600, 600, /* jitter, over 10min */
TRUE, FALSE, /* mobike, aggressive */
0, 0, /* DPD delay, timeout */
- NULL, FALSE, NULL, NULL); /* pool, mediation */
+ FALSE, NULL, NULL); /* mediation */
if (virtual)
{
peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
ike_cfg = load_ike_config(this, settings, config);
peer_cfg = peer_cfg_create(config, IKEV2, ike_cfg, CERT_ALWAYS_SEND,
UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, 0, 0,
- NULL, FALSE, NULL, NULL);
+ FALSE, NULL, NULL);
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
600, 600, /* jitter, over 10min */
TRUE, FALSE, /* mobike, aggressive */
0, 0, /* DPD delay, timeout */
- NULL, FALSE, NULL, NULL); /* pool, mediation */
+ FALSE, NULL, NULL); /* mediation */
peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
auth = auth_cfg_create();
linked_list_t *vips;
/**
- * pool to acquire configuration attributes from
+ * List of pool names to use for virtual IP lookup
*/
- char *pool;
+ linked_list_t *pools;
/**
* local authentication configs (rulesets)
return this->vips->create_enumerator(this->vips);
}
-METHOD(peer_cfg_t, get_pool, char*,
+METHOD(peer_cfg_t, add_pool, void,
+ private_peer_cfg_t *this, char *name)
+{
+ this->pools->insert_last(this->pools, strdup(name));
+}
+
+METHOD(peer_cfg_t, create_pool_enumerator, enumerator_t*,
private_peer_cfg_t *this)
{
- return this->pool;
+ return this->pools->create_enumerator(this->pools);
}
METHOD(peer_cfg_t, add_auth_cfg, void,
{
enumerator_t *e1, *e2;
host_t *vip1, *vip2;
+ char *pool1, *pool2;
if (this == other)
{
e1->destroy(e1);
e2->destroy(e2);
+ if (this->pools->get_count(this->pools) !=
+ other->pools->get_count(other->pools))
+ {
+ return FALSE;
+ }
+ e1 = create_pool_enumerator(this);
+ e2 = create_pool_enumerator(other);
+ if (e1->enumerate(e1, &pool1) && e2->enumerate(e2, &pool2))
+ {
+ if (!streq(pool1, pool2))
+ {
+ e1->destroy(e1);
+ e2->destroy(e2);
+ return FALSE;
+ }
+ }
+ e1->destroy(e1);
+ e2->destroy(e2);
+
return (
this->ike_version == other->ike_version &&
this->cert_policy == other->cert_policy &&
this->jitter_time == other->jitter_time &&
this->over_time == other->over_time &&
this->dpd == other->dpd &&
- (this->pool == other->pool ||
- (this->pool && other->pool && streq(this->pool, other->pool))) &&
auth_cfg_equal(this, other)
#ifdef ME
&& this->mediation == other->mediation &&
this->remote_auth->destroy_offset(this->remote_auth,
offsetof(auth_cfg_t, destroy));
this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
+ this->pools->destroy_function(this->pools, free);
#ifdef ME
DESTROY_IF(this->mediated_by);
DESTROY_IF(this->peer_id);
#endif /* ME */
this->mutex->destroy(this->mutex);
free(this->name);
- free(this->pool);
free(this);
}
}
u_int32_t rekey_time, u_int32_t reauth_time,
u_int32_t jitter_time, u_int32_t over_time,
bool mobike, bool aggressive, u_int32_t dpd,
- u_int32_t dpd_timeout, char *pool,
+ u_int32_t dpd_timeout,
bool mediation, peer_cfg_t *mediated_by,
identification_t *peer_id)
{
.get_dpd_timeout = _get_dpd_timeout,
.add_virtual_ip = _add_virtual_ip,
.create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
- .get_pool = _get_pool,
+ .add_pool = _add_pool,
+ .create_pool_enumerator = _create_pool_enumerator,
.add_auth_cfg = _add_auth_cfg,
.create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
.equals = (void*)_equals,
.dpd = dpd,
.dpd_timeout = dpd_timeout,
.vips = linked_list_create(),
- .pool = strdupnull(pool),
+ .pools = linked_list_create(),
.local_auth = linked_list_create(),
.remote_auth = linked_list_create(),
.refcount = 1,
enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);
/**
- * Get the name of the pool to acquire configuration attributes from.
+ * Add a pool name this configuration uses to select virtual IPs.
*
- * @return pool name, NULL if none defined
+ * @param name pool name to use for virtual IP lookup
*/
- char* (*get_pool)(peer_cfg_t *this);
+ void (*add_pool)(peer_cfg_t *this, char *name);
+
+ /**
+ * Create an enumerator over pool names of this config.
+ *
+ * @return enumerator over char*
+ */
+ enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);
#ifdef ME
/**
* @param aggressive use/accept aggressive mode with IKEv1
* @param dpd DPD check interval, 0 to disable
* @param dpd_timeout DPD timeout interval (IKEv1 only), if 0 default applies
- * @param pool pool name to get configuration attributes from, or NULL
* @param mediation TRUE if this is a mediation connection
* @param mediated_by peer_cfg_t of the mediation connection to mediate through
* @param peer_id ID that identifies our peer at the mediation server
u_int32_t rekey_time, u_int32_t reauth_time,
u_int32_t jitter_time, u_int32_t over_time,
bool mobike, bool aggressive, u_int32_t dpd,
- u_int32_t dpd_timeout, char *pool,
+ u_int32_t dpd_timeout,
bool mediation, peer_cfg_t *mediated_by,
identification_t *peer_id);
600, 600, /* jitter, over 10min */
TRUE, FALSE, /* mobike, aggressive */
0, 0, /* DPD delay, timeout */
- NULL, FALSE, NULL, NULL); /* pool, mediation */
+ FALSE, NULL, NULL); /* mediation */
peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
auth = auth_cfg_create();
}
if (received_vip)
{
+ enumerator_t *pools, *vips;
host_t *vip;
char *pool;
peer_cfg = ike_sa->get_peer_cfg(ike_sa);
if (peer_cfg)
{
- pool = peer_cfg->get_pool(peer_cfg);
- if (pool)
+ pools = peer_cfg->create_pool_enumerator(peer_cfg);
+ while (pools->enumerate(pools, &pool))
{
- enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa,
- FALSE);
- while (enumerator->enumerate(enumerator, &vip))
+ vips = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+ while (vips->enumerate(vips, &vip))
{
this->attr->reserve(this->attr, pool, vip);
}
- enumerator->destroy(enumerator);
+ vips->destroy(vips);
}
+ pools->destroy(pools);
}
}
if (ike_sa->get_version(ike_sa) == IKEV1)
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create("ha", IKEV2, ike_cfg, CERT_NEVER_SEND,
UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, 30,
- 0, NULL, FALSE, NULL, NULL);
+ 0, FALSE, NULL, NULL);
auth_cfg = auth_cfg_create();
auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
FALSE, FALSE, /* mobike, aggressive mode */
this->dpd_delay, /* dpd_delay */
this->dpd_timeout, /* dpd_timeout */
- this->pool, FALSE, NULL, NULL);
+ FALSE, NULL, NULL);
if (this->vip)
{
peer_cfg->add_virtual_ip(peer_cfg, this->vip->clone(this->vip));
}
+ if (this->pool)
+ {
+ peer_cfg->add_pool(peer_cfg, this->pool);
+ }
if (num)
{ /* initiator */
generate_auth_cfg(this, this->initiator_auth, peer_cfg, TRUE, num);
600, 600, /* jitter, over 10min */
TRUE, FALSE, /* mobike, aggressive */
0, 0, /* DPD delay, timeout */
- NULL, FALSE, NULL, NULL); /* pool, mediation */
+ FALSE, NULL, NULL); /* mediation */
peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
auth = auth_cfg_create();
this->rekey*5, this->rekey*3, /* jitter, overtime */
TRUE, FALSE, /* mobike, aggressive */
this->dpd, 0, /* DPD delay, timeout */
- NULL, /* pool */
TRUE, NULL, NULL); /* mediation, med by, peer id */
e->destroy(e);
this->rekey*5, this->rekey*3, /* jitter, overtime */
TRUE, FALSE, /* mobike, aggressive */
this->dpd, 0, /* DPD delay, timeout */
- NULL, /* pool */
FALSE, med_cfg, /* mediation, med by */
identification_create_from_encoding(ID_KEY_ID, other));
this->rekey*5, this->rekey*3, /* jitter, overtime */
TRUE, FALSE, /* mobike, aggressive */
this->dpd, 0, /* DPD delay, timeout */
- NULL, /* pool */
FALSE, NULL, NULL); /* mediation, med by, peer id */
auth = auth_cfg_create();
this->rekey*5, this->rekey*3, /* jitter, overtime */
TRUE, FALSE, /* mobike, aggressiv */
this->dpd, 0, /* DPD delay, timeout */
- NULL, /* pool */
TRUE, NULL, NULL); /* mediation, med by, peer id */
e->destroy(e);
peer_cfg = peer_cfg_create(
name, IKEV2, ike, cert_policy, uniqueid,
keyingtries, rekeytime, reauthtime, jitter, overtime,
- mobike, FALSE, dpd_delay, 0, pool,
+ mobike, FALSE, dpd_delay, 0,
mediation, mediated_cfg, peer_id);
if (vip)
{
peer_cfg->add_virtual_ip(peer_cfg, vip);
}
+ if (pool)
+ {
+ peer_cfg->add_pool(peer_cfg, pool);
+ }
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
auth->add(auth, AUTH_RULE_IDENTITY, local_id);
msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
msg->add_conn.mobike, msg->add_conn.aggressive,
msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout,
- msg->add_conn.other.sourceip_mask ?
- msg->add_conn.name : msg->add_conn.other.sourceip,
msg->add_conn.ikeme.mediation, mediated_by, peer_id);
if (vip)
{
peer_cfg->add_virtual_ip(peer_cfg, vip);
}
+ if (msg->add_conn.other.sourceip_mask)
+ {
+ peer_cfg->add_pool(peer_cfg, msg->add_conn.name);
+ }
+ else if (msg->add_conn.other.sourceip)
+ {
+ peer_cfg->add_pool(peer_cfg, msg->add_conn.other.sourceip);
+ }
/* build leftauth= */
auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
1800, 900, /* jitter, overtime */
TRUE, FALSE, /* mobike, aggressive */
60, 0, /* DPD delay, timeout */
- NULL, /* pool */
FALSE, NULL, NULL); /* mediation, med by, peer id */
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
while (this->other_vips->remove_last(this->other_vips,
(void**)&vip) == SUCCESS)
{
- if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
+ if (this->peer_cfg)
{
- hydra->attributes->release_address(hydra->attributes,
- this->peer_cfg->get_pool(this->peer_cfg),
- vip, get_other_eap_id(this));
+ enumerator_t *enumerator;
+ char *pool;
+
+ enumerator = this->peer_cfg->create_pool_enumerator(this->peer_cfg);
+ while (enumerator->enumerate(enumerator, &pool))
+ {
+ if (hydra->attributes->release_address(hydra->attributes, pool,
+ vip, get_other_eap_id(this)))
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
}
vip->destroy(vip);
}
return found;
}
+METHOD(phase1_t, has_pool, bool,
+ private_phase1_t *this, peer_cfg_t *peer_cfg)
+{
+ enumerator_t *enumerator;
+ bool found = FALSE;
+ char *pool;
+
+ enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
+ found = enumerator->enumerate(enumerator, &pool);
+ enumerator->destroy(enumerator);
+
+ return found;
+}
+
METHOD(phase1_t, save_sa_payload, bool,
private_phase1_t *this, message_t *message)
{
.get_id = _get_id,
.select_config = _select_config,
.has_virtual_ip = _has_virtual_ip,
+ .has_pool = _has_pool,
.verify_auth = _verify_auth,
.build_auth = _build_auth,
.save_sa_payload = _save_sa_payload,
*/
identification_t* (*get_id)(phase1_t *this, peer_cfg_t *peer_cfg, bool local);
+ /**
+ * Check if peer config has virtual IPs pool assigned.
+ *
+ * @param peer_cfg peer_config to check
+ * @return TRUE if peer config contains at least one pool
+ */
+ bool (*has_pool)(phase1_t *this, peer_cfg_t *peer_cfg);
+
/**
* Check if peer config has virtual IPs to request
*
{
enumerator_t *enumerator;
peer_cfg_t *peer_cfg;
+ char *pool;
host_t *host;
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (peer_cfg && peer_cfg->get_pool(peer_cfg))
+ if (peer_cfg)
{
+ enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
+ if (!enumerator->enumerate(enumerator, &pool))
+ { /* no pool configured */
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ enumerator->destroy(enumerator);
+
enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
FALSE);
if (!enumerator->enumerate(enumerator, &host))
this->ike_sa->get_id(this->ike_sa)));
break;
}
- if (this->peer_cfg->get_pool(this->peer_cfg) == NULL &&
+ if (!this->ph1->has_pool(this->ph1, this->peer_cfg) &&
this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
{
this->ike_sa->queue_task(this->ike_sa,
this->ike_sa->get_id(this->ike_sa)));
break;
}
- if (this->peer_cfg->get_pool(this->peer_cfg) == NULL &&
+ if (!this->ph1->has_pool(this->ph1, this->peer_cfg) &&
this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
{
this->ike_sa->queue_task(this->ike_sa,
cp_payload_t *cp = NULL;
peer_cfg_t *config;
identification_t *id;
+ char *pool;
id = this->ike_sa->get_other_eap_id(this->ike_sa);
config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ enumerator = config->create_pool_enumerator(config);
+ if (!enumerator->enumerate(enumerator, &pool))
+ { /* TODO: currently we query the first pool, only */
+ pool = NULL;
+ }
+ enumerator->destroy(enumerator);
if (this->virtual_ip)
{
DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
- if (config->get_pool(config))
+ if (pool)
{
vip = hydra->attributes->acquire_address(hydra->attributes,
- config->get_pool(config), id, this->virtual_ip);
+ pool, id, this->virtual_ip);
}
cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
if (vip)
}
/* query registered providers for additional attributes to include */
enumerator = hydra->attributes->create_responder_enumerator(
- hydra->attributes, config->get_pool(config), id, vip);
+ hydra->attributes, pool, id, vip);
while (enumerator->enumerate(enumerator, &type, &value))
{
if (!cp)
cp_payload_t *cp = NULL;
peer_cfg_t *config;
identification_t *id;
+ char *pool;
id = this->ike_sa->get_other_eap_id(this->ike_sa);
config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ enumerator = config->create_pool_enumerator(config);
+ if (!enumerator->enumerate(enumerator, &pool))
+ { /* TODO: currently we query the first pool, only */
+ pool = NULL;
+ }
+ enumerator->destroy(enumerator);
+
if (this->virtual_ip)
{
DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
- if (config->get_pool(config))
+ if (pool)
{
vip = hydra->attributes->acquire_address(hydra->attributes,
- config->get_pool(config), id, this->virtual_ip);
+ pool, id, this->virtual_ip);
}
if (vip == NULL)
{
/* query registered providers for additional attributes to include */
enumerator = hydra->attributes->create_responder_enumerator(
- hydra->attributes, config->get_pool(config), id, vip);
+ hydra->attributes, pool, id, vip);
while (enumerator->enumerate(enumerator, &type, &value))
{
if (!cp)
return host;
}
-METHOD(attribute_manager_t, release_address, void,
+METHOD(attribute_manager_t, release_address, bool,
private_attribute_manager_t *this, char *pool, host_t *address,
identification_t *id)
{
enumerator->destroy(enumerator);
this->lock->unlock(this->lock);
- if (!found)
- {
- DBG1(DBG_CFG, "releasing address to pool '%s' failed", pool);
- }
+ return found;
}
/**
* @param pool pool name from which the address was acquired
* @param address address to release
* @param id peer identity to get address for
+ * @return TRUE if address released to pool
*/
- void (*release_address)(attribute_manager_t *this,
+ bool (*release_address)(attribute_manager_t *this,
char *pool, host_t *address, identification_t *id);
/**
projects / thirdparty / strongswan.git / commitdiff
