authorMartin Willi <martin@revosec.ch>2013-06-13 13:34:12 +0200
committerMartin Willi <martin@revosec.ch>2013-06-13 13:37:50 +0200
commit246e2bed1d005386938fb6243ec97cf2cff7bd48 (patch)
tree1c7a43835b6f193f97954179d1e77863ef1ebb27 /src
parent44fb978169e99a7fa7c3f62a0e74157a886484b9 (diff)
Use subset matching instead of is_contained_in() to select a child_cfg
If one selector has a wider IP range than the other, but the other has a wider port/protocol selector than the first one, neither is completely contained in the other. The check for a match using is_contained_in() would therefore fail. Using get_subset() can handle such cases, fixing configuration selection.
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/config/peer_cfg.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 8de7d1289..eb983199b 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -249,7 +249,7 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
{
linked_list_t *cfg_list;
enumerator_t *sup_enum, *cfg_enum;
- traffic_selector_t *sup_ts, *cfg_ts;
+ traffic_selector_t *sup_ts, *cfg_ts, *subset;
int match = 0, round;
/* fetch configured TS list, narrowing dynamic TS */
@@ -268,10 +268,14 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
{ /* equality is honored better than matches */
match += round * 5;
}
- else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) ||
- sup_ts->is_contained_in(sup_ts, cfg_ts))
+ else
{
- match += round * 1;
+ subset = cfg_ts->get_subset(cfg_ts, sup_ts);
+ if (subset)
+ {
+ subset->destroy(subset);
+ match += round * 1;
+ }
}
}
cfg_enum->destroy(cfg_enum);
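Review bot: In the new `else` branch any non-empty intersection returned by `get_subset()` earns the same `round * 1` that containment earned before, so a configured selector that overlaps the proposed one only marginally now ranks equal to one that covers it completely. Because this score is used to select a child_cfg for a peer's proposed selectors, the widened matching deserves a comment at the branch, for example `/* any overlap counts as a match; subset is only probed and freed, narrowing is left to the caller */` (the last part is an assumption to confirm, as the narrowing code is not visible here). `subset` is used only inside this branch and could be declared there instead of at function scope. The body of get_ts_match starts and ends outside the hunk.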