aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins
Commit message (Collapse)AuthorAgeFilesLines
* Extended IPsec kernel policy schemeAndreas Steffen2016-04-091-18/+53
| | | | | | | | The kernel policy now considers src and dst port masks as well as restictions to a given network interface. The base priority is 100'000 for passthrough shunts, 200'000 for IPsec policies, 300'000 for IPsec policy traps and 400'000 for fallback drop shunts. The values 1..30'000 can be used for manually set priorities.
* Include manual policy priorities and restriction to interfaces in vici ↵Andreas Steffen2016-04-091-1/+14
| | | | list-conn command
* Implemented IPsec policies restricted to given network interfaceAndreas Steffen2016-04-092-6/+12
|
* Support manually-set IPsec policy prioritiesAndreas Steffen2016-04-092-2/+6
|
* peer-cfg: Use struct to pass data to constructorTobias Brunner2016-04-099-95/+148
|
* child-cfg: Use struct to pass data to constructorTobias Brunner2016-04-099-219/+231
|
* kernel-pfkey: Prefer policies with reqid over those withoutTobias Brunner2016-04-091-1/+7
|
* kernel-pfkey: Only install templates for regular IPsec policies with reqidTobias Brunner2016-04-091-32/+35
|
* kernel-netlink: Prefer policies with reqid over those withoutTobias Brunner2016-04-091-1/+7
| | | | | | | This allows two CHILD_SAs with reversed subnets to install two FWD policies each. Since the outbound policy won't have a reqid set we will end up with the two inbound FWD policies installed in the kernel, with the correct templates to allow decrypted traffic.
* kernel-netlink: Only associate templates with inbound FWD policiesTobias Brunner2016-04-091-1/+1
| | | | | | We can't set a template on the outbound FWD policy (or we'd have to make it optional). Because if the traffic does not come from another (matching) IPsec tunnel it would get dropped due to the template mismatch.
* kernel-netlink: Associate routes with IN policies instead of FWD policiesTobias Brunner2016-04-091-21/+21
| | | | | | This allows us to install more than one FWD policy. We already do this in the kernel-pfkey plugin (there the original reason was that not all kernels support FWD policies).
* kernel: Use structs to pass information to the kernel-ipsec interfaceTobias Brunner2016-04-095-529/+593
|
* vici: Fix documentation of some dictionary keys of two request messagesCameron McCord2016-03-311-3/+3
| | | | Closes strongswan/strongswan#40.
* Use standard unsigned integer typesAndreas Steffen2016-03-2493-725/+725
|
* updown: Get value for PLUTO_MARK_{IN,OUT} from CHILD_SAShota Fukumori2016-03-231-2/+2
| | | | | | | Or the invoked script will get a broken value when `mark=%unique` is used in a configuration. Closes strongswan/strongswan#37.
* connmark: Explicitly include xt_mark.h for older kernelsTobias Brunner2016-03-231-0/+1
| | | | Fixes #1365.
* ha: Delete cache entry inside the locked mutexThomas Egerer2016-03-231-0/+2
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* kernel-netlink: Fix lookup of next hops for destinations with prefixTobias Brunner2016-03-211-1/+2
| | | | References #1347.
* vici: Don't hold write lock while running or undoing start actionsTobias Brunner2016-03-111-27/+63
| | | | | | | | | | | | | | Running or undoing start actions might require enumerating IKE_SAs, which in turn might have to enumerate peer configs concurrently, which requires acquiring a read lock. So if we keep holding the write lock while enumerating the SAs we provoke a deadlock. By preventing other threads from acquiring the write lock while handling actions, and thus preventing the modification of the configs, we largely maintain the current synchronous behavior. This way we also don't need to acquire additional refs for config objects as they won't get modified/removed. Fixes #1185.
* Initialize ts variableAndreas Steffen2016-03-111-1/+1
|
* forecast: Compare the complete rules when deleting themTobias Brunner2016-03-101-1/+4
| | | | | | Same as the change in the connmark plugin. References #1229.
* connmark: Don't restore CONNMARK for packets that already have a mark setTobias Brunner2016-03-101-2/+17
| | | | | | | | | This allows e.g. modified versions of xl2tpd to set the mark in situations where two clients are using the same source port behind the same NAT, which CONNMARK can't restore properly as only one conntrack entry will exist with the mark set to that of the client that sent the last packet. Fixes #1230.
* connmark: Compare the complete rules when deleting themTobias Brunner2016-03-101-1/+4
| | | | | | | | | | | | By settings a matchmask that covers the complete rule we ensure that the correct rule is deleted (i.e. matches and targets with potentially different marks are also compared). Since data after the passed pointer is actually dereferenced when comparing we definitely have to pass an array that is at least as long as the ipt_entry. Fixes #1229.
* Support of IP address ranges in traffic selectorsAndreas Steffen2016-03-102-7/+27
|
* attr: Only enumerate attributes matching the IKE version of the current IKE_SATobias Brunner2016-03-101-19/+49
| | | | Numerically configured attributes are currently sent for both versions.
* attr: Add p-cscf keyword for P-CSCF server addressesTobias Brunner2016-03-101-0/+1
|
* p-cscf: Make sending requests configurable and disable it by defaultTobias Brunner2016-03-101-2/+6
|
* p-cscf: Only send requests if virtual IPs of the same family are requestedTobias Brunner2016-03-101-2/+18
|
* p-cscf: Add attribute handler for P-CSCF server addressesTobias Brunner2016-03-104-1/+243
|
* p-cscf: Add plugin stubTobias Brunner2016-03-103-0/+123
|
* vici: Replace child configs atomicallyTobias Brunner2016-03-081-14/+11
| | | | This also leaves unmodified configs as they are.
* vici: Order auth rounds by optional `round` parameter instead of by position ↵Tobias Brunner2016-03-081-40/+64
| | | | in the request
* smp: Correctly return IKE SPIs stored in network orderTobias Brunner2016-03-041-4/+4
|
* vici: Correctly return IKE SPIs stored in network orderTobias Brunner2016-03-041-2/+4
|
* stroke: Correctly print IKE SPIs stored in network orderTobias Brunner2016-03-041-2/+4
|
* vici: Add support for pubkey constraints with EAP-TLSTobias Brunner2016-03-041-0/+8
| | | | This is a feature currently supported by stroke.
* auth-cfg: Make IKE signature schemes configurableTobias Brunner2016-03-042-5/+7
| | | | | | This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* vici: Don't redirect all SAs if no selectors are givenTobias Brunner2016-03-041-1/+1
| | | | | This avoid confusion and redirecting all SAs can now easily be done explicitly (e.g. peer_ip=0.0.0.0/0).
* vici: Match subnets and ranges against peer IP in redirect commandTobias Brunner2016-03-042-12/+42
|
* vici: Match identity with wildcards against remote ID in redirect commandTobias Brunner2016-03-042-5/+9
|
* vici: Add redirect commandTobias Brunner2016-03-045-0/+150
| | | | | This allows redirecting IKE_SAs by multiple different selectors, if none are given all SAs are redirected.
* Set PLUTO port variables to 0 in the case of no port restrictionsAndreas Steffen2016-03-041-1/+1
|
* Port range support in updown scriptAndreas Steffen2016-03-041-13/+37
|
* Implemented port ranges in kernel_netlink interfaceAndreas Steffen2016-03-041-7/+19
|
* libhydra: Remove empty unused libraryTobias Brunner2016-03-0365-65/+0
|
* libhydra: Move kernel interface to libcharonTobias Brunner2016-03-0330-197/+137
| | | | This moves hydra->kernel_interface to charon->kernel.
* libhydra: Move all kernel plugins to libcharonTobias Brunner2016-03-0323-0/+12420
|
* forecast: Fix alignment when adding rulesTobias Brunner2016-03-031-114/+133
| | | | | | Basically the same issue as with the connmark plugin. Fixes #1212.
* connmark: Fix alignment when adding rulesTobias Brunner2016-03-031-160/+172
| | | | | | | | The structs that make up a message sent to the kernel have all to be aligned with XT_ALIGN. That was not necessarily the case when initializing the complete message as struct. Fixes #1212.
* vici: Provide ports of local and remote IKE endpointsTobias Brunner2016-03-032-2/+9
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-25 02:31:50 +0000