vici: Add support for interface ID configurable on IKE_SA

diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 2b0b7c2..61427d2 100644 (file)
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -772,6 +772,8 @@ command.
                        nat-remote = <yes, if remote endpoint is behind a NAT>
                        nat-fake = <yes, if NAT situation has been faked as responder>
                        nat-any = <yes, if any endpoint is behind a NAT (also if faked)>
+                       if-id-in = <hex encoded default inbound XFRM interface ID>
+                       if-id-out = <hex encoded default outbound XFRM interface ID>
                        encr-alg = <IKE encryption algorithm string>
                        encr-keysize = <key size for encr-alg, if applicable>
                        integ-alg = <IKE integrity algorithm string>

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 5750d87..f86d5c9 100644 (file)
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -327,6 +327,8 @@ typedef struct {
        uint64_t over_time;
        uint64_t rand_time;
        uint8_t dscp;
+       uint32_t if_id_in;
+       uint32_t if_id_out;
 #ifdef ME
        bool mediation;
        char *mediated_by;
@@ -421,6 +423,8 @@ static void log_peer_data(peer_data_t *data)
        DBG2(DBG_CFG, "  over_time = %llu", data->over_time);
        DBG2(DBG_CFG, "  rand_time = %llu", data->rand_time);
        DBG2(DBG_CFG, "  proposals = %#P", data->proposals);
+       DBG2(DBG_CFG, "  if_id_in = %u", data->if_id_in);
+       DBG2(DBG_CFG, "  if_id_out = %u", data->if_id_out);
 #ifdef ME
        DBG2(DBG_CFG, "  mediation = %u", data->mediation);
        if (data->mediated_by)
@@ -1785,6 +1789,8 @@ CALLBACK(peer_kv, bool,
                { "rand_time",          parse_time,                     &peer->rand_time                        },
                { "ppk_id",                     parse_peer_id,          &peer->ppk_id                           },
                { "ppk_required",       parse_bool,                     &peer->ppk_required                     },
+               { "if_id_in",           parse_if_id,            &peer->if_id_in                         },
+               { "if_id_out",          parse_if_id,            &peer->if_id_out                        },
 #ifdef ME
                { "mediation",          parse_bool,                     &peer->mediation                        },
                { "mediated_by",        parse_string,           &peer->mediated_by                      },
@@ -2523,6 +2529,8 @@ CALLBACK(config_sn, bool,
                .dpd_timeout = peer.dpd_timeout,
                .ppk_id = peer.ppk_id ? peer.ppk_id->clone(peer.ppk_id) : NULL,
                .ppk_required = peer.ppk_required,
+               .if_id_in = peer.if_id_in,
+               .if_id_out = peer.if_id_out,
        };
 #ifdef ME
        cfg.mediation = peer.mediation;

diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index e00c1d8..16e3c8b 100644 (file)
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -354,6 +354,7 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
        ike_sa_id_t *id;
        identification_t *eap;
        proposal_t *proposal;
+       uint32_t if_id;
        uint16_t alg, ks;
        host_t *host;
 
@@ -400,6 +401,17 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
        add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE);
        add_condition(b, ike_sa, "nat-any", COND_NAT_ANY);
 
+       if_id = ike_sa->get_if_id(ike_sa, TRUE);
+       if (if_id)
+       {
+               b->add_kv(b, "if-id-in", "%.8x", if_id);
+       }
+       if_id = ike_sa->get_if_id(ike_sa, FALSE);
+       if (if_id)
+       {
+               b->add_kv(b, "if-id-out", "%.8x", if_id);
+       }
+
        proposal = ike_sa->get_proposal(ike_sa);
        if (proposal)
        {

diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index c02c574..460e17b 100644 (file)
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -280,6 +280,18 @@ connections.<conn>.pools =
        other configuration attributes from. Each name references a pool by name
        from either the **pools** section or an external pool.
 
+connections.<conn>.if_id_in = 0
+       Default inbound XFRM interface ID for children.
+
+       XFRM interface ID set on inbound policies/SA, can be overridden by child
+       config, see there for details.
+
+connections.<conn>.if_id_out = 0
+       Default outbound XFRM interface ID for children.
+
+       XFRM interface ID set on outbound policies/SA, can be overridden by child
+       cofnig, see there for details.
+
 connections.<conn>.mediation = no
        Whether this connection is a mediation connection.