author | Martin Willi <martin@revosec.ch> | 2013-09-04 17:12:23 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2013-09-13 13:56:43 +0200 |
commit | 96136a12298e0804e8bd5f5b2d2d68e508da9810 (patch) | |
tree | d872b7946604db44b7bf9994144cf72ad769c88a /src/libipsec/ipsec_policy_mgr.h | |
parent | 791fde166998fa1f48c837576ec155e38bcdd1be (diff) | |
libipsec: check for a policy with the reqid of the SA on decapsulation
To prevent a client from sending a packet with a source address of a different
client, we require a policy bound via reqid to the decapsulating SA.
Diffstat (limited to 'src/libipsec/ipsec_policy_mgr.h')
-rw-r--r-- | src/libipsec/ipsec_policy_mgr.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/libipsec/ipsec_policy_mgr.h b/src/libipsec/ipsec_policy_mgr.h
index dfa4b12c3..30406bdb7 100644
--- a/src/libipsec/ipsec_policy_mgr.h
+++ b/src/libipsec/ipsec_policy_mgr.h
@@ -97,10 +97,12 @@ struct ipsec_policy_mgr_t {
  *
  * @param packet IP packet to match
  * @param inbound TRUE for an inbound packet
+ * @param reqid require a policy with a specific reqid, 0 for any
  * @return reference to the policy, or NULL if none found
  */
 ipsec_policy_t *(*find_by_packet)(ipsec_policy_mgr_t *this,
- ip_packet_t *packet, bool inbound);
+ ip_packet_t *packet, bool inbound,
+ u_int32_t reqid);
 
 /**
  * Destroy an ipsec_policy_mgr_t |
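Review bot: The new `@param reqid` line documents `0 for any`, which makes 0 a wildcard that turns off the SA-to-policy binding this commit exists to enforce, and the comment does not say so. I would spell it out, e.g. `@param reqid require a policy bound to this reqid; 0 matches any policy and disables the SA binding check`, so that callers on the decapsulation path know they must pass the SA's own reqid. Whether an inbound SA can itself carry reqid 0 is not visible in this header; if it can, the lookup would silently fall back to the unbound behaviour, so the caller should reject that case before calling `find_by_packet`. The enclosing `struct ipsec_policy_mgr_t` starts and ends outside this hunk, and the diffstat is limited to this file, so the implementation and call sites of the changed signature are not shown here.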