From d8e12fdb130a3b9413260ef74f646b3b243c6e1e Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 15 Feb 2017 15:33:38 +0100
Subject: [PATCH] libipsec: Match IPsec policies against ports of processed packets
Fixes #2252.
---
 src/libipsec/ipsec_policy.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/libipsec/ipsec_policy.c b/src/libipsec/ipsec_policy.c
index 8077d3c8d8..98201b8435 100644
--- a/src/libipsec/ipsec_policy.c
+++ b/src/libipsec/ipsec_policy.c
@@ -101,6 +101,24 @@ METHOD(ipsec_policy_t, match, bool,
 this->dst_ts->equals(this->dst_ts, dst_ts));
 }
+/**
+ * Match the port of the given host against the given traffic selector.
+ */
+static inline bool match_port(traffic_selector_t *ts, host_t *host)
+{
+ uint16_t from, to, port;
+
+ from = ts->get_from_port(ts);
+ to = ts->get_to_port(ts);
+ if ((from == 0 && to == 0xffff) ||
+ (from == 0xffff && to == 0))
+ {
+ return TRUE;
+ }
+ port = host->get_port(host);
+ return from <= port && port <= to;
+}
+
 METHOD(ipsec_policy_t, match_packet, bool,
 private_ipsec_policy_t *this, ip_packet_t *packet)
 {
@@ -110,7 +128,9 @@ METHOD(ipsec_policy_t, match_packet, bool,
 return (!this->protocol || this->protocol == proto) &&
 this->src_ts->includes(this->src_ts, src) &&
- this->dst_ts->includes(this->dst_ts, dst);
+ match_port(this->src_ts, src) &&
+ this->dst_ts->includes(this->dst_ts, dst) &&
+ match_port(this->dst_ts, dst);
 }
 METHOD(ipsec_policy_t, get_source_ts, traffic_selector_t*,
--
2.47.2
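Review bot: The second wildcard arm in match_port, `(from == 0xffff && to == 0)`, makes the selector match every port, yet that port encoding is presumably the IKEv2 OPAQUE case (RFC 7296 section 3.13.1), which is meant to match only packets whose port fields are not available, such as non-initial fragments; if libipsec intends the IKEv2 meaning this arm is wider than it should be, and if treating opaque as any-port is deliberate the code should say so. I would document both special encodings above the condition, e.g. `/* 0..65535 is "any port"; 65535..0 is the OPAQUE encoding, deliberately treated as any port here */`. The final comparison also relies on get_port() and get_from_port()/get_to_port() agreeing on byte order, presumably host order on both sides, which the doc comment could state since a mismatch would silently make every ranged policy fail to match.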
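Review bot: match_packet now applies match_port() to whatever src and dst carry as a port, so for packets without L4 ports (non-initial fragments, or ICMP where strongSwan presumably packs type and code into the port fields) a selector with a specific range will reject the packet unless the range is any/opaque; that is the conservative outcome, but it deserves a comment on the return statement such as `/* packets without L4 ports only match policies with any/opaque port ranges */`. The beginning of match_packet, where src, dst and proto are derived from the packet, lies outside the hunk, so I cannot see how the port is populated for those protocols; please confirm it is 0 rather than stale data. The port checks are also evaluated when this->protocol is 0 (any protocol); a selector with any protocol normally carries any-port ranges, so this is harmless but worth a short note.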