Understand IPPROTO_ESP and IPPROTO_AH packets

Submitted by: Angelos D. Keromytis <angelos@dsl.cis.upenn.edu>

usr.sbin/ppp/filter.h

@@ -32,6 +32,8 @@
 #ifdef IPPROTO_GRE
 #define P_GRE   6
 #endif
+#define P_ESP   7
+#define P_AH    8
 
 /* Operations - f_srcop, f_dstop */
 #define	OP_NONE	0

usr.sbin/ppp/ip.c

@@ -269,6 +269,16 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
             sport = ntohs(0);
             break;
 #endif
+          case IPPROTO_ESP:
+            cproto = P_ESP;
+            estab = syn = finrst = -1;
+            sport = ntohs(0);
+            break;
+          case IPPROTO_AH:
+            cproto = P_AH;
+            estab = syn = finrst = -1;
+            sport = ntohs(0);
+            break;
           case IPPROTO_UDP:
           case IPPROTO_IPIP:
             cproto = P_UDP;
@@ -636,6 +646,30 @@ PacketCheck(struct bundle *bundle, unsigned char *cp, int nb,
     }
     break;
 
+  case IPPROTO_ESP:
+    if (logit && loglen < sizeof logbuf) {
+      snprintf(logbuf + loglen, sizeof logbuf - loglen,
+               "ESP: %s ---> ", inet_ntoa(pip->ip_src));
+      loglen += strlen(logbuf + loglen);
+      snprintf(logbuf + loglen, sizeof logbuf - loglen,
+               "%s, spi %08x", inet_ntoa(pip->ip_dst),
+               (u_int32_t) ptop);
+      loglen += strlen(logbuf + loglen);
+    }
+    break;
+
+  case IPPROTO_AH:
+    if (logit && loglen < sizeof logbuf) {
+      snprintf(logbuf + loglen, sizeof logbuf - loglen,
+               "AH: %s ---> ", inet_ntoa(pip->ip_src));
+      loglen += strlen(logbuf + loglen);
+      snprintf(logbuf + loglen, sizeof logbuf - loglen,
+               "%s, spi %08x", inet_ntoa(pip->ip_dst),
+               (u_int32_t) (ptop + sizeof(u_int32_t)));
+      loglen += strlen(logbuf + loglen);
+    }
+    break;
+
   case IPPROTO_IGMP:
     if (logit && loglen < sizeof logbuf) {
       uh = (struct udphdr *) ptop;