-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 16 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 51 |
2 files changed, 57 insertions, 10 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 7fd8245eb0b..ada8e694ad5 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.40 2006/04/13 11:55:07 hshoexer Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.41 2006/04/19 15:49:49 hshoexer Exp $
 .\"
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
 .\"
@@ -134,17 +134,18 @@ This rule applies for packets with source address
 .Aq Ar src
 and destination address
 .Aq Ar dst .
-All addresses are specified in CIDR notation.
+All addresses are specified either in CIDR notation or as FQDN.
 The keyword
 .Ar any
 will match any address (i.e. 0.0.0.0/0).
 The
 .Ar local
-parameter specifies the address of the local endpoint of this particular
+parameter specifies the address or FQDN of the local endpoint of this
 flow and can be usually left out.
 The
 .Ar peer
-parameter specifies the address of the remote endpoint of this flow.
+parameter specifies the address or FQDN of the remote endpoint of this
+flow.
 For host-to-host connections where
 .Aq Ar dst
 is identical to
@@ -397,7 +398,7 @@ This rule applies for packets with source address
 .Aq Ar src
 and destination address
 .Aq Ar dst .
-All addresses are specified in CIDR notation.
+All addresses are specified either in CIDR notation or as FQDN.
 The keyword
 .Ar any
 will match any address (i.e. 0.0.0.0/0).
@@ -408,7 +409,8 @@ or have aliases.
 Usually this parameter can be left out.
 The
 .Ar peer
-parameter specifies the address of the remote endpoint of this particular flow.
+parameter specifies the address or FQDN of the remote endpoint of this
+particular flow.
 For host-to-host connections where
 .Aq Ar dst
 is identical to
@@ -531,7 +533,7 @@ This rule applies for packets with source address
 .Aq Ar src
 and destination address
 .Aq Ar dst .
-All addresses are specified in CIDR notation.
+All addresses are specified either in CIDR notation or as FQDN.
 The parameter
 .Ar spi
 is a 32-bit value defining the Security Parameter Index (SPI) for this SA.
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index b2eea4a863e..e17f70e7933 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.58 2006/04/13 11:55:07 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.59 2006/04/19 15:49:49 hshoexer Exp $ */
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -37,6 +37,7 @@
 #include <fcntl.h>
 #include <ifaddrs.h>
 #include <limits.h>
+#include <netdb.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <string.h>
@@ -115,6 +116,7 @@ struct ipsec_key *parsekey(unsigned char *, size_t);
 struct ipsec_key *parsekeyfile(char *);
 struct ipsec_addr_wrap *host(const char *);
 struct ipsec_addr_wrap *host_v4(const char *, int);
+struct ipsec_addr_wrap *host_dns(const char *, int, int);
 struct ipsec_addr_wrap *host_if(const char *, int);
 void ifa_load(void);
 int ifa_exists(const char *);
@@ -1173,14 +1175,18 @@ host(const char *s)
 cont = 0;
 
 /* IPv4 address? */
- if (cont && (ipa = host_v4(s, mask)) != NULL)
+ if (cont && (ipa = host_v4(s, v4mask)) != NULL)
 cont = 0;
 
 #if notyet
 /* IPv6 address? */
- if (cont && (ipa = host_dns(ps, v4mask, 0)) != NULL)
+ if (cont && (ipa = host_v6(s, v6mask)) != NULL)
 cont = 0;
 #endif
+
+ /* dns lookup */
+ if (cont && (ipa = host_dns(s, v4mask, 0)) != NULL)
+ cont = 0;
 
 free(ps);
 if (ipa == NULL || cont == 1) {
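Review bot: The added `/* dns lookup */` fallback in host() hands every operand that the literal parsers rejected to the system resolver, so an address typo is no longer a parse error but a DNS query whose first answer silently becomes the flow endpoint, resolved once at parse time by an unauthenticated lookup. The comment should say so, e.g. `/* dns lookup: resolved once at parse time via the system resolver; the answer is not authenticated */`, and the ipsec.conf.5 hunks that introduce FQDN support would benefit from the same caveat. The `#if notyet` branch now calls `host_v6(s, v6mask)`, for which this commit adds no prototype; harmless while the guard is in place, but it will not compile once the guard is removed. host() starts and ends outside the hunk.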
@@ -1224,6 +1230,45 @@ host_v4(const char *s, int mask)
 }
 
 struct ipsec_addr_wrap *
+host_dns(const char *s, int v4mask, int v6mask)
+{
+ struct ipsec_addr_wrap *ipa = NULL;
+ struct addrinfo hints, *res0, *res;
+ int error;
+ int bits = 32;
+
+ bzero(&hints, sizeof(struct addrinfo));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ error = getaddrinfo(s, NULL, &hints, &res0);
+ if (error)
+ return (NULL);
+
+ for (res = res0; res; res = res->ai_next) {
+ if (res->ai_family != AF_INET)
+ continue;
+ ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
+ if (ipa == NULL)
+ err(1, "host_dns: calloc");
+ memcpy(&ipa->address.v4,
+ &((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr,
+ sizeof(struct in_addr));
+ ipa->name = strdup(inet_ntoa(ipa->address.v4));
+ if (ipa->name == NULL)
+ err(1, "host_dns: strdup");
+ ipa->af = AF_INET;
+
+ set_ipmask(ipa, bits);
+ if (bits != (ipa->af == AF_INET ? 32 : 128))
+ ipa->netaddress = 1;
+ break;
+ }
+ freeaddrinfo(res0);
+
+ return (ipa);
+}
+
+struct ipsec_addr_wrap *
 host_if(const char *s, int mask)
 {
 struct ipsec_addr_wrap *ipa = NULL;
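Review bot: `bits` is fixed at 32 and the `v4mask`/`v6mask` parameters of host_dns() are never read, so a prefix length supplied with an FQDN is silently ignored and the `if (bits != (ipa->af == AF_INET ? 32 : 128))` test can never set `ipa->netaddress` for the only family the loop accepts. If `v4mask` carries the same meaning as the `mask` argument host_v4() receives (not visible here), the consistent fix is `set_ipmask(ipa, v4mask);` with the comparison made against `v4mask`; otherwise drop the two unused parameters so the prototype does not promise mask handling the function does not do. The loop also stops at the first AF_INET answer, so a name with several A records binds the flow to whichever one the resolver returns first; a comment such as `/* first AF_INET answer wins; additional records are ignored */` would make that dependence on resolver ordering visible to operators. The `if (error) return (NULL);` path discards getaddrinfo's reason, so a resolution failure surfaces only as the generic rejection in host(); reporting `gai_strerror(error)` there would make misconfigured names easier to diagnose.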