tteras/strongswan/src/libcharon/plugins/connmark, branch master tteras' strongSwan tree connmark: Add CAP_NET_RAW to capabilities keep list 2016-10-25T07:46:23+00:00 Tim Kent tim@kent.id.au 2016-10-25T06:17:10+00:00 87875086d05c0d5b7825a8810cf42da26b67bc04 Fix for "Permission denied (you must be root)" error when calling iptc_init(), which opens a RAW socket to communicate with the kernel, when built with "--with-capabilities=libcap". Closes strongswan/strongswan#53. Fixes #2157. 
Fix for "Permission denied (you must be root)" error when calling
iptc_init(), which opens a RAW socket to communicate with the kernel,
when built with "--with-capabilities=libcap".

Closes strongswan/strongswan#53.
Fixes #2157.
Use standard unsigned integer types 2016-03-24T17:52:48+00:00 Andreas Steffen andreas.steffen@strongswan.org 2016-03-22T12:22:01+00:00 b12c53ce77beb8e04b044d0c0dc9249ddba72200 






connmark: Explicitly include xt_mark.h for older kernels
2016-03-23T13:40:29+00:00

Tobias Brunner
tobias@strongswan.org

2016-03-23T13:40:29+00:00

b39be996ccbae8252f2e44265cdd7dcda7835fc2

Fixes #1365.





Fixes #1365.







connmark: Don't restore CONNMARK for packets that already have a mark set
2016-03-10T16:26:26+00:00

Tobias Brunner
tobias@strongswan.org

2016-03-07T15:52:43+00:00

c659d369a0b81c0e723d73964ddf80a79bc1d44e

This allows e.g. modified versions of xl2tpd to set the mark in
situations where two clients are using the same source port behind the
same NAT, which CONNMARK can't restore properly as only one conntrack entry
will exist with the mark set to that of the client that sent the last packet.

Fixes #1230.





This allows e.g. modified versions of xl2tpd to set the mark in
situations where two clients are using the same source port behind the
same NAT, which CONNMARK can't restore properly as only one conntrack entry
will exist with the mark set to that of the client that sent the last packet.

Fixes #1230.







connmark: Compare the complete rules when deleting them
2016-03-10T16:26:09+00:00

Tobias Brunner
tobias@strongswan.org

2016-03-07T14:32:02+00:00

7c9e7eb9334beeca94e7d97f7b4cbed718e9dc2d

By settings a matchmask that covers the complete rule we ensure that the
correct rule is deleted (i.e. matches and targets with potentially different
marks are also compared).

Since data after the passed pointer is actually dereferenced when
comparing we definitely have to pass an array that is at least as long as
the ipt_entry.

Fixes #1229.





By settings a matchmask that covers the complete rule we ensure that the
correct rule is deleted (i.e. matches and targets with potentially different
marks are also compared).

Since data after the passed pointer is actually dereferenced when
comparing we definitely have to pass an array that is at least as long as
the ipt_entry.

Fixes #1229.







libhydra: Remove empty unused library
2016-03-03T16:36:11+00:00

Tobias Brunner
tobias@strongswan.org

2016-02-12T15:35:54+00:00

28649f6d91971e0fe50078aec2937010e8c61cd8












connmark: Fix alignment when adding rules
2016-03-03T16:20:09+00:00

Tobias Brunner
tobias@strongswan.org

2015-11-30T15:04:35+00:00

c4cb652a562a1a6674adc90b615e4c866375194c

The structs that make up a message sent to the kernel have all to be
aligned with XT_ALIGN.  That was not necessarily the case when
initializing the complete message as struct.

Fixes #1212.





The structs that make up a message sent to the kernel have all to be
aligned with XT_ALIGN.  That was not necessarily the case when
initializing the complete message as struct.

Fixes #1212.







configure: Use pkg-config to detect libiptc used by connmark/forecast
2015-02-23T11:35:28+00:00

Tobias Brunner
tobias@strongswan.org

2015-02-23T11:11:22+00:00

89b60e9fd7b2a223e1fede8484e5791e6c5bb0ff

This ensures the library is available.  On Debian/Ubuntu it is a dynamic
library provided by the iptables-dev package.





This ensures the library is available.  On Debian/Ubuntu it is a dynamic
library provided by the iptables-dev package.







connmark: Add CONNMARK rules to select correct output SA based on conntrack
2015-02-20T15:34:53+00:00

Martin Willi
martin@revosec.ch

2014-11-14T11:57:53+00:00

b8973b2661310059f80f2e440cb96cc59b491084

Currently supports transport mode connections using IPv4 only, and requires
a unique mark configured on the connection.

To select the correct outbound SA when multiple connections match (i.e.
multiple peers connected from the same IP address / NAT router) marks must be
configured. This mark should usually be unique, which can be configured in
ipsec.conf using mark=0xffffffff.

The plugin inserts CONNMARK netfilter target rules: Any peer-initiated flow
is tagged with the assigned mark as connmark. On the return path, the mark
gets restored from the conntrack entry to select the correct outbound SA.





Currently supports transport mode connections using IPv4 only, and requires
a unique mark configured on the connection.

To select the correct outbound SA when multiple connections match (i.e.
multiple peers connected from the same IP address / NAT router) marks must be
configured. This mark should usually be unique, which can be configured in
ipsec.conf using mark=0xffffffff.

The plugin inserts CONNMARK netfilter target rules: Any peer-initiated flow
is tagged with the assigned mark as connmark. On the return path, the mark
gets restored from the conntrack entry to select the correct outbound SA.







connmark: Add a plugin stub
2015-02-20T14:33:59+00:00

Martin Willi
martin@revosec.ch

2014-11-14T10:01:45+00:00

8c2290dcf9a21dc33199abdf8ef29b5ae2516ad9