From: Tobias Brunner
Date: Mon, 30 Aug 2010 10:19:37 +0000 (+0200)
Subject: Slightly refactored port floating.
X-Git-Tag: 4.5.0~383
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=277f02ce9e6a3bcf9faae587dbef5557c385f0ae;p=thirdparty%2Fstrongswan.git

Slightly refactored port floating. In case of MOBIKE, only float to port 4500 if the other peer actually supports MOBIKE.
---
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 83d1e003ef..b1638374d7 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -810,6 +810,20 @@ METHOD(ike_sa_t, get_pending_updates, u_int32_t,
 	return this->pending_updates;
 }
 
+METHOD(ike_sa_t, float_ports, void,
+	private_ike_sa_t *this)
+{
+	/* do not switch if we have a custom port from MOBIKE/NAT */
+	if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
+	{
+		this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
+	}
+	if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
+	{
+		this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
+	}
+}
+
 METHOD(ike_sa_t, update_hosts, void,
 	private_ike_sa_t *this, host_t *me, host_t *other)
 {
@@ -2023,6 +2037,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 		.get_other_host = _get_other_host,
 		.set_other_host = _set_other_host,
 		.set_message_id = _set_message_id,
+		.float_ports = _float_ports,
 		.update_hosts = _update_hosts,
 		.get_my_id = _get_my_id,
 		.set_my_id = _set_my_id,
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 34842a573e..c0007e27d9 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -328,6 +328,14 @@ struct ike_sa_t {
 	 */
 	void (*set_other_host) (ike_sa_t *this, host_t *other);
 
+	/**
+	 * Float to port 4500 (e.g. if a NAT is detected).
+	 *
+	 * The port of either endpoint is changed only if it is currently
+	 * set to the default value of 500.
+	 */
+	void (*float_ports)(ike_sa_t *this);
+
 	/**
 	 * Update the IKE_SAs host.
 	 *
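Review bot: float_ports() silently takes over the job of the `#ifdef ME` early return that this commit removes from ike_natd.c (a mediated connection whose destination port is already configured must not be floated again), but its comment only speaks of a custom port and says nothing about being called more than once. Since ike_me.c, ike_natd.c and ike_mobike.c can each call it on the same IKE_SA, suggest widening the comment to `/* do not switch if we have a custom port from MOBIKE/NAT/mediation; repeated calls are harmless, only IKEV2_UDP_PORT is ever replaced */`. Whether the order in which those tasks run matters cannot be told from the hunk; the port guard appears to make it irrelevant.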
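Review bot: The new doc comment for float_ports hard-codes 4500 and 500 while the implementation in ike_sa.c compares against IKEV2_UDP_PORT and sets IKEV2_NATT_PORT, so the two can drift apart; naming the constants also tells a caller exactly which check is made. Suggest `Float to IKEV2_NATT_PORT (4500), e.g. if a NAT is detected.` for the summary and `The port of either endpoint is changed only if it is currently IKEV2_UDP_PORT (500); ports set by MOBIKE, NAT or mediation are left alone, so the call is safe to repeat.` for the body.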
diff --git a/src/libcharon/sa/tasks/ike_me.c b/src/libcharon/sa/tasks/ike_me.c
index 2d2847ae05..a04bf56ecc 100644
--- a/src/libcharon/sa/tasks/ike_me.c
+++ b/src/libcharon/sa/tasks/ike_me.c
@@ -454,6 +454,9 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 					DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting");
 					return FAILED;
 				}
+				/* if we are on a mediation connection we switch to port 4500 even
+				 * if no NAT is detected. */
+				this->ike_sa->float_ports(this->ike_sa);
 				return NEED_MORE;
 			}
 			case IKE_AUTH:
diff --git a/src/libcharon/sa/tasks/ike_mobike.c b/src/libcharon/sa/tasks/ike_mobike.c
index a62886f02e..6dbd1bafd8 100644
--- a/src/libcharon/sa/tasks/ike_mobike.c
+++ b/src/libcharon/sa/tasks/ike_mobike.c
@@ -468,7 +468,18 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 	if (message->get_exchange_type(message) == IKE_AUTH &&
 		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
 	{
+		peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+
 		process_payloads(this, message);
+
+		/* if peer supports NAT-T and MOBIKE, we switch to port 4500 even
+		 * if no NAT is detected. MOBIKE requires this. */
+		if (peer_cfg->use_mobike(peer_cfg) &&
+			this->ike_sa->supports_extension(this->ike_sa, EXT_NATT) &&
+			this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+		{
+			this->ike_sa->float_ports(this->ike_sa);
+		}
 		return SUCCESS;
 	}
 	else if (message->get_exchange_type(message) == INFORMATIONAL)
diff --git a/src/libcharon/sa/tasks/ike_natd.c b/src/libcharon/sa/tasks/ike_natd.c
index 9ea20ba36e..c731178bb7 100644
--- a/src/libcharon/sa/tasks/ike_natd.c
+++ b/src/libcharon/sa/tasks/ike_natd.c
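Review bot: In ike_mobike.c the EXT_MOBIKE condition is evaluated immediately after process_payloads(this, message), and the commit message ("only float ... if the other peer actually supports MOBIKE") implies that call is what records the peer's MOBIKE support; nothing in the hunk states the dependency, so a later reordering would silently stop the float. If that is indeed where EXT_MOBIKE gets set, anchor it with `/* process_payloads() must run first: the EXT_MOBIKE check below relies on the notify it records */`. `peer_cfg` is dereferenced without a NULL check; for an initiator that has reached IKE_ESTABLISHED it is presumably always present (the removed ike_natd.c code made the same assumption even earlier, at IKE_SA_INIT), so a comment rather than a check seems sufficient. Making this decision after IKE_AUTH rather than at IKE_SA_INIT also means it presumably rests on what the peer announced in the authenticated exchange rather than on local configuration alone, which is worth a line in the commit message. process_i() begins and continues outside the hunk.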
@@ -264,42 +264,9 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
-		peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-
-#ifdef ME
-		/* if we are on a mediated connection we have already switched to
-		 * port 4500 and the correct destination port is already configured,
-		 * therefore we must not switch again */
-		if (peer_cfg->get_mediated_by(peer_cfg))
+		if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
 		{
-			return SUCCESS;
-		}
-#endif /* ME */
-
-		if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
-#ifdef ME
-			/* if we are on a mediation connection we switch to port 4500 even
-			 * if no NAT is detected. */
-			peer_cfg->is_mediation(peer_cfg) ||
-#endif /* ME */
-			/* if peer supports NAT-T, we switch to port 4500 even
-			 * if no NAT is detected. MOBIKE requires this. */
-			(peer_cfg->use_mobike(peer_cfg) &&
-			 this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
-		{
-			host_t *me, *other;
-
-			/* do not switch if we have a custom port from mobike/NAT */
-			me = this->ike_sa->get_my_host(this->ike_sa);
-			if (me->get_port(me) == IKEV2_UDP_PORT)
-			{
-				me->set_port(me, IKEV2_NATT_PORT);
-			}
-			other = this->ike_sa->get_other_host(this->ike_sa);
-			if (other->get_port(other) == IKEV2_UDP_PORT)
-			{
-				other->set_port(other, IKEV2_NATT_PORT);
-			}
+			this->ike_sa->float_ports(this->ike_sa);
 		}
 	}
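Review bot: The `#ifdef ME` early return for mediated connections disappears without any replacement in this file; correctness now depends on float_ports() leaving every port other than IKEV2_UDP_PORT untouched (the removed comment explains that the destination port is already configured on a mediated connection), and nothing left here records that. Suggest `/* mediation (ME) and MOBIKE floating now live in ike_me.c/ike_mobike.c; a mediated connection already has its port set and float_ports() will not touch it */` above the new `if`. The NAT-triggered float at IKE_SA_INIT itself is unchanged by the commit. process_i() starts before and ends after the hunk.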