aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/processing
Commit message (Collapse)AuthorAgeFilesLines
* charon: add optional source and remote overrides for initiateTimo Teräs2017-11-201-1/+1
| | | | | | | | | | | This introduces support for specifying optional IKE SA specific source and remote address for child sa initiation. This allows to initiate wildcard connection for known address via vici. In addition this allows impler implementation of trap-any patches and is a prerequisite for dmvpn support. Signed-off-by: Timo Teräs <timo.teras@iki.fi>
* delete-child-sa-job: Add new constructor that takes the unique ID of a CHILD_SATobias Brunner2017-05-232-13/+69
| | | | | This makes sure we delete the right SA in case the addresses got updated in the mean time.
* ike: Log remote IP when deleting half-open IKE_SAsTobias Brunner2017-03-151-1/+2
|
* peer-cfg: Store mediated_by as name and not peer-cfg referenceTobias Brunner2017-02-161-2/+19
| | | | | | | | | This way updates to the mediation config are respected and the order in which configs are configured/loaded does not matter. The SQL plugin currently maintains the strong relationship between mediated and mediation connection (we could theoretically change that to a string too).
* stroke: Use peer name as namespace for shunt policiesTobias Brunner2017-02-161-1/+2
| | | | | The same goes for the start-action-job. When unrouting, we search for the first policy with a matching child-cfg.
* shunt-manager: Add an optional namespace for each shuntTobias Brunner2017-02-161-1/+2
| | | | | This will allow us to reuse the names of child configs e.g. when they are defined in different connections.
* Use standard unsigned integer typesAndreas Steffen2016-03-2416-28/+28
|
* redirect-job: Add job to redirect an active IKE_SATobias Brunner2016-03-042-0/+157
|
* libhydra: Move kernel interface to libcharonTobias Brunner2016-03-031-1/+0
| | | | This moves hydra->kernel_interface to charon->kernel.
* ike: Keep track of send keepalive jobs to avoid scheduling more than one per ↵Tobias Brunner2016-03-031-1/+1
| | | | IKE_SA
* mediation: Reschedule initiate mediation job if SA is not yet foundTobias Brunner2015-11-091-0/+4
| | | | | | | | | If the job gets queued for a newly created IKE_SA it might not yet be checked in when the job is running, reschedule the job in that case. This should fix the two p2pnat test scenarios, which occasionally failed because one of the peers did not initiate the connection to the mediation server.
* controller: Optionally adhere to init limits also when initiating IKE_SAsTobias Brunner2015-08-212-3/+3
|
* ikev1: Assign different job priorities for inbound IKEv1 messagesTobias Brunner2015-08-211-2/+12
|
* jobs: Don't execute rekey CHILD_SA job on passive IKE_SAsThomas Egerer2015-08-041-1/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: When a reauth is detected explicitly delete the old IKE_SATobias Brunner2015-05-211-3/+13
| | | | | | | | | | | Instead of just implicitly destroying the old SA we properly delete it to notify the other peer (if the other peer keeps the SA up after the reauthentication and sends DPDs it might consider us dead even though the new SA is up, that seems to be the case with racoon). We delay the DELETE a bit to give the other peer time to get the new SA fully established. Since DELETE messages are not retransmitted it is still possible that the other peer misses that we deleted the SA.
* ikev1: Trigger children_migrate event if CHILD_SAs are adoptedTobias Brunner2015-05-211-0/+4
|
* child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAsTobias Brunner2015-03-251-1/+2
| | | | | | This is needed to handle DELETEs properly, which was previously done via CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents reauthentication.
* ikev1: Adopt virtual IPs on new IKE_SA during re-authenticationTobias Brunner2015-03-191-13/+45
| | | | | | | | | | | Some clients like iOS/Mac OS X don't do a mode config exchange on the new SA during re-authentication. If we don't adopt the previous virtual IP Quick Mode rekeying will later fail. If a client does do Mode Config we directly reassign the VIPs we migrated from the old SA, without querying the attributes framework. Fixes #807, #810.
* ikev2: Immediately initiate queued tasks after establishing rekeyed IKE_SAMartin Willi2015-03-182-0/+145
| | | | | | If additional tasks get queued before/while rekeying an IKE_SA, these get migrated to the new IKE_SA. We previously did not trigger initiation of these tasks, though, leaving the task unexecuted until a new task gets queued.
* ikev1: Don't handle DPD timeout job if IKE_SA got passiveMartin Willi2015-03-101-0/+6
| | | | | | While a passively installed IKE_SA does not queue a DPD timeout job, one that switches from active to passive might execute it. Ignore such a queued job if the IKE_SA is in passive state.
* migrate-job: Do CHILD_SA reqid lookup locallyMartin Willi2015-02-202-26/+21
|
* kernel-interface: Raise mapping event with a proto/SPI/dst tupleMartin Willi2015-02-202-11/+30
|
* inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-202-10/+10
|
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-204-39/+33
|
* ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA managerMartin Willi2015-02-201-4/+15
|
* ike: Remove redundant check for local NAT when handling changed NAT mappingsTobias Brunner2014-10-131-6/+1
|
* ikev1: Extend adopt_children_job by task queuing, executed after adoptionMartin Willi2014-08-252-0/+48
|
* payload: Use common prefixes for all payload type identifiersMartin Willi2014-06-041-1/+1
| | | | | The old identifiers did not use a proper namespace and often clashed with other defines.
* ike: Delay actively initiated reauthentication when other exchanges in progressMartin Willi2014-04-171-2/+47
| | | | | If any other IKE or CHILD_SA operation takes places, we should not start initiating reauthentication to avoid any potential races.
* ike: Restart inactivity counter after doing a CHILD_SA rekeyMartin Willi2014-01-231-2/+3
| | | | | | | | | | | | When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity job is queued for a time unrelated to the rekey time, so it might happen that the inactivity job gets executed just after rekeying. If this happens, inactivity is detected even if we had traffic on the rekeyed CHILD_SA just before rekeying. This change implies that inactivity checks can't handle inactivity timeouts for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter than the rekey time to have any effect.
* ikev1: Don't log a reauthentication detection message if no children adoptedMartin Willi2013-09-301-2/+6
| | | | | When a replace unique policy is in place, the children get adopted during the uniqueness check. In this case the message is just misleading.
* Reuse reqid for trap policies installed for dpd|closeaction=holdTobias Brunner2013-07-011-1/+1
|
* Delete IKE_SAs if responder does not initiate XAuth exchange within a ↵Tobias Brunner2013-03-191-1/+11
| | | | certain time frame
* When IKEv1 DPD times out, raise missing SEND_RETRANSMIT_TIMOUT alertMartin Willi2013-03-141-0/+1
|
* child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-142-4/+3
| | | | packets
* Log message size for in- and outbound IKE messagesTobias Brunner2012-12-241-2/+3
|
* Raise an alert if half-open timeout limit reachedMartin Willi2012-12-191-0/+1
|
* Properly trigger ike_updown() event if IKEv1 DPD times outMartin Willi2012-12-041-0/+1
| | | | Fixes missing RADIUS Accounting Stop, #257.
* Moved data structures to new collections subfolderTobias Brunner2012-10-241-1/+1
|
* Moved host_t and host_resolver_t to a new networking subfolderTobias Brunner2012-10-242-2/+2
|
* Support multiple virtual IPs on peer_cfg and ike_sa classesMartin Willi2012-08-301-3/+12
|
* Replaced usages of CHARON_*_PORT with calls to get_port().Tobias Brunner2012-08-081-1/+1
|
* Make the UDP ports charon listens for packets on (and uses as source ports) ↵Tobias Brunner2012-08-081-1/+1
| | | | configurable.
* Make rescheduling a job more predictableTobias Brunner2012-06-251-6/+4
| | | | | | | | | | | | | This avoids race conditions between calls to cancel() and jobs that like to be rescheduled. If jobs were able to reschedule themselves it would theoretically be possible that two worker threads have the same job assigned (the one currently executing the job and the one executing the same but rescheduled job if it already is time to execute it), this means that cancel() could be called twice for that job. Creating a new job based on the current one and reschedule that is also OK, but rescheduling itself is more efficient for jobs that need to be executed often.
* Give processor_t more control over the lifecycle of a jobTobias Brunner2012-06-2519-59/+51
| | | | | | | | | | | Jobs are now destroyed by the processor, but they are allowed to reschedule themselves. That is, parts of the reschedule functionality already provided by callback_job_t is moved to the processor. Not yet fully supported is JOB_REQUEUE_DIRECT and canceling jobs. Note: job_t.destroy() is now called not only for queued jobs but also after execution or cancellation of jobs. job_t.status can be used to decide what to do in said method.
* Use XAuth/EAP remote identity for uniqueness checkMartin Willi2012-06-251-2/+2
|
* Avoid queueing more than one retry initiate job.Tobias Brunner2012-05-301-1/+1
|
* Job added to re-initiate an IKE_SA.Tobias Brunner2012-05-302-0/+143
|
* Fix IKEv1 DPD clear, destroying IKE_SA even if reestablish not neededMartin Willi2012-05-211-9/+3
|
* make IKEv1 DPD timeout configurable in charonAndreas Steffen2012-05-171-1/+1
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-02 16:22:09 +0000