216 #endif /* DEBUG */ 5217 5218 5219 static int 5220 ipsec_conf_add(boolean_t just_check, boolean_t smf_managed, boolean_t replace) 5221 { 5222 act_prop_t *act_props = malloc(sizeof (act_prop_t)); 5223 ips_conf_t conf; 5224 FILE *fp, *policy_fp; 5225 int ret, flushret, i, j, diag, num_rules, good_rules; 5226 char *warning = gettext( 5227 "\tWARNING : New policy entries that are being added may\n " 5228 "\taffect the existing connections. Existing connections\n" 5229 "\tthat are not subjected to policy constraints, may be\n" 5230 "\tsubjected to policy constraints because of the new\n" 5231 "\tpolicy. This can disrupt the communication of the\n" 5232 "\texisting connections.\n\n"); 5233 5234 boolean_t first_time = B_TRUE; 5235 num_rules = 0; 5236 good_rules = 0; 5237 5238 if (act_props == NULL) { 5239 warn(gettext("memory")); 5240 return (-1); 5241 } 5242 5243 if (strcmp(filename, "-") == 0) 5244 fp = stdin; 5245 else 5246 fp = fopen(filename, "r"); 5247 5248 /* 5249 * Treat the non-existence of a policy file as a special 5250 * case when ipsecconf is being managed by smf(5). 5251 * The assumption is the administrator has not yet 5252 * created a policy file, this should not force the service 5253 * into maintenance mode. 5254 */ 5255 5256 if (fp == NULL) { 5257 if (smf_managed) { 5258 (void) fprintf(stdout, gettext( 5259 "Policy configuration file (%s) does not exist.\n" 5260 "IPsec policy not configured.\n"), filename); 5261 return (0); 5262 } 5263 warn(gettext("%s : Policy config file cannot be opened"), 5264 filename); 5265 usage(); 5266 return (-1); 5267 } 5268 /* 5269 * This will create the file if it does not exist. 5270 * Make sure the umask is right. 5271 */ 5272 (void) umask(0022); 5273 policy_fp = fopen(POLICY_CONF_FILE, "a"); 5274 if (policy_fp == NULL) { 5275 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE); 5276 return (-1); 5277 } 5278 5279 /* 5280 * Pattern, action, and properties are allocated in 5281 * parse_pattern_or_prop and in parse_action (called by 5282 * parse_one) as we parse arguments. 5283 */ 5284 while ((ret = parse_one(fp, act_props)) != PARSE_EOF) { 5285 num_rules++; 5286 if (ret != 0) { 5287 (void) print_cmd_buf(stderr, NOERROR); 5288 continue; 5289 } 5290 5291 /* 5292 * If there is no action and parse returned success, 5293 * it means that there is nothing to add. 5294 */ 5295 if (act_props->pattern[0] == NULL && 5296 act_props->ap[0].act == NULL) 5297 break; 5298 5299 ret = form_ipsec_conf(act_props, &conf); 5300 if (ret != 0) { 5301 warnx(gettext("form_ipsec_conf error")); 5302 (void) print_cmd_buf(stderr, NOERROR); 5303 /* Reset globals before trying the next rule. */ 5304 if (shp != NULL) { 5305 freehostent(shp); 5306 shp = NULL; 5307 } 5308 if (dhp != NULL) { 5309 freehostent(dhp); 5310 dhp = NULL; 5311 } 5312 splen = 0; 5313 dplen = 0; 5314 continue; 5315 } 5316 5317 good_rules++; 5318 5319 if (first_time) { 5320 /* 5321 * Time to assume that there are valid policy entries. 5322 * If the IPsec kernel modules are not loaded this 5323 * will load them now. 5324 */ 5325 first_time = B_FALSE; 5326 fetch_algorithms(); 5327 ipsec_conf_admin(SPD_CLONE); 5328 5329 /* 5330 * The default behaviour for IPSEC_CONF_ADD is to append 5331 * the new rules to the existing policy. If a new rule 5332 * collides with an existing rule, the new rule won't be 5333 * added. 5334 * 5335 * To perform an atomic policy replace, we really don't 5336 * care what the existing policy was, just replace it 5337 * with the new one. Remove all rules from the SPD_CLONE 5338 * policy before checking the new rules. 5339 */ 5340 if (replace) { 5341 flushret = ipsec_conf_flush(SPD_STANDBY); 5342 if (flushret != 0) 5343 return (flushret); 5344 } 5345 } 5346 5347 /* 5348 * shp, dhp, splen, and dplen are globals set by 5349 * form_ipsec_conf() while parsing the addresses. 5350 */ 5351 if (shp == NULL && dhp == NULL) { 5352 switch (do_port_adds(&conf)) { 5353 case 0: 5354 /* no error */ 5355 break; 5356 case EEXIST: 5357 /* duplicate entries, continue adds */ 5358 (void) print_cmd_buf(stderr, EEXIST); 5359 goto next; 5360 default: 5361 /* other error, bail */ 5362 ret = -1; 5363 goto bail; 5364 } 5365 } else { 5366 ret = do_address_adds(&conf, &diag); 5367 switch (ret) { 5368 case 0: 5369 /* no error. */ 5370 break; 5371 case EEXIST: 5372 (void) print_cmd_buf(stderr, EEXIST); 5373 goto next; 5374 case EBUSY: 5375 warnx(gettext( 5376 "Can't set mask and /NN prefix.")); 5377 ret = -1; 5378 break; 5379 case ENOENT: 5380 warnx(gettext("Cannot find tunnel " 5381 "interface %s."), interface_name); 5382 ret = -1; 5383 break; 5384 case EINVAL: 5385 /* 5386 * PF_POLICY didn't like what we sent. We 5387 * can't check all input up here, but we 5388 * do in-kernel. 5389 */ 5390 warnx(gettext("PF_POLICY invalid input:\n\t%s"), 5391 spdsock_diag(diag)); 5392 break; 5393 case EOPNOTSUPP: 5394 warnx(gettext("Can't set /NN" 5395 " prefix on multi-host name.")); 5396 ret = -1; 5397 break; 5398 case ERANGE: 5399 warnx(gettext("/NN prefix is too big!")); 5400 ret = -1; 5401 break; 5402 case ESRCH: 5403 warnx(gettext("No matching IPv4 or " 5404 "IPv6 saddr/daddr pairs")); 5405 ret = -1; 5406 break; 5407 default: 5408 /* Should never get here. */ 5409 errno = ret; 5410 warn(gettext("Misc. error")); 5411 ret = -1; 5412 } 5413 if (ret == -1) 5414 goto bail; 5415 } 5416 5417 /* 5418 * Go ahead and add policy entries to config file. 5419 * The # should help re-using the ipsecpolicy.conf 5420 * for input again as # will be treated as comment. 5421 */ 5422 if (fprintf(policy_fp, "%s %lld \n", INDEX_TAG, 5423 conf.ips_policy_index) == -1) { 5424 warn("fprintf"); 5425 warnx(gettext("Addition incomplete, Please " 5426 "flush all the entries and re-configure :")); 5427 reconfigure(); 5428 ret = -1; 5429 break; 5430 } 5431 if (print_cmd_buf(policy_fp, NOERROR) == -1) { 5432 warnx(gettext("Addition incomplete. Please " 5433 "flush all the entries and re-configure :")); 5434 reconfigure(); 5435 ret = -1; 5436 break; 5437 } 5438 /* 5439 * We add one newline by default to separate out the 5440 * entries. If the last character is not a newline, we 5441 * insert a newline for free. This makes sure that all 5442 * entries look consistent in the file. 5443 */ 5444 if (*(cbuf + cbuf_offset - 1) == '\n') { 5445 if (fprintf(policy_fp, "\n") == -1) { 5446 warn("fprintf"); 5447 warnx(gettext("Addition incomplete. " 5448 "Please flush all the entries and " 5449 "re-configure :")); 5450 reconfigure(); 5451 ret = -1; 5452 break; 5453 } 5454 } else { 5455 if (fprintf(policy_fp, "\n\n") == -1) { 5456 warn("fprintf"); 5457 warnx(gettext("Addition incomplete. " 5458 "Please flush all the entries and " 5459 "re-configure :")); 5460 reconfigure(); 5461 ret = -1; 5462 break; 5463 } 5464 } 5465 next: 5466 /* 5467 * Make sure this gets to the disk before 5468 * we parse the next entry. 5469 */ 5470 (void) fflush(policy_fp); 5471 for (i = 0; act_props->pattern[i] != NULL; i++) 5472 free(act_props->pattern[i]); 5473 for (j = 0; act_props->ap[j].act != NULL; j++) { 5474 free(act_props->ap[j].act); 5475 for (i = 0; act_props->ap[j].prop[i] != NULL; i++) 5476 free(act_props->ap[j].prop[i]); 5477 } 5478 } 5479 if (ret == PARSE_EOF) 5480 ret = 0; /* Not an error */ 5481 bail: 5482 if (ret == -1) { 5483 (void) print_cmd_buf(stderr, EINVAL); 5484 for (i = 0; act_props->pattern[i] != NULL; i++) 5485 free(act_props->pattern[i]); 5486 for (j = 0; act_props->ap[j].act != NULL; j++) { 5487 free(act_props->ap[j].act); 5488 for (i = 0; act_props->ap[j].prop[i] != NULL; i++) 5489 free(act_props->ap[j].prop[i]); 5490 } 5491 } 5492 #ifdef DEBUG_HEAVY 5493 (void) printf("ipsec_conf_add: ret val = %d\n", ret); 5494 (void) fflush(stdout); 5495 #endif 5496 if (num_rules == 0 && ret == 0) { 5497 nuke_adds(); 5498 (void) restore_all_signals(); 5499 (void) unlock(lfd); 5500 EXIT_OK("Policy file does not contain any valid rules."); 5501 } 5502 if (num_rules != good_rules) { 5503 /* This is an error */ 5504 nuke_adds(); 5505 (void) restore_all_signals(); 5506 (void) unlock(lfd); 5507 EXIT_BADCONFIG2("%d policy rule(s) contained errors.", 5508 num_rules - good_rules); 5509 } 5510 /* looks good, flip it in */ 5511 if (ret == 0 && !just_check) { 5512 if (!ipsecconf_qflag) { 5513 (void) printf("%s", warning); 5514 } 5515 if (smf_managed) 5516 warnx(gettext("%d policy rules added."), good_rules); 5517 ipsec_conf_admin(SPD_FLIP); 5518 } else { 5519 nuke_adds(); 5520 if (just_check) { 5521 (void) fprintf(stdout, gettext("IPsec configuration " 5522 "does not contain any errors.\n")); 5523 (void) fprintf(stdout, gettext( 5524 "IPsec policy was not modified.\n")); 5525 (void) fflush(stdout); 5526 } 5527 } 5528 flushret = ipsec_conf_flush(SPD_STANDBY); 5529 if (flushret != 0) 5530 return (flushret); 5531 return (ret); 5532 } 5533 5534 5535 static int 5536 ipsec_conf_sub() 5537 { 5538 act_prop_t *act_props = malloc(sizeof (act_prop_t)); 5539 FILE *remove_fp, *policy_fp; 5540 char rbuf[MAXLEN], pbuf[MAXLEN], /* remove buffer, and policy buffer */ 5541 *warning = gettext( 5542 "\tWARNING: Policy entries that are being removed may\n" 5543 "\taffect the existing connections. Existing connections\n" 5544 "\tthat are subjected to policy constraints may no longer\n" 5545 "\tbe subjected to policy contraints because of its\n" 5546 "\tremoval. This can compromise security, and disrupt\n" 5547 "\tthe communication of the existing connection.\n" 5548 "\tConnections that are latched will remain unaffected\n" 5549 "\tuntil they close.\n"); 5550 int ret = 0; 5551 int index_len, pindex = 0; /* init value in case of pfile error */ 5552 5553 if (act_props == NULL) { 5554 warn(gettext("memory")); 5555 return (-1); 5556 } 5557 5558 /* clone into standby DB */ 5559 (void) ipsec_conf_admin(SPD_CLONE); 5560 5561 if (strcmp(filename, "-") == 0) 5562 remove_fp = stdin; 5563 else 5564 remove_fp = fopen(filename, "r"); 5565 5566 if (remove_fp == NULL) { 5567 warn(gettext("%s : Input file cannot be opened"), filename); 5568 usage(); 5569 free(act_props); 5570 return (-1); 5571 } 5572 5573 /* open policy file so we can locate the correct policy */ 5574 (void) umask(0022); /* in case it gets created! */ 5575 policy_fp = fopen(POLICY_CONF_FILE, "r+"); 5576 if (policy_fp == NULL) { 5577 warn(gettext("%s cannot be opened"), POLICY_CONF_FILE); 5578 (void) fclose(remove_fp); 5579 free(act_props); 5580 return (-1); 5581 } 5582 5583 /* don't print the warning if we're in q[uiet] mode */ 5584 if (!ipsecconf_qflag) 5585 (void) printf("%s", warning); 5586 5587 /* this bit is done primarily so we can read what we write */ 5588 index_len = strlen(INDEX_TAG); 5589 5590 /* 5591 * We want to look for the policy in rbuf in the policy file. 5592 * Go through the list of policies to remove, locating each one. 5593 */ 5594 while (fgets(rbuf, MAXLEN, remove_fp) != NULL) { 5595 char *buf; 5596 int offset, prev_offset, prev_prev_offset, nlines; 5597 fpos_t ipos; 5598 int pbuf_len = 0; 5599 char *tmp; 5600 /* skip blanks here (so we don't need to do it below)! */ 5601 for (tmp = rbuf; (*tmp != '\0') && isspace(*tmp); ) 5602 tmp++; 5603 5604 if (*tmp == '\0') 5605 continue; /* while(); */ 5606 5607 /* skip the INDEX_TAG lines in the remove buffer */ 5608 if (strncasecmp(rbuf, INDEX_TAG, index_len) == 0) 5609 continue; 5610 5611 /* skip commented lines */ 5612 if (*tmp == '#') 5613 continue; /* while(); */ 5614 5615 /* 5616 * We start by presuming only good policies are in the pfile, 5617 * and so only good policies from the rfile will match them. 5618 * ipsec_conf_del ensures this later by calling parse_one() on 5619 * pfile before it deletes the entry. 5620 */ 5621 for (offset = prev_offset = prev_prev_offset = 0; 5622 fgets(pbuf, MAXLEN, policy_fp) != NULL; 5623 offset += pbuf_len) { 5624 prev_offset = offset; 5625 pbuf_len = strlen(pbuf); 5626 5627 /* skip blank lines which seperate policy entries */ 5628 if (pbuf[0] == '\n') 5629 continue; 5630 5631 /* if we found an index, save it */ 5632 if (strncasecmp(pbuf, INDEX_TAG, index_len) == 0) { 5633 buf = pbuf + index_len; 5634 buf++; 5635 if ((pindex = parse_index(buf, NULL)) == -1) { 5636 /* bad index, we can't continue */ 5637 warnx(gettext( 5638 "Invalid index in the file")); 5639 (void) fclose(remove_fp); 5640 (void) fclose(policy_fp); 5641 free(act_props); 5642 return (-1); 5643 } 5644 5645 /* save this position in case it's the one */ 5646 if (fgetpos(policy_fp, &ipos) != 0) { 5647 (void) fclose(remove_fp); 5648 (void) fclose(policy_fp); 5649 free(act_props); 5650 return (-1); 5651 } 5652 } 5653 5654 /* Does pbuf contain the remove policy? */ 5655 if (strncasecmp(rbuf, pbuf, pbuf_len) == 0) { 5656 /* we found the one to remove! */ 5657 if (pindex == 0) { 5658 warnx(gettext("Didn't find a valid " 5659 "index for policy")); 5660 (void) fclose(remove_fp); 5661 (void) fclose(policy_fp); 5662 free(act_props); 5663 return (-1); 5664 } 5665 5666 /* off it - back up to the last INDEX! */ 5667 if (fsetpos(policy_fp, &ipos) != 0) { 5668 (void) fclose(remove_fp); 5669 (void) fclose(policy_fp); 5670 free(act_props); 5671 return (-1); 5672 } 5673 5674 /* parse_one sets linecount = #lines to off */ 5675 if (parse_one(policy_fp, act_props) == -1) { 5676 warnx(gettext("Invalid policy entry " 5677 "in the file")); 5678 (void) fclose(remove_fp); 5679 (void) fclose(policy_fp); 5680 free(act_props); 5681 return (-1); 5682 } 5683 5684 nlines = linecount + 2; 5685 goto delete; 5686 } 5687 /* 5688 * When we find a match, we want to pass the offset 5689 * of the line that is before it - the INDEX_TAG line. 5690 */ 5691 prev_prev_offset = prev_offset; 5692 } 5693 /* Didn't find a match - look at the next remove policy */ 5694 continue; /* while(); */ 5695 5696 delete: 5697 (void) fclose(policy_fp); 5698 5699 if (delete_from_file(prev_prev_offset, nlines) != 0) { 5700 warnx(gettext("delete_from_file failure. " 5701 "Please flush all entries and re-configure :")); 5702 reconfigure(); 5703 (void) fclose(remove_fp); 5704 free(act_props); 5705 return (-1); 5706 } 5707 5708 if (pfp_delete_rule(pindex) != 0) { 5709 warnx(gettext("Deletion incomplete. Please flush" 5710 "all the entries and re-configure :")); 5711 reconfigure(); 5712 (void) fclose(remove_fp); 5713 free(act_props); 5714 return (-1); 5715 } 5716 5717 /* reset the globals */ 5718 linecount = 0; 5719 pindex = 0; 5720 /* free(NULL) also works. */ 5721 free(interface_name); 5722 interface_name = NULL; 5723 5724 /* reopen for next pass, automagically starting over. */ 5725 policy_fp = fopen(POLICY_CONF_FILE, "r"); 5726 if (policy_fp == NULL) { 5727 warn(gettext("%s cannot be re-opened, can't continue"), 5728 POLICY_CONF_FILE); 5729 (void) fclose(remove_fp); 5730 free(act_props); 5731 return (-1); 5732 } 5733 5734 } /* read next remove policy */ 5735 5736 if ((ret = pfp_delete_rule(pindex)) != 0) { 5737 warnx(gettext("Removal incomplete. Please flush " 5738 "all the entries and re-configure :")); 5739 reconfigure(); 5740 free(act_props); 5741 return (ret); 5742 } 5743 5744 /* nothing left to look for */ 5745 (void) fclose(remove_fp); 5746 free(act_props); 5747 5748 return (0); 5749 } 5750 5751 /* 5752 * Constructs a tunnel interface ID extension. Returns the length 5753 * of the extension in 64-bit-words. 5754 */ 5755 static int 5756 attach_tunname(spd_if_t *tunname) 5757 { 5758 if (tunname == NULL || interface_name == NULL) 5759 return (0); 5760 5761 tunname->spd_if_exttype = SPD_EXT_TUN_NAME; 5762 /* 5763 * Use "-3" because there's 4 bytes in the message itself, and 5764 * we lose one because of the '\0' terminator. 5765 */ 5766 tunname->spd_if_len = SPD_8TO64( 5767 P2ROUNDUP(sizeof (*tunname) + strlen(interface_name) - 3, 8)); 5768 (void) strlcpy((char *)tunname->spd_if_name, interface_name, LIFNAMSIZ); 5769 return (tunname->spd_if_len); 5770 } 5771