Noel Kuntze
09f4bccfea
kernel-netlink: Implement passthrough type routes and use them on Linux
Enables us to ignore any future kernel features for routes unless
we actually need to consider them for the source IP routes.
Also enables us to actually really skip IPsec processing for those networks
(because even the routes don't touch those packets). It's more what
users expect.
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
2020-03-10 10:20:58 +01:00
Tobias Brunner
f3d8179b4b
kernel-pfkey: Add additional strings for extensions on different platforms
Don't define structs for macOS as we don't need them (that's true for
most of the others too, though) and at least one is defined inside an extra
ifdef.
2019-10-28 14:26:32 +01:00
Tobias Brunner
62e7c68b61
kernel-pfkey: Clear receive buffer before sending request
Many of the messages sent by the kernel, including confirmations to our
requests, are sent as broadcasts to all PF_KEY sockets. So if an
external tool is used to manage SAs/policies (e.g. unrelated to IPsec)
the receive buffer might be filled, resulting in errors like these:
error sending to PF_KEY socket: No buffer space available
To avoid this, just clear the buffer before sending any message.
Fixes #3225.
2019-10-25 13:53:06 +02:00
Patryk Duda
121390fb3c
kernel-pfkey: Pass ESN flag to kernel if ESN is enabled
This patch adds passing the ESN flag to the kernel if ESN was negotiated
and the appropriate flag is present in the kernel headers, which will
be the case in future FreeBSD releases.
Signed-off-by: Patryk Duda <pdk@semihalf.com>
Closes strongswan/strongswan#155.
2019-10-14 18:03:34 +02:00
Tobias Brunner
872b9b3e8d
kernel-pfkey: Read reqid directly from acquire if possible
Upcoming versions of FreeBSD will include an SADB_X_EXT_SA2 extension in
acquires that contains the reqid set on the matching policy. This allows
handling acquires even when no policies are installed (e.g. to work with
FreeBSD's implementation of VTI interfaces, which manage policies
themselves).
2018-12-03 12:01:43 +01:00
Tobias Brunner
784d96e031
Fixed some typos, courtesy of codespell
2018-09-17 18:51:44 +02:00
Tobias Brunner
c798b94a43
kernel-pfkey: Add support for native ChaCha20/Poly1305 on macOS
2018-07-06 10:25:56 +02:00
Ruben Tytgat
e2b8c7e6ed
kernel-pfkey: Enable macOS native AES_GCM_ICV16 support
macOS supports AES_GCM_ICV16 natively using PF_KEYv2.
This change enables AES_GCM if the corresponding definition is detected
in the headers.
With this change it is no longer necessary to use the libipsec module to
use AES_GCM on macOS.
Closes strongswan/strongswan#107.
2018-07-06 10:25:55 +02:00
Tobias Brunner
50c4c1bb40
kernel-pfkey: Avoid updating policies if nothing significant changed
The FreeBSD kernel doesn't update policies atomically, causing
unnecessary traffic loss during simple rekeyings.
Fixes #2677.
2018-07-02 10:17:04 +02:00
Tobias Brunner
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
Tobias Brunner
e811659323
kernel-pfkey: Add option to install routes via internal interface
On FreeBSD, enabling this selects the correct source IP when sending
packets from the gateway itself.
2018-03-21 10:37:49 +01:00
Tobias Brunner
381f6d982c
kernel-pfkey: Fix extended replay configuration on FreeBSD 11.1
Fixes: 88a8fba1c7 ("kernel-pfkey: Support anti-replay windows > 2k")
Fixes #2501.
2017-12-22 10:19:49 +01:00
Tobias Brunner
88a8fba1c7
kernel-pfkey: Support anti-replay windows > 2k
FreeBSD 11.1 supports a new extension to configure larger anti-replay
windows, now configured as number of packets.
Fixes #2461.
2017-11-08 16:35:38 +01:00
Tobias Brunner
21a500a092
kernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD
The FreeBSD kernel explicitly rejects messages containing keys for mature SAs.
Fixes #2457.
2017-11-08 16:34:12 +01:00
Tobias Brunner
2e4d110d1e
linked-list: Change return value of find_first() and signature of its callback
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
Tobias Brunner
8a2e4d4a8b
linked-list: Change interface of callback for invoke_function()
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
Tobias Brunner
bf08e39441
kernel-pfkey: Update SA addresses if supported by the kernel
Upcoming FreeBSD kernels will support updating the addresses of existing
SAs with new SADB_X_EXT_NEW_ADDRESS_SRC|DST extensions for the SADB_UPDATE
message.
2017-05-23 17:58:50 +02:00
Tobias Brunner
a080cfece0
kernel-pfkey: Use new encap flag on Mac OS X when updating SAs
2017-05-23 17:58:50 +02:00
Tobias Brunner
6d86d0f516
kernel: Make range of SPIs for IPsec SAs configurable
2017-03-02 08:52:56 +01:00
Tobias Brunner
3c46ce2834
kernel-pfkey: Use the same priority range for trap and regular policies
Same as the change in the kernel-netlink plugin.
2017-02-08 10:36:38 +01:00
Tobias Brunner
4ae2209e3d
kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAs
Picky kernels might otherwise reject our messages as RFC 2367 explicitly
mandates this.
Fixes #2212.
2017-01-25 17:30:57 +01:00
Tobias Brunner
21aa924233
kernel-pfkey: Only set the replay window for inbound SAs
It is not necessary for outbound SAs and might waste memory when large
window sizes are used.
2016-06-17 18:46:33 +02:00
Tobias Brunner
b98afc0a37
kernel-pfkey: Install routes with OUT policies
2016-06-10 15:25:46 +02:00
Tobias Brunner
85fed13c18
kernel-pfkey: Don't install routes for drop policies and if protocol/ports are in the selector
2016-06-10 15:25:05 +02:00
Tobias Brunner
50798628c5
kernel-pfkey: Also use interface returned by get_nexthop() for IPsec policies
An exception is if the local address is virtual, in which case we want
the route to be via the TUN device.
2016-06-10 13:57:27 +02:00
Tobias Brunner
c158331bfc
kernel-pfkey: Use interface to next hop for shunt policies
2016-06-10 13:57:27 +02:00
Tobias Brunner
99a57aa5ee
kernel-net: Let get_nexthop() return an optional interface name
The returned name should be the interface over which the destination
address/net is reachable.
2016-06-10 13:54:18 +02:00
Tobias Brunner
1ba2b015fa
kernel-pfkey: Use ipsec_sa_cfg_equals()
2016-06-08 16:12:52 +02:00
Tobias Brunner
254726b59e
kernel-pfkey: Add support for manual priorities
Also orders policies with equal priorities by their automatic priority.
2016-04-15 10:39:01 +02:00
Tobias Brunner
4e59618382
kernel-pfkey: Update priority calculation formula to the new one in kernel-netlink
Since the selectors are not exactly the same (no port masks, no interface)
some small tweaks have been applied.
2016-04-15 10:39:00 +02:00
Tobias Brunner
fd8f1194f3
kernel-pfkey: Prefer policies with reqid over those without
2016-04-09 16:51:01 +02:00
Tobias Brunner
0ff8ce9452
kernel-pfkey: Only install templates for regular IPsec policies with reqid
2016-04-09 16:51:01 +02:00
Tobias Brunner
89da06ace9
kernel: Use structs to pass information to the kernel-ipsec interface
2016-04-09 16:50:59 +02:00
Andreas Steffen
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
Tobias Brunner
8394ea2a42
libhydra: Move kernel interface to libcharon
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner
dec9e1957f
libhydra: Move all kernel plugins to libcharon
2016-03-03 17:36:11 +01:00
Tobias Brunner
062a602216
Moved all kernel plugins to libhydra.
2010-09-02 19:01:26 +02:00
Tobias Brunner
f6659688ab
Refer to kernel interface via hydra and not charon.
2010-09-02 19:01:25 +02:00
Tobias Brunner
9f166d9ac2
Removed references to protocol_id_t from kernel interface.
Instead we use the actual IP protocol identifier (the conversion now happens in
child_sa_t and kernel_handler_t).
2010-09-02 19:01:25 +02:00
Tobias Brunner
4e258e63c3
Moved migrate job creation to kernel event handler.
2010-09-02 19:01:24 +02:00
Tobias Brunner
01563352e8
Moved update SA job creation to kernel event handler.
2010-09-02 19:01:24 +02:00
Tobias Brunner
a22853b302
Moved delete/rekey CHILD_SA job creation to kernel event handler.
2010-09-02 19:01:24 +02:00
Tobias Brunner
81f6ec276b
Moved acquire job creation to kernel event handler.
2010-09-02 19:01:23 +02:00
Tobias Brunner
c5f7146b17
Refer to processor via hydra and not charon.
2010-09-02 19:01:22 +02:00
Martin Willi
ba31fe1fd6
Use a separate section for each nested struct member in INIT macro
2010-08-18 12:15:03 +02:00
Andreas Steffen
ee26c537d7
support of xfrm marks for IKEv2
2010-07-02 23:46:09 +02:00
Tobias Brunner
9eb7f46b3d
Do not install routes in the PF_KEY kernel interface if interface lookup failed.
2010-06-23 11:43:31 +02:00
Tobias Brunner
b7900d3258
Fixing the PF_KEY kernel interface on Android.
In Android's in.h IPPROTO_COMP is not #defined but just an enum member.
2010-06-22 16:12:07 +02:00
Tobias Brunner
ed76b21652
Check for SADB_X_NAT_T_NEW_MAPPING in PF_KEY kernel interface.
FreeBSD 8 does not support SADB_X_NAT_T_NEW_MAPPING whereas Linux and
the previous FreeBSD NAT-T patch both do.
2010-06-15 15:31:10 +02:00
Tobias Brunner
668e84d904
Set the ports of all hosts installed via the PF_KEY kernel interface to zero.
2010-06-15 10:11:57 +02:00