From 5b47a47153e0e1beb6f1ae94b50faad7de1c8244 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 21 Aug 2015 17:25:00 +0200
Subject: [PATCH] child-sa: Add an option to install outbound trap policies
only
When enabled this prevents the installation of IN/FWD policies for
auto=route connections. As a result, unencrypted/unauthenticated inbound
traffic is no longer blocked, but this may be useful in some scenarios.
#1065.
---
conf/options/charon.opt | 7 +++++++
src/libcharon/sa/child_sa.c | 31 +++++++++++++++++++++++--------
2 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 5d137aee8de7..8cdcd8f244d1 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -157,6 +157,13 @@ charon.initiator_only = no
charon.install_routes = yes
Install routes into a separate routing table for established IPsec tunnels.
+charon.install_trap_outbound_only = no
+ Only install trap policies that match outbound traffic.
+
+ If this is enabled the daemon will only install trap policies that match
+ outbound traffic. That is, no inbound/forward policies are installed to
+ block unencrypted/unauthenticated incoming traffic.
+
charon.install_virtual_ip = yes
Install virtual IP addresses.
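Review bot: The option text does not say that this is a daemon-wide switch rather than a per-connection one; in the child_sa.c hunk the value is read from the global settings at CHILD_SA creation, so it affects every auto=route connection at once. Since the effect is to stop dropping unprotected inbound traffic, the description should make that scope explicit, e.g. `This is a global setting that affects every trap policy installed by the daemon; inbound traffic matching the selectors is then no longer dropped when it arrives unprotected.`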
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 73f2ec9d3239..1897e6d3264d 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -152,6 +152,11 @@ struct private_child_sa_t {
bool trap;
/**
+ * TRUE to only install outbound trap policies
+ */
+ bool trap_outbound_only;
+
+ /**
* Specifies if UDP encapsulation is enabled (NAT traversal)
*/
bool encap;
@@ -783,21 +788,25 @@ static status_t install_policies_internal(private_child_sa_t *this,
ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority)
{
status_t status = SUCCESS;
+
status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
my_addr, other_addr, my_ts, other_ts,
POLICY_OUT, type, other_sa,
this->mark_out, priority);
- status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+ if (!this->trap || !this->trap_outbound_only)
+ {
+ status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
other_addr, my_addr, other_ts, my_ts,
POLICY_IN, type, my_sa,
this->mark_in, priority);
- if (this->mode != MODE_TRANSPORT)
- {
- status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+ if (this->mode != MODE_TRANSPORT)
+ {
+ status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
other_addr, my_addr, other_ts, my_ts,
POLICY_FWD, type, my_sa,
this->mark_in, priority);
+ }
}
return status;
}
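Review bot: The guard `if (!this->trap || !this->trap_outbound_only)` carries a security decision (skipping the IN/FWD policies that drop unprotected inbound traffic) but has no comment, and the same expression is repeated in del_policies_internal. Hoisting it into a named flag makes the intent visible and keeps the two sites in step: `bool outbound_only = this->trap && this->trap_outbound_only;` followed by `/* outbound-only traps install no IN/FWD policy, so unprotected inbound traffic matching the TS is not dropped */`. Note that because the flag is only consulted when this->trap is set, an established CHILD_SA still gets all three policies, which is presumably the intent and worth stating in the comment.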
@@ -812,14 +821,18 @@ static void del_policies_internal(private_child_sa_t *this,
hydra->kernel_interface->del_policy(hydra->kernel_interface,
my_ts, other_ts, POLICY_OUT, this->reqid,
this->mark_out, priority);
- hydra->kernel_interface->del_policy(hydra->kernel_interface,
- other_ts, my_ts, POLICY_IN, this->reqid,
- this->mark_in, priority);
- if (this->mode != MODE_TRANSPORT)
+
+ if (!this->trap || !this->trap_outbound_only)
{
hydra->kernel_interface->del_policy(hydra->kernel_interface,
+ other_ts, my_ts, POLICY_IN, this->reqid,
+ this->mark_in, priority);
+ if (this->mode != MODE_TRANSPORT)
+ {
+ hydra->kernel_interface->del_policy(hydra->kernel_interface,
other_ts, my_ts, POLICY_FWD, this->reqid,
this->mark_in, priority);
+ }
}
}
@@ -1265,6 +1278,8 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
.mark_in = config->get_mark(config, TRUE),
.mark_out = config->get_mark(config, FALSE),
.install_time = time_monotonic(NULL),
+ .trap_outbound_only = lib->settings->get_bool(lib->settings,
+ "%s.install_trap_outbound_only", FALSE, lib->ns),
);
this->config = config;
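Review bot: The setting is captured into the instance at creation, which is what keeps install_policies_internal and del_policies_internal consistent for a given trap even if strongswan.conf is reloaded later (I cannot see the reload path from here, so this is an inference); that reason deserves a comment on the initializer, e.g. `/* captured per CHILD_SA so install/delete see the same value */`. Also note that the field is read for every CHILD_SA, trapped or not, although only trapped ones use it. child_sa_create starts and ends outside this hunk.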
--
1.9.1