Module Name: src Committed By: vanhu Date: Tue Jun 22 09:41:34 UTC 2010
Modified Files: src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l isakmp.c isakmp_inf.c racoon.conf.5 remoteconf.c remoteconf.h Log Message: added a specific script hook when a dead peer is detected To generate a diff of this commit: cvs rdiff -u -r1.37 -r1.38 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l cvs rdiff -u -r1.60 -r1.61 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c cvs rdiff -u -r1.41 -r1.42 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c cvs rdiff -u -r1.59 -r1.60 \ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 cvs rdiff -u -r1.18 -r1.19 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c cvs rdiff -u -r1.11 -r1.12 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.37 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.38
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.37 Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: cfparse.y,v 1.37 2009/03/12 10:57:26 tteras Exp $ */
+/* $NetBSD: cfparse.y,v 1.38 2010/06/22 09:41:33 vanhu Exp $ */
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
@@ -237,7 +237,7 @@
 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
-%token SCRIPT PHASE1_UP PHASE1_DOWN
+%token SCRIPT PHASE1_UP PHASE1_DOWN PHASE1_DEAD
 %token NUMBER SWITCH BOOLEAN
 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
@@ -2010,6 +2010,13 @@
 cur_rmconf->script[SCRIPT_PHASE1_DOWN] = script_path_add(vdup($2)); } EOS
+ | SCRIPT QUOTEDSTRING PHASE1_DEAD {
+ if (cur_rmconf->script[SCRIPT_PHASE1_DEAD] != NULL)
+ vfree(cur_rmconf->script[SCRIPT_PHASE1_DEAD]);
+
+ cur_rmconf->script[SCRIPT_PHASE1_DEAD] =
+ script_path_add(vdup($2));
+ } EOS
 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
 | WEAK_PHASE1_CHECK SWITCH { cur_rmconf->weak_phase1_check = $2;
Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.20 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.20 Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: cftoken.l,v 1.20 2009/03/12 10:57:26 tteras Exp $ */
+/* $NetBSD: cftoken.l,v 1.21 2010/06/22 09:41:33 vanhu Exp $ */
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
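Review bot: In the cfparse.y hunk at `@@ -2010,6 +2010,13 @@`, the new `phase1_dead` rule stores the result of `script_path_add(vdup($2))` without checking it, so a failed allocation in either call would leave `script[SCRIPT_PHASE1_DEAD]` NULL and the configuration would load as if the hook had been installed. script_path_add is not visible here, so its failure behaviour is inferred rather than confirmed. A check after the assignment, such as `if (cur_rmconf->script[SCRIPT_PHASE1_DEAD] == NULL) { yyerror("failed to set phase1_dead script"); return -1; }`, would turn a silently missing dead-peer handler into a configuration error. The phase1_down rule in the leading context lines has the same shape and would want the same check.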
@@ -365,6 +365,7 @@
 <S_RMTS>script { YYD; return(SCRIPT); }
 <S_RMTS>phase1_up { YYD; return(PHASE1_UP); }
 <S_RMTS>phase1_down { YYD; return(PHASE1_DOWN); }
+<S_RMTS>phase1_dead { YYD; return(PHASE1_DEAD); }
 <S_RMTS>mode_cfg { YYD; return(MODE_CFG); }
 <S_RMTS>weak_phase1_check { YYD; return(WEAK_PHASE1_CHECK); }
 <S_RMTS>rekey { YYD; return(REKEY); }
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.60 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.61
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.60 Thu Sep 3 09:29:07 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp.c,v 1.60 2009/09/03 09:29:07 tteras Exp $ */
+/* $NetBSD: isakmp.c,v 1.61 2010/06/22 09:41:33 vanhu Exp $ */
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
@@ -1839,6 +1839,8 @@
 plog(LLV_ERROR, LOCATION, NULL, "phase1 negotiation failed due to time up. %s\n", isakmp_pindex(&iph1->index, iph1->msgid));
+ /* XXX is the peer really "dead" here ??? */
+ script_hook(iph1, SCRIPT_PHASE1_DEAD);
 evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL); return -1;
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.41 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.42
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.41 Fri Jul 3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_inf.c,v 1.41 2009/07/03 06:41:46 tteras Exp $ */
+/* $NetBSD: isakmp_inf.c,v 1.42 2010/06/22 09:41:33 vanhu Exp $ */
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
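Review bot: The `script_hook(iph1, SCRIPT_PHASE1_DEAD)` call added in the isakmp.c hunk at `@@ -1839,6 +1839,8 @@` sits on the "phase1 negotiation failed due to time up" path, which going by that log message is a negotiation that never completed rather than an established peer that stopped answering; the added XXX comment raises the same doubt. The racoon.conf.5 text in this commit documents phase1_dead only as "detected as dead by DPD", so an operator's script that tears down routes or fails over would also run in a case the manual does not mention, possibly before the peer has been authenticated at all. Either drop this call and keep the hook to the DPD path in isakmp_inf.c, or document the timeout case in the man page and replace the XXX with a definite comment such as `/* also run phase1_dead when phase 1 times out; the peer may never have been up */`. The enclosing function starts and ends outside the hunk.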
@@ -1506,6 +1506,7 @@
 "DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n", isakmp_pindex(&iph1->index, 0));
+ script_hook(iph1, SCRIPT_PHASE1_DEAD);
 evt_phase1(iph1, EVT_PHASE1_DPD_TIMEOUT, NULL); purge_remote(iph1);
Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.59 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.60
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.59 Wed Oct 14 18:22:04 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-.\" $NetBSD: racoon.conf.5,v 1.59 2009/10/14 18:22:04 joerg Exp $
+.\" $NetBSD: racoon.conf.5,v 1.60 2010/06/22 09:41:33 vanhu Exp $
 .\"
 .\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -602,11 +602,15 @@
 .\"
 .It Ic script Ar script Ic phase1_up
 .It Ic script Ar script Ic phase1_down
-Shell scripts that get executed when a phase 1 SA goes up or down.
-Both scripts get either
+.It Ic script Ar script Ic phase1_dead
+Shell scripts that get executed when a phase 1 SA goes up or down, or
+when it is detected as dead by DPD.
+All scripts get either
 .Ic phase1_up
-or
+,
 .Ic phase1_down
+or
+.Ic phase1_dead
 as first argument, and the following variables are set in their environment:
 .Bl -tag -width Ds -compact
Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.18 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.19
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.18 Tue Sep 1 09:49:59 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: remoteconf.c,v 1.18 2009/09/01 09:49:59 tteras Exp $ */
+/* $NetBSD: remoteconf.c,v 1.19 2010/06/22 09:41:33 vanhu Exp $ */
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
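Review bot: In the isakmp_inf.c hunk at `@@ -1506,6 +1506,7 @@` the phase1_dead hook runs immediately before `purge_remote(iph1)`, and neither the hunk nor the man page change says whether the phase1_down script then also runs for the same SA. If it does (purge_remote is not visible here, so this is a question rather than a finding), a dead peer produces two script invocations and any cleanup they share has to be idempotent. A comment above the call, e.g. `/* phase1_dead runs before the SA is purged; phase1_down may follow for the same SA */`, plus one sentence in racoon.conf.5 would settle the contract for script authors. The return value of script_hook, if it has one, is discarded here; logging a failure with plog() would let an operator notice a hook that did not run. The enclosing function starts and ends outside the hunk.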
@@ -84,7 +84,8 @@
 /* * Script hook names and script hook paths */
-char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
+char *script_names[SCRIPT_MAX + 1] = {
+ "phase1_up", "phase1_down", "phase1_dead" };
 /*%%%*/
Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.11 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.12
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.11 Fri Jul 3 06:41:47 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: remoteconf.h,v 1.11 2009/07/03 06:41:47 tteras Exp $ */
+/* $NetBSD: remoteconf.h,v 1.12 2010/06/22 09:41:33 vanhu Exp $ */
 /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
@@ -80,7 +80,8 @@
 /* Script hooks */
 #define SCRIPT_PHASE1_UP 0
 #define SCRIPT_PHASE1_DOWN 1
-#define SCRIPT_MAX 1
+#define SCRIPT_PHASE1_DEAD 2
+#define SCRIPT_MAX 2
 extern char *script_names[SCRIPT_MAX + 1]; struct remoteconf {
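Review bot: `SCRIPT_MAX` in the remoteconf.h hunk at `@@ -80,7 +80,8 @@` is the highest hook index rather than a count, and it is a second literal that has to be bumped by hand together with the `script_names` initializer in the remoteconf.c hunk above. If a later hook raises `SCRIPT_MAX` without adding a name, `script_names[SCRIPT_MAX + 1]` compiles cleanly with a NULL last entry, which any code that passes the name to a script or a log format would then have to survive. Tying the bound to the last hook, `#define SCRIPT_MAX SCRIPT_PHASE1_DEAD`, with a comment such as `/* highest script hook index; keep script_names[] in remoteconf.c in sync */`, removes one manual step and states the meaning of the constant.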