sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-04 00:00:14 -04:00
Code Issues Projects Releases Wiki Activity

charon-nm: Add option to configure local traffic selectors

Browse Source 
Closes strongswan/strongswan#2084
This commit is contained in:
Tobias Brunner 2024-11-12 13:56:16 +01:00
parent 941b7194a5
commit 9aa2be8411
1 changed files with 58 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
src/charon-nm/nm/nm_service.c
View File

@ -674,6 +674,51 @@ static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv,
return TRUE; return TRUE;
} }
/**
* Add traffic selectors to the given config, optionally parse them from a
* semicolon-separated list.
*/
static bool add_traffic_selectors(child_cfg_t *child_cfg, bool local,
const char *list, GError **err)
{
enumerator_t *enumerator;
traffic_selector_t *ts;
char *token;
if (list && strlen(list))
{
enumerator = enumerator_create_token(list, ";", "");
while (enumerator->enumerate(enumerator, &token))
{
ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
if (!ts)
{
g_set_error(err, NM_VPN_PLUGIN_ERROR,
NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
"Invalid %s traffic selector '%s'.",
local ? "local" : "remote", token);
enumerator->destroy(enumerator);
return FALSE;
}
child_cfg->add_traffic_selector(child_cfg, local, ts);
}
enumerator->destroy(enumerator);
}
else if (local)
{
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
}
else
{
ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
}
return TRUE;
}
/** /**
* Connect function called from NM via DBUS * Connect function called from NM via DBUS
*/ */
@ -692,7 +737,6 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
ike_cfg_t *ike_cfg; ike_cfg_t *ike_cfg;
peer_cfg_t *peer_cfg; peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg; child_cfg_t *child_cfg;
traffic_selector_t *ts;
ike_sa_t *ike_sa; ike_sa_t *ike_sa;
auth_cfg_t *auth; auth_cfg_t *auth;
certificate_t *cert = NULL; certificate_t *cert = NULL;
@ -945,36 +989,22 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
} }
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts); str = nm_setting_vpn_get_data_item(vpn, "local-ts");
if (!add_traffic_selectors(child_cfg, TRUE, str, err))
{
child_cfg->destroy(child_cfg);
peer_cfg->destroy(peer_cfg);
return FALSE;
}
str = nm_setting_vpn_get_data_item(vpn, "remote-ts"); str = nm_setting_vpn_get_data_item(vpn, "remote-ts");
if (str && strlen(str)) if (!add_traffic_selectors(child_cfg, FALSE, str, err))
{ {
enumerator = enumerator_create_token(str, ";", ""); child_cfg->destroy(child_cfg);
while (enumerator->enumerate(enumerator, &str)) peer_cfg->destroy(peer_cfg);
{ return FALSE;
ts = traffic_selector_create_from_cidr((char*)str, 0, 0, 65535);
if (!ts)
{
g_set_error(err, NM_VPN_PLUGIN_ERROR,
NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
"Invalid remote traffic selector.");
enumerator->destroy(enumerator);
child_cfg->destroy(child_cfg);
peer_cfg->destroy(peer_cfg);
return FALSE;
}
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
}
enumerator->destroy(enumerator);
}
else
{
ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
} }
peer_cfg->add_child_cfg(peer_cfg, child_cfg); peer_cfg->add_child_cfg(peer_cfg, child_cfg);
/** /**