Added options and a lookup function that will allow filtering of network interfaces

man/strongswan.conf.5.in

@@ -173,7 +173,7 @@ keys, which is discouraged due to security concerns (offline attacks on the
 openly transmitted hash of the PSK)
 .TP
 .BR charon.ignore_routing_tables
-A list of routing tables to be excluded from route lookup
+A space-separated list of routing tables to be excluded from route lookups
 .TP
 .BR charon.ikesa_table_segments " [1]"
 Number of exclusively locked segments in the hash table
@@ -198,6 +198,14 @@ Install routes into a separate routing table for established IPsec tunnels
 .BR charon.install_virtual_ip " [yes]"
 Install virtual IP addresses
 .TP
+.BR charon.interfaces_ignore
+A comma-separated list of network interfaces that should be ignored, if
+charon.interfaces_use is specified this option has no effect.
+.TP
+.BR charon.interfaces_use
+A comma-separated list of network interfaces that sould be used by charon.
+All other interfaces are ignored.
+.TP
 .BR charon.keep_alive " [20s]"
 NAT keep alive interval
 .TP

src/libhydra/hydra.c

@@ -58,12 +58,13 @@ bool libhydra_init(const char *daemon)
 	INIT(this,
 		.public = {
 			.attributes = attribute_manager_create(),
-			.kernel_interface = kernel_interface_create(),
 			.daemon = strdup(daemon ?: "libhydra"),
 		},
 	);
 	hydra = &this->public;
 
+	this->public.kernel_interface = kernel_interface_create();
+
 	if (lib->integrity &&
 		!lib->integrity->check(lib->integrity, "libhydra", libhydra_init))
 	{

src/libhydra/kernel/kernel_interface.c

@@ -39,6 +39,7 @@
 
 #include "kernel_interface.h"
 
+#include <hydra.h>
 #include <debug.h>
 #include <threading/mutex.h>
 #include <utils/linked_list.h>
@@ -122,6 +123,18 @@ struct private_kernel_interface_t {
 	 * List of algorithm mappings (kernel_algorithm_t*)
 	 */
 	linked_list_t *algorithms;
+
+	/**
+	 * List of interface names to include or exclude (char*), NULL if interfaces
+	 * are not filtered
+	 */
+	linked_list_t *ifaces_filter;
+
+	/**
+	 * TRUE to exclude interfaces listed in ifaces_filter, FALSE to consider
+	 * only those listed there
+	 */
+	bool ifaces_exclude;
 };
 
 METHOD(kernel_interface_t, get_spi, status_t,
@@ -364,6 +377,20 @@ METHOD(kernel_interface_t, enable_udp_decap, bool,
 	return this->ipsec->enable_udp_decap(this->ipsec, fd, family, port);
 }
 
+METHOD(kernel_interface_t, is_interface_usable, bool,
+	private_kernel_interface_t *this, const char *iface)
+{
+	status_t expected;
+
+	if (!this->ifaces_filter)
+	{
+		return TRUE;
+	}
+	expected = this->ifaces_exclude ? NOT_FOUND : SUCCESS;
+	return this->ifaces_filter->find_first(this->ifaces_filter, (void*)streq,
+										   NULL, iface) == expected;
+}
+
 METHOD(kernel_interface_t, get_address_by_ts, status_t,
 	private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip)
 {
@@ -634,6 +661,7 @@ METHOD(kernel_interface_t, destroy, void,
 	this->mutex_algs->destroy(this->mutex_algs);
 	DESTROY_IF(this->ipsec);
 	DESTROY_IF(this->net);
+	DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
 	this->listeners->destroy(this->listeners);
 	this->mutex->destroy(this->mutex);
 	free(this);
@@ -645,6 +673,7 @@ METHOD(kernel_interface_t, destroy, void,
 kernel_interface_t *kernel_interface_create()
 {
 	private_kernel_interface_t *this;
+	char *ifaces;
 
 	INIT(this,
 		.public = {
@@ -670,6 +699,7 @@ kernel_interface_t *kernel_interface_create()
 			.bypass_socket = _bypass_socket,
 			.enable_udp_decap = _enable_udp_decap,
 
+			.is_interface_usable = _is_interface_usable,
 			.get_address_by_ts = _get_address_by_ts,
 			.add_ipsec_interface = _add_ipsec_interface,
 			.remove_ipsec_interface = _remove_ipsec_interface,
@@ -693,6 +723,35 @@ kernel_interface_t *kernel_interface_create()
 		.algorithms = linked_list_create(),
 	);
 
+	ifaces = lib->settings->get_str(lib->settings,
+					"%s.interfaces_use", NULL, hydra->daemon);
+	if (!ifaces)
+	{
+		ifaces = lib->settings->get_str(lib->settings,
+					"%s.interfaces_ignore", NULL, hydra->daemon);
+		if (ifaces)
+		{
+			this->ifaces_exclude = TRUE;
+		}
+	}
+	if (ifaces)
+	{
+		enumerator_t *enumerator;
+		char *iface;
+
+		enumerator = enumerator_create_token(ifaces, ",", " ");
+		while (enumerator->enumerate(enumerator, &iface))
+		{
+			if (!this->ifaces_filter)
+			{
+				this->ifaces_filter = linked_list_create();
+			}
+			this->ifaces_filter->insert_last(this->ifaces_filter,
+											 strdup(iface));
+		}
+		enumerator->destroy(enumerator);
+	}
+
 	return &this->public;
 }
 

src/libhydra/kernel/kernel_interface.h

@@ -406,11 +406,20 @@ struct kernel_interface_t {
 	 */
 
 	/**
-	 * Tries to find an ip address of a local interface that is included in the
+	 * Verifies that the given interface is usable and not excluded by
+	 * configuration.
+	 *
+	 * @param iface			interface name
+	 * @return				TRUE if usable
+	 */
+	bool (*is_interface_usable)(kernel_interface_t *this, const char *iface);
+
+	/**
+	 * Tries to find an IP address of a local interface that is included in the
 	 * supplied traffic selector.
 	 *
 	 * @param ts			traffic selector
-	 * @param ip			returned ip (has to be destroyed)
+	 * @param ip			returned IP address (has to be destroyed)
 	 * @return				SUCCESS if address found
 	 */
 	status_t (*get_address_by_ts)(kernel_interface_t *this,