aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* vici: Add support for python 3Björn Schuberg2015-03-185-8/+29
|
* vici: Execute python tests during "check" if py.test is availableMartin Willi2015-03-181-0/+4
|
* vici: Add test of Packet layer in python libraryBjörn Schuberg2015-03-181-1/+47
|
* vici: Add test of Message (de)serialization in python libraryBjörn Schuberg2015-03-183-0/+100
|
* vici: Evaluate Python streamed command results, and raise CommandExceptionMartin Willi2015-03-181-1/+10
|
* vici: Catch Python GeneratorExit to properly cancel streamed event iterationMartin Willi2015-03-182-1/+12
|
* vici: Fall back to heap buffer when vararg printing on stack failsMartin Willi2015-03-181-21/+44
| | | | This avoids failures when building log event messages including larger hexdumps.
* vici: Return a Python generator instead of a list for streamed responsesMartin Willi2015-03-182-47/+25
| | | | | | | In addition that it may reduce memory usage and improve performance for large responses, it returns immediate results. This is important for longer lasting commands, such as initiate/terminate, where immediate log feedback is preferable when interactively calling such commands.
* vici: Raise a Python CommandException instead of returning a CommandResultMartin Willi2015-03-182-82/+42
|
* vici: Add initial Python egg documentation to READMEMartin Willi2015-03-181-0/+65
|
* vici: Use OrderedDict to handle vici responses in Python libraryMartin Willi2015-03-181-2/+3
| | | | | The default Python dictionaries are unordered, but order is important for some vici trees (for example the order of authentication rounds).
* vici: Return authentication rounds with unique namesMartin Willi2015-03-181-1/+4
| | | | | | To simplify handling of authentication rounds in dictionaries/hashtables on the client side, we assign unique names to each authentication round when listing connection.
* vici: Rebuild ruby gem on source file changesMartin Willi2015-03-181-1/+1
|
* vici: Use default Unix vici socket if none passed to ruby constructorMartin Willi2015-03-182-4/+7
| | | | | While we currently have a static path instead of one generated with Autotools, this at least is congruent to what we have in the Python library.
* vici: Support non-Unix sockets for vici connections using PythonMartin Willi2015-03-182-7/+9
|
* vici: Add python egg setuptools building and installation using easy_installMartin Willi2015-03-181-0/+15
| | | | | | An uninstall target is currently not supported, as there is no trivial way with either plain setuptools or with easy_install. pip would probably be the best choice, but we currently don't depend on it.
* vici: Generate a version specific setup.py for setuptools installationMartin Willi2015-03-183-0/+41
|
* vici: Include python package in distributionMartin Willi2015-03-182-0/+9
|
* vici: Add python package MIT licenseBjörn Schuberg2015-03-182-0/+20
|
* vici: Expose Session as a top-level symbol in python packageBjörn Schuberg2015-03-181-0/+1
|
* vici: Introduce main API Session class in python packageBjörn Schuberg2015-03-181-1/+244
|
* vici: Add a python vici command execution handlerBjörn Schuberg2015-03-182-1/+134
|
* vici: Add vici python protocol handlerBjörn Schuberg2015-03-184-0/+199
|
* vici: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-4/+4
| | | | Fixes #886.
* stroke: Use %u to print stats returned by mallinfo(3)Tobias Brunner2015-03-131-1/+1
| | | | References #886.
* eap-radius: Increase Acct-Session-ID string bufferMartin Willi2015-03-131-1/+1
| | | | | | | | As the startup timestamp needs 10 characters, we only have left 4 characters for the IKE_SA unique identifier. This is insufficient when having 10000 IKE_SAs or more established, resulting in non-unique session identifiers. Fixes #889.
* ha: Destroy synced IKE_SA if no configuration is found during updateMartin Willi2015-03-101-0/+3
|
* libipsec: Pass separate inbound/update flags to the IPsec SA managerMartin Willi2015-03-091-1/+2
| | | | | Similar to other kernel interfaces, the libipsec backends uses the flag for different purposes, and therefore should get separate flags.
* kernel-interface: Add a separate "update" flag to add_sa()Martin Willi2015-03-093-3/+3
| | | | | | | | | | | The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add. While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
* Revert "ha: Always install the CHILD_SAs with the inbound flag set to FALSE"Martin Willi2015-03-091-2/+2
| | | | | | | | While this change results in the correct add/update flag during installation, it exchanges all other values in the child_sa->install() call. We should pass the correct flag, but determine the add/update flag by other means. This reverts commit e722ee5d.
* Make access requestor IP address available to TNC serverAndreas Steffen2015-03-082-12/+39
|
* stroke: Enable BLISS-based public key constraintsTobias Brunner2015-03-041-4/+19
|
* stroke: Support public key constraints for EAP methodsMartin Willi2015-03-031-1/+8
|
* eap-ttls: Support EAP auth information getter in EAP-TTLSMartin Willi2015-03-031-0/+7
|
* eap-tls: Support EAP auth information getter in EAP-TLSMartin Willi2015-03-031-0/+7
|
* stroke: Serve ca section CA certificates directly, not over central CA setMartin Willi2015-03-033-5/+85
| | | | | | | This makes these CA certificates independent from the purge issued by reread commands. Certificates loaded by CA sections can be removed through ipsec.conf update/reread, while CA certificates loaded implicitly from ipsec.d/cacerts can individually be reread using ipsec rereadcacerts.
* stroke: Purge existing CA/AA certificates during rereadMartin Willi2015-03-031-0/+4
|
* stroke: Use separate credential sets for CA/AA certificatesMartin Willi2015-03-031-3/+21
|
* stroke: Refactor load_certdir functionMartin Willi2015-03-031-108/+158
|
* vici: Don't use a default rand_time larger than half of rekey/reauth_timeMartin Willi2015-03-031-3/+11
|
* vici: If a IKE reauth_time is configured, disable the default rekey_timeMartin Willi2015-03-031-1/+16
|
* vici: Support ruby gem out-of-tree buildsMartin Willi2015-02-271-1/+3
| | | | | | | Referencing $(srcdir) in the gemspec is not really an option, as "gem build" includes the full path in the gem, so we need to build in $(srcdir). As there does not seem to be a way to control the output of "gem build", we manually move the gem to $(builddir) in OOT builds.
* ha: Always install the CHILD_SAs with the inbound flag set to FALSEMartin Willi2015-02-271-2/+2
| | | | | | | | | The inbound flag is used to determine if we have to install an update or a new SA in the kernel. As we do not have allocated SPIs and therefore can't update an existing SA in the HA plugin, always set the flag to FALSE. Before 698ed656 we had extra logic for that case, but handling it directly in the HA plugin is simpler.
* forecast: Explicitly cast sockaddr to fix compiler warningTobias Brunner2015-02-231-1/+1
| | | | On Travis we compile with -Werror.
* configure: Use pkg-config to detect libiptc used by connmark/forecastTobias Brunner2015-02-232-4/+4
| | | | | This ensures the library is available. On Debian/Ubuntu it is a dynamic library provided by the iptables-dev package.
* forecast: Add the broadcast/multicast forwarding plugin called forecastMartin Willi2015-02-207-0/+1472
|
* connmark: Add CONNMARK rules to select correct output SA based on conntrackMartin Willi2015-02-204-0/+611
| | | | | | | | | | | | | | Currently supports transport mode connections using IPv4 only, and requires a unique mark configured on the connection. To select the correct outbound SA when multiple connections match (i.e. multiple peers connected from the same IP address / NAT router) marks must be configured. This mark should usually be unique, which can be configured in ipsec.conf using mark=0xffffffff. The plugin inserts CONNMARK netfilter target rules: Any peer-initiated flow is tagged with the assigned mark as connmark. On the return path, the mark gets restored from the conntrack entry to select the correct outbound SA.
* connmark: Add a plugin stubMartin Willi2015-02-203-0/+143
|
* load-tester: Support initiating XAuth authenticationMartin Willi2015-02-201-0/+22
| | | | | | | | As with other configuration backends, XAuth is activated with a two round client authentication using pubkey and xauth. In load-tester, this is configured with initiator_auth=pubkey|xauth. Fixes #835.
* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauthMartin Willi2015-02-203-13/+17
| | | | | | | | | | | With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 11:00:55 +0000