authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2006-04-19 15:49:50 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2006-04-19 15:49:50 +0000
commit18a560b6f77127052a05dcaa809c0a574a9aa268 (patch)
treebe381d199b3956c6f5e1797572d519ccbedccc49
parent57428c6ffce5e2656cdc37b2e38b866366ba58f7 (diff)
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
-rw-r--r--sbin/ipsecctl/ipsec.conf.516
-rw-r--r--sbin/ipsecctl/parse.y51
2 files changed, 57 insertions, 10 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 7fd8245eb0b..ada8e694ad5 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.40 2006/04/13 11:55:07 hshoexer Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.41 2006/04/19 15:49:49 hshoexer Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -134,17 +134,18 @@ This rule applies for packets with source address
.Aq Ar src
and destination address
.Aq Ar dst .
-All addresses are specified in CIDR notation.
+All addresses are specified either in CIDR notation or as FQDN.
The keyword
.Ar any
will match any address (i.e. 0.0.0.0/0).
The
.Ar local
-parameter specifies the address of the local endpoint of this particular
+parameter specifies the address or FQDN of the local endpoint of this
flow and can be usually left out.
The
.Ar peer
-parameter specifies the address of the remote endpoint of this flow.
+parameter specifies the address or FQDN of the remote endpoint of this
+flow.
For host-to-host connections where
.Aq Ar dst
is identical to
@@ -397,7 +398,7 @@ This rule applies for packets with source address
.Aq Ar src
and destination address
.Aq Ar dst .
-All addresses are specified in CIDR notation.
+All addresses are specified either in CIDR notation or as FQDN.
The keyword
.Ar any
will match any address (i.e. 0.0.0.0/0).
@@ -408,7 +409,8 @@ or have aliases.
Usually this parameter can be left out.
The
.Ar peer
-parameter specifies the address of the remote endpoint of this particular flow.
+parameter specifies the address or FQDN of the remote endpoint of this
+particular flow.
For host-to-host connections where
.Aq Ar dst
is identical to
@@ -531,7 +533,7 @@ This rule applies for packets with source address
.Aq Ar src
and destination address
.Aq Ar dst .
-All addresses are specified in CIDR notation.
+All addresses are specified either in CIDR notation or as FQDN.
The parameter
.Ar spi
is a 32-bit value defining the Security Parameter Index (SPI) for this SA.
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index b2eea4a863e..e17f70e7933 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.58 2006/04/13 11:55:07 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.59 2006/04/19 15:49:49 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -37,6 +37,7 @@
#include <fcntl.h>
#include <ifaddrs.h>
#include <limits.h>
+#include <netdb.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
@@ -115,6 +116,7 @@ struct ipsec_key *parsekey(unsigned char *, size_t);
struct ipsec_key *parsekeyfile(char *);
struct ipsec_addr_wrap *host(const char *);
struct ipsec_addr_wrap *host_v4(const char *, int);
+struct ipsec_addr_wrap *host_dns(const char *, int, int);
struct ipsec_addr_wrap *host_if(const char *, int);
void ifa_load(void);
int ifa_exists(const char *);
@@ -1173,14 +1175,18 @@ host(const char *s)
cont = 0;
/* IPv4 address? */
- if (cont && (ipa = host_v4(s, mask)) != NULL)
+ if (cont && (ipa = host_v4(s, v4mask)) != NULL)
cont = 0;
#if notyet
/* IPv6 address? */
- if (cont && (ipa = host_dns(ps, v4mask, 0)) != NULL)
+ if (cont && (ipa = host_v6(s, v6mask)) != NULL)
cont = 0;
#endif
+
+ /* dns lookup */
+ if (cont && (ipa = host_dns(s, v4mask, 0)) != NULL)
+ cont = 0;
free(ps);
if (ipa == NULL || cont == 1) {
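Review bot: The new `host_dns(s, v4mask, 0)` call runs for every token that `host_v4()` rejected, so a mistyped address literal now becomes a DNS query rather than a parse error, and when that query fails `host_dns()` returns NULL without surfacing why. Since the only caller-visible outcome is the generic failure branch below, consider reporting `gai_strerror(error)` from `host_dns()` (or returning it to `host()`) so an operator can tell "name does not resolve" from "bad address syntax". The hard-coded `0` for `v6mask` is also worth a comment, e.g. `/* v6mask unused until IPv6 support (#if notyet) lands */`, as nothing on the new side consumes it yet. `host()` begins and ends outside this hunk.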
@@ -1224,6 +1230,45 @@ host_v4(const char *s, int mask)
}
struct ipsec_addr_wrap *
+host_dns(const char *s, int v4mask, int v6mask)
+{
+ struct ipsec_addr_wrap *ipa = NULL;
+ struct addrinfo hints, *res0, *res;
+ int error;
+ int bits = 32;
+
+ bzero(&hints, sizeof(struct addrinfo));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ error = getaddrinfo(s, NULL, &hints, &res0);
+ if (error)
+ return (NULL);
+
+ for (res = res0; res; res = res->ai_next) {
+ if (res->ai_family != AF_INET)
+ continue;
+ ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
+ if (ipa == NULL)
+ err(1, "host_dns: calloc");
+ memcpy(&ipa->address.v4,
+ &((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr,
+ sizeof(struct in_addr));
+ ipa->name = strdup(inet_ntoa(ipa->address.v4));
+ if (ipa->name == NULL)
+ err(1, "host_dns: strdup");
+ ipa->af = AF_INET;
+
+ set_ipmask(ipa, bits);
+ if (bits != (ipa->af == AF_INET ? 32 : 128))
+ ipa->netaddress = 1;
+ break;
+ }
+ freeaddrinfo(res0);
+
+ return (ipa);
+}
+
+struct ipsec_addr_wrap *
host_if(const char *s, int mask)
{
struct ipsec_addr_wrap *ipa = NULL;
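Review bot: Both mask parameters of `host_dns()` are ignored: `bits` is fixed at 32, so `set_ipmask(ipa, bits)` always produces a host mask and the test `bits != (ipa->af == AF_INET ? 32 : 128)` can never be true, leaving `netaddress` unset regardless of what `host()` passed as `v4mask`. If `v4mask` carries the prefix length the caller parsed (as the `host_v4(s, v4mask)` call suggests), the fix is `set_ipmask(ipa, v4mask);` with the `netaddress` check written against `v4mask`; otherwise the parameters should be dropped or the fixed /32 documented. Two further caveats deserve a comment at the top of the function: only the first `AF_INET` result is used (the loop `break`s after one entry), so an FQDN with several A records silently yields a policy for one address, and the resolution happens once at configuration load time via unauthenticated DNS, which operators should know when choosing FQDNs over literals. Since only `AF_INET` results are kept, `hints.ai_family = AF_INET;` would also avoid needless AAAA lookups.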