diff options
Diffstat (limited to 'src/libhydra/plugins/kernel_netlink')
| -rw-r--r-- | src/libhydra/plugins/kernel_netlink/Makefile.in | 12 | ||||
| -rw-r--r-- | src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 22 | ||||
| -rw-r--r-- | src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c | 25 |
3 files changed, 38 insertions, 21 deletions
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in index 5f85da653..5910cfd92 100644 --- a/src/libhydra/plugins/kernel_netlink/Makefile.in +++ b/src/libhydra/plugins/kernel_netlink/Makefile.in @@ -219,8 +219,6 @@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ -CHECK_CFLAGS = @CHECK_CFLAGS@ -CHECK_LIBS = @CHECK_LIBS@ COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ @@ -288,6 +286,11 @@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -376,12 +379,16 @@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ @@ -396,6 +403,7 @@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 8352b9311..c864a92f4 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1203,6 +1203,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, struct nlmsghdr *hdr; struct xfrm_usersa_info *sa; u_int16_t icv_size = 64; + ipsec_mode_t original_mode = mode; status_t status = FAILED; /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0 @@ -1213,7 +1214,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, mode, ipcomp, 0, initiator, FALSE, FALSE, inbound, - NULL, NULL); + src_ts, dst_ts); ipcomp = IPCOMP_NONE; /* use transport mode ESP SA, IPComp uses tunnel mode */ mode = MODE_TRANSPORT; @@ -1243,7 +1244,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t, break; case MODE_BEET: case MODE_TRANSPORT: - if(src_ts && dst_ts) + if (original_mode == MODE_TUNNEL) + { /* don't install selectors for switched SAs. because only one + * selector can be installed other traffic would get dropped */ + break; + } + if (src_ts && dst_ts) { sa->sel = ts2selector(src_ts, dst_ts); /* don't install proto/port on SA. This would break @@ -1459,8 +1465,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, goto failed; } - if (tfc) - { + if (tfc && protocol == IPPROTO_ESP && mode == MODE_TUNNEL) + { /* the kernel supports TFC padding only for tunnel mode ESP SAs */ u_int32_t *tfcpad; tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD, @@ -2679,15 +2685,15 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .policy_history = TRUE, .install_routes = lib->settings->get_bool(lib->settings, - "%s.install_routes", TRUE, hydra->daemon), + "%s.install_routes", TRUE, lib->ns), .replay_window = lib->settings->get_int(lib->settings, - "%s.replay_window", DEFAULT_REPLAY_WINDOW, hydra->daemon), + "%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns), ); this->replay_bmp = (this->replay_window + sizeof(u_int32_t) * 8 - 1) / (sizeof(u_int32_t) * 8); - if (streq(hydra->daemon, "starter")) + if (streq(lib->ns, "starter")) { /* starter has no threads, so we do not register for kernel events */ register_for_events = FALSE; } @@ -2697,7 +2703,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() { fprintf(f, "%u", lib->settings->get_int(lib->settings, "%s.plugins.kernel-netlink.xfrm_acq_expires", - DEFAULT_ACQUIRE_LIFETIME, hydra->daemon)); + DEFAULT_ACQUIRE_LIFETIME, lib->ns)); fclose(f); } diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c index d27075082..3cf317634 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c @@ -1962,10 +1962,13 @@ METHOD(kernel_net_t, add_route, status_t, this->routes_lock->unlock(this->routes_lock); return ALREADY_DONE; } - found = route_entry_clone(&route); - this->routes->put(this->routes, found, found); status = manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL, dst_net, prefixlen, gateway, src_ip, if_name); + if (status == SUCCESS) + { + found = route_entry_clone(&route); + this->routes->put(this->routes, found, found); + } this->routes_lock->unlock(this->routes_lock); return status; } @@ -2122,7 +2125,7 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type, netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request)); fwmark = lib->settings->get_str(lib->settings, - "%s.plugins.kernel-netlink.fwmark", NULL, hydra->daemon); + "%s.plugins.kernel-netlink.fwmark", NULL, lib->ns); if (fwmark) { #ifdef HAVE_LINUX_FIB_RULES_H @@ -2282,30 +2285,30 @@ kernel_netlink_net_t *kernel_netlink_net_create() .condvar = rwlock_condvar_create(), .roam_lock = spinlock_create(), .routing_table = lib->settings->get_int(lib->settings, - "%s.routing_table", ROUTING_TABLE, hydra->daemon), + "%s.routing_table", ROUTING_TABLE, lib->ns), .routing_table_prio = lib->settings->get_int(lib->settings, - "%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon), + "%s.routing_table_prio", ROUTING_TABLE_PRIO, lib->ns), .process_route = lib->settings->get_bool(lib->settings, - "%s.process_route", TRUE, hydra->daemon), + "%s.process_route", TRUE, lib->ns), .install_virtual_ip = lib->settings->get_bool(lib->settings, - "%s.install_virtual_ip", TRUE, hydra->daemon), + "%s.install_virtual_ip", TRUE, lib->ns), .install_virtual_ip_on = lib->settings->get_str(lib->settings, - "%s.install_virtual_ip_on", NULL, hydra->daemon), + "%s.install_virtual_ip_on", NULL, lib->ns), .roam_events = lib->settings->get_bool(lib->settings, - "%s.plugins.kernel-netlink.roam_events", TRUE, hydra->daemon), + "%s.plugins.kernel-netlink.roam_events", TRUE, lib->ns), ); timerclear(&this->last_route_reinstall); timerclear(&this->next_roam); check_kernel_features(this); - if (streq(hydra->daemon, "starter")) + if (streq(lib->ns, "starter")) { /* starter has no threads, so we do not register for kernel events */ register_for_events = FALSE; } exclude = lib->settings->get_str(lib->settings, - "%s.ignore_routing_tables", NULL, hydra->daemon); + "%s.ignore_routing_tables", NULL, lib->ns); if (exclude) { char *token; |