[strongSwan] Re: what's the expression of a range of address?
Tony.He 賀雙鳳
Tony.He at DELTAWW.COM.CN
Thu Feb 25 09:44:16 CET 2016
Hi,
Thanks for the reply. I have checked the latest kernel code (Git commit ID is 6dc390a). Below is the selector definition.
/* Selector, used as selector both on policy rules (SPD) and SAs. */
struct xfrm_selector {
	xfrm_address_t	daddr;
	xfrm_address_t	saddr;
	__be16	dport;
	__be16	dport_mask;
	__be16	sport;
	__be16	sport_mask;
	__u16	family;
	__u8	prefixlen_d;
	__u8	prefixlen_s;
	__u8	proto;
	int	ifindex;
	__kernel_uid32_t	user;
};
It seems that the kernel doesn't support a range of IP addresses, even though the RFC (http://tools.ietf.org/html/rfc4301#page-26) defines the expression of an IP address range.
I will try to use a firewall rule or modify the kernel code if necessary.
Best regards
Tony
From: Rayson Zhu [mailto:vfreex at gmail.com]
Sent: 25 February 2016 14:48
To: Tony.He 賀雙鳳
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] what's the expression of a range of address?
You can use a firewall rule rather than narrow your tunnel for this scenario.
But users can change their IP addresses manually to bypass your restriction if you don't bind their MAC addresses/ports to their IP addresses.
On Thu, Feb 25, 2016 at 12:03 PM, Tony.He 賀雙鳳 <Tony.He at deltaww.com.cn> wrote:
Hi,
Here is the topology.
local subnet 192.168.1.0/24 - GW A --- Internet --- GW B - local subnet 192.168.2.0/24.
I want to allow only hosts whose IP addresses are in a range to be part of the tunnel. For example, 192.168.1.2-192.168.1.8 are allowed
in site A and 192.168.2.3-192.168.2.11 are allowed in site B. Can anyone tell me how to configure this? Thanks in advance.
Best regards
Tony
*************************************************************************
This email message, including any attachments, is for the sole
use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message. [Delta Electronics, INC. China]
*************************************************************************
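As an added example (not code from either poster or from the strongSwan project): because the xfrm_selector quoted above holds only one address plus a prefixlen per side, an arbitrary first..last range has to be split into aligned CIDR prefixes, and strongSwan's ipsec.conf leftsubnet/rightsubnet keys accept such a comma-separated list. This Python decomposes the two ranges from the thread and counts the resulting SPD entries per direction, one per local/remote prefix pair; the range values are taken from the question, the conn name is made up.

```python
import ipaddress

# Constructed from the ranges in the thread; not strongSwan project code.
SITE_A_RANGE = ("192.168.1.2", "192.168.1.8")
SITE_B_RANGE = ("192.168.2.3", "192.168.2.11")


def range_to_prefixes(first, last):
    """Split an inclusive address range into the minimal list of aligned
    CIDR prefixes. Each prefix is what xfrm_selector can express
    (address + prefixlen_s/prefixlen_d); a plain first..last range is not."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError("range must be one address family with first <= last")
    bits = lo.max_prefixlen          # 32 for IPv4, 128 for IPv6
    start, end = int(lo), int(hi)
    prefixes = []
    while start <= end:
        # Grow the block while it stays aligned to its own size and
        # its last address does not run past the end of the range.
        size = 1
        while (start & ((size << 1) - 1)) == 0 and start + (size << 1) - 1 <= end:
            size <<= 1
        prefixlen = bits - (size.bit_length() - 1)
        prefixes.append(f"{ipaddress.ip_address(start)}/{prefixlen}")
        start += size
    return prefixes


def child_config(local_range, remote_range, name="site-a-b"):
    """Render the ipsec.conf subnet lists and return how many xfrm policies
    the kernel needs per direction: one selector per local/remote pair."""
    local = range_to_prefixes(*local_range)
    remote = range_to_prefixes(*remote_range)
    conf = (f"conn {name}\n"
            f"    leftsubnet={','.join(local)}\n"
            f"    rightsubnet={','.join(remote)}\n")
    return conf, len(local) * len(remote)


if __name__ == "__main__":
    conf, policies = child_config(SITE_A_RANGE, SITE_B_RANGE)
    print(conf)
    print(f"# {policies} xfrm policies per direction")
```

The 7 addresses on site A need three prefixes (/31, /30, /32) and the 9 on site B also need three, so even this small range costs nine selectors per direction; a firewall rule on the gateway, as suggested in the reply, avoids that growth but filters after the SA has already accepted the traffic.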