| author | Yves-Alexis Perez <corsac@debian.org> | 2018-09-24 15:11:14 +0200 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2018-09-24 15:11:14 +0200 |
| commit | e0e280b7669435b991b7e457abd8aa450930b3e8 (patch) | |
| tree | 3e6084f13b14ad2df104e2ce6e589eb96c5f7ac9 /src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | |
| parent | 51a71ee15c1bcf0e82f363a16898f571e211f9c3 (diff) | |
| download | vyos-strongswan-e0e280b7669435b991b7e457abd8aa450930b3e8.tar.gz vyos-strongswan-e0e280b7669435b991b7e457abd8aa450930b3e8.zip | |
New upstream version 5.7.0
Diffstat (limited to 'src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c')
| -rw-r--r-- | src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 80 |
1 files changed, 73 insertions, 7 deletions
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 4926c3de8..1292e0895 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1131,7 +1131,7 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
 						   watcher_event_t event)
 {
-	char response[1024];
+	char response[netlink_get_buflen()];
 	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
 	struct sockaddr_nl addr;
 	socklen_t addr_len = sizeof(addr);
@@ -1336,6 +1336,23 @@ static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
 }
 
 /**
+ * Add a uint32 attribute to message
+ */
+static bool add_uint32(struct nlmsghdr *hdr, int buflen,
+					   enum xfrm_attr_type_t type, uint32_t value)
+{
+	uint32_t *xvalue;
+
+	xvalue = netlink_reserve(hdr, buflen, type, sizeof(*xvalue));
+	if (!xvalue)
+	{
+		return FALSE;
+	}
+	*xvalue = value;
+	return TRUE;
+}
+
+/**
  * Check if kernel supports HW offload
  */
 static void netlink_find_offload_feature(const char *ifname, int query_socket)
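Review bot: `char response[netlink_get_buflen()];` replaces a fixed 1024-byte buffer with a VLA whose size is only known at run time, so the stack footprint of this watcher callback now depends on whatever netlink_get_buflen() returns; if that value is administrator-configurable (it looks like a settings-backed helper, but its definition is not in this diff) a large setting grows stack use silently and has no failure path the way a heap allocation would. Either document the upper bound where the length is defined, or allocate the buffer with malloc/free in this function so an oversized request fails visibly. A short comment at the declaration would also help, e.g. `/* VLA: sized by the configured netlink buffer length, see netlink_get_buflen() */`. The body of receive_events continues outside the hunk.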
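Review bot: The doc comment on the new add_uint32 helper says what it adds but not what its return value means, and the callers in this commit all branch on it. Since the FALSE path is the only interesting one, the header should state it: `/** Add a uint32 attribute to message; returns FALSE if the attribute does not fit into buflen */` (that is how the netlink_reserve NULL result reads here; its contract is not visible in the diff, so confirm the wording against it). The body itself looks fine and the refactoring of the XFRMA_TFCPAD code onto it is a clear win.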
@@ -1586,6 +1603,49 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	sa->id.proto = id->proto;
 	sa->family = id->src->get_family(id->src);
 	sa->mode = mode2kernel(mode);
+
+	if (!data->copy_df)
+	{
+		sa->flags |= XFRM_STATE_NOPMTUDISC;
+	}
+
+	if (!data->copy_ecn)
+	{
+		sa->flags |= XFRM_STATE_NOECN;
+	}
+
+	if (data->inbound)
+	{
+		switch (data->copy_dscp)
+		{
+			case DSCP_COPY_YES:
+			case DSCP_COPY_IN_ONLY:
+				sa->flags |= XFRM_STATE_DECAP_DSCP;
+				break;
+			default:
+				break;
+		}
+	}
+	else
+	{
+		switch (data->copy_dscp)
+		{
+			case DSCP_COPY_IN_ONLY:
+			case DSCP_COPY_NO:
+			{
+				/* currently the only extra flag */
+				if (!add_uint32(hdr, sizeof(request), XFRMA_SA_EXTRA_FLAGS,
+								XFRM_SA_XFLAG_DONT_ENCAP_DSCP))
+				{
+					goto failed;
+				}
+				break;
+			}
+			default:
+				break;
+		}
+	}
+
 	switch (mode)
 	{
 		case MODE_TUNNEL:
@@ -1829,17 +1889,23 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		goto failed;
 	}
 
+	if (ipcomp == IPCOMP_NONE && (data->mark.value | data->mark.mask))
+	{
+		if (!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK,
+						data->mark.value) ||
+			!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK_MASK,
+						data->mark.mask))
+		{
+			goto failed;
+		}
+	}
+
 	if (data->tfc && id->proto == IPPROTO_ESP && mode == MODE_TUNNEL)
 	{	/* the kernel supports TFC padding only for tunnel mode ESP SAs */
-		uint32_t *tfcpad;
-
-		tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD,
-								 sizeof(*tfcpad));
-		if (!tfcpad)
+		if (!add_uint32(hdr, sizeof(request), XFRMA_TFCPAD, data->tfc))
 		{
 			goto failed;
 		}
-		*tfcpad = data->tfc;
 	}
 
 	if (id->proto != IPPROTO_COMP)
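Review bot: The two DSCP switches each end in a bare `default: break;`, so a reader has to know the kernel's defaults to see that the unlisted copy_dscp values are handled at all; the mapping is intentional (inbound: no copy on decapsulation unless XFRM_STATE_DECAP_DSCP is set; outbound: copy on encapsulation unless XFRM_SA_XFLAG_DONT_ENCAP_DSCP is set), but the hunk does not say so. Suggest replacing the two `default:` arms' silence with comments, `default: /* not copied on decap unless DECAP_DSCP is set (kernel default) */` and `default: /* copied on encap by default, nothing to request */` — please confirm against the xfrm documentation before committing the wording, since it is not visible here. The `/* currently the only extra flag */` remark would also read better as `/* XFRMA_SA_EXTRA_FLAGS is cumulative; currently DONT_ENCAP_DSCP is the only flag we set */`. This hunk sits inside add_sa, whose body starts and ends outside the diff.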
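Review bot: The new `ipcomp == IPCOMP_NONE` condition in front of the XFRMA_SET_MARK block has no explanation, and nothing nearby says why an IPComp SA must not carry the output mark while the mark.value/mark.mask pair is still being passed in for it; the XFRMA_MARK (match mark) handling just above, by contrast, is unconditional. A one-line comment stating the reason the author has in mind, e.g. `/* set the output mark on the ESP/AH SA only, not on an IPComp SA (reason: …) */`, would stop the next maintainer from "fixing" the guard away. The truthiness test `(data->mark.value | data->mark.mask)` is correct but reads as a bit operation; `(data->mark.value | data->mark.mask) != 0` or a `mark configured` comment makes the intent explicit. Kernels that predate XFRMA_SET_MARK will presumably just ignore the attribute rather than reject the SA, which means the mark is silently not applied; if that matters for policy enforcement it may be worth a debug log when the attribute is emitted — I cannot confirm kernel behaviour from this diff.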
