child-cfg: Skip non-matching TS instead of replacing them for transpo…

…rt mode get_traffic_selectors() is called the same way also as responder when selecting child configs via peer_cfg_t::select_child_cfg(). Replacing TS for all child configs could lead to selecting one that later fails to actually narrow the traffic selectors. Ignoring non-matching TS also helps if we have a trap config with multiple remote subnets (otherwise, we'd have to filter duplicates afterwards). When installing traps, the hosts might be %any, in which case we allow the configured (technically non-matching) TS for the wildcard use case. Fixes: da82786 ("child-cfg: Always apply hosts to traffic selectors if proposing transport mode") Closes #1143
strongswan · Jul 18, 2022 · 833333e · 833333e
1 parent 1f242e7
commit 833333e
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
@@ -298,6 +298,12 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 				e2 = hosts->create_enumerator(hosts);
 				while (e2->enumerate(e2, &host))
 				{
+					if (!dynamic && !host->is_anyaddr(host) &&
+						!ts1->includes(ts1, host))
+					{	/* for transport mode, we skip TS that don't match
+						 * specific IPs */
+						continue;
+					}
 					ts2 = ts1->clone(ts1);
 					if (dynamic || !host->is_anyaddr(host))
 					{	/* don't make regular TS larger than they were */