Merge branch 'opaque-ports'

Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
2025-10-04 00:00:14 -04:00 · 2013-03-01 11:27:12 +01:00 · 2013-03-01 11:27:12 +01:00 · a36b49f3cb
commit a36b49f3cb
parent 53fcc70acc b443fa6123
19 changed files with 201 additions and 120 deletions
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@ -742,6 +742,14 @@ can be used to the same effect, e.g.
 .B leftprotoport=udp/%any
 or
 .BR leftprotoport=%any/53 .
 The port value can alternatively take the value
 .B %opaque
 for RFC 4301 OPAQUE selectors, or a numerical range in the form
 .BR 1024-65535 .
 None of the kernel backends currently supports opaque or port ranges and uses
 .B %any
 for policy installation instead.
 .TP
 .BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
 the left participant's public key for RSA signature authentication, in RFC 2537
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@ -188,7 +188,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
 		enumerator = enumerator_create_token(token, ",", " ");
 		while (enumerator->enumerate(enumerator, &token))
 		{
-			ts = traffic_selector_create_from_cidr(token, 0, 0);
+			ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
 			if (ts)
 			{
 				child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
@ -212,7 +212,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
 		enumerator = enumerator_create_token(token, ",", " ");
 		while (enumerator->enumerate(enumerator, &token))
 		{
-			ts = traffic_selector_create_from_cidr(token, 0, 0);
+			ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
 			if (ts)
 			{
 				child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
@ -114,7 +114,11 @@ METHOD(payload_t, verify, status_t,
 {
 	if (this->start_port > this->end_port)
 	{
-		return FAILED;
+		/* OPAQUE ports are the only exception */
 		if (this->start_port != 0xffff && this->end_port != 0)
 		{
 			return FAILED;
 		}
 	}
 	switch (this->ts_type)
 	{
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@ -369,7 +369,7 @@ static void add_ts(char *string, child_cfg_t *cfg, bool local)
 	if (string)
 	{
-		ts = traffic_selector_create_from_cidr(string, 0, 0);
+		ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
 		if (!ts)
 		{
 			DBG1(DBG_CFG, "parsing TS string '%s' failed", string);
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@ -63,7 +63,7 @@ static traffic_selector_t *ts_from_string(char *str)
 	{
 		traffic_selector_t *ts;
-		ts = traffic_selector_create_from_cidr(str, 0, 0);
+		ts = traffic_selector_create_from_cidr(str, 0, 0, 65535);
 		if (ts)
 		{
 			return ts;
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@ -878,7 +878,7 @@ static void add_ts(private_stroke_config_t *this,
 	if (end->tohost)
 	{
 		ts = traffic_selector_create_dynamic(end->protocol,
-					end->port ? end->port : 0, end->port ? end->port : 65535);
+											 end->from_port, end->to_port);
 		child_cfg->add_traffic_selector(child_cfg, local, ts);
 	}
 	else
@ -891,7 +891,7 @@ static void add_ts(private_stroke_config_t *this,
 			if (net)
 			{
 				ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
-														 end->port);
+												end->from_port, end->to_port);
 				child_cfg->add_traffic_selector(child_cfg, local, ts);
 			}
 		}
@ -903,8 +903,8 @@ static void add_ts(private_stroke_config_t *this,
 			enumerator = enumerator_create_token(end->subnets, ",", " ");
 			while (enumerator->enumerate(enumerator, &subnet))
 			{
-				ts = traffic_selector_create_from_cidr(subnet,
+				ts = traffic_selector_create_from_cidr(subnet, end->protocol,
-													end->protocol, end->port);
+												end->from_port, end->to_port);
 				if (ts)
 				{
 					child_cfg->add_traffic_selector(child_cfg, local, ts);
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@ -89,7 +89,7 @@ static traffic_selector_t *create_ts(char *string)
 	{
 		traffic_selector_t *ts;
-		ts = traffic_selector_create_from_cidr(string, 0, 0);
+		ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
 		if (ts)
 		{
 			return ts;
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@ -192,7 +192,8 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 		{
 			has_vip = TRUE;
 			child_cfg->add_traffic_selector(child_cfg, TRUE,
-				traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0));
+				traffic_selector_create_from_subnet(host->clone(host),
 													32, 0, 0, 65535));
 		}
 		enumerator->destroy(enumerator);
@ -200,7 +201,8 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 		{
 			host = ike_sa->get_my_host(ike_sa);
 			child_cfg->add_traffic_selector(child_cfg, TRUE,
-				traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0));
+				traffic_selector_create_from_subnet(host->clone(host), 32, 0,
 													0, 65535));
 		}
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@ -576,12 +576,12 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 	if (!tsi)
 	{
 		tsi = traffic_selector_create_from_subnet(hsi->clone(hsi),
-							hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0);
+					hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0, 65535);
 	}
 	if (!tsr)
 	{
 		tsr = traffic_selector_create_from_subnet(hsr->clone(hsr),
-							hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0);
+					hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0, 65535);
 	}
 	if (this->mode == MODE_TRANSPORT && this->udp &&
 	   (!tsi->is_host(tsi, hsi) || !tsr->is_host(tsr, hsr)))
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@ -787,7 +787,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
 	if (host)
 	{
 		return traffic_selector_create_from_subnet(host, prefixlen,
-												   sel->proto, port);
+											sel->proto, port, port ?: 65535);
 	}
 	return NULL;
 }
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@ -953,7 +953,8 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
 	ts = traffic_selector_create_from_subnet(host,
 											 address->sadb_address_prefixlen,
 											 address->sadb_address_proto,
-											 host->get_port(host));
+											 host->get_port(host),
 											 host->get_port(host) ?: 65535);
 	return ts;
 }
@ -2654,4 +2655,3 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 	return &this->public;
 }
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@ -174,7 +174,24 @@ static u_int8_t calc_netbits(private_traffic_selector_t *this)
 /**
 * internal generic constructor
 */
-static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 						ts_type_t type, u_int16_t from_port, u_int16_t to_port);
 /**
 * Check if TS contains "opaque" ports
 */
 static bool is_opaque(private_traffic_selector_t *this)
 {
 	return this->from_port == 0xffff && this->to_port == 0;
 }
 /**
 * Check if TS contains "any" ports
 */
 static bool is_any(private_traffic_selector_t *this)
 {
 	return this->from_port == 0 && this->to_port == 0xffff;
 }
 /**
 * Described in header.
@ -248,7 +265,7 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 	/* check if we have protocol and/or port selectors */
 	has_proto = this->protocol != 0;
-	has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF);
+	has_ports = !is_any(this);
 	if (!has_proto && !has_ports)
 	{
@ -283,8 +300,9 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 	{
 		if (this->from_port == this->to_port)
 		{
-			struct servent *serv = getservbyport(htons(this->from_port), serv_proto);
+			struct servent *serv;
 			serv = getservbyport(htons(this->from_port), serv_proto);
 			if (serv)
 			{
 				written += print_in_hook(data, "%s", serv->s_name);
@ -294,9 +312,14 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 				written += print_in_hook(data, "%d", this->from_port);
 			}
 		}
 		else if (is_opaque(this))
 		{
 			written += print_in_hook(data, "OPAQUE");
 		}
 		else
 		{
-			written += print_in_hook(data, "%d-%d", this->from_port, this->to_port);
+			written += print_in_hook(data, "%d-%d",
 									 this->from_port, this->to_port);
 		}
 	}
@ -305,24 +328,55 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 	return written;
 }
-/**
+METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
- * Implements traffic_selector_t.get_subset
+	private_traffic_selector_t *this, traffic_selector_t *other_public)
 */
 static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_traffic_selector_t *other)
 {
 	private_traffic_selector_t *other, *subset;
 	u_int16_t from_port, to_port;
 	u_char *from, *to;
 	u_int8_t protocol;
 	size_t size;
 	other = (private_traffic_selector_t*)other_public;
 	if (this->dynamic || other->dynamic)
 	{	/* no set_address() applied, TS has no subset */
 		return NULL;
 	}
 	if (this->type == other->type && (this->protocol == other->protocol ||
 								this->protocol == 0 || other->protocol == 0))
 	{
 		u_int16_t from_port, to_port;
 		u_char *from, *to;
 		u_int8_t protocol;
 		size_t size;
 		private_traffic_selector_t *new_ts;
 	if (this->type != other->type)
 	{
 		return NULL;
 	}
 	switch (this->type)
 	{
 		case TS_IPV4_ADDR_RANGE:
 			size = sizeof(this->from4);
 			break;
 		case TS_IPV6_ADDR_RANGE:
 			size = sizeof(this->from6);
 			break;
 		default:
 			return NULL;
 	}
 	if (this->protocol != other->protocol &&
 		this->protocol != 0 && other->protocol != 0)
 	{
 		return NULL;
 	}
 	/* select protocol, which is not zero */
 	protocol = max(this->protocol, other->protocol);
 	if ((is_opaque(this) && is_opaque(other)) ||
 		(is_opaque(this) && is_any(other)) ||
 		(is_opaque(other) && is_any(this)))
 	{
 		from_port = 0xffff;
 		to_port = 0;
 	}
 	else
 	{
 		/* calculate the maximum port range allowed for both */
 		from_port = max(this->from_port, other->from_port);
 		to_port = min(this->to_port, other->to_port);
@ -330,60 +384,46 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
 		{
 			return NULL;
 		}
 		/* select protocol, which is not zero */
 		protocol = max(this->protocol, other->protocol);
 		switch (this->type)
 		{
 			case TS_IPV4_ADDR_RANGE:
 				size = sizeof(this->from4);
 				break;
 			case TS_IPV6_ADDR_RANGE:
 				size = sizeof(this->from6);
 				break;
 			default:
 				return NULL;
 		}
 		/* get higher from-address */
 		if (memcmp(this->from, other->from, size) > 0)
 		{
 			from = this->from;
 		}
 		else
 		{
 			from = other->from;
 		}
 		/* get lower to-address */
 		if (memcmp(this->to, other->to, size) > 0)
 		{
 			to = other->to;
 		}
 		else
 		{
 			to = this->to;
 		}
 		/* if "from" > "to", we don't have a match */
 		if (memcmp(from, to, size) > 0)
 		{
 			return NULL;
 		}
 		/* we have a match in protocol, port, and address: return it... */
 		new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
 		memcpy(new_ts->from, from, size);
 		memcpy(new_ts->to, to, size);
 		calc_netbits(new_ts);
 		return &new_ts->public;
 	}
-	return NULL;
+	/* get higher from-address */
 	if (memcmp(this->from, other->from, size) > 0)
 	{
 		from = this->from;
 	}
 	else
 	{
 		from = other->from;
 	}
 	/* get lower to-address */
 	if (memcmp(this->to, other->to, size) > 0)
 	{
 		to = other->to;
 	}
 	else
 	{
 		to = this->to;
 	}
 	/* if "from" > "to", we don't have a match */
 	if (memcmp(from, to, size) > 0)
 	{
 		return NULL;
 	}
 	/* we have a match in protocol, port, and address: return it... */
 	subset = traffic_selector_create(protocol, this->type, from_port, to_port);
 	memcpy(subset->from, from, size);
 	memcpy(subset->to, to, size);
 	calc_netbits(subset);
 	return &subset->public;
 }
-/**
+METHOD(traffic_selector_t, equals, bool,
- * Implements traffic_selector_t.equals
+	private_traffic_selector_t *this, traffic_selector_t *other_public)
 */
 static bool equals(private_traffic_selector_t *this, private_traffic_selector_t *other)
 {
 	private_traffic_selector_t *other;
 	other = (private_traffic_selector_t*)other_public;
 	if (this->type != other->type)
 	{
 		return FALSE;
@ -535,11 +575,8 @@ METHOD(traffic_selector_t, set_address, void,
 	}
 }
-/**
+METHOD(traffic_selector_t, is_contained_in, bool,
- * Implements traffic_selector_t.is_contained_in.
+	private_traffic_selector_t *this, traffic_selector_t *other)
 */
 static bool is_contained_in(private_traffic_selector_t *this,
 							private_traffic_selector_t *other)
 {
 	private_traffic_selector_t *subset;
 	bool contained_in = FALSE;
@ -548,7 +585,7 @@ static bool is_contained_in(private_traffic_selector_t *this,
 	if (subset)
 	{
-		if (equals(subset, this))
+		if (equals(subset, &this->public))
 		{
 			contained_in = TRUE;
 		}
@ -739,12 +776,13 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
 * see header
 */
 traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
-							u_int8_t netbits, u_int8_t protocol, u_int16_t port)
+							u_int8_t netbits, u_int8_t protocol,
 							u_int16_t from_port, u_int16_t to_port)
 {
 	private_traffic_selector_t *this;
 	chunk_t from;
-	this = traffic_selector_create(protocol, 0, 0, 65535);
+	this = traffic_selector_create(protocol, 0, from_port, to_port);
 	switch (net->get_family(net))
 	{
@ -763,11 +801,6 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
 	memcpy(this->from, from.ptr, from.len);
 	netbits = min(netbits, this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
 	calc_range(this, netbits);
 	if (port)
 	{
 		this->from_port = port;
 		this->to_port = port;
 	}
 	net->destroy(net);
 	return &this->public;
@ -818,8 +851,9 @@ traffic_selector_t *traffic_selector_create_from_string(
 /*
 * see header
 */
-traffic_selector_t *traffic_selector_create_from_cidr(char *string,
+traffic_selector_t *traffic_selector_create_from_cidr(
-									u_int8_t protocol, u_int16_t port)
+										char *string, u_int8_t protocol,
 										u_int16_t from_port, u_int16_t to_port)
 {
 	host_t *net;
 	int bits;
@ -827,7 +861,8 @@ traffic_selector_t *traffic_selector_create_from_cidr(char *string,
 	net = host_create_from_subnet(string, &bits);
 	if (net)
 	{
-		return traffic_selector_create_from_subnet(net, bits, protocol, port);
+		return traffic_selector_create_from_subnet(net, bits, protocol,
 												   from_port, to_port);
 	}
 	return NULL;
 }
@ -859,8 +894,8 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 	INIT(this,
 		.public = {
-			.get_subset = (traffic_selector_t*(*)(traffic_selector_t*,traffic_selector_t*))get_subset,
+			.get_subset = _get_subset,
-			.equals = (bool(*)(traffic_selector_t*,traffic_selector_t*))equals,
+			.equals = _equals,
 			.get_from_address = _get_from_address,
 			.get_to_address = _get_to_address,
 			.get_from_port = _get_from_port,
@ -869,7 +904,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 			.get_protocol = _get_protocol,
 			.is_host = _is_host,
 			.is_dynamic = _is_dynamic,
-			.is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in,
+			.is_contained_in = _is_contained_in,
 			.includes = _includes,
 			.set_address = _set_address,
 			.to_subnet = _to_subnet,
@ -884,4 +919,3 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 	return this;
 }
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@ -238,11 +238,13 @@ traffic_selector_t *traffic_selector_create_from_string(
 *
 * @param string		CIDR string, such as 10.1.0.0/16
 * @param protocol		protocol for this ts, such as TCP or UDP
- * @param port			single port for this TS, 0 for any port
+ * @param from_port		start of allowed port range
 * @param to_port		end of port range
 * @return				traffic selector, NULL if string invalid
 */
-traffic_selector_t *traffic_selector_create_from_cidr(char *string,
+traffic_selector_t *traffic_selector_create_from_cidr(
-									u_int8_t protocol, u_int16_t port);
+										char *string, u_int8_t protocol,
 										u_int16_t from_port, u_int16_t to_port);
 /**
 * Create a new traffic selector using data read from the net.
@ -288,14 +290,15 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
 * @param net			subnet to use
 * @param netbits		size of the subnet, as used in e.g. 192.168.0.0/24 notation
 * @param protocol		protocol for this ts, such as TCP or UDP
- * @param port			port number, host order
+ * @param from_port		start of allowed port range
 * @param to_port		end of port range
 * @return
 *						- traffic_selector_t object
 *						- NULL if address family of net not supported
 */
 traffic_selector_t *traffic_selector_create_from_subnet(
-									host_t *net, u_int8_t netbits,
+							host_t *net, u_int8_t netbits, u_int8_t protocol,
-									u_int8_t protocol, u_int16_t port);
+							u_int16_t from_port, u_int16_t to_port);
 /**
 * Create a traffic selector for host-to-host cases.
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@ -27,7 +27,8 @@ static bool starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
 		return FALSE;
 	VARCMP(modecfg);
-	VARCMP(port);
+	VARCMP(from_port);
 	VARCMP(to_port);
 	VARCMP(protocol);
 	return cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
@ -63,4 +64,3 @@ bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2)
 	return cmp_args(KW_CA_NAME, KW_CA_LAST, (char *)c1, (char *)c2);
 }
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@ -142,6 +142,9 @@ static void default_values(starter_config_t *cfg)
 	cfg->conn_default.left.ikeport = 500;
 	cfg->conn_default.right.ikeport = 500;
 	cfg->conn_default.left.to_port = 0xffff;
 	cfg->conn_default.right.to_port = 0xffff;
 	cfg->ca_default.seen = SEEN_NONE;
 }
@ -292,24 +295,46 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
 		}
 		if (streq(port, "%any"))
 		{
-			end->port = 0;
+			end->from_port = 0;
 			end->to_port = 0xffff;
 		}
-		else
+		else if (streq(port, "%opaque"))
 		{
 			end->from_port = 0xffff;
 			end->to_port = 0;
 		}
 		else if (*port)
 		{
 			svc = getservbyname(port, NULL);
 			if (svc)
 			{
-				end->port = ntohs(svc->s_port);
+				end->from_port = end->to_port = ntohs(svc->s_port);
 			}
 			else
 			{
 				p = strtol(port, &endptr, 0);
-				if ((*port && *endptr) || p < 0 || p > 0xffff)
+				if (p < 0 || p > 0xffff)
 				{
-					DBG1(DBG_APP, "# bad port: %s=%s", name, value);
+					DBG1(DBG_APP, "# bad port: %s=%s", name, port);
 					goto err;
 				}
 				end->from_port = p;
 				if (*endptr == '-')
 				{
 					port = endptr + 1;
 					p = strtol(port, &endptr, 0);
 					if (p < 0 || p > 0xffff)
 					{
 						DBG1(DBG_APP, "# bad port: %s=%s", name, port);
 						goto err;
 					}
 				}
 				end->to_port = p;
 				if (*endptr)
 				{
 					DBG1(DBG_APP, "# bad port: %s=%s", name, port);
 					goto err;
 				}
 				end->port = (u_int16_t)p;
 			}
 		}
 		if (sep)
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@ -115,7 +115,8 @@ struct starter_end {
 		bool            hostaccess;
 		bool            allow_any;
 		char            *updown;
-		u_int16_t       port;
+		u_int16_t       from_port;
 		u_int16_t       to_port;
 		u_int8_t        protocol;
 		char            *sourceip;
 		char            *dns;
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@ -146,7 +146,8 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	msg_end->tohost = !conn_end->subnet;
 	msg_end->allow_any = conn_end->allow_any;
 	msg_end->protocol = conn_end->protocol;
-	msg_end->port = conn_end->port;
+	msg_end->from_port = conn_end->from_port;
 	msg_end->to_port = conn_end->to_port;
 }
 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@ -151,12 +151,14 @@ static int add_connection(char *name,
 	msg.add_conn.me.ikeport = 500;
 	msg.add_conn.me.subnets = push_string(&msg, my_nets);
 	msg.add_conn.me.sendcert = 1;
 	msg.add_conn.me.to_port = 65535;
 	msg.add_conn.other.id = push_string(&msg, other_id);
 	msg.add_conn.other.address = push_string(&msg, other_addr);
 	msg.add_conn.other.ikeport = 500;
 	msg.add_conn.other.subnets = push_string(&msg, other_nets);
 	msg.add_conn.other.sendcert = 1;
 	msg.add_conn.other.to_port = 65535;
 	return send_stroke_msg(&msg);
 }
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@ -167,7 +167,8 @@ struct stroke_end_t {
 	int tohost;
 	int allow_any;
 	u_int8_t protocol;
-	u_int16_t port;
+	u_int16_t from_port;
 	u_int16_t to_port;
 };
 typedef struct stroke_msg_t stroke_msg_t;