aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins/ha
Commit message (Collapse)AuthorAgeFilesLines
* diffie-hellman: Add a bool return value to get_my_public_value()Martin Willi2015-03-232-4/+7
|
* diffie-hellman: Use bool instead of status_t as get_shared_secret() return valueMartin Willi2015-03-233-4/+4
| | | | | While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations.
* ha: Destroy synced IKE_SA if no configuration is found during updateMartin Willi2015-03-101-0/+3
|
* Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"Martin Willi2015-03-091-2/+2
| | | | | | | | While this change results in the correct add/update flag during installation, it exchanges all other values in the child_sa->install() call. We should pass the correct flag, but determine the add/update flag by other means. This reverts commit e722ee5d.
* ha: Always install the CHILD_SAs with the inbound flag set to FALSEMartin Willi2015-02-271-2/+2
| | | | | | | | | The inbound flag is used to determine if we have to install an update or a new SA in the kernel. As we do not have allocated SPIs and therefore can't update an existing SA in the HA plugin, always set the flag to FALSE. Before 698ed656 we had extra logic for that case, but handling it directly in the HA plugin is simpler.
* attribute-provider: Pass full IKE_SA to provider backendsMartin Willi2015-02-201-2/+2
|
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-201-6/+4
|
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-202-2/+2
|
* child-sa: Replace reqid based marks by "unique" marksMartin Willi2015-02-201-1/+2
| | | | | | | | | | | As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query the marks that is not yet assigned for an unknown reqid.
* ha: Perform child rekeying outside of CHILD_SA enumeratorThomas Egerer2015-02-191-7/+22
| | | | | | | | | | | | | | | | When rekey_child_sa is called while enumerating the children of an IKE_SA, and the child to be rekeyed is redundant a QUICK_DELETE task is queued instead of a QUICK_MODE task. This alters the IKE_SA's list of children (ike_sa_t::child_sas) invalidating the current element of the child_sa_enumerator. The enumerate function of linked_list_t will then advance to an element with unpredictable contents most likely resulting in an segmentation violation. A similar behavior should be observed when delete_child_sa is called. This patch creates a list of protocol/spi values while holding the child_sa_enumerator and performs the rekeying (deletion of redundant) chlidren after releasing the enumerator. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ha: Don't adopt IKEv1 children when building without IKEv1 supportMartin Willi2014-08-281-0/+2
| | | | | | | The adopt_children_job_create() function is not available when IKEv1 support is disabled. Fixes uncommon builds using --enable-ha --disable-ikev1. Fixes #690.
* plugins: Don't link with -rdynamic on WindowsMartin Willi2014-06-041-1/+1
|
* ike: Add an additional but separate AEAD proposal to CHILD configMartin Willi2014-05-161-0/+1
| | | | | | | This currently has no effect: We don't include AEAD algorithms in the default ESP proposal, as we don't know if it is supported by the backend. But as we hopefully get an algorithm query mechanism on kernel interfaces some day, we add the appropriate functionality nonetheless.
* ike: Add an additional but separate AEAD proposal to IKE config, if supportedMartin Willi2014-05-161-0/+1
|
* ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeyingMartin Willi2014-04-171-8/+2
|
* Properly hash pointers for hash tables where appropriateTobias Brunner2014-03-311-17/+1
| | | | | Simply using the pointer is not optimal for our hash table implementation, which simply masks the key to determine the bucket.
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-123-11/+11
|
* Use exact mask when calling umask(2)Tobias Brunner2013-10-291-1/+1
| | | | | | Due to the previous negation the high bits of the mask were set, which at least some versions of the Android build system prevent with a compile-time check.
* ike: support multiple addresses, ranges and subnets in IKE address configMartin Willi2013-09-041-2/+2
| | | | | | | Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.
* peer-cfg: add a pull/push mode option to use with mode configMartin Willi2013-09-041-2/+2
|
* capabilities: Some plugins don't actually require capabilities at runtimeTobias Brunner2013-07-181-1/+2
|
* automake: replace INCLUDES by AM_CPPFLAGSMartin Willi2013-07-181-5/+7
| | | | | | INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-171-5/+11
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* Reuse reqid for trap policies installed for dpd|closeaction=holdTobias Brunner2013-07-011-1/+1
|
* capabilities: CAP_CHOWN might be required by many plugins opening UNIX socketsTobias Brunner2013-06-251-0/+6
| | | | | But as the sockets will be created with the user/group of the running process this might not be required as no change may be needed.
* capabilities: Move global capabilities_t instance to libstrongswanTobias Brunner2013-06-252-4/+4
|
* ha: Fix CHILD_SA installation in ha_dispatcher after adding initiator flagTobias Brunner2013-06-131-4/+8
|
* ha: Use plugin features to register listeners and attribute providerTobias Brunner2013-06-111-9/+37
|
* Add an option to autobalance a HA cluster automaticallyMartin Willi2013-03-191-0/+59
|
* Check if for some reason we handle a HA segment on both nodesMartin Willi2013-03-191-1/+15
|
* Acquire HA segment lock while sending heartbeatMartin Willi2013-03-191-0/+2
|
* Fix scheduling of heartbeat sending in HA pluginMartin Willi2013-03-191-2/+11
| | | | | | e0efd7c1 switches to automated job rescheduling for HA heartbeat. However, send_status() is initially called directly, which will not reschedule the job as required.
* Fix compiler warning in HA pluginMartin Willi2013-03-191-1/+1
|
* Add a DSCP configuration value to IKE configsMartin Willi2013-02-061-2/+1
|
* Added an option that allows to force IKEv1 fragmentationTobias Brunner2013-01-121-1/+1
|
* Use a connection specific option to en-/disable IKEv1 fragmentationTobias Brunner2012-12-241-1/+1
|
* Moved data structures to new collections subfolderTobias Brunner2012-10-244-5/+5
|
* Moved host_t and host_resolver_t to a new networking subfolderTobias Brunner2012-10-242-2/+2
|
* Remove version argument on peer_cfg constructor, use ike_cfg version insteadMartin Willi2012-10-241-1/+1
|
* Add IKE version information to ike_cfg_tMartin Willi2012-10-241-1/+1
|
* Added missing continue statement in ha socket error handlingTobias Brunner2012-09-281-0/+1
|
* Pass full pool list to release_addressMartin Willi2012-09-111-3/+17
|
* Pass the full list of pools to acquire_address, enumerate in providersMartin Willi2012-09-111-5/+13
| | | | | | | | If the provider has access to the full pool list, it can enumerate them twice, for example to search for existing leases first, and only search for new leases in a second step. Fixes lease enumeration in attr-sql using multiple pools.
* Clear virtual IPs before storing assigned ones on the IKE_SATobias Brunner2012-09-051-1/+10
| | | | | Otherwise we'll end up with duplicate or invalid VIPs stored on the IKE_SA.
* Check address family in HA virtual IP backendMartin Willi2012-08-301-0/+6
|
* Support multiple address pools configured on a peer_cfgMartin Willi2012-08-302-7/+8
|
* Support multiple virtual IPs on peer_cfg and ike_sa classesMartin Willi2012-08-303-28/+41
|
* Replaced usages of CHARON_*_PORT with calls to get_port().Tobias Brunner2012-08-081-1/+2
|
* Make the UDP ports charon listens for packets on (and uses as source ports) ↵Tobias Brunner2012-08-081-1/+1
| | | | configurable.
* Cleaned up memory management and return values for encryption payloadMartin Willi2012-07-161-1/+0
|