e811659323
kernel-pfkey: Add option to install routes via internal interface
...
On FreeBSD, enabling this selects the correct source IP when sending
packets from the gateway itself.
2018-03-21 10:37:49 +01:00
381f6d982c
kernel-pfkey: Fix extended replay configuration on FreeBSD 11.1
...
Fixes: 88a8fba1c7Fixes #2501 .
2017-12-22 10:19:49 +01:00
88a8fba1c7
kernel-pfkey: Support anti-replay windows > 2k
...
FreeBSD 11.1 supports a new extension to configure larger anti-replay
windows, now configured as number of packets.
Fixes #2461 .
2017-11-08 16:35:38 +01:00
21a500a092
kernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD
...
The FreeBSD kernel explicitly rejects messages containing keys for mature SAs.
Fixes #2457 .
2017-11-08 16:34:12 +01:00
2e4d110d1e
linked-list: Change return value of find_first() and signature of its callback
...
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
8a2e4d4a8b
linked-list: Change interface of callback for invoke_function()
...
This avoids the unportable five pointer hack.
2017-05-26 13:56:44 +02:00
bf08e39441
kernel-pfkey: Update SA addresses if supported by the kernel
...
Upcoming FreeBSD kernels will support updating the addresses of existing
SAs with new SADB_X_EXT_NEW_ADDRESS_SRC|DST extensions for the SADB_UPDATE
message.
2017-05-23 17:58:50 +02:00
a080cfece0
kernel-pfkey: Use new encap flag on Mac OS X when updating SAs
2017-05-23 17:58:50 +02:00
6d86d0f516
kernel: Make range of SPIs for IPsec SAs configurable
2017-03-02 08:52:56 +01:00
3c46ce2834
kernel-pfkey: Use the same priority range for trap and regular policies
...
Same as the change in the kernel-netlink plugin.
2017-02-08 10:36:38 +01:00
4ae2209e3d
kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAs
...
Picky kernels might otherwise reject our messages as RFC 2367 explicitly
mandates this.
Fixes #2212 .
2017-01-25 17:30:57 +01:00
21aa924233
kernel-pfkey: Only set the replay window for inbound SAs
...
It is not necessary for outbound SAs and might waste memory when large
window sizes are used.
2016-06-17 18:46:33 +02:00
b98afc0a37
kernel-pfkey: Install routes with OUT policies
2016-06-10 15:25:46 +02:00
85fed13c18
kernel-pfkey: Don't install routes for drop policies and if protocol/ports are in the selector
2016-06-10 15:25:05 +02:00
50798628c5
kernel-pfkey: Also use interface returned by get_nexthop() for IPsec policies
...
An exception is if the local address is virtual, in which case we want
the route to be via TUN device.
2016-06-10 13:57:27 +02:00
c158331bfc
kernel-pfkey: Use interface to next hop for shunt policies
2016-06-10 13:57:27 +02:00
99a57aa5ee
kernel-net: Let get_nexthop() return an optional interface name
...
The returned name should be the interface over which the destination
address/net is reachable.
2016-06-10 13:54:18 +02:00
1ba2b015fa
kernel-pfkey: Use ipsec_sa_cfg_equals()
2016-06-08 16:12:52 +02:00
254726b59e
kernel-pfkey: Add support for manual priorities
...
Also orders policies with equals priorities by their automatic priority.
2016-04-15 10:39:01 +02:00
4e59618382
kernel-pfkey: Update priority calculation formula to the new one in kernel-netlink
...
Since the selectors are not exactly the same (no port masks, no interface)
some small tweaks have been applied.
2016-04-15 10:39:00 +02:00
fd8f1194f3
kernel-pfkey: Prefer policies with reqid over those without
2016-04-09 16:51:01 +02:00
0ff8ce9452
kernel-pfkey: Only install templates for regular IPsec policies with reqid
2016-04-09 16:51:01 +02:00
89da06ace9
kernel: Use structs to pass information to the kernel-ipsec interface
2016-04-09 16:50:59 +02:00
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
8394ea2a42
libhydra: Move kernel interface to libcharon
...
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
dec9e1957f
libhydra: Move all kernel plugins to libcharon
2016-03-03 17:36:11 +01:00
062a602216
Moved all kernel plugins to libhydra.
2010-09-02 19:01:26 +02:00
f6659688ab
Refer to kernel interface via hydra and not charon.
2010-09-02 19:01:25 +02:00
9f166d9ac2
Removed references to protocol_id_t from kernel interface.
...
Instead we use the actual IP protocol identifier (the conversion now happens in
child_sa_t and kernel_handler_t).
2010-09-02 19:01:25 +02:00
4e258e63c3
Moved migrate job creation to kernel event handler.
2010-09-02 19:01:24 +02:00
01563352e8
Moved update SA job creation to kernel event handler.
2010-09-02 19:01:24 +02:00
a22853b302
Moved delete/rekey CHILD_SA job creation to kernel event handler.
2010-09-02 19:01:24 +02:00
81f6ec276b
Moved acquire job creation to kernel event handler.
2010-09-02 19:01:23 +02:00
c5f7146b17
Refer to processor via hydra and not charon.
2010-09-02 19:01:22 +02:00
ba31fe1fd6
Use a seperate section for each nested struct member in INIT macro
2010-08-18 12:15:03 +02:00
ee26c537d7
support of xfrm marks for IKEv2
2010-07-02 23:46:09 +02:00
9eb7f46b3d
Do not install routes in the PF_KEY kernel interface if interface lookup failed.
2010-06-23 11:43:31 +02:00
b7900d3258
Fixing the PF_KEY kernel interface on Android.
...
In Android's in.h IPPROTO_COMP is not #defined but just an enum member.
2010-06-22 16:12:07 +02:00
ed76b21652
Check for SADB_X_NAT_T_NEW_MAPPING in PF_KEY kernel interface.
...
FreeBSD 8 does not support SADB_X_NAT_T_NEW_MAPPING whereas Linux and
the previous FreeBSD NAT-T patch both do.
2010-06-15 15:31:10 +02:00
668e84d904
Set the ports of all hosts installed via the PF_KEY kernel interface to zero.
2010-06-15 10:11:57 +02:00
08c5572602
Moving charon to libcharon.
2010-03-19 13:34:52 +01:00
Tobias Brunner