Re: iked wrongly processes traffic selectors
Hi Tobias,

the patch works for me. Thanks.

On Mon, 20 Jul 2020 at 23:51, Tobias Heider wrote:

> On Mon, Jul 20, 2020 at 12:03:57PM +0300, Антон Касимов wrote:
> > I am using OpenBSD 6.7
> > iked does not respect mixing ports in the source and the destination of
> > traffic selectors.
> >
> > Such policy in iked.conf
> > ikev2 "epsilon" active \
> > proto tcp \
> > from ::::30 to :::10::2 port 8000 \
> > from ::::30 port postgresql to ::::/48 \
> > from ::::30 port postgresql to ::::/48 \
> > peer d.d.d
> >
> > Produces wrong flows (specifying only destination port from first selector):
> >
> > flow esp in proto tcp from ::::/48 port 8000 to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> > flow esp in proto tcp from ::::/48 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> > flow esp in proto tcp from ::::2 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> > flow esp out proto tcp from ::::30 to ::::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> > flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> > flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> >
> > --
> > Антон Касимов / Anton Kasimov
>
> Hi Anton,
>
> thanks for the report.
> Below is a diff that should fix your problem.
>
> Index: parse.y
> ===
> RCS file: /mount/openbsd/cvs/src/sbin/iked/parse.y,v
> retrieving revision 1.102
> diff -u -p -r1.102 parse.y
> --- parse.y	25 Jun 2020 13:05:58 -	1.102
> +++ parse.y	20 Jul 2020 20:06:53 -
> @@ -344,6 +344,7 @@ struct ipsec_addr_wrap {
>  	sa_family_t af;
>  	unsigned int type;
>  	unsigned int action;
> +	uint16_t port;
>  	char*name;
>  	struct ipsec_addr_wrap *next;
>  	struct ipsec_addr_wrap *tail;
> @@ -353,8 +354,6 @@ struct ipsec_addr_wrap {
>  struct ipsec_hosts {
>  	struct ipsec_addr_wrap *src;
>  	struct ipsec_addr_wrap *dst;
> -	uint16_t sport;
> -	uint16_t dport;
>  };
>  
>  struct ipsec_filters {
> @@ -649,9 +648,9 @@ hosts : FROM host port TO host port {
>  			err(1, "hosts: calloc");
>  
>  		$$->src = $2;
> -		$$->sport = $3;
> +		$$->src->port = $3;
>  		$$->dst = $5;
> -		$$->dport = $6;
> +		$$->dst->port = $6;
>  	}
>  	| TO host port FROM host port {
>  		struct ipsec_addr_wrap *ipa;
> @@ -667,9 +666,9 @@ hosts : FROM host port TO host port {
>  			err(1, "hosts: calloc");
>  
>  		$$->src = $5;
> -		$$->sport = $6;
> +		$$->src->port = $6;
>  		$$->dst = $2;
> -		$$->dport = $3;
> +		$$->dst->port = $3;
>  	}
>  	;
>  
> @@ -2936,14 +2935,14 @@ create_ike(char *name, int af, uint8_t i
>  	flow->flow_src.addr_af = ipa->af;
>  	flow->flow_src.addr_mask = ipa->mask;
>  	flow->flow_src.addr_net = ipa->netaddress;
> -	flow->flow_src.addr_port = hosts->sport;
> +	flow->flow_src.addr_port = ipa->port;
>  
>  	memcpy(>flow_dst.addr, >address,
>  	    sizeof(ipb->address));
>  	flow->flow_dst.addr_af = ipb->af;
>  	flow->flow_dst.addr_mask = ipb->mask;
>  	flow->flow_dst.addr_net = ipb->netaddress;
> -	flow->flow_dst.addr_port = hosts->dport;
> +	flow->flow_dst.addr_port = ipb->port;
>  
>  	ippn = ipa->srcnat;
>  	if (ippn) {
>

--
Антон Касимов / Anton Kasimov
Re: iked wrongly processes traffic selectors
On Mon, Jul 20, 2020 at 12:03:57PM +0300, Антон Касимов wrote:
> I am using OpenBSD 6.7
> iked does not respect mixing ports in the source and the destination of
> traffic selectors.
>
> Such policy in iked.conf
> ikev2 "epsilon" active \
> proto tcp \
> from ::::30 to :::10::2 port 8000 \
> from ::::30 port postgresql to ::::/48 \
> from ::::30 port postgresql to ::::/48 \
> peer d.d.d
>
> Produces wrong flows (specifying only destination port from first selector):
>
> flow esp in proto tcp from ::::/48 port 8000 to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from ::::/48 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from ::::2 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from ::::30 to ::::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
>
> --
> Антон Касимов / Anton Kasimov

Hi Anton,

thanks for the report.
Below is a diff that should fix your problem.

Index: parse.y
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/parse.y,v
retrieving revision 1.102
diff -u -p -r1.102 parse.y
--- parse.y	25 Jun 2020 13:05:58 -	1.102
+++ parse.y	20 Jul 2020 20:06:53 -
@@ -344,6 +344,7 @@ struct ipsec_addr_wrap {
 	sa_family_t af;
 	unsigned int type;
 	unsigned int action;
+	uint16_t port;
 	char*name;
 	struct ipsec_addr_wrap *next;
 	struct ipsec_addr_wrap *tail;
@@ -353,8 +354,6 @@ struct ipsec_addr_wrap {
 struct ipsec_hosts {
 	struct ipsec_addr_wrap *src;
 	struct ipsec_addr_wrap *dst;
-	uint16_t sport;
-	uint16_t dport;
 };
 
 struct ipsec_filters {
@@ -649,9 +648,9 @@ hosts : FROM host port TO host port {
 			err(1, "hosts: calloc");
 
 		$$->src = $2;
-		$$->sport = $3;
+		$$->src->port = $3;
 		$$->dst = $5;
-		$$->dport = $6;
+		$$->dst->port = $6;
 	}
 	| TO host port FROM host port {
 		struct ipsec_addr_wrap *ipa;
@@ -667,9 +666,9 @@ hosts : FROM host port TO host port {
 			err(1, "hosts: calloc");
 
 		$$->src = $5;
-		$$->sport = $6;
+		$$->src->port = $6;
 		$$->dst = $2;
-		$$->dport = $3;
+		$$->dst->port = $3;
 	}
 	;
 
@@ -2936,14 +2935,14 @@ create_ike(char *name, int af, uint8_t i
 	flow->flow_src.addr_af = ipa->af;
 	flow->flow_src.addr_mask = ipa->mask;
 	flow->flow_src.addr_net = ipa->netaddress;
-	flow->flow_src.addr_port = hosts->sport;
+	flow->flow_src.addr_port = ipa->port;
 
 	memcpy(>flow_dst.addr, >address,
 	    sizeof(ipb->address));
 	flow->flow_dst.addr_af = ipb->af;
 	flow->flow_dst.addr_mask = ipb->mask;
 	flow->flow_dst.addr_net = ipb->netaddress;
-	flow->flow_dst.addr_port = hosts->dport;
+	flow->flow_dst.addr_port = ipb->port;
 
 	ippn = ipa->srcnat;
 	if (ippn) {
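Review bot: in the @@ -344 hunk the new `uint16_t port` member of struct ipsec_addr_wrap is only correct for selectors written without `port` if the node is zero-initialised, because create_ike now copies it straight into addr_port; the allocation of ipsec_addr_wrap is not in this diff, so confirm the `host` rules allocate with calloc (as the `hosts` rule does, see `err(1, "hosts: calloc")`) so that a missing port reads as 0 rather than as uninitialised memory.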
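Review bot: dropping `sport`/`dport` from struct ipsec_hosts in the @@ -353 hunk is the right model, since a port belongs to one end of one selector and not to the whole src/dst list, but it breaks the build for any other reader of those two fields; only create_ike is updated below, so grep parse.y for `->sport` and `->dport` before committing.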
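Review bot: in the @@ -649 hunk `$$->src->port = $3;` and `$$->dst->port = $6;` set the port on the head node only; ipsec_addr_wrap carries `next` and `tail` pointers, so if `host` can return more than one address for a selector end, every node after the first keeps port 0 and yields an any-port flow. Either walk the list, e.g. `for (ipa = $2; ipa != NULL; ipa = ipa->next) ipa->port = $3;`, or state in a comment why `host` is guaranteed to return a single node here.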
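Review bot: the @@ -667 hunk (the `TO host port FROM host port` branch) swaps the operands correctly (`$5`/`$6` for src, `$2`/`$3` for dst) but has the same head-node-only assignment as the FROM...TO branch, so whatever is decided there must be applied here too; a small helper taking (src, sport, dst, dport) would let both branches share one calloc-and-assign block instead of duplicating it.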
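Review bot: in the @@ -2936 hunk reading `ipa->port`/`ipb->port` from the src/dst pair being iterated instead of `hosts->sport`/`hosts->dport` is the substantive fix, since it is what stops the second and third selectors from inheriting the first selector's port. Unrelated to the change itself: the context line `memcpy(>flow_dst.addr, >address,` has lost characters before `flow_dst.addr` and `address` in this copy of the mail and does not compile as shown, so apply the patch from the original message rather than from an archive rendering.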
Re: iked wrongly processes traffic selectors
Moving to bugs@:

In gmane.os.openbsd.misc, Anton Kasimov wrote:
> I am using OpenBSD 6.7
> iked does not respect mixing ports in the source and the destination of
> traffic selectors.
>
> Such policy in iked.conf
> ikev2 "epsilon" active \
> proto tcp \
> from ::::30 to :::10::2 port 8000 \
> from ::::30 port postgresql to ::::/48 \
> from ::::30 port postgresql to ::::/48 \
> peer d.d.d
>
> Produces wrong flows (specifying only destination port from first selector):
>
> flow esp in proto tcp from ::::/48 port 8000 to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from ::::/48 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from ::::2 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from ::::30 to ::::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require

Actually whatever is used as "port" on the first selector is used for all
other selectors; if there is no port on the first selector, no port is
used for any others.

I had a look but I think it's beyond my yacc skills.
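A small Python model of what the message above describes, added here as an illustration and not code from iked or from anyone in the thread: it parses the reporter's policy into selectors, expands each into its out and in flow the way a per-selector parser should, and with fixed=False applies the first selector's ports to every selector, which is the 6.7 behaviour observed above. The service-name table, the any-port-as-0 convention and the flow rendering are assumptions of the model, and is_affected() tells you whether a given policy even exercises the bug.

```python
import re

# Service names iked resolves through the services database; only the one the report uses.
SERVICES = {"postgresql": 5432}
# The policy from the bug report, addresses left exactly as they appear in the thread.
POLICY = '''ikev2 "epsilon" active \\
proto tcp \\
from ::::30 to :::10::2 port 8000 \\
from ::::30 port postgresql to ::::/48 \\
from ::::30 port postgresql to ::::/48 \\
peer d.d.d'''

SELECTOR = re.compile(r"from\s+(\S+)(?:\s+port\s+(\S+))?\s+to\s+(\S+)(?:\s+port\s+(\S+))?")

def port_num(tok):
    # '' means the selector end had no 'port' keyword; 0 stands for "any port" (model convention)
    return 0 if not tok else int(tok) if tok.isdigit() else SERVICES[tok]

def parse_selectors(policy):
    """Return [(src, sport, dst, dport), ...] in configuration order."""
    text = policy.replace("\\\n", " ")
    return [(s, port_num(sp), d, port_num(dp)) for s, sp, d, dp in SELECTOR.findall(text)]

def expand_flows(selectors, fixed=True):
    """One out and one in flow per selector. fixed=False reproduces the 6.7 behaviour
    described in the thread: the first selector's ports are applied to every selector."""
    flows = []
    for src, sport, dst, dport in selectors:
        if not fixed:
            sport, dport = selectors[0][1], selectors[0][3]
        flows.append(("out", src, sport, dst, dport))
        flows.append(("in", dst, dport, src, sport))
    return flows

def is_affected(selectors):
    """True when ports differ between selectors, i.e. the bug changes this policy's flows."""
    first = (selectors[0][1], selectors[0][3])
    return any((sp, dp) != first for _, sp, _, dp in selectors)

def fmt(flow, proto="tcp", peer="d.d.d"):
    # render a flow the way the report shows them (srcid/dstid omitted)
    direction, src, sport, dst, dport = flow
    port = lambda n: f" port {n}" if n else ""
    return f"flow esp {direction} proto {proto} from {src}{port(sport)} to {dst}{port(dport)} peer {peer}"

if __name__ == "__main__":
    sel = parse_selectors(POLICY)
    for fixed in (False, True):
        print("fixed:" if fixed else "6.7:", *[fmt(f) for f in expand_flows(sel, fixed)], sep="\n  ")
```

Comparing the fixed=True output against the flows your iked actually installs is a quick way to confirm whether a given build carries the fix.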
iked wrongly processes traffic selectors
I am using OpenBSD 6.7
iked does not respect mixing ports in the source and the destination of
traffic selectors.

Such policy in iked.conf
ikev2 "epsilon" active \
proto tcp \
from ::::30 to :::10::2 port 8000 \
from ::::30 port postgresql to ::::/48 \
from ::::30 port postgresql to ::::/48 \
peer d.d.d

Produces wrong flows (specifying only destination port from first selector):

flow esp in proto tcp from ::::/48 port 8000 to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from ::::/48 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from ::::2 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from ::::30 to ::::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require

--
Антон Касимов / Anton Kasimov