summaryrefslogtreecommitdiff
path: root/src/libhydra/kernel
diff options
context:
space:
mode:
Diffstat (limited to 'src/libhydra/kernel')
-rw-r--r--src/libhydra/kernel/kernel_interface.c14
-rw-r--r--src/libhydra/kernel/kernel_interface.h9
-rw-r--r--src/libhydra/kernel/kernel_ipsec.h2
-rw-r--r--src/libhydra/kernel/kernel_net.h4
4 files changed, 21 insertions, 8 deletions
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 3e34d20a6..3fa28e054 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -179,8 +179,9 @@ METHOD(kernel_interface_t, add_sa, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
- u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
- u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
+ u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+ u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
+ bool initiator, bool encap, bool esn, bool inbound,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
{
if (!this->ipsec)
@@ -188,8 +189,9 @@ METHOD(kernel_interface_t, add_sa, status_t,
return NOT_SUPPORTED;
}
return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
- mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
- ipcomp, cpi, initiator, encap, esn, inbound, src_ts, dst_ts);
+ mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
+ ipcomp, cpi, replay_window, initiator, encap, esn, inbound,
+ src_ts, dst_ts);
}
METHOD(kernel_interface_t, update_sa, status_t,
@@ -300,13 +302,13 @@ METHOD(kernel_interface_t, get_source_addr, host_t*,
}
METHOD(kernel_interface_t, get_nexthop, host_t*,
- private_kernel_interface_t *this, host_t *dest, host_t *src)
+ private_kernel_interface_t *this, host_t *dest, int prefix, host_t *src)
{
if (!this->net)
{
return NULL;
}
- return this->net->get_nexthop(this->net, dest, src);
+ return this->net->get_nexthop(this->net, dest, prefix, src);
}
METHOD(kernel_interface_t, get_interface, bool,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index cc47d3c4a..cd550383c 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -69,6 +69,8 @@ enum kernel_feature_t {
KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1),
/** IPsec implementation requires UDP encapsulation of ESP packets */
KERNEL_REQUIRE_UDP_ENCAPSULATION = (1<<2),
+ /** IPsec backend does not require a policy reinstall on SA updates */
+ KERNEL_NO_POLICY_UPDATES = (1<<3),
};
/**
@@ -145,6 +147,7 @@ struct kernel_interface_t {
* @param mode mode of the SA (tunnel, transport)
* @param ipcomp IPComp transform to use
* @param cpi CPI for IPComp
+ * @param replay_window anti-replay window size
* @param initiator TRUE if initiator of the exchange creating this SA
* @param encap enable UDP encapsulation for NAT traversal
* @param esn TRUE to use Extended Sequence Numbers
@@ -160,6 +163,7 @@ struct kernel_interface_t {
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+ u_int32_t replay_window,
bool initiator, bool encap, bool esn, bool inbound,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
@@ -326,9 +330,12 @@ struct kernel_interface_t {
* for the given source to dest.
*
* @param dest target destination address
+ * @param prefix prefix length if dest is a subnet, -1 for auto
+ * @param src source address to check, or NULL
* @return next hop address, NULL if unreachable
*/
- host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest, host_t *src);
+ host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest,
+ int prefix, host_t *src);
/**
* Get the interface name of a local address. Interfaces that are down or
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index 25f5b38fd..eec7401e9 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -101,6 +101,7 @@ struct kernel_ipsec_t {
* @param mode mode of the SA (tunnel, transport)
* @param ipcomp IPComp transform to use
* @param cpi CPI for IPComp
+ * @param replay_window anti-replay window size
* @param initiator TRUE if initiator of the exchange creating this SA
* @param encap enable UDP encapsulation for NAT traversal
* @param esn TRUE to use Extended Sequence Numbers
@@ -116,6 +117,7 @@ struct kernel_ipsec_t {
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+ u_int32_t replay_window,
bool initiator, bool encap, bool esn, bool inbound,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h
index 8c448ddbc..4312c17d1 100644
--- a/src/libhydra/kernel/kernel_net.h
+++ b/src/libhydra/kernel/kernel_net.h
@@ -86,10 +86,12 @@ struct kernel_net_t {
* for the given source to dest.
*
* @param dest target destination address
+ * @param prefix prefix length if dest is a subnet, -1 for auto
* @param src source address to check, or NULL
* @return next hop address, NULL if unreachable
*/
- host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest, host_t *src);
+ host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest, int prefix,
+ host_t *src);
/**
* Get the interface name of a local address. Interfaces that are down or