From 5c4cedf27f7a9003364fc9ba3c9bcb9d1d320d4b Mon Sep 17 00:00:00 2001
From: tobhe
Date: Wed, 14 Sep 2022 13:07:49 +0000
Subject: [PATCH] Compare 'srcnat' when comparing policies.

Fixes a bug where policy lookup could not differentiate between similar policies that only differ in srcnat. Also include srcnat when logging flows or policies.

ok markus@
---
 sbin/iked/ikev2.c | 32 +++++++++++++++++++++++++++++---
 sbin/iked/policy.c | 4 +++-
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 9ad1e5e2df0..6f07d4f35a0 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.350 2022/07/22 15:53:33 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.351 2022/09/14 13:07:49 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -6391,6 +6391,7 @@ ikev2_childsa_enable(struct iked *env, struct iked_sa *sa)
 struct ibuf *spibuf = NULL;
 struct ibuf *flowbuf = NULL;
 char *buf;
+ char prenat_mask[10];
 uint16_t encrid = 0, integrid = 0, groupid = 0;
 size_t encrlen = 0, integrlen = 0;
 int esn = 0;
@@ -6505,10 +6506,22 @@ ikev2_childsa_enable(struct iked *env, struct iked_sa *sa)
 
 /* append flow to log buffer */
 if (flow->flow_dir == IPSP_DIRECTION_OUT &&
- asprintf(&buf, "%s-%s/%d=%s/%d(%u)%s",
+ flow->flow_prenat.addr_af != 0)
+ snprintf(prenat_mask, sizeof(prenat_mask), "%d",
+ flow->flow_prenat.addr_mask);
+ else
+ prenat_mask[0] = '\0';
+ if (flow->flow_dir == IPSP_DIRECTION_OUT &&
+ asprintf(&buf, "%s-%s/%d%s%s%s%s%s=%s/%d(%u)%s",
 print_map(flow->flow_saproto, ikev2_saproto_map),
 print_host((struct sockaddr *)&flow->flow_src.addr, NULL, 0),
 flow->flow_src.addr_mask,
+ flow->flow_prenat.addr_af != 0 ? "[": "",
+ flow->flow_prenat.addr_af != 0 ? print_host((struct sockaddr *)
+ &flow->flow_prenat.addr, NULL, 0) : "",
+ flow->flow_prenat.addr_af != 0 ? "/" : "",
+ flow->flow_prenat.addr_af != 0 ? prenat_mask : "",
+ flow->flow_prenat.addr_af != 0 ? "]": "",
 print_host((struct sockaddr *)&flow->flow_dst.addr, NULL, 0),
 flow->flow_dst.addr_mask,
 flow->flow_ipproto,
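Review bot: The optional srcnat segment is spread over five `flow->flow_prenat.addr_af != 0 ? … : ""` conversions plus a separate `prenat_mask` buffer, so the same test is repeated five times and the format string `"%s-%s/%d%s%s%s%s%s=%s/%d(%u)%s"` no longer reads as one field; formatting the whole `[host/mask]` piece once into a single local and passing it as one `%s` removes the repetition and also brings the number of print_host() calls inside the asprintf() back to two (print_host() looks like it returns a rotating static buffer — if the five-conversion shape is kept, it is worth confirming that ring has room for three live results). The same pattern appears in the ikev2_info_flow hunk, where the closing piece is `"] "` and the fix is the same with `"[%s/%d] "`. The `char prenat_mask[10];` added in the previous hunk would become the wider buffer shown below. The enclosing loop, the `!= -1` check on asprintf() and the buffer append continue outside this hunk.
```c
	char				 prenat[NI_MAXHOST + 8];	/* "[host/mask]"; NI_MAXHOST from <netdb.h> */
	/* … unchanged: remaining declarations and child SA setup … */

		/* append flow to log buffer; srcnat is optional, so format it once */
		if (flow->flow_dir == IPSP_DIRECTION_OUT &&
		    flow->flow_prenat.addr_af != 0)
			snprintf(prenat, sizeof(prenat), "[%s/%d]",
			    print_host((struct sockaddr *)
			    &flow->flow_prenat.addr, NULL, 0),
			    flow->flow_prenat.addr_mask);
		else
			prenat[0] = '\0';
		if (flow->flow_dir == IPSP_DIRECTION_OUT &&
		    asprintf(&buf, "%s-%s/%d%s=%s/%d(%u)%s",
		    print_map(flow->flow_saproto, ikev2_saproto_map),
		    print_host((struct sockaddr *)&flow->flow_src.addr, NULL, 0),
		    flow->flow_src.addr_mask,
		    prenat,
		    print_host((struct sockaddr *)&flow->flow_dst.addr, NULL, 0),
		    flow->flow_dst.addr_mask,
		    flow->flow_ipproto,
		    /* … unchanged: flow_loaded argument, != -1 check and buffer append … */
```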
@@ -7448,17 +7461,30 @@ ikev2_info_csa(struct iked *env, int dolog, const char *msg, struct iked_childsa
 void
 ikev2_info_flow(struct iked *env, int dolog, const char *msg, struct iked_flow *flow)
 {
+ char prenat_mask[10];
 char *buf;
 int buflen;
 
+ if (flow->flow_prenat.addr_af != 0)
+ snprintf(prenat_mask, sizeof(prenat_mask), "%d",
+ flow->flow_prenat.addr_mask);
+ else
+ prenat_mask[0] = '\0';
+
 buflen = asprintf(&buf,
- "%s: %p %s %s %s/%d -> %s/%d [%u]@%d (%s) @%p\n", msg, flow,
+ "%s: %p %s %s %s/%d -> %s/%d %s%s%s%s%s[%u]@%d (%s) @%p\n", msg, flow,
 print_map(flow->flow_saproto, ikev2_saproto_map),
 flow->flow_dir == IPSP_DIRECTION_IN ? "in" : "out",
 print_host((struct sockaddr *)&flow->flow_src.addr, NULL, 0),
 flow->flow_src.addr_mask,
 print_host((struct sockaddr *)&flow->flow_dst.addr, NULL, 0),
 flow->flow_dst.addr_mask,
+ flow->flow_prenat.addr_af != 0 ? "[": "",
+ flow->flow_prenat.addr_af != 0 ? print_host((struct sockaddr *)
+ &flow->flow_prenat.addr, NULL, 0) : "",
+ flow->flow_prenat.addr_af != 0 ? "/" : "",
+ flow->flow_prenat.addr_af != 0 ? prenat_mask : "",
+ flow->flow_prenat.addr_af != 0 ? "] ": "",
 flow->flow_ipproto,
 flow->flow_rdomain,
 flow->flow_loaded ? "L" : "",
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index fd94939a6e0..ad2b1dc2ccc 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.89 2021/12/01 16:42:13 deraadt Exp $ */
+/* $OpenBSD: policy.c,v 1.90 2022/09/14 13:07:50 tobhe Exp $ */
 
 /*
  * Copyright (c) 2020-2021 Tobias Heider
@@ -1216,6 +1216,8 @@ flow_cmp(struct iked_flow *a, struct iked_flow *b)
 diff = addr_cmp(&a->flow_dst, &b->flow_dst, 1);
 if (!diff)
 diff = addr_cmp(&a->flow_src, &b->flow_src, 1);
+ if (!diff)
+ diff = addr_cmp(&a->flow_prenat, &b->flow_prenat, 0);
 return (diff);
 }
 
-- 
2.20.1
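Review bot: The added `addr_cmp(&a->flow_prenat, &b->flow_prenat, 0)` in flow_cmp leaves two things implicit that a reader cannot see here: that a flow configured without srcnat keeps `flow_prenat` unset (the ikev2.c hunks test `addr_af != 0` for exactly that) and two such flows must therefore compare equal, and why the third argument is `0` where the src and dst comparisons pass `1` — presumably the port comparison, which a NAT source prefix does not carry. A one-line comment above the new `if` would pin both, e.g. `/* srcnat is optional: unset prenat compares equal; ports never apply */`. Since flow_cmp is an ordering, flows that differ only in srcnat now sort as distinct keys, which is the intended fix, but any caller that previously relied on src/dst alone to find an existing flow now has to supply the matching prenat as well. The start of flow_cmp lies outside the hunk.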