[dev][crypto][strongswan] Source-code analysis of strongswan's forward policy


By default, after we set up an IPsec tunnel with strongswan, the policies that get installed look like this:

    [root@D129 OUTPUT]# ip xfrm policy
    src 10.129.0.0/16 dst 10.9.0.0/16 
        dir out priority 383615 ptype main 
        tmpl src 192.168.8.129 dst 192.168.8.9
            proto esp spi 0x5623adc0 reqid 1 mode tunnel
    src 10.9.0.0/16 dst 10.129.0.0/16 
        dir fwd priority 383615 ptype main 
        tmpl src 192.168.8.9 dst 192.168.8.129
            proto esp reqid 1 mode tunnel
    src 10.9.0.0/16 dst 10.129.0.0/16 
        dir in priority 383615 ptype main 
        tmpl src 192.168.8.9 dst 192.168.8.129
            proto esp reqid 1 mode tunnel

From this listing we can conclude:

1.  There are three policies in total: one IN, one OUT and one FWD.

2.  The IN and FWD policies have identical source/destination selector pairs and identical template source/destination pairs; the OUT policy has both reversed.

However, what can be learned is not limited to this. Next, read two snippets of the strongswan code:

    https://github.com/strongswan/strongswan/blob/5.7.2/src/libcharon/sa/child_sa.c

    static status_t install_policies_inbound(private_child_sa_t *this,
        host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
    ... ...
        if (this->mode != MODE_TRANSPORT)
        {
            in_id.dir = POLICY_FWD;
            status |= charon->kernel->add_policy(charon->kernel, &in_id, &in_policy);
        }
        return status;
    }
    ... ...
    static status_t install_policies_outbound(private_child_sa_t *this,
        host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
    ... ...
            out_id.dir = POLICY_FWD;
            other_sa->reqid = 0;
            if (priority == POLICY_PRIORITY_DEFAULT)
            {
                out_policy.prio = POLICY_PRIORITY_ROUTED;
            }
            status |= charon->kernel->add_policy(charon->kernel, &out_id,
                                                 &out_policy);
            /* reset the reqid for any other further policies */
            other_sa->reqid = this->reqid;
        }
        return status;
    }

From the code above we can see that both the IN and the OUT direction have a FWD policy of their own, and whether each one is installed is decided by the SA's configured parameters:

    child_sa_t * child_sa_create(host_t *me, host_t* other,
                                 child_cfg_t *config, uint32_t reqid, bool encap,
    ... ...
            .policies_fwd_out = config->has_option(config, OPT_FWD_OUT_POLICIES),
    ... ...
    }

This option is documented in the swanctl.conf manual:

          connections.<conn>.children.<child>.policies_fwd_out [no]
                  Whether to install outbound FWD IPsec policies or not. Enabling this is required in case there is a drop policy that would match and block forwarded traffic for this CHILD_SA.

There is also a comment in the source that helps to understand it:

            /* install an "outbound" FWD policy in case there is a drop policy
             * matching outbound forwarded traffic, to allow another tunnel to use
             * the reversed subnets and do the same we don't set a reqid (this also
             * allows the kernel backend to distinguish between the two types of
             * FWD policies). To avoid problems with symmetrically overlapping
             * policies of two SAs we install them with reduced priority.  As they
             * basically act as bypass policies for drop policies we use a higher
             * priority than is used for them. */

In other words, once the `policies_fwd_out` option described above is enabled, the policies strongswan creates for each SA are no longer the three shown at the beginning but four: one IN, one OUT and two FWD, where the two FWD policies match the parameters of the IN and the OUT policy respectively.
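As an added example (not code from this post or from the strongswan project), the following Python script parses `ip xfrm policy` output, labels each policy as in / out / fwd-in / fwd-out by the selector comparison the post describes, and checks the properties strongswan's comment states for the outbound FWD policy: no reqid and a reduced priority. The three-policy sample is the listing from the post; the four-policy sample, its priority value, and the assumption that a template printed without `reqid` means reqid 0 are constructed for illustration.

```python
import re

# Constructed sample: the three policies the post shows for a tunnel with the
# default policies_fwd_out = no (copied from the post's `ip xfrm policy` output).
SAMPLE_DEFAULT = """\
src 10.129.0.0/16 dst 10.9.0.0/16
    dir out priority 383615 ptype main
    tmpl src 192.168.8.129 dst 192.168.8.9
        proto esp spi 0x5623adc0 reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.129.0.0/16
    dir fwd priority 383615 ptype main
    tmpl src 192.168.8.9 dst 192.168.8.129
        proto esp reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.129.0.0/16
    dir in priority 383615 ptype main
    tmpl src 192.168.8.9 dst 192.168.8.129
        proto esp reqid 1 mode tunnel
"""

# Constructed sample of the same tunnel with policies_fwd_out = yes: a fourth
# policy, dir fwd, whose selector and template match the out policy. Per the
# strongswan comment it carries no reqid and a reduced (numerically higher)
# priority; the priority value 385663 is an assumption, not a captured value.
SAMPLE_FWD_OUT = SAMPLE_DEFAULT + """\
src 10.129.0.0/16 dst 10.9.0.0/16
    dir fwd priority 385663 ptype main
    tmpl src 192.168.8.129 dst 192.168.8.9
        proto esp reqid 0 mode tunnel
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)\s*$")
DIR_RE = re.compile(r"^\s+dir (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
ATTR_RE = re.compile(
    r"^\s+proto (\w+)(?: spi (0x[0-9a-fA-F]+))?(?: reqid (\d+))? mode (\w+)")


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into a list of dicts, one per policy."""
    policies = []
    cur = None
    for line in text.splitlines():
        m = SEL_RE.match(line)
        if m:  # a new policy starts with its selector line
            cur = {"src": m.group(1), "dst": m.group(2), "reqid": 0, "spi": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl_src"], cur["tmpl_dst"] = m.group(1), m.group(2)
            continue
        m = ATTR_RE.match(line)
        if m:
            cur["proto"], cur["spi"], cur["mode"] = m.group(1), m.group(2), m.group(4)
            # Assumption: a template printed without a reqid is reqid 0.
            cur["reqid"] = int(m.group(3)) if m.group(3) else 0
    return policies


def classify(policies):
    """Label policies as in / out / fwd-in / fwd-out by comparing selectors.

    fwd-in shares the in policy's selector (the normal forward policy);
    fwd-out shares the out policy's selector, i.e. the extra policy that
    strongswan installs only when policies_fwd_out is enabled.
    """
    by_dir = {p["dir"]: p for p in policies if p["dir"] in ("in", "out")}
    labeled = dict(by_dir)
    for p in policies:
        if p["dir"] != "fwd":
            continue
        sel = (p["src"], p["dst"])
        if "in" in by_dir and sel == (by_dir["in"]["src"], by_dir["in"]["dst"]):
            labeled["fwd-in"] = p
        elif "out" in by_dir and sel == (by_dir["out"]["src"], by_dir["out"]["dst"]):
            labeled["fwd-out"] = p
    return labeled


def check_policy_set(text):
    """Return (labels, issues) for one tunnel's policy listing."""
    labeled = classify(parse_xfrm_policy(text))
    issues = [f"missing {d} policy" for d in ("in", "out", "fwd-in") if d not in labeled]
    if "fwd-out" in labeled:
        fo = labeled["fwd-out"]
        if fo["reqid"] != 0:
            issues.append("fwd-out policy unexpectedly carries a reqid")
        if "fwd-in" in labeled and fo["priority"] <= labeled["fwd-in"]["priority"]:
            issues.append("fwd-out policy priority is not reduced")
    if "in" in labeled and "fwd-in" in labeled:  # the post's observation 2
        a, b = labeled["in"], labeled["fwd-in"]
        if (a["tmpl_src"], a["tmpl_dst"]) != (b["tmpl_src"], b["tmpl_dst"]):
            issues.append("in and fwd-in templates differ")
    return labeled, issues


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("fwd_out", SAMPLE_FWD_OUT)):
        labels, issues = check_policy_set(sample)
        print(name, sorted(labels), issues or "ok")
```

On a live host the same functions can be fed the output of `ip xfrm policy` to confirm that a tunnel has the expected three (or, with `policies_fwd_out = yes`, four) policies and that the outbound FWD policy really is the reqid-less, lower-priority one the strongswan comment describes.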

Original article: https://www.cnblogs.com/hugetong/p/10517873.html