authorbluhm <bluhm@openbsd.org>2009-01-28 18:07:19 +0000
committerbluhm <bluhm@openbsd.org>2009-01-28 18:07:19 +0000
commitcbdee78307e88e6b1b3aaf8b06c03c3f1b0866c3 (patch)
treedae9c933328176d51517192f04c67943dedc868b
parentcleaning up my tree: trivial KNF and a comment fix. (diff)
Allow specifying ike and flow explicitly without a peer. The any
keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA. tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
-rw-r--r--regress/sbin/ipsecctl/Makefile6
-rw-r--r--regress/sbin/ipsecctl/ike62.in3
-rw-r--r--regress/sbin/ipsecctl/ike62.ok53
-rw-r--r--regress/sbin/ipsecctl/ipsec58.in3
-rw-r--r--regress/sbin/ipsecctl/ipsec58.ok6
-rw-r--r--sbin/ipsecctl/ipsec.conf.518
-rw-r--r--sbin/ipsecctl/parse.y45
7 files changed, 114 insertions, 20 deletions
diff --git a/regress/sbin/ipsecctl/Makefile b/regress/sbin/ipsecctl/Makefile
index 4fce7c55f97..033906db91c 100644
--- a/regress/sbin/ipsecctl/Makefile
+++ b/regress/sbin/ipsecctl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.53 2009/01/20 14:40:36 mpf Exp $
+# $OpenBSD: Makefile,v 1.54 2009/01/28 18:07:19 bluhm Exp $
# you can update the *.ok files with: make -i | patch
# TARGETS
@@ -10,7 +10,7 @@
IPSECTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
IPSECTESTS+=25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
-IPSECTESTS+=51 52 53 54 55 56 57
+IPSECTESTS+=51 52 53 54 55 56 57 58
TCPMD5TESTS=1 2 3
SATESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
SAFAIL=1 2
@@ -19,7 +19,7 @@ IKEFAIL=1 3 4 5 6 8 9 10 11 12 13
IKETESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
IKETESTS+=16 17 18 19 20 21 22 23
IKETESTS+=29 30 31 32 33 34 35 36 37 38 39 40
-IKETESTS+=41 42 43 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61
+IKETESTS+=41 42 43 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62
IKEDELTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
IKEDELTESTS+=16 17 18 19 20 21 22 23
diff --git a/regress/sbin/ipsecctl/ike62.in b/regress/sbin/ipsecctl/ike62.in
new file mode 100644
index 00000000000..a255d588bb0
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike62.in
@@ -0,0 +1,3 @@
+ike from 1.1.1.1 to 2.2.2.2
+ike from 3.3.3.3 to 4.4.4.4 peer any
+ike from 5.5.5.5 to 6.6.6.6 peer 9.9.9.9
diff --git a/regress/sbin/ipsecctl/ike62.ok b/regress/sbin/ipsecctl/ike62.ok
new file mode 100644
index 00000000000..c50b3a2f5e0
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike62.ok
@@ -0,0 +1,53 @@
+C set [Phase 1]:2.2.2.2=peer-2.2.2.2 force
+C set [peer-2.2.2.2]:Phase=1 force
+C set [peer-2.2.2.2]:Address=2.2.2.2 force
+C set [peer-2.2.2.2]:Configuration=phase1-peer-2.2.2.2 force
+C set [phase1-peer-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-2.2.2.2]:Transforms=AES-SHA-RSA_SIG force
+C set [from-1.1.1.1-to-2.2.2.2]:Phase=2 force
+C set [from-1.1.1.1-to-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
+C set [from-1.1.1.1-to-2.2.2.2]:Configuration=phase2-from-1.1.1.1-to-2.2.2.2 force
+C set [from-1.1.1.1-to-2.2.2.2]:Local-ID=from-1.1.1.1 force
+C set [from-1.1.1.1-to-2.2.2.2]:Remote-ID=to-2.2.2.2 force
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-1.1.1.1-to-2.2.2.2]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-1.1.1.1]:ID-type=IPV4_ADDR force
+C set [from-1.1.1.1]:Address=1.1.1.1 force
+C set [to-2.2.2.2]:ID-type=IPV4_ADDR force
+C set [to-2.2.2.2]:Address=2.2.2.2 force
+C add [Phase 2]:Connections=from-1.1.1.1-to-2.2.2.2
+C set [Phase 1]:Default=peer-default force
+C set [peer-default]:Phase=1 force
+C set [peer-default]:Configuration=phase1-peer-default force
+C set [phase1-peer-default]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-default]:Transforms=AES-SHA-RSA_SIG force
+C set [from-3.3.3.3-to-4.4.4.4]:Phase=2 force
+C set [from-3.3.3.3-to-4.4.4.4]:ISAKMP-peer=peer-default force
+C set [from-3.3.3.3-to-4.4.4.4]:Configuration=phase2-from-3.3.3.3-to-4.4.4.4 force
+C set [from-3.3.3.3-to-4.4.4.4]:Local-ID=from-3.3.3.3 force
+C set [from-3.3.3.3-to-4.4.4.4]:Remote-ID=to-4.4.4.4 force
+C set [phase2-from-3.3.3.3-to-4.4.4.4]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-3.3.3.3-to-4.4.4.4]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-3.3.3.3]:ID-type=IPV4_ADDR force
+C set [from-3.3.3.3]:Address=3.3.3.3 force
+C set [to-4.4.4.4]:ID-type=IPV4_ADDR force
+C set [to-4.4.4.4]:Address=4.4.4.4 force
+C add [Phase 2]:Connections=from-3.3.3.3-to-4.4.4.4
+C set [Phase 1]:9.9.9.9=peer-9.9.9.9 force
+C set [peer-9.9.9.9]:Phase=1 force
+C set [peer-9.9.9.9]:Address=9.9.9.9 force
+C set [peer-9.9.9.9]:Configuration=phase1-peer-9.9.9.9 force
+C set [phase1-peer-9.9.9.9]:EXCHANGE_TYPE=ID_PROT force
+C add [phase1-peer-9.9.9.9]:Transforms=AES-SHA-RSA_SIG force
+C set [from-5.5.5.5-to-6.6.6.6]:Phase=2 force
+C set [from-5.5.5.5-to-6.6.6.6]:ISAKMP-peer=peer-9.9.9.9 force
+C set [from-5.5.5.5-to-6.6.6.6]:Configuration=phase2-from-5.5.5.5-to-6.6.6.6 force
+C set [from-5.5.5.5-to-6.6.6.6]:Local-ID=from-5.5.5.5 force
+C set [from-5.5.5.5-to-6.6.6.6]:Remote-ID=to-6.6.6.6 force
+C set [phase2-from-5.5.5.5-to-6.6.6.6]:EXCHANGE_TYPE=QUICK_MODE force
+C set [phase2-from-5.5.5.5-to-6.6.6.6]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [from-5.5.5.5]:ID-type=IPV4_ADDR force
+C set [from-5.5.5.5]:Address=5.5.5.5 force
+C set [to-6.6.6.6]:ID-type=IPV4_ADDR force
+C set [to-6.6.6.6]:Address=6.6.6.6 force
+C add [Phase 2]:Connections=from-5.5.5.5-to-6.6.6.6
diff --git a/regress/sbin/ipsecctl/ipsec58.in b/regress/sbin/ipsecctl/ipsec58.in
new file mode 100644
index 00000000000..e21d557b1f3
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec58.in
@@ -0,0 +1,3 @@
+flow from 1.1.1.1 to 2.2.2.2
+flow from 3.3.3.3 to 4.4.4.4 peer any
+flow from 5.5.5.5 to 6.6.6.6 peer 9.9.9.9
diff --git a/regress/sbin/ipsecctl/ipsec58.ok b/regress/sbin/ipsecctl/ipsec58.ok
new file mode 100644
index 00000000000..972bbbc332e
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec58.ok
@@ -0,0 +1,6 @@
+flow esp out from 1.1.1.1 to 2.2.2.2 peer 2.2.2.2 type require
+flow esp in from 2.2.2.2 to 1.1.1.1 peer 2.2.2.2 type require
+flow esp out from 3.3.3.3 to 4.4.4.4 type require
+flow esp in from 4.4.4.4 to 3.3.3.3 type require
+flow esp out from 5.5.5.5 to 6.6.6.6 peer 9.9.9.9 type require
+flow esp in from 6.6.6.6 to 5.5.5.5 peer 9.9.9.9 type require
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 936aeb1cf09..dd8c50a979b 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.120 2009/01/20 14:36:19 mpf Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.121 2009/01/28 18:07:19 bluhm Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: January 20 2009 $
+.Dd $Mdocdate: January 28 2009 $
.Dt IPSEC.CONF 5
.Os
.Sh NAME
@@ -293,7 +293,12 @@ For host-to-host connections where
.Ar dst
is identical to
.Ar remote ,
-this option is generally not needed.
+this option is generally not needed as it will be set to
+.Ar dst
+automatically.
+If it is not specified or if the keyword
+.Ar any
+is given, the default peer is used.
.It Xo
.Ar mode
.Ic auth Ar algorithm
@@ -745,7 +750,12 @@ is identical to
.Ar remote ,
the
.Ic peer
-specification can be left out.
+specification can be left out as it will be set to
+.Ar dst
+automatically.
+Only if the keyword
+.Ar any
+is given, a flow without peer is created.
.It Ic type Ar modifier
This optional parameter sets up special flows using modifiers.
By default,
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 27b0d9066c0..de5d70f0836 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.141 2009/01/20 14:36:19 mpf Exp $ */
+/* $OpenBSD: parse.y,v 1.142 2009/01/28 18:07:19 bluhm Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -152,6 +152,7 @@ struct ipsec_addr_wrap *host_v6(const char *, int);
struct ipsec_addr_wrap *host_v4(const char *, int);
struct ipsec_addr_wrap *host_dns(const char *, int);
struct ipsec_addr_wrap *host_if(const char *, int);
+struct ipsec_addr_wrap *host_any(void);
void ifa_load(void);
int ifa_exists(const char *);
struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name);
@@ -210,6 +211,7 @@ typedef struct {
u_int16_t port;
struct ipsec_hosts hosts;
struct ipsec_hosts peers;
+ struct ipsec_addr_wrap *anyhost;
struct ipsec_addr_wrap *singlehost;
struct ipsec_addr_wrap *host;
struct {
@@ -261,6 +263,7 @@ typedef struct {
%type <v.port> port
%type <v.number> portval
%type <v.peers> peers
+%type <v.anyhost> anyhost
%type <v.singlehost> singlehost
%type <v.host> host host_list host_spec
%type <v.ids> ids
@@ -464,15 +467,15 @@ peers : /* empty */ {
$$.dst = NULL;
$$.src = NULL;
}
- | PEER singlehost LOCAL singlehost {
+ | PEER anyhost LOCAL singlehost {
$$.dst = $2;
$$.src = $4;
}
- | LOCAL singlehost PEER singlehost {
+ | LOCAL singlehost PEER anyhost {
$$.dst = $4;
$$.src = $2;
}
- | PEER singlehost {
+ | PEER anyhost {
$$.dst = $2;
$$.src = NULL;
}
@@ -482,6 +485,11 @@ peers : /* empty */ {
}
;
+anyhost : singlehost { $$ = $1; }
+ | ANY {
+ $$ = host_any();
+ }
+
singlehost : /* empty */ { $$ = NULL; }
| STRING {
if (($$ = host($1)) == NULL) {
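Review bot: The new `anyhost` rule is left without a closing `;`, unlike `peers` directly above it, which ends with `;` after its last action; yacc accepts the omission, but the surrounding rules terminate explicitly, so add `;` after the `ANY` action's `}` where the added blank line now sits. Because `anyhost` derives `singlehost`, which may be empty, `peer` with no argument still parses exactly as before the change. A one-line comment at the rule, `/* anyhost: a single host, or the ANY keyword meaning "use the default peer" */`, would make the purpose of the new nonterminal visible in the grammar rather than only in set_rule_peers. The `singlehost` rule continues outside the hunk.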
@@ -540,15 +548,7 @@ host : host_spec { $$ = $1; }
$$->srcnat = $3;
}
| ANY {
- struct ipsec_addr_wrap *ipa;
-
- ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
- if (ipa == NULL)
- err(1, "host: calloc");
- ipa->af = AF_UNSPEC;
- ipa->netaddress = 1;
- ipa->tail = ipa;
- $$ = ipa;
+ $$ = host_any();
}
| '{' host_list '}' { $$ = $2; }
;
@@ -1694,6 +1694,20 @@ host_if(const char *s, int mask)
return (ipa);
}
+struct ipsec_addr_wrap *
+host_any(void)
+{
+ struct ipsec_addr_wrap *ipa;
+
+ ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
+ if (ipa == NULL)
+ err(1, "host_any: calloc");
+ ipa->af = AF_UNSPEC;
+ ipa->netaddress = 1;
+ ipa->tail = ipa;
+ return (ipa);
+}
+
/* interface lookup routintes */
struct ipsec_addr_wrap *iftab;
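Review bot: `host_any()` has no header comment, yet the object it returns is a sentinel that other code keys on: `af` is `AF_UNSPEC`, `netaddress` is set, `tail` points to itself, and set_rule_peers later recognises `af == AF_UNSPEC` as "use the default peer" and releases the wrap with a plain `free()`. Record that contract above the definition, e.g. `/* Build the wrap for the "any" keyword: af AF_UNSPEC, no name and no next entry, so callers may release it with a single free(). */`, so that a later change attaching an owned string or chaining entries onto it does not silently leak or break that check. The `err(1, ...)` on calloc failure matches the inline code this replaces in the `host` rule, so error behaviour is unchanged.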
@@ -2449,6 +2463,11 @@ set_rule_peers(struct ipsec_rule *r, struct ipsec_hosts *peers)
else
r->peer = copyhost(r->dst);
}
+ } else if (r->peer->af == AF_UNSPEC) {
+ /* If peer has been specified as any, use the default peer. */
+ free(r->peer);
+ r->peer = NULL;
+ return (0);
}
if (r->type == RULE_FLOW && r->peer == NULL) {
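Review bot: The new `else if (r->peer->af == AF_UNSPEC)` branch frees `r->peer` and returns early, which assumes `r` owns that wrap and that no other rule still points at it; ipsec58.ok shows both the `in` and the `out` flow of a `peer any` rule ending up without a peer, so if the caller hands the same `peers->dst` pointer to both direction rules instead of a copy, the second call would operate on freed memory — the caller is not visible here, so please confirm it copies. The `free()` is only correct because host_any() allocates a bare struct with no owned name or chained entries; that dependency is worth a word in the comment. The early `return (0)` also deliberately bypasses the `r->type == RULE_FLOW && r->peer == NULL` check that follows, since a flow without peer is exactly what `any` requests; make that explicit, e.g. `/* Peer given as any: drop it and use the default peer; the no-peer flow check below is skipped on purpose. */`. set_rule_peers begins outside the hunk.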