Fixing installation of trap policies (SPI=0) in kernel interface.
authorTobias Brunner <tobias@strongswan.org>
Tue, 3 Aug 2010 09:49:28 +0000 (11:49 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 2 Sep 2010 17:04:21 +0000 (19:04 +0200)
src/libcharon/plugins/load_tester/load_tester_ipsec.c
src/libhydra/kernel/kernel_interface.c
src/libhydra/kernel/kernel_interface.h
src/libhydra/kernel/kernel_ipsec.h
src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index ce199a7..aece95e 100644 (file)
@@ -85,9 +85,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
           private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
           traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-          policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
-          u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-          u_int16_t cpi, bool routed)
+          policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+          mark_t mark, bool routed)
 {
        return SUCCESS;
 }
index 7e16a89..3e6d462 100644 (file)
@@ -131,17 +131,15 @@ METHOD(kernel_interface_t, del_sa, status_t,
 METHOD(kernel_interface_t, add_policy, status_t,
        private_kernel_interface_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
-       u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi,  bool routed)
+       policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+       mark_t mark, bool routed)
 {
        if (!this->ipsec)
        {
                return NOT_SUPPORTED;
        }
        return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
-                                                                  direction, type, spi, ah_spi, reqid, mark,
-                                                                  mode, ipcomp, cpi, routed);
+                                                                  direction, type, sa, mark, routed);
 }
 
 METHOD(kernel_interface_t, query_policy, status_t,
index fdf320b..8b0c7a2 100644 (file)
@@ -184,13 +184,8 @@ struct kernel_interface_t {
         * @param dst_ts                traffic selector to match traffic dest
         * @param direction             direction of traffic, POLICY_(IN|OUT|FWD)
         * @param type                  type of policy, POLICY_(IPSEC|PASS|DROP)
-        * @param spi                   SPI of optional ESP SA
-        * @param ah_spi                SPI of optional AH SA
-        * @param reqid                 unique ID of an SA to use to enforce policy
+        * @param sa                    details about the SA(s) tied to this policy
         * @param mark                  mark for this policy
-        * @param mode                  mode of SA (tunnel, transport)
-        * @param ipcomp                the IPComp transform used
-        * @param cpi                   CPI for IPComp
         * @param routed                TRUE, if this policy is routed in the kernel
         * @return                              SUCCESS if operation completed
         */
@@ -199,9 +194,7 @@ struct kernel_interface_t {
                                                        traffic_selector_t *src_ts,
                                                        traffic_selector_t *dst_ts,
                                                        policy_dir_t direction, policy_type_t type,
-                                                       u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid,
-                                                       mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-                                                       u_int16_t cpi, bool routed);
+                                                       ipsec_sa_cfg_t *sa, mark_t mark, bool routed);
 
        /**
         * Query the use time of a policy.
index ff69253..49d9cc0 100644 (file)
@@ -29,6 +29,7 @@ typedef enum policy_dir_t policy_dir_t;
 typedef enum policy_type_t policy_type_t;
 typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef struct kernel_ipsec_t kernel_ipsec_t;
+typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
 typedef struct lifetime_cfg_t lifetime_cfg_t;
 typedef struct mark_t mark_t;
 
@@ -101,6 +102,30 @@ enum ipcomp_transform_t {
 extern enum_name_t *ipcomp_transform_names;
 
 /**
+ * This struct contains details about IPsec SA(s) tied to a policy.
+ */
+struct ipsec_sa_cfg_t {
+       /** mode of SA (tunnel, transport) */
+       ipsec_mode_t mode;
+       /** unique ID */
+       u_int32_t reqid;
+       /** details about ESP/AH */
+       struct {
+               /** TRUE if this protocol is used */
+               bool use;
+               /** SPI for ESP/AH */
+               u_int32_t spi;
+       } esp, ah;
+       /** details about IPComp */
+       struct {
+               /** the IPComp transform used */
+               u_int16_t transform;
+               /** CPI for IPComp */
+               u_int16_t cpi;
+       } ipcomp;
+};
+
+/**
  * A lifetime_cfg_t defines the lifetime limits of an SA.
  *
  * Set any of these values to 0 to ignore.
@@ -272,13 +297,8 @@ struct kernel_ipsec_t {
         * @param dst_ts                traffic selector to match traffic dest
         * @param direction             direction of traffic, POLICY_(IN|OUT|FWD)
         * @param type                  type of policy, POLICY_(IPSEC|PASS|DROP)
-        * @param spi                   SPI of optional ESP SA
-        * @param ah_spi                SPI of optional AH SA
-        * @param reqid                 unique ID of an SA to use to enforce policy
+        * @param sa                    details about the SA(s) tied to this policy
         * @param mark                  mark for this policy
-        * @param mode                  mode of SA (tunnel, transport)
-        * @param ipcomp                the IPComp transform used
-        * @param cpi                   CPI for IPComp
         * @param routed                TRUE, if this policy is routed in the kernel
         * @return                              SUCCESS if operation completed
         */
@@ -287,9 +307,7 @@ struct kernel_ipsec_t {
                                                        traffic_selector_t *src_ts,
                                                        traffic_selector_t *dst_ts,
                                                        policy_dir_t direction, policy_type_t type,
-                                                       u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid,
-                                                       mark_t mark, ipsec_mode_t mode,
-                                                       u_int16_t ipcomp, u_int16_t cpi, bool routed);
+                                                       ipsec_sa_cfg_t *sa, mark_t mark, bool routed);
 
        /**
         * Query the use time of a policy.
index 042d989..0df5f8b 100644 (file)
@@ -1969,13 +1969,13 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
        private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
-       u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool routed)
+       policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+       mark_t mark, bool routed)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
        policy_entry_t *policy, *found = NULL;
+       u_int32_t spi;
        u_int8_t satype;
        size_t len;
 
@@ -1986,8 +1986,10 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
        }
 
        /* tunnel mode policies direct the packets into the pseudo IPIP SA */
-       satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
-                                                                        proto2satype(spi ? IPPROTO_ESP : IPPROTO_AH);
+       satype = (sa->mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP
+                                                                          : proto2satype(sa->esp.use ? IPPROTO_ESP
+                                                                                                                                 : IPPROTO_AH);
+       spi = sa->esp.use ? sa->esp.spi : sa->ah.spi;
 
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction);
@@ -2019,7 +2021,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
                /* the reqid is always set to the latest child SA that trapped this
                 * policy. we will need this reqid upon receiving an acquire. */
-               policy->reqid = reqid;
+               policy->reqid = sa->reqid;
 
                /* increase the trap counter */
                policy->trapcount++;
@@ -2097,7 +2099,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
                route_entry_t *route = malloc_thing(route_entry_t);
                route->src_ip = NULL;
 
-               if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+               if (sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
                        this->install_routes)
                {
                        hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
index 06c4125..55158af 100644 (file)
@@ -1617,9 +1617,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
        private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
-       u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool routed)
+       policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+       mark_t mark, bool routed)
 {
        policy_entry_t *current, *policy;
        bool found = FALSE;
@@ -1715,11 +1714,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
                        u_int8_t proto;
                        bool use;
                } protos[] = {
-                       { IPPROTO_COMP, ipcomp != IPCOMP_NONE },
-                       { IPPROTO_ESP, spi != 0 },
-                       { IPPROTO_AH, ah_spi != 0 },
+                       { IPPROTO_COMP, sa->ipcomp.transform != IPCOMP_NONE },
+                       { IPPROTO_ESP, sa->esp.use },
+                       { IPPROTO_AH, sa->ah.use },
                };
-               ipsec_mode_t proto_mode = mode;
+               ipsec_mode_t proto_mode = sa->mode;
 
                rthdr->rta_type = XFRMA_TMPL;
                rthdr->rta_len = 0; /* actual length is set below */
@@ -1738,7 +1737,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
                                return FAILED;
                        }
 
-                       tmpl->reqid = reqid;
+                       tmpl->reqid = sa->reqid;
                        tmpl->id.proto = protos[i].proto;
                        tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
                        tmpl->mode = mode2kernel(proto_mode);
@@ -1793,7 +1792,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
         * - routing is not disabled via strongswan.conf
         */
        if (policy->route == NULL && direction == POLICY_FWD &&
-               mode != MODE_TRANSPORT && this->install_routes)
+               sa->mode != MODE_TRANSPORT && this->install_routes)
        {
                route_entry_t *route = malloc_thing(route_entry_t);
 
index 20d1b12..1b18f6a 100644 (file)
@@ -1593,9 +1593,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
        private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
-       u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-       u_int16_t cpi, bool routed)
+       policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+       mark_t mark, bool routed)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -1612,7 +1611,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
        }
 
        /* create a policy */
-       policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
+       policy = create_policy_entry(src_ts, dst_ts, direction, sa->reqid);
 
        /* find a matching policy */
        this->mutex->lock(this->mutex);
@@ -1661,13 +1660,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
        /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
        req = (struct sadb_x_ipsecrequest*)(pol + 1);
-       req->sadb_x_ipsecrequest_proto = spi ? IPPROTO_ESP : IPPROTO_AH;
+       req->sadb_x_ipsecrequest_proto = sa->esp.use ? IPPROTO_ESP : IPPROTO_AH;
        /* !!! the length of this struct MUST be in octets instead of 64 bit words */
        req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
-       req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
-       req->sadb_x_ipsecrequest_reqid = reqid;
+       req->sadb_x_ipsecrequest_mode = mode2kernel(sa->mode);
+       req->sadb_x_ipsecrequest_reqid = sa->reqid;
        req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
-       if (mode == MODE_TUNNEL)
+       if (sa->mode == MODE_TUNNEL)
        {
                len = hostcpy(req + 1, src);
                req->sadb_x_ipsecrequest_len += len;
@@ -1741,7 +1740,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
         * - routing is not disabled via strongswan.conf
         */
        if (policy->route == NULL && direction == POLICY_FWD &&
-               mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+               sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
                this->install_routes)
        {
                route_entry_t *route = malloc_thing(route_entry_t);