- fixed host-host tunnel traffic selection, host-host works now
This commit is contained in:
parent
1df544d063
commit
bd72398729
|
@ -24,6 +24,7 @@
|
||||||
|
|
||||||
#include <utils/linked_list.h>
|
#include <utils/linked_list.h>
|
||||||
#include <utils/identification.h>
|
#include <utils/identification.h>
|
||||||
|
#include <utils/logger_manager.h>
|
||||||
#include <arpa/inet.h>
|
#include <arpa/inet.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
|
@ -72,6 +73,11 @@ struct private_traffic_selector_t {
|
||||||
* end of port range
|
* end of port range
|
||||||
*/
|
*/
|
||||||
u_int16_t to_port;
|
u_int16_t to_port;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Logger reference
|
||||||
|
*/
|
||||||
|
logger_t *logger;
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -92,12 +98,18 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
|
||||||
u_int16_t from_port, to_port;
|
u_int16_t from_port, to_port;
|
||||||
private_traffic_selector_t *new_ts;
|
private_traffic_selector_t *new_ts;
|
||||||
|
|
||||||
|
/* TODO: make output more human readable */
|
||||||
|
this->logger->log(this->logger, CONTROL|LEVEL2,
|
||||||
|
"matching traffic selector ranges %x:%d-%x:%d <=> %x:%d-%x:%d",
|
||||||
|
this->from_addr_ipv4, this->from_port, this->to_addr_ipv4, this->to_port,
|
||||||
|
other->from_addr_ipv4, other->from_port, other->to_addr_ipv4, other->to_port);
|
||||||
/* calculate the maximum address range allowed for both */
|
/* calculate the maximum address range allowed for both */
|
||||||
from_addr = max(this->from_addr_ipv4, other->from_addr_ipv4);
|
from_addr = max(this->from_addr_ipv4, other->from_addr_ipv4);
|
||||||
to_addr = min(this->to_addr_ipv4, other->to_addr_ipv4);
|
to_addr = min(this->to_addr_ipv4, other->to_addr_ipv4);
|
||||||
if (from_addr > to_addr)
|
if (from_addr > to_addr)
|
||||||
{
|
{
|
||||||
/* no match */
|
this->logger->log(this->logger, CONTROL|LEVEL2,
|
||||||
|
"no match in address range");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -106,7 +118,8 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
|
||||||
to_port = min(this->to_port, other->to_port);
|
to_port = min(this->to_port, other->to_port);
|
||||||
if (from_port > to_port)
|
if (from_port > to_port)
|
||||||
{
|
{
|
||||||
/* no match */
|
this->logger->log(this->logger, CONTROL|LEVEL2,
|
||||||
|
"no match in port range");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -115,6 +128,10 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
|
||||||
new_ts->from_addr_ipv4 = from_addr;
|
new_ts->from_addr_ipv4 = from_addr;
|
||||||
new_ts->to_addr_ipv4 = to_addr;
|
new_ts->to_addr_ipv4 = to_addr;
|
||||||
new_ts->type = TS_IPV4_ADDR_RANGE;
|
new_ts->type = TS_IPV4_ADDR_RANGE;
|
||||||
|
|
||||||
|
this->logger->log(this->logger, CONTROL|LEVEL2,
|
||||||
|
"got a match: %x:%d-%x:%d",
|
||||||
|
new_ts->from_addr_ipv4, new_ts->from_port, new_ts->to_addr_ipv4, new_ts->to_port);
|
||||||
return &(new_ts->public);
|
return &(new_ts->public);
|
||||||
}
|
}
|
||||||
return NULL;
|
return NULL;
|
||||||
|
@ -256,7 +273,7 @@ static void update_address_range(private_traffic_selector_t *this, host_t *host)
|
||||||
/**
|
/**
|
||||||
* Implements traffic_selector_t.clone.
|
* Implements traffic_selector_t.clone.
|
||||||
*/
|
*/
|
||||||
static traffic_selector_t *clone(private_traffic_selector_t *this)
|
static traffic_selector_t *clone_(private_traffic_selector_t *this)
|
||||||
{
|
{
|
||||||
private_traffic_selector_t *clone = traffic_selector_create(this->protocol, this->type, this->from_port, this->to_port);
|
private_traffic_selector_t *clone = traffic_selector_create(this->protocol, this->type, this->from_port, this->to_port);
|
||||||
clone->type = this->type;
|
clone->type = this->type;
|
||||||
|
@ -335,8 +352,8 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, u_int8_t ne
|
||||||
this->from_addr_ipv4 = ntohl(*((u_int32_t*)from.ptr));
|
this->from_addr_ipv4 = ntohl(*((u_int32_t*)from.ptr));
|
||||||
if (this->from_addr_ipv4 == 0)
|
if (this->from_addr_ipv4 == 0)
|
||||||
{
|
{
|
||||||
/* use /32 for 0.0.0.0 */
|
/* use /0 for 0.0.0.0 */
|
||||||
this->to_addr_ipv4 = 0xFFFFFF;
|
this->to_addr_ipv4 = ~0;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
@ -413,13 +430,14 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts
|
||||||
this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol;
|
this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol;
|
||||||
this->public.get_netmask = (u_int8_t(*)(traffic_selector_t*))get_netmask;
|
this->public.get_netmask = (u_int8_t(*)(traffic_selector_t*))get_netmask;
|
||||||
this->public.update_address_range = (void(*)(traffic_selector_t*,host_t*))update_address_range;
|
this->public.update_address_range = (void(*)(traffic_selector_t*,host_t*))update_address_range;
|
||||||
this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone;
|
this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone_;
|
||||||
this->public.destroy = (void(*)(traffic_selector_t*))destroy;
|
this->public.destroy = (void(*)(traffic_selector_t*))destroy;
|
||||||
|
|
||||||
this->from_port = from_port;
|
this->from_port = from_port;
|
||||||
this->to_port = to_port;
|
this->to_port = to_port;
|
||||||
this->protocol = protocol;
|
this->protocol = protocol;
|
||||||
this->type = type;
|
this->type = type;
|
||||||
|
this->logger = logger_manager->get_logger(logger_manager, CONFIG);
|
||||||
|
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
|
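Review bot: `this->to_addr_ipv4 = ~0;` in traffic_selector_create_from_subnet silently widens a 0.0.0.0 subnet to the entire IPv4 range, and the only explanation is the one-word comment `/* use /0 for 0.0.0.0 */`; the resulting selector is presumably narrowed only by the intersection that get_subset computes against the peer's selector. Make that explicit with `/* 0.0.0.0 is a wildcard: cover the whole IPv4 space and rely on get_subset to narrow it to the peer's range */`, and write the constant as `0xFFFFFFFF` rather than the signed `~0` so the int-to-u_int32_t conversion is not implicit. How get_netmask reports this all-ones range is outside the hunk and worth checking. The new get_subset logging prints raw hex addresses under a TODO; say what the readable form should be (dotted quad) so the TODO does not linger.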
@ -318,7 +318,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
|
||||||
{
|
{
|
||||||
this->logger->log(this->logger, CONTROL, "No CHILD_SA requested, no CHILD_SA built");
|
this->logger->log(this->logger, CONTROL, "No CHILD_SA requested, no CHILD_SA built");
|
||||||
}
|
}
|
||||||
if (!this->proposal)
|
else if (!this->proposal)
|
||||||
{
|
{
|
||||||
this->logger->log(this->logger, CONTROL, "Proposal negotiation failed, no CHILD_SA built");
|
this->logger->log(this->logger, CONTROL, "Proposal negotiation failed, no CHILD_SA built");
|
||||||
this->child_sa->destroy(this->child_sa);
|
this->child_sa->destroy(this->child_sa);
|
||||||
|
|
|
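Review bot: The branch that now becomes `else if (!this->proposal)` destroys `this->child_sa` but, within the hunk, never clears the pointer; unless a line outside the hunk does, a later state can reach a freed object. Add `this->child_sa = NULL;` directly after `this->child_sa->destroy(this->child_sa);`. The switch to `else if` makes the "no CHILD_SA requested" and "proposal failed" cases exclusive, which is the actual fix; a comment such as `/* only evaluate the proposal when a CHILD_SA was actually requested */` keeps that intent visible. process_message starts and ends outside the hunk.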
@ -225,7 +225,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
|
||||||
u_int64_t responder_spi;
|
u_int64_t responder_spi;
|
||||||
ike_sa_id_t *ike_sa_id;
|
ike_sa_id_t *ike_sa_id;
|
||||||
iterator_t *payloads;
|
iterator_t *payloads;
|
||||||
host_t *me;
|
host_t *me, *other;
|
||||||
connection_t *connection;
|
connection_t *connection;
|
||||||
policy_t *policy;
|
policy_t *policy;
|
||||||
|
|
||||||
|
@ -357,9 +357,12 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
|
||||||
/* apply the address on wich we really received the packet */
|
/* apply the address on wich we really received the packet */
|
||||||
connection = this->ike_sa->get_connection(this->ike_sa);
|
connection = this->ike_sa->get_connection(this->ike_sa);
|
||||||
me = ike_sa_init_reply->get_destination(ike_sa_init_reply);
|
me = ike_sa_init_reply->get_destination(ike_sa_init_reply);
|
||||||
|
other = ike_sa_init_reply->get_source(ike_sa_init_reply);
|
||||||
connection->update_my_host(connection, me->clone(me));
|
connection->update_my_host(connection, me->clone(me));
|
||||||
|
connection->update_other_host(connection, other->clone(other));
|
||||||
policy = this->ike_sa->get_policy(this->ike_sa);
|
policy = this->ike_sa->get_policy(this->ike_sa);
|
||||||
policy->update_my_ts(policy, me);
|
policy->update_my_ts(policy, me);
|
||||||
|
policy->update_other_ts(policy, other);
|
||||||
|
|
||||||
/* build empty message */
|
/* build empty message */
|
||||||
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
|
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
|
||||||
|
|
|
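Review bot: The new `other` is the source address of the IKE_SA_INIT reply, and both `connection->update_other_host` and `policy->update_other_ts` are now driven by it before the peer has authenticated; that is presumably intended since IKE_AUTH follows, but it deserves a comment: `/* other's address comes from the not yet authenticated reply; IKE_AUTH must still succeed before a CHILD_SA is built */`. Ownership is also mixed: `update_other_host` receives `other->clone(other)` while `update_other_ts` receives `other` itself, so whether update_other_ts copies or keeps a reference is not visible here and should be stated. The same clone/borrow split already exists for `me`, so a one-line note on the update_*_ts contract would cover both. process_message starts and ends outside the hunk.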
@ -411,6 +411,7 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
|
||||||
my_id = this->policy->get_my_id(this->policy);
|
my_id = this->policy->get_my_id(this->policy);
|
||||||
|
|
||||||
/* update others traffic selectors with actually used address */
|
/* update others traffic selectors with actually used address */
|
||||||
|
this->policy->update_my_ts(this->policy, response->get_source(response));
|
||||||
this->policy->update_other_ts(this->policy, response->get_destination(response));
|
this->policy->update_other_ts(this->policy, response->get_destination(response));
|
||||||
|
|
||||||
/* set policy in ike_sa for other states */
|
/* set policy in ike_sa for other states */
|
||||||
|
|
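Review bot: The added `update_my_ts` call sits under `/* update others traffic selectors with actually used address */`, which now describes only half of what the block does. Change it to `/* update both traffic selectors with the addresses actually used for this exchange */`. `response->get_source(response)` appears to be our own address here (the response being built), which is why it feeds update_my_ts; that mapping is easy to misread as the peer's address, so the comment should name it. build_idr_payload starts and ends outside the hunk.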