kernel-netlink: Associate routes with IN policies instead of FWD policies
This allows us to install more than one FWD policy. We already do this in the kernel-pfkey plugin (there the original reason was that not all kernels support FWD policies).
This commit is contained in:
parent
89da06ace9
commit
c4387e991a
|
@ -463,7 +463,7 @@ static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t *this,
|
|||
}
|
||||
|
||||
typedef struct policy_sa_t policy_sa_t;
|
||||
typedef struct policy_sa_fwd_t policy_sa_fwd_t;
|
||||
typedef struct policy_sa_in_t policy_sa_in_t;
|
||||
|
||||
/**
|
||||
* Mapping between a policy and an IPsec SA.
|
||||
|
@ -480,10 +480,10 @@ struct policy_sa_t {
|
|||
};
|
||||
|
||||
/**
|
||||
* For forward policies we also cache the traffic selectors in order to install
|
||||
* For inbound policies we also cache the traffic selectors in order to install
|
||||
* the route.
|
||||
*/
|
||||
struct policy_sa_fwd_t {
|
||||
struct policy_sa_in_t {
|
||||
/** Generic interface */
|
||||
policy_sa_t generic;
|
||||
|
||||
|
@ -495,7 +495,7 @@ struct policy_sa_fwd_t {
|
|||
};
|
||||
|
||||
/**
|
||||
* Create a policy_sa(_fwd)_t object
|
||||
* Create a policy_sa(_in)_t object
|
||||
*/
|
||||
static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
|
||||
policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
|
||||
|
@ -504,14 +504,14 @@ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
|
|||
{
|
||||
policy_sa_t *policy;
|
||||
|
||||
if (dir == POLICY_FWD)
|
||||
if (dir == POLICY_IN)
|
||||
{
|
||||
policy_sa_fwd_t *fwd;
|
||||
INIT(fwd,
|
||||
policy_sa_in_t *in;
|
||||
INIT(in,
|
||||
.src_ts = src_ts->clone(src_ts),
|
||||
.dst_ts = dst_ts->clone(dst_ts),
|
||||
);
|
||||
policy = &fwd->generic;
|
||||
policy = &in->generic;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -523,16 +523,16 @@ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
|
|||
}
|
||||
|
||||
/**
|
||||
* Destroy a policy_sa(_fwd)_t object
|
||||
* Destroy a policy_sa(_in)_t object
|
||||
*/
|
||||
static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
|
||||
private_kernel_netlink_ipsec_t *this)
|
||||
{
|
||||
if (*dir == POLICY_FWD)
|
||||
if (*dir == POLICY_IN)
|
||||
{
|
||||
policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy;
|
||||
fwd->src_ts->destroy(fwd->src_ts);
|
||||
fwd->dst_ts->destroy(fwd->dst_ts);
|
||||
policy_sa_in_t *in = (policy_sa_in_t*)policy;
|
||||
in->src_ts->destroy(in->src_ts);
|
||||
in->dst_ts->destroy(in->dst_ts);
|
||||
}
|
||||
ipsec_sa_destroy(this, policy->sa);
|
||||
free(policy);
|
||||
|
@ -2243,14 +2243,14 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
|
|||
}
|
||||
|
||||
/* install a route, if:
|
||||
* - this is a forward policy (to just get one for each child)
|
||||
* - this is a inbound policy (to just get one for each child)
|
||||
* - we are in tunnel/BEET mode or install a bypass policy
|
||||
* - routing is not disabled via strongswan.conf
|
||||
*/
|
||||
if (policy->direction == POLICY_FWD && this->install_routes &&
|
||||
if (policy->direction == POLICY_IN && this->install_routes &&
|
||||
(mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
|
||||
{
|
||||
policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
|
||||
policy_sa_in_t *in = (policy_sa_in_t*)mapping;
|
||||
route_entry_t *route;
|
||||
host_t *iface;
|
||||
|
||||
|
@ -2258,10 +2258,10 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
|
|||
.prefixlen = policy->sel.prefixlen_s,
|
||||
);
|
||||
|
||||
if (charon->kernel->get_address_by_ts(charon->kernel, fwd->dst_ts,
|
||||
if (charon->kernel->get_address_by_ts(charon->kernel, in->dst_ts,
|
||||
&route->src_ip, NULL) == SUCCESS)
|
||||
{
|
||||
/* get the nexthop to src (src as we are in POLICY_FWD) */
|
||||
/* get the nexthop to src (src as we are in POLICY_IN) */
|
||||
if (!ipsec->src->is_anyaddr(ipsec->src))
|
||||
{
|
||||
route->gateway = charon->kernel->get_nexthop(charon->kernel,
|
||||
|
@ -2310,8 +2310,8 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
|
|||
old->src_ip, old->if_name) != SUCCESS)
|
||||
{
|
||||
DBG1(DBG_KNL, "error uninstalling route installed with "
|
||||
"policy %R === %R %N", fwd->src_ts,
|
||||
fwd->dst_ts, policy_dir_names,
|
||||
"policy %R === %R %N", in->src_ts,
|
||||
in->dst_ts, policy_dir_names,
|
||||
policy->direction);
|
||||
}
|
||||
route_entry_destroy(old);
|
||||
|
@ -2319,7 +2319,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
|
|||
}
|
||||
|
||||
DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
|
||||
fwd->src_ts, route->gateway, route->src_ip, route->if_name);
|
||||
in->src_ts, route->gateway, route->src_ip, route->if_name);
|
||||
switch (charon->kernel->add_route(charon->kernel, route->dst_net,
|
||||
route->prefixlen, route->gateway,
|
||||
route->src_ip, route->if_name))
|
||||
|
|
Loading…
Reference in New Issue