Hi Tobias, the patch works for me. Thanks.
пн, 20 июл. 2020 г. в 23:51, Tobias Heider <tobias.hei...@stusta.de>: > On Mon, Jul 20, 2020 at 12:03:57PM +0300, Антон Касимов wrote: > > I am using OpenBSD 6.7 > > iked does not respect mixing ports in the source and the destination of > > traffic selectors. > > > > Such policy in iked.conf > > ikev2 "epsilon" active \ > > proto tcp \ > > from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 \ > > from aaaa:aaaa:aaaa::30 port postgresql to cccc:cccc:cccc::/48 \ > > from aaaa:aaaa:aaaa::30 port postgresql to bbbb:bbbb:bbbb::/48 \ > > peer d.d.d > > > > Produces wrong flows (specifying only destination port from first > selector): > > > > flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to > > aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type > require > > flow esp in proto tcp from bbbb:bbbb:bbbb::/48 *port 8000* to > > aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type > require > > flow esp in proto tcp from bbbb:bbbb:bbbb::2 *port 8000* to > > aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type > require > > flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 > port > > 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require > > flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 > *port > > 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require > > flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 > *port > > 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require > > > > -- > > Антон Касимов / Anton Kasimov > > Hi Anton, > > thanks for the report. > Below is a diff that should fix your problem.
>
> Index: parse.y
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/parse.y,v
> retrieving revision 1.102
> diff -u -p -r1.102 parse.y
> --- parse.y 25 Jun 2020 13:05:58 -0000 1.102
> +++ parse.y 20 Jul 2020 20:06:53 -0000
> @@ -344,6 +344,7 @@ struct ipsec_addr_wrap {
> sa_family_t af;
> unsigned int type;
> unsigned int action;
> + uint16_t port;
> char *name;
> struct ipsec_addr_wrap *next;
> struct ipsec_addr_wrap *tail;
> @@ -353,8 +354,6 @@ struct ipsec_addr_wrap {
> struct ipsec_hosts {
> struct ipsec_addr_wrap *src;
> struct ipsec_addr_wrap *dst;
> - uint16_t sport;
> - uint16_t dport;
> };
>
> struct ipsec_filters {
> @@ -649,9 +648,9 @@ hosts : FROM host port TO host port {
> err(1, "hosts: calloc");
>
> $$->src = $2;
> - $$->sport = $3;
> + $$->src->port = $3;
> $$->dst = $5;
> - $$->dport = $6;
> + $$->dst->port = $6;
> }
> | TO host port FROM host port {
> struct ipsec_addr_wrap *ipa;
> @@ -667,9 +666,9 @@ hosts : FROM host port TO host port {
> err(1, "hosts: calloc");
>
> $$->src = $5;
> - $$->sport = $6;
> + $$->src->port = $6;
> $$->dst = $2;
> - $$->dport = $3;
> + $$->dst->port = $3;
> }
> ;
>
> @@ -2936,14 +2935,14 @@ create_ike(char *name, int af, uint8_t i
> flow->flow_src.addr_af = ipa->af;
> flow->flow_src.addr_mask = ipa->mask;
> flow->flow_src.addr_net = ipa->netaddress;
> - flow->flow_src.addr_port = hosts->sport;
> + flow->flow_src.addr_port = ipa->port;
>
> memcpy(&flow->flow_dst.addr, &ipb->address,
> sizeof(ipb->address));
> flow->flow_dst.addr_af = ipb->af;
> flow->flow_dst.addr_mask = ipb->mask;
> flow->flow_dst.addr_net = ipb->netaddress;
> - flow->flow_dst.addr_port = hosts->dport;
> + flow->flow_dst.addr_port = ipb->port;
>
> ippn = ipa->srcnat;
> if (ippn) {
> -- Антон Касимов / Anton Kasimov
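Review bot: The port is written only to the head of the `host` list (`$$->src->port = $3;` and `$$->dst->port = $6;` in the `hosts` alternative at -649, mirrored at -667), yet `struct ipsec_addr_wrap` is a linked list (`next`/`tail` are visible in the first hunk), so any further entries a `host` expands to keep a port of 0 when `create_ike` later reads `ipa->port`/`ipb->port` per flow. If a zero port is treated as a wildcard there, a selector the operator wrote with a port would silently yield unrestricted flows for those extra addresses, which is the opposite of what the policy states. Assigning the port to every entry, `for (ipa = $2; ipa != NULL; ipa = ipa->next) ipa->port = $3;` (and likewise for `$5`/`$6` and in the `TO ... FROM` alternative), keeps the selector as tight as written; whether `host` can actually produce more than one entry is not visible in the hunk, so confirm that against the `host` rule before deciding. Also, `$$->src->port` dereferences `$2` immediately after only `$$`'s `calloc` was checked, which is fine only if `host` can never yield NULL. The `create_ike` hunk is an excerpt; the function starts and ends outside it.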