aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins/vici/vici_config.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libcharon/plugins/vici/vici_config.c')
-rw-r--r--src/libcharon/plugins/vici/vici_config.c242
1 files changed, 117 insertions, 125 deletions
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index f95d1571b..f1c2fa860 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -422,24 +422,12 @@ static void free_peer_data(peer_data_t *data)
*/
typedef struct {
request_data_t *request;
- lifetime_cfg_t lft;
- char* updown;
- bool hostaccess;
- bool ipcomp;
- bool policies;
- ipsec_mode_t mode;
- uint32_t replay_window;
- action_t dpd_action;
- action_t start_action;
- action_t close_action;
- uint32_t reqid;
- uint32_t tfc;
- mark_t mark_in;
- mark_t mark_out;
- uint64_t inactivity;
linked_list_t *proposals;
linked_list_t *local_ts;
linked_list_t *remote_ts;
+ uint32_t replay_window;
+ bool policies;
+ child_cfg_create_t cfg;
} child_data_t;
/**
@@ -447,35 +435,37 @@ typedef struct {
*/
static void log_child_data(child_data_t *data, char *name)
{
+ child_cfg_create_t *cfg = &data->cfg;
+
DBG2(DBG_CFG, " child %s:", name);
- DBG2(DBG_CFG, " rekey_time = %llu", data->lft.time.rekey);
- DBG2(DBG_CFG, " life_time = %llu", data->lft.time.life);
- DBG2(DBG_CFG, " rand_time = %llu", data->lft.time.jitter);
- DBG2(DBG_CFG, " rekey_bytes = %llu", data->lft.bytes.rekey);
- DBG2(DBG_CFG, " life_bytes = %llu", data->lft.bytes.life);
- DBG2(DBG_CFG, " rand_bytes = %llu", data->lft.bytes.jitter);
- DBG2(DBG_CFG, " rekey_packets = %llu", data->lft.packets.rekey);
- DBG2(DBG_CFG, " life_packets = %llu", data->lft.packets.life);
- DBG2(DBG_CFG, " rand_packets = %llu", data->lft.packets.jitter);
- DBG2(DBG_CFG, " updown = %s", data->updown);
- DBG2(DBG_CFG, " hostaccess = %u", data->hostaccess);
- DBG2(DBG_CFG, " ipcomp = %u", data->ipcomp);
- DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, data->mode);
+ DBG2(DBG_CFG, " rekey_time = %llu", cfg->lifetime.time.rekey);
+ DBG2(DBG_CFG, " life_time = %llu", cfg->lifetime.time.life);
+ DBG2(DBG_CFG, " rand_time = %llu", cfg->lifetime.time.jitter);
+ DBG2(DBG_CFG, " rekey_bytes = %llu", cfg->lifetime.bytes.rekey);
+ DBG2(DBG_CFG, " life_bytes = %llu", cfg->lifetime.bytes.life);
+ DBG2(DBG_CFG, " rand_bytes = %llu", cfg->lifetime.bytes.jitter);
+ DBG2(DBG_CFG, " rekey_packets = %llu", cfg->lifetime.packets.rekey);
+ DBG2(DBG_CFG, " life_packets = %llu", cfg->lifetime.packets.life);
+ DBG2(DBG_CFG, " rand_packets = %llu", cfg->lifetime.packets.jitter);
+ DBG2(DBG_CFG, " updown = %s", cfg->updown);
+ DBG2(DBG_CFG, " hostaccess = %u", cfg->hostaccess);
+ DBG2(DBG_CFG, " ipcomp = %u", cfg->ipcomp);
+ DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, cfg->mode);
DBG2(DBG_CFG, " policies = %u", data->policies);
if (data->replay_window != REPLAY_UNDEFINED)
{
DBG2(DBG_CFG, " replay_window = %u", data->replay_window);
}
- DBG2(DBG_CFG, " dpd_action = %N", action_names, data->dpd_action);
- DBG2(DBG_CFG, " start_action = %N", action_names, data->start_action);
- DBG2(DBG_CFG, " close_action = %N", action_names, data->close_action);
- DBG2(DBG_CFG, " reqid = %u", data->reqid);
- DBG2(DBG_CFG, " tfc = %d", data->tfc);
+ DBG2(DBG_CFG, " dpd_action = %N", action_names, cfg->dpd_action);
+ DBG2(DBG_CFG, " start_action = %N", action_names, cfg->start_action);
+ DBG2(DBG_CFG, " close_action = %N", action_names, cfg->close_action);
+ DBG2(DBG_CFG, " reqid = %u", cfg->reqid);
+ DBG2(DBG_CFG, " tfc = %d", cfg->tfc);
DBG2(DBG_CFG, " mark_in = %u/%u",
- data->mark_in.value, data->mark_in.mask);
+ cfg->mark_in.value, cfg->mark_in.mask);
DBG2(DBG_CFG, " mark_out = %u/%u",
- data->mark_out.value, data->mark_out.mask);
- DBG2(DBG_CFG, " inactivity = %llu", data->inactivity);
+ cfg->mark_out.value, cfg->mark_out.mask);
+ DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity);
DBG2(DBG_CFG, " proposals = %#P", data->proposals);
DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
@@ -492,7 +482,7 @@ static void free_child_data(child_data_t *data)
offsetof(traffic_selector_t, destroy));
data->remote_ts->destroy_offset(data->remote_ts,
offsetof(traffic_selector_t, destroy));
- free(data->updown);
+ free(data->cfg.updown);
}
/**
@@ -1327,29 +1317,29 @@ CALLBACK(child_kv, bool,
child_data_t *child, vici_message_t *message, char *name, chunk_t value)
{
parse_rule_t rules[] = {
- { "updown", parse_string, &child->updown },
- { "hostaccess", parse_bool, &child->hostaccess },
- { "mode", parse_mode, &child->mode },
- { "policies", parse_bool, &child->policies },
- { "replay_window", parse_uint32, &child->replay_window },
- { "rekey_time", parse_time, &child->lft.time.rekey },
- { "life_time", parse_time, &child->lft.time.life },
- { "rand_time", parse_time, &child->lft.time.jitter },
- { "rekey_bytes", parse_bytes, &child->lft.bytes.rekey },
- { "life_bytes", parse_bytes, &child->lft.bytes.life },
- { "rand_bytes", parse_bytes, &child->lft.bytes.jitter },
- { "rekey_packets", parse_uint64, &child->lft.packets.rekey },
- { "life_packets", parse_uint64, &child->lft.packets.life },
- { "rand_packets", parse_uint64, &child->lft.packets.jitter },
- { "dpd_action", parse_action, &child->dpd_action },
- { "start_action", parse_action, &child->start_action },
- { "close_action", parse_action, &child->close_action },
- { "ipcomp", parse_bool, &child->ipcomp },
- { "inactivity", parse_time, &child->inactivity },
- { "reqid", parse_uint32, &child->reqid },
- { "mark_in", parse_mark, &child->mark_in },
- { "mark_out", parse_mark, &child->mark_out },
- { "tfc_padding", parse_tfc, &child->tfc },
+ { "updown", parse_string, &child->cfg.updown },
+ { "hostaccess", parse_bool, &child->cfg.hostaccess },
+ { "mode", parse_mode, &child->cfg.mode },
+ { "policies", parse_bool, &child->policies },
+ { "replay_window", parse_uint32, &child->replay_window },
+ { "rekey_time", parse_time, &child->cfg.lifetime.time.rekey },
+ { "life_time", parse_time, &child->cfg.lifetime.time.life },
+ { "rand_time", parse_time, &child->cfg.lifetime.time.jitter },
+ { "rekey_bytes", parse_bytes, &child->cfg.lifetime.bytes.rekey },
+ { "life_bytes", parse_bytes, &child->cfg.lifetime.bytes.life },
+ { "rand_bytes", parse_bytes, &child->cfg.lifetime.bytes.jitter },
+ { "rekey_packets", parse_uint64, &child->cfg.lifetime.packets.rekey },
+ { "life_packets", parse_uint64, &child->cfg.lifetime.packets.life },
+ { "rand_packets", parse_uint64, &child->cfg.lifetime.packets.jitter },
+ { "dpd_action", parse_action, &child->cfg.dpd_action },
+ { "start_action", parse_action, &child->cfg.start_action },
+ { "close_action", parse_action, &child->cfg.close_action },
+ { "ipcomp", parse_bool, &child->cfg.ipcomp },
+ { "inactivity", parse_time, &child->cfg.inactivity },
+ { "reqid", parse_uint32, &child->cfg.reqid },
+ { "mark_in", parse_mark, &child->cfg.mark_in },
+ { "mark_out", parse_mark, &child->cfg.mark_out },
+ { "tfc_padding", parse_tfc, &child->cfg.tfc },
};
return parse_rules(rules, countof(rules), name, value,
@@ -1430,6 +1420,51 @@ CALLBACK(peer_kv, bool,
&peer->request->reply);
}
+/**
+ * Check and update lifetimes
+ */
+static void check_lifetimes(lifetime_cfg_t *lft)
+{
+ /* if no hard lifetime specified, add one at soft lifetime + 10% */
+ if (lft->time.life == LFT_UNDEFINED)
+ {
+ lft->time.life = lft->time.rekey * 110 / 100;
+ }
+ if (lft->bytes.life == LFT_UNDEFINED)
+ {
+ lft->bytes.life = lft->bytes.rekey * 110 / 100;
+ }
+ if (lft->packets.life == LFT_UNDEFINED)
+ {
+ lft->packets.life = lft->packets.rekey * 110 / 100;
+ }
+ /* if no soft lifetime specified, add one at hard lifetime - 10% */
+ if (lft->bytes.rekey == LFT_UNDEFINED)
+ {
+ lft->bytes.rekey = lft->bytes.life * 90 / 100;
+ }
+ if (lft->packets.rekey == LFT_UNDEFINED)
+ {
+ lft->packets.rekey = lft->packets.life * 90 / 100;
+ }
+ /* if no rand time defined, use difference of hard and soft */
+ if (lft->time.jitter == LFT_UNDEFINED)
+ {
+ lft->time.jitter = lft->time.life -
+ min(lft->time.life, lft->time.rekey);
+ }
+ if (lft->bytes.jitter == LFT_UNDEFINED)
+ {
+ lft->bytes.jitter = lft->bytes.life -
+ min(lft->bytes.life, lft->bytes.rekey);
+ }
+ if (lft->packets.jitter == LFT_UNDEFINED)
+ {
+ lft->packets.jitter = lft->packets.life -
+ min(lft->packets.life, lft->packets.rekey);
+ }
+}
+
CALLBACK(children_sn, bool,
peer_data_t *peer, vici_message_t *message, vici_parse_context_t *ctx,
char *name)
@@ -1439,29 +1474,28 @@ CALLBACK(children_sn, bool,
.proposals = linked_list_create(),
.local_ts = linked_list_create(),
.remote_ts = linked_list_create(),
- .mode = MODE_TUNNEL,
.policies = TRUE,
.replay_window = REPLAY_UNDEFINED,
- .dpd_action = ACTION_NONE,
- .start_action = ACTION_NONE,
- .close_action = ACTION_NONE,
- .lft = {
- .time = {
- .rekey = LFT_DEFAULT_CHILD_REKEY,
- .life = LFT_UNDEFINED,
- .jitter = LFT_UNDEFINED,
- },
- .bytes = {
- .rekey = LFT_UNDEFINED,
- .life = LFT_UNDEFINED,
- .jitter = LFT_UNDEFINED,
+ .cfg = {
+ .mode = MODE_TUNNEL,
+ .lifetime = {
+ .time = {
+ .rekey = LFT_DEFAULT_CHILD_REKEY,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
+ .bytes = {
+ .rekey = LFT_UNDEFINED,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
+ .packets = {
+ .rekey = LFT_UNDEFINED,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
},
- .packets = {
- .rekey = LFT_UNDEFINED,
- .life = LFT_UNDEFINED,
- .jitter = LFT_UNDEFINED,
- },
- }
+ },
};
child_cfg_t *cfg;
proposal_t *proposal;
@@ -1496,55 +1530,13 @@ CALLBACK(children_sn, bool,
child.proposals->insert_last(child.proposals, proposal);
}
}
+ child.cfg.suppress_policies = !child.policies;
- /* if no hard lifetime specified, add one at soft lifetime + 10% */
- if (child.lft.time.life == LFT_UNDEFINED)
- {
- child.lft.time.life = child.lft.time.rekey * 110 / 100;
- }
- if (child.lft.bytes.life == LFT_UNDEFINED)
- {
- child.lft.bytes.life = child.lft.bytes.rekey * 110 / 100;
- }
- if (child.lft.packets.life == LFT_UNDEFINED)
- {
- child.lft.packets.life = child.lft.packets.rekey * 110 / 100;
- }
- /* if no soft lifetime specified, add one at hard lifetime - 10% */
- if (child.lft.bytes.rekey == LFT_UNDEFINED)
- {
- child.lft.bytes.rekey = child.lft.bytes.life * 90 / 100;
- }
- if (child.lft.packets.rekey == LFT_UNDEFINED)
- {
- child.lft.packets.rekey = child.lft.packets.life * 90 / 100;
- }
- /* if no rand time defined, use difference of hard and soft */
- if (child.lft.time.jitter == LFT_UNDEFINED)
- {
- child.lft.time.jitter = child.lft.time.life -
- min(child.lft.time.life, child.lft.time.rekey);
- }
- if (child.lft.bytes.jitter == LFT_UNDEFINED)
- {
- child.lft.bytes.jitter = child.lft.bytes.life -
- min(child.lft.bytes.life, child.lft.bytes.rekey);
- }
- if (child.lft.packets.jitter == LFT_UNDEFINED)
- {
- child.lft.packets.jitter = child.lft.packets.life -
- min(child.lft.packets.life, child.lft.packets.rekey);
- }
+ check_lifetimes(&child.cfg.lifetime);
log_child_data(&child, name);
- cfg = child_cfg_create(name, &child.lft, child.updown,
- child.hostaccess, child.mode, child.start_action,
- child.dpd_action, child.close_action, child.ipcomp,
- child.inactivity, child.reqid, &child.mark_in,
- &child.mark_out, child.tfc);
-
- cfg->set_mipv6_options(cfg, FALSE, child.policies);
+ cfg = child_cfg_create(name, &child.cfg);
if (child.replay_window != REPLAY_UNDEFINED)
{
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-22 14:10:48 +0000