authorTobias Brunner <tobias@strongswan.org>2013-10-14 17:08:09 +0200
committerTobias Brunner <tobias@strongswan.org>2013-10-17 16:57:39 +0200
commit9739a0bf670095b9ea1ed4d22694f3de04a3d5be (patch)
treefec55dc5ba1d0c18fe53ca75ba5ca850ee8c4d89 /src
parent59213396fac7295a1d3e9cecdced2dd89b86ba69 (diff)
updown: Pass ICMP[v6] message type and code to updown script
The type is passed in $PLUTO_MY_PORT and the code in $PLUTO_PEER_PORT.
Diffstat (limited to 'src')
-rw-r--r--src/_updown/_updown.in6
-rw-r--r--src/libcharon/plugins/updown/updown_listener.c25
2 files changed, 27 insertions, 4 deletions
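--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -78,7 +78,8 @@
 #
 # PLUTO_MY_PORT
 # is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
 #
 # PLUTO_PEER
 # is the IP address of our peer.
@@ -97,7 +98,8 @@
 #
 # PLUTO_PEER_PORT
 # is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
 #
 # PLUTO_XAUTH_ID
 # is an optional user ID employed by the XAUTH protocol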
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 3c3994b81..12dbc88a0 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -174,6 +174,27 @@ static char *make_vip_vars(private_updown_listener_t *this, ike_sa_t *ike_sa)
return strdup(total);
}
+/**
+ * Determine proper values for port env variable
+ */
+static u_int16_t get_port(traffic_selector_t *me,
+ traffic_selector_t *other, bool local)
+{
+ switch (max(me->get_protocol(me), other->get_protocol(other)))
+ {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ {
+ u_int16_t port = me->get_from_port(me);
+
+ port = max(port, other->get_from_port(other));
+ return local ? traffic_selector_icmp_type(port)
+ : traffic_selector_icmp_code(port);
+ }
+ }
+ return local ? me->get_from_port(me) : other->get_from_port(other);
+}
+
METHOD(listener_t, child_updown, bool,
private_updown_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
bool up)
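Review bot: get_port() chooses its branch with max() over both selectors' protocols, but the PLUTO_MY_PROTOCOL and PLUTO_PEER_PROTOCOL values emitted in the second hunk still come from one selector each, so a script can receive an ICMP type or code in $PLUTO_MY_PORT next to a non-ICMP protocol value when only one selector names ICMP; either derive the protocol variables the same way or state the rule so scripts branch on the right variable. The same max() silently merges two different non-zero protocols, which presumably cannot occur for an established CHILD_SA but deserves a `default:` (or a comment) in the switch, which currently has none. Because these variables now carry ICMP type/code, any consumer of _updown.in that turns $PLUTO_MY_PORT/$PLUTO_PEER_PORT into port matches (firewall rules, for instance) must be gated on the protocol first — this commit only updates the variable descriptions in the script. I would expand the header comment to: `Determine the value for the PLUTO_MY_PORT (local) or PLUTO_PEER_PORT (!local) variable: for ICMP/ICMPv6 the selectors' port field encodes message type and code, and the type is returned for the local side, the code for the peer side; for any other protocol the respective selector's from-port.`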
@@ -341,11 +362,11 @@ METHOD(listener_t, child_updown, bool,
ike_sa->get_unique_id(ike_sa),
me, ike_sa->get_my_id(ike_sa),
my_client, my_client_mask,
- my_ts->get_from_port(my_ts),
+ get_port(my_ts, other_ts, TRUE),
my_ts->get_protocol(my_ts),
other, ike_sa->get_other_id(ike_sa),
other_client, other_client_mask,
- other_ts->get_from_port(other_ts),
+ get_port(my_ts, other_ts, FALSE),
other_ts->get_protocol(other_ts),
xauth,
virtual_ip,