authorMartin Willi <martin@revosec.ch>2014-04-08 15:58:38 +0200
committerMartin Willi <martin@revosec.ch>2014-06-04 16:32:11 +0200
commit4a8ba369b62fac3a0800520599fef8cf2753b443 (patch)
tree38df73888431c732294a32db7548c6fbfc791723 /src/libcharon/plugins/kernel_wfp
parentbe32be01a87b34cab42e04a315c5654f1a1303e7 (diff)
downloadstrongswan-4a8ba369b62fac3a0800520599fef8cf2753b443.tar.bz2
strongswan-4a8ba369b62fac3a0800520599fef8cf2753b443.tar.xz
kernel-wfp: Install tunnel mode policies to appropriate sub-layers
While it is unclear whether this has any effect at all, we prefer installing tunnel mode policies into the specific IPsec sub-layers, as suggested by the WFP documentation.
Diffstat (limited to 'src/libcharon/plugins/kernel_wfp')
-rw-r--r--src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h2
-rw-r--r--src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c26
2 files changed, 22 insertions, 6 deletions
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h
index 8b1d5d36f..50a89a007 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h
@@ -127,6 +127,8 @@ const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V6;
const GUID FWPM_LAYER_IPFORWARD_V4;
const GUID FWPM_LAYER_IPFORWARD_V6;
+const GUID FWPM_SUBLAYER_IPSEC_TUNNEL;
+const GUID FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL;
const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4;
const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6;
const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4;
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index 5790f8389..7a8b1487c 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -553,7 +553,7 @@ static void free_conditions(FWPM_FILTER_CONDITION0 *conds, int count)
* Find the callout GUID for given parameters
*/
static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward,
- GUID *layer, GUID *callout)
+ GUID *layer, GUID *sublayer, GUID *callout)
{
struct {
bool tunnel;
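Review bot: The header comment `* Find the callout GUID for given parameters` no longer matches the signature: the function now also fills in `layer` and, judging by the table rows added later in this commit, writes `sublayer` only for tunnel-mode entries. A caller reading the comment would assume all three out-parameters are set on success. I would reword it to name every output and the condition, e.g. `* Find layer, sub-layer and callout GUIDs for given parameters; sublayer is only written for tunnel mode entries`. find_callout's body continues beyond this hunk.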
@@ -561,31 +561,40 @@ static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward,
bool inbound;
bool forward;
const GUID *layer;
+ const GUID *sublayer;
const GUID *callout;
} map[] = {
- { 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4,
+ { 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, NULL,
&FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 },
- { 0, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4,
+ { 0, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, NULL,
&FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 },
- { 0, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6,
+ { 0, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, NULL,
&FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 },
- { 0, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6,
+ { 0, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, NULL,
&FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 },
{ 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 },
{ 1, 0, 0, 1, &FWPM_LAYER_IPFORWARD_V4,
+ &FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL,
&FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 },
{ 1, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 },
{ 1, 0, 1, 1, &FWPM_LAYER_IPFORWARD_V4,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 },
{ 1, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 },
{ 1, 1, 0, 1, &FWPM_LAYER_IPFORWARD_V6,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 },
{ 1, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 },
{ 1, 1, 1, 1, &FWPM_LAYER_IPFORWARD_V6,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 },
};
int i;
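Review bot: The IPv6 forward-outbound tunnel row `{ 1, 1, 0, 1, &FWPM_LAYER_IPFORWARD_V6, ...` is given `&FWPM_SUBLAYER_IPSEC_TUNNEL`, while its IPv4 counterpart `{ 1, 0, 0, 1, &FWPM_LAYER_IPFORWARD_V4, ...` uses `&FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL`. Every other row pairs its v4 and v6 variants identically, so this looks like a copy-paste slip rather than an intended difference; if the forward-outbound sub-layer is where IPFORWARD outbound tunnel filters belong, the v6 row should read `&FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL,`. Since the commit message itself says the effect of the sub-layer choice is unclear, a mistake here would be silent, so a short comment above the table stating the rule (forward outbound → FORWARD_OUTBOUND_TUNNEL sub-layer, all other tunnel rows → IPSEC_TUNNEL, transport → none) would make the asymmetry visible. find_callout starts and ends outside this hunk.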
@@ -599,6 +608,10 @@ static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward,
{
*callout = *map[i].callout;
*layer = *map[i].layer;
+ if (map[i].sublayer)
+ {
+ *sublayer = *map[i].sublayer;
+ }
return TRUE;
}
}
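Review bot: `*sublayer` is only assigned when `map[i].sublayer` is non-NULL, so for the four transport-mode rows the caller's GUID keeps whatever it held before the call, whereas `*layer` and `*callout` are always overwritten on a hit. That makes the out-parameter contract asymmetric and pushes the "default sub-layer" behaviour onto the caller having pre-zeroed its `FWPM_FILTER0`, which this hunk cannot confirm. I would write the zero GUID explicitly in an `else` branch, `memset(sublayer, 0, sizeof(*sublayer));`, so that find_callout decides the sub-layer in every case, and note it in the function comment, e.g. `/* sublayer is set to the null GUID for transport mode, selecting WFP's default sub-layer */` (the null-GUID-means-default behaviour is presumably what the transport rows rely on; worth confirming against the WFP docs). The enclosing function begins outside this hunk.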
@@ -635,7 +648,8 @@ static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp,
v6 = sp->src->get_type(sp->src) == TS_IPV6_ADDR_RANGE;
if (!find_callout(context != NULL, v6, inbound, fwd,
- &filter.layerKey, &filter.action.calloutKey))
+ &filter.layerKey, &filter.subLayerKey,
+ &filter.action.calloutKey))
{
return FALSE;
}