child_sa = child_sa_create(ike_sa->get_my_host(ike_sa),
ike_sa->get_other_host(ike_sa), config, 0,
- ike_sa->has_condition(ike_sa, COND_NAT_ANY));
+ ike_sa->has_condition(ike_sa, COND_NAT_ANY),
+ 0, 0);
child_sa->set_mode(child_sa, mode);
child_sa->set_protocol(child_sa, PROTO_ESP);
child_sa->set_ipcomp(child_sa, ipcomp);
if (!this->reqid_allocated)
{
status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
- my_ts, other_ts, &this->mark_in, &this->mark_out,
+ my_ts, other_ts, this->mark_in, this->mark_out,
&this->reqid);
if (status != SUCCESS)
{
/* trap policy, get or confirm reqid */
status = hydra->kernel_interface->alloc_reqid(
hydra->kernel_interface, my_ts_list, other_ts_list,
- &this->mark_in, &this->mark_out, &this->reqid);
+ this->mark_in, this->mark_out, &this->reqid);
if (status != SUCCESS)
{
return status;
* Described in header.
*/
child_sa_t * child_sa_create(host_t *me, host_t* other,
- child_cfg_t *config, u_int32_t rekey, bool encap)
+ child_cfg_t *config, u_int32_t rekey, bool encap,
+ u_int mark_in, u_int mark_out)
{
private_child_sa_t *this;
- static refcount_t unique_id = 0;
+ static refcount_t unique_id = 0, unique_mark = 0, mark;
INIT(this,
.public = {
this->config = config;
config->get_ref(config);
+ if (mark_in)
+ {
+ this->mark_in.value = mark_in;
+ }
+ if (mark_out)
+ {
+ this->mark_out.value = mark_out;
+ }
+ if (this->mark_in.value == MARK_UNIQUE ||
+ this->mark_out.value == MARK_UNIQUE)
+ {
+ mark = ref_get(&unique_mark);
+ if (this->mark_in.value == MARK_UNIQUE)
+ {
+ this->mark_in.value = mark;
+ }
+ if (this->mark_out.value == MARK_UNIQUE)
+ {
+ this->mark_out.value = mark;
+ }
+ }
+
if (!this->reqid)
{
/* reuse old reqid if we are rekeying an existing CHILD_SA. While the
* @param config config to use for this CHILD_SA
* @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
* @param encap TRUE to enable UDP encapsulation (NAT traversal)
+ * @param mark_in explicit inbound mark value to use, 0 for config
+ * @param mark_out explicit outbound mark value to use, 0 for config
* @return child_sa_t object
*/
child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
- u_int32_t reqid, bool encap);
+ u_int32_t reqid, bool encap,
+ u_int mark_in, u_int mark_out);
#endif /** CHILD_SA_H_ @}*/
task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg),
get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE));
task->use_reqid(task, child_sa->get_reqid(child_sa));
+ task->use_marks(task, child_sa->get_mark(child_sa, TRUE).value,
+ child_sa->get_mark(child_sa, FALSE).value);
task->rekey(task, child_sa->get_spi(child_sa, TRUE));
queue_task(this, &task->task);
*/
u_int32_t reqid;
+ /**
+ * Explicit inbound mark value to use, if any
+ */
+ u_int mark_in;
+
+ /**
+ * Explicit inbound mark value to use, if any
+ */
+ u_int mark_out;
+
/**
* SPI of SA we rekey
*/
this->child_sa = child_sa_create(
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
- this->config, this->reqid, this->udp);
+ this->config, this->reqid, this->udp,
+ this->mark_in, this->mark_out);
if (this->udp && this->mode == MODE_TRANSPORT)
{
{
this->reqid = child_sa->get_reqid(child_sa);
this->rekey = child_sa->get_spi(child_sa, TRUE);
+ this->mark_in = child_sa->get_mark(child_sa,
+ TRUE).value;
+ this->mark_out = child_sa->get_mark(child_sa,
+ FALSE).value;
child_sa->set_state(child_sa, CHILD_REKEYING);
DBG1(DBG_IKE, "detected rekeying of CHILD_SA %s{%u}",
child_sa->get_name(child_sa), this->reqid);
this->child_sa = child_sa_create(
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
- this->config, this->reqid, this->udp);
+ this->config, this->reqid, this->udp,
+ this->mark_in, this->mark_out);
tsi = linked_list_create_with_items(this->tsi, NULL);
tsr = linked_list_create_with_items(this->tsr, NULL);
this->reqid = reqid;
}
+METHOD(quick_mode_t, use_marks, void,
+ private_quick_mode_t *this, u_int in, u_int out)
+{
+ this->mark_in = in;
+ this->mark_out = out;
+}
+
METHOD(quick_mode_t, rekey, void,
private_quick_mode_t *this, u_int32_t spi)
{
this->dh = NULL;
this->spi_i = 0;
this->spi_r = 0;
+ this->mark_in = 0;
+ this->mark_out = 0;
if (!this->initiator)
{
.destroy = _destroy,
},
.use_reqid = _use_reqid,
+ .use_marks = _use_marks,
.rekey = _rekey,
},
.ike_sa = ike_sa,
*/
void (*use_reqid)(quick_mode_t *this, u_int32_t reqid);
+ /**
+ * Use specific mark values, overriding configuration.
+ *
+ * @param in inbound mark value
+ * @param out outbound mark value
+ */
+ void (*use_marks)(quick_mode_t *this, u_int in, u_int out);
+
/**
* Set the SPI of the old SA, if rekeying.
*
*/
u_int32_t reqid;
+ /**
+ * Explicit inbound mark value
+ */
+ u_int mark_in;
+
+ /**
+ * Explicit outbound mark value
+ */
+ u_int mark_out;
+
/**
* CHILD_SA which gets established
*/
this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
- this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+ this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY),
+ this->mark_in, this->mark_out);
if (!allocate_spi(this))
{
this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
- this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+ this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY),
+ this->mark_in, this->mark_out);
if (this->ipcomp_received != IPCOMP_NONE)
{
this->reqid = reqid;
}
+METHOD(child_create_t, use_marks, void,
+ private_child_create_t *this, u_int in, u_int out)
+{
+ this->mark_in = in;
+ this->mark_out = out;
+}
+
METHOD(child_create_t, get_child, child_sa_t*,
private_child_create_t *this)
{
this->ipcomp_received = IPCOMP_NONE;
this->other_cpi = 0;
this->reqid = 0;
+ this->mark_in = 0;
+ this->mark_out = 0;
this->established = FALSE;
}
.set_config = _set_config,
.get_lower_nonce = _get_lower_nonce,
.use_reqid = _use_reqid,
+ .use_marks = _use_marks,
.task = {
.get_type = _get_type,
.migrate = _migrate,
*/
void (*use_reqid) (child_create_t *this, u_int32_t reqid);
+ /**
+ * Use specific mark values to override configuration.
+ *
+ * @param in inbound mark value
+ * @param out outbound mark value
+ */
+ void (*use_marks)(child_create_t *this, u_int in, u_int out);
+
/**
* Get the lower of the two nonces, used for rekey collisions.
*
}
reqid = this->child_sa->get_reqid(this->child_sa);
this->child_create->use_reqid(this->child_create, reqid);
+ this->child_create->use_marks(this->child_create,
+ this->child_sa->get_mark(this->child_sa, TRUE).value,
+ this->child_sa->get_mark(this->child_sa, FALSE).value);
if (this->child_create->task.build(&this->child_create->task,
message) != NEED_MORE)
/* let the CHILD_CREATE task build the response */
reqid = this->child_sa->get_reqid(this->child_sa);
this->child_create->use_reqid(this->child_create, reqid);
+ this->child_create->use_marks(this->child_create,
+ this->child_sa->get_mark(this->child_sa, TRUE).value,
+ this->child_sa->get_mark(this->child_sa, FALSE).value);
config = this->child_sa->get_config(this->child_sa);
this->child_create->set_config(this->child_create, config->get_ref(config));
this->child_create->task.build(&this->child_create->task, message);
this->lock->unlock(this->lock);
/* create and route CHILD_SA */
- child_sa = child_sa_create(me, other, child, reqid, FALSE);
+ child_sa = child_sa_create(me, other, child, reqid, FALSE, 0, 0);
list = linked_list_create_with_items(me, NULL);
my_ts = child->get_traffic_selectors(child, TRUE, NULL, list);
*/
static u_int hash_reqid_by_ts(reqid_entry_t *entry)
{
- return hash_ts_array(entry->local, hash_ts_array(entry->remote, 0));
+ return hash_ts_array(entry->local, hash_ts_array(entry->remote,
+ chunk_hash_inc(chunk_from_thing(entry->mark_in),
+ chunk_hash(chunk_from_thing(entry->mark_out)))));
}
/**
return equal;
}
-/**
- * Check if mark b matches to a, optionally with reqid match
- */
-static bool mark_matches(mark_t a, mark_t b, u_int32_t reqid)
-{
- if (a.value == b.value)
- {
- return TRUE;
- }
- if (a.value == MARK_REQID && b.value == reqid)
- {
- return TRUE;
- }
- return FALSE;
-}
-
/**
* Hashtable equals function for reqid entries using traffic selectors as key
*/
static bool equals_reqid_by_ts(reqid_entry_t *a, reqid_entry_t *b)
{
- if (ts_array_equals(a->local, b->local) &&
- ts_array_equals(a->remote, b->remote) &&
- a->mark_in.mask == b->mark_in.mask &&
- a->mark_out.mask == b->mark_out.mask)
- {
- if (mark_matches(a->mark_in, b->mark_in, a->reqid) &&
- mark_matches(a->mark_out, b->mark_out, a->reqid))
- {
- return TRUE;
- }
- if (mark_matches(b->mark_in, a->mark_in, b->reqid) &&
- mark_matches(b->mark_out, a->mark_out, b->reqid))
- {
- return TRUE;
- }
- }
- return FALSE;
+ return ts_array_equals(a->local, b->local) &&
+ ts_array_equals(a->remote, b->remote) &&
+ a->mark_in.value == b->mark_in.value &&
+ a->mark_in.mask == b->mark_in.mask &&
+ a->mark_out.value == b->mark_out.value &&
+ a->mark_out.mask == b->mark_out.mask;
}
/**
METHOD(kernel_interface_t, alloc_reqid, status_t,
private_kernel_interface_t *this,
linked_list_t *local_ts, linked_list_t *remote_ts,
- mark_t *mark_in, mark_t *mark_out, u_int32_t *reqid)
+ mark_t mark_in, mark_t mark_out, u_int32_t *reqid)
{
static u_int32_t counter = 0;
reqid_entry_t *entry = NULL, *tmpl;
INIT(tmpl,
.local = array_from_ts_list(local_ts),
.remote = array_from_ts_list(remote_ts),
- .mark_in = *mark_in,
- .mark_out = *mark_out,
+ .mark_in = mark_in,
+ .mark_out = mark_out,
.reqid = *reqid,
);
if (tmpl->reqid)
{
/* search by reqid if given */
- if (tmpl->mark_in.value == MARK_REQID)
- {
- tmpl->mark_in.value = tmpl->reqid;
- }
- if (tmpl->mark_out.value == MARK_REQID)
- {
- tmpl->mark_out.value = tmpl->reqid;
- }
entry = this->reqids->get(this->reqids, tmpl);
}
if (entry)
}
else
{
- /* search by traffic selectors. We do the search with MARK_REQID
- * wildcards (if any), and update the marks if we find any match */
+ /* search by traffic selectors */
entry = this->reqids_by_ts->get(this->reqids_by_ts, tmpl);
if (entry)
{
/* none found, create a new entry, allocating a reqid */
entry = tmpl;
entry->reqid = ++counter;
- if (entry->mark_in.value == MARK_REQID)
- {
- entry->mark_in.value = entry->reqid;
- }
- if (entry->mark_out.value == MARK_REQID)
- {
- entry->mark_out.value = entry->reqid;
- }
this->reqids_by_ts->put(this->reqids_by_ts, entry, entry);
this->reqids->put(this->reqids, entry, entry);
}
*reqid = entry->reqid;
}
- *mark_in = entry->mark_in;
- *mark_out = entry->mark_out;
entry->refs++;
this->mutex->unlock(this->mutex);
* the reqid is confirmed and registered for use. If it points to zero,
* a reqid is allocated for the given selectors, and returned to reqid.
*
- * The passed mark values get updated to the reqid value if they are set
- * to the magic value MARK_REQID.
- *
* @param local_ts traffic selectors of local side for SA
* @param remote_ts traffic selectors of remote side for SA
* @param mark_in inbound mark on SA
*/
status_t (*alloc_reqid)(kernel_interface_t *this,
linked_list_t *local_ts, linked_list_t *remote_ts,
- mark_t *mark_in, mark_t *mark_out,
+ mark_t mark_in, mark_t mark_out,
u_int32_t *reqid);
/**
};
/**
- * Special mark value that uses the reqid of the CHILD_SA as mark
+ * Special mark value that uses a unique mark for each CHILD_SA
*/
-#define MARK_REQID (0xFFFFFFFF)
+#define MARK_UNIQUE (0xFFFFFFFF)
/**
* Try to parse a mark_t from the given string of the form mark[/mask].
projects / thirdparty / strongswan.git / commitdiff
