ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
17,175 Commits 6 Branches 233 Tags 88 MiB
Commit Graph

42 Commits

Author SHA1 Message Date
Tobias Brunner 1b67166921 Unify format of HSR copyright statements 2018-05-23 16:32:53 +02:00
Tobias Brunner 2e4d110d1e linked-list: Change return value of find_first() and signature of its callback 
This avoids the unportable five pointer hack.
 2017-05-26 13:56:44 +02:00
Tobias Brunner 99a57aa5ee kernel-net: Let get_nexthop() return an optional interface name 
The returned name should be the interface over which the destination
address/net is reachable.
 2016-06-10 13:54:18 +02:00
Tobias Brunner 89da06ace9 kernel: Use structs to pass information to the kernel-ipsec interface 2016-04-09 16:50:59 +02:00
Andreas Steffen b12c53ce77 Use standard unsigned integer types 2016-03-24 18:52:48 +01:00
Tobias Brunner 28649f6d91 libhydra: Remove empty unused library 2016-03-03 17:36:11 +01:00
Tobias Brunner 8394ea2a42 libhydra: Move kernel interface to libcharon 
This moves hydra->kernel_interface to charon->kernel.
 2016-03-03 17:36:11 +01:00
Tobias Brunner e8140531fc libipsec: Pass the same data to del_policy() as to add_policy() 
We already do this for the other kernel interfaces.

Fixes e1e88d5add ("libipsec: Don't attempt deletion of any non-IPsec policies")
 2016-02-04 11:02:59 +01:00
Tobias Brunner a6e0f14fd2 kernel-interface: Pass the same data to del_policy() that was passed to add_policy() 
The additional data can be helpful to identify the exact policy to
delete.
 2015-11-10 16:42:52 +01:00
Martin Willi 607eebcfcf libipsec: Pass separate inbound/update flags to the IPsec SA manager 
Similar to other kernel interfaces, the libipsec backends uses the flag for
different purposes, and therefore should get separate flags.
 2015-03-09 18:18:20 +01:00
Martin Willi 942797a5b5 kernel-interface: Add a separate "update" flag to add_sa() 
The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.

While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.
 2015-03-09 18:18:20 +01:00
Martin Willi f81a949748 kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqid 2015-02-20 13:34:50 +01:00
Martin Willi d05d85fe65 kernel-interface: Pass full list of traffic selectors to add_sa() 
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
 2015-02-20 13:34:47 +01:00
Martin Willi fd9417607c libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa() 2015-02-20 13:34:47 +01:00
Martin Willi 2a1c9e20bd kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods 
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.

If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotaited. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends this is necessary.
 2015-02-20 13:34:32 +01:00
Martin Willi 3e779ff555 libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi() 2015-02-19 15:42:22 +01:00
Martin Willi eeaa6f9b1a kernel-libipsec: Use poll(2) instead of select 2014-11-21 12:02:07 +01:00
Tobias Brunner c005073d0b kernel-interface: Add destination prefix to get_nexthop() 
This allows to determine the next hop to reach a subnet, for instance, when
installing routes for shunt policies.
 2014-06-19 14:33:40 +02:00
Martin Willi 30c009c2fe kernel-interface: Add a replay_window parameter to add_sa() 2014-06-17 16:41:30 +02:00
Martin Willi 4163421f91 plugins: Don't link with -rdynamic on Windows 2014-06-04 15:53:02 +02:00
Tobias Brunner d223fe807a libcharon: Use lib->ns instead of charon->name 2014-02-12 14:34:32 +01:00
Tobias Brunner d347a130f5 libhydra: Use lib->ns instead of hydra->daemon 2014-02-12 14:34:32 +01:00
Tobias Brunner cd25d291f7 kernel-libipsec: Don't ignore policies of type != POLICY_IPSEC 
This actually broke rekeying due to the DROP policies that are
temporarily added, which broke the refcount as the ignored policies
were not ignored in del_policy() (the type is not known there).
 2013-10-11 15:32:44 +02:00
Tobias Brunner eeb34af069 kernel-libipsec: Add an option to allow remote TS to match the IKE peer 
Setting the fwmark options for the kernel-netlink and socket-default
plugins allow this kind of setup.

It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make
it work.
 2013-10-11 15:32:44 +02:00
Martin Willi 12fdc2b16b kernel-libipsec: Support ESPv3 TFC padding 2013-10-11 10:23:18 +02:00
Martin Willi d53f9b9637 kernel-libipsec: Support query_sa() to report usage statistics 2013-10-11 10:23:17 +02:00
Martin Willi d7083b6541 kernel: Use a time_t to report use time in query_policy() 2013-10-11 10:23:17 +02:00
Martin Willi c99458e94e kernel: Use a time_t to report use time in query_sa() 2013-10-11 10:23:17 +02:00
Tobias Brunner 29bdfb4086 kernel-libipsec: Fail route installation if remote TS matches peer 2013-07-18 15:41:13 +02:00
Tobias Brunner dfc9902013 capabilities: Some plugins don't actually require capabilities at runtime 2013-07-18 15:25:35 +02:00
Martin Willi 19cb07b890 automake: replace INCLUDES by AM_CPPFLAGS 
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
 2013-07-18 14:59:19 +02:00
Tobias Brunner f067348134 kernel-libipsec: Log error if no local address is found when installing routes 2013-07-15 14:37:31 +02:00
Tobias Brunner 41b8546ac0 capabilities: Only plugins that require CAP_NET_ADMIN demand it 
The daemon as such does not require this capability.
 2013-06-25 17:16:32 +02:00
Tobias Brunner 23ea59a95c kernel-libipsec: Ignore failures when installing routes for multicast or broadcast policies 2013-06-21 17:03:22 +02:00
Tobias Brunner 35fe41f7d0 kernel-libipsec: Add a feature to request UDP encapsulation of ESP packets 2013-06-21 17:03:21 +02:00
Tobias Brunner 1f31a2bc2e kernel-libipsec: Install a gateway for routes on platforms other than Linux 
This seems required e.g. on FreeBSD but doesn't work on Linux.
 2013-06-21 17:03:21 +02:00
Tobias Brunner dcaf8d570c kernel-libipsec: Router reads packets from multiple TUN devices 
These devices are collected via kernel_listener_t interface.
 2013-06-21 17:03:21 +02:00
Tobias Brunner 7045defbff kernel-libipsec: Use separate class to route packets between charon, libipsec and TUN device 2013-06-21 17:03:21 +02:00
Tobias Brunner 587bdf8768 kernel-libipsec: Track policies and automatically install routes 
The routes direct traffic matching the remote traffic selector to the
TUN device.

If the remote traffic selector includes the IKE peer a very specific route
is installed to allow IKE traffic.
 2013-06-21 17:03:20 +02:00
Tobias Brunner 44a49681fd kernel-libipsec: Handle packets between charon socket, libipsec and TUN device 2013-06-21 17:03:20 +02:00
Tobias Brunner 59be6ddd08 kernel-libipsec: Create a TUN device and use it to install virtual IPs 2013-06-21 17:03:20 +02:00
Tobias Brunner 279e0d42bd kernel-libipsec: Add plugin that implements kernel_ipsec_t using libipsec 2013-06-21 17:03:20 +02:00