Compare commits
1 Commits
strongswan
...
f31
| Author | SHA1 | Date | |
|---|---|---|---|
| 528e23087b |
@@ -1,19 +1,19 @@
|
||||
From 27de580084d02f6ef92c048ea60a3861fba03e4b Mon Sep 17 00:00:00 2001
|
||||
From 1d669ed02aca9e797db9fbca3eb1198dc19c292e Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Fri, 17 Jul 2015 11:53:58 +0200
|
||||
Subject: [PATCH 1/7] ike: Adhere to IKE_SA limit when checking out by config
|
||||
Subject: [PATCH 1/4] ike: Adhere to IKE_SA limit when checking out by config
|
||||
|
||||
This prevents new SAs from getting created if we hit the global IKE_SA
|
||||
limit (we still allow checkout_new(), which is used for rekeying).
|
||||
---
|
||||
src/libcharon/sa/ike_sa_manager.c | 71 ++++++++++++++++---------------
|
||||
1 file changed, 37 insertions(+), 34 deletions(-)
|
||||
src/libcharon/sa/ike_sa_manager.c | 73 ++++++++++++++++---------------
|
||||
1 file changed, 38 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
|
||||
index 1de410d6c..440894e9b 100644
|
||||
index 101d98678..5ac534b6c 100644
|
||||
--- a/src/libcharon/sa/ike_sa_manager.c
|
||||
+++ b/src/libcharon/sa/ike_sa_manager.c
|
||||
@@ -1434,48 +1434,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
@@ -1419,48 +1419,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
|
||||
DBG2(DBG_MGR, "checkout IKE_SA by config");
|
||||
|
||||
@@ -37,25 +37,10 @@ index 1de410d6c..440894e9b 100644
|
||||
- if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
|
||||
- entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
|
||||
- { /* skip IKE_SAs which are not usable, wake other waiting threads */
|
||||
- entry->condvar->signal(entry->condvar);
|
||||
- continue;
|
||||
- }
|
||||
-
|
||||
- current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
|
||||
- if (current_peer && current_peer->equals(current_peer, peer_cfg))
|
||||
- {
|
||||
- current_ike = current_peer->get_ike_cfg(current_peer);
|
||||
- if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
|
||||
+ if (!wait_for_entry(this, entry, segment))
|
||||
{
|
||||
- entry->checked_out = thread_current();
|
||||
- ike_sa = entry->ike_sa;
|
||||
- DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
|
||||
- ike_sa->get_unique_id(ike_sa),
|
||||
- current_peer->get_name(current_peer));
|
||||
- break;
|
||||
+ {
|
||||
+ continue;
|
||||
}
|
||||
+ }
|
||||
+ if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
|
||||
+ entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
|
||||
+ { /* skip IKE_SAs which are not usable, wake other waiting threads */
|
||||
@@ -78,8 +63,24 @@ index 1de410d6c..440894e9b 100644
|
||||
+ }
|
||||
+ }
|
||||
+ /* other threads might be waiting for this entry */
|
||||
+ entry->condvar->signal(entry->condvar);
|
||||
entry->condvar->signal(entry->condvar);
|
||||
- continue;
|
||||
}
|
||||
-
|
||||
- current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
|
||||
- if (current_peer && current_peer->equals(current_peer, peer_cfg))
|
||||
- {
|
||||
- current_ike = current_peer->get_ike_cfg(current_peer);
|
||||
- if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
|
||||
- {
|
||||
- entry->checked_out = thread_current();
|
||||
- ike_sa = entry->ike_sa;
|
||||
- DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
|
||||
- ike_sa->get_unique_id(ike_sa),
|
||||
- current_peer->get_name(current_peer));
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- /* other threads might be waiting for this entry */
|
||||
- entry->condvar->signal(entry->condvar);
|
||||
+ enumerator->destroy(enumerator);
|
||||
@@ -100,5 +101,5 @@ index 1de410d6c..440894e9b 100644
|
||||
}
|
||||
charon->bus->set_sa(charon->bus, ike_sa);
|
||||
--
|
||||
2.24.1
|
||||
2.21.0
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From 59aad0f83614fb7ade337e853947b4f43b3e9ef3 Mon Sep 17 00:00:00 2001
|
||||
From ea546194df7e5d181cdfc1b236e21f973080be51 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
|
||||
Date: Mon, 21 Sep 2015 13:41:58 +0300
|
||||
Subject: [PATCH 2/7] charon: add optional source and remote overrides for
|
||||
Subject: [PATCH 2/4] charon: add optional source and remote overrides for
|
||||
initiate
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
@@ -18,23 +18,23 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
||||
---
|
||||
src/charon-cmd/cmd/cmd_connection.c | 2 +-
|
||||
src/charon-nm/nm/nm_service.c | 2 +-
|
||||
src/libcharon/control/controller.c | 43 +++++++++++++-
|
||||
src/libcharon/control/controller.c | 43 ++++++++++++-
|
||||
src/libcharon/control/controller.h | 3 +
|
||||
src/libcharon/plugins/stroke/stroke_control.c | 5 +-
|
||||
src/libcharon/plugins/vici/vici_config.c | 2 +-
|
||||
src/libcharon/plugins/vici/vici_control.c | 59 +++++++++++++++++--
|
||||
src/libcharon/plugins/vici/vici_control.c | 63 ++++++++++++++++---
|
||||
.../processing/jobs/start_action_job.c | 2 +-
|
||||
src/libcharon/sa/ike_sa_manager.c | 51 +++++++++++++++-
|
||||
src/libcharon/sa/ike_sa_manager.c | 51 ++++++++++++++-
|
||||
src/libcharon/sa/ike_sa_manager.h | 8 ++-
|
||||
src/libcharon/sa/trap_manager.c | 45 ++++++--------
|
||||
src/swanctl/commands/initiate.c | 40 ++++++++++++-
|
||||
12 files changed, 217 insertions(+), 45 deletions(-)
|
||||
src/libcharon/sa/trap_manager.c | 49 ++++++---------
|
||||
src/swanctl/commands/initiate.c | 40 +++++++++++-
|
||||
12 files changed, 220 insertions(+), 50 deletions(-)
|
||||
|
||||
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
|
||||
index b91c89830..55f8d224f 100644
|
||||
index 71df92f7e..13b31de8a 100644
|
||||
--- a/src/charon-cmd/cmd/cmd_connection.c
|
||||
+++ b/src/charon-cmd/cmd/cmd_connection.c
|
||||
@@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
|
||||
@@ -436,7 +436,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
|
||||
child_cfg = create_child_cfg(this, peer_cfg);
|
||||
|
||||
if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
|
||||
@@ -44,10 +44,10 @@ index b91c89830..55f8d224f 100644
|
||||
terminate(pid);
|
||||
}
|
||||
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
|
||||
index 1b07230fd..e4379e612 100644
|
||||
index 3e8392a57..4b7468a97 100644
|
||||
--- a/src/charon-nm/nm/nm_service.c
|
||||
+++ b/src/charon-nm/nm/nm_service.c
|
||||
@@ -735,7 +735,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
|
||||
@@ -634,7 +634,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
|
||||
* Prepare IKE_SA
|
||||
*/
|
||||
ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
|
||||
@@ -57,7 +57,7 @@ index 1b07230fd..e4379e612 100644
|
||||
{
|
||||
peer_cfg->destroy(peer_cfg);
|
||||
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
|
||||
index 0c86275e2..baa83f440 100644
|
||||
index 44a4d0aa8..88c04b16c 100644
|
||||
--- a/src/libcharon/control/controller.c
|
||||
+++ b/src/libcharon/control/controller.c
|
||||
@@ -15,6 +15,28 @@
|
||||
@@ -106,7 +106,7 @@ index 0c86275e2..baa83f440 100644
|
||||
/**
|
||||
* unique ID, used for various methods
|
||||
*/
|
||||
@@ -414,9 +446,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
@@ -402,9 +434,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
ike_sa_t *ike_sa;
|
||||
interface_listener_t *listener = &job->listener;
|
||||
peer_cfg_t *peer_cfg = listener->peer_cfg;
|
||||
@@ -121,8 +121,8 @@ index 0c86275e2..baa83f440 100644
|
||||
+
|
||||
if (!ike_sa)
|
||||
{
|
||||
DESTROY_IF(listener->child_cfg);
|
||||
@@ -425,6 +462,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
listener->child_cfg->destroy(listener->child_cfg);
|
||||
@@ -413,6 +450,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
listener_done(listener);
|
||||
return JOB_REQUEUE_NONE;
|
||||
}
|
||||
@@ -130,7 +130,7 @@ index 0c86275e2..baa83f440 100644
|
||||
listener->lock->lock(listener->lock);
|
||||
listener->ike_sa = ike_sa;
|
||||
listener->lock->unlock(listener->lock);
|
||||
@@ -497,6 +535,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
@@ -485,6 +523,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
|
||||
METHOD(controller_t, initiate, status_t,
|
||||
private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
|
||||
@@ -138,23 +138,23 @@ index 0c86275e2..baa83f440 100644
|
||||
controller_cb_t callback, void *param, u_int timeout, bool limits)
|
||||
{
|
||||
interface_job_t *job;
|
||||
@@ -519,6 +558,8 @@ METHOD(controller_t, initiate, status_t,
|
||||
@@ -507,6 +546,8 @@ METHOD(controller_t, initiate, status_t,
|
||||
.status = FAILED,
|
||||
.child_cfg = child_cfg,
|
||||
.peer_cfg = peer_cfg,
|
||||
+ .my_host = my_host ? my_host->clone(my_host) : NULL,
|
||||
+ .other_host = other_host ? other_host->clone(other_host) : NULL,
|
||||
.lock = spinlock_create(),
|
||||
.options.limits = limits,
|
||||
.limits = limits,
|
||||
},
|
||||
diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
|
||||
index b4ccfced2..9945b78ad 100644
|
||||
index 9524f53b9..7c51ba4ca 100644
|
||||
--- a/src/libcharon/control/controller.h
|
||||
+++ b/src/libcharon/control/controller.h
|
||||
@@ -79,6 +79,8 @@ struct controller_t {
|
||||
*
|
||||
* @param peer_cfg peer_cfg to use for IKE_SA setup
|
||||
* @param child_cfg optional child_cfg to set up CHILD_SA from
|
||||
* @param child_cfg child_cfg to set up CHILD_SA from
|
||||
+ * @param my_host optional address hint for source
|
||||
+ * @param other_host optional address hint for destination
|
||||
* @param cb logging callback
|
||||
@@ -169,7 +169,7 @@ index b4ccfced2..9945b78ad 100644
|
||||
bool limits);
|
||||
|
||||
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
|
||||
index 8d84b934e..b00d0e62d 100644
|
||||
index ee8306772..0736a6427 100644
|
||||
--- a/src/libcharon/plugins/stroke/stroke_control.c
|
||||
+++ b/src/libcharon/plugins/stroke/stroke_control.c
|
||||
@@ -108,7 +108,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
|
||||
@@ -192,10 +192,10 @@ index 8d84b934e..b00d0e62d 100644
|
||||
switch (status)
|
||||
{
|
||||
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
|
||||
index eb679290d..81f2970ae 100644
|
||||
index e0e2955e2..b3e835f59 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_config.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_config.c
|
||||
@@ -2136,7 +2136,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
|
||||
@@ -2000,7 +2000,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
|
||||
DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
|
||||
charon->controller->initiate(charon->controller,
|
||||
peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
|
||||
@@ -205,7 +205,7 @@ index eb679290d..81f2970ae 100644
|
||||
case ACTION_ROUTE:
|
||||
DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
|
||||
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
|
||||
index 4c09b578d..1e8e788c3 100644
|
||||
index afee649f7..94bb2eecb 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_control.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_control.c
|
||||
@@ -16,6 +16,28 @@
|
||||
@@ -237,29 +237,33 @@ index 4c09b578d..1e8e788c3 100644
|
||||
#include "vici_control.h"
|
||||
#include "vici_builder.h"
|
||||
|
||||
@@ -177,6 +199,9 @@ CALLBACK(initiate, vici_message_t*,
|
||||
peer_cfg_t *peer_cfg = NULL;
|
||||
child_cfg_t *child_cfg;
|
||||
char *child, *ike, *type, *sa;
|
||||
+ char *my_host_str, *other_host_str;
|
||||
@@ -169,9 +191,11 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
|
||||
CALLBACK(initiate, vici_message_t*,
|
||||
private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
|
||||
{
|
||||
+ vici_message_t* msg;
|
||||
child_cfg_t *child_cfg = NULL;
|
||||
peer_cfg_t *peer_cfg;
|
||||
- char *child, *ike;
|
||||
+ host_t *my_host = NULL, *other_host = NULL;
|
||||
+ char *child, *ike, *my_host_str, *other_host_str;
|
||||
int timeout;
|
||||
bool limits;
|
||||
controller_cb_t log_cb = NULL;
|
||||
@@ -190,6 +215,8 @@ CALLBACK(initiate, vici_message_t*,
|
||||
@@ -185,6 +209,8 @@ CALLBACK(initiate, vici_message_t*,
|
||||
timeout = request->get_int(request, 0, "timeout");
|
||||
limits = request->get_bool(request, FALSE, "init-limits");
|
||||
log.level = request->get_int(request, 1, "loglevel");
|
||||
+ my_host_str = request->get_str(request, NULL, "my-host");
|
||||
+ other_host_str = request->get_str(request, NULL, "other-host");
|
||||
|
||||
if (!child && !ike)
|
||||
if (!child)
|
||||
{
|
||||
@@ -203,6 +230,17 @@ CALLBACK(initiate, vici_message_t*,
|
||||
type = child ? "CHILD_SA" : "IKE_SA";
|
||||
sa = child ?: ike;
|
||||
@@ -195,28 +221,47 @@ CALLBACK(initiate, vici_message_t*,
|
||||
log_cb = (controller_cb_t)log_vici;
|
||||
}
|
||||
|
||||
- DBG1(DBG_CFG, "vici initiate '%s'", child);
|
||||
+ if (my_host_str)
|
||||
+ {
|
||||
+ my_host = host_create_from_string(my_host_str, 0);
|
||||
@@ -270,13 +274,13 @@ index 4c09b578d..1e8e788c3 100644
|
||||
+ }
|
||||
+
|
||||
+ DBG1(DBG_CFG, "vici initiate '%s', me %H, other %H, limits %d", child, my_host, other_host, limits);
|
||||
+
|
||||
child_cfg = find_child_cfg(child, ike, &peer_cfg);
|
||||
|
||||
DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
|
||||
@@ -210,21 +248,30 @@ CALLBACK(initiate, vici_message_t*,
|
||||
child_cfg = find_child_cfg(child, ike, &peer_cfg);
|
||||
if (!child_cfg)
|
||||
{
|
||||
return send_reply(this, "%s config '%s' not found", type, sa);
|
||||
- return send_reply(this, "CHILD_SA config '%s' not found", child);
|
||||
+ msg = send_reply(this, "CHILD_SA config '%s' not found", child);
|
||||
+ goto ret;
|
||||
}
|
||||
- switch (charon->controller->initiate(charon->controller, peer_cfg,
|
||||
- child_cfg, log_cb, &log, timeout, limits))
|
||||
@@ -289,22 +293,22 @@ index 4c09b578d..1e8e788c3 100644
|
||||
+ msg = send_reply(this, NULL);
|
||||
+ break;
|
||||
case OUT_OF_RES:
|
||||
- return send_reply(this, "%s '%s' not established after %dms", type,
|
||||
+ msg = send_reply(this, "%s '%s' not established after %dms", type,
|
||||
sa, timeout);
|
||||
- return send_reply(this, "CHILD_SA '%s' not established after %dms",
|
||||
+ msg = send_reply(this, "CHILD_SA '%s' not established after %dms",
|
||||
child, timeout);
|
||||
+ break;
|
||||
case INVALID_STATE:
|
||||
- return send_reply(this, "establishing %s '%s' not possible at the "
|
||||
+ msg = send_reply(this, "establishing %s '%s' not possible at the "
|
||||
"moment due to limits", type, sa);
|
||||
- return send_reply(this, "establishing CHILD_SA '%s' not possible "
|
||||
+ msg = send_reply(this, "establishing CHILD_SA '%s' not possible "
|
||||
"at the moment due to limits", child);
|
||||
+ break;
|
||||
case FAILED:
|
||||
default:
|
||||
- return send_reply(this, "establishing %s '%s' failed", type, sa);
|
||||
+ msg = send_reply(this, "establishing %s '%s' failed", type, sa);
|
||||
- return send_reply(this, "establishing CHILD_SA '%s' failed", child);
|
||||
+ msg = send_reply(this, "establishing CHILD_SA '%s' failed", child);
|
||||
+ break;
|
||||
}
|
||||
+
|
||||
+ret:
|
||||
+ if (my_host) my_host->destroy(my_host);
|
||||
+ if (other_host) other_host->destroy(other_host);
|
||||
+ return msg;
|
||||
@@ -312,7 +316,7 @@ index 4c09b578d..1e8e788c3 100644
|
||||
|
||||
CALLBACK(terminate, vici_message_t*,
|
||||
diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
|
||||
index 3a0ed879f..e3399007b 100644
|
||||
index 654ec6abe..3d5a48cb8 100644
|
||||
--- a/src/libcharon/processing/jobs/start_action_job.c
|
||||
+++ b/src/libcharon/processing/jobs/start_action_job.c
|
||||
@@ -61,7 +61,7 @@ METHOD(job_t, execute, job_requeue_t,
|
||||
@@ -325,7 +329,7 @@ index 3a0ed879f..e3399007b 100644
|
||||
case ACTION_ROUTE:
|
||||
DBG1(DBG_JOB, "start action: route '%s'", name);
|
||||
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
|
||||
index 440894e9b..493599413 100644
|
||||
index 5ac534b6c..2a5beb94b 100644
|
||||
--- a/src/libcharon/sa/ike_sa_manager.c
|
||||
+++ b/src/libcharon/sa/ike_sa_manager.c
|
||||
@@ -17,6 +17,28 @@
|
||||
@@ -357,7 +361,7 @@ index 440894e9b..493599413 100644
|
||||
#include <string.h>
|
||||
#include <inttypes.h>
|
||||
|
||||
@@ -1423,7 +1445,8 @@ out:
|
||||
@@ -1408,7 +1430,8 @@ out:
|
||||
}
|
||||
|
||||
METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
@@ -367,7 +371,7 @@ index 440894e9b..493599413 100644
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
entry_t *entry;
|
||||
@@ -1432,7 +1455,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
@@ -1417,7 +1440,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
ike_cfg_t *current_ike;
|
||||
u_int segment;
|
||||
|
||||
@@ -386,7 +390,7 @@ index 440894e9b..493599413 100644
|
||||
|
||||
if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
|
||||
{
|
||||
@@ -1449,6 +1482,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
@@ -1434,6 +1467,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
entry->condvar->signal(entry->condvar);
|
||||
continue;
|
||||
}
|
||||
@@ -403,7 +407,7 @@ index 440894e9b..493599413 100644
|
||||
current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
|
||||
if (current_peer && current_peer->equals(current_peer, peer_cfg))
|
||||
{
|
||||
@@ -1480,6 +1523,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
@@ -1465,6 +1508,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
return NULL;
|
||||
}
|
||||
ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
|
||||
@@ -444,10 +448,10 @@ index efad2e4d6..c43edabbb 100644
|
||||
/**
|
||||
* Reset initiator SPI.
|
||||
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
|
||||
index 2bc531b38..7220ea597 100644
|
||||
index 6436a2549..b54089a63 100644
|
||||
--- a/src/libcharon/sa/trap_manager.c
|
||||
+++ b/src/libcharon/sa/trap_manager.c
|
||||
@@ -432,7 +432,7 @@ METHOD(trap_manager_t, acquire, void,
|
||||
@@ -448,7 +448,7 @@ METHOD(trap_manager_t, acquire, void,
|
||||
peer_cfg_t *peer;
|
||||
child_cfg_t *child;
|
||||
ike_sa_t *ike_sa;
|
||||
@@ -456,7 +460,7 @@ index 2bc531b38..7220ea597 100644
|
||||
bool wildcard, ignore = FALSE;
|
||||
|
||||
this->lock->read_lock(this->lock);
|
||||
@@ -508,36 +508,27 @@ METHOD(trap_manager_t, acquire, void,
|
||||
@@ -524,36 +524,27 @@ METHOD(trap_manager_t, acquire, void,
|
||||
this->lock->unlock(this->lock);
|
||||
|
||||
if (wildcard)
|
||||
@@ -471,32 +475,34 @@ index 2bc531b38..7220ea597 100644
|
||||
-
|
||||
- ike_sa->set_peer_cfg(ike_sa, peer);
|
||||
- ike_cfg = ike_sa->get_ike_cfg(ike_sa);
|
||||
+ {
|
||||
+ ike_cfg_t *ike_cfg;
|
||||
+ uint16_t port;
|
||||
+ uint8_t mask;
|
||||
|
||||
-
|
||||
- port = ike_cfg->get_other_port(ike_cfg);
|
||||
- dst->to_subnet(dst, &host, &mask);
|
||||
- host->set_port(host, port);
|
||||
- ike_sa->set_other_host(ike_sa, host);
|
||||
+ ike_cfg = peer->get_ike_cfg(peer);
|
||||
|
||||
-
|
||||
- port = ike_cfg->get_my_port(ike_cfg);
|
||||
- src->to_subnet(src, &host, &mask);
|
||||
- host->set_port(host, port);
|
||||
- ike_sa->set_my_host(ike_sa, host);
|
||||
+ port = ike_cfg->get_other_port(ike_cfg);
|
||||
+ dst->to_subnet(dst, &other_host, &mask);
|
||||
+ other_host->set_port(other_host, port);
|
||||
|
||||
-
|
||||
- charon->bus->set_sa(charon->bus, ike_sa);
|
||||
- }
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
{
|
||||
- ike_sa = charon->ike_sa_manager->checkout_by_config(
|
||||
- charon->ike_sa_manager, peer);
|
||||
+ ike_cfg_t *ike_cfg;
|
||||
+ uint16_t port;
|
||||
+ uint8_t mask;
|
||||
+
|
||||
+ ike_cfg = peer->get_ike_cfg(peer);
|
||||
+
|
||||
+ port = ike_cfg->get_other_port(ike_cfg);
|
||||
+ dst->to_subnet(dst, &other_host, &mask);
|
||||
+ other_host->set_port(other_host, port);
|
||||
+
|
||||
+ port = ike_cfg->get_my_port(ike_cfg);
|
||||
+ src->to_subnet(src, &my_host, &mask);
|
||||
+ my_host->set_port(my_host, port);
|
||||
@@ -511,7 +517,7 @@ index 2bc531b38..7220ea597 100644
|
||||
{
|
||||
if (ike_sa->get_peer_cfg(ike_sa) == NULL)
|
||||
diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
|
||||
index 8ade8bf41..03b2cb0f4 100644
|
||||
index 8e452a6f6..b27bb8194 100644
|
||||
--- a/src/swanctl/commands/initiate.c
|
||||
+++ b/src/swanctl/commands/initiate.c
|
||||
@@ -13,6 +13,28 @@
|
||||
@@ -582,13 +588,13 @@ index 8ade8bf41..03b2cb0f4 100644
|
||||
vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
|
||||
@@ -133,6 +169,8 @@ static void __attribute__ ((constructor))reg()
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"child", 'c', 1, "initiate a CHILD_SA configuration"},
|
||||
{"ike", 'i', 1, "initiate an IKE_SA, or name of child's parent"},
|
||||
{"child", 'c', 1, "initate a CHILD_SA configuration"},
|
||||
{"ike", 'i', 1, "name of the connection to which the child belongs"},
|
||||
+ {"source", 'S', 1, "override source address"},
|
||||
+ {"remote", 'R', 1, "override remote address"},
|
||||
{"timeout", 't', 1, "timeout in seconds before detaching"},
|
||||
{"raw", 'r', 0, "dump raw response message"},
|
||||
{"pretty", 'P', 0, "dump raw response message in pretty print"},
|
||||
--
|
||||
2.24.1
|
||||
2.21.0
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From 871c5f7158b13d847156ced924a82c8ef25a9b28 Mon Sep 17 00:00:00 2001
|
||||
From 40790461360e930ffda5dce9e020e15d9ccfdd7a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
|
||||
Date: Mon, 21 Sep 2015 13:42:05 +0300
|
||||
Subject: [PATCH 3/7] vici: send certificates for ike-sa events
|
||||
Subject: [PATCH 3/4] vici: send certificates for ike-sa events
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
@@ -12,10 +12,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
||||
1 file changed, 41 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
|
||||
index ad07ff12d..e3f6a0d26 100644
|
||||
index 134ea375d..6a2d9d3dc 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_query.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_query.c
|
||||
@@ -379,7 +379,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
|
||||
@@ -337,7 +337,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
|
||||
* List details of an IKE_SA
|
||||
*/
|
||||
static void list_ike(private_vici_query_t *this, vici_builder_t *b,
|
||||
@@ -24,8 +24,8 @@ index ad07ff12d..e3f6a0d26 100644
|
||||
{
|
||||
time_t t;
|
||||
ike_sa_id_t *id;
|
||||
@@ -388,6 +388,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
|
||||
uint32_t if_id;
|
||||
@@ -345,6 +345,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
|
||||
proposal_t *proposal;
|
||||
uint16_t alg, ks;
|
||||
host_t *host;
|
||||
+ auth_cfg_t *auth_cfg;
|
||||
@@ -33,7 +33,7 @@ index ad07ff12d..e3f6a0d26 100644
|
||||
|
||||
b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
|
||||
b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
|
||||
@@ -397,11 +399,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
|
||||
@@ -354,11 +356,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
|
||||
b->add_kv(b, "local-host", "%H", host);
|
||||
b->add_kv(b, "local-port", "%d", host->get_port(host));
|
||||
b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
|
||||
@@ -77,7 +77,7 @@ index ad07ff12d..e3f6a0d26 100644
|
||||
|
||||
eap = ike_sa->get_other_eap_id(ike_sa);
|
||||
|
||||
@@ -531,7 +565,7 @@ CALLBACK(list_sas, vici_message_t*,
|
||||
@@ -476,7 +510,7 @@ CALLBACK(list_sas, vici_message_t*,
|
||||
b = vici_builder_create();
|
||||
b->begin_section(b, ike_sa->get_name(ike_sa));
|
||||
|
||||
@@ -86,7 +86,7 @@ index ad07ff12d..e3f6a0d26 100644
|
||||
|
||||
b->begin_section(b, "child-sas");
|
||||
csas = ike_sa->create_child_sa_enumerator(ike_sa);
|
||||
@@ -1717,7 +1751,7 @@ METHOD(listener_t, ike_updown, bool,
|
||||
@@ -1607,7 +1641,7 @@ METHOD(listener_t, ike_updown, bool,
|
||||
}
|
||||
|
||||
b->begin_section(b, ike_sa->get_name(ike_sa));
|
||||
@@ -95,7 +95,7 @@ index ad07ff12d..e3f6a0d26 100644
|
||||
b->end_section(b);
|
||||
|
||||
this->dispatcher->raise_event(this->dispatcher,
|
||||
@@ -1742,10 +1776,10 @@ METHOD(listener_t, ike_rekey, bool,
|
||||
@@ -1632,10 +1666,10 @@ METHOD(listener_t, ike_rekey, bool,
|
||||
b = vici_builder_create();
|
||||
b->begin_section(b, old->get_name(old));
|
||||
b->begin_section(b, "old");
|
||||
@@ -108,7 +108,7 @@ index ad07ff12d..e3f6a0d26 100644
|
||||
b->end_section(b);
|
||||
b->end_section(b);
|
||||
|
||||
@@ -1776,7 +1810,7 @@ METHOD(listener_t, child_updown, bool,
|
||||
@@ -1665,7 +1699,7 @@ METHOD(listener_t, child_updown, bool,
|
||||
}
|
||||
|
||||
b->begin_section(b, ike_sa->get_name(ike_sa));
|
||||
@@ -116,8 +116,8 @@ index ad07ff12d..e3f6a0d26 100644
|
||||
+ list_ike(this, b, ike_sa, now, up);
|
||||
b->begin_section(b, "child-sas");
|
||||
|
||||
snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
|
||||
@@ -1811,7 +1845,7 @@ METHOD(listener_t, child_rekey, bool,
|
||||
b->begin_section(b, child_sa->get_name(child_sa));
|
||||
@@ -1697,7 +1731,7 @@ METHOD(listener_t, child_rekey, bool,
|
||||
b = vici_builder_create();
|
||||
|
||||
b->begin_section(b, ike_sa->get_name(ike_sa));
|
||||
@@ -127,5 +127,5 @@ index ad07ff12d..e3f6a0d26 100644
|
||||
|
||||
b->begin_section(b, old->get_name(old));
|
||||
--
|
||||
2.24.1
|
||||
2.21.0
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From 50501301f9b4749916778082a176d9932ea8b32b Mon Sep 17 00:00:00 2001
|
||||
From b08bc3334aa09841438123ce3ddd7f535350cb24 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
|
||||
Date: Mon, 21 Sep 2015 13:42:11 +0300
|
||||
Subject: [PATCH 4/7] vici: add support for individual sa state changes
|
||||
Subject: [PATCH 4/4] vici: add support for individual sa state changes
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
@@ -14,10 +14,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
||||
1 file changed, 105 insertions(+)
|
||||
|
||||
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
|
||||
index e3f6a0d26..9968cdd3c 100644
|
||||
index 6a2d9d3dc..36802fcc4 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_query.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_query.c
|
||||
@@ -1717,8 +1717,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
|
||||
@@ -1607,8 +1607,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
|
||||
this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
|
||||
this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
|
||||
this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
|
||||
@@ -34,7 +34,7 @@ index e3f6a0d26..9968cdd3c 100644
|
||||
manage_command(this, "list-sas", list_sas, reg);
|
||||
manage_command(this, "list-policies", list_policies, reg);
|
||||
manage_command(this, "list-conns", list_conns, reg);
|
||||
@@ -1789,6 +1797,45 @@ METHOD(listener_t, ike_rekey, bool,
|
||||
@@ -1679,6 +1687,45 @@ METHOD(listener_t, ike_rekey, bool,
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
@@ -80,7 +80,7 @@ index e3f6a0d26..9968cdd3c 100644
|
||||
METHOD(listener_t, child_updown, bool,
|
||||
private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
|
||||
{
|
||||
@@ -1868,6 +1915,62 @@ METHOD(listener_t, child_rekey, bool,
|
||||
@@ -1754,6 +1801,62 @@ METHOD(listener_t, child_rekey, bool,
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
@@ -143,7 +143,7 @@ index e3f6a0d26..9968cdd3c 100644
|
||||
METHOD(vici_query_t, destroy, void,
|
||||
private_vici_query_t *this)
|
||||
{
|
||||
@@ -1887,8 +1990,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
|
||||
@@ -1773,8 +1876,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
|
||||
.listener = {
|
||||
.ike_updown = _ike_updown,
|
||||
.ike_rekey = _ike_rekey,
|
||||
@@ -155,5 +155,5 @@ index e3f6a0d26..9968cdd3c 100644
|
||||
.destroy = _destroy,
|
||||
},
|
||||
--
|
||||
2.24.1
|
||||
2.21.0
|
||||
|
||||
|
||||
@@ -1,49 +0,0 @@
|
||||
From c48f8ff36eca91f652ae3bdd88b93a7a2b879d54 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
|
||||
Date: Mon, 21 Sep 2015 13:42:15 +0300
|
||||
Subject: [PATCH 5/7] vici: add (deprecated) async parameter
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is obsoleted by the new "timeout=-1" option that achieves
|
||||
the same. Only for compatibility with old versions of quagga-nhrp.
|
||||
|
||||
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
||||
---
|
||||
src/libcharon/plugins/vici/vici_control.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
|
||||
index 1e8e788c3..12ef92334 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_control.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_control.c
|
||||
@@ -203,7 +203,7 @@ CALLBACK(initiate, vici_message_t*,
|
||||
vici_message_t* msg;
|
||||
host_t *my_host = NULL, *other_host = NULL;
|
||||
int timeout;
|
||||
- bool limits;
|
||||
+ bool limits, async;
|
||||
controller_cb_t log_cb = NULL;
|
||||
log_info_t log = {
|
||||
.dispatcher = this->dispatcher,
|
||||
@@ -214,6 +214,7 @@ CALLBACK(initiate, vici_message_t*,
|
||||
ike = request->get_str(request, NULL, "ike");
|
||||
timeout = request->get_int(request, 0, "timeout");
|
||||
limits = request->get_bool(request, FALSE, "init-limits");
|
||||
+ async = request->get_bool(request, FALSE, "async");
|
||||
log.level = request->get_int(request, 1, "loglevel");
|
||||
my_host_str = request->get_str(request, NULL, "my-host");
|
||||
other_host_str = request->get_str(request, NULL, "other-host");
|
||||
@@ -222,7 +223,7 @@ CALLBACK(initiate, vici_message_t*,
|
||||
{
|
||||
return send_reply(this, "missing configuration name");
|
||||
}
|
||||
- if (timeout >= 0)
|
||||
+ if (timeout >= 0 && !async)
|
||||
{
|
||||
log_cb = (controller_cb_t)log_vici;
|
||||
}
|
||||
--
|
||||
2.24.1
|
||||
|
||||
@@ -1,507 +0,0 @@
|
||||
From 3385fb7d3fd2dff73f22d2e51c9e7454b723f2ef Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
|
||||
Date: Mon, 21 Sep 2015 13:42:18 +0300
|
||||
Subject: [PATCH 6/7] support gre key in ikev1
|
||||
|
||||
this implements gre key negotiation in ikev1 similarly to the
|
||||
ipsec-tools patch in alpine.
|
||||
|
||||
the from/to port pair is internally used as gre key for gre
|
||||
protocol traffic selectors. since from/to pairs 0/0xffff and
|
||||
0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000
|
||||
will not work.
|
||||
|
||||
this is not standard compliant, and should probably not be upstreamed
|
||||
or used widely, but it is applied for interoperability with alpine
|
||||
racoon for the time being.
|
||||
---
|
||||
src/libcharon/encoding/payloads/id_payload.c | 68 ++++++++++++++-----
|
||||
src/libcharon/encoding/payloads/id_payload.h | 6 +-
|
||||
.../kernel_netlink/kernel_netlink_ipsec.c | 40 ++++++++---
|
||||
src/libcharon/plugins/stroke/stroke_config.c | 5 ++
|
||||
src/libcharon/plugins/unity/unity_narrow.c | 2 +-
|
||||
src/libcharon/plugins/vici/vici_config.c | 9 ++-
|
||||
src/libcharon/sa/ikev1/tasks/quick_mode.c | 16 +++--
|
||||
.../selectors/traffic_selector.c | 33 ++++++++-
|
||||
.../selectors/traffic_selector.h | 31 +++++++++
|
||||
9 files changed, 171 insertions(+), 39 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
|
||||
index b2f1adbbc..6b44d0cf6 100644
|
||||
--- a/src/libcharon/encoding/payloads/id_payload.c
|
||||
+++ b/src/libcharon/encoding/payloads/id_payload.c
|
||||
@@ -245,18 +245,20 @@ METHOD(id_payload_t, get_identification, identification_t*,
|
||||
* Create a traffic selector from an range ID
|
||||
*/
|
||||
static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
|
||||
- ts_type_t type)
|
||||
+ ts_type_t type,
|
||||
+ uint16_t from_port, uint16_t to_port)
|
||||
{
|
||||
return traffic_selector_create_from_bytes(this->protocol_id, type,
|
||||
- chunk_create(this->id_data.ptr, this->id_data.len / 2), this->port,
|
||||
- chunk_skip(this->id_data, this->id_data.len / 2), this->port ?: 65535);
|
||||
+ chunk_create(this->id_data.ptr, this->id_data.len / 2), from_port,
|
||||
+ chunk_skip(this->id_data, this->id_data.len / 2), to_port);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a traffic selector from an subnet ID
|
||||
*/
|
||||
static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
|
||||
- ts_type_t type)
|
||||
+ ts_type_t type,
|
||||
+ uint16_t from_port, uint16_t to_port)
|
||||
{
|
||||
traffic_selector_t *ts;
|
||||
chunk_t net, netmask;
|
||||
@@ -269,7 +271,7 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
|
||||
netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
|
||||
}
|
||||
ts = traffic_selector_create_from_bytes(this->protocol_id, type,
|
||||
- net, this->port, netmask, this->port ?: 65535);
|
||||
+ net, from_port, netmask, to_port);
|
||||
chunk_free(&netmask);
|
||||
return ts;
|
||||
}
|
||||
@@ -278,51 +280,76 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
|
||||
* Create a traffic selector from an IP ID
|
||||
*/
|
||||
static traffic_selector_t *get_ts_from_ip(private_id_payload_t *this,
|
||||
- ts_type_t type)
|
||||
+ ts_type_t type,
|
||||
+ uint16_t from_port, uint16_t to_port)
|
||||
{
|
||||
return traffic_selector_create_from_bytes(this->protocol_id, type,
|
||||
- this->id_data, this->port, this->id_data, this->port ?: 65535);
|
||||
+ this->id_data, from_port, this->id_data, to_port);
|
||||
}
|
||||
|
||||
METHOD(id_payload_t, get_ts, traffic_selector_t*,
|
||||
- private_id_payload_t *this)
|
||||
+ private_id_payload_t *this, id_payload_t *other_, bool initiator)
|
||||
{
|
||||
+ private_id_payload_t *other = (private_id_payload_t *) other_;
|
||||
+ uint16_t from_port, to_port;
|
||||
+
|
||||
+ if (other && this->protocol_id == IPPROTO_GRE && other->protocol_id == IPPROTO_GRE)
|
||||
+ {
|
||||
+ if (initiator)
|
||||
+ {
|
||||
+ from_port = this->port;
|
||||
+ to_port = other->port;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ from_port = other->port;
|
||||
+ to_port = this->port;
|
||||
+ }
|
||||
+ if (from_port == 0 && to_port == 0)
|
||||
+ to_port = 0xffff;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ from_port = this->port;
|
||||
+ to_port = this->port ?: 0xffff;
|
||||
+ }
|
||||
+
|
||||
switch (this->id_type)
|
||||
{
|
||||
case ID_IPV4_ADDR_SUBNET:
|
||||
if (this->id_data.len == 8)
|
||||
{
|
||||
- return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE);
|
||||
+ return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
case ID_IPV6_ADDR_SUBNET:
|
||||
if (this->id_data.len == 32)
|
||||
{
|
||||
- return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE);
|
||||
+ return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
case ID_IPV4_ADDR_RANGE:
|
||||
if (this->id_data.len == 8)
|
||||
{
|
||||
- return get_ts_from_range(this, TS_IPV4_ADDR_RANGE);
|
||||
+ return get_ts_from_range(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
case ID_IPV6_ADDR_RANGE:
|
||||
if (this->id_data.len == 32)
|
||||
{
|
||||
- return get_ts_from_range(this, TS_IPV6_ADDR_RANGE);
|
||||
+ return get_ts_from_range(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
case ID_IPV4_ADDR:
|
||||
if (this->id_data.len == 4)
|
||||
{
|
||||
- return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE);
|
||||
+ return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
case ID_IPV6_ADDR:
|
||||
if (this->id_data.len == 16)
|
||||
{
|
||||
- return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE);
|
||||
+ return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
@@ -397,7 +424,7 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
|
||||
+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator)
|
||||
{
|
||||
private_id_payload_t *this;
|
||||
uint8_t mask;
|
||||
@@ -460,8 +487,17 @@ id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
|
||||
ts->get_from_address(ts), ts->get_to_address(ts));
|
||||
net->destroy(net);
|
||||
}
|
||||
- this->port = ts->get_from_port(ts);
|
||||
this->protocol_id = ts->get_protocol(ts);
|
||||
+ if (initiator || this->protocol_id != IPPROTO_GRE)
|
||||
+ {
|
||||
+ this->port = ts->get_from_port(ts);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ this->port = ts->get_to_port(ts);
|
||||
+ if (this->port == 0xffff && ts->get_from_port(ts) == 0)
|
||||
+ this->port = 0;
|
||||
+ }
|
||||
this->payload_length += this->id_data.len;
|
||||
|
||||
return &this->public;
|
||||
diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
|
||||
index 283780624..fafeca8bc 100644
|
||||
--- a/src/libcharon/encoding/payloads/id_payload.h
|
||||
+++ b/src/libcharon/encoding/payloads/id_payload.h
|
||||
@@ -48,11 +48,11 @@ struct id_payload_t {
|
||||
identification_t *(*get_identification) (id_payload_t *this);
|
||||
|
||||
/**
|
||||
- * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity.
|
||||
+ * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity pair.
|
||||
*
|
||||
* @return traffic selector, NULL on failure
|
||||
*/
|
||||
- traffic_selector_t* (*get_ts)(id_payload_t *this);
|
||||
+ traffic_selector_t* (*get_ts)(id_payload_t *this, id_payload_t *other, bool initiator);
|
||||
|
||||
/**
|
||||
* Get encoded payload without fixed payload header (used for IKEv1).
|
||||
@@ -91,6 +91,6 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
|
||||
* @param ts traffic selector
|
||||
* @return PLV1_ID id_paylad_t object.
|
||||
*/
|
||||
-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
|
||||
+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator);
|
||||
|
||||
#endif /** ID_PAYLOAD_H_ @}*/
|
||||
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
|
||||
index 327854ff4..2b204c273 100644
|
||||
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
|
||||
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
|
||||
@@ -863,7 +863,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
|
||||
ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
|
||||
ts2ports(dst, &sel.dport, &sel.dport_mask);
|
||||
ts2ports(src, &sel.sport, &sel.sport_mask);
|
||||
- if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
|
||||
+ if (sel.proto == IPPROTO_GRE)
|
||||
+ {
|
||||
+ sel.sport = htons(src->get_from_port(src));
|
||||
+ sel.dport = htons(src->get_to_port(src));
|
||||
+ sel.sport_mask = ~0;
|
||||
+ sel.dport_mask = ~0;
|
||||
+ if (sel.sport == htons(0) && sel.dport == htons(0xffff))
|
||||
+ {
|
||||
+ sel.sport = sel.dport = sel.sport_mask = sel.dport_mask = 0;
|
||||
+ }
|
||||
+ }
|
||||
+ else if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
|
||||
(sel.dport || sel.sport))
|
||||
{
|
||||
/* the kernel expects the ICMP type and code in the source and
|
||||
@@ -887,7 +898,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
|
||||
{
|
||||
u_char *addr;
|
||||
uint8_t prefixlen;
|
||||
- uint16_t port = 0;
|
||||
+ uint16_t from_port = 0, to_port = 65535;
|
||||
host_t *host = NULL;
|
||||
|
||||
if (src)
|
||||
@@ -896,7 +907,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
|
||||
prefixlen = sel->prefixlen_s;
|
||||
if (sel->sport_mask)
|
||||
{
|
||||
- port = ntohs(sel->sport);
|
||||
+ from_port = to_port = ntohs(sel->sport);
|
||||
}
|
||||
}
|
||||
else
|
||||
@@ -905,14 +916,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
|
||||
prefixlen = sel->prefixlen_d;
|
||||
if (sel->dport_mask)
|
||||
{
|
||||
- port = ntohs(sel->dport);
|
||||
+ from_port = to_port = ntohs(sel->dport);
|
||||
+ }
|
||||
+ }
|
||||
+ if (sel->proto == IPPROTO_GRE)
|
||||
+ {
|
||||
+ if (sel->sport_mask)
|
||||
+ {
|
||||
+ from_port = ntohs(sel->sport);
|
||||
+ to_port = ntohs(sel->dport);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ from_port = 0;
|
||||
+ to_port = 0xffff;
|
||||
}
|
||||
}
|
||||
- if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
|
||||
+ else if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
|
||||
{ /* convert ICMP[v6] message type and code as supplied by the kernel in
|
||||
* source and destination ports (both in network order) */
|
||||
- port = (sel->sport >> 8) | (sel->dport & 0xff00);
|
||||
- port = ntohs(port);
|
||||
+ from_port = (sel->sport >> 8) | (sel->dport & 0xff00);
|
||||
+ from_port = to_port = ntohs(from_port);
|
||||
}
|
||||
/* The Linux 2.6 kernel does not set the selector's family field,
|
||||
* so as a kludge we additionally test the prefix length.
|
||||
@@ -929,7 +953,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
|
||||
if (host)
|
||||
{
|
||||
return traffic_selector_create_from_subnet(host, prefixlen,
|
||||
- sel->proto, port, port ?: 65535);
|
||||
+ sel->proto, from_port, to_port);
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
|
||||
index fe5c1a542..775fa0565 100644
|
||||
--- a/src/libcharon/plugins/stroke/stroke_config.c
|
||||
+++ b/src/libcharon/plugins/stroke/stroke_config.c
|
||||
@@ -936,6 +936,11 @@ static bool parse_protoport(char *token, uint16_t *from_port,
|
||||
*from_port = 0xffff;
|
||||
*to_port = 0;
|
||||
}
|
||||
+ else if (*port && *protocol == IPPROTO_GRE)
|
||||
+ {
|
||||
+ p = strtol(port, &endptr, 0);
|
||||
+ traffic_selector_split_grekey(p, from_port, to_port);
|
||||
+ }
|
||||
else if (*port)
|
||||
{
|
||||
svc = getservbyname(port, NULL);
|
||||
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
|
||||
index afbd6cc7e..911fe70c6 100644
|
||||
--- a/src/libcharon/plugins/unity/unity_narrow.c
|
||||
+++ b/src/libcharon/plugins/unity/unity_narrow.c
|
||||
@@ -248,7 +248,7 @@ METHOD(listener_t, message, bool,
|
||||
if (!first)
|
||||
{
|
||||
id_payload = (id_payload_t*)payload;
|
||||
- tsr = id_payload->get_ts(id_payload);
|
||||
+ tsr = id_payload->get_ts(id_payload, NULL, FALSE);
|
||||
break;
|
||||
}
|
||||
first = FALSE;
|
||||
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
|
||||
index 81f2970ae..92ab77a00 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_config.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_config.c
|
||||
@@ -709,8 +709,13 @@ CALLBACK(parse_ts, bool,
|
||||
}
|
||||
else if (*port && !streq(port, "any"))
|
||||
{
|
||||
- svc = getservbyname(port, NULL);
|
||||
- if (svc)
|
||||
+ if (proto == IPPROTO_GRE)
|
||||
+ {
|
||||
+ p = strtol(port, &end, 0);
|
||||
+ if (*end) return FALSE;
|
||||
+ traffic_selector_split_grekey(p, &from, &to);
|
||||
+ }
|
||||
+ else if ((svc = getservbyname(port, NULL)) != NULL)
|
||||
{
|
||||
from = to = ntohs(svc->s_port);
|
||||
}
|
||||
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
|
||||
index 9ded2dd53..8a5351001 100644
|
||||
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
|
||||
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
|
||||
@@ -552,9 +552,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message)
|
||||
{
|
||||
id_payload_t *id_payload;
|
||||
|
||||
- id_payload = id_payload_create_from_ts(this->tsi);
|
||||
+ id_payload = id_payload_create_from_ts(this->tsi, TRUE);
|
||||
message->add_payload(message, &id_payload->payload_interface);
|
||||
- id_payload = id_payload_create_from_ts(this->tsr);
|
||||
+ id_payload = id_payload_create_from_ts(this->tsr, FALSE);
|
||||
message->add_payload(message, &id_payload->payload_interface);
|
||||
}
|
||||
|
||||
@@ -565,7 +565,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
|
||||
{
|
||||
traffic_selector_t *tsi = NULL, *tsr = NULL;
|
||||
enumerator_t *enumerator;
|
||||
- id_payload_t *id_payload;
|
||||
+ id_payload_t *idi = NULL, *idr = NULL;
|
||||
payload_t *payload;
|
||||
host_t *hsi, *hsr;
|
||||
bool first = TRUE;
|
||||
@@ -575,20 +575,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
|
||||
{
|
||||
if (payload->get_type(payload) == PLV1_ID)
|
||||
{
|
||||
- id_payload = (id_payload_t*)payload;
|
||||
-
|
||||
if (first)
|
||||
{
|
||||
- tsi = id_payload->get_ts(id_payload);
|
||||
+ idi = (id_payload_t*)payload;
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
- tsr = id_payload->get_ts(id_payload);
|
||||
+ idr = (id_payload_t*)payload;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
+ if (idi && idr) {
|
||||
+ tsi = idi->get_ts(idi, idr, TRUE);
|
||||
+ tsr = idr->get_ts(idr, idi, FALSE);
|
||||
+ }
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
/* create host2host selectors if ID payloads missing */
|
||||
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
|
||||
index cfd2b029d..d01e2ccec 100644
|
||||
--- a/src/libstrongswan/selectors/traffic_selector.c
|
||||
+++ b/src/libstrongswan/selectors/traffic_selector.c
|
||||
@@ -198,6 +198,14 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
|
||||
return print_in_hook(data, "%d", type);
|
||||
}
|
||||
|
||||
+/**
|
||||
+ * Print GRE key
|
||||
+ */
|
||||
+static int print_grekey(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
|
||||
+{
|
||||
+ return print_in_hook(data, "%d", traffic_selector_grekey(from_port, to_port));
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* Described in header.
|
||||
*/
|
||||
@@ -303,7 +311,11 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
|
||||
{
|
||||
written += print_in_hook(data, "/");
|
||||
|
||||
- if (this->from_port == this->to_port)
|
||||
+ if (this->protocol == IPPROTO_GRE)
|
||||
+ {
|
||||
+ written += print_grekey(data, this->from_port, this->to_port);
|
||||
+ }
|
||||
+ else if (this->from_port == this->to_port)
|
||||
{
|
||||
struct servent *serv;
|
||||
|
||||
@@ -377,7 +389,24 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
|
||||
/* select protocol, which is not zero */
|
||||
protocol = max(this->protocol, other->protocol);
|
||||
|
||||
- if ((is_opaque(this) && is_opaque(other)) ||
|
||||
+ if (this->protocol == IPPROTO_GRE)
|
||||
+ {
|
||||
+ if (is_any(this))
|
||||
+ {
|
||||
+ from_port = other->from_port;
|
||||
+ to_port = other->to_port;
|
||||
+ }
|
||||
+ else if (is_any(other) ||
|
||||
+ (this->from_port == other->from_port &&
|
||||
+ this->to_port == other->to_port))
|
||||
+ {
|
||||
+ from_port = this->from_port;
|
||||
+ to_port = this->to_port;
|
||||
+ }
|
||||
+ else
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ else if ((is_opaque(this) && is_opaque(other)) ||
|
||||
(is_opaque(this) && is_any(other)) ||
|
||||
(is_opaque(other) && is_any(this)))
|
||||
{
|
||||
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
|
||||
index 03f7a6d8c..b27ca4ad1 100644
|
||||
--- a/src/libstrongswan/selectors/traffic_selector.h
|
||||
+++ b/src/libstrongswan/selectors/traffic_selector.h
|
||||
@@ -120,6 +120,9 @@ struct traffic_selector_t {
|
||||
* 8 bits and the code in the least significant 8 bits. Use the utility
|
||||
* functions to extract them.
|
||||
*
|
||||
+ * If the protocol is GRE, the high 16-bits of the 32-bit GRE key is stored
|
||||
+ * in the from port. Use the utility function to merge and split them.
|
||||
+ *
|
||||
* @return port
|
||||
*/
|
||||
uint16_t (*get_from_port)(traffic_selector_t *this);
|
||||
@@ -134,6 +137,9 @@ struct traffic_selector_t {
|
||||
* 8 bits and the code in the least significant 8 bits. Use the utility
|
||||
* functions to extract them.
|
||||
*
|
||||
+ * If the protocol is GRE, the low 16-bits of the 32-bit GRE key is stored
|
||||
+ * in the to port. Use the utility function to merge and split them.
|
||||
+ *
|
||||
* @return port
|
||||
*/
|
||||
uint16_t (*get_to_port)(traffic_selector_t *this);
|
||||
@@ -277,6 +283,31 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
|
||||
int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b,
|
||||
void *opts);
|
||||
|
||||
+/**
|
||||
+ * Reconstruct the 32-bit GRE KEY in host order from a from/to ports.
|
||||
+ *
|
||||
+ * @param from_port port number in host order
|
||||
+ * @param to_port port number in host order
|
||||
+ * @return GRE KEY in host order
|
||||
+ */
|
||||
+static inline uint32_t traffic_selector_grekey(uint16_t from_port, uint16_t to_port)
|
||||
+{
|
||||
+ return (from_port << 16) | to_port;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * Split 32-bit GRE KEY in host order to from/to ports.
|
||||
+ *
|
||||
+ * @param grekey grekey in host order
|
||||
+ * @param from_port from port in host order
|
||||
+ * @param to_port to port in host order
|
||||
+ */
|
||||
+static inline void traffic_selector_split_grekey(uint32_t grekey, uint16_t *from_port, uint16_t *to_port)
|
||||
+{
|
||||
+ *from_port = grekey >> 16;
|
||||
+ *to_port = grekey & 0xffff;
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* Create a new traffic selector using human readable params.
|
||||
*
|
||||
--
|
||||
2.24.1
|
||||
|
||||
@@ -1,124 +0,0 @@
|
||||
From a73ae5cce094eaab9ac01482fbea320bfa4eed16 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
|
||||
Date: Wed, 22 Jan 2020 13:12:39 +0100
|
||||
Subject: [PATCH 7/7] vyos-terminate-connections-source-dest
|
||||
|
||||
---
|
||||
src/libcharon/plugins/vici/vici_control.c | 27 ++++++++++++++++++++---
|
||||
src/swanctl/commands/terminate.c | 18 ++++++++++++++-
|
||||
2 files changed, 41 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
|
||||
index 12ef92334..d9cf1add5 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_control.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_control.c
|
||||
@@ -279,12 +279,13 @@ CALLBACK(terminate, vici_message_t*,
|
||||
private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
|
||||
{
|
||||
enumerator_t *enumerator, *isas, *csas;
|
||||
- char *child, *ike, *errmsg = NULL;
|
||||
+ char *child, *ike, *errmsg = NULL, *my_host_str, *other_host_str;
|
||||
u_int child_id, ike_id, current, *del, done = 0;
|
||||
bool force;
|
||||
int timeout;
|
||||
ike_sa_t *ike_sa;
|
||||
child_sa_t *child_sa;
|
||||
+ host_t *my_host = NULL, *other_host = NULL;
|
||||
array_t *ids;
|
||||
vici_builder_t *builder;
|
||||
controller_cb_t log_cb = NULL;
|
||||
@@ -300,12 +301,23 @@ CALLBACK(terminate, vici_message_t*,
|
||||
force = request->get_bool(request, FALSE, "force");
|
||||
timeout = request->get_int(request, 0, "timeout");
|
||||
log.level = request->get_int(request, 1, "loglevel");
|
||||
+ my_host_str = request->get_str(request, NULL, "my-host");
|
||||
+ other_host_str = request->get_str(request, NULL, "other-host");
|
||||
|
||||
- if (!child && !ike && !ike_id && !child_id)
|
||||
+ if (!child && !ike && !ike_id && !child_id && !my_host_str &&!other_host_str)
|
||||
{
|
||||
return send_reply(this, "missing terminate selector");
|
||||
}
|
||||
-
|
||||
+ if (my_host_str && !other_host_str || other_host_str && !my_host_str)
|
||||
+ {
|
||||
+ return send_reply(this, "missing source or remote");
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ my_host = host_create_from_string(my_host_str, 0);
|
||||
+ other_host = host_create_from_string(other_host_str, 0);
|
||||
+ DBG1(DBG_CFG, "vici terminate with source me %H and other %H", my_host, other_host);
|
||||
+ }
|
||||
if (ike_id)
|
||||
{
|
||||
DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
|
||||
@@ -368,6 +380,15 @@ CALLBACK(terminate, vici_message_t*,
|
||||
{
|
||||
array_insert(ids, ARRAY_TAIL, &ike_id);
|
||||
}
|
||||
+ else if (my_host && other_host)
|
||||
+ {
|
||||
+ if (!my_host->ip_equals(my_host, ike_sa->get_my_host(ike_sa)) || !other_host->ip_equals(other_host, ike_sa->get_other_host(ike_sa)))
|
||||
+ {
|
||||
+ continue;
|
||||
+ }
|
||||
+ current = ike_sa->get_unique_id(ike_sa);
|
||||
+ array_insert(ids, ARRAY_TAIL, ¤t);
|
||||
+ }
|
||||
}
|
||||
isas->destroy(isas);
|
||||
|
||||
diff --git a/src/swanctl/commands/terminate.c b/src/swanctl/commands/terminate.c
|
||||
index 2309843b2..37d0bde3f 100644
|
||||
--- a/src/swanctl/commands/terminate.c
|
||||
+++ b/src/swanctl/commands/terminate.c
|
||||
@@ -37,7 +37,7 @@ static int terminate(vici_conn_t *conn)
|
||||
vici_req_t *req;
|
||||
vici_res_t *res;
|
||||
command_format_options_t format = COMMAND_FORMAT_NONE;
|
||||
- char *arg, *child = NULL, *ike = NULL;
|
||||
+ char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
|
||||
int ret = 0, timeout = 0, level = 1, child_id = 0, ike_id = 0;
|
||||
bool force = FALSE;
|
||||
|
||||
@@ -74,6 +74,12 @@ static int terminate(vici_conn_t *conn)
|
||||
case 'l':
|
||||
level = atoi(arg);
|
||||
continue;
|
||||
+ case 'S':
|
||||
+ my_host = arg;
|
||||
+ continue;
|
||||
+ case 'R':
|
||||
+ other_host = arg;
|
||||
+ continue;
|
||||
case EOF:
|
||||
break;
|
||||
default:
|
||||
@@ -109,6 +115,14 @@ static int terminate(vici_conn_t *conn)
|
||||
{
|
||||
vici_add_key_valuef(req, "force", "yes");
|
||||
}
|
||||
+ if (my_host)
|
||||
+ {
|
||||
+ vici_add_key_valuef(req, "my-host", "%s", my_host);
|
||||
+ }
|
||||
+ if (other_host)
|
||||
+ {
|
||||
+ vici_add_key_valuef(req, "other-host", "%s", other_host);
|
||||
+ }
|
||||
if (timeout)
|
||||
{
|
||||
vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
|
||||
@@ -155,6 +169,8 @@ static void __attribute__ ((constructor))reg()
|
||||
{
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"child", 'c', 1, "terminate by CHILD_SA name"},
|
||||
+ {"source", 'S', 1, "override source address"},
|
||||
+ {"remote", 'R', 1, "override remote address"},
|
||||
{"ike", 'i', 1, "terminate by IKE_SA name"},
|
||||
{"child-id", 'C', 1, "terminate by CHILD_SA reqid"},
|
||||
{"ike-id", 'I', 1, "terminate by IKE_SA unique identifier"},
|
||||
--
|
||||
2.24.1
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
%global _hardened_build 1
|
||||
#%%define prerelease dr1
|
||||
%global dist nhrp.3%{?dist}
|
||||
|
||||
Name: strongswan
|
||||
Version: 5.8.2
|
||||
@@ -9,10 +8,6 @@ Summary: An OpenSource IPsec-based VPN and TNC solution
|
||||
License: GPLv2+
|
||||
URL: http://www.strongswan.org/
|
||||
Source0: http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
|
||||
|
||||
# tmpfiles.d configuration for the /run directory
|
||||
Source1: %{name}-tmpfiles.conf
|
||||
|
||||
Patch1: strongswan-5.6.0-uintptr_t.patch
|
||||
Patch3: strongswan-5.6.2-CVE-2018-5388.patch
|
||||
|
||||
@@ -20,9 +15,6 @@ Patch10: 0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
|
||||
Patch11: 0002-charon-add-optional-source-and-remote-overrides-for-.patch
|
||||
Patch12: 0003-vici-send-certificates-for-ike-sa-events.patch
|
||||
Patch13: 0004-vici-add-support-for-individual-sa-state-changes.patch
|
||||
Patch14: 0005-vici-add-deprecated-async-parameter.patch
|
||||
Patch15: 0006-support-gre-key-in-ikev1.patch
|
||||
Patch16: 0007-vyos-terminate-connections-source-dest.patch
|
||||
|
||||
# only needed for pre-release versions
|
||||
#BuildRequires: autoconf automake
|
||||
@@ -95,12 +87,10 @@ PT-TLS to support TNC over TLS.
|
||||
%patch3 -p1
|
||||
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch11 -p1 -F3
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
|
||||
|
||||
%build
|
||||
# only for snapshots
|
||||
@@ -220,9 +210,6 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
|
||||
done
|
||||
install -d -m 0700 %{buildroot}%{_rundir}/strongswan
|
||||
|
||||
mkdir -p %{buildroot}%{_tmpfilesdir}
|
||||
install -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||
|
||||
%post
|
||||
%systemd_post %{name}.service
|
||||
|
||||
@@ -265,8 +252,6 @@ install -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||
%{_datadir}/strongswan/templates/database/
|
||||
%attr(0755,root,root) %dir %{_rundir}/strongswan
|
||||
|
||||
%{_tmpfilesdir}/%{name}.conf
|
||||
|
||||
%files sqlite
|
||||
%{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
|
||||
|
||||
|
||||
Reference in New Issue
Block a user