path: root/src/libcharon/plugins/vici/vici_config.c
Commit message | Author | Age | Files | Lines
* vici: Make setting mark on inbound SA configurable | Tobias Brunner | 2017-11-02 | 1 | -7/+19
* Change interface for enumerator_create_filter() callback | Tobias Brunner | 2017-05-26 | 1 | -7/+14
  This avoids the unportable 5 pointer hack, but requires enumerating in the callback.
* vici: Make 96-bit truncation for SHA-256 configurable | Tobias Brunner | 2017-05-26 | 1 | -0/+11
* vici: Make hardware offload configurable | Tobias Brunner | 2017-05-23 | 1 | -0/+11
* child-cfg: Use flags for boolean options | Tobias Brunner | 2017-05-23 | 1 | -11/+58
  Makes it potentially easier to add new flags.
* Add an option to announce support for IKE fragmentation but not sending fragments | Tobias Brunner | 2017-05-23 | 1 | -0/+1
* vici: Add support for mediation extension | Tobias Brunner | 2017-02-16 | 1 | -1/+85
* vici: Add support to load certificates from file paths | Tobias Brunner | 2017-02-16 | 1 | -13/+32
  Probably not that useful via swanctl.conf but could be when used via VICI.
* vici: Add support to load certificates from tokens | Tobias Brunner | 2017-02-16 | 1 | -12/+115
* vici: Explicitly use peer name when uninstalling trap and shunt policies | Tobias Brunner | 2017-02-16 | 1 | -4/+8
  Also adds an `ike` parameter to the `uninstall` command.
* shunt-manager: Add an optional namespace for each shunt | Tobias Brunner | 2017-02-16 | 1 | -2/+2
  This will allow us to reuse the names of child configs e.g. when they are defined in different connections.
* vici: Add support for IPv6 Transport Proxy Mode | Tobias Brunner | 2017-02-16 | 1 | -9/+12
* vici: Add support for certificate policies | Tobias Brunner | 2017-02-16 | 1 | -0/+17
* vici: Add missing dscp setting for IKE_SAs | Tobias Brunner | 2017-02-16 | 1 | -5/+39
  Fixes #2170.
* vici: Enable IKE fragmentation by default | Tobias Brunner | 2016-10-04 | 1 | -1/+1
* vici: Make installation of outbound FWD policies configurable | Tobias Brunner | 2016-09-28 | 1 | -25/+29
* vici: Increased various string buffers to BUF_LEN (512 bytes) | Andreas Steffen | 2016-07-29 | 1 | -4/+4
* vici list-conns sends reauthentication and rekeying time information | Andreas Steffen | 2016-05-04 | 1 | -15/+16
* Implemented IPsec policies restricted to given network interface | Andreas Steffen | 2016-04-09 | 1 | -0/+3
* Support manually-set IPsec policy priorities | Andreas Steffen | 2016-04-09 | 1 | -0/+2
* peer-cfg: Use struct to pass data to constructor | Tobias Brunner | 2016-04-09 | 1 | -6/+17
* child-cfg: Use struct to pass data to constructor | Tobias Brunner | 2016-04-09 | 1 | -125/+117
* Use standard unsigned integer types | Andreas Steffen | 2016-03-24 | 1 | -30/+30
* vici: Don't hold write lock while running or undoing start actions | Tobias Brunner | 2016-03-11 | 1 | -27/+63
  Running or undoing start actions might require enumerating IKE_SAs, which in turn might have to enumerate peer configs concurrently, which requires acquiring a read lock. So if we keep holding the write lock while enumerating the SAs we provoke a deadlock. By preventing other threads from acquiring the write lock while handling actions, and thus preventing the modification of the configs, we largely maintain the current synchronous behavior. This way we also don't need to acquire additional refs for config objects as they won't get modified/removed. Fixes #1185.
* Initialize ts variable | Andreas Steffen | 2016-03-11 | 1 | -1/+1
* Support of IP address ranges in traffic selectors | Andreas Steffen | 2016-03-10 | 1 | -1/+17
* vici: Replace child configs atomically | Tobias Brunner | 2016-03-08 | 1 | -14/+11
  This also leaves unmodified configs as they are.
* vici: Order auth rounds by optional `round` parameter instead of by position in the request | Tobias Brunner | 2016-03-08 | 1 | -40/+64
* vici: Add support for pubkey constraints with EAP-TLS | Tobias Brunner | 2016-03-04 | 1 | -0/+8
  This is a feature currently supported by stroke.
* auth-cfg: Make IKE signature schemes configurable | Tobias Brunner | 2016-03-04 | 1 | -2/+3
  This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* vici: Support multiple named raw public keys | Andreas Steffen | 2016-01-10 | 1 | -15/+19
* vici: Support of raw public keys | Andreas Steffen | 2016-01-09 | 1 | -6/+52
* Apply pubkey and signature constraints in vici plugin | Andreas Steffen | 2015-12-17 | 1 | -1/+5
* vici: Use an empty local auth round if none given | Martin Willi | 2015-12-07 | 1 | -3/+2
  While it hardly makes sense to use none for negotiated SAs, it actually does when installing shunt policies.
* vici: Limit start action undoing to IKE_SAs using the base peer config name | Martin Willi | 2015-12-07 | 1 | -3/+7
  If two peer configs use the same child config names, potentially delete the wrong CHILD_SA. Check the peer config name as well to avoid that.
* vici: Close empty IKE_SAs after undoing CHILD_SA start actions | Martin Willi | 2015-12-07 | 1 | -6/+44
* vici: Use value based array to store CHILD_SA ids during restart | Martin Willi | 2015-12-07 | 1 | -5/+6
  The previous approach stored a pointer to a volatile stack variable, which works for a single ID, but not for multiple.
* vici: Undo start actions when unloading configs | Martin Willi | 2015-12-07 | 1 | -0/+1
* controller: Optionally adhere to init limits also when initiating IKE_SAs | Tobias Brunner | 2015-08-21 | 1 | -1/+1
* vici: Add option to disable policy installation for CHILD_SAs | Tobias Brunner | 2015-08-17 | 1 | -1/+6
* vici: Certification Authority support added. | Andreas Steffen | 2015-07-21 | 1 | -9/+23
  CDP and OCSP URIs for one or multiple certification authorities can be added via the VICI interface. swanctl allows to read definitions from a new authorities section.
* vici: Compute rekey_bytes and rekey_packets if life_bytes and life_packets are defined | Andreas Steffen | 2015-07-20 | 1 | -6/+20
* vici: Default to certificate subject for identity | Timo Teräs | 2015-05-04 | 1 | -0/+37
  If id is not specified and certificate authentication is used, use the certificate subject name as identity. Simplifies configuration as in most cases this is the right thing to do. Signed-off-by: Timo Teräs <timo.teras@iki.fi>
* vici: Don't use a default rand_time larger than half of rekey/reauth_time | Martin Willi | 2015-03-03 | 1 | -3/+11
* vici: If an IKE reauth_time is configured, disable the default rekey_time | Martin Willi | 2015-03-03 | 1 | -1/+16
* controller: Use the CHILD_SA unique_id to terminate CHILD_SAs | Martin Willi | 2015-02-20 | 1 | -10/+10
* vici: Support a replay_window CHILD_SA option | Martin Willi | 2014-06-17 | 1 | -0/+16
* vici: Add Windows support | Martin Willi | 2014-06-04 | 1 | -1/+0
* ike: Add an additional but separate AEAD proposal to CHILD config | Martin Willi | 2014-05-16 | 1 | -2/+10
  This currently has no effect: We don't include AEAD algorithms in the default ESP proposal, as we don't know if it is supported by the backend. But as we hopefully get an algorithm query mechanism on kernel interfaces some day, we add the appropriate functionality nonetheless.
* ike: Add an additional but separate AEAD proposal to IKE config, if supported | Martin Willi | 2014-05-16 | 1 | -10/+25