From: Tobias Brunner
Date: Tue, 24 Aug 2021 12:48:05 +0000 (+0200)
Subject: wip: ike: Abort initiation if source IP can't be determined
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fsrc-ip-abort;p=thirdparty%2Fstrongswan.git

wip: ike: Abort initiation if source IP can't be determined

Without a source IP we'll have problems with NAT-D.

wip: Are there legitimate situations where we can't determine the source address (limited kernel interfaces perhaps?). I also wonder if the fallbacks in ike-natd are actually ever used nowadays (probably, ike_sa_t::resolve_hosts() was way simpler in earlier versions so it was more common that the source IP was not determined at that point). So I guess we could just remove all that stuff there.

(actually, 4.1.4 added the source lookup in ike-natd and 4.2.5 added the same in resolve_hosts - about a year between the two)
---
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index 1256f407ed..18e0dc07d5 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -86,6 +86,8 @@ enum alert_t {
 	ALERT_RADIUS_NOT_RESPONDING,
 	/** a shutdown signal has been received, argument is the signal (int) */
 	ALERT_SHUTDOWN_SIGNAL,
+	/** failed to determine source address, no arguments */
+	ALERT_LOCAL_ADDR_FAILED,
 	/** local peer authentication failed (by us or by peer), no arguments */
 	ALERT_LOCAL_AUTH_FAILED,
 	/** peer authentication failed, no arguments */
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index a891aff497..4d36b8d19d 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
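Review bot: ALERT_LOCAL_ADDR_FAILED is slotted between ALERT_SHUTDOWN_SIGNAL and ALERT_LOCAL_AUTH_FAILED rather than next to its counterpart ALERT_PEER_ADDR_FAILED, which the initiate() branch in ike_sa.c mirrors; keeping the two address-resolution alerts adjacent makes the pairing obvious to anyone maintaining a `switch (alert)` in a listener. Any listener that already translates ALERT_PEER_ADDR_FAILED into an external notification (the error-notify plugin, if it does) will fall through to its default case for the new value, so the aborted initiation would be logged but not reported upstream — worth auditing those switches in the same change. Inserting mid-enum also renumbers every alert that follows, which only matters for code compiled against the old bus.h, but it is a reason to append or group deliberately. The doc comment could cross-reference the sibling: `/** failed to determine source address for initiation, no arguments (cf. ALERT_PEER_ADDR_FAILED) */`.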
@@ -1565,6 +1565,21 @@ METHOD(ike_sa_t, initiate, status_t,
 				 addr, this->retry_initiate_interval);
 			defer_initiate = TRUE;
 		}
+		else if (this->my_host->is_anyaddr(this->my_host))
+		{
+			if (!this->retry_initiate_interval)
+			{
+				DBG1(DBG_IKE, "unable to determine source address to reach %H, "
+					 "initiate aborted", this->other_host);
+				DESTROY_IF(child_cfg);
+				charon->bus->alert(charon->bus, ALERT_LOCAL_ADDR_FAILED);
+				return DESTROY_ME;
+			}
+			DBG1(DBG_IKE, "unable to determine source address to reach %H, "
+				 "retrying in %ds", this->other_host,
+				 this->retry_initiate_interval);
+			defer_initiate = TRUE;
+		}
 
 		set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
 		this->task_manager->queue_ike(this->task_manager);
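Review bot: The abort message in the new branch names only the peer, so an operator reading `unable to determine source address to reach %H` cannot tell whether the local address was configured as `%any` or as a specific address the kernel could not route from; the peer-resolution branch just above logs the configured string via `addr`, and this one could do the same with `DBG1(DBG_IKE, "unable to determine source address %s to reach %H, initiate aborted", this->ike_cfg->get_my_addr(this->ike_cfg), this->other_host);`. Both new DBG1 calls repeat the same prefix, so a single message with a `%s` for the trailing "initiate aborted"/"retrying in %ds" part would keep them from drifting apart. The retry path reuses retry_initiate_interval and defer_initiate exactly as the peer branch does, so failing closed here is consistent, though the alert is raised only on the final abort and never on a deferral, which listeners tracking repeated failures may want to know. initiate() starts and ends outside the hunk, so the later handling of defer_initiate is not visible here.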