From b7d69e8bbbcc1a179fa7e3daf0c42081bfd8fdb5 Mon Sep 17 00:00:00 2001 From: Julian Elischer Date: Mon, 13 Apr 1998 00:17:45 +0000 Subject: Submitted by: archie Cobbs (archie@whistle.com) updates to make skip port work better, from the original porter. --- security/skip/files/patch-au | 14 +++- security/skip/files/patch-bf | 36 ++++++++-- security/skip/files/patch-bg | 20 ++++-- security/skip/files/patch-cj | 13 ++++ security/skip/files/patch-ck | 161 +++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 234 insertions(+), 10 deletions(-) create mode 100644 security/skip/files/patch-cj create mode 100644 security/skip/files/patch-ck (limited to 'security/skip') diff --git a/security/skip/files/patch-au b/security/skip/files/patch-au index 4e9ebdb29a27..74ff7c7d6a86 100644 --- a/security/skip/files/patch-au +++ b/security/skip/files/patch-au @@ -1,7 +1,7 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/doc/README.FreeBSD skipsrc-1.0/doc/README.FreeBSD --- skipsrc-1.0.orig/doc/README.FreeBSD Wed Dec 31 16:00:00 1969 -+++ skipsrc-1.0/doc/README.FreeBSD Tue Dec 23 16:23:06 1997 -@@ -0,0 +1,64 @@ ++++ skipsrc-1.0/doc/README.FreeBSD Sun Apr 12 16:10:32 1998 +@@ -0,0 +1,74 @@ + +Some notes regarding the FreeBSD port of SKIP +December 8, 1997 
@@ -13,6 +13,16 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/doc/README.FreeBSD skipsrc-1 + you set ${PREFIX}). This documentation can be found under + /usr/local/share/doc/skip. + ++- Thanks to S. Wehner, skiphost now takes a new argument for specifying ++ the source address for encrypted packets. This allows encrypted packets ++ that are being tunnelled between two routers to have source and dest ++ IP addresses of only those two routers. This reduces firewall complexity ++ in many cases. From his description: ++ ++ This adds another command line option to skiphost, namely ++ -f . Every packet going out to the other host ++ will then have this source address in the packet. ++ +- SKIP is applied to packets *after* any ipfw(8) filtering is applied. + This is true for both incoming and outgoing packets. Note that SKIP + has its own access control functionality. diff --git a/security/skip/files/patch-bf b/security/skip/files/patch-bf index 0752ad7ffcbe..ebd38cf05397 100644 --- a/security/skip/files/patch-bf +++ b/security/skip/files/patch-bf @@ -1,6 +1,6 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/freebsd/skip_es.c skipsrc-1.0/skip/freebsd/skip_es.c --- skipsrc-1.0.orig/skip/freebsd/skip_es.c Fri Oct 25 13:12:42 1996 -+++ skipsrc-1.0/skip/freebsd/skip_es.c Tue Mar 3 16:58:54 1998 ++++ skipsrc-1.0/skip/freebsd/skip_es.c Sun Apr 12 15:51:32 1998 @@ -81,6 +81,11 @@ static unsigned short skip_pktid; static skip_softc_t skip_softc[SKIP_MAX_OPENS]; 
@@ -71,7 +71,21 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/freebsd/skip_es.c skips decryptbuf->m_len, decryptbuf->m_data); } -@@ -2005,7 +2026,7 @@ +@@ -1910,6 +1931,13 @@ + */ + IPADDRCOPY(¶ms.tunnel_addr, &newip->ip_dst); + ++ /* ++ * insert different source address if specified ++ */ ++ ++ if(params.source != 0) ++ (&newip->ip_src)->s_addr = params.source; ++ + encryptbuf->m_len += sizeof (struct ip); + + /* +@@ -2005,7 +2033,7 @@ if (params.kp_alg) { newip->ip_p = SKIP_NEXT_ESP; } else { @@ -80,7 +94,21 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/freebsd/skip_es.c skips } } skip_if->stats.skip_if_raw_out++; -@@ -2097,7 +2118,7 @@ +@@ -2028,6 +2056,13 @@ + * insert tunnel address as destination + */ + IPADDRCOPY(¶ms.tunnel_addr, &newip->ip_dst); ++ ++ /* ++ * insert different source address if specified ++ */ ++ ++ if(params.source != 0) ++ (&newip->ip_src)->s_addr = params.source; + } + + if (params.s_nsid == 0) { +@@ -2097,7 +2132,7 @@ register skip_param_t *params = &res->params; register struct ip *ip = mtod(original, struct ip *); int rc, s, iphlen; @@ -89,7 +117,7 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/freebsd/skip_es.c skips SKIP_PRINT("skip_decrypt_done", params); -@@ -2125,7 +2146,7 @@ +@@ -2125,7 +2160,7 @@ */ outbuf = (res->modes & SKIP_CRYPT_ON) ? m : original; diff --git a/security/skip/files/patch-bg b/security/skip/files/patch-bg index 0560cf4e73f5..0823694663d8 100644 --- a/security/skip/files/patch-bg +++ b/security/skip/files/patch-bg @@ -1,6 +1,6 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/freebsd/skip_os.h skipsrc-1.0/skip/freebsd/skip_os.h --- skipsrc-1.0.orig/skip/freebsd/skip_os.h Fri Oct 25 13:12:43 1996 -+++ skipsrc-1.0/skip/freebsd/skip_os.h Tue Jan 13 11:19:16 1998 ++++ skipsrc-1.0/skip/freebsd/skip_os.h Sun Apr 12 15:52:01 1998 @@ -54,7 +54,6 @@ #ifndef KERNEL #include 
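Review bot: The source-address override added in the inner hunk at `@@ -1910,6 +1931,13 @@` copies `params.source` into the outgoing header with no validation, so whatever nonzero value userland configured becomes the source of every encrypted packet; the identical block is added again in the `@@ -80,7 +94,21 @@` hunk (inner `@@ -2028,6 +2056,13 @@`). The kernel presumably has no better option than to trust this field, which makes the userland check in skiphost (the `-f` handling in patch-ck) the only place a malformed address can be rejected. The spelling `(&newip->ip_src)->s_addr = params.source;` is needlessly indirect; `newip->ip_src.s_addr = params.source;` reads like the `IPADDRCOPY(&params.tunnel_addr, &newip->ip_dst)` line above it, and a comment such as `/* 0 means keep the host's own address as source */` would document the sentinel both copies rely on. The enclosing function starts and ends outside the hunk.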
@@ -93,7 +93,19 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/freebsd/skip_os.h skips #define ALIGNED(x) (((unsigned int)(x)&(skip_alignment - 1)) == 0) -@@ -205,26 +225,21 @@ +@@ -182,7 +202,11 @@ + /* + * 4.x timing defines + */ ++#if __FreeBSD__ >= 3 ++#define SKIP_ES_CURRENTTIME ((long)time_second) ++#else + #define SKIP_ES_CURRENTTIME (time.tv_sec) ++#endif + #define SKIP_ES_DELTATIME(then) (SKIP_ES_CURRENTTIME - then) + + /* +@@ -205,26 +229,21 @@ } /* @@ -130,7 +142,7 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/freebsd/skip_os.h skips #else /* KERNEL */ /* -@@ -251,37 +266,12 @@ +@@ -251,37 +270,12 @@ #endif #define STATIC @@ -170,7 +182,7 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/freebsd/skip_os.h skips #define KEYMGR "/dev/skip_key" /* -@@ -306,12 +296,6 @@ +@@ -306,12 +300,6 @@ /* General purpose */ typedef unsigned char byte; diff --git a/security/skip/files/patch-cj b/security/skip/files/patch-cj new file mode 100644 index 000000000000..91502b82bb53 --- /dev/null +++ b/security/skip/files/patch-cj @@ -0,0 +1,13 @@ + +diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/include/skip_types.h skipsrc-1.0/skip/include/skip_types.h +--- skipsrc-1.0.orig/skip/include/skip_types.h Fri Oct 25 13:12:45 1996 ++++ skipsrc-1.0/skip/include/skip_types.h Sun Apr 12 15:29:53 1998 +@@ -142,6 +142,7 @@ + unsigned char flags; /* ACL info for this system */ + struct in_addr mask; /* network/host mask */ + struct in_addr tunnel_addr; /* tunneling address */ ++ unsigned long source; /* source address */ + } skip_param_t; + + /* + diff --git a/security/skip/files/patch-ck b/security/skip/files/patch-ck new file mode 100644 index 000000000000..1a2154430e58 --- /dev/null +++ b/security/skip/files/patch-ck 
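Review bot: The new `#if __FreeBSD__ >= 3` branch in the inner hunk at `@@ -182,7 +202,11 @@` sits under a comment that still reads `4.x timing defines`, and nothing records why `time_second` replaces `time.tv_sec` on newer systems, so the next reader has to rediscover the reason. A one-line comment on the new branch, e.g. `/* FreeBSD 3+ presumably no longer exports the global 'time'; time_second is the seconds counter -- confirm */`, would make the split self-explanatory. The `(long)` cast also silently narrows `time_second` to whatever `long` is on the target; if `SKIP_ES_DELTATIME` only ever sees small differences that is harmless, but the comment should say so.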
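Review bot: `unsigned long source;` added to `skip_param_t` is typed differently from its sibling `struct in_addr tunnel_addr;` even though it holds the same kind of value, is fed to `inet_ntoa` in skiphost and is copied into `ip_src.s_addr` in skip_es.c; declaring it `struct in_addr source;` ties the field's width to the address type rather than to the platform's `long`, which matters because this struct presumably crosses the user/kernel boundary (the `KEYMGR "/dev/skip_key"` path in skip_os.h). The comment `/* source address */` should also record the sentinel the code depends on, e.g. `/* source address for encrypted packets; 0 = use default */`.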
@@ -0,0 +1,161 @@ +diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/tools/skiphost/skiphost.c skipsrc-1.0/skip/tools/skiphost/skiphost.c +--- skipsrc-1.0.orig/skip/tools/skiphost/skiphost.c Fri Oct 25 13:13:03 1996 ++++ skipsrc-1.0/skip/tools/skiphost/skiphost.c Sun Apr 12 15:29:52 1998 +@@ -76,6 +76,7 @@ + static char *skip_version = NULL; + static char *skip_mode = NULL; + static char *tunnel = NULL; ++static char *srcaddr = NULL; + + static int opt, opt_cpt; + static int opt_action, opt_more; +@@ -89,11 +90,14 @@ + static int opt_prt, opt_sh, opt_sel; + static int opt_trs, opt_tunnel; + static int opt_msk, opt_nomadic; ++static int opt_source; + + boolean_t on_boot = B_FALSE; + + #define SKIP_HOST_MASK "255.255.255.255" + ++struct in_addr source_addr; ++ + static void usage(); + + /* +@@ -218,6 +222,11 @@ + if (params->ip_addr.s_addr != params->tunnel_addr.s_addr) { + printf(" -A %s", inet_ntoa(params->tunnel_addr)); + } ++ ++ if(params->source != 0) { ++ source_addr.s_addr = params->source; ++ printf(" -f %s", inet_ntoa(source_addr)); ++ } + + switch (params->version) { + +@@ -376,6 +385,11 @@ + printf(" tunnel=%s", inet_ntoa(params->tunnel_addr)); + } + ++ if (params->source != 0) { ++ source_addr.s_addr = params->source; ++ printf(" source=%s", inet_ntoa(source_addr)); ++ } ++ + switch (params->version) { + + case SKIP_NONE: +@@ -907,12 +921,18 @@ + } + } + ++ if(opt_source) { ++ parms.source = inet_addr(srcaddr); ++ } else { ++ parms.source = 0; ++ } ++ + /* + * Check if a cleartext host... 
+ */ + opt_sel = opt_r_nsid + opt_s_nsid + opt_r_keyid; + opt_sel += opt_kij + opt_crypt + opt_mac + opt_comp; +- opt_sel += opt_vers + opt_nomadic + opt_tunnel; ++ opt_sel += opt_vers + opt_nomadic + opt_tunnel + opt_source; + + if (!opt_sel) { + /* +@@ -1531,6 +1551,7 @@ + "\t\t[-r ] [-R ]...\n" + "\t\t[-s ] [-S ]...\n" + "\t\t[-v ] [-A ] [-T]\n" ++ "\t\t[-f ]\n" + "\t%s [-i ] " + "-x [-M ]...\n" + "\t\t[-k ] [-t ]...\n" +@@ -1592,6 +1613,7 @@ + opt_trs = opt_msk = 0; + opt_prt = opt_sh = opt_mode = 0; + opt_nomadic = opt_tunnel = 0; ++ opt_source = 0; + + ifname = skip_default_if(); + +@@ -1614,7 +1636,7 @@ + */ + optind = 1; + while ((opt = getopt(argc, argv, +- "phuPVTa:d:o:x:i:s:r:S:R:k:t:m:c:v:M:A:")) != -1) { ++ "phuPVTa:d:o:x:i:s:r:S:R:k:t:m:c:v:M:A:f:")) != -1) { + + switch (opt) { + +@@ -1761,7 +1783,10 @@ + SKIP_ONE(&opt_tunnel); + tunnel = optarg; + break; +- ++ case 'f': ++ SKIP_ONE(&opt_source); ++ srcaddr = optarg; ++ break; + case 'h': + default: + usage(); +@@ -1890,7 +1915,7 @@ + opt_sel = opt_r_nsid + opt_s_nsid + opt_r_keyid + opt_s_keyid; + opt_sel += opt_kij + opt_crypt + opt_mac + opt_comp; + opt_sel += opt_mode + opt_vers + opt_trs + opt_msk; +- opt_sel += opt_tunnel; ++ opt_sel += opt_tunnel + opt_source; + + if (opt_sel) { + fprintf(stderr, "%s -u does not take options\n", +@@ -1912,7 +1937,7 @@ + opt_sel = opt_r_nsid + opt_s_nsid + opt_r_keyid + opt_s_keyid; + opt_sel += opt_kij + opt_crypt + opt_mac + opt_comp; + opt_sel += opt_mode + opt_vers + opt_trs + opt_msk; +- opt_sel += opt_tunnel; ++ opt_sel += opt_tunnel + opt_source; + + if (opt_sel) { + fprintf(stderr, "%s -p does not take options\n", +@@ -1941,7 +1966,7 @@ + opt_sel = opt_r_nsid + opt_s_nsid + opt_r_keyid + opt_s_keyid; + opt_sel += opt_kij + opt_crypt + opt_mac + opt_comp; + opt_sel += opt_mode + opt_vers + opt_trs + opt_msk; +- opt_sel += opt_tunnel; ++ opt_sel += opt_tunnel + opt_source; + + if (opt_sel) { + fprintf(stderr, "%s -P does not take options\n", +@@ -1963,7 
+1988,7 @@ + opt_sel = opt_r_nsid + opt_s_nsid + opt_r_keyid + opt_s_keyid; + opt_sel += opt_kij + opt_crypt + opt_mac + opt_comp; + opt_sel += opt_mode + opt_vers + opt_trs + opt_msk; +- opt_sel += opt_tunnel; ++ opt_sel += opt_tunnel + opt_source; + + if (opt_sel) { + fprintf(stderr, "%s -V does not take options\n", +@@ -1985,7 +2010,7 @@ + opt_sel = opt_r_nsid + opt_s_nsid + opt_r_keyid + opt_s_keyid; + opt_sel += opt_kij + opt_crypt + opt_mac + opt_comp; + opt_sel += opt_vers + opt_trs + opt_msk; +- opt_sel += opt_tunnel; ++ opt_sel += opt_tunnel + opt_source; + + if (opt_sel) { + usage(); +@@ -2018,7 +2043,7 @@ + */ + opt_sel = opt_s_nsid + opt_s_keyid; + opt_sel += opt_kij + opt_crypt + opt_mac + opt_comp; +- opt_sel += opt_mode + opt_trs + opt_tunnel; ++ opt_sel += opt_mode + opt_trs + opt_tunnel + opt_source; + + if (opt_sel) { + usage(); -- cgit v1.2.3
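Review bot: `parms.source = inet_addr(srcaddr);` in the inner hunk at `@@ -907,12 +921,18 @@` never checks for `INADDR_NONE`, so a mistyped `-f` argument is stored as 0xffffffff and, because only 0 means "unset" on the kernel side, every encrypted packet would then leave with 255.255.255.255 as its source instead of the tool reporting an error. Add `if (parms.source == INADDR_NONE) { fprintf(stderr, "bad source address: %s\n", srcaddr); exit(1); }` directly after the assignment (message text constructed here; use whatever error path the surrounding option handling uses, which is outside this hunk). The file-scope `struct in_addr source_addr;` added in the inner `@@ -89,11 +90,14 @@` hunk is non-static unlike the other declarations around it and is only scratch space for `inet_ntoa`; making it `static` or a local in each printing function would match the file's style. The functions containing the `-f` parsing and the usage text start and end outside the hunk.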