author Brian Somers <brian@FreeBSD.org> 2001-05-17 15:30:49 +0000
committer Brian Somers <brian@FreeBSD.org> 2001-05-17 15:30:49 +0000
commit f1b1c5da22766b924ed2e33f96c11dd5349f5948 (patch)
tree 72aa69f592dc373f27b7490c4466ce0d0507e98d /sbin/setkey
parent 10d865720bdf1938703cd25dd2e7ca0973d919d9 (diff)
Allow ``ip4'' as an ``upperspec'' value, and update the man page with *all* the permissible values.

This should really be spelt ipencap (as /etc/protocols does), but a precedent has already been set by the ipproto array in setkey.c.

It would be nice if /etc/protocols was parsed for the upperspec field, but I don't do yacc/lex...

This change allows policies that only encrypt the encapsulated packets passing between the endpoints of a gif tunnel. Setting such a policy means that you can still talk directly (and unencrypted) between the public IP numbers with (say) ssh.

MFC after: 1 week
Notes: svn path=/head/; revision=76750
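The kind of policy the commit message describes, as an added example that is not part of the original commit or the FreeBSD tree. The endpoint addresses are constructed documentation-range values, the choice of ESP in transport mode is an assumption, and the matching security associations are assumed to be installed separately (manually or by a key daemon).

```conf
# Constructed setkey(8) policy file for two gif tunnel endpoints.
# 192.0.2.1 is the local public address, 198.51.100.1 the remote one
# (both are placeholder values, not taken from the commit).

spdflush;

# Match only upper-layer protocol 4 (IPv4-in-IP, the packets gif emits
# when carrying IPv4) between the two public addresses and require ESP.
spdadd 192.0.2.1/32 198.51.100.1/32 ip4 -P out ipsec esp/transport//require;
spdadd 198.51.100.1/32 192.0.2.1/32 ip4 -P in  ipsec esp/transport//require;

# For contrast (left commented out): an upperspec of "any" would pull every
# protocol between the endpoints into IPsec, including direct ssh.
# spdadd 192.0.2.1/32 198.51.100.1/32 any -P out ipsec esp/transport//require;
# spdadd 198.51.100.1/32 192.0.2.1/32 any -P in  ipsec esp/transport//require;
```

Because the selector is protocol 4 only, anything else sent directly between the public addresses stays outside the policy and goes out in the clear; a gif tunnel carrying IPv6 uses a different protocol number and is not matched by `ip4` either.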
Diffstat (limited to 'sbin/setkey')
-rw-r--r-- sbin/setkey/setkey.8 | 3
-rw-r--r-- sbin/setkey/token.l | 1
2 files changed, 4 insertions, 0 deletions
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
index 3bfcada11b46..792180064ecc 100644
--- a/sbin/setkey/setkey.8
+++ b/sbin/setkey/setkey.8
@@ -366,6 +366,9 @@ They must be in numeric form.
.It Ar upperspec
Upper-layer protocol to be used.
Currently
+.Li icmp ,
+.Li icmp6 ,
+.Li ip4 ,
.Li tcp ,
.Li udp
and
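Review bot: the new `.Li ip4 ,` entry in the upperspec list gives no hint of what it matches, and the name is easy to read as "any IPv4 traffic". The token.l change maps it to IPPROTO_IPV4, which is IP-in-IP encapsulation (the protocol /etc/protocols calls ipencap, as the commit message says). Suggest adding a sentence after the list stating that ip4 selects IPv4-in-IP encapsulated packets such as gif tunnel traffic, so that someone writing a policy does not assume it covers more than it does.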
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
index 8916fdd79ee8..c2eaad5ac5e8 100644
--- a/sbin/setkey/token.l
+++ b/sbin/setkey/token.l
@@ -200,6 +200,7 @@ nocyclic-seq { PREPROC; return(NOCYCLICSEQ); }
/* upper layer protocols */
icmp { PREPROC; yylval.num = IPPROTO_ICMP; return(UP_PROTO); }
icmp6 { PREPROC; yylval.num = IPPROTO_ICMPV6; return(UP_PROTO); }
+ip4 { PREPROC; yylval.num = IPPROTO_IPV4; return(UP_PROTO); }
tcp { PREPROC; yylval.num = IPPROTO_TCP; return(UP_PROTO); }
udp { PREPROC; yylval.num = IPPROTO_UDP; return(UP_PROTO); }
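Review bot: the added `ip4` rule introduces a keyword that differs from the /etc/protocols name for the same protocol (ipencap, per the commit message), and nothing at the rule records why. A short comment above the rule pointing at the ipproto array in setkey.c as the reason for the spelling would help the next reader, and a second rule accepting `ipencap` with the same IPPROTO_IPV4 value would let policy files use either name.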