Add an option to enable faking of ARP packets only for specific CHILD_SAs farp-enable
authorTobias Brunner <tobias@strongswan.org>
Wed, 20 Mar 2013 15:51:05 +0000 (16:51 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 20 Mar 2013 15:51:05 +0000 (16:51 +0100)
man/strongswan.conf.5.in
src/libcharon/plugins/farp/farp_listener.c

index db19c7ef897fa8a3974afbb593913206891d6376..771f440c654be86054cea7aece6ff15b847bf793 100644 (file)
@@ -542,6 +542,11 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.farp.enable " [yes]"
 Enable faking of ARP responses for remote IP addresses of established CHILD_SAs
 .TP
+.BR charon.plugins.farp.only_for
+A comma-separated list of connection names for which ARP responses should be
+faked.  If not configured ARP responses will be generated for remote IP
+addresses of all established CHILD_SAs.
+.TP
 .BR charon.plugins.ha.fifo_interface " [yes]"
 
 .TP
index 81d5d2405dc758e268e8a58d56dc716816f388c6..ce289f048aec2013d10897476db1325ea351d356 100644 (file)
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -15,6 +18,7 @@
 
 #include "farp_listener.h"
 
+#include <daemon.h>
 #include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
@@ -35,6 +39,12 @@ struct private_farp_listener_t {
         */
        linked_list_t *entries;
 
+       /**
+        * List with connection names for which ARP packets should be faked,
+        * NULL to enable it for all SAs
+        */
+       linked_list_t *only_for;
+
        /**
         * RWlock for IP list
         */
@@ -62,6 +72,13 @@ METHOD(listener_t, child_updown, bool,
 
        if (up)
        {
+               if (this->only_for &&
+                       this->only_for->find_first(this->only_for, (void*)streq, NULL,
+                                                                          child_sa->get_name(child_sa)) != SUCCESS)
+               {
+                       return TRUE;
+               }
+
                INIT(entry,
                        .local = child_sa->get_traffic_selectors(child_sa, TRUE),
                        .remote = child_sa->get_traffic_selectors(child_sa, FALSE),
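Review bot: The early return added at the top of the up branch reads `this->only_for` without taking `this->lock`, and nothing in the hunk records why that is safe; as far as these hunks show the list is filled once in farp_listener_create() and only freed in destroy(), so a comment should state that invariant, e.g. `/* only_for is populated once at creation and never modified, so no lock is needed */`. The filter is an exact, case-sensitive `streq` against `child_sa->get_name()`, which is worth saying in the struct field's doc comment as well so operators do not expect prefix or wildcard matching. child_updown's signature and the remainder of its body lie outside the hunk.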
@@ -134,6 +151,7 @@ METHOD(farp_listener_t, has_tunnel, bool,
 METHOD(farp_listener_t, destroy, void,
        private_farp_listener_t *this)
 {
+       DESTROY_FUNCTION_IF(this->only_for, (void*)free);
        this->entries->destroy(this->entries);
        this->lock->destroy(this->lock);
        free(this);
@@ -145,6 +163,7 @@ METHOD(farp_listener_t, destroy, void,
 farp_listener_t *farp_listener_create()
 {
        private_farp_listener_t *this;
+       char *names;
 
        INIT(this,
                .public = {
@@ -158,6 +177,25 @@ farp_listener_t *farp_listener_create()
                .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
        );
 
+       names = lib->settings->get_str(lib->settings, "%s.plugins.farp.only_for",
+                                                                  NULL, charon->name);
+       if (names)
+       {
+               enumerator_t *enumerator;
+               char *name;
+
+               enumerator = enumerator_create_token(names, ",", " ");
+               while (enumerator->enumerate(enumerator, &name))
+               {
+                       if (!this->only_for)
+                       {
+                               this->only_for = linked_list_create();
+                       }
+                       this->only_for->insert_last(this->only_for, strdup(name));
+               }
+               enumerator->destroy(enumerator);
+       }
+
        return &this->public;
 }
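Review bot: A present but empty `only_for` value, or one containing only separators, leaves `this->only_for` NULL because the list is only created inside the loop once a first token is seen, so the allowlist silently degrades to faking ARP responses for every CHILD_SA. If an empty list is meant to disable faking, create the list before the loop with `this->only_for = linked_list_create();` and reduce the loop body to `this->only_for->insert_last(this->only_for, strdup(name));`; if the fall-back to all SAs is intended, a comment at the `if (names)` check saying so would stop the next reader from "fixing" it. Either way the parsed names are never logged, so a misspelled connection name is indistinguishable from an intentional omission; a `DBG1(DBG_CFG, ...)` line after the loop listing the accepted names would let an operator verify the configuration. farp_listener_create() begins in the preceding hunk.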