authorMartin Willi <martin@revosec.ch>2013-09-04 17:12:23 +0200
committerMartin Willi <martin@revosec.ch>2013-09-13 13:56:43 +0200
commit96136a12298e0804e8bd5f5b2d2d68e508da9810 (patch)
treed872b7946604db44b7bf9994144cf72ad769c88a /src/libipsec/ipsec_policy_mgr.h
parent791fde166998fa1f48c837576ec155e38bcdd1be (diff)
libipsec: check for a policy with the reqid of the SA on decapsulation
To prevent a client from sending a packet with a source address of a different client, we require a policy bound via reqid to the decapsulating SA.
Diffstat (limited to 'src/libipsec/ipsec_policy_mgr.h')
-rw-r--r--src/libipsec/ipsec_policy_mgr.h4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/libipsec/ipsec_policy_mgr.h b/src/libipsec/ipsec_policy_mgr.h
index dfa4b12c3..30406bdb7 100644
--- a/src/libipsec/ipsec_policy_mgr.h
+++ b/src/libipsec/ipsec_policy_mgr.h
@@ -97,10 +97,12 @@ struct ipsec_policy_mgr_t {
*
* @param packet IP packet to match
* @param inbound TRUE for an inbound packet
+ * @param reqid require a policy with a specific reqid, 0 for any
* @return reference to the policy, or NULL if none found
*/
ipsec_policy_t *(*find_by_packet)(ipsec_policy_mgr_t *this,
- ip_packet_t *packet, bool inbound);
+ ip_packet_t *packet, bool inbound,
+ u_int32_t reqid);
/**
* Destroy an ipsec_policy_mgr_t
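Review bot: The new `reqid` parameter of `find_by_packet` treats 0 as a wildcard, so a decapsulation caller that passes an SA's reqid when that value is 0 would silently get the old unbound lookup and skip the source-address binding described in the commit message. Whether an SA can carry reqid 0 is not visible here, because the diff is limited to this header; it is worth confirming at the call site. I would state the contract in the doc comment, for example `@param reqid  reqid of the SA the policy must be bound to; 0 disables the reqid check and matches any policy`. The `@return` line should also say that NULL is returned when a policy matches the packet but is bound to a different reqid, so callers know to drop the packet in that case. The enclosing `struct ipsec_policy_mgr_t` starts and ends outside the hunk.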