authorTobias Brunner <tobias@strongswan.org>2010-07-19 18:38:29 +0200
committerTobias Brunner <tobias@strongswan.org>2010-09-02 19:04:19 +0200
commitbd7a2f3bfc4093ed10097d167bf5f1221bf5bb61 (patch)
treeb1c03a5ad7f024d4db0da924d90ddcb5f978158f
parent6a066ad19b60cb137b353feb96241a90241b4dbc (diff)
Added an option to specify the type of a policy to kernel_ipsec.add_policy.
This will later allow us to support pluto's passthrough and drop policies in charon.
-rw-r--r--src/libcharon/sa/child_sa.c36
-rw-r--r--src/libhydra/kernel/kernel_interface.c5
-rw-r--r--src/libhydra/kernel/kernel_interface.h5
-rw-r--r--src/libhydra/kernel/kernel_ipsec.h18
-rw-r--r--src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c2
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c2
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c2
7 files changed, 43 insertions, 27 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index acfdfaf6c..fa95d12f7 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -692,24 +692,24 @@ METHOD(child_sa_t, add_policies, status_t,
status |= hydra->kernel_interface->add_policy(
hydra->kernel_interface,
this->my_addr, this->other_addr, my_ts, other_ts,
- POLICY_OUT, other_esp, other_ah, this->reqid,
- this->mark_out, this->mode, this->ipcomp,
- this->other_cpi, routed);
+ POLICY_OUT, POLICY_IPSEC, other_esp, other_ah,
+ this->reqid, this->mark_out, this->mode,
+ this->ipcomp, this->other_cpi, routed);
status |= hydra->kernel_interface->add_policy(
hydra->kernel_interface,
this->other_addr, this->my_addr, other_ts, my_ts,
- POLICY_IN, my_esp, my_ah, this->reqid,
- this->mark_in, this->mode, this->ipcomp,
- this->my_cpi, routed);
+ POLICY_IN, POLICY_IPSEC, my_esp, my_ah,
+ this->reqid, this->mark_in, this->mode,
+ this->ipcomp, this->my_cpi, routed);
if (this->mode != MODE_TRANSPORT)
{
status |= hydra->kernel_interface->add_policy(
hydra->kernel_interface,
this->other_addr, this->my_addr, other_ts, my_ts,
- POLICY_FWD, my_esp, my_ah, this->reqid,
- this->mark_in, this->mode, this->ipcomp,
- this->my_cpi, routed);
+ POLICY_FWD, POLICY_IPSEC, my_esp, my_ah,
+ this->reqid, this->mark_in, this->mode,
+ this->ipcomp, this->my_cpi, routed);
}
if (status != SUCCESS)
@@ -832,19 +832,19 @@ METHOD(child_sa_t, update, status_t,
/* reinstall updated policies */
hydra->kernel_interface->add_policy(hydra->kernel_interface,
- me, other, my_ts, other_ts, POLICY_OUT,
- other_esp, other_ah, this->reqid, this->mark_out,
- this->mode, this->ipcomp, this->other_cpi, FALSE);
+ me, other, my_ts, other_ts, POLICY_OUT, POLICY_IPSEC,
+ other_esp, other_ah, this->reqid, this->mark_out,
+ this->mode, this->ipcomp, this->other_cpi, FALSE);
hydra->kernel_interface->add_policy(hydra->kernel_interface,
- other, me, other_ts, my_ts, POLICY_IN,
- my_esp, my_ah, this->reqid, this->mark_in,
- this->mode, this->ipcomp, this->my_cpi, FALSE);
+ other, me, other_ts, my_ts, POLICY_IN, POLICY_IPSEC,
+ my_esp, my_ah, this->reqid, this->mark_in,
+ this->mode, this->ipcomp, this->my_cpi, FALSE);
if (this->mode != MODE_TRANSPORT)
{
hydra->kernel_interface->add_policy(hydra->kernel_interface,
- other, me, other_ts, my_ts, POLICY_FWD,
- my_esp, my_ah, this->reqid, this->mark_in,
- this->mode, this->ipcomp, this->my_cpi, FALSE);
+ other, me, other_ts, my_ts, POLICY_FWD, POLICY_IPSEC,
+ my_esp, my_ah, this->reqid, this->mark_in,
+ this->mode, this->ipcomp, this->my_cpi, FALSE);
}
}
enumerator->destroy(enumerator);
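Review bot: The three reinstalled add_policy calls in this hunk discard their status_t result, so a failed reinstall after an address update (for example NOT_SUPPORTED from a backend that cannot handle the requested type) leaves the CHILD_SA without a matching kernel policy and nothing records it. The add_policies hunk above folds each result into `status |= ...`; the update path would be consistent if it did the same, or at least logged a warning when a call does not return SUCCESS. The body of update continues outside the hunk, so how such a failure could be surfaced to the caller is not visible here.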
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index bc9960509..7e16a89cd 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -131,7 +131,7 @@ METHOD(kernel_interface_t, del_sa, status_t,
METHOD(kernel_interface_t, add_policy, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+ policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
@@ -140,7 +140,8 @@ METHOD(kernel_interface_t, add_policy, status_t,
return NOT_SUPPORTED;
}
return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
- direction, spi, ah_spi, reqid, mark, mode, ipcomp, cpi, routed);
+ direction, type, spi, ah_spi, reqid, mark,
+ mode, ipcomp, cpi, routed);
}
METHOD(kernel_interface_t, query_policy, status_t,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index c3c3764c4..fdf320be7 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -183,6 +183,7 @@ struct kernel_interface_t {
* @param src_ts traffic selector to match traffic source
* @param dst_ts traffic selector to match traffic dest
* @param direction direction of traffic, POLICY_(IN|OUT|FWD)
+ * @param type type of policy, POLICY_(IPSEC|PASS|DROP)
* @param spi SPI of optional ESP SA
* @param ah_spi SPI of optional AH SA
* @param reqid unique ID of an SA to use to enforce policy
@@ -197,8 +198,8 @@ struct kernel_interface_t {
host_t *src, host_t *dst,
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi,
- u_int32_t ah_spi, u_int32_t reqid,
+ policy_dir_t direction, policy_type_t type,
+ u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid,
mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed);
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index 1a7f7b44d..ff692535d 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -26,6 +26,7 @@
typedef enum ipsec_mode_t ipsec_mode_t;
typedef enum policy_dir_t policy_dir_t;
+typedef enum policy_type_t policy_type_t;
typedef enum ipcomp_transform_t ipcomp_transform_t;
typedef struct kernel_ipsec_t kernel_ipsec_t;
typedef struct lifetime_cfg_t lifetime_cfg_t;
@@ -72,6 +73,18 @@ enum policy_dir_t {
extern enum_name_t *policy_dir_names;
/**
+ * Type of a policy.
+ */
+enum policy_type_t {
+ /** Normal IPsec policy */
+ POLICY_IPSEC = 1,
+ /** Passthrough policy (traffic is ignored by IPsec) */
+ POLICY_PASS,
+ /** Drop policy (traffic is discarded) */
+ POLICY_DROP,
+};
+
+/**
* IPComp transform IDs, as in RFC 4306
*/
enum ipcomp_transform_t {
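Review bot: policy_type_t is introduced without an enum_name_t table, while policy_dir_t directly above it exports `extern enum_name_t *policy_dir_names;`; backends that log or reject the new argument will want the same for the type. Suggest adding `extern enum_name_t *policy_type_names;` after the enum and defining it in the translation unit that defines policy_dir_names. A short comment on why the enumeration starts at 1 rather than 0 would also help the next reader — presumably so that a zero-initialised field is not mistaken for a valid IPsec policy, but that intent should be confirmed and stated, e.g. `/* starts at 1 so that 0 is never a valid policy type */`.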
@@ -258,6 +271,7 @@ struct kernel_ipsec_t {
* @param src_ts traffic selector to match traffic source
* @param dst_ts traffic selector to match traffic dest
* @param direction direction of traffic, POLICY_(IN|OUT|FWD)
+ * @param type type of policy, POLICY_(IPSEC|PASS|DROP)
* @param spi SPI of optional ESP SA
* @param ah_spi SPI of optional AH SA
* @param reqid unique ID of an SA to use to enforce policy
@@ -272,8 +286,8 @@ struct kernel_ipsec_t {
host_t *src, host_t *dst,
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi,
- u_int32_t ah_spi, u_int32_t reqid,
+ policy_dir_t direction, policy_type_t type,
+ u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid,
mark_t mark, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, bool routed);
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index f0a9e5504..042d98936 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1969,7 +1969,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+ policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
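Review bot: The new `type` parameter is accepted by the signature, but the diffstat shows only these two lines changed in this file, so nothing in the body consumes it; a caller passing POLICY_PASS or POLICY_DROP would still get an ordinary IPsec policy installed, which for a drop policy is the opposite of what was requested. Until the backend implements the other types it should fail closed at the top of the body, `if (type != POLICY_IPSEC) { return NOT_SUPPORTED; }`, with a comment that passthrough and drop policies are not yet supported by this backend. The same applies to the kernel_netlink and kernel_pfkey add_policy hunks below, which likewise change only the signature. The body of add_policy lies outside the hunk, so this is inferred from the diffstat rather than seen.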
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 0f243361e..c715d8c73 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1617,7 +1617,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+ policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 5cd06eb2f..20d1b1205 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1593,7 +1593,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+ policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool routed)
{