Andreas Steffen
2964562199
add overall recommendation to session database entry
2013-06-21 23:25:22 +02:00
Andreas Steffen
4f6bf1a843
don't define a default database URI
2013-06-21 23:25:22 +02:00
Andreas Steffen
1ecff25917
created a simple IMV Policy Manager
2013-06-21 23:25:22 +02:00
Andreas Steffen
1571a11fa4
register received scanner attributes
2013-06-21 23:25:22 +02:00
Andreas Steffen
9d63ad17d4
used tnc_policy_update functions for default policy
2013-06-21 23:25:22 +02:00
Andreas Steffen
a6266485be
refactored IMV policy management
2013-06-21 23:25:22 +02:00
Andreas Steffen
4f9aabbfd7
implemented policy rules for OS IMV
2013-06-21 23:25:22 +02:00
Andreas Steffen
7daf6d8cc5
check for zero-length device ID
2013-06-21 23:25:22 +02:00
Andreas Steffen
033834719d
ITA-HSR/Device ID attribute & IMV OS state machine
2013-06-21 23:25:22 +02:00
Andreas Steffen
bb9d8b1853
execute an _imv_policy script
2013-06-21 23:25:22 +02:00
Andreas Steffen
b8db66de15
implemented IMV session control
2013-06-21 23:25:21 +02:00
Andreas Steffen
1f179c63b3
Manage files and directories
2013-06-21 23:25:21 +02:00
Tobias Brunner
b61c78d3c2
Merge branch 'kernel-libipsec'
Adds a new kernel interface plugin that uses TUN devices and libipsec to
provide IPsec processing in userland.
It works on Linux, FreeBSD and Mac OS X. In particular the latter two
platforms may gain from this approach as their respective kernels don't
provide support for AES-GCM.
kernel-pfroute has been improved (source address lookup) and a second
plugin (osx-attr) installs configuration attributes (currently DNS
servers only) via SystemConfiguration on Mac OS X.
2013-06-21 17:07:41 +02:00
Martin Willi
45dcf4df57
osx-attr: add plugin installing config attributes using SystemConfiguration
Currently installs DNS servers only, by prepending IP addresses to the
DNS configuration of the primary networking service.
2013-06-21 17:03:22 +02:00
Tobias Brunner
12488efa78
kernel-pfroute: Simplify route lookup after fixing sockaddr parsing
2013-06-21 17:03:22 +02:00
Tobias Brunner
4b3fea3d54
kernel-pfroute: Alignment of sockaddrs is not always the same
2013-06-21 17:03:22 +02:00
Tobias Brunner
aa33d2e6eb
kernel-pfroute: struct sockaddr arguments are 4 byte aligned
This was noticed on Mac OS X where, if the default route is returned,
RTA_NETMASK has sa_len set to 0, but skipping zero bytes to read the
next address makes no sense, of course. Using 0 for sa_len seems
a bit strange, in particular, because struct sockaddr has by definition
a minimum length of 16 bytes. But it seems FreeBSD actually does the
same.
2013-06-21 17:03:22 +02:00
Tobias Brunner
23ea59a95c
kernel-libipsec: Ignore failures when installing routes for multicast or broadcast policies
2013-06-21 17:03:22 +02:00
Tobias Brunner
b0629f7d9b
kernel-pfroute: Improve route lookup depending on information we get back
Kernels don't provide the same information for all routes.
2013-06-21 17:03:22 +02:00
Tobias Brunner
1c697ff1c5
kernel-pfroute: Try to ensure we get a source address or interface name
2013-06-21 17:03:22 +02:00
Tobias Brunner
01955eec71
ike: Force NAT-T/UDP encapsulation if kernel interface requires it
2013-06-21 17:03:21 +02:00
Tobias Brunner
35fe41f7d0
kernel-libipsec: Add a feature to request UDP encapsulation of ESP packets
2013-06-21 17:03:21 +02:00
Tobias Brunner
66aaabf342
tun-device: Packets sent over utun devices on Mac OS X have the protocol family prepended
2013-06-21 17:03:21 +02:00
Tobias Brunner
34b0ad0653
kernel-pfroute: Use DST as nexthop for host routes
These are created as cache/clone on Mac OS X.
2013-06-21 17:03:21 +02:00
Tobias Brunner
d6c17e96b2
kernel-pfroute: Implement get_source_addr()
2013-06-21 17:03:21 +02:00
Tobias Brunner
f58f8bf409
kernel-pfroute: Properly install routes with interface and gateway
2013-06-21 17:03:21 +02:00
Tobias Brunner
1f31a2bc2e
kernel-libipsec: Install a gateway for routes on platforms other than Linux
This seems required e.g. on FreeBSD but doesn't work on Linux.
2013-06-21 17:03:21 +02:00
Tobias Brunner
93e4df3761
kernel-pfroute: Activate TUN device before setting address
On FreeBSD, for some reason, we don't learn the interface is up
otherwise. Even though ifconfig lists it as up at the same time.
2013-06-21 17:03:21 +02:00
Tobias Brunner
c8a56512a6
tun-device: Avoid opening /dev/tunX multiple times (e.g. on FreeBSD)
2013-06-21 17:03:21 +02:00
Tobias Brunner
dcaf8d570c
kernel-libipsec: Router reads packets from multiple TUN devices
These devices are collected via kernel_listener_t interface.
2013-06-21 17:03:21 +02:00
Tobias Brunner
7045defbff
kernel-libipsec: Use separate class to route packets between charon, libipsec and TUN device
2013-06-21 17:03:21 +02:00
Tobias Brunner
554c4276a5
kernel-pfroute: Raise tun event when creating/destroying TUN devices for virtual IPs
2013-06-21 17:03:21 +02:00
Tobias Brunner
4868d1c3bc
kernel: Add an event kernel interfaces can raise if they create/destroy a TUN device
2013-06-21 17:03:21 +02:00
Tobias Brunner
0d2ad63fe2
printf-hook: Avoid double-free when freeing Vstr config
Thread-specific objects get freed when the thread value object is
destroyed (wasn't the case earlier, i.e. before 2b19dd35), which
may cause the second call to vstr_free_conf() to fail in an assert
in Vstr (depending on how it was built).
2013-06-21 17:03:20 +02:00
Tobias Brunner
587bdf8768
kernel-libipsec: Track policies and automatically install routes
The routes direct traffic matching the remote traffic selector to the
TUN device.
If the remote traffic selector includes the IKE peer a very specific route
is installed to allow IKE traffic.
2013-06-21 17:03:20 +02:00
Tobias Brunner
44a49681fd
kernel-libipsec: Handle packets between charon socket, libipsec and TUN device
2013-06-21 17:03:20 +02:00
Tobias Brunner
59be6ddd08
kernel-libipsec: Create a TUN device and use it to install virtual IPs
2013-06-21 17:03:20 +02:00
Tobias Brunner
279e0d42bd
kernel-libipsec: Add plugin that implements kernel_ipsec_t using libipsec
2013-06-21 17:03:20 +02:00
Tobias Brunner
3cd7ba4960
kernel-netlink: Routes don't require a gateway/nexthop
2013-06-21 17:03:20 +02:00
Tobias Brunner
1b3b7ba54d
charon-cmd: Document auxiliary options
2013-06-21 17:00:49 +02:00
Tobias Brunner
4d62ad7571
charon-cmd: Link strongswan.conf(5) and charon-cmd(8) man pages
2013-06-21 16:35:19 +02:00
Tobias Brunner
5991f09565
charon-cmd: Use fixed number of characters to align command descriptions
If the command and argument are longer than that, write the first line of
the description on the following line.
2013-06-21 16:04:46 +02:00
Tobias Brunner
5e185047e1
charon-cmd: Shortened and fixed command descriptions
2013-06-21 16:04:45 +02:00
Tobias Brunner
463314b55a
charon-cmd: Simplify usage output for authentication profiles
The man page describes them in full.
2013-06-21 16:04:45 +02:00
Tobias Brunner
e8d6b91ebd
charon-cmd: Add Aggressive Mode profiles to man page
2013-06-21 16:04:45 +02:00
Tobias Brunner
0d60489bf8
charon-cmd: Add man page for charon-cmd(8)
2013-06-21 16:04:45 +02:00
Tobias Brunner
295d595b49
charon-cmd: Add --debug argument to set the default log level
2013-06-21 15:55:52 +02:00
Tobias Brunner
4049ec42bf
charon-cmd: Handle simple command line arguments like --help before the others
2013-06-21 15:51:42 +02:00
Tobias Brunner
0d25c4ef87
plugin-loader: Move logging of failed features to status()
Still log an error message if critical features fail, as loaded
plugins/features are not logged in that case.
This way loaded plugins are printed before failed features and
the relation is easier to make for users. It also allows programs
to log this message on a different level.
2013-06-21 15:22:46 +02:00
Tobias Brunner
607f8e9906
plugin-loader: Add method to print loaded plugins on a given log level
2013-06-21 15:17:53 +02:00