| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
| |
option
The receive buffer size can already be changed via strongswan.conf if
necessary.
|
| |
|
|
| |
Fixes #1214.
|
| |
|
|
|
| |
Shunt policies don't have a reqid set, so we allow unequal reqids in
this particular case (i.e. if one of the reqids is 0).
|
| | |
|
| |
|
|
| |
entry
|
| |
|
|
|
|
|
| |
add_policy()
The additional data can be helpful to identify the exact policy to
delete.
|
| |
|
|
| |
This was used with pluto, which had its own policy tracking.
|
| |
|
|
|
|
| |
Obtained-from: pfSense
Sponsored-by: Rubicon Communications (Netgate)
Closes strongswan/strongswan#17.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
side
If only one traffic selector had a port (type/code) the other side had
the port mask set to 0, which canceled out the applied type/code.
It also fixes the installation of ICMP type/code on big-endian hosts.
Fixes #1091.
References #595.
|
| |
|
|
| |
References #595.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The next release of FreeBSD will support this.
While Linux defines constants for AES-GCM in pfkeyv2.h since 2.6.25 it
does not actually support it. When SAs are installed via PF_KEY only a
lookup in XFRM's list of encryption algorithms is done, but AES-GCM is in
a different table for AEAD algorithms (there is currently no lookup
function to find algorithms in that table via PF_KEY identifier).
|
| |
|
|
|
|
|
|
|
|
|
| |
certain mark
If the routing rule we use to direct traffic to our own routing table
excludes traffic with a certain mark (fwmark = !<mark>) we can simplify
the route lookup and avoid dumping all routes by passing the mark to the
request. That way our own routes are ignored and we get the preferred
route back without having to dump and analyze all routes, which is quite a
burden on hosts with lots of routes.
|
| |
|
|
| |
disabled
|
| |
|
|
|
|
|
|
|
|
| |
This may be the case when SAs are reestablished after a crash of the
IKE daemon.
We could actually always do updates. The kernel doesn't care, the only
difference is the possible EEXIST if XFRM_MSG_NEWPOLICY is used. The
advantage of not doing this, though, is that we get a warning in the log
if a policy already exists, as that should usually not be the case.
|
| |
|
|
|
| |
This may be the case when SAs are reestablished after a crash of the
IKE daemon.
|
| |
|
|
|
|
|
|
| |
The kernel uses NLMSG_GOODSIZE as default buffer size, which defaults to
the PAGE_SIZE if it is lower than 8192 or to that value otherwise.
In some cases (e.g. for dump messages) the kernel might use up to 16k
for messages, which might require increasing this value.
|
| |
|
|
|
|
| |
It might equal it and that's fine. With MSG_TRUNC we get the actual
message size and can only report an error if we haven't received the
complete message.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
We now properly manage thread verbosity in the test framework, and don't need
to silence thread spawning messages.
|
| |
|
|
|
| |
get_replay_state() always returns a replay_state_len when returning a
replay state, but GCC doesn't know about that.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is needed to fix usage stats sent via RADIUS Accounting if clients
use MOBIKE or e.g. the kernel notifies us about a changed NAT mapping.
The upper layers won't expect the stats to get reset if only the IPs have
changed (and some kernel interface might actually allow such updates
without reset).
It also fixes traffic based lifetimes in such situations.
Fixes #799.
|
| |
|
|
|
|
|
|
|
|
|
| |
The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.
While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.
|
| |
|
|
|
|
|
|
| |
If many requests are sent to the kernel the events generated by these
requests may fill the receive buffer before the daemon is able to read
these messages.
Fixes #783.
|
| |
|
|
|
|
|
|
| |
If a system uses routing metrics, we should honor them when doing (manual)
routing lookups for IKE. When enumerating routes, the kernel reports priorities
with the RTA_PRIORITY attribute, not RTA_METRICS. We prefer routes with a
lower priority value, and fall back to longest prefix match priorities if
the priority value is equal.
|
| | |
|
| | |
|
| |
|
|
| |
Since pluto is gone, all existing users build upon libcharon.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotaited. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends this is necessary.
|
| |
|
|
|
|
|
| |
On OS X 10.10, when installing a virtual IP on a tun device, there is a chance
that a RTM_IFANNOUNCE is sent before the IP is ready on that link when calling
getifaddrs(). As we don't get an RTM_NEWADDR event either, that race lets us
miss the virtual IP install event, failing the add_ip() call.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The FreeBSD and Mac OS X kernels interpret sadb_sa_replay as the size of the
replay window in bytes. Linux on the other hand does the same for PF_KEY it
does for XFRM so sadb_sa_replay denotes the number of packets/bits in the
window. Similarly, the window size on Linux is limited to 32 by the four
byte default bitmap used for IPsec SAs (may only be changed with
XFRMA_REPLAY_ESN_VAL), which is not the case on the other platforms.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As some backends over unreliable transport do not cache response messages,
retransmissions due the loss of responses perform the operation again. Add an
option to ignore some errors arising from such duplicate operations.
Note: This approach can't distinguish between real EXIST/NOTFOUND errors
and packet failures, and therefore is a source of race conditions and can't
detect any of these errors actually happening. Therefore that behavior is
disabled by default, and can be enabled with the ignore_retransmit_errors
strongswan.conf option.
To properly distinguish between real and retransmission errors, a Netlink
backend should implement retransmission detection using sequence numbers.
|
| | |
|
| |
|
|
|
| |
getsockopt(SO_PROTOCOL) is not supported before 2.6.32. Default to UDP if
either the SO_PROTOCOL define is missing or the syscall fails.
|
| |
|
|
|
|
| |
The socket based IKE bypass policies are usually superior, but not supported
on all networking stacks. The port based variant uses global policies for the
UDP ports we have IKE sockets for.
|
| |
|
|
|
|
| |
As under vanilla Linux the kernel can't handle parallel dump queries and returns
EBUSY, it makes not much sense to use them. Disable parallel queries by default
to basically restore original behavior, improving performance.
|
| |
|
|
|
|
|
|
| |
Besides that it can improve throughput, it avoids a deadlock situation. If
all threads are busy, watcher will invoke the FD notification for NEWADDR
events itself. If the lock is held, it gets locked up. As watcher is not
dispatching anymore, it can't signal Netlink socket send() completion, and
the send() operation does not return and keeps the lock.
|
| | |
|
| | |
|
| | |
|
