I'm not writing any isakmpd.policy(5) file. I don't know anybody sane who does. I'd like to enforce some policy based on what I write in ipsec.conf(5)... So I don't understand why I have to pass '-K' on every machine I set up. If I don't specify any policy file, then I'd assume isakmpd(8) would do the right thing.
Diff below makes '-K' the default if isakmpd.policy doesn't exist AND you didn't specify a "Policy-file". ok? Index: conf.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/conf.c,v retrieving revision 1.107 diff -u -p -r1.107 conf.c --- conf.c 27 Oct 2017 08:29:32 -0000 1.107 +++ conf.c 4 Jan 2018 11:41:25 -0000 @@ -514,7 +514,6 @@ conf_load_defaults(int tr) conf_set(tr, "General", "Exchange-max-time", CONF_DFLT_EXCH_MAX_TIME, 0, 1); conf_set(tr, "General", "Use-Keynote", CONF_DFLT_USE_KEYNOTE, 0, 1); - conf_set(tr, "General", "Policy-file", CONF_DFLT_POLICY_FILE, 0, 1); conf_set(tr, "General", "Pubkey-directory", CONF_DFLT_PUBKEY_DIR, 0, 1); Index: policy.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/policy.c,v retrieving revision 1.97 diff -u -p -r1.97 policy.c --- policy.c 22 Nov 2013 04:12:47 -0000 1.97 +++ policy.c 4 Jan 2018 11:42:07 -0000 @@ -1937,14 +1937,18 @@ policy_init(void) /* Get policy file from configuration. */ policy_file = conf_get_str("General", "Policy-file"); - if (!policy_file) - policy_file = CONF_DFLT_POLICY_FILE; - - /* Open policy file. */ - fd = monitor_open(policy_file, O_RDONLY, 0); - if (fd == -1) - log_fatal("policy_init: open (\"%s\", O_RDONLY) failed", - policy_file); + if (!policy_file) { + /* Try to open default policy file. */ + fd = monitor_open(CONF_DFLT_POLICY_FILE, O_RDONLY, 0); + if (fd == -1) + return; + } else { + /* Open policy file. */ + fd = monitor_open(policy_file, O_RDONLY, 0); + if (fd == -1) + log_fatal("policy_init: open (\"%s\", O_RDONLY) failed", + policy_file); + } /* Check file modes and collect file size */ if (check_file_secrecy_fd(fd, policy_file, &sz)) {
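Review bot: the conf.c hunk removes the "Policy-file" default from conf_load_defaults(), so conf_get_str("General", "Policy-file") now returns NULL whenever the option is not set in isakmpd.conf, but the diff carries no man page update; isakmpd.conf(5) (Policy-file) and isakmpd(8) (-K) should state the new behaviour, namely that with Policy-file unset and no CONF_DFLT_POLICY_FILE present policy checking is skipped, while an explicitly configured Policy-file that cannot be opened remains fatal. It is also worth checking that no other caller of conf_get_str("General", "Policy-file") relied on the old non-NULL default.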
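Review bot: in the policy.c hunk's new `if (!policy_file)` branch, `policy_file` stays NULL after CONF_DFLT_POLICY_FILE opens successfully, yet the unchanged context line that follows passes it on as `check_file_secrecy_fd(fd, policy_file, &sz)`, which presumably uses the name in its diagnostics; set `policy_file = CONF_DFLT_POLICY_FILE;` at the top of that branch so the rest of policy_init() sees a valid name. Two further points: the bare `return` on `fd == -1` treats every open failure (EACCES, EIO, and so on) as "no policy file", so a default policy file that exists but is unreadable would silently turn policy checking off; consider returning only when `errno == ENOENT` and keeping the `log_fatal()` for anything else. And since the message describes this as making -K the default, it should be confirmed that returning early from policy_init() leaves the daemon in the same state -K does, rather than with policy machinery partially initialised and no policies loaded.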