diff options
Diffstat (limited to 'src/libhydra/kernel')
| -rw-r--r-- | src/libhydra/kernel/kernel_interface.c | 310 | ||||
| -rw-r--r-- | src/libhydra/kernel/kernel_interface.h | 169 | ||||
| -rw-r--r-- | src/libhydra/kernel/kernel_ipsec.c | 22 | ||||
| -rw-r--r-- | src/libhydra/kernel/kernel_ipsec.h | 170 | ||||
| -rw-r--r-- | src/libhydra/kernel/kernel_listener.h | 16 | ||||
| -rw-r--r-- | src/libhydra/kernel/kernel_net.h | 74 |
6 files changed, 521 insertions, 240 deletions
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c index 573557506..90637fa06 100644 --- a/src/libhydra/kernel/kernel_interface.c +++ b/src/libhydra/kernel/kernel_interface.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2011 Tobias Brunner + * Copyright (C) 2008-2013 Tobias Brunner * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG @@ -15,14 +15,65 @@ * for more details. */ +/* + * Copyright (c) 2012 Nanoteq Pty Ltd + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + #include "kernel_interface.h" -#include <debug.h> +#include <hydra.h> +#include <utils/debug.h> #include <threading/mutex.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> typedef struct private_kernel_interface_t private_kernel_interface_t; +typedef struct kernel_algorithm_t kernel_algorithm_t; + +/** + * Mapping of IKE algorithms to kernel-specific algorithm identifiers + */ +struct kernel_algorithm_t { + + /** + * Transform type of the algorithm + */ + transform_type_t type; + + /** + * Identifier specified in IKE + */ + u_int16_t ike; + + /** + * Identifier as defined in pfkeyv2.h + */ + u_int16_t kernel; + + /** + * Name of the algorithm in linux crypto API + */ + char *name; +}; + /** * Private data of a kernel_interface_t object. */ @@ -62,8 +113,46 @@ struct private_kernel_interface_t { * list of registered listeners */ linked_list_t *listeners; + + /** + * mutex for algorithm mappings + */ + mutex_t *mutex_algs; + + /** + * List of algorithm mappings (kernel_algorithm_t*) + */ + linked_list_t *algorithms; + + /** + * List of interface names to include or exclude (char*), NULL if interfaces + * are not filtered + */ + linked_list_t *ifaces_filter; + + /** + * TRUE to exclude interfaces listed in ifaces_filter, FALSE to consider + * only those listed there + */ + bool ifaces_exclude; }; +METHOD(kernel_interface_t, get_features, kernel_feature_t, + private_kernel_interface_t *this) +{ + kernel_feature_t features = 0; + + if (this->ipsec && this->ipsec->get_features) + { + features |= this->ipsec->get_features(this->ipsec); + } + if (this->net && this->net->get_features) + { + features |= this->net->get_features(this->net); + } + return features; +} + METHOD(kernel_interface_t, get_spi, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) @@ -91,7 +180,7 @@ METHOD(kernel_interface_t, add_sa, status_t, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool encap, bool esn, bool inbound, + u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { if (!this->ipsec) @@ -100,7 +189,7 @@ METHOD(kernel_interface_t, add_sa, status_t, } return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid, mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode, - ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts); + ipcomp, cpi, initiator, encap, esn, inbound, src_ts, dst_ts); } METHOD(kernel_interface_t, update_sa, status_t, @@ -118,13 +207,15 @@ METHOD(kernel_interface_t, update_sa, status_t, METHOD(kernel_interface_t, query_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes) + u_int32_t spi, u_int8_t protocol, mark_t mark, + u_int64_t *bytes, u_int64_t *packets, u_int32_t *time) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark, bytes); + return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark, + bytes, packets, time); } METHOD(kernel_interface_t, del_sa, status_t, @@ -209,55 +300,54 @@ METHOD(kernel_interface_t, get_source_addr, host_t*, } METHOD(kernel_interface_t, get_nexthop, host_t*, - private_kernel_interface_t *this, host_t *dest) + private_kernel_interface_t *this, host_t *dest, host_t *src) { if (!this->net) { return NULL; } - return this->net->get_nexthop(this->net, dest); + return this->net->get_nexthop(this->net, dest, src); } -METHOD(kernel_interface_t, get_interface, char*, - private_kernel_interface_t *this, host_t *host) +METHOD(kernel_interface_t, get_interface, bool, + private_kernel_interface_t *this, host_t *host, char **name) { if (!this->net) { return NULL; } - return this->net->get_interface(this->net, host); + return this->net->get_interface(this->net, host, name); } METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*, - private_kernel_interface_t *this, bool include_down_ifaces, - bool include_virtual_ips) + private_kernel_interface_t *this, kernel_address_type_t which) { if (!this->net) { return enumerator_create_empty(); } - return this->net->create_address_enumerator(this->net, include_down_ifaces, - include_virtual_ips); + return this->net->create_address_enumerator(this->net, which); } METHOD(kernel_interface_t, add_ip, status_t, - private_kernel_interface_t *this, host_t *virtual_ip, host_t *iface_ip) + private_kernel_interface_t *this, host_t *virtual_ip, int prefix, + char *iface) { if (!this->net) { return NOT_SUPPORTED; } - return this->net->add_ip(this->net, virtual_ip, iface_ip); + return this->net->add_ip(this->net, virtual_ip, prefix, iface); } METHOD(kernel_interface_t, del_ip, status_t, - private_kernel_interface_t *this, host_t *virtual_ip) + private_kernel_interface_t *this, host_t *virtual_ip, int prefix, bool wait) { if (!this->net) { return NOT_SUPPORTED; } - return this->net->del_ip(this->net, virtual_ip); + return this->net->del_ip(this->net, virtual_ip, prefix, wait); } METHOD(kernel_interface_t, add_route, status_t, @@ -294,8 +384,39 @@ METHOD(kernel_interface_t, bypass_socket, bool, return this->ipsec->bypass_socket(this->ipsec, fd, family); } +METHOD(kernel_interface_t, enable_udp_decap, bool, + private_kernel_interface_t *this, int fd, int family, u_int16_t port) +{ + if (!this->ipsec) + { + return FALSE; + } + return this->ipsec->enable_udp_decap(this->ipsec, fd, family, port); +} + +METHOD(kernel_interface_t, is_interface_usable, bool, + private_kernel_interface_t *this, const char *iface) +{ + status_t expected; + + if (!this->ifaces_filter) + { + return TRUE; + } + expected = this->ifaces_exclude ? NOT_FOUND : SUCCESS; + return this->ifaces_filter->find_first(this->ifaces_filter, (void*)streq, + NULL, iface) == expected; +} + +METHOD(kernel_interface_t, all_interfaces_usable, bool, + private_kernel_interface_t *this) +{ + return this->ifaces_filter == NULL; +} + METHOD(kernel_interface_t, get_address_by_ts, status_t, - private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip) + private_kernel_interface_t *this, traffic_selector_t *ts, + host_t **ip, bool *vip) { enumerator_t *addrs; host_t *host; @@ -326,13 +447,17 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t, } host->destroy(host); - addrs = create_address_enumerator(this, TRUE, TRUE); + addrs = create_address_enumerator(this, ADDR_TYPE_VIRTUAL); while (addrs->enumerate(addrs, (void**)&host)) { if (ts->includes(ts, host)) { found = TRUE; *ip = host->clone(host); + if (vip) + { + *vip = TRUE; + } break; } } @@ -340,6 +465,25 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t, if (!found) { + addrs = create_address_enumerator(this, ADDR_TYPE_REGULAR); + while (addrs->enumerate(addrs, (void**)&host)) + { + if (ts->includes(ts, host)) + { + found = TRUE; + *ip = host->clone(host); + if (vip) + { + *vip = FALSE; + } + break; + } + } + addrs->destroy(addrs); + } + + if (!found) + { DBG2(DBG_KNL, "no local address found in traffic selector %R", ts); return FAILED; } @@ -362,7 +506,7 @@ METHOD(kernel_interface_t, add_ipsec_interface, void, METHOD(kernel_interface_t, remove_ipsec_interface, void, private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor) { - if (constructor == this->ipsec_constructor) + if (constructor == this->ipsec_constructor && this->ipsec) { this->ipsec->destroy(this->ipsec); this->ipsec = NULL; @@ -382,7 +526,7 @@ METHOD(kernel_interface_t, add_net_interface, void, METHOD(kernel_interface_t, remove_net_interface, void, private_kernel_interface_t *this, kernel_net_constructor_t constructor) { - if (constructor == this->net_constructor) + if (constructor == this->net_constructor && this->net) { this->net->destroy(this->net); this->net = NULL; @@ -500,13 +644,92 @@ METHOD(kernel_interface_t, roam, void, this->mutex->unlock(this->mutex); } +METHOD(kernel_interface_t, tun, void, + private_kernel_interface_t *this, tun_device_t *tun, bool created) +{ + kernel_listener_t *listener; + enumerator_t *enumerator; + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &listener)) + { + if (listener->tun && + !listener->tun(listener, tun, created)) + { + this->listeners->remove_at(this->listeners, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, register_algorithm, void, + private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type, + u_int16_t kernel_id, char *kernel_name) +{ + kernel_algorithm_t *algorithm; + + INIT(algorithm, + .type = type, + .ike = alg_id, + .kernel = kernel_id, + .name = strdup(kernel_name), + ); + + this->mutex_algs->lock(this->mutex_algs); + this->algorithms->insert_first(this->algorithms, algorithm); + this->mutex_algs->unlock(this->mutex_algs); +} + +METHOD(kernel_interface_t, lookup_algorithm, bool, + private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type, + u_int16_t *kernel_id, char **kernel_name) +{ + kernel_algorithm_t *algorithm; + enumerator_t *enumerator; + bool found = FALSE; + + this->mutex_algs->lock(this->mutex_algs); + enumerator = this->algorithms->create_enumerator(this->algorithms); + while (enumerator->enumerate(enumerator, &algorithm)) + { + if (algorithm->type == type && algorithm->ike == alg_id) + { + if (kernel_id) + { + *kernel_id = algorithm->kernel; + } + if (kernel_name) + { + *kernel_name = algorithm->name; + } + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + this->mutex_algs->unlock(this->mutex_algs); + return found; +} + METHOD(kernel_interface_t, destroy, void, private_kernel_interface_t *this) { + kernel_algorithm_t *algorithm; + + while (this->algorithms->remove_first(this->algorithms, + (void**)&algorithm) == SUCCESS) + { + free(algorithm->name); + free(algorithm); + } + this->algorithms->destroy(this->algorithms); + this->mutex_algs->destroy(this->mutex_algs); DESTROY_IF(this->ipsec); DESTROY_IF(this->net); - this->mutex->destroy(this->mutex); + DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free); this->listeners->destroy(this->listeners); + this->mutex->destroy(this->mutex); free(this); } @@ -516,9 +739,11 @@ METHOD(kernel_interface_t, destroy, void, kernel_interface_t *kernel_interface_create() { private_kernel_interface_t *this; + char *ifaces; INIT(this, .public = { + .get_features = _get_features, .get_spi = _get_spi, .get_cpi = _get_cpi, .add_sa = _add_sa, @@ -539,7 +764,10 @@ kernel_interface_t *kernel_interface_create() .add_route = _add_route, .del_route = _del_route, .bypass_socket = _bypass_socket, + .enable_udp_decap = _enable_udp_decap, + .is_interface_usable = _is_interface_usable, + .all_interfaces_usable = _all_interfaces_usable, .get_address_by_ts = _get_address_by_ts, .add_ipsec_interface = _add_ipsec_interface, .remove_ipsec_interface = _remove_ipsec_interface, @@ -548,17 +776,47 @@ kernel_interface_t *kernel_interface_create() .add_listener = _add_listener, .remove_listener = _remove_listener, + .register_algorithm = _register_algorithm, + .lookup_algorithm = _lookup_algorithm, .acquire = _acquire, .expire = _expire, .mapping = _mapping, .migrate = _migrate, .roam = _roam, + .tun = _tun, .destroy = _destroy, }, .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .listeners = linked_list_create(), + .mutex_algs = mutex_create(MUTEX_TYPE_DEFAULT), + .algorithms = linked_list_create(), ); + ifaces = lib->settings->get_str(lib->settings, + "%s.interfaces_use", NULL, hydra->daemon); + if (!ifaces) + { + this->ifaces_exclude = TRUE; + ifaces = lib->settings->get_str(lib->settings, + "%s.interfaces_ignore", NULL, hydra->daemon); + } + if (ifaces) + { + enumerator_t *enumerator; + char *iface; + + enumerator = enumerator_create_token(ifaces, ",", " "); + while (enumerator->enumerate(enumerator, &iface)) + { + if (!this->ifaces_filter) + { + this->ifaces_filter = linked_list_create(); + } + this->ifaces_filter->insert_last(this->ifaces_filter, + strdup(iface)); + } + enumerator->destroy(enumerator); + } + return &this->public; } - diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h index 991cfafd0..1d96f1c35 100644 --- a/src/libhydra/kernel/kernel_interface.h +++ b/src/libhydra/kernel/kernel_interface.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2011 Tobias Brunner + * Copyright (C) 2006-2013 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -16,6 +16,28 @@ * for more details. */ +/* + * Copyright (c) 2012 Nanoteq Pty Ltd + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + /** * @defgroup kernel_interface kernel_interface * @{ @ingroup hkernel @@ -25,8 +47,9 @@ #define KERNEL_INTERFACE_H_ typedef struct kernel_interface_t kernel_interface_t; +typedef enum kernel_feature_t kernel_feature_t; -#include <utils/host.h> +#include <networking/host.h> #include <crypto/prf_plus.h> #include <kernel/kernel_listener.h> @@ -34,6 +57,21 @@ typedef struct kernel_interface_t kernel_interface_t; #include <kernel/kernel_net.h> /** + * Bitfield of optional features a kernel backend supports. + * + * This feature-set is for both, kernel_ipsec_t and kernel_net_t. Each + * backend returns a subset of these features. + */ +enum kernel_feature_t { + /** IPsec can process ESPv3 (RFC 4303) TFC padded packets */ + KERNEL_ESP_V3_TFC = (1<<0), + /** Networking requires an "exclude" route for IKE/ESP packets */ + KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1), + /** IPsec implementation requires UDP encapsulation of ESP packets */ + KERNEL_REQUIRE_UDP_ENCAPSULATION = (1<<2), +}; + +/** * Constructor function for ipsec kernel interface */ typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void); @@ -52,6 +90,13 @@ typedef kernel_net_t* (*kernel_net_constructor_t)(void); struct kernel_interface_t { /** + * Get the feature set supported by the net and ipsec kernel backends. + * + * @return ORed feature-set of backends + */ + kernel_feature_t (*get_features)(kernel_interface_t *this); + + /** * Get a SPI from the kernel. * * @param src source address of SA @@ -100,6 +145,7 @@ struct kernel_interface_t { * @param mode mode of the SA (tunnel, transport) * @param ipcomp IPComp transform to use * @param cpi CPI for IPComp + * @param initiator TRUE if initiator of the exchange creating this SA * @param encap enable UDP encapsulation for NAT traversal * @param esn TRUE to use Extended Sequence Numbers * @param inbound TRUE if this is an inbound SA @@ -114,7 +160,7 @@ struct kernel_interface_t { u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool encap, bool esn, bool inbound, + bool initiator, bool encap, bool esn, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts); /** @@ -153,11 +199,13 @@ struct kernel_interface_t { * @param protocol protocol for this SA (ESP/AH) * @param mark optional mark for this SA * @param[out] bytes the number of bytes processed by SA + * @param[out] packets number of packets processed by SA + * @param[out] time last time of SA use * @return SUCCESS if operation completed */ status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, mark_t mark, - u_int64_t *bytes); + u_int64_t *bytes, u_int64_t *packets, u_int32_t *time); /** * Delete a previously installed SA from the SAD. @@ -260,7 +308,7 @@ struct kernel_interface_t { * Does a route lookup to get the source address used to reach dest. * The returned host is allocated and must be destroyed. * An optional src address can be used to check if a route is available - * for given source to dest. + * for the given source to dest. * * @param dest target destination address * @param src source address to check, or NULL @@ -274,19 +322,23 @@ struct kernel_interface_t { * * Does a route lookup to get the next hop used to reach dest. * The returned host is allocated and must be destroyed. + * An optional src address can be used to check if a route is available + * for the given source to dest. * * @param dest target destination address * @return next hop address, NULL if unreachable */ - host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest); + host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest, host_t *src); /** - * Get the interface name of a local address. + * Get the interface name of a local address. Interfaces that are down or + * ignored by config are not considered. * * @param host address to get interface name from - * @return allocated interface name, or NULL if not found + * @param name allocated interface name (optional) + * @return TRUE if interface found and usable */ - char* (*get_interface) (kernel_interface_t *this, host_t *host); + bool (*get_interface)(kernel_interface_t *this, host_t *host, char **name); /** * Creates an enumerator over all local addresses. @@ -295,12 +347,11 @@ struct kernel_interface_t { * enumerator gets destroyed. * The hosts are read-only, do not modify of free. * - * @param include_down_ifaces TRUE to enumerate addresses from down interfaces - * @param include_virtual_ips TRUE to enumerate virtual ip addresses - * @return enumerator over host_t's + * @param which a combination of address types to enumerate + * @return enumerator over host_t's */ enumerator_t *(*create_address_enumerator) (kernel_interface_t *this, - bool include_down_ifaces, bool include_virtual_ips); + kernel_address_type_t which); /** * Add a virtual IP to an interface. @@ -308,24 +359,27 @@ struct kernel_interface_t { * Virtual IPs are attached to an interface. If an IP is added multiple * times, the IP is refcounted and not removed until del_ip() was called * as many times as add_ip(). - * The virtual IP is attached to the interface where the iface_ip is found. * * @param virtual_ip virtual ip address to assign - * @param iface_ip IP of an interface to attach virtual IP + * @param prefix prefix length to install IP with, -1 for auto + * @param iface interface to install virtual IP on * @return SUCCESS if operation completed */ - status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, - host_t *iface_ip); + status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, int prefix, + char *iface); /** * Remove a virtual IP from an interface. * * The kernel interface uses refcounting, see add_ip(). * - * @param virtual_ip virtual ip address to assign + * @param virtual_ip virtual ip address to remove + * @param prefix prefix length of the IP to uninstall, -1 for auto + * @param wait TRUE to wait untily IP is gone * @return SUCCESS if operation completed */ - status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip); + status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip, + int prefix, bool wait); /** * Add a route. @@ -333,7 +387,7 @@ struct kernel_interface_t { * @param dst_net destination net * @param prefixlen destination net prefix length * @param gateway gateway for this route - * @param src_ip sourc ip of the route + * @param src_ip source ip of the route * @param if_name name of the interface the route is bound to * @return SUCCESS if operation completed * ALREADY_DONE if the route already exists @@ -348,7 +402,7 @@ struct kernel_interface_t { * @param dst_net destination net * @param prefixlen destination net prefix length * @param gateway gateway for this route - * @param src_ip sourc ip of the route + * @param src_ip source ip of the route * @param if_name name of the interface the route is bound to * @return SUCCESS if operation completed */ @@ -361,24 +415,53 @@ struct kernel_interface_t { * * @param fd socket file descriptor to setup policy for * @param family protocol family of the socket - * @return TRUE of policy set up successfully + * @return TRUE if policy set up successfully */ bool (*bypass_socket)(kernel_interface_t *this, int fd, int family); /** + * Enable decapsulation of ESP-in-UDP packets for the given port/socket. + * + * @param fd socket file descriptor + * @param family protocol family of the socket + * @param port the UDP port + * @return TRUE if UDP decapsulation was enabled successfully + */ + bool (*enable_udp_decap)(kernel_interface_t *this, int fd, int family, + u_int16_t port); + + + /** * manager methods */ /** - * Tries to find an ip address of a local interface that is included in the + * Verifies that the given interface is usable and not excluded by + * configuration. + * + * @param iface interface name + * @return TRUE if usable + */ + bool (*is_interface_usable)(kernel_interface_t *this, const char *iface); + + /** + * Check if interfaces are excluded by config. + * + * @return TRUE if no interfaces are exclued by config + */ + bool (*all_interfaces_usable)(kernel_interface_t *this); + + /** + * Tries to find an IP address of a local interface that is included in the * supplied traffic selector. * * @param ts traffic selector - * @param ip returned ip (has to be destroyed) + * @param ip returned IP address (has to be destroyed) + * @param vip set to TRUE if returned address is a virtual IP * @return SUCCESS if address found */ status_t (*get_address_by_ts)(kernel_interface_t *this, - traffic_selector_t *ts, host_t **ip); + traffic_selector_t *ts, host_t **ip, bool *vip); /** * Register an ipsec kernel interface constructor on the manager. @@ -481,7 +564,41 @@ struct kernel_interface_t { void (*roam)(kernel_interface_t *this, bool address); /** - * Destroys a kernel_interface_manager_t object. + * Raise a tun event. + * + * @param tun TUN device + * @param created TRUE if created, FALSE if going to be destroyed + */ + void (*tun)(kernel_interface_t *this, tun_device_t *tun, bool created); + + /** + * Register a new algorithm with the kernel interface. + * + * @param alg_id the IKE id of the algorithm + * @param type the transform type of the algorithm + * @param kernel_id the kernel id of the algorithm + * @param kernel_name the kernel name of the algorithm + */ + void (*register_algorithm)(kernel_interface_t *this, u_int16_t alg_id, + transform_type_t type, u_int16_t kernel_id, + char *kernel_name); + + /** + * Return the kernel-specific id and/or name for an algorithms depending on + * the arguments specified. + * + * @param alg_id the IKE id of the algorithm + * @param type the transform type of the algorithm + * @param kernel_id the kernel id of the algorithm (optional) + * @param kernel_name the kernel name of the algorithm (optional) + * @return TRUE if algorithm was found + */ + bool (*lookup_algorithm)(kernel_interface_t *this, u_int16_t alg_id, + transform_type_t type, u_int16_t *kernel_id, + char **kernel_name); + + /** + * Destroys a kernel_interface_t object. */ void (*destroy) (kernel_interface_t *this); }; diff --git a/src/libhydra/kernel/kernel_ipsec.c b/src/libhydra/kernel/kernel_ipsec.c index 9b38297cc..1a32ab4e7 100644 --- a/src/libhydra/kernel/kernel_ipsec.c +++ b/src/libhydra/kernel/kernel_ipsec.c @@ -17,28 +17,6 @@ #include <hydra.h> -ENUM(ipsec_mode_names, MODE_TRANSPORT, MODE_DROP, - "TRANSPORT", - "TUNNEL", - "BEET", - "PASS", - "DROP" -); - -ENUM(policy_dir_names, POLICY_IN, POLICY_FWD, - "in", - "out", - "fwd" -); - -ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH, - "IPCOMP_NONE", - "IPCOMP_OUI", - "IPCOMP_DEFLATE", - "IPCOMP_LZS", - "IPCOMP_LZJH" -); - /** * See header */ diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index ddb63283c..413e5920f 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2011 Tobias Brunner + * Copyright (C) 2006-2012 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -24,150 +24,13 @@ #ifndef KERNEL_IPSEC_H_ #define KERNEL_IPSEC_H_ -typedef enum ipsec_mode_t ipsec_mode_t; -typedef enum policy_dir_t policy_dir_t; -typedef enum policy_type_t policy_type_t; -typedef enum policy_priority_t policy_priority_t; -typedef enum ipcomp_transform_t ipcomp_transform_t; typedef struct kernel_ipsec_t kernel_ipsec_t; -typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t; -typedef struct lifetime_cfg_t lifetime_cfg_t; -typedef struct mark_t mark_t; -#include <utils/host.h> -#include <crypto/prf_plus.h> +#include <networking/host.h> +#include <ipsec/ipsec_types.h> #include <selectors/traffic_selector.h> #include <plugins/plugin.h> - -/** - * Mode of an IPsec SA. - */ -enum ipsec_mode_t { - /** transport mode, no inner address */ - MODE_TRANSPORT = 1, - /** tunnel mode, inner and outer addresses */ - MODE_TUNNEL, - /** BEET mode, tunnel mode but fixed, bound inner addresses */ - MODE_BEET, - /** passthrough policy for traffic without an IPsec SA */ - MODE_PASS, - /** drop policy discarding traffic */ - MODE_DROP -}; - -/** - * enum names for ipsec_mode_t. - */ -extern enum_name_t *ipsec_mode_names; - -/** - * Direction of a policy. These are equal to those - * defined in xfrm.h, but we want to stay implementation - * neutral here. - */ -enum policy_dir_t { - /** Policy for inbound traffic */ - POLICY_IN = 0, - /** Policy for outbound traffic */ - POLICY_OUT = 1, - /** Policy for forwarded traffic */ - POLICY_FWD = 2, -}; - -/** - * enum names for policy_dir_t. - */ -extern enum_name_t *policy_dir_names; - -/** - * Type of a policy. - */ -enum policy_type_t { - /** Normal IPsec policy */ - POLICY_IPSEC = 1, - /** Passthrough policy (traffic is ignored by IPsec) */ - POLICY_PASS, - /** Drop policy (traffic is discarded) */ - POLICY_DROP, -}; - -/** - * High-level priority of a policy. - */ -enum policy_priority_t { - /** Default priority */ - POLICY_PRIORITY_DEFAULT, - /** Priority for trap policies */ - POLICY_PRIORITY_ROUTED, - /** Priority for fallback drop policies */ - POLICY_PRIORITY_FALLBACK, -}; - -/** - * IPComp transform IDs, as in RFC 4306 - */ -enum ipcomp_transform_t { - IPCOMP_NONE = 0, - IPCOMP_OUI = 1, - IPCOMP_DEFLATE = 2, - IPCOMP_LZS = 3, - IPCOMP_LZJH = 4, -}; - -/** - * enum strings for ipcomp_transform_t. - */ -extern enum_name_t *ipcomp_transform_names; - -/** - * This struct contains details about IPsec SA(s) tied to a policy. - */ -struct ipsec_sa_cfg_t { - /** mode of SA (tunnel, transport) */ - ipsec_mode_t mode; - /** unique ID */ - u_int32_t reqid; - /** details about ESP/AH */ - struct { - /** TRUE if this protocol is used */ - bool use; - /** SPI for ESP/AH */ - u_int32_t spi; - } esp, ah; - /** details about IPComp */ - struct { - /** the IPComp transform used */ - u_int16_t transform; - /** CPI for IPComp */ - u_int16_t cpi; - } ipcomp; -}; - -/** - * A lifetime_cfg_t defines the lifetime limits of an SA. - * - * Set any of these values to 0 to ignore. - */ -struct lifetime_cfg_t { - struct { - /** Limit before the SA gets invalid. */ - u_int64_t life; - /** Limit before the SA gets rekeyed. */ - u_int64_t rekey; - /** The range of a random value subtracted from rekey. */ - u_int64_t jitter; - } time, bytes, packets; -}; - -/** - * A mark_t defines an optional mark in an IPsec SA. - */ -struct mark_t { - /** Mark value */ - u_int32_t value; - /** Mark mask */ - u_int32_t mask; -}; +#include <kernel/kernel_interface.h> /** * Interface to the ipsec subsystem of the kernel. @@ -183,6 +46,13 @@ struct mark_t { struct kernel_ipsec_t { /** + * Get the feature set supported by this kernel backend. + * + * @return ORed feature-set of backend + */ + kernel_feature_t (*get_features)(kernel_ipsec_t *this); + + /** * Get a SPI from the kernel. * * @param src source address of SA @@ -231,6 +101,7 @@ struct kernel_ipsec_t { * @param mode mode of the SA (tunnel, transport) * @param ipcomp IPComp transform to use * @param cpi CPI for IPComp + * @param initiator TRUE if initiator of the exchange creating this SA * @param encap enable UDP encapsulation for NAT traversal * @param esn TRUE to use Extended Sequence Numbers * @param inbound TRUE if this is an inbound SA @@ -245,7 +116,7 @@ struct kernel_ipsec_t { u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool encap, bool esn, bool inbound, + bool initiator, bool encap, bool esn, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts); /** @@ -284,11 +155,13 @@ struct kernel_ipsec_t { * @param protocol protocol for this SA (ESP/AH) * @param mark optional mark for this SA * @param[out] bytes the number of bytes processed by SA + * @param[out] packets number of packets processed by SA + * @param[out] time last time of SA use * @return SUCCESS if operation completed */ status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, mark_t mark, - u_int64_t *bytes); + u_int64_t *bytes, u_int64_t *packets, u_int32_t *time); /** * Delete a previusly installed SA from the SAD. @@ -396,6 +269,17 @@ struct kernel_ipsec_t { bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family); /** + * Enable decapsulation of ESP-in-UDP packets for the given port/socket. + * + * @param fd socket file descriptor + * @param family protocol family of the socket + * @param port the UDP port + * @return TRUE if UDP decapsulation was enabled successfully + */ + bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family, + u_int16_t port); + + /** * Destroy the implementation. */ void (*destroy) (kernel_ipsec_t *this); diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h index 5db297b6f..4382a43fd 100644 --- a/src/libhydra/kernel/kernel_listener.h +++ b/src/libhydra/kernel/kernel_listener.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Tobias Brunner + * Copyright (C) 2010-2013 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -23,9 +23,10 @@ typedef struct kernel_listener_t kernel_listener_t; -#include <kernel/kernel_ipsec.h> +#include <networking/host.h> +#include <networking/tun_device.h> #include <selectors/traffic_selector.h> -#include <utils/host.h> +#include <kernel/kernel_ipsec.h> /** * Interface for components interested in kernel events. @@ -91,6 +92,15 @@ struct kernel_listener_t { * @return TRUE to remain registered, FALSE to unregister */ bool (*roam)(kernel_listener_t *this, bool address); + + /** + * Hook called after a TUN device was created for a virtual IP address, or + * before such a device gets destroyed. + * + * @param tun TUN device + * @param created TRUE if created, FALSE if going to be destroyed + */ + bool (*tun)(kernel_listener_t *this, tun_device_t *tun, bool created); }; #endif /** KERNEL_LISTENER_H_ @}*/ diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h index a89e76804..8c448ddbc 100644 --- a/src/libhydra/kernel/kernel_net.h +++ b/src/libhydra/kernel/kernel_net.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2012 Tobias Brunner * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -23,10 +23,30 @@ #define KERNEL_NET_H_ typedef struct kernel_net_t kernel_net_t; +typedef enum kernel_address_type_t kernel_address_type_t; -#include <utils/enumerator.h> -#include <utils/host.h> +#include <collections/enumerator.h> +#include <networking/host.h> #include <plugins/plugin.h> +#include <kernel/kernel_interface.h> + +/** + * Type of addresses (e.g. when enumerating them) + */ +enum kernel_address_type_t { + /** normal addresses (on regular, up, non-ignored) interfaces */ + ADDR_TYPE_REGULAR = (1 << 0), + /** addresses on down interfaces */ + ADDR_TYPE_DOWN = (1 << 1), + /** addresses on ignored interfaces */ + ADDR_TYPE_IGNORED = (1 << 2), + /** addresses on loopback interfaces */ + ADDR_TYPE_LOOPBACK = (1 << 3), + /** virtual IP addresses */ + ADDR_TYPE_VIRTUAL = (1 << 4), + /** to enumerate all available addresses */ + ADDR_TYPE_ALL = (1 << 5) - 1, +}; /** * Interface to the network subsystem of the kernel. @@ -37,12 +57,19 @@ typedef struct kernel_net_t kernel_net_t; struct kernel_net_t { /** + * Get the feature set supported by this kernel backend. + * + * @return ORed feature-set of backend + */ + kernel_feature_t (*get_features)(kernel_net_t *this); + + /** * Get our outgoing source address for a destination. * * Does a route lookup to get the source address used to reach dest. * The returned host is allocated and must be destroyed. * An optional src address can be used to check if a route is available - * for given source to dest. + * for the given source to dest. * * @param dest target destination address * @param src source address to check, or NULL @@ -55,19 +82,24 @@ struct kernel_net_t { * * Does a route lookup to get the next hop used to reach dest. * The returned host is allocated and must be destroyed. + * An optional src address can be used to check if a route is available + * for the given source to dest. * * @param dest target destination address + * @param src source address to check, or NULL * @return next hop address, NULL if unreachable */ - host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest); + host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest, host_t *src); /** - * Get the interface name of a local address. + * Get the interface name of a local address. Interfaces that are down or + * ignored by config are not considered. * * @param host address to get interface name from - * @return allocated interface name, or NULL if not found + * @param name allocated interface name (optional) + * @return TRUE if interface found and usable */ - char* (*get_interface) (kernel_net_t *this, host_t *host); + bool (*get_interface) (kernel_net_t *this, host_t *host, char **name); /** * Creates an enumerator over all local addresses. @@ -76,12 +108,11 @@ struct kernel_net_t { * enumerator gets destroyed. * The hosts are read-only, do not modify of free. * - * @param include_down_ifaces TRUE to enumerate addresses from down interfaces - * @param include_virtual_ips TRUE to enumerate virtual ip addresses - * @return enumerator over host_t's + * @param which a combination of address types to enumerate + * @return enumerator over host_t's */ enumerator_t *(*create_address_enumerator) (kernel_net_t *this, - bool include_down_ifaces, bool include_virtual_ips); + kernel_address_type_t which); /** * Add a virtual IP to an interface. @@ -89,24 +120,27 @@ struct kernel_net_t { * Virtual IPs are attached to an interface. If an IP is added multiple * times, the IP is refcounted and not removed until del_ip() was called * as many times as add_ip(). - * The virtual IP is attached to the interface where the iface_ip is found. * * @param virtual_ip virtual ip address to assign - * @param iface_ip IP of an interface to attach virtual IP + * @param prefix prefix length to install with IP address, -1 for auto + * @param iface interface to install virtual IP on * @return SUCCESS if operation completed */ - status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip, - host_t *iface_ip); + status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip, int prefix, + char *iface); /** * Remove a virtual IP from an interface. * * The kernel interface uses refcounting, see add_ip(). * - * @param virtual_ip virtual ip address to assign + * @param virtual_ip virtual ip address to remove + * @param prefix prefix length of the IP to uninstall, -1 for auto + * @param wait TRUE to wait until IP is gone * @return SUCCESS if operation completed */ - status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip); + status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip, int prefix, + bool wait); /** * Add a route. @@ -114,7 +148,7 @@ struct kernel_net_t { * @param dst_net destination net * @param prefixlen destination net prefix length * @param gateway gateway for this route - * @param src_ip sourc ip of the route + * @param src_ip source ip of the route * @param if_name name of the interface the route is bound to * @return SUCCESS if operation completed * ALREADY_DONE if the route already exists @@ -129,7 +163,7 @@ struct kernel_net_t { * @param dst_net destination net * @param prefixlen destination net prefix length * @param gateway gateway for this route - * @param src_ip sourc ip of the route + * @param src_ip source ip of the route * @param if_name name of the interface the route is bound to * @return SUCCESS if operation completed */ |