pluto: Added PLUTO_UDP_ENC argument to updown script.
This contains the remote UDP port in case of UDP encapsulated ESP.
This commit is contained in:
parent
3251294ceb
commit
f23e7394ae
|
@ -250,7 +250,7 @@ static void escape_metachar(const char *src, char *dst, size_t dstlen)
|
|||
# define DEFAULT_UPDOWN "ipsec _updown"
|
||||
#endif
|
||||
|
||||
static bool do_command(connection_t *c, struct spd_route *sr,
|
||||
static bool do_command(connection_t *c, struct spd_route *sr, struct state *st,
|
||||
const char *verb)
|
||||
{
|
||||
char cmd[1536]; /* arbitrary limit on shell command length */
|
||||
|
@ -294,6 +294,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
|||
peerclientnet_str[ADDRTOT_BUF],
|
||||
peerclientmask_str[ADDRTOT_BUF],
|
||||
peerca_str[BUF_LEN],
|
||||
udp_encap[BUF_LEN] = "",
|
||||
xauth_id_str[BUF_LEN] = "",
|
||||
secure_myid_str[BUF_LEN] = "",
|
||||
secure_peerid_str[BUF_LEN] = "",
|
||||
|
@ -326,6 +327,12 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
|||
strncat(srcip_str, "' ", sizeof(srcip_str));
|
||||
}
|
||||
|
||||
if (st && (st->nat_traversal & NAT_T_DETECTED))
|
||||
{
|
||||
snprintf(udp_encap, sizeof(udp_encap), "PLUTO_UDP_ENC='%u' ",
|
||||
sr->that.host_port);
|
||||
}
|
||||
|
||||
addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
|
||||
snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id);
|
||||
escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
|
||||
|
@ -403,6 +410,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
|||
"PLUTO_PEER_CA='%s' "
|
||||
"%s" /* optional PLUTO_MY_SRCIP */
|
||||
"%s" /* optional PLUTO_XAUTH_ID */
|
||||
"%s" /* optional PLUTO_UDP_ENC */
|
||||
"%s" /* actual script */
|
||||
, verb, verb_suffix
|
||||
, c->name
|
||||
|
@ -427,6 +435,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
|||
, secure_peerca_str
|
||||
, srcip_str
|
||||
, xauth_id_str
|
||||
, udp_encap
|
||||
, sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
|
||||
|
@ -716,7 +725,7 @@ void unroute_connection(connection_t *c)
|
|||
/* only unroute if no other connection shares it */
|
||||
if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
|
||||
{
|
||||
(void) do_command(c, sr, "unroute");
|
||||
(void) do_command(c, sr, NULL, "unroute");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1755,7 +1764,7 @@ bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
|
|||
*/
|
||||
firewall_notified = st == NULL /* not a tunnel eroute */
|
||||
|| sr->eroute_owner != SOS_NOBODY /* already notified */
|
||||
|| do_command(c, sr, "up"); /* go ahead and notify */
|
||||
|| do_command(c, sr, st, "up"); /* go ahead and notify */
|
||||
}
|
||||
|
||||
/* install the route */
|
||||
|
@ -1770,8 +1779,8 @@ bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
|
|||
else if (ro == NULL)
|
||||
{
|
||||
/* a new route: no deletion required, but preparation is */
|
||||
(void) do_command(c, sr, "prepare"); /* just in case; ignore failure */
|
||||
route_installed = do_command(c, sr, "route");
|
||||
(void) do_command(c, sr, st, "prepare"); /* just in case; ignore failure */
|
||||
route_installed = do_command(c, sr, st, "route");
|
||||
}
|
||||
else if (routed(sr->routing) || routes_agree(ro, c))
|
||||
{
|
||||
|
@ -1790,13 +1799,13 @@ bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
|
|||
*/
|
||||
if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
|
||||
{
|
||||
(void) do_command(ro, sr, "unroute");
|
||||
route_installed = do_command(c, sr, "route");
|
||||
(void) do_command(ro, sr, st, "unroute");
|
||||
route_installed = do_command(c, sr, st, "route");
|
||||
}
|
||||
else
|
||||
{
|
||||
route_installed = do_command(c, sr, "route");
|
||||
(void) do_command(ro, sr, "unroute");
|
||||
route_installed = do_command(c, sr, st, "route");
|
||||
(void) do_command(ro, sr, st, "unroute");
|
||||
}
|
||||
|
||||
/* record unrouting */
|
||||
|
@ -1863,7 +1872,7 @@ bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
|
|||
{
|
||||
/* Failure! Unwind our work. */
|
||||
if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
|
||||
(void) do_command(c, sr, "down");
|
||||
(void) do_command(c, sr, st, "down");
|
||||
|
||||
if (eroute_installed)
|
||||
{
|
||||
|
@ -1998,7 +2007,7 @@ void delete_ipsec_sa(struct state *st, bool inbound_only)
|
|||
sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
|
||||
? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
|
||||
|
||||
(void) do_command(c, sr, "down");
|
||||
(void) do_command(c, sr, st, "down");
|
||||
if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE)
|
||||
{
|
||||
/* in this special case, even if the connection
|
||||
|
|
|
@ -124,7 +124,7 @@
|
|||
# PLUTO_MARK_OUT
|
||||
# is an optional XFRM mark set on the outbound IPsec SA
|
||||
#
|
||||
# PLUTO_ESP_ENC
|
||||
# PLUTO_UDP_ENC
|
||||
# contains the remote UDP port in the case of ESP_IN_UDP
|
||||
# encapsulation
|
||||
#
|
||||
|
|
|
@ -124,7 +124,7 @@
|
|||
# PLUTO_MARK_OUT
|
||||
# is an optional XFRM mark set on the outbound IPsec SA
|
||||
#
|
||||
# PLUTO_ESP_ENC
|
||||
# PLUTO_UDP_ENC
|
||||
# contains the remote UDP port in the case of ESP_IN_UDP
|
||||
# encapsulation
|
||||
#
|
||||
|
|
Loading…
Reference in New Issue