vici: Report security label on CHILD_SA, policies and configs

Tobias Brunner 2021-12-21 12:10:34 +01:00
parent 7cf6f29ac5
commit 2994347d18
2 changed files with 30 additions and 0 deletions


@ -817,6 +817,7 @@ command.
mark-mask-out = <hex encoded outbound Netfilter mark mask>
if-id-in = <hex encoded inbound XFRM interface ID>
if-id-out = <hex encoded outbound XFRM interface ID>
label = <hex encoded security label>
encr-alg = <ESP encryption algorithm name, if any>
encr-keysize = <ESP encryption key size, if applicable>
integ-alg = <ESP or AH integrity algorithm name, if any>
@ -854,6 +855,7 @@ _list-policies_ command.
child = <CHILD_SA configuration name>
ike = <IKE_SA configuration name or namespace, if available>
mode = <policy mode, tunnel|transport|pass|drop>
label = <hex encoded security label>
local-ts = [
<list of local traffic selectors>
]
@ -903,6 +905,7 @@ _list-conns_ command.
children = {
<CHILD_SA config name>* = {
mode = <IPsec mode>
label = <hex encoded security label>
rekey_time = <CHILD_SA rekeying interval in seconds>
rekey_bytes = <CHILD_SA rekeying interval in bytes>
rekey_packets = <CHILD_SA rekeying interval in packets>


@ -150,6 +150,29 @@ static void list_mode(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
}
}
/**
* List the security label of a CHILD_SA or config
*/
static void list_label(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
{
sec_label_t *label = NULL;
chunk_t enc;
if (child)
{
label = child->get_label(child);
}
else if (cfg)
{
label = cfg->get_label(cfg);
}
if (label)
{
enc = label->get_encoding(label);
b->add_kv(b, "label", "%+B", &enc);
}
}
/**
* List IPsec-related details about a CHILD_SA
*/
@ -275,6 +298,7 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
state = child->get_state(child);
b->add_kv(b, "state", "%N", child_sa_state_names, state);
list_mode(b, child, NULL);
list_label(b, child, NULL);
switch (state)
{
@ -576,6 +600,7 @@ static void raise_policy(private_vici_query_t *this, u_int id, char *ike,
b->add_kv(b, "ike", "%s", ike);
list_mode(b, child, NULL);
list_label(b, child, NULL);
b->begin_list(b, "local-ts");
enumerator = child->create_ts_enumerator(child, TRUE);
@ -624,6 +649,7 @@ static void raise_policy_cfg(private_vici_query_t *this, u_int id, char *ike,
}
list_mode(b, NULL, cfg);
list_label(b, NULL, cfg);
b->begin_list(b, "local-ts");
list = cfg->get_traffic_selectors(cfg, TRUE, NULL, NULL, FALSE);
@ -930,6 +956,7 @@ CALLBACK(list_conns, vici_message_t*,
b->begin_section(b, child_cfg->get_name(child_cfg));
list_mode(b, NULL, child_cfg);
list_label(b, NULL, child_cfg);
lft = child_cfg->get_lifetime(child_cfg, FALSE);
b->add_kv(b, "rekey_time", "%"PRIu64, lft->time.rekey);