--addresses option for ipsec pool --add command

Introduce the --addresses option for --add that can be used to add a pool
containing non-contiguous addresses. Additionally it allows to preclaim
certain addresses for certain roadwarrior IDs. See the second chunk of
the patch for a more detailed description.

Signed-off-by: Heiko Hund <hhund@astaro.com>

1 files changed, 187 insertions, 5 deletions

diff --git a/src/libstrongswan/plugins/attr_sql/pool.c b/src/libstrongswan/plugins/attr_sql/pool.c
index a901b6741..af6338880 100644
--- a/src/libstrongswan/plugins/attr_sql/pool.c
+++ b/src/libstrongswan/plugins/attr_sql/pool.c
@@ -18,6 +18,8 @@
 #include <unistd.h>
 #include <stdio.h>
 #include <time.h>
+#include <string.h>
+#include <errno.h>
 
 #include <debug.h>
 #include <library.h>
@@ -96,6 +98,18 @@ Usage:\n\
       end:     End address of the pool\n\
       timeout: Lease time in hours, 0 for static leases\n\
   \n\
+  ipsec pool --add <name> --addresses <file> [--timeout <timeout>]\n\
+    Add a new pool to the database.\n\
+      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
+      file:    File newline separated addresses for the pool are read from.\n\
+               Optionally each address can be pre-assigned to a roadwarrior\n\
+               identity, e.g. 10.231.14.2=alice@strongswan.org.\n\
+               If a - (hyphen) is given instead of a file name, the addresses\n\
+               are read from STDIN. Reading addresses stops at the end of file\n\
+               or an empty line. Pools created with this command can not be\n\
+               resized.\n\
+      timeout: Lease time in hours, 0 for static leases\n\
+  \n\
   ipsec pool --add dns|nbns|wins --server <server>\n\
     Add a new DNS or NBNS server to the database.\n\
       server:  IP address of the name server\n\
@@ -268,8 +282,14 @@ static void status(void)
 
 			start = host_create_from_chunk(AF_UNSPEC, start_chunk, 0);
 			end = host_create_from_chunk(AF_UNSPEC, end_chunk, 0);
-			size = get_pool_size(start_chunk, end_chunk);
-			printf("%8s %15H %15H ", name, start, end);
+			if (start->is_anyaddr(start) && end->is_anyaddr(end))
+			{
+				printf("%8s %15s %15s ", name, "n/a", "n/a");
+			}
+			else
+			{
+				printf("%8s %15H %15H ", name, start, end);
+			}
 			if (timeout)
 			{
 				printf("%7dh ", timeout/3600);
@@ -278,6 +298,14 @@ static void status(void)
 			{
 				printf("%8s ", "static");
 			}
+			/* get total number of hosts in the pool */
+			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
+							  "WHERE pool = ?", DB_UINT, id, DB_INT);
+			if (lease)
+			{
+				lease->enumerate(lease, &size);
+				lease->destroy(lease);
+			}
 			printf("%6d ", size);
 			/* get number of online hosts */
 			lease = db->query(db, "SELECT COUNT(*) FROM addresses "
@@ -371,6 +399,138 @@ static void add(char *name, host_t *start, host_t *end, int timeout)
 	exit(0);
 }
 
+static bool add_address(u_int pool_id, char *address_str, int *family)
+{
+	host_t *address;
+	int user_id = 0;
+
+	char *pos_eq = strchr(address_str, '=');
+	if (pos_eq != NULL)
+	{
+		enumerator_t *e;
+		identification_t *id = identification_create_from_string(pos_eq + 1);
+
+		/* look for peer identity in the identities table */
+		e = db->query(db,
+				"SELECT id FROM identities WHERE type = ? AND data = ?",
+				DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
+				DB_UINT);
+
+		if (!e || !e->enumerate(e, &user_id))
+		{
+			/* not found, insert new one */
+			if (db->execute(db, &user_id,
+					"INSERT INTO identities (type, data) VALUES (?, ?)",
+					DB_INT, id->get_type(id),
+					DB_BLOB, id->get_encoding(id)) != 1)
+			{
+				fprintf(stderr, "creating id '%s' failed.\n", pos_eq + 1);
+				return FALSE;
+			}
+		}
+		DESTROY_IF(e);
+		id->destroy(id);
+		*pos_eq = '\0';
+	}
+
+	address = host_create_from_string(address_str, 0);
+	if (address == NULL)
+	{
+		fprintf(stderr, "invalid address '%s'.\n", address_str);
+		return FALSE;
+	}
+	if (family && *family && *family != address->get_family(address))
+	{
+		fprintf(stderr, "invalid address family '%s'.\n", address_str);
+		return FALSE;
+	}
+
+	if (db->execute(db, NULL,
+			"INSERT INTO addresses "
+			"(pool, address, identity, acquired, released) "
+			"VALUES (?, ?, ?, ?, ?)",
+			DB_UINT, pool_id, DB_BLOB, address->get_address(address),
+			DB_UINT, user_id, DB_UINT, 0, DB_UINT, 1) != 1)
+	{
+		fprintf(stderr, "inserting address '%s' failed.\n", address_str);
+		return FALSE;
+	}
+	*family = address->get_family(address);
+	address->destroy(address);
+
+	return TRUE;
+}
+
+static void add_addresses(char *pool, char *path, int timeout)
+{
+	u_int pool_id, count = 0;
+	int family = AF_UNSPEC;
+	char address_str[512];
+	host_t *addr;
+	FILE *file;
+
+	if (db->get_driver(db) == DB_SQLITE)
+	{	/* run population in a transaction for sqlite */
+		db->execute(db, NULL, "BEGIN TRANSACTION");
+	}
+
+	addr = host_create_from_string("%any", 0);
+	if (addr == NULL ||
+		db->execute(db, &pool_id,
+			"INSERT INTO pools (name, start, end, timeout) "
+			"VALUES (?, ?, ?, ?)",
+			DB_TEXT, pool, DB_BLOB, addr->get_address(addr),
+			DB_BLOB, addr->get_address(addr), DB_INT, timeout*3600) != 1)
+	{
+		fprintf(stderr, "creating pool failed.\n");
+		DESTROY_IF(addr);
+		exit(-1);
+	}
+	addr->destroy(addr);
+
+	file = (strcmp(path, "-") == 0 ? stdin : fopen(path, "r"));
+	if (file == NULL)
+	{
+		fprintf(stderr, "opening '%s' failed: %s\n", path, strerror(errno));
+		exit(-1);
+	}
+
+	printf("starting allocation... ");
+	fflush(stdout);
+
+	while (fgets(address_str, sizeof(address_str), file))
+	{
+		size_t addr_len = strlen(address_str);
+		char *last_chr = address_str + addr_len - 1;
+		if (*last_chr == '\n')
+		{
+			if (addr_len == 1)
+			{	/* end of input */
+				break;
+			}
+			*last_chr = '\0';
+		}
+		if (add_address(pool_id, address_str, &family) == FALSE)
+		{
+			exit(-1);
+		}
+		++count;
+	}
+
+	if (file != stdin)
+	{
+		fclose(file);
+	}
+
+	if (db->get_driver(db) == DB_SQLITE)
+	{
+		db->execute(db, NULL, "END TRANSACTION");
+	}
+
+	printf("%d addresses done.\n", count);
+	exit(0);
+}
+
 /**
  * ipsec pool --add dns|nbns|wins - add a DNS or NBNS server entry
  */
@@ -536,6 +696,7 @@ static void resize(char *name, host_t *end)
 	enumerator_t *query;
 	chunk_t old_addr, new_addr, cur_addr;
 	u_int id, count;
+	host_t *old_end;
 
 	new_addr = end->get_address(end);
 
@@ -558,6 +719,16 @@ static void resize(char *name, host_t *end)
 	count = get_pool_size(old_addr, new_addr) - 1;
 	query->destroy(query);
 
+	/* Check whether pool is resizable */
+	old_end = host_create_from_chunk(AF_UNSPEC, old_addr, 0);
+	if (old_end && old_end->is_anyaddr(old_end))
+	{
+		fprintf(stderr, "pool is not resizable.\n");
+		old_end->destroy(old_end);
+		exit(-1);
+	}
+	DESTROY_IF(old_end);
+
 	if (db->execute(db, NULL,
 			"UPDATE pools SET end = ? WHERE name = ?",
 			DB_BLOB, new_addr, DB_TEXT, name) <= 0)
@@ -857,7 +1028,7 @@ static void cleanup(void)
 
 int main(int argc, char *argv[])
 {
-	char *uri, *name = "", *filter = "";
+	char *uri, *name = "", *filter = "", *addresses = NULL;
 	int timeout = 0;
 	bool utc = FALSE;
 	enum {
@@ -922,6 +1093,7 @@ int main(int argc, char *argv[])
 
 			{ "start", required_argument, NULL, 's' },
 			{ "end", required_argument, NULL, 'e' },
+			{ "addresses", required_argument, NULL, 'x' },
 			{ "timeout", required_argument, NULL, 't' },
 			{ "filter", required_argument, NULL, 'f' },
 			{ "server", required_argument, NULL, 'v' },
@@ -990,6 +1162,9 @@ int main(int argc, char *argv[])
 			case 'f':
 				filter = optarg;
 				continue;
+			case 'x':
+				addresses = optarg;
+				continue;
 			case 'v':
 				server = host_create_from_string(optarg, 0);
 				if (server == NULL)
@@ -1015,12 +1190,19 @@ int main(int argc, char *argv[])
 			status();
 			break;
 		case OP_ADD:
-			if (start == NULL || end == NULL)
+			if (addresses != NULL)
+			{
+				add_addresses(name, addresses, timeout);
+			}
+			else if (start != NULL && end != NULL)
+			{
+				add(name, start, end, timeout);
+			}
+			else
 			{
 				fprintf(stderr, "missing arguments.\n");
 				usage();
 			}
-			add(name, start, end, timeout);
 			break;
 		case OP_ADD_ATTR:
 			if (server == NULL)