From: Tobias Brunner
Date: Mon, 7 Feb 2022 13:48:49 +0000 (+0100)
Subject: vici: Make ICMP forwarding configurable
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=22e502b2867dde2f257273cf33ac70fbec2e7583;p=thirdparty%2Fstrongswan.git
vici: Make ICMP forwarding configurable
---
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 6ea239f0a1..dd426df53f 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -591,6 +591,7 @@ static void log_child_data(child_data_t *data, char *name)
 DBG2(DBG_CFG, " copy_df = %u", !has_opt(cfg, OPT_NO_COPY_DF));
 DBG2(DBG_CFG, " copy_ecn = %u", !has_opt(cfg, OPT_NO_COPY_ECN));
 DBG2(DBG_CFG, " copy_dscp = %N", dscp_copy_names, cfg->copy_dscp);
+ DBG2(DBG_CFG, " icmp = %u", has_opt(cfg, OPT_FORWARD_ICMP));
 }
 
 /**
@@ -1105,6 +1106,15 @@ CALLBACK(parse_copy_dscp, bool,
 return FALSE;
 }
 
+/**
+ * Parse OTP_FORWARD_ICMP option
+ */
+CALLBACK(parse_opt_icmp, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_FORWARD_ICMP, v, TRUE);
+}
+
 /**
 * Parse an action_t
 */
@@ -1953,6 +1963,7 @@ CALLBACK(child_kv, bool,
 { "copy_df", parse_opt_copy_df, &child->cfg.options },
 { "copy_ecn", parse_opt_copy_ecn, &child->cfg.options },
 { "copy_dscp", parse_copy_dscp, &child->cfg.copy_dscp },
+ { "icmp", parse_opt_icmp, &child->cfg.options },
 { "if_id_in", parse_if_id, &child->cfg.if_id_in },
 { "if_id_out", parse_if_id, &child->cfg.if_id_out },
 { "label", parse_label, &child->cfg.label },
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index aedab587b7..18bf0b9159 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
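Review bot: The doc comment added above parse_opt_icmp names the option `OTP_FORWARD_ICMP`, while the flag the body actually passes to parse_option is `OPT_FORWARD_ICMP`; the comment should read `/** Parse OPT_FORWARD_ICMP option */`. Because this flag widens what the IPsec policy lets through (per the swanctl.opt text in this commit, the kernel then admits ICMP errors from sources outside the traffic selectors by matching on the inner IP header embedded in the error), the comment is also the right place to say that, e.g. `/* Parse OPT_FORWARD_ICMP: when set, ICMP errors from outside the traffic selectors may pass the policy check based on the embedded inner header */`. I am inferring from copy_df's use of `OPT_NO_COPY_DF` that the TRUE passed as the fourth argument means the flag is set when the value is true, so the option is off unless configured; parse_option itself is defined outside the hunk and I could not confirm that reading.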
@@ -1182,6 +1182,18 @@ connections..children..copy_dscp = out receiver, which is why the default is _out_. Controlling this behavior is not supported by all kernel interfaces. +connections..children..icmp = no + Whether to forward certain ICMP error messages even if their source IP + doesn't match the negotiated IPsec policies. + + ICMP error messages, such as Destination Unreachable, Time Exceeded or + Fragmentation Needed, may be generated by a host whose IP address isn't + included in the negotiated traffic selectors and therefore doesn't match the + IPsec policies. If this option is enabled and the kernel supports it, such + packets may still be forwarded. As ICMP errors contain parts of the IP + packet that triggered them, the kernel will base its decision on a reverse + policy lookup using that IP header. + connections..children..start_action = none Action to perform after loading the configuration (_none_, _trap_, _start_).