| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| | |
There are some exceptions (e.g. those that use auto=start or p2pnat).
|
| | |
| |
| |
| |
| |
| |
| | |
The main difference is that ping now reports icmp_seq instead of
icmp_req, so we match for icmp_.eq, which works with both releases.
tcpdump now also reports port 4500 as ipsec-nat-t.
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
analyzing/collecting logs
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Several packages got renamed/updated, libgcrypt was apparently installed
by default previously.
Since most libraries changed we have to completely rebuild all the tools
installed in the root image. We currently don't provide a clean target in
the recipes, and even if we did we'd have to track which base image we
last built for. It's easier to just use a different build directory for
each base image, at the cost of some additional disk space (if not manually
cleaned). However, that's also the case when updating kernel or
software versions.
|
| | | |
|
| | |
| |
| |
| | |
This seems to be required for systemd to remount it.
|
| | |
| |
| |
| |
| |
| | |
It is still compatible with the current release as the config in
sites-available will be ignored, while conf-enabled does not exist and
is not included in the main config.
|
| | |
| |
| |
| |
| |
| | |
Newer OpenSSH versions disable this by default because it's unsafe.
Since this is not relevant for our use case we enable it due to its
speed.
|
| | |
| |
| |
| |
| | |
If changes are made to the base or root image the images depending on
these have to be rebuilt.
|
| | |
| |
| |
| | |
This sub-package does not build on Debian jessie.
|
| |/
|
|
|
|
| |
Unlike `apt-get install` in a chroot debootstrap does not seem to start
the services but stopping them might cause problems if they were running
outside the chroot.
|
| |
|
|
|
|
|
|
| |
Newer versions of GCC are too "smart" and replace a call to malloc(X)
followed by a call to memset(0,X) with a call co calloc(), which obviously
results in an infinite loop when it does that in our own calloc()
implementation. Using `volatile` for the variable storing the total size
prevents the optimization and we actually call malloc().
|
| | |
|
| |
|
|
|
| |
Some C libraries, such as uClibc, require an explicit link for some atomic
functions. Check for any libatomic, and explcily link it.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Some of these are also understood by BoringSSL.
Fixes #1510.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This fixes DNS server installation if make-before-break reauthentication
is used as there the new SA and DNS server is installed before it then
is removed again when the old IKE_SA is torn down.
|
| |
|
|
| |
This allows us to capture output written to stderr/stdout.
|
| |
|
|
|
|
| |
If running resolvconf fails handle() fails release() is not called, which
might leave an interface file on the system (or depending on which script
called by resolvconf actually failed even the installed DNS server).
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Changes how the interface for routes installed with policies is
determined. In most cases we now use the interface over which we reach the
other peer, not the interface on which the local address (or the source IP) is
installed. However, that might be the same interface depending on the
configuration (i.e. in practice there will often not be a change).
Routes are not installed anymore for drop policies and for policies with
protocol/port selectors.
Fixes #809, #824, #1347.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| | |
This is the direction we actually need routes in and makes the code
easier to read.
|
| | |
| |
| |
| | |
are in the selector
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
are in the selector
We don't need them for drop policies and they might even mess with other
routes we install. Routes for policies with protocol/ports in the
selector will always be too broad and might conflict with other routes
we install.
|
| | |
| |
| |
| |
| | |
An exception is if the local address is virtual, in which case we want
the route to be via TUN device.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
Using the source address to determine the interface is not correct for
net-to-net shunts between two interfaces on which the host has IP addresses
for each subnet.
|
| | | |
|
| |/
|
|
|
| |
The returned name should be the interface over which the destination
address/net is reachable.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Other threads are free to add/update/delete other policies.
This tries to prevent race conditions caused by releasing the mutex while
sending messages to the kernel. For instance, if break-before-make
reauthentication is used and one thread on the responder is delayed in
deleting the policies that another thread is concurrently adding for the
new SA. This could have resulted in no policies being installed
eventually.
Fixes #1400.
|
| | |
|
| | |
|
| |
|
|
| |
#1467.
|
| | |
|
| |\
| |
| |
| |
| |
| |
| | |
Fixes the comparison of ipsec_sa_cfg_t instances in case there is
padding that's not initialized to zero.
Fixes #1503.
|
| | | |
|
| | | |
|
| |/
|
|
|
|
| |
memeq() is currently used to compare these but if there is padding that
is not initialized the same for two instances the comparison fails.
Using this function ensures the objects are compared correctly.
|
| |
|
|
|
|
|
|
|
|
|
| |
If a pseudonym changed a new entry was added to the table storing
permanent identity objects (that are used as keys in the other table).
However, the old mapping was not removed while replacing the mapping in
the pseudonym table caused the old pseudonym to get destroyed. This
eventually caused crashes when a new pseudonym had the same hash value as
such a defunct entry and keys had to be compared.
Fixes strongswan/strongswan#46.
|
| |
|
|
|
|
| |
If two CHILD_SAs with mark=%unique are created concurrently they could
otherwise end up with either the same mark or different marks in both
directions.
|
