aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
Commit message (Collapse)AuthorAgeFilesLines
* kernel-wfp: Don't redefine IPPROTO_IP* if already definedTobias Brunner2017-03-231-0/+4
|
* kernel-net: Let get_nexthop() return an optional interface nameTobias Brunner2016-06-101-1/+1
| | | | | The returned name should be the interface over which the destination address/net is reachable.
* kernel: Use structs to pass information to the kernel-ipsec interfaceTobias Brunner2016-04-091-79/+75
|
* Use standard unsigned integer typesAndreas Steffen2016-03-241-61/+61
|
* libhydra: Move kernel interface to libcharonTobias Brunner2016-03-031-15/+10
| | | | This moves hydra->kernel_interface to charon->kernel.
* kernel-interface: Pass the same data to del_policy() that was passed to ↵Tobias Brunner2015-11-101-4/+5
| | | | | | | add_policy() The additional data can be helpful to identify the exact policy to delete.
* kernel-interface: Add a separate "update" flag to add_sa()Martin Willi2015-03-091-1/+1
| | | | | | | | | | | The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add. While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-201-7/+4
|
* kernel-interface: Pass full list of traffic selectors to add_sa()Martin Willi2015-02-201-1/+1
| | | | | | While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility how to handle this information.
* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methodsMartin Willi2015-02-201-2/+2
| | | | | | | | | | The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotaited. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends this is necessary.
* kernel-wfp: Install outbound ALE connect rules for IPsecMartin Willi2014-12-041-16/+43
| | | | | | Similar to the inbound rules, the ALE filter processes IP-in-IP packets for outbound tunnel mode traffic. When using an outbound default-drop policy, Windows does not allow connection initiation without these explicit rules.
* kernel-wfp: Install inbound ALE IP-in-IP filtersMartin Willi2014-12-041-41/+159
| | | | | | | | | | | When processing inbound tunnel mode packets, Windows decrypts packets and filters them as IP-in-IP packets. We therefore require an ALE filter that calls the FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT callout to allow them when using a default-drop policy. Without these rules, any outbound packet created an ALE state that allows inbound packets as well. Processing inbound packets without any outbound traffic fails without these rules.
* kernel-wfp: Fix logging of MM/QM/EM NetEvent failuresMartin Willi2014-12-041-0/+12
|
* kernel-interface: Add destination prefix to get_nexthop()Tobias Brunner2014-06-191-1/+1
| | | | | This allows to determine the next hop to reach a subnet, for instance, when installing routes for shunt policies.
* kernel-interface: Add a replay_window parameter to add_sa()Martin Willi2014-06-171-2/+3
|
* windows: Use WINAPI call convention for Windows API callbacksMartin Willi2014-06-061-3/+3
| | | | | For x86_64 it does not actually matter, but for i686 builds the call convention is different with WINAPI.
* kernel-wfp: Clone acquire traffic selectors only if they existMartin Willi2014-06-041-1/+3
|
* kernel-wfp: Install routes for trap policiesMartin Willi2014-06-041-3/+21
|
* kernel-wfp: Refactor route management to separate functionMartin Willi2014-06-041-39/+47
|
* kernel-wfp: Install tunnel mode policies to appropriate sub-layersMartin Willi2014-06-041-6/+20
| | | | | While it is unclear if this has any effect at all, we prefer specific sublayers to install policies as suggested.
* kernel-wfp: Support multiple traffic selectors on tunnel mode SAsMartin Willi2014-06-041-36/+80
|
* kernel-wfp: Show a warning for packets the kernel drops in its IPsec layersMartin Willi2014-06-041-0/+6
|
* kernel-wfp: Set flag to get UDP encapsulation with tunnel mode workingMartin Willi2014-06-041-0/+1
| | | | | | Having this flag set fixes connections initiated by the Windows host, but unfortunately does not yet fix incoming connections. Connection state issue? We still see 0xc00000e2 error events, translating to INTERNAL_ERROR.
* kernel-wfp: Install tunnel and trap forward policiesMartin Willi2014-06-041-110/+251
|
* kernel-wfp: Manually create a ProviderContext to attach individual filtersMartin Willi2014-06-041-67/+51
| | | | | | This gives us more flexibility than using the intransparent FwpmIPsecTunnelAdd, and fixes the issues we have seen with trap policies. Forward filters are still missing, but required for site-to-site tunnels.
* kernel-wfp: Add support for trap policies and acquiresMartin Willi2014-06-041-1/+290
|
* kernel-wfp: Implement bypass_socket() using dedicated filter rulesMartin Willi2014-06-041-2/+117
|
* kernel-wfp: Register for WFP Net eventsMartin Willi2014-06-041-0/+41
|
* kernel-wfp: Add some missing IPv6 GUIDs, fix IPv6 host conversionMartin Willi2014-06-041-2/+17
|
* kernel-wfp: Implement update_sa()Martin Willi2014-06-041-1/+97
|
* kernel-wfp: Configure ports for SAs using UDP encapsulationMartin Willi2014-06-041-0/+31
|
* kernel-wfp: Refactor SA context construction, and use IPsecSaContextCreate1()Martin Willi2014-06-041-19/+32
|
* kernel-wfp: Allocate SPIs pseudo-randomly using a 0xc prefixMartin Willi2014-06-041-2/+59
|
* kernel-wfp: Install appropriate routes for tunnel mode policiesMartin Willi2014-06-041-1/+208
|
* kernel-wfp: Disable IPsec policy updatesMartin Willi2014-06-041-4/+11
| | | | | It seems that WFP requires an update of the SA context only, but not for the filters. This allows us to omit support for (fallback) drop policies.
* kernel-wfp: Increment SPIs properly, that is while in host orderMartin Willi2014-06-041-2/+2
|
* kernel-wfp: Triggering expire events for SAs to rekey/deleteMartin Willi2014-06-041-0/+108
|
* kernel-wfp: Enforce hard lifetimes of SAsMartin Willi2014-06-041-0/+8
|
* kernel-wfp: Add some notes about query_sa/policy() supportMartin Willi2014-06-041-0/+5
|
* kernel-wfp: Reference SA/SP sets by SPI and destination, not reqidMartin Willi2014-06-041-255/+149
| | | | | This allows us to have multiple CHILD_SAs for the same reqid, and brings rekeying support.
* kernel-wfp: Add support for tunnel mode connectionsMartin Willi2014-06-041-25/+205
|
* kernel-wfp: Register a WFP provider to manage IPsec tunnelsMartin Willi2014-06-041-0/+22
|
* kernel-wfp: Preliminary support for transport mode connectionsMartin Willi2014-06-041-3/+689
|
* kernel-wfp: Fix/Complete some fwpuclnt functionality in MinGWMartin Willi2014-06-041-3/+1
| | | | | | | | | While MinGW declares all the required symbols, some of them are missing in the library files. We provide missing variables locally, functions get a stub that call the GetProcAddress()ed function from the DLL. Also some MinGW headers define some enum values incorrectly, we overload these using defines.
* kernel-wfp: Open and close a WFP engineMartin Willi2014-06-041-1/+33
|
* kernel-wfp: Create userland state for SAs/policies to install in kernelMartin Willi2014-06-041-5/+364
|
* kernel-wfp: Add a stub for a Windows Filtering Platform based IPsec backendMartin Willi2014-06-041-0/+169
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-18 09:09:30 +0000