From a6bcba92419d4e18dcd565b47ebebb02bfc697ba Mon Sep 17 00:00:00 2001
From: bluhm
Date: Wed, 19 Apr 2017 15:59:38 +0000
Subject: [PATCH] Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
---
 sbin/ipsecctl/ipsecctl.c | 16 +++++++--------
 sbin/ipsecctl/ipsecctl.h | 16 +++++++--------
 sbin/ipsecctl/parse.y | 42 ++++++++++++++++++++--------------------
 sbin/ipsecctl/pfkdump.c | 4 ++--
 sbin/ipsecctl/pfkey.c | 10 +++++-----
 5 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index a2819c58bcb..8cb34d04528 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.81 2017/03/02 17:44:32 bluhm Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.82 2017/04/19 15:59:38 bluhm Exp $ */
 /*
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer
 *
@@ -48,7 +48,7 @@ void ipsecctl_print_port(u_int16_t, const char *);
 void ipsecctl_print_key(struct ipsec_key *);
 void ipsecctl_print_flow(struct ipsec_rule *, int);
 void ipsecctl_print_sa(struct ipsec_rule *, int);
-void ipsecctl_print_sagroup(struct ipsec_rule *, int);
+void ipsecctl_print_sabundle(struct ipsec_rule *, int);
 int ipsecctl_flush(int);
 void ipsecctl_get_rules(struct ipsecctl *);
 void ipsecctl_print_title(char *);
@@ -103,7 +103,7 @@ ipsecctl_rules(char *filename, int opts)
 bzero(&ipsec, sizeof(ipsec));
 ipsec.opts = opts;
 TAILQ_INIT(&ipsec.rule_queue);
- TAILQ_INIT(&ipsec.group_queue);
+ TAILQ_INIT(&ipsec.bundle_queue);
 if (parse_rules(filename, &ipsec) < 0) {
 warnx("Syntax error in config file: ipsec rules not loaded");
@@ -119,7 +119,7 @@ ipsecctl_rules(char *filename, int opts)
 }
- /* This also frees the rules in ipsec.group_queue. */
+ /* This also frees the rules in ipsec.bundle_queue. */
 while ((rp = TAILQ_FIRST(&ipsec.rule_queue))) {
 TAILQ_REMOVE(&ipsec.rule_queue, rp, rule_entry);
 ipsecctl_free_rule(rp);
@@ -382,9 +382,9 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts)
 }
 void
-ipsecctl_print_sagroup(struct ipsec_rule *r, int opts)
+ipsecctl_print_sabundle(struct ipsec_rule *r, int opts)
 {
- printf("[group %s to ", satype[r->proto]);
+ printf("[bundle %s to ", satype[r->proto]);
 ipsecctl_print_addr(r->dst);
 printf(" spi 0x%08x with %s to ", r->spi, satype[r->proto2]);
 ipsecctl_print_addr(r->dst2);
@@ -405,8 +405,8 @@ ipsecctl_print_rule(struct ipsec_rule *r, int opts)
 ipsecctl_print_sa(r, opts);
 if (r->type & RULE_IKE)
 ike_print_config(r, opts);
- if (r->type & RULE_GROUP)
- ipsecctl_print_sagroup(r, opts);
+ if (r->type & RULE_BUNDLE)
+ ipsecctl_print_sabundle(r, opts);
 }
 int
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index cb35cb2f817..680ed1a7d92 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.70 2017/04/14 18:06:28 bluhm Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.71 2017/04/19 15:59:38 bluhm Exp $ */
 /*
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer
 *
@@ -37,7 +37,7 @@ enum {
 #define RULE_FLOW 0x01
 #define RULE_SA 0x02
 #define RULE_IKE 0x04
-#define RULE_GROUP 0x08
+#define RULE_BUNDLE 0x08
 enum {
 DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT
@@ -169,7 +169,7 @@ extern const struct ipsec_xf authxfs[];
 extern const struct ipsec_xf encxfs[];
 extern const struct ipsec_xf compxfs[];
-TAILQ_HEAD(dst_group_queue, ipsec_rule);
+TAILQ_HEAD(dst_bundle_queue, ipsec_rule);
 /* Complete state of one rule. */
 struct ipsec_rule {
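Review bot: The rename in `ipsecctl_print_sabundle` (ipsecctl.c, hunk at -382) is not purely internal: the `printf` now emits `[bundle %s to ` where it emitted `[group %s to `, so the text ipsecctl prints for these rules changes. The diffstat lists only the five files under sbin/ipsecctl, so anything that compares or parses that output (expected-output files of regression tests, local scripts) is presumably not updated by this patch and should be checked alongside it. In the last pfkey.c hunk, `SADB_X_GRPSPIS` keeps the old "group" wording; it is not defined in the files shown (presumably a PF_KEY constant from a system header), so a short comment at the call such as `/* SADB_X_GRPSPIS is the PF_KEY name for bundling SAs */` would explain why the terminology differs there.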
@@ -212,21 +212,21 @@ struct ipsec_rule {
 u_int32_t nr;
 TAILQ_ENTRY(ipsec_rule) rule_entry;
- TAILQ_ENTRY(ipsec_rule) group_entry;
- TAILQ_ENTRY(ipsec_rule) dst_group_entry;
+ TAILQ_ENTRY(ipsec_rule) bundle_entry;
+ TAILQ_ENTRY(ipsec_rule) dst_bundle_entry;
- struct dst_group_queue dst_group_queue;
+ struct dst_bundle_queue dst_bundle_queue;
 char *bundle;
 };
 TAILQ_HEAD(ipsec_rule_queue, ipsec_rule);
-TAILQ_HEAD(ipsec_group_queue, ipsec_rule);
+TAILQ_HEAD(ipsec_bundle_queue, ipsec_rule);
 struct ipsecctl {
 u_int32_t rule_nr;
 int opts;
 struct ipsec_rule_queue rule_queue;
- struct ipsec_group_queue group_queue;
+ struct ipsec_bundle_queue bundle_queue;
 };
 int parse_rules(const char *, struct ipsecctl *);
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 09612749cdd..64016a22172 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.167 2017/04/14 18:06:28 bluhm Exp $ */
+/* $OpenBSD: parse.y,v 1.168 2017/04/19 15:59:38 bluhm Exp $ */
 /*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer
@@ -191,7 +191,7 @@ struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_hosts *,
 struct ipsec_key *, struct ipsec_key *);
 struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t, struct ipsec_key *, struct ipsec_key *);
-struct ipsec_rule *create_sagroup(struct ipsec_addr_wrap *, u_int8_t,
+struct ipsec_rule *create_sabundle(struct ipsec_addr_wrap *, u_int8_t,
 u_int32_t, struct ipsec_addr_wrap *, u_int8_t, u_int32_t);
 struct ipsec_rule *create_flow(u_int8_t, u_int8_t, struct ipsec_hosts *,
@@ -207,7 +207,7 @@ struct ipsec_rule *create_ike(u_int8_t, struct ipsec_hosts *,
 struct ike_mode *, struct ike_mode *, u_int8_t, u_int8_t, u_int8_t, char *, char *, struct ike_auth *, char *);
-int add_sagroup(struct ipsec_rule *, char *);
+int add_sabundle(struct ipsec_rule *, char *);
 int get_id_type(char *);
 struct ipsec_transforms *ipsec_transforms;
@@ -2344,12 +2344,12 @@ validate_sa(u_int32_t spi, u_int8_t satype, struct ipsec_transforms *xfs,
 }
 int
-add_sagroup(struct ipsec_rule *r, char *bundle)
+add_sabundle(struct ipsec_rule *r, char *bundle)
 {
- struct ipsec_rule *rp, *last, *group;
+ struct ipsec_rule *rp, *last, *sabundle;
 int found = 0;
- TAILQ_FOREACH(rp, &ipsec->group_queue, group_entry) {
+ TAILQ_FOREACH(rp, &ipsec->bundle_queue, bundle_entry) {
 if ((strcmp(rp->src->name, r->src->name) == 0) &&
 (strcmp(rp->dst->name, r->dst->name) == 0) &&
 (strcmp(rp->bundle, bundle) == 0)) {
@@ -2358,20 +2358,20 @@ add_sagroup(struct ipsec_rule *r, char *bundle)
 }
 }
 if (found) {
- last = TAILQ_LAST(&rp->dst_group_queue, dst_group_queue);
- TAILQ_INSERT_TAIL(&rp->dst_group_queue, r, dst_group_entry);
+ last = TAILQ_LAST(&rp->dst_bundle_queue, dst_bundle_queue);
+ TAILQ_INSERT_TAIL(&rp->dst_bundle_queue, r, dst_bundle_entry);
- group = create_sagroup(last->dst, last->satype, last->spi,
+ sabundle = create_sabundle(last->dst, last->satype, last->spi,
 r->dst, r->satype, r->spi);
- if (group == NULL)
+ if (sabundle == NULL)
 return (1);
- group->nr = ipsec->rule_nr++;
- if (ipsecctl_add_rule(ipsec, group))
+ sabundle->nr = ipsec->rule_nr++;
+ if (ipsecctl_add_rule(ipsec, sabundle))
 return (1);
 } else {
- TAILQ_INSERT_TAIL(&ipsec->group_queue, r, group_entry);
- TAILQ_INIT(&r->dst_group_queue);
- TAILQ_INSERT_TAIL(&r->dst_group_queue, r, dst_group_entry);
+ TAILQ_INSERT_TAIL(&ipsec->bundle_queue, r, bundle_entry);
+ TAILQ_INIT(&r->dst_bundle_queue);
+ TAILQ_INSERT_TAIL(&r->dst_bundle_queue, r, dst_bundle_entry);
 r->bundle = bundle;
 }
@@ -2433,16 +2433,16 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
 }
 struct ipsec_rule *
-create_sagroup(struct ipsec_addr_wrap *dst, u_int8_t proto, u_int32_t spi,
+create_sabundle(struct ipsec_addr_wrap *dst, u_int8_t proto, u_int32_t spi,
 struct ipsec_addr_wrap *dst2, u_int8_t proto2, u_int32_t spi2)
 {
 struct ipsec_rule *r;
 r = calloc(1, sizeof(struct ipsec_rule));
 if (r == NULL)
- err(1, "create_sagroup: calloc");
+ err(1, "create_sabundle: calloc");
- r->type |= RULE_GROUP;
+ r->type |= RULE_BUNDLE;
 r->dst = copyhost(dst);
 r->dst2 = copyhost(dst2);
@@ -2661,7 +2661,7 @@ expand_rule(struct ipsec_rule *rule, struct ipsec_hosts *peers,
 r->nr = ipsec->rule_nr++;
 if (ipsecctl_add_rule(ipsec, r))
 goto out;
- if (bundle && add_sagroup(r, bundle))
+ if (bundle && add_sabundle(r, bundle))
 goto out;
 if (direction == IPSEC_INOUT) {
@@ -2673,7 +2673,7 @@ expand_rule(struct ipsec_rule *rule, struct ipsec_hosts *peers,
 revr->nr = ipsec->rule_nr++;
 if (ipsecctl_add_rule(ipsec, revr))
 goto out;
- if (bundle && add_sagroup(revr, bundle))
+ if (bundle && add_sabundle(revr, bundle))
 goto out;
 } else if (spi != 0 || authkey || enckey) {
 /* Create and add reverse sa rule. */
@@ -2684,7 +2684,7 @@ expand_rule(struct ipsec_rule *rule, struct ipsec_hosts *peers,
 revr->nr = ipsec->rule_nr++;
 if (ipsecctl_add_rule(ipsec, revr))
 goto out;
- if (bundle && add_sagroup(revr, bundle))
+ if (bundle && add_sabundle(revr, bundle))
 goto out;
 }
 added++;
diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index 5073b06a23e..d4767fd6ba7 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkdump.c,v 1.45 2017/04/10 14:32:47 deraadt Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.46 2017/04/19 15:59:38 bluhm Exp $ */
 /*
 * Copyright (c) 2003 Markus Friedl. All rights reserved.
@@ -818,7 +818,7 @@ pfkey_print_sa(struct sadb_msg *msg, int opts)
 extensions[SADB_EXT_KEY_ENCRYPT] = NULL;
 }
 if (extensions[SADB_X_EXT_SA2]) {
- r.type |= RULE_GROUP;
+ r.type |= RULE_BUNDLE;
 sa2 = (struct sadb_sa *)extensions[SADB_X_EXT_SA2];
 r.spi2 = ntohl(sa2->sadb_sa_spi);
 parse_addr(extensions[SADB_X_EXT_DST2], &dst2);
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index 6361db928c3..d49ad4e0d2c 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.59 2017/04/18 02:29:56 deraadt Exp $ */
+/* $OpenBSD: pfkey.c,v 1.60 2017/04/19 15:59:38 bluhm Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
 * Copyright (c) 2003, 2004 Markus Friedl
@@ -51,7 +51,7 @@ static int pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t,
 struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_transforms *, struct ipsec_key *, struct ipsec_key *, u_int8_t);
-static int pfkey_sagroup(int, u_int8_t, u_int8_t, u_int8_t,
+static int pfkey_sabundle(int, u_int8_t, u_int8_t, u_int8_t,
 struct ipsec_addr_wrap *, u_int32_t, struct ipsec_addr_wrap *, u_int32_t);
 static int pfkey_reply(int, u_int8_t **, ssize_t *);
@@ -626,7 +626,7 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi,
 }
 static int
-pfkey_sagroup(int sd, u_int8_t satype, u_int8_t satype2, u_int8_t action,
+pfkey_sabundle(int sd, u_int8_t satype, u_int8_t satype2, u_int8_t action,
 struct ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_addr_wrap *dst2, u_int32_t spi2)
 {
@@ -1180,7 +1180,7 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
 default:
 return -1;
 }
- } else if (r->type == RULE_GROUP) {
+ } else if (r->type == RULE_BUNDLE) {
 switch (r->satype) {
 case IPSEC_AH:
 satype = SADB_SATYPE_AH;
@@ -1221,7 +1221,7 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
 }
 switch (action) {
 case ACTION_ADD:
- ret = pfkey_sagroup(fd, satype, satype2,
+ ret = pfkey_sabundle(fd, satype, satype2,
 SADB_X_GRPSPIS, r->dst, r->spi, r->dst2, r->spi2);
 break;
 case ACTION_DELETE:
--
2.20.1