sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity

child-cfg: Skip non-matching TS instead of replacing them for transport mode

Browse Source 
get_traffic_selectors() is called the same way also as responder when
selecting child configs via peer_cfg_t::select_child_cfg().  Replacing
TS for all child configs could lead to selecting one that later fails
to actually narrow the traffic selectors.  Ignoring non-matching TS also
helps if we have a trap config with multiple remote subnets (otherwise,
we'd have to filter duplicates afterwards).

When installing traps, the hosts might be %any, in which case we allow
the configured (technically non-matching) TS for the wildcard use case.

Fixes: da82786b2d8c ("child-cfg: Always apply hosts to traffic selectors if proposing transport mode")
Closes strongswan/strongswan#1143
This commit is contained in:
Tobias Brunner 2022-07-14 13:22:55 +02:00
parent 1f242e772b
commit 833333eae9
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/libcharon/config/child_cfg.c
View File

@ -298,6 +298,12 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
e2 = hosts->create_enumerator(hosts);
while (e2->enumerate(e2, &host))
{
if (!dynamic && !host->is_anyaddr(host) &&
!ts1->includes(ts1, host))
{ /* for transport mode, we skip TS that don't match
* specific IPs */
continue;
}
ts2 = ts1->clone(ts1);
if (dynamic || !host->is_anyaddr(host))
{ /* don't make regular TS larger than they were */