const GUID FWPM_CONDITION_IP_LOCAL_ADDRESS = {
0xd9ee00de, 0xc1ef, 0x4617, { 0xbf,0xe3,0xff,0xd8,0xf5,0xa0,0x89,0x57 }
};
+const GUID FWPM_CONDITION_IP_SOURCE_ADDRESS = {
+ 0xae96897e, 0x2e94, 0x4bc9, { 0xb3,0x13,0xb2,0x7e,0xe8,0x0e,0x57,0x4d }
+};
+const GUID FWPM_CONDITION_IP_DESTINATION_ADDRESS = {
+ 0x2d79133b, 0xb390, 0x45c6, { 0x86,0x99,0xac,0xac,0xea,0xaf,0xed,0x33 }
+};
const GUID FWPM_CONDITION_IP_LOCAL_PORT = {
0x0c1ba1af, 0x5765, 0x453f, { 0xaf,0x22,0xa8,0xf7,0x91,0xac,0x77,0x5b }
};
const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V6 = {
0xe1735bde, 0x013f, 0x4655, { 0xb3,0x51,0xa4,0x9e,0x15,0x76,0x2d,0xf0 }
};
+const GUID FWPM_LAYER_IPFORWARD_V4 = {
+ 0xa82acc24, 0x4ee1, 0x4ee1, { 0xb4,0x65,0xfd,0x1d,0x25,0xcb,0x10,0xa4}
+};
+const GUID FWPM_LAYER_IPFORWARD_V6 = {
+ 0x7b964818, 0x19c7, 0x493a, { 0xb7,0x1f,0x83,0x2c,0x36,0x84,0xd2,0x8c }
+};
const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 = {
0x5132900d, 0x5e84, 0x4b5f, { 0x80,0xe4,0x01,0x74,0x1e,0x81,0xff,0x10 }
};
const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 = {
0xf1835363, 0xa6a5, 0x4e62, { 0xb1,0x80,0x23,0xdb,0x78,0x9d,0x8d,0xa6 }
};
+const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 = {
+ 0x28829633, 0xc4f0, 0x4e66, { 0x87,0x3f,0x84,0x4d,0xb2,0xa8,0x99,0xc7 }
+};
+const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 = {
+ 0xaf50bec2, 0xc686, 0x429a, { 0x88,0x4d,0xb7,0x44,0x43,0xe7,0xb0,0xb4 }
+};
+const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 = {
+ 0xfb532136, 0x15cb, 0x440b, { 0x93,0x7c,0x17,0x17,0xca,0x32,0x0c,0x40 }
+};
+const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 = {
+ 0xdae640cc, 0xe021, 0x4bee, { 0x9e,0xb6,0xa4,0x8b,0x27,0x5c,0x8c,0x1d }
+};
/**
* Load a function symbol from a loaded dll
u_int64_t policy_in;
/** WFP allocated LUID for outbound filter ID */
u_int64_t policy_out;
+ /** WFP allocated LUID for forward inbound filter ID, tunnel mode only */
+ u_int64_t policy_fwd_in;
+ /** WFP allocated LUID for forward outbound filter ID, tunnel mode only */
+ u_int64_t policy_fwd_out;
/** provider context, for tunnel mode only */
u_int64_t provider;
/** WFP allocated LUID for SA context */
if (entry->mode == MODE_TUNNEL)
{
manage_routes(this, entry, FALSE);
+ if (entry->policy_fwd_in)
+ {
+ FwpmFilterDeleteById0(this->handle, entry->policy_fwd_in);
+ entry->policy_fwd_in = 0;
+ }
+ if (entry->policy_fwd_out)
+ {
+ FwpmFilterDeleteById0(this->handle, entry->policy_fwd_out);
+ entry->policy_fwd_out = 0;
+ }
}
}
/**
* (Re-)allocate filter conditions for given local or remote traffic selector
*/
-static bool ts2condition(traffic_selector_t *ts, bool local,
+static bool ts2condition(traffic_selector_t *ts, const GUID *target,
FWPM_FILTER_CONDITION0 *conds[], int *count)
{
FWPM_FILTER_CONDITION0 *cond;
to_port = ts->get_to_port(ts);
cond = append_condition(conds, count);
- if (local)
- {
- cond->fieldKey = FWPM_CONDITION_IP_LOCAL_ADDRESS;
- }
- else
- {
- cond->fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
- }
+ cond->fieldKey = *target;
if (ts->is_host(ts, NULL))
{
cond->matchType = FWP_MATCH_EQUAL;
}
proto = ts->get_protocol(ts);
- if (proto && local)
+ if (proto && target == &FWPM_CONDITION_IP_LOCAL_ADDRESS)
{
cond = append_condition(conds, count);
cond->fieldKey = FWPM_CONDITION_IP_PROTOCOL;
if (proto == IPPROTO_ICMP)
{
- if (local)
+ if (target == &FWPM_CONDITION_IP_LOCAL_ADDRESS)
{
u_int8_t from_type, to_type, from_code, to_code;
}
else if (from_port != 0 || to_port != 0xFFFF)
{
- cond = append_condition(conds, count);
- if (local)
+ if (target == &FWPM_CONDITION_IP_LOCAL_ADDRESS)
{
+ cond = append_condition(conds, count);
cond->fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
+ range2cond(cond, from_port, to_port);
}
- else
+ if (target == &FWPM_CONDITION_IP_REMOTE_ADDRESS)
{
+ cond = append_condition(conds, count);
cond->fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
+ range2cond(cond, from_port, to_port);
}
- range2cond(cond, from_port, to_port);
}
return TRUE;
}
free(conds);
}
+/**
+ * Find the callout GUID for given parameters
+ */
+static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward,
+ GUID *layer, GUID *callout)
+{
+ struct {
+ bool tunnel;
+ bool v6;
+ bool inbound;
+ bool forward;
+ const GUID *layer;
+ const GUID *callout;
+ } map[] = {
+ { 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4,
+ &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 },
+ { 0, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4,
+ &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 },
+ { 0, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6,
+ &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 },
+ { 0, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6,
+ &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 },
+ { 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4,
+ &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 },
+ { 1, 0, 0, 1, &FWPM_LAYER_IPFORWARD_V4,
+ &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 },
+ { 1, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4,
+ &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 },
+ { 1, 0, 1, 1, &FWPM_LAYER_IPFORWARD_V4,
+ &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 },
+ { 1, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6,
+ &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 },
+ { 1, 1, 0, 1, &FWPM_LAYER_IPFORWARD_V6,
+ &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 },
+ { 1, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6,
+ &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 },
+ { 1, 1, 1, 1, &FWPM_LAYER_IPFORWARD_V6,
+ &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 },
+ };
+ int i;
+
+ for (i = 0; i < countof(map); i++)
+ {
+ if (tunnel == map[i].tunnel &&
+ v6 == map[i].v6 &&
+ inbound == map[i].inbound &&
+ forward == map[i].forward)
+ {
+ *callout = *map[i].callout;
+ *layer = *map[i].layer;
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
/**
* Install a single policy in to the kernel
*/
-static bool install_sp(private_kernel_wfp_ipsec_t *this,
- entry_t *entry, GUID *context, bool inbound)
+static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp,
+ GUID *context, bool inbound, bool fwd, UINT64 *filter_id)
{
FWPM_FILTER_CONDITION0 *conds = NULL;
- int count = 0;
- enumerator_t *enumerator;
traffic_selector_t *local, *remote;
- sp_entry_t *sp;
+ const GUID *ltarget, *rtarget;
+ int count = 0;
+ bool v6;
DWORD res;
FWPM_FILTER0 filter = {
.displayData = {
.action = {
.type = FWP_ACTION_CALLOUT_TERMINATING,
},
- .layerKey = inbound ? FWPM_LAYER_INBOUND_TRANSPORT_V4 :
- FWPM_LAYER_OUTBOUND_TRANSPORT_V4,
};
if (context)
{
- if (inbound)
- {
- filter.action.calloutKey = FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4;
- }
- else
- {
- filter.action.calloutKey = FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4;
- }
filter.flags |= FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT;
- filter.providerKey = (GUID*)&this->provider.providerKey,
- memcpy(&filter.providerContextKey, context, sizeof(GUID));
+ filter.providerKey = (GUID*)&this->provider.providerKey;
+ filter.providerContextKey = *context;
+ }
+
+ v6 = sp->src->get_type(sp->src) == TS_IPV6_ADDR_RANGE;
+ if (!find_callout(context != NULL, v6, inbound, fwd,
+ &filter.layerKey, &filter.action.calloutKey))
+ {
+ return FALSE;
+ }
+
+ if (inbound && fwd)
+ {
+ local = sp->dst;
+ remote = sp->src;
}
else
{
- if (inbound)
- {
- filter.action.calloutKey = FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4;
- }
- else
- {
- filter.action.calloutKey = FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4;
- }
+ local = sp->src;
+ remote = sp->dst;
+ }
+ if (fwd)
+ {
+ ltarget = &FWPM_CONDITION_IP_SOURCE_ADDRESS;
+ rtarget = &FWPM_CONDITION_IP_DESTINATION_ADDRESS;
+ }
+ else
+ {
+ ltarget = &FWPM_CONDITION_IP_LOCAL_ADDRESS;
+ rtarget = &FWPM_CONDITION_IP_REMOTE_ADDRESS;
}
+ if (!ts2condition(local, ltarget, &conds, &count) ||
+ !ts2condition(remote, rtarget, &conds, &count))
+ {
+ free_conditions(conds, count);
+ return FALSE;
+ }
+
+ filter.numFilterConditions = count;
+ filter.filterCondition = conds;
+
+ res = FwpmFilterAdd0(this->handle, &filter, NULL, filter_id);
+ free_conditions(conds, count);
+ if (res != ERROR_SUCCESS)
+ {
+ DBG1(DBG_KNL, "installing %s%sbound WFP filter failed: 0x%08x",
+ fwd ? "forward " : "", inbound ? "in" : "out", res);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Install a set of policies in to the kernel
+ */
+static bool install_sps(private_kernel_wfp_ipsec_t *this,
+ entry_t *entry, GUID *context)
+{
+ enumerator_t *enumerator;
+ sp_entry_t *sp;
enumerator = array_create_enumerator(entry->sps);
while (enumerator->enumerate(enumerator, &sp))
{
- if (inbound)
+ /* inbound policy */
+ if (!install_sp(this, sp, context, TRUE, FALSE, &entry->policy_in))
{
- local = sp->dst;
- remote = sp->src;
- }
- else
- {
- local = sp->src;
- remote = sp->dst;
+ enumerator->destroy(enumerator);
+ return FALSE;
}
-
- if (!ts2condition(local, TRUE, &conds, &count) ||
- !ts2condition(remote, FALSE, &conds, &count))
+ /* outbound policy */
+ if (!install_sp(this, sp, context, FALSE, FALSE, &entry->policy_out))
{
- free_conditions(conds, count);
enumerator->destroy(enumerator);
return FALSE;
}
+ if (context)
+ {
+ if (!sp->src->is_host(sp->src, entry->local) ||
+ !sp->dst->is_host(sp->dst, entry->remote))
+ {
+ /* inbound forward policy, from decapsulation */
+ if (!install_sp(this, sp, context,
+ TRUE, TRUE, &entry->policy_fwd_in))
+ {
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ /* outbound forward policy, to encapsulate */
+ if (!install_sp(this, sp, context,
+ FALSE, TRUE, &entry->policy_fwd_out))
+ {
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ }
}
enumerator->destroy(enumerator);
- filter.numFilterConditions = count;
- filter.filterCondition = conds;
-
- if (inbound)
- {
- res = FwpmFilterAdd0(this->handle, &filter, NULL, &entry->policy_in);
- }
- else
- {
- res = FwpmFilterAdd0(this->handle, &filter, NULL, &entry->policy_out);
- }
- free_conditions(conds, count);
- if (res != ERROR_SUCCESS)
- {
- DBG1(DBG_KNL, "installing %sbound FWP filter failed: 0x%08x",
- inbound ? "in" : "out", res);
- return FALSE;
- }
return TRUE;
}
*/
static bool install_transport(private_kernel_wfp_ipsec_t *this, entry_t *entry)
{
- if (install_sp(this, entry, NULL, TRUE) &&
- install_sp(this, entry, NULL, FALSE) &&
+ if (install_sps(this, entry, NULL) &&
install_sas(this, entry, IPSEC_TRAFFIC_TYPE_TRANSPORT))
{
return TRUE;
}
/**
- * Install tunnel mode SPs to the kernel
+ * Register a dummy tunnel provider to associate tunnel filters to
*/
-static bool install_tunnel_sps(private_kernel_wfp_ipsec_t *this, entry_t *entry)
+static bool add_tunnel_provider(private_kernel_wfp_ipsec_t *this,
+ entry_t *entry, GUID *guid, UINT64 *luid)
{
DWORD res;
};
FWPM_PROVIDER_CONTEXT0 qm = {
.displayData = {
- .name = L"charon tunnel provider context",
+ .name = L"charon tunnel provider",
},
.providerKey = (GUID*)&this->provider.providerKey,
.type = FWPM_IPSEC_IKE_QM_TUNNEL_CONTEXT,
break;
case AF_INET6:
policy.tunnelEndpoints.ipVersion = FWP_IP_VERSION_V6;
- memcpy(&policy.tunnelEndpoints.localV6Address,
- entry->local->get_address(entry->local).ptr, 16);
- memcpy(&policy.tunnelEndpoints.remoteV6Address,
- entry->remote->get_address(entry->remote).ptr, 16);
+ host2address6(entry->local, &policy.tunnelEndpoints.localV6Address);
+ host2address6(entry->remote, &policy.tunnelEndpoints.remoteV6Address);
break;
default:
return FALSE;
return FALSE;
}
- res = FwpmProviderContextAdd0(this->handle, &qm, NULL, &entry->provider);
+ res = FwpmProviderContextAdd0(this->handle, &qm, NULL, luid);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "adding provider context failed: 0x%08x", res);
return FALSE;
}
+ *guid = qm.providerContextKey;
+ return TRUE;
+}
- if (!install_sp(this, entry, &qm.providerContextKey, TRUE) ||
- !install_sp(this, entry, &qm.providerContextKey, FALSE))
+/**
+ * Install tunnel mode SPs to the kernel
+ */
+static bool install_tunnel_sps(private_kernel_wfp_ipsec_t *this, entry_t *entry)
+{
+ GUID guid;
+
+ if (!add_tunnel_provider(this, entry, &guid, &entry->provider))
+ {
+ return FALSE;
+ }
+ if (!install_sps(this, entry, &guid))
{
return FALSE;
}
typedef struct {
/** reqid this trap is installed for */
u_int32_t reqid;
- /** local traffic selector */
- traffic_selector_t *local;
- /** remote traffic selector */
- traffic_selector_t *remote;
+ /** is this a forward policy trap for tunnel mode? */
+ bool fwd;
+ /** src traffic selector */
+ traffic_selector_t *src;
+ /** dst traffic selector */
+ traffic_selector_t *dst;
/** LUID of installed tunnel policy filter */
UINT64 filter_id;
} trap_t;
*/
static void destroy_trap(trap_t *this)
{
- this->local->destroy(this->local);
- this->remote->destroy(this->remote);
+ this->src->destroy(this->src);
+ this->dst->destroy(this->dst);
free(this);
}
FWPM_FILTER_CONDITION0 *conds = NULL;
int count = 0;
DWORD res;
+ const GUID *starget, *dtarget;
UINT64 weight = 0x000000000000ff00;
FWPM_FILTER0 filter = {
.displayData = {
},
};
- switch (trap->local->get_type(trap->local))
+ if (trap->fwd)
{
- case TS_IPV4_ADDR_RANGE:
+ if (trap->src->get_type(trap->src) == TS_IPV4_ADDR_RANGE)
+ {
+ filter.layerKey = FWPM_LAYER_IPFORWARD_V4;
+ }
+ else
+ {
+ filter.layerKey = FWPM_LAYER_IPFORWARD_V6;
+ }
+ starget = &FWPM_CONDITION_IP_SOURCE_ADDRESS;
+ dtarget = &FWPM_CONDITION_IP_DESTINATION_ADDRESS;
+ }
+ else
+ {
+ if (trap->src->get_type(trap->src) == TS_IPV4_ADDR_RANGE)
+ {
filter.layerKey = FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
- break;
- case TS_IPV6_ADDR_RANGE:
+ }
+ else
+ {
filter.layerKey = FWPM_LAYER_OUTBOUND_TRANSPORT_V6;
- break;
+ }
+ starget = &FWPM_CONDITION_IP_LOCAL_ADDRESS;
+ dtarget = &FWPM_CONDITION_IP_REMOTE_ADDRESS;
}
- if (!ts2condition(trap->local, TRUE, &conds, &count) ||
- !ts2condition(trap->remote, FALSE, &conds, &count))
+ if (!ts2condition(trap->src, starget, &conds, &count) ||
+ !ts2condition(trap->dst, dtarget, &conds, &count))
{
free_conditions(conds, count);
return FALSE;
free_conditions(conds, count);
if (res != ERROR_SUCCESS)
{
- DBG1(DBG_KNL, "installing FWP trap filter failed: 0x%08x", res);
+ DBG1(DBG_KNL, "installing WFP trap filter failed: 0x%08x", res);
return FALSE;
}
return TRUE;
res = FwpmFilterDeleteById0(this->handle, trap->filter_id);
if (res != ERROR_SUCCESS)
{
- DBG1(DBG_KNL, "uninstalling FWP trap filter failed: 0x%08x", res);
+ DBG1(DBG_KNL, "uninstalling WFP trap filter failed: 0x%08x", res);
return FALSE;
}
return TRUE;
/**
* Create and install a new trap entry
*/
-static bool add_trap(private_kernel_wfp_ipsec_t *this, u_int32_t reqid,
- traffic_selector_t *local, traffic_selector_t *remote)
+static bool add_trap(private_kernel_wfp_ipsec_t *this,
+ u_int32_t reqid, bool fwd,
+ traffic_selector_t *src, traffic_selector_t *dst)
{
trap_t *trap;
INIT(trap,
.reqid = reqid,
- .local = local->clone(local),
- .remote = remote->clone(remote),
+ .fwd = fwd,
+ .src = src->clone(src),
+ .dst = dst->clone(dst),
);
if (!install_trap(this, trap))
/**
* Uninstall and remove a new trap entry
*/
-static bool remove_trap(private_kernel_wfp_ipsec_t *this, u_int32_t reqid,
- traffic_selector_t *local, traffic_selector_t *remote)
+static bool remove_trap(private_kernel_wfp_ipsec_t *this,
+ u_int32_t reqid, bool fwd,
+ traffic_selector_t *src, traffic_selector_t *dst)
{
enumerator_t *enumerator;
trap_t *trap, *found = NULL;
while (enumerator->enumerate(enumerator, NULL, &trap))
{
if (reqid == trap->reqid &&
- local->equals(local, trap->local) &&
- remote->equals(remote, trap->remote))
+ fwd == trap->fwd &&
+ src->equals(src, trap->src) &&
+ dst->equals(dst, trap->dst))
{
this->traps->remove_at(this->traps, enumerator);
found = trap;
case POLICY_PRIORITY_DEFAULT:
break;
case POLICY_PRIORITY_ROUTED:
- if (add_trap(this, sa->reqid, src_ts, dst_ts))
+ if (!add_trap(this, sa->reqid, FALSE, src_ts, dst_ts))
+ {
+ return FAILED;
+ }
+ if (sa->mode == MODE_TUNNEL)
{
- return SUCCESS;
+ if (!add_trap(this, sa->reqid, TRUE, src_ts, dst_ts))
+ {
+ return FAILED;
+ }
}
- return FAILED;
+ return SUCCESS;
case POLICY_PRIORITY_FALLBACK:
default:
return NOT_SUPPORTED;
{
if (direction == POLICY_OUT && priority == POLICY_PRIORITY_ROUTED)
{
- if (remove_trap(this, reqid, src_ts, dst_ts))
+ if (remove_trap(this, reqid, FALSE, src_ts, dst_ts))
{
+ remove_trap(this, reqid, TRUE, src_ts, dst_ts);
return SUCCESS;
}
return NOT_FOUND;
free_conditions(conds, count);
if (res != ERROR_SUCCESS)
{
- DBG1(DBG_KNL, "installing FWP trap filter failed: 0x%08x", res);
+ DBG1(DBG_KNL, "installing WFP bypass filter failed: 0x%08x", res);
return FALSE;
}
return TRUE;
projects / thirdparty / strongswan.git / commitdiff
