| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Metrics are basically defined to order routes with equal prefix, so ordering
routes by metric first makes not much sense as that could prefer totally
unspecific routes over very specific ones.
For instance, the previous code did break installation of routes for
passthrough policies with two routes like these in the main routing table:
default via 192.168.2.1 dev eth0 proto static
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.10 metric 1
Because the default route has no metric set (0) it was used, instead of the
more specific other one, to determine src and next hop when installing a route
for a passthrough policy for 192.168.2.0/24. Therefore, the installed route
in table 220 did then incorrectly redirect all local traffic to "next hop"
192.168.2.1.
The same issue occurred when determining the source address while
installing trap policies.
Fixes 6b57790270fb ("kernel-netlink: Respect kernel routing priorities for IKE routes").
Fixes #1416.
|
| | |
|
| |
|
|
| |
Also orders policies with equals priorities by their automatic priority.
|
| |
|
|
|
|
|
| |
kernel-netlink
Since the selectors are not exactly the same (no port masks, no interface)
some small tweaks have been applied.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This allows using manual priorities for traps, which have a lower
base priority than the resulting IPsec policies. This could otherwise
be problematic if, for example, swanctl --install/uninstall is used while
an SA is established combined with e.g. IPComp, where the trap policy does
not look the same as the IPsec policy (which is now otherwise often the case
as the reqids stay the same).
It also orders policies by selector size if manual priorities are configured
and narrowing occurs.
|
| |
|
|
|
|
|
|
| |
The kernel policy now considers src and dst port masks as well as
restictions to a given network interface. The base priority is
100'000 for passthrough shunts, 200'000 for IPsec policies,
300'000 for IPsec policy traps and 400'000 for fallback drop shunts.
The values 1..30'000 can be used for manually set priorities.
|
| |
|
|
| |
list-conn command
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This allows two CHILD_SAs with reversed subnets to install two FWD
policies each. Since the outbound policy won't have a reqid set we will
end up with the two inbound FWD policies installed in the kernel, with
the correct templates to allow decrypted traffic.
|
| |
|
|
|
|
| |
We can't set a template on the outbound FWD policy (or we'd have to make
it optional). Because if the traffic does not come from another (matching)
IPsec tunnel it would get dropped due to the template mismatch.
|
| |
|
|
|
|
| |
This allows us to install more than one FWD policy. We already do this
in the kernel-pfkey plugin (there the original reason was that not all
kernels support FWD policies).
|
| | |
|
| |
|
|
| |
Closes strongswan/strongswan#40.
|
| | |
|
| |
|
|
|
|
|
| |
Or the invoked script will get a broken value when `mark=%unique` is
used in a configuration.
Closes strongswan/strongswan#37.
|
| |
|
|
| |
Fixes #1365.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
| |
References #1347.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running or undoing start actions might require enumerating IKE_SAs,
which in turn might have to enumerate peer configs concurrently, which
requires acquiring a read lock. So if we keep holding the write lock while
enumerating the SAs we provoke a deadlock.
By preventing other threads from acquiring the write lock while handling
actions, and thus preventing the modification of the configs, we largely
maintain the current synchronous behavior. This way we also don't need to
acquire additional refs for config objects as they won't get modified/removed.
Fixes #1185.
|
| | |
|
| |
|
|
|
|
| |
Same as the change in the connmark plugin.
References #1229.
|
| |
|
|
|
|
|
|
|
| |
This allows e.g. modified versions of xl2tpd to set the mark in
situations where two clients are using the same source port behind the
same NAT, which CONNMARK can't restore properly as only one conntrack entry
will exist with the mark set to that of the client that sent the last packet.
Fixes #1230.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
By settings a matchmask that covers the complete rule we ensure that the
correct rule is deleted (i.e. matches and targets with potentially different
marks are also compared).
Since data after the passed pointer is actually dereferenced when
comparing we definitely have to pass an array that is at least as long as
the ipt_entry.
Fixes #1229.
|
| | |
|
| |
|
|
| |
Numerically configured attributes are currently sent for both versions.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This also leaves unmodified configs as they are.
|
| |
|
|
| |
in the request
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This is a feature currently supported by stroke.
|
| |
|
|
|
|
| |
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
|
| |
|
|
|
| |
This avoid confusion and redirecting all SAs can now easily be done
explicitly (e.g. peer_ip=0.0.0.0/0).
|
| | |
|
| | |
|
| |
|
|
|
| |
This allows redirecting IKE_SAs by multiple different selectors, if none
are given all SAs are redirected.
|
| | |
|
| | |
|
| | |
|
| | |
|
