kernel-netlink: Associate routes with IN policies instead of FWD policies
authorTobias Brunner <tobias@strongswan.org>
Fri, 1 Apr 2016 14:26:07 +0000 (16:26 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 9 Apr 2016 14:50:59 +0000 (16:50 +0200)
This allows us to install more than one FWD policy.  We already do this
in the kernel-pfkey plugin (there the original reason was that not all
kernels support FWD policies).

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 7baea3e..df79f86 100644 (file)
@@ -463,7 +463,7 @@ static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t *this,
 }
 
 typedef struct policy_sa_t policy_sa_t;
-typedef struct policy_sa_fwd_t policy_sa_fwd_t;
+typedef struct policy_sa_in_t policy_sa_in_t;
 
 /**
  * Mapping between a policy and an IPsec SA.
@@ -480,10 +480,10 @@ struct policy_sa_t {
 };
 
 /**
- * For forward policies we also cache the traffic selectors in order to install
+ * For inbound policies we also cache the traffic selectors in order to install
  * the route.
  */
-struct policy_sa_fwd_t {
+struct policy_sa_in_t {
        /** Generic interface */
        policy_sa_t generic;
 
@@ -495,7 +495,7 @@ struct policy_sa_fwd_t {
 };
 
 /**
- * Create a policy_sa(_fwd)_t object
+ * Create a policy_sa(_in)_t object
  */
 static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
        policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
@@ -504,14 +504,14 @@ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
 {
        policy_sa_t *policy;
 
-       if (dir == POLICY_FWD)
+       if (dir == POLICY_IN)
        {
-               policy_sa_fwd_t *fwd;
-               INIT(fwd,
+               policy_sa_in_t *in;
+               INIT(in,
                        .src_ts = src_ts->clone(src_ts),
                        .dst_ts = dst_ts->clone(dst_ts),
                );
-               policy = &fwd->generic;
+               policy = &in->generic;
        }
        else
        {
@@ -523,16 +523,16 @@ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
 }
 
 /**
- * Destroy a policy_sa(_fwd)_t object
+ * Destroy a policy_sa(_in)_t object
  */
 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
                                                          private_kernel_netlink_ipsec_t *this)
 {
-       if (*dir == POLICY_FWD)
+       if (*dir == POLICY_IN)
        {
-               policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy;
-               fwd->src_ts->destroy(fwd->src_ts);
-               fwd->dst_ts->destroy(fwd->dst_ts);
+               policy_sa_in_t *in = (policy_sa_in_t*)policy;
+               in->src_ts->destroy(in->src_ts);
+               in->dst_ts->destroy(in->dst_ts);
        }
        ipsec_sa_destroy(this, policy->sa);
        free(policy);
@@ -2243,14 +2243,14 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
        }
 
        /* install a route, if:
-        * - this is a forward policy (to just get one for each child)
+        * - this is a inbound policy (to just get one for each child)
         * - we are in tunnel/BEET mode or install a bypass policy
         * - routing is not disabled via strongswan.conf
         */
-       if (policy->direction == POLICY_FWD && this->install_routes &&
+       if (policy->direction == POLICY_IN && this->install_routes &&
                (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
        {
-               policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
+               policy_sa_in_t *in = (policy_sa_in_t*)mapping;
                route_entry_t *route;
                host_t *iface;
 
@@ -2258,10 +2258,10 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
                        .prefixlen = policy->sel.prefixlen_s,
                );
 
-               if (charon->kernel->get_address_by_ts(charon->kernel, fwd->dst_ts,
+               if (charon->kernel->get_address_by_ts(charon->kernel, in->dst_ts,
                                                                                          &route->src_ip, NULL) == SUCCESS)
                {
-                       /* get the nexthop to src (src as we are in POLICY_FWD) */
+                       /* get the nexthop to src (src as we are in POLICY_IN) */
                        if (!ipsec->src->is_anyaddr(ipsec->src))
                        {
                                route->gateway = charon->kernel->get_nexthop(charon->kernel,
@@ -2310,8 +2310,8 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
                                                                                old->src_ip, old->if_name) != SUCCESS)
                                {
                                        DBG1(DBG_KNL, "error uninstalling route installed with "
-                                                                 "policy %R === %R %N", fwd->src_ts,
-                                                                  fwd->dst_ts, policy_dir_names,
+                                                                 "policy %R === %R %N", in->src_ts,
+                                                                  in->dst_ts, policy_dir_names,
                                                                   policy->direction);
                                }
                                route_entry_destroy(old);
@@ -2319,7 +2319,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
                        }
 
                        DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
-                                fwd->src_ts, route->gateway, route->src_ip, route->if_name);
+                                in->src_ts, route->gateway, route->src_ip, route->if_name);
                        switch (charon->kernel->add_route(charon->kernel, route->dst_net,
                                                                                          route->prefixlen, route->gateway,
                                                                                          route->src_ip, route->if_name))