Use whack_attribute in pluto to provide in-memory IP address pools.
authorTobias Brunner <tobias@strongswan.org>
Tue, 30 Mar 2010 17:10:05 +0000 (19:10 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 6 Apr 2010 10:47:39 +0000 (12:47 +0200)
The pools are configured by setting rightsourceip in ipsec.conf to a
network in CIDR notation.

src/pluto/connections.c
src/pluto/modecfg.c
src/pluto/plutomain.c

index 421dd79..38803ea 100644 (file)
@@ -62,6 +62,7 @@
 #include "kernel_alg.h"
 #include "nat_traversal.h"
 #include "virtual.h"
+#include "whack_attribute.h"
 
 static void flush_pending_by_connection(connection_t *c);  /* forward */
 
@@ -854,7 +855,7 @@ static void load_end_certificate(char *filename, struct end *dst)
 }
 
 static bool extract_end(struct end *dst, const whack_end_t *src,
-                                               const char *which)
+                                               const char *name, const char *which)
 {
        bool same_ca = FALSE;
 
@@ -911,10 +912,22 @@ static bool extract_end(struct end *dst, const whack_end_t *src,
        dst->updown = clone_str(src->updown);
        dst->host_port = src->host_port;
 
-       /* if the sourceip netmask is zero a named pool exists */
-       if (src->sourceip_mask == 0)
+       if (streq(which, "right"))
        {
-               dst->pool = clone_str(src->sourceip);
+               /* if the sourceip netmask is zero a named pool exists */
+               if (src->sourceip_mask == 0)
+               {
+                       dst->pool = clone_str(src->sourceip);
+               }
+               else if (whack_attr->add_pool(whack_attr, name, src))
+               {       /* otherwise we try to add a new in-memory pool, which in case of
+                        * %config (sourceip == NULL, sourceip_maks == 1) just returns
+                        * the requested address */
+                       dst->pool = clone_str(name);
+                       dst->modecfg = TRUE;
+                       /* reset the host sourceip so it gets assigned in modecfg */
+                       anyaddr(AF_INET, &dst->host_srcip);
+               }
        }
 
        /* if host sourceip is defined but no client is present
@@ -1119,8 +1132,8 @@ void add_connection(const whack_message_t *wm)
 
                c->requested_ca = NULL;
 
-               same_leftca  = extract_end(&c->spd.this, &wm->left, "left");
-               same_rightca = extract_end(&c->spd.that, &wm->right, "right");
+               same_leftca  = extract_end(&c->spd.this, &wm->left, wm->name, "left");
+               same_rightca = extract_end(&c->spd.that, &wm->right, wm->name, "right");
 
                if (same_rightca && c->spd.this.ca)
                {
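Review bot: In extract_end, when whack_attr->add_pool() returns FALSE (a rightsourceip network that cannot be turned into a pool), the new else-if branch is simply skipped: dst->pool stays unset, dst->modecfg is not raised and nothing is logged, so the connection loads as if no pool had been requested. Unless add_pool() reports the failure itself (not visible here), add a trailing branch such as `else { plog("unable to create in-memory pool for \"%s\"", name); }` so a misconfigured pool is visible at load time rather than at the first MODE_CFG exchange. The comment on the new branch also misspells the field: `sourceip_maks` should read `sourceip_mask`. extract_end continues outside the hunk, so whether a later check in the function covers the unset pool cannot be confirmed from here.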
index 5622dc9..dcb8b3c 100644 (file)
@@ -151,7 +151,7 @@ static void get_internal_addr(connection_t *c, host_t *requested_vip,
        {
                ia->ipaddr = c->spd.that.host_srcip;
                vip = host_create_from_sockaddr((sockaddr_t*)&ia->ipaddr);
-               plog("assigning virtual IP  %H to peer", vip);
+               plog("assigning virtual IP %H to peer", vip);
        }
 
        if (!isanyaddr(&ia->ipaddr))        /* We got an IP address, send it */
index 98195ca..9c1cb77 100644 (file)
@@ -75,6 +75,7 @@
 #include "timer.h"
 #include "vendor.h"
 #include "builder.h"
+#include "whack_attribute.h"
 
 static void usage(const char *mess)
 {
@@ -684,6 +685,7 @@ int main(int argc, char **argv)
        init_myid();
        fetch_initialize();
        ac_initialize();
+       whack_attribute_initialize();
 
        /* drop unneeded capabilities and change UID/GID */
        prctl(PR_SET_KEEPCAPS, 1);
@@ -758,6 +760,7 @@ void exit_pluto(int status)
        free_preshared_secrets();
        free_remembered_public_keys();
        delete_every_connection();
+       whack_attribute_finalize(); /* free in-memory pools */
        fetch_finalize();           /* stop fetching thread */
        free_crl_fetch();           /* free chain of crl fetch requests */
        free_ocsp_fetch();          /* free chain of ocsp fetch requests */
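Review bot: whack_attribute_initialize() is added to main() without any result check, and its return type is not visible in this commit; if it can fail, every later whack_attr->add_pool() call in extract_end would dereference an uninitialized whack_attr. If the call cannot fail, a short comment would make that explicit, e.g. `whack_attribute_initialize(); /* sets up whack_attr for in-memory pools */`; if it can, its result should be checked before connections are loaded. The teardown order in exit_pluto looks right: whack_attribute_finalize() runs after delete_every_connection(), so no connection still references a pool by name. Both main() and exit_pluto() extend beyond the hunks shown.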