diff options
| author | Martin Willi <martin@revosec.ch> | 2014-04-08 15:58:38 +0200 |
|---|---|---|
| committer | Martin Willi <martin@revosec.ch> | 2014-06-04 16:32:11 +0200 |
| commit | 4a8ba369b62fac3a0800520599fef8cf2753b443 (patch) | |
| tree | 38df73888431c732294a32db7548c6fbfc791723 /src/libcharon/plugins/kernel_wfp | |
| parent | be32be01a87b34cab42e04a315c5654f1a1303e7 (diff) | |
| download | strongswan-4a8ba369b62fac3a0800520599fef8cf2753b443.tar.bz2 strongswan-4a8ba369b62fac3a0800520599fef8cf2753b443.tar.xz | |
kernel-wfp: Install tunnel mode policies to appropriate sub-layers
While it is unclear if this has any effect at all, we prefer specific sublayers
to install policies as suggested.
Diffstat (limited to 'src/libcharon/plugins/kernel_wfp')
| -rw-r--r-- | src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h | 2 | ||||
| -rw-r--r-- | src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c | 26 |
2 files changed, 22 insertions, 6 deletions
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h index 8b1d5d36f..50a89a007 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h @@ -127,6 +127,8 @@ const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V4; const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V6; const GUID FWPM_LAYER_IPFORWARD_V4; const GUID FWPM_LAYER_IPFORWARD_V6; +const GUID FWPM_SUBLAYER_IPSEC_TUNNEL; +const GUID FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL; const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4; const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6; const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4; diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c index 5790f8389..7a8b1487c 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c @@ -553,7 +553,7 @@ static void free_conditions(FWPM_FILTER_CONDITION0 *conds, int count) * Find the callout GUID for given parameters */ static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward, - GUID *layer, GUID *callout) + GUID *layer, GUID *sublayer, GUID *callout) { struct { bool tunnel; @@ -561,31 +561,40 @@ static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward, bool inbound; bool forward; const GUID *layer; + const GUID *sublayer; const GUID *callout; } map[] = { - { 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, + { 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, NULL, &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 }, - { 0, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, + { 0, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, NULL, &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 }, - { 0, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, + { 0, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, NULL, &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 }, - { 0, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, + { 0, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, NULL, &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 }, { 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, + &FWPM_SUBLAYER_IPSEC_TUNNEL, &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 }, { 1, 0, 0, 1, &FWPM_LAYER_IPFORWARD_V4, + &FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL, &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 }, { 1, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, + &FWPM_SUBLAYER_IPSEC_TUNNEL, &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 }, { 1, 0, 1, 1, &FWPM_LAYER_IPFORWARD_V4, + &FWPM_SUBLAYER_IPSEC_TUNNEL, &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 }, { 1, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, + &FWPM_SUBLAYER_IPSEC_TUNNEL, &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 }, { 1, 1, 0, 1, &FWPM_LAYER_IPFORWARD_V6, + &FWPM_SUBLAYER_IPSEC_TUNNEL, &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 }, { 1, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, + &FWPM_SUBLAYER_IPSEC_TUNNEL, &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 }, { 1, 1, 1, 1, &FWPM_LAYER_IPFORWARD_V6, + &FWPM_SUBLAYER_IPSEC_TUNNEL, &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 }, }; int i; @@ -599,6 +608,10 @@ static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward, { *callout = *map[i].callout; *layer = *map[i].layer; + if (map[i].sublayer) + { + *sublayer = *map[i].sublayer; + } return TRUE; } } @@ -635,7 +648,8 @@ static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp, v6 = sp->src->get_type(sp->src) == TS_IPV6_ADDR_RANGE; if (!find_callout(context != NULL, v6, inbound, fwd, - &filter.layerKey, &filter.action.calloutKey)) + &filter.layerKey, &filter.subLayerKey, + &filter.action.calloutKey)) { return FALSE; } |