vici: Add redirect command

author Tobias Brunner <tobias@strongswan.org>

Tue, 28 Apr 2015 15:45:52 +0000 (17:45 +0200)

committer Tobias Brunner <tobias@strongswan.org>

Fri, 4 Mar 2016 15:02:59 +0000 (16:02 +0100)
author Tobias Brunner <tobias@strongswan.org>
Tue, 28 Apr 2015 15:45:52 +0000 (17:45 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Fri, 4 Mar 2016 15:02:59 +0000 (16:02 +0100)
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md

index 773ef1aa5c2ccc8dc3b8012f0c44240a4e70c494..d084883104c05cf40c909cad8263978d292c0598 100644 (file)
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -289,6 +289,21 @@ Terminates an SA while streaming _control-log_ events.
  The default timeout of 0 waits indefinitely for a result, and a timeout value
  of -1 returns a result immediately.
  
+### redirect() ###
+
+Redirect a client-initiated IKE_SA to another gateway.  Only for IKEv2 and if
+supported by the peer.
+
+       {
+               ike = <redirect an IKE_SA by configuration name>
+               ike-id = <redirect an IKE_SA by its unique id>
+               peer-ip = <redirect an IKE_SA with matching peer IP>
+               peer-id = <redirect an IKE_SA with matching peer identity>
+       } => {
+               success = <yes or no>
+               errmsg = <error string on failure>
+       }
+
  ### install() ###
  
  Install a trap, drop or bypass policy defined by a CHILD_SA config.
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm

index 5252296cfe496049851ded2411b4d2fa3432b2d2..78197136aed8bcfa0603d66413cf182c76ed0ca8 100644 (file)
--- a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
@@ -36,6 +36,10 @@ sub terminate {
      return request_vars_res('terminate', @_);
  }
  
+sub redirect {
+    return request_vars_res('redirect', @_);
+}
+
  sub install {
      return request_vars_res('install', @_);
  }
diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py

index 283e3d13d7fe3c9634eaaa84cd6947385535a0a3..66de8590a92b1f159814161e2feec13d55100ce6 100644 (file)
--- a/src/libcharon/plugins/vici/python/vici/session.py
+++ b/src/libcharon/plugins/vici/python/vici/session.py
@@ -53,6 +53,14 @@ class Session(object):
          """
          return self.handler.streamed_request("terminate", "control-log", sa)
  
+    def redirect(self, sa):
+        """Redirect an IKE_SA.
+
+        :param sa: the SA to redirect
+        :type sa: dict
+        """
+        self.handler.request("redirect", sa)
+
      def install(self, policy):
          """Install a trap, drop or bypass policy defined by a CHILD_SA config.
  
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb

index f8169add0706e06beefae20d6d6256e388747e39..018f507661c0ed401fdeeb392d3421a5548503ea 100644 (file)
--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -504,6 +504,12 @@ module Vici
                      "control-log", &block))
      end
  
+    ##
+    # Redirect an IKE_SA.
+    def redirect(options)
+      check_success(@transp.request("redirect", Message.new(options)))
+    end
+
      ##
      # Install a shunt/route policy.
      def install(policy)
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c

index 87794d24dda28ca464ab82523d2591fff4e11d39..7bcab0e86e0f55ea1f33270f9026d843eb423bd4 100644 (file)
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -1,4 +1,7 @@
  /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
   * Copyright (C) 2014 Martin Willi
   * Copyright (C) 2014 revosec AG
   *
@@ -20,6 +23,7 @@
  
  #include <daemon.h>
  #include <collections/array.h>
+#include <processing/jobs/redirect_job.h>
  
  typedef struct private_vici_control_t private_vici_control_t;
  
@@ -356,6 +360,118 @@ CALLBACK(terminate, vici_message_t*,
         return builder->finalize(builder);
  }
  
+CALLBACK(redirect, vici_message_t*,
+       private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+{
+       enumerator_t *sas;
+       char *ike, *peer_ip, *peer_id, *gw, *errmsg = NULL;
+       u_int ike_id, current, found = 0;
+       identification_t *gateway, *identity = NULL;
+       host_t *address = NULL;
+       ike_sa_t *ike_sa;
+       vici_builder_t *builder;
+
+       ike = request->get_str(request, NULL, "ike");
+       ike_id = request->get_int(request, 0, "ike-id");
+       peer_ip = request->get_str(request, NULL, "peer-ip");
+       peer_id = request->get_str(request, NULL, "peer-id");
+       gw = request->get_str(request, NULL, "gateway");
+
+       if (!gw || !(gateway = identification_create_from_string(gw)))
+       {
+               return send_reply(this, "missing target gateway");
+       }
+       switch (gateway->get_type(gateway))
+       {
+               case ID_IPV4_ADDR:
+               case ID_IPV6_ADDR:
+               case ID_FQDN:
+                       break;
+               default:
+                       return send_reply(this, "unsupported gateway identity");
+       }
+       if (peer_ip)
+       {
+               address = host_create_from_string(peer_ip, 0);
+               if (!address)
+               {
+                       return send_reply(this, "invalid peer IP selector");
+               }
+               DBG1(DBG_CFG, "vici redirect IKE_SAs with src %H to %Y", address,
+                        gateway);
+       }
+       if (peer_id)
+       {
+               identity = identification_create_from_string(peer_id);
+               if (!identity)
+               {
+                       DESTROY_IF(address);
+                       return send_reply(this, "invalid peer identity selector");
+               }
+               DBG1(DBG_CFG, "vici redirect IKE_SAs with ID '%Y' to %Y", identity,
+                        gateway);
+       }
+       if (ike_id)
+       {
+               DBG1(DBG_CFG, "vici redirect IKE_SA #%d to %Y", ike_id, gateway);
+       }
+       if (ike)
+       {
+               DBG1(DBG_CFG, "vici redirect IKE_SA '%s' to %Y", ike, gateway);
+       }
+       if (!peer_ip && !peer_id && !ike && !ike_id)
+       {
+               DBG1(DBG_CFG, "vici redirect all IKE_SAs to %Y", gateway);
+       }
+
+       sas = charon->controller->create_ike_sa_enumerator(charon->controller, TRUE);
+       while (sas->enumerate(sas, &ike_sa))
+       {
+               if (ike_sa->get_version(ike_sa) != IKEV2)
+               {
+                       continue;
+               }
+               current = ike_sa->get_unique_id(ike_sa);
+               if (ike_id && ike_id != current)
+               {
+                       continue;
+               }
+               if (ike && !streq(ike, ike_sa->get_name(ike_sa)))
+               {
+                       continue;
+               }
+               if (address &&
+                       !address->ip_equals(address, ike_sa->get_other_host(ike_sa)))
+               {
+                       continue;
+               }
+               if (identity &&
+                       !identity->equals(identity, ike_sa->get_other_eap_id(ike_sa)))
+               {
+                       continue;
+               }
+               lib->processor->queue_job(lib->processor,
+                               (job_t*)redirect_job_create(ike_sa->get_id(ike_sa), gateway));
+               found++;
+       }
+       sas->destroy(sas);
+
+       builder = vici_builder_create();
+       if (!found)
+       {
+               errmsg = "no matching SAs to redirect found";
+       }
+       builder->add_kv(builder, "success", errmsg ? "no" : "yes");
+       if (errmsg)
+       {
+               builder->add_kv(builder, "errmsg", "%s", errmsg);
+       }
+       gateway->destroy(gateway);
+       DESTROY_IF(identity);
+       DESTROY_IF(address);
+       return builder->finalize(builder);
+}
+
  /**
   * Find reqid of an existing CHILD_SA
   */
@@ -498,6 +614,7 @@ static void manage_commands(private_vici_control_t *this, bool reg)
  {
         manage_command(this, "initiate", initiate, reg);
         manage_command(this, "terminate", terminate, reg);
+       manage_command(this, "redirect", redirect, reg);
         manage_command(this, "install", install, reg);
         manage_command(this, "uninstall", uninstall, reg);
         manage_command(this, "reload-settings", reload_settings, reg);
author	Tobias Brunner <tobias@strongswan.org>
	Tue, 28 Apr 2015 15:45:52 +0000 (17:45 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Fri, 4 Mar 2016 15:02:59 +0000 (16:02 +0100)
src/libcharon/plugins/vici/README.md		patch \| blob \| blame \| history
src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm		patch \| blob \| blame \| history
src/libcharon/plugins/vici/python/vici/session.py		patch \| blob \| blame \| history
src/libcharon/plugins/vici/ruby/lib/vici.rb		patch \| blob \| blame \| history
src/libcharon/plugins/vici/vici_control.c		patch \| blob \| blame \| history