added policy cache to kernel interface
allows refcounting of multiple installed policies finally brings us stable simultaneous rekeying
This commit is contained in:
parent
269f7f448b
commit
aeeb4f4f97
|
@ -204,7 +204,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = {
|
|||
* Message rule for CREATE_CHILD_SA from responder.
|
||||
*/
|
||||
static payload_rule_t create_child_sa_r_payload_rules[] = {
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
|
||||
{SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
|
||||
{NONCE,1,1,TRUE,FALSE},
|
||||
{KEY_EXCHANGE,0,1,TRUE,FALSE},
|
||||
|
|
|
@ -113,11 +113,6 @@ struct private_child_sa_t {
|
|||
* transaction which is rekeying this CHILD_SA
|
||||
*/
|
||||
void *rekeying_transaction;
|
||||
|
||||
/**
|
||||
* has this child SA been rekeyed/is rekeying?
|
||||
*/
|
||||
bool is_rekeying;
|
||||
|
||||
/**
|
||||
* Specifies if NAT traversal is used
|
||||
|
@ -446,21 +441,21 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
|
|||
policy->me.net, policy->other.net,
|
||||
policy->me.net_mask, policy->other.net_mask,
|
||||
XFRM_POLICY_OUT, policy->upper_proto,
|
||||
this->protocol, this->reqid);
|
||||
this->protocol, this->reqid, FALSE);
|
||||
|
||||
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
|
||||
this->other.addr, this->me.addr,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_IN, policy->upper_proto,
|
||||
this->protocol, this->reqid);
|
||||
this->protocol, this->reqid, FALSE);
|
||||
|
||||
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
|
||||
this->other.addr, this->me.addr,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_FWD, policy->upper_proto,
|
||||
this->protocol, this->reqid);
|
||||
this->protocol, this->reqid, FALSE);
|
||||
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
|
@ -487,7 +482,6 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
|
|||
static void set_rekeying_transaction(private_child_sa_t *this, void *transaction)
|
||||
{
|
||||
this->rekeying_transaction = transaction;
|
||||
this->is_rekeying = TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -498,100 +492,28 @@ static void* get_rekeying_transaction(private_child_sa_t *this)
|
|||
return this->rekeying_transaction;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of child_sa_t.is_rekeying.
|
||||
*/
|
||||
static bool is_rekeying(private_child_sa_t *this)
|
||||
{
|
||||
return this->is_rekeying;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of child_sa_t.get_use_time
|
||||
*/
|
||||
static status_t get_use_time(private_child_sa_t *this, bool inbound, time_t *use_time)
|
||||
{
|
||||
iterator_t *iterator;
|
||||
sa_policy_t *policy;
|
||||
struct protoent *proto;
|
||||
char proto_buf[8] = "";
|
||||
char *proto_name = proto_buf;
|
||||
status_t status;
|
||||
|
||||
*use_time = UNDEFINED_TIME;
|
||||
|
||||
iterator = this->policies->create_iterator(this->policies, TRUE);
|
||||
while (iterator->iterate(iterator, (void**)&policy))
|
||||
|
||||
if (inbound)
|
||||
{
|
||||
time_t ut;
|
||||
|
||||
if (policy->upper_proto)
|
||||
{
|
||||
proto = getprotobynumber(policy->upper_proto);
|
||||
if (proto)
|
||||
{
|
||||
proto_name = proto->p_name;
|
||||
}
|
||||
else
|
||||
{
|
||||
snprintf(proto_buf, sizeof(proto_buf), "<%d>", policy->upper_proto);
|
||||
}
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1,
|
||||
"querying policy: %s/%d==%s==%s/%d",
|
||||
policy->me.net->get_address(policy->me.net), policy->me.net_mask,
|
||||
proto_name,
|
||||
policy->other.net->get_address(policy->other.net), policy->other.net_mask);
|
||||
|
||||
if (inbound)
|
||||
{
|
||||
status = charon->kernel_interface->query_policy(charon->kernel_interface,
|
||||
this->other.addr, this->me.addr,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_IN, policy->upper_proto,
|
||||
&ut);
|
||||
|
||||
/* also check forward policy in tunnel mode */
|
||||
if (status == SUCCESS /*&& mode == TUNNEL XXX */)
|
||||
{
|
||||
time_t fwd;
|
||||
|
||||
status = charon->kernel_interface->query_policy(charon->kernel_interface,
|
||||
this->other.addr, this->me.addr,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_FWD, policy->upper_proto,
|
||||
&fwd);
|
||||
|
||||
if (status == SUCCESS)
|
||||
{
|
||||
ut = max(ut, fwd);
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
status = charon->kernel_interface->query_policy(charon->kernel_interface,
|
||||
this->me.addr, this->other.addr,
|
||||
policy->me.net, policy->other.net,
|
||||
policy->me.net_mask, policy->other.net_mask,
|
||||
XFRM_POLICY_OUT, policy->upper_proto,
|
||||
&ut);
|
||||
}
|
||||
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
*use_time = max(*use_time, ut);
|
||||
status = charon->kernel_interface->query_sa(charon->kernel_interface,
|
||||
this->me.addr, this->me.spi,
|
||||
this->protocol, use_time);
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
|
||||
return SUCCESS;
|
||||
else
|
||||
{
|
||||
status = charon->kernel_interface->query_sa(charon->kernel_interface,
|
||||
this->other.addr, this->other.spi,
|
||||
this->protocol, use_time);
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -759,18 +681,13 @@ static status_t update_policy_hosts(private_child_sa_t *this, host_t *new_me, ho
|
|||
iterator = this->policies->create_iterator(this->policies, TRUE);
|
||||
while (iterator->iterate(iterator, (void**)&policy))
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|LEVEL1,
|
||||
"updating policy: %s/%d====%s/%d",
|
||||
policy->me.net->get_address(policy->me.net), policy->me.net_mask,
|
||||
policy->other.net->get_address(policy->other.net), policy->other.net_mask);
|
||||
|
||||
status = charon->kernel_interface->add_policy(
|
||||
charon->kernel_interface,
|
||||
new_me, new_other,
|
||||
policy->me.net, policy->other.net,
|
||||
policy->me.net_mask, policy->other.net_mask,
|
||||
XFRM_POLICY_OUT, policy->upper_proto,
|
||||
this->protocol, this->reqid);
|
||||
this->protocol, this->reqid, TRUE);
|
||||
|
||||
status |= charon->kernel_interface->add_policy(
|
||||
charon->kernel_interface,
|
||||
|
@ -778,7 +695,7 @@ static status_t update_policy_hosts(private_child_sa_t *this, host_t *new_me, ho
|
|||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_IN, policy->upper_proto,
|
||||
this->protocol, this->reqid);
|
||||
this->protocol, this->reqid, TRUE);
|
||||
|
||||
status |= charon->kernel_interface->add_policy(
|
||||
charon->kernel_interface,
|
||||
|
@ -786,8 +703,8 @@ static status_t update_policy_hosts(private_child_sa_t *this, host_t *new_me, ho
|
|||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_FWD, policy->upper_proto,
|
||||
this->protocol, this->reqid);
|
||||
|
||||
this->protocol, this->reqid, TRUE);
|
||||
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
|
@ -879,27 +796,21 @@ static void destroy(private_child_sa_t *this)
|
|||
/* delete all policies in the kernel */
|
||||
while (this->policies->remove_last(this->policies, (void**)&policy) == SUCCESS)
|
||||
{
|
||||
if (!this->is_rekeying)
|
||||
{
|
||||
/* let rekeyed policies, as they are used by another child_sa */
|
||||
charon->kernel_interface->del_policy(charon->kernel_interface,
|
||||
this->me.addr, this->other.addr,
|
||||
policy->me.net, policy->other.net,
|
||||
policy->me.net_mask, policy->other.net_mask,
|
||||
XFRM_POLICY_OUT, policy->upper_proto);
|
||||
|
||||
charon->kernel_interface->del_policy(charon->kernel_interface,
|
||||
this->other.addr, this->me.addr,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_IN, policy->upper_proto);
|
||||
|
||||
charon->kernel_interface->del_policy(charon->kernel_interface,
|
||||
this->other.addr, this->me.addr,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_FWD, policy->upper_proto);
|
||||
}
|
||||
/* let rekeyed policies, as they are used by another child_sa */
|
||||
charon->kernel_interface->del_policy(charon->kernel_interface,
|
||||
policy->me.net, policy->other.net,
|
||||
policy->me.net_mask, policy->other.net_mask,
|
||||
XFRM_POLICY_OUT, policy->upper_proto);
|
||||
|
||||
charon->kernel_interface->del_policy(charon->kernel_interface,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_IN, policy->upper_proto);
|
||||
|
||||
charon->kernel_interface->del_policy(charon->kernel_interface,
|
||||
policy->other.net, policy->me.net,
|
||||
policy->other.net_mask, policy->me.net_mask,
|
||||
XFRM_POLICY_FWD, policy->upper_proto);
|
||||
policy->me.net->destroy(policy->me.net);
|
||||
policy->other.net->destroy(policy->other.net);
|
||||
free(policy);
|
||||
|
@ -933,7 +844,6 @@ child_sa_t * child_sa_create(u_int32_t rekey, host_t *me, host_t* other,
|
|||
this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
|
||||
this->public.set_rekeying_transaction = (void (*)(child_sa_t*,void*))set_rekeying_transaction;
|
||||
this->public.get_rekeying_transaction = (void* (*)(child_sa_t*))get_rekeying_transaction;
|
||||
this->public.is_rekeying = (bool (*)(child_sa_t*))is_rekeying;
|
||||
this->public.log_status = (void (*)(child_sa_t*, logger_t*, char*))log_status;
|
||||
this->public.destroy = (void(*)(child_sa_t*))destroy;
|
||||
|
||||
|
@ -953,7 +863,6 @@ child_sa_t * child_sa_create(u_int32_t rekey, host_t *me, host_t* other,
|
|||
this->policies = linked_list_create();
|
||||
this->protocol = PROTO_NONE;
|
||||
this->rekeying_transaction = NULL;
|
||||
this->is_rekeying = FALSE;
|
||||
|
||||
return &this->public;
|
||||
}
|
||||
|
|
|
@ -174,6 +174,9 @@ struct child_sa_t {
|
|||
* such situations to handle them cleanly. A rekeying transaction
|
||||
* registers itself to the CHILD_SA, and checks later if another
|
||||
* transaction is in progress of a rekey.
|
||||
*
|
||||
* @todo Fix include problematics to allow inclusion of
|
||||
* the create_child_sa_t transaction.
|
||||
*
|
||||
* @param this calling object
|
||||
*/
|
||||
|
@ -182,22 +185,12 @@ struct child_sa_t {
|
|||
/**
|
||||
* @brief Get the transaction which rekeys this CHILD_SA.
|
||||
*
|
||||
* See set_rekeying_transactoin
|
||||
* @see set_rekeying_transactoin().
|
||||
*
|
||||
* @param this calling object
|
||||
*/
|
||||
void* (*get_rekeying_transaction) (child_sa_t *this);
|
||||
|
||||
/**
|
||||
* @brief Is the CHILD SA rekeying/in progress of rekeying?
|
||||
*
|
||||
* This is a readonly parameter. It is set whenever the
|
||||
* set_rekeying_transaction() method is called.
|
||||
*
|
||||
* @param this calling object
|
||||
*/
|
||||
bool (*is_rekeying) (child_sa_t *this);
|
||||
|
||||
/**
|
||||
* @brief Log the status of a child_sa to a logger.
|
||||
*
|
||||
|
@ -223,7 +216,7 @@ struct child_sa_t {
|
|||
|
||||
/**
|
||||
* @brief Constructor to create a new child_sa_t.
|
||||
*
|
||||
*
|
||||
* @param rekey_reqid reqid of old CHILD_SA when rekeying, 0 otherwise
|
||||
* @param me own address
|
||||
* @param other remote address
|
||||
|
|
|
@ -172,8 +172,8 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
|
|||
host_t *me, *other;
|
||||
|
||||
/* check if we are not already rekeying */
|
||||
if (this->rekeyed_sa &&
|
||||
this->rekeyed_sa->is_rekeying(this->rekeyed_sa))
|
||||
if (this->rekeyed_sa &&
|
||||
this->rekeyed_sa->get_rekeying_transaction(this->rekeyed_sa))
|
||||
{
|
||||
this->logger->log(this->logger, ERROR,
|
||||
"rekeying a CHILD_SA which is already rekeying, aborted");
|
||||
|
@ -628,20 +628,11 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
|
|||
response->add_payload(response, (payload_t*)ts_response);
|
||||
}
|
||||
/* CHILD_SA successfully created. We set us as the rekeying transaction of
|
||||
* this SA. If we already initiated rekeying of the same SA, we will detect
|
||||
* the rekeyed SA. If we already initiated rekeying of the same SA, we will detect
|
||||
* this later in the conclude() call. */
|
||||
if (this->rekeyed_sa)
|
||||
{
|
||||
if (this->rekeyed_sa->is_rekeying(this->rekeyed_sa))
|
||||
{
|
||||
/* rekeying already in progress, register us, too */
|
||||
this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, &this->public);
|
||||
}
|
||||
else
|
||||
{
|
||||
/* no rekeying in progress. mark SA as rekeyed, but not conflicted */
|
||||
this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, NULL);
|
||||
}
|
||||
this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, &this->public);
|
||||
}
|
||||
return SUCCESS;
|
||||
}
|
||||
|
@ -779,14 +770,14 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
|
|||
other = (private_create_child_sa_t*)
|
||||
this->rekeyed_sa->get_rekeying_transaction(this->rekeyed_sa);
|
||||
|
||||
/* we are not rekeying anymore, unregister us */
|
||||
/* rekeying finished, update SA status */
|
||||
this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, NULL);
|
||||
|
||||
if (other != this)
|
||||
{ /* simlutaneous rekeying is going on, not so good */
|
||||
chunk_t this_lowest, other_lowest;
|
||||
|
||||
/* check if this has a lower nonce the other */
|
||||
/* check if this has a lower nonce than other */
|
||||
if (memcmp(this->nonce_i.ptr, this->nonce_r.ptr,
|
||||
min(this->nonce_i.len, this->nonce_r.len)) < 0)
|
||||
{
|
||||
|
@ -822,7 +813,6 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
|
|||
/* delete the old SA if we have won the rekeying nonce compare*/
|
||||
if (!this->lost)
|
||||
{
|
||||
other->rekeyed_sa->set_rekeying_transaction(other->rekeyed_sa, NULL);
|
||||
delete_child_sa = delete_child_sa_create(this->ike_sa, this->message_id + 1);
|
||||
delete_child_sa->set_child_sa(delete_child_sa, this->rekeyed_sa);
|
||||
*next = (transaction_t*)delete_child_sa;
|
||||
|
@ -832,7 +822,6 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
|
|||
{
|
||||
/* we have lost simlutaneous rekeying, delete the CHILD_SA we just have created */
|
||||
delete_child_sa = delete_child_sa_create(this->ike_sa, this->message_id + 1);
|
||||
new_child->set_rekeying_transaction(new_child, NULL);
|
||||
delete_child_sa->set_child_sa(delete_child_sa, new_child);
|
||||
*next = (transaction_t*)delete_child_sa;
|
||||
}
|
||||
|
|
|
@ -192,8 +192,11 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t
|
|||
* this means we have lost the nonce comparison, and the rekeying
|
||||
* will fail. We set a flag in the transaction for this special case.
|
||||
*/
|
||||
this->logger->log(this->logger, CONTROL,
|
||||
"DELETE received while rekeying, rekeying cancelled");
|
||||
if (!response)
|
||||
{ /* only whine as initiator */
|
||||
this->logger->log(this->logger, CONTROL,
|
||||
"DELETE received while rekeying, rekeying cancelled");
|
||||
}
|
||||
rekey->cancel(rekey);
|
||||
}
|
||||
/* delete it, with inbound spi */
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -48,6 +48,10 @@ typedef struct kernel_interface_t kernel_interface_t;
|
|||
* The kernel interface handles the communication with the kernel
|
||||
* for SA and policy management. It allows setup of these, and provides
|
||||
* further the handling of kernel events.
|
||||
* Policy information are cached in the interface. This is necessary to do
|
||||
* reference counting. The Linux kernel does not allow the same policy
|
||||
* installed twice, but we need this as CHILD_SA exist multiple times
|
||||
* when rekeying. Thats why we do reference counting of policies.
|
||||
*
|
||||
* @b Constructors:
|
||||
* - kernel_interface_create()
|
||||
|
@ -73,11 +77,8 @@ struct kernel_interface_t {
|
|||
* - SUCCESS
|
||||
* - FAILED if kernel comm failed
|
||||
*/
|
||||
status_t (*get_spi) (kernel_interface_t *this,
|
||||
host_t *src, host_t *dst,
|
||||
protocol_id_t protocol,
|
||||
u_int32_t reqid,
|
||||
u_int32_t *spi);
|
||||
status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
|
||||
protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
|
||||
|
||||
/**
|
||||
* @brief Add an SA to the SAD.
|
||||
|
@ -107,18 +108,12 @@ struct kernel_interface_t {
|
|||
* - SUCCESS
|
||||
* - FAILED if kernel comm failed
|
||||
*/
|
||||
status_t (*add_sa)(kernel_interface_t *this,
|
||||
host_t *src, host_t *dst,
|
||||
u_int32_t spi,
|
||||
protocol_id_t protocol,
|
||||
u_int32_t reqid,
|
||||
u_int64_t expire_soft,
|
||||
u_int64_t expire_hard,
|
||||
algorithm_t *enc_alg,
|
||||
algorithm_t *int_alg,
|
||||
prf_plus_t *prf_plus,
|
||||
natt_conf_t *natt,
|
||||
bool replace);
|
||||
status_t (*add_sa) (kernel_interface_t *this,
|
||||
host_t *src, host_t *dst, u_int32_t spi,
|
||||
protocol_id_t protocol, u_int32_t reqid,
|
||||
u_int64_t expire_soft, u_int64_t expire_hard,
|
||||
algorithm_t *enc_alg, algorithm_t *int_alg,
|
||||
prf_plus_t *prf_plus, natt_conf_t *natt, bool replace);
|
||||
|
||||
/**
|
||||
* @brief Update the hosts on an installed SA. Encapsulation ports are also updated.
|
||||
|
@ -127,40 +122,52 @@ struct kernel_interface_t {
|
|||
* the protocol AND the destination address (and family) to identify SAs. Therefore if the
|
||||
* destination address changed we create a new SA and delete the old one.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param src source address for this SA
|
||||
* @param dst destination address for this SA
|
||||
* @param new_src new source address for this SA
|
||||
* @param new_dst new destination address for this SA
|
||||
* @param this calling object
|
||||
* @param src source address for this SA
|
||||
* @param dst destination address for this SA
|
||||
* @param new_src new source address for this SA
|
||||
* @param new_dst new destination address for this SA
|
||||
* @param src_changes changes in src
|
||||
* @param dst_changes changes in dst
|
||||
* @param spi SPI allocated by us or remote peer
|
||||
* @param protocol protocol for this SA (ESP/AH)
|
||||
* @param spi SPI allocated by us or remote peer
|
||||
* @param protocol protocol for this SA (ESP/AH)
|
||||
* @return
|
||||
* - SUCCESS
|
||||
* - FAILED if kernel comm failed
|
||||
* - SUCCESS
|
||||
* - FAILED if kernel comm failed
|
||||
*/
|
||||
status_t (*update_sa_hosts)(kernel_interface_t *this,
|
||||
host_t *src, host_t *dst,
|
||||
host_t *new_src, host_t *new_dst,
|
||||
int src_changes, int dst_changes,
|
||||
u_int32_t spi, protocol_id_t protocol);
|
||||
/**
|
||||
* @brief Query the use time of an SA.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param dst destination address for this SA
|
||||
* @param spi SPI allocated by us or remote peer
|
||||
* @param protocol protocol for this SA (ESP/AH)
|
||||
* @param[out] use_time the time of this SA's last use
|
||||
* @return
|
||||
* - SUCCESS
|
||||
* - FAILED if kernel comm failed
|
||||
*/
|
||||
status_t (*query_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
|
||||
protocol_id_t protocol, time_t *use_time);
|
||||
|
||||
/**
|
||||
* @brief Delete a previusly installed SA from the SAD.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param dst destination address for this SA
|
||||
* @param spi SPI allocated by us or remote peer
|
||||
* @param protocol protocol for this SA (ESP/AH)
|
||||
* @param this calling object
|
||||
* @param dst destination address for this SA
|
||||
* @param spi SPI allocated by us or remote peer
|
||||
* @param protocol protocol for this SA (ESP/AH)
|
||||
* @return
|
||||
* - SUCCESS
|
||||
* - FAILED if kernel comm failed
|
||||
* - SUCCESS
|
||||
* - FAILED if kernel comm failed
|
||||
*/
|
||||
status_t (*del_sa) (kernel_interface_t *this,
|
||||
host_t *dst,
|
||||
u_int32_t spi,
|
||||
protocol_id_t protocol);
|
||||
status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
|
||||
protocol_id_t protocol);
|
||||
|
||||
/**
|
||||
* @brief Add a policy to the SPD.
|
||||
|
@ -181,47 +188,23 @@ struct kernel_interface_t {
|
|||
* @param upper_proto upper layer protocol of traffic for this policy (TCP, UDP, ICMP, ...)
|
||||
* @param protocol protocol to use to protect traffic (AH/ESP)
|
||||
* @param reqid uniqe ID of an SA to use to enforce policy
|
||||
* @param update update an existing policy, if TRUE
|
||||
* @return
|
||||
* - SUCCESS
|
||||
* - FAILED if kernel comm failed
|
||||
*/
|
||||
status_t (*add_policy) (kernel_interface_t *this,
|
||||
host_t *me, host_t *other,
|
||||
host_t *src, host_t *dst,
|
||||
u_int8_t src_hostbits, u_int8_t dst_hostbits,
|
||||
int direction, int upper_proto,
|
||||
protocol_id_t protocol,
|
||||
u_int32_t reqid);
|
||||
/**
|
||||
* @brief Query the use time of a policy
|
||||
*
|
||||
* @param this calling object
|
||||
* @param me address of local peer
|
||||
* @param other address of remote peer
|
||||
* @param src src address of traffic this policy applies
|
||||
* @param dst dest address of traffic this policy applies
|
||||
* @param src_hostbits subnetmask to use for src address
|
||||
* @param dst_hostbits subnetmask to use for dst address
|
||||
* @param direction direction of traffic, XFRM_POLICY_OUT, XFRM_POLICY_IN, XFRM_POLICY_FWD
|
||||
* @param upper_proto upper layer protocol of traffic for this policy (TCP, UDP, ICMP, ...)
|
||||
* @param use_time the time of this policy's last use
|
||||
* @return
|
||||
* - SUCCESS
|
||||
* - FAILED if kernel comm failed
|
||||
*/
|
||||
status_t (*query_policy) (kernel_interface_t *this,
|
||||
host_t *me, host_t *other,
|
||||
host_t *src, host_t *dst,
|
||||
u_int8_t src_hostbits, u_int8_t dst_hostbits,
|
||||
int direction, int upper_proto,
|
||||
time_t *use_time);
|
||||
host_t *me, host_t *other,
|
||||
host_t *src, host_t *dst,
|
||||
u_int8_t src_hostbits, u_int8_t dst_hostbits,
|
||||
u_int8_t direction, u_int8_t upper_proto,
|
||||
protocol_id_t protocol,
|
||||
u_int32_t reqid, bool update);
|
||||
|
||||
/**
|
||||
* @brief Remove a policy from the SPD.
|
||||
*
|
||||
*
|
||||
* @param this calling object
|
||||
* @param me address of local peer
|
||||
* @param other address of remote peer
|
||||
* @param src src address of traffic this policy applies
|
||||
* @param dst dest address of traffic this policy applies
|
||||
* @param src_hostbits subnetmask to use for src address
|
||||
|
@ -232,11 +215,10 @@ struct kernel_interface_t {
|
|||
* - SUCCESS
|
||||
* - FAILED if kernel comm failed
|
||||
*/
|
||||
status_t (*del_policy) (kernel_interface_t *this,
|
||||
host_t *me, host_t *other,
|
||||
host_t *src, host_t *dst,
|
||||
u_int8_t src_hostbits, u_int8_t dst_hostbits,
|
||||
int direction, int upper_proto);
|
||||
status_t (*del_policy) (kernel_interface_t *this,
|
||||
host_t *src, host_t *dst,
|
||||
u_int8_t src_hostbits, u_int8_t dst_hostbits,
|
||||
u_int8_t direction, u_int8_t upper_proto);
|
||||
|
||||
/**
|
||||
* @brief Destroys a kernel_interface object.
|
||||
|
|
Loading…
Reference in New Issue