shunt manager installs policies with %any hosts
[strongswan.git] / src / libcharon / sa / shunt_manager.c
1 /*
2 * Copyright (C) 2011 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "shunt_manager.h"
17
18 #include <hydra.h>
19 #include <daemon.h>
20 #include <threading/rwlock.h>
21 #include <utils/linked_list.h>
22
23
24 typedef struct private_shunt_manager_t private_shunt_manager_t;
25
26 /**
27 * Private data of an shunt_manager_t object.
28 */
29 struct private_shunt_manager_t {
30
31 /**
32 * Public shunt_manager_t interface.
33 */
34 shunt_manager_t public;
35
36 /**
37 * Installed shunts, as child_cfg_t
38 */
39 linked_list_t *shunts;
40 };
41
42 /**
43 * Install in and out shunt policies in the kernel
44 */
45 static bool install_shunt_policy(child_cfg_t *child)
46 {
47 enumerator_t *e_my_ts, *e_other_ts;
48 linked_list_t *my_ts_list, *other_ts_list;
49 traffic_selector_t *my_ts, *other_ts;
50 host_t *host_any;
51 policy_type_t policy_type;
52 status_t status = SUCCESS;
53 ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT };
54
55 policy_type = (child->get_mode(child) == MODE_PASS) ?
56 POLICY_PASS : POLICY_DROP;
57 my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL);
58 other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
59 host_any = host_create_any(AF_INET);
60
61 /* enumerate pairs of traffic selectors */
62 e_my_ts = my_ts_list->create_enumerator(my_ts_list);
63 while (e_my_ts->enumerate(e_my_ts, &my_ts))
64 {
65 e_other_ts = other_ts_list->create_enumerator(other_ts_list);
66 while (e_other_ts->enumerate(e_other_ts, &other_ts))
67 {
68 /* install out policy */
69 status |= hydra->kernel_interface->add_policy(
70 hydra->kernel_interface, host_any, host_any,
71 my_ts, other_ts, POLICY_OUT, policy_type,
72 &sa, child->get_mark(child, FALSE), FALSE);
73
74 /* install in policy */
75 status |= hydra->kernel_interface->add_policy(
76 hydra->kernel_interface, host_any, host_any,
77 other_ts, my_ts, POLICY_IN, policy_type,
78 &sa, child->get_mark(child, TRUE), FALSE);
79
80 /* install forward policy */
81 status |= hydra->kernel_interface->add_policy(
82 hydra->kernel_interface, host_any, host_any,
83 other_ts, my_ts, POLICY_FWD, policy_type,
84 &sa, child->get_mark(child, TRUE), FALSE);
85 }
86 e_other_ts->destroy(e_other_ts);
87 }
88 e_my_ts->destroy(e_my_ts);
89
90 my_ts_list->destroy_offset(my_ts_list,
91 offsetof(traffic_selector_t, destroy));
92 other_ts_list->destroy_offset(other_ts_list,
93 offsetof(traffic_selector_t, destroy));
94 host_any->destroy(host_any);
95
96 return status == SUCCESS;
97 }
98
99 METHOD(shunt_manager_t, install, bool,
100 private_shunt_manager_t *this, child_cfg_t *child)
101 {
102 enumerator_t *enumerator;
103 child_cfg_t *child_cfg;
104 bool found = FALSE;
105
106 /* check if not already installed */
107 enumerator = this->shunts->create_enumerator(this->shunts);
108 while (enumerator->enumerate(enumerator, &child_cfg))
109 {
110 if (streq(child_cfg->get_name(child_cfg), child->get_name(child)))
111 {
112 found = TRUE;
113 break;
114 }
115 }
116 enumerator->destroy(enumerator);
117
118 if (found)
119 {
120 DBG1(DBG_CFG, "shunt %N policy '%s' already installed",
121 ipsec_mode_names, child->get_mode(child), child->get_name(child));
122 return TRUE;
123 }
124 this->shunts->insert_last(this->shunts, child->get_ref(child));
125
126 return install_shunt_policy(child);
127 }
128
129 /**
130 * Uninstall in and out shunt policies in the kernel
131 */
132 static void uninstall_shunt_policy(child_cfg_t *child)
133 {
134 enumerator_t *e_my_ts, *e_other_ts;
135 linked_list_t *my_ts_list, *other_ts_list;
136 traffic_selector_t *my_ts, *other_ts;
137 status_t status = SUCCESS;
138
139 my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL);
140 other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
141
142 /* enumerate pairs of traffic selectors */
143 e_my_ts = my_ts_list->create_enumerator(my_ts_list);
144 while (e_my_ts->enumerate(e_my_ts, &my_ts))
145 {
146 e_other_ts = other_ts_list->create_enumerator(other_ts_list);
147 while (e_other_ts->enumerate(e_other_ts, &other_ts))
148 {
149 /* uninstall out policy */
150 status |= hydra->kernel_interface->del_policy(
151 hydra->kernel_interface, my_ts, other_ts,
152 POLICY_OUT, 0, child->get_mark(child, FALSE),
153 FALSE);
154
155 /* uninstall in policy */
156 status |= hydra->kernel_interface->del_policy(
157 hydra->kernel_interface, other_ts, my_ts,
158 POLICY_IN, 0, child->get_mark(child, TRUE),
159 FALSE);
160
161 /* uninstall forward policy */
162 status |= hydra->kernel_interface->del_policy(
163 hydra->kernel_interface, other_ts, my_ts,
164 POLICY_FWD, 0, child->get_mark(child, TRUE),
165 FALSE);
166 }
167 e_other_ts->destroy(e_other_ts);
168 }
169 e_my_ts->destroy(e_my_ts);
170
171 my_ts_list->destroy_offset(my_ts_list,
172 offsetof(traffic_selector_t, destroy));
173 other_ts_list->destroy_offset(other_ts_list,
174 offsetof(traffic_selector_t, destroy));
175
176 if (status != SUCCESS)
177 {
178 DBG1(DBG_CFG, "uninstalling shunt %N 'policy %s' failed",
179 ipsec_mode_names, child->get_mode(child), child->get_name(child));
180 }
181 }
182
183 METHOD(shunt_manager_t, uninstall, bool,
184 private_shunt_manager_t *this, char *name)
185 {
186 enumerator_t *enumerator;
187 child_cfg_t *child, *found = NULL;
188
189 enumerator = this->shunts->create_enumerator(this->shunts);
190 while (enumerator->enumerate(enumerator, &child))
191 {
192 if (streq(name, child->get_name(child)))
193 {
194 this->shunts->remove_at(this->shunts, enumerator);
195 found = child;
196 break;
197 }
198 }
199 enumerator->destroy(enumerator);
200
201 if (!found)
202 {
203 return FALSE;
204 }
205 uninstall_shunt_policy(child);
206 return TRUE;
207 }
208
209 METHOD(shunt_manager_t, create_enumerator, enumerator_t*,
210 private_shunt_manager_t *this)
211 {
212 return this->shunts->create_enumerator(this->shunts);
213 }
214
215 METHOD(shunt_manager_t, destroy, void,
216 private_shunt_manager_t *this)
217 {
218 child_cfg_t *child;
219
220 while (this->shunts->remove_last(this->shunts, (void**)&child) == SUCCESS)
221 {
222 uninstall_shunt_policy(child);
223 child->destroy(child);
224 }
225 this->shunts->destroy(this->shunts);
226 free(this);
227 }
228
229 /**
230 * See header
231 */
232 shunt_manager_t *shunt_manager_create()
233 {
234 private_shunt_manager_t *this;
235
236 INIT(this,
237 .public = {
238 .install = _install,
239 .uninstall = _uninstall,
240 .create_enumerator = _create_enumerator,
241 .destroy = _destroy,
242 },
243 .shunts = linked_list_create(),
244 );
245
246 return &this->public;
247 }
248