Diffstat (limited to 'src/libhydra/kernel')
-rw-r--r--src/libhydra/kernel/kernel_interface.c58
-rw-r--r--src/libhydra/kernel/kernel_interface.h31
-rw-r--r--src/libhydra/kernel/kernel_ipsec.h6
-rw-r--r--src/libhydra/kernel/kernel_listener.h16
-rw-r--r--src/libhydra/kernel/kernel_net.h18
5 files changed, 100 insertions, 29 deletions
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 53b8324b7..90637fa06 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2013 Tobias Brunner
* Hochschule fuer Technik Rapperswil
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
@@ -180,7 +180,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
- u_int16_t cpi, bool encap, bool esn, bool inbound,
+ u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
{
if (!this->ipsec)
@@ -189,7 +189,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
}
return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
- ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts);
+ ipcomp, cpi, initiator, encap, esn, inbound, src_ts, dst_ts);
}
METHOD(kernel_interface_t, update_sa, status_t,
@@ -208,14 +208,14 @@ METHOD(kernel_interface_t, update_sa, status_t,
METHOD(kernel_interface_t, query_sa, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
u_int32_t spi, u_int8_t protocol, mark_t mark,
- u_int64_t *bytes, u_int64_t *packets)
+ u_int64_t *bytes, u_int64_t *packets, u_int32_t *time)
{
if (!this->ipsec)
{
return NOT_SUPPORTED;
}
return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark,
- bytes, packets);
+ bytes, packets, time);
}
METHOD(kernel_interface_t, del_sa, status_t,
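Review bot: The new `time` out-parameter of query_sa is forwarded unchanged at `bytes, packets, time);`, but neither this hunk nor the header hunks say what unit it carries or whether the caller may pass NULL, so each kernel_ipsec_t backend will decide that on its own. A `u_int32_t` cannot hold a full `time_t`, so if the value is seconds since the epoch the header should state that and the wrap-around it implies. Naming the parameter `time` also shadows `time()` from `<time.h>` in every translation unit that includes the header, which `-Wshadow` reports; `use_time` avoids it. The same doc line, `@param[out] time last time of SA use`, appears in the kernel_interface.h and kernel_ipsec.h query_sa hunks and should become `@param[out] use_time last use of the SA in <unit>, may be NULL if not needed` with the unit filled in.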
@@ -415,7 +415,8 @@ METHOD(kernel_interface_t, all_interfaces_usable, bool,
}
METHOD(kernel_interface_t, get_address_by_ts, status_t,
- private_kernel_interface_t *this, traffic_selector_t *ts, host_t **ip)
+ private_kernel_interface_t *this, traffic_selector_t *ts,
+ host_t **ip, bool *vip)
{
enumerator_t *addrs;
host_t *host;
@@ -446,13 +447,17 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t,
}
host->destroy(host);
- addrs = create_address_enumerator(this, ADDR_TYPE_ALL);
+ addrs = create_address_enumerator(this, ADDR_TYPE_VIRTUAL);
while (addrs->enumerate(addrs, (void**)&host))
{
if (ts->includes(ts, host))
{
found = TRUE;
*ip = host->clone(host);
+ if (vip)
+ {
+ *vip = TRUE;
+ }
break;
}
}
@@ -460,6 +465,25 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t,
if (!found)
{
+ addrs = create_address_enumerator(this, ADDR_TYPE_REGULAR);
+ while (addrs->enumerate(addrs, (void**)&host))
+ {
+ if (ts->includes(ts, host))
+ {
+ found = TRUE;
+ *ip = host->clone(host);
+ if (vip)
+ {
+ *vip = FALSE;
+ }
+ break;
+ }
+ }
+ addrs->destroy(addrs);
+ }
+
+ if (!found)
+ {
DBG2(DBG_KNL, "no local address found in traffic selector %R", ts);
return FAILED;
}
@@ -620,6 +644,25 @@ METHOD(kernel_interface_t, roam, void,
this->mutex->unlock(this->mutex);
}
+METHOD(kernel_interface_t, tun, void,
+ private_kernel_interface_t *this, tun_device_t *tun, bool created)
+{
+ kernel_listener_t *listener;
+ enumerator_t *enumerator;
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &listener))
+ {
+ if (listener->tun &&
+ !listener->tun(listener, tun, created))
+ {
+ this->listeners->remove_at(this->listeners, enumerator);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
METHOD(kernel_interface_t, register_algorithm, void,
private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type,
u_int16_t kernel_id, char *kernel_name)
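Review bot: The new `tun` method calls every listener's hook between `this->mutex->lock(this->mutex);` and `this->mutex->unlock(this->mutex);`, so a listener that calls back into kernel_interface_t from its tun hook will deadlock unless that mutex is recursive; it is created with `MUTEX_TYPE_DEFAULT` in the later constructor hunk, which I read as non-recursive. The roam method ending just above this hunk appears to follow the same pattern, so this is presumably the established contract rather than a new bug, but nothing in the new listener doc says so. I would add to the tun hook's comment in the kernel_listener.h hunk: `Called with the kernel interface's listener lock held; do not call back into kernel_interface_t from this hook.`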
@@ -740,6 +783,7 @@ kernel_interface_t *kernel_interface_create()
.mapping = _mapping,
.migrate = _migrate,
.roam = _roam,
+ .tun = _tun,
.destroy = _destroy,
},
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 1d2253b94..1d96f1c35 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -65,6 +65,10 @@ typedef enum kernel_feature_t kernel_feature_t;
enum kernel_feature_t {
/** IPsec can process ESPv3 (RFC 4303) TFC padded packets */
KERNEL_ESP_V3_TFC = (1<<0),
+ /** Networking requires an "exclude" route for IKE/ESP packets */
+ KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1),
+ /** IPsec implementation requires UDP encapsulation of ESP packets */
+ KERNEL_REQUIRE_UDP_ENCAPSULATION = (1<<2),
};
/**
@@ -141,6 +145,7 @@ struct kernel_interface_t {
* @param mode mode of the SA (tunnel, transport)
* @param ipcomp IPComp transform to use
* @param cpi CPI for IPComp
+ * @param initiator TRUE if initiator of the exchange creating this SA
* @param encap enable UDP encapsulation for NAT traversal
* @param esn TRUE to use Extended Sequence Numbers
* @param inbound TRUE if this is an inbound SA
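Review bot: The added `@param initiator TRUE if initiator of the exchange creating this SA` says what the flag is but not what a kernel_ipsec_t backend is expected to do with it, which is the only reason to thread it through add_sa; without that, backends will interpret it independently. A sentence such as `Backends use this to <intended purpose>` with the purpose filled in belongs here and on the identical line in the kernel_ipsec.h hunk.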
@@ -155,7 +160,7 @@ struct kernel_interface_t {
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool esn, bool inbound,
+ bool initiator, bool encap, bool esn, bool inbound,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
/**
@@ -195,11 +200,12 @@ struct kernel_interface_t {
* @param mark optional mark for this SA
* @param[out] bytes the number of bytes processed by SA
* @param[out] packets number of packets processed by SA
+ * @param[out] time last time of SA use
* @return SUCCESS if operation completed
*/
status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
u_int32_t spi, u_int8_t protocol, mark_t mark,
- u_int64_t *bytes, u_int64_t *packets);
+ u_int64_t *bytes, u_int64_t *packets, u_int32_t *time);
/**
* Delete a previously installed SA from the SAD.
@@ -367,7 +373,7 @@ struct kernel_interface_t {
*
* The kernel interface uses refcounting, see add_ip().
*
- * @param virtual_ip virtual ip address to assign
+ * @param virtual_ip virtual ip address to remove
* @param prefix prefix length of the IP to uninstall, -1 for auto
* @param wait TRUE to wait untily IP is gone
* @return SUCCESS if operation completed
@@ -381,7 +387,7 @@ struct kernel_interface_t {
* @param dst_net destination net
* @param prefixlen destination net prefix length
* @param gateway gateway for this route
- * @param src_ip sourc ip of the route
+ * @param src_ip source ip of the route
* @param if_name name of the interface the route is bound to
* @return SUCCESS if operation completed
* ALREADY_DONE if the route already exists
@@ -396,7 +402,7 @@ struct kernel_interface_t {
* @param dst_net destination net
* @param prefixlen destination net prefix length
* @param gateway gateway for this route
- * @param src_ip sourc ip of the route
+ * @param src_ip source ip of the route
* @param if_name name of the interface the route is bound to
* @return SUCCESS if operation completed
*/
@@ -451,10 +457,11 @@ struct kernel_interface_t {
*
* @param ts traffic selector
* @param ip returned IP address (has to be destroyed)
+ * @param vip set to TRUE if returned address is a virtual IP
* @return SUCCESS if address found
*/
status_t (*get_address_by_ts)(kernel_interface_t *this,
- traffic_selector_t *ts, host_t **ip);
+ traffic_selector_t *ts, host_t **ip, bool *vip);
/**
* Register an ipsec kernel interface constructor on the manager.
@@ -557,6 +564,14 @@ struct kernel_interface_t {
void (*roam)(kernel_interface_t *this, bool address);
/**
+ * Raise a tun event.
+ *
+ * @param tun TUN device
+ * @param created TRUE if created, FALSE if going to be destroyed
+ */
+ void (*tun)(kernel_interface_t *this, tun_device_t *tun, bool created);
+
+ /**
* Register a new algorithm with the kernel interface.
*
* @param alg_id the IKE id of the algorithm
@@ -583,7 +598,7 @@ struct kernel_interface_t {
char **kernel_name);
/**
- * Destroys a kernel_interface_manager_t object.
+ * Destroys a kernel_interface_t object.
*/
void (*destroy) (kernel_interface_t *this);
};
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index ba67238e5..413e5920f 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -101,6 +101,7 @@ struct kernel_ipsec_t {
* @param mode mode of the SA (tunnel, transport)
* @param ipcomp IPComp transform to use
* @param cpi CPI for IPComp
+ * @param initiator TRUE if initiator of the exchange creating this SA
* @param encap enable UDP encapsulation for NAT traversal
* @param esn TRUE to use Extended Sequence Numbers
* @param inbound TRUE if this is an inbound SA
@@ -115,7 +116,7 @@ struct kernel_ipsec_t {
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool esn, bool inbound,
+ bool initiator, bool encap, bool esn, bool inbound,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
/**
@@ -155,11 +156,12 @@ struct kernel_ipsec_t {
* @param mark optional mark for this SA
* @param[out] bytes the number of bytes processed by SA
* @param[out] packets number of packets processed by SA
+ * @param[out] time last time of SA use
* @return SUCCESS if operation completed
*/
status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
u_int32_t spi, u_int8_t protocol, mark_t mark,
- u_int64_t *bytes, u_int64_t *packets);
+ u_int64_t *bytes, u_int64_t *packets, u_int32_t *time);
/**
* Delete a previusly installed SA from the SAD.
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h
index 27ea947eb..4382a43fd 100644
--- a/src/libhydra/kernel/kernel_listener.h
+++ b/src/libhydra/kernel/kernel_listener.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -23,9 +23,10 @@
typedef struct kernel_listener_t kernel_listener_t;
-#include <kernel/kernel_ipsec.h>
-#include <selectors/traffic_selector.h>
#include <networking/host.h>
+#include <networking/tun_device.h>
+#include <selectors/traffic_selector.h>
+#include <kernel/kernel_ipsec.h>
/**
* Interface for components interested in kernel events.
@@ -91,6 +92,15 @@ struct kernel_listener_t {
* @return TRUE to remain registered, FALSE to unregister
*/
bool (*roam)(kernel_listener_t *this, bool address);
+
+ /**
+ * Hook called after a TUN device was created for a virtual IP address, or
+ * before such a device gets destroyed.
+ *
+ * @param tun TUN device
+ * @param created TRUE if created, FALSE if going to be destroyed
+ */
+ bool (*tun)(kernel_listener_t *this, tun_device_t *tun, bool created);
};
#endif /** KERNEL_LISTENER_H_ @}*/
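Review bot: The new tun hook's doc comment ends at `@param created TRUE if created, FALSE if going to be destroyed` without a `@return` line, although the hook returns `bool` and the roam hook directly above documents `@return TRUE to remain registered, FALSE to unregister`. The dispatcher added in kernel_interface.c removes the listener when tun returns FALSE (`this->listeners->remove_at(this->listeners, enumerator);`), so the return value has the same effect here and the same `@return` line should be added after `@param created`.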
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h
index 0d3417f1d..8c448ddbc 100644
--- a/src/libhydra/kernel/kernel_net.h
+++ b/src/libhydra/kernel/kernel_net.h
@@ -35,17 +35,17 @@ typedef enum kernel_address_type_t kernel_address_type_t;
*/
enum kernel_address_type_t {
/** normal addresses (on regular, up, non-ignored) interfaces */
- ADDR_TYPE_REGULAR = 0,
+ ADDR_TYPE_REGULAR = (1 << 0),
/** addresses on down interfaces */
- ADDR_TYPE_DOWN = (1 << 0),
+ ADDR_TYPE_DOWN = (1 << 1),
/** addresses on ignored interfaces */
- ADDR_TYPE_IGNORED = (1 << 1),
+ ADDR_TYPE_IGNORED = (1 << 2),
/** addresses on loopback interfaces */
- ADDR_TYPE_LOOPBACK = (1 << 2),
+ ADDR_TYPE_LOOPBACK = (1 << 3),
/** virtual IP addresses */
- ADDR_TYPE_VIRTUAL = (1 << 3),
+ ADDR_TYPE_VIRTUAL = (1 << 4),
/** to enumerate all available addresses */
- ADDR_TYPE_ALL = (1 << 4) - 1,
+ ADDR_TYPE_ALL = (1 << 5) - 1,
};
/**
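Review bot: `ADDR_TYPE_REGULAR` changes from `0` to `(1 << 0)`, turning what was a "no bits set" value into a real flag, so any caller or kernel_net_t backend that passed 0 to mean "regular only" or that compared against `ADDR_TYPE_REGULAR` rather than masking now behaves differently, and `ADDR_TYPE_ALL` shifts accordingly. The backends are outside this diff, so I cannot tell whether any of them relied on the old value; the enum comment above this hunk also does not say the values are a bit mask. A one-line note on the enum, `Values are flags and may be OR-ed; 0 selects no address type.`, would make the new contract explicit for implementers.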
@@ -134,7 +134,7 @@ struct kernel_net_t {
*
* The kernel interface uses refcounting, see add_ip().
*
- * @param virtual_ip virtual ip address to assign
+ * @param virtual_ip virtual ip address to remove
* @param prefix prefix length of the IP to uninstall, -1 for auto
* @param wait TRUE to wait until IP is gone
* @return SUCCESS if operation completed
@@ -148,7 +148,7 @@ struct kernel_net_t {
* @param dst_net destination net
* @param prefixlen destination net prefix length
* @param gateway gateway for this route
- * @param src_ip sourc ip of the route
+ * @param src_ip source ip of the route
* @param if_name name of the interface the route is bound to
* @return SUCCESS if operation completed
* ALREADY_DONE if the route already exists
@@ -163,7 +163,7 @@ struct kernel_net_t {
* @param dst_net destination net
* @param prefixlen destination net prefix length
* @param gateway gateway for this route
- * @param src_ip sourc ip of the route
+ * @param src_ip source ip of the route
* @param if_name name of the interface the route is bound to
* @return SUCCESS if operation completed
*/