support of right|leftallowany flag
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 18 Jun 2007 17:51:45 +0000 (17:51 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 18 Jun 2007 17:51:45 +0000 (17:51 -0000)
src/pluto/connections.c
src/pluto/connections.h
src/starter/args.c
src/starter/confread.h
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starterwhack.c
src/whack/whack.h

index 499e5ed..7bf64b4 100644 (file)
@@ -122,7 +122,7 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
     for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
     {
        if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
-       && sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
+       &&  sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
        {
            if (prev != NULL)
            {
@@ -162,15 +162,21 @@ connect_to_host_pair(struct connection *c)
 {
     if (oriented(*c))
     {
-       struct host_pair *hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
-           , &c->spd.that.host_addr, c->spd.that.host_port);
+       struct host_pair *hp;
+
+       ip_address his_addr = (c->spd.that.allow_any)
+                             ? *aftoinfo(addrtypeof(&c->spd.that.host_addr))->any
+                             : c->spd.that.host_addr;
+
+       hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
+           , &his_addr, c->spd.that.host_port);
 
        if (hp == NULL)
        {
            /* no suitable host_pair -- build one */
            hp = alloc_thing(struct host_pair, "host_pair");
            hp->me.addr = c->spd.this.host_addr;
-           hp->him.addr = c->spd.that.host_addr;
+           hp->him.addr = his_addr;
            hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
            hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
            hp->initial_connection_sent = FALSE;
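Review bot: The `his_addr` initialiser at the top of connect_to_host_pair carries no comment saying why an allow_any peer is keyed on the any-address of its family instead of the configured `host_addr`, and a reader may think the configured address is simply discarded. A line such as `/* allow_any: the peer's address may change, so key the host_pair on the any-address of its family */` above the ternary would settle that. Note also that the result of `aftoinfo()` is dereferenced without a NULL check; if it follows the libfreeswan convention of returning NULL for an unsupported family this would crash, although `addrtypeof()` on a valid ip_address presumably only yields a supported family. The function continues past the end of the hunk.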
@@ -633,11 +639,13 @@ format_end(char *buf
     }
 
     if (is_left)
-       snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s"
+       snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
            , open_brackets, client, close_brackets, client_sep
+           , this->allow_any? "%":""
            , host, host_port, host_id, protoport);
     else
-       snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s"
+       snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
+           , this->allow_any? "%":""
            , host, host_port, host_id, protoport, client_sep
            , open_brackets, client, close_brackets);
     return strlen(buf);
@@ -844,6 +852,7 @@ extract_end(struct end *dst, const whack_end_t *src, const char *which)
     dst->has_client_wildcard = src->has_client_wildcard;
     dst->modecfg = src->modecfg;
     dst->hostaccess = src->hostaccess;
+    dst->allow_any = src->allow_any;
     dst->sendcert = src->sendcert;
     dst->updown = src->updown;
     dst->host_port = src->host_port;
@@ -1056,7 +1065,8 @@ add_connection(const whack_message_t *wm)
         * or any wildcard ID to that end
         */
        if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
-       || c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards)
+       || c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards
+       || c->spd.this.allow_any)
        {
            struct end t = c->spd.this;
 
@@ -1084,7 +1094,7 @@ add_connection(const whack_message_t *wm)
        }
        else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
        || c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard
-       || c->spd.that.has_id_wildcards)
+       || c->spd.that.has_id_wildcards || c->spd.that.allow_any)
        {
            /* Opportunistic or Road Warrior or wildcard client subnet
             * or wildcard ID */
@@ -1252,6 +1262,8 @@ instantiate(struct connection *c, const ip_address *him
 
     c->instance_serial++;
     d = clone_thing(*c, "temporary connection");
+    d->spd.that.allow_any = FALSE;
+
     if (his_id != NULL)
     {
        passert(match_id(his_id, &d->spd.that.id, &wildcards));
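Review bot: The new `d->spd.that.allow_any = FALSE;` deserves a comment, because clearing a flag the template set looks like a mistake to anyone not familiar with the feature. I would write `/* the instance is bound to the concrete peer address him; only the template keeps allow_any so it can be re-instantiated if the peer moves */` directly above it. instantiate() starts before and ends after this hunk.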
@@ -1792,7 +1804,7 @@ initiate_connection(const char *name, int whackfd)
            loglog(RC_INITSHUNT
                , "cannot initiate an authby=never connection");
        }
-       else if (c->kind != CK_PERMANENT)
+       else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any)
        {
            if (isanyaddr(&c->spd.that.host_addr))
                loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address");
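Review bot: The added `&& !c->spd.that.allow_any` also skips the `isanyaddr()` test on the following line, so an allow_any template whose peer address is still the wildcard (if the config layer lets `rightallowany=yes` be combined with an unresolved or `%any` peer) is no longer rejected with RC_NOPEERIP and falls through to initiation with no usable peer address. Keeping the peer-IP check for that case, `else if (c->kind != CK_PERMANENT && !(c->spd.that.allow_any && !isanyaddr(&c->spd.that.host_addr)))`, preserves the old diagnostic. The remainder of this if/else chain lies outside the hunk.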
@@ -1801,22 +1813,30 @@ initiate_connection(const char *name, int whackfd)
        }
        else
        {
-           /* We will only request an IPsec SA if policy isn't empty
-            * (ignoring Main Mode items).
-            * This is a fudge, but not yet important.
-            * If we are to proceed asynchronously, whackfd will be NULL_FD.
-            */
-           c->policy |= POLICY_UP;
            /* do we have to prompt for a PIN code? */
            if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
+           {
                scx_get_pin(c->spd.this.sc, whackfd);
-
+           }
            if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
            {
                loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
            }
            else
            {
+
+               if (c->spd.that.allow_any)
+               {
+                   c = instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port
+                                 , &c->spd.that.id);
+               }
+
+               /* We will only request an IPsec SA if policy isn't empty
+                * (ignoring Main Mode items).
+                * This is a fudge, but not yet important.
+                * If we are to proceed asynchronously, whackfd will be NULL_FD.
+                */
+               c->policy |= POLICY_UP;
                ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY);
                whackfd = NULL_FD;      /* protect from close */
            }
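Review bot: The `instantiate()` call in the else branch is unexplained, and because it reassigns `c`, the `POLICY_UP` flag and the `ipsecdoi_initiate()` call that follow now act on the fresh instance while the template is left untouched — a reader should not have to reconstruct that. I would add above the if: `/* an allow_any connection is a template: bring up an instance bound to the currently configured peer address so the template can be re-instantiated if the address changes */`, and a short note that `c->policy |= POLICY_UP` was deliberately moved after the instantiation so the flag lands on the instance rather than the template. Whether a failed initiation releases the instance is not visible here and is worth confirming against ipsecdoi_initiate. initiate_connection continues outside the hunk.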
index df3af9d..40cbfc4 100644 (file)
@@ -155,6 +155,7 @@ struct end {
                                /* that end: give local addresses to clients */
     bool hostaccess;           /* allow access to host via iptables INPUT/OUTPUT */
                                /* rules if client behind host is a subnet */
+    bool allow_any;            /* IP address is subject to change */
     certpolicy_t sendcert;     /* whether or not to send the certificate */
 };
 
index fb84248..1079263 100644 (file)
@@ -229,6 +229,7 @@ static const token_info_t token_info[] =
     { ARG_MISC, 0, NULL  /* KW_NATIP */                                            },
     { ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool                        },
     { ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool                      },
+    { ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool                       },
     { ARG_STR,  offsetof(starter_end_t, updown), NULL                              },
     { ARG_STR,  offsetof(starter_end_t, id), NULL                                  },
     { ARG_STR,  offsetof(starter_end_t, rsakey), NULL                              },
index 2fe75fc..c0993f2 100644 (file)
@@ -75,6 +75,7 @@ struct starter_end {
        certpolicy_t    sendcert;
        bool            firewall;
        bool            hostaccess;
+       bool            allow_any;
        char            *updown;
        u_int16_t       port;
        u_int8_t        protocol;
index 08d50fe..62821aa 100644 (file)
@@ -112,6 +112,7 @@ typedef enum {
     KW_NATIP,
     KW_FIREWALL,
     KW_HOSTACCESS,
+    KW_ALLOWANY,
     KW_UPDOWN,
     KW_ID,
     KW_RSASIGKEY,
@@ -134,6 +135,7 @@ typedef enum {
     KW_LEFTNATIP,
     KW_LEFTFIREWALL,
     KW_LEFTHOSTACCESS,
+    KW_LEFTALLOWANY,
     KW_LEFTUPDOWN,
     KW_LEFTID,
     KW_LEFTRSASIGKEY,
@@ -155,6 +157,7 @@ typedef enum {
     KW_RIGHTNATIP,
     KW_RIGHTFIREWALL,
     KW_RIGHTHOSTACCESS,
+    KW_RIGHTALLOWANY,
     KW_RIGHTUPDOWN,
     KW_RIGHTID,
     KW_RIGHTRSASIGKEY,
index 0f943fc..b089471 100644 (file)
@@ -91,6 +91,7 @@ leftsourceip,      KW_LEFTSOURCEIP
 leftnatip,         KW_LEFTNATIP
 leftfirewall,      KW_LEFTFIREWALL
 lefthostaccess,    KW_LEFTHOSTACCESS
+leftallowany,      KW_LEFTALLOWANY
 leftupdown,        KW_LEFTUPDOWN
 leftid,            KW_LEFTID
 leftrsasigkey,     KW_LEFTRSASIGKEY
@@ -107,6 +108,7 @@ rightsourceip,     KW_RIGHTSOURCEIP
 rightnatip,        KW_RIGHTNATIP
 rightfirewall,     KW_RIGHTFIREWALL
 righthostaccess,   KW_RIGHTHOSTACCESS
+rightallowany,     KW_RIGHTALLOWANY
 rightupdown,       KW_RIGHTUPDOWN
 rightid,           KW_RIGHTID
 rightrsasigkey,    KW_RIGHTRSASIGKEY
index 4232884..e920fc7 100644 (file)
@@ -170,6 +170,7 @@ set_whack_end(whack_end_t *w, starter_end_t *end)
     w->has_natip           = end->has_natip;
     w->modecfg             = end->modecfg;
     w->hostaccess          = end->hostaccess;
+    w->allow_any           = end->allow_any;
     w->sendcert            = end->sendcert;
     w->updown              = end->updown;
     w->host_port           = IKE_UDP_PORT;
index 49ef679..91463b0 100644 (file)
@@ -65,6 +65,7 @@ struct whack_end {
     bool has_natip;
     bool modecfg;
     bool hostaccess;
+    bool allow_any;
     certpolicy_t sendcert;
     char *updown;              /* string */
     u_int16_t host_port;       /* host order */
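Review bot: Inserting `allow_any` into struct whack_end changes the layout of the message exchanged between starter/whack and pluto, so a pluto binary built before this change will read the shifted fields from a newer starter (and vice versa) as garbage. If the whack interface carries a magic or version constant (not visible in this hunk) it should be bumped in the same commit so a mismatched pair is rejected rather than silently mis-parsed. The struct continues past the end of the hunk.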