path: root/src/libcharon/plugins/load_tester
Commit message | Author | Age | Files | Lines
* Change interface for enumerator_create_filter() callback | Tobias Brunner | 2017-05-26 | 1 | -14/+20
| This avoids the unportable 5 pointer hack, but requires enumerating in the callback.
* load-tester: Fix load-tester on platforms where plain `char` is signed | Tobias Brunner | 2016-06-17 | 1 | -1/+1
| fgetc() returns an int and EOF is usually -1 so when this gets cast to a char the result depends on whether `char` means `signed char` or `unsigned char` (the C standard does not specify it). If it is unsigned then its value is 0xff so the comparison with EOF will fail as that is an implicit signed int.
* peer-cfg: Use struct to pass data to constructor | Tobias Brunner | 2016-04-09 | 1 | -8/+12
|
* child-cfg: Use struct to pass data to constructor | Tobias Brunner | 2016-04-09 | 1 | -12/+12
|
* kernel: Use structs to pass information to the kernel-ipsec interface | Tobias Brunner | 2016-04-09 | 1 | -26/+15
|
* Use standard unsigned integer types | Andreas Steffen | 2016-03-24 | 3 | -20/+20
|
* libhydra: Remove empty unused library | Tobias Brunner | 2016-03-03 | 1 | -1/+0
|
* libhydra: Move kernel interface to libcharon | Tobias Brunner | 2016-03-03 | 2 | -8/+6
| This moves hydra->kernel_interface to charon->kernel.
* load-tester: Register kernel-ipsec implementation as plugin feature | Tobias Brunner | 2016-02-01 | 1 | -10/+11
| Otherwise, libcharon's dependency on kernel-ipsec can't be satisfied. This changed with db61c37690b5 ("kernel-interface: Return bool for kernel interface registration") as the registration of further kernel-ipsec implementations now fails and therefore even if other plugins are loaded the dependency will not be satisfied anymore. References #953.
* kernel-interface: Pass the same data to del_policy() that was passed to add_policy() | Tobias Brunner | 2015-11-10 | 1 | -2/+3
| The additional data can be helpful to identify the exact policy to delete.
* controller: Optionally adhere to init limits also when initiating IKE_SAs | Tobias Brunner | 2015-08-21 | 2 | -2/+2
|
* load-tester: Include string.h for strcmp() on some platforms | Tobias Brunner | 2015-08-13 | 1 | -0/+1
|
* diffie-hellman: Add a bool return value to set_other_public_value() | Martin Willi | 2015-03-23 | 1 | -1/+2
|
* diffie-hellman: Add a bool return value to get_my_public_value() | Martin Willi | 2015-03-23 | 1 | -1/+2
|
* diffie-hellman: Use bool instead of status_t as get_shared_secret() return value | Martin Willi | 2015-03-23 | 1 | -2/+2
| While such a change is not unproblematic, keeping status_t makes the API inconsistent once we introduce return values for the public value operations.
* load-tester: Migrate NULL DH implementation to INIT/METHOD macros | Martin Willi | 2015-03-23 | 1 | -21/+26
|
* kernel-interface: Add a separate "update" flag to add_sa() | Martin Willi | 2015-03-09 | 1 | -1/+1
| The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add. While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
* load-tester: Support initiating XAuth authentication | Martin Willi | 2015-02-20 | 1 | -0/+22
| As with other configuration backends, XAuth is activated with a two round client authentication using pubkey and xauth. In load-tester, this is configured with initiator_auth=pubkey|xauth. Fixes #835.
* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth | Martin Willi | 2015-02-20 | 1 | -1/+1
| With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
* kernel-interface: Pass full list of traffic selectors to add_sa() | Martin Willi | 2015-02-20 | 1 | -1/+1
| While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility how to handle this information.
* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods | Martin Willi | 2015-02-20 | 1 | -2/+2
| The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotiated. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends this is necessary.
* load-tester: Add a crl option to include a CRL uri in generated certificates | Martin Willi | 2014-06-19 | 1 | -1/+21
|
* kernel-interface: Add a replay_window parameter to add_sa() | Martin Willi | 2014-06-17 | 1 | -2/+3
|
* plugins: Don't link with -rdynamic on Windows | Martin Willi | 2014-06-04 | 1 | -1/+1
|
* enum: Return boolean result for enum_from_name() lookup | Martin Willi | 2014-05-16 | 1 | -3/+1
| Handling the result for enum_from_name() is difficult, as checking for negative return values requires a cast if the enum type is unsigned. The new signature clearly differentiates lookup result from lookup value. Further, this actually allows to convert real -1 enum values, which could not be distinguished from "not-found" and the -1 return value. This also fixes several clang warnings where enums are unsigned.
* load-tester: Fix race condition issuing same SPI | Christophe Gouault | 2014-04-24 | 1 | -2/+2
| Due to an unprotected incrementation, two load-tester initiators occasionally use the same SPI under high load, and hence generate 2 IPsec SAs with the same identifier. The responder IPsec stack will refuse to configure the second SA. Use an atomic incrementation to avoid this race condition.
| Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
* load-tester: Fix race condition issuing same identity | Christophe Gouault | 2014-04-24 | 1 | -2/+2
| Due to an unprotected incrementation, two load-tester initiators occasionally use the same identifier under high load. The responder typically drops one of the connections. Use an atomic incrementation to avoid this race condition.
| Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
* libcharon: Use lib->ns instead of charon->name | Tobias Brunner | 2014-02-12 | 5 | -45/+44
|
* Fixed some typos | Tobias Brunner | 2013-10-29 | 1 | -1/+1
|
* kernel: Use a time_t to report use time in query_policy() | Martin Willi | 2013-10-11 | 1 | -1/+1
|
* kernel: Use a time_t to report use time in query_sa() | Martin Willi | 2013-10-11 | 1 | -1/+1
|
* load-tester: Fix crash if private key was not loaded successfully | Tobias Brunner | 2013-09-24 | 1 | -1/+1
| Fixes #417.
* load-tester: support extended traffic selector syntax, as in leftsubnet | Martin Willi | 2013-09-04 | 1 | -13/+168
| In addition the initiator may use %unique as port, using a distinct port for each connection, starting from 1025.
* load-tester: add an option to test transport/beet connections | Martin Willi | 2013-09-04 | 1 | -1/+21
|
* ike: support multiple addresses, ranges and subnets in IKE address config | Martin Willi | 2013-09-04 | 1 | -5/+4
| Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.
* peer-cfg: add a pull/push mode option to use with mode config | Martin Willi | 2013-09-04 | 1 | -1/+1
|
* stream-service: move CAP_CHOWN check from plugins to service constructor | Martin Willi | 2013-07-18 | 1 | -7/+0
| A plugin service can be a TCP socket now, so it does not make much sense to strictly check for CAP_CHOWN.
* load-tester: use a stream service to dispatch control connections | Martin Willi | 2013-07-18 | 2 | -93/+27
|
* capabilities: Some plugins don't actually require capabilities at runtime | Tobias Brunner | 2013-07-18 | 1 | -1/+1
|
* automake: replace INCLUDES by AM_CPPFLAGS | Martin Willi | 2013-07-18 | 1 | -5/+7
| INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.
* Use strpfx() helper where appropriate | Tobias Brunner | 2013-07-08 | 1 | -1/+1
|
* capabilities: CAP_CHOWN might be required by many plugins opening UNIX sockets | Tobias Brunner | 2013-06-25 | 1 | -0/+6
| But as the sockets will be created with the user/group of the running process this might not be required as no change may be needed.
* capabilities: Move global capabilities_t instance to libstrongswan | Tobias Brunner | 2013-06-25 | 1 | -2/+2
|
* kernel-interface: add an exchange initiator parameter to add_sa() | Martin Willi | 2013-06-11 | 1 | -1/+1
| This new flag gives the kernel-interface a hint how it should prioritize the use of newly installed SAs during rekeying.
|
| Consider the following rekey procedure in IKEv2:
|
|     Initiator  ---  Responder
|  I1 -------CREATE------->
|                           R1
|  I2 <------CREATE--------
|     -------DELETE------->
|                           R2
|  I3 <------DELETE--------
|
| SAs are always handled as pairs, the following happens at the SA level:
|
|  * Initiator starts the exchange at I1
|  * Responder installs new SA pair at R1
|  * Initiator installs new SA pair at I2
|  * Responder removes old SA pair at R2
|  * Initiator removes old SA pair at I3
|
| This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position:
|
|  * as exchange initiator, in I2
|  * as exchange responder, in R2
|
| This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA.
|
| The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should:
|
|  * as exchange initiator, have the new outbound SA installed with higher priority than the old SA
|  * as exchange responder, have the new outbound SA installed with lower priority than the old SA
|
| While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* kernel-interface: query SAD for last use time if SPD query didn't yield one | Martin Willi | 2013-05-06 | 1 | -1/+1
|
* Add a load-tester option to keep allocated external address until shutdown | Martin Willi | 2013-03-21 | 2 | -1/+50
|
* Add an "esp" load-tester option to configure custom CHILD_SA ESP proposal | Martin Willi | 2013-03-18 | 1 | -3/+16
|
* kernel_ipsec_t.query_sa() additionally returns the number of processed packets | Martin Willi | 2013-03-14 | 1 | -2/+2
|
* Support multiple subnets and ranges as external load-tester addresses | Martin Willi | 2013-03-11 | 1 | -15/+59
|
* Merge branch 'opaque-ports' | Martin Willi | 2013-03-01 | 1 | -1/+1
|\
| | Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.