09f4bccfea
kernel-netlink: Implement passthrough type routes and use them on Linux
...
Enables us to ignore any future kernel features for routes unless
we actually need to consider them for the source IP routes.
Also enables us to actually really skip IPsec processing for those networks
(because even the routes don't touch those packets). It's more what
users expect.
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
2020-03-10 10:20:58 +01:00
f3d8179b4b
kernel-pfkey: Add additional strings for extensions on different platforms
...
Don't define structs for macOS as we don't need them (that's true for
most of the others too, though) and at least one is defined inside an extra
ifdef.
2019-10-28 14:26:32 +01:00
62e7c68b61
kernel-pfkey: Clear receive buffer before sending request
...
Many of the messages sent by the kernel, including confirmations to our
requests, are sent as broadcasts to all PF_KEY sockets. So if an
external tool is used to manage SAs/policies (e.g. unrelated to IPsec)
the receive buffer might be filled, resulting in errors like these:
error sending to PF_KEY socket: No buffer space available
To avoid this, just clear the buffer before sending any message.
Fixes #3225 .
2019-10-25 13:53:06 +02:00
121390fb3c
kernel-pfkey: Pass ESN flag to kernel if ESN is enabled
...
This patch adds passing the ESN flag to the kernel if ESN was negotiated
and the appropriate flag is present in the kernel headers, which will
be the case in future FreeBSD releases.
Signed-off-by: Patryk Duda <pdk@semihalf.com>
Closes strongswan/strongswan#155 .
2019-10-14 18:03:34 +02:00
872b9b3e8d
kernel-pfkey: Read reqid directly from acquire if possible
...
Upcoming versions of FreeBSD will include an SADB_X_EXT_SA2 extension in
acquires that contains the reqid set on the matching policy. This allows
handling acquires even when no policies are installed (e.g. to work with
FreeBSD's implementation of VTI interfaces, which manage policies
themselves).
2018-12-03 12:01:43 +01:00
784d96e031
Fixed some typos, courtesy of codespell
2018-09-17 18:51:44 +02:00
c798b94a43
kernel-pfkey: Add support for native ChaCha20/Poly1305 on macOS
2018-07-06 10:25:56 +02:00
e2b8c7e6ed
kernel-pfkey: Enable macOS native AES_GCM_ICV16 support
...
macOS supports AES_GCM_ICV16 natively using PF_KEYv2.
This change enables AES_GCM if the corresponding definition is detected
in the headers.
With this change it is no longer necessary to use the libipsec module to
use AES_GCM on macOS.
Closes strongswan/strongswan#107 .
2018-07-06 10:25:55 +02:00
50c4c1bb40
kernel-pfkey: Avoid updating policies if nothing significant changed
...
The FreeBSD kernel doesn't update policies atomically, causing
unnecessary traffic loss during simple rekeyings.
Fixes #2677 .
2018-07-02 10:17:04 +02:00
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
e811659323
kernel-pfkey: Add option to install routes via internal interface
...
On FreeBSD, enabling this selects the correct source IP when sending
packets from the gateway itself.
2018-03-21 10:37:49 +01:00
381f6d982c
kernel-pfkey: Fix extended replay configuration on FreeBSD 11.1
...
Fixes: 88a8fba1c7Fixes #2501 .
2017-12-22 10:19:49 +01:00
88a8fba1c7
kernel-pfkey: Support anti-replay windows > 2k
...
FreeBSD 11.1 supports a new extension to configure larger anti-replay
windows, now configured as number of packets.
Fixes #2461 .
2017-11-08 16:35:38 +01:00
21a500a092
kernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD
...
The FreeBSD kernel explicitly rejects messages containing keys for mature SAs.
Fixes #2457 .
2017-11-08 16:34:12 +01:00
2e4d110d1e
linked-list: Change return value of find_first() and signature of its callback
...
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
8a2e4d4a8b
linked-list: Change interface of callback for invoke_function()
...
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
bf08e39441
kernel-pfkey: Update SA addresses if supported by the kernel
...
Upcoming FreeBSD kernels will support updating the addresses of existing
SAs with new SADB_X_EXT_NEW_ADDRESS_SRC|DST extensions for the SADB_UPDATE
message.
2017-05-23 17:58:50 +02:00
a080cfece0
kernel-pfkey: Use new encap flag on Mac OS X when updating SAs
2017-05-23 17:58:50 +02:00
6d86d0f516
kernel: Make range of SPIs for IPsec SAs configurable
2017-03-02 08:52:56 +01:00
3c46ce2834
kernel-pfkey: Use the same priority range for trap and regular policies
...
Same as the change in the kernel-netlink plugin.
2017-02-08 10:36:38 +01:00
4ae2209e3d
kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAs
...
Picky kernels might otherwise reject our messages as RFC 2367 explicitly
mandates this.
Fixes #2212 .
2017-01-25 17:30:57 +01:00
21aa924233
kernel-pfkey: Only set the replay window for inbound SAs
...
It is not necessary for outbound SAs and might waste memory when large
window sizes are used.
2016-06-17 18:46:33 +02:00
b98afc0a37
kernel-pfkey: Install routes with OUT policies
2016-06-10 15:25:46 +02:00
85fed13c18
kernel-pfkey: Don't install routes for drop policies and if protocol/ports are in the selector
2016-06-10 15:25:05 +02:00
50798628c5
kernel-pfkey: Also use interface returned by get_nexthop() for IPsec policies
...
An exception is if the local address is virtual, in which case we want
the route to be via TUN device.
2016-06-10 13:57:27 +02:00
c158331bfc
kernel-pfkey: Use interface to next hop for shunt policies
2016-06-10 13:57:27 +02:00
99a57aa5ee
kernel-net: Let get_nexthop() return an optional interface name
...
The returned name should be the interface over which the destination
address/net is reachable.
2016-06-10 13:54:18 +02:00
1ba2b015fa
kernel-pfkey: Use ipsec_sa_cfg_equals()
2016-06-08 16:12:52 +02:00
254726b59e
kernel-pfkey: Add support for manual priorities
...
Also orders policies with equals priorities by their automatic priority.
2016-04-15 10:39:01 +02:00
4e59618382
kernel-pfkey: Update priority calculation formula to the new one in kernel-netlink
...
Since the selectors are not exactly the same (no port masks, no interface)
some small tweaks have been applied.
2016-04-15 10:39:00 +02:00
fd8f1194f3
kernel-pfkey: Prefer policies with reqid over those without
2016-04-09 16:51:01 +02:00
0ff8ce9452
kernel-pfkey: Only install templates for regular IPsec policies with reqid
2016-04-09 16:51:01 +02:00
89da06ace9
kernel: Use structs to pass information to the kernel-ipsec interface
2016-04-09 16:50:59 +02:00
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
8394ea2a42
libhydra: Move kernel interface to libcharon
...
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
dec9e1957f
libhydra: Move all kernel plugins to libcharon
2016-03-03 17:36:11 +01:00
062a602216
Moved all kernel plugins to libhydra.
2010-09-02 19:01:26 +02:00
f6659688ab
Refer to kernel interface via hydra and not charon.
2010-09-02 19:01:25 +02:00
9f166d9ac2
Removed references to protocol_id_t from kernel interface.
...
Instead we use the actual IP protocol identifier (the conversion now happens in
child_sa_t and kernel_handler_t).
2010-09-02 19:01:25 +02:00
4e258e63c3
Moved migrate job creation to kernel event handler.
2010-09-02 19:01:24 +02:00
01563352e8
Moved update SA job creation to kernel event handler.
2010-09-02 19:01:24 +02:00
a22853b302
Moved delete/rekey CHILD_SA job creation to kernel event handler.
2010-09-02 19:01:24 +02:00
81f6ec276b
Moved acquire job creation to kernel event handler.
2010-09-02 19:01:23 +02:00
c5f7146b17
Refer to processor via hydra and not charon.
2010-09-02 19:01:22 +02:00
ba31fe1fd6
Use a seperate section for each nested struct member in INIT macro
2010-08-18 12:15:03 +02:00
ee26c537d7
support of xfrm marks for IKEv2
2010-07-02 23:46:09 +02:00
9eb7f46b3d
Do not install routes in the PF_KEY kernel interface if interface lookup failed.
2010-06-23 11:43:31 +02:00
b7900d3258
Fixing the PF_KEY kernel interface on Android.
...
In Android's in.h IPPROTO_COMP is not #defined but just an enum member.
2010-06-22 16:12:07 +02:00
ed76b21652
Check for SADB_X_NAT_T_NEW_MAPPING in PF_KEY kernel interface.
...
FreeBSD 8 does not support SADB_X_NAT_T_NEW_MAPPING whereas Linux and
the previous FreeBSD NAT-T patch both do.
2010-06-15 15:31:10 +02:00
668e84d904
Set the ports of all hosts installed via the PF_KEY kernel interface to zero.
2010-06-15 10:11:57 +02:00
Noel Kuntze