| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
The kernel policy now considers src and dst port masks as well as
restictions to a given network interface. The base priority is
100'000 for passthrough shunts, 200'000 for IPsec policies,
300'000 for IPsec policy traps and 400'000 for fallback drop shunts.
The values 1..30'000 can be used for manually set priorities.
|
| |
|
|
| |
list-conn command
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
If there is a default drop policy forwarded traffic might otherwise not
be allowed by a specific passthrough policy (while local traffic is
allowed).
|
| |
|
|
|
|
|
| |
This allows two CHILD_SAs with reversed subnets to install two FWD
policies each. Since the outbound policy won't have a reqid set we will
end up with the two inbound FWD policies installed in the kernel, with
the correct templates to allow decrypted traffic.
|
| |
|
|
|
|
| |
We can't set a template on the outbound FWD policy (or we'd have to make
it optional). Because if the traffic does not come from another (matching)
IPsec tunnel it would get dropped due to the template mismatch.
|
| |
|
|
|
|
|
| |
If there is a DROP shunt that matches outbound forwarded traffic it
would get dropped as the FWD policy we install only matches decrypted
inbound traffic. That's because the Linux kernel first checks the FWD
policies before looking up the OUT policy and SA to encrypt the packets.
|
| |
|
|
|
|
| |
This allows us to install more than one FWD policy. We already do this
in the kernel-pfkey plugin (there the original reason was that not all
kernels support FWD policies).
|
| | |
|
| |
|
|
| |
Closes strongswan/strongswan#40.
|
| | |
|
| |
|
|
|
|
|
| |
Or the invoked script will get a broken value when `mark=%unique` is
used in a configuration.
Closes strongswan/strongswan#37.
|
| |
|
|
| |
Fixes #1365.
|
| |
|
|
| |
Not really relevant, just to make sure both file lists are the same.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
was called
A thread might check out a new IKE_SA via checkout_new() or
checkout_by_config() and start initiating it while the daemon is
terminating and the IKE_SA manager is flushed by the main thread.
That SA is not tracked yet so the main thread is not waiting for it and
the other thread is able to check it in and creating an entry after flush()
already terminated causing a memory leak.
Fixes #1348.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
| |
References #1347.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running or undoing start actions might require enumerating IKE_SAs,
which in turn might have to enumerate peer configs concurrently, which
requires acquiring a read lock. So if we keep holding the write lock while
enumerating the SAs we provoke a deadlock.
By preventing other threads from acquiring the write lock while handling
actions, and thus preventing the modification of the configs, we largely
maintain the current synchronous behavior. This way we also don't need to
acquire additional refs for config objects as they won't get modified/removed.
Fixes #1185.
|
| | |
|
| |
|
|
|
|
| |
Same as the change in the connmark plugin.
References #1229.
|
| |
|
|
|
|
|
|
|
| |
This allows e.g. modified versions of xl2tpd to set the mark in
situations where two clients are using the same source port behind the
same NAT, which CONNMARK can't restore properly as only one conntrack entry
will exist with the mark set to that of the client that sent the last packet.
Fixes #1230.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
By settings a matchmask that covers the complete rule we ensure that the
correct rule is deleted (i.e. matches and targets with potentially different
marks are also compared).
Since data after the passed pointer is actually dereferenced when
comparing we definitely have to pass an array that is at least as long as
the ipt_entry.
Fixes #1229.
|
| | |
|
| |
|
|
| |
Numerically configured attributes are currently sent for both versions.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
addresses
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do these checks after the SA is fully established.
When establishing an SA the responder is always able to install the
CHILD_SA created with the IKE_SA before the initiator can do so.
During make-before-break reauthentication this could cause traffic sent
by the responder to get dropped if the installation of the SA on the
initiator is delayed e.g. by OCSP/CRL checks.
In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g.
with rightsubnet=0.0.0.0/0) the initiator is unable to reach them during
make-before-break reauthentication as it wouldn't be able to decrypt the
response that the responder sends using the new CHILD_SA.
By delaying the revocation checks until the make-before-break
reauthentication is completed we avoid the problems described above.
Since this only affects reauthentication, not the original IKE_SA, and the
delay until the checks are performed is usually not that long this
doesn't impose much of a reduction in the overall security.
|
| |
|
|
|
|
| |
On failure the SA is deleted and reestablished as configured. The task
is activated after the REAUTH_COMPLETE task so a make-before-break reauth
is completed before the new SA might get torn down.
|
| | |
|
| |
|
|
| |
We also update the auth config so the constraints are not enforced.
|
| |
|
|
| |
IKE_SA
|
| | |
|
| |
|
|
| |
enumerator
|
| |
|
|
| |
This also leaves unmodified configs as they are.
|
| | |
|
| | |
|
| |
|
|
| |
This also compares the complete lists not only the first two items.
|
| | |
|
