aboutsummaryrefslogtreecommitdiffstats
path: root/src/libhydra/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* kernel-netlink: Implement configurable Netlink request retransmissionMartin Willi2014-11-211-15/+86
|
* kernel-netlink: Add a stress test with several threads doing Netlink exchangesMartin Willi2014-11-211-0/+62
|
* kernel-netlink: Retry netlink query while kernel returns EBUSYMartin Willi2014-11-211-3/+37
| | | | | | If the kernel can't execute a Netlink query because a different query is already active, it returns EBUSY. As this can happen now as we support parallel queries, retry on this error condition.
* kernel-netlink: Support parallel Netlink queriesMartin Willi2014-11-211-74/+192
| | | | | | | | | | | | | | | | | | Instead of locking the socket exclusively to wait for replies, use watcher to wait for and read in responses asynchronously. This allows multiple parallel Netlink queries, which can significantly improve performance if the kernel Netlink layer has longer latencies and supports parallel queries. For vanilla Linux, parallel queries don't make much sense, as it usually returns EBUSY for the relevant dump requests. This requires a retry, and in the end makes queries more expensive under high load. Instead of checking the Netlink message sequence number to detect multi-part messages, this code now relies on the NLM_F_MULTI flag to detect them. This has previously been avoided (by 1d51abb7). It is unclear if the flag did not work correctly on very old Linux kernels, or if the flag was not used appropriately by strongSwan. The flag seems to work just fine back to 2.6.18, which is a kernel still in use by RedHat/CentOS 5.
* kernel-netlink: Add a simple send message test querying available linksMartin Willi2014-11-213-0/+70
|
* kernel-netlink: Add a stub for a test-runnerMartin Willi2014-11-214-0/+85
|
* kernel-pfroute: Check for RTM_IFANNOUNCE availabilityMartin Willi2014-10-141-0/+10
| | | | This message is not available on OS X.
* kernel-netlink: Define and use rtnetlink message typesMartin Willi2014-09-241-1/+22
|
* kernel-netlink: Pass protocol specific enum names to socket constructorMartin Willi2014-09-244-12/+13
| | | | | This avoid the hard dependency on enum names, and makes kernel_netlink_shared independent of kernel_netlink_ipsec.
* kernel-netlink: Clean up socket initialization, handle 0 as valid socket fdMartin Willi2014-09-241-9/+6
|
* kernel-netlink: Clean up response buffer managementMartin Willi2014-09-241-24/+16
|
* kernel-netlink: Use recv() instead of recvfrom()Martin Willi2014-09-241-11/+3
| | | | | As we are not interested in the returned address, there is really no need in passing that argument.
* kernel-netlink: Avoid casting the NLMSG_DATA() return valueMartin Willi2014-09-243-26/+26
| | | | There is really no need for doing so, and it makes the code just unreadable.
* kernel-netlink: Define netlink buffer as an union having a netlink headerMartin Willi2014-09-243-20/+23
| | | | | This allows us to streamline the netlink buffers, and avoid extensive casting.
* kernel-netlink: Optionally install protocol and ports on transport mode SAsTobias Brunner2014-09-121-6/+18
|
* kernel-netlink: Add global option to configure MSS-clamping on installed routesTobias Brunner2014-09-121-6/+26
|
* kernel-netlink: Add global option to set MTU on installed routesTobias Brunner2014-09-121-0/+19
|
* kernel-pfroute: Delete interfaces on RTM_IFANNOUNCE/IFAN_DEPARTURE eventsTobias Brunner2014-09-091-0/+38
| | | | | | | | | | | | We actually never deleted cached interfaces. So if the kernel reuses interface indices events for newly created interfaces could have been associated with interface objects of deactivated and deleted interfaces. Since we also didn't update the interface name when such an interface got reactivated we ended up using the old name e.g. to install routes. A trigger for this was the deletion and recreation of TUN devices during reauthentication of SAs that use virtual IPs.
* kernel-pfkey: Report packet counts of IPsec SAsTobias Brunner2014-09-091-2/+2
| | | | | | Seems that packet counts can be retrieved after all. At least the Linux and FreeBSD kernels treat the number of allocations as number of packets. We actually installed packet limits in that field already.
* kernel-pfroute: Fix kernel response handlingTobias Brunner2014-08-191-2/+3
| | | | | | | | | | | | | The condvar is signaled for every handled message received from the kernel not only for replies (this changed with 2a2d7a4dc8). This may cause segfaults because this->reply is not set when the waiting thread is woken due to an IP address change. Since this->reply is only set when it is actually the expected reply (and only one request is sent at a time, thanks to c9a323c1d9) we only have to make sure the reply is there (and clear it once we handled it). Using separate condvars could also be an option in the future.
* kernel-netlink: Rename algorithm identifier from cast128 to cast5Martin Willi2014-07-041-1/+1
| | | | | | | | | | | Even if the XFRM identifier was named cast128 in the kernel before 2.6.31, it actually never worked, because there is no such crypto algorithm. The identifier has been changed to cast5 in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=245acb87 to make it work, so we should use that. Fixes #633.
* kernel-pfkey: Use address in TS to determine interface for shunt routesTobias Brunner2014-06-261-6/+9
|
* kernel-pfkey: Use subnet and prefix when determining nexthop for shunt ↵Tobias Brunner2014-06-261-2/+12
| | | | | | policy routes This is basically the same as 88f125f5605e54b38cf8913df79e32ec6bddff10.
* kernel-pfkey: Install routes for shunt policiesTobias Brunner2014-06-261-4/+4
|
* kernel-netlink: Cast IPv6 address blobs to the proper typeTobias Brunner2014-06-241-3/+3
| | | | On Android these macros are defined as functions.
* kernel-netlink: Install virtual IPv6 addresses as deprecatedTobias Brunner2014-06-201-0/+11
| | | | | | | | This should prevent the kernel's IPv6 source address selection algorithm from using this address unless it is forced to by our source route. This is helpful if split tunneling is used. Fixes #598.
* kernel-netlink: Pass prefix when looking up next hop for shunt policiesTobias Brunner2014-06-191-1/+12
|
* kernel-netlink: Add support for destination prefix when determining next hopTobias Brunner2014-06-191-20/+35
|
* kernel-interface: Add destination prefix to get_nexthop()Tobias Brunner2014-06-194-5/+5
| | | | | This allows to determine the next hop to reach a subnet, for instance, when installing routes for shunt policies.
* kernel-pfkey: Add support for new policy priority classTobias Brunner2014-06-191-2/+5
|
* kernel-netlink: Add support for new policy priority classTobias Brunner2014-06-191-2/+5
|
* Remove kernel-klips pluginTobias Brunner2014-06-196-3157/+0
|
* kernel-netlink: Follow RFC 6724 when selecting IPv6 source addressesTobias Brunner2014-06-191-26/+170
| | | | | | | | Instead of using the first address we find on an interface we should consider properties like an address' scope or whether it is temporary or public. Fixes #543.
* kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windowsMartin Willi2014-06-181-1/+1
| | | | | | Trying to disable replay windows using the ESN attribute fails with EINVAL. Use non-ESN legacy format to disable replay windows, even if ESN has been negotiated over IKE.
* kernel-pfkey: Support connection specific replay window sizes up to 32 packetsMartin Willi2014-06-171-1/+1
|
* kernel-netlink: Support connection specific replay window sizesMartin Willi2014-06-171-39/+16
|
* kernel-interface: Add a replay_window parameter to add_sa()Martin Willi2014-06-173-9/+12
|
* plugins: Don't link with -rdynamic on WindowsMartin Willi2014-06-047-7/+7
|
* pfkey: Always include stdint.hTobias Brunner2014-05-191-1/+1
| | | | | | On some systems (e.g. on Debian/kFreeBSD) that header is required when including ipsec.h, on Linux we require it too when including pfkeyv2.h, so to simplify things we just always include it.
* kernel-klips: Pass a pointer to a properly sized integer for algorithm lookupMartin Willi2014-05-161-1/+1
|
* kernel-pfkey: Added IPComp supportFrancois ten Krooden2014-04-241-19/+138
| | | | | | - get_cpi function was implemented to retrieve a CPI from the kernel. - add_sa/update_sa/del_sa were updated to accommodate for IPComp SA. - Updated add_policy_internal to update the SPD to support IPComp.
* attr: Don't shift the 32-bit netmask by 32Tobias Brunner2014-04-091-3/+6
| | | | | | | | | | This is undefined behavior as per the C99 standard (sentence 1185): "If the value of the right operand is negative or is greater or equal to the width of the promoted left operand, the behavior is undefined." Apparently shifts may be done modulo the width on some platforms so a shift by 32 would not shift at all.
* kernel-pfroute: Let get_nexthop() default to destination addressTobias Brunner2014-03-311-3/+7
|
* attr: Silently skip over load optionTobias Brunner2014-02-121-0/+4
|
* libhydra: Use lib->ns instead of hydra->daemonTobias Brunner2014-02-127-26/+26
|
* attr-sql: Use namespace for attr-sql config, with fallbackTobias Brunner2014-02-122-2/+4
|
* kernel-pfroute: Don't cache route entries if installation failsTobias Brunner2014-02-121-2/+5
|
* kernel-netlink: Don't cache route entries if installation failsTobias Brunner2014-02-121-2/+5
| | | | Fixes #500.
* kernel-netlink: Set selector on transport mode IPComp SAsTobias Brunner2014-01-231-1/+1
|
* kernel-netlink: Selectively add selector on SAs that use IPCompTobias Brunner2014-01-231-1/+7
| | | | | | Don't add a selector to tunnel mode SAs, these might serve multiple traffic selectors but with only one selector on the SA only the traffic matching the first one would actually get tunneled.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-02 19:40:57 +0000