From 833333eae90f8469ca3299e242d8b26e3caf0bf5 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 14 Jul 2022 13:22:55 +0200
Subject: [PATCH] child-cfg: Skip non-matching TS instead of replacing them for transport mode

get_traffic_selectors() is called the same way also as responder when selecting child configs via peer_cfg_t::select_child_cfg(). Replacing TS for all child configs could lead to selecting one that later fails to actually narrow the traffic selectors. Ignoring non-matching TS also helps if we have a trap config with multiple remote subnets (otherwise, we'd have to filter duplicates afterwards). When installing traps, the hosts might be %any, in which case we allow the configured (technically non-matching) TS for the wildcard use case.

Fixes: da82786b2d8c ("child-cfg: Always apply hosts to traffic selectors if proposing transport mode")
Closes strongswan/strongswan#1143
---
 src/libcharon/config/child_cfg.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 78d1f3c43b..bc9cff7129 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -298,6 +298,12 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 e2 = hosts->create_enumerator(hosts);
 while (e2->enumerate(e2, &host))
 {
+ if (!dynamic && !host->is_anyaddr(host) && !ts1->includes(ts1, host))
+ { /* for transport mode, we skip TS that don't match * specific IPs */
+ continue;
+ }
 ts2 = ts1->clone(ts1);
 if (dynamic || !host->is_anyaddr(host))
 { /* don't make regular TS larger than they were */
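Review bot: The comment on the new skip says what is skipped but not why a `%any` host is exempt or why skipping is preferred over replacing the TS, which is the rationale the commit message carries and a reader of the code alone cannot recover. Suggest widening it to `/* for transport mode, skip TS that don't match a specific host; %any is let through so the configured TS still apply to the wildcard (trap) case, and skipping rather than replacing keeps responder selection via select_child_cfg() from picking a config that later can't be narrowed */`. Note also that when no host is `%any` and none is included by a given ts1, the loop now yields no TS at all for that ts1 where it previously produced a replaced one; if the caller treats an empty result as "no proposal / no match" that is presumably the intent, but it is worth confirming at the select_child_cfg() call site. get_traffic_selectors() starts and ends outside the hunk.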