tteras/strongswan/src/libcharon/plugins/socket_default, branch master tteras' strongSwan tree socket-default: Add an option to force the sending interface via IP_PKTINFO 2017-05-23T14:49:39+00:00 Martin Willi martin@strongswan.org 2016-09-16T12:50:07+00:00 9b29003cd9e12075070106eb9481954ab34912ca On Linux, setting the source address is insufficient to force a packet to be sent over a certain path. The kernel uses the best route to select the outgoing interface, even if we set a source address of a lower priority interface. This is not only true for interfaces attaching to the same subnet, but also for unrelated interfaces; the kernel (at least on 4.7) sends out the packet on whatever interface it sees fit, even if that network does not expect packets from the source address we force to. When a better interface becomes available, strongSwan sends its MOBIKE address list update using the old source address. But the kernel sends that packet over the new best interface. If that network drops packets having the unexpected source address from the old path, the MOBIKE update fails and the SA finally times out. To enforce a specific interface for our packet, we explicitly set the interface index from the interface where the source address is installed. According to ip(7), this overrules the specified source address to the primary interface address. As this could have side effects to installations using multiple addresses on a single interface, we disable the option by default for now. This also allows using IPv6 link-local addresses, which won't work if the outbound interface is not set explicitly. 
On Linux, setting the source address is insufficient to force a packet to be
sent over a certain path. The kernel uses the best route to select the outgoing
interface, even if we set a source address of a lower priority interface. This
is not only true for interfaces attaching to the same subnet, but also for
unrelated interfaces; the kernel (at least on 4.7) sends out the packet on
whatever interface it sees fit, even if that network does not expect packets
from the source address we force to.

When a better interface becomes available, strongSwan sends its MOBIKE address
list update using the old source address. But the kernel sends that packet over
the new best interface. If that network drops packets having the unexpected
source address from the old path, the MOBIKE update fails and the SA finally
times out.

To enforce a specific interface for our packet, we explicitly set the interface
index from the interface where the source address is installed. According to
ip(7), this overrules the specified source address to the primary interface
address. As this could have side effects to installations using multiple
addresses on a single interface, we disable the option by default for now.

This also allows using IPv6 link-local addresses, which won't work if
the outbound interface is not set explicitly.
Use standard unsigned integer types 2016-03-24T17:52:48+00:00 Andreas Steffen andreas.steffen@strongswan.org 2016-03-22T12:22:01+00:00 b12c53ce77beb8e04b044d0c0dc9249ddba72200 






libhydra: Remove empty unused library
2016-03-03T16:36:11+00:00

Tobias Brunner
tobias@strongswan.org

2016-02-12T15:35:54+00:00

28649f6d91971e0fe50078aec2937010e8c61cd8












libhydra: Move kernel interface to libcharon
2016-03-03T16:36:11+00:00

Tobias Brunner
tobias@strongswan.org

2016-02-12T14:30:18+00:00

8394ea2a42eb23ba22471d913dcf47e6067109e1

This moves hydra->kernel_interface to charon->kernel.





This moves hydra->kernel_interface to charon->kernel.







socket-default: Refactor setting source address when sending messages
2015-11-09T15:43:21+00:00

Tobias Brunner
tobias@strongswan.org

2015-11-02T15:22:38+00:00

47e113a63905305fdb7eee8304a5eb1adcb216d4

This ensures we don't pass data (via msg_control) defined in a different
scope to sendmsg().  Actually, some compilers (e.g. GCC 5.2.1) might
optimize the memcpy() call away causing the packets not to get sent from
the intended source address.

It also makes the code clearer than with all these ifdefs.

Fixes #1171.





This ensures we don't pass data (via msg_control) defined in a different
scope to sendmsg().  Actually, some compilers (e.g. GCC 5.2.1) might
optimize the memcpy() call away causing the packets not to get sent from
the intended source address.

It also makes the code clearer than with all these ifdefs.

Fixes #1171.







socket-default: Refactor retrieval of destination address of received packets
2015-11-09T15:42:20+00:00

Tobias Brunner
tobias@strongswan.org

2015-11-02T15:16:56+00:00

99747bed8f0aea9427bd17820dbde79342bb9ce9

This makes the code a bit clearer than with the interleaved ifdefs.





This makes the code a bit clearer than with the interleaved ifdefs.







Fixed some typos, courtesy of codespell
2014-12-15T16:11:14+00:00

Tobias Brunner
tobias@strongswan.org

2014-12-15T16:11:14+00:00

3000f6aada33e5f4045591b496cc33298b9276fa












socket-default: Use round-robin selection of sockets to read from
2014-11-21T11:02:07+00:00

Martin Willi
martin@revosec.ch

2014-11-21T10:43:20+00:00

ed247660e81557261cd954e8b3ff19e410a347be

If multiple sockets are ready, we previously preferred the IPv4 non-NAT socket
over others. To handle all with equal priority, use a round-robin selection.





If multiple sockets are ready, we previously preferred the IPv4 non-NAT socket
over others. To handle all with equal priority, use a round-robin selection.







socket-default: Use poll(2) instead of select
2014-11-21T11:02:07+00:00

Martin Willi
martin@revosec.ch

2014-11-05T15:59:39+00:00

ce13ba62cc70fd6861ffc5e18f822cc3fb127841

It is not only simpler, but also allows the use of arbitrary high fd numbers,
which silently fails with select().





It is not only simpler, but also allows the use of arbitrary high fd numbers,
which silently fails with select().







packet: Define a global default maximum size for IKE packets
2014-10-10T07:32:42+00:00

Tobias Brunner
tobias@strongswan.org

2014-09-16T13:38:38+00:00

f00a9c171592c05cc6e77030b791e80525dd839b