vici list-conns sends reauthentication and rekeying time information
This commit is contained in:
parent
e88f21cf65
commit
b1df631212
|
@ -428,10 +428,14 @@ static uint64_t apply_jitter(uint64_t rekey, uint64_t jitter)
|
||||||
#define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
|
#define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
|
||||||
|
|
||||||
METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*,
|
METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*,
|
||||||
private_child_cfg_t *this)
|
private_child_cfg_t *this, bool jitter)
|
||||||
{
|
{
|
||||||
lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
|
lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
|
||||||
memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
|
memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
|
||||||
|
if (!jitter)
|
||||||
|
{
|
||||||
|
lft->time.jitter = lft->bytes.jitter = lft->packets.jitter = 0;
|
||||||
|
}
|
||||||
APPLY_JITTER(lft->time);
|
APPLY_JITTER(lft->time);
|
||||||
APPLY_JITTER(lft->bytes);
|
APPLY_JITTER(lft->bytes);
|
||||||
APPLY_JITTER(lft->packets);
|
APPLY_JITTER(lft->packets);
|
||||||
|
|
|
@ -157,9 +157,10 @@ struct child_cfg_t {
|
||||||
* The rekey limits automatically contain a jitter to avoid simultaneous
|
* The rekey limits automatically contain a jitter to avoid simultaneous
|
||||||
* rekeying. These values will change with each call to this function.
|
* rekeying. These values will change with each call to this function.
|
||||||
*
|
*
|
||||||
|
* @param jitter subtract jitter value to randomize lifetimes
|
||||||
* @return lifetime_cfg_t (has to be freed)
|
* @return lifetime_cfg_t (has to be freed)
|
||||||
*/
|
*/
|
||||||
lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
|
lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the mode to use for the CHILD_SA.
|
* Get the mode to use for the CHILD_SA.
|
||||||
|
|
|
@ -228,7 +228,7 @@ struct peer_cfg_t {
|
||||||
/**
|
/**
|
||||||
* Get a time to start rekeying.
|
* Get a time to start rekeying.
|
||||||
*
|
*
|
||||||
* @param jitter remove a jitter value to randomize time
|
* @param jitter subtract a jitter value to randomize time
|
||||||
* @return time in s when to start rekeying, 0 disables rekeying
|
* @return time in s when to start rekeying, 0 disables rekeying
|
||||||
*/
|
*/
|
||||||
uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
|
uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
|
||||||
|
@ -236,7 +236,7 @@ struct peer_cfg_t {
|
||||||
/**
|
/**
|
||||||
* Get a time to start reauthentication.
|
* Get a time to start reauthentication.
|
||||||
*
|
*
|
||||||
* @param jitter remove a jitter value to randomize time
|
* @param jitter subtract a jitter value to randomize time
|
||||||
* @return time in s when to start reauthentication, 0 disables it
|
* @return time in s when to start reauthentication, 0 disables it
|
||||||
*/
|
*/
|
||||||
uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
|
uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
|
||||||
|
|
|
@ -734,6 +734,8 @@ _list-conns_ command.
|
||||||
<list of valid remote IKE endpoint addresses>
|
<list of valid remote IKE endpoint addresses>
|
||||||
]
|
]
|
||||||
version = <IKE version as string, IKEv1|IKEv2 or 0 for any>
|
version = <IKE version as string, IKEv1|IKEv2 or 0 for any>
|
||||||
|
reauth_time = <IKE_SA reauthentication interval in seconds>
|
||||||
|
rekey_time = <IKE_SA rekeying interval in seconds>
|
||||||
|
|
||||||
local*, remote* = { # multiple local and remote auth sections
|
local*, remote* = { # multiple local and remote auth sections
|
||||||
class = <authentication type>
|
class = <authentication type>
|
||||||
|
@ -758,6 +760,9 @@ _list-conns_ command.
|
||||||
children = {
|
children = {
|
||||||
<CHILD_SA config name>* = {
|
<CHILD_SA config name>* = {
|
||||||
mode = <IPsec mode>
|
mode = <IPsec mode>
|
||||||
|
rekey_time = <CHILD_SA rekeying interval in seconds>
|
||||||
|
rekey_bytes = <CHILD_SA rekeying interval in bytes>
|
||||||
|
rekey_packets = <CHILD_SA rekeying interval in packets>
|
||||||
local-ts = [
|
local-ts = [
|
||||||
<list of local traffic selectors>
|
<list of local traffic selectors>
|
||||||
]
|
]
|
||||||
|
|
|
@ -62,12 +62,22 @@
|
||||||
/**
|
/**
|
||||||
* Default IKE rekey time
|
* Default IKE rekey time
|
||||||
*/
|
*/
|
||||||
#define LFT_DEFAULT_IKE_REKEY (4 * 60 * 60)
|
#define LFT_DEFAULT_IKE_REKEY_TIME (4 * 60 * 60)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Default CHILD rekey time
|
* Default CHILD rekey time
|
||||||
*/
|
*/
|
||||||
#define LFT_DEFAULT_CHILD_REKEY (1 * 60 * 60)
|
#define LFT_DEFAULT_CHILD_REKEY_TIME (1 * 60 * 60)
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Default CHILD rekey bytes
|
||||||
|
*/
|
||||||
|
#define LFT_DEFAULT_CHILD_REKEY_BYTES 0
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Default CHILD rekey packets
|
||||||
|
*/
|
||||||
|
#define LFT_DEFAULT_CHILD_REKEY_PACKETS 0
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Undefined replay window
|
* Undefined replay window
|
||||||
|
@ -1443,15 +1453,6 @@ static void check_lifetimes(lifetime_cfg_t *lft)
|
||||||
{
|
{
|
||||||
lft->packets.life = lft->packets.rekey * 110 / 100;
|
lft->packets.life = lft->packets.rekey * 110 / 100;
|
||||||
}
|
}
|
||||||
/* if no soft lifetime specified, add one at hard lifetime - 10% */
|
|
||||||
if (lft->bytes.rekey == LFT_UNDEFINED)
|
|
||||||
{
|
|
||||||
lft->bytes.rekey = lft->bytes.life * 90 / 100;
|
|
||||||
}
|
|
||||||
if (lft->packets.rekey == LFT_UNDEFINED)
|
|
||||||
{
|
|
||||||
lft->packets.rekey = lft->packets.life * 90 / 100;
|
|
||||||
}
|
|
||||||
/* if no rand time defined, use difference of hard and soft */
|
/* if no rand time defined, use difference of hard and soft */
|
||||||
if (lft->time.jitter == LFT_UNDEFINED)
|
if (lft->time.jitter == LFT_UNDEFINED)
|
||||||
{
|
{
|
||||||
|
@ -1485,17 +1486,17 @@ CALLBACK(children_sn, bool,
|
||||||
.mode = MODE_TUNNEL,
|
.mode = MODE_TUNNEL,
|
||||||
.lifetime = {
|
.lifetime = {
|
||||||
.time = {
|
.time = {
|
||||||
.rekey = LFT_DEFAULT_CHILD_REKEY,
|
.rekey = LFT_DEFAULT_CHILD_REKEY_TIME,
|
||||||
.life = LFT_UNDEFINED,
|
.life = LFT_UNDEFINED,
|
||||||
.jitter = LFT_UNDEFINED,
|
.jitter = LFT_UNDEFINED,
|
||||||
},
|
},
|
||||||
.bytes = {
|
.bytes = {
|
||||||
.rekey = LFT_UNDEFINED,
|
.rekey = LFT_DEFAULT_CHILD_REKEY_BYTES,
|
||||||
.life = LFT_UNDEFINED,
|
.life = LFT_UNDEFINED,
|
||||||
.jitter = LFT_UNDEFINED,
|
.jitter = LFT_UNDEFINED,
|
||||||
},
|
},
|
||||||
.packets = {
|
.packets = {
|
||||||
.rekey = LFT_UNDEFINED,
|
.rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS,
|
||||||
.life = LFT_UNDEFINED,
|
.life = LFT_UNDEFINED,
|
||||||
.jitter = LFT_UNDEFINED,
|
.jitter = LFT_UNDEFINED,
|
||||||
},
|
},
|
||||||
|
@ -2044,7 +2045,7 @@ CALLBACK(config_sn, bool,
|
||||||
if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED)
|
if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED)
|
||||||
{
|
{
|
||||||
/* apply a default rekey time if no rekey/reauth time set */
|
/* apply a default rekey time if no rekey/reauth time set */
|
||||||
peer.rekey_time = LFT_DEFAULT_IKE_REKEY;
|
peer.rekey_time = LFT_DEFAULT_IKE_REKEY_TIME;
|
||||||
peer.reauth_time = 0;
|
peer.reauth_time = 0;
|
||||||
}
|
}
|
||||||
if (peer.rekey_time == LFT_UNDEFINED)
|
if (peer.rekey_time == LFT_UNDEFINED)
|
||||||
|
|
|
@ -686,6 +686,7 @@ CALLBACK(list_conns, vici_message_t*,
|
||||||
uint32_t manual_prio;
|
uint32_t manual_prio;
|
||||||
linked_list_t *list;
|
linked_list_t *list;
|
||||||
traffic_selector_t *ts;
|
traffic_selector_t *ts;
|
||||||
|
lifetime_cfg_t *lft;
|
||||||
vici_builder_t *b;
|
vici_builder_t *b;
|
||||||
|
|
||||||
ike = request->get_str(request, NULL, "ike");
|
ike = request->get_str(request, NULL, "ike");
|
||||||
|
@ -726,6 +727,10 @@ CALLBACK(list_conns, vici_message_t*,
|
||||||
|
|
||||||
b->add_kv(b, "version", "%N", ike_version_names,
|
b->add_kv(b, "version", "%N", ike_version_names,
|
||||||
peer_cfg->get_ike_version(peer_cfg));
|
peer_cfg->get_ike_version(peer_cfg));
|
||||||
|
b->add_kv(b, "reauth_time", "%u",
|
||||||
|
peer_cfg->get_reauth_time(peer_cfg, FALSE));
|
||||||
|
b->add_kv(b, "rekey_time", "%u",
|
||||||
|
peer_cfg->get_rekey_time(peer_cfg, FALSE));
|
||||||
|
|
||||||
build_auth_cfgs(peer_cfg, TRUE, b);
|
build_auth_cfgs(peer_cfg, TRUE, b);
|
||||||
build_auth_cfgs(peer_cfg, FALSE, b);
|
build_auth_cfgs(peer_cfg, FALSE, b);
|
||||||
|
@ -740,6 +745,12 @@ CALLBACK(list_conns, vici_message_t*,
|
||||||
b->add_kv(b, "mode", "%N", ipsec_mode_names,
|
b->add_kv(b, "mode", "%N", ipsec_mode_names,
|
||||||
child_cfg->get_mode(child_cfg));
|
child_cfg->get_mode(child_cfg));
|
||||||
|
|
||||||
|
lft = child_cfg->get_lifetime(child_cfg, FALSE);
|
||||||
|
b->add_kv(b, "rekey_time", "%"PRIu64, lft->time.rekey);
|
||||||
|
b->add_kv(b, "rekey_bytes", "%"PRIu64, lft->bytes.rekey);
|
||||||
|
b->add_kv(b, "rekey_packets", "%"PRIu64, lft->packets.rekey);
|
||||||
|
free(lft);
|
||||||
|
|
||||||
b->begin_list(b, "local-ts");
|
b->begin_list(b, "local-ts");
|
||||||
list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
|
list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
|
||||||
selectors = list->create_enumerator(list);
|
selectors = list->create_enumerator(list);
|
||||||
|
|
|
@ -751,7 +751,7 @@ METHOD(child_sa_t, install, status_t,
|
||||||
this->reqid_allocated = TRUE;
|
this->reqid_allocated = TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
lifetime = this->config->get_lifetime(this->config);
|
lifetime = this->config->get_lifetime(this->config, TRUE);
|
||||||
|
|
||||||
now = time_monotonic(NULL);
|
now = time_monotonic(NULL);
|
||||||
if (lifetime->time.rekey)
|
if (lifetime->time.rekey)
|
||||||
|
|
|
@ -722,7 +722,7 @@ static void get_lifetimes(private_quick_mode_t *this)
|
||||||
{
|
{
|
||||||
lifetime_cfg_t *lft;
|
lifetime_cfg_t *lft;
|
||||||
|
|
||||||
lft = this->config->get_lifetime(this->config);
|
lft = this->config->get_lifetime(this->config, TRUE);
|
||||||
if (lft->time.life)
|
if (lft->time.life)
|
||||||
{
|
{
|
||||||
this->lifetime = lft->time.life;
|
this->lifetime = lft->time.life;
|
||||||
|
|
|
@ -84,13 +84,47 @@ CALLBACK(children_sn, int,
|
||||||
{
|
{
|
||||||
hashtable_t *child;
|
hashtable_t *child;
|
||||||
char *interface, *priority;
|
char *interface, *priority;
|
||||||
|
char *rekey_time, *rekey_bytes, *rekey_packets;
|
||||||
|
bool no_time, no_bytes, no_packets, or = FALSE;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
|
child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
|
||||||
ret = vici_parse_cb(res, NULL, values, list, child);
|
ret = vici_parse_cb(res, NULL, values, list, child);
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
{
|
{
|
||||||
printf(" %s: %s\n", name, child->get(child, "mode"));
|
printf(" %s: %s, ", name, child->get(child, "mode"));
|
||||||
|
|
||||||
|
rekey_time = child->get(child, "rekey_time");
|
||||||
|
rekey_bytes = child->get(child, "rekey_bytes");
|
||||||
|
rekey_packets = child->get(child, "rekey_packets");
|
||||||
|
no_time = streq(rekey_time, "0");
|
||||||
|
no_bytes = streq(rekey_bytes, "0");
|
||||||
|
no_packets = streq(rekey_packets, "0");
|
||||||
|
|
||||||
|
if (no_time && no_bytes && no_packets)
|
||||||
|
{
|
||||||
|
printf("no rekeying\n");
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
printf("rekeying every");
|
||||||
|
if (!no_time)
|
||||||
|
{
|
||||||
|
printf(" %ss", rekey_time);
|
||||||
|
or = TRUE;
|
||||||
|
}
|
||||||
|
if (!no_bytes)
|
||||||
|
{
|
||||||
|
printf("%s %s bytes", or ? " or" : "", rekey_bytes);
|
||||||
|
or = TRUE;
|
||||||
|
}
|
||||||
|
if (!no_packets)
|
||||||
|
{
|
||||||
|
printf("%s %s packets", or ? " or" : "", rekey_packets);
|
||||||
|
}
|
||||||
|
printf("\n");
|
||||||
|
}
|
||||||
|
|
||||||
printf(" local: %s\n", child->get(child, "local-ts"));
|
printf(" local: %s\n", child->get(child, "local-ts"));
|
||||||
printf(" remote: %s\n", child->get(child, "remote-ts"));
|
printf(" remote: %s\n", child->get(child, "remote-ts"));
|
||||||
|
|
||||||
|
@ -189,8 +223,43 @@ CALLBACK(conn_list, int,
|
||||||
CALLBACK(conns, int,
|
CALLBACK(conns, int,
|
||||||
void *null, vici_res_t *res, char *name)
|
void *null, vici_res_t *res, char *name)
|
||||||
{
|
{
|
||||||
printf("%s: %s\n", name, vici_find_str(res, "", "%s.version", name));
|
char *version, *reauth_time, *rekey_time;
|
||||||
|
|
||||||
|
version = vici_find_str(res, "", "%s.version", name);
|
||||||
|
reauth_time = vici_find_str(res, "", "%s.reauth_time", name);
|
||||||
|
rekey_time = vici_find_str(res, "", "%s.rekey_time", name);
|
||||||
|
|
||||||
|
printf("%s: %s, ", name, version);
|
||||||
|
if (streq(version, "IKEv1"))
|
||||||
|
{
|
||||||
|
if (streq(reauth_time, "0"))
|
||||||
|
{
|
||||||
|
reauth_time = rekey_time;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (streq(reauth_time, "0"))
|
||||||
|
{
|
||||||
|
printf("no reauthentication");
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
printf("reauthentication every %ss", reauth_time);
|
||||||
|
}
|
||||||
|
if (streq(version, "IKEv1"))
|
||||||
|
{
|
||||||
|
printf("\n");
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
if (streq(rekey_time, "0"))
|
||||||
|
{
|
||||||
|
printf(", no rekeying\n");
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
printf(", rekeying every %ss\n", rekey_time);
|
||||||
|
}
|
||||||
|
}
|
||||||
return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL);
|
return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue