Merge branch 'ipcomp'

Fixes compatibility issues between firewall rules (leftfirewall=yes)
and IPComp (compress=yes), plus issues with IPComp when used with
multiple subnets in left|rightsubnet.

Fixes #436.

3 files changed, 50 insertions, 4 deletions

diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index c68c23d8a..532bd2437 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -50,6 +50,9 @@
 #       PLUTO_PROTO
 #              is the negotiated IPsec protocol, ah|esp
 #
+#       PLUTO_IPCOMP
+#              is not empty if IPComp was negotiated
+#
 #       PLUTO_UNIQUEID
 #              is the unique identifier of the associated IKE_SA
 #
@@ -411,6 +414,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -435,6 +446,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@@ -474,6 +492,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@@ -517,6 +544,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 81adfdb13..2c3f93298 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -218,12 +219,12 @@ METHOD(listener_t, child_updown, bool,
 	enumerator = child_sa->create_policy_enumerator(child_sa);
 	while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 	{
-		char command[1024];
+		char command[2048];
 		host_t *my_client, *other_client;
 		u_int8_t my_client_mask, other_client_mask;
 		char *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc, *dns, *xauth;
 		mark_t mark;
-		bool is_host, is_ipv6;
+		bool is_host, is_ipv6, use_ipcomp;
 		FILE *shell;
 
 		my_ts->to_subnet(my_ts, &my_client, &my_client_mask);
@@ -322,6 +323,9 @@ METHOD(listener_t, child_updown, bool,
 
 		dns = make_dns_vars(this, ike_sa);
 
+		/* check for IPComp */
+		use_ipcomp = child_sa->get_ipcomp(child_sa) != IPCOMP_NONE;
+
 		/* determine IPv4/IPv6 and client/host situation */
 		is_host = my_ts->is_host(my_ts, me);
 		is_ipv6 = is_host ? (me->get_family(me) == AF_INET6) :
@@ -355,6 +359,7 @@ METHOD(listener_t, child_updown, bool,
 				"%s"
 				"%s"
 				"%s"
+				"%s"
 				"%s",
 				 up ? "up" : "down",
 				 is_host ? "-host" : "-client",
@@ -377,6 +382,7 @@ METHOD(listener_t, child_updown, bool,
 				 mark_in,
 				 mark_out,
 				 udp_enc,
+				 use_ipcomp ? "PLUTO_IPCOMP='1' " : "",
 				 config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "",
 				 dns,
 				 script);
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 128e6571c..24f15d9a1 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1203,6 +1203,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	struct nlmsghdr *hdr;
 	struct xfrm_usersa_info *sa;
 	u_int16_t icv_size = 64;
+	ipsec_mode_t original_mode = mode;
 	status_t status = FAILED;
 
 	/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
@@ -1213,7 +1214,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
 			   tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
 			   chunk_empty, mode, ipcomp, 0, initiator, FALSE, FALSE, inbound,
-			   NULL, NULL);
+			   src_ts, dst_ts);
 		ipcomp = IPCOMP_NONE;
 		/* use transport mode ESP SA, IPComp uses tunnel mode */
 		mode = MODE_TRANSPORT;
@@ -1243,7 +1244,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			break;
 		case MODE_BEET:
 		case MODE_TRANSPORT:
-			if(src_ts && dst_ts)
+			if (original_mode == MODE_TUNNEL)
+			{	/* don't install selectors for switched SAs.  because only one
+				 * selector can be installed other traffic would get dropped */
+				break;
+			}
+			if (src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);
 				/* don't install proto/port on SA. This would break