configuration of different marks for inbound and outbound direction

Andreas Steffen 2010-07-09 09:06:02 +02:00
parent 6f07f5e3d4
commit 26c4d0102a
17 changed files with 110 additions and 57 deletions


@ -539,7 +539,7 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
ipsec_mode_t mode, action_t dpd_action,
action_t close_action, bool ipcomp,
u_int32_t inactivity, u_int32_t reqid,
mark_t *mark)
mark_t *mark_in, mark_t *mark_out)
{
private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
@ -576,16 +576,21 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
this->inactivity = inactivity;
this->reqid = reqid;
/* TODO configure separate inbound and outbound marks */
if (mark)
if (mark_in)
{
this->mark_in = *mark;
this->mark_out = *mark;
this->mark_in = *mark_in;
}
else
{
this->mark_in.value = 0;
this->mark_in.mask = 0;
}
if (mark_out)
{
this->mark_out = *mark_out;
}
else
{
this->mark_in.value = 0;
this->mark_in.mask = 0;
this->mark_out.value = 0;
this->mark_out.mask = 0;
}


@ -326,7 +326,8 @@ struct child_cfg_t {
* @param ipcomp use IPComp, if peer supports it
* @param inactivity inactivity timeout in s before closing a CHILD_SA
* @param reqid specific reqid to use for CHILD_SA, 0 for auto assign
* @param mark optional mark (can be NULL)
* @param mark_in optional inbound mark (can be NULL)
* @param mark_out optional outbound mark (can be NULL)
* @return child_cfg_t object
*/
child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
@ -334,6 +335,6 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
ipsec_mode_t mode, action_t dpd_action,
action_t close_action, bool ipcomp,
u_int32_t inactivity, u_int32_t reqid,
mark_t *mark);
mark_t *mark_in, mark_t *mark_out);
#endif /** CHILD_CFG_H_ @}*/


@ -291,7 +291,8 @@ static job_requeue_t initiate(private_android_service_t *this)
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
NULL, NULL);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);


@ -234,7 +234,8 @@ static void setup_tunnel(private_ha_tunnel_t *this,
peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT,
ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
NULL, NULL);
ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);


@ -223,8 +223,9 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
}
child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL,
ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
NULL, NULL);
proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
child_cfg->add_proposal(child_cfg, proposal);
ts = traffic_selector_create_dynamic(0, 0, 65535);


@ -182,7 +182,8 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
NULL, NULL);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
@ -260,7 +261,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
this->current->add_auth_cfg(this->current, auth, FALSE);
child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
NULL, NULL);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));


@ -444,7 +444,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
child_cfg = child_cfg_create(priv->name, &lifetime,
NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
ACTION_NONE, ACTION_NONE, ipcomp, 0, 0, NULL);
ACTION_NONE, ACTION_NONE, ipcomp, 0, 0,
NULL, NULL);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);


@ -134,7 +134,7 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
.time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
};
child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
dpd, close, ipcomp, 0, 0, NULL);
dpd, close, ipcomp, 0, 0, NULL, NULL);
/* TODO: read proposal from db */
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
add_traffic_selectors(this, child_cfg, id);


@ -768,9 +768,13 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
.jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
}
};
mark_t mark = {
.value = msg->add_conn.mark.value,
.mask = msg->add_conn.mark.mask
mark_t mark_in = {
.value = msg->add_conn.mark_in.value,
.mask = msg->add_conn.mark_in.mask
};
mark_t mark_out = {
.value = msg->add_conn.mark_out.value,
.mask = msg->add_conn.mark_out.mask
};
switch (msg->add_conn.dpd.action)
@ -790,7 +794,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
msg->add_conn.name, &lifetime,
msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
msg->add_conn.inactivity, msg->add_conn.reqid, &mark);
msg->add_conn.inactivity, msg->add_conn.reqid,
&mark_in, &mark_out);
child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
msg->add_conn.install_policy);
add_ts(this, &msg->add_conn.me, child_cfg, TRUE);


@ -196,7 +196,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL);
ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
NULL, NULL);
child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));


@ -236,6 +236,8 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_conn_t, me_peerid), NULL },
{ ARG_UINT, offsetof(starter_conn_t, reqid), NULL },
{ ARG_MISC, 0, NULL /* KW_MARK */ },
{ ARG_MISC, 0, NULL /* KW_MARK_IN */ },
{ ARG_MISC, 0, NULL /* KW_MARK_OUT */ },
/* ca section keywords */
{ ARG_STR, offsetof(starter_ca_t, name), NULL },


@ -461,6 +461,41 @@ static void handle_firewall(const char *label, starter_end_t *end,
}
}
static bool handle_mark(char *value, mark_t *mark)
{
char *pos, *endptr;
pos = strchr(value, '/');
if (pos)
{
*pos = '\0';
mark->mask = strtoul(pos+1, &endptr, 0);
if (*endptr != '\0')
{
plog("# invalid mark mask: %s", pos+1);
return FALSE;
}
}
else
{
mark->mask = 0xffffffff;
}
if (value == '\0')
{
mark->value = 0;
}
else
{
mark->value = strtoul(value, &endptr, 0);
if (*endptr != '\0')
{
plog("# invalid mark value: %s", value);
return FALSE;
}
}
return TRUE;
}
/*
* parse a conn section
*/
@ -672,40 +707,25 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
break;
}
case KW_MARK:
{
char *pos, *endptr;
pos = strchr(kw->value, '/');
if (pos)
if (!handle_mark(kw->value, &conn->mark_in))
{
*pos = '\0';
conn->mark_mask = strtoul(pos+1, &endptr, 0);
if (*endptr != '\0')
{
plog("# invalid mark mask: %s", pos+1);
cfg->err++;
break;
}
cfg->err++;
break;
}
else
conn->mark_out = conn->mark_in;
break;
case KW_MARK_IN:
if (!handle_mark(kw->value, &conn->mark_in))
{
conn->mark_mask = 0xffffffff;
}
if (*kw->value == '\0')
{
conn->mark_value = 0;
}
else
{
conn->mark_value = strtoul(kw->value, &endptr, 0);
if (*endptr != '\0')
{
plog("# invalid mark value: %s", kw->value);
cfg->err++;
}
cfg->err++;
}
break;
case KW_MARK_OUT:
if (!handle_mark(kw->value, &conn->mark_out))
{
cfg->err++;
}
break;
}
case KW_KEYINGTRIES:
if (streq(kw->value, "%forever"))
{
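Review bot: `if (value == '\0')` in handle_mark compares the pointer `value` itself with the null-character constant, i.e. with a null pointer, so the empty-string branch is never taken; the code it replaces in load_conn's KW_MARK case tested `*kw->value == '\0'`, and the new line should read `if (*value == '\0')`. The result happens to be the same today only because strtoul("") returns 0 with endptr left at the terminator, so the `*endptr != '\0'` check passes by accident rather than by design. Separately, both strtoul results are assigned to the u_int32_t fields of mark_t (declared as such in the keywords.h hunk of this commit) without an ERANGE or range check, so where unsigned long is 64 bits a value or mask above 0xffffffff is silently truncated instead of being reported as invalid; clearing errno before each call and rejecting `errno == ERANGE || v > 0xffffffffUL` would make the parser reject such input. Note that handle_mark writes a '\0' into `value` at the slash, as the old inline code did, so callers must not rely on the string afterwards.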


@ -95,6 +95,13 @@ struct also {
also_t *next;
};
typedef struct mark_t mark_t;
struct mark_t{
u_int32_t value;
u_int32_t mask;
};
typedef struct starter_conn starter_conn_t;
struct starter_conn {
@ -122,8 +129,8 @@ struct starter_conn {
unsigned long sa_keying_tries;
unsigned long sa_rekey_fuzz;
u_int32_t reqid;
u_int32_t mark_value;
u_int32_t mark_mask;
mark_t mark_in;
mark_t mark_out;
sa_family_t addr_family;
sa_family_t tunnel_addr_family;
bool install_policy;


@ -99,9 +99,11 @@ typedef enum {
KW_ME_PEERID,
KW_REQID,
KW_MARK,
KW_MARK_IN,
KW_MARK_OUT,
#define KW_CONN_FIRST KW_CONN_SETUP
#define KW_CONN_LAST KW_MARK
#define KW_CONN_LAST KW_MARK_OUT
/* ca section keywords */
KW_CA_NAME,


@ -90,6 +90,8 @@ mediated_by, KW_MEDIATED_BY
me_peerid, KW_ME_PEERID
reqid, KW_REQID
mark, KW_MARK
mark_in, KW_MARK_IN
mark_out, KW_MARK_OUT
cacert, KW_CACERT
ldaphost, KW_LDAPHOST
ldapbase, KW_LDAPBASE


@ -270,8 +270,10 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
msg.add_conn.reqid = conn->reqid;
msg.add_conn.mark.value = conn->mark_value;
msg.add_conn.mark.mask = conn->mark_mask;
msg.add_conn.mark_in.value = conn->mark_in.value;
msg.add_conn.mark_in.mask = conn->mark_in.mask;
msg.add_conn.mark_out.value = conn->mark_out.value;
msg.add_conn.mark_out.mask = conn->mark_out.mask;
starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);


@ -259,7 +259,7 @@ struct stroke_msg_t {
struct {
u_int32_t value;
u_int32_t mask;
} mark;
} mark_in, mark_out;
stroke_end_t me, other;
} add_conn;