Commit Graph

393 Commits

Author SHA1 Message Date
Martin Willi f8646dd65e kernel-pfkey: check if we have a gateway before comparing them 2013-05-06 16:10:13 +02:00
Martin Willi d4260c5f7f kernel-pfkey: install route along with input, not forward policies
As forwarding policies are not available on all systems (OS X), using the
forward policy to attach the route is a bad pick. Using input policies allows
OS X to install routes.
2013-05-06 16:10:13 +02:00
Martin Willi 6e879a59fc kernel-pfroute: rescan address list for an interface if its state changes
It seems that we don't get address notifications if the interface is down
on OS X.
2013-05-06 16:10:13 +02:00
Martin Willi 0fd409db77 kernel-pfroute: add newly appearing interfaces to the interface cache 2013-05-06 16:10:12 +02:00
Martin Willi 9bc342eae4 kernel-pfroute: implement get_nexthop() 2013-05-06 16:10:12 +02:00
Martin Willi 272bcac894 kernel-pfroute: install and uninstall routes 2013-05-06 16:10:12 +02:00
Martin Willi 3a7f4b5c8d kernel-pfroute: collect replies received for our own queries 2013-05-06 16:10:12 +02:00
Martin Willi b1c6b68e4c kernel-pfroute: refactor PF_ROUTE message processing, use an enumerator 2013-05-06 16:10:12 +02:00
Martin Willi 889efae4cf kernel-pfkey: use an int to set esp_port with a sysctl on OS X 2013-05-06 16:10:12 +02:00
Martin Willi 9650bf3cc7 kernel-pfroute: use INIT() macro for allocations 2013-05-06 16:10:12 +02:00
Martin Willi 0e107f03ac kernel-pfroute: use only a single PF_ROUTE socket for both events and queries 2013-05-06 16:10:12 +02:00
Martin Willi e8002956c9 kernel-pfroute: fix length check when receiving PF_ROUTE messages 2013-05-06 16:10:12 +02:00
Martin Willi 64f309e735 kernel-pfkey: remove obsolete pluto specific behavior 2013-05-06 16:10:12 +02:00
Martin Willi bc6275d21c kernel-netlink: remove obsolete pluto specific behavior 2013-05-06 16:10:11 +02:00
Tobias Brunner 37873f9994 kernel-netlink: Add an option to disable roam events 2013-05-03 15:11:19 +02:00
Tobias Brunner 0b9ce21b5e kernel-netlink: Define defaults for routing table and prio 2013-05-03 15:11:19 +02:00
Tobias Brunner e5d819b617 android: Remove/filter header files from LOCAL_SRC_FILES
This avoids huge warnings when building the native code.
2013-03-20 15:24:26 +01:00
Tobias Brunner 2ac772a5d0 Use proper address family when adding multiple addresses to SQL pool 2013-03-19 16:33:07 +01:00
Tobias Brunner fe62707209 Ignore SQL-based IP address pools if their address family does not match 2013-03-19 16:33:07 +01:00
Tobias Brunner deafaf51f1 Load arbitrary (non-host) attributes from strongswan.conf
This allows to e.g. load Cisco-specific attributes that contain FQDNs.
2013-03-19 15:21:30 +01:00
Martin Willi d29246cabe Merge branch 'radius-ext'
Bring some extensions to eap-radius, namely a virtual IP address provider based
on received Framed-IPs, forwarding of Cisco Unity banners, Interim Accounting
updates and the reporting of sent/received packets.
2013-03-18 10:13:36 +01:00
Martin Willi cb14ecb1d3 Merge branch 'netlink-align'
Fixes some Netlink alignment issues, and then refactors Netlink XFRM message
attribute handling.
2013-03-18 10:09:35 +01:00
Martin Willi 94163816fa Use netlink_add_attribute() to copy over attributes during update_sa() 2013-03-15 16:02:01 +01:00
Martin Willi 0d9f31e1ed Use a helper function to add XFRM_MARK attribute 2013-03-15 16:02:01 +01:00
Martin Willi 6dfc633927 Use netlink_reserve() helper function in XFRM to simplify message construction 2013-03-15 16:02:01 +01:00
Martin Willi 6359ab04f4 Add a Netlink utility function to add a RTA header and reserve space for data 2013-03-15 14:32:51 +01:00
Martin Willi 53c98f098f Correctly check buffer length in netlink_add_attribute() 2013-03-15 14:32:25 +01:00
Martin Willi 6ac601f543 Avoid unneeded termination of netlink algorithm name arrays with END_OF_LIST 2013-03-15 14:01:15 +01:00
Martin Willi 6b35ab84da Pass correctly sized pointer to lookup_algorithm() in PF_KEY 2013-03-14 14:20:54 +01:00
Martin Willi 7eeeb1c702 kernel_ipsec_t.query_sa() additionally returns the number of processed packets 2013-03-14 14:20:54 +01:00
Martin Willi cf6a4ea005 strdup() iface passed to queue_route_reinstall(), fixing double-free 2013-03-11 15:17:50 +01:00
Martin Willi 0897cda33b Add a constructor to create in-memory pools from an address range 2013-03-11 15:12:47 +01:00
Martin Willi d3f5a05e29 When adding Netlink attributes, increase header length with potential alignment
If the payload is unaligned, we must make sure the total netlink message
length includes the added alignment for the first attribute.
2013-03-11 12:32:21 +01:00
Tobias Brunner 292ee515db Fix maximum size of a mem_pool_t 2013-03-07 18:21:02 +01:00
Martin Willi ad9af9e2d8 Fix some apidoc in mem_pool.h 2013-03-06 10:26:52 +01:00
Martin Willi b611d8ba48 Merge branch 'ikev1-rekeying'
Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces
the old Main Mode having a uniqueids=replace policy.
2013-03-01 11:32:02 +01:00
Martin Willi ec1b4e6638 Merge branch 'vip-shunts'
Installs bypass policies for the physical address if a virtual address is
assigned, and installs a proper source route to actually use the physical
address for bypassed destinations.

Conflicts:
	src/libcharon/plugins/unity/unity_handler.c
2013-03-01 11:30:13 +01:00
Martin Willi a36b49f3cb Merge branch 'opaque-ports'
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
2013-03-01 11:27:12 +01:00
Martin Willi 53e62f5d0c Indicate support for processing ESPv3 TFC padding in Netlink IPsec backend 2013-03-01 11:11:51 +01:00
Martin Willi 76f7d80e80 Introduce "features" for the kernel backends returning kernel capabilities 2013-03-01 11:11:24 +01:00
Martin Willi a1db77de7c Use a complete port range in traffic_selector_create_from_{subnet,cidr} 2013-02-21 11:52:33 +01:00
Martin Willi a2fd08dd26 Install a route for shunt policies
If we install a virtual IP, its source route would render the shunt policy
useless, as locally generated traffic wouldn't match. Having a route for each
shunt policy with higher priority chooses the correct source address for
bypassed destinations.
2013-02-20 16:32:24 +01:00
Martin Willi 3dc9d427c9 After IKEv1 reauthentication, reinstall VIP routes after migrating CHILD_SAs
During IKEv1 reauthentication, the virtual IP gets removed, then reinstalled.
The CHILD_SAs get migrated, but any associated route gets removed from the
kernel. Reinstall routes after adding the virtual IP again.
2013-02-20 09:16:00 +01:00
Martin Willi 544c2e3d7b kernel-netlink's get_interface() considers virtual IPs, too
When using load-tester, we can install tunnel outer addresses on
demand. As these are installed as "virtual", we have to consider
virtual IPs in the get_interface() lookup to install "real" virtual
IPs to these dynamic external addresses.
2012-12-17 14:23:44 +01:00
Martin Willi d88597f0dd Don't wait while removing external IPs used for load testing 2012-11-29 10:22:51 +01:00
Martin Willi b185cdd16d Install virtual IPs via interface name, and use an interface lookup where required 2012-11-29 10:22:51 +01:00
Martin Willi 50bd755871 Add an optional kernel-interface parameter to install IPs with a custom prefix 2012-11-29 10:22:51 +01:00
Martin Willi 8edb6248f8 libhydra can be initialized more than once 2012-11-14 10:14:34 +01:00
Tobias Brunner cbd52e7ddc Limit recursion when searching for source addresses
This could be required if e.g. two default routes list gateways but the
corresponding outbound interfaces do not have any IP addresses on them.
2012-11-13 09:06:02 +01:00
Tobias Brunner 5be88ca6bb Don't call get_route recursively if a route's gateway matches the destination 2012-11-13 09:06:02 +01:00
Tobias Brunner f05b427265 Moved debug.[ch] to utils folder 2012-10-24 16:00:51 +02:00
Tobias Brunner d5c143e5be Moved enum_name_t to utils folder 2012-10-24 16:00:50 +02:00
Tobias Brunner 125b37af6d Moved chunk_t to utils folder 2012-10-24 16:00:50 +02:00
Tobias Brunner 12642a6831 Moved data structures to new collections subfolder 2012-10-24 16:00:49 +02:00
Tobias Brunner 2e7cc07ecd Moved host_t and host_resolver_t to a new networking subfolder 2012-10-24 15:06:18 +02:00
Tobias Brunner eecd41e349 Use a helper function to add milliseconds to timeval structs 2012-10-18 12:25:59 +02:00
Tobias Brunner 8e2d3075aa Use proper offset when adding mark attribute in kernel-netlink plugin 2012-10-15 11:11:29 +02:00
Tobias Brunner ac24c4d323 Also add mark when querying current replay state in kernel-netlink plugin 2012-10-15 10:15:53 +02:00
Tobias Brunner 2925aa725e Fixed update_sa in kernel-netlink plugin if marks are used 2012-10-11 19:08:47 +02:00
Tobias Brunner 9ff9c3d11b Added missing break statements in NAT-T mapping handling in PF_KEY plugin 2012-09-28 18:57:56 +02:00
Tobias Brunner a37ac3a47a Make sure we successfully opened xfrm_acq_expires 2012-09-28 18:54:28 +02:00
Tobias Brunner 6ffb8f8634 Clarified code when hashing/comparing cached policies in kernel-netlink 2012-09-28 18:30:16 +02:00
Tobias Brunner a05f3b2021 Make sure first argument is an int when using %.*s to print e.g. chunks 2012-09-28 18:01:49 +02:00
Tobias Brunner 53ab3c27cd Ensure that pipe is closed when calling resolvconf(8) 2012-09-28 17:33:24 +02:00
Tobias Brunner 9a1ba213f4 Use proper argument for sizeof when copying replay state 2012-09-28 17:00:20 +02:00
Tobias Brunner bef21bd330 Algorithm names are not always static anymore, avoid string overflows 2012-09-28 16:49:05 +02:00
Tobias Brunner a79af394a0 Allow replay windows smaller than the default of 32 2012-09-27 12:43:39 +02:00
Tobias Brunner 9845391a95 Properly initialize cached address map in kernel-pfroute plugin 2012-09-27 12:43:36 +02:00
Tobias Brunner bfd2cc1cd7 Fixed compilation of kernel-pfroute plugin 2012-09-27 09:23:58 +02:00
Tobias Brunner 2e2feffb67 Don't check interface of inbound message if interfaces are not filtered
We don't have a proper kernel-net interface on Android yet, so the check
for a usable interface does not work there.
2012-09-24 17:12:18 +02:00
Tobias Brunner f65ec0aa90 Make sure the if_name member of cached route entries is initialized to NULL 2012-09-22 08:23:56 +02:00
Tobias Brunner bdf36dac71 Use an rwlock in kernel-pfroute too 2012-09-21 18:16:27 +02:00
Tobias Brunner a25d536eea Use rwlock and rwlock_condvar to increase concurrency in kernel-netlink plugin 2012-09-21 18:16:27 +02:00
Tobias Brunner 16d62305c2 Use a separate mutex for cached routes in kernel-netlink plugin 2012-09-21 18:16:27 +02:00
Tobias Brunner 4134108c77 Use a lock to safely check and update the time for the next roam event 2012-09-21 18:16:27 +02:00
Tobias Brunner e8e9048fee Added an option to configure the interface on which virtual IP addresses are installed 2012-09-21 18:16:26 +02:00
Tobias Brunner c6b401581a Changed how kernel-netlink handles virtual IP addresses
Also tried to avoid the use of enumerators.
2012-09-21 18:16:26 +02:00
Tobias Brunner 4106aea8e4 Made IP address enumeration more flexible
Also added an option to enumerate addresses on ignored interfaces.
2012-09-21 18:16:26 +02:00
Tobias Brunner 1f97e1aaca Use a hashtable to quickly check for usable IP addresses/interfaces 2012-09-21 18:16:26 +02:00
Tobias Brunner 940e1b0f66 Filter ignored interfaces in kernel interfaces (for events, address enumeration, etc.) 2012-09-21 18:16:26 +02:00
Tobias Brunner 645d7a5ef3 %any is never on a local interface 2012-09-21 18:16:26 +02:00
Tobias Brunner 9ba36c0f7f Make it easy to check if an address is locally usable via changed get_interface() method 2012-09-21 18:16:26 +02:00
Tobias Brunner aed33805ce Don't ignore loopback devices and allow addresses on them being enumerated 2012-09-21 18:16:26 +02:00
Tobias Brunner 9513225e6b Added options and a lookup function that will allow filtering of network interfaces 2012-09-21 18:16:26 +02:00
Tobias Brunner dad6d904ee Use source address in get_nexthop() call
Otherwise the nexthop returned might belong to a different route than
the one actually used with the current source address.
2012-09-21 18:16:25 +02:00
Tobias Brunner 662534657f Source address lookup refactored
Routes matching the destination are now first parsed and sorted by network
prefix length.  This list is then used to search for the best route with
a matching preferred source address (if one is specified).  This makes sure
we really check all routes for that address.
2012-09-21 18:16:25 +02:00
Tobias Brunner cef0a8118e Check routes with equal prefix if preferred source is specified 2012-09-21 18:16:25 +02:00
Tobias Brunner 9d6b02d6c1 Try to find preferred source on interface if returned source does not match 2012-09-21 18:16:25 +02:00
Tobias Brunner da6d86dd94 Try to keep the given source address when looking up routes
This allows to pin the local end of an IKE_SA to an address that is not the
physical address of an interface.  Without this patch the local address would
change to the physical address when roam events occur.
2012-09-21 18:16:25 +02:00
Martin Willi f0a2fef8a5 In mem_pool, check for an existing ID entry before creating a new one 2012-09-20 11:04:55 +02:00
Tobias Brunner 08ad639f32 Added algorithm lookup via kernel_interface_t to the various kernel interfaces 2012-09-13 15:48:49 +02:00
Tobias Brunner 524fb37ccd Added possibility to register custom kernel algorithms to kernel interface 2012-09-13 15:44:47 +02:00
Tobias Brunner fa96a350c2 Consistently log XFRM mark masks with 0 prefix in kernel-netlink plugin 2012-09-12 17:40:36 +02:00
Martin Willi 5b96503e13 Use uintptr_t in mem pool to avoid compiler warning if sizeof(void*) != sizeof(int) 2012-09-12 13:19:52 +02:00
Martin Willi 1e04488f32 Check for an existing lease in all stroke pools before creating a new one 2012-09-11 16:18:28 +02:00
Martin Willi 28a3d5bfbd Pass full pool list to release_address 2012-09-11 16:18:28 +02:00
Martin Willi 594c58e111 Pass the full list of pools to acquire_address, enumerate in providers
If the provider has access to the full pool list, it can enumerate
them twice, for example to search for existing leases first, and
only search for new leases in a second step.

Fixes lease enumeration in attr-sql using multiple pools.
2012-09-11 16:18:28 +02:00
Tobias Brunner 4065e2504c Use the proper types for comma separated attributes read from strongswan.conf
Attributes of different address families previously were mapped to
the same attribute type (the one derived from the address family of the
first address).
2012-09-10 15:17:17 +02:00
Tobias Brunner 747fd544a7 Properly remove broadcast address from mem pools 2012-09-10 11:44:18 +02:00
Martin Willi 7f52f621c2 Be less verbose if IP allocation for a single pool fails 2012-08-30 16:43:44 +02:00
Martin Willi 40e9089889 Strictly enforce address family match while acquiring mem_pool IPs 2012-08-30 16:43:44 +02:00
Martin Willi 13f11ccf46 Don't parse comma separated pool names in attr-sql
We now handle multiple pools at a deeper level, making that special
handling obsolete. Comma separated pools are parsed in stroke.
2012-08-30 16:43:44 +02:00
Martin Willi d55fe264d1 Pass all configured pool names to attribute provider enumerator 2012-08-30 16:43:43 +02:00
Martin Willi feb8550401 Pass a list instead of a single virtual IP to attribute enumerators 2012-08-30 16:43:42 +02:00
Martin Willi 497ce2cf51 Support multiple address pools configured on a peer_cfg 2012-08-30 16:43:42 +02:00
Martin Willi d8eec395b2 Add a getter for the mem_pool_t base address 2012-08-24 11:19:07 +02:00
Tobias Brunner 31a0e24b0f Increased log level when listing interfaces and IP addresses during startup
This avoids confusing log messages in starter and ipsec statusall
already lists the available addresses anyway.
2012-08-16 16:14:15 +02:00
Tobias Brunner 3a917ac77f Validate netmask in mem_pool_create 2012-08-13 13:54:28 +02:00
Tobias Brunner 156f7e9b85 Moved types used by kernel_ipsec_t interface (and libipsec) to libstrongswan
This avoids a dependency of libipsec to libhydra.
2012-08-08 15:41:02 +02:00
Tobias Brunner e49abcede0 Let kernel interfaces decide how to enable UDP decapsulation of ESP packets. 2012-08-08 15:12:24 +02:00
Martin Willi 3b7468b245 Support Unity split-include/exclude options in attr plugin 2012-07-20 17:36:27 +02:00
Tobias Brunner 0159a54047 Check rng return value when generating SPIs in kernel-klips plugin 2012-07-16 14:53:36 +02:00
Tobias Brunner 63afd833b9 Avoid SIGSEGV during shutdown if charon is not started as root 2012-06-25 19:00:00 +02:00
Tobias Brunner 26d77eb3e6 Centralized thread cancellation in processor_t
This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.

callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t.  The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.
2012-06-25 17:38:59 +02:00
Tobias Brunner 7beb31aae4 Fixed IPv6 source address lookup
Because Linux kernels prior to 3.0 do not support RTA_PREFSRC for
IPv6 routes we didn't use NLM_F_DUMP to get all routes.
Still routes installed with policies are installed also for IPv6.
So since only one route is returned without DUMP, and we ignore
all routes from our own routing table, no source address was found
during roaming if DST of the installed route included the IKE peer.

With newer kernels we can now use DUMP as we did for IPv4 already,
for older kernels we do so if our own routes are installed in a
separate routing table, otherwise we still use GET.
2012-06-25 16:29:59 +02:00
Tobias Brunner 5c1332bf7c NLM_F_DUMP includes NLM_F_ROOT. 2012-06-15 16:46:27 +02:00
Tobias Brunner 8ec51f83e5 Don't create roam jobs based on cached/cloned routes. 2012-06-15 16:44:18 +02:00
Tobias Brunner 9896b6bd58 Don't compare ports when comparing cached routes.
At least src_ip has a port set sometimes.
2012-06-15 16:44:07 +02:00
Tobias Brunner 05ca56558c Disabled listening for kernel events in starter. 2012-06-08 14:12:06 +02:00
Tobias Brunner 9041c074b3 Properly install policies with ports in PF_KEY kernel interface. 2012-06-07 14:37:00 +02:00
Tobias Brunner 9e19cb912d Destroy Netlink socket only after deleting remaining source routes. 2012-05-21 13:33:13 +02:00
Tobias Brunner c732e22019 Fix route reinstallation if preferred source IP is not on outgoing interface. 2012-05-07 19:00:47 +02:00
Tobias Brunner bc798c9ce8 Route reinstallation in kernel_ipsec_t implementations is not needed anymore. 2012-05-02 15:24:47 +02:00
Tobias Brunner f834249c59 Reinstall routes in kernel-netlink plugin, if interfaces get reactivated or IPs reappear. 2012-05-02 15:24:47 +02:00
Tobias Brunner 74ba22c992 Keep track of installed source routes in kernel-netlink plugin. 2012-05-02 14:56:08 +02:00
Martin Willi b24be29646 Merge branch 'ikev1'
Conflicts:
	configure.in
	man/ipsec.conf.5.in
	src/libcharon/encoding/generator.c
	src/libcharon/encoding/payloads/notify_payload.c
	src/libcharon/encoding/payloads/notify_payload.h
	src/libcharon/encoding/payloads/payload.c
	src/libcharon/network/receiver.c
	src/libcharon/sa/authenticator.c
	src/libcharon/sa/authenticator.h
	src/libcharon/sa/ikev2/tasks/ike_init.c
	src/libcharon/sa/task_manager.c
	src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
Tobias Brunner ed2cab08d2 Make resolvconf interface prefix configurable. 2012-03-27 10:44:21 +02:00
Tobias Brunner caae5a5c0f Added support for the resolvconf framework in resolve plugin.
If /sbin/resolvconf is found nameservers are not written directly to
/etc/resolv.conf but instead resolvconf is invoked.
2012-03-27 10:44:21 +02:00
Tobias Brunner 6e921f2017 Use single DBG2 statements in kernel_netlink plugin (i.e. ignore mark.value). 2012-03-27 10:37:56 +02:00
Martin Willi 3de54af7ec Define a special XFRM mark_t.value that dynamically uses the CHILD_SA reqid 2012-03-22 09:05:56 +01:00
Martin Willi b1f2f05c92 Merge branch 'ikev1-clean' into ikev1-master
Conflicts:
	configure.in
	man/ipsec.conf.5.in
	src/libcharon/daemon.c
	src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
	src/libcharon/plugins/eap_radius/eap_radius_accounting.c
	src/libcharon/plugins/eap_radius/eap_radius_forward.c
	src/libcharon/plugins/farp/farp_listener.c
	src/libcharon/sa/ike_sa.c
	src/libcharon/sa/keymat.c
	src/libcharon/sa/task_manager.c
	src/libcharon/sa/trap_manager.c
	src/libstrongswan/plugins/x509/x509_cert.c
	src/libstrongswan/utils.h

Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
Martin Willi 07202a2bf1 Be less verbose when deleting SAs triggered by a hard expire 2012-03-20 17:31:31 +01:00
Martin Willi e174e0d445 Added not-yet used sa_payload parameters used in IKEv1 2012-03-20 17:30:52 +01:00
Martin Willi 21796bac9a Be less verbose if we don't have a local address for a tunnel 2012-03-06 16:05:58 +01:00
Tobias Brunner 686cfd4e34 Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.
This requires a Linux kernel >= 2.6.33.
2012-02-27 14:31:19 +01:00
Tobias Brunner 2e0b478a01 Android 4 requires LOCAL_MODULE_TAGS to be set for all modules.
Because all packages are now marked as optional, executables that are to
be installed on the final system have to be added to PRODUCT_PACKAGES in
build/target/product/core.mk.  Dependencies (such as libraries) are
installed automatically.
2012-01-12 19:18:35 +01:00
Tobias Brunner 35a1986142 Fixed additional typos in comments and log messages. 2012-01-12 11:42:42 +01:00
Thomas Egerer 64c4fd0a60 Always unlock mutex for installed policies in kernel-netlink plugin. 2011-12-14 18:17:49 +01:00
Thomas Jarosch 00b9e598f3 Fix copy'n'paste error in libhydra's netlink interface
Detected by cppcheck.
2011-11-21 09:00:39 +01:00
Mirko Parthey 7b21873668 Fix network interface deletion handling in kernel-netlink plugin.
When the kernel reports the deletion of an interface (RTM_DELLINK),
the cached interface attributes, including ifindex, become invalid
and must be forgotten.

Interface link state changes ("up" and "down") show up as RTM_NEWLINK,
so they will not cause a cached entry to be removed or
prevent listening to address change notifications.

Once an interface has been deleted, the kernel ought to stop sending
notifications for it. If the interface gets recreated with the same
name later, the kernel again reports RTM_NEWLINK, which causes a new
cache entry to be created.

There should be no reason to keep a stale cache entry around, as was
claimed in the comment.
2011-11-14 15:24:48 +01:00
Tobias Brunner 866858527d Fix 'ipsec pool --status' for empty pools. 2011-11-04 15:07:54 +01:00
Thomas Egerer c125d1ba13 Memwipe request after sa update, too 2011-11-04 11:11:17 +01:00
Thomas Egerer dbfd1a63aa Extend xfrm_attr_type_names by newly added enum values 2011-11-04 11:11:17 +01:00
Tobias Brunner 051226d5c0 Silently install route again, even if it did not change.
Address/interface changes can cause the route to disappear. Afterwards
the route might look the same but that does not mean it is still installed.
2011-11-04 11:11:17 +01:00
Tobias Brunner 25d59e9e2d Compile warning fixed in kernel interfaces. 2011-11-04 11:11:17 +01:00
Tobias Brunner 0e6aafb5b6 The kernel-klips plugin does currently not support SAD/SPD flushing. 2011-10-21 14:24:33 +02:00
Tobias Brunner 773572f9e0 Implemented flushing of SAD and SPD entries via PF_KEY. 2011-10-21 14:24:33 +02:00
Tobias Brunner 99d23ddf45 Implemented flushing of states and policies via XFRM. 2011-10-21 14:18:53 +02:00
Tobias Brunner 0b0f466bbc Defined functions in the kernel interface to flush SAD and SPD entries. 2011-10-21 14:18:23 +02:00
Tobias Brunner cfa15a71d9 Source files in Android.mk updated. 2011-10-14 17:36:20 +02:00