From: Tobias Brunner Date: Fri, 21 Aug 2015 15:25:00 +0000 (+0200) Subject: child-sa: Add an option to install outbound trap policies only X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Ftrap-policies-out-only;p=thirdparty%2Fstrongswan.git child-sa: Add an option to install outbound trap policies only When enabled this prevents the installation of IN/FWD policies for auto=route connections. So unencrypted/unauthenticated inbound traffic won't be blocked but it might be useful in some scenarios. #1065. --- diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 5d137aee8d..8cdcd8f244 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -157,6 +157,13 @@ charon.initiator_only = no charon.install_routes = yes Install routes into a separate routing table for established IPsec tunnels. +charon.install_trap_outbound_only = no + Only install trap policies that match outbound traffic. + + If this is enabled the daemon will only install trap policies that match + outbound traffic. That is, no inbound/forward policies are installed to + block unencrypted/unauthenticated incoming traffic. + charon.install_virtual_ip = yes Install virtual IP addresses. diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 73f2ec9d32..1897e6d326 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -151,6 +151,11 @@ struct private_child_sa_t { */ bool trap; + /** + * TRUE to only install outbound trap policies + */ + bool trap_outbound_only; + /** * Specifies if UDP encapsulation is enabled (NAT traversal) */ 
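Review bot: The description added for `charon.install_trap_outbound_only` explains the mechanism but not the consequence an operator needs before enabling it: without the IN/FWD trap policies the host accepts (and, outside transport mode, forwards) cleartext packets matching the routed traffic selectors from any source, not only from the configured peer, unless something else filters them. I would append a sentence such as `Use with care: unprotected inbound traffic matching the trap policy is accepted, so filter it elsewhere if required.` It is also worth stating that the option is daemon-wide and applies to every auto=route connection, since it is read from the charon.* namespace rather than per connection.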
@@ -783,21 +788,25 @@ static status_t install_policies_internal(private_child_sa_t *this,
 ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority)
 {
 status_t status = SUCCESS;
+
 status |= hydra->kernel_interface->add_policy(hydra->kernel_interface, my_addr, other_addr, my_ts, other_ts, POLICY_OUT, type, other_sa, this->mark_out, priority);
- status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+ if (!this->trap || !this->trap_outbound_only)
+ {
+ status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
 other_addr, my_addr, other_ts, my_ts, POLICY_IN, type, my_sa, this->mark_in, priority);
- if (this->mode != MODE_TRANSPORT)
- {
- status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+ if (this->mode != MODE_TRANSPORT)
+ {
+ status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
 other_addr, my_addr, other_ts, my_ts, POLICY_FWD, type, my_sa, this->mark_in, priority);
+ }
 }
 return status;
 }
@@ -812,14 +821,18 @@ static void del_policies_internal(private_child_sa_t *this,
 hydra->kernel_interface->del_policy(hydra->kernel_interface, my_ts, other_ts, POLICY_OUT, this->reqid, this->mark_out, priority);
- hydra->kernel_interface->del_policy(hydra->kernel_interface,
- other_ts, my_ts, POLICY_IN, this->reqid,
- this->mark_in, priority);
- if (this->mode != MODE_TRANSPORT)
+
+ if (!this->trap || !this->trap_outbound_only)
 {
 hydra->kernel_interface->del_policy(hydra->kernel_interface,
+ other_ts, my_ts, POLICY_IN, this->reqid,
+ this->mark_in, priority);
+ if (this->mode != MODE_TRANSPORT)
+ {
+ hydra->kernel_interface->del_policy(hydra->kernel_interface,
 other_ts, my_ts, POLICY_FWD, this->reqid, this->mark_in, priority);
+ }
 }
 }
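Review bot: The new gate `if (!this->trap || !this->trap_outbound_only)` in install_policies_internal skips the POLICY_IN and POLICY_FWD installation without leaving any trace, so an operator reading the log will assume the usual three policies exist for a routed connection. I would add a comment at the gate, `/* outbound-only trap: inbound cleartext is neither trapped nor blocked */`, and an `else` branch with a DBG1(DBG_CHD, ...) line saying that the IN/FWD policies were skipped for these traffic selectors, so the weakened state is visible where the policies are created. Note also that the gate does not look at `type`, so it applies to whatever policy type the caller passes; if a trap child_sa can ever carry pass or drop policies they would lose their inbound side as well, which is worth confirming against the callers. The function signature starts before this hunk.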
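Review bot: The condition `!this->trap || !this->trap_outbound_only` is now duplicated verbatim in del_policies_internal and install_policies_internal, and the two must stay in lock-step: if one is later changed without the other, trap policies would either be left behind in the kernel or a deletion would be attempted for policies that were never installed. I would factor it into a single helper, `static inline bool inbound_policies_enabled(private_child_sa_t *this) { return !this->trap || !this->trap_outbound_only; }`, and call it from both places. The del_policies_internal signature starts before this hunk.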
@@ -1265,6 +1278,8 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 .mark_in = config->get_mark(config, TRUE),
 .mark_out = config->get_mark(config, FALSE),
 .install_time = time_monotonic(NULL),
+ .trap_outbound_only = lib->settings->get_bool(lib->settings,
+ "%s.install_trap_outbound_only", FALSE, lib->ns),
 );
 this->config = config;
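Review bot: `trap_outbound_only` is read from the settings once, in the child_sa_create initializer, so a later change of charon.install_trap_outbound_only (for instance through a settings reload, if the daemon offers one) only affects CHILD_SAs created afterwards, while an existing trap keeps its original mode for both installation and deletion. That is the behaviour you want, because the delete path relies on the same flag to know which policies exist, but nothing says so; I would add `/* captured at creation so install and delete agree even if the setting changes later */` above the new initializer. child_sa_create continues outside this hunk.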