From: Tobias Brunner Date: Mon, 13 Feb 2017 18:06:24 +0000 (+0100) Subject: bypass-lan: Don't use interfaces in policies X-Git-Tag: 5.5.2dr5~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2129d1cbe6b482cf956a1f609ff974c9dcd5b24;p=thirdparty%2Fstrongswan.git bypass-lan: Don't use interfaces in policies After an interface disappeared we can't remove the policies correctly as the name doesn't resolve to the previous index anymore. And making the policies so specific might not provide that much benefit. To handle the interfaces on the policies correctly would require some changes to the child-cfg, kernel-interface etc. so they'd take interface indices directly so we could target the policies correctly even if an interface disappeared (or reappeared and got a new index).
---
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
index 49f7cd3caf..138f8fb0b1 100644
--- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
@@ -64,7 +64,6 @@ typedef struct {
 private_bypass_lan_listener_t *listener;
 host_t *net;
 uint8_t mask;
- char *iface;
 child_cfg_t *cfg;
 } bypass_policy_t;
@@ -86,7 +85,6 @@ static void bypass_policy_destroy(bypass_policy_t *this)
 ts->destroy(ts);
 }
 this->net->destroy(this->net);
- free(this->iface);
 free(this);
 }
@@ -151,16 +149,18 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
 INIT(lookup,
 .net = net->clone(net),
 .mask = mask,
- .iface = strdupnull(iface),
 );
- seen->put(seen, lookup, lookup);
+ found = seen->put(seen, lookup, lookup);
+ if (found)
+ { /* in case the same subnet is on multiple interfaces */
+ bypass_policy_destroy(found);
+ }
 found = this->policies->get(this->policies, lookup);
 if (!found)
 {
 child_cfg_create_t child = {
 .mode = MODE_PASS,
- .interface = iface,
 };
 child_cfg_t *cfg;
 traffic_selector_t *ts;
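Review bot: `found = seen->put(seen, lookup, lookup);` depends on put() returning the entry previously stored under an equal key and then passes that entry to `bypass_policy_destroy`, whose head lies outside the hunk; the evicted entry is a lookup-only `bypass_policy_t` whose `.cfg` is never assigned here (presumably left zeroed by INIT), so the destroy path must tolerate a NULL cfg, which this hunk cannot confirm. Because `seen` is now the only thing collapsing the same subnet reported on several interfaces, that contract deserves a comment, e.g. `/* put() returns the entry already stored for this net/mask (same subnet on another interface); it carries no cfg, so destroying it only releases the key */`. The trailing comment on the `{` line is an unusual placement; putting it above `if (found)` reads more naturally. update_bypass begins and ends outside the hunk.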
@@ -168,7 +168,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
 ts = traffic_selector_create_from_subnet(net->clone(net), mask, 0, 0, 65535);
- snprintf(name, sizeof(name), "Bypass LAN %R [%s]", ts, iface ?: "");
+ snprintf(name, sizeof(name), "Bypass LAN %R", ts);
 cfg = child_cfg_create(name, &child);
 cfg->add_traffic_selector(cfg, FALSE, ts->clone(ts));
@@ -179,7 +179,6 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
 INIT(found,
 .net = net->clone(net),
 .mask = mask,
- .iface = strdupnull(iface),
 .cfg = cfg,
 );
 this->policies->put(this->policies, found, found);
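Review bot: With the `[%s]` interface suffix dropped from the `snprintf`, a child config's name is now unique per subnet only because the earlier hunk collapses duplicate subnets in `seen`; that coupling is invisible here and deserves a comment next to the call, e.g. `/* one bypass policy per subnet regardless of interface; duplicates were already collapsed via 'seen' */`. The `snprintf` return value is still unchecked, so a long `%R` rendering of an IPv6 range would silently truncate the name; that appears harmless if the policy table is keyed on net/mask rather than name, but `name`'s size is declared outside the hunk and cannot be confirmed from here. update_bypass begins and ends outside the hunk.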