traffic_selector_t *src;
/** policy destinaiton addresses */
traffic_selector_t *dst;
+ /** WFP allocated LUID for inbound filter ID */
+ u_int64_t policy_in;
+ /** WFP allocated LUID for outbound filter ID */
+ u_int64_t policy_out;
+ /** WFP allocated LUID for forward inbound filter ID, tunnel mode only */
+ u_int64_t policy_fwd_in;
+ /** WFP allocated LUID for forward outbound filter ID, tunnel mode only */
+ u_int64_t policy_fwd_out;
+ /** have installed a route for it? */
+ bool route;
} sp_entry_t;
/**
ipsec_mode_t mode;
/** UDP encapsulation */
bool encap;
- /** WFP allocated LUID for inbound filter ID */
- u_int64_t policy_in;
- /** WFP allocated LUID for outbound filter ID */
- u_int64_t policy_out;
- /** WFP allocated LUID for forward inbound filter ID, tunnel mode only */
- u_int64_t policy_fwd_in;
- /** WFP allocated LUID for forward outbound filter ID, tunnel mode only */
- u_int64_t policy_fwd_out;
/** provider context, for tunnel mode only */
u_int64_t provider;
/** WFP allocated LUID for SA context */
*/
static void cleanup_policies(private_kernel_wfp_ipsec_t *this, entry_t *entry)
{
- if (entry->policy_in)
- {
- FwpmFilterDeleteById0(this->handle, entry->policy_in);
- entry->policy_in = 0;
- }
- if (entry->policy_out)
- {
- FwpmFilterDeleteById0(this->handle, entry->policy_out);
- entry->policy_out = 0;
- }
+ enumerator_t *enumerator;
+ sp_entry_t *sp;
+
if (entry->mode == MODE_TUNNEL)
{
manage_routes(this, entry, FALSE);
- if (entry->policy_fwd_in)
+ }
+
+ enumerator = array_create_enumerator(entry->sps);
+ while (enumerator->enumerate(enumerator, &sp))
+ {
+ if (sp->policy_in)
{
- FwpmFilterDeleteById0(this->handle, entry->policy_fwd_in);
- entry->policy_fwd_in = 0;
+ FwpmFilterDeleteById0(this->handle, sp->policy_in);
+ sp->policy_in = 0;
}
- if (entry->policy_fwd_out)
+ if (sp->policy_out)
{
- FwpmFilterDeleteById0(this->handle, entry->policy_fwd_out);
- entry->policy_fwd_out = 0;
+ FwpmFilterDeleteById0(this->handle, sp->policy_out);
+ sp->policy_out = 0;
+ }
+ if (sp->policy_fwd_in)
+ {
+ FwpmFilterDeleteById0(this->handle, sp->policy_fwd_in);
+ sp->policy_fwd_in = 0;
+ }
+ if (sp->policy_fwd_out)
+ {
+ FwpmFilterDeleteById0(this->handle, sp->policy_fwd_out);
+ sp->policy_fwd_out = 0;
}
}
+ enumerator->destroy(enumerator);
}
/**
while (enumerator->enumerate(enumerator, &sp))
{
/* inbound policy */
- if (!install_sp(this, sp, context, TRUE, FALSE, &entry->policy_in))
+ if (!install_sp(this, sp, context, TRUE, FALSE, &sp->policy_in))
{
enumerator->destroy(enumerator);
return FALSE;
}
/* outbound policy */
- if (!install_sp(this, sp, context, FALSE, FALSE, &entry->policy_out))
+ if (!install_sp(this, sp, context, FALSE, FALSE, &sp->policy_out))
{
enumerator->destroy(enumerator);
return FALSE;
{
/* inbound forward policy, from decapsulation */
if (!install_sp(this, sp, context,
- TRUE, TRUE, &entry->policy_fwd_in))
+ TRUE, TRUE, &sp->policy_fwd_in))
{
enumerator->destroy(enumerator);
return FALSE;
}
/* outbound forward policy, to encapsulate */
if (!install_sp(this, sp, context,
- FALSE, TRUE, &entry->policy_fwd_out))
+ FALSE, TRUE, &sp->policy_fwd_out))
{
enumerator->destroy(enumerator);
return FALSE;
.trafficType = type,
},
};
+ enumerator_t *enumerator;
+ sp_entry_t *sp;
DWORD res;
if (type == IPSEC_TRAFFIC_TYPE_TRANSPORT)
{
- traffic.ipsecFilterId = entry->policy_out;
- spi.inboundIpsecTraffic.ipsecFilterId = entry->policy_in;
+ enumerator = array_create_enumerator(entry->sps);
+ if (enumerator->enumerate(enumerator, &sp))
+ {
+ traffic.ipsecFilterId = sp->policy_out;
+ spi.inboundIpsecTraffic.ipsecFilterId = sp->policy_in;
+ }
+ else
+ {
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ enumerator->destroy(enumerator);
}
else
{
enumerator = array_create_enumerator(entry->sps);
while (enumerator->enumerate(enumerator, &sp))
{
+ if (add && sp->route)
+ {
+ continue;
+ }
+ if (!add && !sp->route)
+ {
+ continue;
+ }
if (!sp->dst->to_subnet(sp->dst, &dst, &mask))
{
continue;
}
- if (hydra->kernel_interface->get_address_by_ts( hydra->kernel_interface,
+ if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
sp->src, &src, NULL) != SUCCESS)
{
dst->destroy(dst);
entry->remote, entry->local);
if (add)
{
- if (!install_route(this, dst, mask, src, gtw))
+ if (install_route(this, dst, mask, src, gtw))
+ {
+ sp->route = TRUE;
+ }
+ else
{
DBG1(DBG_KNL, "installing route for policy %R === %R failed",
sp->src, sp->dst);
}
else
{
- if (!uninstall_route(this, dst, mask, src, gtw))
+ if (uninstall_route(this, dst, mask, src, gtw))
+ {
+ sp->route = FALSE;
+ }
+ else
{
DBG1(DBG_KNL, "uninstalling route for policy %R === %R failed",
sp->src, sp->dst);
entry = this->osas->get(this->osas, &key);
if (entry)
{
- if (array_count(entry->sps) == 0)
+ if (sa->mode == MODE_TUNNEL || array_count(entry->sps) == 0)
{
INIT(sp,
.src = src_ts->clone(src_ts),
.dst = dst_ts->clone(dst_ts),
);
array_insert(entry->sps, -1, sp);
- if (!install(this, entry))
+ if (array_count(entry->sps) == sa->policy_count)
{
- status = FAILED;
+ if (!install(this, entry))
+ {
+ status = FAILED;
+ }
}
}
else
/* TODO: reinstall with a filter using multiple TS?
* Filters are ANDed for a match, but we could install a filter
* with the inverse TS set using NOT-matches... */
+ DBG1(DBG_KNL, "multiple transport mode traffic selectors not "
+ "supported by WFP");
status = NOT_SUPPORTED;
}
}
projects / thirdparty / strongswan.git / commitdiff
