vici: Make installation of outbound FWD policies configurable
authorTobias Brunner <tobias@strongswan.org>
Thu, 18 Aug 2016 14:22:51 +0000 (16:22 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 28 Sep 2016 15:56:43 +0000 (17:56 +0200)
src/libcharon/plugins/vici/vici_config.c
src/swanctl/swanctl.opt

index daefcaa..224a519 100644 (file)
@@ -437,6 +437,7 @@ typedef struct {
        linked_list_t *remote_ts;
        uint32_t replay_window;
        bool policies;
+       bool policies_fwd_out;
        child_cfg_create_t cfg;
 } child_data_t;
 
@@ -462,6 +463,7 @@ static void log_child_data(child_data_t *data, char *name)
        DBG2(DBG_CFG, "   ipcomp = %u", cfg->ipcomp);
        DBG2(DBG_CFG, "   mode = %N", ipsec_mode_names, cfg->mode);
        DBG2(DBG_CFG, "   policies = %u", data->policies);
+       DBG2(DBG_CFG, "   policies_fwd_out = %u", data->policies_fwd_out);
        if (data->replay_window != REPLAY_UNDEFINED)
        {
                DBG2(DBG_CFG, "   replay_window = %u", data->replay_window);
@@ -1330,31 +1332,32 @@ CALLBACK(child_kv, bool,
        child_data_t *child, vici_message_t *message, char *name, chunk_t value)
 {
        parse_rule_t rules[] = {
-               { "updown",                     parse_string,           &child->cfg.updown                                      },
-               { "hostaccess",         parse_bool,                     &child->cfg.hostaccess                          },
-               { "mode",                       parse_mode,                     &child->cfg.mode                                        },
-               { "policies",           parse_bool,                     &child->policies                                        },
-               { "replay_window",      parse_uint32,           &child->replay_window                           },
-               { "rekey_time",         parse_time,                     &child->cfg.lifetime.time.rekey         },
-               { "life_time",          parse_time,                     &child->cfg.lifetime.time.life          },
-               { "rand_time",          parse_time,                     &child->cfg.lifetime.time.jitter        },
-               { "rekey_bytes",        parse_bytes,            &child->cfg.lifetime.bytes.rekey        },
-               { "life_bytes",         parse_bytes,            &child->cfg.lifetime.bytes.life         },
-               { "rand_bytes",         parse_bytes,            &child->cfg.lifetime.bytes.jitter       },
-               { "rekey_packets",      parse_uint64,           &child->cfg.lifetime.packets.rekey      },
-               { "life_packets",       parse_uint64,           &child->cfg.lifetime.packets.life       },
-               { "rand_packets",       parse_uint64,           &child->cfg.lifetime.packets.jitter     },
-               { "dpd_action",         parse_action,           &child->cfg.dpd_action                          },
-               { "start_action",       parse_action,           &child->cfg.start_action                        },
-               { "close_action",       parse_action,           &child->cfg.close_action                        },
-               { "ipcomp",                     parse_bool,                     &child->cfg.ipcomp                                      },
-               { "inactivity",         parse_time,                     &child->cfg.inactivity                          },
-               { "reqid",                      parse_uint32,           &child->cfg.reqid                                       },
-               { "mark_in",            parse_mark,                     &child->cfg.mark_in                                     },
-               { "mark_out",           parse_mark,                     &child->cfg.mark_out                            },
-               { "tfc_padding",        parse_tfc,                      &child->cfg.tfc                                         },
-               { "priority",           parse_uint32,           &child->cfg.priority                            },
-               { "interface",          parse_string,           &child->cfg.interface                           },
+               { "updown",                             parse_string,           &child->cfg.updown                                      },
+               { "hostaccess",                 parse_bool,                     &child->cfg.hostaccess                          },
+               { "mode",                               parse_mode,                     &child->cfg.mode                                        },
+               { "policies",                   parse_bool,                     &child->policies                                        },
+               { "policies_fwd_out",   parse_bool,                     &child->policies_fwd_out                        },
+               { "replay_window",              parse_uint32,           &child->replay_window                           },
+               { "rekey_time",                 parse_time,                     &child->cfg.lifetime.time.rekey         },
+               { "life_time",                  parse_time,                     &child->cfg.lifetime.time.life          },
+               { "rand_time",                  parse_time,                     &child->cfg.lifetime.time.jitter        },
+               { "rekey_bytes",                parse_bytes,            &child->cfg.lifetime.bytes.rekey        },
+               { "life_bytes",                 parse_bytes,            &child->cfg.lifetime.bytes.life         },
+               { "rand_bytes",                 parse_bytes,            &child->cfg.lifetime.bytes.jitter       },
+               { "rekey_packets",              parse_uint64,           &child->cfg.lifetime.packets.rekey      },
+               { "life_packets",               parse_uint64,           &child->cfg.lifetime.packets.life       },
+               { "rand_packets",               parse_uint64,           &child->cfg.lifetime.packets.jitter     },
+               { "dpd_action",                 parse_action,           &child->cfg.dpd_action                          },
+               { "start_action",               parse_action,           &child->cfg.start_action                        },
+               { "close_action",               parse_action,           &child->cfg.close_action                        },
+               { "ipcomp",                             parse_bool,                     &child->cfg.ipcomp                                      },
+               { "inactivity",                 parse_time,                     &child->cfg.inactivity                          },
+               { "reqid",                              parse_uint32,           &child->cfg.reqid                                       },
+               { "mark_in",                    parse_mark,                     &child->cfg.mark_in                                     },
+               { "mark_out",                   parse_mark,                     &child->cfg.mark_out                            },
+               { "tfc_padding",                parse_tfc,                      &child->cfg.tfc                                         },
+               { "priority",                   parse_uint32,           &child->cfg.priority                            },
+               { "interface",                  parse_string,           &child->cfg.interface                           },
        };
 
        return parse_rules(rules, countof(rules), name, value,
@@ -1537,6 +1540,7 @@ CALLBACK(children_sn, bool,
                }
        }
        child.cfg.suppress_policies = !child.policies;
+       child.cfg.fwd_out_policies = child.policies_fwd_out;
 
        check_lifetimes(&child.cfg.lifetime);
 
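Review bot: The new `child.cfg.fwd_out_policies = child.policies_fwd_out;` is assigned independently of `child.policies`, so a CHILD with `policies = no` and `policies_fwd_out = yes` leaves children_sn with both `suppress_policies` and `fwd_out_policies` set; if outbound FWD policies are only meaningful when policies are installed at all, the line should be `child.cfg.fwd_out_policies = child.policies && child.policies_fwd_out;`, or the combination rejected at parse time. The documented default of `no` for `policies_fwd_out` relies on the `child` initializer earlier in children_sn leaving the new member zero, which this hunk does not show; if that initializer is a designated list, adding `.policies_fwd_out = FALSE` next to the existing `policies` default makes the default visible at the point it is defined. A short comment above the assignment, `/* outbound FWD policies are opt-in (policies_fwd_out in swanctl.opt) */`, would spare the next reader a trip to the option docs. The earlier hunk realigns every row of the `rules[]` table for one added entry, which hides the functional change in whitespace noise and is better kept as a separate reformat commit. children_sn starts and ends outside the hunk.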
index 15cbc6c..2a4f5a7 100644 (file)
@@ -659,6 +659,13 @@ connections.<conn>.children.<child>.policies = yes
        Whether to install IPsec policies or not. Disabling this can be useful in
        some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon.
 
+connections.<conn>.children.<child>.policies_fwd_out = no
+       Whether to install outbound FWD IPsec policies or not.
+
+       Whether to install outbound FWD IPsec policies or not. Enabling this is
+       required in case there is a drop policy that would match and block forwarded
+       traffic for this CHILD_SA.
+
 connections.<conn>.children.<child>.dpd_action = clear
        Action to perform on DPD timeout (_clear_, _trap_ or _restart_).