vici: Match identity with wildcards against remote ID in redirect command
authorTobias Brunner <tobias@strongswan.org>
Tue, 28 Apr 2015 16:33:31 +0000 (18:33 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 4 Mar 2016 15:02:59 +0000 (16:02 +0100)
src/libcharon/plugins/vici/README.md
src/libcharon/plugins/vici/vici_control.c
src/swanctl/commands/redirect.c

index d084883..54291b8 100644 (file)
@@ -298,7 +298,8 @@ supported by the peer.
                ike = <redirect an IKE_SA by configuration name>
                ike-id = <redirect an IKE_SA by its unique id>
                peer-ip = <redirect an IKE_SA with matching peer IP>
-               peer-id = <redirect an IKE_SA with matching peer identity>
+               peer-id = <redirect an IKE_SA with matching peer identity, may contain
+                                  wildcards>
        } => {
                success = <yes or no>
                errmsg = <error string on failure>
index 7bcab0e..a63caf0 100644 (file)
@@ -366,7 +366,7 @@ CALLBACK(redirect, vici_message_t*,
        enumerator_t *sas;
        char *ike, *peer_ip, *peer_id, *gw, *errmsg = NULL;
        u_int ike_id, current, found = 0;
-       identification_t *gateway, *identity = NULL;
+       identification_t *gateway, *identity = NULL, *other_id;
        host_t *address = NULL;
        ike_sa_t *ike_sa;
        vici_builder_t *builder;
@@ -445,10 +445,13 @@ CALLBACK(redirect, vici_message_t*,
                {
                        continue;
                }
-               if (identity &&
-                       !identity->equals(identity, ike_sa->get_other_eap_id(ike_sa)))
+               if (identity)
                {
-                       continue;
+                       other_id = ike_sa->get_other_eap_id(ike_sa);
+                       if (!other_id->matches(other_id, identity))
+                       {
+                               continue;
+                       }
                }
                lib->processor->queue_job(lib->processor,
                                (job_t*)redirect_job_create(ike_sa->get_id(ike_sa), gateway));
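Review bot: The argument order of `matches()` on the new line `if (!other_id->matches(other_id, identity))` is the easy thing to get backwards here — the SA's identity is the subject and the `--peer-id` value is the pattern — and nothing in the hunk says so; a one-line comment above the call would fix that, e.g. `/* peer-id may contain wildcards: match the SA's identity against it, not the other way round */`. It would also help to state which identity is compared, since `get_other_eap_id()` is used rather than `get_other_id()`; presumably that yields the EAP identity and falls back to the IKE identity when none was exchanged, but that is worth confirming and writing down, because a pattern an operator writes for the IKE ID may then match a different string than expected. Note that a pattern can now select many SAs at once, so the `found` counter, not a single hit, is what the caller should check when confirming the redirect. The enclosing `redirect` callback starts and ends outside this hunk.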
index 0afe96a..295689b 100644 (file)
@@ -117,7 +117,7 @@ static void __attribute__ ((constructor))reg()
        command_register((command_t) {
                redirect, 'd', "redirect", "redirect an IKE_SA",
                {"--ike <name> | --ike-id <id> | --peer-ip <ip>",
-                "--peer-id <id> | --gateway <ip|fqdn> [--raw|--pretty]"},
+                "--peer-id <id|wildcards> | --gateway <ip|fqdn> [--raw|--pretty]"},
                {
                        {"help",                'h', 0, "show usage information"},
                        {"ike",                 'i', 1, "redirect by IKE_SA name"},