By default, once we have brought up an IPsec tunnel with strongSwan, the policies it installs look like this:
[root@D129 OUTPUT]# ip xfrm policy
src 10.129.0.0/16 dst 10.9.0.0/16
        dir out priority 383615 ptype main
        tmpl src 192.168.8.129 dst 192.168.8.9
                proto esp spi 0x5623adc0 reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.129.0.0/16
        dir fwd priority 383615 ptype main
        tmpl src 192.168.8.9 dst 192.168.8.129
                proto esp reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.129.0.0/16
        dir in priority 383615 ptype main
        tmpl src 192.168.8.9 dst 192.168.8.129
                proto esp reqid 1 mode tunnel
From this output we can draw two observations:
1. There are three policies in total, one of each type: IN, OUT and FWD.
2. The IN and FWD policies have the same src/dst selector pair and the same template src/dst pair (the IN policy is the one with an `spi`-less template here; the OUT policy carries the SPI). The OUT policy has both pairs reversed.
That is not the whole picture, though. The next step is to read two excerpts of the strongSwan source that install these policies:
https://github.com/strongswan/strongswan/blob/5.7.2/src/libcharon/sa/child_sa.c
static status_t install_policies_inbound(private_child_sa_t *this,
    host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
    ... ...
    if (this->mode != MODE_TRANSPORT)
    {
        in_id.dir = POLICY_FWD;
        status |= charon->kernel->add_policy(charon->kernel, &in_id, &in_policy);
    }
    return status;
}

... ...

static status_t install_policies_outbound(private_child_sa_t *this,
    host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
    ... ...
        out_id.dir = POLICY_FWD;
        other_sa->reqid = 0;
        if (priority == POLICY_PRIORITY_DEFAULT)
        {
            out_policy.prio = POLICY_PRIORITY_ROUTED;
        }
        status |= charon->kernel->add_policy(charon->kernel, &out_id, &out_policy);
        /* reset the reqid for any other further policies */
        other_sa->reqid = this->reqid;
    }
    return status;
}
The code shows that each direction, IN as well as OUT, has a FWD policy of its own. The inbound FWD policy is installed whenever the CHILD_SA is not in transport mode; the outbound one is installed only when a specific option of the SA is set, which comes from the child configuration:
child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
    uint32_t reqid, bool encap,
    ... ...
    .policies_fwd_out = config->has_option(config, OPT_FWD_OUT_POLICIES),
    ... ...
}
This option is documented in the swanctl.conf manual:
connections.<conn>.children.<child>.policies_fwd_out [no]
    Whether to install outbound FWD IPsec policies or not. Enabling this is required in case there is a drop policy that would match and block forwarded traffic for this CHILD_SA.
There is also a comment in child_sa.c, just above the outbound FWD installation, that helps to understand the intent:
/* install an "outbound" FWD policy in case there is a drop policy
 * matching outbound forwarded traffic, to allow another tunnel to use
 * the reversed subnets and do the same we don't set a reqid (this also
 * allows the kernel backend to distinguish between the two types of
 * FWD policies). To avoid problems with symmetrically overlapping
 * policies of two SAs we install them with reduced priority. As they
 * basically act as bypass policies for drop policies we use a higher
 * priority than is used for them. */
In other words, once `policies_fwd_out` is enabled, strongSwan no longer installs the three policies per CHILD_SA shown at the start, but four: one IN, one OUT and two FWD. The first FWD policy mirrors the IN policy (same selectors, same template, same reqid). The second mirrors the OUT policy's selectors and template, but, as the code above shows, it is installed with reqid 0 and with a reduced priority (`POLICY_PRIORITY_ROUTED` instead of the default), so it only acts as a bypass for a matching drop policy rather than as a second full OUT-style policy.
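To check the two layouts described above on a live host, the following added example (written for this post, not strongSwan code) parses `ip xfrm policy` output and labels every FWD policy as either the mirror of the IN policy (same selectors and reqid) or the extra "outbound" FWD policy that `policies_fwd_out = yes` adds (OUT selectors, reqid 0, lower precedence). The two sample dumps are constructed from the addresses used in this post; the priority number of the extra FWD policy is an assumed value for illustration, since the page only tells us it is reduced relative to the default.

```python
"""Classify the IN / OUT / FWD xfrm policies strongSwan installs per CHILD_SA.

Added example for this post, not strongSwan code.  Sample dumps are constructed
to match the post; the priority of the fwd_out policy is an assumed value.
"""
import re
import subprocess
import sys
from collections import Counter

# Constructed: the three policies installed by default (as in the post).
DEFAULT_DUMP = """\
src 10.129.0.0/16 dst 10.9.0.0/16
	dir out priority 383615 ptype main
	tmpl src 192.168.8.129 dst 192.168.8.9
		proto esp spi 0x5623adc0 reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.129.0.0/16
	dir fwd priority 383615 ptype main
	tmpl src 192.168.8.9 dst 192.168.8.129
		proto esp reqid 1 mode tunnel
src 10.9.0.0/16 dst 10.129.0.0/16
	dir in priority 383615 ptype main
	tmpl src 192.168.8.9 dst 192.168.8.129
		proto esp reqid 1 mode tunnel
"""

# Constructed: the same CHILD_SA with policies_fwd_out = yes.  The fourth policy
# copies the OUT selectors/template but has reqid 0 and a larger (lower
# precedence) priority number, as install_policies_outbound does.  583615 is an
# assumed value for illustration.
FWD_OUT_DUMP = DEFAULT_DUMP + """\
src 10.129.0.0/16 dst 10.9.0.0/16
	dir fwd priority 583615 ptype main
	tmpl src 192.168.8.129 dst 192.168.8.9
		proto esp reqid 0 mode tunnel
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"\bdir (\w+) priority (\d+)")
TMPL_RE = re.compile(r"\btmpl src (\S+) dst (\S+)")
REQID_RE = re.compile(r"\breqid (\d+)")


def parse_xfrm_policies(dump):
    """Turn `ip xfrm policy` text into a list of dicts, one per policy."""
    policies, cur = [], None
    for line in dump.splitlines():
        text = line.strip()
        m = SEL_RE.match(text)
        if m and not line[:1].isspace():  # an unindented src/dst line opens a policy
            cur = {"src": m.group(1), "dst": m.group(2), "reqid": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        if (m := DIR_RE.search(text)):
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        if (m := TMPL_RE.search(text)):
            cur["tmpl_src"], cur["tmpl_dst"] = m.groups()
        if (m := REQID_RE.search(text)):
            cur["reqid"] = int(m.group(1))
    return policies


def same_selectors(a, b):
    """True when selector pair and template address pair are identical."""
    return all(a.get(k) == b.get(k) for k in ("src", "dst", "tmpl_src", "tmpl_dst"))


def classify(policies):
    """Label each policy: in, out, fwd_in (mirror of IN) or fwd_out (extra FWD)."""
    ins = [p for p in policies if p["dir"] == "in"]
    outs = [p for p in policies if p["dir"] == "out"]
    labels = []
    for p in policies:
        if p["dir"] != "fwd":
            labels.append(p["dir"])
        elif any(same_selectors(p, q) and p["reqid"] == q["reqid"] for q in ins):
            labels.append("fwd_in")
        elif p["reqid"] == 0 and any(same_selectors(p, q) for q in outs):
            labels.append("fwd_out")
        else:
            labels.append("fwd_unknown")  # e.g. a shunt or a manually added policy
    return labels


def verify(policies):
    """Return deviations from the layout described in the post (empty list = OK)."""
    labels = classify(policies)
    issues = []
    if labels.count("fwd_unknown"):
        issues.append("%d FWD policies match neither IN nor OUT" % labels.count("fwd_unknown"))
    for p, label in zip(policies, labels):
        if label == "fwd_in":
            twin = next(q for q in policies if q["dir"] == "in" and same_selectors(p, q))
            if p["priority"] != twin["priority"]:
                issues.append("fwd_in priority differs from IN")
        elif label == "fwd_out":
            twin = next(q for q in policies if q["dir"] == "out" and same_selectors(p, q))
            # A bypass policy must not outrank the real OUT policy (lower number wins).
            if p["priority"] <= twin["priority"]:
                issues.append("fwd_out priority not reduced relative to OUT")
    return issues


def summarize(dump):
    """Counts per label, e.g. {'out': 1, 'fwd_in': 1, 'in': 1} for the default layout."""
    return dict(Counter(classify(parse_xfrm_policies(dump))))


if __name__ == "__main__":
    # Read a dump from stdin, or run `ip xfrm policy` on a live host.
    dump = sys.stdin.read() if not sys.stdin.isatty() else subprocess.run(
        ["ip", "xfrm", "policy"], capture_output=True, text=True, check=True).stdout
    print(summarize(dump))
    for msg in verify(parse_xfrm_policies(dump)) or ["OK: policy layout matches"]:
        print(msg)
```

Run it as `ip xfrm policy | python3 check_policies.py` on either peer: with the default configuration it reports one `in`, one `out` and one `fwd_in`; with `policies_fwd_out = yes` a `fwd_out` entry appears, and `verify` complains if that entry does not have the reduced priority the code comment above describes.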