ike-sa: Add flags to force updating hosts/CHILD_SAs
This allows more fine grained control over what's updated and does not require multiple calls of the method. Plus we'll be able to use it in the ike-mobike task.
This commit is contained in:
parent
08a3ee0cce
commit
51c7cf9a04
|
@ -76,7 +76,7 @@ METHOD(job_t, execute, job_requeue_t,
|
|||
}
|
||||
else
|
||||
{
|
||||
ike_sa->update_hosts(ike_sa, NULL, this->new, FALSE);
|
||||
ike_sa->update_hosts(ike_sa, NULL, this->new, 0);
|
||||
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
|
||||
}
|
||||
return JOB_REQUEUE_NONE;
|
||||
|
|
|
@ -1114,7 +1114,7 @@ METHOD(ike_sa_t, float_ports, void,
|
|||
}
|
||||
|
||||
METHOD(ike_sa_t, update_hosts, void,
|
||||
private_ike_sa_t *this, host_t *me, host_t *other, bool force)
|
||||
private_ike_sa_t *this, host_t *me, host_t *other, update_hosts_flag_t flags)
|
||||
{
|
||||
host_t *new_me = NULL, *new_other = NULL;
|
||||
bool silent = FALSE;
|
||||
|
@ -1138,18 +1138,18 @@ METHOD(ike_sa_t, update_hosts, void,
|
|||
}
|
||||
else
|
||||
{
|
||||
/* update our address in any case */
|
||||
if (force && !me->equals(me, this->my_host))
|
||||
/* update our address only if forced */
|
||||
if ((flags & UPDATE_HOSTS_FORCE_LOCAL) && !me->equals(me, this->my_host))
|
||||
{
|
||||
new_me = me;
|
||||
}
|
||||
|
||||
if (!other->equals(other, this->other_host) &&
|
||||
(force || has_condition(this, COND_NAT_THERE)))
|
||||
((flags & UPDATE_HOSTS_FORCE_REMOTE) || has_condition(this, COND_NAT_THERE)))
|
||||
{
|
||||
/* only update other's address if we are behind a static NAT,
|
||||
* which we assume is the case if we are not initiator */
|
||||
if (force ||
|
||||
if ((flags & UPDATE_HOSTS_FORCE_REMOTE) ||
|
||||
(!has_condition(this, COND_NAT_HERE) ||
|
||||
!has_condition(this, COND_ORIGINAL_INITIATOR)))
|
||||
{
|
||||
|
@ -1158,13 +1158,13 @@ METHOD(ike_sa_t, update_hosts, void,
|
|||
}
|
||||
}
|
||||
|
||||
if (new_me || new_other)
|
||||
if (new_me || new_other || (flags & UPDATE_HOSTS_FORCE_CHILDREN))
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
child_sa_t *child_sa;
|
||||
linked_list_t *vips;
|
||||
|
||||
if (!silent)
|
||||
if ((new_me || new_other) && !silent)
|
||||
{
|
||||
charon->bus->ike_update(charon->bus, &this->public,
|
||||
new_me ?: this->my_host,
|
||||
|
|
|
@ -28,6 +28,7 @@ typedef enum ike_extension_t ike_extension_t;
|
|||
typedef enum ike_condition_t ike_condition_t;
|
||||
typedef enum ike_sa_state_t ike_sa_state_t;
|
||||
typedef enum statistic_t statistic_t;
|
||||
typedef enum update_hosts_flag_t update_hosts_flag_t;
|
||||
typedef struct ike_sa_t ike_sa_t;
|
||||
|
||||
#include <library.h>
|
||||
|
@ -264,6 +265,25 @@ enum statistic_t {
|
|||
STAT_MAX
|
||||
};
|
||||
|
||||
/**
|
||||
* Flags used when updating addresses
|
||||
*/
|
||||
enum update_hosts_flag_t {
|
||||
/** Force updating the local address (otherwise not updated if an address
|
||||
* is already set). */
|
||||
UPDATE_HOSTS_FORCE_LOCAL = (1<<0),
|
||||
/** Force updating the remote address (otherwise only updated if peer is
|
||||
* behind a NAT). */
|
||||
UPDATE_HOSTS_FORCE_REMOTE = (1<<1),
|
||||
/** Force updating both addresses. */
|
||||
UPDATE_HOSTS_FORCE_ADDRS = UPDATE_HOSTS_FORCE_LOCAL|UPDATE_HOSTS_FORCE_REMOTE,
|
||||
/** Force updating the CHILD_SAs even if no addresses changed, useful if
|
||||
* NAT state may have changed. */
|
||||
UPDATE_HOSTS_FORCE_CHILDREN = (1<<2),
|
||||
/** Force updating everything. */
|
||||
UPDATE_HOSTS_FORCE_ALL = UPDATE_HOSTS_FORCE_ADDRS|UPDATE_HOSTS_FORCE_CHILDREN,
|
||||
};
|
||||
|
||||
/**
|
||||
* State of an IKE_SA.
|
||||
*
|
||||
|
@ -454,15 +474,16 @@ struct ike_sa_t {
|
|||
void (*float_ports)(ike_sa_t *this);
|
||||
|
||||
/**
|
||||
* Update the IKE_SAs host.
|
||||
* Update the IKE_SAs host and CHILD_SAs.
|
||||
*
|
||||
* Hosts may be NULL to use current host.
|
||||
*
|
||||
* @param me new local host address, or NULL
|
||||
* @param other new remote host address, or NULL
|
||||
* @param force force update
|
||||
* @param flags flags to force certain updates
|
||||
*/
|
||||
void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force);
|
||||
void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other,
|
||||
update_hosts_flag_t flags);
|
||||
|
||||
/**
|
||||
* Get the own identification.
|
||||
|
|
|
@ -1408,7 +1408,7 @@ METHOD(task_manager_t, process_message, status_t,
|
|||
}
|
||||
this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
|
||||
time_monotonic(NULL));
|
||||
this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
|
||||
this->ike_sa->update_hosts(this->ike_sa, me, other, UPDATE_HOSTS_FORCE_ADDRS);
|
||||
charon->bus->message(charon->bus, msg, TRUE, TRUE);
|
||||
if (process_response(this, msg) != SUCCESS)
|
||||
{
|
||||
|
@ -1528,7 +1528,7 @@ METHOD(task_manager_t, process_message, status_t,
|
|||
"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
|
||||
lib->ns));
|
||||
}
|
||||
this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
|
||||
this->ike_sa->update_hosts(this->ike_sa, me, other, UPDATE_HOSTS_FORCE_ADDRS);
|
||||
charon->bus->message(charon->bus, msg, TRUE, TRUE);
|
||||
if (process_request(this, msg) != SUCCESS)
|
||||
{
|
||||
|
|
|
@ -384,7 +384,8 @@ METHOD(task_t, process_r, status_t,
|
|||
|
||||
this->ike_sa->update_hosts(this->ike_sa,
|
||||
message->get_destination(message),
|
||||
message->get_source(message), TRUE);
|
||||
message->get_source(message),
|
||||
UPDATE_HOSTS_FORCE_ADDRS);
|
||||
|
||||
sa_payload = (sa_payload_t*)message->get_payload(message,
|
||||
PLV1_SECURITY_ASSOCIATION);
|
||||
|
|
|
@ -376,7 +376,8 @@ METHOD(task_t, process_r, status_t,
|
|||
|
||||
this->ike_sa->update_hosts(this->ike_sa,
|
||||
message->get_destination(message),
|
||||
message->get_source(message), TRUE);
|
||||
message->get_source(message),
|
||||
UPDATE_HOSTS_FORCE_ADDRS);
|
||||
|
||||
sa_payload = (sa_payload_t*)message->get_payload(message,
|
||||
PLV1_SECURITY_ASSOCIATION);
|
||||
|
|
|
@ -1649,8 +1649,10 @@ METHOD(task_manager_t, process_message, status_t,
|
|||
return FAILED;
|
||||
}
|
||||
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
|
||||
{ /* with MOBIKE, we do no implicit updates */
|
||||
this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
|
||||
{ /* only do implicit updates without MOBIKE, and only force
|
||||
* updates for IKE_AUTH (ports might change due to NAT-T) */
|
||||
this->ike_sa->update_hosts(this->ike_sa, me, other,
|
||||
mid == 1 ? UPDATE_HOSTS_FORCE_ADDRS : 0);
|
||||
}
|
||||
status = handle_fragment(this, &this->responding.defrag, msg);
|
||||
if (status != SUCCESS)
|
||||
|
@ -1718,11 +1720,11 @@ METHOD(task_manager_t, process_message, status_t,
|
|||
msg->get_exchange_type(msg) != IKE_SA_INIT)
|
||||
{ /* only do updates based on verified messages (or initial ones) */
|
||||
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
|
||||
{ /* with MOBIKE, we do no implicit updates. we force an
|
||||
* update of the local address on IKE_SA_INIT, but never
|
||||
* for the remote address */
|
||||
this->ike_sa->update_hosts(this->ike_sa, me, NULL, mid == 0);
|
||||
this->ike_sa->update_hosts(this->ike_sa, NULL, other, FALSE);
|
||||
{ /* only do implicit updates without MOBIKE, we force an
|
||||
* update of the local address on IKE_SA_INIT as we might
|
||||
* not know it yet, but never for the remote address */
|
||||
this->ike_sa->update_hosts(this->ike_sa, me, other,
|
||||
mid == 0 ? UPDATE_HOSTS_FORCE_LOCAL : 0);
|
||||
}
|
||||
}
|
||||
status = handle_fragment(this, &this->initiating.defrag, msg);
|
||||
|
|
Loading…
Reference in New Issue