ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
17,549 Commits 6 Branches 233 Tags 88 MiB
Commit Graph

59 Commits

Author SHA1 Message Date
Josh Soref b3ab7a48cc Spelling fixes 
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior

Closes strongswan/strongswan#164.
 2020-02-11 18:23:07 +01:00
Tobias Brunner 8da7dbe766 socket-default: Fix setting DSCP value on FreeBSD 
Fixes #3030.
 2019-04-23 11:49:04 +02:00
Martin Willi ebd2d3877e ipsec-types: Restrict the use of %unique and other keywords when parsing marks 
%unique (and the upcoming %same key) are usable in specific contexts only.
To restrict the user from using it in other places where it does not get the
expected results, reject such keywords unless explicitly allowed.
 2018-08-31 12:26:40 +02:00
Tobias Brunner 1b67166921 Unify format of HSR copyright statements 2018-05-23 16:32:53 +02:00
Martin Willi 9b29003cd9 socket-default: Add an option to force the sending interface via IP_PKTINFO 
On Linux, setting the source address is insufficient to force a packet to be
sent over a certain path. The kernel uses the best route to select the outgoing
interface, even if we set a source address of a lower priority interface. This
is not only true for interfaces attaching to the same subnet, but also for
unrelated interfaces; the kernel (at least on 4.7) sends out the packet on
whatever interface it sees fit, even if that network does not expect packets
from the source address we force to.

When a better interface becomes available, strongSwan sends its MOBIKE address
list update using the old source address. But the kernel sends that packet over
the new best interface. If that network drops packets having the unexpected
source address from the old path, the MOBIKE update fails and the SA finally
times out.

To enforce a specific interface for our packet, we explicitly set the interface
index from the interface where the source address is installed. According to
ip(7), this overrules the specified source address to the primary interface
address. As this could have side effects to installations using multiple
addresses on a single interface, we disable the option by default for now.

This also allows using IPv6 link-local addresses, which won't work if
the outbound interface is not set explicitly.
 2017-05-23 16:49:39 +02:00
Andreas Steffen b12c53ce77 Use standard unsigned integer types 2016-03-24 18:52:48 +01:00
Tobias Brunner 28649f6d91 libhydra: Remove empty unused library 2016-03-03 17:36:11 +01:00
Tobias Brunner 8394ea2a42 libhydra: Move kernel interface to libcharon 
This moves hydra->kernel_interface to charon->kernel.
 2016-03-03 17:36:11 +01:00
Tobias Brunner 47e113a639 socket-default: Refactor setting source address when sending messages 
This ensures we don't pass data (via msg_control) defined in a different
scope to sendmsg().  Actually, some compilers (e.g. GCC 5.2.1) might
optimize the memcpy() call away causing the packets not to get sent from
the intended source address.

It also makes the code clearer than with all these ifdefs.

Fixes #1171.
 2015-11-09 16:43:21 +01:00
Tobias Brunner 99747bed8f socket-default: Refactor retrieval of destination address of received packets 
This makes the code a bit clearer than with the interleaved ifdefs.
 2015-11-09 16:42:20 +01:00
Tobias Brunner 3000f6aada Fixed some typos, courtesy of codespell 2014-12-15 17:11:14 +01:00
Martin Willi ed247660e8 socket-default: Use round-robin selection of sockets to read from 
If multiple sockets are ready, we previously preferred the IPv4 non-NAT socket
over others. To handle all with equal priority, use a round-robin selection.
 2014-11-21 12:02:07 +01:00
Martin Willi ce13ba62cc socket-default: Use poll(2) instead of select 
It is not only simpler, but also allows the use of arbitrary high fd numbers,
which silently fails with select().
 2014-11-21 12:02:07 +01:00
Tobias Brunner f00a9c1715 packet: Define a global default maximum size for IKE packets 2014-10-10 09:32:42 +02:00
Martin Willi 4163421f91 plugins: Don't link with -rdynamic on Windows 2014-06-04 15:53:02 +02:00
Tobias Brunner d223fe807a libcharon: Use lib->ns instead of charon->name 2014-02-12 14:34:32 +01:00
Tobias Brunner 80f8b3a6d8 socket-default: Allow setting firewall mark on outbound packets 2013-10-11 15:32:44 +02:00
Tobias Brunner 4eb6149ae8 sockets: Initialize the whole ancillary data buffer not only the actual struct 
This avoids uninitialized bytes that Valgrind seems to notice otherwise.

Fixes #395.
 2013-09-10 13:42:59 +02:00
Tobias Brunner dfc9902013 capabilities: Some plugins don't actually require capabilities at runtime 2013-07-18 15:25:35 +02:00
Martin Willi 19cb07b890 automake: replace INCLUDES by AM_CPPFLAGS 
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
 2013-07-18 14:59:19 +02:00
Tobias Brunner 598bec78fa socket-default: Add options to disable address families 2013-07-05 09:48:27 +02:00
Tobias Brunner eafd7ee7e1 net: Socket implementations report the address families they support 2013-07-05 09:48:01 +02:00
Tobias Brunner 1dd61bf13d socket-default: Require CAP_NET_BIND_SERVICE for ports < 1024 
Since we don't know which ports are used with socket-dynamic we can't
demand the capability there, but it might still be required.
 2013-06-25 17:16:32 +02:00
Tobias Brunner c6f1929a45 socket-default: Make sure sockets are open when checking with FD_ISSET 2013-06-14 17:25:16 +02:00
Tobias Brunner 1889837767 socket-default: Properly initialize NAT-T port if opening regular socket failed 2013-06-14 16:42:56 +02:00
Tobias Brunner 270e425b24 Socket plugins soft depend on the kernel-ipsec plugin feature 
On most platforms calls to methods to bypass the IKE sockets and enabling
UDP decapsulation are required.
 2013-06-11 11:18:17 +02:00
Martin Willi dc35d097b3 socket-default: to bind to one dynamic port on OS X, create v4 socket before v6 
It seems that the order of binding sockets of different address families to the
same dynamic port must be v6-before-v4 on Linux, but v4-before-v6 on OS X.
 2013-05-06 16:10:11 +02:00
Martin Willi a30727fe2b socket-default: refactor socket pair opening to a function 2013-05-06 16:10:11 +02:00
Martin Willi 6948df3220 socket-default: Don't try to send packet if we haven't a socket for given family 2013-05-06 16:10:10 +02:00
Martin Willi e9326eba13 socket-default: Use -1 if socket is not available, as 0 is actually a valid fd 2013-05-06 16:10:10 +02:00
Martin Willi ea5917afd8 Set DSCP values when sending IP packets in socket-default 2013-02-06 15:20:32 +01:00
Martin Willi 6e82269ee6 Don't send a packet in default socket if family is not IPv4 nor IPv6 2013-02-06 15:20:32 +01:00
Martin Willi 6c37daaa3b Avoid extensive casting of sockaddr types in socket-default by using a union 
Additionally fixes a strict-aliasing rule compiler warning with older gcc.
 2013-02-06 15:20:32 +01:00
Tobias Brunner 45178362c8 Clarified error message if enabling UDP decapsulation fails 2012-09-27 10:49:17 +02:00
Tobias Brunner aaefeafb49 Enable UDP decapsulation for both address families 
Since the 3.5 Linux kernel both UDP implementations have a separate static
flag to indicate whether ANY sockets enabled UDP decapsulation.
As we only ever enabled it for one address family (in earlier versions IPv4
only, now for IPv6, if supported, and for IPv4 otherwise) UDP decapsulation
wouldn't work anymore (at least for one address family).
 2012-08-16 15:26:37 +02:00
Tobias Brunner 6fbf4472ea Added option to prevent socket-default from setting the source address on outbound packets 2012-08-08 15:39:07 +02:00
Tobias Brunner 224ab4c59b socket-default plugin allocates random ports if configured to 0. 
Also added strongswan.conf options to change the ports.
 2012-08-08 15:30:27 +02:00
Tobias Brunner a7babe25ee Added get_port() method to socket_t to learn the listening port. 2012-08-08 15:12:25 +02:00
Tobias Brunner 896941d365 Improved how NAT-T keepalives are handled in sockets/receiver. 2012-08-08 15:12:24 +02:00
Tobias Brunner e49abcede0 Let kernel interfaces decide how to enable UDP decapsulation of ESP packets. 2012-08-08 15:12:24 +02:00
Tobias Brunner 064da8b96b Add Non-ESP marker in sender and not individual socket plugins. 2012-08-08 15:12:24 +02:00
Tobias Brunner 65da43e2fc Handle Non-ESP marker in receiver and not individual socket plugins. 2012-08-08 15:12:24 +02:00
Tobias Brunner e7ea057fd2 Make the UDP ports charon listens for packets on (and uses as source ports) configurable. 2012-08-08 15:07:43 +02:00
Tobias Brunner f7cbc0fafe Use proper defines for IPV6_PKTINFO on Mac OS X Lion and newer. 2012-06-13 15:02:10 +02:00
Tobias Brunner 42500c274a Use name from initialization to access settings in libcharon. 
Also fixes several whitespace errors.
 2012-05-03 13:57:04 +02:00
Martin Willi 8c5aacc270 Add features support to socket-default plugin 2011-10-14 10:05:48 +02:00
Martin Willi ff6aab9e85 Fix alignement compiler warning 2011-06-03 10:49:54 +02:00
Martin Willi c55818ebb0 Added a (not yet implemented) plugin_t method to reload plugin configuration 2011-04-15 10:07:13 +02:00
Martin Willi 787b5884aa Added a get_name() function to plugin_t, create_plugin_enumerator enumerates over plugin_t 2011-04-15 10:07:12 +02:00
Tobias Brunner fa20849431 Deferred instantiation of socket implmentations until registration. 
Instantiating the implementations on plugin load was problematic
in case multiple socket plugins were loaded. Now, the first one
registered is instantiated.
 2010-10-15 17:30:21 +02:00