aboutsummaryrefslogtreecommitdiffstats
path: root/src/libhydra/plugins/kernel_netlink
Commit message (Collapse)AuthorAgeFilesLines
...
* Let kernel interfaces decide how to enable UDP decapsulation of ESP packets.Tobias Brunner2012-08-081-0/+28
|
* Centralized thread cancellation in processor_tTobias Brunner2012-06-252-24/+8
| | | | | | | | | | This ensures that no threads are active when plugins and the rest of the daemon are unloaded. callback_job_t was simplified a lot in the process as its main functionality is now contained in processor_t. The parent-child relationships were abandoned as these were only needed to simplify job cancellation.
* Fixed IPv6 source address lookupTobias Brunner2012-06-251-5/+43
| | | | | | | | | | | | | Because Linux kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes we didn't use NLM_F_DUMP to get all routes. Still routes installed with policies are installed also for IPv6. So since only one route is returned without DUMP, and we ignore all routes from our own routing table, no source address was found during roaming if DST of the installed route included the IKE peer. With newer kernels we can now use DUMP as we did for IPv4 already, for older kernels we do so if our own routes are installed in a separate routing table, otherwise we still use GET.
* NLM_F_DUMP includes NLM_F_ROOT.Tobias Brunner2012-06-151-1/+1
|
* Don't create roam jobs based on cached/cloned routes.Tobias Brunner2012-06-151-0/+4
|
* Don't compare ports when comparing cached routes.Tobias Brunner2012-06-152-4/+4
| | | | At least src_ip has a port set sometimes.
* Disabled listening for kernel events in starter.Tobias Brunner2012-06-082-45/+64
|
* Destroy Netlink socket only after deleting remaining source routes.Tobias Brunner2012-05-211-2/+1
|
* Fix route reinstallation if preferred source IP is not on outgoing interface.Tobias Brunner2012-05-071-30/+18
|
* Route reinstallation in kernel_ipsec_t implementations is not needed anymore.Tobias Brunner2012-05-021-6/+1
|
* Reinstall routes in kernel-netlink plugin, if interfaces get reactivated or ↵Tobias Brunner2012-05-021-4/+206
| | | | IPs reappear.
* Keep track of installed source routes in kernel-netlink plugin.Tobias Brunner2012-05-021-8/+141
|
* Use single DBG2 statements in kernel_netlink plugin (i.e. ignore mark.value).Tobias Brunner2012-03-271-86/+26
|
* Merge branch 'ikev1-clean' into ikev1-masterMartin Willi2012-03-202-22/+24
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: configure.in man/ipsec.conf.5.in src/libcharon/daemon.c src/libcharon/plugins/eap_ttls/eap_ttls_peer.c src/libcharon/plugins/eap_radius/eap_radius_accounting.c src/libcharon/plugins/eap_radius/eap_radius_forward.c src/libcharon/plugins/farp/farp_listener.c src/libcharon/sa/ike_sa.c src/libcharon/sa/keymat.c src/libcharon/sa/task_manager.c src/libcharon/sa/trap_manager.c src/libstrongswan/plugins/x509/x509_cert.c src/libstrongswan/utils.h Applied lost changes of moved files keymat.c and task_manager.c. Updated listener_t.message hook signature in new plugins.
| * Be less verbose when deleting SAs triggered by a hard expireMartin Willi2012-03-202-22/+24
| |
* | Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.Tobias Brunner2012-02-271-3/+21
| | | | | | | | This requires a Linux kernel >= 2.6.33.
* | Always unlock mutex for installed policies in kernel-netlink plugin.Thomas Egerer2011-12-141-1/+5
| |
* | Fix copy'n'paste error in libhydra's netlink interfaceThomas Jarosch2011-11-211-1/+1
| | | | | | | | Detected by cppcheck.
* | Fix network interface deletion handling in kernel-netlink plugin.Mirko Parthey2011-11-141-3/+7
|/ | | | | | | | | | | | | | | | | | When the kernel reports the deletion of an interface (RTM_DELLINK), the cached interface attributes, including ifindex, become invalid and must be forgotten. Interface link state changes ("up" and "down") show up as RTM_NEWLINK, so they will not cause a cached entry to be removed or prevent listening to address change notifications. Once an interface has been deleted, the kernel ought to stop sending notifications for it. If the interface gets recreated with the same name later, the kernel again reports RTM_NEWLINK, which causes a new cache entry to be created. There should be no reason to keep a stale cache entry around, as was claimed in the comment.
* Memwipe request after sa update, tooThomas Egerer2011-11-041-0/+1
|
* Extend xfrm_attr_type_names by newly added enum valuesThomas Egerer2011-11-041-2/+6
|
* Silently install route again, even if it did not change.Tobias Brunner2011-11-041-1/+6
| | | | | Address/interface changes can cause the route to disappear. Afterwards the route might look the same but that does not mean it is still installed.
* Compile warning fixed in kernel interfaces.Tobias Brunner2011-11-041-1/+1
|
* Implemented flushing of states and policies via XFRM.Tobias Brunner2011-10-211-0/+56
|
* Add features support to kernel-netlink pluginMartin Willi2011-10-141-9/+14
|
* Check for RTA_TABLE in configure.Tobias Brunner2011-10-041-0/+2
|
* Migrated netlink_socket to INIT/METHOD macrosAndreas Steffen2011-09-291-23/+18
|
* Disable policy history for pluto.4.5.3Tobias Brunner2011-08-021-21/+46
| | | | pluto tracks usage of policies already in its own way.
* Allow routing table IDs > 255 when filtering them.Tobias Brunner2011-07-291-3/+10
|
* Install fallback drop policies to avoid transmitting unencrypted packets.Tobias Brunner2011-07-271-0/+3
| | | | | | | During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy is first uninstalled and then the new one is installed. In the short time in between, where no policy is available in the kernel, unencrypted packets could have been transmitted.
* Remove policies in kernel interfaces based on their priority.Tobias Brunner2011-07-271-15/+32
| | | | | | This allows to unroute a connection while the same connection is currently established. In this case both CHILD_SAs share the same reqid but the installed policies have different priorities.
* removed stray codeAndreas Steffen2011-07-181-2/+1
|
* added log and status output for ESNAndreas Steffen2011-07-161-1/+5
|
* Simplified destruction of policy_sa_t objects in Netlink interface.Tobias Brunner2011-07-061-12/+7
|
* Some code cleanup in Netlink kernel interface.Tobias Brunner2011-07-061-108/+119
|
* Reduce memory usage of policy history caching.Tobias Brunner2011-07-061-131/+270
| | | | | Only cache data as needed (e.g. traffic selectors only for forward policies) and at most once for each IPsec SA.
* Keep the mutex locked as long as possible when deleting policies.Tobias Brunner2011-07-061-61/+57
| | | | | | | | | This change tries to prevent a race condition where a thread tries to install the same policy another thread is currently deleting. If the second thread releases the mutex in del_policy too early the first thread could assume the policy does not exist (as it is not cached anymore) but would not be able to actually install it if the second thread was not yet able to delete it.
* Properly unlock the policy if no change in the kernel is required.Tobias Brunner2011-07-061-0/+1
|
* Make sure access to policy is thread-safe during installation of route.Tobias Brunner2011-07-061-2/+17
|
* Replaced simple iterator usages.Tobias Brunner2011-07-061-5/+5
|
* Record the history of a policy installed in the kernel.Tobias Brunner2011-07-061-141/+317
| | | | | | | This allows to properly delete a policy e.g. if reauth=yes and auto=route, because reqids are increased during reauthentication. It also avoids overriding an installed policy with a trap policy.
* Add the reqid to kernel_ipsec_t.del_policy.Tobias Brunner2011-07-061-2/+2
|
* Use CRITICAL job priority class for long running dispatcher jobsMartin Willi2011-05-162-4/+4
|
* Return correct status code in kernel_netlink_ipsec_t.query_sa.Tobias Brunner2011-05-101-1/+1
|
* Wipe memory after using key material (incomplete, to be continued)Martin Willi2011-05-091-19/+29
|
* Copy ESN enabled replay state during update_sa, if supportedMartin Willi2011-04-201-48/+77
|
* Add ESN support to kernel netlink plugin, including custom replay windowsMartin Willi2011-04-201-3/+47
|
* Added an esn parameter to the kernel interface add_sa functionsMartin Willi2011-04-201-2/+2
|
* Properly copy interface name if unknown.Tobias Brunner2011-04-191-1/+1
| | | | | We use a static string if the interface name is unknown, so using memcpy with IFNAMSIZ is incorrect as that would overrun the static string.
* Added a (not yet implemented) plugin_t method to reload plugin configurationMartin Willi2011-04-151-0/+1
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-28 04:56:07 +0000