Diffstat (limited to 'src/charon/plugins/kernel_netlink')
9 files changed, 73 insertions, 39 deletions
diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in index b3b161315..b97738bff 100644 --- a/src/charon/plugins/kernel_netlink/Makefile.in +++ b/src/charon/plugins/kernel_netlink/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.10.1 from Makefile.am. +# Makefile.in generated by automake 1.10.2 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -91,6 +91,7 @@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -113,6 +114,9 @@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@ +LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@ +LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ @@ -124,6 +128,7 @@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ @@ -137,6 +142,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -197,6 +204,7 @@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -208,6 +216,7 @@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ 
@@ -228,8 +237,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \
@@ -326,7 +335,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index ee47914d3..9322d8dfe 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -16,8 +16,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_ipsec.c 4997 2009-03-24 10:24:58Z martin $
  */
 
 #include <sys/types.h>
@@ -170,14 +168,20 @@ static kernel_algorithm_t encryption_algs[] = {
 /* {ENCR_DES_IV32, "***" }, */
  {ENCR_NULL, "cipher_null" },
  {ENCR_AES_CBC, "aes" },
-/* {ENCR_AES_CTR, "***" }, */
+ {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
  {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
  {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
  {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
  {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
  {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
  {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
- {END_OF_LIST, NULL },
+/* {ENCR_NULL_AUTH_AES_GMAC, "***" }, */
+ {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
+/* {ENCR_CAMELLIA_CTR, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
+ {END_OF_LIST, NULL }
 };
 
 /**
@@ -192,7 +196,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /* {AUTH_DES_MAC, "***" }, */
 /* {AUTH_KPDK_MD5, "***" }, */
  {AUTH_AES_XCBC_96, "xcbc(aes)" },
- {END_OF_LIST, NULL },
+ {END_OF_LIST, NULL }
 };
 
 /**
@@ -203,7 +207,7 @@ static kernel_algorithm_t compression_algs[] = {
  {IPCOMP_DEFLATE, "deflate" },
  {IPCOMP_LZS, "lzs" },
  {IPCOMP_LZJH, "lzjh" },
- {END_OF_LIST, NULL },
+ {END_OF_LIST, NULL }
 };
 
 /**
@@ -369,6 +373,24 @@ static protocol_id_t proto_kernel2ike(u_int8_t proto)
 }
 
 /**
+ * convert the general ipsec mode to the one defined in xfrm.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+ switch (mode)
+ {
+ case MODE_TRANSPORT:
+ return XFRM_MODE_TRANSPORT;
+ case MODE_TUNNEL:
+ return XFRM_MODE_TUNNEL;
+ case MODE_BEET:
+ return XFRM_MODE_BEET;
+ default:
+ return mode;
+ }
+}
+
+/**
  * convert a host_t to a struct xfrm_address
  */
 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
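Review bot: mode2kernel's `default: return mode;` forwards any ipsec_mode_t value it does not recognise straight into the xfrm mode byte, so a mode added to ipsec_mode_t later would be installed under whichever XFRM_MODE_* number happens to share its value, with no diagnostic. Logging the unmapped value in the default arm, e.g. `DBG1(DBG_KNL, "unsupported IPsec mode %d, passing it to the kernel unchanged", mode);`, keeps the current behaviour while making the mismatch visible in the SA and policy setup paths that call it in the later hunks. The doc comment could also state that the return value is an XFRM_MODE_* constant meant for xfrm_usersa_info.mode and xfrm_user_tmpl.mode, which is how add_sa and add_policy use it.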
@@ -797,7 +819,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
  host2xfrm(src, &userspi->info.saddr);
  host2xfrm(dst, &userspi->info.id.daddr);
  userspi->info.id.proto = proto;
- userspi->info.mode = TRUE; /* tunnel mode */
+ userspi->info.mode = XFRM_MODE_TUNNEL;
  userspi->info.reqid = reqid;
  userspi->info.family = src->get_family(src);
  userspi->min = min;
@@ -935,7 +957,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
  sa->id.spi = spi;
  sa->id.proto = proto_ike2kernel(protocol);
  sa->family = src->get_family(src);
- sa->mode = mode;
+ sa->mode = mode2kernel(mode);
  if (mode == MODE_TUNNEL)
  {
  sa->flags |= XFRM_STATE_AF_UNSPEC;
@@ -1210,8 +1232,9 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
+ host_t *dst, u_int32_t spi, protocol_id_t protocol,
+ u_int16_t cpi)
 {
  netlink_buf_t request;
  struct nlmsghdr *hdr;
@@ -1220,7 +1243,7 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
  /* if IPComp was used, we first delete the additional IPComp SA */
  if (cpi)
  {
- del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
+ del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
  }
 
  memset(&request, 0, sizeof(request));
@@ -1333,7 +1356,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this, } /* delete the old SA (without affecting the IPComp SA) */ - if (del_sa(this, dst, spi, protocol, 0) != SUCCESS) + if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS) { DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi)); free(out);
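Review bot: The new `src` parameter of del_sa is, in the hunks visible here, only forwarded to the recursive IPComp call and passed in from update_sa; the body of del_sa continues outside the hunk, so if the XFRM_MSG_DELSA request built there never reads it, the parameter is currently dead and the header comment should say why it was added. That header comment still reads `Implementation of kernel_interface_t.del_sa.` while the create hunk below assigns the function through a `kernel_ipsec_t*` cast, so `Implementation of kernel_ipsec_t.del_sa.` looks like the accurate wording. The updated recursive call `del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);` also still discards its status, so a failure to remove the IPComp SA is neither logged nor reported to the caller, and the function's return value is set outside the visible lines.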
@@ -1520,7 +1543,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
  tmpl->reqid = reqid;
  tmpl->id.proto = IPPROTO_COMP;
  tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
- tmpl->mode = mode;
+ tmpl->mode = mode2kernel(mode);
  tmpl->optional = direction != POLICY_OUT;
  tmpl->family = src->get_family(src);
@@ -1541,7 +1564,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
  tmpl->reqid = reqid;
  tmpl->id.proto = proto_ike2kernel(protocol);
  tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
- tmpl->mode = mode;
+ tmpl->mode = mode2kernel(mode);
  tmpl->family = src->get_family(src);
 
  host2xfrm(src, &tmpl->saddr);
@@ -1865,7 +1888,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
  this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
  this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
  this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
- this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+ this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
  this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
  this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
  this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
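Review bot: The function-pointer casts in kernel_netlink_ipsec_create, such as the updated `this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;`, switch off the compiler's parameter checking, so the del_sa signature change in this commit had to be mirrored by hand, and a cast left at the old shape would have compiled cleanly and handed the kernel a mis-slotted SPI and protocol at runtime. If kernel_ipsec_t declares its methods through named function-pointer typedefs (not visible here), assigning via those types instead of spelled-out casts would let the compiler catch the next such drift. The two `tmpl->mode = mode2kernel(mode);` lines in add_policy are correct; a short comment that `tmpl->mode` must hold an XFRM_MODE_* value rather than an ipsec_mode_t would explain why the conversion is needed at both template sites.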
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
index 0b65c5213..3a45cce06 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_ipsec.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index 6e4ddffe5..32154a7ea 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -12,8 +12,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_net.c 4671 2008-11-18 09:52:28Z martin $
  */
 
 #include <sys/socket.h>
@@ -163,7 +161,11 @@ struct private_kernel_netlink_net_t {
  * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
  */
  bool process_route;
-
+
+ /**
+ * whether to actually install virtual IPs
+ */
+ bool install_virtual_ip;
 };
 
 /**
@@ -219,7 +221,7 @@ static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
  now.tv_usec -= 1000000;
  }
  this->last_roam = now;
- charon->scheduler->schedule_job(charon->scheduler,
+ charon->scheduler->schedule_job_ms(charon->scheduler,
  (job_t*)roam_job_create(address), ROAM_DELAY);
  }
 }
@@ -985,7 +987,12 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
  addr_entry_t *addr;
  enumerator_t *addrs, *ifaces;
  int ifindex;
-
+
+ if (!this->install_virtual_ip)
+ { /* disabled by config */
+ return SUCCESS;
+ }
+
  DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
 
  this->mutex->lock(this->mutex);
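Review bot: fire_roam_job now passes `ROAM_DELAY` to `schedule_job_ms`, and the constant is defined outside this hunk; if it was written for the previous `schedule_job` in a different unit, the roam delay changes silently with this rename. Worth confirming that ROAM_DELAY is expressed in milliseconds and recording the unit in its definition, e.g. `/* delay before firing a roam job, in milliseconds */`.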
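Review bot: The early return added to add_ip when `install_virtual_ip` is off reports SUCCESS without any log line, because it sits before the `DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);` call; an operator whose strongswan.conf disables the option will see a connection come up with no address and nothing in the log explaining why. Suggest emitting the reason before returning, e.g. `DBG2(DBG_KNL, "not installing virtual IP %H, disabled by config", virtual_ip);`, and the same for the matching block in del_ip in the next hunk. The `{ /* disabled by config */` brace-plus-comment form also differs from the rest of this diff, where comments precede the `if` and braces stand alone. Callers of add_ip are outside this diff, so whether any of them treats SUCCESS as "the address is now present on an interface" cannot be checked here.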
@@ -1059,7 +1066,12 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
  enumerator_t *addrs, *ifaces;
  status_t status;
  int ifindex;
-
+
+ if (!this->install_virtual_ip)
+ { /* disabled by config */
+ return SUCCESS;
+ }
+
  DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
 
  this->mutex->lock(this->mutex);
@@ -1175,7 +1187,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
 /**
  * Implementation of kernel_net_t.add_route.
  */
-status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
  u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
  return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
@@ -1185,7 +1197,7 @@ status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
 /**
  * Implementation of kernel_net_t.del_route.
  */
-status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
  u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
  return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
@@ -1367,6 +1379,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
  "charon.routing_table_prio", IPSEC_ROUTING_TABLE_PRIO);
  this->process_route = lib->settings->get_bool(lib->settings,
  "charon.process_route", TRUE);
+ this->install_virtual_ip = lib->settings->get_bool(lib->settings,
+ "charon.install_virtual_ip", TRUE);
 
  this->socket = netlink_socket_create(NETLINK_ROUTE);
 
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
index 39b96837b..ff9831d3c 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
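Review bot: The new `charon.install_virtual_ip` setting read in kernel_netlink_net_create defaults to TRUE, but neither the struct member comment nor the read site says what turning it off does to the rest of the plugin; the effect is only discoverable by finding the early returns in add_ip and del_ip. A comment at the read, e.g. `/* when FALSE, add_ip()/del_ip() become no-ops that still report SUCCESS */`, would make the contract explicit for whoever adds the strongswan.conf documentation, which this plugin-only diffstat cannot show.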
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_net.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
index adc3d585f..77005e871 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_plugin.c 4350 2008-09-18 15:16:43Z tobias $
  */
 
 
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
index f08dbc023..ec6036b98 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_plugin.h 5003 2009-03-24 17:43:01Z martin $
  */
 
 /**
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
index 05bd4e397..7ef7cc56e 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -11,8 +11,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
- *
- * $Id: kernel_netlink_shared.c 4831 2009-01-09 09:37:13Z andreas $
  */
 
 #include <sys/socket.h>
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h index 90e464796..5a70e4d9b 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: kernel_netlink_shared.h 4660 2008-11-14 14:23:11Z martin $ */ #ifndef KERNEL_NETLINK_SHARED_H_ |