aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* Reuse reqid for trap policies installed for dpd|closeaction=holdTobias Brunner2013-07-017-8/+11
|
* dhcp: Use chunk_hash_static() to calculate ID-based MAC addressesTobias Brunner2013-06-281-1/+1
|
* stroke: Changed how proto/port are specified in left|rightsubnetTobias Brunner2013-06-281-1/+8
| | | | Using a colon as separator conflicts with IPv6 addresses.
* plugin-loader: Removed unused path argument of load() methodTobias Brunner2013-06-281-1/+1
| | | | | Multiple additional search paths can be added with the add_path() method.
* tnc-pdp: Initialize TNC-PDP in plugin callback with proper dependenciesTobias Brunner2013-06-271-6/+25
|
* capabilities: CAP_CHOWN might be required by many plugins opening UNIX socketsTobias Brunner2013-06-258-0/+48
| | | | | But as the sockets will be created with the user/group of the running process this might not be required as no change may be needed.
* farp: Require CAP_NET_RAW capability to open AF_PACKET socketTobias Brunner2013-06-251-0/+6
|
* dhcp: Require CAP_NET_BIND_SERVICE and CAP_NET_RAW to open/bind socketsTobias Brunner2013-06-251-0/+11
|
* socket-default: Require CAP_NET_BIND_SERVICE for ports < 1024Tobias Brunner2013-06-251-0/+12
| | | | | Since we don't know which ports are used with socket-dynamic we can't demand the capability there, but it might still be required.
* capabilities: Only plugins that require CAP_NET_ADMIN demand itTobias Brunner2013-06-252-10/+7
| | | | The daemon as such does not require this capability.
* capabilities: Move global capabilities_t instance to libstrongswanTobias Brunner2013-06-2512-28/+20
|
* capabilities: Ensure required capabilities are actually held by the process/userTobias Brunner2013-06-252-5/+13
|
* ikev2: keep the CHILD_SA we delete as initiator in the list to destroyMartin Willi2013-06-251-6/+5
| | | | | If the responder not correctly send the correct protocol or SPI in the delete response, we should remove the CHILD_SA regardless.
* unit-tester: RSA test was removedTobias Brunner2013-06-241-1/+0
|
* Aligned AR Identity types to IF-IMV 1.4 R5 draftAndreas Steffen2013-06-242-3/+3
|
* Added soft dependency on database pluginAndreas Steffen2013-06-211-0/+1
|
* add overall recommendation to session database entryAndreas Steffen2013-06-211-0/+8
|
* used tnc_policy_update functions for default policyAndreas Steffen2013-06-211-47/+5
|
* osx-attr: add plugin installing config attributes using SystemConfigurationMartin Willi2013-06-216-0/+464
| | | | | Currently installs DNS servers only, by prepending IP addresses to the DNS configuration of the primary networking service.
* kernel-libipsec: Ignore failures when installing routes for multicast or ↵Tobias Brunner2013-06-211-1/+23
| | | | broadcast policies
* ike: Force NAT-T/UDP encapsulation if kernel interface requires itTobias Brunner2013-06-212-5/+32
|
* kernel-libipsec: Add a feature to request UDP encapsulation of ESP packetsTobias Brunner2013-06-211-0/+7
|
* kernel-libipsec: Install a gateway for routes on platforms other than LinuxTobias Brunner2013-06-211-9/+26
| | | | This seems required e.g. on FreeBSD but doesn't work on Linux.
* kernel-libipsec: Router reads packets from multiple TUN devicesTobias Brunner2013-06-214-16/+268
| | | | These devices are collected via kernel_listener_t interface.
* kernel-libipsec: Use separate class to route packets between charon, ↵Tobias Brunner2013-06-214-74/+188
| | | | libipsec and TUN device
* kernel-libipsec: Track policies and automatically install routesTobias Brunner2013-06-211-5/+455
| | | | | | | | The routes direct traffic matching the remote traffic selector to the TUN device. If the remote traffic selector includes the IKE peer a very specific route is installed to allow IKE traffic.
* kernel-libipsec: Handle packets between charon socket, libipsec and TUN deviceTobias Brunner2013-06-211-0/+85
|
* kernel-libipsec: Create a TUN device and use it to install virtual IPsTobias Brunner2013-06-212-0/+40
|
* kernel-libipsec: Add plugin that implements kernel_ipsec_t using libipsecTobias Brunner2013-06-216-0/+392
|
* plugin-loader: Add method to print loaded plugins on a given log levelTobias Brunner2013-06-211-2/+0
|
* Fix crash if the initiator has no suitable proposal availableTobias Brunner2013-06-211-0/+5
| | | | Could be triggered with a typo in the ike or esp options when ! is used.
* unit-tester: remove obsolete rsa_gen test, now covered in unit-testsMartin Willi2013-06-213-122/+0
|
* ikev2: use protocol of selected proposal to delete a failed CHILD_SAMartin Willi2013-06-201-2/+2
| | | | Depending on the failure, the protocol might not yet be set on the CHILD_SA.
* stroke: support %dynamic in left/rightsubnet for dynamic selectorsMartin Willi2013-06-191-2/+10
| | | | | | | This has the same meaning as omitting left/rightsubnet, i.e. replace it by the IKE address. Supporting %dynamic allows configurations with multiple dynamic selectors in a left/rightsubnet, each with potentially different proto/port selectors.
* stroke: support a specific proto/port for each net defined in left/rightsubnetMartin Willi2013-06-191-3/+105
|
* ikev2: properly fall back to tunnel mode if transport/BEET mode not configuredMartin Willi2013-06-191-2/+8
|
* ikev2: support transport mode over NATMartin Willi2013-06-191-36/+150
|
* ike: reuse the reqid of an installed trap having the same configMartin Willi2013-06-191-1/+5
| | | | | | | When we have a trap installed, but a CHILD_SA gets established for the same config from the peer, we should reuse the same reqid. Otherwise we would have two identical policies using different reqids, what we can't handle in our kernel backend.
* trap-manager: add a method to find reqid for installed traps by configMartin Willi2013-06-192-2/+38
|
* trap-manager: don't check-in nonexisting IKE_SA if acquire failsMartin Willi2013-06-191-2/+1
|
* trap-manager: fix a memleak when installing a trap to %anyMartin Willi2013-06-191-0/+1
|
* stroke: add exportconn{cert,chain} commands in addition to exportx509Martin Willi2013-06-191-6/+65
| | | | | The new commands either export a single end entity certificate or the full trust chain for a specific connection name.
* Raise an alert if the responding peer narrowed traffic selectorsMartin Willi2013-06-192-7/+28
|
* dhcp: search for transactions only for connections having a poolname "dhcp"Martin Willi2013-06-181-1/+6
| | | | | | When a connection has a single pool that queries recursively the DHCP backend, we shouldn't return any attributes directly from DHCP when queried for that pool.
* socket-default: Make sure sockets are open when checking with FD_ISSETTobias Brunner2013-06-141-4/+4
|
* socket-default: Properly initialize NAT-T port if opening regular socket failedTobias Brunner2013-06-141-1/+2
|
* Use subset matching instead of is_contained_in() to select a child_cfgMartin Willi2013-06-131-4/+8
| | | | | | | If one selector has a wider IP range than the other, but the other has a wider port/protocol selector than the first one, none is completely contained in the other. The check for a match using is_contained_in() therefore would fail. Using get_subset() can handle such cases, fixing configuration selection.
* ha: Fix CHILD_SA installation in ha_dispatcher after adding initiator flagTobias Brunner2013-06-131-4/+8
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-115-22/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* Use ref_get() to make sure IKE_SA unique IDs are uniqueMartin Willi2013-06-111-2/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 14:41:53 +0000