On Mon, Jul 20, 2020 at 12:03:57PM +0300, Антон Касимов wrote:
> I am using OpenBSD 6.7
> iked does not correctly handle traffic selectors that mix source ports and
> destination ports.
> 
> The following policy in iked.conf
> ikev2 "epsilon" active \
> proto tcp \
> from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 \
> from aaaa:aaaa:aaaa::30 port postgresql to cccc:cccc:cccc::/48 \
> from aaaa:aaaa:aaaa::30 port postgresql to bbbb:bbbb:bbbb::/48 \
> peer d.d.d
> 
> produces wrong flows (only the destination port of the first selector is applied):
> 
> flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to
> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from bbbb:bbbb:bbbb::/48 *port 8000* to
> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from bbbb:bbbb:bbbb::2 *port 8000* to
> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 port
> 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port
> 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port
> 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> 
> -- 
> Антон Касимов / Anton Kasimov
Hi Anton, thanks for the report. Below is a diff that should fix your problem.
Index: parse.y
===================================================================
RCS file: /mount/openbsd/cvs/src/sbin/iked/parse.y,v
retrieving revision 1.102
diff -u -p -r1.102 parse.y
--- parse.y	25 Jun 2020 13:05:58 -0000	1.102
+++ parse.y	20 Jul 2020 20:06:53 -0000
@@ -344,6 +344,7 @@ struct ipsec_addr_wrap {
 	sa_family_t		 af;
 	unsigned int		 type;
 	unsigned int		 action;
+	uint16_t		 port;
 	char			*name;
 	struct ipsec_addr_wrap	*next;
 	struct ipsec_addr_wrap	*tail;
@@ -353,8 +354,6 @@ struct ipsec_addr_wrap {
 struct ipsec_hosts {
 	struct ipsec_addr_wrap	*src;
 	struct ipsec_addr_wrap	*dst;
-	uint16_t		 sport;
-	uint16_t		 dport;
 };
 
 struct ipsec_filters {
@@ -649,9 +648,9 @@ hosts		: FROM host port TO host port	{
 				err(1, "hosts: calloc");
 
 			$$->src = $2;
-			$$->sport = $3;
+			$$->src->port = $3;
 			$$->dst = $5;
-			$$->dport = $6;
+			$$->dst->port = $6;
 		}
 		| TO host port FROM host port		{
 			struct ipsec_addr_wrap *ipa;
@@ -667,9 +666,9 @@ hosts		: FROM host port TO host port	{
 				err(1, "hosts: calloc");
 
 			$$->src = $5;
-			$$->sport = $6;
+			$$->src->port = $6;
 			$$->dst = $2;
-			$$->dport = $3;
+			$$->dst->port = $3;
 		}
 		;
 
@@ -2936,14 +2935,14 @@ create_ike(char *name, int af, uint8_t i
 			flow->flow_src.addr_af = ipa->af;
 			flow->flow_src.addr_mask = ipa->mask;
 			flow->flow_src.addr_net = ipa->netaddress;
-			flow->flow_src.addr_port = hosts->sport;
+			flow->flow_src.addr_port = ipa->port;
 
 			memcpy(&flow->flow_dst.addr, &ipb->address,
 			    sizeof(ipb->address));
 			flow->flow_dst.addr_af = ipb->af;
 			flow->flow_dst.addr_mask = ipb->mask;
 			flow->flow_dst.addr_net = ipb->netaddress;
-			flow->flow_dst.addr_port = hosts->dport;
+			flow->flow_dst.addr_port = ipb->port;
 
 			ippn = ipa->srcnat;
 			if (ippn) {
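Review bot: `$$->src->port = $3;` and `$$->dst->port = $6;` store the port only on the first element of each address list, although `struct ipsec_addr_wrap` carries `next`/`tail` links and the `TO host port FROM host port` alternative visibly declares a `struct ipsec_addr_wrap *ipa` for list handling; if `host` can expand to more than one address, every element after the head keeps port 0, where the removed `sport`/`dport` applied to the whole block. Walking the list preserves the old per-block semantics: `for (ipa = $2; ipa; ipa = ipa->next) ipa->port = $3;` and `for (ipa = $5; ipa; ipa = ipa->next) ipa->port = $6;`. The same applies to the `TO host port FROM host port` alternative in the next hunk, with `$5`/`$6` as source and `$2`/`$3` as destination. Whether the first alternative already has an `ipa` in scope cannot be seen here, since both rule bodies start above their hunks.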