Tobias Brunner
ce433c9b29
kernel-wfp: Declare constants explicitly as extern
Newer compilers otherwise complain that there are multiple definitions
of these (in header and .c file).
2020-11-13 16:38:17 +01:00
Noel Kuntze
09f4bccfea
kernel-netlink: Implement passthrough type routes and use them on Linux
Enables us to ignore any future kernel features for routes unless
we actually need to consider them for the source IP routes.
Also enables us to actually really skip IPsec processing for those networks
(because even the routes don't touch those packets). It's more what
users expect.
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
2020-03-10 10:20:58 +01:00
Josh Soref
b3ab7a48cc
Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* encapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* threshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Tobias Brunner
2db6d5b8b3
Fixed some typos, courtesy of codespell
2018-02-13 12:19:54 +01:00
Tobias Brunner
9d240b0761
kernel-wfp: Don't redefine IPPROTO_IP* if already defined
2017-03-23 18:29:18 +01:00
Tobias Brunner
99a57aa5ee
kernel-net: Let get_nexthop() return an optional interface name
The returned name should be the interface over which the destination
address/net is reachable.
2016-06-10 13:54:18 +02:00
Tobias Brunner
89da06ace9
kernel: Use structs to pass information to the kernel-ipsec interface
2016-04-09 16:50:59 +02:00
Andreas Steffen
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
Tobias Brunner
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
Tobias Brunner
8394ea2a42
libhydra: Move kernel interface to libcharon
This moves hydra->kernel_interface to charon->kernel.
2016-03-03 17:36:11 +01:00
Tobias Brunner
a6e0f14fd2
kernel-interface: Pass the same data to del_policy() that was passed to add_policy()
The additional data can be helpful to identify the exact policy to
delete.
2015-11-10 16:42:52 +01:00
Martin Willi
942797a5b5
kernel-interface: Add a separate "update" flag to add_sa()
The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.
While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.
2015-03-09 18:18:20 +01:00
Martin Willi
f81a949748
kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqid
2015-02-20 13:34:50 +01:00
Martin Willi
d05d85fe65
kernel-interface: Pass full list of traffic selectors to add_sa()
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
2015-02-20 13:34:47 +01:00
Martin Willi
2a1c9e20bd
kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotiated. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends this is necessary.
2015-02-20 13:34:32 +01:00
Martin Willi
e1a448314f
kernel-wfp: Install outbound ALE connect rules for IPsec
Similar to the inbound rules, the ALE filter processes IP-in-IP packets for
outbound tunnel mode traffic. When using an outbound default-drop policy,
Windows does not allow connection initiation without these explicit rules.
2014-12-04 11:10:48 +01:00
Martin Willi
a8142a17cf
kernel-wfp: Install inbound ALE IP-in-IP filters
When processing inbound tunnel mode packets, Windows decrypts packets and
filters them as IP-in-IP packets. We therefore require an ALE filter that
calls the FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT callout to allow them
when using a default-drop policy.
Without these rules, any outbound packet created an ALE state that allows
inbound packets as well. Processing inbound packets without any outbound
traffic fails without these rules.
2014-12-04 11:10:48 +01:00
Martin Willi
070461b70d
kernel-wfp: Add missing IPsec sublayer GUIDs
2014-12-04 11:10:48 +01:00
Martin Willi
a21338a43e
kernel-wfp: Define IPsec related ALE layers and callout GUIDs
2014-12-04 11:10:48 +01:00
Martin Willi
4d48dfd6a3
kernel-wfp: Fix logging of MM/QM/EM NetEvent failures
2014-12-04 11:10:48 +01:00
Tobias Brunner
c005073d0b
kernel-interface: Add destination prefix to get_nexthop()
This allows to determine the next hop to reach a subnet, for instance, when
installing routes for shunt policies.
2014-06-19 14:33:40 +02:00
Martin Willi
30c009c2fe
kernel-interface: Add a replay_window parameter to add_sa()
2014-06-17 16:41:30 +02:00
Martin Willi
cab59c73fc
windows: Use WINAPI call convention for Windows API callbacks
For x86_64 it does not actually matter, but for i686 builds the call convention
is different with WINAPI.
2014-06-06 16:28:28 +02:00
Martin Willi
4b9848a2cc
kernel-wfp: Include Windows header patch for MinGW 4.8.1
2014-06-04 16:32:12 +02:00
Martin Willi
75afbeee21
kernel-wfp: Clone acquire traffic selectors only if they exist
2014-06-04 16:32:11 +02:00
Martin Willi
78bde29a7c
kernel-wfp: Install routes for trap policies
2014-06-04 16:32:11 +02:00
Martin Willi
e36d1d4124
kernel-wfp: Refactor route management to separate function
2014-06-04 16:32:11 +02:00
Martin Willi
4a8ba369b6
kernel-wfp: Install tunnel mode policies to appropriate sub-layers
While it is unclear if this has any effect at all, we prefer specific sublayers
to install policies as suggested.
2014-06-04 16:32:11 +02:00
Martin Willi
be32be01a8
kernel-wfp: Declare GUIDs and auth/cipher configs missing in some MinGW builds
2014-06-04 16:32:11 +02:00
Martin Willi
4b51280344
kernel-wfp: Support multiple traffic selectors on tunnel mode SAs
2014-06-04 16:32:11 +02:00
Martin Willi
c7d30c2ad1
kernel-wfp: Show a warning for packets the kernel drops in its IPsec layers
2014-06-04 16:32:10 +02:00
Martin Willi
a4f3b363da
kernel-wfp: Set flag to get UDP encapsulation with tunnel mode working
Having this flag set fixes connections initiated by the Windows host, but
unfortunately does not yet fix incoming connections. Connection state issue?
We still see 0xc00000e2 error events, translating to INTERNAL_ERROR.
2014-06-04 16:32:10 +02:00
Martin Willi
6de788704b
kernel-wfp: Install tunnel and trap forward policies
2014-06-04 16:32:10 +02:00
Martin Willi
1678f0a999
kernel-wfp: Manually create a ProviderContext to attach individual filters
This gives us more flexibility than using the intransparent FwpmIPsecTunnelAdd,
and fixes the issues we have seen with trap policies. Forward filters are
still missing, but required for site-to-site tunnels.
2014-06-04 16:32:10 +02:00
Martin Willi
1ca2b1615a
kernel-wfp: Print filter weight in "ipsecdump filters"
2014-06-04 16:32:10 +02:00
Martin Willi
c6f189e448
kernel-wfp: Add support for trap policies and acquires
2014-06-04 16:32:10 +02:00
Martin Willi
f206e069f1
kernel-wfp: Implement bypass_socket() using dedicated filter rules
2014-06-04 16:32:09 +02:00
Martin Willi
2868314028
kernel-wfp: Register for WFP Net events
2014-06-04 16:32:09 +02:00
Martin Willi
6aaa432741
kernel-wfp: Add some missing IPv6 GUIDs, fix IPv6 host conversion
2014-06-04 16:32:09 +02:00
Martin Willi
288dc68596
kernel-wfp: Add an ipsecdump "filters" command to print IPsec related filters
2014-06-04 16:32:09 +02:00
Martin Willi
489a4f2192
kernel-wfp: Add an ipsecdump utility to show installed SAs/SPs on Windows
2014-06-04 16:32:09 +02:00
Martin Willi
9c974c329d
kernel-wfp: Depend on used RNG plugin features
2014-06-04 16:32:09 +02:00
Martin Willi
5a5b9925f8
kernel-wfp: Implement update_sa()
2014-06-04 16:32:09 +02:00
Martin Willi
1987b70989
kernel-wfp: Configure ports for SAs using UDP encapsulation
2014-06-04 16:32:09 +02:00
Martin Willi
9b5c95648f
kernel-wfp: Refactor SA context construction, and use IPsecSaContextCreate1()
2014-06-04 16:32:08 +02:00
Martin Willi
bbe42a1fa5
kernel-wfp: Allocate SPIs pseudo-randomly using a 0xc prefix
2014-06-04 16:32:08 +02:00
Martin Willi
b714746ef0
kernel-wfp: Install appropriate routes for tunnel mode policies
2014-06-04 16:32:08 +02:00
Martin Willi
b934929804
kernel-wfp: Disable IPsec policy updates
It seems that WFP requires an update of the SA context only, but not for the
filters. This allows us to omit support for (fallback) drop policies.
2014-06-04 16:32:07 +02:00
Martin Willi
cd88f818fa
kernel-wfp: Increment SPIs properly, that is while in host order
2014-06-04 16:32:07 +02:00
Martin Willi
af098b5008
kernel-wfp: Triggering expire events for SAs to rekey/delete
2014-06-04 16:32:07 +02:00