From: Tobias Brunner
Date: Mon, 7 Feb 2022 13:48:49 +0000 (+0100)
Subject: vici: Make ICMP forwarding configurable
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=45c5a7e1c41b60db2e0b3ad1b48a94d740c4c91b;p=thirdparty%2Fstrongswan.git

vici: Make ICMP forwarding configurable
---

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index aa6fbafbeb..9b3bad115e 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -572,6 +572,7 @@ static void log_child_data(child_data_t *data, char *name)
 	DBG2(DBG_CFG, " copy_df = %u", !has_opt(OPT_NO_COPY_DF));
 	DBG2(DBG_CFG, " copy_ecn = %u", !has_opt(OPT_NO_COPY_ECN));
 	DBG2(DBG_CFG, " copy_dscp = %N", dscp_copy_names, cfg->copy_dscp);
+	DBG2(DBG_CFG, " icmp = %u", has_opt(OPT_FORWARD_ICMP));
 }
 
 /**
@@ -997,6 +998,15 @@ CALLBACK(parse_copy_dscp, bool,
 	return FALSE;
 }
 
+/**
+ * Parse OTP_FORWARD_ICMP option
+ */
+CALLBACK(parse_opt_icmp, bool,
+	child_cfg_option_t *out, chunk_t v)
+{
+	return parse_option(out, OPT_FORWARD_ICMP, v, TRUE);
+}
+
 /**
  * Parse an action_t
  */
@@ -1758,6 +1768,7 @@ CALLBACK(child_kv, bool,
 		{ "copy_df",			parse_opt_copy_df,	&child->cfg.options					},
 		{ "copy_ecn",			parse_opt_copy_ecn,	&child->cfg.options					},
 		{ "copy_dscp",			parse_copy_dscp,	&child->cfg.copy_dscp				},
+		{ "icmp",				parse_opt_icmp,		&child->cfg.options					},
 		{ "if_id_in",			parse_if_id,		&child->cfg.if_id_in				},
 		{ "if_id_out",			parse_if_id,		&child->cfg.if_id_out				},
 	};
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 0ae9d45790..6fe318810d 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
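Review bot: The doc comment on the added `parse_opt_icmp` callback misspells the option it parses: `OTP_FORWARD_ICMP` should read `OPT_FORWARD_ICMP`, matching the constant passed to parse_option() a few lines below. Because this flag relaxes policy matching (per the swanctl.opt text in this commit, the kernel then does a reverse lookup on the inner IP header for ICMP errors whose outer source falls outside the negotiated traffic selector), the comment is worth one more clause stating that, e.g. `/** Parse OPT_FORWARD_ICMP option: accept ICMP errors from sources outside the negotiated TS (off unless icmp = yes) */`. The trailing `TRUE` argument presumably means a `yes` value sets the flag, the opposite polarity of the `OPT_NO_COPY_*` options logged with `!has_opt()` in the first hunk; that is consistent with the new log line using `has_opt()` directly, but parse_option()'s definition is outside this hunk and should be checked.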
@@ -1066,6 +1066,17 @@ connections..children..copy_dscp = out
 	receiver, which is why the default is _out_. Controlling this behavior is
 	not supported by all kernel interfaces.
 
+connections..children..icmp = no
+	Whether to forward certain ICMP error messages even if the source IP doesn't
+	match policies.
+
+	Whether to forward certain ICMP error messages, such as Destination
+	Unreachable or Time Exceeded, that could be generated by hosts whose IP
+	address isn't included in the negotiated traffic selector and therefore
+	won't match the policies. For these, the kernel will do a reverse lookup
+	with the IP header of the original messsage that's included in the ICMP
+	message.
+
 connections..children..start_action = none
 	Action to perform after loading the configuration (_none_, _trap_, _start_).