pluto: Added PLUTO_UDP_ENC argument to updown script.
This contains the remote UDP port in case of UDP encapsulated ESP.
This commit is contained in:
parent
3251294ceb
commit
f23e7394ae
|
@ -250,7 +250,7 @@ static void escape_metachar(const char *src, char *dst, size_t dstlen)
|
||||||
# define DEFAULT_UPDOWN "ipsec _updown"
|
# define DEFAULT_UPDOWN "ipsec _updown"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static bool do_command(connection_t *c, struct spd_route *sr,
|
static bool do_command(connection_t *c, struct spd_route *sr, struct state *st,
|
||||||
const char *verb)
|
const char *verb)
|
||||||
{
|
{
|
||||||
char cmd[1536]; /* arbitrary limit on shell command length */
|
char cmd[1536]; /* arbitrary limit on shell command length */
|
||||||
|
@ -294,6 +294,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
||||||
peerclientnet_str[ADDRTOT_BUF],
|
peerclientnet_str[ADDRTOT_BUF],
|
||||||
peerclientmask_str[ADDRTOT_BUF],
|
peerclientmask_str[ADDRTOT_BUF],
|
||||||
peerca_str[BUF_LEN],
|
peerca_str[BUF_LEN],
|
||||||
|
udp_encap[BUF_LEN] = "",
|
||||||
xauth_id_str[BUF_LEN] = "",
|
xauth_id_str[BUF_LEN] = "",
|
||||||
secure_myid_str[BUF_LEN] = "",
|
secure_myid_str[BUF_LEN] = "",
|
||||||
secure_peerid_str[BUF_LEN] = "",
|
secure_peerid_str[BUF_LEN] = "",
|
||||||
|
@ -326,6 +327,12 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
||||||
strncat(srcip_str, "' ", sizeof(srcip_str));
|
strncat(srcip_str, "' ", sizeof(srcip_str));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (st && (st->nat_traversal & NAT_T_DETECTED))
|
||||||
|
{
|
||||||
|
snprintf(udp_encap, sizeof(udp_encap), "PLUTO_UDP_ENC='%u' ",
|
||||||
|
sr->that.host_port);
|
||||||
|
}
|
||||||
|
|
||||||
addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
|
addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
|
||||||
snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id);
|
snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id);
|
||||||
escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
|
escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
|
||||||
|
@ -403,6 +410,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
||||||
"PLUTO_PEER_CA='%s' "
|
"PLUTO_PEER_CA='%s' "
|
||||||
"%s" /* optional PLUTO_MY_SRCIP */
|
"%s" /* optional PLUTO_MY_SRCIP */
|
||||||
"%s" /* optional PLUTO_XAUTH_ID */
|
"%s" /* optional PLUTO_XAUTH_ID */
|
||||||
|
"%s" /* optional PLUTO_UDP_ENC */
|
||||||
"%s" /* actual script */
|
"%s" /* actual script */
|
||||||
, verb, verb_suffix
|
, verb, verb_suffix
|
||||||
, c->name
|
, c->name
|
||||||
|
@ -427,6 +435,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
||||||
, secure_peerca_str
|
, secure_peerca_str
|
||||||
, srcip_str
|
, srcip_str
|
||||||
, xauth_id_str
|
, xauth_id_str
|
||||||
|
, udp_encap
|
||||||
, sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
|
, sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
|
||||||
{
|
{
|
||||||
loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
|
loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
|
||||||
|
@ -716,7 +725,7 @@ void unroute_connection(connection_t *c)
|
||||||
/* only unroute if no other connection shares it */
|
/* only unroute if no other connection shares it */
|
||||||
if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
|
if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
|
||||||
{
|
{
|
||||||
(void) do_command(c, sr, "unroute");
|
(void) do_command(c, sr, NULL, "unroute");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1755,7 +1764,7 @@ bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
|
||||||
*/
|
*/
|
||||||
firewall_notified = st == NULL /* not a tunnel eroute */
|
firewall_notified = st == NULL /* not a tunnel eroute */
|
||||||
|| sr->eroute_owner != SOS_NOBODY /* already notified */
|
|| sr->eroute_owner != SOS_NOBODY /* already notified */
|
||||||
|| do_command(c, sr, "up"); /* go ahead and notify */
|
|| do_command(c, sr, st, "up"); /* go ahead and notify */
|
||||||
}
|
}
|
||||||
|
|
||||||
/* install the route */
|
/* install the route */
|
||||||
|
@ -1770,8 +1779,8 @@ bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
|
||||||
else if (ro == NULL)
|
else if (ro == NULL)
|
||||||
{
|
{
|
||||||
/* a new route: no deletion required, but preparation is */
|
/* a new route: no deletion required, but preparation is */
|
||||||
(void) do_command(c, sr, "prepare"); /* just in case; ignore failure */
|
(void) do_command(c, sr, st, "prepare"); /* just in case; ignore failure */
|
||||||
route_installed = do_command(c, sr, "route");
|
route_installed = do_command(c, sr, st, "route");
|
||||||
}
|
}
|
||||||
else if (routed(sr->routing) || routes_agree(ro, c))
|
else if (routed(sr->routing) || routes_agree(ro, c))
|
||||||
{
|
{
|
||||||
|
@ -1790,13 +1799,13 @@ bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
|
||||||
*/
|
*/
|
||||||
if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
|
if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
|
||||||
{
|
{
|
||||||
(void) do_command(ro, sr, "unroute");
|
(void) do_command(ro, sr, st, "unroute");
|
||||||
route_installed = do_command(c, sr, "route");
|
route_installed = do_command(c, sr, st, "route");
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
route_installed = do_command(c, sr, "route");
|
route_installed = do_command(c, sr, st, "route");
|
||||||
(void) do_command(ro, sr, "unroute");
|
(void) do_command(ro, sr, st, "unroute");
|
||||||
}
|
}
|
||||||
|
|
||||||
/* record unrouting */
|
/* record unrouting */
|
||||||
|
@ -1863,7 +1872,7 @@ bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
|
||||||
{
|
{
|
||||||
/* Failure! Unwind our work. */
|
/* Failure! Unwind our work. */
|
||||||
if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
|
if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
|
||||||
(void) do_command(c, sr, "down");
|
(void) do_command(c, sr, st, "down");
|
||||||
|
|
||||||
if (eroute_installed)
|
if (eroute_installed)
|
||||||
{
|
{
|
||||||
|
@ -1998,7 +2007,7 @@ void delete_ipsec_sa(struct state *st, bool inbound_only)
|
||||||
sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
|
sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
|
||||||
? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
|
? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
|
||||||
|
|
||||||
(void) do_command(c, sr, "down");
|
(void) do_command(c, sr, st, "down");
|
||||||
if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE)
|
if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE)
|
||||||
{
|
{
|
||||||
/* in this special case, even if the connection
|
/* in this special case, even if the connection
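Review bot: The new `struct state *st` parameter of do_command is undocumented, and callers pass NULL in some paths (unroute_connection passes NULL; route_and_eroute and delete_ipsec_sa forward whatever st they hold), so the contract should be stated at the signature: `/* st may be NULL (no SA yet, e.g. unroute); only used to export PLUTO_UDP_ENC when NAT-T was detected */`. At the snprintf that builds udp_encap, the port is printed with `%u`; if `sr->that.host_port` is a narrower unsigned type than int (its declaration is not in the hunk), an explicit `(unsigned) sr->that.host_port` keeps the format and argument matched after promotion. Because the value is emitted as a number rather than a string it does not need the escape_metachar treatment the id and CA fields get, which deserves a one-line comment there so nobody later "fixes" it, and the existing command-too-long check after the big snprintf still covers the added `%s` field. Whether `sr->that.host_port` already holds the post-NAT-T peer port at this point is not visible here and should be confirmed against the NAT-T port update path. do_command's body continues past the hunks shown.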
|
||||||
|
|
|
@ -124,7 +124,7 @@
|
||||||
# PLUTO_MARK_OUT
|
# PLUTO_MARK_OUT
|
||||||
# is an optional XFRM mark set on the outbound IPsec SA
|
# is an optional XFRM mark set on the outbound IPsec SA
|
||||||
#
|
#
|
||||||
# PLUTO_ESP_ENC
|
# PLUTO_UDP_ENC
|
||||||
# contains the remote UDP port in the case of ESP_IN_UDP
|
# contains the remote UDP port in the case of ESP_IN_UDP
|
||||||
# encapsulation
|
# encapsulation
|
||||||
#
|
#
|
||||||
|
|
|
@ -124,7 +124,7 @@
|
||||||
# PLUTO_MARK_OUT
|
# PLUTO_MARK_OUT
|
||||||
# is an optional XFRM mark set on the outbound IPsec SA
|
# is an optional XFRM mark set on the outbound IPsec SA
|
||||||
#
|
#
|
||||||
# PLUTO_ESP_ENC
|
# PLUTO_UDP_ENC
|
||||||
# contains the remote UDP port in the case of ESP_IN_UDP
|
# contains the remote UDP port in the case of ESP_IN_UDP
|
||||||
# encapsulation
|
# encapsulation
|
||||||
#
|
#
|
||||||
|
|