path: root/src/libcharon/sa/child_sa.c
Commit message | Author | Age | Files | Lines
* child-cfg: Optionally set mark on inbound SA (Tobias Brunner, 2017-11-02, 1 file changed, -2/+17)
* child-sa: Allow requesting different unique marks for in/out (Eyal Birger, 2017-08-07, 1 file changed, -6/+23)
  When requiring unique flags for CHILD_SAs, allow the configuration to request different marks for each direction by using the %unique-dir keyword. This is useful when different marks are desired for each direction but the number of peers is not predefined.
  An example use case is when implementing a site-to-site route-based VPN without VTI devices. A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks results in outbound traffic being wrongfully matched against the 'fwd' policy - for which the underlay 'template' does not match - and dropped. Using different marks for each direction avoids this issue, as the 'fwd' policy, which uses the 'in' mark, will not match outbound traffic.
  Closes strongswan/strongswan#78.
* child-sa: Suppress CHILD_SA state changes if there is no change (Tobias Brunner, 2017-08-07, 1 file changed, -6/+9)
* child-sa: Install outbound SA immediately if kernel supports SPIs on policies (Tobias Brunner, 2017-08-07, 1 file changed, -18/+36)
* child-sa: Use flags to track installation of outbound SA and policies separately (Tobias Brunner, 2017-08-07, 1 file changed, -23/+28)
* linked-list: Change interface of callback for invoke_function() (Tobias Brunner, 2017-05-26, 1 file changed, -5/+5)
  This avoids the unportable five pointer hack.
* Migrate all enumerators to venumerate() interface change (Tobias Brunner, 2017-05-26, 1 file changed, -4/+6)
* child-cfg: Optionally use 96-bit truncation for HMAC-SHA-256 (Tobias Brunner, 2017-05-26, 1 file changed, -0/+8)
  The correct truncation is 128-bit but some implementations insist on using 96-bit truncation. With strongSwan this can be negotiated using an algorithm identifier from a private range. But this doesn't work with third-party implementations. This adds an option to use 96-bit truncation even if the official identifier is used.
* child-sa: Remove state to track installation of half the SA again (Tobias Brunner, 2017-05-23, 1 file changed, -1/+0)
* child-sa: Expose state of the outbound SA (Tobias Brunner, 2017-05-23, 1 file changed, -16/+26)
* child-sa: Add method to remove the outbound SA and policies (Tobias Brunner, 2017-05-23, 1 file changed, -5/+73)
* child-sa: Keep track whether the outbound SA has been installed or not (Tobias Brunner, 2017-05-23, 1 file changed, -8/+13)
* child-sa: Add log message for CHILD_SA state changes (Tobias Brunner, 2017-05-23, 1 file changed, -0/+4)
* child-sa: Add method to associate rekeyed CHILD_SAs with their replacement (Tobias Brunner, 2017-05-23, 1 file changed, -0/+19)
* child-sa: Add methods that allow partial installation of CHILD_SA (Tobias Brunner, 2017-05-23, 1 file changed, -5/+117)
  Using install() for the inbound SA and register_outbound() for the outbound SA, followed by install_policies(), will delay the installation of the outbound SA as well as the installation of the outbound policies in the kernel until install_outbound() is called later.
* child-sa: Add new state to track installation of only the inbound SA (Tobias Brunner, 2017-05-23, 1 file changed, -0/+1)
* child-sa: Change API used to set/install policies (Tobias Brunner, 2017-05-23, 1 file changed, -30/+56)
  This way we only have to pass the traffic selectors once.
* child-sa: Split in- and outbound policy de-/installation (Tobias Brunner, 2017-05-23, 1 file changed, -62/+127)
  Only install outbound fallback policies.
* child-sa: Optionally enable hardware offload for CHILD_SAs (Tobias Brunner, 2017-05-23, 1 file changed, -0/+1)
* child-cfg: Use flags for boolean options (Tobias Brunner, 2017-05-23, 1 file changed, -7/+9)
  Makes it potentially easier to add new flags.
* Fixed some typos, courtesy of codespell (Tobias Brunner, 2017-03-23, 1 file changed, -1/+1)
* child-sa: Do not install mark on inbound kernel SA (Eyal Birger, 2017-02-14, 1 file changed, -4/+1)
  The SA ID (src, dst, proto, spi) is unique on ingress. As such, explicit inbound marking is not needed to match an SA.
  On the other hand, requiring inbound SAs to use marks forces the installation of a mechanism for marking traffic (e.g. iptables) based on some criteria. Defining the criteria becomes complicated, for example when required to support multiple SAs from the same src, especially when traffic is UDP encapsulated.
  This commit removes the assignment of the child_sa mark_in to the inbound SA. Policies can be arbitrated by existing means - e.g., via netfilter policy matching or using VTI interfaces - without the need to classify the flows prior to state matching.
  Since the reqid allocator regards the mark value, there is no risk of matching the wrong policy. And as explicit marking was required for route-based VPN to work before this change, it should not cause regressions in existing setups.
  Closes strongswan/strongswan#59.
* child-sa: Use single return statement in update_usebytes() (Thomas Egerer, 2016-11-18, 1 file changed, -4/+8)
  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* child-sa: Only install outbound FWD policies if explicitly configured (Tobias Brunner, 2016-09-28, 1 file changed, -14/+27)
  They are only required if drop policies would otherwise prevent forwarding traffic. This reduces the number of policies and avoids conflicts e.g. with SPD hash thresholds.
* child-sa: Use non-static variable to store generated unique mark (Tobias Brunner, 2016-06-06, 1 file changed, -1/+2)
  If two CHILD_SAs with mark=%unique are created concurrently they could otherwise end up with either the same mark or different marks in both directions.
* child-sa: Install "outbound" FWD policy with lower priority (Tobias Brunner, 2016-05-06, 1 file changed, -1/+12)
  This provides a fix if symmetrically overlapping policies are installed as e.g. the case in the ikev2/ip-two-pools-db scenario:

    carol 10.3.0.1/32 ----- 10.3.0.0/16, 10.4.0.0/16 moon
    alice 10.4.0.1/32 ----- 10.3.0.0/16, 10.4.0.0/16 moon

  Among others, the following FWD policies are installed on moon:

    src 10.3.0.1/32 dst 10.4.0.0/16 ... tmpl ...
    src 10.4.0.0/16 dst 10.3.0.1/32 ...
    src 10.4.0.1/32 dst 10.3.0.0/16 ... tmpl ...
    src 10.3.0.0/16 dst 10.4.0.1/32 ...

  Because the network prefixes are the same for all of these they all have the same priority. Due to that it depends on the install order which policy gets used. For instance, a packet from 10.3.0.1 to 10.4.0.1 will match the first as well as the last policy. However, when handling the inbound packet we have to use the first one as the packet will otherwise be dropped due to a template mismatch. And we can't install templates with the "outbound" FWD policies as that would prevent using different IPsec modes or e.g. IPComp on only one of multiple SAs.
  Instead we install the "outbound" FWD policies with a lower priority than the "inbound" FWD policies so the latter are preferred. But we use a higher priority than default drop policies would use (in case they'd be defined with the same subnets).
* vici list-conns sends reauthentication and rekeying time information (Andreas Steffen, 2016-05-04, 1 file changed, -1/+1)
* Implemented IPsec policies restricted to given network interface (Andreas Steffen, 2016-04-09, 1 file changed, -0/+4)
* Support manually-set IPsec policy priorities (Andreas Steffen, 2016-04-09, 1 file changed, -19/+40)
* child-sa: Install "outbound" FWD policy (Tobias Brunner, 2016-04-09, 1 file changed, -0/+16)
  If there is a DROP shunt that matches outbound forwarded traffic it would get dropped as the FWD policy we install only matches decrypted inbound traffic. That's because the Linux kernel first checks the FWD policies before looking up the OUT policy and SA to encrypt the packets.
* kernel: Use structs to pass information to the kernel-ipsec interface (Tobias Brunner, 2016-04-09, 1 file changed, -62/+189)
* Use standard unsigned integer types (Andreas Steffen, 2016-03-24, 1 file changed, -26/+26)
* libhydra: Move kernel interface to libcharon (Tobias Brunner, 2016-03-03, 1 file changed, -44/+38)
  This moves hydra->kernel_interface to charon->kernel.
* kernel-interface: Pass the same data to del_policy() that was passed to add_policy() (Tobias Brunner, 2015-11-10, 1 file changed, -87/+91)
  The additional data can be helpful to identify the exact policy to delete.
* child-sa: Fix refcounting of allocated reqids (Tobias Brunner, 2015-08-17, 1 file changed, -3/+12)
  During a rekeying we want to reuse the current reqid, but if the new SA does not allocate it via kernel-interface the state there will disappear when the old SA is destroyed after the rekeying. When the IKE_SA is later reauthenticated with make-before-break reauthentication the new CHILD_SAs there will get new reqids as no existing state is found in the kernel-interface, breaking policy installation in the kernel.
  Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")
* child-sa: Use any fixed reqid configured on the CHILD_SA config (Martin Willi, 2015-06-05, 1 file changed, -2/+2)
  Global reqid allocation (94eb09ac) broke fixed reqid allocation. Resupport them by bypassing allocation in the kernel if a fixed reqid has been configured.
  Fixes #976.
* Fixed some typos, courtesy of codespell (Tobias Brunner, 2015-03-25, 1 file changed, -1/+1)
* child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAs (Tobias Brunner, 2015-03-25, 1 file changed, -0/+1)
  This is needed to handle DELETEs properly, which was previously done via CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents reauthentication.
* child-sa: Remove policies before states to avoid acquire events for untrapped policies (Tobias Brunner, 2015-03-19, 1 file changed, -16/+16)
* kernel-interface: Add a separate "update" flag to add_sa() (Martin Willi, 2015-03-09, 1 file changed, -1/+1)
  The current "inbound" flag is used for two purposes: To define the actual direction of the SA, but also to determine the operation used for SA installation. If an SPI has been allocated, an update operation is required instead of an add.
  While the inbound flag normally defines the kind of operation required, this is not necessarily true in all cases. On the HA passive node, we install inbound SAs without prior SPI allocation.
* Revert "child-sa: Remove the obsolete update logic" (Martin Willi, 2015-03-09, 1 file changed, -1/+6)
  While the meaning of the "inbound" flag on the kernel_interface->add_sa() call is not very clear, we still need that update logic to allow installation of inbound SAs without SPI allocation. This is used in the HA plugin as a passive node.
  This reverts commit 698ed656.
* child-sa: Replace reqid based marks by "unique" marks (Martin Willi, 2015-02-20, 1 file changed, -4/+27)
  As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown).
  This also simplifies handling of reqid allocation, as we do not have to query the marks that are not yet assigned for an unknown reqid.
* child-sa: Introduce a unique CHILD_SA identifier (Martin Willi, 2015-02-20, 1 file changed, -0/+14)
  As the reqid is not that unique even among multiple IKE_SAs anymore, we need an identifier to uniquely identify a specific CHILD_SA instance.
* child-sa: Delegate reqid allocation to the kernel interface (Martin Willi, 2015-02-20, 1 file changed, -15/+46)
* child-sa: Sort traffic selectors after adding CHILD_SA policies (Martin Willi, 2015-02-20, 1 file changed, -0/+3)
  Having traffic selectors sorted properly makes comparing them much simpler.
* child-sa: Remove the obsolete update logic (Martin Willi, 2015-02-20, 1 file changed, -6/+1)
  The kernel backend uses an inbound parameter these days, where it makes no sense to pass the update flag. The kernel backend decides itself how it handles SA installation based on the inbound flag.
* kernel-interface: Pass full list of traffic selectors to add_sa() (Martin Willi, 2015-02-20, 1 file changed, -8/+6)
  While we can handle the first selector only in BEET mode in kernel-netlink, passing the full list gives the backend more flexibility how to handle this information.
* kernel-interface: Remove reqid parameter from get_spi/get_cpi() methods (Martin Willi, 2015-02-20, 1 file changed, -2/+2)
  The reqid is not strictly required, as we set the reqid with the update call when installing the negotiated SA. If we don't need a reqid at this stage, we can later allocate the reqid in the kernel backend once the SA parameters have been fully negotiated. This allows us to assign the same reqid for the same selectors to avoid conflicts on backends where this is necessary.
* child-sa: Introduce a CHILD_RETRYING state to detect DH group retries (Martin Willi, 2014-11-21, 1 file changed, -0/+1)
* child-sa: Set replay window on both inbound and outbound SA (Martin Willi, 2014-06-18, 1 file changed, -6/+2)
  While the outbound SA actually does not need a replay window, the kernel rejects zero replay windows on SAs using ESN. The ESN flag is required to use the full sequence number in ICV calculation, hence we set the replay window.
  This restores the behavior we had before 30c009c2.