vici: Add support for IPv6 Transport Proxy Mode

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index add81b9eff4eb6d692be0ab7cf22222ae10c81b0..b16e23a5aabc6065a7cf0aab49c62eb7cfff8c60 100644 (file)
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -463,7 +463,8 @@ static void log_child_data(child_data_t *data, char *name)
        DBG2(DBG_CFG, "   updown = %s", cfg->updown);
        DBG2(DBG_CFG, "   hostaccess = %u", cfg->hostaccess);
        DBG2(DBG_CFG, "   ipcomp = %u", cfg->ipcomp);
-       DBG2(DBG_CFG, "   mode = %N", ipsec_mode_names, cfg->mode);
+       DBG2(DBG_CFG, "   mode = %N%s", ipsec_mode_names, cfg->mode,
+                cfg->proxy_mode ? "_PROXY" : "");
        DBG2(DBG_CFG, "   policies = %u", data->policies);
        DBG2(DBG_CFG, "   policies_fwd_out = %u", data->policies_fwd_out);
        if (data->replay_window != REPLAY_UNDEFINED)
@@ -772,20 +773,22 @@ CALLBACK(parse_bool, bool,
  * Parse a ipsec_mode_t
  */
 CALLBACK(parse_mode, bool,
-       ipsec_mode_t *out, chunk_t v)
+       child_cfg_create_t *cfg, chunk_t v)
 {
        enum_map_t map[] = {
-               { "tunnel",             MODE_TUNNEL             },
-               { "transport",  MODE_TRANSPORT  },
-               { "beet",               MODE_BEET               },
-               { "drop",               MODE_DROP               },
-               { "pass",               MODE_PASS               },
+               { "tunnel",                             MODE_TUNNEL             },
+               { "transport",                  MODE_TRANSPORT  },
+               { "transport_proxy",    MODE_TRANSPORT  },
+               { "beet",                               MODE_BEET               },
+               { "drop",                               MODE_DROP               },
+               { "pass",                               MODE_PASS               },
        };
        int d;
 
        if (parse_map(map, countof(map), &d, v))
        {
-               *out = d;
+               cfg->mode = d;
+               cfg->proxy_mode = (d == MODE_TRANSPORT) && (v.len > 9);
                return TRUE;
        }
        return FALSE;
@@ -1383,7 +1386,7 @@ CALLBACK(child_kv, bool,
        parse_rule_t rules[] = {
                { "updown",                             parse_string,           &child->cfg.updown                                      },
                { "hostaccess",                 parse_bool,                     &child->cfg.hostaccess                          },
-               { "mode",                               parse_mode,                     &child->cfg.mode                                        },
+               { "mode",                               parse_mode,                     &child->cfg                                                     },
                { "policies",                   parse_bool,                     &child->policies                                        },
                { "policies_fwd_out",   parse_bool,                     &child->policies_fwd_out                        },
                { "replay_window",              parse_uint32,           &child->replay_window                           },

diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index e3a16f5eafecb28b39523d3fc7e793faedeef8a5..3f7d71e79a21725fc7afdbda53fba31ceda70964 100644 (file)
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -92,6 +92,29 @@ static void add_mark(vici_builder_t *b, mark_t mark,
        }
 }
 
+/**
+ * List the mode of a CHILD_SA or config
+ */
+static void list_mode(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
+{
+       ipsec_mode_t mode;
+       char *sub_mode = "";
+
+       if (child || cfg)
+       {
+               if (!cfg)
+               {
+                       cfg = child->get_config(child);
+               }
+               mode = child ? child->get_mode(child) : cfg->get_mode(cfg);
+               if (mode == MODE_TRANSPORT && cfg->use_proxy_mode(cfg))
+               {       /* only report this if the negotiated mode is actually TRANSPORT */
+                       sub_mode = "_PROXY";
+               }
+               b->add_kv(b, "mode", "%N%s", ipsec_mode_names, mode, sub_mode);
+       }
+}
+
 /**
  * List details of a CHILD_SA
  */
@@ -108,7 +131,7 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
        b->add_kv(b, "uniqueid", "%u", child->get_unique_id(child));
        b->add_kv(b, "reqid", "%u", child->get_reqid(child));
        b->add_kv(b, "state", "%N", child_sa_state_names, child->get_state(child));
-       b->add_kv(b, "mode", "%N", ipsec_mode_names, child->get_mode(child));
+       list_mode(b, child, NULL);
        if (child->get_state(child) == CHILD_INSTALLED ||
                child->get_state(child) == CHILD_REKEYING ||
                child->get_state(child) == CHILD_REKEYED)
@@ -455,7 +478,7 @@ static void raise_policy(private_vici_query_t *this, u_int id, child_sa_t *child
        b = vici_builder_create();
        b->begin_section(b, child->get_name(child));
 
-       b->add_kv(b, "mode", "%N", ipsec_mode_names, child->get_mode(child));
+       list_mode(b, child, NULL);
 
        b->begin_list(b, "local-ts");
        enumerator = child->create_ts_enumerator(child, TRUE);
@@ -495,7 +518,7 @@ static void raise_policy_cfg(private_vici_query_t *this, u_int id,
        b = vici_builder_create();
        b->begin_section(b, cfg->get_name(cfg));
 
-       b->add_kv(b, "mode", "%N", ipsec_mode_names, cfg->get_mode(cfg));
+       list_mode(b, NULL, cfg);
 
        b->begin_list(b, "local-ts");
        list = cfg->get_traffic_selectors(cfg, TRUE, NULL, NULL);
@@ -757,8 +780,7 @@ CALLBACK(list_conns, vici_message_t*,
                {
                        b->begin_section(b, child_cfg->get_name(child_cfg));
 
-                       b->add_kv(b, "mode", "%N", ipsec_mode_names,
-                               child_cfg->get_mode(child_cfg));
+                       list_mode(b, NULL, child_cfg);
 
                        lft = child_cfg->get_lifetime(child_cfg, FALSE);
                        b->add_kv(b, "rekey_time",    "%"PRIu64, lft->time.rekey);

diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index e74886641b29ed3de14661e36c1ada3f1b5fb278..327b8971db98c2309e6ad54f1607866ff7a0bd70 100644 (file)
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -654,11 +654,13 @@ connections.<conn>.children.<child>.hostaccess = yes
        Hostaccess variable to pass to **updown** script.
 
 connections.<conn>.children.<child>.mode = tunnel
-       IPsec Mode to establish (_tunnel_, _transport_, _beet_, _pass_ or _drop_).
+       IPsec Mode to establish (_tunnel_, _transport_, _transport_proxy_, _beet_,
+       _pass_ or _drop_).
 
        IPsec Mode to establish CHILD_SA with. _tunnel_ negotiates the CHILD_SA
-       in IPsec Tunnel Mode, whereas _transport_ uses IPsec Transport Mode. _beet_
-       is the Bound End to End Tunnel mixture mode, working with fixed inner
+       in IPsec Tunnel Mode, whereas _transport_ uses IPsec Transport Mode.
+       _transport_proxy_ signifying the special Mobile IPv6 Transport Proxy Mode.
+       _beet_ is the Bound End to End Tunnel mixture mode, working with fixed inner
        addresses without the need to include them in each packet.
 
        Both _transport_ and _beet_ modes are subject to mode negotiation; _tunnel_