commit 22e502b2867dde2f257273cf33ac70fbec2e7583
Author: Tobias Brunner <tobias@strongswan.org>
Date: Mon Feb 7 14:48:49 2022 +0100
vici: Make ICMP forwarding configurable
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 6ea239f0a1..dd426df53f 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -591,6 +591,7 @@ static void log_child_data(child_data_t *data, char *name)
DBG2(DBG_CFG, " copy_df = %u", !has_opt(cfg, OPT_NO_COPY_DF));
DBG2(DBG_CFG, " copy_ecn = %u", !has_opt(cfg, OPT_NO_COPY_ECN));
DBG2(DBG_CFG, " copy_dscp = %N", dscp_copy_names, cfg->copy_dscp);
+ DBG2(DBG_CFG, " icmp = %u", has_opt(cfg, OPT_FORWARD_ICMP));
}
/**
@@ -1105,6 +1106,15 @@ CALLBACK(parse_copy_dscp, bool,
return FALSE;
}
+/**
+ * Parse OTP_FORWARD_ICMP option
+ */
+CALLBACK(parse_opt_icmp, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_FORWARD_ICMP, v, TRUE);
+}
+
/**
* Parse an action_t
*/
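Review bot: The doc comment on the new callback misspells the option it parses: `Parse OTP_FORWARD_ICMP option` should read `Parse OPT_FORWARD_ICMP option`, matching the constant passed to parse_option on the following line. Since this flag relaxes policy matching in the kernel, the comment would also be more useful if it stated what the flag means, e.g. `Parse OPT_FORWARD_ICMP option (forward ICMP errors whose source does not match the negotiated policies; kernel support required)`. The fourth argument `TRUE` appears to set the flag when the value parses as enabled, which is presumably the opposite sense from the OPT_NO_* options handled by the neighbouring callbacks; a short remark on that would help the next reader, but confirm against parse_option, whose definition is outside this hunk.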
@@ -1953,6 +1963,7 @@ CALLBACK(child_kv, bool,
{ "copy_df", parse_opt_copy_df, &child->cfg.options },
{ "copy_ecn", parse_opt_copy_ecn, &child->cfg.options },
{ "copy_dscp", parse_copy_dscp, &child->cfg.copy_dscp },
+ { "icmp", parse_opt_icmp, &child->cfg.options },
{ "if_id_in", parse_if_id, &child->cfg.if_id_in },
{ "if_id_out", parse_if_id, &child->cfg.if_id_out },
{ "label", parse_label, &child->cfg.label },
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index aedab587b7..18bf0b9159 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -1182,6 +1182,18 @@ connections.<conn>.children.<child>.copy_dscp = out
receiver, which is why the default is _out_. Controlling this behavior is
not supported by all kernel interfaces.
+connections.<conn>.children.<child>.icmp = no
+ Whether to forward certain ICMP error messages even if their source IP
+ doesn't match the negotiated IPsec policies.
+
+ ICMP error messages, such as Destination Unreachable, Time Exceeded or
+ Fragmentation Needed, may be generated by a host whose IP address isn't
+ included in the negotiated traffic selectors and therefore doesn't match the
+ IPsec policies. If this option is enabled and the kernel supports it, such
+ packets may still be forwarded. As ICMP errors contain parts of the IP
+ packet that triggered them, the kernel will base its decision on a reverse
+ policy lookup using that IP header.
+
connections.<conn>.children.<child>.start_action = none
Action to perform after loading the configuration (_none_, _trap_, _start_).