| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| |
|
|
|
|
| |
The kernel will apply the mask to the mark on the packet and then
compare it to the configured mark. So to match only unmarked packets we
have to be able to set 0/0xffffffff.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the number of flows over a gateway exceeds the flow cache size of the Linux
kernel, policy lookup gets very expensive. Policies covering more than a single
address don't get hash-indexed by default, which results in wasting most of
the cycles in xfrm_policy_lookup_bytype() and its xfrm_policy_match() use.
Starting with several hundred policies the overhead gets inacceptable.
Starting with Linux 3.18, Linux can hash the first n-bit of a policy subnet
to perform indexed lookup. With correctly chosen netbits, this can completely
eliminate the performance impact of policy lookups, freeing the resources
for ESP crypto.
WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes with a
NULL pointer dereference if a socket policy is installed while hash thresholds
are changed. And because the hashtable rebuild triggered by the threshold
change that causes this is scheduled it might also happen if the socket
policies are seemingly installed after setting the thresholds.
The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket policies when
rebuilding hash tables") - is included since 4.8 (and might get backported).
As a workaround `charon.plugins.kernel-netlink.port_bypass` may be enabled
to replace the socket policies that allow IKE traffic with port specific
bypass policies.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
When fresh CRLs are released with a high update frequency (e.g.
every 24 hours) or OCSP is used then the certificate cache gets
quickly filled with stale CRLs or OCSP responses. The new VICI
flush-certs command allows to flush e.g. cached CRLs or OCSP
responses only. Without the type argument all kind of certificates
(e.g. also received end entity and intermediate CA certificates)
are purged.
|
| | |
|
| | |
|
| |
|
|
|
| |
It's not necessary and might waste memory. However, if ESN is used we set
the window to 1 as the kernel rejects the attribute otherwise.
|
| |
|
|
|
| |
It is not necessary for outbound SAs and might waste memory when large
window sizes are used.
|
| |
|
|
|
|
|
|
| |
fgetc() returns an int and EOF is usually -1 so when this gets casted to
a char the result depends on whether `char` means `signed char` or
`unsigned char` (the C standard does not specify it). If it is unsigned
then its value is 0xff so the comparison with EOF will fail as that is an
implicit signed int.
|
| |
|
|
|
|
| |
This fixes DNS server installation if make-before-break reauthentication
is used as there the new SA and DNS server is installed before it then
is removed again when the old IKE_SA is torn down.
|
| |
|
|
| |
This allows us to capture output written to stderr/stdout.
|
| |
|
|
|
|
| |
If running resolvconf fails handle() fails release() is not called, which
might leave an interface file on the system (or depending on which script
called by resolvconf actually failed even the installed DNS server).
|
| | |
|
| | |
|
| |
|
|
|
| |
This is the direction we actually need routes in and makes the code
easier to read.
|
| |
|
|
| |
are in the selector
|
| |
|
|
|
|
|
|
|
| |
are in the selector
We don't need them for drop policies and they might even mess with other
routes we install. Routes for policies with protocol/ports in the
selector will always be too broad and might conflict with other routes
we install.
|
| |
|
|
|
| |
An exception is if the local address is virtual, in which case we want
the route to be via TUN device.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Using the source address to determine the interface is not correct for
net-to-net shunts between two interfaces on which the host has IP addresses
for each subnet.
|
| | |
|
| |
|
|
|
| |
The returned name should be the interface over which the destination
address/net is reachable.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Other threads are free to add/update/delete other policies.
This tries to prevent race conditions caused by releasing the mutex while
sending messages to the kernel. For instance, if break-before-make
reauthentication is used and one thread on the responder is delayed in
deleting the policies that another thread is concurrently adding for the
new SA. This could have resulted in no policies being installed
eventually.
Fixes #1400.
|
| | |
|
| | |
|
| |
|
|
| |
#1467.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
If a pseudonym changed a new entry was added to the table storing
permanent identity objects (that are used as keys in the other table).
However, the old mapping was not removed while replacing the mapping in
the pseudonym table caused the old pseudonym to get destroyed. This
eventually caused crashes when a new pseudonym had the same hash value as
such a defunct entry and keys had to be compared.
Fixes strongswan/strongswan#46.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
|
| |
This fixes authentication with tokens that require the PIN for every
signature.
Fixes #1369.
|
| | |
|
| |
|
|
| |
This fixes the out-of-tree build.
|
| |
|
|
| |
package
|
| | |
|
| |
|
|
|
|
| |
The versioning scheme used by Python (PEP 440) supports the rcN suffix
but development releases have to be named devN, not drN, which are
not supported and considered legacy versions.
|
| | |
|
| |
|
|
|
|
|
| |
in Python
recv() will return less bytes than specified (as that's the buffer size)
if not as many are ready to be read from the socket.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
After adding the read callback the state is WATCHER_QUEUED and it is
switched to WATCHER_RUNNING only later by an asynchronous job. This means
that a thread that sent a Netlink message shortly after registration
might see the state as WATCHER_QUEUED. If it then tries to read the
response and the watcher thread is quicker to actually read the message
from the socket, it could block on recv() while still holding the lock.
And the asynchronous job that actually read the message and tries to queue
it will block while trying to acquire the lock, so we'd end up in a deadlock.
This is probably mostly a problem in the unit tests.
|
