path: root/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
Commit message | Author | Age | Files | Lines
* linked-list: Change return value of find_first() and signature of its callback | Tobias Brunner | 2017-05-26 | 1 | -19/+16
  This avoids the unportable five pointer hack.
* kernel-net: Let get_nexthop() return an optional interface name | Tobias Brunner | 2016-06-10 | 1 | -2/+3
  The returned name should be the interface over which the destination address/net is reachable.
* kernel: Use structs to pass information to the kernel-ipsec interface | Tobias Brunner | 2016-04-09 | 1 | -42/+38
* Use standard unsigned integer types | Andreas Steffen | 2016-03-24 | 1 | -17/+17
* libhydra: Move kernel interface to libcharon | Tobias Brunner | 2016-03-03 | 1 | -33/+26
  This moves hydra->kernel_interface to charon->kernel.
* libipsec: Pass the same data to del_policy() as to add_policy() | Tobias Brunner | 2016-02-04 | 1 | -2/+2
  We already do this for the other kernel interfaces.
  Fixes e1e88d5adde0 ("libipsec: Don't attempt deletion of any non-IPsec policies")
* kernel-interface: Pass the same data to del_policy() that was passed to add_policy() | Tobias Brunner | 2015-11-10 | 1 | -3/+4
  The additional data can be helpful to identify the exact policy to delete.
* libipsec: Pass separate inbound/update flags to the IPsec SA manager | Martin Willi | 2015-03-09 | 1 | -1/+2
  Similar to other kernel interfaces, the libipsec backend uses the flag for different purposes, and therefore should get separate flags.
* kernel-interface: Add a separate "update" flag to add_sa() | Martin Willi | 2015-03-09 | 1 | -1/+1
  The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add.
  While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqid | Martin Willi | 2015-02-20 | 1 | -3/+3
* kernel-interface: Pass full list of traffic selectors to add_sa() | Martin Willi | 2015-02-20 | 1 | -1/+1
  While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility in how to handle this information.
* libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa() | Martin Willi | 2015-02-20 | 1 | -2/+1
* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods | Martin Willi | 2015-02-20 | 1 | -2/+2
  The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA.
  If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotiated. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends where this is necessary.
* libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi() | Martin Willi | 2015-02-19 | 1 | -1/+1
* kernel-interface: Add destination prefix to get_nexthop() | Tobias Brunner | 2014-06-19 | 1 | -2/+2
  This allows determining the next hop to reach a subnet, for instance, when installing routes for shunt policies.
* kernel-interface: Add a replay_window parameter to add_sa() | Martin Willi | 2014-06-17 | 1 | -2/+3
* libhydra: Use lib->ns instead of hydra->daemon | Tobias Brunner | 2014-02-12 | 1 | -1/+1
* kernel-libipsec: Don't ignore policies of type != POLICY_IPSEC | Tobias Brunner | 2013-10-11 | 1 | -5/+0
  This actually broke rekeying due to the DROP policies that are temporarily added, which broke the refcount as the ignored policies were not ignored in del_policy() (the type is not known there).
* kernel-libipsec: Add an option to allow remote TS to match the IKE peer | Tobias Brunner | 2013-10-11 | 1 | -2/+9
  Setting the fwmark options for the kernel-netlink and socket-default plugins allows this kind of setup. It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make it work.
* kernel-libipsec: Support ESPv3 TFC padding | Martin Willi | 2013-10-11 | 1 | -1/+1
* kernel-libipsec: Support query_sa() to report usage statistics | Martin Willi | 2013-10-11 | 1 | -1/+2
* kernel: Use a time_t to report use time in query_policy() | Martin Willi | 2013-10-11 | 1 | -1/+1
* kernel: Use a time_t to report use time in query_sa() | Martin Willi | 2013-10-11 | 1 | -1/+1
* kernel-libipsec: Fail route installation if remote TS matches peer | Tobias Brunner | 2013-07-18 | 1 | -0/+9
* kernel-libipsec: Log error if no local address is found when installing routes | Tobias Brunner | 2013-07-15 | 1 | -0/+5
* kernel-libipsec: Ignore failures when installing routes for multicast or broadcast policies | Tobias Brunner | 2013-06-21 | 1 | -1/+23
* kernel-libipsec: Add a feature to request UDP encapsulation of ESP packets | Tobias Brunner | 2013-06-21 | 1 | -0/+7
* kernel-libipsec: Install a gateway for routes on platforms other than Linux | Tobias Brunner | 2013-06-21 | 1 | -9/+26
  This seems required e.g. on FreeBSD but doesn't work on Linux.
* kernel-libipsec: Router reads packets from multiple TUN devices | Tobias Brunner | 2013-06-21 | 1 | -7/+2
  These devices are collected via kernel_listener_t interface.
* kernel-libipsec: Track policies and automatically install routes | Tobias Brunner | 2013-06-21 | 1 | -5/+455
  The routes direct traffic matching the remote traffic selector to the TUN device. If the remote traffic selector includes the IKE peer a very specific route is installed to allow IKE traffic.
* kernel-libipsec: Create a TUN device and use it to install virtual IPs | Tobias Brunner | 2013-06-21 | 1 | -0/+7
* kernel-libipsec: Add plugin that implements kernel_ipsec_t using libipsec | Tobias Brunner | 2013-06-21 | 1 | -0/+189