Path: root/src/frontends/android/jni/libandroidbridge/kernel

Commit log, newest first. Each entry gives the subject line, then author, date, files changed and lines removed/added, then the commit message body where there is one.

* android: Migrate to the Gradle build system
  Tobias Brunner, 2015-11-12, 6 files, -917/+0

  This uses a manual way to trigger the NDK build (the default with on-the-fly Android.mk files does not work for us).

* kernel-interface: Pass the same data to del_policy() that was passed to add_policy()
  Tobias Brunner, 2015-11-10, 1 file, -3/+4

  The additional data can be helpful to identify the exact policy to delete.

* android: Retrigger a roam event if reportedly connected but no source address found
  Tobias Brunner, 2015-07-28, 1 file, -2/+35

  In dual-stack environments the IPv6 connectivity (via autoconfiguration) might be established before the IPv4 connectivity (via DHCP). It seems Android triggers the CONNECTIVITY_ACTION broadcast already when the first family is fully configured. At that time we might not be able to find an IPv4 source address. And since Android does not trigger the broadcast again if IPv4 connectivity is established, the connection is broken afterwards.

  So we store the connectivity state and if we are reportedly connected but still find no source address we trigger a roam event to recheck for an IPv4 address. This will cause regular rechecks if a device enters an IPv6-only network, but I guess that's rare (otherwise we could limit the number of rechecks done between connectivity changes).

* android: Add method to check for connectivity to NetworkManager
  Tobias Brunner, 2015-07-28, 2 files, -3/+33

* android: Fix kernel-net implementation on Android 4.3 and earlier
  Tobias Brunner, 2015-07-28, 1 file, -0/+34

  Before fwmarks were used, protected sockets were bound to the outbound interface via SO_BINDTODEVICE. This does not always seem to work well together with our connect()/getsockname() trick if the server is covered by the traffic selectors. Calling protect() again after disconnecting the socket seems to help, but if there is no connectivity at all we still get the virtual IP back (maybe protect() does not bind the socket to any interface then).

* android: Add a custom kernel-net implementation to replace kernel-netlink
  Tobias Brunner, 2015-07-28, 2 files, -27/+149

  When roaming from a mobile network to WiFi on Android 5.x the event received via ConnectivityManager is triggered before the mobile connection is fully torn down (i.e. before the interface is disabled and the routes disappear). So for strongSwan the current path still seems valid and since no roam event is triggered later the daemon never switches to WiFi and the connection is broken afterwards.

  A possible solution to this is enabling roam events in the kernel-netlink plugin. That would trigger an event when the device is finally disconnected from the mobile network. However, this could actually take some time, during which traffic continues to be sent via mobile network instead of WiFi. That's because Android now uses multiple routing tables, routing rules and fwmarks to direct traffic to the appropriate interface/table, but in our plugin we don't have the information available that would allow us to make the switch to a different network/routing table earlier (and we actually prefer the current path if it is still valid). Additionally, the plugin produces quite a bit more events than ConnectivityManager (which was one of the reasons to use the latter in the first place).

  This custom kernel-net implementation is now specifically tailored for Android. Roam events are still triggered via ConnectivityManager but the source address is determined via connect()/getsockname() on a VPN excluded UDP socket, which does use the correct routing table as intended by Android. That way the daemon immediately sees a different source IP when connectivity changes even if the device is connected to multiple networks concurrently.
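  The connect()/getsockname() source-address lookup that the three commit messages above rely on, as an added example (this is illustrative code, not strongSwan's own kernel-net implementation). It assumes a plain Linux/POSIX socket API; the VpnService.protect() call that excludes the socket from the VPN on Android is only marked as a comment, since it needs JNI, and the function names get_source_address() and have_source() are this example's own. The connect() on a UDP socket sends nothing but makes the kernel resolve the route, so getsockname() afterwards returns the source address the current routing table selects; a failing connect() (no route for that address family) is the dual-stack case in which the daemon retriggers a roam event.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, not strongSwan code. Hypothetical name.
 * Returns 0 and writes the textual source address for dst into src, or -1 if
 * dst is not a valid address of that family or no route/source exists. */
int get_source_address(int family, const char *dst, char *src, size_t srclen)
{
	struct sockaddr_storage ss;
	struct sockaddr unspec;
	socklen_t len;
	const void *addr;
	int fd;

	memset(&ss, 0, sizeof(ss));
	if (family == AF_INET)
	{
		struct sockaddr_in *sin = (struct sockaddr_in*)&ss;
		sin->sin_family = AF_INET;
		sin->sin_port = htons(500); /* any port, no packet is ever sent */
		if (inet_pton(AF_INET, dst, &sin->sin_addr) != 1) return -1;
		len = sizeof(*sin);
	}
	else if (family == AF_INET6)
	{
		struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)&ss;
		sin6->sin6_family = AF_INET6;
		sin6->sin6_port = htons(500);
		if (inet_pton(AF_INET6, dst, &sin6->sin6_addr) != 1) return -1;
		len = sizeof(*sin6);
	}
	else
	{
		return -1;
	}

	fd = socket(family, SOCK_DGRAM, 0);
	if (fd < 0) return -1;
	/* On Android, VpnService.protect(fd) would be called here (assumed, via JNI)
	 * so that the lookup uses the real routing table and not the tun device. */
	if (connect(fd, (struct sockaddr*)&ss, len) < 0)
	{
		/* e.g. ENETUNREACH: no source address for this family right now */
		close(fd);
		return -1;
	}
	len = sizeof(ss);
	if (getsockname(fd, (struct sockaddr*)&ss, &len) < 0)
	{
		close(fd);
		return -1;
	}
	/* dissociate the socket again (connect() with AF_UNSPEC) before closing,
	 * the "disconnecting" step mentioned for Android 4.3 and earlier */
	memset(&unspec, 0, sizeof(unspec));
	unspec.sa_family = AF_UNSPEC;
	connect(fd, &unspec, sizeof(unspec));
	close(fd);

	addr = (family == AF_INET)
		? (const void*)&((struct sockaddr_in*)&ss)->sin_addr
		: (const void*)&((struct sockaddr_in6*)&ss)->sin6_addr;
	if (!inet_ntop(family, addr, src, srclen)) return -1;
	/* an unspecified address means the kernel found no usable source */
	if (strcmp(src, "0.0.0.0") == 0 || strcmp(src, "::") == 0) return -1;
	return 0;
}

/* Hypothetical helper for the dual-stack check: 1 if a source address exists
 * for the destination's family, 0 if a roam recheck should be scheduled. */
int have_source(int family, const char *dst)
{
	char buf[INET6_ADDRSTRLEN];
	return get_source_address(family, dst, buf, sizeof(buf)) == 0;
}

int main(void)
{
	char src[INET6_ADDRSTRLEN];
	const char *dst = "127.0.0.1"; /* constructed sample destination */

	if (get_source_address(AF_INET, dst, src, sizeof(src)) == 0)
		printf("source address towards %s: %s\n", dst, src);
	else
		printf("no source address towards %s, would retrigger roam event\n", dst);
	return 0;
}
```

  Calling this once per address family after every CONNECTIVITY_ACTION broadcast gives the "reportedly connected but no source address" condition directly: have_source(AF_INET, server) returning 0 while the manager reports connectivity is the case in which a recheck is scheduled.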
* libipsec: Pass separate inbound/update flags to the IPsec SA manager
  Martin Willi, 2015-03-09, 1 file, -2/+3

  Similar to other kernel interfaces, the libipsec backend uses the flag for different purposes, and therefore should get separate flags.

* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqid
  Martin Willi, 2015-02-20, 1 file, -3/+3

* kernel-interface: Pass full list of traffic selectors to add_sa()
  Martin Willi, 2015-02-20, 1 file, -1/+1

  While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility in how to handle this information.

* libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa()
  Martin Willi, 2015-02-20, 1 file, -2/+1

* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods
  Martin Willi, 2015-02-20, 1 file, -2/+2

  The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotiated. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends where this is necessary.

* libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi()
  Martin Willi, 2015-02-19, 1 file, -1/+1

* android: Add support for querying use stats of a CHILD_SA
  Tobias Brunner, 2014-09-09, 1 file, -1/+2

* kernel-interface: Add a replay_window parameter to add_sa()
  Martin Willi, 2014-06-17, 1 file, -2/+3

* kernel: Use a time_t to report use time in query_policy()
  Martin Willi, 2013-10-11, 1 file, -1/+1

* kernel: Use a time_t to report use time in query_sa()
  Martin Willi, 2013-10-11, 1 file, -1/+1

* android: Forward initiator flag to libipsec when adding IPsec SA
  Tobias Brunner, 2013-06-13, 1 file, -2/+2

* kernel-interface: add an exchange initiator parameter to add_sa()
  Martin Willi, 2013-06-11, 1 file, -1/+1

  This new flag gives the kernel-interface a hint how it should prioritize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2:

      Initiator                  Responder
      I1  -------CREATE------->  R1
      I2  <------CREATE--------
          -------DELETE------->  R2
      I3  <------DELETE--------

  SAs are always handled as pairs; the following happens at the SA level:

  * Initiator starts the exchange at I1
  * Responder installs new SA pair at R1
  * Initiator installs new SA pair at I2
  * Responder removes old SA pair at R2
  * Initiator removes old SA pair at I3

  This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position:

  * as exchange initiator, in I2
  * as exchange responder, in R2

  This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should:

  * as exchange initiator, have the new outbound SA installed with higher priority than the old SA
  * as exchange responder, have the new outbound SA installed with lower priority than the old SA

  While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
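  The rekey ordering described in the commit message above, as an added example that is not strongSwan code: a toy security association database in which the outbound lookup picks the installed outbound SA with the highest priority, driven through the I1..I3 / R1..R2 steps for both peers. The SPIs, the OLD_PRIO value and the names sad_t, sad_outbound(), new_outbound_prio() and run_rekey() are this example's own. The check in run_rekey() is the property the message states: at no step does a side select an outbound SA for which the peer has not yet installed the matching inbound SA.

```c
#include <string.h>

/* Added example, not strongSwan code. All names and values are hypothetical. */
#define MAX_SAS 8
#define OLD_PRIO 100

typedef struct {
	unsigned spi;
	int inbound;  /* 1 = inbound SA, 0 = outbound SA */
	int prio;     /* only used for outbound SAs */
	int used;     /* slot in use */
} sa_t;

typedef struct {
	sa_t sas[MAX_SAS];
} sad_t;

static void sad_add(sad_t *sad, unsigned spi, int inbound, int prio)
{
	for (int i = 0; i < MAX_SAS; i++)
	{
		if (!sad->sas[i].used)
		{
			sad->sas[i] = (sa_t){ spi, inbound, prio, 1 };
			return;
		}
	}
}

static void sad_del(sad_t *sad, unsigned spi)
{
	for (int i = 0; i < MAX_SAS; i++)
		if (sad->sas[i].used && sad->sas[i].spi == spi)
			sad->sas[i].used = 0;
}

/* outbound SPI currently selected: the installed outbound SA with highest prio */
unsigned sad_outbound(const sad_t *sad)
{
	unsigned best = 0;
	int best_prio = -1;
	for (int i = 0; i < MAX_SAS; i++)
		if (sad->sas[i].used && !sad->sas[i].inbound && sad->sas[i].prio > best_prio)
		{
			best = sad->sas[i].spi;
			best_prio = sad->sas[i].prio;
		}
	return best;
}

/* 1 if this SAD holds an inbound SA for spi, i.e. this peer can receive on it */
static int sad_has_inbound(const sad_t *sad, unsigned spi)
{
	for (int i = 0; i < MAX_SAS; i++)
		if (sad->sas[i].used && sad->sas[i].inbound && sad->sas[i].spi == spi)
			return 1;
	return 0;
}

/* the rule from the commit message: the exchange initiator installs the new
 * outbound SA above the old one, the responder installs it below the old one */
int new_outbound_prio(int initiator)
{
	return initiator ? OLD_PRIO + 1 : OLD_PRIO - 1;
}

/* Run the rekey. used_i receives the outbound SPI the initiator selects after
 * I1, I2, I3; used_r the responder's after R1, R2. Returns 1 if at every step
 * the selected outbound SA had a matching inbound SA at the peer, else 0. */
int run_rekey(unsigned used_i[3], unsigned used_r[2])
{
	sad_t init, resp;
	int ok = 1;
	memset(&init, 0, sizeof(init));
	memset(&resp, 0, sizeof(resp));

	/* old pair: initiator sends on 0x11, responder sends on 0x22 */
	sad_add(&init, 0x11, 0, OLD_PRIO); sad_add(&resp, 0x11, 1, 0);
	sad_add(&resp, 0x22, 0, OLD_PRIO); sad_add(&init, 0x22, 1, 0);

	/* I1: initiator sends CREATE, nothing new installed yet */
	used_i[0] = sad_outbound(&init);
	ok &= sad_has_inbound(&resp, used_i[0]);

	/* R1: responder installs the new pair, its new outbound 0x44 below the old */
	sad_add(&resp, 0x33, 1, 0);
	sad_add(&resp, 0x44, 0, new_outbound_prio(0));
	used_r[0] = sad_outbound(&resp);
	ok &= sad_has_inbound(&init, used_r[0]);

	/* I2: initiator installs the new pair, its new outbound 0x33 above the old */
	sad_add(&init, 0x44, 1, 0);
	sad_add(&init, 0x33, 0, new_outbound_prio(1));
	used_i[1] = sad_outbound(&init);
	ok &= sad_has_inbound(&resp, used_i[1]);

	/* R2: responder receives DELETE and removes the old pair */
	sad_del(&resp, 0x11); sad_del(&resp, 0x22);
	used_r[1] = sad_outbound(&resp);
	ok &= sad_has_inbound(&init, used_r[1]);

	/* I3: initiator removes the old pair */
	sad_del(&init, 0x11); sad_del(&init, 0x22);
	used_i[2] = sad_outbound(&init);
	ok &= sad_has_inbound(&resp, used_i[2]);

	return ok;
}
```

  With these priorities the initiator switches to 0x33 at I2 and the responder keeps 0x22 until R2, where deleting the old pair leaves 0x44 as the only outbound SA; swapping the two priorities makes the responder send on 0x44 at R1, before the initiator has installed its inbound 0x44, which is the packet loss the flag is meant to avoid.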
* kernel-interface: query SAD for last use time if SPD query didn't yield one
  Martin Willi, 2013-05-06, 1 file, -1/+1

* android: Remove unused methods on NetworkManager/network_manager_t
  Tobias Brunner, 2013-05-03, 2 files, -94/+1

* android: Repurpose android-net to simply handle connectivity events
  Tobias Brunner, 2013-05-03, 2 files, -58/+22

  By using the events from NetworkManager/ConnectivityManager to trigger roam events instead of the events generated by the kernel-netlink plugin, the noise level is much lower.

* kernel_ipsec_t.query_sa() additionally returns the number of processed packets
  Martin Willi, 2013-03-14, 1 file, -1/+2

* Fixed Doxygen comments after scanning complete src directory
  Tobias Brunner, 2013-03-02, 3 files, -3/+3

* android: Implement kernel_net_t.get_interface via JNI
  Tobias Brunner, 2013-01-14, 3 files, -5/+62

  This is now required to properly accept/install a virtual IP address. Fixes #275.

* Install virtual IPs via interface name, and use an interface lookup where required
  Martin Willi, 2012-11-29, 1 file, -1/+1

* Add an optional kernel-interface parameter to install IPs with a custom prefix
  Martin Willi, 2012-11-29, 1 file, -1/+2

* Moved debug.[ch] to utils folder
  Tobias Brunner, 2012-10-24, 3 files, -3/+3

* Moved host_t and host_resolver_t to a new networking subfolder
  Tobias Brunner, 2012-10-24, 1 file, -1/+1

* Use a helper function to add milliseconds to timeval structs
  Tobias Brunner, 2012-10-18, 1 file, -6/+1

* android: Bypass/protect previously bypassed sockets if connectivity changes
  Tobias Brunner, 2012-10-16, 1 file, -0/+2

* android: Support for IPsec SA update added
  Tobias Brunner, 2012-10-16, 1 file, -1/+2

* android: Trigger roam events in case connectivity changes
  Tobias Brunner, 2012-10-16, 1 file, -0/+63

* android: Register NetworkManager as BroadcastReceiver and relay events via JNI
  Tobias Brunner, 2012-10-16, 2 files, -5/+144

* android: Determine source address dynamically
  Tobias Brunner, 2012-10-16, 1 file, -1/+16

* android: Added NetworkManager class which allows to retrieve a local IP address
  Tobias Brunner, 2012-10-16, 2 files, -0/+196

* Implement kernel_ipsec_t.bypass_socket() via JNI and VpnService.protect()
  Tobias Brunner, 2012-08-13, 1 file, -1/+2

* Add an Android specific kernel_ipsec_t implementation
  Tobias Brunner, 2012-08-13, 2 files, -0/+240

  This is pretty much a proxy class that delegates everything (that is currently supported) to libipsec.

* Add an Android specific kernel_net_t implementation
  Tobias Brunner, 2012-08-13, 2 files, -0/+113

  This currently provides only no-ops and is just added because a kernel-net implementation is required and kernel-netlink can't be used at the moment.