Added an option to specify the type of a policy to kernel_ipsec.add_policy.
authorTobias Brunner <tobias@strongswan.org>
Mon, 19 Jul 2010 16:38:29 +0000 (18:38 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 2 Sep 2010 17:04:19 +0000 (19:04 +0200)
This will later allow us to support pluto's passthrough and drop
policies in charon.

src/libcharon/sa/child_sa.c
src/libhydra/kernel/kernel_interface.c
src/libhydra/kernel/kernel_interface.h
src/libhydra/kernel/kernel_ipsec.h
src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c

index acfdfaf..fa95d12 100644 (file)
@@ -692,24 +692,24 @@ METHOD(child_sa_t, add_policies, status_t,
                        status |= hydra->kernel_interface->add_policy(
                                                        hydra->kernel_interface,
                                                        this->my_addr, this->other_addr, my_ts, other_ts,
-                                                       POLICY_OUT, other_esp, other_ah, this->reqid,
-                                                       this->mark_out, this->mode, this->ipcomp,
-                                                       this->other_cpi, routed);
+                                                       POLICY_OUT, POLICY_IPSEC, other_esp, other_ah,
+                                                       this->reqid, this->mark_out, this->mode,
+                                                       this->ipcomp, this->other_cpi, routed);
 
                        status |= hydra->kernel_interface->add_policy(
                                                        hydra->kernel_interface,
                                                        this->other_addr, this->my_addr, other_ts, my_ts,
-                                                       POLICY_IN, my_esp, my_ah, this->reqid,
-                                                       this->mark_in, this->mode, this->ipcomp,
-                                                       this->my_cpi, routed);
+                                                       POLICY_IN, POLICY_IPSEC, my_esp, my_ah,
+                                                       this->reqid, this->mark_in, this->mode,
+                                                       this->ipcomp, this->my_cpi, routed);
                        if (this->mode != MODE_TRANSPORT)
                        {
                                status |= hydra->kernel_interface->add_policy(
                                                        hydra->kernel_interface,
                                                        this->other_addr, this->my_addr, other_ts, my_ts,
-                                                       POLICY_FWD, my_esp, my_ah, this->reqid,
-                                                       this->mark_in, this->mode, this->ipcomp,
-                                                       this->my_cpi, routed);
+                                                       POLICY_FWD, POLICY_IPSEC, my_esp, my_ah,
+                                                       this->reqid, this->mark_in, this->mode,
+                                                       this->ipcomp, this->my_cpi, routed);
                        }
 
                        if (status != SUCCESS)
@@ -832,19 +832,19 @@ METHOD(child_sa_t, update, status_t,
 
                                /* reinstall updated policies */
                                hydra->kernel_interface->add_policy(hydra->kernel_interface,
-                                                       me, other, my_ts, other_ts, POLICY_OUT,
-                                                       other_esp, other_ah, this->reqid, this->mark_out,
-                                                       this->mode, this->ipcomp, this->other_cpi, FALSE);
+                                               me, other, my_ts, other_ts, POLICY_OUT, POLICY_IPSEC,
+                                               other_esp, other_ah, this->reqid, this->mark_out,
+                                               this->mode, this->ipcomp, this->other_cpi, FALSE);
                                hydra->kernel_interface->add_policy(hydra->kernel_interface,
-                                                       other, me, other_ts, my_ts, POLICY_IN,
-                                                       my_esp, my_ah, this->reqid, this->mark_in,
-                                                       this->mode, this->ipcomp, this->my_cpi, FALSE);
+                                               other, me, other_ts, my_ts, POLICY_IN, POLICY_IPSEC,
+                                               my_esp, my_ah, this->reqid, this->mark_in,
+                                               this->mode, this->ipcomp, this->my_cpi, FALSE);
                                if (this->mode != MODE_TRANSPORT)
                                {
                                        hydra->kernel_interface->add_policy(hydra->kernel_interface,
-                                                       other, me, other_ts, my_ts, POLICY_FWD,
-                                                       my_esp, my_ah, this->reqid, this->mark_in,
-                                                       this->mode, this->ipcomp, this->my_cpi, FALSE);
+                                               other, me, other_ts, my_ts, POLICY_FWD, POLICY_IPSEC,
+                                               my_esp, my_ah, this->reqid, this->mark_in,
+                                               this->mode, this->ipcomp, this->my_cpi, FALSE);
                                }
                        }
                        enumerator->destroy(enumerator);
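Review bot: The three reinstall calls on the new side of this hunk still discard the status_t that add_policy() returns, whereas add_policies in the first hunk of this file ORs every result into `status` and checks it afterwards; a backend that rejects a reinstalled policy therefore leaves no trace in the log. Presumably the previous policies were deleted earlier in update(), outside the hunk, which would make a failed reinstall a silent loss of the policy rather than a harmless no-op. At minimum record the failure, e.g. `if (hydra->kernel_interface->add_policy(...) != SUCCESS) { DBG1(DBG_CHD, "reinstalling policy failed"); }`, or accumulate into a local status_t the same way add_policies does so the caller can react. update()'s body starts and ends outside the hunk.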
index bc99605..7e16a89 100644 (file)
@@ -131,7 +131,7 @@ METHOD(kernel_interface_t, del_sa, status_t,
 METHOD(kernel_interface_t, add_policy, status_t,
        private_kernel_interface_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+       policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
        u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
        u_int16_t cpi,  bool routed)
 {
@@ -140,7 +140,8 @@ METHOD(kernel_interface_t, add_policy, status_t,
                return NOT_SUPPORTED;
        }
        return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
-                       direction, spi, ah_spi, reqid, mark, mode, ipcomp, cpi, routed);
+                                                                  direction, type, spi, ah_spi, reqid, mark,
+                                                                  mode, ipcomp, cpi, routed);
 }
 
 METHOD(kernel_interface_t, query_policy, status_t,
index c3c3764..fdf320b 100644 (file)
@@ -183,6 +183,7 @@ struct kernel_interface_t {
         * @param src_ts                traffic selector to match traffic source
         * @param dst_ts                traffic selector to match traffic dest
         * @param direction             direction of traffic, POLICY_(IN|OUT|FWD)
+        * @param type                  type of policy, POLICY_(IPSEC|PASS|DROP)
         * @param spi                   SPI of optional ESP SA
         * @param ah_spi                SPI of optional AH SA
         * @param reqid                 unique ID of an SA to use to enforce policy
@@ -197,8 +198,8 @@ struct kernel_interface_t {
                                                        host_t *src, host_t *dst,
                                                        traffic_selector_t *src_ts,
                                                        traffic_selector_t *dst_ts,
-                                                       policy_dir_t direction, u_int32_t spi,
-                                                       u_int32_t ah_spi, u_int32_t reqid,
+                                                       policy_dir_t direction, policy_type_t type,
+                                                       u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid,
                                                        mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
                                                        u_int16_t cpi, bool routed);
 
index 1a7f7b4..ff69253 100644 (file)
@@ -26,6 +26,7 @@
 
 typedef enum ipsec_mode_t ipsec_mode_t;
 typedef enum policy_dir_t policy_dir_t;
+typedef enum policy_type_t policy_type_t;
 typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef struct kernel_ipsec_t kernel_ipsec_t;
 typedef struct lifetime_cfg_t lifetime_cfg_t;
@@ -72,6 +73,18 @@ enum policy_dir_t {
 extern enum_name_t *policy_dir_names;
 
 /**
+ * Type of a policy.
+ */
+enum policy_type_t {
+       /** Normal IPsec policy */
+       POLICY_IPSEC = 1,
+       /** Passthrough policy (traffic is ignored by IPsec) */
+       POLICY_PASS,
+       /** Drop policy (traffic is discarded) */
+       POLICY_DROP,
+};
+
+/**
  * IPComp transform IDs, as in RFC 4306
  */
 enum ipcomp_transform_t {
@@ -258,6 +271,7 @@ struct kernel_ipsec_t {
         * @param src_ts                traffic selector to match traffic source
         * @param dst_ts                traffic selector to match traffic dest
         * @param direction             direction of traffic, POLICY_(IN|OUT|FWD)
+        * @param type                  type of policy, POLICY_(IPSEC|PASS|DROP)
         * @param spi                   SPI of optional ESP SA
         * @param ah_spi                SPI of optional AH SA
         * @param reqid                 unique ID of an SA to use to enforce policy
@@ -272,8 +286,8 @@ struct kernel_ipsec_t {
                                                        host_t *src, host_t *dst,
                                                        traffic_selector_t *src_ts,
                                                        traffic_selector_t *dst_ts,
-                                                       policy_dir_t direction, u_int32_t spi,
-                                                       u_int32_t ah_spi, u_int32_t reqid,
+                                                       policy_dir_t direction, policy_type_t type,
+                                                       u_int32_t spi, u_int32_t ah_spi, u_int32_t reqid,
                                                        mark_t mark, ipsec_mode_t mode,
                                                        u_int16_t ipcomp, u_int16_t cpi, bool routed);
 
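Review bot: `enum policy_type_t` gets no `enum_name_t` counterpart, while `policy_dir_t` a few lines above it exports `policy_dir_names` for logging; backends and child_sa will need to print the type once PASS and DROP policies are actually wired in. Add `extern enum_name_t *policy_type_names;` after the enum, with the matching `ENUM(policy_type_names, POLICY_IPSEC, POLICY_DROP, ...)` definition in the corresponding .c file. The @param text `type of policy, POLICY_(IPSEC|PASS|DROP)` here and in kernel_interface.h could also state that spi, ah_spi, reqid and the other SA-related arguments are only meaningful for POLICY_IPSEC, since nothing else in the contract tells a PASS or DROP caller what to pass for them.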
index f0a9e55..042d989 100644 (file)
@@ -1969,7 +1969,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
        private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+       policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
        u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
        u_int16_t cpi, bool routed)
 {
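Review bot: The new `type` parameter now reaches the KLIPS backend's add_policy, but the hunk changes only the signature, so a caller passing POLICY_PASS or POLICY_DROP (the values kernel_ipsec.h documents) would presumably get an ordinary IPsec policy installed and a SUCCESS return, which is the opposite of what a drop policy is meant to enforce. The same applies to the kernel_netlink_ipsec.c and kernel_pfkey_ipsec.c hunks below. Until the backends implement the other types, reject them explicitly at the top of each body, `if (type != POLICY_IPSEC) { return NOT_SUPPORTED; }`, mirroring the NOT_SUPPORTED path kernel_interface.c already uses, so a request can fail loudly instead of silently degrading. The body of add_policy lies outside the hunk in all three files, so whether `type` is consulted further down cannot be seen here.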
index 0f24336..c715d8c 100644 (file)
@@ -1617,7 +1617,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
        private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+       policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
        u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
        u_int16_t cpi, bool routed)
 {
index 5cd06eb..20d1b12 100644 (file)
@@ -1593,7 +1593,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
        private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-       policy_dir_t direction, u_int32_t spi, u_int32_t ah_spi,
+       policy_dir_t direction, policy_type_t type, u_int32_t spi, u_int32_t ah_spi,
        u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
        u_int16_t cpi, bool routed)
 {