aboutsummaryrefslogtreecommitdiffstats
path: root/src/libhydra
Commit message (Collapse)AuthorAgeFilesLines
* kernel-pfkey: Use address in TS to determine interface for shunt routesTobias Brunner2014-06-261-6/+9
|
* kernel-pfkey: Use subnet and prefix when determining nexthop for shunt ↵Tobias Brunner2014-06-261-2/+12
| | | | | | policy routes This is basically the same as 88f125f5605e54b38cf8913df79e32ec6bddff10.
* kernel-pfkey: Install routes for shunt policiesTobias Brunner2014-06-261-4/+4
|
* kernel-netlink: Cast IPv6 address blobs to the proper typeTobias Brunner2014-06-241-3/+3
| | | | On Android these macros are defined as functions.
* kernel-netlink: Install virtual IPv6 addresses as deprecatedTobias Brunner2014-06-201-0/+11
| | | | | | | | This should prevent the kernel's IPv6 source address selection algorithm from using this address unless it is forced to by our source route. This is helpful if split tunneling is used. Fixes #598.
* kernel-netlink: Pass prefix when looking up next hop for shunt policiesTobias Brunner2014-06-191-1/+12
|
* kernel-netlink: Add support for destination prefix when determining next hopTobias Brunner2014-06-191-20/+35
|
* kernel-interface: Add destination prefix to get_nexthop()Tobias Brunner2014-06-197-9/+14
| | | | | This allows to determine the next hop to reach a subnet, for instance, when installing routes for shunt policies.
* kernel-pfkey: Add support for new policy priority classTobias Brunner2014-06-191-2/+5
|
* kernel-netlink: Add support for new policy priority classTobias Brunner2014-06-191-2/+5
|
* Remove kernel-klips pluginTobias Brunner2014-06-197-3164/+0
|
* kernel-netlink: Follow RFC 6724 when selecting IPv6 source addressesTobias Brunner2014-06-191-26/+170
| | | | | | | | Instead of using the first address we find on an interface we should consider properties like an address' scope or whether it is temporary or public. Fixes #543.
* kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windowsMartin Willi2014-06-181-1/+1
| | | | | | Trying to disable replay windows using the ESN attribute fails with EINVAL. Use non-ESN legacy format to disable replay windows, even if ESN has been negotiated over IKE.
* kernel-pfkey: Support connection specific replay window sizes up to 32 packetsMartin Willi2014-06-171-1/+1
|
* kernel-netlink: Support connection specific replay window sizesMartin Willi2014-06-171-39/+16
|
* kernel-interface: Add a replay_window parameter to add_sa()Martin Willi2014-06-176-13/+22
|
* kernel-interface: Add a flag to indicate no policy updates requiredMartin Willi2014-06-041-0/+2
|
* plugins: Don't link with -rdynamic on WindowsMartin Willi2014-06-047-7/+7
|
* windows: Link libhydra against Winsock2Martin Willi2014-06-041-0/+4
|
* pfkey: Always include stdint.hTobias Brunner2014-05-191-1/+1
| | | | | | On some systems (e.g. on Debian/kFreeBSD) that header is required when including ipsec.h, on Linux we require it too when including pfkeyv2.h, so to simplify things we just always include it.
* enum: Don't directly include enum.hMartin Willi2014-05-161-1/+1
| | | | | To allow enum.h to depend on utils.h definitions, avoid its direct inclusion. Instead include utils.h, which includes enum.h as well.
* kernel-klips: Pass a pointer to a properly sized integer for algorithm lookupMartin Willi2014-05-161-1/+1
|
* kernel-pfkey: Added IPComp supportFrancois ten Krooden2014-04-241-19/+138
| | | | | | - get_cpi function was implemented to retrieve a CPI from the kernel. - add_sa/update_sa/del_sa were updated to accommodate for IPComp SA. - Updated add_policy_internal to update the SPD to support IPComp.
* attr: Don't shift the 32-bit netmask by 32Tobias Brunner2014-04-091-3/+6
| | | | | | | | | | This is undefined behavior as per the C99 standard (sentence 1185): "If the value of the right operand is negative or is greater or equal to the width of the promoted left operand, the behavior is undefined." Apparently shifts may be done modulo the width on some platforms so a shift by 32 would not shift at all.
* kernel-pfroute: Let get_nexthop() default to destination addressTobias Brunner2014-03-311-3/+7
|
* attr: Silently skip over load optionTobias Brunner2014-02-121-0/+4
|
* libhydra: Remove unused hydra->daemonTobias Brunner2014-02-122-13/+3
|
* libhydra: Use lib->ns instead of hydra->daemonTobias Brunner2014-02-129-29/+29
|
* attr-sql: Use namespace for attr-sql config, with fallbackTobias Brunner2014-02-122-2/+4
|
* kernel-pfroute: Don't cache route entries if installation failsTobias Brunner2014-02-121-2/+5
|
* kernel-netlink: Don't cache route entries if installation failsTobias Brunner2014-02-121-2/+5
| | | | Fixes #500.
* kernel-netlink: Set selector on transport mode IPComp SAsTobias Brunner2014-01-231-1/+1
|
* kernel-netlink: Selectively add selector on SAs that use IPCompTobias Brunner2014-01-231-1/+7
| | | | | | Don't add a selector to tunnel mode SAs, these might serve multiple traffic selectors but with only one selector on the SA only the traffic matching the first one would actually get tunneled.
* kernel-netlink: Enable TFC padding only for tunnel mode ESP SAsTobias Brunner2013-11-191-2/+2
| | | | | | | The kernel does not allow them for transport mode SAs or IPComp SAs (and of course not for AH SAs). Fixes #446.
* android: Remove dependency on libvstrTobias Brunner2013-11-131-1/+0
|
* kernel-netlink: Check existence of linux/fib_rules.h, don't include it in ↵Tobias Brunner2013-10-181-1/+8
| | | | | | distribution This reverts commit b0761f1f0a5abd225edc291c8285f99a538e6a66.
* kernel-pfkey: Install ICMP[v6] type/code as expected by the Linux kernelTobias Brunner2013-10-171-19/+52
|
* kernel-netlink: Convert ports in acquires to ICMP[v6] type and codeTobias Brunner2013-10-171-3/+8
|
* kernel-netlink: Properly install policies with ICMP[v6] types and codesTobias Brunner2013-10-171-1/+12
|
* kernel-netlink: Allow setting firewall marks on routing ruleTobias Brunner2013-10-111-0/+20
|
* attr-sql: Use a serializable transaction when inserting identitiesTobias Brunner2013-10-111-12/+5
|
* pool: Move the pool utility to its own directory in srcTobias Brunner2013-10-117-2232/+1
|
* attr-sql: Handle concurrent insertion of identitiesTobias Brunner2013-10-111-2/+12
| | | | | | | | | If the same identity is added concurrently by two threads (or by the pool utility) INSERT might fail even though the SELECT was unsuccessful before. We are currently not able to lock the identities table in a portable way (something like SELECT ... FOR UPDATE on MySQL).
* attr-sql: Don't use database transactions in create_attribute_enumeratorTobias Brunner2013-10-111-5/+0
| | | | | | | | | There could, of course, be race conditions when enumerating the attributes, but those probably don't matter (e.g. missing an attribute that was concurrently added). Transactions are more intended to revert multiple changes if anything fails in the process.
* kernel: Use a time_t to report use time in query_policy()Martin Willi2013-10-116-7/+7
|
* kernel: Use a time_t to report use time in query_sa()Martin Willi2013-10-116-8/+8
|
* kernel-netlink: Allow to override xfrm_acq_expires valueAnsis Atteka2013-09-231-6/+10
| | | | | | | | | | | | | | | | When using auto=route, current xfrm_acq_expires default value implies that tunnel can be down for up to 165 seconds, if other peer rejected first IKE request with an AUTH_FAILED or NO_PROPOSAL_CHOSEN error message. These error messages are completely normal in setups where another application pushes configuration to both strongSwans without waiting for acknowledgment that they have updated their configurations. This patch allows strongswan to override xfrm_acq_expires default value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in strongswan.conf. Signed-off-by: Ansis Atteka <aatteka@nicira.com>
* resolve: Remove comment when using resolvconf(8)Tobias Brunner2013-09-131-2/+1
| | | | | | | | | | | Since comments in resolv.conf are only valid at the beginning of a line resolvconf(8) seems to have started treating any text after 'nameserver <ip>' as additional IP addresses for name servers. Since it ignores comments, and we can easily remove the added servers again, there is no point to add any. Fixes #410.
* Build all shared libraries with -no-undefined and link them properlyTobias Brunner2013-09-121-1/+5
| | | | | | | | | | The flag is required to convince libtool on Cygwin to build DLLs. But on Windows these shared libraries can not have undefined symbols, so we have to link them explicitly to the libraries they reference. For plugins this is currently not done, so only the monolithic build is supported. The plugin loader wouldn't be able to load DLLs anyway, as it tries to load files that don't exist on Cygwin.
* kernel-netlink: increase buffer size for RT netlink messagesAnsis Atteka2013-09-101-1/+1
| | | | | | | | | | | | | | | | | | | | Commit 940e1b0f66dc04b0853414c1f4c45fa3f6e33bdd "Filter ignored interfaces in kernel interfaces (for events, address enumeration, etc.)" made charon to ignore routes with unusable interfaces. Unusable interface is one where charon has not seen RTM_NEWLINK message from the kernel. Sometime RTM_NEWLINK message can be 1048 bytes large. This is 24 bytes more than currently allocated buffer of 1024 bytes. If kernel sends such a large message, then it would be silently ignored by charon and corresponding interface would never become usable. Hence strongSwan might resolve invalid source IP address in get_route() function. This would prevent IPsec tunnel to be established. To reproduce create a VLAN interface with following command: vconfig add eth1 12
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-18 02:45:16 +0000