Merge branch 'ike-dscp'
commit
e212033ef2
|
@ -452,6 +452,11 @@ suites, the strict flag
|
|||
exclamation mark) can be used, e.g:
|
||||
.BR aes256-sha512-modp4096!
|
||||
.TP
|
||||
.BR ikedscp " = " 000000 " | <DSCP field>"
|
||||
Differentiated Services Field Codepoint to set on outgoing IKE packets sent
|
||||
from this connection. The value is a six digit binary encoded string defining
|
||||
the Codepoint to set, as defined in RFC 2474.
|
||||
.TP
|
||||
.BR ikelifetime " = " 3h " | <time>"
|
||||
how long the keying channel of a connection (ISAKMP or IKE SA)
|
||||
should last before being renegotiated. Also see EXPIRY/REKEY below.
|
||||
|
|
|
@ -501,7 +501,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
|
|||
ike_cfg = ike_cfg_create(IKEV2, TRUE, encap, "0.0.0.0", FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
(char*)address, FALSE, IKEV2_UDP_PORT,
|
||||
FRAGMENTATION_NO);
|
||||
FRAGMENTATION_NO, 0);
|
||||
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
|
||||
peer_cfg = peer_cfg_create(priv->name, ike_cfg,
|
||||
CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
|
||||
|
@ -718,4 +718,3 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
|
|||
}
|
||||
return plugin;
|
||||
}
|
||||
|
||||
|
|
|
@ -107,7 +107,7 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
|
|||
settings->get_int(settings, "configs.%s.lport", 500, config),
|
||||
settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE,
|
||||
settings->get_int(settings, "configs.%s.rport", 500, config),
|
||||
FRAGMENTATION_NO);
|
||||
FRAGMENTATION_NO, 0);
|
||||
token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
|
||||
if (token)
|
||||
{
|
||||
|
|
|
@ -472,7 +472,7 @@ static job_requeue_t initiate(private_android_service_t *this)
|
|||
ike_cfg = ike_cfg_create(IKEV2, TRUE, TRUE, "0.0.0.0", FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
this->gateway, FALSE, IKEV2_UDP_PORT,
|
||||
FRAGMENTATION_NO);
|
||||
FRAGMENTATION_NO, 0);
|
||||
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
|
||||
|
||||
peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
|
||||
|
|
|
@ -94,6 +94,11 @@ struct private_ike_cfg_t {
|
|||
*/
|
||||
fragmentation_t fragmentation;
|
||||
|
||||
/**
|
||||
* DSCP value to use on sent IKE packets
|
||||
*/
|
||||
u_int8_t dscp;
|
||||
|
||||
/**
|
||||
* List of proposals to use
|
||||
*/
|
||||
|
@ -156,6 +161,12 @@ METHOD(ike_cfg_t, get_other_port, u_int16_t,
|
|||
return this->other_port;
|
||||
}
|
||||
|
||||
METHOD(ike_cfg_t, get_dscp, u_int8_t,
|
||||
private_ike_cfg_t *this)
|
||||
{
|
||||
return this->dscp;
|
||||
}
|
||||
|
||||
METHOD(ike_cfg_t, add_proposal, void,
|
||||
private_ike_cfg_t *this, proposal_t *proposal)
|
||||
{
|
||||
|
@ -312,7 +323,7 @@ METHOD(ike_cfg_t, destroy, void,
|
|||
ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
|
||||
char *me, bool my_allow_any, u_int16_t my_port,
|
||||
char *other, bool other_allow_any, u_int16_t other_port,
|
||||
fragmentation_t fragmentation)
|
||||
fragmentation_t fragmentation, u_int8_t dscp)
|
||||
{
|
||||
private_ike_cfg_t *this;
|
||||
|
||||
|
@ -326,6 +337,7 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
|
|||
.get_other_addr = _get_other_addr,
|
||||
.get_my_port = _get_my_port,
|
||||
.get_other_port = _get_other_port,
|
||||
.get_dscp = _get_dscp,
|
||||
.add_proposal = _add_proposal,
|
||||
.get_proposals = _get_proposals,
|
||||
.select_proposal = _select_proposal,
|
||||
|
@ -345,6 +357,7 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
|
|||
.other_allow_any = other_allow_any,
|
||||
.my_port = my_port,
|
||||
.other_port = other_port,
|
||||
.dscp = dscp,
|
||||
.proposals = linked_list_create(),
|
||||
);
|
||||
|
||||
|
|
|
@ -107,6 +107,13 @@ struct ike_cfg_t {
|
|||
*/
|
||||
u_int16_t (*get_other_port)(ike_cfg_t *this);
|
||||
|
||||
/**
|
||||
* Get the DSCP value to use for IKE packets send from connections.
|
||||
*
|
||||
* @return DSCP value
|
||||
*/
|
||||
u_int8_t (*get_dscp)(ike_cfg_t *this);
|
||||
|
||||
/**
|
||||
* Adds a proposal to the list.
|
||||
*
|
||||
|
@ -205,11 +212,12 @@ struct ike_cfg_t {
|
|||
* @param other_allow_any allow override of remote address by any address
|
||||
* @param other_port IKE port to use as dest, 500 uses IKEv2 port floating
|
||||
* @param fragmentation use IKEv1 fragmentation
|
||||
* @param dscp DSCP value to send IKE packets with
|
||||
* @return ike_cfg_t object.
|
||||
*/
|
||||
ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
|
||||
char *me, bool my_allow_any, u_int16_t my_port,
|
||||
char *other, bool other_allow_any, u_int16_t other_port,
|
||||
fragmentation_t fragmentation);
|
||||
fragmentation_t fragmentation, u_int8_t dscp);
|
||||
|
||||
#endif /** IKE_CFG_H_ @}*/
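Review bot: The doc comment on the new `get_dscp` member reads `to use for IKE packets send from connections`; it should be `sent`. The `@param dscp` line of `ike_cfg_create` could also state the range the rest of the stack relies on, e.g. `@param dscp DSCP value (0..63) to send IKE packets with`, since the creator stores the value unchecked in a `u_int8_t` and the socket layer shifts it into the TOS byte elsewhere in this commit. The earlier hunk of this header (the `get_dscp` declaration) is where the wording fix applies.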
|
||||
|
|
|
@ -266,7 +266,8 @@ static job_requeue_t initiate(private_android_service_t *this)
|
|||
|
||||
ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
|
||||
hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO,
|
||||
0);
|
||||
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
|
||||
|
||||
peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
|
||||
|
@ -386,4 +387,3 @@ android_service_t *android_service_create(android_creds_t *creds)
|
|||
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
|
|
|
@ -205,7 +205,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
|
|||
/* create config and backend */
|
||||
ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local, FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
remote, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
|
||||
remote, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
|
||||
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
|
||||
peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND,
|
||||
UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, 30,
|
||||
|
@ -288,4 +288,3 @@ ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret)
|
|||
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
|
|
|
@ -491,7 +491,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
|
|||
ike_cfg = ike_cfg_create(this->version, TRUE, FALSE,
|
||||
local, FALSE, this->port + num - 1,
|
||||
remote, FALSE, IKEV2_NATT_PORT,
|
||||
FRAGMENTATION_NO);
|
||||
FRAGMENTATION_NO, 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -499,7 +499,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
|
|||
local, FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
remote, FALSE, IKEV2_UDP_PORT,
|
||||
FRAGMENTATION_NO);
|
||||
FRAGMENTATION_NO, 0);
|
||||
}
|
||||
ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
|
||||
peer_cfg = peer_cfg_create("load-test", ike_cfg,
|
||||
|
|
|
@ -325,7 +325,8 @@ static gboolean initiate_connection(private_maemo_service_t *this,
|
|||
|
||||
ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
|
||||
hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO,
|
||||
0);
|
||||
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
|
||||
|
||||
peer_cfg = peer_cfg_create(this->current, ike_cfg,
|
||||
|
@ -524,4 +525,3 @@ maemo_service_t *maemo_service_create()
|
|||
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
|
|
|
@ -105,7 +105,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
|
|||
ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
|
||||
"0.0.0.0", FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
|
||||
address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
|
||||
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
|
||||
med_cfg = peer_cfg_create(
|
||||
"mediation", ike_cfg,
|
||||
|
@ -381,7 +381,7 @@ medcli_config_t *medcli_config_create(database_t *db)
|
|||
"0.0.0.0", FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
"0.0.0.0", FALSE, IKEV2_UDP_PORT,
|
||||
FRAGMENTATION_NO),
|
||||
FRAGMENTATION_NO, 0),
|
||||
);
|
||||
this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
|
||||
|
||||
|
@ -389,4 +389,3 @@ medcli_config_t *medcli_config_create(database_t *db)
|
|||
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
|
|
|
@ -143,10 +143,9 @@ medsrv_config_t *medsrv_config_create(database_t *db)
|
|||
"0.0.0.0", FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
"0.0.0.0", FALSE, IKEV2_UDP_PORT,
|
||||
FRAGMENTATION_NO),
|
||||
FRAGMENTATION_NO, 0),
|
||||
);
|
||||
this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
|
||||
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
|
|
|
@ -55,6 +55,9 @@
|
|||
#ifndef SOL_IPV6
|
||||
#define SOL_IPV6 IPPROTO_IPV6
|
||||
#endif
|
||||
#ifndef IPV6_TCLASS
|
||||
#define IPV6_TCLASS 67
|
||||
#endif
|
||||
|
||||
/* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
|
||||
* previously defined IPV6_PKTINFO */
|
||||
|
@ -112,6 +115,26 @@ struct private_socket_default_socket_t {
|
|||
*/
|
||||
int ipv6_natt;
|
||||
|
||||
/**
|
||||
* DSCP value set on IPv4 socket
|
||||
*/
|
||||
u_int8_t dscp4;
|
||||
|
||||
/**
|
||||
* DSCP value set on IPv4 socket for NAT-T (4500 or natt)
|
||||
*/
|
||||
u_int8_t dscp4_natt;
|
||||
|
||||
/**
|
||||
* DSCP value set on IPv6 socket (500 or port)
|
||||
*/
|
||||
u_int8_t dscp6;
|
||||
|
||||
/**
|
||||
* DSCP value set on IPv6 socket for NAT-T (4500 or natt)
|
||||
*/
|
||||
u_int8_t dscp6_natt;
|
||||
|
||||
/**
|
||||
* Maximum packet size to receive
|
||||
*/
|
||||
|
@ -310,6 +333,7 @@ METHOD(socket_t, sender, status_t,
|
|||
struct msghdr msg;
|
||||
struct cmsghdr *cmsg;
|
||||
struct iovec iov;
|
||||
u_int8_t *dscp;
|
||||
|
||||
src = packet->get_source(packet);
|
||||
dst = packet->get_destination(packet);
|
||||
|
@ -322,24 +346,34 @@ METHOD(socket_t, sender, status_t,
|
|||
family = dst->get_family(dst);
|
||||
if (sport == 0 || sport == this->port)
|
||||
{
|
||||
if (family == AF_INET)
|
||||
switch (family)
|
||||
{
|
||||
skt = this->ipv4;
|
||||
}
|
||||
else
|
||||
{
|
||||
skt = this->ipv6;
|
||||
case AF_INET:
|
||||
skt = this->ipv4;
|
||||
dscp = &this->dscp4;
|
||||
break;
|
||||
case AF_INET6:
|
||||
skt = this->ipv6;
|
||||
dscp = &this->dscp6;
|
||||
break;
|
||||
default:
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
else if (sport == this->natt)
|
||||
{
|
||||
if (family == AF_INET)
|
||||
switch (family)
|
||||
{
|
||||
skt = this->ipv4_natt;
|
||||
}
|
||||
else
|
||||
{
|
||||
skt = this->ipv6_natt;
|
||||
case AF_INET:
|
||||
skt = this->ipv4_natt;
|
||||
dscp = &this->dscp4_natt;
|
||||
break;
|
||||
case AF_INET6:
|
||||
skt = this->ipv6_natt;
|
||||
dscp = &this->dscp6_natt;
|
||||
break;
|
||||
default:
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
else
|
||||
|
@ -348,6 +382,43 @@ METHOD(socket_t, sender, status_t,
|
|||
return FAILED;
|
||||
}
|
||||
|
||||
/* setting DSCP values per-packet in a cmsg seems not to be supported
|
||||
* on Linux. We instead setsockopt() before sending it, this should be
|
||||
* safe as only a single thread calls send(). */
|
||||
if (*dscp != packet->get_dscp(packet))
|
||||
{
|
||||
if (family == AF_INET)
|
||||
{
|
||||
u_int8_t ds4;
|
||||
|
||||
ds4 = packet->get_dscp(packet) << 2;
|
||||
if (setsockopt(skt, SOL_IP, IP_TOS, &ds4, sizeof(ds4)) == 0)
|
||||
{
|
||||
*dscp = packet->get_dscp(packet);
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_NET, "unable to set IP_TOS on socket: %s",
|
||||
strerror(errno));
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
u_int ds6;
|
||||
|
||||
ds6 = packet->get_dscp(packet) << 2;
|
||||
if (setsockopt(skt, SOL_IPV6, IPV6_TCLASS, &ds6, sizeof(ds6)) == 0)
|
||||
{
|
||||
*dscp = packet->get_dscp(packet);
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_NET, "unable to set IPV6_TCLASS on socket: %s",
|
||||
strerror(errno));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
memset(&msg, 0, sizeof(struct msghdr));
|
||||
msg.msg_name = dst->get_sockaddr(dst);;
|
||||
msg.msg_namelen = *dst->get_sockaddr_len(dst);
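Review bot: The DSCP-to-TOS conversion at `ds4 = packet->get_dscp(packet) << 2;` (and its IPv6 twin at `ds6 = packet->get_dscp(packet) << 2;`) never bounds the value to the six-bit DSCP field, so a configured value above 63 is silently truncated by the `u_int8_t` store and the packet leaves with a different code point than intended, with nothing logged. `packet->get_dscp(packet)` is also evaluated four times in the block. Reading it once into a masked local and reusing it in the comparison, both shifts and both cache updates addresses both; the setsockopt and DBG1 branches stay as they are. The authoritative range check belongs where the value is parsed, but this socket layer is shared by every backend that calls `ike_cfg_create`, so the mask is a cheap backstop. sender's body continues outside the hunk.
```c
	/* DSCP is a six-bit field; mask so an oversized value cannot be
	 * silently truncated into a different code point */
	u_int8_t ds = packet->get_dscp(packet) & 0x3F;

	if (*dscp != ds)
	{
		if (family == AF_INET)
		{
			u_int8_t ds4 = ds << 2;
			/* … unchanged: setsockopt(skt, SOL_IP, IP_TOS, …) and DBG1 on failure … */
			*dscp = ds;	/* on setsockopt() success, as before */
		}
		else
		{
			u_int ds6 = ds << 2;
			/* … unchanged: setsockopt(skt, SOL_IPV6, IPV6_TCLASS, …) and DBG1 on failure … */
			*dscp = ds;	/* on setsockopt() success, as before */
		}
	}
```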
|
||||
|
@ -433,22 +504,24 @@ static int open_socket(private_socket_default_socket_t *this,
|
|||
int family, u_int16_t *port)
|
||||
{
|
||||
int on = TRUE;
|
||||
struct sockaddr_storage addr;
|
||||
union {
|
||||
struct sockaddr sockaddr;
|
||||
struct sockaddr_in sin;
|
||||
struct sockaddr_in6 sin6;
|
||||
} addr;
|
||||
socklen_t addrlen;
|
||||
u_int sol, pktinfo = 0;
|
||||
int skt;
|
||||
|
||||
memset(&addr, 0, sizeof(addr));
|
||||
addr.ss_family = family;
|
||||
addr.sockaddr.sa_family = family;
|
||||
/* precalculate constants depending on address family */
|
||||
switch (family)
|
||||
{
|
||||
case AF_INET:
|
||||
{
|
||||
struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
|
||||
htoun32(&sin->sin_addr.s_addr, INADDR_ANY);
|
||||
htoun16(&sin->sin_port, *port);
|
||||
addrlen = sizeof(struct sockaddr_in);
|
||||
addr.sin.sin_addr.s_addr = htonl(INADDR_ANY);
|
||||
addr.sin.sin_port = htons(*port);
|
||||
addrlen = sizeof(addr.sin);
|
||||
sol = SOL_IP;
|
||||
#ifdef IP_PKTINFO
|
||||
pktinfo = IP_PKTINFO;
|
||||
|
@ -456,17 +529,13 @@ static int open_socket(private_socket_default_socket_t *this,
|
|||
pktinfo = IP_RECVDSTADDR;
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
case AF_INET6:
|
||||
{
|
||||
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
|
||||
memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
|
||||
htoun16(&sin6->sin6_port, *port);
|
||||
addrlen = sizeof(struct sockaddr_in6);
|
||||
memcpy(&addr.sin6.sin6_addr, &in6addr_any, sizeof(in6addr_any));
|
||||
addr.sin6.sin6_port = htons(*port);
|
||||
addrlen = sizeof(addr.sin6);
|
||||
sol = SOL_IPV6;
|
||||
pktinfo = IPV6_RECVPKTINFO;
|
||||
break;
|
||||
}
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
|
@ -485,7 +554,7 @@ static int open_socket(private_socket_default_socket_t *this,
|
|||
}
|
||||
|
||||
/* bind the socket */
|
||||
if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
|
||||
if (bind(skt, &addr.sockaddr, addrlen) < 0)
|
||||
{
|
||||
DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
|
||||
close(skt);
|
||||
|
@ -495,7 +564,7 @@ static int open_socket(private_socket_default_socket_t *this,
|
|||
/* retrieve randomly allocated port if needed */
|
||||
if (*port == 0)
|
||||
{
|
||||
if (getsockname(skt, (struct sockaddr *)&addr, &addrlen) < 0)
|
||||
if (getsockname(skt, &addr.sockaddr, &addrlen) < 0)
|
||||
{
|
||||
DBG1(DBG_NET, "unable to determine port: %s", strerror(errno));
|
||||
close(skt);
|
||||
|
@ -504,17 +573,11 @@ static int open_socket(private_socket_default_socket_t *this,
|
|||
switch (family)
|
||||
{
|
||||
case AF_INET:
|
||||
{
|
||||
struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
|
||||
*port = untoh16(&sin->sin_port);
|
||||
*port = ntohs(addr.sin.sin_port);
|
||||
break;
|
||||
}
|
||||
case AF_INET6:
|
||||
{
|
||||
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
|
||||
*port = untoh16(&sin6->sin6_port);
|
||||
*port = ntohs(addr.sin6.sin6_port);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -642,4 +705,3 @@ socket_default_socket_t *socket_default_socket_create()
|
|||
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
|
|
|
@ -262,7 +262,7 @@ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
|
|||
local, FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
remote, FALSE, IKEV2_UDP_PORT,
|
||||
FRAGMENTATION_NO);
|
||||
FRAGMENTATION_NO, 0);
|
||||
add_ike_proposals(this, ike_cfg, id);
|
||||
return ike_cfg;
|
||||
}
|
||||
|
@ -620,4 +620,3 @@ sql_config_t *sql_config_create(database_t *db)
|
|||
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
|
|
|
@ -234,7 +234,8 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
|
|||
msg->add_conn.other.address,
|
||||
msg->add_conn.other.allow_any,
|
||||
msg->add_conn.other.ikeport,
|
||||
msg->add_conn.fragmentation);
|
||||
msg->add_conn.fragmentation,
|
||||
msg->add_conn.ikedscp);
|
||||
add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
|
||||
return ike_cfg;
|
||||
}
|
||||
|
|
|
@ -156,7 +156,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
|
|||
local_addr, FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
remote_addr, FALSE, IKEV2_UDP_PORT,
|
||||
FRAGMENTATION_NO);
|
||||
FRAGMENTATION_NO, 0);
|
||||
ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
|
||||
this->peer_cfg = peer_cfg_create(
|
||||
name, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
|
||||
|
@ -255,7 +255,7 @@ METHOD(enumerator_t, ike_enumerator_enumerate, bool,
|
|||
local_addr, FALSE,
|
||||
charon->socket->get_port(charon->socket, FALSE),
|
||||
remote_addr, FALSE, IKEV2_UDP_PORT,
|
||||
FRAGMENTATION_NO);
|
||||
FRAGMENTATION_NO, 0);
|
||||
this->ike_cfg->add_proposal(this->ike_cfg,
|
||||
create_proposal(ike_proposal, PROTO_IKE));
|
||||
|
||||
|
@ -343,4 +343,3 @@ uci_config_t *uci_config_create(uci_parser_t *parser)
|
|||
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
|
|
|
@ -939,14 +939,38 @@ METHOD(ike_sa_t, update_hosts, void,
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Set configured DSCP value on packet
|
||||
*/
|
||||
static void set_dscp(private_ike_sa_t *this, packet_t *packet)
|
||||
{
|
||||
ike_cfg_t *ike_cfg;
|
||||
|
||||
/* prefer IKE config on peer_cfg, as its selection is more accurate
|
||||
* then the initial IKE config */
|
||||
if (this->peer_cfg)
|
||||
{
|
||||
ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
|
||||
}
|
||||
else
|
||||
{
|
||||
ike_cfg = this->ike_cfg;
|
||||
}
|
||||
if (ike_cfg)
|
||||
{
|
||||
packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
|
||||
}
|
||||
}
|
||||
|
||||
METHOD(ike_sa_t, generate_message, status_t,
|
||||
private_ike_sa_t *this, message_t *message, packet_t **packet)
|
||||
{
|
||||
status_t status;
|
||||
|
||||
if (message->is_encoded(message))
|
||||
{ /* already done */
|
||||
{ /* already encoded in task, but set DSCP value */
|
||||
*packet = message->get_packet(message);
|
||||
set_dscp(this, *packet);
|
||||
return SUCCESS;
|
||||
}
|
||||
this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
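Review bot: The comment inside the new `set_dscp` helper reads `more accurate then the initial IKE config`; it should be `than`. The helper's header comment could also state the behaviour when neither `peer_cfg` nor `ike_cfg` is set, which the code handles by leaving the packet untouched, e.g. `Set configured DSCP value on packet; leaves it unchanged if no IKE config is available`. generate_message's body continues outside the hunk.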
|
||||
|
@ -955,6 +979,7 @@ METHOD(ike_sa_t, generate_message, status_t,
|
|||
status = message->generate(message, this->keymat, packet);
|
||||
if (status == SUCCESS)
|
||||
{
|
||||
set_dscp(this, *packet);
|
||||
charon->bus->message(charon->bus, message, FALSE, FALSE);
|
||||
}
|
||||
return status;
|
||||
|
|
|
@ -97,6 +97,18 @@ METHOD(packet_t, set_data, void,
|
|||
return this->packet->set_data(this->packet, data);
|
||||
}
|
||||
|
||||
METHOD(packet_t, get_dscp, u_int8_t,
|
||||
private_esp_packet_t *this)
|
||||
{
|
||||
return this->packet->get_dscp(this->packet);
|
||||
}
|
||||
|
||||
METHOD(packet_t, set_dscp, void,
|
||||
private_esp_packet_t *this, u_int8_t value)
|
||||
{
|
||||
this->packet->set_dscp(this->packet, value);
|
||||
}
|
||||
|
||||
METHOD(packet_t, skip_bytes, void,
|
||||
private_esp_packet_t *this, size_t bytes)
|
||||
{
|
||||
|
@ -411,6 +423,8 @@ static private_esp_packet_t *esp_packet_create_internal(packet_t *packet)
|
|||
.get_destination = _get_destination,
|
||||
.get_data = _get_data,
|
||||
.set_data = _set_data,
|
||||
.get_dscp = _get_dscp,
|
||||
.set_dscp = _set_dscp,
|
||||
.skip_bytes = _skip_bytes,
|
||||
.clone = _clone,
|
||||
.destroy = _destroy,
|
||||
|
|
|
@ -39,6 +39,11 @@ struct private_packet_t {
|
|||
*/
|
||||
host_t *destination;
|
||||
|
||||
/**
|
||||
* DSCP value on packet
|
||||
*/
|
||||
u_int8_t dscp;
|
||||
|
||||
/**
|
||||
* message data
|
||||
*/
|
||||
|
@ -89,6 +94,17 @@ METHOD(packet_t, set_data, void,
|
|||
this->adjusted_data = this->data = data;
|
||||
}
|
||||
|
||||
METHOD(packet_t, get_dscp, u_int8_t,
|
||||
private_packet_t *this)
|
||||
{
|
||||
return this->dscp;
|
||||
}
|
||||
METHOD(packet_t, set_dscp, void,
|
||||
private_packet_t *this, u_int8_t value)
|
||||
{
|
||||
this->dscp = value;
|
||||
}
|
||||
|
||||
METHOD(packet_t, skip_bytes, void,
|
||||
private_packet_t *this, size_t bytes)
|
||||
{
|
||||
|
@ -123,6 +139,7 @@ METHOD(packet_t, clone_, packet_t*,
|
|||
{
|
||||
other->set_data(other, chunk_clone(this->adjusted_data));
|
||||
}
|
||||
other->set_dscp(other, this->dscp);
|
||||
return other;
|
||||
}
|
||||
|
||||
|
@ -141,6 +158,8 @@ packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data)
|
|||
.get_source = _get_source,
|
||||
.set_destination = _set_destination,
|
||||
.get_destination = _get_destination,
|
||||
.get_dscp = _get_dscp,
|
||||
.set_dscp = _set_dscp,
|
||||
.skip_bytes = _skip_bytes,
|
||||
.clone = _clone_,
|
||||
.destroy = _destroy,
|
||||
|
|
|
@ -75,6 +75,20 @@ struct packet_t {
|
|||
*/
|
||||
void (*set_data)(packet_t *packet, chunk_t data);
|
||||
|
||||
/**
|
||||
* Get the DiffServ Code Point set on this packet.
|
||||
*
|
||||
* @return DSCP value
|
||||
*/
|
||||
u_int8_t (*get_dscp)(packet_t *this);
|
||||
|
||||
/**
|
||||
* Set the DiffServ Code Point to use on this packet.
|
||||
*
|
||||
* @param value DSCP value
|
||||
*/
|
||||
void (*set_dscp)(packet_t *this, u_int8_t value);
|
||||
|
||||
/**
|
||||
* Increase the offset where the actual packet data starts.
|
||||
*
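Review bot: The new `set_dscp` contract does not state the valid range of `value`; the implementation stores it in a `u_int8_t` and the socket layer in this commit shifts it left by two into the TOS byte, so values above 63 cannot be represented and are truncated. Suggest `@param value DSCP value (6 bits, 0..63)` on `set_dscp` and `@return DSCP value (6 bits)` on `get_dscp`, so configuration backends know they are expected to validate before calling. struct packet_t continues outside the hunk.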
|
||||
|
|
|
@ -88,7 +88,6 @@ static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask)
|
|||
case AF_INET:
|
||||
{
|
||||
struct sockaddr_in *addr = (struct sockaddr_in*)&ifr->ifr_addr;
|
||||
addr->sin_family = AF_INET;
|
||||
target = (char*)&addr->sin_addr;
|
||||
len = 4;
|
||||
break;
|
||||
|
@ -96,7 +95,6 @@ static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask)
|
|||
case AF_INET6:
|
||||
{
|
||||
struct sockaddr_in6 *addr = (struct sockaddr_in6*)&ifr->ifr_addr;
|
||||
addr->sin6_family = AF_INET6;
|
||||
target = (char*)&addr->sin6_addr;
|
||||
len = 16;
|
||||
break;
|
||||
|
@ -105,6 +103,8 @@ static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask)
|
|||
return;
|
||||
}
|
||||
|
||||
ifr->ifr_addr.sa_family = family;
|
||||
|
||||
bytes = (netmask + 7) / 8;
|
||||
bits = (bytes * 8) - netmask;
|
||||
|
||||
|
|
|
@ -33,6 +33,7 @@ typedef enum {
|
|||
ARG_TIME,
|
||||
ARG_ULNG,
|
||||
ARG_ULLI,
|
||||
ARG_UBIN,
|
||||
ARG_PCNT,
|
||||
ARG_STR,
|
||||
ARG_LST,
|
||||
|
@ -146,6 +147,7 @@ static const token_info_t token_info[] =
|
|||
{ ARG_MISC, 0, NULL /* KW_MOBIKE */ },
|
||||
{ ARG_MISC, 0, NULL /* KW_FORCEENCAPS */ },
|
||||
{ ARG_ENUM, offsetof(starter_conn_t, fragmentation), LST_fragmentation },
|
||||
{ ARG_UBIN, offsetof(starter_conn_t, ikedscp), NULL },
|
||||
{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL },
|
||||
{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL },
|
||||
{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL },
|
||||
|
@ -399,6 +401,21 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
|
|||
}
|
||||
}
|
||||
break;
|
||||
case ARG_UBIN:
|
||||
{
|
||||
char *endptr;
|
||||
u_int *u = (u_int *)p;
|
||||
|
||||
*u = strtoul(kw->value, &endptr, 2);
|
||||
|
||||
if (*endptr != '\0')
|
||||
{
|
||||
DBG1(DBG_APP, "# bad binary value: %s=%s", kw->entry->name,
|
||||
kw->value);
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
break;
|
||||
case ARG_TIME:
|
||||
{
|
||||
char *endptr;
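Review bot: The new `ARG_UBIN` case accepts any string that `strtoul(..., 2)` consumes, so an `ikedscp` value outside the six-bit DSCP range (more than six digits, or a leading `-`, which strtoul accepts) passes silently and is later narrowed from `u_int` to `u_int8_t` at `msg.add_conn.ikedscp = conn->ikedscp;` in the starterstroke hunk of this commit. The man page added in this commit documents a six-digit binary string, so the check should enforce it, e.g. `if (endptr == kw->value || *endptr != '\0' || *u > 0x3F)`; the `endptr == kw->value` part also rejects an empty value, which currently parses as 0 without complaint. If `ARG_UBIN` is meant to stay generic, the bound could instead be a length check on `kw->value` or a per-keyword range, but only one `ARG_UBIN` user is visible here. assign_arg's body continues outside the hunk.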
|
||||
|
|
|
@ -148,6 +148,7 @@ struct starter_conn {
|
|||
ipsec_mode_t mode;
|
||||
bool proxy_mode;
|
||||
fragmentation_t fragmentation;
|
||||
u_int ikedscp;
|
||||
sa_option_t options;
|
||||
time_t sa_ike_life_seconds;
|
||||
time_t sa_ipsec_life_seconds;
|
||||
|
@ -246,4 +247,3 @@ extern starter_config_t *confread_load(const char *file);
|
|||
extern void confread_free(starter_config_t *cfg);
|
||||
|
||||
#endif /* _IPSEC_CONFREAD_H_ */
|
||||
|
||||
|
|
|
@ -43,6 +43,7 @@ typedef enum {
|
|||
KW_MOBIKE,
|
||||
KW_FORCEENCAPS,
|
||||
KW_FRAGMENTATION,
|
||||
KW_IKEDSCP,
|
||||
KW_IKELIFETIME,
|
||||
KW_KEYLIFE,
|
||||
KW_REKEYMARGIN,
|
||||
|
@ -186,4 +187,3 @@ typedef enum {
|
|||
} kw_token_t;
|
||||
|
||||
#endif /* _KEYWORDS_H_ */
|
||||
|
||||
|
|
|
@ -41,6 +41,7 @@ aaa_identity, KW_AAA_IDENTITY
|
|||
mobike, KW_MOBIKE
|
||||
forceencaps, KW_FORCEENCAPS
|
||||
fragmentation, KW_FRAGMENTATION
|
||||
ikedscp, KW_IKEDSCP,
|
||||
ikelifetime, KW_IKELIFETIME
|
||||
lifetime, KW_KEYLIFE
|
||||
keylife, KW_KEYLIFE
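Review bot: The added entry `ikedscp, KW_IKEDSCP,` carries a trailing comma that none of the neighbouring entries have. gperf copies the text after the keyword into the generated struct initializer, so this presumably still compiles (a trailing comma inside a braced initializer is legal C), but it is inconsistent and easy to break if further fields are ever added to the table. Suggest `ikedscp, KW_IKEDSCP`.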
|
||||
|
|
|
@ -181,6 +181,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
|
|||
msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
|
||||
msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
|
||||
msg.add_conn.fragmentation = conn->fragmentation;
|
||||
msg.add_conn.ikedscp = conn->ikedscp;
|
||||
msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
|
||||
msg.add_conn.install_policy = conn->install_policy;
|
||||
msg.add_conn.aggressive = conn->aggressive;
|
||||
|
@ -330,4 +331,3 @@ int starter_stroke_configure(starter_config_t *cfg)
|
|||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
@ -262,6 +262,7 @@ struct stroke_msg_t {
|
|||
int close_action;
|
||||
u_int32_t reqid;
|
||||
u_int32_t tfc;
|
||||
u_int8_t ikedscp;
|
||||
|
||||
crl_policy_t crl_policy;
|
||||
int unique;
|
||||
|
|