Tobias Brunner
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
Tobias Brunner
2e4d110d1e
linked-list: Change return value of find_first() and signature of its callback
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
Tobias Brunner
99a57aa5ee
kernel-net: Let get_nexthop() return an optional interface name
The returned name should be the interface over which the destination
address/net is reachable.
2016-06-10 13:54:18 +02:00
Tobias Brunner
89da06ace9
kernel: Use structs to pass information to the kernel-ipsec interface
2016-04-09 16:50:59 +02:00
Andreas Steffen
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
Tobias Brunner
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
Tobias Brunner
8394ea2a42
libhydra: Move kernel interface to libcharon
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner
e8140531fc
libipsec: Pass the same data to del_policy() as to add_policy()
We already do this for the other kernel interfaces.
Fixes e1e88d5add
("libipsec: Don't attempt deletion of any non-IPsec policies")
2016-02-04 11:02:59 +01:00
Tobias Brunner
a6e0f14fd2
kernel-interface: Pass the same data to del_policy() that was passed to add_policy()
The additional data can be helpful to identify the exact policy to
delete.
2015-11-10 16:42:52 +01:00
Martin Willi
607eebcfcf
libipsec: Pass separate inbound/update flags to the IPsec SA manager
Similar to other kernel interfaces, the libipsec backends use the flag for
different purposes, and therefore should get separate flags.
2015-03-09 18:18:20 +01:00
Martin Willi
942797a5b5
kernel-interface: Add a separate "update" flag to add_sa()
The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.
While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.
2015-03-09 18:18:20 +01:00
Martin Willi
f81a949748
kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqid
2015-02-20 13:34:50 +01:00
Martin Willi
d05d85fe65
kernel-interface: Pass full list of traffic selectors to add_sa()
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
2015-02-20 13:34:47 +01:00
Martin Willi
fd9417607c
libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa()
2015-02-20 13:34:47 +01:00
Martin Willi
2a1c9e20bd
kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotiated. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends where this is necessary.
2015-02-20 13:34:32 +01:00
Martin Willi
3e779ff555
libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi()
2015-02-19 15:42:22 +01:00
Martin Willi
eeaa6f9b1a
kernel-libipsec: Use poll(2) instead of select
2014-11-21 12:02:07 +01:00
Tobias Brunner
c005073d0b
kernel-interface: Add destination prefix to get_nexthop()
This allows determining the next hop to reach a subnet, for instance, when
installing routes for shunt policies.
2014-06-19 14:33:40 +02:00
Martin Willi
30c009c2fe
kernel-interface: Add a replay_window parameter to add_sa()
2014-06-17 16:41:30 +02:00
Martin Willi
4163421f91
plugins: Don't link with -rdynamic on Windows
2014-06-04 15:53:02 +02:00
Tobias Brunner
d223fe807a
libcharon: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
Tobias Brunner
d347a130f5
libhydra: Use lib->ns instead of hydra->daemon
2014-02-12 14:34:32 +01:00
Tobias Brunner
cd25d291f7
kernel-libipsec: Don't ignore policies of type != POLICY_IPSEC
This actually broke rekeying due to the DROP policies that are
temporarily added, which broke the refcount as the ignored policies
were not ignored in del_policy() (the type is not known there).
2013-10-11 15:32:44 +02:00
Tobias Brunner
eeb34af069
kernel-libipsec: Add an option to allow remote TS to match the IKE peer
Setting the fwmark options for the kernel-netlink and socket-default
plugins allows this kind of setup.
It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make
it work.
2013-10-11 15:32:44 +02:00
Martin Willi
12fdc2b16b
kernel-libipsec: Support ESPv3 TFC padding
2013-10-11 10:23:18 +02:00
Martin Willi
d53f9b9637
kernel-libipsec: Support query_sa() to report usage statistics
2013-10-11 10:23:17 +02:00
Martin Willi
d7083b6541
kernel: Use a time_t to report use time in query_policy()
2013-10-11 10:23:17 +02:00
Martin Willi
c99458e94e
kernel: Use a time_t to report use time in query_sa()
2013-10-11 10:23:17 +02:00
Tobias Brunner
29bdfb4086
kernel-libipsec: Fail route installation if remote TS matches peer
2013-07-18 15:41:13 +02:00
Tobias Brunner
dfc9902013
capabilities: Some plugins don't actually require capabilities at runtime
2013-07-18 15:25:35 +02:00
Martin Willi
19cb07b890
automake: replace INCLUDES by AM_CPPFLAGS
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
2013-07-18 14:59:19 +02:00
Tobias Brunner
f067348134
kernel-libipsec: Log error if no local address is found when installing routes
2013-07-15 14:37:31 +02:00
Tobias Brunner
41b8546ac0
capabilities: Only plugins that require CAP_NET_ADMIN demand it
The daemon as such does not require this capability.
2013-06-25 17:16:32 +02:00
Tobias Brunner
23ea59a95c
kernel-libipsec: Ignore failures when installing routes for multicast or broadcast policies
2013-06-21 17:03:22 +02:00
Tobias Brunner
35fe41f7d0
kernel-libipsec: Add a feature to request UDP encapsulation of ESP packets
2013-06-21 17:03:21 +02:00
Tobias Brunner
1f31a2bc2e
kernel-libipsec: Install a gateway for routes on platforms other than Linux
This seems required e.g. on FreeBSD but doesn't work on Linux.
2013-06-21 17:03:21 +02:00
Tobias Brunner
dcaf8d570c
kernel-libipsec: Router reads packets from multiple TUN devices
These devices are collected via the kernel_listener_t interface.
2013-06-21 17:03:21 +02:00
Tobias Brunner
7045defbff
kernel-libipsec: Use separate class to route packets between charon, libipsec and TUN device
2013-06-21 17:03:21 +02:00
Tobias Brunner
587bdf8768
kernel-libipsec: Track policies and automatically install routes
The routes direct traffic matching the remote traffic selector to the
TUN device.
If the remote traffic selector includes the IKE peer, a very specific route
is installed to allow IKE traffic.
2013-06-21 17:03:20 +02:00
Tobias Brunner
44a49681fd
kernel-libipsec: Handle packets between charon socket, libipsec and TUN device
2013-06-21 17:03:20 +02:00
Tobias Brunner
59be6ddd08
kernel-libipsec: Create a TUN device and use it to install virtual IPs
2013-06-21 17:03:20 +02:00
Tobias Brunner
279e0d42bd
kernel-libipsec: Add plugin that implements kernel_ipsec_t using libipsec
2013-06-21 17:03:20 +02:00