On Mon, Apr 20, 2015 at 07:35:58PM +0059, Jason McIntyre wrote:
> On Wed, Apr 15, 2015 at 05:13:13PM +0200, Vincent Gross wrote:
> > Hello,
> > 
> > iked.conf's man page is a bit fuzzy on how local and peer ip defaults
> > are set. This patch below attempts to fix that.
> > 
> 
> if you can specify one and have the other default to "any", i agree we'd
> want to document it.
> 
> for the rest, the diff essentially removes the information about when
> these options might be useful and needed. i'm less sure about that.
> 
> i'd appreciate some feedback from a developer that the content is
> correct.
> 
> i'm less inclined to rearrange the page this way without good reason.
> 
> also note for future man diffs to start new sentences on new lines.
> 

I took a second look at parse.y, and found it would choke on configs
like this one:

ikev2 active esp \
        from 10.0.1.0/24 to 172.16.0.1 local 10.0.1.1 \
        srcid 'client.lan' dstid 'gateway.lan'

To get this config to work you would need to add "peer 172.16.0.1".

It would be more logical to default local to src and peer to dst when
having only one traffic selector, and both to any otherwise.

The diff below changes how defaults are set for peer and local, and
reflects the change in iked.conf(5).

Comments? Suggestions?

--- parse.y.orig        Fri May  1 15:10:51 2015
+++ parse.y     Fri May  1 17:08:51 2015
@@ -2482,25 +2482,21 @@
        if (peers) {
                if (peers->src)
                        ipa = peers->src;
+               else if (hosts->src && hosts->src->next == NULL)
+                       ipa = hosts->src;
                if (peers->dst)
                        ipb = peers->dst;
-               if (ipa == NULL && ipb == NULL) {
-                       if (hosts->src && hosts->src->next == NULL)
-                               ipa = hosts->src;
-                       if (hosts->dst && hosts->dst->next == NULL)
-                               ipb = hosts->dst;
-               }
+               else if (hosts->dst && hosts->dst->next == NULL)
+                       ipb = hosts->dst;
        }
        if (ipa == NULL && ipb == NULL) {
                yyerror("could not get local/peer specification");
                return (-1);
        }
-       if (pol.pol_flags & IKED_POLICY_ACTIVE) {
-               if (ipb == NULL || ipb->netaddress ||
-                   (ipa != NULL && ipa->netaddress)) {
-                       yyerror("active mode requires local/peer address");
+       if ((pol.pol_flags & IKED_POLICY_ACTIVE) &&
+           (ipb == NULL || ipb->netaddress)) {
+                       yyerror("active mode requires peer host address");
                        return (-1);
-               }
        }
        if (ipa) {
                memcpy(&pol.pol_local.addr, &ipa->address,
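Review bot: the rewritten active-mode check drops the `(ipa != NULL && ipa->netaddress)` condition, so a policy that gives a network (rather than a host) as `local` is now accepted in active mode and its address is copied into `pol.pol_local.addr` by the `memcpy` that follows; the old message "active mode requires local/peer address" rejected that case. If the relaxation is intentional, the mail should say so, otherwise keep the local-address test alongside the new peer test, e.g.
        if ((pol.pol_flags & IKED_POLICY_ACTIVE) &&
            (ipb == NULL || ipb->netaddress ||
            (ipa != NULL && ipa->netaddress))) {
Also, with the inner brace gone, the `yyerror(...)` and `return (-1);` lines keep their old indentation and now sit one tab level too deep for the single `if`.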

--- iked.conf.5 28 Feb 2015 21:51:57 -0000      1.38
+++ iked.conf.5 1 May 2015 15:12:44 -0000
@@ -341,16 +341,24 @@ this option is generally not needed.
 The
 .Ic peer
 parameter specifies the address or FQDN of the remote endpoint.
-For host-to-host connections where
+For single-traffic-selector host-to-host connections where
 .Ar dst
 is identical to
 .Ar remote ,
 this option is generally not needed as it will be set to
 .Ar dst
 automatically.
-If it is not specified or if the keyword
-.Ar any
-is given, the default peer is used.
+.Pp
+When the policy contains only one traffic selector,
+.Ic local
+and
+.Ic peer
+default values are
+.Ar src
+and
+.Ar dst
+respectively. Otherwise they both default to
+.Ar any .
 .It Xo
 .Ic ikesa
 .Ic auth Ar algorithm
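Review bot: "respectively. Otherwise they both default to" puts a new sentence mid-line, which is exactly what the earlier reply asked future man diffs to avoid; split it so "Otherwise they both default to" starts its own line. The new paragraph also restates what the sentence just above it already says for the single-selector case ("it will be set to .Ar dst automatically"), so one of the two should go, and since it describes .Ic local as well as .Ic peer it may read better under a heading that covers both rather than inside the .Ic peer item. Finally, the removed lines documented that the keyword .Ar any may be given explicitly; the new text only says the options "default to .Ar any", so if parse.y still accepts the keyword, that should remain documented.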
