Slightly refactored port floating.
authorTobias Brunner <tobias@strongswan.org>
Mon, 30 Aug 2010 10:19:37 +0000 (12:19 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 30 Aug 2010 11:42:58 +0000 (13:42 +0200)
In case of MOBIKE, only float to port 4500 if the other peer actually supports MOBIKE.

src/libcharon/sa/ike_sa.c
src/libcharon/sa/ike_sa.h
src/libcharon/sa/tasks/ike_me.c
src/libcharon/sa/tasks/ike_mobike.c
src/libcharon/sa/tasks/ike_natd.c

index 83d1e00..b163837 100644 (file)
@@ -810,6 +810,20 @@ METHOD(ike_sa_t, get_pending_updates, u_int32_t,
        return this->pending_updates;
 }
 
+METHOD(ike_sa_t, float_ports, void,
+          private_ike_sa_t *this)
+{
+       /* do not switch if we have a custom port from MOBIKE/NAT */
+       if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
+       {
+               this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
+       }
+       if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
+       {
+               this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
+       }
+}
+
 METHOD(ike_sa_t, update_hosts, void,
        private_ike_sa_t *this, host_t *me, host_t *other)
 {
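Review bot: float_ports() is now a public ike_sa_t method, but the decision whether floating is appropriate (a NAT was detected, or the peer advertised NAT-T and MOBIKE, or the connection is a mediation one) stays entirely with the callers; nothing in the method itself stops a task from floating an IKE_SA whose peer never sent NAT_DETECTION payloads. The comment only explains the custom-port guard; it should also record the precondition, e.g. `/* callers must have verified that a NAT was detected or that the peer supports NAT-T; this only guards against overwriting a custom port */`, and the same precondition belongs in the ike_sa.h doc comment of this commit, which currently only says "e.g. if a NAT is detected". The port-500 test also makes the call idempotent, which is what lets ike_natd.c drop its mediated-connection early return in this same commit, so that property is worth stating explicitly now that other files rely on it.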
@@ -2023,6 +2037,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
                        .get_other_host = _get_other_host,
                        .set_other_host = _set_other_host,
                        .set_message_id = _set_message_id,
+                       .float_ports = _float_ports,
                        .update_hosts = _update_hosts,
                        .get_my_id = _get_my_id,
                        .set_my_id = _set_my_id,
index 34842a5..c0007e2 100644 (file)
@@ -329,6 +329,14 @@ struct ike_sa_t {
        void (*set_other_host) (ike_sa_t *this, host_t *other);
 
        /**
+        * Float to port 4500 (e.g. if a NAT is detected).
+        *
+        * The port of either endpoint is changed only if it is currently
+        * set to the default value of 500.
+        */
+       void (*float_ports)(ike_sa_t *this);
+
+       /**
         * Update the IKE_SAs host.
         *
         * Hosts may be NULL to use current host.
index 2d2847a..a04bf56 100644 (file)
@@ -454,6 +454,9 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
                                DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting");
                                return FAILED;
                        }
+                       /* if we are on a mediation connection we switch to port 4500 even
+                        * if no NAT is detected. */
+                       this->ike_sa->float_ports(this->ike_sa);
                        return NEED_MORE;
                }
                case IKE_AUTH:
index a62886f..6dbd1ba 100644 (file)
@@ -468,7 +468,18 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
        if (message->get_exchange_type(message) == IKE_AUTH &&
                this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
        {
+               peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+
                process_payloads(this, message);
+
+               /* if peer supports NAT-T and MOBIKE, we switch to port 4500 even
+                * if no NAT is detected. MOBIKE requires this. */
+               if (peer_cfg->use_mobike(peer_cfg) &&
+                       this->ike_sa->supports_extension(this->ike_sa, EXT_NATT) &&
+                       this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+               {
+                       this->ike_sa->float_ports(this->ike_sa);
+               }
                return SUCCESS;
        }
        else if (message->get_exchange_type(message) == INFORMATIONAL)
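Review bot: `peer_cfg` is fetched at the top of the block but first dereferenced only after process_payloads(); whether get_peer_cfg() can return NULL at this point (IKE_AUTH reply, state IKE_ESTABLISHED) is not visible here, and if it can, `peer_cfg->use_mobike(peer_cfg)` dereferences NULL. Either move the lookup next to its use and guard it, `if (peer_cfg && peer_cfg->use_mobike(peer_cfg) &&`, or add a comment stating why it cannot be NULL in this state. The statement order is also load-bearing: the EXT_MOBIKE check presumably depends on process_payloads() having recorded the peer's MOBIKE_SUPPORTED notify, so a comment such as `/* process_payloads() must run first: it records EXT_MOBIKE from the peer's reply */` would keep a later reorder from silently disabling the float. process_i begins and ends outside this hunk.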
index 9ea20ba..c731178 100644 (file)
@@ -264,42 +264,9 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 
        if (message->get_exchange_type(message) == IKE_SA_INIT)
        {
-               peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-
-#ifdef ME
-               /* if we are on a mediated connection we have already switched to
-                * port 4500 and the correct destination port is already configured,
-                * therefore we must not switch again */
-               if (peer_cfg->get_mediated_by(peer_cfg))
+               if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
                {
-                       return SUCCESS;
-               }
-#endif /* ME */
-
-               if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
-#ifdef ME
-                       /* if we are on a mediation connection we switch to port 4500 even
-                        * if no NAT is detected. */
-                       peer_cfg->is_mediation(peer_cfg) ||
-#endif /* ME */
-                       /* if peer supports NAT-T, we switch to port 4500 even
-                        * if no NAT is detected. MOBIKE requires this. */
-                       (peer_cfg->use_mobike(peer_cfg) &&
-                        this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
-               {
-                       host_t *me, *other;
-
-                       /* do not switch if we have a custom port from mobike/NAT */
-                       me = this->ike_sa->get_my_host(this->ike_sa);
-                       if (me->get_port(me) == IKEV2_UDP_PORT)
-                       {
-                               me->set_port(me, IKEV2_NATT_PORT);
-                       }
-                       other = this->ike_sa->get_other_host(this->ike_sa);
-                       if (other->get_port(other) == IKEV2_UDP_PORT)
-                       {
-                               other->set_port(other, IKEV2_NATT_PORT);
-                       }
+                       this->ike_sa->float_ports(this->ike_sa);
                }
        }
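Review bot: The `#ifdef ME` early return for mediated connections (`peer_cfg->get_mediated_by(peer_cfg)`) is dropped, so on a mediated connection behind a NAT ike_natd now calls float_ports() where it previously returned before touching the ports. That is only equivalent if the mediated connection's hosts no longer carry port 500 at IKE_SA_INIT time, so that the port-500 guard inside float_ports() turns the call into a no-op; the removed comment asserted the destination port was already configured, but nothing in this hunk verifies it. A one-line comment at the new call, `/* mediated connections already have their ports set; float_ports() only touches port 500 */`, would record the assumption the removal relies on. process_i continues past the end of this hunk.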