| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | | |
|
| | |
| |
| |
| |
| |
| | |
If there is a default drop policy forwarded traffic might otherwise not
be allowed by a specific passthrough policy (while local traffic is
allowed).
|
| | |
| |
| |
| |
| |
| |
| | |
This allows two CHILD_SAs with reversed subnets to install two FWD
policies each. Since the outbound policy won't have a reqid set we will
end up with the two inbound FWD policies installed in the kernel, with
the correct templates to allow decrypted traffic.
|
| | |
| |
| |
| |
| |
| | |
We can't set a template on the outbound FWD policy (or we'd have to make
it optional). Because if the traffic does not come from another (matching)
IPsec tunnel it would get dropped due to the template mismatch.
|
| | |
| |
| |
| |
| |
| |
| | |
If there is a DROP shunt that matches outbound forwarded traffic it
would get dropped as the FWD policy we install only matches decrypted
inbound traffic. That's because the Linux kernel first checks the FWD
policies before looking up the OUT policy and SA to encrypt the packets.
|
| | |
| |
| |
| |
| |
| | |
This allows us to install more than one FWD policy. We already do this
in the kernel-pfkey plugin (there the original reason was that not all
kernels support FWD policies).
|
| |/ |
|
| |
|
|
| |
scenario
|
| |
|
|
| |
References #1382.
|
| |
|
|
|
|
|
|
|
| |
GnuTLS, which can get loaded by the curl plugin, does not properly cleanup
some allocated memory when deinitializing. This causes invalid frees if
leak detective is active. Other invalid frees are related to time
conversions (tzset).
References #1382.
|
| |
|
|
|
|
| |
They are zero padded to fill the buffer.
Fixes #1377.
|
| | |
|
| | |
|
| |
|
|
|
| |
Some platforms have XetohXX macros instead of XeXXtoh macros, in which
case we'd redefine the htoXeXX macros.
|
| |
|
|
| |
Closes strongswan/strongswan#40.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Or the invoked script will get a broken value when `mark=%unique` is
used in a configuration.
Closes strongswan/strongswan#37.
|
| |
|
|
| |
Fixes #1365.
|
| | |
|
| |
|
|
|
|
|
| |
While building against this level in general would break our app on
older systems, the NDK will automatically use this level for 64-bit
ABI builds (which are not supported in older levels). So to build
against 64-bit ABIs we have to support this API level.
|
| |
|
|
| |
Not really relevant, just to make sure both file lists are the same.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
was called
A thread might check out a new IKE_SA via checkout_new() or
checkout_by_config() and start initiating it while the daemon is
terminating and the IKE_SA manager is flushed by the main thread.
That SA is not tracked yet so the main thread is not waiting for it and
the other thread is able to check it in and creating an entry after flush()
already terminated causing a memory leak.
Fixes #1348.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| | |
|
| |
|
|
| |
References #1347.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running or undoing start actions might require enumerating IKE_SAs,
which in turn might have to enumerate peer configs concurrently, which
requires acquiring a read lock. So if we keep holding the write lock while
enumerating the SAs we provoke a deadlock.
By preventing other threads from acquiring the write lock while handling
actions, and thus preventing the modification of the configs, we largely
maintain the current synchronous behavior. This way we also don't need to
acquire additional refs for config objects as they won't get modified/removed.
Fixes #1185.
|
| | |
|
| |
|
|
|
|
| |
Same as the change in the connmark plugin.
References #1229.
|
| |
|
|
|
|
|
|
|
| |
This allows e.g. modified versions of xl2tpd to set the mark in
situations where two clients are using the same source port behind the
same NAT, which CONNMARK can't restore properly as only one conntrack entry
will exist with the mark set to that of the client that sent the last packet.
Fixes #1230.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
By settings a matchmask that covers the complete rule we ensure that the
correct rule is deleted (i.e. matches and targets with potentially different
marks are also compared).
Since data after the passed pointer is actually dereferenced when
comparing we definitely have to pass an array that is at least as long as
the ipt_entry.
Fixes #1229.
|
| |\
| |
| |
| |
| |
| |
| |
| | |
Implemented IKEv1 IPv4/IPv6 address subnet and range identities to
be used as owners for shared secrets.
swanctl supports configuration of traffic selectors with IPv4/IPv6
address ranges.
|
| | | |
|
| | | |
|
| |/
|
|
|
|
| |
The IKEv1 IPV4_ADDR_SUBNET, IPV6_ADDR_SUBNET, IPV4_ADDR_RANGE and
IPV6_ADDR_RANGE identities have been fully implemented and can be
used as owners of shared secrets (PSKs).
|
| |\
| |
| |
| |
| |
| |
| | |
This adds the p-cscf plugin that can request P-CSCF server addresses from
an ePDG via IKEv2 (RFC 7651). Addresses of the same families as requested
virtual IPs are requested if enabled in strongswan.conf for a particular
connection. The plugin currently writes received addresses to the log.
|
| | |
| |
| |
| | |
Numerically configured attributes are currently sent for both versions.
|
| | | |
|
| | | |
|
| | | |
|
