-rw-r--r-- | src/_updown/_updown.in | 6 | ||||
-rw-r--r-- | src/libcharon/plugins/updown/updown_listener.c | 25 |
2 files changed, 27 insertions, 4 deletions
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index ca0398ab7..72ec7d246 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -78,7 +78,8 @@
 #
 # PLUTO_MY_PORT
 # is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
 #
 # PLUTO_PEER
 # is the IP address of our peer.
@@ -97,7 +98,8 @@
 #
 # PLUTO_PEER_PORT
 # is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
 #
 # PLUTO_XAUTH_ID
 # is an optional user ID employed by the XAUTH protocol
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 3c3994b81..12dbc88a0 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -174,6 +174,27 @@ static char *make_vip_vars(private_updown_listener_t *this, ike_sa_t *ike_sa)
 	return strdup(total);
 }
 
+/**
+ * Determine proper values for port env variable
+ */
+static u_int16_t get_port(traffic_selector_t *me,
+						  traffic_selector_t *other, bool local)
+{
+	switch (max(me->get_protocol(me), other->get_protocol(other)))
+	{
+		case IPPROTO_ICMP:
+		case IPPROTO_ICMPV6:
+		{
+			u_int16_t port = me->get_from_port(me);
+
+			port = max(port, other->get_from_port(other));
+			return local ? traffic_selector_icmp_type(port)
+						 : traffic_selector_icmp_code(port);
+		}
+	}
+	return local ? me->get_from_port(me) : other->get_from_port(other);
+}
+
 METHOD(listener_t, child_updown, bool,
 	private_updown_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 	bool up)
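Review bot: In get_port, `max()` over the two packed ICMP port values is lossy when the type and the code come from different selectors: if `me` carries only a type and `other` only a code, the larger packed value wins and the other field is silently dropped — this assumes, from the helper names, that the selector port packs the type in the high byte and the code in the low byte, which the hunk itself does not show. Taking the maximum per field instead avoids it: `u_int16_t mine = me->get_from_port(me), theirs = other->get_from_port(other);` followed by `return local ? max(traffic_selector_icmp_type(mine), traffic_selector_icmp_type(theirs)) : max(traffic_selector_icmp_code(mine), traffic_selector_icmp_code(theirs));`. The `switch` has no `default`, and because IPPROTO_ICMP (1) and IPPROTO_ICMPV6 (58) are compared with `max()` against the other side's protocol, the ICMP branch is only taken when the peer selector is also ICMP or protocol 0 (any) — a TCP/UDP selector on one side wins and the raw packed value is exported as if it were a port, which deserves a comment. The header comment should state the contract rather than "proper values", e.g. `/* For ICMP/ICMPv6 selectors the port field is presumed to pack type and code; return the type for the local side and the code for the peer side, otherwise the plain from-port of the requested side. */`.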
@@ -341,11 +362,11 @@ METHOD(listener_t, child_updown, bool,
 			ike_sa->get_unique_id(ike_sa),
 			me, ike_sa->get_my_id(ike_sa),
 			my_client, my_client_mask,
-			my_ts->get_from_port(my_ts),
+			get_port(my_ts, other_ts, TRUE),
 			my_ts->get_protocol(my_ts),
 			other, ike_sa->get_other_id(ike_sa),
 			other_client, other_client_mask,
-			other_ts->get_from_port(other_ts),
+			get_port(my_ts, other_ts, FALSE),
 			other_ts->get_protocol(other_ts),
 			xauth,
 			virtual_ip,
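Review bot: The two new `get_port(my_ts, other_ts, …)` arguments are derived from both selectors, but the adjacent `my_ts->get_protocol(my_ts)` and `other_ts->get_protocol(other_ts)` lines still export each side's own protocol; if one selector can be protocol 0 (any) while the other is ICMP — which the `max()` inside get_port suggests the author expects — PLUTO_MY_PORT or PLUTO_PEER_PORT will hold an ICMP type or code while the matching PLUTO_*_PROTOCOL reads 0, and the updown script cannot tell the two encodings apart. Either export the same combined protocol for both sides, e.g. `max(my_ts->get_protocol(my_ts), other_ts->get_protocol(other_ts)),` in place of each per-side protocol argument, or document in _updown.in that the port variables carry an ICMP type/code only when the exported protocol is 1 or 58. The asprintf() argument list these lines belong to, and the enclosing child_updown(), start and end outside the hunk.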