Otherwise, the output is buffered when e.g. piping the output to another
command (or file). And it avoids having to call fflush() in the
interactive mode.
Fixes#3404.
Enables us to ignore any future kernel features for routes unless
we actually need to consider them for the source IP routes.
Also enables us to actually really skip IPsec processing for those networks
(because even the routes don't touch those packets). It's more what
users expect.
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
This is the recommended location and import config as it allows running the
tests against installed versions of the package. And while the test file
itself is automatically included in the source distribution this way, the
__init__.py file is not, so we still have to update MANIFEST.in.
This happened when installing a duplicate bypass policy for a locally
connected subnet. The destructor and the kernel-net part already
handle this correctly.
This avoids having to register certificates with authority/ca backends
beforehand, which is tricky for intermediate CA certificates loaded
themselves via authority/ca sections. On the other hand, the form of
these URLs can't be determined by config backends anymore (not an issue
for the two current implementations, no idea if custom implementations
ever made use of that possibility). If that became necessary, we could
perhaps pass the certificate to the CDP enumerator or add a new method
to the credential_set_t interface.
Don't define structs for macOS as we don't need them (that's true for
most of the others too, though) and at least one is defined inside an extra
ifdef.
If a CHILD_SA is terminated, the updown event is triggered after the
CHILD_SA is set to state CHILD_DELETED, so no usage stats or detail
information like SPIs were reported. However, when an IKEv2 SA is
terminated, the updown event for its children is triggered without
changing the state first, that is, they usually remain in state
INSTALLED and detailed data was reported in the event. IKEv1
CHILD_SAs are always terminated individually, i.e. with state
change and no extra data so far.
With this change usage stats are also returned for individually deleted
CHILD_SAs as long as the SA has not yet expired.
Fixes#3198.
Many of the messages sent by the kernel, including confirmations to our
requests, are sent as broadcasts to all PF_KEY sockets. So if an
external tool is used to manage SAs/policies (e.g. unrelated to IPsec)
the receive buffer might be filled, resulting in errors like these:
error sending to PF_KEY socket: No buffer space available
To avoid this, just clear the buffer before sending any message.
Fixes#3225.
This avoids having to call strip_dh() in child_cfg_t::get_proposals().
It also inverts the ALLOW_PRIVATE flag (i.e. makes it SKIP_PRIVATE) so
nothing has to be supplied to clone complete proposals.
This patch adds passing the ESN flag to the kernel if ESN was negotiated
and the appropriate flag is present in the kernel headers, which will
be the case in future FreeBSD releases.
Signed-off-by: Patryk Duda <pdk@semihalf.com>
Closesstrongswan/strongswan#155.
The unique names were introduced for the list-sas command in commit
04c0219e55. However, the child-updown
event wasn't updated to match. Even though the documentation suggests
that the section name of the CHILD_SAs are the same in both messages.
The original name is already being returned in the "name" attribute,
so it'll still be available.
Example:
>>> import vici, json
>>> s = vici.Session()
# First, for comparison, the list-sas command:
>>> print(json.dumps(list(s.list_sas()), sort_keys=True, indent=4, separators=(',', ': ')))
[
{
"vti0": {
"child-sas": {
"vti0-1": {
...
# A child-updown event before the change:
>>> for x in s.listen(["child-updown"]): print(json.dumps(x, sort_keys=True, indent=4, separators=(',', ': ')))
[
"child-updown",
{
"vti0": {
"child-sas": {
"vti0": { # <-- wrong: inconsistent with list-sas
...
# A child-updown event after the change:
>>> s = vici.Session()
>>> for x in s.listen(["child-updown"]): print(json.dumps(x, sort_keys=True, indent=4, separators=(',', ': ')))
[
"child-updown",
{
"vti0": {
"child-sas": {
"vti0-1": { # <-- fixed
Closesstrongswan/strongswan#153.
This allows using the certificate, which is technically a CA cert, as
end-entity certificate again after the RFC4945-related changes added
with 5.6.3.
Fixes#3139.
If the key type was specified but the ID was NULL or matched a subject, it
was possible that a certificate was returned that didn't actually match
the requested key type.
Closesstrongswan/strongswan#141.
Also expose a method to call arbitrary commands, which allows calling not
yet wrapped commands. Exceptions are raised for all commands if the response
includes a negative "success" key (similar to how it's done in the Python
bindings).
Instead of assuming passwords are simply ASCII-encoded we now assume they are
provided UTF-8-encoded, which is quite likely nowadays. The UTF-8 byte
sequences are not validated, however, only valid code points are encoded
as UTF-16LE.
Fixes#3014.
This is mainly to see what's necessary to create them (in case we
integrate this into the daemon) and to experiment in our testing
environment without having to add a patched version of iproute2 (the
4.20.0 version in stretch-backports doesn't support XFRM interfaces
yet). The regular version of iproute2 can be used for other operations
with these interfaces (delete, up, addrs etc.).
This can be the case for IKEv1 since 419ae9a20a ("ikev1: Default remote
identity to %any for PSK lookup if not configured").
Closesstrongswan/strongswan#128.
This seems to avoid broadcast loops (i.e. processing and reinjecting the
same broadcast packet over and over again) as the packets we send via
AF_PACKET socket are neither marked nor from that interface.
In order to avoid that the kernel uses virtual tunnel IPs for traffic
over physical interfaces we previously deprecated the virtual IP. While
this is working it is not ideal. This patch adds address labels for
virtual IPs, which should force the kernel to avoid such addresses to
reach any destination unless there is an explicit route that uses it as
source address.
Using parse_time() directly actually overwrites the next member in the
child_cfg_create_t struct, which is start_action, which can cause
incorrect configs if inactivity is parsed after start_action.
Fixes#2954.
In 7b7290977 ("controller: Add option to force destruction of an IKE_SA")
the 'force' option was added as 3rd parameter to controller_t::terminate_ike.
However in vici's 'clear_start_action', the argument was incorrectly
placed as the 2nd parameter - constantly sending 0 (FALSE) as the
'unique_id' to terminate, rendering calls to 'handle_start_actions'
having undo=TRUE being unable to terminate the relevant conn.
For example, this is log of such a bogus 'unload-conn':
strongswan[498]: 13[CFG] vici client 96 requests: unload-conn
strongswan[498]: 13[CFG] closing IKE_SA #9
strongswan[498]: 13[IKE] unable to terminate IKE_SA: ID 0 not found
strongswan[498]: 09[CFG] vici client 96 disconnected
here, the unloaded conn's IKE id was 9, alas 'terminate_ike_execute'
reports failure to terminate "ID 0".
Fix by passing 'id, FALSE' arguments in the correct order.
Fixes: 7b7290977 ("controller: Add option to force destruction of an IKE_SA")
Signed-off-by: Shmulik Ladkani <shmulik@metanetworks.com>
Closesstrongswan/strongswan#127.
This is particularly important for higher number of segments, but even
with small numbers there is a significant difference. For instance,
with 4 segments the fourth segment had no IPs assigned with the old
code, no matter how large the pool, because none of the eight bits used
for the segment check hashed/mapped to it.
Upcoming versions of FreeBSD will include an SADB_X_EXT_SA2 extension in
acquires that contains the reqid set on the matching policy. This allows
handling acquires even when no policies are installed (e.g. to work with
FreeBSD's implementation of VTI interfaces, which manage policies
themselves).
In case a subnet is moved from one interface to another the policies can
remain as is but the route has to change. This currently doesn't happen
automatically and there is no option to update the policy or route so
removing and reinstalling the policies is the only option.
Fixes#2820.
Tobias Brunner