Added options and a lookup function that will allow filtering of network interfaces
authorTobias Brunner <tobias@strongswan.org>
Fri, 14 Sep 2012 12:43:17 +0000 (14:43 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 21 Sep 2012 16:16:26 +0000 (18:16 +0200)
man/strongswan.conf.5.in
src/libhydra/hydra.c
src/libhydra/kernel/kernel_interface.c
src/libhydra/kernel/kernel_interface.h

index 4f30c42..5b34e58 100644 (file)
@@ -173,7 +173,7 @@ keys, which is discouraged due to security concerns (offline attacks on the
 openly transmitted hash of the PSK)
 .TP
 .BR charon.ignore_routing_tables
-A list of routing tables to be excluded from route lookup
+A space-separated list of routing tables to be excluded from route lookups
 .TP
 .BR charon.ikesa_table_segments " [1]"
 Number of exclusively locked segments in the hash table
@@ -198,6 +198,14 @@ Install routes into a separate routing table for established IPsec tunnels
 .BR charon.install_virtual_ip " [yes]"
 Install virtual IP addresses
 .TP
+.BR charon.interfaces_ignore
+A comma-separated list of network interfaces that should be ignored, if
+charon.interfaces_use is specified this option has no effect.
+.TP
+.BR charon.interfaces_use
+A comma-separated list of network interfaces that sould be used by charon.
+All other interfaces are ignored.
+.TP
 .BR charon.keep_alive " [20s]"
 NAT keep alive interval
 .TP
index f180e36..7d62565 100644 (file)
@@ -58,12 +58,13 @@ bool libhydra_init(const char *daemon)
        INIT(this,
                .public = {
                        .attributes = attribute_manager_create(),
-                       .kernel_interface = kernel_interface_create(),
                        .daemon = strdup(daemon ?: "libhydra"),
                },
        );
        hydra = &this->public;
 
+       this->public.kernel_interface = kernel_interface_create();
+
        if (lib->integrity &&
                !lib->integrity->check(lib->integrity, "libhydra", libhydra_init))
        {
index 90ed737..cd162b7 100644 (file)
@@ -39,6 +39,7 @@
 
 #include "kernel_interface.h"
 
+#include <hydra.h>
 #include <debug.h>
 #include <threading/mutex.h>
 #include <utils/linked_list.h>
@@ -122,6 +123,18 @@ struct private_kernel_interface_t {
         * List of algorithm mappings (kernel_algorithm_t*)
         */
        linked_list_t *algorithms;
+
+       /**
+        * List of interface names to include or exclude (char*), NULL if interfaces
+        * are not filtered
+        */
+       linked_list_t *ifaces_filter;
+
+       /**
+        * TRUE to exclude interfaces listed in ifaces_filter, FALSE to consider
+        * only those listed there
+        */
+       bool ifaces_exclude;
 };
 
 METHOD(kernel_interface_t, get_spi, status_t,
@@ -364,6 +377,20 @@ METHOD(kernel_interface_t, enable_udp_decap, bool,
        return this->ipsec->enable_udp_decap(this->ipsec, fd, family, port);
 }
 
+METHOD(kernel_interface_t, is_interface_usable, bool,
+       private_kernel_interface_t *this, const char *iface)
+{
+       status_t expected;
+
+       if (!this->ifaces_filter)
+       {
+               return TRUE;
+       }
+       expected = this->ifaces_exclude ? NOT_FOUND : SUCCESS;
+       return this->ifaces_filter->find_first(this->ifaces_filter, (void*)streq,
+                                                                                  NULL, iface) == expected;
+}
+
 METHOD(kernel_interface_t, get_address_by_ts, status_t,
        private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip)
 {
@@ -634,6 +661,7 @@ METHOD(kernel_interface_t, destroy, void,
        this->mutex_algs->destroy(this->mutex_algs);
        DESTROY_IF(this->ipsec);
        DESTROY_IF(this->net);
+       DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
        this->listeners->destroy(this->listeners);
        this->mutex->destroy(this->mutex);
        free(this);
@@ -645,6 +673,7 @@ METHOD(kernel_interface_t, destroy, void,
 kernel_interface_t *kernel_interface_create()
 {
        private_kernel_interface_t *this;
+       char *ifaces;
 
        INIT(this,
                .public = {
@@ -670,6 +699,7 @@ kernel_interface_t *kernel_interface_create()
                        .bypass_socket = _bypass_socket,
                        .enable_udp_decap = _enable_udp_decap,
 
+                       .is_interface_usable = _is_interface_usable,
                        .get_address_by_ts = _get_address_by_ts,
                        .add_ipsec_interface = _add_ipsec_interface,
                        .remove_ipsec_interface = _remove_ipsec_interface,
@@ -693,6 +723,35 @@ kernel_interface_t *kernel_interface_create()
                .algorithms = linked_list_create(),
        );
 
+       ifaces = lib->settings->get_str(lib->settings,
+                                       "%s.interfaces_use", NULL, hydra->daemon);
+       if (!ifaces)
+       {
+               ifaces = lib->settings->get_str(lib->settings,
+                                       "%s.interfaces_ignore", NULL, hydra->daemon);
+               if (ifaces)
+               {
+                       this->ifaces_exclude = TRUE;
+               }
+       }
+       if (ifaces)
+       {
+               enumerator_t *enumerator;
+               char *iface;
+
+               enumerator = enumerator_create_token(ifaces, ",", " ");
+               while (enumerator->enumerate(enumerator, &iface))
+               {
+                       if (!this->ifaces_filter)
+                       {
+                               this->ifaces_filter = linked_list_create();
+                       }
+                       this->ifaces_filter->insert_last(this->ifaces_filter,
+                                                                                        strdup(iface));
+               }
+               enumerator->destroy(enumerator);
+       }
+
        return &this->public;
 }
 
index 338cf39..72af397 100644 (file)
@@ -406,11 +406,20 @@ struct kernel_interface_t {
         */
 
        /**
-        * Tries to find an ip address of a local interface that is included in the
+        * Verifies that the given interface is usable and not excluded by
+        * configuration.
+        *
+        * @param iface                 interface name
+        * @return                              TRUE if usable
+        */
+       bool (*is_interface_usable)(kernel_interface_t *this, const char *iface);
+
+       /**
+        * Tries to find an IP address of a local interface that is included in the
         * supplied traffic selector.
         *
         * @param ts                    traffic selector
-        * @param ip                    returned ip (has to be destroyed)
+        * @param ip                    returned IP address (has to be destroyed)
         * @return                              SUCCESS if address found
         */
        status_t (*get_address_by_ts)(kernel_interface_t *this,