On Wed, Oct 09, 2024 at 10:34:20AM +0200, Claudio Jeker wrote:
> This adds the parse.y and printconf.c bits to configure tcp md5sum and
> ipsec for rtr sessions.
> 
> I tested that this does not break tcp md5 for BGP sessions but I have no
> rtr cache that supports tcp md5 at hand so that part is untested. Also
> ipsec is untested.
> 
> As usual with touching parse.y it can't be easy. I wanted to use one
> single set of yacc rules for the auth_config.  Since manual IPsec
> requires two flows (in and out) one needs to merge the authconf and
> so there is now merge_auth_conf() with a overly complex if statement.
> I hope I got that one right.

It reads fine.

ok tb

Just one thing:

> +static int
> +merge_auth_conf(struct auth_config *to, struct auth_config *from)
> +{
> +	if (to->method != 0) {
> +		/* extra magic for manual ipsec rules */
> +		if (to->method == from->method &&
> +		    (to->method == AUTH_IPSEC_MANUAL_ESP ||
> +		    to->method == AUTH_IPSEC_MANUAL_AH)) {
> +			if (to->spi_in == 0 && from->spi_in != 0) {
> +				to->spi_in = from->spi_in;
> +				to->auth_alg_in = from->auth_alg_in;
> +				to->enc_alg_in = from->enc_alg_in;
> +				memcpy(to->enc_key_in, from->enc_key_in,
> +				    sizeof(to->enc_key_in));
> +				to->enc_keylen_in = from->enc_keylen_in;
> +				to->auth_keylen_in = from->auth_keylen_in;
> +				return 1;
> +			} else if (to->spi_out == 0 && from->spi_out != 0) {
> +				to->spi_out = from->spi_out;
> +				to->auth_alg_out = from->auth_alg_out;
> +				to->enc_alg_out = from->enc_alg_out;
> +				memcpy(to->enc_key_out, from->enc_key_out,
> +				    sizeof(to->enc_key_out));
> +				to->enc_keylen_out = from->enc_keylen_out;
> +				to->auth_keylen_out = from->auth_keylen_out;
> +				return 1;
> +			}

Should we really "fall through" and raise the redefined auth method
error from here? Feels like something else is badly wrong.

> +		}
> +		yyerror("auth method cannot be redefined");
> +		return 0;
> +	}
> +	*to = *from;
> +	return 1;
> +}
> +