| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
We now properly manage thread verbosity in the test framework, and don't need
to silence thread spawning messages.
|
| |
|
|
|
| |
get_replay_state() always returns a replay_state_len when returning a
replay state, but GCC doesn't know about that.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is needed to fix usage stats sent via RADIUS Accounting if clients
use MOBIKE or e.g. the kernel notifies us about a changed NAT mapping.
The upper layers won't expect the stats to get reset if only the IPs have
changed (and some kernel interface might actually allow such updates
without reset).
It also fixes traffic based lifetimes in such situations.
Fixes #799.
|
| |
|
|
|
|
|
|
|
|
|
| |
The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.
While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.
|
| |
|
|
|
|
|
|
| |
If many requests are sent to the kernel the events generated by these
requests may fill the receive buffer before the daemon is able to read
these messages.
Fixes #783.
|
| |
|
|
|
|
|
|
| |
If a system uses routing metrics, we should honor them when doing (manual)
routing lookups for IKE. When enumerating routes, the kernel reports priorities
with the RTA_PRIORITY attribute, not RTA_METRICS. We prefer routes with a
lower priority value, and fall back to longest prefix match priorities if
the priority value is equal.
|
| | |
|
| | |
|
| |
|
|
| |
Since pluto is gone, all existing users build upon libcharon.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotaited. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends this is necessary.
|
| |
|
|
|
|
|
| |
On OS X 10.10, when installing a virtual IP on a tun device, there is a chance
that a RTM_IFANNOUNCE is sent before the IP is ready on that link when calling
getifaddrs(). As we don't get an RTM_NEWADDR event either, that race lets us
miss the virtual IP install event, failing the add_ip() call.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The FreeBSD and Mac OS X kernels interpret sadb_sa_replay as the size of the
replay window in bytes. Linux on the other hand does the same for PF_KEY it
does for XFRM so sadb_sa_replay denotes the number of packets/bits in the
window. Similarly, the window size on Linux is limited to 32 by the four
byte default bitmap used for IPsec SAs (may only be changed with
XFRMA_REPLAY_ESN_VAL), which is not the case on the other platforms.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As some backends over unreliable transport do not cache response messages,
retransmissions due the loss of responses perform the operation again. Add an
option to ignore some errors arising from such duplicate operations.
Note: This approach can't distinguish between real EXIST/NOTFOUND errors
and packet failures, and therefore is a source of race conditions and can't
detect any of these errors actually happening. Therefore that behavior is
disabled by default, and can be enabled with the ignore_retransmit_errors
strongswan.conf option.
To properly distinguish between real and retransmission errors, a Netlink
backend should implement retransmission detection using sequence numbers.
|
| | |
|
| |
|
|
|
| |
getsockopt(SO_PROTOCOL) is not supported before 2.6.32. Default to UDP if
either the SO_PROTOCOL define is missing or the syscall fails.
|
| |
|
|
|
|
| |
The socket based IKE bypass policies are usually superior, but not supported
on all networking stacks. The port based variant uses global policies for the
UDP ports we have IKE sockets for.
|
| |
|
|
|
|
| |
As under vanilla Linux the kernel can't handle parallel dump queries and returns
EBUSY, it makes not much sense to use them. Disable parallel queries by default
to basically restore original behavior, improving performance.
|
| |
|
|
|
|
|
|
| |
Besides that it can improve throughput, it avoids a deadlock situation. If
all threads are busy, watcher will invoke the FD notification for NEWADDR
events itself. If the lock is held, it gets locked up. As watcher is not
dispatching anymore, it can't signal Netlink socket send() completion, and
the send() operation does not return and keeps the lock.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
If the kernel can't execute a Netlink query because a different query is already
active, it returns EBUSY. As this can happen now as we support parallel queries,
retry on this error condition.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of locking the socket exclusively to wait for replies, use watcher
to wait for and read in responses asynchronously. This allows multiple parallel
Netlink queries, which can significantly improve performance if the kernel
Netlink layer has longer latencies and supports parallel queries.
For vanilla Linux, parallel queries don't make much sense, as it usually returns
EBUSY for the relevant dump requests. This requires a retry, and in the end
makes queries more expensive under high load.
Instead of checking the Netlink message sequence number to detect multi-part
messages, this code now relies on the NLM_F_MULTI flag to detect them. This
has previously been avoided (by 1d51abb7). It is unclear if the flag did not
work correctly on very old Linux kernels, or if the flag was not used
appropriately by strongSwan. The flag seems to work just fine back to 2.6.18,
which is a kernel still in use by RedHat/CentOS 5.
|
| | |
|
| | |
|
| |
|
|
| |
This message is not available on OS X.
|
| | |
|
| |
|
|
|
| |
This avoid the hard dependency on enum names, and makes kernel_netlink_shared
independent of kernel_netlink_ipsec.
|
| | |
|
| | |
|
| |
|
|
|
| |
As we are not interested in the returned address, there is really no need
in passing that argument.
|
| |
|
|
| |
There is really no need for doing so, and it makes the code just unreadable.
|
| |
|
|
|
| |
This allows us to streamline the netlink buffers, and avoid extensive
casting.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We actually never deleted cached interfaces. So if the kernel reuses
interface indices events for newly created interfaces could have been
associated with interface objects of deactivated and deleted interfaces.
Since we also didn't update the interface name when such an interface
got reactivated we ended up using the old name e.g. to install routes.
A trigger for this was the deletion and recreation of TUN devices during
reauthentication of SAs that use virtual IPs.
|
| |
|
|
|
|
| |
Seems that packet counts can be retrieved after all. At least the Linux
and FreeBSD kernels treat the number of allocations as number of packets.
We actually installed packet limits in that field already.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The condvar is signaled for every handled message received from the
kernel not only for replies (this changed with 2a2d7a4dc8). This may
cause segfaults because this->reply is not set when the waiting thread is
woken due to an IP address change.
Since this->reply is only set when it is actually the expected reply (and
only one request is sent at a time, thanks to c9a323c1d9) we only have
to make sure the reply is there (and clear it once we handled it).
Using separate condvars could also be an option in the future.
|
| |
|
|
|
|
|
|
|
|
|
| |
Even if the XFRM identifier was named cast128 in the kernel before 2.6.31, it
actually never worked, because there is no such crypto algorithm.
The identifier has been changed to cast5 in
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=245acb87
to make it work, so we should use that.
Fixes #633.
|
