Support of IP address ranges in traffic selectors
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 10 Mar 2016 11:00:56 +0000 (12:00 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 10 Mar 2016 12:59:37 +0000 (13:59 +0100)
src/libcharon/plugins/updown/updown_listener.c
src/libcharon/plugins/vici/vici_config.c

index e472a17..e51caab 100644 (file)
@@ -311,11 +311,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
                         ike_sa->get_unique_id(ike_sa));
        push_env(envp, countof(envp), "PLUTO_ME=%H", me);
        push_env(envp, countof(envp), "PLUTO_MY_ID=%Y", ike_sa->get_my_id(ike_sa));
-       if (my_ts->to_subnet(my_ts, &host, &mask))
+       if (!my_ts->to_subnet(my_ts, &host, &mask))
        {
-               push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
-               host->destroy(host);
+               DBG1(DBG_CHD, "updown approximates local TS %R "
+                                         "by next larger subnet", my_ts);
        }
+       push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
+       host->destroy(host);
        push_env(envp, countof(envp), "PLUTO_MY_PORT=%s",
                         get_port(my_ts, other_ts, port_buf, TRUE));
        push_env(envp, countof(envp), "PLUTO_MY_PROTOCOL=%u",
@@ -323,11 +325,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
        push_env(envp, countof(envp), "PLUTO_PEER=%H", other);
        push_env(envp, countof(envp), "PLUTO_PEER_ID=%Y",
                         ike_sa->get_other_id(ike_sa));
-       if (other_ts->to_subnet(other_ts, &host, &mask))
+       if (!other_ts->to_subnet(other_ts, &host, &mask))
        {
-               push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
-               host->destroy(host);
+               DBG1(DBG_CHD, "updown approximates remote TS %R "
+                                         "by next larger subnet", other_ts);
        }
+       push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
+       host->destroy(host);
        push_env(envp, countof(envp), "PLUTO_PEER_PORT=%s",
                         get_port(my_ts, other_ts, port_buf, FALSE));
        push_env(envp, countof(envp), "PLUTO_PEER_PROTOCOL=%u",
index 27268a5..6da663b 100644 (file)
@@ -3,7 +3,7 @@
  * Copyright (C) 2014 revosec AG
  *
  * Copyright (C) 2015-2016 Tobias Brunner
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -646,6 +646,22 @@ CALLBACK(parse_ts, bool,
        {
                ts = traffic_selector_create_dynamic(proto, from, to);
        }
+       else if (strchr(buf, '-'))
+       {
+               host_t *lower, *upper;
+               ts_type_t type;
+
+               if (host_create_from_range(buf, &lower, &upper))
+               {
+                       type = (lower->get_family(lower) == AF_INET) ?
+                                                               TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
+                       ts = traffic_selector_create_from_bytes(proto, type,
+                                                               lower->get_address(lower), from,
+                                                               upper->get_address(upper), to);
+                       lower->destroy(lower);
+                       upper->destroy(upper);
+               }
+       }
        else
        {
                ts = traffic_selector_create_from_cidr(buf, proto, from, to);