295 lines
7.2 KiB
C
295 lines
7.2 KiB
C
/*
|
|
* Copyright (C) 2012 Tobias Brunner
|
|
* Copyright (C) 2012 Giuliano Grassi
|
|
* Copyright (C) 2012 Ralf Sager
|
|
* HSR Hochschule fuer Technik Rapperswil
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* for more details.
|
|
*/
|
|
|
|
#include "ipsec_policy_mgr.h"
|
|
|
|
#include <utils/debug.h>
|
|
#include <threading/rwlock.h>
|
|
#include <collections/linked_list.h>
|
|
|
|
/** Base priority for installed policies */
|
|
#define PRIO_BASE 384
|
|
|
|
typedef struct private_ipsec_policy_mgr_t private_ipsec_policy_mgr_t;
|
|
|
|
/**
|
|
* Private additions to ipsec_policy_mgr_t.
|
|
*/
|
|
struct private_ipsec_policy_mgr_t {
|
|
|
|
/**
|
|
* Public members of ipsec_policy_mgr_t.
|
|
*/
|
|
ipsec_policy_mgr_t public;
|
|
|
|
/**
|
|
* Installed policies (ipsec_policy_entry_t*)
|
|
*/
|
|
linked_list_t *policies;
|
|
|
|
/**
|
|
* Lock to safely access the list of policies
|
|
*/
|
|
rwlock_t *lock;
|
|
|
|
};
|
|
|
|
/**
|
|
* Helper struct to store policies in a list sorted by the same pseudo-priority
|
|
* used by the NETLINK kernel interface.
|
|
*/
|
|
typedef struct {
|
|
|
|
/**
|
|
* Priority used to sort policies
|
|
*/
|
|
uint32_t priority;
|
|
|
|
/**
|
|
* The policy
|
|
*/
|
|
ipsec_policy_t *policy;
|
|
|
|
} ipsec_policy_entry_t;
|
|
|
|
/**
|
|
* Calculate the pseudo-priority to sort policies. This is the same algorithm
|
|
* used by the NETLINK kernel interface (i.e. high priority -> low value).
|
|
*/
|
|
static uint32_t calculate_priority(policy_priority_t policy_priority,
|
|
traffic_selector_t *src,
|
|
traffic_selector_t *dst)
|
|
{
|
|
uint32_t priority = PRIO_BASE;
|
|
uint16_t port;
|
|
uint8_t mask, proto;
|
|
host_t *net;
|
|
|
|
switch (policy_priority)
|
|
{
|
|
case POLICY_PRIORITY_FALLBACK:
|
|
priority <<= 1;
|
|
/* fall-through */
|
|
case POLICY_PRIORITY_ROUTED:
|
|
priority <<= 1;
|
|
/* fall-through */
|
|
case POLICY_PRIORITY_DEFAULT:
|
|
priority <<= 1;
|
|
/* fall-through */
|
|
case POLICY_PRIORITY_PASS:
|
|
break;
|
|
}
|
|
/* calculate priority based on selector size, small size = high prio */
|
|
src->to_subnet(src, &net, &mask);
|
|
priority -= mask;
|
|
proto = src->get_protocol(src);
|
|
port = net->get_port(net);
|
|
net->destroy(net);
|
|
|
|
dst->to_subnet(dst, &net, &mask);
|
|
priority -= mask;
|
|
proto = max(proto, dst->get_protocol(dst));
|
|
port = max(port, net->get_port(net));
|
|
net->destroy(net);
|
|
|
|
priority <<= 2; /* make some room for the two flags */
|
|
priority += port ? 0 : 2;
|
|
priority += proto ? 0 : 1;
|
|
return priority;
|
|
}
|
|
|
|
/**
|
|
* Create a policy entry
|
|
*/
|
|
static ipsec_policy_entry_t *policy_entry_create(ipsec_policy_t *policy)
|
|
{
|
|
ipsec_policy_entry_t *this;
|
|
|
|
INIT(this,
|
|
.policy = policy,
|
|
.priority = calculate_priority(policy->get_priority(policy),
|
|
policy->get_source_ts(policy),
|
|
policy->get_destination_ts(policy)),
|
|
);
|
|
return this;
|
|
}
|
|
|
|
/**
|
|
* Destroy a policy entry
|
|
*/
|
|
static void policy_entry_destroy(ipsec_policy_entry_t *this)
|
|
{
|
|
this->policy->destroy(this->policy);
|
|
free(this);
|
|
}
|
|
|
|
METHOD(ipsec_policy_mgr_t, add_policy, status_t,
|
|
private_ipsec_policy_mgr_t *this, host_t *src, host_t *dst,
|
|
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
|
|
policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
|
|
policy_priority_t priority)
|
|
{
|
|
enumerator_t *enumerator;
|
|
ipsec_policy_entry_t *entry, *current;
|
|
ipsec_policy_t *policy;
|
|
|
|
if (type != POLICY_IPSEC || direction == POLICY_FWD)
|
|
{ /* we ignore these policies as we currently have no use for them */
|
|
return SUCCESS;
|
|
}
|
|
|
|
DBG2(DBG_ESP, "adding policy %R === %R %N", src_ts, dst_ts,
|
|
policy_dir_names, direction);
|
|
|
|
policy = ipsec_policy_create(src, dst, src_ts, dst_ts, direction, type, sa,
|
|
mark, priority);
|
|
entry = policy_entry_create(policy);
|
|
|
|
this->lock->write_lock(this->lock);
|
|
enumerator = this->policies->create_enumerator(this->policies);
|
|
while (enumerator->enumerate(enumerator, (void**)¤t))
|
|
{
|
|
if (current->priority >= entry->priority)
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
this->policies->insert_before(this->policies, enumerator, entry);
|
|
enumerator->destroy(enumerator);
|
|
this->lock->unlock(this->lock);
|
|
return SUCCESS;
|
|
}
|
|
|
|
METHOD(ipsec_policy_mgr_t, del_policy, status_t,
|
|
private_ipsec_policy_mgr_t *this, host_t *src, host_t *dst,
|
|
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
|
|
policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
|
|
policy_priority_t policy_priority)
|
|
{
|
|
enumerator_t *enumerator;
|
|
ipsec_policy_entry_t *current, *found = NULL;
|
|
uint32_t priority;
|
|
|
|
if (type != POLICY_IPSEC || direction == POLICY_FWD)
|
|
{ /* we ignore these policies as we currently have no use for them */
|
|
return SUCCESS;
|
|
}
|
|
DBG2(DBG_ESP, "deleting policy %R === %R %N", src_ts, dst_ts,
|
|
policy_dir_names, direction);
|
|
|
|
priority = calculate_priority(policy_priority, src_ts, dst_ts);
|
|
|
|
this->lock->write_lock(this->lock);
|
|
enumerator = this->policies->create_enumerator(this->policies);
|
|
while (enumerator->enumerate(enumerator, (void**)¤t))
|
|
{
|
|
if (current->priority == priority &&
|
|
current->policy->match(current->policy, src_ts, dst_ts, direction,
|
|
sa->reqid, mark, policy_priority))
|
|
{
|
|
this->policies->remove_at(this->policies, enumerator);
|
|
found = current;
|
|
break;
|
|
}
|
|
}
|
|
enumerator->destroy(enumerator);
|
|
this->lock->unlock(this->lock);
|
|
if (found)
|
|
{
|
|
policy_entry_destroy(found);
|
|
return SUCCESS;
|
|
}
|
|
return FAILED;
|
|
}
|
|
|
|
METHOD(ipsec_policy_mgr_t, flush_policies, status_t,
|
|
private_ipsec_policy_mgr_t *this)
|
|
{
|
|
ipsec_policy_entry_t *entry;
|
|
|
|
DBG2(DBG_ESP, "flushing policies");
|
|
|
|
this->lock->write_lock(this->lock);
|
|
while (this->policies->remove_last(this->policies,
|
|
(void**)&entry) == SUCCESS)
|
|
{
|
|
policy_entry_destroy(entry);
|
|
}
|
|
this->lock->unlock(this->lock);
|
|
return SUCCESS;
|
|
}
|
|
|
|
METHOD(ipsec_policy_mgr_t, find_by_packet, ipsec_policy_t*,
|
|
private_ipsec_policy_mgr_t *this, ip_packet_t *packet, bool inbound,
|
|
uint32_t reqid)
|
|
{
|
|
enumerator_t *enumerator;
|
|
ipsec_policy_entry_t *current;
|
|
ipsec_policy_t *found = NULL;
|
|
|
|
this->lock->read_lock(this->lock);
|
|
enumerator = this->policies->create_enumerator(this->policies);
|
|
while (enumerator->enumerate(enumerator, (void**)¤t))
|
|
{
|
|
ipsec_policy_t *policy = current->policy;
|
|
|
|
if ((inbound == (policy->get_direction(policy) == POLICY_IN)) &&
|
|
policy->match_packet(policy, packet))
|
|
{
|
|
if (reqid == 0 || reqid == policy->get_reqid(policy))
|
|
{
|
|
found = policy->get_ref(policy);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
enumerator->destroy(enumerator);
|
|
this->lock->unlock(this->lock);
|
|
return found;
|
|
}
|
|
|
|
METHOD(ipsec_policy_mgr_t, destroy, void,
|
|
private_ipsec_policy_mgr_t *this)
|
|
{
|
|
flush_policies(this);
|
|
this->policies->destroy(this->policies);
|
|
this->lock->destroy(this->lock);
|
|
free(this);
|
|
}
|
|
|
|
/**
|
|
* Described in header.
|
|
*/
|
|
ipsec_policy_mgr_t *ipsec_policy_mgr_create()
|
|
{
|
|
private_ipsec_policy_mgr_t *this;
|
|
|
|
INIT(this,
|
|
.public = {
|
|
.add_policy = _add_policy,
|
|
.del_policy = _del_policy,
|
|
.flush_policies = _flush_policies,
|
|
.find_by_packet = _find_by_packet,
|
|
.destroy = _destroy,
|
|
},
|
|
.policies = linked_list_create(),
|
|
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
|
|
);
|
|
|
|
return &this->public;
|
|
}
|