authorMartin Willi <martin@strongswan.org>2009-12-17 10:50:37 +0100
committerMartin Willi <martin@strongswan.org>2009-12-17 10:52:07 +0100
commit6ec949e022a4dd36f19676f0ba825c8b7ffcb2f6 (patch)
treedbada4619c15f17d6874b47d749fdfb83378fe78 /src/charon/plugins
parentf721e0fb5f2cc4aa010a262ab5de228ea48a6357 (diff)
Fixed BEET mode by installing SAs with the negotiated addresses in the traffic selector
Diffstat (limited to 'src/charon/plugins')
-rw-r--r--src/charon/plugins/kernel_klips/kernel_klips_ipsec.c5
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c24
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c5
3 files changed, 24 insertions, 10 deletions
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
index fc2c2a746..e0e4a7670 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1704,7 +1704,8 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool inbound)
+ bool encap, bool inbound, traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
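Review bot: The new src_ts/dst_ts parameters are added to the KLIPS add_sa signature to match the widened kernel_ipsec_t interface, but nothing in this hunk reads them, and since add_sa's body continues outside the hunk it is not visible whether KLIPS consumes them anywhere. If it does not, a BEET CHILD_SA negotiated against this backend is installed without the selector that the netlink backend now sets, with no log line or error to say so. A one-line comment at the new parameters would record that for the next reader, e.g. `/* src_ts/dst_ts: negotiated selectors for BEET mode; not applied by this backend */` (reworded if KLIPS does use them further down). The same applies to the pfkey add_sa hunk, which makes the identical signature change.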
@@ -2617,7 +2618,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
/* public functions */
this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
- this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+ this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 62434b30a..9cebd4627 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -930,7 +930,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool inbound)
+ bool encap, bool inbound,
+ traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
{
netlink_buf_t request;
char *alg_name;
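Review bot: The added declarations bind the asterisk to the type, `traffic_selector_t* src_ts, traffic_selector_t* dst_ts`, while the matching change in the klips and pfkey add_sa hunks and the rest of this signature (`private_kernel_netlink_ipsec_t *this`) bind it to the name. Writing it as `traffic_selector_t *src_ts, traffic_selector_t *dst_ts)` keeps the three backends consistent and follows the declarator convention used elsewhere in the file. add_sa's body continues outside the hunk.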
@@ -945,7 +946,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft,
ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
- mode, ipcomp, 0, FALSE, inbound);
+ mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
ipcomp = IPCOMP_NONE;
/* use transport mode ESP SA, IPComp uses tunnel mode */
mode = MODE_TRANSPORT;
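Review bot: The recursive call that installs the IPComp SA passes `NULL, NULL` for the selectors while still forwarding `mode`, and the ESP SA is then forced to MODE_TRANSPORT two lines below, so for a BEET CHILD_SA with IPComp enabled neither SA reaches the MODE_BEET branch with selectors and the fix this commit makes does not take effect on that path. If the negotiated selector is needed on the IPComp state (the only one that keeps the BEET mode here), the call should forward the arguments: `mode, ipcomp, 0, FALSE, inbound, src_ts, dst_ts);`. Whether the kernel requires the selector on the IPComp state as well as on the ESP state is not visible from the hunk and should be confirmed before changing it. The enclosing add_sa starts and ends outside this hunk.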
@@ -968,10 +969,21 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
sa->id.proto = proto_ike2kernel(protocol);
sa->family = src->get_family(src);
sa->mode = mode2kernel(mode);
- if (mode == MODE_TUNNEL)
+ switch (mode)
{
- sa->flags |= XFRM_STATE_AF_UNSPEC;
+ case MODE_TUNNEL:
+ sa->flags |= XFRM_STATE_AF_UNSPEC;
+ break;
+ case MODE_BEET:
+ if(src_ts && dst_ts)
+ {
+ sa->sel = ts2selector(src_ts, dst_ts);
+ }
+ break;
+ default:
+ break;
}
+
sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
sa->reqid = reqid;
sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
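Review bot: In the new MODE_BEET case the selector is only set when both src_ts and dst_ts are non-NULL, and the NULL case falls through to installing the SA with whatever sa->sel holds, so a BEET SA without selectors is installed silently; given that the selector is what binds the inner addresses in BEET mode, that silence is worth removing with a diagnostic in an else branch (see the fence). The `if(src_ts && dst_ts)` on the same case also lacks the space after `if` used everywhere else in this file. A brief comment on the case, `/* BEET: the kernel needs the inner (negotiated) addresses as SA selector */`, would tie the switch to the commit message for later readers. add_sa continues outside the hunk.
```c
case MODE_BEET:
    if (src_ts && dst_ts)
    {
        sa->sel = ts2selector(src_ts, dst_ts);
    }
    else
    {
        DBG1(DBG_KNL, "BEET mode SA requested without traffic selectors, "
             "installing SA without selector");
    }
    break;
/* … unchanged: default case and the rest of the SA setup … */
```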
@@ -1695,7 +1707,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
/* install a route, if:
* - we are NOT updating a policy
* - this is a forward policy (to just get one for each child)
- * - we are in tunnel mode
+ * - we are in tunnel/BEET mode
* - routing is not disabled via strongswan.conf
*/
if (policy->route == NULL && direction == POLICY_FWD &&
@@ -1999,7 +2011,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
/* public functions */
this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
- this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+ this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 0ebdafad3..b26a2bc0a 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1230,7 +1230,8 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool inbound)
+ bool encap, bool inbound, traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
@@ -2159,7 +2160,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
/* public functions */
this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
- this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
+ this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;