userland support to process notifies for new NAT mappings detected in UDP encapsulation
This commit is contained in:
parent
41b1cd6b87
commit
aa9a300677
|
@ -59,6 +59,7 @@ processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
|
||||||
processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
|
processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
|
||||||
processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
|
processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
|
||||||
processing/jobs/roam_job.c processing/jobs/roam_job.h \
|
processing/jobs/roam_job.c processing/jobs/roam_job.h \
|
||||||
|
processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
|
||||||
processing/scheduler.c processing/scheduler.h \
|
processing/scheduler.c processing/scheduler.h \
|
||||||
processing/processor.c processing/processor.h \
|
processing/processor.c processing/processor.h \
|
||||||
sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
|
sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
|
||||||
|
|
|
@ -41,6 +41,7 @@
|
||||||
#include <processing/jobs/acquire_job.h>
|
#include <processing/jobs/acquire_job.h>
|
||||||
#include <processing/jobs/rekey_child_sa_job.h>
|
#include <processing/jobs/rekey_child_sa_job.h>
|
||||||
#include <processing/jobs/delete_child_sa_job.h>
|
#include <processing/jobs/delete_child_sa_job.h>
|
||||||
|
#include <processing/jobs/update_sa_job.h>
|
||||||
|
|
||||||
/** required for Linux 2.6.26 kernel and later */
|
/** required for Linux 2.6.26 kernel and later */
|
||||||
#ifndef XFRM_STATE_AF_UNSPEC
|
#ifndef XFRM_STATE_AF_UNSPEC
|
||||||
|
@ -51,6 +52,11 @@
|
||||||
#define PRIO_LOW 3000
|
#define PRIO_LOW 3000
|
||||||
#define PRIO_HIGH 2000
|
#define PRIO_HIGH 2000
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create ORable bitfield of XFRM NL groups
|
||||||
|
*/
|
||||||
|
#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* returns a pointer to the first rtattr following the nlmsghdr *nlh and the
|
* returns a pointer to the first rtattr following the nlmsghdr *nlh and the
|
||||||
* 'usual' netlink data x like 'struct xfrm_usersa_info'
|
* 'usual' netlink data x like 'struct xfrm_usersa_info'
|
||||||
|
@ -311,6 +317,27 @@ static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
|
||||||
memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
|
memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* convert a struct xfrm_address to a host_t
|
||||||
|
*/
|
||||||
|
static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
|
||||||
|
{
|
||||||
|
chunk_t chunk;
|
||||||
|
|
||||||
|
switch (family)
|
||||||
|
{
|
||||||
|
case AF_INET:
|
||||||
|
chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
|
||||||
|
break;
|
||||||
|
case AF_INET6:
|
||||||
|
chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
return host_create_from_chunk(family, chunk, ntohs(port));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* convert a traffic selector address range to subnet and its mask.
|
* convert a traffic selector address range to subnet and its mask.
|
||||||
*/
|
*/
|
||||||
|
@ -483,6 +510,37 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr
|
||||||
charon->processor->queue_job(charon->processor, job);
|
charon->processor->queue_job(charon->processor, job);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* process a XFRM_MSG_MAPPING from kernel
|
||||||
|
*/
|
||||||
|
static void process_mapping(private_kernel_netlink_ipsec_t *this,
|
||||||
|
struct nlmsghdr *hdr)
|
||||||
|
{
|
||||||
|
job_t *job;
|
||||||
|
u_int32_t spi, reqid;
|
||||||
|
struct xfrm_user_mapping *mapping;
|
||||||
|
host_t *host;
|
||||||
|
|
||||||
|
mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
|
||||||
|
spi = mapping->id.spi;
|
||||||
|
reqid = mapping->reqid;
|
||||||
|
|
||||||
|
DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
|
||||||
|
|
||||||
|
if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
|
||||||
|
{
|
||||||
|
host = xfrm2host(mapping->id.family, &mapping->new_saddr,
|
||||||
|
mapping->new_sport);
|
||||||
|
if (host)
|
||||||
|
{
|
||||||
|
DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
|
||||||
|
"reqid {%d} changed, queueing update job", ntohl(spi), reqid);
|
||||||
|
job = (job_t*)update_sa_job_create(reqid, host);
|
||||||
|
charon->processor->queue_job(charon->processor, job);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Receives events from kernel
|
* Receives events from kernel
|
||||||
*/
|
*/
|
||||||
|
@ -531,6 +589,9 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
|
||||||
case XFRM_MSG_EXPIRE:
|
case XFRM_MSG_EXPIRE:
|
||||||
process_expire(this, hdr);
|
process_expire(this, hdr);
|
||||||
break;
|
break;
|
||||||
|
case XFRM_MSG_MAPPING:
|
||||||
|
process_mapping(this, hdr);
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -1686,7 +1747,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
|
||||||
{
|
{
|
||||||
charon->kill(charon, "unable to create XFRM event socket");
|
charon->kill(charon, "unable to create XFRM event socket");
|
||||||
}
|
}
|
||||||
addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
|
addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) | XFRMNLGRP(MAPPING);
|
||||||
if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
|
if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
|
||||||
{
|
{
|
||||||
charon->kill(charon, "unable to bind XFRM event socket");
|
charon->kill(charon, "unable to bind XFRM event socket");
|
||||||
|
|
|
@ -0,0 +1,98 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2008 Martin Willi
|
||||||
|
* Hochschule fuer Technik Rapperswil
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||||
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* for more details.
|
||||||
|
*
|
||||||
|
* $Id$
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdlib.h>
|
||||||
|
|
||||||
|
#include "update_sa_job.h"
|
||||||
|
|
||||||
|
#include <sa/ike_sa.h>
|
||||||
|
#include <daemon.h>
|
||||||
|
|
||||||
|
|
||||||
|
typedef struct private_update_sa_job_t private_update_sa_job_t;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Private data of an update_sa_job_t Object
|
||||||
|
*/
|
||||||
|
struct private_update_sa_job_t {
|
||||||
|
/**
|
||||||
|
* public update_sa_job_t interface
|
||||||
|
*/
|
||||||
|
update_sa_job_t public;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* reqid of the CHILD_SA
|
||||||
|
*/
|
||||||
|
u_int32_t reqid;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* New SA address and port
|
||||||
|
*/
|
||||||
|
host_t *new;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implements job_t.destroy.
|
||||||
|
*/
|
||||||
|
static void destroy(private_update_sa_job_t *this)
|
||||||
|
{
|
||||||
|
this->new->destroy(this->new);
|
||||||
|
free(this);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Implementation of job_t.execute.
|
||||||
|
*/
|
||||||
|
static void execute(private_update_sa_job_t *this)
|
||||||
|
{
|
||||||
|
ike_sa_t *ike_sa;
|
||||||
|
|
||||||
|
ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
|
||||||
|
this->reqid, TRUE);
|
||||||
|
if (ike_sa == NULL)
|
||||||
|
{
|
||||||
|
DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for update", this->reqid);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* we update only if other host is NATed, but not our */
|
||||||
|
if (ike_sa->has_condition(ike_sa, COND_NAT_THERE) &&
|
||||||
|
!ike_sa->has_condition(ike_sa, COND_NAT_HERE))
|
||||||
|
{
|
||||||
|
ike_sa->update_hosts(ike_sa, NULL, this->new);
|
||||||
|
}
|
||||||
|
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
|
||||||
|
}
|
||||||
|
destroy(this);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Described in header
|
||||||
|
*/
|
||||||
|
update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
|
||||||
|
{
|
||||||
|
private_update_sa_job_t *this = malloc_thing(private_update_sa_job_t);
|
||||||
|
|
||||||
|
this->public.job_interface.execute = (void (*) (job_t *)) execute;
|
||||||
|
this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
|
||||||
|
|
||||||
|
this->reqid = reqid;
|
||||||
|
this->new = new;
|
||||||
|
|
||||||
|
return &this->public;
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,52 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2008 Martin Willi
|
||||||
|
* Hochschule fuer Technik Rapperswil
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||||
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* for more details.
|
||||||
|
*
|
||||||
|
* $Id$
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @defgroup update_sa_job update_sa_job
|
||||||
|
* @{ @ingroup jobs
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef UPDATE_SA_JOB_H_
|
||||||
|
#define UPDATE_SA_JOB_H_
|
||||||
|
|
||||||
|
typedef struct update_sa_job_t update_sa_job_t;
|
||||||
|
|
||||||
|
#include <library.h>
|
||||||
|
#include <utils/host.h>
|
||||||
|
#include <processing/jobs/job.h>
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Update the addresses of an IKE and its CHILD_SAs.
|
||||||
|
*/
|
||||||
|
struct update_sa_job_t {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* implements job_t interface
|
||||||
|
*/
|
||||||
|
job_t job_interface;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Creates a job to update IKE and CHILD_SA addresses.
|
||||||
|
*
|
||||||
|
* @param reqid reqid of the CHILD_SA
|
||||||
|
* @param new new address and port
|
||||||
|
* @return update_sa_job_t object
|
||||||
|
*/
|
||||||
|
update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new);
|
||||||
|
|
||||||
|
#endif /*UPDATE_SA_JOB_H_ @} */
|
|
@ -877,11 +877,6 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
|
||||||
{
|
{
|
||||||
bool update = FALSE;
|
bool update = FALSE;
|
||||||
|
|
||||||
if (supports_extension(this, EXT_MOBIKE))
|
|
||||||
{ /* if peer speaks mobike, address updates are explicit only */
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (me == NULL)
|
if (me == NULL)
|
||||||
{
|
{
|
||||||
me = this->my_host;
|
me = this->my_host;
|
||||||
|
@ -1461,7 +1456,10 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
|
||||||
if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
|
if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
|
||||||
message->get_exchange_type(message) != IKE_SA_INIT)
|
message->get_exchange_type(message) != IKE_SA_INIT)
|
||||||
{
|
{
|
||||||
update_hosts(this, me, other);
|
if (!supports_extension(this, EXT_MOBIKE))
|
||||||
|
{ /* with MOBIKE, we do no implicit updates */
|
||||||
|
update_hosts(this, me, other);
|
||||||
|
}
|
||||||
this->time.inbound = time(NULL);
|
this->time.inbound = time(NULL);
|
||||||
}
|
}
|
||||||
status = this->task_manager->process_message(this->task_manager, message);
|
status = this->task_manager->process_message(this->task_manager, message);
|
||||||
|
|
|
@ -97,10 +97,10 @@ struct xfrm_algo {
|
||||||
};
|
};
|
||||||
|
|
||||||
struct xfrm_algo_aead {
|
struct xfrm_algo_aead {
|
||||||
char alg_name[64];
|
char alg_name[64];
|
||||||
int alg_key_len; /* in bits */
|
unsigned int alg_key_len; /* in bits */
|
||||||
int alg_icv_len; /* in bits */
|
unsigned int alg_icv_len; /* in bits */
|
||||||
char alg_key[0];
|
char alg_key[0];
|
||||||
};
|
};
|
||||||
|
|
||||||
struct xfrm_stats {
|
struct xfrm_stats {
|
||||||
|
@ -113,7 +113,8 @@ enum
|
||||||
{
|
{
|
||||||
XFRM_POLICY_TYPE_MAIN = 0,
|
XFRM_POLICY_TYPE_MAIN = 0,
|
||||||
XFRM_POLICY_TYPE_SUB = 1,
|
XFRM_POLICY_TYPE_SUB = 1,
|
||||||
XFRM_POLICY_TYPE_MAX = 2
|
XFRM_POLICY_TYPE_MAX = 2,
|
||||||
|
XFRM_POLICY_TYPE_ANY = 255
|
||||||
};
|
};
|
||||||
|
|
||||||
enum
|
enum
|
||||||
|
@ -198,6 +199,9 @@ enum {
|
||||||
#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
|
#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
|
||||||
XFRM_MSG_GETSPDINFO,
|
XFRM_MSG_GETSPDINFO,
|
||||||
#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
|
#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
|
||||||
|
|
||||||
|
XFRM_MSG_MAPPING,
|
||||||
|
#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
|
||||||
__XFRM_MSG_MAX
|
__XFRM_MSG_MAX
|
||||||
};
|
};
|
||||||
#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
|
#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
|
||||||
|
@ -427,6 +431,15 @@ struct xfrm_user_migrate {
|
||||||
__u16 new_family;
|
__u16 new_family;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
struct xfrm_user_mapping {
|
||||||
|
struct xfrm_usersa_id id;
|
||||||
|
__u32 reqid;
|
||||||
|
xfrm_address_t old_saddr;
|
||||||
|
xfrm_address_t new_saddr;
|
||||||
|
__be16 old_sport;
|
||||||
|
__be16 new_sport;
|
||||||
|
};
|
||||||
|
|
||||||
#ifndef __KERNEL__
|
#ifndef __KERNEL__
|
||||||
/* backwards compatibility for userspace */
|
/* backwards compatibility for userspace */
|
||||||
#define XFRMGRP_ACQUIRE 1
|
#define XFRMGRP_ACQUIRE 1
|
||||||
|
@ -453,6 +466,8 @@ enum xfrm_nlgroups {
|
||||||
#define XFRMNLGRP_REPORT XFRMNLGRP_REPORT
|
#define XFRMNLGRP_REPORT XFRMNLGRP_REPORT
|
||||||
XFRMNLGRP_MIGRATE,
|
XFRMNLGRP_MIGRATE,
|
||||||
#define XFRMNLGRP_MIGRATE XFRMNLGRP_MIGRATE
|
#define XFRMNLGRP_MIGRATE XFRMNLGRP_MIGRATE
|
||||||
|
XFRMNLGRP_MAPPING,
|
||||||
|
#define XFRMNLGRP_MAPPING XFRMNLGRP_MAPPING
|
||||||
__XFRMNLGRP_MAX
|
__XFRMNLGRP_MAX
|
||||||
};
|
};
|
||||||
#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1)
|
#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1)
|
||||||
|
|
Loading…
Reference in New Issue