Diffstat (limited to 'src/libhydra')
-rw-r--r-- | src/libhydra/kernel/kernel_interface.c | 4 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_interface.h | 6 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_ipsec.h | 6 | ||||
-rw-r--r-- | src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c | 4 | ||||
-rw-r--r-- | src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 6 | ||||
-rw-r--r-- | src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 4 |
6 files changed, 15 insertions, 15 deletions
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c index 77eaf68c4..bc9960509 100644 --- a/src/libhydra/kernel/kernel_interface.c +++ b/src/libhydra/kernel/kernel_interface.c @@ -131,7 +131,7 @@ METHOD(kernel_interface_t, del_sa, status_t, METHOD(kernel_interface_t, add_policy, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, u_int8_t protocol, + policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool routed) { @@ -140,7 +140,7 @@ METHOD(kernel_interface_t, add_policy, status_t, return NOT_SUPPORTED; } return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts, - direction, spi, protocol, reqid, mark, mode, ipcomp, cpi, routed); + direction, spi, ah_spi, reqid, mark, mode, ipcomp, cpi, routed); } METHOD(kernel_interface_t, query_policy, status_t, diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h index ec1f561cc..c3c3764c4 100644 --- a/src/libhydra/kernel/kernel_interface.h +++ b/src/libhydra/kernel/kernel_interface.h @@ -183,8 +183,8 @@ struct kernel_interface_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_(IN|OUT|FWD) - * @param spi SPI of SA - * @param protocol protocol to use to protect traffic (AH/ESP) + * @param spi SPI of optional ESP SA + * @param ah_spi SPI of optional AH SA * @param reqid unique ID of an SA to use to enforce policy * @param mark mark for this policy * @param mode mode of SA (tunnel, transport) 
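Review bot: The new `@param spi` and `@param ah_spi` lines in the kernel_interface.h doc comment (hunk at -183) call both SAs "optional" but do not say how absence is expressed, or what happens when both are absent or both are present. The backends in this commit select the protocol with `spi ? IPPROTO_ESP : IPPROTO_AH`, so the zero value carries meaning and belongs in the contract, for example `@param spi SPI of ESP SA, 0 if the policy does not use ESP` and `@param ah_spi SPI of AH SA, 0 if the policy does not use AH`. A sentence on the both-zero case would also help. The identical wording in the kernel_ipsec.h hunk at -258 should be updated alongside; the doc comment itself starts and ends outside the hunk.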
@@ -198,7 +198,7 @@ struct kernel_interface_t { traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, - u_int8_t protocol, u_int32_t reqid, + u_int32_t ah_spi, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool routed); diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index ad3f64c5d..1a7f7b44d 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -258,8 +258,8 @@ struct kernel_ipsec_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_(IN|OUT|FWD) - * @param spi SPI of SA - * @param protocol protocol to use to protect traffic (AH/ESP) + * @param spi SPI of optional ESP SA + * @param ah_spi SPI of optional AH SA * @param reqid unique ID of an SA to use to enforce policy * @param mark mark for this policy * @param mode mode of SA (tunnel, transport) @@ -273,7 +273,7 @@ struct kernel_ipsec_t { traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, - u_int8_t protocol, u_int32_t reqid, + u_int32_t ah_spi, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool routed); diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c index 166df54fe..f0a9e5504 100644 --- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c 
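Review bot: Replacing `u_int8_t protocol` with `u_int32_t ah_spi` at the same argument position in the add_policy prototype (hunk at -198) lets a call site that still passes a protocol number convert implicitly and compile without a diagnostic. A value such as IPPROTO_ESP would then be treated as an AH SPI. The diffstat is limited to src/libhydra, so the callers are not visible here; every caller of `add_policy` should be confirmed as converted in the same change. The kernel_ipsec.h prototype at -273 has the same exposure.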
@@ -1969,7 +1969,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, u_int8_t protocol, + policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool routed) { @@ -1987,7 +1987,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, /* tunnel mode policies direct the packets into the pseudo IPIP SA */ satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP : - proto2satype(protocol); + proto2satype(spi ? IPPROTO_ESP : IPPROTO_AH); /* create a policy */ policy = create_policy_entry(src_ts, dst_ts, direction); diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 6ecfa03e3..3fd78626b 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1617,7 +1617,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, u_int8_t protocol, + policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool routed) { @@ -1749,7 +1749,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } tmpl->reqid = reqid; - tmpl->id.proto = protocol; + tmpl->id.proto = spi ? IPPROTO_ESP : IPPROTO_AH; tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; tmpl->mode = mode2kernel(mode); tmpl->family = src->get_family(src); 
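Review bot: In the klips add_policy hunk at -1987 the SA type is now derived as `proto2satype(spi ? IPPROTO_ESP : IPPROTO_AH)`, so a call with both SPIs zero is installed as an AH policy, and the new `ah_spi` argument is never read in the visible lines. If a policy can be installed before any SA exists (the `routed` flag suggests so, but the callers are not shown), an ESP configuration would end up with an AH template. The same expression sets `tmpl->id.proto` in the netlink hunk at -1749 and `req->sadb_x_ipsecrequest_proto` in the pfkey hunk at -1661, where a call with both SPIs set also produces only an ESP entry. If ESP is the intended default, deciding on `ah_spi` explicitly would avoid this, e.g. `(ah_spi && !spi) ? IPPROTO_AH : IPPROTO_ESP`; otherwise reject the both-zero case. The function bodies continue outside these hunks, so handling elsewhere cannot be ruled out.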
@@ -1943,7 +1943,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t, METHOD(kernel_ipsec_t, del_policy, status_t, private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, bool unrouted) { policy_entry_t *current, policy, *to_delete = NULL; diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index b2c0e2ccd..5cd06eb2f 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1593,7 +1593,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t spi, u_int8_t protocol, + policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool routed) { @@ -1661,7 +1661,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */ req = (struct sadb_x_ipsecrequest*)(pol + 1); - req->sadb_x_ipsecrequest_proto = protocol; + req->sadb_x_ipsecrequest_proto = spi ? IPPROTO_ESP : IPPROTO_AH; /* !!! the length of this struct MUST be in octets instead of 64 bit words */ req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest); req->sadb_x_ipsecrequest_mode = mode2kernel(mode); |