cfg->set_mark_in.value, cfg->set_mark_in.mask);
DBG2(DBG_CFG, " set_mark_out = %u/%u",
cfg->set_mark_out.value, cfg->set_mark_out.mask);
+ DBG2(DBG_CFG, " label = %s",
+ cfg->label ? cfg->label->get_string(cfg->label) : NULL);
+ DBG2(DBG_CFG, " label_mode = %N", sec_label_mode_names, cfg->label_mode);
DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity);
DBG2(DBG_CFG, " proposals = %#P", data->proposals);
DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
offsetof(traffic_selector_t, destroy));
data->remote_ts->destroy_offset(data->remote_ts,
offsetof(traffic_selector_t, destroy));
+ DESTROY_IF(data->cfg.label);
free(data->cfg.updown);
free(data->cfg.interface);
}
return if_id_from_string(buf, out);
}
+/**
+ * Parse security label
+ */
+CALLBACK(parse_label, bool,
+ sec_label_t **out, chunk_t v)
+{
+ char buf[BUF_LEN];
+
+ if (!vici_stringify(v, buf, sizeof(buf)))
+ {
+ return FALSE;
+ }
+ *out = sec_label_from_string(buf);
+ return *out != NULL;
+}
+
+/**
+ * Parse security label mode
+ */
+CALLBACK(parse_label_mode, bool,
+ sec_label_mode_t *out, chunk_t v)
+{
+ char buf[BUF_LEN];
+
+ if (!vici_stringify(v, buf, sizeof(buf)) ||
+ !sec_label_mode_from_string(buf, out))
+ {
+ return FALSE;
+ }
+ return TRUE;
+}
+
/**
* Parse TFC padding option
*/
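Review bot: `parse_label` assigns `*out = sec_label_from_string(buf);` without releasing whatever `*out` already holds, so a vici request that carries the `label` key twice for the same child leaks the first `sec_label_t` (and a second, invalid value then leaves a dangling reference to a freed-nothing, since `*out` becomes NULL). The neighbouring `parse_if_id` and the string-valued callbacks appear to follow the same overwrite pattern, so this may be an accepted convention in this file, but a label is an allocated object rather than a scalar; releasing it first costs one line, `DESTROY_IF(*out);` before the assignment. It is also worth a short comment on the callback that `FALSE` is returned both when the value does not fit `BUF_LEN` and when `sec_label_from_string()` rejects the string, so callers cannot tell an overlong label from a malformed one from the return value alone; e.g. `/* rejects labels longer than BUF_LEN-1 or not accepted by sec_label_from_string() */`.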
{ "copy_dscp", parse_copy_dscp, &child->cfg.copy_dscp },
{ "if_id_in", parse_if_id, &child->cfg.if_id_in },
{ "if_id_out", parse_if_id, &child->cfg.if_id_out },
+ { "label", parse_label, &child->cfg.label },
+ { "label_mode", parse_label_mode, &child->cfg.label_mode },
};
return parse_rules(rules, countof(rules), name, value,
The daemon will not install routes for CHILD_SAs that have this option set.
+connections.<conn>.children.<child>.label
+ Optional security label (e.g. SELinux context), IKEv2 only. Refer to
+ **label_mode** for details on how labels are processed.
+
+connections.<conn>.children.<child>.label_mode = system
+ Security label mode (_system_, _simple_ or _selinux_), IKEv2 only.
+
+ Defines the mode in which the configured security label is used. The default
+ value of _system_ selects _selinux_ if strongSwan was built with SELinux
+ support and SELinux is enabled by the kernel, otherwise, _simple_ will be
+ selected.
+
+ If set to _simple_, the label will be used as is as an additional
+ identifier/selector on the IKEv2 level when negotiating CHILD_SAs and
+ selecting configs, labels are not installed in the kernel and received
+ labels have to match exactly.
+
+ If set to _selinux_, which is only allowed if SELinux is usable on the
+ system, the configured label is expected to be a generic context (e.g.
+ _system_u:object_r:ipsec_spd_t:s0_) for which flows, whose context match it
+ via association:polmatch, will trigger an acquire if no SA exists yet for
+ the flow's specific context. The configured label is installed on (trap)
+ policies, so this should generally be combined with _trap_ in
+ **start_action**. However, if the connection is initiated directly,
+ without acquire, a childless IKE_SA is established and appropriate trap
+ policies are installed on both ends. Labels received from peers are accepted
+ if they match the configured label via association:polmatch.
+
connections.<conn>.children.<child>.tfc_padding = 0
Traffic Flow Confidentiality padding.