implementation of an CFG attribute framework, currently supporting virtual IPs
authorMartin Willi <martin@strongswan.org>
Wed, 9 Apr 2008 12:54:47 +0000 (12:54 -0000)
committerMartin Willi <martin@strongswan.org>
Wed, 9 Apr 2008 12:54:47 +0000 (12:54 -0000)
updated ipsec.conf sourceip parameter to support
CIDR notatation to serve from a pool
%poolname to query a separate (database?) pool

19 files changed:
src/charon/Makefile.am
src/charon/config/attributes/attribute_manager.c [new file with mode: 0644]
src/charon/config/attributes/attribute_manager.h [new file with mode: 0644]
src/charon/config/attributes/attribute_provider.h [new file with mode: 0644]
src/charon/config/peer_cfg.c
src/charon/config/peer_cfg.h
src/charon/daemon.c
src/charon/daemon.h
src/charon/plugins/stroke/stroke_config.c
src/charon/sa/ike_sa.c
src/charon/sa/tasks/child_create.c
src/charon/sa/tasks/ike_config.c
src/starter/cmp.c
src/starter/confread.c
src/starter/confread.h
src/starter/starterstroke.c
src/starter/starterwhack.c
src/stroke/stroke.c
src/stroke/stroke_msg.h

index b0404ea..7a1c2e5 100644 (file)
@@ -10,6 +10,8 @@ config/ike_cfg.c config/ike_cfg.h \
 config/peer_cfg.c config/peer_cfg.h \
 config/proposal.c config/proposal.h \
 config/traffic_selector.c config/traffic_selector.h \
+config/attributes/attribute_provider.h \
+config/attributes/attribute_manager.c config/attributes/attribute_manager.h \
 control/controller.c control/controller.h \
 daemon.c daemon.h \
 encoding/generator.c encoding/generator.h \
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c
new file mode 100644 (file)
index 0000000..0ec84c7
--- /dev/null
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "attribute_manager.h"
+
+#include <utils/linked_list.h>
+#include <utils/mutex.h>
+
+typedef struct private_attribute_manager_t private_attribute_manager_t;
+
+/**
+ * private data of attribute_manager
+ */
+struct private_attribute_manager_t {
+
+       /**
+        * public functions
+        */
+       attribute_manager_t public;
+       
+       /**
+        * list of registered providers
+        */
+       linked_list_t *providers;
+       
+       /**
+        * mutex to lock provider list
+        */
+       mutex_t *mutex;
+};
+
+/**
+ * Implementation of attribute_manager_t.acquire_address.
+ */
+static host_t* acquire_address(private_attribute_manager_t *this,
+                                                          char *pool, identification_t *id,
+                                                          auth_info_t *auth, host_t *requested)
+{
+       enumerator_t *enumerator;
+       attribute_provider_t *current;
+       host_t *host = NULL;
+
+       this->mutex->lock(this->mutex);
+       enumerator = this->providers->create_enumerator(this->providers);
+       while (enumerator->enumerate(enumerator, &current))
+       {
+               host = current->acquire_address(current, pool, id, auth, requested);
+               if (host)
+               {
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->mutex->unlock(this->mutex);
+       
+       return host;
+}
+
+/**
+ * Implementation of attribute_manager_t.release_address.
+ */
+static void release_address(private_attribute_manager_t *this,
+                                                       char *pool, host_t *address)
+{
+       enumerator_t *enumerator;
+       attribute_provider_t *current;
+
+       this->mutex->lock(this->mutex);
+       enumerator = this->providers->create_enumerator(this->providers);
+       while (enumerator->enumerate(enumerator, &current))
+       {
+               if (current->release_address(current, pool, address))
+               {
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of attribute_manager_t.add_provider.
+ */
+static void add_provider(private_attribute_manager_t *this,
+                                                attribute_provider_t *provider)
+{
+       this->mutex->lock(this->mutex);
+       this->providers->insert_last(this->providers, provider);
+       this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of attribute_manager_t.remove_provider.
+ */
+static void remove_provider(private_attribute_manager_t *this,
+                                                       attribute_provider_t *provider)
+{
+       this->mutex->lock(this->mutex);
+       this->providers->remove(this->providers, provider, NULL);
+       this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of attribute_manager_t.destroy
+ */
+static void destroy(private_attribute_manager_t *this)
+{
+       this->providers->destroy(this->providers);
+       this->mutex->destroy(this->mutex);
+       free(this);
+}
+
+/*
+ * see header file
+ */
+attribute_manager_t *attribute_manager_create()
+{
+       private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t);
+       
+       this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,auth_info_t*,host_t*))acquire_address;
+       this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*))release_address;
+       this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider;
+       this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider;
+       this->public.destroy = (void(*)(attribute_manager_t*))destroy;
+       
+       this->providers = linked_list_create();
+       this->mutex = mutex_create(MUTEX_DEFAULT);
+       
+       return &this->public;
+}
+
diff --git a/src/charon/config/attributes/attribute_manager.h b/src/charon/config/attributes/attribute_manager.h
new file mode 100644 (file)
index 0000000..540e054
--- /dev/null
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup attribute_manager attribute_manager
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_MANAGER_H_
+#define ATTRIBUTE_MANAGER_H_
+
+#include <config/attributes/attribute_provider.h>
+
+typedef struct attribute_manager_t attribute_manager_t;
+
+/**
+ * Provide configuration attributes to include in CFG Payloads.
+ */
+struct attribute_manager_t {
+
+       /**
+        * Acquire a virtual IP address to assign to a peer.
+        *
+        * @param pool                  pool name to acquire address from
+        * @param id                    peer identity to get address for
+        * @param auth                  authorization infos of peer
+        * @param requested             IP in configuration request
+        * @return                              allocated address, NULL to serve none
+        */
+       host_t* (*acquire_address)(attribute_manager_t *this,
+                                                          char *pool, identification_t *id,
+                                                          auth_info_t *auth, host_t *requested);
+       
+       /**
+        * Release a previously acquired address.
+        *
+        * @param pool                  pool name from which the address was acquired
+        * @param address               address to release
+        */
+       void (*release_address)(attribute_manager_t *this,
+                                                       char *pool, host_t *address);
+       
+       /**
+        * Register an attribute provider to the manager.
+        *
+        * @param provider              attribute provider to register
+        */
+       void (*add_provider)(attribute_manager_t *this,
+                                                attribute_provider_t *provider);
+       /**
+        * Unregister an attribute provider from the manager.
+        *
+        * @param provider              attribute provider to unregister
+        */
+       void (*remove_provider)(attribute_manager_t *this,
+                                                       attribute_provider_t *provider);
+       /**
+     * Destroy a attribute_manager instance.
+     */
+    void (*destroy)(attribute_manager_t *this);
+};
+
+/**
+ * Create a attribute_manager instance.
+ */
+attribute_manager_t *attribute_manager_create();
+
+#endif /* ATTRIBUTE_MANAGER_H_ @}*/
diff --git a/src/charon/config/attributes/attribute_provider.h b/src/charon/config/attributes/attribute_provider.h
new file mode 100644 (file)
index 0000000..1712bd1
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup attribute_provider attribute_provider
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_PROVIDER_H_
+#define ATTRIBUTE_PROVIDER_H_
+
+#include <library.h>
+#include <utils/host.h>
+#include <credentials/auth_info.h>
+
+typedef struct attribute_provider_t attribute_provider_t;
+
+/**
+ * Interface to provide attributes to peers through attribute manager.
+ */
+struct attribute_provider_t {
+
+       /**
+        * Acquire a virtual IP address to assign to a peer.
+        *
+        * @param pool                  name of the pool to acquire address from
+        * @param id                    peer ID
+        * @param auth                  authorization infos
+        * @param requested             IP in configuration request
+        * @return                              allocated address, NULL to serve none
+        */
+       host_t* (*acquire_address)(attribute_provider_t *this,
+                                                          char *pool, identification_t *id, 
+                                                          auth_info_t *auth, host_t *requested);
+       /**
+        * Release a previously acquired address.
+        *
+        * @param pool                  name of the pool this address was acquired from
+        * @param address               address to release
+        * @return                              TRUE if the address has been released by the provider
+        */
+       bool (*release_address)(attribute_provider_t *this,
+                                                       char *pool, host_t *address);
+};
+
+#endif /* ATTRIBUTE_PROVIDER_H_ @}*/
index d85935c..f0804d9 100644 (file)
@@ -153,12 +153,12 @@ struct private_peer_cfg_t {
        /**
         * virtual IP to use locally
         */
-       host_t *my_virtual_ip;
+       host_t *virtual_ip;
        
        /**
-        * virtual IP to use remotly
+        * pool to acquire configuration attributes from
         */
-       host_t *other_virtual_ip;
+       char *pool;
        
        /**
         * required authorization constraints
@@ -396,35 +396,19 @@ static dpd_action_t get_dpd_action(private_peer_cfg_t *this)
 }
 
 /**
- * Implementation of peer_cfg_t.get_my_virtual_ip.
+ * Implementation of peer_cfg_t.get_virtual_ip.
  */
-static host_t* get_my_virtual_ip(private_peer_cfg_t *this)
+static host_t* get_virtual_ip(private_peer_cfg_t *this)
 {
-       if (this->my_virtual_ip == NULL)
-       {
-               return NULL;
-       }
-       return this->my_virtual_ip->clone(this->my_virtual_ip);
+       return this->virtual_ip;
 }
-
+       
 /**
- * Implementation of peer_cfg_t.get_other_virtual_ip.
+ * Implementation of peer_cfg_t.get_pool.
  */
-static host_t* get_other_virtual_ip(private_peer_cfg_t *this, host_t *suggestion)
+static char* get_pool(private_peer_cfg_t *this)
 {
-       if (this->other_virtual_ip == NULL)
-       {       /* disallow */
-               return NULL;
-       }
-       if (!this->other_virtual_ip->is_anyaddr(this->other_virtual_ip))
-       {       /* force own configuration */
-               return this->other_virtual_ip->clone(this->other_virtual_ip);
-       }
-       if (suggestion == NULL || suggestion->is_anyaddr(suggestion))
-       {
-               return NULL;
-       }
-       return suggestion->clone(suggestion);
+       return this->pool;
 }
        
 /**
@@ -491,12 +475,10 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
                this->over_time == other->over_time &&
                this->dpd_delay == other->dpd_delay &&
                this->dpd_action == other->dpd_action &&
-               (this->my_virtual_ip == other->my_virtual_ip ||
-                (this->my_virtual_ip && other->my_virtual_ip &&
-                 this->my_virtual_ip->equals(this->my_virtual_ip, other->my_virtual_ip))) &&
-               (this->other_virtual_ip == other->other_virtual_ip ||
-                (this->other_virtual_ip && other->other_virtual_ip &&
-                 this->other_virtual_ip->equals(this->other_virtual_ip, other->other_virtual_ip))) &&
+               (this->virtual_ip == other->virtual_ip ||
+                (this->virtual_ip && other->virtual_ip &&
+                 this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) &&
+               (this->pool == other->pool || streq(this->pool, other->pool)) &&
                this->auth->equals(this->auth, other->auth) 
 #ifdef ME
                && this->mediation == other->mediation &&
@@ -527,14 +509,14 @@ static void destroy(private_peer_cfg_t *this)
                this->child_cfgs->destroy_offset(this->child_cfgs, offsetof(child_cfg_t, destroy));
                this->my_id->destroy(this->my_id);
                this->other_id->destroy(this->other_id);
-               DESTROY_IF(this->my_virtual_ip);
-               DESTROY_IF(this->other_virtual_ip);
+               DESTROY_IF(this->virtual_ip);
                this->auth->destroy(this->auth);
 #ifdef ME
                DESTROY_IF(this->mediated_by);
                DESTROY_IF(this->peer_id);
 #endif /* ME */
                free(this->name);
+               free(this->pool);
                free(this);
        }
 }
@@ -551,7 +533,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
                                                        u_int32_t reauth_time, u_int32_t jitter_time,
                                                        u_int32_t over_time, bool mobike,
                                                        u_int32_t dpd_delay, dpd_action_t dpd_action,
-                                                       host_t *my_virtual_ip, host_t *other_virtual_ip,
+                                                       host_t *virtual_ip, char *pool,
                                                        bool mediation, peer_cfg_t *mediated_by,
                                                        identification_t *peer_id)
 {
@@ -577,8 +559,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
        this->public.use_mobike = (bool (*) (peer_cfg_t *))use_mobike;
        this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay;
        this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action;
-       this->public.get_my_virtual_ip = (host_t* (*) (peer_cfg_t *))get_my_virtual_ip;
-       this->public.get_other_virtual_ip = (host_t* (*) (peer_cfg_t *, host_t *))get_other_virtual_ip;
+       this->public.get_virtual_ip = (host_t* (*) (peer_cfg_t *))get_virtual_ip;
+       this->public.get_pool = (char*(*)(peer_cfg_t*))get_pool;
        this->public.get_auth = (auth_info_t*(*)(peer_cfg_t*))get_auth;
        this->public.equals = (bool(*)(peer_cfg_t*, peer_cfg_t *other))equals;
        this->public.get_ref = (void(*)(peer_cfg_t *))get_ref;
@@ -617,8 +599,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
        this->use_mobike = mobike;
        this->dpd_delay = dpd_delay;
        this->dpd_action = dpd_action;
-       this->my_virtual_ip = my_virtual_ip;
-       this->other_virtual_ip = other_virtual_ip;
+       this->virtual_ip = virtual_ip;
+       this->pool = pool ? strdup(pool) : NULL;
        this->auth = auth_info_create();
        this->refcount = 1;
 #ifdef ME
index 43bcb8e..dedabf0 100644 (file)
@@ -276,21 +276,16 @@ struct peer_cfg_t {
         * used for a request and may be changed by the server.
         *
         * @param suggestion    NULL, %any or specific
-        * @return                              clone of an IP, %any or NULL
+        * @return                              virtual IP, %any or NULL
         */
-       host_t* (*get_my_virtual_ip) (peer_cfg_t *this);
+       host_t* (*get_virtual_ip) (peer_cfg_t *this);
        
        /**
-        * Get a virtual IP for the remote peer.
+        * Get the name of the pool to acquire configuration attributes from.
         *
-        * An IP may be supplied, if one was requested by the initiator. However,
-        * the suggestion is not more as it says, any address may be returned, even
-        * NULL to not use virtual IPs.
-        *
-        * @param suggestion    NULL, %any or specific
-        * @return                              clone of an IP to use
+        * @return                              pool name, NULL if none defined
         */
-       host_t* (*get_other_virtual_ip) (peer_cfg_t *this, host_t *suggestion);
+       char* (*get_pool)(peer_cfg_t *this);
        
 #ifdef ME
        /**
@@ -378,8 +373,8 @@ struct peer_cfg_t {
  * @param mobike                       use MOBIKE (RFC4555) if peer supports it
  * @param dpd_delay                    after how many seconds of inactivity to check DPD
  * @param dpd_action           what to do with CHILD_SAs when detected a dead peer
- * @param my_virtual_ip                virtual IP for local host, or NULL
- * @param other_virtual_ip     virtual IP for remote host, or NULL
+ * @param virtual_ip           virtual IP for local host, or NULL
+ * @param pool                         pool name to get configuration attributes from, or NULL
  * @param mediation                    TRUE if this is a mediation connection
  * @param mediated_by          peer_cfg_t of the mediation connection to mediate through
  * @param peer_id                      ID that identifies our peer at the mediation server
@@ -394,7 +389,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
                                                        u_int32_t reauth_time, u_int32_t jitter_time,
                                                        u_int32_t over_time, bool mobike,
                                                        u_int32_t dpd_delay, dpd_action_t dpd_action,
-                                                       host_t *my_virtual_ip, host_t *other_virtual_ip,
+                                                       host_t *virtual_ip, char *pool,
                                                        bool mediation, peer_cfg_t *mediated_by,
                                                        identification_t *peer_id);
 
index 689bad9..e1e9a71 100644 (file)
@@ -35,8 +35,6 @@
 #include "daemon.h"
 
 #include <library.h>
-#include <credentials/credential_manager.h>
-#include <config/backend_manager.h>
 #include <config/traffic_selector.h>
 
 /* on some distros, a capset definition is missing */
@@ -185,6 +183,7 @@ static void destroy(private_daemon_t *this)
        DESTROY_IF(this->public.mediation_manager);
 #endif /* ME */
        DESTROY_IF(this->public.backends);
+       DESTROY_IF(this->public.attributes);
        DESTROY_IF(this->public.credentials);
        DESTROY_IF(this->public.sender);
        DESTROY_IF(this->public.receiver);
@@ -338,6 +337,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
        this->public.controller = controller_create();
        this->public.eap = eap_manager_create();
        this->public.backends = backend_manager_create();
+       this->public.attributes = attribute_manager_create();
        this->public.plugins = plugin_loader_create();
        this->public.kernel_interface = kernel_interface_create();
        this->public.socket = socket_create();
@@ -408,6 +408,7 @@ private_daemon_t *daemon_create(void)
        this->public.ike_sa_manager = NULL;
        this->public.credentials = NULL;
        this->public.backends = NULL;
+       this->public.attributes = NULL;
        this->public.sender= NULL;
        this->public.receiver = NULL;
        this->public.scheduler = NULL;
index 9da7953..5d59075 100644 (file)
@@ -30,6 +30,9 @@
  * @defgroup config config
  * @ingroup charon
  *
+ * @defgroup attributes attributes
+ * @ingroup config
+ *
  * @defgroup control control
  * @ingroup charon
  *
@@ -157,6 +160,7 @@ typedef struct daemon_t daemon_t;
 #include <bus/listeners/sys_logger.h>
 #include <sa/ike_sa_manager.h>
 #include <config/backend_manager.h>
+#include <config/attributes/attribute_manager.h>
 #include <credentials/credential_manager.h>
 #include <sa/authenticators/eap/eap_manager.h>
 #include <plugins/plugin_loader.h>
@@ -213,6 +217,11 @@ struct daemon_t {
        backend_manager_t *backends;
        
        /**
+        * Manager IKEv2 cfg payload attributes
+        */
+       attribute_manager_t *attributes;
+       
+       /**
         * Manager for the credential backends
         */
        credential_manager_t *credentials;
index ef8ceed..f4f3dbc 100644 (file)
@@ -354,7 +354,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 {
        identification_t *me, *other, *peer_id = NULL;
        peer_cfg_t *mediated_by = NULL;
-       host_t *my_vip = NULL, *other_vip = NULL;
+       host_t *vip = NULL;
        certificate_t *cert;
        u_int32_t rekey = 0, reauth = 0, over, jitter;
        
@@ -457,21 +457,43 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
        {
                rekey = msg->add_conn.rekey.ike_lifetime - over;
        }       
-       if (msg->add_conn.me.virtual_ip && msg->add_conn.me.sourceip)
+       if (msg->add_conn.me.sourceip_size)
        {
-               my_vip = host_create_from_string(msg->add_conn.me.sourceip, 0);
-       }
-       if (msg->add_conn.other.virtual_ip && msg->add_conn.other.sourceip)
-       {
-               other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0);
+               if (msg->add_conn.me.sourceip)
+               {
+                       vip = host_create_from_string(msg->add_conn.me.sourceip, 0);
+               }
+               if (!vip)
+               {       /* if it is set to something like %poolname, request an address */
+                       if (msg->add_conn.me.subnet)
+                       {       /* use the same addreass as in subnet, if any */
+                               if (strchr(msg->add_conn.me.subnet, '.'))
+                               {
+                                       vip = host_create_any(AF_INET);
+                               }
+                               else
+                               {
+                                       vip = host_create_any(AF_INET6);
+                               }
+                       }
+                       else
+                       {
+                               host_t* my_host = ike_cfg->get_my_host(ike_cfg);
+                               vip = host_create_any(my_host->get_family(my_host));
+                       }
+               }
        }
+       /* other.sourceip is managed in stroke_attributes. If it is set, we define
+        * the pool name as the connection name, which the attribute provider
+        * uses to serve pool addresses. */
        return peer_cfg_create(msg->add_conn.name,
                msg->add_conn.ikev2 ? 2 : 1, ike_cfg, me, other,
                msg->add_conn.me.sendcert, msg->add_conn.auth_method,
                msg->add_conn.eap_type, msg->add_conn.eap_vendor,
                msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
                msg->add_conn.mobike, msg->add_conn.dpd.delay, msg->add_conn.dpd.action,
-               my_vip, other_vip, msg->add_conn.ikeme.mediation, mediated_by, peer_id);
+               vip, msg->add_conn.other.sourceip ? msg->add_conn.name : NULL,
+               msg->add_conn.ikeme.mediation, mediated_by, peer_id);
 }
 
 /**
index 1420079..20bbd06 100644 (file)
@@ -2315,7 +2315,16 @@ static void destroy(private_ike_sa_t *this)
                                                                                 this->my_virtual_ip);
                this->my_virtual_ip->destroy(this->my_virtual_ip);
        }
-       DESTROY_IF(this->other_virtual_ip);
+       if (this->other_virtual_ip)
+       {
+               if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
+               {
+                       charon->attributes->release_address(charon->attributes,
+                                                                       this->peer_cfg->get_pool(this->peer_cfg),
+                                                                       this->other_virtual_ip);
+               }
+               this->other_virtual_ip->destroy(this->other_virtual_ip);
+       }
        
        remove_dns_servers(this);
        this->dns_servers->destroy_offset(this->dns_servers,
index 8b711e8..f4f8143 100644 (file)
@@ -535,11 +535,10 @@ static status_t build_i(private_child_create_t *this, message_t *message)
        if (!this->reqid)
        {
                peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-               vip = peer_cfg->get_my_virtual_ip(peer_cfg);
+               vip = peer_cfg->get_virtual_ip(peer_cfg);
                if (vip)
                {
                        propose_all = TRUE;
-                       vip->destroy(vip);
                }
        }
        
index 2af0aed..7bd214f 100644 (file)
@@ -261,14 +261,14 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
                
                /* reuse virtual IP if we already have one */
                vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-               if (vip)
+               if (!vip)
                {
-                       this->virtual_ip = vip->clone(vip);
+                       config = this->ike_sa->get_peer_cfg(this->ike_sa);
+                       vip = config->get_virtual_ip(config);
                }
-               else
+               if (vip)
                {
-                       config = this->ike_sa->get_peer_cfg(this->ike_sa);
-                       this->virtual_ip = config->get_my_virtual_ip(config);
+                       this->virtual_ip = vip->clone(vip);
                }
                
                build_payloads(this, message, CFG_REQUEST);
@@ -305,11 +305,14 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
                        host_t *ip;
                        
                        DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
-                       ip = config->get_other_virtual_ip(config, this->virtual_ip);
-                       if (ip == NULL || ip->is_anyaddr(ip))
+                       ip = charon->attributes->acquire_address(charon->attributes, 
+                                                                       config->get_pool(config),
+                                                                       this->ike_sa->get_other_id(this->ike_sa),
+                                                                       this->ike_sa->get_other_auth(this->ike_sa),
+                                                                       this->virtual_ip);
+                       if (ip == NULL)
                        {
                                DBG1(DBG_IKE, "not assigning a virtual IP to peer");
-                               DESTROY_IF(ip);
                                return SUCCESS;
                        }
                        DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip);
@@ -318,16 +321,6 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
                        this->virtual_ip->destroy(this->virtual_ip);
                        this->virtual_ip = ip;
                        
-                       /* DNS testing values
-                       if (this->dns->remove_last(this->dns, (void**)&ip) == SUCCESS)
-                       {
-                               ip->destroy(ip);
-                               ip = host_create_from_string("10.3.0.1", 0);
-                               this->dns->insert_last(this->dns, ip);
-                               ip = host_create_from_string("10.3.0.2", 0);
-                               this->dns->insert_last(this->dns, ip);
-                       } */
-                       
                        build_payloads(this, message, CFG_REPLY);
                }
                return SUCCESS;
@@ -354,7 +347,11 @@ static status_t process_i(private_ike_config_t *this, message_t *message)
                if (this->virtual_ip == NULL)
                {       /* force a configured virtual IP, even server didn't return one */
                        config = this->ike_sa->get_peer_cfg(this->ike_sa);
-                       this->virtual_ip = config->get_my_virtual_ip(config);
+                       this->virtual_ip = config->get_virtual_ip(config);
+                       if (this->virtual_ip)
+                       {
+                               this->virtual_ip = this->virtual_ip->clone(this->virtual_ip);
+                       }
                }
 
                if (this->virtual_ip && !this->virtual_ip->is_anyaddr(this->virtual_ip))
index 03d98cb..610b089 100644 (file)
@@ -29,6 +29,7 @@
 #define VARCMP(obj) if (c1->obj != c2->obj) return FALSE
 #define ADDCMP(obj) if (!sameaddr(&c1->obj,&c2->obj)) return FALSE
 #define SUBCMP(obj) if (!samesubnet(&c1->obj,&c2->obj)) return FALSE
+#define STRCMP(obj) if (strcmp(c1->obj,c2->obj)) return FALSE
 
 static bool
 starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
@@ -45,12 +46,11 @@ starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
        ADDCMP(addr);
     }
     ADDCMP(nexthop);
-    ADDCMP(srcip);
+    STRCMP(srcip);
     SUBCMP(subnet);
     VARCMP(has_client);
     VARCMP(has_client_wildcard);
     VARCMP(has_port_wildcard);
-    VARCMP(has_srcip);
     VARCMP(modecfg);
     VARCMP(port);
     VARCMP(protocol);
index 0c188ee..bae3437 100644 (file)
@@ -88,10 +88,8 @@ static void default_values(starter_config_t *cfg)
 
        anyaddr(AF_INET, &cfg->conn_default.left.addr);
        anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
-       anyaddr(AF_INET, &cfg->conn_default.left.srcip);
        anyaddr(AF_INET, &cfg->conn_default.right.addr);
        anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
-       anyaddr(AF_INET, &cfg->conn_default.right.srcip);
 
        cfg->ca_default.seen = LEMPTY;
 }
@@ -284,28 +282,41 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
                }
                else
                {
+                       ip_address addr;
+                       ip_subnet net;
+               
                        conn->tunnel_addr_family = ip_version(value);
-                       ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
+                       if (strchr(value, '/'))
+                       {       /* CIDR notation, address pool */
+                               ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
+                       }
+                       else if (value[0] != '%')
+                       {       /* old style fixed srcip, a %poolname otherwise */
+                               ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
+                       }
                        if (ugh != NULL)
                        {
                                plog("# bad addr: %s=%s [%s]", name, value, ugh);
                                goto err;
                        }
-                       end->has_srcip = TRUE;
+                       end->srcip = clone_str(value, "srcip");
                }
                conn->policy |= POLICY_TUNNEL;
                break;
        case KW_NATIP:
-               if (end->has_srcip)
+               if (end->srcip)
                {
                        plog("# natip and sourceip cannot be defined at the same time");
                        goto err;
                }
                if (streq(value, "%defaultroute"))
                {
+                       char buf[64];
+               
                        if (cfg->defaultroute.defined)
                        {
-                               end->srcip    = cfg->defaultroute.addr;
+                               addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
+                               end->srcip = clone_str(buf, "natip");
                        }
                        else
                        {
@@ -315,13 +326,16 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
                }
                else
                {
+                       ip_address addr;
+                       
                        conn->tunnel_addr_family = ip_version(value);
-                       ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
+                       ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
                        if (ugh != NULL)
                        {
                                plog("# bad addr: %s=%s [%s]", name, value, ugh);
                                goto err;
                        }
+                       end->srcip = clone_str(value, "srcip");
                }
                end->has_natip = TRUE;
                conn->policy |= POLICY_TUNNEL;
index 4ccf628..ae25a08 100644 (file)
@@ -67,12 +67,10 @@ struct starter_end {
        char            *iface;
        ip_address      addr;
        ip_address      nexthop;
-       ip_address      srcip;
        ip_subnet       subnet;
        bool            has_client;
        bool            has_client_wildcard;
        bool            has_port_wildcard;
-       bool            has_srcip;
        bool            has_natip;
        bool            modecfg;
        certpolicy_t    sendcert;
@@ -84,6 +82,7 @@ struct starter_end {
        u_int16_t       port;
        u_int8_t        protocol;
        char            *virt;
+       char            *srcip;
 };
 
 typedef struct also also_t;
index 83db143..025cd66 100644 (file)
@@ -170,15 +170,47 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
        msg_end->tohost = !conn_end->has_client;
        msg_end->protocol = conn_end->protocol;
        msg_end->port = conn_end->port;
-       msg_end->virtual_ip = conn_end->modecfg || conn_end->has_srcip;
-       ip_address2string(&conn_end->srcip, buffer, sizeof(buffer));
-       msg_end->sourceip = push_string(msg, buffer);
+       if (conn_end->srcip)
+       {
+               if (conn_end->srcip[0] == '%')
+               {       /* %poolname, strip % */
+                       msg_end->sourceip_size = 0;
+                       msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
+               }
+               else
+               {
+                       char *pos = strchr(conn_end->srcip, '/');
+                       if (pos)
+                       {       /* CIDR subnet definition */
+                               snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
+                               msg_end->sourceip = push_string(msg, buffer);
+                               msg_end->sourceip_size = atoi(pos + 1);
+                       }
+                       else
+                       {       /* a sigle address */
+                               msg_end->sourceip = push_string(msg, conn_end->srcip);
+                               if (strchr(conn_end->srcip, ':'))
+                               {       /* IPv6 */
+                                       msg_end->sourceip_size = 128;
+                               }
+                               else
+                               {       /* IPv4 */
+                                       msg_end->sourceip_size = 32;
+                               }
+                       }
+               }
+       }
+       else if (conn_end->modecfg)
+       {
+               msg_end->sourceip_size = 1;
+       }
 }
 
 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 {
        stroke_msg_t msg;
 
+       memset(&msg, 0, sizeof(msg));
        msg.type = STR_ADD_CONN;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
@@ -213,15 +245,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
                msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
        }
  
-       if (conn->policy & POLICY_DONT_REKEY)
-       {
-               msg.add_conn.rekey.ipsec_lifetime = 0;
-               msg.add_conn.rekey.ike_lifetime = 0;
-               msg.add_conn.rekey.margin = 0;
-               msg.add_conn.rekey.tries = 0;
-               msg.add_conn.rekey.fuzz = 0;
-       }
-       else
+       if (!(conn->policy & POLICY_DONT_REKEY))
        {
                msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
                msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
index 019489e..970c74d 100644 (file)
@@ -149,13 +149,28 @@ connection_name(starter_conn_t *conn)
 
 static void
 set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
-{
+{   
+    if (end->srcip && end->srcip[0] != '%')
+    {
+       int len = 0;
+       char *pos, *v6;
+
+       pos = strchr(end->srcip, '/');
+       v6 = strchr(end->srcip, ':');
+       if (pos)
+       {
+           /* use first address only for pluto */
+           len = pos - end->srcip;
+       }
+       w->has_srcip = 1;
+       ttoaddr(end->srcip, len, v6 ? AF_INET6 : AF_INET, &w->host_srcip);
+    }
+    
     w->id                  = end->id;
     w->cert                = end->cert;
     w->ca                  = end->ca;
     w->groups              = end->groups;
     w->host_addr           = end->addr;
-    w->host_srcip          = end->srcip;
     w->has_client          = end->has_client;
 
     if (family == AF_INET6 && isanyaddr(&end->nexthop))
@@ -171,7 +186,6 @@ set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
 
     w->has_client_wildcard = end->has_client_wildcard;
     w->has_port_wildcard   = end->has_port_wildcard;
-    w->has_srcip           = end->has_srcip;
     w->has_natip           = end->has_natip;
     w->allow_any           = end->allow_any && !end->dns_failed;
     w->modecfg             = end->modecfg;
index 3f2a661..7743680 100644 (file)
@@ -105,61 +105,28 @@ static int add_connection(char *name,
 {
        stroke_msg_t msg;
        
+       memset(&msg, 0, sizeof(msg));
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.type = STR_ADD_CONN;
        
        msg.add_conn.name = push_string(&msg, name);
        msg.add_conn.ikev2 = 1;
        msg.add_conn.auth_method = 2;
-       msg.add_conn.eap_type = 0;
        msg.add_conn.mode = 1;
        msg.add_conn.mobike = 1;
-       msg.add_conn.force_encap = 0;
-       
-       msg.add_conn.rekey.reauth = 0;
-       msg.add_conn.rekey.ipsec_lifetime = 0;
-       msg.add_conn.rekey.ike_lifetime = 0;
-       msg.add_conn.rekey.margin = 0;
-       msg.add_conn.rekey.tries = 0;
-       msg.add_conn.rekey.fuzz = 0;
-       
-       msg.add_conn.algorithms.ike = NULL;
-       msg.add_conn.algorithms.esp = NULL;
-       
-       msg.add_conn.dpd.delay = 0;
        msg.add_conn.dpd.action = 1;
        
-       msg.add_conn.ikeme.mediation = 0;
-       msg.add_conn.ikeme.mediated_by = NULL;
-       msg.add_conn.ikeme.peerid = NULL;
-       
        msg.add_conn.me.id = push_string(&msg, my_id);
        msg.add_conn.me.address = push_string(&msg, my_addr);
        msg.add_conn.me.subnet = push_string(&msg, my_net);
        msg.add_conn.me.subnet_mask = my_netmask;
-       msg.add_conn.me.sourceip = NULL;
-       msg.add_conn.me.virtual_ip = 0;
-       msg.add_conn.me.cert = NULL;
-       msg.add_conn.me.ca = NULL;
        msg.add_conn.me.sendcert = 1;
-       msg.add_conn.me.hostaccess = 0;
-       msg.add_conn.me.tohost = 0;
-       msg.add_conn.me.protocol = 0;
-       msg.add_conn.me.port = 0;
        
        msg.add_conn.other.id = push_string(&msg, other_id);
        msg.add_conn.other.address = push_string(&msg, other_addr);
        msg.add_conn.other.subnet = push_string(&msg, other_net);
        msg.add_conn.other.subnet_mask = other_netmask;
-       msg.add_conn.other.sourceip = NULL;
-       msg.add_conn.other.virtual_ip = 0;
-       msg.add_conn.other.cert = NULL;
-       msg.add_conn.other.ca = NULL;
        msg.add_conn.other.sendcert = 1;
-       msg.add_conn.other.hostaccess = 0;
-       msg.add_conn.other.tohost = 0;
-       msg.add_conn.other.protocol = 0;
-       msg.add_conn.other.port = 0;
        
        return send_stroke_msg(&msg);
 }
index c48ebe8..4ba4b5d 100644 (file)
@@ -126,7 +126,7 @@ struct stroke_end_t {
        char *updown;
        char *address;
        char *sourceip;
-       u_int8_t virtual_ip;
+       int sourceip_size;
        char *subnet;
        int subnet_mask;
        int sendcert;