5.9.14 - Old patches

This commit is contained in:
2024-09-18 13:06:59 +02:00
parent d7e57af704
commit f978fcb51f
4 changed files with 194 additions and 160 deletions


@@ -1,20 +1,21 @@
From 027c90f6808d451f3bbcd4b2dc4b8ad04806dc64 Mon Sep 17 00:00:00 2001
From 1e0d5415c1cd61df50fa27219d9ca8f76b497c6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
Date: Sun, 21 Jan 2024 03:11:32 +0100
Subject: [PATCH 4/4] Support GRE key in selectors.
---
.../kernel_netlink/kernel_netlink_ipsec.c | 12 +++++++++++
.../plugins/load_tester/load_tester_config.c | 16 ++++++++++++++
src/libcharon/plugins/stroke/stroke_config.c | 15 +++++++++++++
src/libcharon/plugins/vici/vici_config.c | 21 ++++++++++++++++++-
.../selectors/traffic_selector.c | 20 ++++++++++++++++++
.../selectors/traffic_selector.h | 12 +++++++++++
src/starter/confread.c | 18 ++++++++++++++++
7 files changed, 113 insertions(+), 1 deletion(-)
.../kernel_netlink/kernel_netlink_ipsec.c | 20 ++++++++++++
.../plugins/load_tester/load_tester_config.c | 22 ++++++++++++-
src/libcharon/plugins/stroke/stroke_config.c | 22 ++++++++++++-
src/libcharon/plugins/vici/vici_config.c | 32 ++++++++++++++++++-
.../selectors/traffic_selector.c | 20 ++++++++++++
.../selectors/traffic_selector.h | 12 +++++++
src/starter/confread.c | 24 +++++++++++++-
src/swanctl/swanctl.opt | 3 ++
8 files changed, 151 insertions(+), 4 deletions(-)
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 7596f0c18..fdfc9d51e 100644
index db0b2ac37..e4e7d9ecb 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -864,6 +864,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
@@ -25,7 +26,7 @@ index 7596f0c18..fdfc9d51e 100644
memset(&sel, 0, sizeof(sel));
sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
@@ -884,6 +885,17 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
@@ -884,6 +885,25 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
sel.dport = htons(traffic_selector_icmp_code(port));
sel.dport_mask = sel.dport ? ~0 : 0;
}
@@ -34,115 +35,135 @@ index 7596f0c18..fdfc9d51e 100644
+ /* the kernel expects the GRE key in the source and destination
+ * port fields, respectively. */
+ gre_key = htons(traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
+ DBG2(DBG_KNL, "Policy GRE key: %d (%d-%d) %d", gre_key, dst->get_from_port(dst), dst->get_to_port(dst), traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
+ sel.sport = gre_key >> 16;
+ sel.sport_mask = ~0;
+ sel.dport = gre_key & 0xffff;
+ sel.dport_mask = ~0;
+ if ( gre_key != 0 )
+ {
+ DBG2(DBG_KNL, "Policy GRE key: %d (%d-%d) %d", gre_key, dst->get_from_port(dst), dst->get_to_port(dst), traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
+ sel.sport = gre_key >> 16;
+ sel.sport_mask = ~0;
+ sel.dport = gre_key & 0xffff;
+ sel.dport_mask = ~0;
+ } else {
+ sel.sport = 0;
+ sel.sport_mask = 0;
+ sel.dport = 0;
+ sel.dport_mask = 0;
+ }
+ }
sel.ifindex = interface ? if_nametoindex(interface) : 0;
sel.user = 0;
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 58e1cd98a..436116361 100644
index 58e1cd98a..ac67875d8 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -16,6 +16,8 @@
#include "load_tester_config.h"
+#include <utils/utils.h>
+
#include <netdb.h>
#include <daemon.h>
@@ -512,6 +514,20 @@ static bool parse_protoport(char *token, uint16_t *from_port,
{
*from_port = *to_port = 0;
}
+ else if (*port && *protocol == IPPROTO_GRE)
+ {
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffffffff)
+ {
+ return FALSE;
+ }
+ end->from_port = (p >> 16) & 0xffff;
+ end->to_port = p & 0xffff;
+ if (*endptr)
+ {
+ return FALSE;
+ }
+ }
else if (*port)
{
svc = getservbyname(port, NULL);
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 55db379ff..9ee4c6463 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -20,6 +20,7 @@
#include <daemon.h>
#include <threading/mutex.h>
#include <utils/lexparser.h>
+#include <utils/utils.h>
#include <netdb.h>
@@ -937,6 +938,20 @@ static bool parse_protoport(char *token, uint16_t *from_port,
*from_port = 0xffff;
*to_port = 0;
}
+ else if (*port && *protocol == IPPROTO_GRE)
+ {
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffffffff)
+ {
+ return FALSE;
+ }
+ *from_port = (p >> 16) & 0xffff;
+ *to_port = p & 0xffff;
+ if (*endptr)
+ {
+ return FALSE;
+ }
+ }
else if (*port)
{
svc = getservbyname(port, NULL);
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index b1486e337..35c4df1b0 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -718,7 +718,25 @@ CALLBACK(parse_ts, bool,
from = 0xffff;
to = 0;
@@ -498,7 +498,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
*protocol = (uint8_t)p;
}
- else if (*port && !streq(port, "any"))
+ else if (*port && !streq(port, "any") && proto == IPPROTO_GRE)
}
- if (streq(port, "%any"))
+ if (*protocol == IPPROTO_GRE)
+ {
+ if (*port && !streq(port, "%any"))
+ {
+ DBG2(DBG_CFG, " GRE key %s", port);
+ p = strtol(port, &end, 0);
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffffffff)
+ {
+ DBG2(DBG_CFG, " Invalid GRE key %s", port);
+ return FALSE;
+ }
+ from = (p >> 16) & 0xffff;
+ to = p & 0xffff;
+ DBG2(DBG_CFG, " Parsed GRE key %d-%d(%d)", from, to, p);
+ if (*end)
+ end->from_port = (p >> 16) & 0xffff;
+ end->to_port = p & 0xffff;
+ if (*endptr)
+ {
+ DBG2(DBG_CFG, " Invalid GRE key %s", port);
+ return FALSE;
+ }
+ } else {
+ end->from_port = 0;
+ end->to_port = 0;
+ }
+ }
+ else if (streq(port, "%any"))
{
*from_port = 0;
*to_port = 0xffff;
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 55db379ff..b4340b8d1 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -927,7 +927,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
*protocol = (uint8_t)p;
}
}
- if (streq(port, "%any"))
+ if (*protocol == IPPROTO_GRE)
+ {
+ if (*port && !streq(port, "%any"))
+ {
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffffffff)
+ {
+ return FALSE;
+ }
+ *from_port = (p >> 16) & 0xffff;
+ *to_port = p & 0xffff;
+ if (*endptr)
+ return FALSE;
+ }
+ else
+ {
+ *from_port = 0;
+ *to_port = 0;
+ }
+ }
+ else if (streq(port, "%any"))
{
*from_port = 0;
*to_port = 0xffff;
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index a42ebf041..53306f30d 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -715,7 +715,31 @@ CALLBACK(parse_ts, bool,
proto = (uint8_t)p;
}
}
- if (streq(port, "opaque"))
+ if (proto == IPPROTO_GRE)
+ {
+ if (*port && !streq(port, "any"))
+ {
+ DBG2(DBG_CFG, " GRE key %s", port);
+ p = strtol(port, &end, 0);
+ if (p < 0 || p > 0xffffffff)
+ {
+ DBG2(DBG_CFG, " Invalid GRE key %s", port);
+ return FALSE;
+ }
+ from = (p >> 16) & 0xffff;
+ to = p & 0xffff;
+ DBG2(DBG_CFG, " Parsed GRE key %d-%d(%d)", from, to, p);
+ if (*end)
+ {
+ DBG2(DBG_CFG, " Invalid GRE key %s", port);
+ return FALSE;
+ }
+ } else {
+ from = 0;
+ to = 0;
+ }
+ }
+ else if (*port && !streq(port, "any") && proto != IPPROTO_GRE)
+ else if (streq(port, "opaque"))
{
svc = getservbyname(port, NULL);
if (svc)
@@ -752,6 +770,7 @@ CALLBACK(parse_ts, bool,
from = 0xffff;
to = 0;
@@ -752,8 +776,14 @@ CALLBACK(parse_ts, bool,
}
}
}
+ else if (proto == IPPROTO_GRE)
+ {
+ from = 0;
+ to = 0;
+ }
if (streq(buf, "dynamic"))
{
+ DBG2(DBG_CFG, " Create dynamic selector GRE key proto=%d, from_port=%d, to_port=%d", proto, from, to);
@@ -150,7 +171,7 @@ index b1486e337..35c4df1b0 100644
}
else if (strchr(buf, '-'))
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index fe61e3768..29ffbffbd 100644
index fe61e3768..09757ec36 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -205,6 +205,18 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
@@ -183,17 +204,17 @@ index fe61e3768..29ffbffbd 100644
else
{
serv = getservbyport(htons(this->from_port), serv_proto);
@@ -343,6 +359,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
written += print_in_hook(data, "-");
written += print_icmp(data, this->to_port);
@@ -332,6 +348,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
}
}
}
+ else if (this->protocol == IPPROTO_GRE)
+ {
+ written += print_gre(data, this->from_port, this->to_port);
+ }
else
else if (is_opaque(this))
{
written += print_in_hook(data, "%d-%d",
written += print_in_hook(data, "OPAQUE");
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index 367b4fff9..b7010e4a7 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
@@ -218,41 +239,54 @@ index 367b4fff9..b7010e4a7 100644
* Compare two traffic selectors, usable as sort function
*
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 5065bc369..e2c03694d 100644
index 5065bc369..039b6f402 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -25,6 +25,7 @@
#include <library.h>
#include <utils/debug.h>
+#include <utils/utils.h>
#include "keywords.h"
#include "confread.h"
@@ -335,6 +336,23 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
end->from_port = 0xffff;
end->to_port = 0;
@@ -325,7 +325,29 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
end->protocol = (uint8_t)p;
}
}
+ else if (*port && end->protocol == IPPROTO_GRE)
- if (streq(port, "%any"))
+ if (end->protocol == IPPROTO_GRE)
+ {
+ DBG1(DBG_APP, "# GRE key: %s=%s", key, port);
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffffffff)
+ if (*port && !streq(port, "%any"))
+ {
+ DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
+ goto err;
+ }
+ end->from_port = (p >> 16) & 0xffff;
+ end->to_port = p & 0xffff;
+ if (*endptr)
+ {
+ DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
+ goto err;
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffffffff)
+ {
+ DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
+ goto err;
+ }
+ end->from_port = (p >> 16) & 0xffff;
+ end->to_port = p & 0xffff;
+ if (*endptr)
+ {
+ DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
+ goto err;
+ }
+ } else {
+ end->from_port = 0;
+ end->to_port = 0;
+ }
+ }
else if (*port)
+ else if (streq(port, "%any"))
{
svc = getservbyname(port, NULL);
end->from_port = 0;
end->to_port = 0xffff;
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index d9fd949ed..1d63dadb8 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -765,6 +765,9 @@ connections.<conn>.children.<child>.local_ts = dynamic
value _opaque_ for RFC 4301 OPAQUE selectors. Port ranges may be specified
as well, none of the kernel backends currently support port ranges, though.
+ If protocol is restricted to GRE, port restriction specifies GRE key
+ in 32 bit numeric form eg. dynamic[gre/100].
+
When IKEv1 is used only the first selector is interpreted, except if
the Cisco Unity extension plugin is used. This is due to a limitation of the
IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA.
--
2.43.0
2.45.2
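Review bot: In the kernel_netlink_ipsec.c hunk the GRE key is run through `htons()` before it is split into `sel.sport`/`sel.dport`; if `traffic_selector_gre_key()` returns the full 32-bit key (as the `(p >> 16)`/`p & 0xffff` split in every parser implies), `htons()` truncates it to its low 16 bits, so `gre_key >> 16` is always 0 and the installed policy never carries the upper half of the configured key. Linux xfrm matches IPPROTO_GRE selectors by comparing the high and low halves of the key as separately byte-swapped 16-bit values, so the lines should read `gre_key = traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst));`, `sel.sport = htons(gre_key >> 16);` and `sel.dport = htons(gre_key & 0xffff);` (the declaration of `gre_key` is outside the hunk and must be a 32-bit type for this to hold). A policy installed with a wrong or zeroed key selects different traffic than the administrator configured, so the result should be checked against `ip xfrm policy` output before this is merged. Separately, all the parsers validate with `p < 0 || p > 0xffffffff` after `strtol()` without checking `errno` for ERANGE, so on targets where `long` is 32 bits a key of 0x80000000 or above saturates to LONG_MAX and is silently accepted as a different key; `strtoull()` plus an `errno` check would close that. ts2selector() starts and ends outside the hunk.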