aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* vici: Support non-Unix sockets for vici connections using PythonMartin Willi2015-03-182-7/+9
|
* vici: Add python egg setuptools building and installation using easy_installMartin Willi2015-03-181-0/+15
| | | | | | An uninstall target is currently not supported, as there is no trivial way with either plain setuptools or with easy_install. pip would probably be the best choice, but we currently don't depend on it.
* vici: Generate a version specific setup.py for setuptools installationMartin Willi2015-03-183-0/+41
|
* vici: Include python package in distributionMartin Willi2015-03-182-0/+9
|
* vici: Add python package MIT licenseBjörn Schuberg2015-03-182-0/+20
|
* vici: Expose Session as a top-level symbol in python packageBjörn Schuberg2015-03-181-0/+1
|
* vici: Introduce main API Session class in python packageBjörn Schuberg2015-03-181-1/+244
|
* vici: Add a python vici command execution handlerBjörn Schuberg2015-03-182-1/+134
|
* vici: Add vici python protocol handlerBjörn Schuberg2015-03-184-0/+199
|
* vici: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-4/+4
| | | | Fixes #886.
* stroke: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-1/+1
| | | | References #886.
* eap-radius: Increase Acct-Session-ID string bufferMartin Willi2015-03-131-1/+1
| | | | | | | | As the startup timestamp needs 10 characters, we only have left 4 characters for the IKE_SA unique identifier. This is insufficient when having 10000 IKE_SAs or more established, resulting in non-unique session identifiers. Fixes #889.
* ha: Destroy synced IKE_SA if no configuration is found during updateMartin Willi2015-03-101-0/+3
|
* libipsec: Pass separate inbound/update flags to the IPsec SA managerMartin Willi2015-03-091-1/+2
| | | | | Similar to other kernel interfaces, the libipsec backends uses the flag for different purposes, and therefore should get separate flags.
* kernel-interface: Add a separate "update" flag to add_sa()Martin Willi2015-03-093-3/+3
| | | | | | | | | | | The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add. While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
* Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"Martin Willi2015-03-091-2/+2
| | | | | | | | While this change results in the correct add/update flag during installation, it exchanges all other values in the child_sa->install() call. We should pass the correct flag, but determine the add/update flag by other means. This reverts commit e722ee5d.
* Make access requestor IP address available to TNC serverAndreas Steffen2015-03-082-12/+39
|
* stroke: Enable BLISS-based public key constraintsTobias Brunner2015-03-041-4/+19
|
* stroke: Support public key constraints for EAP methodsMartin Willi2015-03-031-1/+8
|
* eap-ttls: Support EAP auth information getter in EAP-TTLSMartin Willi2015-03-031-0/+7
|
* eap-tls: Support EAP auth information getter in EAP-TLSMartin Willi2015-03-031-0/+7
|
* stroke: Serve ca section CA certificates directly, not over central CA setMartin Willi2015-03-033-5/+85
| | | | | | | This makes these CA certificates independent from the purge issued by reread commands. Certificates loaded by CA sections can be removed through ipsec.conf update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts can individually be reread using ipsec rereadcacerts.
* stroke: Purge existing CA/AA certificates during rereadMartin Willi2015-03-031-0/+4
|
* stroke: Use separate credential sets for CA/AA certificatesMartin Willi2015-03-031-3/+21
|
* stroke: Refactor load_certdir functionMartin Willi2015-03-031-108/+158
|
* vici: Don't use a default rand_time larger than half of rekey/reauth_timeMartin Willi2015-03-031-3/+11
|
* vici: If a IKE reauth_time is configured, disable the default rekey_timeMartin Willi2015-03-031-1/+16
|
* vici: Support ruby gem out-of-tree buildsMartin Willi2015-02-271-1/+3
| | | | | | | Referencing $(srcdir) in the gemspec is not really an option, as "gem build" includes the full path in the gem, so we need to build in $(srcdir). As there does not seem to be a way to control the output of "gem build", we manually move the gem to $(builddir) in OOT builds.
* ha: Always install the CHILD_SAs with the inbound flag set to FALSEMartin Willi2015-02-271-2/+2
| | | | | | | | | The inbound flag is used to determine if we have to install an update or a new SA in the kernel. As we do not have allocated SPIs and therefore can't update an existing SA in the HA plugin, always set the flag to FALSE. Before 698ed656 we had extra logic for that case, but handling it directly in the HA plugin is simpler.
* forecast: Explicitly cast sockaddr to fix compiler warningTobias Brunner2015-02-231-1/+1
| | | | On Travis we compile with -Werror.
* configure: Use pkg-config to detect libiptc used by connmark/forecastTobias Brunner2015-02-232-4/+4
| | | | | This ensures the library is available. On Debian/Ubuntu it is a dynamic library provided by the iptables-dev package.
* forecast: Add the broadcast/multicast forwarding plugin called forecastMartin Willi2015-02-207-0/+1472
|
* connmark: Add CONNMARK rules to select correct output SA based on conntrackMartin Willi2015-02-204-0/+611
| | | | | | | | | | | | | | Currently supports transport mode connections using IPv4 only, and requires a unique mark configured on the connection. To select the correct outbound SA when multiple connections match (i.e. multiple peers connected from the same IP address / NAT router) marks must be configured. This mark should usually be unique, which can be configured in ipsec.conf using mark=0xffffffff. The plugin inserts CONNMARK netfilter target rules: Any peer-initiated flow is tagged with the assigned mark as connmark. On the return path, the mark gets restored from the conntrack entry to select the correct outbound SA.
* connmark: Add a plugin stubMartin Willi2015-02-203-0/+143
|
* load-tester: Support initiating XAuth authenticationMartin Willi2015-02-201-0/+22
| | | | | | | | As with other configuration backends, XAuth is activated with a two round client authentication using pubkey and xauth. In load-tester, this is configured with initiator_auth=pubkey|xauth. Fixes #835.
* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauthMartin Willi2015-02-203-13/+17
| | | | | | | | | | | With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
* attribute-handler: Pass full IKE_SA to handler backendsMartin Willi2015-02-206-50/+40
|
* attribute-provider: Pass full IKE_SA to provider backendsMartin Willi2015-02-208-46/+45
|
* unit-tester: Drop the old unit-tester libcharon pluginMartin Willi2015-02-2012-946/+0
| | | | | | While it has some tests that we don't directly cover with the new unit tests, most of them require special infrastructure and therefore have not been used for a long time.
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-2014-72/+66
|
* attr-sql: Move plugin to libcharonMartin Willi2015-02-205-0/+715
|
* attr: Move plugin to libcharonMartin Willi2015-02-205-0/+553
|
* resolve: Move plugin back to libcharonMartin Willi2015-02-205-0/+588
| | | | Since pluto is gone, all existing users build upon libcharon.
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-202-2/+2
|
* unity: Reference IKE_SAs by the IKEv1 COOKIEs, improving lookup performanceMartin Willi2015-02-203-14/+17
| | | | | When handling thousands of IKE_SAs, the unique ID based lookup is rather slow, as we have no indexing.
* ike-sa-manager: Remove IKE_SA checkout by CHILD_SA reqidMartin Willi2015-02-201-1/+1
|
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-203-13/+10
|
* controller: Use the CHILD_SA unique_id to terminate CHILD_SAsMartin Willi2015-02-203-13/+13
|
* stroke: List CHILD_SA unique ID as the primary identifier, but print reqid, tooMartin Willi2015-02-201-5/+6
|
* vici: Include the CHILD_SA unique ID in list-sa eventMartin Willi2015-02-202-0/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-15 16:39:03 +0000