Diffstat (limited to 'src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c')
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c112
1 files changed, 47 insertions, 65 deletions
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index b92cbb785..b64e41c56 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2044,75 +2044,62 @@ static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
return SUCCESS;
}
-METHOD(kernel_ipsec_t, destroy, void,
- private_kernel_pfkey_ipsec_t *this)
-{
- this->job->cancel(this->job);
- close(this->socket);
- close(this->socket_events);
- this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
- this->mutex->destroy(this->mutex);
- this->mutex_pfkey->destroy(this->mutex_pfkey);
- free(this);
-}
-
-/**
- * Add bypass policies for IKE on the sockets of charon
- */
-static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+ private_kernel_pfkey_ipsec_t *this, int fd, int family)
{
- int fd, family, port;
- enumerator_t *sockets;
- bool status = TRUE;
+ struct sadb_x_policy policy;
+ u_int sol, ipsec_policy;
- sockets = charon->socket->create_enumerator(charon->socket);
- while (sockets->enumerate(sockets, &fd, &family, &port))
+ switch (family)
{
- struct sadb_x_policy policy;
- u_int sol, ipsec_policy;
-
- switch (family)
+ case AF_INET:
{
- case AF_INET:
- {
- sol = SOL_IP;
- ipsec_policy = IP_IPSEC_POLICY;
- break;
- }
- case AF_INET6:
- {
- sol = SOL_IPV6;
- ipsec_policy = IPV6_IPSEC_POLICY;
- break;
- }
- default:
- continue;
- }
-
- memset(&policy, 0, sizeof(policy));
- policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
- policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
- policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-
- policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
- if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
- {
- DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
- strerror(errno));
- status = FALSE;
+ sol = SOL_IP;
+ ipsec_policy = IP_IPSEC_POLICY;
break;
}
- policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
- if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ case AF_INET6:
{
- DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
- strerror(errno));
- status = FALSE;
+ sol = SOL_IPV6;
+ ipsec_policy = IPV6_IPSEC_POLICY;
break;
}
+ default:
+ return FALSE;
}
- sockets->destroy(sockets);
- return status;
+
+ memset(&policy, 0, sizeof(policy));
+ policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+ policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+
+ policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+ if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ strerror(errno));
+ return FALSE;
+ }
+ policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+ if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ strerror(errno));
+ return FALSE;
+ }
+ return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+ private_kernel_pfkey_ipsec_t *this)
+{
+ this->job->cancel(this->job);
+ close(this->socket);
+ close(this->socket_events);
+ this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+ this->mutex->destroy(this->mutex);
+ this->mutex_pfkey->destroy(this->mutex_pfkey);
+ free(this);
}
/*
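Review bot: The `default:` branch of the new bypass_socket returns FALSE without a log line, so a caller that passes a socket of an unsupported address family gets the same result as a failed setsockopt() but nothing in the log to tell the two apart; the removed add_bypass_policies skipped such sockets with `continue` and left its status TRUE, so this is also a behaviour change for any caller that enumerates non-INET sockets. A diagnostic before the return would keep that path consistent with the two setsockopt() failure paths, e.g. `DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: unsupported address family %d", family);`. Note also that if the inbound setsockopt() fails after the outbound one succeeded, the socket is left with an outbound-only bypass policy; the callers of bypass_socket are outside this diff, so whether they treat FALSE as fatal, as the removed charon->kill() in kernel_pfkey_ipsec_create did, cannot be confirmed here. A one-line comment on the METHOD stating that the function must be applied before the socket is used for IKE traffic and that FALSE may leave a partially applied policy would help the next caller.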
@@ -2133,6 +2120,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
.add_policy = _add_policy,
.query_policy = _query_policy,
.del_policy = _del_policy,
+ .bypass_socket = _bypass_socket,
.destroy = _destroy,
},
.policies = linked_list_create(),
@@ -2156,12 +2144,6 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
charon->kill(charon, "unable to create PF_KEY event socket");
}
- /* add bypass policies on the sockets used by charon */
- if (!add_bypass_policies(this))
- {
- charon->kill(charon, "unable to add bypass policies on sockets");
- }
-
/* register the event socket */
if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)