
commit 90e6675a657c4ffdebc39b23f64922bad81bcc03
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Mon Aug 25 14:45:40 2014 +0200

    kernel-netlink: Optionally install protocol and ports on transport mode SAs

diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 2a755db22..7d44581a5 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -16,6 +16,15 @@ charon.plugins.kernel-netlink.mtu = 0
 charon.plugins.kernel-netlink.roam_events = yes
 	Whether to trigger roam events when interfaces, addresses or routes change.
 
+charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
+	Whether to set protocol and ports in the selector installed on transport
+	mode IPsec SAs in the kernel.
+
+	Whether to set protocol and ports in the selector installed on transport
+	mode IPsec SAs in the kernel. While doing so enforces policies for inbound
+	traffic, it also prevents the use of a single IPsec SA by more than one
+	traffic selector.
+
 charon.plugins.kernel-netlink.xfrm_acq_expires = 165
 	Lifetime of XFRM acquire state in kernel.
 
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index d9b55cfa7..274af7954 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -309,6 +309,12 @@ struct private_kernel_netlink_ipsec_t {
 	 */
 	bool install_routes;
 
+	/**
+	 * Whether to set protocol and ports on selector installed with transport
+	 * mode IPsec SAs
+	 */
+	bool proto_port_transport;
+
 	/**
 	 * Whether to track the history of a policy
 	 */
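Review bot: The new `proto_port_transport` member is declared here and read in the add_sa hunk below, but nothing in this patch assigns it from the `charon.plugins.kernel-netlink.set_proto_port_transport_sa` option that the .opt hunk documents; the file name suggests the constructor change is in a part2 patch, so this should be confirmed rather than assumed, and until then the field only holds whatever the allocator leaves in it (presumably false if the object is zero-initialized). The doc comment could also name the setting so a reader can find it, e.g. `* mode IPsec SAs (charon.plugins.kernel-netlink.set_proto_port_transport_sa)`. The enclosing struct definition starts and ends outside the hunk.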
@@ -1235,12 +1241,15 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			if (src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);
-				/* don't install proto/port on SA. This would break
-				 * potential secondary SAs for the same address using a
-				 * different prot/port. */
-				sa->sel.proto = 0;
-				sa->sel.dport = sa->sel.dport_mask = 0;
-				sa->sel.sport = sa->sel.sport_mask = 0;
+				if (!this->proto_port_transport)
+				{
+					/* don't install proto/port on SA. This would break
+					 * potential secondary SAs for the same address using a
+					 * different prot/port. */
+					sa->sel.proto = 0;
+					sa->sel.dport = sa->sel.dport_mask = 0;
+					sa->sel.sport = sa->sel.sport_mask = 0;
+				}
 			}
 			break;
 		default:
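Review bot: The surviving comment inside the `if (!this->proto_port_transport)` branch only explains the disabled case, so a reader does not learn what enabling the option changes on the SA; the .opt text states the trade-off (inbound traffic is matched against the selector, but one SA can no longer serve several traffic selectors), and it is worth recording it at the point where the selector is kept. A short `else`-side comment such as `/* otherwise keep proto/port from the TS: the kernel then enforces them on inbound traffic, but a second SA is needed for a different proto/port */` would do. add_sa starts and ends outside the hunk.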