From 5b47a47153e0e1beb6f1ae94b50faad7de1c8244 Mon Sep 17 00:00:00 2001 | |
From: Tobias Brunner <tobias@strongswan.org> | |
Date: Fri, 21 Aug 2015 17:25:00 +0200 | |
Subject: [PATCH] child-sa: Add an option to install outbound trap policies | |
only | |
When enabled this prevents the installation of IN/FWD policies for | |
auto=route connections. As a consequence, unencrypted/unauthenticated inbound | |
traffic matching those policies is no longer blocked; this may still be useful in some scenarios. | |
#1065. | |
--- | |
conf/options/charon.opt | 7 +++++++ | |
src/libcharon/sa/child_sa.c | 31 +++++++++++++++++++++++-------- | |
2 files changed, 30 insertions(+), 8 deletions(-) | |
diff --git a/conf/options/charon.opt b/conf/options/charon.opt | |
index 5d137aee8de7..8cdcd8f244d1 100644 | |
--- a/conf/options/charon.opt | |
+++ b/conf/options/charon.opt | |
@@ -157,6 +157,13 @@ charon.initiator_only = no | |
charon.install_routes = yes | |
Install routes into a separate routing table for established IPsec tunnels. | |
+charon.install_trap_outbound_only = no | |
+ Only install trap policies that match outbound traffic. | |
+ | |
+ If this is enabled the daemon will only install trap policies that match | |
+ outbound traffic. That is, no inbound/forward policies are installed to | |
+ block unencrypted/unauthenticated incoming traffic. | |
+ | |
charon.install_virtual_ip = yes | |
Install virtual IP addresses. | |
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c | |
index 73f2ec9d3239..1897e6d3264d 100644 | |
--- a/src/libcharon/sa/child_sa.c | |
+++ b/src/libcharon/sa/child_sa.c | |
@@ -152,6 +152,11 @@ struct private_child_sa_t { | |
bool trap; | |
/** | |
+ * TRUE to only install outbound trap policies | |
+ */ | |
+ bool trap_outbound_only; | |
+ | |
+ /** | |
* Specifies if UDP encapsulation is enabled (NAT traversal) | |
*/ | |
bool encap; | |
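Review bot: The comment on the new `trap_outbound_only` field says what the flag does but not where it comes from or when it is consulted, so a reader of the struct alone cannot tell that it is a daemon-wide setting rather than a per-connection one and that it only has an effect together with `trap`. Suggest `/** TRUE to skip IN/FWD policies for trap (auto=route) SAs; taken from the global charon.install_trap_outbound_only setting at creation time */`. The enclosing struct private_child_sa_t begins before this hunk.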
@@ -783,21 +788,25 @@ static status_t install_policies_internal(private_child_sa_t *this, | |
ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority) | |
{ | |
status_t status = SUCCESS; | |
+ | |
status |= hydra->kernel_interface->add_policy(hydra->kernel_interface, | |
my_addr, other_addr, my_ts, other_ts, | |
POLICY_OUT, type, other_sa, | |
this->mark_out, priority); | |
- status |= hydra->kernel_interface->add_policy(hydra->kernel_interface, | |
+ if (!this->trap || !this->trap_outbound_only) | |
+ { | |
+ status |= hydra->kernel_interface->add_policy(hydra->kernel_interface, | |
other_addr, my_addr, other_ts, my_ts, | |
POLICY_IN, type, my_sa, | |
this->mark_in, priority); | |
- if (this->mode != MODE_TRANSPORT) | |
- { | |
- status |= hydra->kernel_interface->add_policy(hydra->kernel_interface, | |
+ if (this->mode != MODE_TRANSPORT) | |
+ { | |
+ status |= hydra->kernel_interface->add_policy(hydra->kernel_interface, | |
other_addr, my_addr, other_ts, my_ts, | |
POLICY_FWD, type, my_sa, | |
this->mark_in, priority); | |
+ } | |
} | |
return status; | |
} | |
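Review bot: Under `if (!this->trap || !this->trap_outbound_only)` a routed connection no longer installs the IN/FWD policies that block plaintext traffic matching its selectors until the tunnel is up, and nothing in this hunk records that weaker posture when the trap policies are installed. Because the flag is a daemon-wide setting, an operator reviewing an individual connection would not see it; a log line next to the skipped calls, e.g. `DBG1(DBG_CHD, "skipping inbound/forward trap policies (install_trap_outbound_only)");` in an `else` branch, would make the decision auditable at runtime (assuming the file's usual DBG1 logging macro, not visible in this hunk, is available here). The commit message already states the trade-off, so this is about visibility rather than a new defect in the logic.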
@@ -812,14 +821,18 @@ static void del_policies_internal(private_child_sa_t *this, | |
hydra->kernel_interface->del_policy(hydra->kernel_interface, | |
my_ts, other_ts, POLICY_OUT, this->reqid, | |
this->mark_out, priority); | |
- hydra->kernel_interface->del_policy(hydra->kernel_interface, | |
- other_ts, my_ts, POLICY_IN, this->reqid, | |
- this->mark_in, priority); | |
- if (this->mode != MODE_TRANSPORT) | |
+ | |
+ if (!this->trap || !this->trap_outbound_only) | |
{ | |
hydra->kernel_interface->del_policy(hydra->kernel_interface, | |
+ other_ts, my_ts, POLICY_IN, this->reqid, | |
+ this->mark_in, priority); | |
+ if (this->mode != MODE_TRANSPORT) | |
+ { | |
+ hydra->kernel_interface->del_policy(hydra->kernel_interface, | |
other_ts, my_ts, POLICY_FWD, this->reqid, | |
this->mark_in, priority); | |
+ } | |
} | |
} | |
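Review bot: The guard `if (!this->trap || !this->trap_outbound_only)` is now duplicated verbatim between install_policies_internal and this function; if the two ever drift, IN/FWD policies would either be left behind in the kernel or deleted although they were never added. Factoring it into one helper, `static inline bool inbound_policies_wanted(private_child_sa_t *this) { return !this->trap || !this->trap_outbound_only; }`, and calling it from both the add and the del paths keeps them symmetric by construction. del_policies_internal's signature and the start of its body lie before this hunk.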
@@ -1265,6 +1278,8 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, | |
.mark_in = config->get_mark(config, TRUE), | |
.mark_out = config->get_mark(config, FALSE), | |
.install_time = time_monotonic(NULL), | |
+ .trap_outbound_only = lib->settings->get_bool(lib->settings, | |
+ "%s.install_trap_outbound_only", FALSE, lib->ns), | |
); | |
this->config = config; | |
-- | |
1.9.1 |