Diffstat (limited to 'src/libcharon')
56 files changed, 2646 insertions, 307 deletions
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 65d0e2b11..794228665 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -47,7 +47,10 @@ encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
 encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
 encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
-kernel/kernel_handler.c kernel/kernel_handler.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.c kernel/kernel_net.h \
+kernel/kernel_listener.h kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
 network/socket.c network/socket.h \
 network/socket_manager.c network/socket_manager.h \
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 0eee3c28d..910f50269 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -46,7 +46,10 @@ encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
 encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
 encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
-kernel/kernel_handler.c kernel/kernel_handler.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.c kernel/kernel_net.h \
+kernel/kernel_listener.h kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
 network/socket.c network/socket.h \
 network/socket_manager.c network/socket_manager.h \
diff --git a/src/libcharon/attributes/mem_pool.c b/src/libcharon/attributes/mem_pool.c
index 279668249..833c3e950 100644
--- a/src/libcharon/attributes/mem_pool.c
+++ b/src/libcharon/attributes/mem_pool.c
@@ -17,7 +17,6 @@
 #include "mem_pool.h"
 #include <library.h>
-#include <hydra.h>
 #include <utils/debug.h>
 #include <collections/hashtable.h>
 #include <collections/array.h>
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index f861460db..799c3f6dc 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -685,6 +685,7 @@ static void destroy(private_daemon_t *this)
 DESTROY_IF(this->public.xauth);
 DESTROY_IF(this->public.backends);
 DESTROY_IF(this->public.socket);
+ DESTROY_IF(this->public.kernel);
 /* rehook library logging, shutdown logging */
 dbg = dbg_old;
@@ -862,6 +863,7 @@ private_daemon_t *daemon_create()
 .ref = 1,
 );
 charon = &this->public;
+ this->public.kernel = kernel_interface_create();
 this->public.attributes = attribute_manager_create();
 this->public.controller = controller_create();
 this->public.eap = eap_manager_create();
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 0b66ea39a..654e22a07 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -63,7 +63,7 @@
 * @defgroup payloads payloads
 * @ingroup encoding
 *
- * @defgroup ckernel kernel
+ * @defgroup kernel kernel
 * @ingroup libcharon
 *
 * @defgroup network network
@@ -179,6 +179,7 @@ typedef struct daemon_t daemon_t;
 #include <attributes/attribute_manager.h>
+#include <kernel/kernel_interface.h>
 #include <network/sender.h>
 #include <network/receiver.h>
 #include <network/socket_manager.h>
@@ -239,6 +240,11 @@ struct daemon_t {
 socket_manager_t *socket;
 /**
+ * Kernel interface to communicate with kernel
+ */
+ kernel_interface_t *kernel;
+
+ /**
 * A ike_sa_manager_t instance.
 */
 ike_sa_manager_t *ike_sa_manager;
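Review bot: `DESTROY_IF(this->public.kernel)` is placed after the socket manager in destroy(), but the teardown order of the kernel interface's other users is not visible in this hunk: kernel_handler's destroy (kernel_handler.c in this same commit) calls `charon->kernel->remove_listener()`, and backends that plugins register through `add_ipsec_interface`/`add_net_interface` presumably unregister with `remove_ipsec_interface`/`remove_net_interface` when the plugin is unloaded. If either of those runs after this line it dereferences freed memory, so please confirm the kernel handler is destroyed and plugins are unloaded before this DESTROY_IF, and record the dependency on the line, e.g. `/* kernel handler and plugin-registered backends must already be gone */`. The enclosing destroy() and daemon_create() bodies continue outside the hunks.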
@@ -15,7 +15,6 @@
 #include "kernel_handler.h"
-#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/acquire_job.h>
 #include <processing/jobs/delete_child_sa_job.h>
@@ -135,8 +134,7 @@ METHOD(kernel_listener_t, roam, bool,
 METHOD(kernel_handler_t, destroy, void,
 private_kernel_handler_t *this)
 {
- hydra->kernel_interface->remove_listener(hydra->kernel_interface,
- &this->public.listener);
+ charon->kernel->remove_listener(charon->kernel, &this->public.listener);
 free(this);
 }
@@ -157,8 +155,7 @@ kernel_handler_t *kernel_handler_create()
 },
 );
- hydra->kernel_interface->add_listener(hydra->kernel_interface,
- &this->public.listener);
+ charon->kernel->add_listener(charon->kernel, &this->public.listener);
 return &this->public;
 }
diff --git a/src/libcharon/kernel/kernel_handler.h b/src/libcharon/kernel/kernel_handler.h
index 48ad6889c..f1fa0bdfc 100644
--- a/src/libcharon/kernel/kernel_handler.h
+++ b/src/libcharon/kernel/kernel_handler.h
@@ -15,7 +15,7 @@
 /**
 * @defgroup kernel_handler kernel_handler
- * @{ @ingroup ckernel
+ * @{ @ingroup kernel
 */
 #ifndef KERNEL_HANDLER_H_
diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c
new file mode 100644
index 000000000..40c4ee589
--- /dev/null
+++ b/src/libcharon/kernel/kernel_interface.c
@@ -0,0 +1,1085 @@
+/*
+ * Copyright (C) 2008-2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (c) 2012 Nanoteq Pty Ltd
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "kernel_interface.h"
+
+#include <utils/debug.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/array.h>
+
+typedef struct private_kernel_interface_t private_kernel_interface_t;
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping of IKE algorithms to kernel-specific algorithm identifiers
+ */
+struct kernel_algorithm_t {
+
+ /**
+ * Transform type of the algorithm
+ */
+ transform_type_t type;
+
+ /**
+ * Identifier specified in IKE
+ */
+ u_int16_t ike;
+
+ /**
+ * Identifier as defined in pfkeyv2.h
+ */
+ u_int16_t kernel;
+
+ /**
+ * Name of the algorithm in linux crypto API
+ */
+ char *name;
+};
+
+/**
+ * Private data of a kernel_interface_t object.
+ */
+struct private_kernel_interface_t {
+
+ /**
+ * Public part of kernel_interface_t object.
+ */
+ kernel_interface_t public;
+
+ /**
+ * Registered IPsec constructor
+ */
+ kernel_ipsec_constructor_t ipsec_constructor;
+
+ /**
+ * Registered net constructor
+ */
+ kernel_net_constructor_t net_constructor;
+
+ /**
+ * ipsec interface
+ */
+ kernel_ipsec_t *ipsec;
+
+ /**
+ * network interface
+ */
+ kernel_net_t *net;
+
+ /**
+ * mutex for listeners
+ */
+ mutex_t *mutex;
+
+ /**
+ * list of registered listeners
+ */
+ linked_list_t *listeners;
+
+ /**
+ * Reqid entries indexed by reqids
+ */
+ hashtable_t *reqids;
+
+ /**
+ * Reqid entries indexed by traffic selectors
+ */
+ hashtable_t *reqids_by_ts;
+
+ /**
+ * mutex for algorithm mappings
+ */
+ mutex_t *mutex_algs;
+
+ /**
+ * List of algorithm mappings (kernel_algorithm_t*)
+ */
+ linked_list_t *algorithms;
+
+ /**
+ * List of interface names to include or exclude (char*), NULL if interfaces
+ * are not filtered
+ */
+ linked_list_t *ifaces_filter;
+
+ /**
+ * TRUE to exclude interfaces listed in ifaces_filter, FALSE to consider
+ * only those listed there
+ */
+ bool ifaces_exclude;
+};
+
+METHOD(kernel_interface_t, get_features,
kernel_feature_t, + private_kernel_interface_t *this) +{ + kernel_feature_t features = 0; + + if (this->ipsec && this->ipsec->get_features) + { + features |= this->ipsec->get_features(this->ipsec); + } + if (this->net && this->net->get_features) + { + features |= this->net->get_features(this->net); + } + return features; +} + +METHOD(kernel_interface_t, get_spi, status_t, + private_kernel_interface_t *this, host_t *src, host_t *dst, + u_int8_t protocol, u_int32_t *spi) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->get_spi(this->ipsec, src, dst, protocol, spi); +} + +METHOD(kernel_interface_t, get_cpi, status_t, + private_kernel_interface_t *this, host_t *src, host_t *dst, + u_int16_t *cpi) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->get_cpi(this->ipsec, src, dst, cpi); +} + +/** + * Reqid mapping entry + */ +typedef struct { + /** allocated reqid */ + u_int32_t reqid; + /** references to this entry */ + u_int refs; + /** inbound mark used for SA */ + mark_t mark_in; + /** outbound mark used for SA */ + mark_t mark_out; + /** local traffic selectors */ + array_t *local; + /** remote traffic selectors */ + array_t *remote; +} reqid_entry_t; + +/** + * Destroy a reqid mapping entry + */ +static void reqid_entry_destroy(reqid_entry_t *entry) +{ + array_destroy_offset(entry->local, offsetof(traffic_selector_t, destroy)); + array_destroy_offset(entry->remote, offsetof(traffic_selector_t, destroy)); + free(entry); +} + +/** + * Hashtable hash function for reqid entries using reqid as key + */ +static u_int hash_reqid(reqid_entry_t *entry) +{ + return chunk_hash_inc(chunk_from_thing(entry->reqid), + chunk_hash_inc(chunk_from_thing(entry->mark_in), + chunk_hash(chunk_from_thing(entry->mark_out)))); +} + +/** + * Hashtable equals function for reqid entries using reqid as key + */ +static bool equals_reqid(reqid_entry_t *a, reqid_entry_t *b) +{ + return a->reqid == b->reqid && + a->mark_in.value == 
b->mark_in.value && + a->mark_in.mask == b->mark_in.mask && + a->mark_out.value == b->mark_out.value && + a->mark_out.mask == b->mark_out.mask; +} + +/** + * Hash an array of traffic selectors + */ +static u_int hash_ts_array(array_t *array, u_int hash) +{ + enumerator_t *enumerator; + traffic_selector_t *ts; + + enumerator = array_create_enumerator(array); + while (enumerator->enumerate(enumerator, &ts)) + { + hash = ts->hash(ts, hash); + } + enumerator->destroy(enumerator); + + return hash; +} + +/** + * Hashtable hash function for reqid entries using traffic selectors as key + */ +static u_int hash_reqid_by_ts(reqid_entry_t *entry) +{ + return hash_ts_array(entry->local, hash_ts_array(entry->remote, + chunk_hash_inc(chunk_from_thing(entry->mark_in), + chunk_hash(chunk_from_thing(entry->mark_out))))); +} + +/** + * Compare two array with traffic selectors for equality + */ +static bool ts_array_equals(array_t *a, array_t *b) +{ + traffic_selector_t *tsa, *tsb; + enumerator_t *ae, *be; + bool equal = TRUE; + + if (array_count(a) != array_count(b)) + { + return FALSE; + } + + ae = array_create_enumerator(a); + be = array_create_enumerator(b); + while (equal && ae->enumerate(ae, &tsa) && be->enumerate(be, &tsb)) + { + equal = tsa->equals(tsa, tsb); + } + ae->destroy(ae); + be->destroy(be); + + return equal; +} + +/** + * Hashtable equals function for reqid entries using traffic selectors as key + */ +static bool equals_reqid_by_ts(reqid_entry_t *a, reqid_entry_t *b) +{ + return ts_array_equals(a->local, b->local) && + ts_array_equals(a->remote, b->remote) && + a->mark_in.value == b->mark_in.value && + a->mark_in.mask == b->mark_in.mask && + a->mark_out.value == b->mark_out.value && + a->mark_out.mask == b->mark_out.mask; +} + +/** + * Create an array from copied traffic selector list items + */ +static array_t *array_from_ts_list(linked_list_t *list) +{ + enumerator_t *enumerator; + traffic_selector_t *ts; + array_t *array; + + array = array_create(0, 0); + + 
enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &ts)) + { + array_insert(array, ARRAY_TAIL, ts->clone(ts)); + } + enumerator->destroy(enumerator); + + return array; +} + +METHOD(kernel_interface_t, alloc_reqid, status_t, + private_kernel_interface_t *this, + linked_list_t *local_ts, linked_list_t *remote_ts, + mark_t mark_in, mark_t mark_out, u_int32_t *reqid) +{ + static u_int32_t counter = 0; + reqid_entry_t *entry = NULL, *tmpl; + status_t status = SUCCESS; + + INIT(tmpl, + .local = array_from_ts_list(local_ts), + .remote = array_from_ts_list(remote_ts), + .mark_in = mark_in, + .mark_out = mark_out, + .reqid = *reqid, + ); + + this->mutex->lock(this->mutex); + if (tmpl->reqid) + { + /* search by reqid if given */ + entry = this->reqids->get(this->reqids, tmpl); + } + if (entry) + { + /* we don't require a traffic selector match for explicit reqids, + * as we wan't to reuse a reqid for trap-triggered policies that + * got narrowed during negotiation. 
*/ + reqid_entry_destroy(tmpl); + } + else + { + /* search by traffic selectors */ + entry = this->reqids_by_ts->get(this->reqids_by_ts, tmpl); + if (entry) + { + reqid_entry_destroy(tmpl); + } + else + { + /* none found, create a new entry, allocating a reqid */ + entry = tmpl; + entry->reqid = ++counter; + this->reqids_by_ts->put(this->reqids_by_ts, entry, entry); + this->reqids->put(this->reqids, entry, entry); + } + *reqid = entry->reqid; + } + entry->refs++; + this->mutex->unlock(this->mutex); + + return status; +} + +METHOD(kernel_interface_t, release_reqid, status_t, + private_kernel_interface_t *this, u_int32_t reqid, + mark_t mark_in, mark_t mark_out) +{ + reqid_entry_t *entry, tmpl = { + .reqid = reqid, + .mark_in = mark_in, + .mark_out = mark_out, + }; + + this->mutex->lock(this->mutex); + entry = this->reqids->remove(this->reqids, &tmpl); + if (entry) + { + if (--entry->refs == 0) + { + entry = this->reqids_by_ts->remove(this->reqids_by_ts, entry); + if (entry) + { + reqid_entry_destroy(entry); + } + } + else + { + this->reqids->put(this->reqids, entry, entry); + } + } + this->mutex->unlock(this->mutex); + + if (entry) + { + return SUCCESS; + } + return NOT_FOUND; +} + +METHOD(kernel_interface_t, add_sa, status_t, + private_kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, + u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, + u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, + bool initiator, bool encap, bool esn, bool inbound, bool update, + linked_list_t *src_ts, linked_list_t *dst_ts) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid, + mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode, + ipcomp, cpi, replay_window, initiator, encap, esn, inbound, + update, src_ts, dst_ts); +} + 
+METHOD(kernel_interface_t, update_sa, status_t, + private_kernel_interface_t *this, u_int32_t spi, u_int8_t protocol, + u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, + bool encap, bool new_encap, mark_t mark) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst, + new_src, new_dst, encap, new_encap, mark); +} + +METHOD(kernel_interface_t, query_sa, status_t, + private_kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, u_int8_t protocol, mark_t mark, + u_int64_t *bytes, u_int64_t *packets, time_t *time) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark, + bytes, packets, time); +} + +METHOD(kernel_interface_t, del_sa, status_t, + private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, + u_int8_t protocol, u_int16_t cpi, mark_t mark) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi, mark); +} + +METHOD(kernel_interface_t, flush_sas, status_t, + private_kernel_interface_t *this) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->flush_sas(this->ipsec); +} + +METHOD(kernel_interface_t, add_policy, status_t, + private_kernel_interface_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, + mark_t mark, policy_priority_t priority) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts, + direction, type, sa, mark, priority); +} + +METHOD(kernel_interface_t, query_policy, status_t, + private_kernel_interface_t *this, traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + time_t *use_time) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; 
+ } + return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts, + direction, mark, use_time); +} + +METHOD(kernel_interface_t, del_policy, status_t, + private_kernel_interface_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, + mark_t mark, policy_priority_t priority) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->del_policy(this->ipsec, src, dst, src_ts, dst_ts, + direction, type, sa, mark, priority); +} + +METHOD(kernel_interface_t, flush_policies, status_t, + private_kernel_interface_t *this) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->flush_policies(this->ipsec); +} + +METHOD(kernel_interface_t, get_source_addr, host_t*, + private_kernel_interface_t *this, host_t *dest, host_t *src) +{ + if (!this->net) + { + return NULL; + } + return this->net->get_source_addr(this->net, dest, src); +} + +METHOD(kernel_interface_t, get_nexthop, host_t*, + private_kernel_interface_t *this, host_t *dest, int prefix, host_t *src) +{ + if (!this->net) + { + return NULL; + } + return this->net->get_nexthop(this->net, dest, prefix, src); +} + +METHOD(kernel_interface_t, get_interface, bool, + private_kernel_interface_t *this, host_t *host, char **name) +{ + if (!this->net) + { + return NULL; + } + return this->net->get_interface(this->net, host, name); +} + +METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*, + private_kernel_interface_t *this, kernel_address_type_t which) +{ + if (!this->net) + { + return enumerator_create_empty(); + } + return this->net->create_address_enumerator(this->net, which); +} + +METHOD(kernel_interface_t, add_ip, status_t, + private_kernel_interface_t *this, host_t *virtual_ip, int prefix, + char *iface) +{ + if (!this->net) + { + return NOT_SUPPORTED; + } + return this->net->add_ip(this->net, virtual_ip, prefix, iface); +} + +METHOD(kernel_interface_t, del_ip, 
status_t, + private_kernel_interface_t *this, host_t *virtual_ip, int prefix, bool wait) +{ + if (!this->net) + { + return NOT_SUPPORTED; + } + return this->net->del_ip(this->net, virtual_ip, prefix, wait); +} + +METHOD(kernel_interface_t, add_route, status_t, + private_kernel_interface_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +{ + if (!this->net) + { + return NOT_SUPPORTED; + } + return this->net->add_route(this->net, dst_net, prefixlen, gateway, + src_ip, if_name); +} + +METHOD(kernel_interface_t, del_route, status_t, + private_kernel_interface_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +{ + if (!this->net) + { + return NOT_SUPPORTED; + } + return this->net->del_route(this->net, dst_net, prefixlen, gateway, + src_ip, if_name); +} + +METHOD(kernel_interface_t, bypass_socket, bool, + private_kernel_interface_t *this, int fd, int family) +{ + if (!this->ipsec) + { + return FALSE; + } + return this->ipsec->bypass_socket(this->ipsec, fd, family); +} + +METHOD(kernel_interface_t, enable_udp_decap, bool, + private_kernel_interface_t *this, int fd, int family, u_int16_t port) +{ + if (!this->ipsec) + { + return FALSE; + } + return this->ipsec->enable_udp_decap(this->ipsec, fd, family, port); +} + +METHOD(kernel_interface_t, is_interface_usable, bool, + private_kernel_interface_t *this, const char *iface) +{ + status_t expected; + + if (!this->ifaces_filter) + { + return TRUE; + } + expected = this->ifaces_exclude ? 
NOT_FOUND : SUCCESS; + return this->ifaces_filter->find_first(this->ifaces_filter, (void*)streq, + NULL, iface) == expected; +} + +METHOD(kernel_interface_t, all_interfaces_usable, bool, + private_kernel_interface_t *this) +{ + return this->ifaces_filter == NULL; +} + +METHOD(kernel_interface_t, get_address_by_ts, status_t, + private_kernel_interface_t *this, traffic_selector_t *ts, + host_t **ip, bool *vip) +{ + enumerator_t *addrs; + host_t *host; + int family; + bool found = FALSE; + + DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts); + + /* if we have a family which includes localhost, we do not + * search for an IP, we use the default */ + family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6; + + if (family == AF_INET) + { + host = host_create_from_string("127.0.0.1", 0); + } + else + { + host = host_create_from_string("::1", 0); + } + + if (ts->includes(ts, host)) + { + *ip = host_create_any(family); + host->destroy(host); + DBG2(DBG_KNL, "using host %H", *ip); + return SUCCESS; + } + host->destroy(host); + + /* try virtual IPs only first (on all interfaces) */ + addrs = create_address_enumerator(this, + ADDR_TYPE_ALL ^ ADDR_TYPE_REGULAR); + while (addrs->enumerate(addrs, (void**)&host)) + { + if (ts->includes(ts, host)) + { + found = TRUE; + *ip = host->clone(host); + if (vip) + { + *vip = TRUE; + } + break; + } + } + addrs->destroy(addrs); + + if (!found) + { /* then try the regular addresses (on all interfaces) */ + addrs = create_address_enumerator(this, + ADDR_TYPE_ALL ^ ADDR_TYPE_VIRTUAL); + while (addrs->enumerate(addrs, (void**)&host)) + { + if (ts->includes(ts, host)) + { + found = TRUE; + *ip = host->clone(host); + if (vip) + { + *vip = FALSE; + } + break; + } + } + addrs->destroy(addrs); + } + + if (!found) + { + DBG2(DBG_KNL, "no local address found in traffic selector %R", ts); + return FAILED; + } + + DBG2(DBG_KNL, "using host %H", *ip); + return SUCCESS; +} + + +METHOD(kernel_interface_t, add_ipsec_interface, 
bool, + private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor) +{ + if (!this->ipsec) + { + this->ipsec_constructor = constructor; + this->ipsec = constructor(); + return this->ipsec != NULL; + } + return FALSE; +} + +METHOD(kernel_interface_t, remove_ipsec_interface, bool, + private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor) +{ + if (constructor == this->ipsec_constructor && this->ipsec) + { + this->ipsec->destroy(this->ipsec); + this->ipsec = NULL; + return TRUE; + } + return FALSE; +} + +METHOD(kernel_interface_t, add_net_interface, bool, + private_kernel_interface_t *this, kernel_net_constructor_t constructor) +{ + if (!this->net) + { + this->net_constructor = constructor; + this->net = constructor(); + return this->net != NULL; + } + return FALSE; +} + +METHOD(kernel_interface_t, remove_net_interface, bool, + private_kernel_interface_t *this, kernel_net_constructor_t constructor) +{ + if (constructor == this->net_constructor && this->net) + { + this->net->destroy(this->net); + this->net = NULL; + return TRUE; + } + return FALSE; +} + +METHOD(kernel_interface_t, add_listener, void, + private_kernel_interface_t *this, kernel_listener_t *listener) +{ + this->mutex->lock(this->mutex); + this->listeners->insert_last(this->listeners, listener); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, remove_listener, void, + private_kernel_interface_t *this, kernel_listener_t *listener) +{ + this->mutex->lock(this->mutex); + this->listeners->remove(this->listeners, listener, NULL); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, acquire, void, + private_kernel_interface_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts) +{ + kernel_listener_t *listener; + enumerator_t *enumerator; + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &listener)) + { + if 
(listener->acquire && + !listener->acquire(listener, reqid, src_ts, dst_ts)) + { + this->listeners->remove_at(this->listeners, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, expire, void, + private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, bool hard) +{ + kernel_listener_t *listener; + enumerator_t *enumerator; + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &listener)) + { + if (listener->expire && + !listener->expire(listener, protocol, spi, dst, hard)) + { + this->listeners->remove_at(this->listeners, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, mapping, void, + private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, host_t *remote) +{ + kernel_listener_t *listener; + enumerator_t *enumerator; + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &listener)) + { + if (listener->mapping && + !listener->mapping(listener, protocol, spi, dst, remote)) + { + this->listeners->remove_at(this->listeners, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, migrate, void, + private_kernel_interface_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, host_t *local, host_t *remote) +{ + kernel_listener_t *listener; + enumerator_t *enumerator; + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &listener)) + { + if (listener->migrate && + !listener->migrate(listener, reqid, src_ts, dst_ts, direction, + local, remote)) + { + 
this->listeners->remove_at(this->listeners, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +static bool call_roam(kernel_listener_t *listener, bool *roam) +{ + return listener->roam && !listener->roam(listener, *roam); +} + +METHOD(kernel_interface_t, roam, void, + private_kernel_interface_t *this, bool address) +{ + this->mutex->lock(this->mutex); + this->listeners->remove(this->listeners, &address, (void*)call_roam); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, tun, void, + private_kernel_interface_t *this, tun_device_t *tun, bool created) +{ + kernel_listener_t *listener; + enumerator_t *enumerator; + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &listener)) + { + if (listener->tun && + !listener->tun(listener, tun, created)) + { + this->listeners->remove_at(this->listeners, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(kernel_interface_t, register_algorithm, void, + private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type, + u_int16_t kernel_id, char *kernel_name) +{ + kernel_algorithm_t *algorithm; + + INIT(algorithm, + .type = type, + .ike = alg_id, + .kernel = kernel_id, + .name = strdup(kernel_name), + ); + + this->mutex_algs->lock(this->mutex_algs); + this->algorithms->insert_first(this->algorithms, algorithm); + this->mutex_algs->unlock(this->mutex_algs); +} + +METHOD(kernel_interface_t, lookup_algorithm, bool, + private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type, + u_int16_t *kernel_id, char **kernel_name) +{ + kernel_algorithm_t *algorithm; + enumerator_t *enumerator; + bool found = FALSE; + + this->mutex_algs->lock(this->mutex_algs); + enumerator = this->algorithms->create_enumerator(this->algorithms); + while (enumerator->enumerate(enumerator, &algorithm)) + { + if (algorithm->type == 
type && algorithm->ike == alg_id) + { + if (kernel_id) + { + *kernel_id = algorithm->kernel; + } + if (kernel_name) + { + *kernel_name = algorithm->name; + } + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + this->mutex_algs->unlock(this->mutex_algs); + return found; +} + +METHOD(kernel_interface_t, destroy, void, + private_kernel_interface_t *this) +{ + kernel_algorithm_t *algorithm; + + while (this->algorithms->remove_first(this->algorithms, + (void**)&algorithm) == SUCCESS) + { + free(algorithm->name); + free(algorithm); + } + this->algorithms->destroy(this->algorithms); + this->mutex_algs->destroy(this->mutex_algs); + DESTROY_IF(this->ipsec); + DESTROY_IF(this->net); + DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free); + this->reqids->destroy(this->reqids); + this->reqids_by_ts->destroy(this->reqids_by_ts); + this->listeners->destroy(this->listeners); + this->mutex->destroy(this->mutex); + free(this); +} + +/* + * Described in header-file + */ +kernel_interface_t *kernel_interface_create() +{ + private_kernel_interface_t *this; + char *ifaces; + + INIT(this, + .public = { + .get_features = _get_features, + .get_spi = _get_spi, + .get_cpi = _get_cpi, + .alloc_reqid = _alloc_reqid, + .release_reqid = _release_reqid, + .add_sa = _add_sa, + .update_sa = _update_sa, + .query_sa = _query_sa, + .del_sa = _del_sa, + .flush_sas = _flush_sas, + .add_policy = _add_policy, + .query_policy = _query_policy, + .del_policy = _del_policy, + .flush_policies = _flush_policies, + .get_source_addr = _get_source_addr, + .get_nexthop = _get_nexthop, + .get_interface = _get_interface, + .create_address_enumerator = _create_address_enumerator, + .add_ip = _add_ip, + .del_ip = _del_ip, + .add_route = _add_route, + .del_route = _del_route, + .bypass_socket = _bypass_socket, + .enable_udp_decap = _enable_udp_decap, + + .is_interface_usable = _is_interface_usable, + .all_interfaces_usable = _all_interfaces_usable, + .get_address_by_ts = _get_address_by_ts, + 
.add_ipsec_interface = _add_ipsec_interface, + .remove_ipsec_interface = _remove_ipsec_interface, + .add_net_interface = _add_net_interface, + .remove_net_interface = _remove_net_interface, + + .add_listener = _add_listener, + .remove_listener = _remove_listener, + .register_algorithm = _register_algorithm, + .lookup_algorithm = _lookup_algorithm, + .acquire = _acquire, + .expire = _expire, + .mapping = _mapping, + .migrate = _migrate, + .roam = _roam, + .tun = _tun, + .destroy = _destroy, + }, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .listeners = linked_list_create(), + .mutex_algs = mutex_create(MUTEX_TYPE_DEFAULT), + .algorithms = linked_list_create(), + .reqids = hashtable_create((hashtable_hash_t)hash_reqid, + (hashtable_equals_t)equals_reqid, 8), + .reqids_by_ts = hashtable_create((hashtable_hash_t)hash_reqid_by_ts, + (hashtable_equals_t)equals_reqid_by_ts, 8), + ); + + ifaces = lib->settings->get_str(lib->settings, + "%s.interfaces_use", NULL, lib->ns); + if (!ifaces) + { + this->ifaces_exclude = TRUE; + ifaces = lib->settings->get_str(lib->settings, + "%s.interfaces_ignore", NULL, lib->ns); + } + if (ifaces) + { + enumerator_t *enumerator; + char *iface; + + enumerator = enumerator_create_token(ifaces, ",", " "); + while (enumerator->enumerate(enumerator, &iface)) + { + if (!this->ifaces_filter) + { + this->ifaces_filter = linked_list_create(); + } + this->ifaces_filter->insert_last(this->ifaces_filter, + strdup(iface)); + } + enumerator->destroy(enumerator); + } + + return &this->public; +} diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h new file mode 100644 index 000000000..6793c6cc6 --- /dev/null +++ b/src/libcharon/kernel/kernel_interface.h 
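Review bot: `get_interface` is declared with a `bool` return, but its `!this->net` guard does `return NULL;`; it should be `return FALSE;` like the neighbouring `bypass_socket` and `enable_udp_decap` guards (same value at runtime, but it reads as a pointer API and trips pointer-to-integer conversion warnings). `register_algorithm` hands `kernel_name` straight to `strdup()`, while `lookup_algorithm` treats the name as optional output; unless every backend is known to pass a non-NULL name, guard it with `.name = kernel_name ? strdup(kernel_name) : NULL,` since `strdup(NULL)` is undefined. Also note that `acquire`, `expire`, `mapping`, `migrate`, `roam` and `tun` invoke listener callbacks while holding `this->mutex`, which is the same non-recursive mutex taken by `alloc_reqid`/`release_reqid` and `add_listener`/`remove_listener`, so a listener calling any of those synchronously from its callback deadlocks; the field comment `mutex for listeners` should say so, e.g. `/** protects listeners and the reqid tables; held while listeners are called back, so callbacks must not re-enter those methods */`. Minor: in `alloc_reqid` the local `status` is only ever `SUCCESS`, so `return SUCCESS;` directly and drop the variable.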
@@ -0,0 +1,655 @@
+/*
+ * Copyright (C) 2006-2015 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/*
+ * Copyright (c) 2012 Nanoteq Pty Ltd
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */ + +/** + * @defgroup kernel_interface kernel_interface + * @{ @ingroup kernel + */ + +#ifndef KERNEL_INTERFACE_H_ +#define KERNEL_INTERFACE_H_ + +typedef struct kernel_interface_t kernel_interface_t; +typedef enum kernel_feature_t kernel_feature_t; + +#include <networking/host.h> +#include <crypto/prf_plus.h> + +#include <kernel/kernel_listener.h> +#include <kernel/kernel_ipsec.h> +#include <kernel/kernel_net.h> + +/** + * Bitfield of optional features a kernel backend supports. + * + * This feature-set is for both, kernel_ipsec_t and kernel_net_t. Each + * backend returns a subset of these features. + */ +enum kernel_feature_t { + /** IPsec can process ESPv3 (RFC 4303) TFC padded packets */ + KERNEL_ESP_V3_TFC = (1<<0), + /** Networking requires an "exclude" route for IKE/ESP packets */ + KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1), + /** IPsec implementation requires UDP encapsulation of ESP packets */ + KERNEL_REQUIRE_UDP_ENCAPSULATION = (1<<2), + /** IPsec backend does not require a policy reinstall on SA updates */ + KERNEL_NO_POLICY_UPDATES = (1<<3), +}; + +/** + * Constructor function for ipsec kernel interface + */ +typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void); + +/** + * Constructor function for network kernel interface + */ +typedef kernel_net_t* (*kernel_net_constructor_t)(void); + +/** + * Manager and wrapper for different kernel interfaces. + * + * The kernel interface handles the communication with the kernel + * for SA and policy management and interface and IP address management. + */ +struct kernel_interface_t { + + /** + * Get the feature set supported by the net and ipsec kernel backends. + * + * @return ORed feature-set of backends + */ + kernel_feature_t (*get_features)(kernel_interface_t *this); + + /** + * Get a SPI from the kernel. 
+ * + * @param src source address of SA + * @param dst destination address of SA + * @param protocol protocol for SA (ESP/AH) + * @param spi allocated spi + * @return SUCCESS if operation completed + */ + status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst, + u_int8_t protocol, u_int32_t *spi); + + /** + * Get a Compression Parameter Index (CPI) from the kernel. + * + * @param src source address of SA + * @param dst destination address of SA + * @param cpi allocated cpi + * @return SUCCESS if operation completed + */ + status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst, + u_int16_t *cpi); + + /** + * Allocate or confirm a reqid to use for a given SA pair. + * + * Each returned reqid by a successful call to alloc_reqid() must be + * released using release_reqid(). + * + * The reqid parameter is an in/out parameter. If it points to non-zero, + * the reqid is confirmed and registered for use. If it points to zero, + * a reqid is allocated for the given selectors, and returned to reqid. + * + * @param local_ts traffic selectors of local side for SA + * @param remote_ts traffic selectors of remote side for SA + * @param mark_in inbound mark on SA + * @param mark_out outbound mark on SA + * @param reqid allocated reqid + * @return SUCCESS if reqid allocated + */ + status_t (*alloc_reqid)(kernel_interface_t *this, + linked_list_t *local_ts, linked_list_t *remote_ts, + mark_t mark_in, mark_t mark_out, + u_int32_t *reqid); + + /** + * Release a previously allocated reqid. + * + * @param reqid reqid to release + * @param mark_in inbound mark on SA + * @param mark_out outbound mark on SA + * @return SUCCESS if reqid released + */ + status_t (*release_reqid)(kernel_interface_t *this, u_int32_t reqid, + mark_t mark_in, mark_t mark_out); + + /** + * Add an SA to the SAD. + * + * This function does install a single SA for a single protocol in one + * direction. 
+ * + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param reqid reqid for this SA + * @param mark optional mark for this SA + * @param tfc Traffic Flow Confidentiality padding for this SA + * @param lifetime lifetime_cfg_t for this SA + * @param enc_alg Algorithm to use for encryption (ESP only) + * @param enc_key key to use for encryption + * @param int_alg Algorithm to use for integrity protection + * @param int_key key to use for integrity protection + * @param mode mode of the SA (tunnel, transport) + * @param ipcomp IPComp transform to use + * @param cpi CPI for IPComp + * @param replay_window anti-replay window size + * @param initiator TRUE if initiator of the exchange creating this SA + * @param encap enable UDP encapsulation for NAT traversal + * @param esn TRUE to use Extended Sequence Numbers + * @param inbound TRUE if this is an inbound SA + * @param update TRUE if an SPI has already been allocated for SA + * @param src_ts list of source traffic selectors + * @param dst_ts list of destination traffic selectors + * @return SUCCESS if operation completed + */ + status_t (*add_sa) (kernel_interface_t *this, + host_t *src, host_t *dst, u_int32_t spi, + u_int8_t protocol, u_int32_t reqid, mark_t mark, + u_int32_t tfc, lifetime_cfg_t *lifetime, + u_int16_t enc_alg, chunk_t enc_key, + u_int16_t int_alg, chunk_t int_key, + ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, + u_int32_t replay_window, bool initiator, bool encap, + bool esn, bool inbound, bool update, + linked_list_t *src_ts, linked_list_t *dst_ts); + + /** + * Update the hosts on an installed SA. + * + * We cannot directly update the destination address as the kernel + * requires the spi, the protocol AND the destination address (and family) + * to identify SAs. Therefore if the destination address changed we + * create a new SA and delete the old one. 
+ * + * @param spi SPI of the SA + * @param protocol protocol for this SA (ESP/AH) + * @param cpi CPI for IPComp, 0 if no IPComp is used + * @param src current source address + * @param dst current destination address + * @param new_src new source address + * @param new_dst new destination address + * @param encap current use of UDP encapsulation + * @param new_encap new use of UDP encapsulation + * @param mark optional mark for this SA + * @return SUCCESS if operation completed, NOT_SUPPORTED if + * the kernel interface can't update the SA + */ + status_t (*update_sa)(kernel_interface_t *this, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, + host_t *src, host_t *dst, + host_t *new_src, host_t *new_dst, + bool encap, bool new_encap, mark_t mark); + + /** + * Query the number of bytes processed by an SA from the SAD. + * + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param mark optional mark for this SA + * @param[out] bytes the number of bytes processed by SA + * @param[out] packets number of packets processed by SA + * @param[out] time last (monotonic) time of SA use + * @return SUCCESS if operation completed + */ + status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, u_int8_t protocol, mark_t mark, + u_int64_t *bytes, u_int64_t *packets, time_t *time); + + /** + * Delete a previously installed SA from the SAD. 
+ * + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param cpi CPI for IPComp or 0 + * @param mark optional mark for this SA + * @return SUCCESS if operation completed + */ + status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, + mark_t mark); + + /** + * Flush all SAs from the SAD. + * + * @return SUCCESS if operation completed + */ + status_t (*flush_sas) (kernel_interface_t *this); + + /** + * Add a policy to the SPD. + * + * @param src source address of SA + * @param dst dest address of SA + * @param src_ts traffic selector to match traffic source + * @param dst_ts traffic selector to match traffic dest + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) + * @param type type of policy, POLICY_(IPSEC|PASS|DROP) + * @param sa details about the SA(s) tied to this policy + * @param mark mark for this policy + * @param priority priority of this policy + * @return SUCCESS if operation completed + */ + status_t (*add_policy) (kernel_interface_t *this, + host_t *src, host_t *dst, + traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, + ipsec_sa_cfg_t *sa, mark_t mark, + policy_priority_t priority); + + /** + * Query the use time of a policy. + * + * The use time of a policy is the time the policy was used + * for the last time. 
+ * + * @param src_ts traffic selector to match traffic source + * @param dst_ts traffic selector to match traffic dest + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) + * @param mark optional mark + * @param[out] use_time the (monotonic) time of this SA's last use + * @return SUCCESS if operation completed + */ + status_t (*query_policy) (kernel_interface_t *this, + traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, + policy_dir_t direction, mark_t mark, + time_t *use_time); + + /** + * Remove a policy from the SPD. + * + * @param src source address of SA + * @param dst dest address of SA + * @param src_ts traffic selector to match traffic source + * @param dst_ts traffic selector to match traffic dest + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) + * @param type type of policy, POLICY_(IPSEC|PASS|DROP) + * @param sa details about the SA(s) tied to this policy + * @param mark mark for this policy + * @param priority priority of the policy + * @return SUCCESS if operation completed + */ + status_t (*del_policy) (kernel_interface_t *this, + host_t *src, host_t *dst, + traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, + ipsec_sa_cfg_t *sa, mark_t mark, + policy_priority_t priority); + + /** + * Flush all policies from the SPD. + * + * @return SUCCESS if operation completed + */ + status_t (*flush_policies) (kernel_interface_t *this); + + /** + * Get our outgoing source address for a destination. + * + * Does a route lookup to get the source address used to reach dest. + * The returned host is allocated and must be destroyed. + * An optional src address can be used to check if a route is available + * for the given source to dest. 
+ * + * @param dest target destination address + * @param src source address to check, or NULL + * @return outgoing source address, NULL if unreachable + */ + host_t* (*get_source_addr)(kernel_interface_t *this, + host_t *dest, host_t *src); + + /** + * Get the next hop for a destination. + * + * Does a route lookup to get the next hop used to reach dest. + * The returned host is allocated and must be destroyed. + * An optional src address can be used to check if a route is available + * for the given source to dest. + * + * @param dest target destination address + * @param prefix prefix length if dest is a subnet, -1 for auto + * @param src source address to check, or NULL + * @return next hop address, NULL if unreachable + */ + host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest, + int prefix, host_t *src); + + /** + * Get the interface name of a local address. Interfaces that are down or + * ignored by config are not considered. + * + * @param host address to get interface name from + * @param name allocated interface name (optional) + * @return TRUE if interface found and usable + */ + bool (*get_interface)(kernel_interface_t *this, host_t *host, char **name); + + /** + * Creates an enumerator over all local addresses. + * + * This function blocks an internal cached address list until the + * enumerator gets destroyed. + * The hosts are read-only, do not modify of free. + * + * @param which a combination of address types to enumerate + * @return enumerator over host_t's + */ + enumerator_t *(*create_address_enumerator) (kernel_interface_t *this, + kernel_address_type_t which); + + /** + * Add a virtual IP to an interface. + * + * Virtual IPs are attached to an interface. If an IP is added multiple + * times, the IP is refcounted and not removed until del_ip() was called + * as many times as add_ip(). 
+ * + * @param virtual_ip virtual ip address to assign + * @param prefix prefix length to install IP with, -1 for auto + * @param iface interface to install virtual IP on + * @return SUCCESS if operation completed + */ + status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, int prefix, + char *iface); + + /** + * Remove a virtual IP from an interface. + * + * The kernel interface uses refcounting, see add_ip(). + * + * @param virtual_ip virtual ip address to remove + * @param prefix prefix length of the IP to uninstall, -1 for auto + * @param wait TRUE to wait untily IP is gone + * @return SUCCESS if operation completed + */ + status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip, + int prefix, bool wait); + + /** + * Add a route. + * + * @param dst_net destination net + * @param prefixlen destination net prefix length + * @param gateway gateway for this route + * @param src_ip source ip of the route + * @param if_name name of the interface the route is bound to + * @return SUCCESS if operation completed + * ALREADY_DONE if the route already exists + */ + status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, + char *if_name); + + /** + * Delete a route. + * + * @param dst_net destination net + * @param prefixlen destination net prefix length + * @param gateway gateway for this route + * @param src_ip source ip of the route + * @param if_name name of the interface the route is bound to + * @return SUCCESS if operation completed + */ + status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, + char *if_name); + + /** + * Set up a bypass policy for a given socket. 
+ * + * @param fd socket file descriptor to setup policy for + * @param family protocol family of the socket + * @return TRUE if policy set up successfully + */ + bool (*bypass_socket)(kernel_interface_t *this, int fd, int family); + + /** + * Enable decapsulation of ESP-in-UDP packets for the given port/socket. + * + * @param fd socket file descriptor + * @param family protocol family of the socket + * @param port the UDP port + * @return TRUE if UDP decapsulation was enabled successfully + */ + bool (*enable_udp_decap)(kernel_interface_t *this, int fd, int family, + u_int16_t port); + + + /** + * manager methods + */ + + /** + * Verifies that the given interface is usable and not excluded by + * configuration. + * + * @param iface interface name + * @return TRUE if usable + */ + bool (*is_interface_usable)(kernel_interface_t *this, const char *iface); + + /** + * Check if interfaces are excluded by config. + * + * @return TRUE if no interfaces are exclued by config + */ + bool (*all_interfaces_usable)(kernel_interface_t *this); + + /** + * Tries to find an IP address of a local interface that is included in the + * supplied traffic selector. + * + * @param ts traffic selector + * @param ip returned IP address (has to be destroyed) + * @param vip set to TRUE if returned address is a virtual IP + * @return SUCCESS if address found + */ + status_t (*get_address_by_ts)(kernel_interface_t *this, + traffic_selector_t *ts, host_t **ip, bool *vip); + + /** + * Register an ipsec kernel interface constructor on the manager. + * + * @param create constructor to register + * @return TRUE if the ipsec kernel interface was registered + * successfully, FALSE if an interface was already + * registered or the registration failed + */ + bool (*add_ipsec_interface)(kernel_interface_t *this, + kernel_ipsec_constructor_t create); + + /** + * Unregister an ipsec kernel interface constructor. 
+ * + * @param create constructor to unregister + * @return TRUE if the ipsec kernel interface was unregistered + * successfully, FALSE otherwise + */ + bool (*remove_ipsec_interface)(kernel_interface_t *this, + kernel_ipsec_constructor_t create); + + /** + * Register a network kernel interface constructor on the manager. + * + * @param create constructor to register + * @return TRUE if the kernel net interface was registered + * successfully, FALSE if an interface was already + * registered or the registration failed + */ + bool (*add_net_interface)(kernel_interface_t *this, + kernel_net_constructor_t create); + + /** + * Unregister a network kernel interface constructor. + * + * @param create constructor to unregister + * @return TRUE if the kernel net interface was unregistered + * successfully, FALSE otherwise + */ + bool (*remove_net_interface)(kernel_interface_t *this, + kernel_net_constructor_t create); + + /** + * Add a listener to the kernel interface. + * + * @param listener listener to add + */ + void (*add_listener)(kernel_interface_t *this, + kernel_listener_t *listener); + + /** + * Remove a listener from the kernel interface. + * + * @param listener listener to remove + */ + void (*remove_listener)(kernel_interface_t *this, + kernel_listener_t *listener); + + /** + * Raise an acquire event. + * + * @param reqid reqid of the policy to acquire + * @param src_ts source traffic selector + * @param dst_ts destination traffic selector + */ + void (*acquire)(kernel_interface_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts); + + /** + * Raise an expire event. + * + * @param protocol protocol of the expired SA + * @param spi spi of the expired SA + * @param dst destination address of expired SA + * @param hard TRUE if it is a hard expire, FALSE otherwise + */ + void (*expire)(kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, bool hard); + + /** + * Raise a mapping event. 
+ * + * @param protocol protocol of affected SA + * @param spi spi of the SA + * @param dst original destination address of SA + * @param remote new remote host + */ + void (*mapping)(kernel_interface_t *this, u_int8_t protocol, u_int32_t spi, + host_t *dst, host_t *remote); + + /** + * Raise a migrate event. + * + * @param reqid reqid of the policy + * @param src_ts source traffic selector + * @param dst_ts destination traffic selector + * @param direction direction of the policy (in|out) + * @param local local host address to be used in the IKE_SA + * @param remote remote host address to be used in the IKE_SA + */ + void (*migrate)(kernel_interface_t *this, u_int32_t reqid, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, host_t *local, host_t *remote); + + /** + * Raise a roam event. + * + * @param address TRUE if address list, FALSE if routing changed + */ + void (*roam)(kernel_interface_t *this, bool address); + + /** + * Raise a tun event. + * + * @param tun TUN device + * @param created TRUE if created, FALSE if going to be destroyed + */ + void (*tun)(kernel_interface_t *this, tun_device_t *tun, bool created); + + /** + * Register a new algorithm with the kernel interface. + * + * @param alg_id the IKE id of the algorithm + * @param type the transform type of the algorithm + * @param kernel_id the kernel id of the algorithm + * @param kernel_name the kernel name of the algorithm + */ + void (*register_algorithm)(kernel_interface_t *this, u_int16_t alg_id, + transform_type_t type, u_int16_t kernel_id, + char *kernel_name); + + /** + * Return the kernel-specific id and/or name for an algorithms depending on + * the arguments specified. 
+ *
+ * @param alg_id the IKE id of the algorithm
+ * @param type the transform type of the algorithm
+ * @param kernel_id the kernel id of the algorithm (optional)
+ * @param kernel_name the kernel name of the algorithm (optional)
+ * @return TRUE if algorithm was found
+ */
+ bool (*lookup_algorithm)(kernel_interface_t *this, u_int16_t alg_id,
+ transform_type_t type, u_int16_t *kernel_id,
+ char **kernel_name);
+
+ /**
+ * Destroys a kernel_interface_t object.
+ */
+ void (*destroy) (kernel_interface_t *this);
+};
+
+/**
+ * Creates an object of type kernel_interface_t.
+ */
+kernel_interface_t *kernel_interface_create(void);
+
+#endif /** KERNEL_INTERFACE_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_ipsec.c b/src/libcharon/kernel/kernel_ipsec.c
new file mode 100644
index 000000000..0440f11bb
--- /dev/null
+++ b/src/libcharon/kernel/kernel_ipsec.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_ipsec.h"
+
+#include <daemon.h>
+
+/**
+ * See header
+ */
+bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
+ bool reg, void *data)
+{
+ if (reg)
+ {
+ return charon->kernel->add_ipsec_interface(charon->kernel,
+ (kernel_ipsec_constructor_t)data);
+ }
+ else
+ {
+ return charon->kernel->remove_ipsec_interface(charon->kernel,
+ (kernel_ipsec_constructor_t)data);
+ }
+}
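Review bot: lookup_algorithm's `kernel_name` out-parameter is documented only as 'the kernel name of the algorithm (optional)', but the implementation visible earlier in this diff stores `algorithm->name` straight into `*kernel_name` and then releases `mutex_algs`, while destroy() frees those names, so the caller receives a pointer into the manager's own list with no stated ownership or lifetime. I'd document it as `@param kernel_name receives the registered name; owned by the kernel interface, valid until destroy(), must not be freed`, and state on register_algorithm whether `kernel_name` is copied (destroy() freeing it suggests so, but that code is outside this view). add_sa's `enc_key`/`int_key` are raw SA key material and nothing says whether a backend may retain the chunks after the call returns; one sentence fixing that contract ('the backend must not keep references to the key chunks beyond this call') would keep new backends from holding key bytes longer than needed. Small typos in the same hunk: 'untily' in del_ip, and query_policy's use_time is described as 'this SA's last use' where it is the policy's.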
diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h
new file mode 100644
index 000000000..31e06308e
--- /dev/null
+++ b/src/libcharon/kernel/kernel_ipsec.h
@@ -0,0 +1,297 @@ +/* + * Copyright (C) 2006-2015 Tobias Brunner + * Copyright (C) 2006 Daniel Roethlisberger + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup kernel_ipsec kernel_ipsec + * @{ @ingroup kernel + */ + +#ifndef KERNEL_IPSEC_H_ +#define KERNEL_IPSEC_H_ + +typedef struct kernel_ipsec_t kernel_ipsec_t; + +#include <networking/host.h> +#include <ipsec/ipsec_types.h> +#include <selectors/traffic_selector.h> +#include <plugins/plugin.h> +#include <kernel/kernel_interface.h> + +/** + * Interface to the ipsec subsystem of the kernel. + * + * The kernel ipsec interface handles the communication with the kernel + * for SA and policy management. It allows setup of these, and provides + * further the handling of kernel events. + * Policy information are cached in the interface. This is necessary to do + * reference counting. The Linux kernel does not allow the same policy + * installed twice, but we need this as CHILD_SA exist multiple times + * when rekeying. Thats why we do reference counting of policies. + */ +struct kernel_ipsec_t { + + /** + * Get the feature set supported by this kernel backend. + * + * @return ORed feature-set of backend + */ + kernel_feature_t (*get_features)(kernel_ipsec_t *this); + + /** + * Get a SPI from the kernel. 
+ * + * @param src source address of SA + * @param dst destination address of SA + * @param protocol protocol for SA (ESP/AH) + * @param spi allocated spi + * @return SUCCESS if operation completed + */ + status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst, + u_int8_t protocol, u_int32_t *spi); + + /** + * Get a Compression Parameter Index (CPI) from the kernel. + * + * @param src source address of SA + * @param dst destination address of SA + * @param cpi allocated cpi + * @return SUCCESS if operation completed + */ + status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst, + u_int16_t *cpi); + + /** + * Add an SA to the SAD. + * + * This function does install a single SA for a single protocol in one + * direction. + * + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param reqid unique ID for this SA + * @param mark mark for this SA + * @param tfc Traffic Flow Confidentiality padding for this SA + * @param lifetime lifetime_cfg_t for this SA + * @param enc_alg Algorithm to use for encryption (ESP only) + * @param enc_key key to use for encryption + * @param int_alg Algorithm to use for integrity protection + * @param int_key key to use for integrity protection + * @param mode mode of the SA (tunnel, transport) + * @param ipcomp IPComp transform to use + * @param cpi CPI for IPComp + * @param replay_window anti-replay window size + * @param initiator TRUE if initiator of the exchange creating this SA + * @param encap enable UDP encapsulation for NAT traversal + * @param esn TRUE to use Extended Sequence Numbers + * @param inbound TRUE if this is an inbound SA + * @param update TRUE if an SPI has already been allocated for SA + * @param src_ts list of source traffic selectors + * @param dst_ts list of destination traffic selectors + * @return SUCCESS if operation completed + */ + status_t (*add_sa) 
(kernel_ipsec_t *this, + host_t *src, host_t *dst, u_int32_t spi, + u_int8_t protocol, u_int32_t reqid, + mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, + u_int16_t enc_alg, chunk_t enc_key, + u_int16_t int_alg, chunk_t int_key, + ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, + u_int32_t replay_window, bool initiator, bool encap, + bool esn, bool inbound, bool update, + linked_list_t *src_ts, linked_list_t *dst_ts); + + /** + * Update the hosts on an installed SA. + * + * We cannot directly update the destination address as the kernel + * requires the spi, the protocol AND the destination address (and family) + * to identify SAs. Therefore if the destination address changed we + * create a new SA and delete the old one. + * + * @param spi SPI of the SA + * @param protocol protocol for this SA (ESP/AH) + * @param cpi CPI for IPComp, 0 if no IPComp is used + * @param src current source address + * @param dst current destination address + * @param new_src new source address + * @param new_dst new destination address + * @param encap current use of UDP encapsulation + * @param new_encap new use of UDP encapsulation + * @param mark optional mark for this SA + * @return SUCCESS if operation completed, NOT_SUPPORTED if + * the kernel interface can't update the SA + */ + status_t (*update_sa)(kernel_ipsec_t *this, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, + host_t *src, host_t *dst, + host_t *new_src, host_t *new_dst, + bool encap, bool new_encap, mark_t mark); + + /** + * Query the number of bytes processed by an SA from the SAD. 
+ * + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param mark optional mark for this SA + * @param[out] bytes the number of bytes processed by SA + * @param[out] packets number of packets processed by SA + * @param[out] time last (monotonic) time of SA use + * @return SUCCESS if operation completed + */ + status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, + u_int32_t spi, u_int8_t protocol, mark_t mark, + u_int64_t *bytes, u_int64_t *packets, time_t *time); + + /** + * Delete a previusly installed SA from the SAD. + * + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param cpi CPI for IPComp or 0 + * @param mark optional mark for this SA + * @return SUCCESS if operation completed + */ + status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, + u_int32_t spi, u_int8_t protocol, u_int16_t cpi, + mark_t mark); + + /** + * Flush all SAs from the SAD. + * + * @return SUCCESS if operation completed + */ + status_t (*flush_sas) (kernel_ipsec_t *this); + + /** + * Add a policy to the SPD. 
+ * + * @param src source address of SA + * @param dst dest address of SA + * @param src_ts traffic selector to match traffic source + * @param dst_ts traffic selector to match traffic dest + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) + * @param type type of policy, POLICY_(IPSEC|PASS|DROP) + * @param sa details about the SA(s) tied to this policy + * @param mark mark for this policy + * @param priority priority of this policy + * @return SUCCESS if operation completed + */ + status_t (*add_policy) (kernel_ipsec_t *this, + host_t *src, host_t *dst, + traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, + ipsec_sa_cfg_t *sa, mark_t mark, + policy_priority_t priority); + + /** + * Query the use time of a policy. + * + * The use time of a policy is the time the policy was used for the last + * time. It is not the system time, but a monotonic timestamp as returned + * by time_monotonic. + * + * @param src_ts traffic selector to match traffic source + * @param dst_ts traffic selector to match traffic dest + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) + * @param mark optional mark + * @param[out] use_time the monotonic timestamp of this SA's last use + * @return SUCCESS if operation completed + */ + status_t (*query_policy) (kernel_ipsec_t *this, + traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, + policy_dir_t direction, mark_t mark, + time_t *use_time); + + /** + * Remove a policy from the SPD. 
+ * + * @param src source address of SA + * @param dst dest address of SA + * @param src_ts traffic selector to match traffic source + * @param dst_ts traffic selector to match traffic dest + * @param direction direction of traffic, POLICY_(IN|OUT|FWD) + * @param type type of policy, POLICY_(IPSEC|PASS|DROP) + * @param sa details about the SA(s) tied to this policy + * @param mark mark for this policy + * @param priority priority of the policy + * @return SUCCESS if operation completed + */ + status_t (*del_policy) (kernel_ipsec_t *this, + host_t *src, host_t *dst, + traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, + ipsec_sa_cfg_t *sa, mark_t mark, + policy_priority_t priority); + + /** + * Flush all policies from the SPD. + * + * @return SUCCESS if operation completed + */ + status_t (*flush_policies) (kernel_ipsec_t *this); + + /** + * Install a bypass policy for the given socket. + * + * @param fd socket file descriptor to setup policy for + * @param family protocol family of the socket + * @return TRUE of policy set up successfully + */ + bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family); + + /** + * Enable decapsulation of ESP-in-UDP packets for the given port/socket. + * + * @param fd socket file descriptor + * @param family protocol family of the socket + * @param port the UDP port + * @return TRUE if UDP decapsulation was enabled successfully + */ + bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family, + u_int16_t port); + + /** + * Destroy the implementation. + */ + void (*destroy) (kernel_ipsec_t *this); +}; + +/** + * Helper function to (un-)register IPsec kernel interfaces from plugin features. + * + * This function is a plugin_feature_callback_t and can be used with the + * PLUGIN_CALLBACK macro to register an IPsec kernel interface constructor. 
+ *
+ * @param plugin plugin registering the kernel interface
+ * @param feature associated plugin feature
+ * @param reg TRUE to register, FALSE to unregister
+ * @param data data passed to callback, an kernel_ipsec_constructor_t
+ */
+bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
+ bool reg, void *data);
+
+#endif /** KERNEL_IPSEC_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_listener.h b/src/libcharon/kernel/kernel_listener.h
new file mode 100644
index 000000000..6426fae2a
--- /dev/null
+++ b/src/libcharon/kernel/kernel_listener.h
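Review bot: kernel_ipsec_register's doc block lists every @param but no @return, although it returns a bool that the plugin feature machinery presumably acts on; add `@return TRUE if the constructor was registered/unregistered, FALSE otherwise`. add_sa documents `reqid` as 'unique ID for this SA', which contradicts the manager header in the same diff, where alloc_reqid hands out one reqid per SA pair and both directions share it; 'reqid of the CHILD_SA this SA belongs to, shared with its peer SA' would be accurate. The struct comment still justifies policy refcounting by what the Linux kernel allows, but this header is now the backend-neutral contract, so it should state the requirement on implementers ('identical policies are installed more than once while CHILD_SAs overlap during rekeying and must be refcounted') rather than a Linux-specific rationale. Also 'previusly' in del_sa and 'TRUE of policy' in bypass_socket.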
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2010-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_listener kernel_listener
+ * @{ @ingroup kernel
+ */
+
+#ifndef KERNEL_LISTENER_H_
+#define KERNEL_LISTENER_H_
+
+typedef struct kernel_listener_t kernel_listener_t;
+
+#include <networking/host.h>
+#include <networking/tun_device.h>
+#include <selectors/traffic_selector.h>
+#include <kernel/kernel_ipsec.h>
+
+/**
+ * Interface for components interested in kernel events.
+ *
+ * All hooks are optional.
+ */
+struct kernel_listener_t {
+
+ /**
+ * Hook called if an acquire event for a policy is received.
+ *
+ * @param reqid reqid of the policy to acquire
+ * @param src_ts source traffic selector
+ * @param dst_ts destination traffic selector
+ * @return TRUE to remain registered, FALSE to unregister
+ */
+ bool (*acquire)(kernel_listener_t *this, u_int32_t reqid,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
+ /**
+ * Hook called if an exire event for an IPsec SA is received.
+ *
+ * @param protocol protocol of the expired SA
+ * @param spi spi of the expired SA
+ * @param dst destination address of expired SA
+ * @param hard TRUE if it is a hard expire, FALSE otherwise
+ * @return TRUE to remain registered, FALSE to unregister
+ */
+ bool (*expire)(kernel_listener_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, bool hard);
+
+ /**
+ * Hook called if the NAT mappings of an IPsec SA changed.
+ *
+ * @param protocol IPsec protocol of affected SA
+ * @param spi spi of the SA
+ * @param dst old destinatino address of SA
+ * @param remote new remote host
+ * @return TRUE to remain registered, FALSE to unregister
+ */
+ bool (*mapping)(kernel_listener_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, host_t *remote);
+
+ /**
+ * Hook called if a migrate event for a policy is received.
+ *
+ * @param reqid reqid of the policy
+ * @param src_ts source traffic selector
+ * @param dst_ts destination traffic selector
+ * @param direction direction of the policy (in|out)
+ * @param local local host address to be used in the IKE_SA
+ * @param remote remote host address to be used in the IKE_SA
+ * @return TRUE to remain registered, FALSE to unregister
+ */
+ bool (*migrate)(kernel_listener_t *this, u_int32_t reqid,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+ policy_dir_t direction, host_t *local, host_t *remote);
+
+ /**
+ * Hook called if changes in the networking layer occurred (interfaces
+ * up/down, routes added/deleted etc.).
+ *
+ * @param address TRUE if address list, FALSE if routing changed
+ * @return TRUE to remain registered, FALSE to unregister
+ */
+ bool (*roam)(kernel_listener_t *this, bool address);
+
+ /**
+ * Hook called after a TUN device was created for a virtual IP address, or
+ * before such a device gets destroyed.
+ *
+ * @param tun TUN device
+ * @param created TRUE if created, FALSE if going to be destroyed
+ */
+ bool (*tun)(kernel_listener_t *this, tun_device_t *tun, bool created);
+};
+
+#endif /** KERNEL_LISTENER_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_net.c b/src/libcharon/kernel/kernel_net.c
new file mode 100644
index 000000000..f169cad14
--- /dev/null
+++ b/src/libcharon/kernel/kernel_net.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_net.h"
+
+#include <daemon.h>
+
+/**
+ * See header
+ */
+bool kernel_net_register(plugin_t *plugin, plugin_feature_t *feature,
+ bool reg, void *data)
+{
+ if (reg)
+ {
+ return charon->kernel->add_net_interface(charon->kernel,
+ (kernel_net_constructor_t)data);
+ }
+ else
+ {
+ return charon->kernel->remove_net_interface(charon->kernel,
+ (kernel_net_constructor_t)data);
+ }
+}
diff --git a/src/libcharon/kernel/kernel_net.h b/src/libcharon/kernel/kernel_net.h
new file mode 100644
index 000000000..7fc644a7e
--- /dev/null
+++ b/src/libcharon/kernel/kernel_net.h
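Review bot: The `tun` hook at the end of `kernel_listener_t` returns `bool` like every other hook but its doc block has no `@return`; if it follows the same contract as `acquire`/`expire`/`mapping`/`migrate`/`roam` (which I assume but cannot confirm from the header alone), add `@return TRUE to remain registered, FALSE to unregister`. Two typos in the same struct: `Hook called if an exire event` should read `expire`, and `old destinatino address of SA` should read `destination`.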
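Review bot: `kernel_net_register` dereferences `charon->kernel` unconditionally on both branches; if a plugin feature can be registered before the daemon's kernel interface exists, or unregistered after it has been torn down (not visible from this hunk), that is a NULL dereference. If the daemon guarantees that ordering, a one-line comment above the function such as `/* charon->kernel is created before plugin features are loaded */` would document the assumption; otherwise guard with `if (!charon->kernel) { return FALSE; }`.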
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_net kernel_net
+ * @{ @ingroup kernel
+ */
+
+#ifndef KERNEL_NET_H_
+#define KERNEL_NET_H_
+
+typedef struct kernel_net_t kernel_net_t;
+typedef enum kernel_address_type_t kernel_address_type_t;
+
+#include <collections/enumerator.h>
+#include <networking/host.h>
+#include <plugins/plugin.h>
+#include <kernel/kernel_interface.h>
+
+/**
+ * Type of addresses (e.g. when enumerating them)
+ */
+enum kernel_address_type_t {
+ /** normal addresses (on regular, up, non-ignored) interfaces */
+ ADDR_TYPE_REGULAR = (1 << 0),
+ /** addresses on down interfaces */
+ ADDR_TYPE_DOWN = (1 << 1),
+ /** addresses on ignored interfaces */
+ ADDR_TYPE_IGNORED = (1 << 2),
+ /** addresses on loopback interfaces */
+ ADDR_TYPE_LOOPBACK = (1 << 3),
+ /** virtual IP addresses */
+ ADDR_TYPE_VIRTUAL = (1 << 4),
+ /** to enumerate all available addresses */
+ ADDR_TYPE_ALL = (1 << 5) - 1,
+};
+
+/**
+ * Interface to the network subsystem of the kernel.
+ *
+ * The kernel network interface handles the communication with the kernel
+ * for interface and IP address management.
+ */
+struct kernel_net_t {
+
+ /**
+ * Get the feature set supported by this kernel backend.
+ *
+ * @return ORed feature-set of backend
+ */
+ kernel_feature_t (*get_features)(kernel_net_t *this);
+
+ /**
+ * Get our outgoing source address for a destination.
+ *
+ * Does a route lookup to get the source address used to reach dest.
+ * The returned host is allocated and must be destroyed.
+ * An optional src address can be used to check if a route is available
+ * for the given source to dest.
+ *
+ * @param dest target destination address
+ * @param src source address to check, or NULL
+ * @return outgoing source address, NULL if unreachable
+ */
+ host_t* (*get_source_addr)(kernel_net_t *this, host_t *dest, host_t *src);
+
+ /**
+ * Get the next hop for a destination.
+ *
+ * Does a route lookup to get the next hop used to reach dest.
+ * The returned host is allocated and must be destroyed.
+ * An optional src address can be used to check if a route is available
+ * for the given source to dest.
+ *
+ * @param dest target destination address
+ * @param prefix prefix length if dest is a subnet, -1 for auto
+ * @param src source address to check, or NULL
+ * @return next hop address, NULL if unreachable
+ */
+ host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest, int prefix,
+ host_t *src);
+
+ /**
+ * Get the interface name of a local address. Interfaces that are down or
+ * ignored by config are not considered.
+ *
+ * @param host address to get interface name from
+ * @param name allocated interface name (optional)
+ * @return TRUE if interface found and usable
+ */
+ bool (*get_interface) (kernel_net_t *this, host_t *host, char **name);
+
+ /**
+ * Creates an enumerator over all local addresses.
+ *
+ * This function blocks an internal cached address list until the
+ * enumerator gets destroyed.
+ * The hosts are read-only, do not modify of free.
+ *
+ * @param which a combination of address types to enumerate
+ * @return enumerator over host_t's
+ */
+ enumerator_t *(*create_address_enumerator) (kernel_net_t *this,
+ kernel_address_type_t which);
+
+ /**
+ * Add a virtual IP to an interface.
+ *
+ * Virtual IPs are attached to an interface. If an IP is added multiple
+ * times, the IP is refcounted and not removed until del_ip() was called
+ * as many times as add_ip().
+ *
+ * @param virtual_ip virtual ip address to assign
+ * @param prefix prefix length to install with IP address, -1 for auto
+ * @param iface interface to install virtual IP on
+ * @return SUCCESS if operation completed
+ */
+ status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip, int prefix,
+ char *iface);
+
+ /**
+ * Remove a virtual IP from an interface.
+ *
+ * The kernel interface uses refcounting, see add_ip().
+ *
+ * @param virtual_ip virtual ip address to remove
+ * @param prefix prefix length of the IP to uninstall, -1 for auto
+ * @param wait TRUE to wait until IP is gone
+ * @return SUCCESS if operation completed
+ */
+ status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip, int prefix,
+ bool wait);
+
+ /**
+ * Add a route.
+ *
+ * @param dst_net destination net
+ * @param prefixlen destination net prefix length
+ * @param gateway gateway for this route
+ * @param src_ip source ip of the route
+ * @param if_name name of the interface the route is bound to
+ * @return SUCCESS if operation completed
+ * ALREADY_DONE if the route already exists
+ */
+ status_t (*add_route) (kernel_net_t *this, chunk_t dst_net,
+ u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+ char *if_name);
+
+ /**
+ * Delete a route.
+ *
+ * @param dst_net destination net
+ * @param prefixlen destination net prefix length
+ * @param gateway gateway for this route
+ * @param src_ip source ip of the route
+ * @param if_name name of the interface the route is bound to
+ * @return SUCCESS if operation completed
+ */
+ status_t (*del_route) (kernel_net_t *this, chunk_t dst_net,
+ u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+ char *if_name);
+
+ /**
+ * Destroy the implementation.
+ */
+ void (*destroy) (kernel_net_t *this);
+};
+
+/**
+ * Helper function to (un-)register net kernel interfaces from plugin features.
+ *
+ * This function is a plugin_feature_callback_t and can be used with the
+ * PLUGIN_CALLBACK macro to register an net kernel interface constructor.
+ *
+ * @param plugin plugin registering the kernel interface
+ * @param feature associated plugin feature
+ * @param reg TRUE to register, FALSE to unregister
+ * @param data data passed to callback, an kernel_net_constructor_t
+ */
+bool kernel_net_register(plugin_t *plugin, plugin_feature_t *feature,
+ bool reg, void *data);
+
+#endif /** KERNEL_NET_H_ @}*/
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index a2f2016ff..ee357ca4d 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -20,7 +20,6 @@
#include "receiver.h" -#include <hydra.h> #include <daemon.h> #include <network/socket.h> #include <processing/jobs/job.h>
@@ -451,9 +450,8 @@ static job_requeue_t receive_packets(private_receiver_t *this) dst = packet->get_destination(packet); src = packet->get_source(packet); - if (!hydra->kernel_interface->all_interfaces_usable(hydra->kernel_interface) - && !hydra->kernel_interface->get_interface(hydra->kernel_interface, - dst, NULL)) + if (!charon->kernel->all_interfaces_usable(charon->kernel) + && !charon->kernel->get_interface(charon->kernel, dst, NULL)) { DBG3(DBG_NET, "received packet from %#H to %#H on ignored interface", src, dst);
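Review bot: The `name` out-parameter of `get_interface` is documented as `allocated interface name (optional)` without saying who frees it; callers elsewhere in this series pass `&if_name` and the string is presumably heap-allocated, so the contract should be explicit, e.g. `@param name allocated interface name, caller must free (optional)` — confirm against the backends before wording it. Three wording fixes in the same header: `do not modify of free` should read `or free`, and `an net kernel interface` / `an kernel_net_constructor_t` should read `a net kernel interface` / `a kernel_net_constructor_t`. As a style point, `add_ip`'s `iface` and `add_route`/`del_route`'s `if_name` are pure inputs and could be declared `const char *`, though every backend implementing these methods would need the matching change.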
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index b8c1b4059..0fd1d33fd 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c @@ -31,7 +31,6 @@ #include <threading/condvar.h> #include <threading/thread.h> -#include <hydra.h> #include <daemon.h> #include <processing/jobs/callback_job.h> @@ -209,8 +208,7 @@ static int prepare_dhcp(private_dhcp_socket_t *this, else { /* act as relay agent */ - src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, - this->dst, NULL); + src = charon->kernel->get_source_addr(charon->kernel, this->dst, NULL); if (src) { memcpy(&dhcp->gateway_address, src->get_address(src).ptr, diff --git a/src/libcharon/plugins/forecast/forecast_forwarder.c b/src/libcharon/plugins/forecast/forecast_forwarder.c index 07a3d4953..40aaa7f25 100644 --- a/src/libcharon/plugins/forecast/forecast_forwarder.c +++ b/src/libcharon/plugins/forecast/forecast_forwarder.c @@ -27,7 +27,6 @@ #include <ifaddrs.h> #include <net/if.h> -#include <hydra.h> #include <daemon.h> #include <threading/thread.h> #include <processing/jobs/callback_job.h> @@ -428,8 +427,7 @@ METHOD(forecast_forwarder_t, destroy, void, lib->watcher->remove(lib->watcher, this->kernel.pkt); close(this->kernel.pkt); } - hydra->kernel_interface->remove_listener(hydra->kernel_interface, - &this->kernel.listener); + charon->kernel->remove_listener(charon->kernel, &this->kernel.listener); free(this); } @@ -486,8 +484,8 @@ forecast_forwarder_t *forecast_forwarder_create(forecast_listener_t *listener) setup_interface(&this->kernel); - hydra->kernel_interface->add_listener(hydra->kernel_interface, - &this->kernel.listener); + charon->kernel->add_listener(charon->kernel, + &this->kernel.listener); lib->watcher->add(lib->watcher, this->kernel.pkt, WATCHER_READ, (watcher_cb_t)receive_casts, this); 
diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c index a4be4041e..6a8a96821 100644 --- a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c +++ b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c @@ -24,7 +24,7 @@ #include "kernel_iph_net.h" -#include <hydra.h> +#include <daemon.h> #include <threading/mutex.h> #include <collections/linked_list.h> #include <processing/jobs/callback_job.h> @@ -130,7 +130,7 @@ static job_requeue_t roam_event(private_kernel_iph_net_t *this) this->roam_address = FALSE; this->mutex->unlock(this->mutex); - hydra->kernel_interface->roam(hydra->kernel_interface, address); + charon->kernel->roam(charon->kernel, address); return JOB_REQUEUE_NONE; } diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c b/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c index c5475e30b..c16381440 100644 --- a/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c +++ b/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c @@ -17,8 +17,6 @@ #include "kernel_iph_plugin.h" #include "kernel_iph_net.h" -#include <hydra.h> - typedef struct private_kernel_iph_plugin_t private_kernel_iph_plugin_t; /** diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c index 9f5f4edbd..4c8771e96 100644 --- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c +++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c @@ -17,7 +17,7 @@ #include <library.h> #include <ipsec.h> -#include <hydra.h> +#include <daemon.h> #include <networking/tun_device.h> #include <threading/mutex.h> #include <utils/debug.h> 
@@ -224,8 +224,7 @@ static inline bool policy_entry_equals(policy_entry_t *a, */ static void expire(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard) { - hydra->kernel_interface->expire(hydra->kernel_interface, protocol, - spi, dst, hard); + charon->kernel->expire(charon->kernel, protocol, spi, dst, hard); } METHOD(kernel_ipsec_t, get_features, kernel_feature_t, @@ -313,16 +312,13 @@ static void add_exclude_route(private_kernel_libipsec_ipsec_t *this, if (!route->exclude) { DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src); - gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface, - dst, -1, NULL); + gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL); if (gtw) { char *if_name = NULL; - if (hydra->kernel_interface->get_interface( - hydra->kernel_interface, src, &if_name) && - hydra->kernel_interface->add_route(hydra->kernel_interface, - dst->get_address(dst), + if (charon->kernel->get_interface(charon->kernel, src, &if_name) && + charon->kernel->add_route(charon->kernel, dst->get_address(dst), dst->get_family(dst) == AF_INET ? 32 : 128, gtw, src, if_name) == SUCCESS) { @@ -367,14 +363,12 @@ static void remove_exclude_route(private_kernel_libipsec_ipsec_t *this, dst = route->exclude->dst; DBG2(DBG_KNL, "uninstalling exclude route for %H src %H", dst, route->exclude->src); - if (hydra->kernel_interface->get_interface( - hydra->kernel_interface, - route->exclude->src, &if_name) && - hydra->kernel_interface->del_route(hydra->kernel_interface, - dst->get_address(dst), - dst->get_family(dst) == AF_INET ? 32 : 128, - route->exclude->gtw, route->exclude->src, - if_name) != SUCCESS) + if (charon->kernel->get_interface(charon->kernel, route->exclude->src, + &if_name) && + charon->kernel->del_route(charon->kernel, dst->get_address(dst), + dst->get_family(dst) == AF_INET ? 32 : 128, + route->exclude->gtw, route->exclude->src, + if_name) != SUCCESS) { DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst); } 
@@ -402,8 +396,8 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this, return TRUE; } - if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface, - src_ts, &src_ip, &is_virtual) != SUCCESS) + if (charon->kernel->get_address_by_ts(charon->kernel, src_ts, &src_ip, + &is_virtual) != SUCCESS) { traffic_selector_t *multicast, *broadcast = NULL; bool ignore = FALSE; @@ -444,8 +438,7 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this, ); #ifndef __linux__ /* on Linux we cant't install a gateway */ - route->gateway = hydra->kernel_interface->get_nexthop( - hydra->kernel_interface, dst, -1, src); + route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1, src); #endif if (policy->route) @@ -459,9 +452,9 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this, return TRUE; } /* uninstall previously installed route */ - if (hydra->kernel_interface->del_route(hydra->kernel_interface, - old->dst_net, old->prefixlen, old->gateway, - old->src_ip, old->if_name) != SUCCESS) + if (charon->kernel->del_route(charon->kernel, old->dst_net, + old->prefixlen, old->gateway, + old->src_ip, old->if_name) != SUCCESS) { DBG1(DBG_KNL, "error uninstalling route installed with policy " "%R === %R %N", src_ts, dst_ts, policy_dir_names, @@ -490,9 +483,9 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this, DBG2(DBG_KNL, "installing route: %R src %H dev %s", dst_ts, route->src_ip, route->if_name); - switch (hydra->kernel_interface->add_route(hydra->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name)) + switch (charon->kernel->add_route(charon->kernel, route->dst_net, + route->prefixlen, route->gateway, + route->src_ip, route->if_name)) { case ALREADY_DONE: /* route exists, do not uninstall */ 
@@ -598,9 +591,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t, { route_entry_t *route = policy->route; - if (hydra->kernel_interface->del_route(hydra->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, route->src_ip, - route->if_name) != SUCCESS) + if (charon->kernel->del_route(charon->kernel, route->dst_net, + route->prefixlen, route->gateway, + route->src_ip, route->if_name) != SUCCESS) { DBG1(DBG_KNL, "error uninstalling route installed with " "policy %R === %R %N", src_ts, dst_ts, @@ -629,9 +622,9 @@ METHOD(kernel_ipsec_t, flush_policies, status_t, { route_entry_t *route = pol->route; - hydra->kernel_interface->del_route(hydra->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name); + charon->kernel->del_route(charon->kernel, route->dst_net, + route->prefixlen, route->gateway, + route->src_ip, route->if_name); remove_exclude_route(this, route); } policy_entry_destroy(pol); diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c index 830954e11..66141ad56 100644 --- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c +++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c @@ -19,7 +19,6 @@ #include "kernel_libipsec_router.h" #include <daemon.h> -#include <hydra.h> #include <ipsec.h> #include <collections/hashtable.h> #include <networking/tun_device.h> @@ -298,8 +297,7 @@ METHOD(kernel_libipsec_router_t, destroy, void, (ipsec_outbound_cb_t)send_esp); ipsec->processor->unregister_inbound(ipsec->processor, (ipsec_inbound_cb_t)deliver_plain); - hydra->kernel_interface->remove_listener(hydra->kernel_interface, - &this->public.listener); + charon->kernel->remove_listener(charon->kernel, &this->public.listener); this->lock->destroy(this->lock); this->tuns->destroy(this->tuns); close(this->notify[0]); 
@@ -351,8 +349,7 @@ kernel_libipsec_router_t *kernel_libipsec_router_create() (hashtable_equals_t)tun_entry_equals, 4); this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - hydra->kernel_interface->add_listener(hydra->kernel_interface, - &this->public.listener); + charon->kernel->add_listener(charon->kernel, &this->public.listener); ipsec->processor->register_outbound(ipsec->processor, send_esp, NULL); ipsec->processor->register_inbound(ipsec->processor, (ipsec_inbound_cb_t)deliver_plain, this); diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.am b/src/libcharon/plugins/kernel_netlink/Makefile.am index cc8855406..973e2c2f4 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.am +++ b/src/libcharon/plugins/kernel_netlink/Makefile.am @@ -1,7 +1,7 @@ AM_CPPFLAGS = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon \ -DROUTING_TABLE=${routing_table} \ -DROUTING_TABLE_PRIO=${routing_table_prio} diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 8c506d9f4..275aa6cb2 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -35,7 +35,7 @@ #include "kernel_netlink_ipsec.h" #include "kernel_netlink_shared.h" -#include <hydra.h> +#include <daemon.h> #include <utils/debug.h> #include <threading/mutex.h> #include <collections/array.h> @@ -262,8 +262,8 @@ static char* lookup_algorithm(transform_type_t type, int ikev2) return list[i].name; } } - if (hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface, - ikev2, type, NULL, &name)) + if (charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, NULL, + &name)) { return name; } 
@@ -856,8 +856,7 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, src_ts = selector2ts(&acquire->sel, TRUE); dst_ts = selector2ts(&acquire->sel, FALSE); - hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts, - dst_ts); + charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts); } /** @@ -882,8 +881,8 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0); if (dst) { - hydra->kernel_interface->expire(hydra->kernel_interface, protocol, - spi, dst, expire->hard != 0); + charon->kernel->expire(charon->kernel, protocol, spi, dst, + expire->hard != 0); dst->destroy(dst); } } @@ -951,8 +950,8 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, if (src_ts && dst_ts && local && remote) { - hydra->kernel_interface->migrate(hydra->kernel_interface, reqid, - src_ts, dst_ts, dir, local, remote); + charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir, + local, remote); } else { @@ -988,8 +987,8 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this, mapping->new_sport); if (new) { - hydra->kernel_interface->mapping(hydra->kernel_interface, - IPPROTO_ESP, spi, dst, new); + charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst, + new); new->destroy(new); } dst->destroy(dst); 
@@ -2202,22 +2201,21 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, .prefixlen = policy->sel.prefixlen_s, ); - if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface, - fwd->dst_ts, &route->src_ip, NULL) == SUCCESS) + if (charon->kernel->get_address_by_ts(charon->kernel, fwd->dst_ts, + &route->src_ip, NULL) == SUCCESS) { /* get the nexthop to src (src as we are in POLICY_FWD) */ if (!ipsec->src->is_anyaddr(ipsec->src)) { - route->gateway = hydra->kernel_interface->get_nexthop( - hydra->kernel_interface, ipsec->src, - -1, ipsec->dst); + route->gateway = charon->kernel->get_nexthop(charon->kernel, + ipsec->src, -1, ipsec->dst); } else { /* for shunt policies */ iface = xfrm2host(policy->sel.family, &policy->sel.saddr, 0); - route->gateway = hydra->kernel_interface->get_nexthop( - hydra->kernel_interface, iface, - policy->sel.prefixlen_s, route->src_ip); + route->gateway = charon->kernel->get_nexthop(charon->kernel, + iface, policy->sel.prefixlen_s, + route->src_ip); iface->destroy(iface); } route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); @@ -2232,8 +2230,8 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, iface = route->src_ip; } /* install route via outgoing interface */ - if (!hydra->kernel_interface->get_interface(hydra->kernel_interface, - iface, &route->if_name)) + if (!charon->kernel->get_interface(charon->kernel, iface, + &route->if_name)) { this->mutex->unlock(this->mutex); route_entry_destroy(route); 
@@ -2250,9 +2248,9 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, return SUCCESS; } /* uninstall previously installed route */ - if (hydra->kernel_interface->del_route(hydra->kernel_interface, - old->dst_net, old->prefixlen, old->gateway, - old->src_ip, old->if_name) != SUCCESS) + if (charon->kernel->del_route(charon->kernel, old->dst_net, + old->prefixlen, old->gateway, + old->src_ip, old->if_name) != SUCCESS) { DBG1(DBG_KNL, "error uninstalling route installed with " "policy %R === %R %N", fwd->src_ts, @@ -2265,10 +2263,9 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", fwd->src_ts, route->gateway, route->src_ip, route->if_name); - switch (hydra->kernel_interface->add_route( - hydra->kernel_interface, route->dst_net, - route->prefixlen, route->gateway, - route->src_ip, route->if_name)) + switch (charon->kernel->add_route(charon->kernel, route->dst_net, + route->prefixlen, route->gateway, + route->src_ip, route->if_name)) { default: DBG1(DBG_KNL, "unable to install source route for %H", @@ -2579,9 +2576,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t, if (current->route) { route_entry_t *route = current->route; - if (hydra->kernel_interface->del_route(hydra->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name) != SUCCESS) + if (charon->kernel->del_route(charon->kernel, route->dst_net, + route->prefixlen, route->gateway, + route->src_ip, route->if_name) != SUCCESS) { DBG1(DBG_KNL, "error uninstalling route installed with " "policy %R === %R %N", src_ts, dst_ts, diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c index 4e5e02d07..abe29e2c5 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c 
@@ -51,7 +51,7 @@ #include "kernel_netlink_net.h" #include "kernel_netlink_shared.h" -#include <hydra.h> +#include <daemon.h> #include <utils/debug.h> #include <threading/mutex.h> #include <threading/rwlock.h> @@ -893,7 +893,7 @@ static job_requeue_t roam_event(private_kernel_netlink_net_t *this) address = this->roam_address; this->roam_address = FALSE; this->roam_lock->unlock(this->roam_lock); - hydra->kernel_interface->roam(hydra->kernel_interface, address); + charon->kernel->roam(charon->kernel, address); return JOB_REQUEUE_NONE; } @@ -1004,8 +1004,8 @@ static void process_link(private_kernel_netlink_net_t *this, INIT(entry, .ifindex = msg->ifi_index, .addrs = linked_list_create(), - .usable = hydra->kernel_interface->is_interface_usable( - hydra->kernel_interface, name), + .usable = charon->kernel->is_interface_usable( + charon->kernel, name), ); this->ifaces->insert_last(this->ifaces, entry); } diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c index 8d5a0d5e8..8bafc3c55 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c @@ -19,8 +19,6 @@ #include "kernel_netlink_ipsec.h" #include "kernel_netlink_net.h" -#include <hydra.h> - typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t; /** diff --git a/src/libcharon/plugins/kernel_netlink/tests.c b/src/libcharon/plugins/kernel_netlink/tests.c index 52985b438..a1799ea70 100644 --- a/src/libcharon/plugins/kernel_netlink/tests.c +++ b/src/libcharon/plugins/kernel_netlink/tests.c @@ -15,8 +15,6 @@ #include <test_runner.h> -#include <hydra.h> - /* declare test suite constructors */ #define TEST_SUITE(x) test_suite_t* x(); #include "tests.h" diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.am b/src/libcharon/plugins/kernel_pfkey/Makefile.am index f645528d9..8fdca93a5 100644 
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.am +++ b/src/libcharon/plugins/kernel_pfkey/Makefile.am @@ -1,7 +1,7 @@ AM_CPPFLAGS = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra + -I$(top_srcdir)/src/libcharon AM_CFLAGS = \ $(PLUGIN_CFLAGS) diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index a2fccd1d3..d505f1c33 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -78,7 +78,7 @@ #include "kernel_pfkey_ipsec.h" -#include <hydra.h> +#include <daemon.h> #include <utils/debug.h> #include <networking/host.h> #include <collections/linked_list.h> @@ -922,8 +922,7 @@ static int lookup_algorithm(transform_type_t type, int ikev2) } list++; } - hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface, ikev2, - type, &alg, NULL); + charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, &alg, NULL); return alg; } @@ -1283,8 +1282,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, src_ts = sadb_address2ts(response.src); dst_ts = sadb_address2ts(response.dst); - hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts, - dst_ts); + charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts); } /** @@ -1316,8 +1314,7 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1)); if (dst) { - hydra->kernel_interface->expire(hydra->kernel_interface, protocol, - spi, dst, hard); + charon->kernel->expire(charon->kernel, protocol, spi, dst, hard); dst->destroy(dst); } } 
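Review bot: In the `lookup_algorithm` hunk of kernel_pfkey_ipsec.c the result of `charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, &alg, NULL);` is discarded and `alg` is returned regardless, whereas the netlink counterpart (`@@ -262,8 +262,8 @@` in kernel_netlink_ipsec.c) only uses the looked-up value when the call returns TRUE. This is safe only if `alg` is initialized to its "not found" value before the loop, which lies above the hunk and is not visible here; if it is, a comment such as `/* alg keeps its 'not found' value when the kernel interface has no mapping */` would make that explicit, otherwise test the return value as the netlink plugin does. The function starts outside the hunk.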
@@ -1366,8 +1363,8 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, if (src_ts && dst_ts && local && remote) { - hydra->kernel_interface->migrate(hydra->kernel_interface, reqid, - src_ts, dst_ts, dir, local, remote); + charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir, + local, remote); } else { @@ -1437,8 +1434,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, new = host_create_from_sockaddr(sa); if (new) { - hydra->kernel_interface->mapping(hydra->kernel_interface, - IPPROTO_ESP, spi, dst, new); + charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst, new); new->destroy(new); } dst->destroy(dst); @@ -2142,15 +2138,13 @@ static void add_exclude_route(private_kernel_pfkey_ipsec_t *this, if (!route->exclude) { DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src); - gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface, - dst, -1, NULL); + gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL); if (gtw) { char *if_name = NULL; - if (hydra->kernel_interface->get_interface( - hydra->kernel_interface, src, &if_name) && - hydra->kernel_interface->add_route(hydra->kernel_interface, + if (charon->kernel->get_interface(charon->kernel, src, &if_name) && + charon->kernel->add_route(charon->kernel, dst->get_address(dst), dst->get_family(dst) == AF_INET ? 32 : 128, gtw, src, if_name) == SUCCESS) @@ -2213,10 +2207,10 @@ static void remove_exclude_route(private_kernel_pfkey_ipsec_t *this, dst = route->exclude->dst; DBG2(DBG_KNL, "uninstalling exclude route for %H src %H", dst, route->exclude->src); - if (hydra->kernel_interface->get_interface( - hydra->kernel_interface, + if (charon->kernel->get_interface( + charon->kernel, route->exclude->src, &if_name) && - hydra->kernel_interface->del_route(hydra->kernel_interface, + charon->kernel->del_route(charon->kernel, dst->get_address(dst), dst->get_family(dst) == AF_INET ? 32 : 128, route->exclude->gtw, route->exclude->src, 
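Review bot: In add_exclude_route the gateway lookup `gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL);` drops the source constraint, while install_route in the hunk that follows passes the source (`get_nexthop(charon->kernel, dst, -1, src)`) and then installs the route through the interface resolved from `src`. If the unconstrained lookup can return a nexthop on a different link than the one `src` lives on, the exclude route ends up on the wrong interface; if the asymmetry is deliberate, a one-line comment at the call saying why would save the next reader the same question. The consistent form would be `gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, src);`. The function's remaining branches, including whatever frees `if_name` when add_route fails after get_interface succeeded, are outside the hunk, so I cannot confirm that path releases the name.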
@@ -2241,8 +2235,8 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this, host_t *host, *src, *dst; bool is_virtual; - if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface, - in->dst_ts, &host, &is_virtual) != SUCCESS) + if (charon->kernel->get_address_by_ts(charon->kernel, in->dst_ts, &host, + &is_virtual) != SUCCESS) { return FALSE; } @@ -2259,8 +2253,8 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this, if (!dst->is_anyaddr(dst)) { - route->gateway = hydra->kernel_interface->get_nexthop( - hydra->kernel_interface, dst, -1, src); + route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1, + src); /* if the IP is virtual, we install the route over the interface it has * been installed on. Otherwise we use the interface we use for IKE, as @@ -2272,17 +2266,16 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this, } else { /* for shunt policies */ - route->gateway = hydra->kernel_interface->get_nexthop( - hydra->kernel_interface, policy->src.net, - policy->src.mask, route->src_ip); + route->gateway = charon->kernel->get_nexthop(charon->kernel, + policy->src.net, policy->src.mask, + route->src_ip); /* we don't have a source address, use the address we found */ src = route->src_ip; } /* get interface for route, using source address */ - if (!hydra->kernel_interface->get_interface(hydra->kernel_interface, - src, &route->if_name)) + if (!charon->kernel->get_interface(charon->kernel, src, &route->if_name)) { route_entry_destroy(route); return FALSE; 
@@ -2298,9 +2291,9 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this, return TRUE; } /* uninstall previously installed route */ - if (hydra->kernel_interface->del_route(hydra->kernel_interface, - old->dst_net, old->prefixlen, old->gateway, - old->src_ip, old->if_name) != SUCCESS) + if (charon->kernel->del_route(charon->kernel, old->dst_net, + old->prefixlen, old->gateway, + old->src_ip, old->if_name) != SUCCESS) { DBG1(DBG_KNL, "error uninstalling route installed with policy " "%R === %R %N", in->src_ts, in->dst_ts, @@ -2311,8 +2304,7 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this, } /* if remote traffic selector covers the IKE peer, add an exclude route */ - if (hydra->kernel_interface->get_features( - hydra->kernel_interface) & KERNEL_REQUIRE_EXCLUDE_ROUTE) + if (charon->kernel->get_features(charon->kernel) & KERNEL_REQUIRE_EXCLUDE_ROUTE) { if (in->src_ts->is_host(in->src_ts, dst)) { @@ -2331,9 +2323,9 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this, DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", in->src_ts, route->gateway, route->src_ip, route->if_name); - switch (hydra->kernel_interface->add_route(hydra->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name)) + switch (charon->kernel->add_route(charon->kernel, route->dst_net, + route->prefixlen, route->gateway, + route->src_ip, route->if_name)) { case ALREADY_DONE: /* route exists, do not uninstall */ 
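Review bot: The rewritten condition `if (charon->kernel->get_features(charon->kernel) & KERNEL_REQUIRE_EXCLUDE_ROUTE)` overruns the 80-column limit that every other rewritten call in this file is carefully wrapped to respect (the del_route and add_route calls in the neighbouring hunks of install_route are split across continuation lines). Wrap the mask onto its own line: `if (charon->kernel->get_features(charon->kernel) &` followed by `KERNEL_REQUIRE_EXCLUDE_ROUTE)` indented one tab further. install_route starts and ends outside this hunk.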
@@ -2813,9 +2805,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t, if (policy->route) { route_entry_t *route = policy->route; - if (hydra->kernel_interface->del_route(hydra->kernel_interface, - route->dst_net, route->prefixlen, route->gateway, - route->src_ip, route->if_name) != SUCCESS) + if (charon->kernel->del_route(charon->kernel, route->dst_net, + route->prefixlen, route->gateway, + route->src_ip, route->if_name) != SUCCESS) { DBG1(DBG_KNL, "error uninstalling route installed with " "policy %R === %R %N", src_ts, dst_ts, diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c index 61d576547..d49fe2422 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c @@ -18,8 +18,6 @@ #include "kernel_pfkey_ipsec.h" -#include <hydra.h> - typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t; /** diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.am b/src/libcharon/plugins/kernel_pfroute/Makefile.am index 5129c02f6..51047e38a 100644 --- a/src/libcharon/plugins/kernel_pfroute/Makefile.am +++ b/src/libcharon/plugins/kernel_pfroute/Makefile.am @@ -1,7 +1,7 @@ AM_CPPFLAGS = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra + -I$(top_srcdir)/src/libcharon AM_CFLAGS = \ $(PLUGIN_CFLAGS) diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c index df80c29b8..4eebdfdad 100644 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -24,7 +24,7 @@ #include "kernel_pfroute_net.h" -#include <hydra.h> +#include <daemon.h> #include <utils/debug.h> #include <networking/host.h> #include <networking/tun_device.h> 
@@ -555,7 +555,7 @@ static job_requeue_t roam_event(private_kernel_pfroute_net_t *this) address = this->roam_address; this->roam_address = FALSE; this->roam_lock->unlock(this->roam_lock); - hydra->kernel_interface->roam(hydra->kernel_interface, address); + charon->kernel->roam(charon->kernel, address); return JOB_REQUEUE_NONE; } @@ -862,8 +862,8 @@ static void process_link(private_kernel_pfroute_net_t *this, if (if_indextoname(iface->ifindex, iface->ifname)) { DBG1(DBG_KNL, "interface %s appeared", iface->ifname); - iface->usable = hydra->kernel_interface->is_interface_usable( - hydra->kernel_interface, iface->ifname); + iface->usable = charon->kernel->is_interface_usable(charon->kernel, + iface->ifname); repopulate_iface(this, iface); this->ifaces->insert_last(this->ifaces, iface); if (iface->usable) @@ -1266,7 +1266,7 @@ METHOD(kernel_net_t, add_ip, status_t, /* lets do this while holding the lock, thus preventing another thread * from deleting the TUN device concurrently, hopefully listeners are quick * and cause no deadlocks */ - hydra->kernel_interface->tun(hydra->kernel_interface, tun, TRUE); + charon->kernel->tun(charon->kernel, tun, TRUE); this->lock->unlock(this->lock); return SUCCESS; @@ -1294,8 +1294,7 @@ METHOD(kernel_net_t, del_ip, status_t, if (addr && addr->ip_equals(addr, vip)) { this->tuns->remove_at(this->tuns, enumerator); - hydra->kernel_interface->tun(hydra->kernel_interface, tun, - FALSE); + charon->kernel->tun(charon->kernel, tun, FALSE); tun->destroy(tun); found = TRUE; break; @@ -1738,8 +1737,8 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this) .ifindex = if_nametoindex(ifa->ifa_name), .flags = ifa->ifa_flags, .addrs = linked_list_create(), - .usable = hydra->kernel_interface->is_interface_usable( - hydra->kernel_interface, ifa->ifa_name), + .usable = charon->kernel->is_interface_usable( + charon->kernel, ifa->ifa_name), ); memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ); this->ifaces->insert_last(this->ifaces, iface); 
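Review bot: In add_ip the listener fan-out `charon->kernel->tun(charon->kernel, tun, TRUE);` still executes with `this->lock` held, and the comment above it only "hopes" listeners are quick and cause no deadlocks. Now that the dispatch lives in libcharon's kernel interface, any charon plugin can register a tun listener, and one that calls back into this plugin's kernel_net_t methods (which take the same lock) would deadlock unless the lock is recursive, which the hunk does not show. Since the comment says the lock is held on purpose to prevent a concurrent delete of the TUN device, at least make the rule explicit for listener authors: `/* listeners MUST NOT call back into kernel_net_t: this->lock is held */`. The del_ip hunk below invokes the same listener with FALSE, presumably under the same lock, so the rule applies there too; add_ip's start lies outside this hunk.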
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c index 09068b33e..acd834ba3 100644 --- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c +++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c @@ -18,8 +18,6 @@ #include "kernel_pfroute_net.h" -#include <hydra.h> - typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t; /** diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c index 95f79f168..e1c429885 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c @@ -20,7 +20,6 @@ #include "kernel_wfp_ipsec.h" #include <daemon.h> -#include <hydra.h> #include <threading/mutex.h> #include <collections/array.h> #include <collections/hashtable.h> @@ -1396,10 +1395,9 @@ static bool uninstall_route(private_kernel_wfp_ipsec_t *this, { if (--route->refs == 0) { - if (hydra->kernel_interface->get_interface(hydra->kernel_interface, - src, &name)) + if (charon->kernel->get_interface(charon->kernel, src, &name)) { - res = hydra->kernel_interface->del_route(hydra->kernel_interface, + res = charon->kernel->del_route(charon->kernel, dst->get_address(dst), mask, gtw, src, name) == SUCCESS; free(name); } @@ -1442,10 +1440,9 @@ static bool install_route(private_kernel_wfp_ipsec_t *this, } else { - if (hydra->kernel_interface->get_interface(hydra->kernel_interface, - src, &name)) + if (charon->kernel->get_interface(charon->kernel, src, &name)) { - if (hydra->kernel_interface->add_route(hydra->kernel_interface, + if (charon->kernel->add_route(charon->kernel, dst->get_address(dst), mask, gtw, src, name) == SUCCESS) { INIT(route, 
@@ -1486,14 +1483,13 @@ static bool manage_route(private_kernel_wfp_ipsec_t *this, { return FALSE; } - if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface, - src_ts, &src, NULL) != SUCCESS) + if (charon->kernel->get_address_by_ts(charon->kernel, src_ts, &src, + NULL) != SUCCESS) { dst->destroy(dst); return FALSE; } - gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface, - remote, -1, local); + gtw = charon->kernel->get_nexthop(charon->kernel, remote, -1, local); if (add) { done = install_route(this, dst, mask, src, gtw); @@ -1650,8 +1646,7 @@ static void acquire(private_kernel_wfp_ipsec_t *this, UINT64 filter_id, { src = src ? src->clone(src) : NULL; dst = dst ? dst->clone(dst) : NULL; - hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, - src, dst); + charon->kernel->acquire(charon->kernel, reqid, src, dst); } } @@ -2069,8 +2064,8 @@ static job_requeue_t expire_job(expire_data_t *data) if (entry) { - hydra->kernel_interface->expire(hydra->kernel_interface, protocol, - data->spi, data->dst, data->hard); + charon->kernel->expire(charon->kernel, protocol, data->spi, data->dst, + data->hard); } return JOB_REQUEUE_NONE; diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c index 8a500635c..8f6abde0c 100644 --- a/src/libcharon/plugins/load_tester/load_tester_config.c +++ b/src/libcharon/plugins/load_tester/load_tester_config.c @@ -18,7 +18,6 @@ #include <netdb.h> #include <daemon.h> -#include <hydra.h> #include <attributes/mem_pool.h> #include <collections/hashtable.h> #include <threading/mutex.h> 
@@ -656,8 +655,8 @@ static host_t *allocate_addr(private_load_tester_config_t *this, uint num) id->destroy(id); return NULL; } - if (hydra->kernel_interface->add_ip(hydra->kernel_interface, - found, this->prefix, iface) != SUCCESS) + if (charon->kernel->add_ip(charon->kernel, found, this->prefix, + iface) != SUCCESS) { DBG1(DBG_CFG, "installing load-tester IP %H on %s failed", found, iface); found->destroy(found); @@ -852,8 +851,8 @@ METHOD(load_tester_config_t, delete_ip, void, { if (pool->release_address(pool, entry->host, entry->id)) { - hydra->kernel_interface->del_ip(hydra->kernel_interface, - entry->host, this->prefix, FALSE); + charon->kernel->del_ip(charon->kernel, entry->host, + this->prefix, FALSE); break; } } @@ -882,8 +881,8 @@ static void cleanup_leases(private_load_tester_config_t *this) { if (online) { - hydra->kernel_interface->del_ip(hydra->kernel_interface, - addr, this->prefix, FALSE); + charon->kernel->del_ip(charon->kernel, addr, this->prefix, + FALSE); entry = this->leases->remove(this->leases, addr); if (entry) { diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c index a0c467e22..6cf3a909c 100644 --- a/src/libcharon/plugins/load_tester/load_tester_plugin.c +++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c @@ -23,7 +23,6 @@ #include <unistd.h> -#include <hydra.h> #include <daemon.h> #include <processing/jobs/callback_job.h> #include <threading/condvar.h> diff --git a/src/libcharon/plugins/resolve/resolve_handler.c b/src/libcharon/plugins/resolve/resolve_handler.c index 74c3960ff..ec3decc4d 100644 --- a/src/libcharon/plugins/resolve/resolve_handler.c +++ b/src/libcharon/plugins/resolve/resolve_handler.c @@ -20,7 +20,6 @@ #include <sys/stat.h> #include <unistd.h> -#include <hydra.h> #include <utils/debug.h> #include <threading/mutex.h> 
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c index 13bf3e775..6e432d9cf 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.c +++ b/src/libcharon/plugins/socket_default/socket_default_socket.c @@ -41,7 +41,6 @@ #include <netinet/udp.h> #include <net/if.h> -#include <hydra.h> #include <daemon.h> #include <threading/thread.h> @@ -720,16 +719,15 @@ static int open_socket(private_socket_default_socket_t *this, } #endif - if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, - skt, family)) + if (!charon->kernel->bypass_socket(charon->kernel, skt, family)) { DBG1(DBG_NET, "installing IKE bypass policy failed"); } /* enable UDP decapsulation for NAT-T sockets */ if (port == &this->natt && - !hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface, - skt, family, this->natt)) + !charon->kernel->enable_udp_decap(charon->kernel, skt, family, + this->natt)) { DBG1(DBG_NET, "enabling UDP decapsulation for %s on port %d failed", family == AF_INET ? "IPv4" : "IPv6", this->natt); diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c index a032134c3..b89cae47b 100644 --- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c +++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c @@ -36,7 +36,6 @@ #include <netinet/udp.h> #include <net/if.h> -#include <hydra.h> #include <daemon.h> #include <threading/thread.h> #include <threading/rwlock.h> 
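Review bot: A failed `charon->kernel->bypass_socket(charon->kernel, skt, family)` is only logged at DBG1 and open_socket carries on, so the daemon keeps running with an IKE socket that is not exempt from the IPsec policies it later installs; depending on those policies (a tunnel whose remote selector covers the peer, or a drop shunt) IKE traffic can then be captured or blocked with nothing louder than a debug line to explain it. Whether this should be fatal depends on backends that have no socket policies, which this hunk does not show, but the consequence should at least be stated in the message: `DBG1(DBG_NET, "installing IKE bypass policy failed, IKE traffic may be subject to IPsec policies");`. The socket_dynamic and socket_win hunks that follow repeat the same pattern. open_socket's beginning and end are outside the hunk.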
@@ -438,15 +437,13 @@ static int open_socket(private_socket_dynamic_socket_t *this, return 0; } - if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, - fd, family)) + if (!charon->kernel->bypass_socket(charon->kernel, fd, family)) { DBG1(DBG_NET, "installing IKE bypass policy failed"); } /* enable UDP decapsulation on each socket */ - if (!hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface, - fd, family, *port)) + if (!charon->kernel->enable_udp_decap(charon->kernel, fd, family, *port)) { DBG1(DBG_NET, "enabling UDP decapsulation for %s on port %d failed", family == AF_INET ? "IPv4" : "IPv6", *port); diff --git a/src/libcharon/plugins/socket_win/socket_win_socket.c b/src/libcharon/plugins/socket_win/socket_win_socket.c index fbfbedae1..94af08e80 100644 --- a/src/libcharon/plugins/socket_win/socket_win_socket.c +++ b/src/libcharon/plugins/socket_win/socket_win_socket.c @@ -19,7 +19,6 @@ #include "socket_win_socket.h" #include <library.h> -#include <hydra.h> #include <threading/thread.h> #include <daemon.h> @@ -397,13 +396,11 @@ static SOCKET open_socket(private_socket_win_socket_t *this, int i) closesocket(s); return INVALID_SOCKET; } - if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, - s, AF_INET)) + if (!charon->kernel->bypass_socket(charon->kernel, s, AF_INET)) { DBG1(DBG_NET, "installing IPv4 IKE bypass policy failed"); } - if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface, - s, AF_INET6)) + if (!charon->kernel->bypass_socket(charon->kernel, s, AF_INET6)) { DBG1(DBG_NET, "installing IPv6 IKE bypass policy failed"); } diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 400aa64a2..134abb955 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -16,7 +16,6 @@ #include "stroke_config.h" -#include <hydra.h> #include <daemon.h> #include <threading/mutex.h> #include <utils/lexparser.h> 
@@ -201,8 +200,7 @@ static bool is_local(char *address, bool any_allowed) host = host_create_from_dns(token, 0, 0); if (host) { - if (hydra->kernel_interface->get_interface( - hydra->kernel_interface, host, NULL)) + if (charon->kernel->get_interface(charon->kernel, host, NULL)) { found = TRUE; } diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index 5a1a5074d..36da5ff21 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -16,7 +16,6 @@ #include "stroke_control.h" -#include <hydra.h> #include <daemon.h> #include <processing/jobs/delete_ike_sa_job.h> diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 14233c975..9d4d54246 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -26,7 +26,6 @@ #include <malloc.h> #endif /* HAVE_MALLINFO */ -#include <hydra.h> #include <daemon.h> #include <collections/linked_list.h> #include <plugins/plugin.h> @@ -533,8 +532,8 @@ METHOD(stroke_list_t, status, void, } enumerator->destroy(enumerator); - enumerator = hydra->kernel_interface->create_address_enumerator( - hydra->kernel_interface, ADDR_TYPE_REGULAR); + enumerator = charon->kernel->create_address_enumerator(charon->kernel, + ADDR_TYPE_REGULAR); fprintf(out, "Listening IP addresses:\n"); while (enumerator->enumerate(enumerator, (void**)&host)) { diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c index d2ba2e345..2bad4fab0 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c @@ -18,7 +18,6 @@ #include "tnc_ifmap_renew_session_job.h" #include <daemon.h> -#include <hydra.h> #include <utils/debug.h> #define IFMAP_RENEW_SESSION_INTERVAL 150 
@@ -51,8 +50,8 @@ static bool publish_device_ip_addresses(private_tnc_ifmap_listener_t *this) host_t *host; bool success = TRUE; - enumerator = hydra->kernel_interface->create_address_enumerator( - hydra->kernel_interface, ADDR_TYPE_REGULAR); + enumerator = charon->kernel->create_address_enumerator(charon->kernel, + ADDR_TYPE_REGULAR); while (enumerator->enumerate(enumerator, &host)) { if (!this->ifmap->publish_device_ip(this->ifmap, host)) diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c index 96282bee0..dafdf94fc 100644 --- a/src/libcharon/plugins/updown/updown_listener.c +++ b/src/libcharon/plugins/updown/updown_listener.c @@ -21,7 +21,6 @@ #include "updown_listener.h" #include <utils/process.h> -#include <hydra.h> #include <daemon.h> #include <config/child_cfg.h> @@ -265,8 +264,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa, config->get_name(config)); if (up) { - if (hydra->kernel_interface->get_interface(hydra->kernel_interface, - me, &iface)) + if (charon->kernel->get_interface(charon->kernel, me, &iface)) { cache_iface(this, child_sa->get_reqid(child_sa), iface); } diff --git a/src/libcharon/plugins/vici/vici_tests.c b/src/libcharon/plugins/vici/vici_tests.c index 434aa5e18..d1f8097bf 100644 --- a/src/libcharon/plugins/vici/vici_tests.c +++ b/src/libcharon/plugins/vici/vici_tests.c @@ -16,7 +16,6 @@ #include <test_runner.h> #include <daemon.h> -#include <hydra.h> /* declare test suite constructors */ #define TEST_SUITE(x) test_suite_t* x(); diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c index b4f135a57..c39689012 100644 --- a/src/libcharon/processing/jobs/adopt_children_job.c +++ b/src/libcharon/processing/jobs/adopt_children_job.c @@ -19,7 +19,6 @@ #include "adopt_children_job.h" #include <daemon.h> -#include <hydra.h> #include <collections/array.h> #include <processing/jobs/delete_ike_sa_job.h> 
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index b0f163c83..56b7cb5a4 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -23,7 +23,6 @@ #include <string.h> #include <time.h> -#include <hydra.h> #include <daemon.h> #include <collections/array.h> @@ -469,10 +468,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) { if (this->my_spi) { - status = hydra->kernel_interface->query_sa(hydra->kernel_interface, - this->other_addr, this->my_addr, this->my_spi, - proto_ike2ip(this->protocol), this->mark_in, - &bytes, &packets, &time); + status = charon->kernel->query_sa(charon->kernel, this->other_addr, + this->my_addr, this->my_spi, + proto_ike2ip(this->protocol), this->mark_in, + &bytes, &packets, &time); if (status == SUCCESS) { if (bytes > this->my_usebytes) @@ -493,10 +492,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) { if (this->other_spi) { - status = hydra->kernel_interface->query_sa(hydra->kernel_interface, - this->my_addr, this->other_addr, this->other_spi, - proto_ike2ip(this->protocol), this->mark_out, - &bytes, &packets, &time); + status = charon->kernel->query_sa(charon->kernel, this->my_addr, + this->other_addr, this->other_spi, + proto_ike2ip(this->protocol), this->mark_out, + &bytes, &packets, &time); if (status == SUCCESS) { if (bytes > this->other_usebytes) 
@@ -532,15 +531,15 @@ static bool update_usetime(private_child_sa_t *this, bool inbound) if (inbound) { - if (hydra->kernel_interface->query_policy(hydra->kernel_interface, - other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS) + if (charon->kernel->query_policy(charon->kernel, other_ts, + my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS) { last_use = max(last_use, in); } if (this->mode != MODE_TRANSPORT) { - if (hydra->kernel_interface->query_policy(hydra->kernel_interface, - other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS) + if (charon->kernel->query_policy(charon->kernel, other_ts, + my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS) { last_use = max(last_use, fwd); } @@ -548,8 +547,8 @@ static bool update_usetime(private_child_sa_t *this, bool inbound) } else { - if (hydra->kernel_interface->query_policy(hydra->kernel_interface, - my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS) + if (charon->kernel->query_policy(charon->kernel, my_ts, + other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS) { last_use = max(last_use, out); } @@ -629,10 +628,8 @@ METHOD(child_sa_t, get_installtime, time_t, METHOD(child_sa_t, alloc_spi, u_int32_t, private_child_sa_t *this, protocol_id_t protocol) { - if (hydra->kernel_interface->get_spi(hydra->kernel_interface, - this->other_addr, this->my_addr, - proto_ike2ip(protocol), - &this->my_spi) == SUCCESS) + if (charon->kernel->get_spi(charon->kernel, this->other_addr, this->my_addr, + proto_ike2ip(protocol), &this->my_spi) == SUCCESS) { /* if we allocate a SPI, but then are unable to establish the SA, we * need to know the protocol family to delete the partial SA */ 
@@ -645,9 +642,8 @@ METHOD(child_sa_t, alloc_spi, u_int32_t, METHOD(child_sa_t, alloc_cpi, u_int16_t, private_child_sa_t *this) { - if (hydra->kernel_interface->get_cpi(hydra->kernel_interface, - this->other_addr, this->my_addr, - &this->my_cpi) == SUCCESS) + if (charon->kernel->get_cpi(charon->kernel, this->other_addr, this->my_addr, + &this->my_cpi) == SUCCESS) { return this->my_cpi; } @@ -711,9 +707,8 @@ METHOD(child_sa_t, install, status_t, if (!this->reqid_allocated && !this->static_reqid) { - status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface, - my_ts, other_ts, this->mark_in, this->mark_out, - &this->reqid); + status = charon->kernel->alloc_reqid(charon->kernel, my_ts, other_ts, + this->mark_in, this->mark_out, &this->reqid); if (status != SUCCESS) { return status; @@ -757,7 +752,7 @@ METHOD(child_sa_t, install, status_t, dst_ts = other_ts; } - status = hydra->kernel_interface->add_sa(hydra->kernel_interface, + status = charon->kernel->add_sa(charon->kernel, src, dst, spi, proto_ike2ip(this->protocol), this->reqid, inbound ? this->mark_in : this->mark_out, tfc, lifetime, enc_alg, encr, int_alg, integ, this->mode, @@ -776,7 +771,7 @@ static bool require_policy_update() { kernel_feature_t f; - f = hydra->kernel_interface->get_features(hydra->kernel_interface); + f = charon->kernel->get_features(charon->kernel); return !(f & KERNEL_NO_POLICY_UPDATES); } 
@@ -833,18 +828,18 @@ static status_t install_policies_internal(private_child_sa_t *this, ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority) { status_t status = SUCCESS; - status |= hydra->kernel_interface->add_policy(hydra->kernel_interface, + status |= charon->kernel->add_policy(charon->kernel, my_addr, other_addr, my_ts, other_ts, POLICY_OUT, type, other_sa, this->mark_out, priority); - status |= hydra->kernel_interface->add_policy(hydra->kernel_interface, + status |= charon->kernel->add_policy(charon->kernel, other_addr, my_addr, other_ts, my_ts, POLICY_IN, type, my_sa, this->mark_in, priority); if (this->mode != MODE_TRANSPORT) { - status |= hydra->kernel_interface->add_policy(hydra->kernel_interface, + status |= charon->kernel->add_policy(charon->kernel, other_addr, my_addr, other_ts, my_ts, POLICY_FWD, type, my_sa, this->mark_in, priority); @@ -861,15 +856,15 @@ static void del_policies_internal(private_child_sa_t *this, ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority) { - hydra->kernel_interface->del_policy(hydra->kernel_interface, + charon->kernel->del_policy(charon->kernel, my_addr, other_addr, my_ts, other_ts, POLICY_OUT, type, other_sa, this->mark_out, priority); - hydra->kernel_interface->del_policy(hydra->kernel_interface, + charon->kernel->del_policy(charon->kernel, other_addr, my_addr, other_ts, my_ts, POLICY_IN, type, my_sa, this->mark_in, priority); if (this->mode != MODE_TRANSPORT) { - hydra->kernel_interface->del_policy(hydra->kernel_interface, + charon->kernel->del_policy(charon->kernel, other_addr, my_addr, other_ts, my_ts, POLICY_FWD, type, my_sa, this->mark_in, priority); } 
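Review bot: install_policies_internal accumulates results with `status |= charon->kernel->add_policy(...)`, which bit-ORs status_t enumerators; two different non-SUCCESS results can combine into a value that names a third, unrelated enumerator (or none at all), so anything downstream that prints or switches on the status sees a meaningless value, and only a `!= SUCCESS` test remains trustworthy. Replace the OR with an explicit check on each of the three POLICY_OUT/POLICY_IN/POLICY_FWD calls, e.g. `if (charon->kernel->add_policy(...) != SUCCESS) { status = FAILED; }`, so the returned status is always a real enumerator. del_policies_internal in the same hunk discards its results entirely and is unaffected. The parameter list and the return statement of install_policies_internal are outside the hunk.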
@@ -886,8 +881,8 @@ METHOD(child_sa_t, add_policies, status_t, if (!this->reqid_allocated && !this->static_reqid) { /* trap policy, get or confirm reqid */ - status = hydra->kernel_interface->alloc_reqid( - hydra->kernel_interface, my_ts_list, other_ts_list, + status = charon->kernel->alloc_reqid( + charon->kernel, my_ts_list, other_ts_list, this->mark_in, this->mark_out, &this->reqid); if (status != SUCCESS) { @@ -967,11 +962,10 @@ static void reinstall_vip(host_t *vip, host_t *me) { char *iface; - if (hydra->kernel_interface->get_interface(hydra->kernel_interface, - me, &iface)) + if (charon->kernel->get_interface(charon->kernel, me, &iface)) { - hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE); - hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, -1, iface); + charon->kernel->del_ip(charon->kernel, vip, -1, TRUE); + charon->kernel->add_ip(charon->kernel, vip, -1, iface); free(iface); } } @@ -1000,7 +994,7 @@ METHOD(child_sa_t, update, status_t, /* update our (initiator) SA */ if (this->my_spi) { - if (hydra->kernel_interface->update_sa(hydra->kernel_interface, + if (charon->kernel->update_sa(charon->kernel, this->my_spi, proto_ike2ip(this->protocol), this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, this->other_addr, this->my_addr, other, me, @@ -1014,7 +1008,7 @@ METHOD(child_sa_t, update, status_t, /* update his (responder) SA */ if (this->other_spi) { - if (hydra->kernel_interface->update_sa(hydra->kernel_interface, + if (charon->kernel->update_sa(charon->kernel, this->other_spi, proto_ike2ip(this->protocol), this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0, this->my_addr, this->other_addr, me, other, 
@@ -1143,14 +1137,14 @@ METHOD(child_sa_t, destroy, void, /* delete SAs in the kernel, if they are set up */ if (this->my_spi) { - hydra->kernel_interface->del_sa(hydra->kernel_interface, + charon->kernel->del_sa(charon->kernel, this->other_addr, this->my_addr, this->my_spi, proto_ike2ip(this->protocol), this->my_cpi, this->mark_in); } if (this->other_spi) { - hydra->kernel_interface->del_sa(hydra->kernel_interface, + charon->kernel->del_sa(charon->kernel, this->my_addr, this->other_addr, this->other_spi, proto_ike2ip(this->protocol), this->other_cpi, this->mark_out); @@ -1158,7 +1152,7 @@ METHOD(child_sa_t, destroy, void, if (this->reqid_allocated) { - if (hydra->kernel_interface->release_reqid(hydra->kernel_interface, + if (charon->kernel->release_reqid(charon->kernel, this->reqid, this->mark_in, this->mark_out) != SUCCESS) { DBG1(DBG_CHD, "releasing reqid %u failed", this->reqid); diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index afd6fdf2a..48a4b274a 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -46,7 +46,6 @@ #include "ike_sa.h" #include <library.h> -#include <hydra.h> #include <daemon.h> #include <collections/array.h> #include <utils/lexparser.h> @@ -803,12 +802,12 @@ METHOD(ike_sa_t, add_virtual_ip, void, { char *iface; - if (hydra->kernel_interface->get_interface(hydra->kernel_interface, - this->my_host, &iface)) + if (charon->kernel->get_interface(charon->kernel, this->my_host, + &iface)) { DBG1(DBG_IKE, "installing new virtual IP %H", ip); - if (hydra->kernel_interface->add_ip(hydra->kernel_interface, - ip, -1, iface) == SUCCESS) + if (charon->kernel->add_ip(charon->kernel, ip, -1, + iface) == SUCCESS) { array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip)); } @@ -845,8 +844,7 @@ METHOD(ike_sa_t, clear_virtual_ips, void, { if (local) { - hydra->kernel_interface->del_ip(hydra->kernel_interface, - vip, -1, TRUE); + charon->kernel->del_ip(charon->kernel, vip, -1, TRUE); } vip->destroy(vip); } 
@@ -1282,8 +1280,8 @@ static void resolve_hosts(private_ike_sa_t *this) !this->other_host->is_anyaddr(this->other_host)) { host->destroy(host); - host = hydra->kernel_interface->get_source_addr( - hydra->kernel_interface, this->other_host, NULL); + host = charon->kernel->get_source_addr(charon->kernel, + this->other_host, NULL); if (host) { host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg)); @@ -2084,8 +2082,8 @@ static bool is_current_path_valid(private_ike_sa_t *this) { bool valid = FALSE; host_t *src; - src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, - this->other_host, this->my_host); + src = charon->kernel->get_source_addr(charon->kernel, this->other_host, + this->my_host); if (src) { if (src->ip_equals(src, this->my_host)) @@ -2129,8 +2127,7 @@ static bool is_any_path_valid(private_ike_sa_t *this) continue; } DBG1(DBG_IKE, "looking for a route to %H ...", addr); - src = hydra->kernel_interface->get_source_addr( - hydra->kernel_interface, addr, NULL); + src = charon->kernel->get_source_addr(charon->kernel, addr, NULL); if (src) { break; @@ -2418,7 +2415,7 @@ METHOD(ike_sa_t, destroy, void, } while (array_remove(this->my_vips, ARRAY_TAIL, &vip)) { - hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE); + charon->kernel->del_ip(charon->kernel, vip, -1, TRUE); vip->destroy(vip); } if (array_count(this->other_vips)) diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c index b8af6f67b..cb1a31371 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c @@ -41,7 +41,6 @@ #include <string.h> -#include <hydra.h> #include <daemon.h> #include <sa/ikev1/keymat_v1.h> #include <config/peer_cfg.h> 
@@ -104,7 +103,7 @@ static bool force_encap(ike_cfg_t *ike_cfg) { if (!ike_cfg->force_encap(ike_cfg)) { - return hydra->kernel_interface->get_features(hydra->kernel_interface) & + return charon->kernel->get_features(charon->kernel) & KERNEL_REQUIRE_UDP_ENCAPSULATION; } return TRUE;
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index c0c91574c..ecdfc780d 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -16,7 +16,6 @@ #include "xauth.h" #include <daemon.h> -#include <hydra.h> #include <encoding/payloads/cp_payload.h> #include <processing/jobs/adopt_children_job.h> #include <sa/ikev1/tasks/mode_config.h>
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 97f73d851..740d09778 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -18,7 +18,6 @@ #include "child_create.h" #include <daemon.h> -#include <hydra.h> #include <sa/ikev2/keymat_v2.h> #include <crypto/diffie_hellman.h> #include <credentials/certificates/x509.h>
@@ -786,7 +785,7 @@ static bool build_payloads(private_child_create_t *this, message_t *message) break; } - features = hydra->kernel_interface->get_features(hydra->kernel_interface); + features = charon->kernel->get_features(charon->kernel); if (!(features & KERNEL_ESP_V3_TFC)) { message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.c b/src/libcharon/sa/ikev2/tasks/ike_me.c
index a7e7505a1..10d412ffd 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_me.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.c
@@ -17,7 +17,6 @@ #include <string.h> -#include <hydra.h> #include <daemon.h> #include <config/peer_cfg.h> #include <encoding/payloads/id_payload.h> 
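Review bot: The rewritten static `force_encap()` in isakmp_natd.c is, line for line, the same helper as the one patched in ike_natd.c further down, so the kernel-feature check `charon->kernel->get_features(charon->kernel) & KERNEL_REQUIRE_UDP_ENCAPSULATION` is now maintained in two copies. Since this commit already touches both, it is the natural moment to hoist the helper into one shared definition that both NAT-D tasks call, so a later change to the feature test cannot land in only one of the two. The function's closing brace lies outside the hunk.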
@@ -135,8 +134,8 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message) host = this->ike_sa->get_my_host(this->ike_sa); port = host->get_port(host); - enumerator = hydra->kernel_interface->create_address_enumerator( - hydra->kernel_interface, ADDR_TYPE_REGULAR); + enumerator = charon->kernel->create_address_enumerator(charon->kernel, + ADDR_TYPE_REGULAR); while (enumerator->enumerate(enumerator, (void**)&addr)) { host = addr->clone(addr);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index cbdc5e797..3f7bb175f 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -18,7 +18,6 @@ #include <string.h> -#include <hydra.h> #include <daemon.h> #include <sa/ikev2/tasks/ike_natd.h> #include <encoding/payloads/notify_payload.h>
@@ -196,8 +195,8 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message) int added = 0; me = this->ike_sa->get_my_host(this->ike_sa); - enumerator = hydra->kernel_interface->create_address_enumerator( - hydra->kernel_interface, ADDR_TYPE_REGULAR); + enumerator = charon->kernel->create_address_enumerator(charon->kernel, + ADDR_TYPE_REGULAR); while (enumerator->enumerate(enumerator, (void**)&host)) { if (me->ip_equals(me, host))
@@ -333,8 +332,7 @@ METHOD(ike_mobike_t, transmit, bool, if (!this->check) { - me = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, - other_old, me_old); + me = charon->kernel->get_source_addr(charon->kernel, other_old, me_old); if (me) { if (me->ip_equals(me, me_old))
@@ -372,8 +370,7 @@ METHOD(ike_mobike_t, transmit, bool, { continue; } - me = hydra->kernel_interface->get_source_addr( - hydra->kernel_interface, other, NULL); + me = charon->kernel->get_source_addr(charon->kernel, other, NULL); if (me) { /* reuse port for an active address, 4500 otherwise */ 
@@ -407,7 +404,7 @@ METHOD(task_t, build_i, status_t, /* we check if the existing address is still valid */ old = message->get_source(message); - new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, + new = charon->kernel->get_source_addr(charon->kernel, message->get_destination(message), old); if (new) {
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
index dd34c1234..4bf5264dd 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_natd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -18,7 +18,6 @@ #include <string.h> -#include <hydra.h> #include <daemon.h> #include <config/peer_cfg.h> #include <crypto/hashers/hasher.h>
@@ -86,7 +85,7 @@ static bool force_encap(ike_cfg_t *ike_cfg) { if (!ike_cfg->force_encap(ike_cfg)) { - return hydra->kernel_interface->get_features(hydra->kernel_interface) & + return charon->kernel->get_features(charon->kernel) & KERNEL_REQUIRE_UDP_ENCAPSULATION; } return TRUE;
@@ -327,7 +326,7 @@ METHOD(task_t, build_i, status_t, } else { - host = hydra->kernel_interface->get_source_addr(hydra->kernel_interface, + host = charon->kernel->get_source_addr(charon->kernel, this->ike_sa->get_other_host(this->ike_sa), NULL); if (host) { /* 2. */
@@ -341,8 +340,8 @@ METHOD(task_t, build_i, status_t, } else { /* 3. */ - enumerator = hydra->kernel_interface->create_address_enumerator( - hydra->kernel_interface, ADDR_TYPE_REGULAR); + enumerator = charon->kernel->create_address_enumerator( + charon->kernel, ADDR_TYPE_REGULAR); while (enumerator->enumerate(enumerator, (void**)&host)) { /* apply port 500 to host, but work on a copy */
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 5231994c8..0e9cf6e1f 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -16,7 +16,6 @@ #include "shunt_manager.h" -#include <hydra.h> #include <daemon.h> #include <threading/rwlock.h> #include <threading/rwlock_condvar.h> 
@@ -111,22 +110,22 @@ static bool install_shunt_policy(child_cfg_t *child) continue; } /* install out policy */ - status |= hydra->kernel_interface->add_policy( - hydra->kernel_interface, host_any, host_any, + status |= charon->kernel->add_policy(charon->kernel, + host_any, host_any, my_ts, other_ts, POLICY_OUT, policy_type, &sa, child->get_mark(child, FALSE), policy_prio); /* install in policy */ - status |= hydra->kernel_interface->add_policy( - hydra->kernel_interface, host_any, host_any, + status |= charon->kernel->add_policy(charon->kernel, + host_any, host_any, other_ts, my_ts, POLICY_IN, policy_type, &sa, child->get_mark(child, TRUE), policy_prio); /* install forward policy */ - status |= hydra->kernel_interface->add_policy( - hydra->kernel_interface, host_any, host_any, + status |= charon->kernel->add_policy(charon->kernel, + host_any, host_any, other_ts, my_ts, POLICY_FWD, policy_type, &sa, child->get_mark(child, TRUE), policy_prio);
@@ -248,22 +247,22 @@ static void uninstall_shunt_policy(child_cfg_t *child) continue; } /* uninstall out policy */ - status |= hydra->kernel_interface->del_policy( - hydra->kernel_interface, host_any, host_any, + status |= charon->kernel->del_policy(charon->kernel, + host_any, host_any, my_ts, other_ts, POLICY_OUT, policy_type, &sa, child->get_mark(child, FALSE), policy_prio); /* uninstall in policy */ - status |= hydra->kernel_interface->del_policy( - hydra->kernel_interface, host_any, host_any, + status |= charon->kernel->del_policy(charon->kernel, + host_any, host_any, other_ts, my_ts, POLICY_IN, policy_type, &sa, child->get_mark(child, TRUE), policy_prio); /* uninstall forward policy */ - status |= hydra->kernel_interface->del_policy( - hydra->kernel_interface, host_any, host_any, + status |= charon->kernel->del_policy(charon->kernel, + host_any, host_any, other_ts, my_ts, POLICY_FWD, policy_type, &sa, child->get_mark(child, TRUE), policy_prio); 
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 90ad7e40e..85e220775 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -16,7 +16,6 @@ #include "trap_manager.h" -#include <hydra.h> #include <daemon.h> #include <threading/mutex.h> #include <threading/rwlock.h>
@@ -195,8 +194,7 @@ METHOD(trap_manager_t, install, u_int32_t, if (!me || me->is_anyaddr(me)) { DESTROY_IF(me); - me = hydra->kernel_interface->get_source_addr( - hydra->kernel_interface, other, NULL); + me = charon->kernel->get_source_addr(charon->kernel, other, NULL); if (!me) { DBG1(DBG_CFG, "installing trap failed, local address unknown"); |