ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

kernel-netlink: Make interface ID configurable on SAs and policies

This commit is contained in:
Tobias Brunner 2019-02-01 17:29:20 +01:00
parent d1cd2a0541
commit b32c3ce8fe
2 changed files with 64 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/libcharon/kernel/kernel_ipsec.h
View File

@ -55,6 +55,8 @@ struct kernel_ipsec_sa_id_t {
uint8_t proto;
/** Optional mark */
mark_t mark;
/** Optional interface ID */
uint32_t if_id;
};
/**
@ -154,6 +156,8 @@ struct kernel_ipsec_policy_id_t {
traffic_selector_t *dst_ts;
/** Optional mark */
mark_t mark;
/** Optional interface ID */
uint32_t if_id;
/** Network interface restricting policy */
char *interface;
};

67
src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (C) 2006-2018 Tobias Brunner
* Copyright (C) 2006-2019 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2008-2016 Andreas Steffen
* Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
@ -430,6 +430,9 @@ struct ipsec_sa_t {
/** Optional mark */
mark_t mark;
/** Optional mark */
uint32_t if_id;
/** Description of this SA */
ipsec_sa_cfg_t cfg;
@ -445,7 +448,8 @@ static u_int ipsec_sa_hash(ipsec_sa_t *sa)
return chunk_hash_inc(sa->src->get_address(sa->src),
chunk_hash_inc(sa->dst->get_address(sa->dst),
chunk_hash_inc(chunk_from_thing(sa->mark),
chunk_hash(chunk_from_thing(sa->cfg)))));
chunk_hash_inc(chunk_from_thing(sa->if_id),
chunk_hash(chunk_from_thing(sa->cfg))))));
}
/**
@ -457,6 +461,7 @@ static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
sa->dst->ip_equals(sa->dst, other_sa->dst) &&
sa->mark.value == other_sa->mark.value &&
sa->mark.mask == other_sa->mark.mask &&
sa->if_id == other_sa->if_id &&
ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg);
}
@ -465,13 +470,14 @@ static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
*/
static ipsec_sa_t *ipsec_sa_create(private_kernel_netlink_ipsec_t *this,
host_t *src, host_t *dst, mark_t mark,
ipsec_sa_cfg_t *cfg)
uint32_t if_id, ipsec_sa_cfg_t *cfg)
{
ipsec_sa_t *sa, *found;
INIT(sa,
.src = src,
.dst = dst,
.mark = mark,
.if_id = if_id,
.cfg = *cfg,
);
found = this->sas->get(this->sas, sa);
@ -546,7 +552,7 @@ struct policy_sa_out_t {
static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts, mark_t mark,
ipsec_sa_cfg_t *cfg)
uint32_t if_id, ipsec_sa_cfg_t *cfg)
{
policy_sa_t *policy;
@ -564,7 +570,7 @@ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
INIT(policy, .priority = 0);
}
policy->type = type;
policy->sa = ipsec_sa_create(this, src, dst, mark, cfg);
policy->sa = ipsec_sa_create(this, src, dst, mark, if_id, cfg);
return policy;
}
@ -610,6 +616,9 @@ struct policy_entry_t {
/** Optional mark */
uint32_t mark;
/** Optional interface ID */
uint32_t if_id;
/** Associated route installed for this policy */
route_entry_t *route;
@ -651,7 +660,8 @@ static void policy_entry_destroy(private_kernel_netlink_ipsec_t *this,
static u_int policy_hash(policy_entry_t *key)
{
chunk_t chunk = chunk_from_thing(key->sel);
return chunk_hash_inc(chunk, chunk_hash(chunk_from_thing(key->mark)));
return chunk_hash_inc(chunk, chunk_hash_inc(chunk_from_thing(key->mark),
chunk_hash(chunk_from_thing(key->if_id))));
}
/**
@ -661,6 +671,7 @@ static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
{
return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
key->mark == other_key->mark &&
key->if_id == other_key->if_id &&
key->direction == other_key->direction;
}
@ -1577,6 +1588,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
.spi = htonl(ntohs(data->cpi)),
.proto = IPPROTO_COMP,
.mark = id->mark,
.if_id = id->if_id,
};
kernel_ipsec_add_sa_t ipcomp_sa = {
.reqid = data->reqid,
@ -1902,6 +1914,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
goto failed;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
goto failed;
}
if (ipcomp == IPCOMP_NONE && (data->mark.value | data->mark.mask))
{
if (!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK,
@ -2034,6 +2051,10 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
{
return;
}
if (sa->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, sa->if_id))
{
return;
}
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
@ -2132,6 +2153,10 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
{
return FAILED;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
return FAILED;
}
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
@ -2236,6 +2261,10 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
{
return FAILED;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
return FAILED;
}
switch (this->socket_xfrm->send_ack(this->socket_xfrm, hdr))
{
@ -2282,6 +2311,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
.spi = htonl(ntohs(data->cpi)),
.proto = IPPROTO_COMP,
.mark = id->mark,
.if_id = id->if_id,
};
kernel_ipsec_update_sa_t ipcomp = {
.new_src = data->new_src,
@ -2312,6 +2342,10 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
{
return FAILED;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
return FAILED;
}
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
@ -2786,6 +2820,12 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
policy_change_done(this, policy);
return FAILED;
}
if (ipsec->if_id &&
!add_uint32(hdr, sizeof(request), XFRMA_IF_ID, ipsec->if_id))
{
policy_change_done(this, policy);
return FAILED;
}
this->mutex->unlock(this->mutex);
status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
@ -2837,6 +2877,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
INIT(policy,
.sel = ts2selector(id->src_ts, id->dst_ts, id->interface),
.mark = id->mark.value & id->mark.mask,
.if_id = id->if_id,
.direction = id->dir,
.reqid = data->sa->reqid,
);
@ -2882,7 +2923,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
/* cache the assigned IPsec SA */
assigned_sa = policy_sa_create(this, id->dir, data->type, data->src,
data->dst, id->src_ts, id->dst_ts, id->mark, data->sa);
data->dst, id->src_ts, id->dst_ts, id->mark,
id->if_id, data->sa);
assigned_sa->auto_priority = get_priority(policy, data->prio, id->interface);
assigned_sa->priority = this->get_priority ? this->get_priority(id, data)
: data->manual_prio;
@ -2980,6 +3022,10 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
{
return FAILED;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
return FAILED;
}
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
@ -3048,6 +3094,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
.src = data->src,
.dst = data->dst,
.mark = id->mark,
.if_id = id->if_id,
.cfg = *data->sa,
};
char markstr[32] = "";
@ -3063,6 +3110,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
memset(&policy, 0, sizeof(policy_entry_t));
policy.sel = ts2selector(id->src_ts, id->dst_ts, id->interface);
policy.mark = id->mark.value & id->mark.mask;
policy.if_id = id->if_id;
policy.direction = id->dir;
/* find the policy */
@ -3153,6 +3201,11 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
policy_change_done(this, current);
return FAILED;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
policy_change_done(this, current);
return FAILED;
}
if (current->route)
{