authorMartin Willi <martin@strongswan.org>2006-03-20 15:43:26 +0000
committerMartin Willi <martin@strongswan.org>2006-03-20 15:43:26 +0000
commit87a217f9f1640ed08dbe06564f6fbcd3cdfdeefb (patch)
tree928291a14cedbcb875d205b5a38527a37f515561 /Source/charon/config
parente8d25806f3281b71d2512e926c08f50f72d5d505 (diff)
- works quite well now with ipsec.conf & ipsec starter
Diffstat (limited to 'Source/charon/config')
-rw-r--r--Source/charon/config/connection.c38
-rw-r--r--Source/charon/config/connection.h22
-rwxr-xr-xSource/charon/config/connection_store.h6
-rwxr-xr-xSource/charon/config/credential_store.h11
-rw-r--r--Source/charon/config/policy.c100
-rw-r--r--Source/charon/config/policy.h60
-rwxr-xr-xSource/charon/config/policy_store.h7
-rw-r--r--Source/charon/config/proposal.c45
-rw-r--r--Source/charon/config/proposal.h8
-rw-r--r--Source/charon/config/traffic_selector.c31
-rw-r--r--Source/charon/config/traffic_selector.h33
11 files changed, 346 insertions, 15 deletions
diff --git a/Source/charon/config/connection.c b/Source/charon/config/connection.c
index 789cebb49..e0b29ac2f 100644
--- a/Source/charon/config/connection.c
+++ b/Source/charon/config/connection.c
@@ -114,6 +114,15 @@ static void update_my_host(private_connection_t *this, host_t *my_host)
}
/**
+ * Implementation of connection_t.update_other_host.
+ */
+static void update_other_host(private_connection_t *this, host_t *other_host)
+{
+ this->other_host->destroy(this->other_host);
+ this->other_host = other_host;
+}
+
+/**
* Implementation of connection_t.get_other_host.
*/
static host_t * get_other_host (private_connection_t *this)
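Review bot: update_other_host() destroys `this->other_host` before storing the new pointer, so a caller that passes in the pointer the connection already holds leaves it referring to a freed object. Whether get_other_host() hands out that internal pointer is not visible in this hunk, but a guard such as `if (other_host == this->other_host) return;` ahead of the destroy call closes the case cheaply. The comment could also state that ownership of other_host passes to the connection. update_my_id() and update_other_id() in policy.c use the same destroy-then-assign pattern.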
@@ -238,6 +247,33 @@ static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh
}
/**
+ * Implementation of connection_t.clone.
+ */
+static connection_t *clone(private_connection_t *this)
+{
+ iterator_t *iterator;
+ proposal_t *proposal;
+ private_connection_t *clone = (private_connection_t*)connection_create(
+ this->my_host->clone(this->my_host),
+ this->other_host->clone(this->other_host),
+ this->my_id->clone(this->my_id),
+ this->other_id->clone(this->other_id),
+ this->auth_method);
+
+ /* clone all proposals */
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->has_next(iterator))
+ {
+ iterator->current(iterator, (void**)&proposal);
+ proposal = proposal->clone(proposal);
+ clone->proposals->insert_last(clone->proposals, (void*)proposal);
+ }
+ iterator->destroy(iterator);
+
+ return &clone->public;
+}
+
+/**
* Implementation of connection_t.destroy.
*/
static void destroy (private_connection_t *this)
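Review bot: The local variable `clone` inside clone() shadows the function's own name, which makes `clone->proposals` and `proposal->clone(proposal)` harder to tell apart when reading the loop. Renaming the local, for example `private_connection_t *copy = (private_connection_t*)connection_create(`, keeps the two apart. The clone() functions added in policy.c and proposal.c use the same local name. The comment could also say that the proposals are deep-copied and that the caller owns the returned object.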
@@ -269,6 +305,7 @@ connection_t * connection_create(host_t *my_host, host_t *other_host, identifica
this->public.get_other_id = (identification_t*(*)(connection_t*))get_other_id;
this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host;
this->public.update_my_host = (void(*)(connection_t*,host_t*))update_my_host;
+ this->public.update_other_host = (void(*)(connection_t*,host_t*))update_other_host;
this->public.get_other_host = (host_t*(*)(connection_t*))get_other_host;
this->public.get_proposals = (linked_list_t*(*)(connection_t*))get_proposals;
this->public.select_proposal = (proposal_t*(*)(connection_t*,linked_list_t*))select_proposal;
@@ -276,6 +313,7 @@ connection_t * connection_create(host_t *my_host, host_t *other_host, identifica
this->public.get_auth_method = (auth_method_t(*)(connection_t*)) get_auth_method;
this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group;
this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group;
+ this->public.clone = (connection_t*(*)(connection_t*))clone;
this->public.destroy = (void(*)(connection_t*))destroy;
/* private variables */
diff --git a/Source/charon/config/connection.h b/Source/charon/config/connection.h
index b112ace70..9ec26b778 100644
--- a/Source/charon/config/connection.h
+++ b/Source/charon/config/connection.h
@@ -123,7 +123,7 @@ struct connection_t {
/**
* @brief Update address of my host.
*
- * It may be necessary to uptdate this address, as it
+ * It may be necessary to uptdate own address, as it
* is set to the default route (0.0.0.0) in some cases.
* Old host is destroyed, new one NOT cloned.
*
@@ -131,6 +131,18 @@ struct connection_t {
* @param my_host new host to set as my_host
*/
void (*update_my_host) (connection_t *this, host_t *my_host);
+
+ /**
+ * @brief Update address of remote host.
+ *
+ * It may be necessary to uptdate remote address, as a
+ * connection may define %any (0.0.0.0) or a subnet.
+ * Old host is destroyed, new one NOT cloned.
+ *
+ * @param this calling object
+ * @param my_host new host to set as other_host
+ */
+ void (*update_other_host) (connection_t *this, host_t *other_host);
/**
* @brief Returns a list of all supported proposals.
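Review bot: The doc comment for update_other_host names its second parameter `my_host`, but the declaration below it uses `other_host`, so generated documentation will describe a parameter that does not exist. The line should read `* @param other_host new host to set as other_host`. "uptdate" is also misspelled here and in the update_my_host comment changed in the previous hunk.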
@@ -193,6 +205,14 @@ struct connection_t {
bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group);
/**
+ * @brief Clone a connection_t object.
+ *
+ * @param this connection to clone
+ * @return clone of it
+ */
+ connection_t *(*clone) (connection_t *this);
+
+ /**
* @brief Destroys a connection_t object.
*
* @param this calling object
diff --git a/Source/charon/config/connection_store.h b/Source/charon/config/connection_store.h
index aac10574b..8b80c0fea 100755
--- a/Source/charon/config/connection_store.h
+++ b/Source/charon/config/connection_store.h
@@ -33,7 +33,7 @@ typedef struct connection_store_t connection_store_t;
* @brief The interface for a store of connection_t's.
*
* @b Constructors:
- * - connection_store_create()
+ * - stroke_create()
*
* @ingroup config
*/
@@ -42,6 +42,8 @@ struct connection_store_t {
/**
* @brief Returns a connection definition identified by two IDs.
*
+ * This call is usefull to get a connection identified by addresses.
+ * It may be used after kernel request for traffic protection.
* The returned connection gets created/cloned and therefore must
* be destroyed after usage.
*
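Review bot: The sentences added here look swapped with the ones in the next hunk. The getter described as "identified by two IDs" gains `This call is usefull to get a connection identified by addresses`, while the getter "identified by two hosts" in the following hunk gains the text about IDs rather than addresses. Exchanging the two added paragraphs would make each match its @brief line; "usefull" should be "useful".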
@@ -57,6 +59,8 @@ struct connection_store_t {
/**
* @brief Returns a connection definition identified by two hosts.
*
+ * This call is useful to get a connection which is identified by IDs
+ * rather than addresses, e.g. for connection setup on user request.
* The returned connection gets created/cloned and therefore must
* be destroyed after usage.
*
diff --git a/Source/charon/config/credential_store.h b/Source/charon/config/credential_store.h
index 89e9704b3..27f957aa1 100755
--- a/Source/charon/config/credential_store.h
+++ b/Source/charon/config/credential_store.h
@@ -34,7 +34,7 @@ typedef struct credential_store_t credential_store_t;
* @brief The interface for a credential_store backend.
*
* @b Constructors:
- * - credential_store_create()
+ * - stroke_create()
*
* @ingroup config
*/
@@ -43,8 +43,7 @@ struct credential_store_t {
/**
* @brief Returns the preshared secret of a specific ID.
*
- * The returned preshared secret MUST NOT be destroyed cause it's managed by
- * this credential_store_t object.
+ * The returned chunk must be destroyed by the caller after usage.
*
* @param this calling object
* @param identification identification_t object identifiying the secret.
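Review bot: The ownership change on the preshared-secret getter means every caller now holds its own copy of key material, and the comment does not say how that copy should be released. Callers written against the old "MUST NOT be destroyed" contract will leak the secret, and those that do free it should wipe the buffer first. I would extend the comment to `The returned chunk is a copy owned by the caller, who must wipe and free it after usage.` The same applies to the RSA private key getter in the last hunk of this file; the implementations and callers are outside this diff, so whether they were updated cannot be checked here.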
@@ -59,8 +58,7 @@ struct credential_store_t {
/**
* @brief Returns the RSA public key of a specific ID.
*
- * The returned rsa_public_key_t object MUST NOT be destroyed cause it's managed by
- * this credential_store_t object.
+ * The returned rsa_public_key_t must be destroyed by the caller after usage.
*
* @param this calling object
* @param identification identification_t object identifiying the key.
@@ -75,8 +73,7 @@ struct credential_store_t {
/**
* @brief Returns the RSA private key of a specific ID.
*
- * The returned rsa_private_key_t object MUST NOT be destroyed cause it's managed by
- * this credential_store_t object.
+ * The returned rsa_private_key_t must be destroyed by the caller after usage.
*
* @param this calling object
* @param identification identification_t object identifiying the key
diff --git a/Source/charon/config/policy.c b/Source/charon/config/policy.c
index 0d9e8487d..fbdc46def 100644
--- a/Source/charon/config/policy.c
+++ b/Source/charon/config/policy.c
@@ -87,6 +87,57 @@ static identification_t *get_other_id(private_policy_t *this)
}
/**
+ * Implementation of policy_t.update_my_id
+ */
+static void update_my_id(private_policy_t *this, identification_t *my_id)
+{
+ this->my_id->destroy(this->my_id);
+ this->my_id = my_id;
+}
+
+/**
+ * Implementation of policy_t.update_other_id
+ */
+static void update_other_id(private_policy_t *this, identification_t *other_id)
+{
+ this->other_id->destroy(this->other_id);
+ this->other_id = other_id;
+}
+
+/**
+ * Helper function which does the work for policy_t.update_my_ts and update_other_ts
+ */
+static void update_ts(linked_list_t* list, host_t *new_host)
+{
+ traffic_selector_t *ts;
+ iterator_t *iterator;
+
+ iterator = list->create_iterator(list, TRUE);
+ while (iterator->has_next(iterator))
+ {
+ iterator->current(iterator, (void**)&ts);
+ ts->update_address_range(ts, new_host);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of policy_t.update_my_id
+ */
+static void update_my_ts(private_policy_t *this, host_t *my_host)
+{
+ update_ts(this->my_ts, my_host);
+}
+
+/**
+ * Implementation of policy_t.update_other_ts
+ */
+static void update_other_ts(private_policy_t *this, host_t *my_host)
+{
+ update_ts(this->other_ts, my_host);
+}
+
+/**
* Implementation of policy_t.get_my_traffic_selectors
*/
static linked_list_t *get_my_traffic_selectors(private_policy_t *this)
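Review bot: The comment above update_my_ts() still reads `Implementation of policy_t.update_my_id`, copied from the function further up, and should be `* Implementation of policy_t.update_my_ts`. update_other_ts() also names its host parameter `my_host` although it updates `this->other_ts` and the header declares it as `other_host`; renaming it to `host_t *other_host` avoids a misleading signature. update_ts() ignores the result of `iterator->current()`, so `ts` is used uninitialised if that call can fail, which this hunk does not show.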
@@ -263,6 +314,50 @@ static status_t destroy(private_policy_t *this)
return SUCCESS;
}
+/**
+ * Implements policy_t.clone.
+ */
+static policy_t *clone(private_policy_t *this)
+{
+ private_policy_t *clone = (private_policy_t*)policy_create(this->my_id->clone(this->my_id),
+ this->other_id->clone(this->other_id));
+ iterator_t *iterator;
+ proposal_t *proposal;
+ traffic_selector_t *ts;
+
+ /* clone all proposals */
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->has_next(iterator))
+ {
+ iterator->current(iterator, (void**)&proposal);
+ proposal = proposal->clone(proposal);
+ clone->proposals->insert_last(clone->proposals, (void*)proposal);
+ }
+ iterator->destroy(iterator);
+
+ /* clone all local traffic selectors */
+ iterator = this->my_ts->create_iterator(this->my_ts, TRUE);
+ while (iterator->has_next(iterator))
+ {
+ iterator->current(iterator, (void**)&ts);
+ ts = ts->clone(ts);
+ clone->my_ts->insert_last(clone->my_ts, (void*)ts);
+ }
+ iterator->destroy(iterator);
+
+ /* clone all remote traffic selectors */
+ iterator = this->other_ts->create_iterator(this->other_ts, TRUE);
+ while (iterator->has_next(iterator))
+ {
+ iterator->current(iterator, (void**)&ts);
+ ts = ts->clone(ts);
+ clone->other_ts->insert_last(clone->other_ts, (void*)ts);
+ }
+ iterator->destroy(iterator);
+
+ return &clone->public;
+}
+
/*
* Described in header-file
*/
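Review bot: The two traffic-selector loops in clone() are identical except for the list they walk, so a fix to one is easy to miss in the other. I would move the loop into a small static helper and call it once for `my_ts` and once for `other_ts`, as sketched below. The proposal loop copies a different element type and can stay as it is.

```c
/* copies every traffic selector of src into dst */
static void clone_ts_list(linked_list_t *src, linked_list_t *dst)
{
	traffic_selector_t *ts;
	iterator_t *iterator = src->create_iterator(src, TRUE);

	while (iterator->has_next(iterator))
	{
		iterator->current(iterator, (void**)&ts);
		dst->insert_last(dst, (void*)ts->clone(ts));
	}
	iterator->destroy(iterator);
}

static policy_t *clone(private_policy_t *this)
{
	/* … unchanged: policy_create() call and proposal loop … */
	clone_ts_list(this->my_ts, clone->my_ts);
	clone_ts_list(this->other_ts, clone->other_ts);

	return &clone->public;
}
```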
@@ -273,6 +368,10 @@ policy_t *policy_create(identification_t *my_id, identification_t *other_id)
/* public functions */
this->public.get_my_id = (identification_t*(*)(policy_t*))get_my_id;
this->public.get_other_id = (identification_t*(*)(policy_t*))get_other_id;
+ this->public.update_my_id = (void(*)(policy_t*,identification_t*))update_my_id;
+ this->public.update_other_id = (void(*)(policy_t*,identification_t*))update_other_id;
+ this->public.update_my_ts = (void(*)(policy_t*,host_t*))update_my_ts;
+ this->public.update_other_ts = (void(*)(policy_t*,host_t*))update_other_ts;
this->public.get_my_traffic_selectors = (linked_list_t*(*)(policy_t*))get_my_traffic_selectors;
this->public.select_my_traffic_selectors = (linked_list_t*(*)(policy_t*,linked_list_t*))select_my_traffic_selectors;
this->public.get_other_traffic_selectors = (linked_list_t*(*)(policy_t*))get_other_traffic_selectors;
@@ -282,6 +381,7 @@ policy_t *policy_create(identification_t *my_id, identification_t *other_id)
this->public.add_my_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_my_traffic_selector;
this->public.add_other_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_other_traffic_selector;
this->public.add_proposal = (void(*)(policy_t*,proposal_t*))add_proposal;
+ this->public.clone = (policy_t*(*)(policy_t*))clone;
this->public.destroy = (void(*)(policy_t*))destroy;
/* apply init values */
diff --git a/Source/charon/config/policy.h b/Source/charon/config/policy.h
index ddae051b9..78cda1e8b 100644
--- a/Source/charon/config/policy.h
+++ b/Source/charon/config/policy.h
@@ -64,6 +64,56 @@ struct policy_t {
* @return other id
*/
identification_t *(*get_other_id) (policy_t *this);
+
+ /**
+ * @brief Update own ID.
+ *
+ * It may be necessary to uptdate own ID, as it
+ * is set to %any or to e.g. *@strongswan.org in
+ * some cases.
+ * Old ID is destroyed, new one NOT cloned.
+ *
+ * @param this calling object
+ * @param my_id new ID to set as my_id
+ */
+ void (*update_my_id) (policy_t *this, identification_t *my_id);
+
+ /**
+ * @brief Update others ID.
+ *
+ * It may be necessary to uptdate others ID, as it
+ * is set to %any or to e.g. *@strongswan.org in
+ * some cases.
+ * Old ID is destroyed, new one NOT cloned.
+ *
+ * @param this calling object
+ * @param other_id new ID to set as other_id
+ */
+ void (*update_other_id) (policy_t *this, identification_t *other_id);
+
+ /**
+ * @brief Update own address in traffic selectors.
+ *
+ * Update own 0.0.0.0 address in traffic selectors
+ * with supplied one. The size of the subnet will be
+ * set to /32.
+ *
+ * @param this calling object
+ * @param my_host new address to set in traffic selectors
+ */
+ void (*update_my_ts) (policy_t *this, host_t *my_host);
+
+ /**
+ * @brief Update others address in traffic selectors.
+ *
+ * Update remote 0.0.0.0 address in traffic selectors
+ * with supplied one. The size of the subnet will be
+ * set to /32.
+ *
+ * @param this calling object
+ * @param other_host new address to set in traffic selectors
+ */
+ void (*update_other_ts) (policy_t *this, host_t *other_host);
/**
* @brief Get configured traffic selectors for our site.
@@ -170,7 +220,15 @@ struct policy_t {
void (*add_proposal) (policy_t *this, proposal_t *proposal);
/**
- * @brief Destroys the config object
+ * @brief Clone a policy.
+ *
+ * @param this policy to clone
+ * @return clone of it
+ */
+ policy_t *(*clone) (policy_t *this);
+
+ /**
+ * @brief Destroys the policy object
*
* @param this calling object
*/
diff --git a/Source/charon/config/policy_store.h b/Source/charon/config/policy_store.h
index 1c4402393..467e27d1d 100755
--- a/Source/charon/config/policy_store.h
+++ b/Source/charon/config/policy_store.h
@@ -30,10 +30,10 @@
typedef struct policy_store_t policy_store_t;
/**
- * @brief The interface for a store of polcy_t's.
+ * @brief The interface for a store of policy_t's.
*
* @b Constructors:
- * - policy_store_create()
+ * - stroke_create()
*
* @ingroup config
*/
@@ -42,6 +42,9 @@ struct policy_store_t {
/**
* @brief Returns a policy identified by two IDs.
*
+ * The returned policy gets created/cloned and therefore must be
+ * destroyed by the caller.
+ *
* @param this calling object
* @param my_id own ID of the policy
* @param other_id others ID of the policy
diff --git a/Source/charon/config/proposal.c b/Source/charon/config/proposal.c
index a547583d9..e5a8a64cc 100644
--- a/Source/charon/config/proposal.c
+++ b/Source/charon/config/proposal.c
@@ -533,6 +533,50 @@ static u_int64_t get_spi(private_proposal_t *this, protocol_id_t proto)
}
/**
+ * Clone a algorithm list
+ */
+static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
+{
+ algorithm_t *algo, *clone_algo;
+ iterator_t *iterator = list->create_iterator(list, TRUE);
+ while (iterator->has_next(iterator))
+ {
+ iterator->current(iterator, (void**)&algo);
+ clone_algo = allocator_alloc_thing(algorithm_t);
+ memcpy(clone_algo, algo, sizeof(algorithm_t));
+ clone_list->insert_last(clone_list, (void*)clone_algo);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implements proposal_t.clone
+ */
+static proposal_t *clone(private_proposal_t *this)
+{
+ private_proposal_t *clone = (private_proposal_t*)proposal_create(this->number);
+
+ iterator_t *iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE);
+ while (iterator->has_next(iterator))
+ {
+ protocol_proposal_t *proto_prop, *clone_proto_prop;
+ iterator->current(iterator, (void**)&proto_prop);
+
+ clone_proto_prop = get_protocol_proposal(clone, proto_prop->protocol, TRUE);
+ memcpy(clone_proto_prop->spi.ptr, proto_prop->spi.ptr, clone_proto_prop->spi.len);
+
+ clone_algo_list(proto_prop->encryption_algos, clone_proto_prop->encryption_algos);
+ clone_algo_list(proto_prop->integrity_algos, clone_proto_prop->integrity_algos);
+ clone_algo_list(proto_prop->prf_algos, clone_proto_prop->prf_algos);
+ clone_algo_list(proto_prop->dh_groups, clone_proto_prop->dh_groups);
+ clone_algo_list(proto_prop->esns, clone_proto_prop->esns);
+ }
+ iterator->destroy(iterator);
+
+ return &clone->public;
+}
+
+/**
* Frees all list items and destroys the list
*/
static void free_algo_list(linked_list_t *list)
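Review bot: The SPI copy in clone() takes its length from the destination, `clone_proto_prop->spi.len`, and reads that many bytes from `proto_prop->spi.ptr` without comparing the two lengths. If get_protocol_proposal() ever sizes the new chunk differently from the source (its body is not in this hunk), the memcpy reads past the source buffer; its return value is also dereferenced without a NULL check. Guarding the copy with `if (proto_prop->spi.len == clone_proto_prop->spi.len)` keeps it bounded, or the size assumption can be documented next to the call.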
@@ -586,6 +630,7 @@ proposal_t *proposal_create(u_int8_t number)
this->public.get_protocols = (void(*)(proposal_t *this, protocol_id_t ids[2]))get_protocols;
this->public.set_spi = (void(*)(proposal_t*,protocol_id_t,u_int64_t spi))set_spi;
this->public.get_spi = (u_int64_t(*)(proposal_t*,protocol_id_t))get_spi;
+ this->public.clone = (proposal_t*(*)(proposal_t*))clone;
this->public.destroy = (void(*)(proposal_t*))destroy;
/* init private members*/
diff --git a/Source/charon/config/proposal.h b/Source/charon/config/proposal.h
index 48ed4ea79..e2a4856e9 100644
--- a/Source/charon/config/proposal.h
+++ b/Source/charon/config/proposal.h
@@ -237,6 +237,14 @@ struct proposal_t {
void (*set_spi) (proposal_t *this, protocol_id_t proto, u_int64_t spi);
/**
+ * @brief Clone a proposal.
+ *
+ * @param this proposal to clone
+ * @return clone of it
+ */
+ proposal_t *(*clone) (proposal_t *this);
+
+ /**
* @brief Destroys the proposal object.
*
* @param this calling object
diff --git a/Source/charon/config/traffic_selector.c b/Source/charon/config/traffic_selector.c
index 317b7a38e..0b8193135 100644
--- a/Source/charon/config/traffic_selector.c
+++ b/Source/charon/config/traffic_selector.c
@@ -225,7 +225,7 @@ static u_int8_t get_netmask(private_traffic_selector_t *this)
return bit;
}
}
- return 0;
+ return 32;
}
case TS_IPV6_ADDR_RANGE:
default:
@@ -236,6 +236,24 @@ static u_int8_t get_netmask(private_traffic_selector_t *this)
}
/**
+ * Implements traffic_selector_t.update_address_range.
+ */
+static void update_address_range(private_traffic_selector_t *this, host_t *host)
+{
+ if (host->get_family(host) == AF_INET &&
+ this->type == TS_IPV4_ADDR_RANGE)
+ {
+ if (this->from_addr_ipv4 == 0)
+ {
+ chunk_t from = host->get_address_as_chunk(host);
+ this->from_addr_ipv4 = ntohl(*((u_int32_t*)from.ptr));
+ this->to_addr_ipv4 = this->from_addr_ipv4;
+ allocator_free_chunk(&from);
+ }
+ }
+}
+
+/**
* Implements traffic_selector_t.clone.
*/
static traffic_selector_t *clone(private_traffic_selector_t *this)
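Review bot: update_address_range() dereferences `from.ptr` as a u_int32_t without checking `from.len` or alignment, so a chunk shorter than four bytes or an unaligned buffer is read incorrectly. Copying through a local avoids both: `u_int32_t addr;`, `memcpy(&addr, from.ptr, sizeof(addr));`, `this->from_addr_ipv4 = ntohl(addr);`, preceded by a check that `from.len >= sizeof(addr)`. The same cast appears in traffic_selector_create_from_subnet() in the next hunk. Only from_addr_ipv4 is tested against 0, so any selector whose range starts at 0.0.0.0 is narrowed to a single host; the comment should say whether that is intended.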
@@ -315,7 +333,15 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, u_int8_t ne
this->type = TS_IPV4_ADDR_RANGE;
from = net->get_address_as_chunk(net);
this->from_addr_ipv4 = ntohl(*((u_int32_t*)from.ptr));
- this->to_addr_ipv4 = this->from_addr_ipv4 | ((1 << (32 - netbits)) - 1);
+ if (this->from_addr_ipv4 == 0)
+ {
+ /* use /32 for 0.0.0.0 */
+ this->to_addr_ipv4 = 0xFFFFFF;
+ }
+ else
+ {
+ this->to_addr_ipv4 = this->from_addr_ipv4 | ((1 << (32 - netbits)) - 1);
+ }
allocator_free_chunk(&from);
break;
}
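Review bot: The constant assigned for a 0.0.0.0 network, `this->to_addr_ipv4 = 0xFFFFFF;`, has six hex digits, which ends the range at 0.255.255.255, while the comment beside it says /32; the two do not agree. Since the selector range decides which traffic the policy covers, the intended value should be spelled out, for example `0xFFFFFFFF` if the whole address space is meant, and the comment corrected to match. In the else branch, `1 << (32 - netbits)` is undefined for a netbits of 0 and for values above 32, so netbits needs a range check before the shift. The enclosing function starts and ends outside this hunk.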
@@ -386,6 +412,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts
this->public.get_type = (ts_type_t(*)(traffic_selector_t*))get_type;
this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol;
this->public.get_netmask = (u_int8_t(*)(traffic_selector_t*))get_netmask;
+ this->public.update_address_range = (void(*)(traffic_selector_t*,host_t*))update_address_range;
this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone;
this->public.destroy = (void(*)(traffic_selector_t*))destroy;
diff --git a/Source/charon/config/traffic_selector.h b/Source/charon/config/traffic_selector.h
index 2980520ce..7e59b53fc 100644
--- a/Source/charon/config/traffic_selector.h
+++ b/Source/charon/config/traffic_selector.h
@@ -169,12 +169,27 @@ struct traffic_selector_t {
*
* Returns the number of bits associated to the subnet.
* (As the "24" in "192.168.0.0/24"). This is approximated
- * if the address range is not a complete subnet!
+ * if the address range is not a complete subnet! Since Linux
+ * does not support full IP address ranges (yet), we can't do this
+ * (much) better.
*
* @param this calling obect
* @return netmask as "bits for subnet"
*/
u_int8_t (*get_netmask) (traffic_selector_t *this);
+
+ /**
+ * @brief Update the address of a traffic selector.
+ *
+ * Update the address range of a traffic selector,
+ * if the current address is 0.0.0.0. The new address range
+ * starts from the supplied address and also ends there
+ * (which means it is a one-host-address-range ;-).
+ *
+ * @param this calling obect
+ * @param host host_t specifying the address range
+ */
+ void (*update_address_range) (traffic_selector_t *this, host_t* host);
/**
* @brief Destroys the ts object
@@ -222,6 +237,22 @@ traffic_selector_t *traffic_selector_create_from_string(u_int8_t protocol, ts_ty
*/
traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol, ts_type_t type, chunk_t from_address, int16_t from_port, chunk_t to_address, u_int16_t to_port);
+/**
+ * @brief Create a new traffic selector defining a whole subnet.
+ *
+ * In most cases, definition of a traffic selector for full subnets
+ * is sufficient. This constructor creates a traffic selector for
+ * all protocols, all ports and the address range specified by the
+ * subnet.
+ *
+ * @param net subnet to use
+ * @param netbits size of the subnet, as used in e.g. 192.168.0.0/24 notation
+ * @return
+ * - traffic_selector_t object
+ * - NULL if address family of net not supported
+ *
+ * @ingroup config
+ */
traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, u_int8_t netbits);
#endif /* TRAFFIC_SELECTOR_H_ */