support of right|leftallowany flag
This commit is contained in:
parent
571bca865b
commit
d0f55e236d
|
@ -122,7 +122,7 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
|
|||
for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
|
||||
{
|
||||
if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
|
||||
&& sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
|
||||
&& sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
|
||||
{
|
||||
if (prev != NULL)
|
||||
{
|
||||
|
@ -162,15 +162,21 @@ connect_to_host_pair(struct connection *c)
|
|||
{
|
||||
if (oriented(*c))
|
||||
{
|
||||
struct host_pair *hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
|
||||
, &c->spd.that.host_addr, c->spd.that.host_port);
|
||||
struct host_pair *hp;
|
||||
|
||||
ip_address his_addr = (c->spd.that.allow_any)
|
||||
? *aftoinfo(addrtypeof(&c->spd.that.host_addr))->any
|
||||
: c->spd.that.host_addr;
|
||||
|
||||
hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
|
||||
, &his_addr, c->spd.that.host_port);
|
||||
|
||||
if (hp == NULL)
|
||||
{
|
||||
/* no suitable host_pair -- build one */
|
||||
hp = alloc_thing(struct host_pair, "host_pair");
|
||||
hp->me.addr = c->spd.this.host_addr;
|
||||
hp->him.addr = c->spd.that.host_addr;
|
||||
hp->him.addr = his_addr;
|
||||
hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
|
||||
hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
|
||||
hp->initial_connection_sent = FALSE;
|
||||
|
@ -633,11 +639,13 @@ format_end(char *buf
|
|||
}
|
||||
|
||||
if (is_left)
|
||||
snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s"
|
||||
snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
|
||||
, open_brackets, client, close_brackets, client_sep
|
||||
, this->allow_any? "%":""
|
||||
, host, host_port, host_id, protoport);
|
||||
else
|
||||
snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s"
|
||||
snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
|
||||
, this->allow_any? "%":""
|
||||
, host, host_port, host_id, protoport, client_sep
|
||||
, open_brackets, client, close_brackets);
|
||||
return strlen(buf);
|
||||
|
@ -844,6 +852,7 @@ extract_end(struct end *dst, const whack_end_t *src, const char *which)
|
|||
dst->has_client_wildcard = src->has_client_wildcard;
|
||||
dst->modecfg = src->modecfg;
|
||||
dst->hostaccess = src->hostaccess;
|
||||
dst->allow_any = src->allow_any;
|
||||
dst->sendcert = src->sendcert;
|
||||
dst->updown = src->updown;
|
||||
dst->host_port = src->host_port;
|
||||
|
@ -1056,7 +1065,8 @@ add_connection(const whack_message_t *wm)
|
|||
* or any wildcard ID to that end
|
||||
*/
|
||||
if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
|
||||
|| c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards)
|
||||
|| c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards
|
||||
|| c->spd.this.allow_any)
|
||||
{
|
||||
struct end t = c->spd.this;
|
||||
|
||||
|
@ -1084,7 +1094,7 @@ add_connection(const whack_message_t *wm)
|
|||
}
|
||||
else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
|
||||
|| c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard
|
||||
|| c->spd.that.has_id_wildcards)
|
||||
|| c->spd.that.has_id_wildcards || c->spd.that.allow_any)
|
||||
{
|
||||
/* Opportunistic or Road Warrior or wildcard client subnet
|
||||
* or wildcard ID */
|
||||
|
@ -1252,6 +1262,8 @@ instantiate(struct connection *c, const ip_address *him
|
|||
|
||||
c->instance_serial++;
|
||||
d = clone_thing(*c, "temporary connection");
|
||||
d->spd.that.allow_any = FALSE;
|
||||
|
||||
if (his_id != NULL)
|
||||
{
|
||||
passert(match_id(his_id, &d->spd.that.id, &wildcards));
|
||||
|
@ -1792,7 +1804,7 @@ initiate_connection(const char *name, int whackfd)
|
|||
loglog(RC_INITSHUNT
|
||||
, "cannot initiate an authby=never connection");
|
||||
}
|
||||
else if (c->kind != CK_PERMANENT)
|
||||
else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any)
|
||||
{
|
||||
if (isanyaddr(&c->spd.that.host_addr))
|
||||
loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address");
|
||||
|
@ -1801,22 +1813,30 @@ initiate_connection(const char *name, int whackfd)
|
|||
}
|
||||
else
|
||||
{
|
||||
/* We will only request an IPsec SA if policy isn't empty
|
||||
* (ignoring Main Mode items).
|
||||
* This is a fudge, but not yet important.
|
||||
* If we are to proceed asynchronously, whackfd will be NULL_FD.
|
||||
*/
|
||||
c->policy |= POLICY_UP;
|
||||
/* do we have to prompt for a PIN code? */
|
||||
if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
|
||||
{
|
||||
scx_get_pin(c->spd.this.sc, whackfd);
|
||||
|
||||
}
|
||||
if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
|
||||
{
|
||||
loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
if (c->spd.that.allow_any)
|
||||
{
|
||||
c = instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port
|
||||
, &c->spd.that.id);
|
||||
}
|
||||
|
||||
/* We will only request an IPsec SA if policy isn't empty
|
||||
* (ignoring Main Mode items).
|
||||
* This is a fudge, but not yet important.
|
||||
* If we are to proceed asynchronously, whackfd will be NULL_FD.
|
||||
*/
|
||||
c->policy |= POLICY_UP;
|
||||
ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY);
|
||||
whackfd = NULL_FD; /* protect from close */
|
||||
}
|
||||
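Review bot: The allow_any path in initiate_connection drops the peer-address guard and then passes the configured address on: `else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any)` now keeps allow_any connections out of the `isanyaddr(&c->spd.that.host_addr)` check, while the new block calls `instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port, &c->spd.that.id)`, so an allow_any end whose address is still the any address would be instantiated and initiated towards it. Keeping the check inside the new block, e.g. `if (isanyaddr(&c->spd.that.host_addr)) loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address"); else c = instantiate(...)`, preserves the old diagnostic. In connect_to_host_pair, `*aftoinfo(addrtypeof(&c->spd.that.host_addr))->any` dereferences the aftoinfo() result without a NULL check; if that helper can return NULL for an unknown address family (its definition is not visible here), the lookup should fail before the dereference. Both enclosing functions start and end outside their hunks.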
|
|
|
@ -155,6 +155,7 @@ struct end {
|
|||
/* that end: give local addresses to clients */
|
||||
bool hostaccess; /* allow access to host via iptables INPUT/OUTPUT */
|
||||
/* rules if client behind host is a subnet */
|
||||
bool allow_any; /* IP address is subject to change */
|
||||
certpolicy_t sendcert; /* whether or not to send the certificate */
|
||||
};
|
||||
|
||||
|
|
|
@ -229,6 +229,7 @@ static const token_info_t token_info[] =
|
|||
{ ARG_MISC, 0, NULL /* KW_NATIP */ },
|
||||
{ ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool },
|
||||
{ ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool },
|
||||
{ ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool },
|
||||
{ ARG_STR, offsetof(starter_end_t, updown), NULL },
|
||||
{ ARG_STR, offsetof(starter_end_t, id), NULL },
|
||||
{ ARG_STR, offsetof(starter_end_t, rsakey), NULL },
|
||||
|
|
|
@ -75,6 +75,7 @@ struct starter_end {
|
|||
certpolicy_t sendcert;
|
||||
bool firewall;
|
||||
bool hostaccess;
|
||||
bool allow_any;
|
||||
char *updown;
|
||||
u_int16_t port;
|
||||
u_int8_t protocol;
|
||||
|
|
|
@ -112,6 +112,7 @@ typedef enum {
|
|||
KW_NATIP,
|
||||
KW_FIREWALL,
|
||||
KW_HOSTACCESS,
|
||||
KW_ALLOWANY,
|
||||
KW_UPDOWN,
|
||||
KW_ID,
|
||||
KW_RSASIGKEY,
|
||||
|
@ -134,6 +135,7 @@ typedef enum {
|
|||
KW_LEFTNATIP,
|
||||
KW_LEFTFIREWALL,
|
||||
KW_LEFTHOSTACCESS,
|
||||
KW_LEFTALLOWANY,
|
||||
KW_LEFTUPDOWN,
|
||||
KW_LEFTID,
|
||||
KW_LEFTRSASIGKEY,
|
||||
|
@ -155,6 +157,7 @@ typedef enum {
|
|||
KW_RIGHTNATIP,
|
||||
KW_RIGHTFIREWALL,
|
||||
KW_RIGHTHOSTACCESS,
|
||||
KW_RIGHTALLOWANY,
|
||||
KW_RIGHTUPDOWN,
|
||||
KW_RIGHTID,
|
||||
KW_RIGHTRSASIGKEY,
|
||||
|
|
|
@ -91,6 +91,7 @@ leftsourceip, KW_LEFTSOURCEIP
|
|||
leftnatip, KW_LEFTNATIP
|
||||
leftfirewall, KW_LEFTFIREWALL
|
||||
lefthostaccess, KW_LEFTHOSTACCESS
|
||||
leftallowany, KW_LEFTALLOWANY
|
||||
leftupdown, KW_LEFTUPDOWN
|
||||
leftid, KW_LEFTID
|
||||
leftrsasigkey, KW_LEFTRSASIGKEY
|
||||
|
@ -107,6 +108,7 @@ rightsourceip, KW_RIGHTSOURCEIP
|
|||
rightnatip, KW_RIGHTNATIP
|
||||
rightfirewall, KW_RIGHTFIREWALL
|
||||
righthostaccess, KW_RIGHTHOSTACCESS
|
||||
rightallowany, KW_RIGHTALLOWANY
|
||||
rightupdown, KW_RIGHTUPDOWN
|
||||
rightid, KW_RIGHTID
|
||||
rightrsasigkey, KW_RIGHTRSASIGKEY
|
||||
|
|
|
@ -170,6 +170,7 @@ set_whack_end(whack_end_t *w, starter_end_t *end)
|
|||
w->has_natip = end->has_natip;
|
||||
w->modecfg = end->modecfg;
|
||||
w->hostaccess = end->hostaccess;
|
||||
w->allow_any = end->allow_any;
|
||||
w->sendcert = end->sendcert;
|
||||
w->updown = end->updown;
|
||||
w->host_port = IKE_UDP_PORT;
|
||||
|
|
|
@ -65,6 +65,7 @@ struct whack_end {
|
|||
bool has_natip;
|
||||
bool modecfg;
|
||||
bool hostaccess;
|
||||
bool allow_any;
|
||||
certpolicy_t sendcert;
|
||||
char *updown; /* string */
|
||||
u_int16_t host_port; /* host order */
|
||||
|
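Review bot: Adding `bool allow_any` to struct whack_end changes the layout of the message exchanged between whack and pluto, so an older whack binary talking to a rebuilt pluto (or the reverse) would read the following fields at shifted offsets. If the header carries a protocol magic or version constant for this purpose (not visible in this hunk), it should be bumped in the same commit so a mismatch is rejected rather than silently misparsed. The field would also benefit from the same comment it carries in struct end, `bool allow_any; /* IP address is subject to change */`, since that is the semantics connections.c relies on when it substitutes the any address in the host_pair lookup. The struct definition starts outside the hunk.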
|