vici: Add option to disable policy installation for CHILD_SAs

2015-08-05 11:01:10 +02:00 · 2015-08-05 11:01:10 +02:00 · 9322e5b398
parent 3665adef19
commit 9322e5b398
2 changed files with 12 additions and 1 deletions
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@ -391,7 +391,7 @@ typedef struct {
 	char* updown;
 	bool hostaccess;
 	bool ipcomp;
-	bool route;
+	bool policies;
 	ipsec_mode_t mode;
 	u_int32_t replay_window;
 	action_t dpd_action;
@ -426,6 +426,7 @@ static void log_child_data(child_data_t *data, char *name)
 	DBG2(DBG_CFG, "   hostaccess = %u", data->hostaccess);
 	DBG2(DBG_CFG, "   ipcomp = %u", data->ipcomp);
 	DBG2(DBG_CFG, "   mode = %N", ipsec_mode_names, data->mode);
+	DBG2(DBG_CFG, "   policies = %u", data->policies);
 	if (data->replay_window != REPLAY_UNDEFINED)
 	{
 		DBG2(DBG_CFG, "   replay_window = %u", data->replay_window);
@ -1249,6 +1250,7 @@ CALLBACK(child_kv, bool,
 		{ "updown",			parse_string,		&child->updown				},
 		{ "hostaccess",		parse_bool,			&child->hostaccess			},
 		{ "mode",			parse_mode,			&child->mode				},
+		{ "policies",		parse_bool,			&child->policies			},
 		{ "replay_window",	parse_uint32,		&child->replay_window		},
 		{ "rekey_time",		parse_time,			&child->lft.time.rekey		},
 		{ "life_time",		parse_time,			&child->lft.time.life		},
@ -1356,6 +1358,7 @@ CALLBACK(children_sn, bool,
 		.local_ts = linked_list_create(),
 		.remote_ts = linked_list_create(),
 		.mode = MODE_TUNNEL,
+		.policies = TRUE,
 		.replay_window = REPLAY_UNDEFINED,
 		.dpd_action = ACTION_NONE,
 		.start_action = ACTION_NONE,
@ -1459,6 +1462,8 @@ CALLBACK(children_sn, bool,
 						child.inactivity, child.reqid, &child.mark_in,
 						&child.mark_out, child.tfc);

+	cfg->set_mipv6_options(cfg, FALSE, child.policies);
+
 	if (child.replay_window != REPLAY_UNDEFINED)
 	{
 		cfg->set_replay_window(cfg, child.replay_window);
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@ -589,6 +589,12 @@ connections.<conn>.children.<child>.mode = tunnel
 	_pass_ and _drop_ are used to install shunt policies, which explicitly
 	bypass the defined traffic from IPsec processing, or drop it, respectively.

+connections.<conn>.children.<child>.policies = yes
+	Whether to install IPsec policies or not.
+
+	Whether to install IPsec policies or not. Disabling this can be useful in
+	some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon.
+
 connections.<conn>.children.<child>.dpd_action = clear
 	Action to perform on DPD timeout (_clear_, _trap_ or _restart_).