ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Merge branch 'passthrough-policies-priority' 

Introduces a new priority class for policies, which allows us to install
passthrough policies with a strictly higher priority than IPsec
policies, which was not the case previously depending on the traffic
selectors.
This commit is contained in:
Tobias Brunner 2014-06-19 14:24:48 +02:00
parent 3bf98189d7 2ef6f57456
commit 73b22aa842
32 changed files with 165 additions and 3298 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
conf/Makefile.am
View File

@ -56,7 +56,6 @@ plugins = \
plugins/imv-test.opt \
plugins/ipseckey.opt \
plugins/led.opt \
plugins/kernel-klips.opt \
plugins/kernel-libipsec.opt \
plugins/kernel-netlink.opt \
plugins/kernel-pfroute.opt \

5
conf/plugins/kernel-klips.opt
View File

@ -1,5 +0,0 @@
charon.plugins.kernel-klips.ipsec_dev_count = 4
Number of ipsecN devices.
charon.plugins.kernel-klips.ipsec_dev_mtu = 0
Set MTU of ipsecN device.

4
configure.ac
View File

@ -203,7 +203,6 @@ ARG_ENABL_SET([xauth-noauth], [enable XAuth pseudo-backend that does not actua
ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
ARG_ENABL_SET([kernel-pfkey], [enable the PF_KEY kernel interface.])
ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
ARG_ENABL_SET([kernel-klips], [enable the KLIPS kernel interface.])
ARG_ENABL_SET([kernel-libipsec],[enable the libipsec kernel interface.])
ARG_ENABL_SET([kernel-iph], [enable the Windows IP Helper based networking backend.])
ARG_ENABL_SET([kernel-wfp], [enable the Windows Filtering Platform IPsec backend.])
@ -1222,7 +1221,6 @@ ADD_PLUGIN([kernel-wfp], [c charon])
ADD_PLUGIN([kernel-iph], [c charon])
ADD_PLUGIN([kernel-pfkey], [h charon starter nm cmd])
ADD_PLUGIN([kernel-pfroute], [h charon starter nm cmd])
ADD_PLUGIN([kernel-klips], [h charon starter])
ADD_PLUGIN([kernel-netlink], [h charon starter nm cmd])
ADD_PLUGIN([resolve], [h charon cmd])
ADD_PLUGIN([socket-default], [c charon nm cmd])
@ -1442,7 +1440,6 @@ AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
# ---------------
AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
@ -1601,7 +1598,6 @@ AC_CONFIG_FILES([
src/libhydra/Makefile
src/libhydra/plugins/attr/Makefile
src/libhydra/plugins/attr_sql/Makefile
src/libhydra/plugins/kernel_klips/Makefile
src/libhydra/plugins/kernel_netlink/Makefile
src/libhydra/plugins/kernel_pfkey/Makefile
src/libhydra/plugins/kernel_pfroute/Makefile

43
src/libcharon/sa/shunt_manager.c
View File

@ -49,11 +49,24 @@ static bool install_shunt_policy(child_cfg_t *child)
traffic_selector_t *my_ts, *other_ts;
host_t *host_any;
policy_type_t policy_type;
policy_priority_t policy_prio;
status_t status = SUCCESS;
ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT };
policy_type = (child->get_mode(child) == MODE_PASS) ?
POLICY_PASS : POLICY_DROP;
switch (child->get_mode(child))
{
case MODE_PASS:
policy_type = POLICY_PASS;
policy_prio = POLICY_PRIORITY_PASS;
break;
case MODE_DROP:
policy_type = POLICY_DROP;
policy_prio = POLICY_PRIORITY_FALLBACK;
break;
default:
return FALSE;
}
my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL);
other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
host_any = host_create_any(AF_INET);
@ -70,21 +83,21 @@ static bool install_shunt_policy(child_cfg_t *child)
hydra->kernel_interface, host_any, host_any,
my_ts, other_ts, POLICY_OUT, policy_type,
&sa, child->get_mark(child, FALSE),
POLICY_PRIORITY_DEFAULT);
policy_prio);
/* install in policy */
status |= hydra->kernel_interface->add_policy(
hydra->kernel_interface, host_any, host_any,
other_ts, my_ts, POLICY_IN, policy_type,
&sa, child->get_mark(child, TRUE),
POLICY_PRIORITY_DEFAULT);
policy_prio);
/* install forward policy */
status |= hydra->kernel_interface->add_policy(
hydra->kernel_interface, host_any, host_any,
other_ts, my_ts, POLICY_FWD, policy_type,
&sa, child->get_mark(child, TRUE),
POLICY_PRIORITY_DEFAULT);
policy_prio);
}
e_other_ts->destroy(e_other_ts);
}
@ -137,8 +150,21 @@ static void uninstall_shunt_policy(child_cfg_t *child)
enumerator_t *e_my_ts, *e_other_ts;
linked_list_t *my_ts_list, *other_ts_list;
traffic_selector_t *my_ts, *other_ts;
policy_priority_t policy_prio;
status_t status = SUCCESS;
switch (child->get_mode(child))
{
case MODE_PASS:
policy_prio = POLICY_PRIORITY_PASS;
break;
case MODE_DROP:
policy_prio = POLICY_PRIORITY_FALLBACK;
break;
default:
return;
}
my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL);
other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
@ -153,19 +179,19 @@ static void uninstall_shunt_policy(child_cfg_t *child)
status |= hydra->kernel_interface->del_policy(
hydra->kernel_interface, my_ts, other_ts,
POLICY_OUT, 0, child->get_mark(child, FALSE),
POLICY_PRIORITY_DEFAULT);
policy_prio);
/* uninstall in policy */
status |= hydra->kernel_interface->del_policy(
hydra->kernel_interface, other_ts, my_ts,
POLICY_IN, 0, child->get_mark(child, TRUE),
POLICY_PRIORITY_DEFAULT);
policy_prio);
/* uninstall forward policy */
status |= hydra->kernel_interface->del_policy(
hydra->kernel_interface, other_ts, my_ts,
POLICY_FWD, 0, child->get_mark(child, TRUE),
POLICY_PRIORITY_DEFAULT);
policy_prio);
}
e_other_ts->destroy(e_other_ts);
}
@ -249,4 +275,3 @@ shunt_manager_t *shunt_manager_create()
return &this->public;
}

7
src/libhydra/Makefile.am
View File

@ -66,13 +66,6 @@ if MONOLITHIC
endif
endif
if USE_KERNEL_KLIPS
SUBDIRS += plugins/kernel_klips
if MONOLITHIC
libhydra_la_LIBADD += plugins/kernel_klips/libstrongswan-kernel-klips.la
endif
endif
if USE_KERNEL_NETLINK
SUBDIRS += plugins/kernel_netlink
if MONOLITHIC

18
src/libhydra/plugins/kernel_klips/Makefile.am
View File

@ -1,18 +0,0 @@
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libhydra
AM_CFLAGS = \
$(PLUGIN_CFLAGS)
if MONOLITHIC
noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
else
plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
endif
libstrongswan_kernel_klips_la_SOURCES = \
kernel_klips_plugin.h kernel_klips_plugin.c \
kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version

2653
src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
View File

File diff suppressed because it is too large Load Diff

46
src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.h
View File

@ -1,46 +0,0 @@
/*
* Copyright (C) 2008 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup kernel_klips_ipsec_i kernel_klips_ipsec
* @{ @ingroup kernel_klips
*/
#ifndef KERNEL_KLIPS_IPSEC_H_
#define KERNEL_KLIPS_IPSEC_H_
#include <kernel/kernel_ipsec.h>
typedef struct kernel_klips_ipsec_t kernel_klips_ipsec_t;
/**
* Implementation of the kernel ipsec interface using PF_KEY.
*/
struct kernel_klips_ipsec_t {
/**
* Implements kernel_ipsec_t interface
*/
kernel_ipsec_t interface;
};
/**
* Create a PF_KEY kernel ipsec interface instance.
*
* @return kernel_klips_ipsec_t instance
*/
kernel_klips_ipsec_t *kernel_klips_ipsec_create();
#endif /** KERNEL_KLIPS_IPSEC_H_ @}*/

76
src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
View File

@ -1,76 +0,0 @@
/*
* Copyright (C) 2008 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "kernel_klips_plugin.h"
#include "kernel_klips_ipsec.h"
#include <hydra.h>
typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t;
/**
* private data of kernel PF_KEY plugin
*/
struct private_kernel_klips_plugin_t {
/**
* implements plugin interface
*/
kernel_klips_plugin_t public;
};
METHOD(plugin_t, get_name, char*,
private_kernel_klips_plugin_t *this)
{
return "kernel-klips";
}
METHOD(plugin_t, get_features, int,
private_kernel_klips_plugin_t *this, plugin_feature_t *features[])
{
static plugin_feature_t f[] = {
PLUGIN_CALLBACK(kernel_ipsec_register, kernel_klips_ipsec_create),
PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
};
*features = f;
return countof(f);
}
METHOD(plugin_t, destroy, void,
private_kernel_klips_plugin_t *this)
{
free(this);
}
/*
* see header file
*/
plugin_t *kernel_klips_plugin_create()
{
private_kernel_klips_plugin_t *this;
INIT(this,
.public = {
.plugin = {
.get_name = _get_name,
.get_features = _get_features,
.destroy = _destroy,
},
},
);
return &this->public.plugin;
}

42
src/libhydra/plugins/kernel_klips/kernel_klips_plugin.h
View File

@ -1,42 +0,0 @@
/*
* Copyright (C) 2008 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup kernel_klips kernel_klips
* @ingroup hplugins
*
* @defgroup kernel_klips_plugin kernel_klips_plugin
* @{ @ingroup kernel_klips
*/
#ifndef KERNEL_KLIPS_PLUGIN_H_
#define KERNEL_KLIPS_PLUGIN_H_
#include <plugins/plugin.h>
typedef struct kernel_klips_plugin_t kernel_klips_plugin_t;
/**
* PF_KEY kernel interface plugin
*/
struct kernel_klips_plugin_t {
/**
* implements plugin interface
*/
plugin_t plugin;
};
#endif /** KERNEL_KLIPS_PLUGIN_H_ @}*/

322
src/libhydra/plugins/kernel_klips/pfkeyv2.h
View File

@ -1,322 +0,0 @@
/*
RFC 2367 PF_KEY Key Management API July 1998
Appendix D: Sample Header File
This file defines structures and symbols for the PF_KEY Version 2
key management interface. It was written at the U.S. Naval Research
Laboratory. This file is in the public domain. The authors ask that
you leave this credit intact on any copies of this file.
*/
#ifndef __PFKEY_V2_H
#define __PFKEY_V2_H 1
#define PF_KEY_V2 2
#define PFKEYV2_REVISION 199806L
#define SADB_RESERVED 0
#define SADB_GETSPI 1
#define SADB_UPDATE 2
#define SADB_ADD 3
#define SADB_DELETE 4
#define SADB_GET 5
#define SADB_ACQUIRE 6
#define SADB_REGISTER 7
#define SADB_EXPIRE 8
#define SADB_FLUSH 9
#define SADB_DUMP 10
#define SADB_X_PROMISC 11
#define SADB_X_PCHANGE 12
#define SADB_X_GRPSA 13
#define SADB_X_ADDFLOW 14
#define SADB_X_DELFLOW 15
#define SADB_X_DEBUG 16
#define SADB_X_NAT_T_NEW_MAPPING 17
#define SADB_MAX 17
struct sadb_msg {
uint8_t sadb_msg_version;
uint8_t sadb_msg_type;
uint8_t sadb_msg_errno;
uint8_t sadb_msg_satype;
uint16_t sadb_msg_len;
uint16_t sadb_msg_reserved;
uint32_t sadb_msg_seq;
uint32_t sadb_msg_pid;
};
struct sadb_ext {
uint16_t sadb_ext_len;
uint16_t sadb_ext_type;
};
struct sadb_sa {
uint16_t sadb_sa_len;
uint16_t sadb_sa_exttype;
uint32_t sadb_sa_spi;
uint8_t sadb_sa_replay;
uint8_t sadb_sa_state;
uint8_t sadb_sa_auth;
uint8_t sadb_sa_encrypt;
uint32_t sadb_sa_flags;
};
struct sadb_lifetime {
uint16_t sadb_lifetime_len;
uint16_t sadb_lifetime_exttype;
uint32_t sadb_lifetime_allocations;
uint64_t sadb_lifetime_bytes;
uint64_t sadb_lifetime_addtime;
uint64_t sadb_lifetime_usetime;
uint32_t sadb_x_lifetime_packets;
uint32_t sadb_x_lifetime_reserved;
};
struct sadb_address {
uint16_t sadb_address_len;
uint16_t sadb_address_exttype;
uint8_t sadb_address_proto;
uint8_t sadb_address_prefixlen;
uint16_t sadb_address_reserved;
};
struct sadb_key {
uint16_t sadb_key_len;
uint16_t sadb_key_exttype;
uint16_t sadb_key_bits;
uint16_t sadb_key_reserved;
};
struct sadb_ident {
uint16_t sadb_ident_len;
uint16_t sadb_ident_exttype;
uint16_t sadb_ident_type;
uint16_t sadb_ident_reserved;
uint64_t sadb_ident_id;
};
struct sadb_sens {
uint16_t sadb_sens_len;
uint16_t sadb_sens_exttype;
uint32_t sadb_sens_dpd;
uint8_t sadb_sens_sens_level;
uint8_t sadb_sens_sens_len;
uint8_t sadb_sens_integ_level;
uint8_t sadb_sens_integ_len;
uint32_t sadb_sens_reserved;
};
struct sadb_prop {
uint16_t sadb_prop_len;
uint16_t sadb_prop_exttype;
uint8_t sadb_prop_replay;
uint8_t sadb_prop_reserved[3];
};
struct sadb_comb {
uint8_t sadb_comb_auth;
uint8_t sadb_comb_encrypt;
uint16_t sadb_comb_flags;
uint16_t sadb_comb_auth_minbits;
uint16_t sadb_comb_auth_maxbits;
uint16_t sadb_comb_encrypt_minbits;
uint16_t sadb_comb_encrypt_maxbits;
uint32_t sadb_comb_reserved;
uint32_t sadb_comb_soft_allocations;
uint32_t sadb_comb_hard_allocations;
uint64_t sadb_comb_soft_bytes;
uint64_t sadb_comb_hard_bytes;
uint64_t sadb_comb_soft_addtime;
uint64_t sadb_comb_hard_addtime;
uint64_t sadb_comb_soft_usetime;
uint64_t sadb_comb_hard_usetime;
uint32_t sadb_x_comb_soft_packets;
uint32_t sadb_x_comb_hard_packets;
};
struct sadb_supported {
uint16_t sadb_supported_len;
uint16_t sadb_supported_exttype;
uint32_t sadb_supported_reserved;
};
struct sadb_alg {
uint8_t sadb_alg_id;
uint8_t sadb_alg_ivlen;
uint16_t sadb_alg_minbits;
uint16_t sadb_alg_maxbits;
uint16_t sadb_alg_reserved;
};
struct sadb_spirange {
uint16_t sadb_spirange_len;
uint16_t sadb_spirange_exttype;
uint32_t sadb_spirange_min;
uint32_t sadb_spirange_max;
uint32_t sadb_spirange_reserved;
};
struct sadb_x_kmprivate {
uint16_t sadb_x_kmprivate_len;
uint16_t sadb_x_kmprivate_exttype;
uint32_t sadb_x_kmprivate_reserved;
};
struct sadb_x_satype {
uint16_t sadb_x_satype_len;
uint16_t sadb_x_satype_exttype;
uint8_t sadb_x_satype_satype;
uint8_t sadb_x_satype_reserved[3];
};
struct sadb_x_debug {
uint16_t sadb_x_debug_len;
uint16_t sadb_x_debug_exttype;
uint32_t sadb_x_debug_tunnel;
uint32_t sadb_x_debug_netlink;
uint32_t sadb_x_debug_xform;
uint32_t sadb_x_debug_eroute;
uint32_t sadb_x_debug_spi;
uint32_t sadb_x_debug_radij;
uint32_t sadb_x_debug_esp;
uint32_t sadb_x_debug_ah;
uint32_t sadb_x_debug_rcv;
uint32_t sadb_x_debug_pfkey;
uint32_t sadb_x_debug_ipcomp;
uint32_t sadb_x_debug_verbose;
uint8_t sadb_x_debug_reserved[4];
};
struct sadb_x_nat_t_type {
uint16_t sadb_x_nat_t_type_len;
uint16_t sadb_x_nat_t_type_exttype;
uint8_t sadb_x_nat_t_type_type;
uint8_t sadb_x_nat_t_type_reserved[3];
};
struct sadb_x_nat_t_port {
uint16_t sadb_x_nat_t_port_len;
uint16_t sadb_x_nat_t_port_exttype;
uint16_t sadb_x_nat_t_port_port;
uint16_t sadb_x_nat_t_port_reserved;
};
/*
* A protocol structure for passing through the transport level
* protocol. It contains more fields than are actually used/needed
* but it is this way to be compatible with the structure used in
* OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
*/
struct sadb_protocol {
uint16_t sadb_protocol_len;
uint16_t sadb_protocol_exttype;
uint8_t sadb_protocol_proto;
uint8_t sadb_protocol_direction;
uint8_t sadb_protocol_flags;
uint8_t sadb_protocol_reserved2;
};
#define SADB_EXT_RESERVED 0
#define SADB_EXT_SA 1
#define SADB_EXT_LIFETIME_CURRENT 2
#define SADB_EXT_LIFETIME_HARD 3
#define SADB_EXT_LIFETIME_SOFT 4
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define SADB_EXT_ADDRESS_PROXY 7
#define SADB_EXT_KEY_AUTH 8
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_EXT_IDENTITY_SRC 10
#define SADB_EXT_IDENTITY_DST 11
#define SADB_EXT_SENSITIVITY 12
#define SADB_EXT_PROPOSAL 13
#define SADB_EXT_SUPPORTED_AUTH 14
#define SADB_EXT_SUPPORTED_ENCRYPT 15
#define SADB_EXT_SPIRANGE 16
#define SADB_X_EXT_KMPRIVATE 17
#define SADB_X_EXT_SATYPE2 18
#define SADB_X_EXT_SA2 19
#define SADB_X_EXT_ADDRESS_DST2 20
#define SADB_X_EXT_ADDRESS_SRC_FLOW 21
#define SADB_X_EXT_ADDRESS_DST_FLOW 22
#define SADB_X_EXT_ADDRESS_SRC_MASK 23
#define SADB_X_EXT_ADDRESS_DST_MASK 24
#define SADB_X_EXT_DEBUG 25
#define SADB_X_EXT_PROTOCOL 26
#define SADB_X_EXT_NAT_T_TYPE 27
#define SADB_X_EXT_NAT_T_SPORT 28
#define SADB_X_EXT_NAT_T_DPORT 29
#define SADB_X_EXT_NAT_T_OA 30
#define SADB_EXT_MAX 30
/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
#define SADB_X_EXT_ADDRESS_DELFLOW \
( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
| (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
| (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
| (1<<SADB_X_EXT_ADDRESS_DST_MASK))
#define SADB_SATYPE_UNSPEC 0
#define SADB_SATYPE_AH 2
#define SADB_SATYPE_ESP 3
#define SADB_SATYPE_RSVP 5
#define SADB_SATYPE_OSPFV2 6
#define SADB_SATYPE_RIPV2 7
#define SADB_SATYPE_MIP 8
#define SADB_X_SATYPE_IPIP 9
#define SADB_X_SATYPE_COMP 10
#define SADB_X_SATYPE_INT 11
#define SADB_SATYPE_MAX 11
#define SADB_SASTATE_LARVAL 0
#define SADB_SASTATE_MATURE 1
#define SADB_SASTATE_DYING 2
#define SADB_SASTATE_DEAD 3
#define SADB_SASTATE_MAX 3
#define SADB_SAFLAGS_PFS 1
#define SADB_X_SAFLAGS_REPLACEFLOW 2
#define SADB_X_SAFLAGS_CLEARFLOW 4
#define SADB_X_SAFLAGS_INFLOW 8
#define SADB_AALG_NONE 0
#define SADB_AALG_MD5HMAC 2
#define SADB_AALG_SHA1HMAC 3
#define SADB_AALG_SHA256_HMAC 5
#define SADB_AALG_SHA384_HMAC 6
#define SADB_AALG_SHA512_HMAC 7
#define SADB_AALG_RIPEMD160HMAC 8
#define SADB_AALG_MAX 15
#define SADB_EALG_NONE 0
#define SADB_EALG_DESCBC 2
#define SADB_EALG_3DESCBC 3
#define SADB_EALG_BFCBC 7
#define SADB_EALG_NULL 11
#define SADB_EALG_AESCBC 12
#define SADB_EALG_MAX 255
#define SADB_X_CALG_NONE 0
#define SADB_X_CALG_OUI 1
#define SADB_X_CALG_DEFLATE 2
#define SADB_X_CALG_LZS 3
#define SADB_X_CALG_V42BIS 4
#define SADB_X_CALG_MAX 4
#define SADB_X_TALG_NONE 0
#define SADB_X_TALG_IPv4_in_IPv4 1
#define SADB_X_TALG_IPv6_in_IPv4 2
#define SADB_X_TALG_IPv4_in_IPv6 3
#define SADB_X_TALG_IPv6_in_IPv6 4
#define SADB_X_TALG_MAX 4
#define SADB_IDENTTYPE_RESERVED 0
#define SADB_IDENTTYPE_PREFIX 1
#define SADB_IDENTTYPE_FQDN 2
#define SADB_IDENTTYPE_USERFQDN 3
#define SADB_X_IDENTTYPE_CONNECTION 4
#define SADB_IDENTTYPE_MAX 4
#define SADB_KEY_FLAGS_MAX 0
#endif /* __PFKEY_V2_H */

7
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
View File

@ -70,8 +70,8 @@
#define SOL_UDP IPPROTO_UDP
#endif
/** Default priority of installed policies */
#define PRIO_BASE 512
/** Base priority for installed policies */
#define PRIO_BASE 384
/** Default lifetime of an acquire XFRM state (in seconds) */
#define DEFAULT_ACQUIRE_LIFETIME 165
@ -606,6 +606,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
priority <<= 1;
/* fall-through */
case POLICY_PRIORITY_DEFAULT:
priority <<= 1;
/* fall-through */
case POLICY_PRIORITY_PASS:
break;
}
/* calculate priority based on selector size, small size = high prio */

7
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
View File

@ -135,8 +135,8 @@
#define SOL_UDP IPPROTO_UDP
#endif
/** default priority of installed policies */
#define PRIO_BASE 512
/** base priority for installed policies */
#define PRIO_BASE 384
#ifdef __APPLE__
/** from xnu/bsd/net/pfkeyv2.h */
@ -583,6 +583,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
priority <<= 1;
/* fall-through */
case POLICY_PRIORITY_DEFAULT:
priority <<= 1;
/* fall-trough */
case POLICY_PRIORITY_PASS:
break;
}
/* calculate priority based on selector size, small size = high prio */

5
src/libipsec/ipsec_policy_mgr.c
View File

@ -22,7 +22,7 @@
#include <collections/linked_list.h>
/** Base priority for installed policies */
#define PRIO_BASE 512
#define PRIO_BASE 384
typedef struct private_ipsec_policy_mgr_t private_ipsec_policy_mgr_t;
@ -88,6 +88,9 @@ static u_int32_t calculate_priority(policy_priority_t policy_priority,
priority <<= 1;
/* fall-through */
case POLICY_PRIORITY_DEFAULT:
priority <<= 1;
/* fall-through */
case POLICY_PRIORITY_PASS:
break;
}
/* calculate priority based on selector size, small size = high prio */

4
src/libstrongswan/ipsec/ipsec_types.h
View File

@ -90,7 +90,9 @@ enum policy_type_t {
* High-level priority of a policy.
*/
enum policy_priority_t {
/** Default priority */
/** Priority for passthrough policies */
POLICY_PRIORITY_PASS,
/** Priority for regular IPsec policies */
POLICY_PRIORITY_DEFAULT,
/** Priority for trap policies */
POLICY_PRIORITY_ROUTED,

7
testing/tests/ikev2/shunt-policies-nat-rw/description.txt Normal file
View File

@ -0,0 +1,7 @@
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway. In order to prevent
local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
shunt policy with <b>type=pass</b>.
<p/>
In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.

10
testing/tests/ikev2/shunt-policies-nat-rw/evaltest.dat Normal file
View File

@ -0,0 +1,10 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES

33
testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf → testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
View File

@ -8,7 +8,16 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn nat-t
left=%any
leftcert=aliceCert.pem
leftid=alice@strongswan.org
leftsourceip=%config
right=PH_IP_SUN
rightid=@sun.strongswan.org
rightsubnet=0.0.0.0/0
auto=add
conn local-net
leftsubnet=10.1.0.0/16
@ -16,25 +25,3 @@ conn local-net
authby=never
type=pass
auto=route
conn venus-icmp
leftsubnet=PH_IP_VENUS/32
rightsubnet=0.0.0.0/0
leftprotoport=icmp
rightprotoport=icmp
leftauth=any
rightauth=any
type=drop
auto=route
conn net-net
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
leftfirewall=yes
lefthostaccess=yes
right=PH_IP_SUN
rightid=@sun.strongswan.org
rightsubnet=0.0.0.0/0
auto=add

5
testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf → testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
View File

@ -1,6 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
multiple_authentication = no
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
keep_alive = 5
}

12
testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf → testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
View File

@ -6,17 +6,15 @@ conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyingtries=1
keyexchange=ikev2
mobike=no
conn net-net
conn nat-t
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
leftsubnet=0.0.0.0/0
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
leftsubnet=0.0.0.0/0
right=%any
rightsourceip=10.3.0.0/28
auto=add

24
testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules Normal file
View File

@ -0,0 +1,24 @@
*filter
# default policy is DROP
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
# allow IKE
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
# allow MobIKE
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
# allow ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
COMMIT

4
testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf → testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
View File

@ -1,7 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
multiple_authentication = no
install_routes = no
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
}

27
testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf Normal file
View File

@ -0,0 +1,27 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn nat-t
left=%any
leftcert=venusCert.pem
leftid=@venus.strongswan.org
leftsourceip=%config
right=PH_IP_SUN
rightid=@sun.strongswan.org
rightsubnet=0.0.0.0/0
auto=add
conn local-net
leftsubnet=10.1.0.0/16
rightsubnet=10.1.0.0/16
authby=never
type=pass
auto=route

7
testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf Normal file
View File

@ -0,0 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
keep_alive = 5
}

5
testing/tests/ikev2/shunt-policies-nat-rw/posttest.dat Normal file
View File

@ -0,0 +1,5 @@
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
sun::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -F

11
testing/tests/ikev2/shunt-policies-nat-rw/pretest.dat Normal file
View File

@ -0,0 +1,11 @@
sun::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
alice::ipsec start
venus::ipsec start
sun::ipsec start
alice::expect-connection nat-t
venus::expect-connection nat-t
sun::expect-connection nat-t
alice::ipsec up nat-t
venus::ipsec up nat-t

8
testing/tests/ikev2/shunt-policies/test.conf → testing/tests/ikev2/shunt-policies-nat-rw/test.conf
View File

@ -5,17 +5,17 @@
# All guest instances that are required for this test
#
VIRTHOSTS="alice moon winnetou sun bob"
VIRTHOSTS="alice venus moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-v-m-w-s-b.png"
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
TCPDUMPHOSTS="alice moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
IPSECHOSTS="alice venus sun"

11
testing/tests/ikev2/shunt-policies/description.txt
View File

@ -1,11 +0,0 @@
All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
In order for the shunt to work, automatic route insertion must be disabled
by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
<p/>
In order to demonstrate the use of <b>type=drop</b> shunt policies, the
<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
to use the IPsec tunnel by dropping such packets. Since this policy does not
apply to the localnet, <b>venus</b> and <b>moon</b> can still ping each other.

16
testing/tests/ikev2/shunt-policies/evaltest.dat
View File

@ -1,16 +0,0 @@
moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
venus::ssh PH_IP_BOB hostname::bob::YES
bob:: ssh PH_IP_VENUS hostname::venus::YES

32
testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
View File

@ -1,32 +0,0 @@
*filter
# default policy is DROP
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
# allow esp
-A INPUT -i eth0 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT
# allow IKE
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
# allow MobIKE
-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
# allow ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow crl fetch from winnetou
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
# allow icmp in local net
-A INPUT -i eth1 -p icmp -j ACCEPT
-A OUTPUT -o eth1 -p icmp -j ACCEPT
COMMIT

5
testing/tests/ikev2/shunt-policies/posttest.dat
View File

@ -1,5 +0,0 @@
moon::ipsec stop
sun::ipsec stop
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush

6
testing/tests/ikev2/shunt-policies/pretest.dat
View File

@ -1,6 +0,0 @@
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
moon::ipsec start
sun::ipsec start
moon::sleep 1
moon::ipsec up net-net