diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2017-02-15 15:33:38 +0100 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2017-03-02 08:27:21 +0100 |
| commit | d8e12fdb130a3b9413260ef74f646b3b243c6e1e (patch) | |
| tree | ebc448d2d9d8c9702840c7aa4855285e4f37e936 | |
| parent | 7ae95468119583084d6373ce7890b20a64e0aa02 (diff) | |
| download | strongswan-d8e12fdb130a3b9413260ef74f646b3b243c6e1e.tar.bz2 strongswan-d8e12fdb130a3b9413260ef74f646b3b243c6e1e.tar.xz | |
libipsec: Match IPsec policies against ports of processed packets
Fixes #2252.
| -rw-r--r-- | src/libipsec/ipsec_policy.c | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/src/libipsec/ipsec_policy.c b/src/libipsec/ipsec_policy.c index 8077d3c8d..98201b843 100644 --- a/src/libipsec/ipsec_policy.c +++ b/src/libipsec/ipsec_policy.c @@ -101,6 +101,24 @@ METHOD(ipsec_policy_t, match, bool, this->dst_ts->equals(this->dst_ts, dst_ts)); } +/** + * Match the port of the given host against the given traffic selector. + */ +static inline bool match_port(traffic_selector_t *ts, host_t *host) +{ + uint16_t from, to, port; + + from = ts->get_from_port(ts); + to = ts->get_to_port(ts); + if ((from == 0 && to == 0xffff) || + (from == 0xffff && to == 0)) + { + return TRUE; + } + port = host->get_port(host); + return from <= port && port <= to; +} + METHOD(ipsec_policy_t, match_packet, bool, private_ipsec_policy_t *this, ip_packet_t *packet) { @@ -110,7 +128,9 @@ METHOD(ipsec_policy_t, match_packet, bool, return (!this->protocol || this->protocol == proto) && this->src_ts->includes(this->src_ts, src) && - this->dst_ts->includes(this->dst_ts, dst); + match_port(this->src_ts, src) && + this->dst_ts->includes(this->dst_ts, dst) && + match_port(this->dst_ts, dst); } METHOD(ipsec_policy_t, get_source_ts, traffic_selector_t*, |