Commit message | Author | Age | Files | Lines

The original name is returned in the new "name" attribute.
This fixes an issue with bindings that map VICI messages to
dictionaries. For instance, in roadwarrior scenarios where every
CHILD_SA has the same name only the information of the last CHILD_SA
would end up in the dictionary for that name.
sections
Probably not that useful via swanctl.conf but could be when used via VICI.
PINs are stored in a "hidden" credential set, so that its shared
secrets are not exposed via VICI. Since they are not explicitly loaded as
shared secrets via VICI, a client might consider them as removed secrets and
remove them.
The two names are also transmitted in separate keys.
Also adds an `ike` parameter to the `uninstall` command.
The same goes for the start-action-job. When unrouting, we search for
the first policy with a matching child-cfg.
This will allow us to reuse the names of child configs e.g. when they
are defined in different connections.
Fixes #1002.
Fixes #2170.
This identifier can be set when adding/replacing a secret. The unique
identifiers of all secrets may be enumerated.
They are identified by their SHA-1 key identifier.
After an interface disappeared, we can't remove the policies correctly as
the name doesn't resolve to the previous index anymore.
And making the policies so specific might not provide that much benefit.
To handle the interfaces on the policies correctly would require some
changes to the child-cfg, kernel-interface etc. so they'd take interface
indices directly, so we could target the policies correctly even if an
interface disappeared (or reappeared and got a new index).
For table dumps the kernel accepts RTA_PREFSRC to filter the routes, which is
what we do when doing userspace route calculations. For kernel-based route
lookups, however, the RTA_PREFSRC attribute is ignored and we must specify
RTA_SRC for policy based route lookups.
For gateways with many connections, installing routes is often disabled,
as we can use a static route configuration to achieve proper routing with
a single rule. If this is the case, there is no need to dump all routes and
do userspace route lookups, as there is no need to exclude routes we installed
ourselves.
Doing kernel-based route lookups is not only faster with many routes, but also
can use the full power of Linux policy based routing; something we can hardly
rebuild in userspace when calculating routes.
When using vici over RPyC and its (awesome) splitbrain, encoding and decoding
strings fails in vici, most likely because of the Monkey-Patch magic splitbrain
uses.
When specifying the implicit UTF-8 as encoding scheme explicitly, Python uses
the correct method to encode/decode the string, making vici usable in
splitbrain contexts.
The config can also be reloaded by sending a SIGHUP to charon.
Currently, only the kernel-netlink plugin supports this; the others will
just ignore it.
subnets
Same as the change in the kernel-netlink plugin.
While trap and regular policies now often look the same (mainly because
reqids are kept constant) trap policies still need to have a lower priority
than regular policies to handle unroute/route correctly if e.g. IPComp
is used or the mode changes. But if we use a completely different
priority range that's lower than that of regular policies it is not possible
to install overlapping trap policies. By differentiating trap from
regular policies via the priority's LSB this issue is avoided while
still maintaining the proper ordering of trap and regular policies.
Fixes #1243.
Closes strongswan/strongswan#62.
Fixes #2238.
The Optimistic Duplicate Address Detection (DAD) seems to fail in some
cases (`dadfailed` in `ip addr`) rendering the virtual IP address unusable.
Fixes #2183.
This implements rule 6 of RFC 6724 using the default priority table,
so that e.g. global addresses are preferred over ULAs (which also have
global scope) when the destination is a global address.
Fixes #2138.
By default, the kernel incorrectly uses an 8 byte alignment, which is
mandatory for IPv6 but prohibited for IPv4. For many algorithms this
doesn't matter but that's not the case for HMAC_SHA2_256_128.
Since 2.6.39 the kernel can be explicitly configured to use a 4 byte
alignment.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Picky kernels might otherwise reject our messages as RFC 2367 explicitly
mandates this.
Fixes #2212.
than the destination
Otherwise, we'd end up with an empty TS list, which is not valid.
Because end->tohost is set to !end->subnets in starter, the removed branch was
never used.
Fixes #2146.
Fixes #1192.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
The Python VICI library does not check if the socket is closed.
If the daemon closes the connection, _recvall() spins forever.
Closes strongswan/strongswan#56.
The kernel apparently supports this since 3.10.