SUSE:SLE-12-SP1:GA
strongswan.29076
File 0030-install-protocol-and-ports-transport-mode-sa-part1.patch of Package strongswan.29076
commit 90e6675a657c4ffdebc39b23f64922bad81bcc03 Author: Tobias Brunner <tobias@strongswan.org> Date: Mon Aug 25 14:45:40 2014 +0200 kernel-netlink: Optionally install protocol and ports on transport mode SAs diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index 2a755db22..7d44581a5 100644 --- a/conf/plugins/kernel-netlink.opt +++ b/conf/plugins/kernel-netlink.opt @@ -16,6 +16,15 @@ charon.plugins.kernel-netlink.mtu = 0 charon.plugins.kernel-netlink.roam_events = yes Whether to trigger roam events when interfaces, addresses or routes change. +charon.plugins.kernel-netlink.set_proto_port_transport_sa = no + Whether to set protocol and ports in the selector installed on transport + mode IPsec SAs in the kernel. + + Whether to set protocol and ports in the selector installed on transport + mode IPsec SAs in the kernel. While doing so enforces policies for inbound + traffic, it also prevents the use of a single IPsec SA by more than one + traffic selector. + charon.plugins.kernel-netlink.xfrm_acq_expires = 165 Lifetime of XFRM acquire state in kernel. diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index d9b55cfa7..274af7954 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -309,6 +309,12 @@ struct private_kernel_netlink_ipsec_t { */ bool install_routes; + /** + * Whether to set protocol and ports on selector installed with transport + * mode IPsec SAs + */ + bool proto_port_transport; + /** * Whether to track the history of a policy */ 
@@ -1235,12 +1241,15 @@ METHOD(kernel_ipsec_t, add_sa, status_t, if (src_ts && dst_ts) { sa->sel = ts2selector(src_ts, dst_ts); - /* don't install proto/port on SA. This would break - * potential secondary SAs for the same address using a - * different prot/port. */ - sa->sel.proto = 0; - sa->sel.dport = sa->sel.dport_mask = 0; - sa->sel.sport = sa->sel.sport_mask = 0; + if (!this->proto_port_transport) + { + /* don't install proto/port on SA. This would break + * potential secondary SAs for the same address using a + * different prot/port. */ + sa->sel.proto = 0; + sa->sel.dport = sa->sel.dport_mask = 0; + sa->sel.sport = sa->sel.sport_mask = 0; + } } break; default:
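Review bot: in the conf/plugins/kernel-netlink.opt hunk the option description is duplicated: the two-line paragraph "Whether to set protocol and ports in the selector installed on transport / mode IPsec SAs in the kernel." is immediately followed by a longer paragraph that starts with the same two sentences and then adds the trade-off. Drop the first, shorter paragraph and keep only the full one, so the generated strongswan.conf documentation does not repeat itself.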
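Review bot: the new `bool proto_port_transport;` member added to private_kernel_netlink_ipsec_t is declared but nothing in this patch assigns it, and no hunk reads the new charon.plugins.kernel-netlink.set_proto_port_transport_sa setting. If the constructor is not updated (presumably in a later part of this series, given the "part1" file name), the field stays zero-initialized, the `if (!this->proto_port_transport)` branch in add_sa() is always taken, and the option documented in the .opt file has no effect. Also consider naming the field after the setting (e.g. set_proto_port_transport_sa) so the two are easy to match when reading the constructor.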
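Review bot: in the add_sa() hunk the comment inside the new `if (!this->proto_port_transport)` block still only explains the default behaviour ("don't install proto/port on SA ... would break potential secondary SAs"); it says nothing about the other branch, which now leaves the protocol and ports from ts2selector() on the transport mode SA's selector. Extend the comment to note that keeping them makes the kernel enforce the policy's protocol and ports on inbound traffic for that SA, at the cost of one SA per traffic selector, and name the setting that enables it, so the security trade-off is visible at the point where it is made rather than only in the .opt file.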