wip: ike: Abort initiation if source IP can't be determined src-ip-abort
authorTobias Brunner <tobias@strongswan.org>
Tue, 24 Aug 2021 12:48:05 +0000 (14:48 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 4 Nov 2021 07:59:22 +0000 (08:59 +0100)
Without a source IP we'll have problems with NAT-D.

wip: Are there legitimate situations where we can't determine the source
address (limited kernel interfaces perhaps?). I also wonder if the
fallbacks in ike-natd are actually ever used nowadays (probably,
ike_sa_t::resolve_hosts() was way simpler in earlier versions so it was
more common that the source IP was not determined at that point).
So I guess we could just remove all that stuff there.
(actually, 4.1.4 added the source lookup in ike-natd and 4.2.5 added the
same in resolve_hosts - about a year between the two)

src/libcharon/bus/bus.h
src/libcharon/sa/ike_sa.c

index 1256f407ed7c3e2645fdfb6541e225985e23ac87..18e0dc07d56554cdb9dc9d39fb460a6229f1d169 100644 (file)
@@ -86,6 +86,8 @@ enum alert_t {
        ALERT_RADIUS_NOT_RESPONDING,
        /** a shutdown signal has been received, argument is the signal (int) */
        ALERT_SHUTDOWN_SIGNAL,
+       /** failed to determine source address, no arguments */
+       ALERT_LOCAL_ADDR_FAILED,
        /** local peer authentication failed (by us or by peer), no arguments */
        ALERT_LOCAL_AUTH_FAILED,
        /** peer authentication failed, no arguments */
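Review bot: ALERT_LOCAL_ADDR_FAILED is inserted between ALERT_SHUTDOWN_SIGNAL and ALERT_LOCAL_AUTH_FAILED rather than appended, which renumbers every alert_t value that follows; in-tree listeners that compare by name are unaffected, but any out-of-tree plugin built against the old header would misinterpret alerts, so if alert_t carries an ABI expectation it should go at the end of the enum. Whatever listener or name table enumerates alert_t values is not in this hunk, so I cannot confirm it was extended for the new alert. The doc comment follows the surrounding style; I would only make the cause explicit: `/** failed to determine the local (source) address to reach the peer, no arguments */`.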
index a891aff4970a0a62a8058b44745f726c92f68411..4d36b8d19db7fefd69154c44d5a47511cc29fcd0 100644 (file)
@@ -1565,6 +1565,21 @@ METHOD(ike_sa_t, initiate, status_t,
                                 addr, this->retry_initiate_interval);
                        defer_initiate = TRUE;
                }
+               else if (this->my_host->is_anyaddr(this->my_host))
+               {
+                       if (!this->retry_initiate_interval)
+                       {
+                               DBG1(DBG_IKE, "unable to determine source address to reach %H, "
+                                        "initiate aborted", this->other_host);
+                               DESTROY_IF(child_cfg);
+                               charon->bus->alert(charon->bus, ALERT_LOCAL_ADDR_FAILED);
+                               return DESTROY_ME;
+                       }
+                       DBG1(DBG_IKE, "unable to determine source address to reach %H, "
+                                "retrying in %ds", this->other_host,
+                                this->retry_initiate_interval);
+                       defer_initiate = TRUE;
+               }
 
                set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
                this->task_manager->queue_ike(this->task_manager);
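Review bot: The abort at the `return DESTROY_ME` in the new branch turns a state that ike-natd's fallback lookup apparently tolerated (per the commit description) into a hard failure of initiate(), and nothing in the code says why a source address is now mandatory; a why-comment on the new `else if` would spare the next maintainer who hits a kernel interface that cannot report one, e.g. `/* NAT-D payloads hash the local address, so initiation can't proceed without it; resolve_hosts() normally sets it once the peer is known */` (the NAT-D rationale comes from the commit message, not from this hunk). Since this is an `else if` on the peer-address check above, an unresolved peer masks a missing source address until a later retry resolves the peer, which looks intended but deserves a mention in that comment. The two DBG1 strings repeat the same prefix, mirroring the peer-address branch; acceptable, though a shared literal would keep the two messages from drifting. initiate() begins before and continues past this hunk, so the handling of defer_initiate is not visible here.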