1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
diff -ru a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
--- a/src/libcharon/plugins/vici/vici_control.c 2019-01-14 12:13:40.000000000 +0100
+++ b/src/libcharon/plugins/vici/vici_control.c 2019-01-14 13:37:26.367382864 +0100
@@ -268,12 +268,13 @@
private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
{
enumerator_t *enumerator, *isas, *csas;
- char *child, *ike, *errmsg = NULL;
+ char *child, *ike, *errmsg = NULL, *my_host_str, *other_host_str;
u_int child_id, ike_id, current, *del, done = 0;
bool force;
int timeout;
ike_sa_t *ike_sa;
child_sa_t *child_sa;
+ host_t *my_host = NULL, *other_host = NULL;
array_t *ids;
vici_builder_t *builder;
controller_cb_t log_cb = NULL;
@@ -289,12 +290,23 @@
force = request->get_bool(request, FALSE, "force");
timeout = request->get_int(request, 0, "timeout");
log.level = request->get_int(request, 1, "loglevel");
+ my_host_str = request->get_str(request, NULL, "my-host");
+ other_host_str = request->get_str(request, NULL, "other-host");
- if (!child && !ike && !ike_id && !child_id)
+ if (!child && !ike && !ike_id && !child_id && !my_host_str &&!other_host_str)
{
return send_reply(this, "missing terminate selector");
}
-
+ if (my_host_str && !other_host_str || other_host_str && !my_host_str)
+ {
+ return send_reply(this, "missing source or remote");
+ }
+ else
+ {
+ my_host = host_create_from_string(my_host_str, 0);
+ other_host = host_create_from_string(other_host_str, 0);
+ DBG1(DBG_CFG, "vici terminate with source me %H and other %H", my_host, other_host);
+ }
if (ike_id)
{
DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
@@ -357,6 +369,15 @@
{
array_insert(ids, ARRAY_TAIL, &ike_id);
}
+ else if (my_host && other_host)
+ {
+ if (!my_host->ip_equals(my_host, ike_sa->get_my_host(ike_sa)) || !other_host->ip_equals(other_host, ike_sa->get_other_host(ike_sa)))
+ {
+ continue;
+ }
+ current = ike_sa->get_unique_id(ike_sa);
+ array_insert(ids, ARRAY_TAIL, ¤t);
+ }
}
isas->destroy(isas);
diff -ru a/src/swanctl/commands/terminate.c b/src/swanctl/commands/terminate.c
--- a/src/swanctl/commands/terminate.c 2019-01-14 11:16:46.000000000 +0100
+++ b/src/swanctl/commands/terminate.c 2019-01-14 14:03:12.119459847 +0100
@@ -37,7 +37,7 @@
vici_req_t *req;
vici_res_t *res;
command_format_options_t format = COMMAND_FORMAT_NONE;
- char *arg, *child = NULL, *ike = NULL;
+ char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
int ret = 0, timeout = 0, level = 1, child_id = 0, ike_id = 0;
bool force = FALSE;
@@ -74,6 +74,12 @@
case 'l':
level = atoi(arg);
continue;
+ case 'S':
+ my_host = arg;
+ continue;
+ case 'R':
+ other_host = arg;
+ continue;
case EOF:
break;
default:
@@ -109,6 +115,14 @@
{
vici_add_key_valuef(req, "force", "yes");
}
+ if (my_host)
+ {
+ vici_add_key_valuef(req, "my-host", "%s", my_host);
+ }
+ if (other_host)
+ {
+ vici_add_key_valuef(req, "other-host", "%s", other_host);
+ }
if (timeout)
{
vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
@@ -155,6 +169,8 @@
{
{"help", 'h', 0, "show usage information"},
{"child", 'c', 1, "terminate by CHILD_SA name"},
+ {"source", 'S', 1, "override source address"},
+ {"remote", 'R', 1, "override remote address"},
{"ike", 'i', 1, "terminate by IKE_SA name"},
{"child-id", 'C', 1, "terminate by CHILD_SA reqid"},
{"ike-id", 'I', 1, "terminate by IKE_SA unique identifier"},
|
