kernel-netlink: Optionally install protocol and ports on transport mode SAs

2025-11-27 00:00:29 -05:00 · 2014-08-25 14:45:40 +02:00 · 2014-08-25 14:45:40 +02:00 · 90e6675a65
commit 90e6675a65
parent 5dec7d2f9d
2 changed files with 27 additions and 6 deletions
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@ -16,6 +16,15 @@ charon.plugins.kernel-netlink.mtu = 0
 charon.plugins.kernel-netlink.roam_events = yes
 	Whether to trigger roam events when interfaces, addresses or routes change.

+charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
+	Whether to set protocol and ports in the selector installed on transport
+	mode IPsec SAs in the kernel.
+
+	Whether to set protocol and ports in the selector installed on transport
+	mode IPsec SAs in the kernel. While doing so enforces policies for inbound
+	traffic, it also prevents the use of a single IPsec SA by more than one
+	traffic selector.
+
 charon.plugins.kernel-netlink.xfrm_acq_expires = 165
 	Lifetime of XFRM acquire state in kernel.

--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@ -309,6 +309,12 @@ struct private_kernel_netlink_ipsec_t {
 	 */
 	bool install_routes;

+	/**
+	 * Whether to set protocol and ports on selector installed with transport
+	 * mode IPsec SAs
+	 */
+	bool proto_port_transport;
+
 	/**
 	 * Whether to track the history of a policy
 	 */
@ -1235,12 +1241,15 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			if (src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);
-				/* don't install proto/port on SA. This would break
-				 * potential secondary SAs for the same address using a
-				 * different prot/port. */
-				sa->sel.proto = 0;
-				sa->sel.dport = sa->sel.dport_mask = 0;
-				sa->sel.sport = sa->sel.sport_mask = 0;
+				if (!this->proto_port_transport)
+				{
+					/* don't install proto/port on SA. This would break
+					 * potential secondary SAs for the same address using a
+					 * different prot/port. */
+					sa->sel.proto = 0;
+					sa->sel.dport = sa->sel.dport_mask = 0;
+					sa->sel.sport = sa->sel.sport_mask = 0;
+				}
 			}
 			break;
 		default:
@ -2683,6 +2692,9 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 		.policy_history = TRUE,
 		.install_routes = lib->settings->get_bool(lib->settings,
 							"%s.install_routes", TRUE, lib->ns),
+		.proto_port_transport = lib->settings->get_bool(lib->settings,
+						"%s.plugins.kernel-netlink.set_proto_port_transport_sa",
+						FALSE, lib->ns),
 	);

 	if (streq(lib->ns, "starter"))