IPsec policy manager added
authorTobias Brunner <tobias@strongswan.org>
Fri, 13 Jul 2012 12:27:41 +0000 (14:27 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 Aug 2012 13:41:03 +0000 (15:41 +0200)
This version only provides the very simplest management functions.

src/libipsec/Android.mk
src/libipsec/Makefile.am
src/libipsec/ipsec.c
src/libipsec/ipsec.h
src/libipsec/ipsec_policy_mgr.c [new file with mode: 0644]
src/libipsec/ipsec_policy_mgr.h [new file with mode: 0644]

index f18fc73..269f39b 100644 (file)
@@ -9,6 +9,7 @@ esp_packet.c esp_packet.h \
 ipsec_event_listener.h \
 ipsec_event_relay.c ipsec_event_relay.h \
 ipsec_policy.c ipsec_policy.h \
+ipsec_policy_mgr.c ipsec_policy_mgr.h \
 ipsec_sa.c ipsec_sa.h \
 ipsec_sa_mgr.c ipsec_sa_mgr.h
 
index 4b81d45..ec5745a 100644 (file)
@@ -7,6 +7,7 @@ esp_packet.c esp_packet.h \
 ipsec_event_listener.h \
 ipsec_event_relay.c ipsec_event_relay.h \
 ipsec_policy.c ipsec_policy.h \
+ipsec_policy_mgr.c ipsec_policy_mgr.h \
 ipsec_sa.c ipsec_sa.h \
 ipsec_sa_mgr.c ipsec_sa_mgr.h
 
index 49773ab..5453430 100644 (file)
@@ -44,6 +44,7 @@ void libipsec_deinit()
 {
        private_ipsec_t *this = (private_ipsec_t*)ipsec;
        DESTROY_IF(this->public.events);
+       DESTROY_IF(this->public.policies);
        DESTROY_IF(this->public.sas);
        free(this);
        ipsec = NULL;
@@ -67,6 +68,7 @@ bool libipsec_init()
        }
 
        this->public.sas = ipsec_sa_mgr_create();
+       this->public.policies = ipsec_policy_mgr_create();
        this->public.events = ipsec_event_relay_create();
        return TRUE;
 }
index 3047381..e8e828d 100644 (file)
@@ -26,6 +26,7 @@
 #define IPSEC_H_
 
 #include "ipsec_sa_mgr.h"
+#include "ipsec_policy_mgr.h"
 #include "ipsec_event_relay.h"
 
 #include <library.h>
@@ -43,6 +44,11 @@ struct ipsec_t {
        ipsec_sa_mgr_t *sas;
 
        /**
+        * IPsec policy manager instance
+        */
+       ipsec_policy_mgr_t *policies;
+
+       /**
         * Event relay instance
         */
        ipsec_event_relay_t *events;
diff --git a/src/libipsec/ipsec_policy_mgr.c b/src/libipsec/ipsec_policy_mgr.c
new file mode 100644 (file)
index 0000000..40e6989
--- /dev/null
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec_policy_mgr.h"
+#include "ipsec_policy.h"
+
+#include <debug.h>
+#include <library.h>
+#include <ipsec/ipsec_types.h>
+#include <selectors/traffic_selector.h>
+#include <threading/rwlock.h>
+#include <utils/host.h>
+#include <utils/linked_list.h>
+
+typedef struct private_ipsec_policy_mgr_t private_ipsec_policy_mgr_t;
+
+/**
+ * Private additions to ipsec_policy_mgr_t.
+ */
+struct private_ipsec_policy_mgr_t {
+
+       /**
+        * Public members of ipsec_policy_mgr_t.
+        */
+       ipsec_policy_mgr_t public;
+
+       /**
+        * Installed policies
+        */
+       linked_list_t *policies;
+
+       /**
+        * Lock to safely access policies
+        */
+       rwlock_t *lock;
+
+};
+
+static bool match_policy(ipsec_policy_t *policy, ipsec_policy_t *other_policy)
+{
+       return policy->match(policy, other_policy->get_source_ts(other_policy),
+                                                other_policy->get_destination_ts(other_policy),
+                                                other_policy->get_direction(other_policy),
+                                                other_policy->get_reqid(other_policy),
+                                                (mark_t){ .value = 0, },
+                                                other_policy->get_priority(other_policy));
+}
+
+METHOD(ipsec_policy_mgr_t, add_policy, status_t,
+       private_ipsec_policy_mgr_t *this, host_t *src, host_t *dst,
+       traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+       policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
+       policy_priority_t priority)
+{
+       ipsec_policy_t *policy;
+
+       policy = ipsec_policy_create(src, dst, src_ts, dst_ts, direction, type, sa,
+                                                                mark, priority);
+       this->lock->write_lock(this->lock);
+       if (this->policies->find_first(this->policies, (void*)match_policy,
+                                                                  NULL, policy) != SUCCESS)
+       {
+               this->policies->insert_last(this->policies, policy);
+       }
+       else
+       {
+               policy->destroy(policy);
+       }
+       this->lock->unlock(this->lock);
+       return SUCCESS;
+}
+
+METHOD(ipsec_policy_mgr_t, del_policy, status_t,
+       private_ipsec_policy_mgr_t *this, traffic_selector_t *src_ts,
+       traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+       mark_t mark, policy_priority_t priority)
+{
+       enumerator_t *enumerator;
+       ipsec_policy_t *current, *found = NULL;
+
+       this->lock->write_lock(this->lock);
+       enumerator = this->policies->create_enumerator(this->policies);
+       while (enumerator->enumerate(enumerator, (void**)&current))
+       {
+               if (current->match(current, src_ts, dst_ts, direction, reqid,
+                                                  mark, priority))
+               {
+                       this->policies->remove_at(this->policies, enumerator);
+                       found = current;
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->lock->unlock(this->lock);
+       if (found)
+       {
+               found->destroy(found);
+               return SUCCESS;
+       }
+       return FAILED;
+}
+
+METHOD(ipsec_policy_mgr_t, flush_policies, status_t,
+       private_ipsec_policy_mgr_t *this)
+{
+       ipsec_policy_t *policy;
+
+       DBG2(DBG_ESP, "flushing policies");
+
+       this->lock->write_lock(this->lock);
+       while (this->policies->remove_last(this->policies,
+                                                                         (void**)&policy) == SUCCESS)
+       {
+               policy->destroy(policy);
+       }
+       this->lock->unlock(this->lock);
+       return SUCCESS;
+}
+
+METHOD(ipsec_policy_mgr_t, destroy, void,
+       private_ipsec_policy_mgr_t *this)
+{
+       flush_policies(this);
+       this->policies->destroy(this->policies);
+       this->lock->destroy(this->lock);
+       free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipsec_policy_mgr_t *ipsec_policy_mgr_create()
+{
+       private_ipsec_policy_mgr_t *this;
+
+       INIT(this,
+               .public = {
+                       .add_policy = _add_policy,
+                       .del_policy = _del_policy,
+                       .flush_policies = _flush_policies,
+                       .destroy = _destroy,
+               },
+               .policies = linked_list_create(),
+               .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+       );
+
+       return &this->public;
+}
diff --git a/src/libipsec/ipsec_policy_mgr.h b/src/libipsec/ipsec_policy_mgr.h
new file mode 100644 (file)
index 0000000..0a2f632
--- /dev/null
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_policy_mgr ipsec_policy_mgr
+ * @{ @ingroup libipsec
+ */
+
+#ifndef IPSEC_POLICY_MGR_H_
+#define IPSEC_POLICY_MGR_H_
+
+#include <library.h>
+#include <utils/host.h>
+#include <utils/linked_list.h>
+#include <ipsec/ipsec_types.h>
+#include <selectors/traffic_selector.h>
+
+typedef struct ipsec_policy_mgr_t ipsec_policy_mgr_t;
+
+/**
+ * IPsec policy manager
+ *
+ * The first methods are modeled after those in kernel_ipsec_t.
+ *
+ * @note Only policies of type POLICY_IPSEC are currently used, also policies
+ * with direction POLICY_FWD are ignored.  Any packets that do not match an
+ * installed policy will be dropped.
+ */
+struct ipsec_policy_mgr_t {
+
+       /**
+        * Add a policy
+        *
+        * A policy is always associated to an SA. Traffic which matches a
+        * policy is handled by the SA with the same reqid.
+        *
+        * @param src                   source address of SA
+        * @param dst                   dest address of SA
+        * @param src_ts                traffic selector to match traffic source
+        * @param dst_ts                traffic selector to match traffic dest
+        * @param direction             direction of traffic, POLICY_(IN|OUT|FWD)
+        * @param type                  type of policy, POLICY_(IPSEC|PASS|DROP)
+        * @param sa                    details about the SA(s) tied to this policy
+        * @param mark                  mark for this policy
+        * @param priority              priority of this policy
+        * @return                              SUCCESS if operation completed
+        */
+       status_t (*add_policy)(ipsec_policy_mgr_t *this,
+                                                  host_t *src, host_t *dst, traffic_selector_t *src_ts,
+                                                  traffic_selector_t *dst_ts, policy_dir_t direction,
+                                                  policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
+                                                  policy_priority_t priority);
+
+       /**
+        * Remove a policy
+        *
+        * @param src_ts                traffic selector to match traffic source
+        * @param dst_ts                traffic selector to match traffic dest
+        * @param direction             direction of traffic, POLICY_(IN|OUT|FWD)
+        * @param reqid                 unique ID of the associated SA
+        * @param mark                  optional mark
+        * @param priority              priority of the policy
+        * @return                              SUCCESS if operation completed
+        */
+       status_t (*del_policy)(ipsec_policy_mgr_t *this,
+                                                  traffic_selector_t *src_ts,
+                                                  traffic_selector_t *dst_ts,
+                                                  policy_dir_t direction, u_int32_t reqid, mark_t mark,
+                                                  policy_priority_t priority);
+
+       /**
+        * Flush all policies
+        *
+        * @return                              SUCCESS if operation completed
+        */
+       status_t (*flush_policies)(ipsec_policy_mgr_t *this);
+
+       /**
+        * Destroy an ipsec_policy_mgr_t
+        */
+       void (*destroy)(ipsec_policy_mgr_t *this);
+
+};
+
+/**
+ * Create an ipsec_policy_mgr instance
+ *
+ * @return                     ipsec_policy_mgr
+ */
+ipsec_policy_mgr_t *ipsec_policy_mgr_create();
+
+#endif /** IPSEC_POLICY_MGR_H_ @}*/