Compare 'srcnat' when comparing policies. Fixes a bug where policy lookup could

not differentiate between similar policies that only differ in srcnat.  Also
include srcnat when logging flows or policies.

ok markus@

2 files changed, 32 insertions, 4 deletions

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 9ad1e5e2df0..6f07d4f35a0 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2.c,v 1.350 2022/07/22 15:53:33 tobhe Exp $	*/
+/*	$OpenBSD: ikev2.c,v 1.351 2022/09/14 13:07:49 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -6391,6 +6391,7 @@ ikev2_childsa_enable(struct iked *env, struct iked_sa *sa)
 	struct ibuf		*spibuf = NULL;
 	struct ibuf		*flowbuf = NULL;
 	char			*buf;
+	char			 prenat_mask[10];
 	uint16_t		 encrid = 0, integrid = 0, groupid = 0;
 	size_t			 encrlen = 0, integrlen = 0;
 	int			 esn = 0;
@@ -6505,10 +6506,22 @@ ikev2_childsa_enable(struct iked *env, struct iked_sa *sa)
 
 		/* append flow to log buffer */
 		if (flow->flow_dir == IPSP_DIRECTION_OUT &&
-		    asprintf(&buf, "%s-%s/%d=%s/%d(%u)%s",
+		    flow->flow_prenat.addr_af != 0)
+			snprintf(prenat_mask, sizeof(prenat_mask), "%d",
+			    flow->flow_prenat.addr_mask);
+		else
+			prenat_mask[0] = '\0';
+		if (flow->flow_dir == IPSP_DIRECTION_OUT &&
+		    asprintf(&buf, "%s-%s/%d%s%s%s%s%s=%s/%d(%u)%s",
 		    print_map(flow->flow_saproto, ikev2_saproto_map),
 		    print_host((struct sockaddr *)&flow->flow_src.addr, NULL, 0),
 		    flow->flow_src.addr_mask,
+		    flow->flow_prenat.addr_af != 0 ? "[": "",
+		    flow->flow_prenat.addr_af != 0 ? print_host((struct sockaddr *)
+		    &flow->flow_prenat.addr, NULL, 0) : "",
+		    flow->flow_prenat.addr_af != 0 ? "/" : "",
+		    flow->flow_prenat.addr_af != 0 ? prenat_mask : "",
+		    flow->flow_prenat.addr_af != 0 ? "]": "",
 		    print_host((struct sockaddr *)&flow->flow_dst.addr, NULL, 0),
 		    flow->flow_dst.addr_mask,
 		    flow->flow_ipproto,
@@ -7448,17 +7461,30 @@ ikev2_info_csa(struct iked *env, int dolog, const char *msg, struct iked_childsa
 void
 ikev2_info_flow(struct iked *env, int dolog, const char *msg, struct iked_flow *flow)
 {
+	char		prenat_mask[10];
 	char		*buf;
 	int		buflen;
 
+	if (flow->flow_prenat.addr_af != 0)
+		snprintf(prenat_mask, sizeof(prenat_mask), "%d",
+		    flow->flow_prenat.addr_mask);
+	else
+		prenat_mask[0] = '\0';
+
 	buflen = asprintf(&buf,
-	    "%s: %p %s %s %s/%d -> %s/%d [%u]@%d (%s) @%p\n", msg, flow,
+	    "%s: %p %s %s %s/%d -> %s/%d %s%s%s%s%s[%u]@%d (%s) @%p\n", msg, flow,
 	    print_map(flow->flow_saproto, ikev2_saproto_map),
 	    flow->flow_dir == IPSP_DIRECTION_IN ? "in" : "out",
 	    print_host((struct sockaddr *)&flow->flow_src.addr, NULL, 0),
 	    flow->flow_src.addr_mask,
 	    print_host((struct sockaddr *)&flow->flow_dst.addr, NULL, 0),
 	    flow->flow_dst.addr_mask,
+	    flow->flow_prenat.addr_af != 0 ? "[": "",
+	    flow->flow_prenat.addr_af != 0 ? print_host((struct sockaddr *)
+	    &flow->flow_prenat.addr, NULL, 0) : "",
+	    flow->flow_prenat.addr_af != 0 ? "/" : "",
+	    flow->flow_prenat.addr_af != 0 ? prenat_mask : "",
+	    flow->flow_prenat.addr_af != 0 ? "] ": "",
 	    flow->flow_ipproto,
 	    flow->flow_rdomain,
 	    flow->flow_loaded ? "L" : "",
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index fd94939a6e0..ad2b1dc2ccc 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: policy.c,v 1.89 2021/12/01 16:42:13 deraadt Exp $	*/
+/*	$OpenBSD: policy.c,v 1.90 2022/09/14 13:07:50 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2020-2021 Tobias Heider <tobhe@openbsd.org>
@@ -1216,6 +1216,8 @@ flow_cmp(struct iked_flow *a, struct iked_flow *b)
 		diff = addr_cmp(&a->flow_dst, &b->flow_dst, 1);
 	if (!diff)
 		diff = addr_cmp(&a->flow_src, &b->flow_src, 1);
+	if (!diff)
+		diff = addr_cmp(&a->flow_prenat, &b->flow_prenat, 0);
 
 	return (diff);
 }