/** is_virtual_net_allowed -
* Check if the virtual network the client proposes is acceptable to us
*
* @param c Connection structure (active)
* @param peer_net IP Subnet the peer proposes
* @param his_addr Peers IP Address
* @return bool True if allowed
*/
err_t is_virtual_net_allowed(const struct connection *c,
const ip_subnet *peer_net,
const ip_address *his_addr)
{
err_t why = NULL;
if (!c->spd.that.virt)
return NULL;
if (c->spd.that.virt->flags & F_VIRTUAL_HOST) {
if (!subnetishost(peer_net)) {
why = "only virtual host IPs are allowed";
return why;
}
}
if (c->spd.that.virt->flags & F_VIRTUAL_NO) {
if (subnetishost(peer_net) &&
addrinsubnet(his_addr, peer_net))
return NULL;
}
if (c->spd.that.virt->flags & F_VIRTUAL_PRIVATE) {
if (net_in_list(peer_net, private_net_ok,
private_net_ok_len) &&
!net_in_list(peer_net, private_net_ko, private_net_ko_len))
return NULL;
why =
"a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)";
}
if (c->spd.that.virt->n_net) {
if (net_in_list(peer_net, c->spd.that.virt->net,
c->spd.that.virt->n_net))
return NULL;
why =
"a specific network IP was required, but the proposed IP did not match our list (subnet=vhost:list)";
}
if (c->spd.that.virt->flags & F_VIRTUAL_ALL) {
/* %all must only be used for testing - log it */
loglog(RC_LOG_SERIOUS, "Warning - "
"v%s:%%all must only be used for testing",
(c->spd.that.virt->flags &
F_VIRTUAL_HOST) ? "host" : "net");
return NULL;
}
return why;
}
/*
* check_virtual_net_allowed -
* Check if the virtual network the client proposes is acceptable to us
*
* @param c Connection structure (active)
* @param peer_net IP Subnet the peer proposes
* @param his_addr Peers IP Address
* @return bool True if allowed
*/
err_t check_virtual_net_allowed(const struct connection *c,
const ip_subnet *peer_net,
const ip_address *his_addr)
{
const struct virtual_t *virt = c->spd.that.virt;
err_t why = NULL;
if (virt == NULL)
return NULL;
if (virt->flags & F_VIRTUAL_HOST) {
if (!subnetishost(peer_net)) {
return "only virtual host IPs are allowed";
}
}
if (virt->flags & F_VIRTUAL_NO) {
if (subnetishost(peer_net) && addrinsubnet(his_addr, peer_net))
return NULL;
}
if (virt->flags & F_VIRTUAL_PRIVATE) {
if (net_in_list(peer_net, private_net_incl,
private_net_incl_len) &&
!net_in_list(peer_net, private_net_excl,
private_net_excl_len))
return NULL;
why = "a private network virtual IP was required, but the proposed IP did not match our list (virtual-private=)";
}
if (virt->n_net != 0) {
/* ??? if why is already set, is this behaviour correct? */
if (net_in_list(peer_net, virt->net, virt->n_net))
return NULL;
why = "a specific network IP was required, but the proposed IP did not match our list (subnet=vhost:list)";
}
if (virt->flags & F_VIRTUAL_ALL) {
/* ??? if why is already set, is this behaviour correct? */
/* %all must only be used for testing - log it */
loglog(RC_LOG_SERIOUS, "Warning - v%s:%%all must only be used for testing",
(virt->flags & F_VIRTUAL_HOST) ? "host" : "net");
return NULL;
}
return why;
}
bool
is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net,
const ip_address *his_addr)
{
if (!c->that.virt) return FALSE;
if (c->that.virt->flags & F_VIRTUAL_HOST) {
if (!subnetishost(peer_net))
return FALSE;
}
if (c->that.virt->flags & F_VIRTUAL_NO) {
if (subnetishost(peer_net) &&
addrinsubnet(his_addr, peer_net))
return TRUE;
}
if (c->that.virt->flags & F_VIRTUAL_PRIVATE) {
if (net_in_list(peer_net, private_net_ok, private_net_ok_len) &&
!net_in_list(peer_net, private_net_ko, private_net_ko_len))
return TRUE;
}
if (c->that.virt->n_net) {
if (net_in_list(peer_net, c->that.virt->net, c->that.virt->n_net))
return TRUE;
}
if (c->that.virt->flags & F_VIRTUAL_ALL) {
/** %all must only be used for testing - log it **/
loglog(RC_LOG_SERIOUS, "Warning - "
"v%s:%%all must only be used for testing",
(c->that.virt->flags & F_VIRTUAL_HOST) ? "host" : "net");
return TRUE;
}
return FALSE;
}
