NetBSD-Bugs archive
bin/39056: setkey doesn't support correctly icmp
>Number: 39056
>Category: bin
>Synopsis: setkey doesn't support correctly icmp
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jun 27 23:25:00 +0000 2008
>Originator: Arnaud Degroote
>Release: 4.99.66
>Organization:
TNF
>Environment:
NetBSD Amilo.at.home 4.99.66 NetBSD 4.99.66 (GENERIC) #0: Sat Jun 21 14:13:46
CEST 2008
zul%Amilo.at.home@localhost:/home/zul/netbsd-dev/build_temp/objdir/sys/arch/i386/compile/GENERIC
i386
>Description:
Something like this:
    spdadd $A $B icmp 8 -P in ipsec esp/tunnel/$A-$B/require;
fails with the error:
    line 0: syntax error at [8]
If I understand RFC 4301 correctly, we probably need to support it (4.4.1.1).
>How-To-Repeat:
spdadd $A $B icmp 8 -P in ipsec esp/tunnel/$A-$B/require;
>Fix:
The current code of spdadd_command in parse.y:
	/* fixed port fields if ulp is icmpv6 */
	if ($10.buf != NULL) {
		if ( ($9 != IPPROTO_ICMPV6) &&
		     ($9 != IPPROTO_MH))
			return -1;
		free($5.buf);
		free($8.buf);
		if (fix_portstr(&$10, &$5, &$8))
			return -1;
	}
I suspect that just adding the test case for IPPROTO_ICMP is probably enough.
The same thing will be necessary in spddelete_command.
I haven't tested it atm, so it may be completely wrong. We need to be sure that
fix_portstr will be ok too in the IPPROTO_ICMP case (if the problem comes from here).