From: Tobias Brunner
Date: Wed, 16 Nov 2016 17:13:59 +0000 (+0100)
Subject: vici: Explicitly use peer name when uninstalling trap and shunt policies
X-Git-Tag: 5.5.2dr5~9^2~17
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=7627f5f9c7f8bf8edde1f98048e339fbe74615ba;p=thirdparty%2Fstrongswan.git

vici: Explicitly use peer name when uninstalling trap and shunt policies

Also adds an `ike` parameter to the `uninstall` command.
---

diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index edcc7eae56..b7b7f4ee0e 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -312,7 +312,7 @@ Install a trap, drop or bypass policy defined by a CHILD_SA config.
 {
 child =
- ike =
+ ike =
 } => {
 success =
 errmsg =
@@ -324,6 +324,8 @@ Uninstall a trap, drop or bypass policy defined by a CHILD_SA config.
 {
 child =
+ ike =
 } => {
 success =
 errmsg =
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index dbbeb9e55b..3b27bf7c34 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1757,7 +1757,8 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
 {
 case MODE_PASS:
 case MODE_DROP:
- charon->shunts->install(charon->shunts, NULL, child_cfg);
+ charon->shunts->install(charon->shunts,
+ peer_cfg->get_name(peer_cfg), child_cfg);
 break;
 default:
 charon->traps->install(charon->traps, peer_cfg, child_cfg,
@@ -1778,6 +1779,7 @@ static void clear_start_action(private_vici_config_t *this, char *peer_name,
 {
 enumerator_t *enumerator, *children;
 child_sa_t *child_sa;
+ peer_cfg_t *peer_cfg;
 ike_sa_t *ike_sa;
 uint32_t id = 0, others;
 array_t *ids = NULL, *ikeids = NULL;
@@ -1865,13 +1867,15 @@ static void clear_start_action(private_vici_config_t *this, char *peer_name,
 {
 case MODE_PASS:
 case MODE_DROP:
- charon->shunts->uninstall(charon->shunts, NULL, name);
+ charon->shunts->uninstall(charon->shunts, peer_name, name);
 break;
 default:
 enumerator = charon->traps->create_enumerator(charon->traps);
- while (enumerator->enumerate(enumerator, NULL, &child_sa))
+ while (enumerator->enumerate(enumerator, &peer_cfg,
+ &child_sa))
 {
- if (streq(name, child_sa->get_name(child_sa)))
+ if (streq(peer_name, peer_cfg->get_name(peer_cfg)) &&
+ streq(name, child_sa->get_name(child_sa)))
 {
 id = child_sa->get_reqid(child_sa);
 break;
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 20d19252b6..05d0dc5a69 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -565,7 +565,8 @@ CALLBACK(install, vici_message_t*,
 {
 case MODE_PASS:
 case MODE_DROP:
- ok = charon->shunts->install(charon->shunts, NULL, child_cfg);
+ ok = charon->shunts->install(charon->shunts,
+ peer_cfg->get_name(peer_cfg), child_cfg);
 break;
 default:
 ok = charon->traps->install(charon->traps, peer_cfg, child_cfg,
@@ -581,12 +582,15 @@ CALLBACK(install, vici_message_t*,
 CALLBACK(uninstall, vici_message_t*,
 private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
 {
+ peer_cfg_t *peer_cfg;
+ child_cfg_t *child_cfg;
 child_sa_t *child_sa;
 enumerator_t *enumerator;
 uint32_t reqid = 0;
- char *child;
+ char *child, *ike, *ns;
 
 child = request->get_str(request, NULL, "child");
+ ike = request->get_str(request, NULL, "ike");
 if (!child)
 {
 return send_reply(this, "missing configuration name");
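Review bot: The new `char *child, *ike, *ns;` declaration gives `ike` two different owners in the body that follows this hunk: a borrowed pointer from `request->get_str()`, or a `strdup()` copy when the shunt lookup fills it in, and on the path where that copy is released with `free(ike);` the pointer is not cleared before the trap loop evaluates `(!ike || streq(ike, peer_cfg->get_name(peer_cfg)))`, so it would read freed memory should `shunts->uninstall()` ever return FALSE for a name the enumerator just returned (a concurrent removal, presumably). The smallest fix is to clear it at the release point, `free(ike); ike = NULL;`, which also restores the intended "no IKE name given, match any peer" behaviour for the trap search on that path. A clearer alternative is to keep the copy in its own variable, e.g. `char *child, *ike, *ns, *owned = NULL;`, so a borrowed and an owned string never share a pointer. The uninstall callback's body continues beyond this hunk.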
@@ -594,15 +598,35 @@ CALLBACK(uninstall, vici_message_t*,
 DBG1(DBG_CFG, "vici uninstall '%s'", child);
 
- if (charon->shunts->uninstall(charon->shunts, NULL, child))
+ if (!ike)
+ {
+ enumerator = charon->shunts->create_enumerator(charon->shunts);
+ while (enumerator->enumerate(enumerator, &ns, &child_cfg))
+ {
+ if (ns && streq(child, child_cfg->get_name(child_cfg)))
+ {
+ ike = strdup(ns);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ if (ike && charon->shunts->uninstall(charon->shunts, ike, child))
+ {
+ free(ike);
+ return send_reply(this, NULL);
+ }
+ free(ike);
+ }
+ else if (charon->shunts->uninstall(charon->shunts, ike, child))
 {
 return send_reply(this, NULL);
 }
 
 enumerator = charon->traps->create_enumerator(charon->traps);
- while (enumerator->enumerate(enumerator, NULL, &child_sa))
+ while (enumerator->enumerate(enumerator, &peer_cfg, &child_sa))
 {
- if (streq(child, child_sa->get_name(child_sa)))
+ if ((!ike || streq(ike, peer_cfg->get_name(peer_cfg))) &&
+ streq(child, child_sa->get_name(child_sa)))
 {
 reqid = child_sa->get_reqid(child_sa);
 break;