/*
* Copyright (C) 2013 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2012 Martin Willi
* Copyright (C) 2012 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "unity_handler.h"
#include <daemon.h>
#include <threading/mutex.h>
#include <collections/linked_list.h>
#include <processing/jobs/callback_job.h>
typedef struct private_unity_handler_t private_unity_handler_t;
/**
* Private data of an unity_handler_t object.
*/
struct private_unity_handler_t {
/**
* Public unity_handler_t interface.
*/
unity_handler_t public;
/**
* List of subnets to include, as entry_t
*/
linked_list_t *include;
/**
* Mutex for concurrent access to lists
*/
mutex_t *mutex;
};
/**
* Traffic selector entry for networks to include under a given IKE_SA
*/
typedef struct {
/** associated IKE_SA COOKIEs */
ike_sa_id_t *id;
/** traffic selector to include/exclude */
traffic_selector_t *ts;
} entry_t;
/**
* Clean up an entry
*/
static void entry_destroy(entry_t *this)
{
this->id->destroy(this->id);
this->ts->destroy(this->ts);
free(this);
}
/**
* Create a traffic selector from a unity subnet definition
*/
static traffic_selector_t *create_ts(chunk_t subnet)
{
chunk_t net, mask;
int i;
net = chunk_create(subnet.ptr, 4);
mask = chunk_clonea(chunk_create(subnet.ptr + 4, 4));
for (i = 0; i < net.len; i++)
{
mask.ptr[i] = (mask.ptr[i] ^ 0xFF) | net.ptr[i];
}
return traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE,
net, 0, mask, 65535);
}
/**
* Parse a unity attribute and extract all subnets as traffic selectors
*/
static linked_list_t *parse_subnets(chunk_t data)
{
linked_list_t *list = NULL;
traffic_selector_t *ts;
while (data.len >= 8)
{ /* the padding is optional */
ts = create_ts(data);
if (ts)
{
if (!list)
{
list = linked_list_create();
}
list->insert_last(list, ts);
}
/* skip address, mask and 6 bytes of padding */
data = chunk_skip(data, 14);
}
return list;
}
/**
* Store a list of subnets to include in tunnels under this IKE_SA
*/
static bool add_include(private_unity_handler_t *this, chunk_t data)
{
traffic_selector_t *ts;
linked_list_t *list;
ike_sa_t *ike_sa;
entry_t *entry;
ike_sa = charon->bus->get_sa(charon->bus);
if (!ike_sa)
{
return FALSE;
}
list = parse_subnets(data);
if (!list)
{
return FALSE;
}
while (list->remove_first(list, (void**)&ts) == SUCCESS)
{
INIT(entry,
.id = ike_sa->get_id(ike_sa),
.ts = ts,
);
entry->id = entry->id->clone(entry->id);
this->mutex->lock(this->mutex);
this->include->insert_last(this->include, entry);
this->mutex->unlock(this->mutex);
}
list->destroy(list);
return TRUE;
}
/**
* Remove a list of subnets from the inclusion list for this IKE_SA
*/
static bool remove_include(private_unity_handler_t *this, chunk_t data)
{
enumerator_t *enumerator;
traffic_selector_t *ts;
linked_list_t *list;
ike_sa_t *ike_sa;
entry_t *entry;
ike_sa = charon->bus->get_sa(charon->bus);
if (!ike_sa)
{
return FALSE;
}
list = parse_subnets(data);
if (!list)
{
return FALSE;
}
this->mutex->lock(this->mutex);
while (list->remove_first(list, (void**)&ts) == SUCCESS)
{
enumerator = this->include->create_enumerator(this->include);
while (enumerator->enumerate(enumerator, &entry))
{
if (entry->id->equals(entry->id, ike_sa->get_id(ike_sa)) &&
ts->equals(ts, entry->ts))
{
this->include->remove_at(this->include, enumerator);
entry_destroy(entry);
break;
}
}
enumerator->destroy(enumerator);
ts->destroy(ts);
}
this->mutex->unlock(this->mutex);
list->destroy(list);
return TRUE;
}
/**
* Create a unique shunt name for a bypass policy
*/
static void create_shunt_name(ike_sa_t *ike_sa, traffic_selector_t *ts,
char *buf, size_t len)
{
snprintf(buf, len, "Unity (%s[%u]: %R)", ike_sa->get_name(ike_sa),
ike_sa->get_unique_id(ike_sa), ts);
}
/**
* Install entry as a shunt policy
*/
static job_requeue_t add_exclude_async(entry_t *entry)
{
enumerator_t *enumerator;
child_cfg_t *child_cfg;
child_cfg_create_t child = {
.mode = MODE_PASS,
};
ike_sa_t *ike_sa;
char name[128];
host_t *host;
ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, entry->id);
if (ike_sa)
{
create_shunt_name(ike_sa, entry->ts, name, sizeof(name));
child_cfg = child_cfg_create(name, &child);
child_cfg->add_traffic_selector(child_cfg, FALSE,
entry->ts->clone(entry->ts));
host = ike_sa->get_my_host(ike_sa);
child_cfg->add_traffic_selector(child_cfg, TRUE,
traffic_selector_create_from_subnet(host->clone(host),
32, 0, 0, 65535));
enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
while (enumerator->enumerate(enumerator, &host))
{
child_cfg->add_traffic_selector(child_cfg, TRUE,
traffic_selector_create_from_subnet(host->clone(host),
32, 0, 0, 65535));
}
enumerator->destroy(enumerator);
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
charon->shunts->install(charon->shunts, "unity", child_cfg);
child_cfg->destroy(child_cfg);
DBG1(DBG_IKE, "installed %N bypass policy for %R",
configuration_attribute_type_names, UNITY_LOCAL_LAN, entry->ts);
}
return JOB_REQUEUE_NONE;
}
/**
* Add a bypass policy for a given subnet
*/
static bool add_exclude(private_unity_handler_t *this, chunk_t data)
{
traffic_selector_t *ts;
linked_list_t *list;
ike_sa_t *ike_sa;
entry_t *entry;
ike_sa = charon->bus->get_sa(charon->bus);
if (!ike_sa)
{
return FALSE;
}
list = parse_subnets(data);
if (!list)
{
return FALSE;
}
while (list->remove_first(list, (void**)&ts) == SUCCESS)
{
INIT(entry,
.id = ike_sa->get_id(ike_sa),
.ts = ts,
);
entry->id = entry->id->clone(entry->id);
/* we can't install the shunt policy yet, as we don't know the virtual IP.
* Defer installation using an async callback. */
lib->processor->queue_job(lib->processor, (job_t*)
callback_job_create((void*)add_exclude_async, entry,
(void*)entry_destroy, NULL));
}
list->destroy(list);
return TRUE;
}
/**
* Remove a bypass policy for a given subnet
*/
static bool remove_exclude(private_unity_handler_t *this, chunk_t data)
{
traffic_selector_t *ts;
linked_list_t *list;
ike_sa_t *ike_sa;
char name[128];
bool success = TRUE;
ike_sa = charon->bus->get_sa(charon->bus);
if (!ike_sa)
{
return FALSE;
}
list = parse_subnets(data);
if (!list)
{
return FALSE;
}
while (list->remove_first(list, (void**)&ts) == SUCCESS)
{
create_shunt_name(ike_sa, ts, name, sizeof(name));
DBG1(DBG_IKE, "uninstalling %N bypass policy for %R",
configuration_attribute_type_names, UNITY_LOCAL_LAN, ts);
ts->destroy(ts);
success = charon->shunts->uninstall(charon->shunts, "unity",
name) && success;
}
list->destroy(list);
return success;
}
METHOD(attribute_handler_t, handle, bool,
private_unity_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
switch (type)
{
case UNITY_SPLIT_INCLUDE:
return add_include(this, data);
case UNITY_LOCAL_LAN:
return add_exclude(this, data);
default:
return FALSE;
}
}
METHOD(attribute_handler_t, release, void,
private_unity_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
switch (type)
{
case UNITY_SPLIT_INCLUDE:
remove_include(this, data);
break;
case UNITY_LOCAL_LAN:
remove_exclude(this, data);
break;
default:
break;
}
}
/**
* Configuration attributes to request
*/
static configuration_attribute_type_t attributes[] = {
UNITY_SPLIT_INCLUDE,
UNITY_LOCAL_LAN,
};
/**
* Attribute enumerator implementation
*/
typedef struct {
/** implements enumerator_t */
enumerator_t public;
/** position in attributes[] */
int i;
} attribute_enumerator_t;
METHOD(enumerator_t, enumerate_attributes, bool,
attribute_enumerator_t *this, va_list args)
{
configuration_attribute_type_t *type;
chunk_t *data;
VA_ARGS_VGET(args, type, data);
if (this->i < countof(attributes))
{
*type = attributes[this->i++];
*data = chunk_empty;
return TRUE;
}
return FALSE;
}
METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
unity_handler_t *this, ike_sa_t *ike_sa, linked_list_t *vips)
{
attribute_enumerator_t *enumerator;
ike_sa = charon->bus->get_sa(charon->bus);
if (!ike_sa || ike_sa->get_version(ike_sa) != IKEV1 ||
!ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
{
return enumerator_create_empty();
}
INIT(enumerator,
.public = {
.enumerate = enumerator_enumerate_default,
.venumerate = _enumerate_attributes,
.destroy = (void*)free,
},
);
return &enumerator->public;
}
typedef struct {
/** mutex to unlock */
mutex_t *mutex;
/** IKE_SA ID to filter for */
ike_sa_id_t *id;
} include_filter_t;
CALLBACK(include_filter, bool,
include_filter_t *data, enumerator_t *orig, va_list args)
{
entry_t *entry;
traffic_selector_t **ts;
VA_ARGS_VGET(args, ts);
while (orig->enumerate(orig, &entry))
{
if (data->id->equals(data->id, entry->id))
{
*ts = entry->ts;
return TRUE;
}
}
return FALSE;
}
CALLBACK(destroy_filter, void,
include_filter_t *data)
{
data->mutex->unlock(data->mutex);
free(data);
}
METHOD(unity_handler_t, create_include_enumerator, enumerator_t*,
private_unity_handler_t *this, ike_sa_id_t *id)
{
include_filter_t *data;
INIT(data,
.mutex = this->mutex,
.id = id,
);
data->mutex->lock(data->mutex);
return enumerator_create_filter(
this->include->create_enumerator(this->include),
include_filter, data, destroy_filter);
}
METHOD(unity_handler_t, destroy, void,
private_unity_handler_t *this)
{
this->include->destroy(this->include);
this->mutex->destroy(this->mutex);
free(this);
}
/**
* See header
*/
unity_handler_t *unity_handler_create()
{
private_unity_handler_t *this;
INIT(this,
.public = {
.handler = {
.handle = _handle,
.release = _release,
.create_attribute_enumerator = _create_attribute_enumerator,
},
.create_include_enumerator = _create_include_enumerator,
.destroy = _destroy,
},
.include = linked_list_create(),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
);
return &this->public;
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to unity_handler.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / plugins / unity