/** is_virtual_net_allowed - * Check if the virtual network the client proposes is acceptable to us * * @param c Connection structure (active) * @param peer_net IP Subnet the peer proposes * @param his_addr Peers IP Address * @return bool True if allowed */ err_t is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net, const ip_address *his_addr) { err_t why = NULL; if (!c->spd.that.virt) return NULL; if (c->spd.that.virt->flags & F_VIRTUAL_HOST) { if (!subnetishost(peer_net)) { why = "only virtual host IPs are allowed"; return why; } } if (c->spd.that.virt->flags & F_VIRTUAL_NO) { if (subnetishost(peer_net) && addrinsubnet(his_addr, peer_net)) return NULL; } if (c->spd.that.virt->flags & F_VIRTUAL_PRIVATE) { if (net_in_list(peer_net, private_net_ok, private_net_ok_len) && !net_in_list(peer_net, private_net_ko, private_net_ko_len)) return NULL; why = "a private network virtual IP was required, but the proposed IP did not match our list (virtual_private=)"; } if (c->spd.that.virt->n_net) { if (net_in_list(peer_net, c->spd.that.virt->net, c->spd.that.virt->n_net)) return NULL; why = "a specific network IP was required, but the proposed IP did not match our list (subnet=vhost:list)"; } if (c->spd.that.virt->flags & F_VIRTUAL_ALL) { /* %all must only be used for testing - log it */ loglog(RC_LOG_SERIOUS, "Warning - " "v%s:%%all must only be used for testing", (c->spd.that.virt->flags & F_VIRTUAL_HOST) ? "host" : "net"); return NULL; } return why; }
/* * check_virtual_net_allowed - * Check if the virtual network the client proposes is acceptable to us * * @param c Connection structure (active) * @param peer_net IP Subnet the peer proposes * @param his_addr Peers IP Address * @return bool True if allowed */ err_t check_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net, const ip_address *his_addr) { const struct virtual_t *virt = c->spd.that.virt; err_t why = NULL; if (virt == NULL) return NULL; if (virt->flags & F_VIRTUAL_HOST) { if (!subnetishost(peer_net)) { return "only virtual host IPs are allowed"; } } if (virt->flags & F_VIRTUAL_NO) { if (subnetishost(peer_net) && addrinsubnet(his_addr, peer_net)) return NULL; } if (virt->flags & F_VIRTUAL_PRIVATE) { if (net_in_list(peer_net, private_net_incl, private_net_incl_len) && !net_in_list(peer_net, private_net_excl, private_net_excl_len)) return NULL; why = "a private network virtual IP was required, but the proposed IP did not match our list (virtual-private=)"; } if (virt->n_net != 0) { /* ??? if why is already set, is this behaviour correct? */ if (net_in_list(peer_net, virt->net, virt->n_net)) return NULL; why = "a specific network IP was required, but the proposed IP did not match our list (subnet=vhost:list)"; } if (virt->flags & F_VIRTUAL_ALL) { /* ??? if why is already set, is this behaviour correct? */ /* %all must only be used for testing - log it */ loglog(RC_LOG_SERIOUS, "Warning - v%s:%%all must only be used for testing", (virt->flags & F_VIRTUAL_HOST) ? "host" : "net"); return NULL; } return why; }
bool subnetisnone(const ip_subnet *sn) { ip_address base; networkof(sn, &base); return isanyaddr(&base) && subnetishost(sn); }
bool is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net, const ip_address *his_addr) { if (!c->that.virt) return FALSE; if (c->that.virt->flags & F_VIRTUAL_HOST) { if (!subnetishost(peer_net)) return FALSE; } if (c->that.virt->flags & F_VIRTUAL_NO) { if (subnetishost(peer_net) && addrinsubnet(his_addr, peer_net)) return TRUE; } if (c->that.virt->flags & F_VIRTUAL_PRIVATE) { if (net_in_list(peer_net, private_net_ok, private_net_ok_len) && !net_in_list(peer_net, private_net_ko, private_net_ko_len)) return TRUE; } if (c->that.virt->n_net) { if (net_in_list(peer_net, c->that.virt->net, c->that.virt->n_net)) return TRUE; } if (c->that.virt->flags & F_VIRTUAL_ALL) { /** %all must only be used for testing - log it **/ loglog(RC_LOG_SERIOUS, "Warning - " "v%s:%%all must only be used for testing", (c->that.virt->flags & F_VIRTUAL_HOST) ? "host" : "net"); return TRUE; } return FALSE; }
void confwrite_side(FILE *out, struct starter_conn *conn, struct starter_end *end, char *side) { char databuf[2048]; /* good for a 12288 bit rsa key */ int keyingtype; if(conn->manualkey) { keyingtype=kv_manual; } else { keyingtype=kv_auto; } switch(end->addrtype) { case KH_NOTSET: /* nothing! */ break; case KH_DEFAULTROUTE: fprintf(out, "\t%s=%%defaultroute\n",side); break; case KH_ANY: fprintf(out, "\t%s=%%any\n",side); break; case KH_IFACE: if(end->strings_set[KSCF_IP]) { fprintf(out, "\t%s=%s\n",side, end->strings[KSCF_IP]); } break; case KH_OPPO: fprintf(out, "\t%s=%%opportunistic\n",side); break; case KH_OPPOGROUP: fprintf(out, "\t%s=%%opportunisticgroup\n",side); break; case KH_GROUP: fprintf(out, "\t%s=%%group\n",side); break; case KH_IPHOSTNAME: if(end->strings_set[KSCF_IP]) { fprintf(out, "\t%s=%s\n",side, end->strings[KSCF_IP]); } break; case KH_IPADDR: addrtot(&end->addr, 0, databuf, ADDRTOT_BUF); fprintf(out, "\t%s=%s\n", side, databuf); break; } if(end->strings_set[KSCF_ID] && end->id) { fprintf(out, "\t%sid=\"%s\"\n", side, end->id); } switch(end->nexttype) { case KH_NOTSET: /* nothing! */ break; case KH_DEFAULTROUTE: fprintf(out, "\t%snexthop=%%defaultroute\n",side); break; case KH_IPADDR: addrtot(&end->nexthop, 0, databuf, ADDRTOT_BUF); fprintf(out, "\t%snexthop=%s\n", side, databuf); break; default: break; } if(end->has_client) { if(isvalidsubnet(&end->subnet) && (!subnetishost(&end->subnet) || !addrinsubnet(&end->addr, &end->subnet))) { subnettot(&end->subnet, 0, databuf, SUBNETTOT_BUF); fprintf(out, "\t%ssubnet=%s\n", side, databuf); } } if(end->rsakey1) { fprintf(out, "\t%srsakey=%s\n", side, end->rsakey1); } if(end->rsakey2) { fprintf(out, "\t%srsakey2=%s\n", side, end->rsakey2); } if(end->port || end->protocol) { char b2[32]; strcpy(b2, "%any"); strcpy(databuf, "%any"); if(end->port) { sprintf(b2, "%u", end->port); } if(end->protocol) { sprintf(databuf, "%u", end->protocol); } fprintf(out, "\t%sprotoport=%s/%s\n", side, databuf, b2); } if(end->cert) { fprintf(out, "\t%scert=%s\n", side, end->cert); } if(!isanyaddr(&end->sourceip)) { addrtot(&end->sourceip, 0, databuf, ADDRTOT_BUF); fprintf(out, "\t%ssourceip=%s\n", side, databuf); } confwrite_int(out, side, kv_conn|kv_leftright, keyingtype, end->options, end->options_set, end->strings); confwrite_str(out, side, kv_conn|kv_leftright, keyingtype, end->strings, end->strings_set); }