kernel-netlink: Optionally install protocol and ports on transport mode SAs
authorTobias Brunner <tobias@strongswan.org>
Mon, 25 Aug 2014 12:45:40 +0000 (14:45 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Sep 2014 08:45:50 +0000 (10:45 +0200)
conf/plugins/kernel-netlink.opt
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 2a755db..7d44581 100644 (file)
@@ -16,6 +16,15 @@ charon.plugins.kernel-netlink.mtu = 0
 charon.plugins.kernel-netlink.roam_events = yes
        Whether to trigger roam events when interfaces, addresses or routes change.
 
+charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
+       Whether to set protocol and ports in the selector installed on transport
+       mode IPsec SAs in the kernel.
+
+       Whether to set protocol and ports in the selector installed on transport
+       mode IPsec SAs in the kernel. While doing so enforces policies for inbound
+       traffic, it also prevents the use of a single IPsec SA by more than one
+       traffic selector.
+
 charon.plugins.kernel-netlink.xfrm_acq_expires = 165
        Lifetime of XFRM acquire state in kernel.
 
index d9b55cf..274af79 100644 (file)
@@ -310,6 +310,12 @@ struct private_kernel_netlink_ipsec_t {
        bool install_routes;
 
        /**
+        * Whether to set protocol and ports on selector installed with transport
+        * mode IPsec SAs
+        */
+       bool proto_port_transport;
+
+       /**
         * Whether to track the history of a policy
         */
        bool policy_history;
@@ -1235,12 +1241,15 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                        if (src_ts && dst_ts)
                        {
                                sa->sel = ts2selector(src_ts, dst_ts);
-                               /* don't install proto/port on SA. This would break
-                                * potential secondary SAs for the same address using a
-                                * different prot/port. */
-                               sa->sel.proto = 0;
-                               sa->sel.dport = sa->sel.dport_mask = 0;
-                               sa->sel.sport = sa->sel.sport_mask = 0;
+                               if (!this->proto_port_transport)
+                               {
+                                       /* don't install proto/port on SA. This would break
+                                        * potential secondary SAs for the same address using a
+                                        * different prot/port. */
+                                       sa->sel.proto = 0;
+                                       sa->sel.dport = sa->sel.dport_mask = 0;
+                                       sa->sel.sport = sa->sel.sport_mask = 0;
+                               }
                        }
                        break;
                default:
@@ -2683,6 +2692,9 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
                .policy_history = TRUE,
                .install_routes = lib->settings->get_bool(lib->settings,
                                                        "%s.install_routes", TRUE, lib->ns),
+               .proto_port_transport = lib->settings->get_bool(lib->settings,
+                                               "%s.plugins.kernel-netlink.set_proto_port_transport_sa",
+                                               FALSE, lib->ns),
        );
 
        if (streq(lib->ns, "starter"))
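Review bot: In the add_sa hunk the comment kept inside the new `if (!this->proto_port_transport)` block only explains the disabled branch; the enabled case, where the proto/port values from ts2selector remain in sa->sel, is not documented in the code, and its trade-off (the kernel enforces protocol and ports on inbound traffic for that transport SA, but a second traffic selector for the same address pair can no longer reuse the SA) is stated only in the .opt description. I would add before the `if`: `/* if set_proto_port_transport_sa is enabled, proto/port from the TS stay in the selector: the kernel then enforces them on inbound traffic, but the SA can't be shared by multiple TS */`. The body of add_sa starts and ends outside the hunk, and the switch case this code sits in is presumably the transport-mode case, though its label is not visible here.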