Add support for specifying an IPsec policy.

Approved by:	maintainer

net/obnc/Makefile

@@ -7,6 +7,7 @@
 
 PORTNAME=	obnc
 PORTVERSION=	20010703
+PORTREVISION=	1
 CATEGORIES=	net ipv6
 MASTER_SITES=	${MASTER_SITE_LOCAL} \
 		http://www.unixfreak.org/~dima/distfiles/
@@ -18,6 +19,9 @@ MANSECTS=	1
 MAN1=		nc.1
 MANCOMPRESSED=	maybe
 
+CFLAGS+=	-DIPSEC
+MAKE_ENV=	LDADD="${LDADD} -lipsec"
+
 # MAN page COMPression SUFFIX
 .if !defined(NOMANCOMPRESS)
 MANCOMPSUFFIX=	.gz

net/obnc/files/patch-nc.1

@@ -0,0 +1,36 @@
+--- nc.1.orig	Fri Oct 19 07:42:18 2001
++++ nc.1	Fri Oct 19 07:52:16 2001
+@@ -33,7 +33,8 @@
+ .Nd "arbitrary TCP and UDP connections and listens"
+ .Sh SYNOPSIS
+ .Nm nc
+-.Op Fl 46hklnrtuvz
++.Op Fl 46Ehklnrtuvz
++.Op Fl e Ar IPsec policy
+ .Op Fl i Ar interval
+ .Op Fl p Ar source port
+ .Op Fl s Ar source ip address
+@@ -90,6 +91,12 @@
+ Prints out
+ .Nm
+ help.
++.It Fl E
++Shortcut for "-e 'in ipsec esp/transport//require' -e 'out ipsec esp/transport//require'", which enables IPsec ESP transport mode in both directions.
++.It Fl e
++If IPsec support is available, then one can specify the IPsec policies to be used using the syntax described in
++.Xr ipsec_set_policy 3 .
++This flag can be specified up to two times, as typically one policy for each direction is needed.
+ .It Fl i Ar interval
+ Specifies a delay time interval between lines of text sent and received.
+ Also causes a delay time between connections to multiple ports.
+@@ -149,6 +156,10 @@
+ .It Li "nc -s 10.1.2.3 example.host 42"
+ Open a TCP connection to port 42 of example.host using 10.1.2.3 as the
+ IP for the local end of the connection.
++.It Li "nc -E example.host 42"
++Open a TCP connection to port 42 of example.host using IPsec ESP for incoming and outgoing traffic.
++.It Li "nc -e 'out ipsec esp/transport//require' example.host 42"
++Open a TCP connection to port 42 of example.host using IPsec ESP for outgoing traffic only.
+ .It Li "nc -v hostname 42"
+ Open a TCP connection to port 42 of hostname, displaying some
+ diagnostic messages on stderr.

net/obnc/files/patch-netcat.c

@@ -0,0 +1,162 @@
+--- netcat.c.orig	Wed Jun 27 02:23:58 2001
++++ netcat.c	Fri Oct 19 07:31:54 2001
+@@ -36,6 +36,9 @@
+ #include <sys/time.h>
+ 
+ #include <netinet/in.h>
++#ifdef IPSEC
++#include <netinet6/ipsec.h>
++#endif
+ #include <arpa/telnet.h>
+ 
+ #include <err.h>
+@@ -51,6 +54,7 @@
+ #define PORT_MAX 65535
+ 
+ /* Command Line Options */
++int	Eflag;					/* Use IPsec ESP */
+ int	iflag;					/* Interval Flag */
+ int	kflag;					/* More than one connect */
+ int	lflag;					/* Bind to local port */
+@@ -77,12 +81,18 @@
+ int	udptest __P((int));
+ void	usage __P((int));
+ 
++#ifdef IPSEC
++void	add_ipsec_policy __P((int, const char *));
++
++char	*ipsec_policy[2];
++#endif
++
+ int
+ main(argc, argv)
+ 	int argc;
+ 	char *argv[];
+ {
+-	int ch, s, ret;
++	int ch, s, ret, ipsec_count;
+ 	char *host, *uport, *endp;
+ 	struct addrinfo hints;
+ 	struct servent *sv;
+@@ -91,12 +101,13 @@
+ 
+ 	ret = 1;
+ 	s = 0;
++	ipsec_count = 0;
+ 	host = NULL;
+ 	uport = NULL;
+ 	endp = NULL;
+ 	sv = NULL;
+ 
+-	while ((ch = getopt(argc, argv, "46hi:klnp:rs:tuvw:z")) != -1) {
++	while ((ch = getopt(argc, argv, "46e:Ehi:klnp:rs:tuvw:z")) != -1) {
+ 		switch (ch) {
+ 		case '4':
+ 			family = AF_INET;
+@@ -104,6 +115,21 @@
+ 		case '6':
+ 			family = AF_INET6;
+ 			break;
++		case 'e':
++#ifdef IPSEC
++			ipsec_policy[ipsec_count++ % 2] = optarg;
++#else
++			errx(1, "IPsec support unavailable.");
++#endif
++			break;
++		case 'E':
++#ifdef IPSEC
++			ipsec_policy[0] = "in  ipsec esp/transport//require";
++			ipsec_policy[1] = "out ipsec esp/transport//require";
++#else
++			errx(1, "IPsec support unavailable.");
++#endif
++			break;
+ 		case 'h':
+ 			help();
+ 			break;
+@@ -295,6 +321,12 @@
+ 		if ((s = socket(res0->ai_family, res0->ai_socktype,
+ 				res0->ai_protocol)) < 0)
+ 			continue;
++#ifdef IPSEC
++		if (ipsec_policy[0] != NULL)
++			add_ipsec_policy(s, ipsec_policy[0]);
++		if (ipsec_policy[1] != NULL)
++			add_ipsec_policy(s, ipsec_policy[1]);
++#endif
+ 
+ 		/* Bind to a local port or source address if specified */
+ 		if (sflag || pflag) {
+@@ -372,6 +404,12 @@
+ 		ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
+ 		if (ret == -1)
+ 			err(1, NULL);
++#ifdef IPSEC
++		if (ipsec_policy[0] != NULL)
++			add_ipsec_policy(s, ipsec_policy[0]);
++		if (ipsec_policy[1] != NULL)
++			add_ipsec_policy(s, ipsec_policy[1]);
++#endif
+ 
+ 		if (bind(s, (struct sockaddr *)res0->ai_addr,
+ 						res0->ai_addrlen) == 0)
+@@ -571,7 +609,13 @@
+ 	usage(0);
+ 	fprintf(stderr, "\tCommand Summary:\n\
+ 	\t-4		Use IPv4\n\
+-	\t-6		Use IPv6\n\
++	\t-6		Use IPv6\n");
++#ifdef IPSEC
++	fprintf(stderr, "\
++	\t-e policy	Use specified IPsec policy\n\
++	\t-E		Use IPsec ESP\n");
++#endif
++	fprintf(stderr, "\
+ 	\t-h		This help text\n\
+ 	\t-i secs\t	Delay interval for lines sent, ports scanned\n\
+ 	\t-k		Keep inbound sockets open for multiple connects\n\
+@@ -586,14 +630,43 @@
+ 	\t-w secs\t	Timeout for connects and final net reads\n\
+ 	\t-z		Zero-I/O mode [used for scanning]\n\
+ 	Port numbers can be individual or ranges: lo-hi [inclusive]\n");
++#ifdef IPSEC
++	fprintf(stderr, "See ipsec_set_policy(3) for -e argument format\n");
++#endif
+ 	exit(1);
+ }
+ 
++#ifdef IPSEC
++void
++add_ipsec_policy(int s, const char *policy)
++{
++	char *raw;
++	int e;
++
++	raw = ipsec_set_policy(policy, strlen(policy));
++	if (raw == NULL)
++		errx(1, "ipsec_set_policy `%s': %s", policy,
++		    ipsec_strerror());
++	e = setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, raw,
++	    ipsec_get_policylen(raw));
++	if (e < 0)
++		err(1, "ipsec policy cannot be configured");
++	free(raw);
++	if (vflag)
++		fprintf(stderr, "ipsec policy configured: `%s'\n", policy);
++	return;
++}
++#endif /* IPSEC */
++
+ void
+ usage(ret)
+ 	int ret;
+ {
++#ifdef IPSEC
++	fprintf(stderr, "usage: nc [-46Ehklnrtuvz] [-e policy] [-i interval] [-p source port]\n");
++#else
+ 	fprintf(stderr, "usage: nc [-46hklnrtuvz] [-i interval] [-p source port]\n");
++#endif
+ 	fprintf(stderr, "\t  [-s ip address] [-w timeout] [hostname] [port[s...]]\n");
+ 	if (ret)
+ 		exit(1);