/** is_virtual_net_allowed -
* Check if the virtual network the client proposes is acceptable to us
*
* @param c Connection structure (active)
* @param peer_net IP Subnet the peer proposes
* @param his_addr Peers IP Address
* @return bool True if allowed
*/
err_t is_virtual_net_allowed(const struct connection *c,
const ip_subnet *peer_net,
const ip_address *his_addr)
{
err_t why = NULL;
if (!c->spd.that.virt)
return NULL;
if (c->spd.that.virt->flags & F_VIRTUAL_HOST) {
if (!subnetishost(peer_net)) {
why = "only virtual host IPs are allowed";
return why;
}
}
if (c->spd.that.virt->flags & F_VIRTUAL_NO) {
if (subnetishost(peer_net) &&
addrinsubnet(his_addr, peer_net))
return NULL;
}
if (c->spd.that.virt->flags & F_VIRTUAL_PRIVATE) {
if (net_in_list(peer_net, private_net_ok,
private_net_ok_len) &&
!net_in_list(peer_net, private_net_ko, private_net_ko_len))
return NULL;
why =
"a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)";
}
if (c->spd.that.virt->n_net) {
if (net_in_list(peer_net, c->spd.that.virt->net,
c->spd.that.virt->n_net))
return NULL;
why =
"a specific network IP was required, but the proposed IP did not match our list (subnet=vhost:list)";
}
if (c->spd.that.virt->flags & F_VIRTUAL_ALL) {
/* %all must only be used for testing - log it */
loglog(RC_LOG_SERIOUS, "Warning - "
"v%s:%%all must only be used for testing",
(c->spd.that.virt->flags &
F_VIRTUAL_HOST) ? "host" : "net");
return NULL;
}
return why;
}
/*
* check_virtual_net_allowed -
* Check if the virtual network the client proposes is acceptable to us
*
* @param c Connection structure (active)
* @param peer_net IP Subnet the peer proposes
* @param his_addr Peers IP Address
* @return bool True if allowed
*/
err_t check_virtual_net_allowed(const struct connection *c,
const ip_subnet *peer_net,
const ip_address *his_addr)
{
const struct virtual_t *virt = c->spd.that.virt;
err_t why = NULL;
if (virt == NULL)
return NULL;
if (virt->flags & F_VIRTUAL_HOST) {
if (!subnetishost(peer_net)) {
return "only virtual host IPs are allowed";
}
}
if (virt->flags & F_VIRTUAL_NO) {
if (subnetishost(peer_net) && addrinsubnet(his_addr, peer_net))
return NULL;
}
if (virt->flags & F_VIRTUAL_PRIVATE) {
if (net_in_list(peer_net, private_net_incl,
private_net_incl_len) &&
!net_in_list(peer_net, private_net_excl,
private_net_excl_len))
return NULL;
why = "a private network virtual IP was required, but the proposed IP did not match our list (virtual-private=)";
}
if (virt->n_net != 0) {
/* ??? if why is already set, is this behaviour correct? */
if (net_in_list(peer_net, virt->net, virt->n_net))
return NULL;
why = "a specific network IP was required, but the proposed IP did not match our list (subnet=vhost:list)";
}
if (virt->flags & F_VIRTUAL_ALL) {
/* ??? if why is already set, is this behaviour correct? */
/* %all must only be used for testing - log it */
loglog(RC_LOG_SERIOUS, "Warning - v%s:%%all must only be used for testing",
(virt->flags & F_VIRTUAL_HOST) ? "host" : "net");
return NULL;
}
return why;
}
bool subnetisnone(const ip_subnet *sn)
{
ip_address base;
networkof(sn, &base);
return isanyaddr(&base) && subnetishost(sn);
}
bool
is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net,
const ip_address *his_addr)
{
if (!c->that.virt) return FALSE;
if (c->that.virt->flags & F_VIRTUAL_HOST) {
if (!subnetishost(peer_net))
return FALSE;
}
if (c->that.virt->flags & F_VIRTUAL_NO) {
if (subnetishost(peer_net) &&
addrinsubnet(his_addr, peer_net))
return TRUE;
}
if (c->that.virt->flags & F_VIRTUAL_PRIVATE) {
if (net_in_list(peer_net, private_net_ok, private_net_ok_len) &&
!net_in_list(peer_net, private_net_ko, private_net_ko_len))
return TRUE;
}
if (c->that.virt->n_net) {
if (net_in_list(peer_net, c->that.virt->net, c->that.virt->n_net))
return TRUE;
}
if (c->that.virt->flags & F_VIRTUAL_ALL) {
/** %all must only be used for testing - log it **/
loglog(RC_LOG_SERIOUS, "Warning - "
"v%s:%%all must only be used for testing",
(c->that.virt->flags & F_VIRTUAL_HOST) ? "host" : "net");
return TRUE;
}
return FALSE;
}
void confwrite_side(FILE *out,
struct starter_conn *conn,
struct starter_end *end,
char *side)
{
char databuf[2048]; /* good for a 12288 bit rsa key */
int keyingtype;
if(conn->manualkey) {
keyingtype=kv_manual;
} else {
keyingtype=kv_auto;
}
switch(end->addrtype) {
case KH_NOTSET:
/* nothing! */
break;
case KH_DEFAULTROUTE:
fprintf(out, "\t%s=%%defaultroute\n",side);
break;
case KH_ANY:
fprintf(out, "\t%s=%%any\n",side);
break;
case KH_IFACE:
if(end->strings_set[KSCF_IP]) {
fprintf(out, "\t%s=%s\n",side, end->strings[KSCF_IP]);
}
break;
case KH_OPPO:
fprintf(out, "\t%s=%%opportunistic\n",side);
break;
case KH_OPPOGROUP:
fprintf(out, "\t%s=%%opportunisticgroup\n",side);
break;
case KH_GROUP:
fprintf(out, "\t%s=%%group\n",side);
break;
case KH_IPHOSTNAME:
if(end->strings_set[KSCF_IP]) {
fprintf(out, "\t%s=%s\n",side, end->strings[KSCF_IP]);
}
break;
case KH_IPADDR:
addrtot(&end->addr, 0, databuf, ADDRTOT_BUF);
fprintf(out, "\t%s=%s\n", side, databuf);
break;
}
if(end->strings_set[KSCF_ID] && end->id) {
fprintf(out, "\t%sid=\"%s\"\n", side, end->id);
}
switch(end->nexttype) {
case KH_NOTSET:
/* nothing! */
break;
case KH_DEFAULTROUTE:
fprintf(out, "\t%snexthop=%%defaultroute\n",side);
break;
case KH_IPADDR:
addrtot(&end->nexthop, 0, databuf, ADDRTOT_BUF);
fprintf(out, "\t%snexthop=%s\n", side, databuf);
break;
default:
break;
}
if(end->has_client) {
if(isvalidsubnet(&end->subnet)
&& (!subnetishost(&end->subnet)
|| !addrinsubnet(&end->addr, &end->subnet)))
{
subnettot(&end->subnet, 0, databuf, SUBNETTOT_BUF);
fprintf(out, "\t%ssubnet=%s\n", side, databuf);
}
}
if(end->rsakey1) {
fprintf(out, "\t%srsakey=%s\n", side, end->rsakey1);
}
if(end->rsakey2) {
fprintf(out, "\t%srsakey2=%s\n", side, end->rsakey2);
}
if(end->port || end->protocol) {
char b2[32];
strcpy(b2, "%any");
strcpy(databuf, "%any");
if(end->port) {
sprintf(b2, "%u", end->port);
}
if(end->protocol) {
sprintf(databuf, "%u", end->protocol);
}
fprintf(out, "\t%sprotoport=%s/%s\n", side,
databuf, b2);
}
if(end->cert) {
fprintf(out, "\t%scert=%s\n", side, end->cert);
}
if(!isanyaddr(&end->sourceip)) {
addrtot(&end->sourceip, 0, databuf, ADDRTOT_BUF);
fprintf(out, "\t%ssourceip=%s\n", side, databuf);
}
confwrite_int(out, side,
kv_conn|kv_leftright,
keyingtype,
end->options, end->options_set, end->strings);
confwrite_str(out, side, kv_conn|kv_leftright,
keyingtype,
end->strings, end->strings_set);
}
