authorTobias Brunner <tobias@strongswan.org>2011-07-27 13:41:35 +0200
committerTobias Brunner <tobias@strongswan.org>2011-07-27 13:41:35 +0200
commitfbedc6a45b9c18f13972c8e1a7ada0ef5fb67210 (patch)
tree3e085d662684f302bfc531ff03ef2b73f257ba16 /src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
parenta2e377fcfdc227e3856b656c8cd5401d67710eff (diff)
Remove policies in kernel interfaces based on their priority.
This allows unrouting a connection while the same connection is currently established. In this case both CHILD_SAs share the same reqid, but the installed policies have different priorities.
Diffstat (limited to 'src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c')
-rw-r--r--src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index aca00ddb4..25287aa77 100644
--- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1971,7 +1971,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
- mark_t mark, bool routed)
+ mark_t mark, policy_priority_t priority)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
@@ -2013,7 +2013,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
this->policies->insert_last(this->policies, policy);
}
- if (routed)
+ if (priority == POLICY_PRIORITY_ROUTED)
{
/* we install this as a %trap eroute in the kernel, later to be
* triggered by packets matching the policy (-> ACQUIRE). */
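Review bot: The comparison `priority == POLICY_PRIORITY_ROUTED` now appears three times in add_policy (here and twice in the build_addflow call of the next hunk); hoisting it once into a local, `bool routed = (priority == POLICY_PRIORITY_ROUTED);` after the declarations, would keep the original one-word condition and the original build_addflow argument list unchanged. A one-line comment at that point would also help, stating that the KLIPS backend only distinguishes %trap eroutes from active policies, so every priority other than POLICY_PRIORITY_ROUTED takes the non-trap path with the real src/dst addresses; if policy_priority_t carries further values this is presumably intended, but nothing in the function says so. add_policy starts before this hunk and continues past it.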
@@ -2049,9 +2049,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
msg = (struct sadb_msg*)request;
/* FIXME: SADB_X_SAFLAGS_INFLOW may be required, if we add an inbound policy for an IPIP SA */
- build_addflow(msg, satype, spi, routed ? NULL : src, routed ? NULL : dst,
- policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
- policy->src.proto, found != NULL);
+ build_addflow(msg, satype, spi,
+ priority == POLICY_PRIORITY_ROUTED ? NULL : src,
+ priority == POLICY_PRIORITY_ROUTED ? NULL : dst,
+ policy->src.net, policy->src.mask, policy->dst.net,
+ policy->dst.mask, policy->src.proto, found != NULL);
this->mutex->unlock(this->mutex);
@@ -2348,7 +2350,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
METHOD(kernel_ipsec_t, del_policy, status_t,
private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts,
traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
- mark_t mark, bool unrouted)
+ mark_t mark, policy_priority_t priority)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg = (struct sadb_msg*)request, *out;
@@ -2382,7 +2384,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
policy_entry_destroy(policy);
/* decrease appropriate counter */
- unrouted ? found->trapcount-- : found->activecount--;
+ priority == POLICY_PRIORITY_ROUTED ? found->trapcount--
+ : found->activecount--;
if (found->trapcount == 0)
{
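Review bot: The counter update `priority == POLICY_PRIORITY_ROUTED ? found->trapcount-- : found->activecount--;` uses a conditional expression purely for its side effects, and wrapping it over two lines makes that harder to read than the old one-liner; an if/else, `if (priority == POLICY_PRIORITY_ROUTED) { found->trapcount--; } else { found->activecount--; }`, states the intent directly. Whether the lookup that sets `found` above this hunk also distinguishes trap entries from active ones is not visible here; as written, the right counter is decremented only if the caller passes the same priority it used in add_policy for this policy, which presumably is the contract the commit message describes. del_policy starts before this hunk and continues past it.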