def _create_policy(self, src_selector, dst_selector, src_port, dst_port, ip_proto, direction,
                   ipsec_proto, mode, src, dst, index=0):
    """Install one XFRM policy (XFRM_MSG_NEWPOLICY) for a traffic selector.

    The selector is built from the two networks, the two ports and the IP
    protocol; the attached template ties matching traffic to an ESP or AH SA
    between ``src`` and ``dst`` in the requested ``mode``.

    Args:
        src_selector / dst_selector: ``ipaddress``-style networks; element 0
            (the network address) and ``prefixlen`` form the selector's
            source/destination.
        src_port / dst_port: transport ports. A port of 0 is sent with a zero
            mask, i.e. "any port"; any other port gets a full 0xFFFF mask.
        ip_proto: IP protocol number placed in the selector.
        direction: XFRM policy direction constant, passed through unchecked.
        ipsec_proto: ``Proposal.Protocol`` value; ESP maps to IPPROTO_ESP,
            anything else to IPPROTO_AH.
        mode: XFRM mode constant (transport/tunnel), passed through to the
            template unchecked.
        src / dst: SA endpoint addresses used in the template.
        index: policy index sent to the kernel; defaults to 0.

    Raises:
        Whatever ``self.send_recv`` raises if the kernel rejects the request
        (NLM_F_ACK is requested, so a NACK surfaces there).

    Security notes (review):
        - The template's aalgos/ealgos/calgos masks are all-ones, which
          presumably means the policy itself places no constraint on the
          algorithms used; cipher/integrity pinning must therefore happen on
          the SA (XFRM state). TODO confirm the state-creation path does so.
        - The policy lifetime is infinite; expiry is expected to be enforced
          by the SA lifetime, not by this policy.
        - No reqid is passed to the template here, so the kernel may match
          this policy against any SA with the same endpoints/proto/mode —
          confirm whether reqid separation between tunnels is required.
        - ``family`` is hard-coded to AF_INET; IPv6 selectors are not handled.
    """
    # A zero port means "any", so its mask must be zero as well.
    sport_mask = 0xFFFF if src_port != 0 else 0
    dport_mask = 0xFFFF if dst_port != 0 else 0

    selector = XfrmSelector(family=socket.AF_INET,
                            daddr=XfrmAddress.from_ipaddr(dst_selector[0]),
                            saddr=XfrmAddress.from_ipaddr(src_selector[0]),
                            dport=dst_port,
                            sport=src_port,
                            dport_mask=dport_mask,
                            sport_mask=sport_mask,
                            prefixlen_d=dst_selector.prefixlen,
                            prefixlen_s=src_selector.prefixlen,
                            proto=ip_proto)
    policy_info = XfrmUserPolicyInfo(sel=selector,
                                     dir=direction,
                                     index=index,
                                     action=XFRM_POLICY_ALLOW,
                                     lft=XfrmLifetimeCfg.infinite())

    # Only ESP is recognised explicitly; every other proposal value becomes AH.
    if ipsec_proto == Proposal.Protocol.ESP:
        sa_proto = socket.IPPROTO_ESP
    else:
        sa_proto = socket.IPPROTO_AH

    sa_id = XfrmId(daddr=XfrmAddress.from_ipaddr(dst), proto=sa_proto)
    # All-ones algorithm masks: the policy does not restrict algorithms here.
    template = XfrmUserTmpl(id=sa_id,
                            family=socket.AF_INET,
                            saddr=XfrmAddress.from_ipaddr(src),
                            aalgos=0xFFFFFFFF,
                            ealgos=0xFFFFFFFF,
                            calgos=0xFFFFFFFF,
                            mode=mode)

    self.send_recv(XFRM_MSG_NEWPOLICY, (NLM_F_REQUEST | NLM_F_ACK), policy_info,
                   {XFRMA_TMPL: template})