charon-nm: Allow configurable remote traffic selectors
authorThomas <299636+heldchen@users.noreply.github.com>
Sun, 24 May 2020 11:54:31 +0000 (13:54 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 25 May 2020 09:50:46 +0000 (11:50 +0200)
This change allows customizing the previously hard-coded remote traffic
selectors.

This does not actually write the newly added "remote-ts" configuration option
into NetworkManager's configuration file, but will use an existing value.
Exposing the config setting in the GUI could be done later if this is a
desired change.

Use case:  remote firewall appliance wrongly accepts the `0.0.0.0/0` TS but
does not actually route external traffic, leaving the user with a partially
working internet connection.

Closes strongswan/strongswan#173.

src/charon-nm/nm/nm_service.c

index 771466a6300534b121a203c9b0fccd83ff404220..db4cf4faba888541218369ba87335b2753e7f802 100644 (file)
@@ -839,10 +839,34 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
        }
        ts = traffic_selector_create_dynamic(0, 0, 65535);
        child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-       ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
-       child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
-       ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
-       child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+       str = nm_setting_vpn_get_data_item(vpn, "remote-ts");
+       if (str && strlen(str))
+       {
+               enumerator = enumerator_create_token(str, ";", "");
+               while (enumerator->enumerate(enumerator, &str))
+               {
+                       ts = traffic_selector_create_from_cidr((char*)str, 0, 0, 65535);
+                       if (!ts)
+                       {
+                               g_set_error(err, NM_VPN_PLUGIN_ERROR,
+                                                       NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+                                                       "Invalid remote traffic selector.");
+                               enumerator->destroy(enumerator);
+                               child_cfg->destroy(child_cfg);
+                               peer_cfg->destroy(peer_cfg);
+                               return FALSE;
+                       }
+                       child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+               }
+               enumerator->destroy(enumerator);
+       }
+       else
+       {
+               ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
+               child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+               ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
+               child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+       }
        peer_cfg->add_child_cfg(peer_cfg, child_cfg);
 
        /**
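Review bot: The error raised for a bad "remote-ts" entry does not say which token failed, so an operator with a multi-entry value has to guess; since g_set_error takes a printf-style format, the message can carry it: `"Invalid remote traffic selector '%s'.", str`. On the same path, the token enumerator is created with an empty trim set (`enumerator_create_token(str, ";", "")`), so a value written as `10.0.0.0/8; 192.168.0.0/16` presumably hands ` 192.168.0.0/16` with a leading space to traffic_selector_create_from_cidr and fails the whole connection — passing `" "` as the trim argument, as other strongswan config parsing does, would avoid that. It is also worth a one-line comment above the `if (str && strlen(str))` that a "remote-ts" value whose every token is empty (e.g. `";"`) yields a child config with no remote traffic selector at all rather than the 0.0.0.0/0 and ::/0 defaults, if that is the intended behaviour. connect_ starts and ends outside this hunk, so whether the early `return FALSE` matches the cleanup the rest of the function does cannot be checked here.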