diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2011-10-21 13:38:26 +0200 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2011-10-21 14:18:53 +0200 |
| commit | 99d23ddf45ddb0d483386b5f8e3a2faba792e666 (patch) | |
| tree | aa58249d12d38dffb2e10e9f151cf3ca59f388f0 /src/libhydra/plugins/kernel_netlink | |
| parent | 0b0f466bbc9d63b84fd9e893c0eccddb92202c8a (diff) | |
| download | strongswan-99d23ddf45ddb0d483386b5f8e3a2faba792e666.tar.bz2 strongswan-99d23ddf45ddb0d483386b5f8e3a2faba792e666.tar.xz | |
Implemented flushing of states and policies via XFRM.
Diffstat (limited to 'src/libhydra/plugins/kernel_netlink')
| -rw-r--r-- | src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 1ca1d6816..772e5202b 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1958,6 +1958,33 @@ failed: return status; } +METHOD(kernel_ipsec_t, flush_sas, status_t, + private_kernel_netlink_ipsec_t *this) +{ + netlink_buf_t request; + struct nlmsghdr *hdr; + struct xfrm_usersa_flush *flush; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "flushing all SAD entries"); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_type = XFRM_MSG_FLUSHSA; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush)); + + flush = (struct xfrm_usersa_flush*)NLMSG_DATA(hdr); + flush->proto = IPSEC_PROTO_ANY; + + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) + { + DBG1(DBG_KNL, "unable to flush SAD entries"); + return FAILED; + } + return SUCCESS; +} + /** * Add or update a policy in the kernel. * @@ -2553,6 +2580,33 @@ METHOD(kernel_ipsec_t, del_policy, status_t, return SUCCESS; } +METHOD(kernel_ipsec_t, flush_policies, status_t, + private_kernel_netlink_ipsec_t *this) +{ + netlink_buf_t request; + struct nlmsghdr *hdr; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "flushing all policies from SPD"); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_type = XFRM_MSG_FLUSHPOLICY; + hdr->nlmsg_len = NLMSG_LENGTH(0); /* no data associated */ + + /* by adding an rtattr of type XFRMA_POLICY_TYPE we could restrict this + * to main or sub policies (default is main) */ + + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) + { + DBG1(DBG_KNL, "unable to flush SPD entries"); + return FAILED; + } + return SUCCESS; +} + + METHOD(kernel_ipsec_t, bypass_socket, bool, private_kernel_netlink_ipsec_t *this, int fd, int family) { @@ -2639,9 +2693,11 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() .update_sa = _update_sa, .query_sa = _query_sa, .del_sa = _del_sa, + .flush_sas = _flush_sas, .add_policy = _add_policy, .query_policy = _query_policy, .del_policy = _del_policy, + .flush_policies = _flush_policies, .bypass_socket = _bypass_socket, .destroy = _destroy, }, |