author | Tobias Brunner <tobias@strongswan.org> | 2012-07-13 15:18:07 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2012-08-08 15:41:03 +0200 |
commit | 2e1a19136d8123e5a8c9aa99afbb4a51d92ec2a6 (patch) | |
tree | 9488d7e0e43cafe3bd7aa5a9f93af9f88eca7244 /src/libipsec | |
parent | 2dd47c244275abc43a597b50b95a792d1aecc3cd (diff) | |
download | strongswan-2e1a19136d8123e5a8c9aa99afbb4a51d92ec2a6.tar.bz2 strongswan-2e1a19136d8123e5a8c9aa99afbb4a51d92ec2a6.tar.xz |
IPsec policies can be looked up based on an IP packet
Diffstat (limited to 'src/libipsec')
-rw-r--r-- | src/libipsec/ipsec_policy.c | 13 | ||||
-rw-r--r-- | src/libipsec/ipsec_policy.h | 10 | ||||
-rw-r--r-- | src/libipsec/ipsec_policy_mgr.c | 27 | ||||
-rw-r--r-- | src/libipsec/ipsec_policy_mgr.h | 13 |
4 files changed, 62 insertions, 1 deletions
diff --git a/src/libipsec/ipsec_policy.c b/src/libipsec/ipsec_policy.c
index 54bae6a76..af8ea9f9d 100644
--- a/src/libipsec/ipsec_policy.c
+++ b/src/libipsec/ipsec_policy.c
@@ -101,6 +101,18 @@ METHOD(ipsec_policy_t, match, bool,
 this->dst_ts->equals(this->dst_ts, dst_ts));
 }
 
+METHOD(ipsec_policy_t, match_packet, bool,
+ private_ipsec_policy_t *this, ip_packet_t *packet)
+{
+ u_int8_t proto = packet->get_next_header(packet);
+ host_t *src = packet->get_source(packet),
+ *dst = packet->get_destination(packet);
+
+ return (!this->protocol || this->protocol == proto) &&
+ this->src_ts->includes(this->src_ts, src) &&
+ this->dst_ts->includes(this->dst_ts, dst);
+}
+
 METHOD(ipsec_policy_t, get_source_ts, traffic_selector_t*,
 private_ipsec_policy_t *this)
 {
@@ -172,6 +184,7 @@ ipsec_policy_t *ipsec_policy_create(host_t *src, host_t *dst,
 INIT(this,
 .public = {
 .match = _match,
+ .match_packet = _match_packet,
 .get_source_ts = _get_source_ts,
 .get_destination_ts = _get_destination_ts,
 .get_direction = _get_direction,
diff --git a/src/libipsec/ipsec_policy.h b/src/libipsec/ipsec_policy.h
index 08069307a..67ad0b0ed 100644
--- a/src/libipsec/ipsec_policy.h
+++ b/src/libipsec/ipsec_policy.h
@@ -23,6 +23,8 @@
 #ifndef IPSEC_POLICY_H
 #define IPSEC_POLICY_H
 
+#include "ip_packet.h"
+
 #include <library.h>
 #include <utils/host.h>
 #include <ipsec/ipsec_types.h>
@@ -100,6 +102,14 @@ struct ipsec_policy_t {
 u_int32_t reqid, mark_t mark, policy_priority_t priority);
 
 /**
+ * Check if this policy matches the given IP packet
+ *
+ * @param packet IP packet
+ * @return TRUE if policy matches the packet
+ */
+ bool (*match_packet)(ipsec_policy_t *this, ip_packet_t *packet);
+
+ /**
 * Destroy an ipsec_policy_t
 */
 void (*destroy)(ipsec_policy_t *this);
diff --git a/src/libipsec/ipsec_policy_mgr.c b/src/libipsec/ipsec_policy_mgr.c
index 70447b237..41ba792c3 100644
--- a/src/libipsec/ipsec_policy_mgr.c
+++ b/src/libipsec/ipsec_policy_mgr.c
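Review bot: match_packet compares only the next-header value and the source/destination addresses of the packet; the transport-layer ports are never read, and the selector check goes through includes() with a bare host_t, so if the traffic selectors carry port restrictions a policy narrower than the packet would still match here. If ip_packet_t exposes the ports, the check should also compare them against the selectors; otherwise the declaration added to ipsec_policy.h in this commit should say so, e.g. `* Only protocol and addresses are compared, ports are ignored`. Whether get_next_header() yields the upper-layer protocol for IPv6 packets carrying extension headers is not visible in this diff and is worth confirming, since this->protocol is compared against it directly.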
@@ -16,7 +16,6 @@
 */
 
 #include "ipsec_policy_mgr.h"
-#include "ipsec_policy.h"
 
 #include <debug.h>
 #include <threading/rwlock.h>
@@ -230,6 +229,31 @@ METHOD(ipsec_policy_mgr_t, flush_policies, status_t,
 return SUCCESS;
 }
 
+METHOD(ipsec_policy_mgr_t, find_by_packet, ipsec_policy_t*,
+ private_ipsec_policy_mgr_t *this, ip_packet_t *packet, bool inbound)
+{
+ enumerator_t *enumerator;
+ ipsec_policy_entry_t *current;
+ ipsec_policy_t *found = NULL;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->policies->create_enumerator(this->policies);
+ while (enumerator->enumerate(enumerator, (void**)¤t))
+ {
+ ipsec_policy_t *policy = current->policy;
+
+ if ((inbound == (policy->get_direction(policy) == POLICY_IN)) &&
+ policy->match_packet(policy, packet))
+ {
+ found = policy->get_ref(policy);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+ return found;
+}
+
 METHOD(ipsec_policy_mgr_t, destroy, void,
 private_ipsec_policy_mgr_t *this)
 {
@@ -251,6 +275,7 @@ ipsec_policy_mgr_t *ipsec_policy_mgr_create()
 .add_policy = _add_policy,
 .del_policy = _del_policy,
 .flush_policies = _flush_policies,
+ .find_by_packet = _find_by_packet,
 .destroy = _destroy,
 },
 .policies = linked_list_create(),
diff --git a/src/libipsec/ipsec_policy_mgr.h b/src/libipsec/ipsec_policy_mgr.h
index 0a2f63239..d3ee1074f 100644
--- a/src/libipsec/ipsec_policy_mgr.h
+++ b/src/libipsec/ipsec_policy_mgr.h
@@ -23,6 +23,9 @@
 #ifndef IPSEC_POLICY_MGR_H_
 #define IPSEC_POLICY_MGR_H_
 
+#include "ipsec_policy.h"
+#include "ip_packet.h"
+
 #include <library.h>
 #include <utils/host.h>
 #include <utils/linked_list.h>
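Review bot: find_by_packet returns the first policy in list order whose direction and match_packet() agree, while the declaration added in the next hunk of ipsec_policy_mgr.h documents it as finding the policy that matches the packet best; nothing here compares priorities, so unless add_policy keeps the list ordered by priority (not visible in this diff) the code and the comment disagree. Either scan the whole list and keep the highest-priority match, or reword the header comment to `* Find the first policy that matches the given IP packet`. The direction test `inbound == (policy->get_direction(policy) == POLICY_IN)` also treats every non-inbound direction as outbound, so if policy_dir_t has a forward direction those policies become candidates for outbound lookups; comparing against POLICY_OUT explicitly avoids that. The returned pointer comes from get_ref(), so the header comment should state that the caller owns the reference and must destroy it.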
@@ -90,6 +93,16 @@ struct ipsec_policy_mgr_t {
 status_t (*flush_policies)(ipsec_policy_mgr_t *this);
 
 /**
+ * Find the policy that matches the given IP packet best
+ *
+ * @param packet IP packet to match
+ * @param inbound TRUE for an inbound packet
+ * @return reference to the policy, or NULL if none found
+ */
+ ipsec_policy_t *(*find_by_packet)(ipsec_policy_mgr_t *this,
+ ip_packet_t *packet, bool inbound);
+
+ /**
 * Destroy an ipsec_policy_mgr_t
 */
 void (*destroy)(ipsec_policy_mgr_t *this);