| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
| |
getsockopt(SO_PROTOCOL) is not supported before 2.6.32. Default to UDP if
either the SO_PROTOCOL define is missing or the syscall fails.
|
| |
|
|
|
|
| |
The socket based IKE bypass policies are usually superior, but not supported
on all networking stacks. The port based variant uses global policies for the
UDP ports we have IKE sockets for.
|
| |
|
|
|
|
| |
As under vanilla Linux the kernel can't handle parallel dump queries and returns
EBUSY, it makes not much sense to use them. Disable parallel queries by default
to basically restore original behavior, improving performance.
|
| |
|
|
|
|
|
|
| |
Besides that it can improve throughput, it avoids a deadlock situation. If
all threads are busy, watcher will invoke the FD notification for NEWADDR
events itself. If the lock is held, it gets locked up. As watcher is not
dispatching anymore, it can't signal Netlink socket send() completion, and
the send() operation does not return and keeps the lock.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
If the kernel can't execute a Netlink query because a different query is already
active, it returns EBUSY. As this can happen now as we support parallel queries,
retry on this error condition.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of locking the socket exclusively to wait for replies, use watcher
to wait for and read in responses asynchronously. This allows multiple parallel
Netlink queries, which can significantly improve performance if the kernel
Netlink layer has longer latencies and supports parallel queries.
For vanilla Linux, parallel queries don't make much sense, as it usually returns
EBUSY for the relevant dump requests. This requires a retry, and in the end
makes queries more expensive under high load.
Instead of checking the Netlink message sequence number to detect multi-part
messages, this code now relies on the NLM_F_MULTI flag to detect them. This
has previously been avoided (by 1d51abb7). It is unclear if the flag did not
work correctly on very old Linux kernels, or if the flag was not used
appropriately by strongSwan. The flag seems to work just fine back to 2.6.18,
which is a kernel still in use by RedHat/CentOS 5.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If no offline leases are available for the current client and assigning online
leases is disabled, and if all IPs of the pool have already been assigned to
clients we look for offline leases that previously were assigned to other
clients.
In case the current client has online leases the previous code would
replace the existing mapping entry and besides resulting in a memory leak
the online leases would be lost forever (even if the client later releases
the addresses). If this happens repeatedly the number of available addresses
would decrease even though the total number of online and offline leases seen
in `ipsec leases` would indicate that there are free addresses available.
Fixes #764.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Previously one more than the first and last address was ignored.
And if the base address is not the network ID of the subnet we
should not skip it. But we should adjust the size as it does not
represent the actual number of IP addresses assignable.
|
| |
|
|
| |
This message is not available on OS X.
|
| | |
|
| |
|
|
|
| |
This avoid the hard dependency on enum names, and makes kernel_netlink_shared
independent of kernel_netlink_ipsec.
|
| | |
|
| | |
|
| |
|
|
|
| |
As we are not interested in the returned address, there is really no need
in passing that argument.
|
| |
|
|
| |
There is really no need for doing so, and it makes the code just unreadable.
|
| |
|
|
|
| |
This allows us to streamline the netlink buffers, and avoid extensive
casting.
|
| |
|
|
|
|
|
|
| |
Since 4b670a20 we require an explicit strongswan.conf to re-load configurations.
However, the define was missing in the build, breaking SIGHUP based config
reloading.
Fixes #651.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We actually never deleted cached interfaces. So if the kernel reuses
interface indices events for newly created interfaces could have been
associated with interface objects of deactivated and deleted interfaces.
Since we also didn't update the interface name when such an interface
got reactivated we ended up using the old name e.g. to install routes.
A trigger for this was the deletion and recreation of TUN devices during
reauthentication of SAs that use virtual IPs.
|
| |
|
|
|
|
| |
Seems that packet counts can be retrieved after all. At least the Linux
and FreeBSD kernels treat the number of allocations as number of packets.
We actually installed packet limits in that field already.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The condvar is signaled for every handled message received from the
kernel not only for replies (this changed with 2a2d7a4dc8). This may
cause segfaults because this->reply is not set when the waiting thread is
woken due to an IP address change.
Since this->reply is only set when it is actually the expected reply (and
only one request is sent at a time, thanks to c9a323c1d9) we only have
to make sure the reply is there (and clear it once we handled it).
Using separate condvars could also be an option in the future.
|
| |
|
|
|
|
|
|
|
|
|
| |
Even if the XFRM identifier was named cast128 in the kernel before 2.6.31, it
actually never worked, because there is no such crypto algorithm.
The identifier has been changed to cast5 in
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=245acb87
to make it work, so we should use that.
Fixes #633.
|
| | |
|
| |
|
|
|
|
| |
policy routes
This is basically the same as 88f125f5605e54b38cf8913df79e32ec6bddff10.
|
| | |
|
| |
|
|
| |
On Android these macros are defined as functions.
|
| |
|
|
|
|
|
|
| |
This should prevent the kernel's IPv6 source address selection algorithm
from using this address unless it is forced to by our source route.
This is helpful if split tunneling is used.
Fixes #598.
|
| | |
|
| | |
|
| |
|
|
|
| |
This allows to determine the next hop to reach a subnet, for instance, when
installing routes for shunt policies.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Instead of using the first address we find on an interface we should
consider properties like an address' scope or whether it is temporary
or public.
Fixes #543.
|
| |
|
|
|
|
| |
Trying to disable replay windows using the ESN attribute fails with EINVAL.
Use non-ESN legacy format to disable replay windows, even if ESN has been
negotiated over IKE.
|
| | |
|
| | |
|
| | |
|
