author | Tobias Brunner <tobias@strongswan.org> | 2011-07-27 13:41:35 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2011-07-27 13:41:35 +0200 |
commit | fbedc6a45b9c18f13972c8e1a7ada0ef5fb67210 (patch) | |
tree | 3e085d662684f302bfc531ff03ef2b73f257ba16 /src/libcharon | |
parent | a2e377fcfdc227e3856b656c8cd5401d67710eff (diff) | |
download | strongswan-fbedc6a45b9c18f13972c8e1a7ada0ef5fb67210.tar.bz2 strongswan-fbedc6a45b9c18f13972c8e1a7ada0ef5fb67210.tar.xz |
Remove policies in kernel interfaces based on their priority.
This allows unrouting a connection while the same connection is
currently established. In this case both CHILD_SAs share the same
reqid but the installed policies have different priorities.
Diffstat (limited to 'src/libcharon')
-rw-r--r-- | src/libcharon/plugins/load_tester/load_tester_ipsec.c | 4 | ||||
-rw-r--r-- | src/libcharon/sa/child_sa.c | 36 | ||||
-rw-r--r-- | src/libcharon/sa/shunt_manager.c | 15 |
3 files changed, 32 insertions, 23 deletions
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index e8c02b99a..f76f2988c 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -86,7 +86,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
  private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
  traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
  policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
- mark_t mark, bool routed)
+ mark_t mark, policy_priority_t priority)
  {
  return SUCCESS;
  }
@@ -103,7 +103,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
  METHOD(kernel_ipsec_t, del_policy, status_t,
  private_load_tester_ipsec_t *this, traffic_selector_t *src_ts,
  traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
- mark_t mark, bool unrouted)
+ mark_t mark, policy_priority_t priority)
  {
  return SUCCESS;
  }
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 870ba8d66..4c97b52eb 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006-2011 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -664,7 +664,6 @@ METHOD(child_sa_t, add_policies, status_t,
  enumerator_t *enumerator;
  traffic_selector_t *my_ts, *other_ts;
  status_t status = SUCCESS;
- bool routed = (this->state == CHILD_CREATED);
 
  /* apply traffic selectors */
  enumerator = my_ts_list->create_enumerator(my_ts_list);
@@ -682,6 +681,7 @@ METHOD(child_sa_t, add_policies, status_t,
 
  if (this->config->install_policy(this->config))
  {
+ policy_priority_t priority;
  ipsec_sa_cfg_t my_sa = {
  .mode = this->mode,
  .reqid = this->reqid,
@@ -708,6 +708,9 @@ METHOD(child_sa_t, add_policies, status_t,
  other_sa.ah.spi = this->other_spi;
  }
 
+ priority = this->state == CHILD_CREATED ? POLICY_PRIORITY_ROUTED
+ : POLICY_PRIORITY_DEFAULT;
+
  /* enumerate pairs of traffic selectors */
  enumerator = create_policy_enumerator(this);
  while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
@@ -717,20 +720,20 @@ METHOD(child_sa_t, add_policies, status_t,
  hydra->kernel_interface, this->my_addr, this->other_addr,
  my_ts, other_ts, POLICY_OUT, POLICY_IPSEC, &other_sa,
- this->mark_out, routed);
+ this->mark_out, priority);
  status |= hydra->kernel_interface->add_policy(
  hydra->kernel_interface, this->other_addr, this->my_addr,
  other_ts, my_ts, POLICY_IN, POLICY_IPSEC, &my_sa,
- this->mark_in, routed);
+ this->mark_in, priority);
  if (this->mode != MODE_TRANSPORT)
  {
  status |= hydra->kernel_interface->add_policy(
  hydra->kernel_interface, this->other_addr, this->my_addr,
  other_ts, my_ts, POLICY_FWD, POLICY_IPSEC, &my_sa,
- this->mark_in, routed);
+ this->mark_in, priority);
  }
 
  if (status != SUCCESS)
@@ -838,15 +841,15 @@ METHOD(child_sa_t, update, status_t,
  /* remove old policies first */
  hydra->kernel_interface->del_policy(hydra->kernel_interface,
  my_ts, other_ts, POLICY_OUT, this->reqid,
- this->mark_out, FALSE);
+ this->mark_out, POLICY_PRIORITY_DEFAULT);
  hydra->kernel_interface->del_policy(hydra->kernel_interface,
  other_ts, my_ts, POLICY_IN, this->reqid,
- this->mark_in, FALSE);
+ this->mark_in, POLICY_PRIORITY_DEFAULT);
  if (this->mode != MODE_TRANSPORT)
  {
  hydra->kernel_interface->del_policy(hydra->kernel_interface,
  other_ts, my_ts, POLICY_FWD, this->reqid,
- this->mark_in, FALSE);
+ this->mark_in, POLICY_PRIORITY_DEFAULT);
  }
 
  /* check whether we have to update a "dynamic" traffic selector */
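Review bot: The three del_policy calls in the update() hunk at -838 hard-code POLICY_PRIORITY_DEFAULT (as do the matching add_policy calls in the following hunk at -872), while add_policies() and destroy() in this same commit derive the priority from this->state. If update() can ever run on a CHILD_SA whose policies were installed with POLICY_PRIORITY_ROUTED, the deletion would presumably not match the installed entry and the routed policy would stay in the kernel next to the re-added default one. Either derive the priority from this->state the same way destroy() does, or document the assumption at the first call: `/* update() only runs on established CHILD_SAs, whose policies were installed with POLICY_PRIORITY_DEFAULT */`. update()'s body begins and ends outside this hunk.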
@@ -872,15 +875,15 @@ METHOD(child_sa_t, update, status_t,
  /* reinstall updated policies */
  hydra->kernel_interface->add_policy(hydra->kernel_interface,
  me, other, my_ts, other_ts, POLICY_OUT, POLICY_IPSEC,
- &other_sa, this->mark_out, FALSE);
+ &other_sa, this->mark_out, POLICY_PRIORITY_DEFAULT);
  hydra->kernel_interface->add_policy(hydra->kernel_interface,
  other, me, other_ts, my_ts, POLICY_IN, POLICY_IPSEC,
- &my_sa, this->mark_in, FALSE);
+ &my_sa, this->mark_in, POLICY_PRIORITY_DEFAULT);
  if (this->mode != MODE_TRANSPORT)
  {
  hydra->kernel_interface->add_policy(hydra->kernel_interface,
  other, me, other_ts, my_ts, POLICY_FWD, POLICY_IPSEC,
- &my_sa, this->mark_in, FALSE);
+ &my_sa, this->mark_in, POLICY_PRIORITY_DEFAULT);
  }
  }
  enumerator->destroy(enumerator);
@@ -913,7 +916,10 @@ METHOD(child_sa_t, destroy, void,
  {
  enumerator_t *enumerator;
  traffic_selector_t *my_ts, *other_ts;
- bool unrouted = (this->state == CHILD_ROUTED);
+ policy_priority_t priority;
+
+ priority = this->state == CHILD_ROUTED ? POLICY_PRIORITY_ROUTED
+ : POLICY_PRIORITY_DEFAULT;
 
  set_state(this, CHILD_DESTROYING);
 
@@ -947,15 +953,15 @@ METHOD(child_sa_t, destroy, void,
  {
  hydra->kernel_interface->del_policy(hydra->kernel_interface,
  my_ts, other_ts, POLICY_OUT, this->reqid,
- this->mark_out, unrouted);
+ this->mark_out, priority);
  hydra->kernel_interface->del_policy(hydra->kernel_interface,
  other_ts, my_ts, POLICY_IN, this->reqid,
- this->mark_in, unrouted);
+ this->mark_in, priority);
  if (this->mode != MODE_TRANSPORT)
  {
  hydra->kernel_interface->del_policy(hydra->kernel_interface,
  other_ts, my_ts, POLICY_FWD, this->reqid,
- this->mark_in, unrouted);
+ this->mark_in, priority);
  }
  }
  enumerator->destroy(enumerator);
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index accebe652..52b2ecd62 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
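Review bot: In the destroy() hunk at -913 the new priority assignment must stay ahead of set_state(this, CHILD_DESTROYING), because it reads this->state and set_state() overwrites it; that ordering is load-bearing but nothing in the hunk says so. A comment on the assignment would protect it from a later reordering: `/* derive the priority before set_state() below replaces the state; it must match the priority add_policies() used, or the kernel policies stay installed after this CHILD_SA is gone */`. The "stay installed" consequence is inferred from del_policy now taking the priority as a lookup key and should be confirmed against the kernel interface. The METHOD signature of destroy() lies outside this hunk.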
@@ -69,19 +69,22 @@ static bool install_shunt_policy(child_cfg_t *child)
  status |= hydra->kernel_interface->add_policy(
  hydra->kernel_interface, host_any, host_any,
  my_ts, other_ts, POLICY_OUT, policy_type,
- &sa, child->get_mark(child, FALSE), FALSE);
+ &sa, child->get_mark(child, FALSE),
+ POLICY_PRIORITY_DEFAULT);
 
  /* install in policy */
  status |= hydra->kernel_interface->add_policy(
  hydra->kernel_interface, host_any, host_any,
  other_ts, my_ts, POLICY_IN, policy_type,
- &sa, child->get_mark(child, TRUE), FALSE);
+ &sa, child->get_mark(child, TRUE),
+ POLICY_PRIORITY_DEFAULT);
 
  /* install forward policy */
  status |= hydra->kernel_interface->add_policy(
  hydra->kernel_interface, host_any, host_any,
  other_ts, my_ts, POLICY_FWD, policy_type,
- &sa, child->get_mark(child, TRUE), FALSE);
+ &sa, child->get_mark(child, TRUE),
+ POLICY_PRIORITY_DEFAULT);
  }
  e_other_ts->destroy(e_other_ts);
  }
@@ -150,19 +153,19 @@ static void uninstall_shunt_policy(child_cfg_t *child)
  status |= hydra->kernel_interface->del_policy(
  hydra->kernel_interface, my_ts, other_ts,
  POLICY_OUT, 0, child->get_mark(child, FALSE),
- FALSE);
+ POLICY_PRIORITY_DEFAULT);
 
  /* uninstall in policy */
  status |= hydra->kernel_interface->del_policy(
  hydra->kernel_interface, other_ts, my_ts,
  POLICY_IN, 0, child->get_mark(child, TRUE),
- FALSE);
+ POLICY_PRIORITY_DEFAULT);
 
  /* uninstall forward policy */
  status |= hydra->kernel_interface->del_policy(
  hydra->kernel_interface, other_ts, my_ts,
  POLICY_FWD, 0, child->get_mark(child, TRUE),
- FALSE);
+ POLICY_PRIORITY_DEFAULT);
  }
  e_other_ts->destroy(e_other_ts);
  }