child-sa: Add an option to install outbound trap policies only trap-policies-out-only
authorTobias Brunner <tobias@strongswan.org>
Fri, 21 Aug 2015 15:25:00 +0000 (17:25 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 21 Aug 2015 15:25:00 +0000 (17:25 +0200)
When enabled this prevents the installation of IN/FWD policies for
auto=route connections. So unencrypted/unauthenticated inbound traffic
won't be blocked, but this might be useful in some scenarios.

 #1065.

conf/options/charon.opt
src/libcharon/sa/child_sa.c

index 5d137aee8de7a1b46abe89c4416c863b7a22e922..8cdcd8f244d187c4320d9c1c10c11772c4f6b0f4 100644 (file)
@@ -157,6 +157,13 @@ charon.initiator_only = no
 charon.install_routes = yes
        Install routes into a separate routing table for established IPsec tunnels.
 
+charon.install_trap_outbound_only = no
+       Only install trap policies that match outbound traffic.
+
+       If this is enabled the daemon will only install trap policies that match
+       outbound traffic.  That is, no inbound/forward policies are installed to
+       block unencrypted/unauthenticated incoming traffic.
+
 charon.install_virtual_ip = yes
        Install virtual IP addresses.
 
index 73f2ec9d3239f77829a126f58f56e6cb624e997f..1897e6d3264d4af76ed66f0c591d28ccbbdd7ada 100644 (file)
@@ -151,6 +151,11 @@ struct private_child_sa_t {
         */
        bool trap;
 
+       /**
+        * TRUE to only install outbound trap policies
+        */
+       bool trap_outbound_only;
+
        /**
         * Specifies if UDP encapsulation is enabled (NAT traversal)
         */
@@ -783,21 +788,25 @@ static status_t install_policies_internal(private_child_sa_t *this,
        ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority)
 {
        status_t status = SUCCESS;
+
        status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
                                                        my_addr, other_addr, my_ts, other_ts,
                                                        POLICY_OUT, type, other_sa,
                                                        this->mark_out, priority);
 
-       status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+       if (!this->trap || !this->trap_outbound_only)
+       {
+               status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
                                                        other_addr, my_addr, other_ts, my_ts,
                                                        POLICY_IN, type, my_sa,
                                                        this->mark_in, priority);
-       if (this->mode != MODE_TRANSPORT)
-       {
-               status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+               if (this->mode != MODE_TRANSPORT)
+               {
+                       status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
                                                        other_addr, my_addr, other_ts, my_ts,
                                                        POLICY_FWD, type, my_sa,
                                                        this->mark_in, priority);
+               }
        }
        return status;
 }
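Review bot: The predicate `!this->trap || !this->trap_outbound_only` that now guards the IN/FWD add_policy calls is repeated verbatim in del_policies_internal; if the two copies ever diverge, a kernel policy gets installed without a matching delete (or deleted without having been installed), so it belongs in a single helper, e.g. `static inline bool install_inbound_policies(private_child_sa_t *this) { return !this->trap || !this->trap_outbound_only; }`, called from both functions. With the option enabled a trap CHILD_SA has no IN or FWD policy at all, so until an SA is actually established, plaintext matching the selectors is accepted (and, on a gateway, forwarded) — the commit message says as much, but a one-line comment at the new `if` (`/* outbound-only traps leave inbound plaintext unblocked, see charon.install_trap_outbound_only */`) keeps that visible to the next maintainer. install_policies_internal's signature starts before this hunk.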
@@ -812,14 +821,18 @@ static void del_policies_internal(private_child_sa_t *this,
        hydra->kernel_interface->del_policy(hydra->kernel_interface,
                                                my_ts, other_ts, POLICY_OUT, this->reqid,
                                                this->mark_out, priority);
-       hydra->kernel_interface->del_policy(hydra->kernel_interface,
-                                               other_ts, my_ts,  POLICY_IN, this->reqid,
-                                               this->mark_in, priority);
-       if (this->mode != MODE_TRANSPORT)
+
+       if (!this->trap || !this->trap_outbound_only)
        {
                hydra->kernel_interface->del_policy(hydra->kernel_interface,
+                                               other_ts, my_ts,  POLICY_IN, this->reqid,
+                                               this->mark_in, priority);
+               if (this->mode != MODE_TRANSPORT)
+               {
+                       hydra->kernel_interface->del_policy(hydra->kernel_interface,
                                                other_ts, my_ts, POLICY_FWD, this->reqid,
                                                this->mark_in, priority);
+               }
        }
 }
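Review bot: Correct cleanup here relies on `this->trap` and `this->trap_outbound_only` holding the same values they had when install_policies_internal ran; trap_outbound_only is fixed at creation, but `trap` is set elsewhere in the file (not visible here), and if it can change after the policies were installed, an IN/FWD policy installed earlier would be left behind in the kernel while the trap is torn down. A comment stating the invariant above the new condition would help: `/* must mirror install_policies_internal(): IN/FWD policies are skipped for outbound-only traps */`. del_policies_internal's signature starts before this hunk.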
 
@@ -1265,6 +1278,8 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
                .mark_in = config->get_mark(config, TRUE),
                .mark_out = config->get_mark(config, FALSE),
                .install_time = time_monotonic(NULL),
+               .trap_outbound_only = lib->settings->get_bool(lib->settings,
+                                               "%s.install_trap_outbound_only", FALSE, lib->ns),
        );
 
        this->config = config;
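Review bot: The setting is read once per CHILD_SA and cached in `trap_outbound_only`, which is what keeps installation and deletion of the IN/FWD policies symmetric, but it also means a strongswan.conf reload presumably only affects CHILD_SAs created afterwards; the initializer deserves a comment saying so, e.g. `/* cached per SA so install/delete of IN/FWD trap policies stay consistent */`. child_sa_create begins before this hunk.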