path: root/src/libcharon/plugins/vici/vici_config.c
Commit log. Each entry: commit message (author, date, files changed, lines -removed/+added), followed by the commit body where one exists.
* vici list-conns sends reauthentication and rekeying time information (Andreas Steffen, 2016-05-04, 1 file, -15/+16)

* Implemented IPsec policies restricted to given network interface (Andreas Steffen, 2016-04-09, 1 file, -0/+3)

* Support manually-set IPsec policy priorities (Andreas Steffen, 2016-04-09, 1 file, -0/+2)

* peer-cfg: Use struct to pass data to constructor (Tobias Brunner, 2016-04-09, 1 file, -6/+17)

* child-cfg: Use struct to pass data to constructor (Tobias Brunner, 2016-04-09, 1 file, -125/+117)

* Use standard unsigned integer types (Andreas Steffen, 2016-03-24, 1 file, -30/+30)
* vici: Don't hold write lock while running or undoing start actions (Tobias Brunner, 2016-03-11, 1 file, -27/+63)

  Running or undoing start actions might require enumerating IKE_SAs, which in turn might have to enumerate peer configs concurrently, which requires acquiring a read lock. So if we keep holding the write lock while enumerating the SAs we provoke a deadlock. By preventing other threads from acquiring the write lock while handling actions, and thus preventing the modification of the configs, we largely maintain the current synchronous behavior. This way we also don't need to acquire additional refs for config objects as they won't get modified/removed.

  Fixes #1185.
* Initialize ts variable (Andreas Steffen, 2016-03-11, 1 file, -1/+1)

* Support of IP address ranges in traffic selectors (Andreas Steffen, 2016-03-10, 1 file, -1/+17)

* vici: Replace child configs atomically (Tobias Brunner, 2016-03-08, 1 file, -14/+11)

  This also leaves unmodified configs as they are.

* vici: Order auth rounds by optional `round` parameter instead of by position in the request (Tobias Brunner, 2016-03-08, 1 file, -40/+64)

* vici: Add support for pubkey constraints with EAP-TLS (Tobias Brunner, 2016-03-04, 1 file, -0/+8)

  This is a feature currently supported by stroke.

* auth-cfg: Make IKE signature schemes configurable (Tobias Brunner, 2016-03-04, 1 file, -2/+3)

  This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* vici: Support multiple named raw public keys (Andreas Steffen, 2016-01-10, 1 file, -15/+19)
* vici: Support of raw public keys (Andreas Steffen, 2016-01-09, 1 file, -6/+52)

* Apply pubkey and signature constraints in vici plugin (Andreas Steffen, 2015-12-17, 1 file, -1/+5)

* vici: Use an empty local auth round if none given (Martin Willi, 2015-12-07, 1 file, -3/+2)

  While it hardly makes sense to use none for negotiated SAs, it actually does when installing shunt policies.
* vici: Limit start action undoing to IKE_SAs using the base peer config name (Martin Willi, 2015-12-07, 1 file, -3/+7)

  If two peer configs use the same child config names, we potentially delete the wrong CHILD_SA. Check the peer config name as well to avoid that.
* vici: Close empty IKE_SAs after undoing CHILD_SA start actions (Martin Willi, 2015-12-07, 1 file, -6/+44)

* vici: Use value based array to store CHILD_SA ids during restart (Martin Willi, 2015-12-07, 1 file, -5/+6)

  The previous approach stored a pointer to a volatile stack variable, which works for a single ID, but not for multiple.
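The two commits above describe two distinct defects in the same code path: selecting CHILD_SAs to terminate by child config name alone (so a second peer config reusing the same child name gets its SA torn down too), and collecting the selected ids as pointers to one stack variable (so every stored entry ends up reading the last id). The following is added example code, not strongSwan's vici_config.c: the `child_sa_t` struct, the `sample_sas` table and the helper names are constructed for this illustration. It shows the corrected selection (match on peer config name and child config name, copy ids by value) next to the aliasing bug so the difference is observable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the SA objects the daemon would enumerate. */
typedef struct {
	const char *ike_name;    /* name of the peer config the IKE_SA came from */
	const char *child_name;  /* name of the child config the CHILD_SA came from */
	uint32_t unique_id;      /* CHILD_SA unique id used for termination */
} child_sa_t;

/* Two peer configs ("a" and "b") that both use a child config named "net". */
static const child_sa_t sample_sas[] = {
	{ "a", "net",   11 },
	{ "b", "net",   12 },
	{ "a", "net",   13 },
	{ "a", "other", 14 },
};
#define SAMPLE_COUNT (sizeof(sample_sas) / sizeof(sample_sas[0]))

/* Corrected selection: match on peer config name AND child config name,
 * and copy each id by value into the caller's array. Returns the number
 * of ids stored (at most `max`). */
size_t collect_child_ids(const child_sa_t *sas, size_t count,
                         const char *peer, const char *child,
                         uint32_t *ids, size_t max)
{
	size_t n = 0;
	for (size_t i = 0; i < count && n < max; i++) {
		if (strcmp(sas[i].ike_name, peer) == 0 &&
		    strcmp(sas[i].child_name, child) == 0) {
			ids[n++] = sas[i].unique_id;
		}
	}
	return n;
}

/* Pre-fix filtering by child name only: counts how many SAs would be hit,
 * including those belonging to other peer configs. */
size_t count_by_child_only(const child_sa_t *sas, size_t count, const char *child)
{
	size_t n = 0;
	for (size_t i = 0; i < count; i++) {
		if (strcmp(sas[i].child_name, child) == 0) n++;
	}
	return n;
}

/* The aliasing bug: every matching SA stores a pointer to the SAME stack
 * variable, so after the loop each entry reads whatever was written last.
 * Returns the id seen through stored entry `index` once the loop is done. */
uint32_t collect_by_pointer_bug(const child_sa_t *sas, size_t count,
                                const char *peer, const char *child,
                                size_t index)
{
	uint32_t *ptrs[8];
	uint32_t id = 0;  /* one variable reused for every match */
	size_t n = 0;
	for (size_t i = 0; i < count && n < 8; i++) {
		if (strcmp(sas[i].ike_name, peer) == 0 &&
		    strcmp(sas[i].child_name, child) == 0) {
			id = sas[i].unique_id;
			ptrs[n++] = &id;  /* bug: same address stored each time */
		}
	}
	return index < n ? *ptrs[index] : 0;
}

/* Convenience accessors over the sample table for peer "a", child "net". */
size_t sample_collected_count(void)
{
	uint32_t ids[8];
	return collect_child_ids(sample_sas, SAMPLE_COUNT, "a", "net", ids, 8);
}

uint32_t sample_collected_id(size_t index)
{
	uint32_t ids[8];
	size_t n = collect_child_ids(sample_sas, SAMPLE_COUNT, "a", "net", ids, 8);
	return index < n ? ids[index] : 0;
}

int main(void)
{
	size_t n = sample_collected_count();
	printf("peer a / child net: terminate %zu CHILD_SA(s):", n);
	for (size_t i = 0; i < n; i++) {
		printf(" %u", (unsigned)sample_collected_id(i));
	}
	printf("\nby child name only, peer b included: %zu\n",
	       count_by_child_only(sample_sas, SAMPLE_COUNT, "net"));
	printf("pointer bug, entries 0 and 1: %u %u\n",
	       (unsigned)collect_by_pointer_bug(sample_sas, SAMPLE_COUNT, "a", "net", 0),
	       (unsigned)collect_by_pointer_bug(sample_sas, SAMPLE_COUNT, "a", "net", 1));
	return 0;
}
```

With the sample table, the corrected selection yields ids 11 and 13; filtering by child name alone would also include peer b's id 12, and the pointer variant reports 13 for both entries.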
* vici: Undo start actions when unloading configs (Martin Willi, 2015-12-07, 1 file, -0/+1)

* controller: Optionally adhere to init limits also when initiating IKE_SAs (Tobias Brunner, 2015-08-21, 1 file, -1/+1)

* vici: Add option to disable policy installation for CHILD_SAs (Tobias Brunner, 2015-08-17, 1 file, -1/+6)
* vici: Certification Authority support added. (Andreas Steffen, 2015-07-21, 1 file, -9/+23)

  CDP and OCSP URIs for one or multiple certification authorities can be added via the VICI interface. swanctl allows reading definitions from a new authorities section.
* vici: Compute rekey_bytes and rekey_packets if life_bytes and life_packets are defined (Andreas Steffen, 2015-07-20, 1 file, -6/+20)

* vici: Default to certificate subject for identity (Timo Teräs, 2015-05-04, 1 file, -0/+37)

  If id is not specified and certificate authentication is used, use the certificate subject name as identity. Simplifies configuration as in most cases this is the right thing to do.

  Signed-off-by: Timo Teräs <timo.teras@iki.fi>

* vici: Don't use a default rand_time larger than half of rekey/reauth_time (Martin Willi, 2015-03-03, 1 file, -3/+11)
* vici: If an IKE reauth_time is configured, disable the default rekey_time (Martin Willi, 2015-03-03, 1 file, -1/+16)
* controller: Use the CHILD_SA unique_id to terminate CHILD_SAs (Martin Willi, 2015-02-20, 1 file, -10/+10)

* vici: Support a replay_window CHILD_SA option (Martin Willi, 2014-06-17, 1 file, -0/+16)

* vici: Add Windows support (Martin Willi, 2014-06-04, 1 file, -1/+0)

* ike: Add an additional but separate AEAD proposal to CHILD config (Martin Willi, 2014-05-16, 1 file, -2/+10)

  This currently has no effect: We don't include AEAD algorithms in the default ESP proposal, as we don't know if it is supported by the backend. But as we hopefully get an algorithm query mechanism on kernel interfaces some day, we add the appropriate functionality nonetheless.

* ike: Add an additional but separate AEAD proposal to IKE config, if supported (Martin Willi, 2014-05-16, 1 file, -10/+25)

* vici: Support the close_action keyword, as we have it documented (Martin Willi, 2014-05-14, 1 file, -1/+6)

* vici: Properly filter by CHILD_SA name while undoing start actions (Martin Willi, 2014-05-07, 1 file, -2/+5)

* vici: Fallback to socket listening port if no explicit local port specified (Martin Willi, 2014-05-07, 1 file, -1/+4)

* vici: Support a "mtu" value for the tfc_padding option (Martin Willi, 2014-05-07, 1 file, -2/+16)

* vici: Handle the "trap" action as an alias for "route" (Martin Willi, 2014-05-07, 1 file, -0/+1)

* vici: Have an explicit "relaxed" keyword for the default revocation policy (Martin Willi, 2014-05-07, 1 file, -1/+5)

* vici: Use a default child rekey time of 1 hour (Martin Willi, 2014-05-07, 1 file, -0/+6)

* vici: Use a default IKE rekey time of 4 hours (Martin Willi, 2014-05-07, 1 file, -0/+6)

* vici: Support referencing external named pools for peer configs (Martin Willi, 2014-05-07, 1 file, -0/+14)

* vici: Actually add configured virtual IPs to peer config (Martin Willi, 2014-05-07, 1 file, -0/+5)

* vici: Use a default rand_time of the difference between hard and soft lifetimes (Martin Willi, 2014-05-07, 1 file, -0/+26)

* vici: Use a default hard lifetime of 110% of the soft lifetime (Martin Willi, 2014-05-07, 1 file, -0/+37)
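Several commits in this log, taken together, define how the vici backend fills in lifetime values an operator leaves unset: a default child rekey time of 1 hour and IKE rekey time of 4 hours, a hard lifetime of 110% of the soft lifetime, a rand_time equal to the difference between hard and soft lifetime but no larger than half of rekey/reauth_time, no default rekey_time once an IKE reauth_time is configured, and rekey_bytes/rekey_packets derived when only life_bytes/life_packets are given. The following is added example code, not strongSwan's vici_config.c, that applies those rules as one derivation so the resulting numbers can be checked. The struct and helper names are constructed for this example; so is the consistency check that rejects a hard limit below the soft limit (which would expire an SA before rekeying starts); and the ratio used to derive byte/packet soft limits (inverting the 110% rule, soft = hard * 10 / 11) is an assumption, since this page does not state it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Defaults named in the 2014-05-07 commits above. */
#define DEFAULT_CHILD_REKEY_TIME (60 * 60)      /* 1 hour  */
#define DEFAULT_IKE_REKEY_TIME   (4 * 60 * 60)  /* 4 hours */

/* An optional setting: `set` is true only if the operator configured it. */
typedef struct { uint64_t value; bool set; } opt_t;

static opt_t given(uint64_t v) { opt_t o = { v, true };  return o; }
static opt_t absent(void)      { opt_t o = { 0, false }; return o; }

typedef struct {
	opt_t rekey;   /* rekey_time / rekey_bytes / rekey_packets (soft limit) */
	opt_t reauth;  /* reauth_time, IKE only */
	opt_t life;    /* life_time / life_bytes / life_packets (hard limit) */
	opt_t rand;    /* rand_time / rand_bytes / rand_packets (jitter) */
} limit_cfg_t;

typedef struct { uint64_t rekey, reauth, life, rand; } limit_t;

/* Apply the defaulting rules for one kind of limit. `default_rekey` is the
 * default soft limit; pass 0 for bytes/packets, which have no default and
 * instead derive the soft limit from a configured hard limit (assumption:
 * inverse of the 110% rule). Returns false when the outcome is inconsistent,
 * i.e. the hard limit is below the soft limit or the jitter exceeds it. */
bool apply_limit_defaults(const limit_cfg_t *cfg, bool ike,
                          uint64_t default_rekey, limit_t *out)
{
	uint64_t soft;

	out->reauth = (ike && cfg->reauth.set) ? cfg->reauth.value : 0;

	if (cfg->rekey.set) {
		out->rekey = cfg->rekey.value;
	} else if (ike && out->reauth) {
		out->rekey = 0;  /* reauth_time configured: no default rekey_time */
	} else if (!default_rekey && cfg->life.set) {
		out->rekey = cfg->life.value * 10 / 11;  /* assumed ratio, see above */
	} else {
		out->rekey = default_rekey;
	}

	/* The soft limit that drives hard limit and jitter: rekey, or reauth
	 * when that is configured and earlier (assumption for the IKE case). */
	soft = out->rekey;
	if (out->reauth && (!soft || out->reauth < soft)) soft = out->reauth;

	out->life = cfg->life.set ? cfg->life.value : soft + soft / 10;  /* 110% */

	if (cfg->rand.set) {
		out->rand = cfg->rand.value;
	} else {
		uint64_t diff = out->life > soft ? out->life - soft : 0;
		uint64_t cap  = soft / 2;  /* never more than half of rekey/reauth */
		out->rand = diff < cap ? diff : cap;
	}

	return out->life >= soft && out->rand <= soft;
}

/* Wrappers mirroring the swanctl keys; return the derived limits. */
limit_t child_time(opt_t rekey, opt_t life, opt_t rnd)
{
	limit_cfg_t cfg = { rekey, absent(), life, rnd };
	limit_t out;
	apply_limit_defaults(&cfg, false, DEFAULT_CHILD_REKEY_TIME, &out);
	return out;
}

bool child_time_ok(opt_t rekey, opt_t life, opt_t rnd)
{
	limit_cfg_t cfg = { rekey, absent(), life, rnd };
	limit_t out;
	return apply_limit_defaults(&cfg, false, DEFAULT_CHILD_REKEY_TIME, &out);
}

limit_t ike_time(opt_t rekey, opt_t reauth, opt_t life, opt_t rnd)
{
	limit_cfg_t cfg = { rekey, reauth, life, rnd };
	limit_t out;
	apply_limit_defaults(&cfg, true, DEFAULT_IKE_REKEY_TIME, &out);
	return out;
}

limit_t child_bytes(opt_t rekey, opt_t life, opt_t rnd)
{
	limit_cfg_t cfg = { rekey, absent(), life, rnd };
	limit_t out;
	apply_limit_defaults(&cfg, false, 0, &out);
	return out;
}

static void show(const char *label, limit_t l)
{
	printf("%-28s rekey=%llu reauth=%llu life=%llu rand=%llu\n", label,
	       (unsigned long long)l.rekey, (unsigned long long)l.reauth,
	       (unsigned long long)l.life, (unsigned long long)l.rand);
}

int main(void)
{
	show("child, nothing set:", child_time(absent(), absent(), absent()));
	show("ike, nothing set:", ike_time(absent(), absent(), absent(), absent()));
	show("ike, reauth_time=3h:", ike_time(absent(), given(10800), absent(), absent()));
	show("child, rekey=1h life=2h:", child_time(given(3600), given(7200), absent()));
	show("child, life_bytes=1100000:", child_bytes(absent(), given(1100000), absent()));
	printf("child rekey=1h life=30m consistent: %s\n",
	       child_time_ok(given(3600), given(1800), absent()) ? "yes" : "no");
	return 0;
}
```

Two of the cases are worth noting: with rekey_time=1h and life_time=2h the difference is 3600 s but rand_time is capped to 1800 s (half the soft lifetime); and with reauth_time set on an IKE config the derived rekey_time is 0, so the 110% hard lifetime and the jitter are computed from reauth_time instead.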
* vici: Perform specified start_action on connection load, undo it on unload (Martin Willi, 2014-05-07, 1 file, -2/+185)

* vici: Support pinning end entity and CA certificates to connections (Martin Willi, 2014-05-07, 1 file, -0/+37)

* vici: Support missing groups option in auth config (Martin Willi, 2014-05-07, 1 file, -1/+24)

* vici: Add unload-conn and get-conns commands to manage loaded connections (Martin Willi, 2014-05-07, 1 file, -0/+62)

* vici: Add backend providing in-memory connections (Martin Willi, 2014-05-07, 1 file, -0/+1539)