Diffstat (limited to 'src/charon/network')
-rw-r--r--src/charon/network/Makefile.network24
-rw-r--r--src/charon/network/packet.c189
-rw-r--r--src/charon/network/packet.h135
-rw-r--r--src/charon/network/socket.c456
-rw-r--r--src/charon/network/socket.h128
5 files changed, 932 insertions, 0 deletions
diff --git a/src/charon/network/Makefile.network b/src/charon/network/Makefile.network
new file mode 100644
index 000000000..fd99bd085
--- /dev/null
+++ b/src/charon/network/Makefile.network
@@ -0,0 +1,24 @@
+# Copyright (C) 2005 Jan Hutter, Martin Willi
+# Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+
+NETWORK_DIR= $(CHARON_DIR)network/
+
+
+CHARON_OBJS+= $(BUILD_DIR)packet.o
+$(BUILD_DIR)packet.o : $(NETWORK_DIR)packet.c $(NETWORK_DIR)packet.h
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+CHARON_OBJS+= $(BUILD_DIR)socket.o
+$(BUILD_DIR)socket.o : $(NETWORK_DIR)socket.c $(NETWORK_DIR)socket.h
+ $(CC) $(CFLAGS) -c -o $@ $< \ No newline at end of file
diff --git a/src/charon/network/packet.c b/src/charon/network/packet.c
new file mode 100644
index 000000000..6aaeca190
--- /dev/null
+++ b/src/charon/network/packet.c
@@ -0,0 +1,189 @@
+/**
+ * @file packet.c
+ *
+ * @brief Implementation of packet_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "packet.h"
+
+
+typedef struct private_packet_t private_packet_t;
+
+/**
+ * Private data of an packet_t object.
+ */
+struct private_packet_t {
+
+ /**
+ * Public part of a packet_t object.
+ */
+ packet_t public;
+
+ /**
+ * source address
+ */
+ host_t *source;
+
+ /**
+ * destination address
+ */
+ host_t *destination;
+
+ /**
+ * message data
+ */
+ chunk_t data;
+};
+
+/**
+ * Implements packet_t.get_source
+ */
+static void set_source(private_packet_t *this, host_t *source)
+{
+ if (this->source)
+ {
+ this->source->destroy(this->source);
+ }
+ this->source = source;
+}
+
+/**
+ * Implements packet_t.set_destination
+ */
+static void set_destination(private_packet_t *this, host_t *destination)
+{
+ if (this->destination)
+ {
+ this->destination->destroy(this->destination);
+ }
+ this->destination = destination;
+}
+
+/**
+ * Implements packet_t.get_source
+ */
+static host_t *get_source(private_packet_t *this)
+{
+ return this->source;
+}
+
+/**
+ * Implements packet_t.get_destination
+ */
+static host_t *get_destination(private_packet_t *this)
+{
+ return this->destination;
+}
+
+/**
+ * Implements packet_t.get_data
+ */
+static chunk_t get_data(private_packet_t *this)
+{
+ return this->data;
+}
+
+/**
+ * Implements packet_t.set_data
+ */
+static void set_data(private_packet_t *this, chunk_t data)
+{
+ free(this->data.ptr);
+ this->data = data;
+}
+
+/**
+ * Implements packet_t.destroy.
+ */
+static void destroy(private_packet_t *this)
+{
+ if (this->source != NULL)
+ {
+ this->source->destroy(this->source);
+ }
+ if (this->destination != NULL)
+ {
+ this->destination->destroy(this->destination);
+ }
+ free(this->data.ptr);
+ free(this);
+}
+
+/**
+ * Implements packet_t.clone.
+ */
+static packet_t *clone(private_packet_t *this)
+{
+ private_packet_t *other = (private_packet_t*)packet_create();
+
+ if (this->destination != NULL)
+ {
+ other->destination = this->destination->clone(this->destination);
+ }
+ else
+ {
+ other->destination = NULL;
+ }
+
+ if (this->source != NULL)
+ {
+ other->source = this->source->clone(this->source);
+ }
+ else
+ {
+ other->source = NULL;
+ }
+
+ /* only clone existing chunks :-) */
+ if (this->data.ptr != NULL)
+ {
+ other->data.ptr = clalloc(this->data.ptr,this->data.len);
+ other->data.len = this->data.len;
+ }
+ else
+ {
+ other->data = CHUNK_INITIALIZER;
+ }
+ return &(other->public);
+}
+
+
+/*
+ * Documented in header
+ */
+packet_t *packet_create(void)
+{
+ private_packet_t *this = malloc_thing(private_packet_t);
+
+ this->public.set_data = (void(*) (packet_t *,chunk_t)) set_data;
+ this->public.get_data = (chunk_t(*) (packet_t *)) get_data;
+ this->public.set_source = (void(*) (packet_t *,host_t*)) set_source;
+ this->public.get_source = (host_t*(*) (packet_t *)) get_source;
+ this->public.set_destination = (void(*) (packet_t *,host_t*)) set_destination;
+ this->public.get_destination = (host_t*(*) (packet_t *)) get_destination;
+ this->public.clone = (packet_t*(*) (packet_t *))clone;
+ this->public.destroy = (void(*) (packet_t *)) destroy;
+
+ this->destination = NULL;
+ this->source = NULL;
+ this->data = CHUNK_INITIALIZER;
+
+ return &(this->public);
+}
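Review bot: The comment above set_source reads `Implements packet_t.get_source`; it should read `Implements packet_t.set_source` (the getter further down carries the same text, where it is correct). In clone(), the `else` branches that assign `other->destination = NULL` and `other->source = NULL` repeat what packet_create() already did a few lines earlier, so they can be dropped if a comment such as `/* packet_create() leaves source, destination and data empty */` is placed above the first `if`. The ownership behaviour of set_source/set_destination/set_data (the previous host or buffer is released before the new one is stored) matches what packet.h promises and is worth keeping as is.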
diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h
new file mode 100644
index 000000000..9510ecd87
--- /dev/null
+++ b/src/charon/network/packet.h
@@ -0,0 +1,135 @@
+/**
+ * @file packet.h
+ *
+ * @brief Interface of packet_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PACKET_H_
+#define PACKET_H_
+
+
+#include <types.h>
+#include <utils/host.h>
+
+
+typedef struct packet_t packet_t;
+
+/**
+ * @brief Abstraction of an UDP-Packet, contains data, sender and receiver.
+ *
+ * @b Constructors:
+ * - packet_create()
+ *
+ * @ingroup network
+ */
+struct packet_t {
+
+ /**
+ * @brief Set the source address.
+ *
+ * Set host_t is now owned by packet_t, it will destroy
+ * it if necessary.
+ *
+ * @param this calling object
+ * @param source address to set as source
+ */
+ void (*set_source) (packet_t *packet, host_t *source);
+
+ /**
+ * @brief Set the destination address.
+ *
+ * Set host_t is now owned by packet_t, it will destroy
+ * it if necessary.
+ *
+ * @param this calling object
+ * @param source address to set as destination
+ */
+ void (*set_destination) (packet_t *packet, host_t *destination);
+
+ /**
+ * @brief Get the source address.
+ *
+ * Set host_t is still owned by packet_t, clone it
+ * if needed.
+ *
+ * @param this calling object
+ * @return source address
+ */
+ host_t *(*get_source) (packet_t *packet);
+
+ /**
+ * @brief Get the destination address.
+ *
+ * Set host_t is still owned by packet_t, clone it
+ * if needed.
+ *
+ * @param this calling object
+ * @return destination address
+ */
+ host_t *(*get_destination) (packet_t *packet);
+
+ /**
+ * @brief Get the data from the packet.
+ *
+ * The data pointed by the chunk is still owned
+ * by the packet. Clone it if needed.
+ *
+ * @param this calling object
+ * @return chunk containing the data
+ */
+ chunk_t (*get_data) (packet_t *packet);
+
+ /**
+ * @brief Set the data in the packet.
+ *
+ * Supplied chunk data is now owned by the
+ * packet. It will free it.
+ *
+ * @param this calling object
+ * @param data chunk with data to set
+ */
+ void (*set_data) (packet_t *packet, chunk_t data);
+
+ /**
+ * @brief Clones a packet_t object.
+ *
+ * @param packet calling object
+ * @param clone pointer to a packet_t object pointer where the new object is stored
+ */
+ packet_t* (*clone) (packet_t *packet);
+
+ /**
+ * @brief Destroy the packet, freeing contained data.
+ *
+ * @param packet packet to destroy
+ */
+ void (*destroy) (packet_t *packet);
+};
+
+/**
+ * @brief create an empty packet
+ *
+ * @return packet_t object
+ *
+ * @ingroup network
+ */
+packet_t *packet_create(void);
+
+
+#endif /*PACKET_H_*/
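Review bot: The Doxygen tags on packet_t do not match the member signatures: `@param this` is used throughout while every member names its first parameter `packet`, set_destination documents `@param source` for its `destination` argument, and clone documents a `@param clone` out-parameter although the member returns the new object and takes only `packet`. Suggest `@return cloned packet_t, owned by the caller` on clone and renaming the other tags to the real parameter names so the generated documentation is not misleading. The ownership sentences ("Set host_t is now owned by packet_t") are the useful part of these blocks and agree with packet.c, which destroys the previously held host or data buffer before storing the new one.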
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
new file mode 100644
index 000000000..4193e6fd8
--- /dev/null
+++ b/src/charon/network/socket.c
@@ -0,0 +1,456 @@
+/**
+ * @file socket.c
+ *
+ * @brief Implementation of socket_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ *
+ * Some parts of interface lookup code from pluto.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <net/if.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <linux/filter.h>
+
+#include "socket.h"
+
+#include <daemon.h>
+#include <utils/logger_manager.h>
+
+
+#define IP_HEADER_LENGTH 20
+#define UDP_HEADER_LENGTH 8
+
+
+/**
+ * This filter code filters out all non-IKEv2 traffic on
+ * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
+ * IKE versions is done in pluto.
+ */
+struct sock_filter ikev2_filter_code[] =
+{
+ /* Protocol must be UDP */
+ BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 9),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_UDP, 0, 7),
+ /* Destination Port must be 500 */
+ BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 22),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 500, 0, 5),
+ /* IKE version must be 2.0 */
+ BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 45),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3),
+ /* packet length is length in IKEv2 header + ip header + udp header */
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 52),
+ BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, IP_HEADER_LENGTH + UDP_HEADER_LENGTH),
+ BPF_STMT(BPF_RET+BPF_A, 0),
+ /* packet doesn't match IKEv2, ignore */
+ BPF_STMT(BPF_RET+BPF_K, 0),
+};
+
+/**
+ * Filter struct to use with setsockopt
+ */
+struct sock_fprog ikev2_filter = {
+ sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
+ ikev2_filter_code
+};
+
+
+typedef struct interface_t interface_t;
+
+/**
+ * An interface on which we listen.
+ */
+struct interface_t {
+
+ /**
+ * Name of the interface
+ */
+ char name[IFNAMSIZ];
+
+ /**
+ * Associated socket
+ */
+ int socket_fd;
+
+ /**
+ * Host with listening address
+ */
+ host_t *address;
+};
+
+typedef struct private_socket_t private_socket_t;
+
+/**
+ * Private data of an socket_t object
+ */
+struct private_socket_t{
+ /**
+ * public functions
+ */
+ socket_t public;
+
+ /**
+ * Master socket
+ */
+ int master_fd;
+
+ /**
+ * List of all socket to listen
+ */
+ linked_list_t* interfaces;
+
+ /**
+ * logger for this socket
+ */
+ logger_t *logger;
+};
+
+/**
+ * implementation of socket_t.receive
+ */
+static status_t receiver(private_socket_t *this, packet_t **packet)
+{
+ char buffer[MAX_PACKET];
+ chunk_t data;
+ packet_t *pkt = packet_create();
+ host_t *source, *dest;
+ int bytes_read = 0;
+
+
+ while (bytes_read >= 0)
+ {
+ int max_fd = 1;
+ fd_set readfds;
+ iterator_t *iterator;
+ int oldstate;
+ interface_t *interface;
+
+ /* build fd_set */
+ FD_ZERO(&readfds);
+ iterator = this->interfaces->create_iterator(this->interfaces, TRUE);
+ while (iterator->has_next(iterator))
+ {
+ iterator->current(iterator, (void**)&interface);
+ FD_SET(interface->socket_fd, &readfds);
+ if (interface->socket_fd > max_fd)
+ {
+ max_fd = interface->socket_fd + 1;
+ }
+ }
+ iterator->destroy(iterator);
+
+ /* add packet destroy handler for cancellation, enable cancellation */
+ pthread_cleanup_push((void(*)(void*))pkt->destroy, (void*)pkt);
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+
+ this->logger->log(this->logger, CONTROL|LEVEL1, "waiting on sockets");
+ bytes_read = select(max_fd, &readfds, NULL, NULL, NULL);
+
+ /* reset cancellation, remove packet destroy handler (without executing) */
+ pthread_setcancelstate(oldstate, NULL);
+ pthread_cleanup_pop(0);
+
+ /* read on the first nonblocking socket */
+ bytes_read = 0;
+ iterator = this->interfaces->create_iterator(this->interfaces, TRUE);
+ while (iterator->has_next(iterator))
+ {
+ iterator->current(iterator, (void**)&interface);
+ if (FD_ISSET(interface->socket_fd, &readfds))
+ {
+ /* do the read */
+ bytes_read = recv(interface->socket_fd, buffer, MAX_PACKET, 0);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (bytes_read < 0)
+ {
+ this->logger->log(this->logger, ERROR, "error reading from socket: %s", strerror(errno));
+ continue;
+ }
+ if (bytes_read > IP_HEADER_LENGTH + UDP_HEADER_LENGTH)
+ {
+ /* read source/dest from raw IP/UDP header */
+ chunk_t source_chunk = {buffer + 12, 4};
+ chunk_t dest_chunk = {buffer + 16, 4};
+ u_int16_t source_port = ntohs(*(u_int16_t*)(buffer + 20));
+ u_int16_t dest_port = ntohs(*(u_int16_t*)(buffer + 22));
+ source = host_create_from_chunk(AF_INET, source_chunk, source_port);
+ dest = host_create_from_chunk(AF_INET, dest_chunk, dest_port);
+ pkt->set_source(pkt, source);
+ pkt->set_destination(pkt, dest);
+ break;
+ }
+ this->logger->log(this->logger, ERROR|LEVEL1, "too short packet received");
+ }
+
+ this->logger->log(this->logger, CONTROL, "received packet: from %s:%d to %s:%d",
+ source->get_address(source), source->get_port(source),
+ dest->get_address(dest), dest->get_port(dest));
+
+ /* fill in packet */
+ data.len = bytes_read - IP_HEADER_LENGTH - UDP_HEADER_LENGTH;
+ data.ptr = malloc(data.len);
+ memcpy(data.ptr, buffer + IP_HEADER_LENGTH + UDP_HEADER_LENGTH, data.len);
+ pkt->set_data(pkt, data);
+
+ /* return packet */
+ *packet = pkt;
+
+ return SUCCESS;
+}
+
+/**
+ * implementation of socket_t.send
+ */
+status_t sender(private_socket_t *this, packet_t *packet)
+{
+ ssize_t bytes_sent;
+ chunk_t data;
+ host_t *src, *dst;
+
+ src = packet->get_source(packet);
+ dst = packet->get_destination(packet);
+ data = packet->get_data(packet);
+
+ this->logger->log(this->logger, CONTROL, "sending packet: from %s:%d to %s:%d",
+ src->get_address(src), src->get_port(src),
+ dst->get_address(dst), dst->get_port(dst));
+
+ /* send data */
+ /* TODO: should we send via the interface we received the packet? */
+ bytes_sent = sendto(this->master_fd, data.ptr, data.len, 0,
+ dst->get_sockaddr(dst), *(dst->get_sockaddr_len(dst)));
+
+ if (bytes_sent != data.len)
+ {
+ this->logger->log(this->logger, ERROR, "error writing to socket: %s", strerror(errno));
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Find all suitable interfaces, bind them and add them to the list
+ */
+static status_t build_interface_list(private_socket_t *this, u_int16_t port)
+{
+ int on = TRUE;
+ int i;
+ struct sockaddr_in addr;
+ struct ifconf ifconf;
+ struct ifreq buf[300];
+
+ /* master socket for querying socket for a specific interfaces */
+ this->master_fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ if (this->master_fd == -1)
+ {
+ this->logger->log(this->logger, ERROR, "could not open IPv4 master socket!");
+ return FAILED;
+ }
+
+ /* allow binding of multiplo sockets */
+ if (setsockopt(this->master_fd, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
+ {
+ this->logger->log(this->logger, ERROR, "unable to set SO_REUSEADDR on master socket!");
+ return FAILED;
+ }
+
+ /* bind the master socket */
+ addr.sin_family = AF_INET;
+ addr.sin_addr.s_addr = INADDR_ANY;
+ addr.sin_port = htons(port);
+ if (bind(this->master_fd,(struct sockaddr*)&addr, sizeof(addr)) < 0)
+ {
+ this->logger->log(this->logger, ERROR, "unable to bind master socket: %s!", strerror(errno));
+ return FAILED;
+ }
+
+ /* get all interfaces */
+ ifconf.ifc_len = sizeof(buf);
+ ifconf.ifc_buf = (void*) buf;
+ memset(buf, 0, sizeof(buf));
+ if (ioctl(this->master_fd, SIOCGIFCONF, &ifconf) == -1)
+ {
+ this->logger->log(this->logger, ERROR, "unable to get interfaces!");
+ return FAILED;
+ }
+
+ /* add every interesting interfaces to our interface list */
+ for (i = 0; (i+1) * sizeof(*buf) <= (size_t)ifconf.ifc_len; i++)
+ {
+ struct sockaddr_in *current = (struct sockaddr_in*) &buf[i].ifr_addr;
+ struct ifreq auxinfo;
+ int skt;
+ interface_t *interface;
+
+ if (current->sin_family != AF_INET)
+ {
+ /* ignore all but AF_INET interfaces */
+ continue;
+ }
+
+ /* get auxilary info about socket */
+ memset(&auxinfo, 0, sizeof(auxinfo));
+ memcpy(auxinfo.ifr_name, buf[i].ifr_name, IFNAMSIZ);
+ if (ioctl(this->master_fd, SIOCGIFFLAGS, &auxinfo) == -1)
+ {
+ this->logger->log(this->logger, ERROR, "unable to SIOCGIFFLAGS master socket!");
+ continue;
+ }
+ if (!(auxinfo.ifr_flags & IFF_UP))
+ {
+ /* ignore an interface that isn't up */
+ continue;
+ }
+ if (current->sin_addr.s_addr == 0)
+ {
+ /* ignore unconfigured interfaces */
+ continue;
+ }
+
+ /* set up interface socket */
+ skt = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
+ if (socket < 0)
+ {
+ this->logger->log(this->logger, ERROR, "unable to open interface socket!");
+ continue;
+ }
+ if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
+ {
+ this->logger->log(this->logger, ERROR, "unable to set SO_REUSEADDR on interface socket!");
+ close(skt);
+ continue;
+ }
+ current->sin_port = htons(port);
+ current->sin_family = AF_INET;
+ if (bind(skt, (struct sockaddr*)current, sizeof(struct sockaddr_in)) < 0)
+ {
+ this->logger->log(this->logger, ERROR, "unable to bind interface socket!");
+ close(skt);
+ continue;
+ }
+
+ if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER, &ikev2_filter, sizeof(ikev2_filter)) < 0)
+ {
+ this->logger->log(this->logger, ERROR, "unable to attack IKEv2 filter to interface socket!");
+ close(skt);
+ continue;
+ }
+
+ /* add socket with interface name to list */
+ interface = malloc_thing(interface_t);
+ strncpy(interface->name, buf[i].ifr_name, IFNAMSIZ);
+ interface->socket_fd = skt;
+ interface->address = host_create_from_sockaddr((struct sockaddr*)current);
+ this->logger->log(this->logger, CONTROL, "listening on %s (%s)",
+ interface->name, interface->address->get_address(interface->address));
+ this->interfaces->insert_last(this->interfaces, (void*)interface);
+ }
+
+ if (this->interfaces->get_count(this->interfaces) == 0)
+ {
+ this->logger->log(this->logger, ERROR, "unable to find any usable interface!");
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * implementation of socket_t.is_listening_on
+ */
+static bool is_listening_on(private_socket_t *this, host_t *host)
+{
+ iterator_t *iterator;
+
+ /* listening on 0.0.0.0 is always TRUE */
+ if (host->is_default_route(host))
+ {
+ return TRUE;
+ }
+
+ /* compare host with all interfaces */
+ iterator = this->interfaces->create_iterator(this->interfaces, TRUE);
+ while (iterator->has_next(iterator))
+ {
+ interface_t *interface;
+ iterator->current(iterator, (void**)&interface);
+ if (host->equals(host, interface->address))
+ {
+ iterator->destroy(iterator);
+ return TRUE;
+ }
+ }
+ iterator->destroy(iterator);
+ return FALSE;
+}
+
+/**
+ * implementation of socket_t.destroy
+ */
+static void destroy(private_socket_t *this)
+{
+ interface_t *interface;
+ while (this->interfaces->remove_last(this->interfaces, (void**)&interface) == SUCCESS)
+ {
+ interface->address->destroy(interface->address);
+ close(interface->socket_fd);
+ free(interface);
+ }
+ this->interfaces->destroy(this->interfaces);
+ close(this->master_fd);
+ free(this);
+}
+
+/*
+ * See header for description
+ */
+socket_t *socket_create(u_int16_t port)
+{
+ private_socket_t *this = malloc_thing(private_socket_t);
+
+ /* public functions */
+ this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
+ this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
+ this->public.is_listening_on = (bool (*)(socket_t*,host_t*))is_listening_on;
+ this->public.destroy = (void(*)(socket_t*)) destroy;
+
+ this->logger = logger_manager->get_logger(logger_manager, SOCKET);
+ this->interfaces = linked_list_create();
+
+ if (build_interface_list(this, port) != SUCCESS)
+ {
+ this->interfaces->destroy(this->interfaces);
+ free(this);
+ charon->kill(charon, "could not bind any interface!");
+ }
+
+ return (socket_t*)this;
+}
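Review bot: receiver() has no failure path: when recv() fails it logs `error reading from socket` and executes `continue`, which terminates the `while (bytes_read >= 0)` loop, and the code then falls through to the `received packet` log with `source` and `dest` never assigned and a negative `bytes_read` driving `data.len` and the malloc/memcpy. Replace that `continue` with `pkt->destroy(pkt); return FAILED;`, which is the return value socket.h already documents. The select() result is also overwritten unconditionally by `bytes_read = 0;` before the read loop, so a failed select() (EINTR included) is ignored and readfds is consulted in an undefined state; test the select() return before iterating the interfaces. Separately, in build_interface_list() the check after creating the raw socket reads `if (socket < 0)` — that is the function pointer, never negative — and must be `if (skt < 0)`, otherwise a failed socket() call proceeds into setsockopt/bind/SO_ATTACH_FILTER on fd -1 and the interface is added with an invalid descriptor.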
diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h
new file mode 100644
index 000000000..498e7700a
--- /dev/null
+++ b/src/charon/network/socket.h
@@ -0,0 +1,128 @@
+/**
+ * @file socket.h
+ *
+ * @brief Interface for socket_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SOCKET_H_
+#define SOCKET_H_
+
+
+#include <types.h>
+#include <network/packet.h>
+
+
+/**
+ * @brief Maximum size of a packet.
+ *
+ * 3000 Bytes should be sufficient, see IKEv2 RFC.
+ *
+ * @ingroup network
+ */
+#define MAX_PACKET 3000
+
+
+typedef struct socket_t socket_t;
+
+/**
+ * @brief Abstraction all sockets (currently IPv4 only).
+ *
+ * All available IPv4 sockets are bound and the receive function
+ * reads from them. To allow binding of other daemons (pluto) to
+ * UDP/500, this implementation uses RAW sockets. An installed
+ * "Linux socket filter" filters out all non-IKEv2 traffic and handles
+ * just IKEv2 messages. An other daemon (pluto) must handle all traffic
+ * seperatly, e.g. ignore IKEv2 traffic, since charon handles that.
+ *
+ * @b Constructors:
+ * - socket_create()
+ *
+ * @todo add IPv6 support
+ *
+ * @todo We currently use multiple sockets for historic reasons. With the
+ * new RAW socket mechanism, we could use just one socket and filter
+ * addresses in userspace (or via linux socket filter). This would allow
+ * realtime interface/address management in a easy way...
+ *
+ * @ingroup network
+ */
+struct socket_t {
+ /**
+ * @brief Receive a packet.
+ *
+ * Reads a packet from the socket and sets source/dest
+ * appropriately.
+ *
+ * @param sock socket_t object to work on
+ * @param packet pinter gets address from allocated packet_t
+ * @return
+ * - SUCCESS when packet successfully received
+ * - FAILED when unable to receive
+ */
+ status_t (*receive) (socket_t *sock, packet_t **packet);
+
+ /**
+ * @brief Send a packet.
+ *
+ * Sends a packet to the net using destination from the packet.
+ * Packet is sent using default routing mechanisms, thus the
+ * source address in packet is ignored.
+ *
+ * @param sock socket_t object to work on
+ * @param packet[out] packet_t to send
+ * @return
+ * - SUCCESS when packet successfully sent
+ * - FAILED when unable to send
+ */
+ status_t (*send) (socket_t *sock, packet_t *packet);
+
+ /**
+ * @brief Check if socket listens on an address.
+ *
+ * @param sock socket_t object to work on
+ * @param host address to check
+ * @return TRUE if listening on host, FALSE otherwise
+ */
+ bool (*is_listening_on) (socket_t *sock, host_t *host);
+
+ /**
+ * @brief Destroy sockets.
+ *
+ * close sockets and destroy socket_t object
+ *
+ * @param sock socket_t to destroy
+ */
+ void (*destroy) (socket_t *sock);
+};
+
+/**
+ * @brief Create a socket_t, wich binds multiple sockets.
+ *
+ * currently creates one socket, listening on all addresses
+ * on "port".
+ *
+ * @param port port to bind socket to
+ * @return socket_t object
+ *
+ * @ingroup network
+ */
+socket_t *socket_create(u_int16_t port);
+
+
+#endif /*SOCKET_H_*/
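Review bot: `@param packet[out] packet_t to send` on send is wrong: the packet is an input that sender() only reads (get_source/get_destination/get_data), while it is receive's `packet` parameter that is written with a freshly allocated packet_t the caller must destroy. Suggest `@param packet packet_t to send` on send and `@param[out] packet receives the allocated packet_t; caller owns it` on receive. The receive contract would also benefit from stating that the call blocks until an IKEv2 packet arrives and that the wait is a pthread cancellation point, since socket.c enables cancellation around the select() and registers the packet's destroy as cleanup handler; note that the FAILED return documented here is not produced by the current receiver() implementation.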