diff options
Diffstat (limited to 'src/charon/plugins/kernel_netlink')
5 files changed, 310 insertions, 310 deletions
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c index cdd2436c5..bce6016c5 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -75,8 +75,8 @@ #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1)) /** - * returns a pointer to the first rtattr following the nlmsghdr *nlh and the - * 'usual' netlink data x like 'struct xfrm_usersa_info' + * returns a pointer to the first rtattr following the nlmsghdr *nlh and the + * 'usual' netlink data x like 'struct xfrm_usersa_info' */ #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x)))) /** @@ -85,8 +85,8 @@ */ #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len))) /** - * returns the total size of attached rta data - * (after 'usual' netlink data x like 'struct xfrm_usersa_info') + * returns the total size of attached rta data + * (after 'usual' netlink data x like 'struct xfrm_usersa_info') */ #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x)) @@ -100,7 +100,7 @@ struct kernel_algorithm_t { * Identifier specified in IKEv2 */ int ikev2; - + /** * Name of the algorithm in linux crypto API */ @@ -239,10 +239,10 @@ typedef struct route_entry_t route_entry_t; struct route_entry_t { /** Name of the interface the route is bound to */ char *if_name; - + /** Source ip of the route */ host_t *src_ip; - + /** gateway for this route */ host_t *gateway; @@ -271,16 +271,16 @@ typedef struct policy_entry_t policy_entry_t; * installed kernel policy. */ struct policy_entry_t { - + /** direction of this policy: in, out, forward */ u_int8_t direction; - + /** parameters of installed policy */ struct xfrm_selector sel; - + /** associated route installed for this policy */ route_entry_t *route; - + /** by how many CHILD_SA's this policy is used */ u_int refcount; }; @@ -313,32 +313,32 @@ struct private_kernel_netlink_ipsec_t { * Public part of the kernel_netlink_t object. */ kernel_netlink_ipsec_t public; - + /** * mutex to lock access to various lists */ mutex_t *mutex; - + /** * Hash table of installed policies (policy_entry_t) */ hashtable_t *policies; - + /** * job receiving netlink events */ callback_job_t *job; - + /** * Netlink xfrm socket (IPsec) */ netlink_socket_t *socket_xfrm; - + /** * netlink xfrm socket to receive acquire and expire events */ int socket_xfrm_events; - + /** * whether to install routes along policies */ @@ -401,7 +401,7 @@ static u_int8_t mode2kernel(ipsec_mode_t mode) static void host2xfrm(host_t *host, xfrm_address_t *xfrm) { chunk_t chunk = host->get_address(host); - memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t))); + memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t))); } /** @@ -410,7 +410,7 @@ static void host2xfrm(host_t *host, xfrm_address_t *xfrm) static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port) { chunk_t chunk; - + switch (family) { case AF_INET: @@ -428,12 +428,12 @@ static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port) /** * convert a traffic selector address range to subnet and its mask. */ -static void ts2subnet(traffic_selector_t* ts, +static void ts2subnet(traffic_selector_t* ts, xfrm_address_t *net, u_int8_t *mask) { host_t *net_host; chunk_t net_chunk; - + ts->to_subnet(ts, &net_host, mask); net_chunk = net_host->get_address(net_host); memcpy(net, net_chunk.ptr, net_chunk.len); @@ -443,7 +443,7 @@ static void ts2subnet(traffic_selector_t* ts, /** * convert a traffic selector port range to port/portmask */ -static void ts2ports(traffic_selector_t* ts, +static void ts2ports(traffic_selector_t* ts, u_int16_t *port, u_int16_t *mask) { /* linux does not seem to accept complex portmasks. Only @@ -451,10 +451,10 @@ static void ts2ports(traffic_selector_t* ts, * a port range, or to a specific, if we have one port only. */ u_int16_t from, to; - + from = ts->get_from_port(ts); to = ts->get_to_port(ts); - + if (from == to) { *port = htons(from); @@ -470,7 +470,7 @@ static void ts2ports(traffic_selector_t* ts, /** * convert a pair of traffic_selectors to a xfrm_selector */ -static struct xfrm_selector ts2selector(traffic_selector_t *src, +static struct xfrm_selector ts2selector(traffic_selector_t *src, traffic_selector_t *dst) { struct xfrm_selector sel; @@ -485,12 +485,12 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src, ts2ports(src, &sel.sport, &sel.sport_mask); sel.ifindex = 0; sel.user = 0; - + return sel; } /** - * convert a xfrm_selector to a src|dst traffic_selector + * convert a xfrm_selector to a src|dst traffic_selector */ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) { @@ -498,7 +498,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) u_int8_t prefixlen; u_int16_t port = 0; host_t *host = NULL; - + if (src) { addr = (u_char*)&sel->saddr; @@ -517,9 +517,9 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) port = htons(sel->dport); } } - + /* The Linux 2.6 kernel does not set the selector's family field, - * so as a kludge we additionally test the prefix length. + * so as a kludge we additionally test the prefix length. */ if (sel->family == AF_INET || sel->prefixlen_s == 32) { @@ -529,7 +529,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) { host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0); } - + if (host) { return traffic_selector_create_from_subnet(host, prefixlen, @@ -550,7 +550,7 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd struct rtattr *rta; size_t rtasize; job_t *job; - + acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr); rta = XFRM_RTA(hdr, struct xfrm_user_acquire); rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire); @@ -598,21 +598,21 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr protocol_id_t protocol; u_int32_t spi, reqid; struct xfrm_user_expire *expire; - + expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr); protocol = proto_kernel2ike(expire->state.id.proto); spi = expire->state.id.spi; reqid = expire->state.reqid; - + DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE"); - + if (protocol != PROTO_ESP && protocol != PROTO_AH) { DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} " "which is not a CHILD_SA", ntohl(spi), reqid); return; } - + DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}", expire->hard ? "delete" : "rekey", protocol_id_names, protocol, ntohl(spi), reqid); @@ -648,7 +648,7 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id); DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE"); - + src_ts = selector2ts(&policy_id->sel, TRUE); dst_ts = selector2ts(&policy_id->sel, FALSE); dir = (policy_dir_t)policy_id->dir; @@ -717,13 +717,13 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this, u_int32_t spi, reqid; struct xfrm_user_mapping *mapping; host_t *host; - + mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr); spi = mapping->id.spi; reqid = mapping->reqid; - + DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING"); - + if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP) { host = xfrm2host(mapping->id.family, &mapping->new_saddr, @@ -753,7 +753,7 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this) len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0, (struct sockaddr*)&addr, &addr_len); pthread_setcancelstate(oldstate, NULL); - + if (len < 0) { switch (errno) @@ -770,12 +770,12 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this) return JOB_REQUEUE_FAIR; } } - + if (addr.nl_pid != 0) { /* not from kernel. not interested, try another one */ return JOB_REQUEUE_DIRECT; } - + while (NLMSG_OK(hdr, len)) { switch (hdr->nlmsg_type) @@ -813,9 +813,9 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, struct xfrm_userspi_info *userspi; u_int32_t received_spi = 0; size_t len; - + memset(&request, 0, sizeof(request)); - + hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST; hdr->nlmsg_type = XFRM_MSG_ALLOCSPI; @@ -830,7 +830,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, userspi->info.family = src->get_family(src); userspi->min = min; userspi->max = max; - + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) { hdr = out; @@ -847,7 +847,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, case NLMSG_ERROR: { struct nlmsgerr *err = NLMSG_DATA(hdr); - + DBG1(DBG_KNL, "allocating SPI failed: %s (%d)", strerror(-err->error), -err->error); break; @@ -862,12 +862,12 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, } free(out); } - + if (received_spi == 0) { return FAILED; } - + *spi = received_spi; return SUCCESS; } @@ -875,47 +875,47 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, /** * Implementation of kernel_interface_t.get_spi. */ -static status_t get_spi(private_kernel_netlink_ipsec_t *this, - host_t *src, host_t *dst, +static status_t get_spi(private_kernel_netlink_ipsec_t *this, + host_t *src, host_t *dst, protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) { DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid); - + if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol), 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS) { DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid); return FAILED; } - + DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid); - + return SUCCESS; } /** * Implementation of kernel_interface_t.get_cpi. */ -static status_t get_cpi(private_kernel_netlink_ipsec_t *this, - host_t *src, host_t *dst, +static status_t get_cpi(private_kernel_netlink_ipsec_t *this, + host_t *src, host_t *dst, u_int32_t reqid, u_int16_t *cpi) { u_int32_t received_spi = 0; DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid); - + if (get_spi_internal(this, src, dst, IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS) { DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid); return FAILED; } - + *cpi = htons((u_int16_t)ntohl(received_spi)); - + DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid); - + return SUCCESS; } @@ -935,8 +935,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, char *alg_name; struct nlmsghdr *hdr; struct xfrm_usersa_info *sa; - u_int16_t icv_size = 64; - + u_int16_t icv_size = 64; + /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0 * we are in the recursive call below */ if (ipcomp != IPCOMP_NONE && cpi != 0) @@ -947,17 +947,17 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, mode, ipcomp, 0, FALSE, inbound); ipcomp = IPCOMP_NONE; } - + memset(&request, 0, sizeof(request)); - + DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid); - + hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); - + sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr); host2xfrm(src, &sa->saddr); host2xfrm(dst, &sa->id.daddr); @@ -980,9 +980,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, sa->lft.hard_add_expires_seconds = lifetime->time.life; sa->lft.soft_use_expires_seconds = 0; sa->lft.hard_use_expires_seconds = 0; - + struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info); - + switch (enc_alg) { case ENCR_UNDEFINED: @@ -1013,7 +1013,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, } DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg, enc_key.len * 8); - + rthdr->rta_type = XFRMA_ALG_AEAD; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len); hdr->nlmsg_len += rthdr->rta_len; @@ -1021,13 +1021,13 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, { return FAILED; } - + algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr); algo->alg_key_len = enc_key.len * 8; algo->alg_icv_len = icv_size; strcpy(algo->alg_name, alg_name); memcpy(algo->alg_key, enc_key.ptr, enc_key.len); - + rthdr = XFRM_RTA_NEXT(rthdr); break; } @@ -1044,7 +1044,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, } DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg, enc_key.len * 8); - + rthdr->rta_type = XFRMA_ALG_CRYPT; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len); hdr->nlmsg_len += rthdr->rta_len; @@ -1052,71 +1052,71 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, { return FAILED; } - + algo = (struct xfrm_algo*)RTA_DATA(rthdr); algo->alg_key_len = enc_key.len * 8; strcpy(algo->alg_name, alg_name); memcpy(algo->alg_key, enc_key.ptr, enc_key.len); - + rthdr = XFRM_RTA_NEXT(rthdr); } } - + if (int_alg != AUTH_UNDEFINED) { rthdr->rta_type = XFRMA_ALG_AUTH; alg_name = lookup_algorithm(integrity_algs, int_alg); if (alg_name == NULL) { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", + DBG1(DBG_KNL, "algorithm %N not supported by kernel!", integrity_algorithm_names, int_alg); return FAILED; } DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", integrity_algorithm_names, int_alg, int_key.len * 8); - + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len); hdr->nlmsg_len += rthdr->rta_len; if (hdr->nlmsg_len > sizeof(request)) { return FAILED; } - + struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); algo->alg_key_len = int_key.len * 8; strcpy(algo->alg_name, alg_name); memcpy(algo->alg_key, int_key.ptr, int_key.len); - + rthdr = XFRM_RTA_NEXT(rthdr); } - + if (ipcomp != IPCOMP_NONE) { rthdr->rta_type = XFRMA_ALG_COMP; alg_name = lookup_algorithm(compression_algs, ipcomp); if (alg_name == NULL) { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", + DBG1(DBG_KNL, "algorithm %N not supported by kernel!", ipcomp_transform_names, ipcomp); return FAILED; } DBG2(DBG_KNL, " using compression algorithm %N", ipcomp_transform_names, ipcomp); - + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo)); hdr->nlmsg_len += rthdr->rta_len; if (hdr->nlmsg_len > sizeof(request)) { return FAILED; } - + struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); algo->alg_key_len = 0; strcpy(algo->alg_name, alg_name); - + rthdr = XFRM_RTA_NEXT(rthdr); } - + if (encap) { rthdr->rta_type = XFRMA_ENCAP; @@ -1133,13 +1133,13 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, tmpl->encap_sport = htons(src->get_port(src)); tmpl->encap_dport = htons(dst->get_port(dst)); memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t)); - /* encap_oa could probably be derived from the - * traffic selectors [rfc4306, p39]. In the netlink kernel implementation - * pluto does the same as we do here but it uses encap_oa in the - * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates + /* encap_oa could probably be derived from the + * traffic selectors [rfc4306, p39]. In the netlink kernel implementation + * pluto does the same as we do here but it uses encap_oa in the + * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates * the kernel ignores it anyway * -> does that mean that NAT-T encap doesn't work in transport mode? - * No. The reason the kernel ignores NAT-OA is that it recomputes + * No. The reason the kernel ignores NAT-OA is that it recomputes * (or, rather, just ignores) the checksum. If packets pass * the IPsec checks it marks them "checksum ok" so OA isn't needed. */ rthdr = XFRM_RTA_NEXT(rthdr); @@ -1166,24 +1166,24 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, size_t len; struct rtattr *rta; size_t rtasize; - + memset(&request, 0, sizeof(request)); - + DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi)); hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST; hdr->nlmsg_type = XFRM_MSG_GETAE; hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)); - + aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr); aevent_id->flags = XFRM_AE_RVAL; - + host2xfrm(dst, &aevent_id->sa_id.daddr); aevent_id->sa_id.spi = spi; aevent_id->sa_id.proto = proto_ike2kernel(protocol); aevent_id->sa_id.family = dst->get_family(dst); - + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) { hdr = out; @@ -1212,7 +1212,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, break; } } - + if (out_aevent == NULL) { DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x", @@ -1220,7 +1220,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, free(out); return FAILED; } - + rta = XFRM_RTA(out, struct xfrm_aevent_id); rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id); while(RTA_OK(rta, rtasize)) @@ -1234,7 +1234,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, } rta = RTA_NEXT(rta, rtasize); } - + DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x", ntohl(spi)); free(out); @@ -1253,7 +1253,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src, struct xfrm_usersa_id *sa_id; struct xfrm_usersa_info *sa = NULL; size_t len; - + memset(&request, 0, sizeof(request)); DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); @@ -1268,7 +1268,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src, sa_id->spi = spi; sa_id->proto = proto_ike2kernel(protocol); sa_id->family = dst->get_family(dst); - + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) { hdr = out; @@ -1297,7 +1297,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src, break; } } - + if (sa == NULL) { DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); @@ -1305,7 +1305,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src, return FAILED; } *bytes = sa->curlft.bytes; - + free(out); return SUCCESS; } @@ -1319,28 +1319,28 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src, netlink_buf_t request; struct nlmsghdr *hdr; struct xfrm_usersa_id *sa_id; - + /* if IPComp was used, we first delete the additional IPComp SA */ if (cpi) { del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0); } - + memset(&request, 0, sizeof(request)); - + DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi)); - + hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; hdr->nlmsg_type = XFRM_MSG_DELSA; hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); - + sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); host2xfrm(dst, &sa_id->daddr); sa_id->spi = spi; sa_id->proto = proto_ike2kernel(protocol); sa_id->family = dst->get_family(dst); - + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi)); @@ -1370,30 +1370,30 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this, struct xfrm_encap_tmpl* tmpl = NULL; bool got_replay_state = FALSE; struct xfrm_replay_state replay; - + /* if IPComp is used, we first update the IPComp SA */ if (cpi) { update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0, src, dst, new_src, new_dst, FALSE, FALSE); } - + memset(&request, 0, sizeof(request)); - + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi)); - + /* query the existing SA first */ hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST; hdr->nlmsg_type = XFRM_MSG_GETSA; hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); - + sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); host2xfrm(dst, &sa_id->daddr); sa_id->spi = spi; sa_id->proto = proto_ike2kernel(protocol); sa_id->family = dst->get_family(dst); - + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) { hdr = out; @@ -1428,13 +1428,13 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this, free(out); return FAILED; } - + /* try to get the replay state */ if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS) { got_replay_state = TRUE; } - + /* delete the old SA (without affecting the IPComp SA) */ if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS) { @@ -1442,18 +1442,18 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this, free(out); return FAILED; } - + DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H", ntohl(spi), src, dst, new_src, new_dst); /* copy over the SA from out to request */ hdr = (struct nlmsghdr*)request; memcpy(hdr, out, min(out->nlmsg_len, sizeof(request))); - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; hdr->nlmsg_type = XFRM_MSG_NEWSA; hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); sa = NLMSG_DATA(hdr); sa->family = new_dst->get_family(new_dst); - + if (!src->ip_equals(src, new_src)) { host2xfrm(new_src, &sa->saddr); @@ -1462,7 +1462,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this, { host2xfrm(new_dst, &sa->id.daddr); } - + rta = XFRM_RTA(out, struct xfrm_usersa_info); rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info); pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info); @@ -1476,47 +1476,47 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this, tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta); tmpl->encap_sport = ntohs(new_src->get_port(new_src)); tmpl->encap_dport = ntohs(new_dst->get_port(new_dst)); - } + } memcpy(pos, rta, rta->rta_len); pos += RTA_ALIGN(rta->rta_len); hdr->nlmsg_len += RTA_ALIGN(rta->rta_len); } rta = RTA_NEXT(rta, rtasize); } - + rta = (struct rtattr*)pos; if (tmpl == NULL && new_encap) { /* add tmpl if we are enabling it */ rta->rta_type = XFRMA_ENCAP; rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl)); - + hdr->nlmsg_len += rta->rta_len; if (hdr->nlmsg_len > sizeof(request)) { return FAILED; } - + tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta); tmpl->encap_type = UDP_ENCAP_ESPINUDP; tmpl->encap_sport = ntohs(new_src->get_port(new_src)); tmpl->encap_dport = ntohs(new_dst->get_port(new_dst)); memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t)); - + rta = XFRM_RTA_NEXT(rta); } - + if (got_replay_state) { /* copy the replay data if available */ rta->rta_type = XFRMA_REPLAY_VAL; rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state)); - + hdr->nlmsg_len += rta->rta_len; if (hdr->nlmsg_len > sizeof(request)) { return FAILED; } memcpy(RTA_DATA(rta), &replay, sizeof(replay)); - + rta = XFRM_RTA_NEXT(rta); } @@ -1527,14 +1527,14 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this, return FAILED; } free(out); - + return SUCCESS; } /** * Implementation of kernel_interface_t.add_policy. */ -static status_t add_policy(private_kernel_netlink_ipsec_t *this, +static status_t add_policy(private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, @@ -1548,13 +1548,13 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, netlink_buf_t request; struct xfrm_userpolicy_info *policy_info; struct nlmsghdr *hdr; - + /* create a policy */ policy = malloc_thing(policy_entry_t); memset(policy, 0, sizeof(policy_entry_t)); policy->sel = ts2selector(src_ts, dst_ts); policy->direction = direction; - + /* find the policy, which matches EXACTLY */ this->mutex->lock(this->mutex); current = this->policies->get(this->policies, policy); @@ -1574,10 +1574,10 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, this->policies->put(this->policies, policy, policy); policy->refcount = 1; } - + DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); - + memset(&request, 0, sizeof(request)); hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; @@ -1595,7 +1595,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, policy_info->action = XFRM_POLICY_ALLOW; policy_info->share = XFRM_SHARE_ANY; this->mutex->unlock(this->mutex); - + /* policies don't expire */ policy_info->lft.soft_byte_limit = XFRM_INF; policy_info->lft.soft_packet_limit = XFRM_INF; @@ -1605,19 +1605,19 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, policy_info->lft.hard_add_expires_seconds = 0; policy_info->lft.soft_use_expires_seconds = 0; policy_info->lft.hard_use_expires_seconds = 0; - + struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info); rthdr->rta_type = XFRMA_TMPL; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); - + hdr->nlmsg_len += rthdr->rta_len; if (hdr->nlmsg_len > sizeof(request)) { return FAILED; } - + struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr); - + if (ipcomp != IPCOMP_NONE) { tmpl->reqid = reqid; @@ -1626,10 +1626,10 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, tmpl->mode = mode2kernel(mode); tmpl->optional = direction != POLICY_OUT; tmpl->family = src->get_family(src); - + host2xfrm(src, &tmpl->saddr); host2xfrm(dst, &tmpl->id.daddr); - + /* add an additional xfrm_user_tmpl */ rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); @@ -1637,26 +1637,26 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, { return FAILED; } - + tmpl++; } - + tmpl->reqid = reqid; tmpl->id.proto = proto_ike2kernel(protocol); tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; tmpl->mode = mode2kernel(mode); tmpl->family = src->get_family(src); - + host2xfrm(src, &tmpl->saddr); host2xfrm(dst, &tmpl->id.daddr); - + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); return FAILED; } - + /* install a route, if: * - we are NOT updating a policy * - this is a forward policy (to just get one for each child) @@ -1669,7 +1669,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, this->install_routes) { route_entry_t *route = malloc_thing(route_entry_t); - + if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface, dst_ts, &route->src_ip) == SUCCESS) { @@ -1681,9 +1681,9 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len); route->prefixlen = policy->sel.prefixlen_s; - + if (route->if_name) - { + { switch (charon->kernel_interface->add_route( charon->kernel_interface, route->dst_net, route->prefixlen, route->gateway, @@ -1720,7 +1720,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, * Implementation of kernel_interface_t.query_policy. */ static status_t query_policy(private_kernel_netlink_ipsec_t *this, - traffic_selector_t *src_ts, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time) { @@ -1729,9 +1729,9 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this, struct xfrm_userpolicy_id *policy_id; struct xfrm_userpolicy_info *policy = NULL; size_t len; - + memset(&request, 0, sizeof(request)); - + DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); @@ -1743,7 +1743,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this, policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); policy_id->sel = ts2selector(src_ts, dst_ts); policy_id->dir = direction; - + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) { hdr = out; @@ -1772,7 +1772,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this, break; } } - + if (policy == NULL) { DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts, @@ -1780,7 +1780,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this, free(out); return FAILED; } - + if (policy->curlft.use_time) { /* we need the monotonic time, but the kernel returns system time. */ @@ -1790,7 +1790,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this, { *use_time = 0; } - + free(out); return SUCCESS; } @@ -1799,7 +1799,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this, * Implementation of kernel_interface_t.del_policy. */ static status_t del_policy(private_kernel_netlink_ipsec_t *this, - traffic_selector_t *src_ts, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted) { @@ -1808,15 +1808,15 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this, netlink_buf_t request; struct nlmsghdr *hdr; struct xfrm_userpolicy_id *policy_id; - + DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); - + /* create a policy */ memset(&policy, 0, sizeof(policy_entry_t)); policy.sel = ts2selector(src_ts, dst_ts); policy.direction = direction; - + /* find the policy */ this->mutex->lock(this->mutex); current = this->policies->get(this->policies, &policy); @@ -1840,9 +1840,9 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this, dst_ts, policy_dir_names, direction); return NOT_FOUND; } - + memset(&request, 0, sizeof(request)); - + hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; hdr->nlmsg_type = XFRM_MSG_DELPOLICY; @@ -1851,10 +1851,10 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this, policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); policy_id->sel = to_delete->sel; policy_id->dir = direction; - + route = to_delete->route; free(to_delete); - + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts, @@ -1871,7 +1871,7 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this, DBG1(DBG_KNL, "error uninstalling route installed with " "policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); - } + } route_entry_destroy(route); } return SUCCESS; @@ -1884,7 +1884,7 @@ static void destroy(private_kernel_netlink_ipsec_t *this) { enumerator_t *enumerator; policy_entry_t *policy; - + this->job->cancel(this->job); close(this->socket_xfrm_events); this->socket_xfrm->destroy(this->socket_xfrm); @@ -1907,7 +1907,7 @@ static bool add_bypass_policies() int fd, family, port; enumerator_t *sockets; bool status = TRUE; - + /* we open an AF_KEY socket to autoload the af_key module. Otherwise * setsockopt(IPSEC_POLICY) won't work. */ fd = socket(AF_KEY, SOCK_RAW, PF_KEY_V2); @@ -1917,13 +1917,13 @@ static bool add_bypass_policies() return FALSE; } close(fd); - + sockets = charon->socket->create_enumerator(charon->socket); while (sockets->enumerate(sockets, &fd, &family, &port)) { struct sadb_x_policy policy; u_int sol, ipsec_policy; - + switch (family) { case AF_INET: @@ -1937,12 +1937,12 @@ static bool add_bypass_policies() default: continue; } - + memset(&policy, 0, sizeof(policy)); policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t); policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS; - + policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { @@ -1954,7 +1954,7 @@ static bool add_bypass_policies() policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", + DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", strerror(errno)); status = FALSE; break; @@ -1972,7 +1972,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t); struct sockaddr_nl addr; int fd; - + /* public functions */ this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi; this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; @@ -1991,7 +1991,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE); - + /* disable lifetimes for allocated SPIs in kernel */ fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY); if (fd) @@ -1999,18 +1999,18 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() ignore_result(write(fd, "0", 1)); close(fd); } - + /* add bypass policies on the sockets used by charon */ if (!add_bypass_policies()) { charon->kill(charon, "unable to add bypass policies on sockets"); } - + this->socket_xfrm = netlink_socket_create(NETLINK_XFRM); - + memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; - + /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */ this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); if (this->socket_xfrm_events <= 0) @@ -2023,10 +2023,10 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() { charon->kill(charon, "unable to bind XFRM event socket"); } - + this->job = callback_job_create((callback_job_cb_t)receive_events, this, NULL, NULL); charon->processor->queue_job(charon->processor, (job_t*)this->job); - + return &this->public; } diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c index 068860797..4b2a05f8f 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c @@ -48,16 +48,16 @@ typedef struct addr_entry_t addr_entry_t; * IP address in an inface_entry_t */ struct addr_entry_t { - + /** The ip address */ host_t *ip; - + /** virtual IP managed by us */ bool virtual; - + /** scope of the address */ u_char scope; - + /** Number of times this IP is used, if virtual */ u_int refcount; }; @@ -77,16 +77,16 @@ typedef struct iface_entry_t iface_entry_t; * A network interface on this system, containing addr_entry_t's */ struct iface_entry_t { - + /** interface index */ int ifindex; - + /** name of the interface */ char ifname[IFNAMSIZ]; - + /** interface flags, as in netdevice(7) SIOCGIFFLAGS */ u_int flags; - + /** list of addresses as host_t */ linked_list_t *addrs; }; @@ -110,57 +110,57 @@ struct private_kernel_netlink_net_t { * Public part of the kernel_netlink_net_t object. */ kernel_netlink_net_t public; - + /** * mutex to lock access to various lists */ mutex_t *mutex; - + /** * condition variable to signal virtual IP add/removal */ condvar_t *condvar; - + /** * Cached list of interfaces and its addresses (iface_entry_t) */ linked_list_t *ifaces; - + /** * job receiving netlink events */ callback_job_t *job; - + /** * netlink rt socket (routing) */ netlink_socket_t *socket; - + /** * Netlink rt socket to receive address change events */ int socket_events; - + /** * time of the last roam_job */ timeval_t last_roam; - + /** * routing table to install routes */ int routing_table; - + /** * priority of used routing table */ int routing_table_prio; - + /** * whether to react to RTM_NEWROUTE or RTM_DELROUTE events */ bool process_route; - + /** * whether to actually install virtual IPs */ @@ -176,7 +176,7 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip) iface_entry_t *iface; addr_entry_t *addr; int refcount = 0; - + ifaces = this->ifaces->create_iterator(this->ifaces, TRUE); while (ifaces->iterate(ifaces, (void**)&iface)) { @@ -197,7 +197,7 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip) } } ifaces->destroy(ifaces); - + return refcount; } @@ -208,7 +208,7 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip) static void fire_roam_job(private_kernel_netlink_net_t *this, bool address) { timeval_t now; - + time_monotonic(&now); if (timercmp(&now, &this->last_roam, >)) { @@ -237,7 +237,7 @@ static void process_link(private_kernel_netlink_net_t *this, iface_entry_t *current, *entry = NULL; char *name = NULL; bool update = FALSE; - + while(RTA_OK(rta, rtasize)) { switch (rta->rta_type) @@ -252,7 +252,7 @@ static void process_link(private_kernel_netlink_net_t *this, { name = "(unknown)"; } - + this->mutex->lock(this->mutex); switch (hdr->nlmsg_type) { @@ -305,7 +305,7 @@ static void process_link(private_kernel_netlink_net_t *this, { if (current->ifindex == msg->ifi_index) { - /* we do not remove it, as an address may be added to a + /* we do not remove it, as an address may be added to a * "down" interface and we wan't to know that. */ current->flags = msg->ifi_flags; break; @@ -316,7 +316,7 @@ static void process_link(private_kernel_netlink_net_t *this, } } this->mutex->unlock(this->mutex); - + /* send an update to all IKE_SAs */ if (update && event) { @@ -339,7 +339,7 @@ static void process_addr(private_kernel_netlink_net_t *this, addr_entry_t *addr; chunk_t local = chunk_empty, address = chunk_empty; bool update = FALSE, found = FALSE, changed = FALSE; - + while(RTA_OK(rta, rtasize)) { switch (rta->rta_type) @@ -355,7 +355,7 @@ static void process_addr(private_kernel_netlink_net_t *this, } rta = RTA_NEXT(rta, rtasize); } - + /* For PPP interfaces, we need the IFA_LOCAL address, * IFA_ADDRESS is the peers address. But IFA_LOCAL is * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */ @@ -367,12 +367,12 @@ static void process_addr(private_kernel_netlink_net_t *this, { host = host_create_from_chunk(msg->ifa_family, address, 0); } - + if (host == NULL) { /* bad family? */ return; } - + this->mutex->lock(this->mutex); ifaces = this->ifaces->create_enumerator(this->ifaces); while (ifaces->enumerate(ifaces, &iface)) @@ -403,7 +403,7 @@ static void process_addr(private_kernel_netlink_net_t *this, } } addrs->destroy(addrs); - + if (hdr->nlmsg_type == RTM_NEWADDR) { if (!found) @@ -415,7 +415,7 @@ static void process_addr(private_kernel_netlink_net_t *this, addr->virtual = FALSE; addr->refcount = 1; addr->scope = msg->ifa_scope; - + iface->addrs->insert_last(iface->addrs, addr); if (event) { @@ -433,7 +433,7 @@ static void process_addr(private_kernel_netlink_net_t *this, ifaces->destroy(ifaces); this->mutex->unlock(this->mutex); host->destroy(host); - + /* send an update to all IKE_SAs */ if (update && event && changed) { @@ -450,13 +450,13 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h struct rtattr *rta = RTM_RTA(msg); size_t rtasize = RTM_PAYLOAD(hdr); host_t *host = NULL; - + /* ignore routes added by us */ if (msg->rtm_table && msg->rtm_table == this->routing_table) { return; } - + while (RTA_OK(rta, rtasize)) { switch (rta->rta_type) @@ -491,11 +491,11 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this) socklen_t addr_len = sizeof(addr); int len, oldstate; - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); len = recvfrom(this->socket_events, response, sizeof(response), 0, (struct sockaddr*)&addr, &addr_len); pthread_setcancelstate(oldstate, NULL); - + if (len < 0) { switch (errno) @@ -512,12 +512,12 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this) return JOB_REQUEUE_FAIR; } } - + if (addr.nl_pid != 0) { /* not from kernel. not interested, try another one */ return JOB_REQUEUE_DIRECT; } - + while (NLMSG_OK(hdr, len)) { /* looks good so far, dispatch netlink message */ @@ -553,7 +553,7 @@ typedef struct { private_kernel_netlink_net_t* this; /** whether to enumerate down interfaces */ bool include_down_ifaces; - /** whether to enumerate virtual ip addresses */ + /** whether to enumerate virtual ip addresses */ bool include_virtual_ips; } address_enumerator_t; @@ -615,7 +615,7 @@ static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *thi data->this = this; data->include_down_ifaces = include_down_ifaces; data->include_virtual_ips = include_virtual_ips; - + this->mutex->lock(this->mutex); return enumerator_create_nested( enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces), @@ -632,9 +632,9 @@ static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip) iface_entry_t *iface; addr_entry_t *addr; char *name = NULL; - + DBG2(DBG_KNL, "getting interface name for %H", ip); - + this->mutex->lock(this->mutex); ifaces = this->ifaces->create_enumerator(this->ifaces); while (ifaces->enumerate(ifaces, &iface)) @@ -656,7 +656,7 @@ static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip) } ifaces->destroy(ifaces); this->mutex->unlock(this->mutex); - + if (name) { DBG2(DBG_KNL, "%H is on interface %s", ip, name); @@ -676,9 +676,9 @@ static int get_interface_index(private_kernel_netlink_net_t *this, char* name) enumerator_t *ifaces; iface_entry_t *iface; int ifindex = 0; - + DBG2(DBG_KNL, "getting iface index for %s", name); - + this->mutex->lock(this->mutex); ifaces = this->ifaces->create_enumerator(this->ifaces); while (ifaces->enumerate(ifaces, &iface)) @@ -708,7 +708,7 @@ static bool is_interface_up(private_kernel_netlink_net_t *this, int index) iface_entry_t *iface; /* default to TRUE for interface we do not monitor (e.g. lo) */ bool up = TRUE; - + ifaces = this->ifaces->create_enumerator(this->ifaces); while (ifaces->enumerate(ifaces, &iface)) { @@ -729,7 +729,7 @@ static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len) { static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe }; int byte = 0; - + if (net_len == 0) { /* any address matches a /0 network */ return TRUE; @@ -771,9 +771,9 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, size_t len; int best = -1; host_t *src = NULL, *gtw = NULL; - + DBG2(DBG_KNL, "getting address to reach %H", dest); - + memset(&request, 0, sizeof(request)); hdr = (struct nlmsghdr*)request; @@ -790,7 +790,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, } chunk = dest->get_address(dest); netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request)); - + if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS) { DBG1(DBG_KNL, "getting address to %H failed", dest); @@ -811,7 +811,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, chunk_t rta_gtw, rta_src, rta_dst; u_int32_t rta_oif = 0; host_t *new_src, *new_gtw; - + rta_gtw = rta_src = rta_dst = chunk_empty; msg = (struct rtmsg*)(NLMSG_DATA(current)); rta = RTM_RTA(msg); @@ -855,7 +855,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, { /* route destination does not contain dest */ goto next; } - + if (nexthop) { /* nexthop lookup, return gateway */ @@ -907,7 +907,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, } free(out); this->mutex->unlock(this->mutex); - + if (nexthop) { if (gtw) @@ -947,23 +947,23 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type struct nlmsghdr *hdr; struct ifaddrmsg *msg; chunk_t chunk; - + memset(&request, 0, sizeof(request)); - + chunk = ip->get_address(ip); - + hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; - hdr->nlmsg_type = nlmsg_type; + hdr->nlmsg_type = nlmsg_type; hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg)); - + msg = (struct ifaddrmsg*)NLMSG_DATA(hdr); msg->ifa_family = ip->get_family(ip); msg->ifa_flags = 0; msg->ifa_prefixlen = 8 * chunk.len; msg->ifa_scope = RT_SCOPE_UNIVERSE; msg->ifa_index = if_index; - + netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request)); return this->socket->send_ack(this->socket, hdr); @@ -972,27 +972,27 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type /** * Implementation of kernel_net_t.add_ip. */ -static status_t add_ip(private_kernel_netlink_net_t *this, +static status_t add_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip, host_t *iface_ip) { iface_entry_t *iface; addr_entry_t *addr; enumerator_t *addrs, *ifaces; int ifindex; - + if (!this->install_virtual_ip) { /* disabled by config */ return SUCCESS; } - + DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip); - + this->mutex->lock(this->mutex); ifaces = this->ifaces->create_enumerator(this->ifaces); while (ifaces->enumerate(ifaces, &iface)) { bool iface_found = FALSE; - + addrs = iface->addrs->create_enumerator(iface->addrs); while (addrs->enumerate(addrs, &addr)) { @@ -1012,7 +1012,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this, } } addrs->destroy(addrs); - + if (iface_found) { ifindex = iface->ifindex; @@ -1022,7 +1022,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this, addr->virtual = TRUE; addr->scope = RT_SCOPE_UNIVERSE; iface->addrs->insert_last(iface->addrs, addr); - + if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL, ifindex, virtual_ip) == SUCCESS) { @@ -1042,7 +1042,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this, } ifaces->destroy(ifaces); this->mutex->unlock(this->mutex); - + DBG1(DBG_KNL, "interface address %H not found, unable to install" "virtual IP %H", iface_ip, virtual_ip); return FAILED; @@ -1058,14 +1058,14 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip) enumerator_t *addrs, *ifaces; status_t status; int ifindex; - + if (!this->install_virtual_ip) { /* disabled by config */ return SUCCESS; } - + DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip); - + this->mutex->lock(this->mutex); ifaces = this->ifaces->create_enumerator(this->ifaces); while (ifaces->enumerate(ifaces, &iface)) @@ -1108,7 +1108,7 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip) } ifaces->destroy(ifaces); this->mutex->unlock(this->mutex); - + DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip); return FAILED; } @@ -1135,11 +1135,11 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty chunk_t half_net; u_int8_t half_prefixlen; status_t status; - + half_net = chunk_alloca(dst_net.len); memset(half_net.ptr, 0, half_net.len); half_prefixlen = 1; - + status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen, gateway, src_ip, if_name); half_net.ptr[0] |= 0x80; @@ -1147,7 +1147,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty gateway, src_ip, if_name); return status; } - + memset(&request, 0, sizeof(request)); hdr = (struct nlmsghdr*)request; @@ -1162,7 +1162,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty msg->rtm_protocol = RTPROT_STATIC; msg->rtm_type = RTN_UNICAST; msg->rtm_scope = RT_SCOPE_UNIVERSE; - + netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request)); chunk = src_ip->get_address(src_ip); netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request)); @@ -1185,7 +1185,7 @@ static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL, dst_net, prefixlen, gateway, src_ip, if_name); } - + /** * Implementation of kernel_net_t.del_route. */ @@ -1208,9 +1208,9 @@ static status_t init_address_list(private_kernel_netlink_net_t *this) enumerator_t *ifaces, *addrs; iface_entry_t *iface; addr_entry_t *addr; - + DBG1(DBG_KNL, "listening on interfaces:"); - + memset(&request, 0, sizeof(request)); in = (struct nlmsghdr*)&request; @@ -1218,7 +1218,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this) in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT; msg = (struct rtgenmsg*)NLMSG_DATA(in); msg->rtgen_family = AF_UNSPEC; - + /* get all links */ in->nlmsg_type = RTM_GETLINK; if (this->socket->send(this->socket, in, &out, &len) != SUCCESS) @@ -1242,7 +1242,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this) break; } free(out); - + /* get all interface addresses */ in->nlmsg_type = RTM_GETADDR; if (this->socket->send(this->socket, in, &out, &len) != SUCCESS) @@ -1266,7 +1266,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this) break; } free(out); - + this->mutex->lock(this->mutex); ifaces = this->ifaces->create_enumerator(this->ifaces); while (ifaces->enumerate(ifaces, &iface)) @@ -1298,10 +1298,10 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type, struct rtmsg *msg; chunk_t chunk; - memset(&request, 0, sizeof(request)); + memset(&request, 0, sizeof(request)); hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = nlmsg_type; + hdr->nlmsg_type = nlmsg_type; if (nlmsg_type == RTM_NEWRULE) { hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL; @@ -1348,7 +1348,7 @@ kernel_netlink_net_t *kernel_netlink_net_create() { private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t); struct sockaddr_nl addr; - + /* public functions */ this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name; this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator; @@ -1373,34 +1373,34 @@ kernel_netlink_net_t *kernel_netlink_net_create() "charon.process_route", TRUE); this->install_virtual_ip = lib->settings->get_bool(lib->settings, "charon.install_virtual_ip", TRUE); - + this->socket = netlink_socket_create(NETLINK_ROUTE); - + memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; - + /* create and bind RT socket for events (address/interface/route changes) */ this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (this->socket_events <= 0) { charon->kill(charon, "unable to create RT event socket"); } - addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | + addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK; if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr))) { charon->kill(charon, "unable to bind RT event socket"); } - + this->job = callback_job_create((callback_job_cb_t)receive_events, this, NULL, NULL); charon->processor->queue_job(charon->processor, (job_t*)this->job); - + if (init_address_list(this) != SUCCESS) { charon->kill(charon, "unable to get interface list"); } - + if (this->routing_table) { if (manage_rule(this, RTM_NEWRULE, this->routing_table, @@ -1409,6 +1409,6 @@ kernel_netlink_net_t *kernel_netlink_net_create() DBG1(DBG_KNL, "unable to create routing table rule"); } } - + return &this->public; } diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c index 77005e871..cdf20f14a 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c @@ -49,11 +49,11 @@ static void destroy(private_kernel_netlink_plugin_t *this) plugin_t *plugin_create() { private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t); - + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); charon->kernel_interface->add_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create); - + return &this->public.plugin; } diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c index ec1187083..3d8ca8807 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c @@ -34,7 +34,7 @@ struct private_netlink_socket_t { * public part of the netlink_socket_t object. */ netlink_socket_t public; - + /** * mutex to lock access to netlink socket */ @@ -46,12 +46,12 @@ struct private_netlink_socket_t { int seq; /** - * netlink socket protocol + * netlink socket protocol */ int protocol; /** - * netlink socket + * netlink socket */ int socket; }; @@ -71,12 +71,12 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in struct sockaddr_nl addr; chunk_t result = chunk_empty, tmp; struct nlmsghdr *msg, peek; - + this->mutex->lock(this->mutex); - + in->nlmsg_seq = ++this->seq; in->nlmsg_pid = getpid(); - + memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; addr.nl_pid = 0; @@ -91,11 +91,11 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in while (TRUE) { - len = sendto(this->socket, in, in->nlmsg_len, 0, + len = sendto(this->socket, in, in->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); - + if (len != in->nlmsg_len) - { + { if (errno == EINTR) { /* interrupted, try again */ @@ -107,23 +107,23 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in } break; } - + while (TRUE) - { + { char buf[4096]; tmp.len = sizeof(buf); tmp.ptr = buf; msg = (struct nlmsghdr*)tmp.ptr; - + memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; addr.nl_pid = getpid(); addr.nl_groups = 0; addr_len = sizeof(addr); - + len = recvfrom(this->socket, tmp.ptr, tmp.len, 0, (struct sockaddr*)&addr, &addr_len); - + if (len < 0) { if (errno == EINTR) @@ -155,17 +155,17 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in free(result.ptr); return FAILED; } - + tmp.len = len; result.ptr = realloc(result.ptr, result.len + tmp.len); memcpy(result.ptr + result.len, tmp.ptr, tmp.len); result.len += tmp.len; - + /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence * numbers to detect multi header messages */ len = recvfrom(this->socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len); - + if (len == sizeof(peek) && peek.nlmsg_seq == this->seq) { /* seems to be multipart */ @@ -173,12 +173,12 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in } break; } - + *out_len = result.len; *out = (struct nlmsghdr*)result.ptr; - + this->mutex->unlock(this->mutex); - + return SUCCESS; } @@ -202,7 +202,7 @@ static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr case NLMSG_ERROR: { struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr); - + if (err->error) { if (-err->error == EEXIST) @@ -247,7 +247,7 @@ static void destroy(private_netlink_socket_t *this) netlink_socket_t *netlink_socket_create(int protocol) { private_netlink_socket_t *this = malloc_thing(private_netlink_socket_t); struct sockaddr_nl addr; - + /* public functions */ this->public.send = (status_t(*)(netlink_socket_t*,struct nlmsghdr*, struct nlmsghdr**, size_t*))netlink_send; this->public.send_ack = (status_t(*)(netlink_socket_t*,struct nlmsghdr*))netlink_send_ack; @@ -256,23 +256,23 @@ netlink_socket_t *netlink_socket_create(int protocol) { /* private members */ this->seq = 200; this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); - + memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; - + this->protocol = protocol; this->socket = socket(AF_NETLINK, SOCK_RAW, protocol); if (this->socket <= 0) { charon->kill(charon, "unable to create netlink socket"); } - + addr.nl_groups = 0; if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr))) { charon->kill(charon, "unable to bind netlink socket"); } - + return &this->public; } @@ -283,13 +283,13 @@ void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, size_t buflen) { struct rtattr *rta; - + if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen) { DBG1(DBG_KNL, "unable to add attribute, buffer too small"); return; } - + rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len)); rta->rta_type = rta_type; rta->rta_len = RTA_LENGTH(data.len); diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h index 5a70e4d9b..dfd27a21a 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h @@ -37,20 +37,20 @@ struct netlink_socket_t { /** * Send a netlink message and wait for a reply. - * + * * @param in netlink message to send * @param out received netlink message * @param out_len length of the received message */ status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len); - + /** * Send a netlink message and wait for its acknowledge. - * + * * @param in netlink message to send */ status_t (*send_ack)(netlink_socket_t *this, struct nlmsghdr *in); - + /** * Destroy the socket. */ @@ -59,14 +59,14 @@ struct netlink_socket_t { /** * Create a netlink_socket_t object. - * + * * @param protocol protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE) */ netlink_socket_t *netlink_socket_create(int protocol); /** * Creates an rtattr and adds it to the given netlink message. - * + * * @param hdr netlink message * @param rta_type type of the rtattr * @param data data to add to the rtattr |