With this patch, starter sends DNS names to charon instead of resolving
them to IP addresses. Charon can then handle a change of its IKE peer's
IP address if the DNS entry has been updated accordingly.
Connections can be sustained even when both ends are on dial-up.
The patch has only undergone light testing, although I tried not to break
existing functionality.
Please comment, and consider for inclusion in strongSwan.
Regards
Mirko Parthey
diff --git a/src/starter/args.c b/src/starter/args.c
index 78439e2..544c07b 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -255,7 +255,7 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_ca_t, certuribase), NULL },
/* end keywords */
- { ARG_MISC, 0, NULL /* KW_HOST */ },
+ { ARG_STR, offsetof(starter_end_t, dnsname), NULL /* KW_HOST */ },
{ ARG_UINT, offsetof(starter_end_t, ikeport), NULL },
{ ARG_MISC, 0, NULL /* KW_NEXTHOP */ },
{ ARG_STR, offsetof(starter_end_t, subnet), NULL },
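Review bot: Changing KW_HOST from ARG_MISC to ARG_STR makes the generic string handler store the host= text verbatim in `dnsname` before kw_end() post-processes it, so for `%any`, `%defaultroute` and `%group` the field ends up holding the literal keyword even though `has_dnsname` stays FALSE and nothing sends it; the bare `/* KW_HOST */` tag should say so, e.g. `/* KW_HOST: raw host text lands in dnsname; kw_end() resolves it and decides whether charon gets the text */`. Whether the generic handler strips or keeps a leading `%` is not visible here, and the post-processing only re-clones the string in the allow_any branch, so that assumption is worth confirming before relying on `dnsname` for anything but the has_dnsname path.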
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 5c94787..bbe4f0f 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -94,6 +94,8 @@ static void default_values(starter_config_t *cfg)
cfg->conn_default.left.sendcert = CERT_SEND_IF_ASKED;
cfg->conn_default.right.sendcert = CERT_SEND_IF_ASKED;
+ cfg->conn_default.left.has_dnsname = FALSE;
+ cfg->conn_default.right.has_dnsname = FALSE;
anyaddr(AF_INET, &cfg->conn_default.left.addr);
anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
anyaddr(AF_INET, &cfg->conn_default.right.addr);
@@ -155,6 +157,71 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
/* post processing of some keywords that were assigned automatically */
switch (token)
{
+ case KW_HOST:
+ end->has_dnsname = FALSE;
+ if (streq(value, "%defaultroute"))
+ {
+ if (cfg->defaultroute.defined)
+ {
+ end->addr = cfg->defaultroute.addr;
+ end->nexthop = cfg->defaultroute.nexthop;
+ }
+ else if (!cfg->defaultroute.supported)
+ {
+ plog("%%defaultroute not supported, fallback to %%any");
+ }
+ else
+ {
+ plog("# default route not known: %s=%s", name, value);
+ goto err;
+ }
+ }
+ else if (streq(value, "%any") || streq(value, "%any4"))
+ {
+ anyaddr(conn->addr_family, &end->addr);
+ }
+ else if (streq(value, "%any6"))
+ {
+ conn->addr_family = AF_INET6;
+ anyaddr(conn->addr_family, &end->addr);
+ }
+ else if (streq(value, "%group"))
+ {
+ ip_address any;
+
+ conn->policy |= POLICY_GROUP | POLICY_TUNNEL;
+ anyaddr(conn->addr_family, &end->addr);
+ anyaddr(conn->tunnel_addr_family, &any);
+ end->has_client = TRUE;
+ }
+ else
+ {
+ /* check for allow_any prefix */
+ if (value[0] == '%')
+ {
+ end->allow_any = TRUE;
+ value++;
+ free(end->dnsname);
+ end->dnsname = clone_str(value);
+ }
+ conn->addr_family = ip_version(value);
+ ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
+ if (ugh != NULL)
+ {
+ plog("# bad addr: %s=%s [%s]", name, value, ugh);
+ if (streq(ugh, "does not look numeric and name lookup failed"))
+ {
+ end->dns_failed = TRUE;
+ anyaddr(conn->addr_family, &end->addr);
+ }
+ else
+ {
+ goto err;
+ }
+ }
+ end->has_dnsname = TRUE;
+ }
+ break;
case KW_SUBNET:
if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
|| (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
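Review bot: `end->has_dnsname = TRUE;` at the end of the final else branch is reached for every host value that is not a `%keyword`, including numeric IP literals, so the flag really means "forward the raw host text to charon" rather than "this is a DNS name"; either add `/* forward the host text as written; charon resolves names itself and can follow address changes */` above it, or only set it when ttoaddr() did not parse a numeric literal. In the non-`%` path the code relies on the generic ARG_STR assignment having already copied the value into `end->dnsname` (the allow_any branch is the only one that re-clones it, to drop the `%`), a coupling that deserves a one-line comment because it is invisible from this function. Keeping the flag set after `end->dns_failed = TRUE;` looks intentional, since charon then gets a name it can retry, but that should be stated next to the assignment rather than left implicit. Deferring resolution to charon also means the peer address now follows whatever DNS returns at connect time, which is unauthenticated; IKE peer authentication remains the only identity check, so the patch description or a comment should say that the resolved address must not be trusted on its own. kw_end() starts and ends outside this hunk.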
@@ -264,67 +331,6 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
/* individual processing of keywords that were not assigned automatically */
switch (token)
{
- case KW_HOST:
- if (streq(value, "%defaultroute"))
- {
- if (cfg->defaultroute.defined)
- {
- end->addr = cfg->defaultroute.addr;
- end->nexthop = cfg->defaultroute.nexthop;
- }
- else if (!cfg->defaultroute.supported)
- {
- plog("%%defaultroute not supported, fallback to %%any");
- }
- else
- {
- plog("# default route not known: %s=%s", name, value);
- goto err;
- }
- }
- else if (streq(value, "%any") || streq(value, "%any4"))
- {
- anyaddr(conn->addr_family, &end->addr);
- }
- else if (streq(value, "%any6"))
- {
- conn->addr_family = AF_INET6;
- anyaddr(conn->addr_family, &end->addr);
- }
- else if (streq(value, "%group"))
- {
- ip_address any;
-
- conn->policy |= POLICY_GROUP | POLICY_TUNNEL;
- anyaddr(conn->addr_family, &end->addr);
- anyaddr(conn->tunnel_addr_family, &any);
- end->has_client = TRUE;
- }
- else
- {
- /* check for allow_any prefix */
- if (value[0] == '%')
- {
- end->allow_any = TRUE;
- value++;
- }
- conn->addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
- if (ugh != NULL)
- {
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- if (streq(ugh, "does not look numeric and name lookup failed"))
- {
- end->dns_failed = TRUE;
- anyaddr(conn->addr_family, &end->addr);
- }
- else
- {
- goto err;
- }
- }
- }
- break;
case KW_NEXTHOP:
if (streq(value, "%defaultroute"))
{
diff --git a/src/starter/confread.h b/src/starter/confread.h
index fe3219f..ef54c1f 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -66,6 +66,8 @@ struct starter_end {
char *groups;
char *cert_policy;
char *iface;
+ char *dnsname;
+ bool has_dnsname;
ip_address addr;
u_int ikeport;
ip_address nexthop;
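Review bot: The two new fields have no comment and their relationship is not obvious from the names; suggest `char *dnsname;   /* host= text as written (allow_any '%' stripped), handed to charon when has_dnsname */` and `bool has_dnsname; /* TRUE when dnsname rather than addr is passed to charon; also set for numeric literals */`. `dnsname` is a heap-owned string: if starter releases end strings by walking token_info then the ARG_STR change in args.c covers it, but if the teardown path frees fields individually it needs an explicit free(), and no hunk in this patch shows either case, so please confirm.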
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 6ead95c..7076919 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -169,8 +169,15 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
msg_end->ca2 = push_string(msg, conn_end->ca2);
msg_end->groups = push_string(msg, conn_end->groups);
msg_end->updown = push_string(msg, conn_end->updown);
- ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
- msg_end->address = push_string(msg, buffer);
+ if (conn_end->has_dnsname)
+ {
+ msg_end->address = push_string(msg, conn_end->dnsname);
+ }
+ else
+ {
+ ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
+ msg_end->address = push_string(msg, buffer);
+ }
msg_end->ikeport = conn_end->ikeport;
msg_end->subnets = push_string(msg, conn_end->subnet);
msg_end->sourceip = push_string(msg, conn_end->sourceip);
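Review bot: The new branch pushes `conn_end->dnsname` without checking it, so a conn with `has_dnsname` set but a NULL string (e.g. if the flag and the string ever get out of step in kw_end()) would depend on push_string()'s handling of NULL; guarding with `if (conn_end->has_dnsname && conn_end->dnsname)` keeps the existing ip_address2string() path as the fallback at no cost. Note that because has_dnsname is also set for numeric literals, charon now receives the operator's spelling of the address instead of the canonical form from ip_address2string(), which is fine as long as charon parses it, but worth a comment such as `/* charon resolves the name itself so it can follow DNS updates */` on the if. starter_stroke_add_end() starts before this hunk.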