author | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-03-27 10:18:19 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-04-09 16:51:02 +0200 |
commit | c26e4330e75688415e1b1a1499851b16d2a8a8e7 (patch) | |
tree | f109be0dabdaba6fe0907b5477b3289bf2331c91 /src/libcharon/plugins | |
parent | 7f57c4f9fbf3bdd559af054795bdbf2dfaa9b810 (diff) | |
download | strongswan-c26e4330e75688415e1b1a1499851b16d2a8a8e7.tar.bz2 strongswan-c26e4330e75688415e1b1a1499851b16d2a8a8e7.tar.xz |
Implemented IPsec policies restricted to given network interface
Diffstat (limited to 'src/libcharon/plugins')
-rw-r--r-- | src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 15 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 3 |
2 files changed, 12 insertions, 6 deletions
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index bad343eba..95c0e3ce0 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -26,6 +26,7 @@
 #include <linux/rtnetlink.h>
 #include <linux/xfrm.h>
 #include <linux/udp.h>
+#include <net/if.h>
 #include <unistd.h>
 #include <time.h>
 #include <errno.h>
@@ -739,7 +740,8 @@ static void ts2ports(traffic_selector_t* ts,
  * Convert a pair of traffic_selectors to an xfrm_selector
  */
 static struct xfrm_selector ts2selector(traffic_selector_t *src,
- traffic_selector_t *dst)
+ traffic_selector_t *dst,
+ char *interface)
 {
 struct xfrm_selector sel;
 uint16_t port;
@@ -763,7 +765,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
 sel.dport = htons(traffic_selector_icmp_code(port));
 sel.dport_mask = sel.dport ? ~0 : 0;
 }
- sel.ifindex = 0;
+ sel.ifindex = interface ? if_nametoindex(interface) : 0;
 sel.user = 0;
 
 return sel;
@@ -1279,7 +1281,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 data->dst_ts->get_first(data->dst_ts,
 (void**)&first_dst_ts) == SUCCESS)
 {
- sa->sel = ts2selector(first_src_ts, first_dst_ts);
+ sa->sel = ts2selector(first_src_ts, first_dst_ts,
+ data->interface);
 if (!this->proto_port_transport)
 {
 /* don't install proto/port on SA. This would break
@@ -2358,7 +2361,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 /* create a policy */
 INIT(policy,
- .sel = ts2selector(id->src_ts, id->dst_ts),
+ .sel = ts2selector(id->src_ts, id->dst_ts, id->interface),
 .mark = id->mark.value & id->mark.mask,
 .direction = id->dir,
 .reqid = data->sa->reqid,
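Review bot: The header comment above ts2selector still reads `* Convert a pair of traffic_selectors to an xfrm_selector` and says nothing about the third parameter added in this hunk; I would extend it to `* Convert a pair of traffic_selectors to an xfrm_selector, restricted to the named interface when interface is not NULL`. The new parameter is never written through, so `const char *interface` would match the prototype of if_nametoindex() and let callers pass constant names without a cast. The body of ts2selector continues outside this hunk.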
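Review bot: if_nametoindex() returns 0 when the name is not a current device, and the new line `sel.ifindex = interface ? if_nametoindex(interface) : 0;` installs that 0 unchanged, which is the same value the unrestricted case uses, so a misspelled interface name, or one that does not exist yet at install time, silently yields a selector that matches every interface instead of the one the configuration asked for. At minimum the failed lookup should be logged so the widened policy is visible in the log; failing the add would be cleaner, but ts2selector returns the selector by value and has no error path, so the variant below keeps the current signature and only makes the degradation loud. The same resolved value is consumed by the add_sa and add_policy hunks further down, so one check here covers all of them. The function's body continues outside the hunk.
```c
	sel.ifindex = 0;
	if (interface)
	{
		sel.ifindex = if_nametoindex(interface);
		if (sel.ifindex == 0)
		{
			/* ifindex 0 means "any interface": the requested restriction
			 * is lost, so report it instead of installing it silently */
			DBG1(DBG_KNL, "interface '%s' not found, selector not "
				 "restricted to it", interface);
		}
	}
	sel.user = 0;
	/* … unchanged: return sel … */
```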
@@ -2468,7 +2471,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
 
 policy_id = NLMSG_DATA(hdr);
- policy_id->sel = ts2selector(id->src_ts, id->dst_ts);
+ policy_id->sel = ts2selector(id->src_ts, id->dst_ts, id->interface);
 policy_id->dir = id->dir;
 
 if (!add_mark(hdr, sizeof(request), id->mark))
@@ -2552,7 +2555,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 
 /* create a policy */
 memset(&policy, 0, sizeof(policy_entry_t));
- policy.sel = ts2selector(id->src_ts, id->dst_ts);
+ policy.sel = ts2selector(id->src_ts, id->dst_ts, id->interface);
 policy.mark = id->mark.value & id->mark.mask;
 policy.direction = id->dir;
 
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 8358336af..a1ab56df9 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -462,6 +462,7 @@ static void log_child_data(child_data_t *data, char *name)
 DBG2(DBG_CFG, " reqid = %u", cfg->reqid);
 DBG2(DBG_CFG, " tfc = %d", cfg->tfc);
 DBG2(DBG_CFG, " priority = %d", cfg->priority);
+ DBG2(DBG_CFG, " interface = %s", cfg->interface);
 DBG2(DBG_CFG, " mark_in = %u/%u",
 cfg->mark_in.value, cfg->mark_in.mask);
 DBG2(DBG_CFG, " mark_out = %u/%u",
@@ -484,6 +485,7 @@ static void free_child_data(child_data_t *data)
 data->remote_ts->destroy_offset(data->remote_ts,
 offsetof(traffic_selector_t, destroy));
 free(data->cfg.updown);
+ free(data->cfg.interface);
 }
 
 /**
@@ -1342,6 +1344,7 @@ CALLBACK(child_kv, bool,
 { "mark_out", parse_mark, &child->cfg.mark_out },
 { "tfc_padding", parse_tfc, &child->cfg.tfc },
 { "priority", parse_uint32, &child->cfg.priority },
+ { "interface", parse_string, &child->cfg.interface },
 };
 
 return parse_rules(rules, countof(rules), name, value,
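Review bot: query_policy now re-resolves `id->interface` to an ifindex at lookup time through `policy_id->sel = ts2selector(id->src_ts, id->dst_ts, id->interface);`, whereas the entry was installed with the ifindex resolved at add time; if the device was renamed, removed or re-created in between (routine for tun, ppp and vlan devices), if_nametoindex() yields 0 or a different index and the selector built here no longer equals the one in the kernel. As far as the visible hunks let me tell, that means the policy is not found by query_policy and, via the identical line in the del_policy hunk below, not removed either, so a kernel policy would linger after the CHILD_SA is gone. Resolving the name once and carrying the numeric index with the stored policy entry, so that delete matches whatever add installed regardless of later interface churn, would avoid this; that change lies outside these hunks. Both enclosing METHOD bodies start and end outside the hunk.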
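Review bot: The new rule `{ "interface", parse_string, &child->cfg.interface },` accepts any string, but the value is later handed to if_nametoindex(), which can only match a live device name shorter than IFNAMSIZ; an over-long or mistyped name is not rejected here and only degrades later, in the kernel backend, to an ifindex of 0, i.e. a policy not restricted to any interface. A length check at parse time, rejecting the value with a parse error when `strlen(value) >= IFNAMSIZ` (which would require `<net/if.h>` in this file), surfaces the misconfiguration to the vici client instead of silently widening the policy; existence should not be checked here, since the device may legitimately appear later. The rules table and child_kv continue outside this hunk.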