support of right|leftallowany flag

src/pluto/connections.c

@@ -122,7 +122,7 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
     for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
     {
 	if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
-	&& sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
+	&&  sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
 	{
 	    if (prev != NULL)
 	    {
@@ -162,15 +162,21 @@ connect_to_host_pair(struct connection *c)
 {
     if (oriented(*c))
     {
-	struct host_pair *hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
-	    , &c->spd.that.host_addr, c->spd.that.host_port);
+	struct host_pair *hp;
+
+	ip_address his_addr = (c->spd.that.allow_any)
+			      ? *aftoinfo(addrtypeof(&c->spd.that.host_addr))->any
+			      : c->spd.that.host_addr;
+
+	hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
+	    , &his_addr, c->spd.that.host_port);
 
 	if (hp == NULL)
 	{
 	    /* no suitable host_pair -- build one */
 	    hp = alloc_thing(struct host_pair, "host_pair");
 	    hp->me.addr = c->spd.this.host_addr;
-	    hp->him.addr = c->spd.that.host_addr;
+	    hp->him.addr = his_addr;
 	    hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
 	    hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
 	    hp->initial_connection_sent = FALSE;
@@ -633,11 +639,13 @@ format_end(char *buf
     }
 
     if (is_left)
-	snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s"
+	snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
 	    , open_brackets, client, close_brackets, client_sep
+	    , this->allow_any? "%":""
 	    , host, host_port, host_id, protoport);
     else
-	snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s"
+	snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
+	    , this->allow_any? "%":""
 	    , host, host_port, host_id, protoport, client_sep
 	    , open_brackets, client, close_brackets);
     return strlen(buf);
@@ -844,6 +852,7 @@ extract_end(struct end *dst, const whack_end_t *src, const char *which)
     dst->has_client_wildcard = src->has_client_wildcard;
     dst->modecfg = src->modecfg;
     dst->hostaccess = src->hostaccess;
+    dst->allow_any = src->allow_any;
     dst->sendcert = src->sendcert;
     dst->updown = src->updown;
     dst->host_port = src->host_port;
@@ -1056,7 +1065,8 @@ add_connection(const whack_message_t *wm)
 	 * or any wildcard ID to that end
 	 */
 	if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
-	|| c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards)
+	|| c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards
+	|| c->spd.this.allow_any)
 	{
 	    struct end t = c->spd.this;
 
@@ -1084,7 +1094,7 @@ add_connection(const whack_message_t *wm)
 	}
 	else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
 	|| c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard
-	|| c->spd.that.has_id_wildcards)
+	|| c->spd.that.has_id_wildcards || c->spd.that.allow_any)
 	{
 	    /* Opportunistic or Road Warrior or wildcard client subnet
 	     * or wildcard ID */
@@ -1252,6 +1262,8 @@ instantiate(struct connection *c, const ip_address *him
 
     c->instance_serial++;
     d = clone_thing(*c, "temporary connection");
+    d->spd.that.allow_any = FALSE;
+
     if (his_id != NULL)
     {
 	passert(match_id(his_id, &d->spd.that.id, &wildcards));
@@ -1792,7 +1804,7 @@ initiate_connection(const char *name, int whackfd)
 	    loglog(RC_INITSHUNT
 		, "cannot initiate an authby=never connection");
 	}
-	else if (c->kind != CK_PERMANENT)
+	else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any)
 	{
 	    if (isanyaddr(&c->spd.that.host_addr))
 		loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address");
@@ -1801,22 +1813,30 @@ initiate_connection(const char *name, int whackfd)
 	}
 	else
 	{
-	    /* We will only request an IPsec SA if policy isn't empty
-	     * (ignoring Main Mode items).
-	     * This is a fudge, but not yet important.
-	     * If we are to proceed asynchronously, whackfd will be NULL_FD.
-	     */
-	    c->policy |= POLICY_UP;
 	    /* do we have to prompt for a PIN code? */
 	    if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
+	    {
 		scx_get_pin(c->spd.this.sc, whackfd);
-
+	    }
 	    if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
 	    {
 		loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
 	    }
 	    else
 	    {
+
+		if (c->spd.that.allow_any)
+		{
+		    c = instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port
+				  , &c->spd.that.id);
+		}
+
+		/* We will only request an IPsec SA if policy isn't empty
+		 * (ignoring Main Mode items).
+		 * This is a fudge, but not yet important.
+		 * If we are to proceed asynchronously, whackfd will be NULL_FD.
+		 */
+		c->policy |= POLICY_UP;
 		ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY);
 		whackfd = NULL_FD;	/* protect from close */
 	    }

src/pluto/connections.h

@@ -155,6 +155,7 @@ struct end {
 				/* that end: give local addresses to clients */
     bool hostaccess;		/* allow access to host via iptables INPUT/OUTPUT */
 				/* rules if client behind host is a subnet */
+    bool allow_any;		/* IP address is subject to change */
     certpolicy_t sendcert;	/* whether or not to send the certificate */
 };
 

src/starter/args.c

@@ -229,6 +229,7 @@ static const token_info_t token_info[] =
     { ARG_MISC, 0, NULL  /* KW_NATIP */                                            },
     { ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool                        },
     { ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool                      },
+    { ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool                       },
     { ARG_STR,  offsetof(starter_end_t, updown), NULL                              },
     { ARG_STR,  offsetof(starter_end_t, id), NULL                                  },
     { ARG_STR,  offsetof(starter_end_t, rsakey), NULL                              },

src/starter/confread.h

@@ -75,6 +75,7 @@ struct starter_end {
 	certpolicy_t	sendcert;
 	bool		firewall;
 	bool		hostaccess;
+	bool		allow_any;
 	char 		*updown;
 	u_int16_t	port;
 	u_int8_t	protocol;

src/starter/keywords.h

@@ -112,6 +112,7 @@ typedef enum {
     KW_NATIP,
     KW_FIREWALL,
     KW_HOSTACCESS,
+    KW_ALLOWANY,
     KW_UPDOWN,
     KW_ID,
     KW_RSASIGKEY,
@@ -134,6 +135,7 @@ typedef enum {
     KW_LEFTNATIP,
     KW_LEFTFIREWALL,
     KW_LEFTHOSTACCESS,
+    KW_LEFTALLOWANY,
     KW_LEFTUPDOWN,
     KW_LEFTID,
     KW_LEFTRSASIGKEY,
@@ -155,6 +157,7 @@ typedef enum {
     KW_RIGHTNATIP,
     KW_RIGHTFIREWALL,
     KW_RIGHTHOSTACCESS,
+    KW_RIGHTALLOWANY,
     KW_RIGHTUPDOWN,
     KW_RIGHTID,
     KW_RIGHTRSASIGKEY,

src/starter/keywords.txt

@@ -91,6 +91,7 @@ leftsourceip,      KW_LEFTSOURCEIP
 leftnatip,         KW_LEFTNATIP
 leftfirewall,      KW_LEFTFIREWALL
 lefthostaccess,    KW_LEFTHOSTACCESS
+leftallowany,      KW_LEFTALLOWANY
 leftupdown,        KW_LEFTUPDOWN
 leftid,            KW_LEFTID
 leftrsasigkey,     KW_LEFTRSASIGKEY
@@ -107,6 +108,7 @@ rightsourceip,     KW_RIGHTSOURCEIP
 rightnatip,        KW_RIGHTNATIP
 rightfirewall,     KW_RIGHTFIREWALL
 righthostaccess,   KW_RIGHTHOSTACCESS
+rightallowany,     KW_RIGHTALLOWANY
 rightupdown,       KW_RIGHTUPDOWN
 rightid,           KW_RIGHTID
 rightrsasigkey,    KW_RIGHTRSASIGKEY

src/starter/starterwhack.c

@@ -170,6 +170,7 @@ set_whack_end(whack_end_t *w, starter_end_t *end)
     w->has_natip           = end->has_natip;
     w->modecfg             = end->modecfg;
     w->hostaccess          = end->hostaccess;
+    w->allow_any           = end->allow_any;
     w->sendcert            = end->sendcert;
     w->updown              = end->updown;
     w->host_port           = IKE_UDP_PORT;

src/whack/whack.h

@@ -65,6 +65,7 @@ struct whack_end {
     bool has_natip;
     bool modecfg;
     bool hostaccess;
+    bool allow_any;
     certpolicy_t sendcert;
     char *updown;		/* string */
     u_int16_t host_port;	/* host order */