management of any attribute by ipsec pool

6 files changed, 693 insertions, 218 deletions

diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am
index 376a8259c..a3dac863f 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.am
+++ b/src/libhydra/plugins/attr_sql/Makefile.am
@@ -18,6 +18,8 @@ libstrongswan_attr_sql_la_SOURCES = \
 libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
 
 ipsec_PROGRAMS = pool
-pool_SOURCES = pool.c
-pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pool_SOURCES = pool.c pool_attributes.c pool_attributes.h \
+			   pool_usage.h pool_usage.c
+pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+			 $(top_builddir)/src/libhydra/libhydra.la
 pool.o :	$(top_builddir)/config.status
diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c
index fed89fc51..771281467 100644
--- a/src/libhydra/plugins/attr_sql/pool.c
+++ b/src/libhydra/plugins/attr_sql/pool.c
@@ -27,15 +27,18 @@
 #include <utils/identification.h>
 #include <attributes/attributes.h>
 
+#include "pool_attributes.h"
+#include "pool_usage.h"
+
 /**
  * global database handle
  */
 database_t *db;
 
 /**
- * --start/--end/--server addresses of various subcommands
+ * --start/--end addresses of various subcommands
  */
-host_t *start = NULL, *end = NULL, *server = NULL;
+host_t *start = NULL, *end = NULL;
 
 /**
  * whether --add should --replace an existing pool
@@ -126,23 +129,6 @@ static bool is_attribute(char *name)
 }
 
 /**
- * determine configuration attribute type
- */
-static configuration_attribute_type_t get_attribute_type(char *name, host_t* addr)
-{
-	if (strcaseeq(name, "dns"))
-	{
-		return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_DNS :
-													 INTERNAL_IP6_DNS;
-	}
-	else
-	{
-		return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_NBNS :
-													 INTERNAL_IP6_NBNS;
-	}
-}
-
-/**
  * calculate the size of a pool using start and end address chunk
  */
 static u_int get_pool_size(chunk_t start, chunk_t end)
@@ -159,85 +145,6 @@ static u_int get_pool_size(chunk_t start, chunk_t end)
 }
 
 /**
- * print usage info
- */
-static void usage(void)
-{
-	printf("\
-Usage:\n\
-  ipsec pool --status|--add|--replace|--del|--resize|--purge [options]\n\
-  \n\
-  ipsec pool --status\n\
-    Show a list of installed pools with statistics.\n\
-  \n\
-  ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\
-  ipsec pool --replace <name> --start <start> --end <end> [--timeout <timeout>]\n\
-    Add a new pool to or replace an existing pool in the database.\n\
-      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
-      start:   Start address of the pool\n\
-      end:     End address of the pool\n\
-      timeout: Lease time in hours, 0 for static leases\n\
-  \n\
-  ipsec pool --add <name> --addresses <file> [--timeout <timeout>]\n\
-  ipsec pool --replace <name> --addresses <file> [--timeout <timeout>]\n\
-    Add a new pool to or replace an existing pool in the database.\n\
-      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
-      file:    File newline separated addresses for the pool are read from.\n\
-               Optionally each address can be pre-assigned to a roadwarrior\n\
-               identity, e.g. 10.231.14.2=alice@strongswan.org.\n\
-               If a - (hyphen) is given instead of a file name, the addresses\n\
-               are read from STDIN. Reading addresses stops at the end of file\n\
-               or an empty line. Pools created with this command can not be\n\
-               resized.\n\
-      timeout: Lease time in hours, 0 for static leases\n\
-  \n\
-  ipsec pool --add dns|nbns|wins --server <server>\n\
-    Add a new DNS or NBNS server to the database.\n\
-      server:  IP address of the name server\n\
-  \n\
-  ipsec pool --del <name>\n\
-    Delete a pool from the database.\n\
-      name:    Name of the pool to delete\n\
-  \n\
-  ipsec pool --del dns|nbns|wins [--server <server>]\n\
-    Delete a specific or all DNS or NBNS servers from the database.\n\
-      server:  IP address of the name server to delete\n\
-  \n\
-  ipsec pool --resize <name> --end <end>\n\
-    Grow or shrink an existing pool.\n\
-      name:    Name of the pool to resize\n\
-      end:     New end address for the pool\n\
-  \n\
-  ipsec pool --leases [--filter <filter>] [--utc]\n\
-    Show lease information using filters:\n\
-      filter:  Filter string containing comma separated key=value filters,\n\
-               e.g. id=alice@strongswan.org,addr=1.1.1.1\n\
-                  pool:   name of the pool\n\
-                  id:     assigned identity of the lease\n\
-                  addr:   lease IP address\n\
-                  tstamp: UNIX timestamp when lease was valid, as integer\n\
-                  status: status of the lease: online|valid|expired\n\
-      utc:    Show times in UTC instead of local time\n\
-  \n\
-  ipsec pool --purge <name>\n\
-    Delete lease history of a pool:\n\
-      name:    Name of the pool to purge\n\
-  \n\
-  ipsec pool --batch <file>\n\
-    Read commands from a file and execute them atomically.\n\
-      file:    File to read the newline separated commands from. Commands\n\
-               appear as they are written on the command line, e.g.\n\
-                  --replace mypool --start 10.0.0.1 --end 10.0.0.254\n\
-                  --del dns\n\
-                  --add dns --server 10.1.0.1\n\
-                  --add dns --server 10.1.1.1\n\
-               If a - (hyphen) is given as a file name, the commands are read\n\
-               from STDIN. Readin commands stops at the end of file. Empty\n\
-               lines are ignored. The file may not contain a --batch command.\n\
-  \n");
-}
-
-/**
  * ipsec pool --status - show pool overview
  */
 static void status(void)
@@ -593,26 +500,6 @@ static void add_addresses(char *pool, char *path, int timeout)
 }
 
 /**
- * ipsec pool --add dns|nbns|wins - add a DNS or NBNS server entry
- */
-static void add_attr(char *name, host_t *server)
-{
-	configuration_attribute_type_t type;
-	chunk_t value;
-
-	type = get_attribute_type(name, server);
-	value = server->get_address(server);
-	if (db->execute(db, NULL,
-			"INSERT INTO attributes (type, value) VALUES (?, ?)",
-			DB_INT, type, DB_BLOB, value) != 1)
-	{
-		fprintf(stderr, "adding %s server %H failed.\n", name, server);
-		exit(EXIT_FAILURE);
-	}
-	printf("added %s server %H\n", name, server);
-}
-
-/**
  * ipsec pool --del - delete a pool
  */
 static void del(char *name)
@@ -653,88 +540,6 @@ static void del(char *name)
 }
 
 /**
- * ipsec pool --del dns|nbns|wins - delete a DNS or NBNS server entry
- */
-static void del_attr(char *name, host_t *server)
-{
-	configuration_attribute_type_t type;
-	chunk_t value;
-	u_int id;
-	enumerator_t *query;
-	bool found = FALSE;
-
-	if (server)
-	{
-		type = get_attribute_type(name, server);
-		value = server->get_address(server);
-		query = db->query(db,
-					"SELECT id, type, value FROM attributes "
-					"WHERE type = ? AND value = ?",
-					DB_INT, type, DB_BLOB, value,
-					DB_UINT, DB_INT, DB_BLOB);
-	}
-	else
-	{
-		configuration_attribute_type_t type_ip4, type_ip6;
-
-		if (strcaseeq(name, "dns"))
-		{
-			type_ip4 = INTERNAL_IP4_DNS;
-			type_ip6 = INTERNAL_IP6_DNS;
-		}
-		else
-		{
-			type_ip4 = INTERNAL_IP4_NBNS;
-			type_ip6 = INTERNAL_IP6_NBNS;
-		}
-
-		query = db->query(db,
-					"SELECT id, type, value FROM attributes "
-					"WHERE type = ? OR type = ?",
-					DB_INT, type_ip4, DB_INT, type_ip6,
-					DB_UINT, DB_INT, DB_BLOB);
-	}
-	if (!query)
-	{
-		fprintf(stderr, "deleting %s servers failed.\n", name);
-		exit(EXIT_FAILURE);
-	}
-
-	while (query->enumerate(query, &id, &type, &value))
-	{
-		int family;
-		host_t *host;
-
-		found = TRUE;
-		family = (type == INTERNAL_IP4_DNS || type == INTERNAL_IP4_NBNS) ?
-				  AF_INET : AF_INET6;
-		host = host_create_from_chunk(family, value, 0);
-		if (db->execute(db, NULL,
-					"DELETE FROM attributes WHERE id = ?",
-					 DB_UINT, id) != 1)
-		{
-			fprintf(stderr, "deleting %s server %H failed\n", name, host);
-			query->destroy(query);
-			DESTROY_IF(host);
-			exit(EXIT_FAILURE);
-		}
-		printf("deleted %s server %H\n", name, host);
-		DESTROY_IF(host);
-	}
-	query->destroy(query);
-
-	if (!found && server)
-	{
-		printf("%s server %H not found\n", name, server);
-		exit(EXIT_FAILURE);
-	}
-	else if (!found)
-	{
-		printf("no %s servers found\n", name);
-	}
-}
-
-/**
  * ipsec pool --resize - resize a pool
  */
 static void resize(char *name, host_t *end)
@@ -1134,18 +939,20 @@ static void cleanup(void)
 	db->destroy(db);
 	DESTROY_IF(start);
 	DESTROY_IF(end);
-	DESTROY_IF(server);
 }
 
 static void do_args(int argc, char *argv[])
 {
-	char *name = "", *filter = "", *addresses = NULL;
+	char *name = "", *value = "", *filter = "", *addresses = NULL;
+	value_type_t value_type = VALUE_NONE;
 	int timeout = 0;
 	bool utc = FALSE;
+
 	enum {
 		OP_UNDEF,
 		OP_USAGE,
 		OP_STATUS,
+		OP_STATUS_ATTR,
 		OP_ADD,
 		OP_ADD_ATTR,
 		OP_DEL,
@@ -1174,14 +981,20 @@ static void do_args(int argc, char *argv[])
 			{ "resize", required_argument, NULL, 'r' },
 			{ "leases", no_argument, NULL, 'l' },
 			{ "purge", required_argument, NULL, 'p' },
+			{ "statusattr", no_argument, NULL, '1' },
+			{ "addattr", required_argument, NULL, '2' },
+			{ "delattr", required_argument, NULL, '3' },
 			{ "batch", required_argument, NULL, 'b' },
 
 			{ "start", required_argument, NULL, 's' },
 			{ "end", required_argument, NULL, 'e' },
-			{ "addresses", required_argument, NULL, 'x' },
+			{ "addresses", required_argument, NULL, 'y' },
 			{ "timeout", required_argument, NULL, 't' },
 			{ "filter", required_argument, NULL, 'f' },
 			{ "server", required_argument, NULL, 'v' },
+			{ "subnet", required_argument, NULL, 'n' },
+			{ "string", required_argument, NULL, 'g' },
+			{ "hex", required_argument, NULL, 'x' },
 			{ 0,0,0,0 }
 		};
 
@@ -1196,6 +1009,8 @@ static void do_args(int argc, char *argv[])
 			case 'w':
 				operation = OP_STATUS;
 				break;
+			case '1':
+				operation = OP_STATUS_ATTR;
 			case 'u':
 				utc = TRUE;
 				continue;
@@ -1207,15 +1022,24 @@ static void do_args(int argc, char *argv[])
 				operation = is_attribute(name) ? OP_ADD_ATTR : OP_ADD;
 				if (replace_pool && operation == OP_ADD_ATTR)
 				{
-					fprintf(stderr, "invalid pool name: '%s'.\n", optarg);
+					fprintf(stderr, "invalid pool name: "
+									"reserved for '%s' attribute.\n", optarg);
 					usage();
 					exit(EXIT_FAILURE);
 				}
 				continue;
+			case '2':
+				name = optarg;
+				operation = OP_ADD_ATTR;
+				continue;
 			case 'd':
 				name = optarg;
 				operation = is_attribute(name) ? OP_DEL_ATTR : OP_DEL;
 				continue;
+			case '3':
+				name = optarg;
+				operation = OP_DEL_ATTR;
+				continue;
 			case 'r':
 				name = optarg;
 				operation = OP_RESIZE;
@@ -1268,18 +1092,24 @@ static void do_args(int argc, char *argv[])
 			case 'f':
 				filter = optarg;
 				continue;
-			case 'x':
+			case 'y':
 				addresses = optarg;
 				continue;
+			case 'g':
+				value_type = VALUE_STRING;
+				value = optarg;
+				continue;
+			case 'n':
+				value_type = VALUE_SUBNET;
+				value = optarg;
+				continue;
 			case 'v':
-				DESTROY_IF(server);
-				server = host_create_from_string(optarg, 0);
-				if (server == NULL)
-				{
-					fprintf(stderr, "invalid server address: '%s'.\n", optarg);
-					usage();
-					exit(EXIT_FAILURE);
-				}
+				value_type = VALUE_ADDR;
+				value = optarg;
+				continue;
+			case 'x':
+				value_type = VALUE_HEX;
+				value = optarg;
 				continue;
 			default:
 				usage();
@@ -1297,6 +1127,9 @@ static void do_args(int argc, char *argv[])
 		case OP_STATUS:
 			status();
 			break;
+		case OP_STATUS_ATTR:
+			status_attr();
+			break;
 		case OP_ADD:
 			if (addresses != NULL)
 			{
@@ -1314,19 +1147,20 @@ static void do_args(int argc, char *argv[])
 			}
 			break;
 		case OP_ADD_ATTR:
-			if (server == NULL)
+			if (value_type == VALUE_NONE)
 			{
 				fprintf(stderr, "missing arguments.\n");
 				usage();
 				exit(EXIT_FAILURE);
 			}
-			add_attr(name, server);
+			add_attr(name, value, value_type);
 			break;
 		case OP_DEL:
 			del(name);
 			break;
 		case OP_DEL_ATTR:
-			del_attr(name, server);
+			
+			del_attr(name, value, value_type);
 			break;
 		case OP_RESIZE:
 			if (end == NULL)
diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.c b/src/libhydra/plugins/attr_sql/pool_attributes.c
new file mode 100644
index 000000000..5b1c670bc
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool_attributes.c
@@ -0,0 +1,450 @@
+/*
+ * Copyright (C) 2009-2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <string.h>
+
+#include <library.h>
+#include <utils/host.h>
+
+#include "pool_attributes.h"
+#include "pool_usage.h"
+
+/**
+ * global database handle
+ */
+extern database_t *db;
+
+#define UNITY_NETWORK_LEN	14
+
+typedef struct attr_info_t attr_info_t;
+
+struct attr_info_t {
+	char*                           keyword;
+	value_type_t                    value_type;
+	configuration_attribute_type_t  type;
+	configuration_attribute_type_t  type_ip6;
+};
+
+static const attr_info_t attr_info[] = {
+	{ "internal_ip4_dns",    VALUE_ADDR,   INTERNAL_IP4_DNS,    0 },
+	{ "internal_ip6_dns",    VALUE_ADDR,   INTERNAL_IP6_DNS,    0 },
+	{ "dns",                 VALUE_ADDR,   INTERNAL_IP4_DNS,
+										   INTERNAL_IP6_DNS       },
+	{ "internal_ip4_nbns",   VALUE_ADDR,   INTERNAL_IP4_NBNS,   0 },
+	{ "internal_ip6_nbns",   VALUE_ADDR,   INTERNAL_IP6_NBNS,   0 },
+	{ "nbns",                VALUE_ADDR,   INTERNAL_IP4_NBNS,
+										   INTERNAL_IP6_NBNS      },
+	{ "wins",                VALUE_ADDR,   INTERNAL_IP4_NBNS,
+										   INTERNAL_IP6_NBNS      },
+	{ "internal_ip4_dhcp",   VALUE_ADDR,   INTERNAL_IP4_DHCP,   0 },
+	{ "internal_ip6_dhcp",   VALUE_ADDR,   INTERNAL_IP6_DHCP,   0 },
+	{ "dhcp",                VALUE_ADDR,   INTERNAL_IP4_DHCP,
+										   INTERNAL_IP6_DHCP      },
+	{ "internal_ip4_server", VALUE_ADDR,   INTERNAL_IP4_SERVER, 0 },
+	{ "internal_ip6_server", VALUE_ADDR,   INTERNAL_IP6_SERVER, 0 },
+	{ "server",              VALUE_ADDR,   INTERNAL_IP4_SERVER,
+										   INTERNAL_IP6_SERVER    },
+	{ "application_version", VALUE_STRING, APPLICATION_VERSION, 0 },
+	{ "version",             VALUE_STRING, APPLICATION_VERSION, 0 },
+	{ "unity_banner",        VALUE_STRING, UNITY_BANNER,        0 },
+	{ "banner",              VALUE_STRING, UNITY_BANNER,        0 },
+	{ "unity_splitdns_name", VALUE_STRING, UNITY_SPLITDNS_NAME, 0 },
+	{ "unity_split_include", VALUE_SUBNET, UNITY_SPLIT_INCLUDE, 0 },
+	{ "unity_local_lan",     VALUE_SUBNET, UNITY_LOCAL_LAN,     0 },
+};
+
+/**
+ * Determine the type of the attribute and its value
+ */
+static bool parse_attributes(char *name, char *value, value_type_t *value_type,
+							 configuration_attribute_type_t *type,
+							 configuration_attribute_type_t *type_ip6,
+							 chunk_t *blob)
+{
+	host_t *addr = NULL, *mask = NULL;
+	chunk_t addr_chunk, mask_chunk;
+	char *text = "", *pos, *endptr;
+	int i;
+
+	switch (*value_type)
+	{
+		case VALUE_STRING:
+			*blob = chunk_create(value, strlen(value));
+			*blob = chunk_clone(*blob);
+			break;
+		case VALUE_HEX:
+			*blob = chunk_from_hex(chunk_create(value, strlen(value)), NULL);
+			break;
+		case VALUE_ADDR:
+			addr = host_create_from_string(value, 0);
+			if (addr == NULL)
+			{
+				fprintf(stderr, "invalid IP address: '%s'.\n", value);
+				return FALSE;
+			}
+			addr_chunk = addr->get_address(addr);
+			*blob = chunk_clone(addr_chunk);
+			break;
+		case VALUE_SUBNET:
+			pos = strchr(value, '/');
+			if (pos == NULL || (value - pos) == strlen(value))
+			{
+				fprintf(stderr, "invalid IPv4 subnet: '%s'.\n", value);
+				return FALSE;
+			}
+			*pos = '\0';
+			addr = host_create_from_string(value, 0);
+			mask = host_create_from_string(pos+1, 0);
+			if (addr == NULL || addr->get_family(addr) != AF_INET ||
+				mask == NULL || mask->get_family(addr) != AF_INET)
+			{
+				fprintf(stderr, "invalid IPv4 subnet: '%s'.\n", value);
+				DESTROY_IF(addr);
+				DESTROY_IF(mask);
+				return FALSE;
+			}
+			addr_chunk = addr->get_address(addr);
+			mask_chunk = mask->get_address(mask);
+			*blob = chunk_alloc(UNITY_NETWORK_LEN);
+			memset(blob->ptr, 0x00, UNITY_NETWORK_LEN);
+			memcpy(blob->ptr,     addr_chunk.ptr, 4);
+			memcpy(blob->ptr + 4, mask_chunk.ptr, 4);
+			addr->destroy(addr);
+			mask->destroy(mask);
+			break;
+		case VALUE_NONE:
+			*blob = chunk_empty;
+			break;
+	}
+
+	/* init the attribute type */
+	*type     = 0;
+	*type_ip6 = 0;
+
+	for (i = 0; i < countof(attr_info); i++)
+	{
+		if (strcaseeq(name, attr_info[i].keyword))
+		{
+			if (*value_type == VALUE_NONE)
+			{
+				*value_type = attr_info[i].value_type;
+				*type       = attr_info[i].type;
+				*type_ip6   = attr_info[i].type_ip6;
+				return TRUE;
+			}
+			if (*value_type != attr_info[i].value_type &&
+				*value_type != VALUE_HEX)
+			{
+				switch (attr_info[i].value_type)
+				{
+					case VALUE_STRING:
+						text = "a string";
+						break;
+					case VALUE_HEX:
+						text = "a hex";
+						break;
+					case VALUE_ADDR:
+						text = "an IP address";
+						break;
+					case VALUE_SUBNET:
+						text = "a subnet";
+						break;
+					case VALUE_NONE:
+						text = "no";
+						break;
+				}
+				fprintf(stderr, "the %s attribute requires %s value.\n",
+								 name, text);
+				DESTROY_IF(addr);
+				free(blob->ptr);
+				return FALSE;
+			}
+			if (*value_type == VALUE_ADDR)
+			{
+				*type = (addr->get_family(addr) == AF_INET) ?
+						 	attr_info[i].type : attr_info[i].type_ip6;
+				addr->destroy(addr);
+			}
+			if (*value_type == VALUE_HEX)
+			{
+				*value_type = attr_info[i].value_type;
+
+				if (*value_type == VALUE_ADDR)
+				{
+					if (blob->len == 4)
+					{
+						*type = attr_info[i].type;
+					}
+					else if (blob->len == 16)
+					{
+						*type = attr_info[i].type_ip6;
+					}
+					else
+					{
+						fprintf(stderr, "the %s attribute requires "
+										"a valid IP address.\n", name);
+						free(blob->ptr);
+						return FALSE;
+					}
+				}
+				else
+				{
+					*type = attr_info[i].type;
+				}			
+			}
+			else
+			{
+				*type = attr_info[i].type;
+			}
+			return TRUE;
+		}
+	}
+
+	/* clean up */
+	DESTROY_IF(addr);
+
+	/* is the attribute type numeric? */	
+	*type = strtol(name, &endptr, 10);
+
+	if (*endptr != '\0')
+	{
+		fprintf(stderr, "the %s attribute is not recognized.\n", name);
+		free(blob->ptr);
+		return FALSE;
+	}
+	if (*value_type == VALUE_NONE)
+	{
+		*value_type = VALUE_HEX;
+	}
+	return TRUE;
+}
+ 
+/**
+ * ipsec pool --addattr <type> --string|server|subnet - add attribute entry
+ */
+void add_attr(char *name, char *value, value_type_t value_type)
+{
+	configuration_attribute_type_t type, type_ip6;
+	chunk_t blob;
+	bool success;
+
+	if (value_type == VALUE_NONE)
+	{
+		fprintf(stderr, "the value of the %s attribute is missing.\n", name);
+		usage();
+		exit(EXIT_FAILURE);
+	}	
+	if (!parse_attributes(name, value, &value_type, &type, &type_ip6, &blob))
+	{
+		exit(EXIT_FAILURE);
+	}
+	success = db->execute(db, NULL,
+				"INSERT INTO attributes (type, value) VALUES (?, ?)",
+				DB_INT, type, DB_BLOB, blob) == 1;
+	free(blob.ptr);
+
+	if (success)
+	{
+		printf("added %s attribute (%N).\n", name,
+				configuration_attribute_type_names, type);
+	}
+	else
+	{
+		fprintf(stderr, "adding %s attribute (%N) failed.\n", name,
+						 configuration_attribute_type_names, type);
+		exit(EXIT_FAILURE);
+	}
+}
+
+/**
+ * ipsec pool --delattr <type> --string|server|subnet - delete attribute entry
+ */
+void del_attr(char *name, char *value, value_type_t value_type)
+{
+	configuration_attribute_type_t type, type_ip6, type_db;
+	chunk_t blob, blob_db;
+	u_int id;
+	enumerator_t *query;
+	bool found = FALSE;
+
+	if (!parse_attributes(name, value, &value_type, &type, &type_ip6, &blob))
+	{
+		exit(EXIT_FAILURE);
+	}
+	if (blob.len > 0)
+	{
+		query = db->query(db,
+					"SELECT id, type, value FROM attributes "
+					"WHERE type = ? AND value = ?",
+					DB_INT, type, DB_BLOB, blob,
+					DB_UINT, DB_INT, DB_BLOB);
+	}
+	else if (type_ip6 == 0)
+	{
+		query = db->query(db,
+					"SELECT id, type, value FROM attributes "
+					"WHERE type = ?",
+					DB_INT, type, 
+					DB_UINT, DB_INT, DB_BLOB);
+	}
+	else
+	{
+		query = db->query(db,
+					"SELECT id, type, value FROM attributes "
+					"WHERE type = ? OR type = ?",
+					DB_INT, type, DB_INT, type_ip6,
+					DB_UINT, DB_INT, DB_BLOB);
+	}
+
+	if (!query)
+	{
+		fprintf(stderr, "deleting '%s' attribute (%N) failed.\n",
+						 name, configuration_attribute_type_names, type);
+		free(blob.ptr);
+		exit(EXIT_FAILURE);
+	}
+
+	while (query->enumerate(query, &id, &type_db, &blob_db))
+	{
+		host_t *server = NULL;
+
+		found = TRUE;
+
+		if (value_type == VALUE_ADDR)
+		{
+			int family = (type_db == type_ip6) ? AF_INET6 : AF_INET;
+
+			server = host_create_from_chunk(family, blob_db, 0);
+		}
+
+		if (db->execute(db, NULL,
+					"DELETE FROM attributes WHERE id = ?",
+					 DB_UINT, id) != 1)
+		{
+			if (server)
+			{
+				fprintf(stderr, "deleting %s server %H failed\n", name, server);
+				server->destroy(server);
+			}
+			else if (value_type == VALUE_STRING)
+			{
+				fprintf(stderr, "deleting %s attribute (%N) with value '%.*s' failed.\n",
+						 		name, configuration_attribute_type_names, type,
+								blob_db.len, blob_db.ptr);
+			}
+
+			else
+			{
+				fprintf(stderr, "deleting %s attribute (%N) with value %#B failed.\n",
+						 		name, configuration_attribute_type_names, type,
+								&blob_db);
+			}
+			query->destroy(query);
+			free(blob.ptr);
+			exit(EXIT_FAILURE);
+		}
+		if (server)
+		{
+			printf("deleted %s server %H\n", name, server);
+			server->destroy(server);
+		}
+		else if (value_type == VALUE_STRING)
+		{
+			printf("deleted %s attribute (%N) with value '%.*s'.\n",
+				   name, configuration_attribute_type_names, type,
+				   blob_db.len, blob_db.ptr);
+		}
+		else
+		{
+			printf("deleted %s attribute (%N) with value %#B.\n",
+				   name, configuration_attribute_type_names, type,
+				   &blob_db);
+		}
+	}
+	query->destroy(query);
+
+	if (!found)
+	{
+	 	if (blob.len == 0)
+		{
+			if (type_ip6 == 0)
+			{
+				fprintf(stderr, "no %s attribute (%N) was found.\n", name,
+								 configuration_attribute_type_names, type);
+			}
+			else
+			{
+				fprintf(stderr, "no %s attribute was found.\n",	name);
+			}
+		}
+		else
+		{	
+			if (value_type == VALUE_ADDR)
+			{
+				host_t *server = host_create_from_chunk(AF_UNSPEC, blob, 0);
+	
+				fprintf(stderr, "the %s server %H was not found.\n", name,
+								 server);
+				server->destroy(server);
+			}
+			else
+			{
+				fprintf(stderr, "the %s attribute (%N) with value '%*.s' "
+								"was not found.\n", name,
+								 configuration_attribute_type_names, type,
+								 blob.len, blob.ptr);
+			}
+		}
+		free(blob.ptr);
+		exit(EXIT_FAILURE);
+	}
+	free(blob.ptr);
+}
+
+/**
+ * ipsec pool --statusattr - show all attribute entries
+ */
+void status_attr(void)
+{
+	configuration_attribute_type_t type;
+	chunk_t value;
+	enumerator_t *enumerator;
+	char type_name[30];
+	bool first = TRUE;
+
+	/* enumerate over all attributes */
+	enumerator = db->query(db, "SELECT type, value FROM attributes ORDER BY type",
+								DB_INT, DB_BLOB);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &type, &value))
+		{
+			if (first)
+			{
+				printf(" type  description          value\n");
+				first = FALSE;
+			}
+			snprintf(type_name, sizeof(type_name), "%N",
+					 configuration_attribute_type_names, type);
+			if (type_name[0] == '(')
+			{
+				type_name[0] = '\0';
+			}
+			printf("%5d  %-20s %#B\n",type, type_name, &value);
+		}
+		enumerator->destroy(enumerator);
+	}
+}
diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.h b/src/libhydra/plugins/attr_sql/pool_attributes.h
new file mode 100644
index 000000000..df7b57de4
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool_attributes.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2009-2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef POOL_ATTRIBUTES_H_
+#define POOL_ATTRIBUTES_H_
+
+#include <attributes/attributes.h>
+
+typedef enum value_type_t value_type_t;
+
+enum value_type_t {
+	VALUE_NONE,
+	VALUE_HEX,
+	VALUE_STRING,
+	VALUE_ADDR,
+	VALUE_SUBNET
+};
+
+/**
+ * ipsec pool --addattr <type>  - add attribute entry
+ */
+void add_attr(char *name, char *value, value_type_t value_type);
+
+/**
+ * ipsec pool --delattr <type>  - delete attribute entry
+ */
+void del_attr(char *name, char *value, value_type_t value_type);
+
+/**
+ * ipsec pool --statusattr      - show all attribute entries
+ */
+void status_attr(void);
+
+#endif /* POOL_ATTRIBUTES_H_ */
+
+
diff --git a/src/libhydra/plugins/attr_sql/pool_usage.c b/src/libhydra/plugins/attr_sql/pool_usage.c
new file mode 100644
index 000000000..a671994a7
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool_usage.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2009-2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+/**
+ * print pool usage info
+ */
+void usage(void)
+{
+	printf("\
+Usage:\n\
+  ipsec pool --status|--add|--replace|--del|--resize|--purge [options]\n\
+  ipsec pool --statusattr|--addattr|--delattr [options]\n\
+  \n\
+  ipsec pool --status\n\
+    Show a list of installed pools with statistics plus nameserver info.\n\
+  \n\
+  ipsec pool --statusattr\n\
+    Show a list of all attributes stored in the database.\n\
+  \n\
+  ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\
+  ipsec pool --replace <name> --start <start> --end <end> [--timeout <timeout>]\n\
+    Add a new pool to or replace an existing pool in the database.\n\
+      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
+      start:   Start address of the pool\n\
+      end:     End address of the pool\n\
+      timeout: Lease time in hours, 0 for static leases\n\
+  \n\
+  ipsec pool --add <name> --addresses <file> [--timeout <timeout>]\n\
+  ipsec pool --replace <name> --addresses <file> [--timeout <timeout>]\n\
+    Add a new pool to or replace an existing pool in the database.\n\
+      name:    Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
+      file:    File newline separated addresses for the pool are read from.\n\
+               Optionally each address can be pre-assigned to a roadwarrior\n\
+               identity, e.g. 10.231.14.2=alice@strongswan.org.\n\
+               If a - (hyphen) is given instead of a file name, the addresses\n\
+               are read from STDIN. Reading addresses stops at the end of file\n\
+               or an empty line. Pools created with this command can not be\n\
+               resized.\n\
+      timeout: Lease time in hours, 0 for static leases\n\
+  \n\
+  ipsec pool --add dns|nbns|wins --server <server>\n\
+    Add a new DNS or NBNS server to the database.\n\
+      server:  IPv4 or IPv6 address of a name server\n\
+  \n\
+  ipsec pool --addattr <type> --server|--subnet|--string|--hex <value>\n\
+    Add a new attribute to the database.\n\
+      server:  IPv4 or IPv6 address of a server\n\
+      subnet:  IPv4 subnet given by network/mask\n\
+      string:  value of a string-type attribute\n\
+      hex:     hex value of any attribute\n\
+  \n\
+  ipsec pool --del <name>\n\
+    Delete a pool from the database.\n\
+      name:    Name of the pool to delete\n\
+  \n\
+  ipsec pool --del dns|nbns|wins [--server <server>]\n\
+    Delete a specific or all DNS or NBNS servers from the database.\n\
+      server:  IP address of the name server to delete\n\
+  \n\
+  ipsec pool --delattr <type> [--server|--subnet|--string|--hex <value>]\n\
+    Delete a specific or all attributes of a given type from the database.\n\
+      server:  IPv4 or IPv6 address of a server\n\
+      subnet:  IPv4 subnet given by network/mask\n\
+      string:  value of a string-type attribute\n\
+      hex:     hex value of any attribute\n\
+  \n\
+  ipsec pool --resize <name> --end <end>\n\
+    Grow or shrink an existing pool.\n\
+      name:    Name of the pool to resize\n\
+      end:     New end address for the pool\n\
+  \n\
+  ipsec pool --leases [--filter <filter>] [--utc]\n\
+    Show lease information using filters:\n\
+      filter:  Filter string containing comma separated key=value filters,\n\
+               e.g. id=alice@strongswan.org,addr=1.1.1.1\n\
+                  pool:   name of the pool\n\
+                  id:     assigned identity of the lease\n\
+                  addr:   lease IP address\n\
+                  tstamp: UNIX timestamp when lease was valid, as integer\n\
+                  status: status of the lease: online|valid|expired\n\
+      utc:    Show times in UTC instead of local time\n\
+  \n\
+  ipsec pool --purge <name>\n\
+    Delete lease history of a pool:\n\
+      name:    Name of the pool to purge\n\
+  \n\
+  ipsec pool --batch <file>\n\
+    Read commands from a file and execute them atomically.\n\
+      file:    File to read the newline separated commands from. Commands\n\
+               appear as they are written on the command line, e.g.\n\
+                  --replace mypool --start 10.0.0.1 --end 10.0.0.254\n\
+                  --del dns\n\
+                  --add dns --server 10.1.0.1\n\
+                  --add dns --server 10.1.1.1\n\
+               If a - (hyphen) is given as a file name, the commands are read\n\
+               from STDIN. Readin commands stops at the end of file. Empty\n\
+               lines are ignored. The file may not contain a --batch command.\n\
+  \n");
+}
+
diff --git a/src/libhydra/plugins/attr_sql/pool_usage.h b/src/libhydra/plugins/attr_sql/pool_usage.h
new file mode 100644
index 000000000..a98b0d680
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool_usage.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2009-2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef POOL_USAGE_H_
+#define POOL_USAGE_H_
+
+/**
+ * print pool usage info
+ */
+void usage(void);
+
+
+#endif /* POOL_USAGE_H_ */