handle dns lookup failures
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 2 Aug 2007 18:38:28 +0000 (18:38 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 2 Aug 2007 18:38:28 +0000 (18:38 -0000)
src/starter/cmp.c
src/starter/confread.c
src/starter/confread.h
src/starter/starterwhack.c

index 9222bf5..ea8e736 100644 (file)
@@ -36,7 +36,14 @@ starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
     if ((c1 == NULL) || (c2 == NULL))
        return FALSE;
 
-    ADDCMP(addr);
+    if (c2->dns_failed)
+    {
+       c2->addr = c1->addr;
+    }
+    else
+    {
+       ADDCMP(addr);
+    }
     ADDCMP(nexthop);
     ADDCMP(srcip);
     SUBCMP(subnet);
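Review bot: `starter_cmp_end` now writes to its second argument (`c2->addr = c1->addr;`) from inside what its name presents as a pure equality test, so a caller that compares the same pair twice, or compares and then inspects c2 on its own, sees a rewritten address. If the intent is that an unresolvable name on reload keeps the previously resolved address (presumably c1 is the old end and c2 the freshly parsed one, which the hunk does not show), consider doing that copy at the call site before comparing, or at least mark it: `/* NOTE: side effect - an end whose lookup failed inherits the other end's address so the conn compares equal */`. Note also that if c1 itself had `dns_failed`, its `addr` is the %any set in confread.c and that is what c2 inherits. The function starts before this hunk and continues after it.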
index 2fe5b8c..f754f26 100644 (file)
@@ -193,11 +193,9 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
                }
                else
                {
-                       bool fallback_to_any = FALSE;
-
+                       /* check for allow_any prefix */
                        if (value[0] == '%')
                        {
-                               fallback_to_any = TRUE;
                                end->allow_any = TRUE;
                                value++;
                        }
@@ -206,12 +204,10 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
                        if (ugh != NULL)
                        {
                                plog("# bad addr: %s=%s [%s]", name, value, ugh);
-                               if (fallback_to_any)
+                               if (streq(ugh, "does not look numeric and name lookup failed"))
                                {
-                                       plog("# fallback to %s=%%any due to '%%' prefix");
+                                       end->dns_failed = TRUE;
                                        anyaddr(conn->addr_family, &end->addr);
-                                       end->allow_any = FALSE;
-                                       cfg->non_fatal_err++;
                                }
                                else
                                {
@@ -340,6 +336,27 @@ err:
 }
 
 /*
+ * handles left|right=<FQDN> DNS resolution failure
+ */
+static void
+handle_dns_failure( const char *label, starter_end_t *end, starter_config_t *cfg)
+{
+       if (end->dns_failed)
+       {
+               if (end->allow_any)
+               {
+                       plog("# fallback to %s=%%any due to '%%' prefix or %sallowany=yes",
+                               label, label);
+               }
+               else
+               {
+                       /* declare an error */
+                       cfg->err++;
+               }
+       }
+}
+
+/*
  * handles left|rightfirewall and left|rightupdown parameters
  */
 static void
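Review bot: In `handle_dns_failure` the `cfg->err++` branch rejects the conn without saying why, while the only related log line (`# bad addr`) is emitted earlier at parse time, so an operator reading the log cannot tell that the connection was dropped specifically because the name could not be resolved and `allowany` was not set. Add a message before the increment, e.g. `plog("# %s=<FQDN> could not be resolved; use %sallowany=yes or a '%%' prefix to fall back to %%any", label, label);`. It would also help to state in the header comment that the %any fallback widens the accepted peer address from one host to any address, since that is the trade-off an operator opts into with the `%` prefix or `allowany=yes`.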
@@ -543,6 +560,9 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
                        break;
                }
        }
+
+       handle_dns_failure("left", &conn->left, cfg);
+       handle_dns_failure("right", &conn->right, cfg);
        handle_firewall("left", &conn->left, cfg);
        handle_firewall("right", &conn->right, cfg);
 }
index 970166c..912af49 100644 (file)
@@ -76,6 +76,7 @@ struct starter_end {
        bool            firewall;
        bool            hostaccess;
        bool            allow_any;
+       bool            dns_failed;
        char            *updown;
        u_int16_t       port;
        u_int8_t        protocol;
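Review bot: The new `dns_failed` field is undocumented, yet its meaning is spread over three files: confread.c sets it when `left|right=<FQDN>` could not be resolved and `addr` was replaced by %any, while cmp.c and starterwhack.c read it to alter comparison and the flags sent to whack. A one-line comment on the field would anchor those readers: `bool dns_failed; /* left|right=<FQDN> could not be resolved; addr was set to %any */`. The struct starts before this hunk and continues after it.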
index e920fc7..a546304 100644 (file)
@@ -168,9 +168,9 @@ set_whack_end(whack_end_t *w, starter_end_t *end)
     w->has_port_wildcard   = end->has_port_wildcard;
     w->has_srcip           = end->has_srcip;
     w->has_natip           = end->has_natip;
+    w->allow_any           = end->allow_any && !end->dns_failed;
     w->modecfg             = end->modecfg;
     w->hostaccess          = end->hostaccess;
-    w->allow_any           = end->allow_any;
     w->sendcert            = end->sendcert;
     w->updown              = end->updown;
     w->host_port           = IKE_UDP_PORT;
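Review bot: The masked assignment `w->allow_any = end->allow_any && !end->dns_failed;` is the one line that decides what pluto learns about an unresolvable peer, and nothing explains why the flag is dropped when the lookup failed — presumably because `addr` already holds %any at that point and the flag would be redundant, but that reasoning is not visible here. A short comment would help: `/* lookup failed: addr is already %any, so allow_any must not be passed on as well */`. The line was also moved above `modecfg`, which makes the diff read as a deletion plus an addition rather than a one-token change; keeping it in place would make the behavioural change obvious. `set_whack_end` starts before this hunk and continues after it.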