author | Yves-Alexis Perez <corsac@debian.org> | 2013-08-25 15:37:27 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-08-25 15:37:27 +0200 |
commit | c7307e752d8f47c68f834e22ee2ce0a14a70e695 (patch) | |
tree | fbb442a20ab54aad511b46a070e65b8d09c22791 /src/libhydra/kernel | |
parent | f74c6d77c3efb529e7403eeef0613c061eb895b3 (diff) | |
parent | 6b99c8d9cff7b3e8ae8f3204b99e7ea40f791349 (diff) | |
download | vyos-strongswan-c7307e752d8f47c68f834e22ee2ce0a14a70e695.tar.gz vyos-strongswan-c7307e752d8f47c68f834e22ee2ce0a14a70e695.zip |
Merge tag 'upstream/5.1.0'
Upstream version 5.1.0
Diffstat (limited to 'src/libhydra/kernel')
-rw-r--r-- | src/libhydra/kernel/kernel_interface.c | 58 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_interface.h | 31 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_ipsec.h | 6 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_listener.h | 16 | ||||
-rw-r--r-- | src/libhydra/kernel/kernel_net.h | 18 |
5 files changed, 100 insertions, 29 deletions
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 53b8324b7..90637fa06 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
 * Hochschule fuer Technik Rapperswil
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
@@ -180,7 +180,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
 u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
- u_int16_t cpi, bool encap, bool esn, bool inbound,
+ u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 if (!this->ipsec)
@@ -189,7 +189,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
 }
 return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid, mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
- ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts);
+ ipcomp, cpi, initiator, encap, esn, inbound, src_ts, dst_ts);
 }
 METHOD(kernel_interface_t, update_sa, status_t,
@@ -208,14 +208,14 @@ METHOD(kernel_interface_t, update_sa, status_t,
 METHOD(kernel_interface_t, query_sa, status_t,
 private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, mark_t mark,
- u_int64_t *bytes, u_int64_t *packets)
+ u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
 {
 if (!this->ipsec)
 {
 return NOT_SUPPORTED;
 }
 return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark,
- bytes, packets);
+ bytes, packets, time);
 }
 METHOD(kernel_interface_t, del_sa, status_t,
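Review bot: The add_sa wrapper now forwards a list of 22 positional arguments with four adjacent bools, `u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,`, and a call site that swaps any two of them still compiles; the wrapper itself cannot catch that, and every kernel_ipsec_t backend has to repeat the same list. Grouping the SA parameters in a struct passed by pointer so the fields are named at the call site would be the cleaner interface, but that is a larger change than this merge; at minimum the position of `initiator` must stay identical in kernel_interface.h, kernel_ipsec.h, this forwarding call and each backend, which is worth stating in a comment next to the forwarding call, e.g. `/* argument order must match kernel_ipsec_t.add_sa exactly */`. add_sa's METHOD line and the start of its body lie before this hunk.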
@@ -415,7 +415,8 @@ METHOD(kernel_interface_t, all_interfaces_usable, bool,
 }
 METHOD(kernel_interface_t, get_address_by_ts, status_t,
- private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip)
+ private_kernel_interface_t *this, traffic_selector_t *ts,
+ host_t **ip, bool *vip)
 {
 enumerator_t *addrs;
 host_t *host;
@@ -446,13 +447,17 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t,
 }
 host->destroy(host);
- addrs = create_address_enumerator(this, ADDR_TYPE_ALL);
+ addrs = create_address_enumerator(this, ADDR_TYPE_VIRTUAL);
 while (addrs->enumerate(addrs, (void**)&host))
 {
 if (ts->includes(ts, host))
 {
 found = TRUE;
 *ip = host->clone(host);
+ if (vip)
+ {
+ *vip = TRUE;
+ }
 break;
 }
 }
@@ -460,6 +465,25 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t,
 if (!found)
 {
+ addrs = create_address_enumerator(this, ADDR_TYPE_REGULAR);
+ while (addrs->enumerate(addrs, (void**)&host))
+ {
+ if (ts->includes(ts, host))
+ {
+ found = TRUE;
+ *ip = host->clone(host);
+ if (vip)
+ {
+ *vip = FALSE;
+ }
+ break;
+ }
+ }
+ addrs->destroy(addrs);
+ }
+
+ if (!found)
+ {
 DBG2(DBG_KNL, "no local address found in traffic selector %R", ts);
 return FAILED;
 }
@@ -620,6 +644,25 @@ METHOD(kernel_interface_t, roam, void,
 this->mutex->unlock(this->mutex);
 }
+METHOD(kernel_interface_t, tun, void,
+ private_kernel_interface_t *this, tun_device_t *tun, bool created)
+{
+ kernel_listener_t *listener;
+ enumerator_t *enumerator;
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &listener))
+ {
+ if (listener->tun &&
+ !listener->tun(listener, tun, created))
+ {
+ this->listeners->remove_at(this->listeners, enumerator);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
 METHOD(kernel_interface_t, register_algorithm, void,
 private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type, u_int16_t kernel_id, char *kernel_name)
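Review bot: `*vip` is written only on the two found paths inside the loops, so a caller that passes a non-NULL `vip` and gets SUCCESS from the branch closed by the `}` at the top of the second hunk (just before `host->destroy(host);`) reads a bool that was never set — assuming that branch returns with `*ip` assigned before reaching the enumerators, which its body outside the hunk would confirm. Initialising the out-parameter once at function entry, `if (vip) { *vip = FALSE; }`, makes every SUCCESS path well-defined and lets the regular-address loop drop its inner `if (vip)` block entirely. The two loops are otherwise identical apart from the enumerated type and the stored flag, so a small static helper removes the duplication; the sketch below uses `kernel_address_type_t` from kernel_net.h for the type argument, which presumably matches create_address_enumerator's parameter. get_address_by_ts starts in the first hunk and its remaining declarations and the earlier branch are outside the hunks.
```c
/* search addresses of the given type(s) for one included in ts;
 * on success *ip receives a clone the caller has to destroy */
static bool find_address_by_ts(private_kernel_interface_t *this,
							   traffic_selector_t *ts,
							   kernel_address_type_t type, host_t **ip)
{
	enumerator_t *addrs;
	host_t *host;
	bool found = FALSE;

	addrs = create_address_enumerator(this, type);
	while (addrs->enumerate(addrs, (void**)&host))
	{
		if (ts->includes(ts, host))
		{
			*ip = host->clone(host);
			found = TRUE;
			break;
		}
	}
	addrs->destroy(addrs);
	return found;
}

/* … in get_address_by_ts, with *vip initialised to FALSE at entry,
 * replacing the two enumeration loops … */
	found = find_address_by_ts(this, ts, ADDR_TYPE_VIRTUAL, ip);
	if (found && vip)
	{
		*vip = TRUE;
	}
	if (!found)
	{
		found = find_address_by_ts(this, ts, ADDR_TYPE_REGULAR, ip);
	}
	/* … unchanged: "no local address found" failure path … */
```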
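Review bot: The new tun dispatcher in the last hunk invokes each `listener->tun()` while holding `this->mutex`, which the constructor creates as `MUTEX_TYPE_DEFAULT` (visible in the next hunk), i.e. not recursive as far as the name suggests; a listener that calls back into the kernel interface to add or remove a listener from inside the hook would self-deadlock. This mirrors roam(), so it is not a regression, but the new hook should carry the same documented constraint, e.g. above the METHOD line `/* hooks run with this->mutex held: a listener must not (un)register listeners from tun() */`. Also, a listener returning FALSE is only `remove_at`'d, never destroyed, so ownership stays with whoever registered it; a one-line comment at the `remove_at` call saying so would save the next reader a search.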
@@ -740,6 +783,7 @@ kernel_interface_t *kernel_interface_create()
 .mapping = _mapping,
 .migrate = _migrate,
 .roam = _roam,
+ .tun = _tun,
 .destroy = _destroy,
 },
 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 1d2253b94..1d96f1c35 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
@@ -65,6 +65,10 @@ typedef enum kernel_feature_t kernel_feature_t;
 enum kernel_feature_t {
 /** IPsec can process ESPv3 (RFC 4303) TFC padded packets */
 KERNEL_ESP_V3_TFC = (1<<0),
+ /** Networking requires an "exclude" route for IKE/ESP packets */
+ KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1),
+ /** IPsec implementation requires UDP encapsulation of ESP packets */
+ KERNEL_REQUIRE_UDP_ENCAPSULATION = (1<<2),
 };
 /**
@@ -141,6 +145,7 @@ struct kernel_interface_t {
 * @param mode mode of the SA (tunnel, transport)
 * @param ipcomp IPComp transform to use
 * @param cpi CPI for IPComp
+ * @param initiator TRUE if initiator of the exchange creating this SA
 * @param encap enable UDP encapsulation for NAT traversal
 * @param esn TRUE to use Extended Sequence Numbers
 * @param inbound TRUE if this is an inbound SA
@@ -155,7 +160,7 @@ struct kernel_interface_t {
 u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool esn, bool inbound,
+ bool initiator, bool encap, bool esn, bool inbound,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
 /**
@@ -195,11 +200,12 @@ struct kernel_interface_t {
 * @param mark optional mark for this SA
 * @param[out] bytes the number of bytes processed by SA
 * @param[out] packets number of packets processed by SA
+ * @param[out] time last time of SA use
 * @return SUCCESS if operation completed
 */
 status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, mark_t mark,
- u_int64_t *bytes, u_int64_t *packets);
+ u_int64_t *bytes, u_int64_t *packets, u_int32_t *time);
 /**
 * Delete a previously installed SA from the SAD.
@@ -367,7 +373,7 @@ struct kernel_interface_t {
 *
 * The kernel interface uses refcounting, see add_ip().
 *
- * @param virtual_ip virtual ip address to assign
+ * @param virtual_ip virtual ip address to remove
 * @param prefix prefix length of the IP to uninstall, -1 for auto
 * @param wait TRUE to wait untily IP is gone
 * @return SUCCESS if operation completed
@@ -381,7 +387,7 @@ struct kernel_interface_t {
 * @param dst_net destination net
 * @param prefixlen destination net prefix length
 * @param gateway gateway for this route
- * @param src_ip sourc ip of the route
+ * @param src_ip source ip of the route
 * @param if_name name of the interface the route is bound to
 * @return SUCCESS if operation completed
 * ALREADY_DONE if the route already exists
@@ -396,7 +402,7 @@ struct kernel_interface_t {
 * @param dst_net destination net
 * @param prefixlen destination net prefix length
 * @param gateway gateway for this route
- * @param src_ip sourc ip of the route
+ * @param src_ip source ip of the route
 * @param if_name name of the interface the route is bound to
 * @return SUCCESS if operation completed
 */
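Review bot: The new `time` out-parameter of query_sa is documented only as `last time of SA use`; the line says nothing about whether a caller may pass NULL when it does not need the value, what unit and clock the `u_int32_t` holds (seconds since the epoch is the natural reading, but that is an inference), or what a backend stores when the kernel does not track SA usage. The kernel_interface.c wrapper forwards the pointer unchecked, so each kernel_ipsec_t backend inherits whatever this header states, and kernel_ipsec.h repeats the same one-liner. Once the unit is confirmed against the backends, I'd make it `* @param[out] time last use of the SA in seconds since the epoch, 0 if unknown; may be NULL` here and in kernel_ipsec.h.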
@@ -451,10 +457,11 @@ struct kernel_interface_t {
 *
 * @param ts traffic selector
 * @param ip returned IP address (has to be destroyed)
+ * @param vip set to TRUE if returned address is a virtual IP
 * @return SUCCESS if address found
 */
 status_t (*get_address_by_ts)(kernel_interface_t *this,
- traffic_selector_t *ts, host_t **ip);
+ traffic_selector_t *ts, host_t **ip, bool *vip);
 /**
 * Register an ipsec kernel interface constructor on the manager.
@@ -557,6 +564,14 @@ struct kernel_interface_t {
 void (*roam)(kernel_interface_t *this, bool address);
 /**
+ * Raise a tun event.
+ *
+ * @param tun TUN device
+ * @param created TRUE if created, FALSE if going to be destroyed
+ */
+ void (*tun)(kernel_interface_t *this, tun_device_t *tun, bool created);
+
+ /**
 * Register a new algorithm with the kernel interface.
 *
 * @param alg_id the IKE id of the algorithm
@@ -583,7 +598,7 @@ struct kernel_interface_t {
 char **kernel_name);
 /**
- * Destroys a kernel_interface_manager_t object.
+ * Destroys a kernel_interface_t object.
 */
 void (*destroy) (kernel_interface_t *this);
 };
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index ba67238e5..413e5920f 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -101,6 +101,7 @@ struct kernel_ipsec_t {
 * @param mode mode of the SA (tunnel, transport)
 * @param ipcomp IPComp transform to use
 * @param cpi CPI for IPComp
+ * @param initiator TRUE if initiator of the exchange creating this SA
 * @param encap enable UDP encapsulation for NAT traversal
 * @param esn TRUE to use Extended Sequence Numbers
 * @param inbound TRUE if this is an inbound SA
@@ -115,7 +116,7 @@ struct kernel_ipsec_t {
 u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool esn, bool inbound,
+ bool initiator, bool encap, bool esn, bool inbound,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
 /**
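Review bot: The new `vip` parameter of get_address_by_ts is documented as `set to TRUE if returned address is a virtual IP` but not as optional, while the implementation in kernel_interface.c guards every write with `if (vip)`; the header should say so, and should also state what the flag holds on the other success paths and on failure, which the one-liner leaves open. Suggest `* @param vip set to TRUE if the returned address is a virtual IP, FALSE otherwise; may be NULL` — the `FALSE otherwise` half is only true if the implementation initialises the flag on every SUCCESS path, which is worth checking there.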
@@ -155,11 +156,12 @@ struct kernel_ipsec_t {
 * @param mark optional mark for this SA
 * @param[out] bytes the number of bytes processed by SA
 * @param[out] packets number of packets processed by SA
+ * @param[out] time last time of SA use
 * @return SUCCESS if operation completed
 */
 status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, mark_t mark,
- u_int64_t *bytes, u_int64_t *packets);
+ u_int64_t *bytes, u_int64_t *packets, u_int32_t *time);
 /**
 * Delete a previusly installed SA from the SAD.
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h
index 27ea947eb..4382a43fd 100644
--- a/src/libhydra/kernel/kernel_listener.h
+++ b/src/libhydra/kernel/kernel_listener.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -23,9 +23,10 @@ typedef struct kernel_listener_t kernel_listener_t;
-#include <kernel/kernel_ipsec.h>
-#include <selectors/traffic_selector.h>
 #include <networking/host.h>
+#include <networking/tun_device.h>
+#include <selectors/traffic_selector.h>
+#include <kernel/kernel_ipsec.h>
 /**
 * Interface for components interested in kernel events.
@@ -91,6 +92,15 @@ struct kernel_listener_t {
 * @return TRUE to remain registered, FALSE to unregister
 */
 bool (*roam)(kernel_listener_t *this, bool address);
+
+ /**
+ * Hook called after a TUN device was created for a virtual IP address, or
+ * before such a device gets destroyed.
+ *
+ * @param tun TUN device
+ * @param created TRUE if created, FALSE if going to be destroyed
+ */
+ bool (*tun)(kernel_listener_t *this, tun_device_t *tun, bool created);
 };
 #endif /** KERNEL_LISTENER_H_ @}*/
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h
index 0d3417f1d..8c448ddbc 100644
--- a/src/libhydra/kernel/kernel_net.h
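Review bot: The new tun hook in kernel_listener.h has no `@return` line, although kernel_interface.c's dispatcher removes the listener when the hook returns FALSE and the roam hook a few lines above documents exactly that contract; add `* @return TRUE to remain registered, FALSE to unregister` after `@param created`. Since the hook runs `before such a device gets destroyed` in the `created == FALSE` case, it would also help to say whether the `tun` pointer may be retained by the listener after the call (presumably not, as the device is about to go away) — a listener that keeps it would otherwise hold a dangling pointer.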
+++ b/src/libhydra/kernel/kernel_net.h
@@ -35,17 +35,17 @@ typedef enum kernel_address_type_t kernel_address_type_t;
 */
 enum kernel_address_type_t {
 /** normal addresses (on regular, up, non-ignored) interfaces */
- ADDR_TYPE_REGULAR = 0,
+ ADDR_TYPE_REGULAR = (1 << 0),
 /** addresses on down interfaces */
- ADDR_TYPE_DOWN = (1 << 0),
+ ADDR_TYPE_DOWN = (1 << 1),
 /** addresses on ignored interfaces */
- ADDR_TYPE_IGNORED = (1 << 1),
+ ADDR_TYPE_IGNORED = (1 << 2),
 /** addresses on loopback interfaces */
- ADDR_TYPE_LOOPBACK = (1 << 2),
+ ADDR_TYPE_LOOPBACK = (1 << 3),
 /** virtual IP addresses */
- ADDR_TYPE_VIRTUAL = (1 << 3),
+ ADDR_TYPE_VIRTUAL = (1 << 4),
 /** to enumerate all available addresses */
- ADDR_TYPE_ALL = (1 << 4) - 1,
+ ADDR_TYPE_ALL = (1 << 5) - 1,
 };
 /**
@@ -134,7 +134,7 @@ struct kernel_net_t {
 *
 * The kernel interface uses refcounting, see add_ip().
 *
- * @param virtual_ip virtual ip address to assign
+ * @param virtual_ip virtual ip address to remove
 * @param prefix prefix length of the IP to uninstall, -1 for auto
 * @param wait TRUE to wait until IP is gone
 * @return SUCCESS if operation completed
@@ -148,7 +148,7 @@ struct kernel_net_t {
 * @param dst_net destination net
 * @param prefixlen destination net prefix length
 * @param gateway gateway for this route
- * @param src_ip sourc ip of the route
+ * @param src_ip source ip of the route
 * @param if_name name of the interface the route is bound to
 * @return SUCCESS if operation completed
 * ALREADY_DONE if the route already exists
@@ -163,7 +163,7 @@ struct kernel_net_t {
 * @param dst_net destination net
 * @param prefixlen destination net prefix length
 * @param gateway gateway for this route
- * @param src_ip sourc ip of the route
+ * @param src_ip source ip of the route
 * @param if_name name of the interface the route is bound to
 * @return SUCCESS if operation completed
 */ |
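Review bot: Changing `ADDR_TYPE_REGULAR` from `0` to `(1 << 0)` silently changes the flag's meaning: it used to be the "no flags" value, so a backend could treat an empty mask as "regular addresses only", whereas now it is a bit that must be set and tested explicitly, and `ADDR_TYPE_ALL` grows from 0x0f to 0x1f. Any kernel_net_t backend or caller that still passes a literal `0` or relies on `ADDR_TYPE_REGULAR` being falsy would presumably enumerate nothing after this change; those implementations are outside this diff, so this is a cross-check request rather than a confirmed defect. A comment on the constant would make the break visible to the next reader, e.g. `/** normal addresses (on regular, up, non-ignored) interfaces; a real flag bit, no longer 0 */`.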