From: Martin Willi
Date: Mon, 15 Apr 2013 14:53:41 +0000 (+0200)
Subject: kernel-utun: use PF_KEY style setsockopts to create IKE bypass policies
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=8577ed9648b753715b75d44a5d0c82b79baf8861;p=thirdparty%2Fstrongswan.git
kernel-utun: use PF_KEY style setsockopts to create IKE bypass policies
---
diff --git a/src/libhydra/plugins/kernel_utun/kernel_utun_ipsec.c b/src/libhydra/plugins/kernel_utun/kernel_utun_ipsec.c
index c2beaaab49..413f5ece31 100644
--- a/src/libhydra/plugins/kernel_utun/kernel_utun_ipsec.c
+++ b/src/libhydra/plugins/kernel_utun/kernel_utun_ipsec.c
@@ -30,6 +30,8 @@
 #include
 #include
 #include
+#include
+#include
 #include
 #include
@@ -410,11 +412,46 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
 return FAILED;
 }
-
 METHOD(kernel_ipsec_t, bypass_socket, bool,
 private_kernel_utun_ipsec_t *this, int fd, int family)
 {
- return FALSE;
+ struct sadb_x_policy policy;
+ u_int sol, ipsec_policy;
+
+ switch (family)
+ {
+ case AF_INET:
+ sol = IPPROTO_IP;
+ ipsec_policy = IP_IPSEC_POLICY;
+ break;
+ case AF_INET6:
+ sol = IPPROTO_IPV6;
+ ipsec_policy = IPV6_IPSEC_POLICY;
+ break;
+ default:
+ return FALSE;
+ }
+
+ memset(&policy, 0, sizeof(policy));
+ policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+ policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+
+ policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+ if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ strerror(errno));
+ return FALSE;
+ }
+ policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+ if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ strerror(errno));
+ return FALSE;
+ }
+ return TRUE;
 }
 METHOD(kernel_ipsec_t, enable_udp_decap, bool,
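Review bot: In bypass_socket, if the second setsockopt() (IPSEC_DIR_INBOUND) fails, the method returns FALSE while the outbound bypass set just before it stays on fd, so the socket keeps a one-directional IPsec exemption. Whether callers close the socket on FALSE is not visible in this hunk, so I would state the contract in a comment above the method, e.g. `/* on FALSE the socket may carry a partial bypass policy and must not be used */`. The two DBG1 messages are identical, so the log cannot show which direction failed; `"unable to set outbound IPSEC_POLICY on socket: %s"` and the inbound equivalent would fix that. As a minor point, `sol` and `ipsec_policy` are passed as setsockopt()'s int level and optname arguments and could be declared `int` rather than `u_int`.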