From: Aidas K. <mo...@us...> - 2004-11-17 19:03:46
Update of /cvsroot/ipsec-tools/ipsec-tools/src/racoon In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv26800/src/racoon Modified Files: isakmp_quick.c policy.c strnames.c Log Message: fwd policy support for generated policies. Patch by Patric McHardy
Index: strnames.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/strnames.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- strnames.c 24 Oct 2004 17:37:00 -0000 1.11
+++ strnames.c 17 Nov 2004 19:03:37 -0000 1.12
@@ -822,6 +822,9 @@
 static struct ksmap name_direction[] = {
 { IPSEC_DIR_INBOUND, "in", NULL },
 { IPSEC_DIR_OUTBOUND, "out", NULL },
+#ifdef HAVE_POLICY_FWD
+{ IPSEC_DIR_FWD, "fwd", NULL },
+#endif
 };
 char *
Index: isakmp_quick.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/isakmp_quick.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- isakmp_quick.c 1 Nov 2004 15:21:22 -0000 1.11
+++ isakmp_quick.c 17 Nov 2004 19:03:37 -0000 1.12
@@ -1579,6 +1579,18 @@
 return error;
 }
+static int
+tunnel_mode_prop(p)
+ struct saprop *p;
+{
+ struct saproto *pr;
+ for (pr = p->head; pr; pr = pr->next)
+ if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL)
+ return 1;
+ return 0;
+}
+
 /*
 * set SA to kernel.
 */
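Review bot: tunnel_mode_prop has no comment stating when it answers 1, and the loop returns 1 on the first tunnel-mode proto it meets, so a bundle that mixes a transport-mode and a tunnel-mode proto counts as tunnel mode; since the caller uses that answer to decide whether a forward policy gets installed, this should be written down. Suggest `/* Return 1 if any proto in the bundle uses tunnel mode (a mixed transport/tunnel bundle counts), 0 otherwise; used to decide whether an fwd policy is needed. */` above the definition. The helper also dereferences p with no NULL check; the only caller in this commit passes iph2->approval, which I take to be non-NULL by the time SAs are installed, but `if (p == NULL) return 0;` would make it safe for any later caller.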
@@ -1648,10 +1660,24 @@
 plog(LLV_DEBUG, LOCATION, NULL,
 "pfkey spdupdate2(inbound) sent.\n");
+ spidx = (struct policyindex *)iph2->spidx_gen;
+#ifdef HAVE_POLICY_FWD
+ /* make forward policy if required */
+ if (tunnel_mode_prop(iph2->approval)) {
+ spidx->dir = IPSEC_DIR_FWD;
+ if (pk_sendspdupdate2(iph2) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "pfkey spdupdate2(forward) failed.\n");
+ goto end;
+ }
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "pfkey spdupdate2(forward) sent.\n");
+ }
+#endif
+
 /* make outbound policy */
 iph2->src = src;
 iph2->dst = dst;
- spidx = (struct policyindex *)iph2->spidx_gen;
 spidx->dir = IPSEC_DIR_OUTBOUND;
 addr = spidx->src;
 spidx->src = spidx->dst;
Index: policy.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/policy.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- policy.c 13 Sep 2004 14:09:19 -0000 1.5
+++ policy.c 17 Nov 2004 19:03:37 -0000 1.6
@@ -308,10 +308,35 @@
 {
 struct policyindex spidx;
 struct secpolicy *sp;
- struct sockaddr_storage addr;
- u_int8_t pref;
+ struct sockaddr_storage src, dst;
+ u_int8_t prefs, prefd;
 memcpy(&spidx, spidx0, sizeof(spidx));
+ switch (spidx.dir) {
+ case IPSEC_DIR_INBOUND:
+#ifdef HAVE_POLICY_FWD
+ case IPSEC_DIR_FWD:
+#endif
+ src = spidx.src;
+ dst = spidx.dst;
+ prefs = spidx.prefs;
+ prefd = spidx.prefd;
+ break;
+ case IPSEC_DIR_OUTBOUND:
+ src = spidx.dst;
+ dst = spidx.src;
+ prefs = spidx.prefd;
+ prefd = spidx.prefs;
+ break;
+ default:
+ return;
+ }
+
+ spidx.src = src;
+ spidx.dst = dst;
+ spidx.prefs = prefs;
+ spidx.prefd = prefd;
+ spidx.dir = IPSEC_DIR_INBOUND;
 sp = getsp(&spidx);
 if (sp) {
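Review bot: The ordering inside the HAVE_POLICY_FWD block is load-bearing but undocumented: the forward policy is sent while spidx->src/dst still hold the inbound selector, and only afterwards does the outbound block swap them (`addr = spidx->src; spidx->src = spidx->dst;`), so anyone moving the block below that swap would install an fwd entry with reversed addresses. Suggest widening the comment to `/* make forward policy if required; it uses the inbound selector, so keep it before the src/dst swap below */`. On the failure path the inbound SPD entry already sent just above stays installed when control jumps to `end`; I assume that mirrors the existing outbound-failure path, but that path and the start and end of the enclosing function lie outside the hunk.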
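Review bot: The `default: return;` arm silently discards a policy index whose dir is neither inbound, outbound nor (with HAVE_POLICY_FWD) fwd, where the old code went straight on to `getsp(&spidx)`; a caller handing in an unexpected direction now gets no deletion and no diagnostic, which leaves a stale SPD entry that is hard to spot. Suggest logging before bailing out, e.g. `default: plog(LLV_ERROR, LOCATION, NULL, "unknown policy direction %d\n", spidx.dir); return;`, assuming plog is in scope in policy.c as it is in isakmp_quick.c. The function's header is above the hunk, so its name and where spidx0 comes from are not visible here.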
@@ -319,15 +344,21 @@
 delsp(sp);
 }
- spidx.dir = spidx.dir == IPSEC_DIR_OUTBOUND
- ? IPSEC_DIR_INBOUND
- : IPSEC_DIR_OUTBOUND ;
- addr = spidx.src;
- spidx.src = spidx.dst;
- spidx.dst = addr;
- pref = spidx.prefs;
- spidx.prefs = spidx.prefd;
- spidx.prefd = pref;
+#ifdef HAVE_POLICY_FWD
+ spidx.dir = IPSEC_DIR_FWD;
+
+ sp = getsp(&spidx);
+ if (sp) {
+ remsp(sp);
+ delsp(sp);
+ }
+#endif
+
+ spidx.src = dst;
+ spidx.dst = src;
+ spidx.prefs = prefd;
+ spidx.prefd = prefs;
+ spidx.dir = IPSEC_DIR_OUTBOUND;
 sp = getsp(&spidx);
 if (sp) {
|
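Review bot: The `sp = getsp(&spidx); if (sp) { remsp(sp); delsp(sp); }` sequence now appears three times in this function (inbound, the new fwd block, outbound), and the HAVE_POLICY_FWD copy is verbatim the one just above it; a small static helper taking the policyindex would reduce the function to three calls and keep the fwd variant from drifting from the others. The fwd lookup also runs whether or not a forward policy was ever generated for this index (the generator only emits one for tunnel-mode bundles), which is harmless as long as getsp returns NULL on a miss, as its use here suggests but the hunk does not show. The function continues past the end of the hunk.
```c
/* Remove and free the SPD entry matching spidx, if racoon holds one. */
static void
purge_sp(spidx)
	struct policyindex *spidx;
{
	struct secpolicy *sp;

	sp = getsp(spidx);
	if (sp) {
		remsp(sp);
		delsp(sp);
	}
}

	/* … unchanged: selector normalisation, then: … */
	purge_sp(&spidx);
#ifdef HAVE_POLICY_FWD
	spidx.dir = IPSEC_DIR_FWD;
	purge_sp(&spidx);
#endif
	/* … unchanged: swap to the outbound selector … */
	purge_sp(&spidx);
```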