Josh Soref
b3ab7a48cc
Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Tobias Brunner
8da7dbe766
socket-default: Fix setting DSCP value on FreeBSD
Fixes #3030.
2019-04-23 11:49:04 +02:00
Martin Willi
ebd2d3877e
ipsec-types: Restrict the use of %unique and other keywords when parsing marks
%unique (and the upcoming %same key) are usable in specific contexts only.
To restrict the user from using it in other places where it does not get the
expected results, reject such keywords unless explicitly allowed.
2018-08-31 12:26:40 +02:00
Tobias Brunner
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
Martin Willi
9b29003cd9
socket-default: Add an option to force the sending interface via IP_PKTINFO
On Linux, setting the source address is insufficient to force a packet to be
sent over a certain path. The kernel uses the best route to select the outgoing
interface, even if we set a source address of a lower priority interface. This
is not only true for interfaces attaching to the same subnet, but also for
unrelated interfaces; the kernel (at least on 4.7) sends out the packet on
whatever interface it sees fit, even if that network does not expect packets
from the source address we force to.
When a better interface becomes available, strongSwan sends its MOBIKE address
list update using the old source address. But the kernel sends that packet over
the new best interface. If that network drops packets having the unexpected
source address from the old path, the MOBIKE update fails and the SA finally
times out.
To enforce a specific interface for our packet, we explicitly set the interface
index from the interface where the source address is installed. According to
ip(7), this overrules the specified source address to the primary interface
address. As this could have side effects to installations using multiple
addresses on a single interface, we disable the option by default for now.
This also allows using IPv6 link-local addresses, which won't work if
the outbound interface is not set explicitly.
2017-05-23 16:49:39 +02:00
Andreas Steffen
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
Tobias Brunner
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
Tobias Brunner
8394ea2a42
libhydra: Move kernel interface to libcharon
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner
47e113a639
socket-default: Refactor setting source address when sending messages
This ensures we don't pass data (via msg_control) defined in a different
scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might
optimize the memcpy() call away causing the packets not to get sent from
the intended source address.
It also makes the code clearer than with all these ifdefs.
Fixes #1171.
2015-11-09 16:43:21 +01:00
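Editor's worked example, not strongSwan code, covering the two socket-default commits above on IP_PKTINFO (forcing the source address and, optionally, the outbound interface index) and on keeping the msg_control buffer in the same scope as sendmsg(). Function names are the editor's, the addresses are constructed TEST-NET values, and the struct layout assumed is Linux's.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* One IP_PKTINFO control message, alignment padding included. */
#define PKTINFO_CTRL_LEN CMSG_SPACE(sizeof(struct in_pktinfo))
/* Attach IP_PKTINFO to msg: source address plus, if ifindex != 0, the outbound
 * interface.  ctrl must be >= PKTINFO_CTRL_LEN bytes and outlive sendmsg(). */
static void set_ipv4_pktinfo(struct msghdr *msg, unsigned char *ctrl,
                             const char *src, int ifindex)
{
    struct cmsghdr *cmsg;
    memset(ctrl, 0, PKTINFO_CTRL_LEN);  /* whole buffer, not just the struct */
    msg->msg_control = ctrl;
    msg->msg_controllen = PKTINFO_CTRL_LEN;
    cmsg = CMSG_FIRSTHDR(msg);
    cmsg->cmsg_level = IPPROTO_IP;
    cmsg->cmsg_type = IP_PKTINFO;
    cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    struct in_pktinfo *info = (struct in_pktinfo *)CMSG_DATA(cmsg);
    info->ipi_ifindex = ifindex;        /* 0: kernel picks by best route */
    inet_pton(AF_INET, src, &info->ipi_spec_dst);
}

/* Parse IP_PKTINFO back out (as a receiver does after recvmsg()).
 * Returns the ifindex, or -1 if absent; src gets the dotted-quad address. */
static int read_ipv4_pktinfo(struct msghdr *msg, char *src)
{
    struct cmsghdr *cmsg;
    for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
        if (cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo *info = (struct in_pktinfo *)CMSG_DATA(cmsg);
            inet_ntop(AF_INET, &info->ipi_spec_dst, src, INET_ADDRSTRLEN);
            return info->ipi_ifindex;
        }
    }
    return -1;
}
/* Socket-free round trip: returns the recovered ifindex, or -1 on mismatch. */
static int demo_pktinfo_roundtrip(const char *src, int ifindex)
{
    struct msghdr msg = {0};
    unsigned char ctrl[PKTINFO_CTRL_LEN];  /* same scope as sendmsg() would be */
    char seen[INET_ADDRSTRLEN] = "";
    set_ipv4_pktinfo(&msg, ctrl, src, ifindex);
    int idx = read_ipv4_pktinfo(&msg, seen);
    return strcmp(seen, src) == 0 ? idx : -1;
}
```

In a real sender, ctrl and msg are declared in the function that calls sendmsg(), which is exactly what the scope refactoring above guarantees.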
Tobias Brunner
99747bed8f
socket-default: Refactor retrieval of destination address of received packets
This makes the code a bit clearer than with the interleaved ifdefs.
2015-11-09 16:42:20 +01:00
Tobias Brunner
3000f6aada
Fixed some typos, courtesy of codespell
2014-12-15 17:11:14 +01:00
Martin Willi
ed247660e8
socket-default: Use round-robin selection of sockets to read from
If multiple sockets are ready, we previously preferred the IPv4 non-NAT socket
over others. To handle all with equal priority, use a round-robin selection.
2014-11-21 12:02:07 +01:00
Martin Willi
ce13ba62cc
socket-default: Use poll(2) instead of select
It is not only simpler, but also allows the use of arbitrarily high fd numbers,
which silently fails with select().
2014-11-21 12:02:07 +01:00
Tobias Brunner
f00a9c1715
packet: Define a global default maximum size for IKE packets
2014-10-10 09:32:42 +02:00
Martin Willi
4163421f91
plugins: Don't link with -rdynamic on Windows
2014-06-04 15:53:02 +02:00
Tobias Brunner
d223fe807a
libcharon: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
Tobias Brunner
80f8b3a6d8
socket-default: Allow setting firewall mark on outbound packets
2013-10-11 15:32:44 +02:00
Tobias Brunner
4eb6149ae8
sockets: Initialize the whole ancillary data buffer not only the actual struct
This avoids uninitialized bytes that Valgrind seems to notice otherwise.
Fixes #395.
2013-09-10 13:42:59 +02:00
Tobias Brunner
dfc9902013
capabilities: Some plugins don't actually require capabilities at runtime
2013-07-18 15:25:35 +02:00
Martin Willi
19cb07b890
automake: replace INCLUDES by AM_CPPFLAGS
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
2013-07-18 14:59:19 +02:00
Tobias Brunner
598bec78fa
socket-default: Add options to disable address families
2013-07-05 09:48:27 +02:00
Tobias Brunner
eafd7ee7e1
net: Socket implementations report the address families they support
2013-07-05 09:48:01 +02:00
Tobias Brunner
1dd61bf13d
socket-default: Require CAP_NET_BIND_SERVICE for ports < 1024
Since we don't know which ports are used with socket-dynamic we can't
demand the capability there, but it might still be required.
2013-06-25 17:16:32 +02:00
Tobias Brunner
c6f1929a45
socket-default: Make sure sockets are open when checking with FD_ISSET
2013-06-14 17:25:16 +02:00
Tobias Brunner
1889837767
socket-default: Properly initialize NAT-T port if opening regular socket failed
2013-06-14 16:42:56 +02:00
Tobias Brunner
270e425b24
Socket plugins soft depend on the kernel-ipsec plugin feature
On most platforms calls to methods to bypass the IKE sockets and enabling
UDP decapsulation are required.
2013-06-11 11:18:17 +02:00
Martin Willi
dc35d097b3
socket-default: to bind to one dynamic port on OS X, create v4 socket before v6
It seems that the order of binding sockets of different address families to the
same dynamic port must be v6-before-v4 on Linux, but v4-before-v6 on OS X.
2013-05-06 16:10:11 +02:00
Martin Willi
a30727fe2b
socket-default: refactor socket pair opening to a function
2013-05-06 16:10:11 +02:00
Martin Willi
6948df3220
socket-default: Don't try to send packet if we haven't a socket for given family
2013-05-06 16:10:10 +02:00
Martin Willi
e9326eba13
socket-default: Use -1 if socket is not available, as 0 is actually a valid fd
2013-05-06 16:10:10 +02:00
Martin Willi
ea5917afd8
Set DSCP values when sending IP packets in socket-default
2013-02-06 15:20:32 +01:00
Martin Willi
6e82269ee6
Don't send a packet in default socket if family is not IPv4 nor IPv6
2013-02-06 15:20:32 +01:00
Martin Willi
6c37daaa3b
Avoid extensive casting of sockaddr types in socket-default by using a union
Additionally fixes a strict-aliasing rule compiler warning with older gcc.
2013-02-06 15:20:32 +01:00
Tobias Brunner
45178362c8
Clarified error message if enabling UDP decapsulation fails
2012-09-27 10:49:17 +02:00
Tobias Brunner
aaefeafb49
Enable UDP decapsulation for both address families
Since the 3.5 Linux kernel both UDP implementations have a separate static
flag to indicate whether ANY sockets enabled UDP decapsulation.
As we only ever enabled it for one address family (in earlier versions IPv4
only, now for IPv6, if supported, and for IPv4 otherwise) UDP decapsulation
wouldn't work anymore (at least for one address family).
2012-08-16 15:26:37 +02:00
Tobias Brunner
6fbf4472ea
Added option to prevent socket-default from setting the source address on outbound packets
2012-08-08 15:39:07 +02:00
Tobias Brunner
224ab4c59b
socket-default plugin allocates random ports if configured to 0.
Also added strongswan.conf options to change the ports.
2012-08-08 15:30:27 +02:00
Tobias Brunner
a7babe25ee
Added get_port() method to socket_t to learn the listening port.
2012-08-08 15:12:25 +02:00
Tobias Brunner
896941d365
Improved how NAT-T keepalives are handled in sockets/receiver.
2012-08-08 15:12:24 +02:00
Tobias Brunner
e49abcede0
Let kernel interfaces decide how to enable UDP decapsulation of ESP packets.
2012-08-08 15:12:24 +02:00
Tobias Brunner
064da8b96b
Add Non-ESP marker in sender and not individual socket plugins.
2012-08-08 15:12:24 +02:00
Tobias Brunner
65da43e2fc
Handle Non-ESP marker in receiver and not individual socket plugins.
2012-08-08 15:12:24 +02:00
Tobias Brunner
e7ea057fd2
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
2012-08-08 15:07:43 +02:00
Tobias Brunner
f7cbc0fafe
Use proper defines for IPV6_PKTINFO on Mac OS X Lion and newer.
2012-06-13 15:02:10 +02:00
Tobias Brunner
42500c274a
Use name from initialization to access settings in libcharon.
Also fixes several whitespace errors.
2012-05-03 13:57:04 +02:00
Martin Willi
8c5aacc270
Add features support to socket-default plugin
2011-10-14 10:05:48 +02:00
Martin Willi
ff6aab9e85
Fix alignment compiler warning
2011-06-03 10:49:54 +02:00
Martin Willi
c55818ebb0
Added a (not yet implemented) plugin_t method to reload plugin configuration
2011-04-15 10:07:13 +02:00
Martin Willi
787b5884aa
Added a get_name() function to plugin_t, create_plugin_enumerator enumerates over plugin_t
2011-04-15 10:07:12 +02:00
Tobias Brunner
fa20849431
Deferred instantiation of socket implementations until registration.
Instantiating the implementations on plugin load was problematic
in case multiple socket plugins were loaded. Now, the first one
registered is instantiated.
2010-10-15 17:30:21 +02:00