added strongswan.conf option to disable route installation
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 * Copyright (C) 2003 Herbert Xu.
9 *
10 * Based on xfrm code from pluto.
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 *
22 * $Id$
23 */
24
25 #include <sys/types.h>
26 #include <sys/socket.h>
27 #include <sys/time.h>
28 #include <linux/netlink.h>
29 #include <linux/rtnetlink.h>
30 #include <linux/xfrm.h>
31 #include <linux/udp.h>
32 #include <pthread.h>
33 #include <unistd.h>
34 #include <fcntl.h>
35 #include <errno.h>
36 #include <string.h>
37 #include <net/if.h>
38 #include <sys/ioctl.h>
39
40 #include "kernel_interface.h"
41
42 #include <daemon.h>
43 #include <utils/linked_list.h>
44 #include <processing/jobs/delete_child_sa_job.h>
45 #include <processing/jobs/rekey_child_sa_job.h>
46 #include <processing/jobs/acquire_job.h>
47 #include <processing/jobs/callback_job.h>
48 #include <processing/jobs/roam_job.h>
49
50 /** routing table for routes installed by us */
51 #ifndef IPSEC_ROUTING_TABLE
52 #define IPSEC_ROUTING_TABLE 100
53 #endif
54 #ifndef IPSEC_ROUTING_TABLE_PRIO
55 #define IPSEC_ROUTING_TABLE_PRIO 100
56 #endif
57
58 /** kernel level protocol identifiers */
59 #define KERNEL_ESP 50
60 #define KERNEL_AH 51
61
62 /** default priority of installed policies */
63 #define PRIO_LOW 3000
64 #define PRIO_HIGH 2000
65
66 /** delay before firing roam jobs (ms) */
67 #define ROAM_DELAY 100
68
69 #define BUFFER_SIZE 1024
70
71 /**
72 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
73 * 'usual' netlink data x like 'struct xfrm_usersa_info'
74 */
75 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
76 /**
77 * returns a pointer to the next rtattr following rta.
78 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
79 */
80 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
81 /**
82 * returns the total size of attached rta data
83 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
84 */
85 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
86
87 typedef struct kernel_algorithm_t kernel_algorithm_t;
88
89 /**
90 * Mapping from the algorithms defined in IKEv2 to
91 * kernel level algorithm names and their key length
92 */
93 struct kernel_algorithm_t {
94 /**
95 * Identifier specified in IKEv2
96 */
97 int ikev2_id;
98
99 /**
100 * Name of the algorithm, as used as kernel identifier
101 */
102 char *name;
103
104 /**
105 * Key length in bits, if fixed size
106 */
107 u_int key_size;
108 };
109 #define END_OF_LIST -1
110
111 /**
112 * Algorithms for encryption
113 */
114 static kernel_algorithm_t encryption_algs[] = {
115 /* {ENCR_DES_IV64, "***", 0}, */
116 {ENCR_DES, "des", 64},
117 {ENCR_3DES, "des3_ede", 192},
118 /* {ENCR_RC5, "***", 0}, */
119 /* {ENCR_IDEA, "***", 0}, */
120 {ENCR_CAST, "cast128", 0},
121 {ENCR_BLOWFISH, "blowfish", 0},
122 /* {ENCR_3IDEA, "***", 0}, */
123 /* {ENCR_DES_IV32, "***", 0}, */
124 {ENCR_NULL, "cipher_null", 0},
125 {ENCR_AES_CBC, "aes", 0},
126 /* {ENCR_AES_CTR, "***", 0}, */
127 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))", 64}, /* key_size = ICV size */
128 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))", 96}, /* key_size = ICV size */
129 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))", 128}, /* key_size = ICV size */
130 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))", 64}, /* key_size = ICV size */
131 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))", 96}, /* key_size = ICV size */
132 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))", 128}, /* key_size = ICV size */
133 {END_OF_LIST, NULL, 0},
134 };
135
136 /**
137 * Algorithms for integrity protection
138 */
139 static kernel_algorithm_t integrity_algs[] = {
140 {AUTH_HMAC_MD5_96, "md5", 128},
141 {AUTH_HMAC_SHA1_96, "sha1", 160},
142 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
143 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
144 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
145 /* {AUTH_DES_MAC, "***", 0}, */
146 /* {AUTH_KPDK_MD5, "***", 0}, */
147 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
148 {END_OF_LIST, NULL, 0},
149 };
150
151 /**
152 * Algorithms for IPComp
153 */
154 static kernel_algorithm_t compression_algs[] = {
155 /* {IPCOMP_OUI, "***", 0}, */
156 {IPCOMP_DEFLATE, "deflate", 0},
157 {IPCOMP_LZS, "lzs", 0},
158 {IPCOMP_LZJH, "lzjh", 0},
159 {END_OF_LIST, NULL, 0},
160 };
161
162 /**
163 * Look up a kernel algorithm name and its key size
164 */
165 static char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
166 u_int16_t ikev2_algo, u_int16_t *key_size)
167 {
168 while (kernel_algo->ikev2_id != END_OF_LIST)
169 {
170 if (ikev2_algo == kernel_algo->ikev2_id)
171 {
172 /* match, evaluate key length */
173 if (key_size && *key_size == 0)
174 { /* update key size if not set */
175 *key_size = kernel_algo->key_size;
176 }
177 return kernel_algo->name;
178 }
179 kernel_algo++;
180 }
181 return NULL;
182 }
183
184 typedef struct route_entry_t route_entry_t;
185
186 /**
187 * installed routing entry
188 */
189 struct route_entry_t {
190
191 /** Index of the interface the route is bound to */
192 int if_index;
193
194 /** Source ip of the route */
195 host_t *src_ip;
196
197 /** gateway for this route */
198 host_t *gateway;
199
200 /** Destination net */
201 chunk_t dst_net;
202
203 /** Destination net prefixlen */
204 u_int8_t prefixlen;
205 };
206
207 /**
208 * destroy an route_entry_t object
209 */
210 static void route_entry_destroy(route_entry_t *this)
211 {
212 this->src_ip->destroy(this->src_ip);
213 this->gateway->destroy(this->gateway);
214 chunk_free(&this->dst_net);
215 free(this);
216 }
217
218 typedef struct policy_entry_t policy_entry_t;
219
220 /**
221 * installed kernel policy.
222 */
223 struct policy_entry_t {
224
225 /** direction of this policy: in, out, forward */
226 u_int8_t direction;
227
228 /** reqid of the policy */
229 u_int32_t reqid;
230
231 /** parameters of installed policy */
232 struct xfrm_selector sel;
233
234 /** associated route installed for this policy */
235 route_entry_t *route;
236
237 /** by how many CHILD_SA's this policy is used */
238 u_int refcount;
239 };
240
241 typedef struct addr_entry_t addr_entry_t;
242
243 /**
244 * IP address in an inface_entry_t
245 */
246 struct addr_entry_t {
247
248 /** The ip address */
249 host_t *ip;
250
251 /** virtual IP managed by us */
252 bool virtual;
253
254 /** scope of the address */
255 u_char scope;
256
257 /** Number of times this IP is used, if virtual */
258 u_int refcount;
259 };
260
261 /**
262 * destroy a addr_entry_t object
263 */
264 static void addr_entry_destroy(addr_entry_t *this)
265 {
266 this->ip->destroy(this->ip);
267 free(this);
268 }
269
270 typedef struct iface_entry_t iface_entry_t;
271
272 /**
273 * A network interface on this system, containing addr_entry_t's
274 */
275 struct iface_entry_t {
276
277 /** interface index */
278 int ifindex;
279
280 /** name of the interface */
281 char ifname[IFNAMSIZ];
282
283 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
284 u_int flags;
285
286 /** list of addresses as host_t */
287 linked_list_t *addrs;
288 };
289
290 /**
291 * destroy an interface entry
292 */
293 static void iface_entry_destroy(iface_entry_t *this)
294 {
295 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
296 free(this);
297 }
298
299 typedef struct private_kernel_interface_t private_kernel_interface_t;
300
301 /**
302 * Private variables and functions of kernel_interface class.
303 */
304 struct private_kernel_interface_t {
305 /**
306 * Public part of the kernel_interface_t object.
307 */
308 kernel_interface_t public;
309
310 /**
311 * mutex to lock access to netlink socket
312 */
313 pthread_mutex_t nl_mutex;
314
315 /**
316 * mutex to lock access to various lists
317 */
318 pthread_mutex_t mutex;
319
320 /**
321 * condition variable to signal virtual IP add/removal
322 */
323 pthread_cond_t cond;
324
325 /**
326 * List of installed policies (policy_entry_t)
327 */
328 linked_list_t *policies;
329
330 /**
331 * Cached list of interfaces and its adresses (iface_entry_t)
332 */
333 linked_list_t *ifaces;
334
335 /**
336 * iterator used in hook()
337 */
338 iterator_t *hiter;
339
340 /**
341 * job receiving netlink events
342 */
343 callback_job_t *job;
344
345 /**
346 * current sequence number for netlink request
347 */
348 int seq;
349
350 /**
351 * Netlink xfrm socket (IPsec)
352 */
353 int socket_xfrm;
354
355 /**
356 * netlink xfrm socket to receive acquire and expire events
357 */
358 int socket_xfrm_events;
359
360 /**
361 * Netlink rt socket (routing)
362 */
363 int socket_rt;
364
365 /**
366 * Netlink rt socket to receive address change events
367 */
368 int socket_rt_events;
369
370 /**
371 * time of the last roam_job
372 */
373 struct timeval last_roam;
374
375 /**
376 * whether to install routes along policies
377 */
378 bool install_routes;
379 };
380
381 /**
382 * convert a host_t to a struct xfrm_address
383 */
384 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
385 {
386 chunk_t chunk = host->get_address(host);
387 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
388 }
389
390 /**
391 * convert a traffic selector address range to subnet and its mask.
392 */
393 static void ts2subnet(traffic_selector_t* ts,
394 xfrm_address_t *net, u_int8_t *mask)
395 {
396 /* there is no way to do this cleanly, as the address range may
397 * be anything else but a subnet. We use from_addr as subnet
398 * and try to calculate a usable subnet mask.
399 */
400 int byte, bit;
401 bool found = FALSE;
402 chunk_t from, to;
403 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
404
405 from = ts->get_from_address(ts);
406 to = ts->get_to_address(ts);
407
408 *mask = (size * 8);
409 /* go trough all bits of the addresses, beginning in the front.
410 * as long as they are equal, the subnet gets larger
411 */
412 for (byte = 0; byte < size; byte++)
413 {
414 for (bit = 7; bit >= 0; bit--)
415 {
416 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
417 {
418 *mask = ((7 - bit) + (byte * 8));
419 found = TRUE;
420 break;
421 }
422 }
423 if (found)
424 {
425 break;
426 }
427 }
428 memcpy(net, from.ptr, from.len);
429 chunk_free(&from);
430 chunk_free(&to);
431 }
432
433 /**
434 * convert a traffic selector port range to port/portmask
435 */
436 static void ts2ports(traffic_selector_t* ts,
437 u_int16_t *port, u_int16_t *mask)
438 {
439 /* linux does not seem to accept complex portmasks. Only
440 * any or a specific port is allowed. We set to any, if we have
441 * a port range, or to a specific, if we have one port only.
442 */
443 u_int16_t from, to;
444
445 from = ts->get_from_port(ts);
446 to = ts->get_to_port(ts);
447
448 if (from == to)
449 {
450 *port = htons(from);
451 *mask = ~0;
452 }
453 else
454 {
455 *port = 0;
456 *mask = 0;
457 }
458 }
459
460 /**
461 * convert a pair of traffic_selectors to a xfrm_selector
462 */
463 static struct xfrm_selector ts2selector(traffic_selector_t *src,
464 traffic_selector_t *dst)
465 {
466 struct xfrm_selector sel;
467
468 memset(&sel, 0, sizeof(sel));
469 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
470 /* src or dest proto may be "any" (0), use more restrictive one */
471 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
472 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
473 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
474 ts2ports(dst, &sel.dport, &sel.dport_mask);
475 ts2ports(src, &sel.sport, &sel.sport_mask);
476 sel.ifindex = 0;
477 sel.user = 0;
478
479 return sel;
480 }
481
482 /**
483 * Creates an rtattr and adds it to the netlink message
484 */
485 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
486 size_t buflen)
487 {
488 struct rtattr *rta;
489
490 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
491 {
492 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
493 return;
494 }
495
496 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
497 rta->rta_type = rta_type;
498 rta->rta_len = RTA_LENGTH(data.len);
499 memcpy(RTA_DATA(rta), data.ptr, data.len);
500 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
501 }
502
503 /**
504 * process a XFRM_MSG_ACQUIRE from kernel
505 */
506 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
507 {
508 u_int32_t reqid = 0;
509 job_t *job;
510 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
511 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
512
513 if (RTA_OK(rtattr, rtsize))
514 {
515 if (rtattr->rta_type == XFRMA_TMPL)
516 {
517 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
518 reqid = tmpl->reqid;
519 }
520 }
521 if (reqid == 0)
522 {
523 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
524 return;
525 }
526 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
527 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
528 job = (job_t*)acquire_job_create(reqid);
529 charon->processor->queue_job(charon->processor, job);
530 }
531
532 /**
533 * process a XFRM_MSG_EXPIRE from kernel
534 */
535 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
536 {
537 job_t *job;
538 protocol_id_t protocol;
539 u_int32_t spi, reqid;
540 struct xfrm_user_expire *expire;
541
542 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
543 protocol = expire->state.id.proto;
544 protocol = (protocol == KERNEL_ESP) ? PROTO_ESP : (protocol == KERNEL_AH) ? PROTO_AH : protocol;
545 spi = expire->state.id.spi;
546 reqid = expire->state.reqid;
547
548 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
549
550 if (protocol != PROTO_ESP && protocol != PROTO_AH)
551 {
552 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA 0x%x (reqid %d) which is "
553 "not a CHILD_SA", ntohl(spi), reqid);
554 return;
555 }
556
557 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
558 expire->hard ? "delete" : "rekey", protocol_id_names,
559 protocol, ntohl(spi), reqid);
560 if (expire->hard)
561 {
562 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
563 }
564 else
565 {
566 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
567 }
568 charon->processor->queue_job(charon->processor, job);
569 }
570
571 /**
572 * start a roaming job. We delay it for a second and fire only one job
573 * for multiple events. Otherwise we would create two many jobs.
574 */
575 static void fire_roam_job(private_kernel_interface_t *this, bool address)
576 {
577 struct timeval now;
578
579 if (gettimeofday(&now, NULL) == 0)
580 {
581 if (timercmp(&now, &this->last_roam, >))
582 {
583 now.tv_usec += ROAM_DELAY * 1000;
584 while (now.tv_usec > 1000000)
585 {
586 now.tv_sec++;
587 now.tv_usec -= 1000000;
588 }
589 this->last_roam = now;
590 charon->scheduler->schedule_job(charon->scheduler,
591 (job_t*)roam_job_create(address), ROAM_DELAY);
592 }
593 }
594 }
595
596 /**
597 * process RTM_NEWLINK/RTM_DELLINK from kernel
598 */
599 static void process_link(private_kernel_interface_t *this,
600 struct nlmsghdr *hdr, bool event)
601 {
602 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
603 struct rtattr *rta = IFLA_RTA(msg);
604 size_t rtasize = IFLA_PAYLOAD (hdr);
605 iterator_t *iterator;
606 iface_entry_t *current, *entry = NULL;
607 char *name = NULL;
608 bool update = FALSE;
609
610 while(RTA_OK(rta, rtasize))
611 {
612 switch (rta->rta_type)
613 {
614 case IFLA_IFNAME:
615 name = RTA_DATA(rta);
616 break;
617 }
618 rta = RTA_NEXT(rta, rtasize);
619 }
620 if (!name)
621 {
622 name = "(unknown)";
623 }
624
625 switch (hdr->nlmsg_type)
626 {
627 case RTM_NEWLINK:
628 {
629 if (msg->ifi_flags & IFF_LOOPBACK)
630 { /* ignore loopback interfaces */
631 break;
632 }
633 iterator = this->ifaces->create_iterator_locked(this->ifaces,
634 &this->mutex);
635 while (iterator->iterate(iterator, (void**)&current))
636 {
637 if (current->ifindex == msg->ifi_index)
638 {
639 entry = current;
640 break;
641 }
642 }
643 if (!entry)
644 {
645 entry = malloc_thing(iface_entry_t);
646 entry->ifindex = msg->ifi_index;
647 entry->flags = 0;
648 entry->addrs = linked_list_create();
649 this->ifaces->insert_last(this->ifaces, entry);
650 }
651 memcpy(entry->ifname, name, IFNAMSIZ);
652 entry->ifname[IFNAMSIZ-1] = '\0';
653 if (event)
654 {
655 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
656 {
657 update = TRUE;
658 DBG1(DBG_KNL, "interface %s activated", name);
659 }
660 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
661 {
662 update = TRUE;
663 DBG1(DBG_KNL, "interface %s deactivated", name);
664 }
665 }
666 entry->flags = msg->ifi_flags;
667 iterator->destroy(iterator);
668 break;
669 }
670 case RTM_DELLINK:
671 {
672 iterator = this->ifaces->create_iterator_locked(this->ifaces,
673 &this->mutex);
674 while (iterator->iterate(iterator, (void**)&current))
675 {
676 if (current->ifindex == msg->ifi_index)
677 {
678 /* we do not remove it, as an address may be added to a
679 * "down" interface and we wan't to know that. */
680 current->flags = msg->ifi_flags;
681 break;
682 }
683 }
684 iterator->destroy(iterator);
685 break;
686 }
687 }
688
689 /* send an update to all IKE_SAs */
690 if (update && event)
691 {
692 fire_roam_job(this, TRUE);
693 }
694 }
695
696 /**
697 * process RTM_NEWADDR/RTM_DELADDR from kernel
698 */
699 static void process_addr(private_kernel_interface_t *this,
700 struct nlmsghdr *hdr, bool event)
701 {
702 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
703 struct rtattr *rta = IFA_RTA(msg);
704 size_t rtasize = IFA_PAYLOAD (hdr);
705 host_t *host = NULL;
706 iterator_t *ifaces, *addrs;
707 iface_entry_t *iface;
708 addr_entry_t *addr;
709 chunk_t local = chunk_empty, address = chunk_empty;
710 bool update = FALSE, found = FALSE, changed = FALSE;
711
712 while(RTA_OK(rta, rtasize))
713 {
714 switch (rta->rta_type)
715 {
716 case IFA_LOCAL:
717 local.ptr = RTA_DATA(rta);
718 local.len = RTA_PAYLOAD(rta);
719 break;
720 case IFA_ADDRESS:
721 address.ptr = RTA_DATA(rta);
722 address.len = RTA_PAYLOAD(rta);
723 break;
724 }
725 rta = RTA_NEXT(rta, rtasize);
726 }
727
728 /* For PPP interfaces, we need the IFA_LOCAL address,
729 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
730 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
731 if (local.ptr)
732 {
733 host = host_create_from_chunk(msg->ifa_family, local, 0);
734 }
735 else if (address.ptr)
736 {
737 host = host_create_from_chunk(msg->ifa_family, address, 0);
738 }
739
740 if (host == NULL)
741 { /* bad family? */
742 return;
743 }
744
745 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
746 while (ifaces->iterate(ifaces, (void**)&iface))
747 {
748 if (iface->ifindex == msg->ifa_index)
749 {
750 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
751 while (addrs->iterate(addrs, (void**)&addr))
752 {
753 if (host->ip_equals(host, addr->ip))
754 {
755 found = TRUE;
756 if (hdr->nlmsg_type == RTM_DELADDR)
757 {
758 changed = TRUE;
759 addrs->remove(addrs);
760 if (!addr->virtual)
761 {
762 DBG1(DBG_KNL, "%H disappeared from %s",
763 host, iface->ifname);
764 }
765 addr_entry_destroy(addr);
766 }
767 else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
768 {
769 addr->refcount = 1;
770 }
771 }
772 }
773 addrs->destroy(addrs);
774
775 if (hdr->nlmsg_type == RTM_NEWADDR)
776 {
777 if (!found)
778 {
779 found = TRUE;
780 changed = TRUE;
781 addr = malloc_thing(addr_entry_t);
782 addr->ip = host->clone(host);
783 addr->virtual = FALSE;
784 addr->refcount = 1;
785 addr->scope = msg->ifa_scope;
786
787 iface->addrs->insert_last(iface->addrs, addr);
788 if (event)
789 {
790 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
791 }
792 }
793 }
794 if (found && (iface->flags & IFF_UP))
795 {
796 update = TRUE;
797 }
798 break;
799 }
800 }
801 ifaces->destroy(ifaces);
802 host->destroy(host);
803
804 /* send an update to all IKE_SAs */
805 if (update && event && changed)
806 {
807 fire_roam_job(this, TRUE);
808 }
809 }
810
811 /**
812 * Receives events from kernel
813 */
814 static job_requeue_t receive_events(private_kernel_interface_t *this)
815 {
816 char response[1024];
817 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
818 struct sockaddr_nl addr;
819 socklen_t addr_len = sizeof(addr);
820 int len, oldstate, maxfd, selected;
821 fd_set rfds;
822
823 FD_ZERO(&rfds);
824 FD_SET(this->socket_xfrm_events, &rfds);
825 FD_SET(this->socket_rt_events, &rfds);
826 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
827
828 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
829 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
830 pthread_setcancelstate(oldstate, NULL);
831 if (selected <= 0)
832 {
833 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
834 return JOB_REQUEUE_FAIR;
835 }
836 if (FD_ISSET(this->socket_xfrm_events, &rfds))
837 {
838 selected = this->socket_xfrm_events;
839 }
840 else if (FD_ISSET(this->socket_rt_events, &rfds))
841 {
842 selected = this->socket_rt_events;
843 }
844 else
845 {
846 return JOB_REQUEUE_DIRECT;
847 }
848
849 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
850 (struct sockaddr*)&addr, &addr_len);
851 if (len < 0)
852 {
853 switch (errno)
854 {
855 case EINTR:
856 /* interrupted, try again */
857 return JOB_REQUEUE_DIRECT;
858 case EAGAIN:
859 /* no data ready, select again */
860 return JOB_REQUEUE_DIRECT;
861 default:
862 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
863 sleep(1);
864 return JOB_REQUEUE_FAIR;
865 }
866 }
867 if (addr.nl_pid != 0)
868 { /* not from kernel. not interested, try another one */
869 return JOB_REQUEUE_DIRECT;
870 }
871
872 while (NLMSG_OK(hdr, len))
873 {
874 /* looks good so far, dispatch netlink message */
875 if (selected == this->socket_xfrm_events)
876 {
877 switch (hdr->nlmsg_type)
878 {
879 case XFRM_MSG_ACQUIRE:
880 process_acquire(this, hdr);
881 break;
882 case XFRM_MSG_EXPIRE:
883 process_expire(this, hdr);
884 break;
885 default:
886 break;
887 }
888 }
889 else if (selected == this->socket_rt_events)
890 {
891 switch (hdr->nlmsg_type)
892 {
893 case RTM_NEWADDR:
894 case RTM_DELADDR:
895 process_addr(this, hdr, TRUE);
896 pthread_cond_signal(&this->cond);
897 break;
898 case RTM_NEWLINK:
899 case RTM_DELLINK:
900 process_link(this, hdr, TRUE);
901 pthread_cond_signal(&this->cond);
902 break;
903 case RTM_NEWROUTE:
904 case RTM_DELROUTE:
905 fire_roam_job(this, FALSE);
906 break;
907 default:
908 break;
909 }
910 }
911 hdr = NLMSG_NEXT(hdr, len);
912 }
913 return JOB_REQUEUE_DIRECT;
914 }
915
916 /**
917 * send a netlink message and wait for a reply
918 */
919 static status_t netlink_send(private_kernel_interface_t *this,
920 int socket, struct nlmsghdr *in,
921 struct nlmsghdr **out, size_t *out_len)
922 {
923 int len, addr_len;
924 struct sockaddr_nl addr;
925 chunk_t result = chunk_empty, tmp;
926 struct nlmsghdr *msg, peek;
927
928 pthread_mutex_lock(&this->nl_mutex);
929
930 in->nlmsg_seq = ++this->seq;
931 in->nlmsg_pid = getpid();
932
933 memset(&addr, 0, sizeof(addr));
934 addr.nl_family = AF_NETLINK;
935 addr.nl_pid = 0;
936 addr.nl_groups = 0;
937
938 while (TRUE)
939 {
940 len = sendto(socket, in, in->nlmsg_len, 0,
941 (struct sockaddr*)&addr, sizeof(addr));
942
943 if (len != in->nlmsg_len)
944 {
945 if (errno == EINTR)
946 {
947 /* interrupted, try again */
948 continue;
949 }
950 pthread_mutex_unlock(&this->nl_mutex);
951 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
952 return FAILED;
953 }
954 break;
955 }
956
957 while (TRUE)
958 {
959 char buf[4096];
960 tmp.len = sizeof(buf);
961 tmp.ptr = buf;
962 msg = (struct nlmsghdr*)tmp.ptr;
963
964 memset(&addr, 0, sizeof(addr));
965 addr.nl_family = AF_NETLINK;
966 addr.nl_pid = getpid();
967 addr.nl_groups = 0;
968 addr_len = sizeof(addr);
969
970 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
971 (struct sockaddr*)&addr, &addr_len);
972
973 if (len < 0)
974 {
975 if (errno == EINTR)
976 {
977 DBG1(DBG_KNL, "got interrupted");
978 /* interrupted, try again */
979 continue;
980 }
981 DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
982 pthread_mutex_unlock(&this->nl_mutex);
983 return FAILED;
984 }
985 if (!NLMSG_OK(msg, len))
986 {
987 DBG1(DBG_KNL, "received corrupted netlink message");
988 pthread_mutex_unlock(&this->nl_mutex);
989 return FAILED;
990 }
991 if (msg->nlmsg_seq != this->seq)
992 {
993 DBG1(DBG_KNL, "received invalid netlink sequence number");
994 if (msg->nlmsg_seq < this->seq)
995 {
996 continue;
997 }
998 pthread_mutex_unlock(&this->nl_mutex);
999 return FAILED;
1000 }
1001
1002 tmp.len = len;
1003 result = chunk_cata("cc", result, tmp);
1004
1005 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
1006 * numbers to detect multi header messages */
1007 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
1008 (struct sockaddr*)&addr, &addr_len);
1009
1010 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
1011 {
1012 /* seems to be multipart */
1013 continue;
1014 }
1015 break;
1016 }
1017
1018 *out_len = result.len;
1019 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
1020
1021 pthread_mutex_unlock(&this->nl_mutex);
1022
1023 return SUCCESS;
1024 }
1025
1026 /**
1027 * send a netlink message and wait for its acknowlegde
1028 */
1029 static status_t netlink_send_ack(private_kernel_interface_t *this,
1030 int socket, struct nlmsghdr *in)
1031 {
1032 struct nlmsghdr *out, *hdr;
1033 size_t len;
1034
1035 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
1036 {
1037 return FAILED;
1038 }
1039 hdr = out;
1040 while (NLMSG_OK(hdr, len))
1041 {
1042 switch (hdr->nlmsg_type)
1043 {
1044 case NLMSG_ERROR:
1045 {
1046 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
1047
1048 if (err->error)
1049 {
1050 DBG1(DBG_KNL, "received netlink error: %s (%d)",
1051 strerror(-err->error), -err->error);
1052 free(out);
1053 return FAILED;
1054 }
1055 free(out);
1056 return SUCCESS;
1057 }
1058 default:
1059 hdr = NLMSG_NEXT(hdr, len);
1060 continue;
1061 case NLMSG_DONE:
1062 break;
1063 }
1064 break;
1065 }
1066 DBG1(DBG_KNL, "netlink request not acknowlegded");
1067 free(out);
1068 return FAILED;
1069 }
1070
1071 /**
1072 * Initialize a list of local addresses.
1073 */
1074 static status_t init_address_list(private_kernel_interface_t *this)
1075 {
1076 char request[BUFFER_SIZE];
1077 struct nlmsghdr *out, *current, *in;
1078 struct rtgenmsg *msg;
1079 size_t len;
1080 iterator_t *ifaces, *addrs;
1081 iface_entry_t *iface;
1082 addr_entry_t *addr;
1083
1084 DBG1(DBG_KNL, "listening on interfaces:");
1085
1086 memset(&request, 0, sizeof(request));
1087
1088 in = (struct nlmsghdr*)&request;
1089 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
1090 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
1091 msg = (struct rtgenmsg*)NLMSG_DATA(in);
1092 msg->rtgen_family = AF_UNSPEC;
1093
1094 /* get all links */
1095 in->nlmsg_type = RTM_GETLINK;
1096 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1097 {
1098 return FAILED;
1099 }
1100 current = out;
1101 while (NLMSG_OK(current, len))
1102 {
1103 switch (current->nlmsg_type)
1104 {
1105 case NLMSG_DONE:
1106 break;
1107 case RTM_NEWLINK:
1108 process_link(this, current, FALSE);
1109 /* fall through */
1110 default:
1111 current = NLMSG_NEXT(current, len);
1112 continue;
1113 }
1114 break;
1115 }
1116 free(out);
1117
1118 /* get all interface addresses */
1119 in->nlmsg_type = RTM_GETADDR;
1120 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1121 {
1122 return FAILED;
1123 }
1124 current = out;
1125 while (NLMSG_OK(current, len))
1126 {
1127 switch (current->nlmsg_type)
1128 {
1129 case NLMSG_DONE:
1130 break;
1131 case RTM_NEWADDR:
1132 process_addr(this, current, FALSE);
1133 /* fall through */
1134 default:
1135 current = NLMSG_NEXT(current, len);
1136 continue;
1137 }
1138 break;
1139 }
1140 free(out);
1141
1142 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1143 while (ifaces->iterate(ifaces, (void**)&iface))
1144 {
1145 if (iface->flags & IFF_UP)
1146 {
1147 DBG1(DBG_KNL, " %s", iface->ifname);
1148 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1149 while (addrs->iterate(addrs, (void**)&addr))
1150 {
1151 DBG1(DBG_KNL, " %H", addr->ip);
1152 }
1153 addrs->destroy(addrs);
1154 }
1155 }
1156 ifaces->destroy(ifaces);
1157 return SUCCESS;
1158 }
1159
1160 /**
1161 * iterator hook to iterate over addrs
1162 */
1163 static hook_result_t addr_hook(private_kernel_interface_t *this,
1164 addr_entry_t *in, host_t **out)
1165 {
1166 if (in->virtual)
1167 { /* skip virtual interfaces added by us */
1168 return HOOK_SKIP;
1169 }
1170 if (in->scope >= RT_SCOPE_LINK)
1171 { /* skip addresses with a unusable scope */
1172 return HOOK_SKIP;
1173 }
1174 *out = in->ip;
1175 return HOOK_NEXT;
1176 }
1177
1178 /**
1179 * iterator hook to iterate over ifaces
1180 */
1181 static hook_result_t iface_hook(private_kernel_interface_t *this,
1182 iface_entry_t *in, host_t **out)
1183 {
1184 if (!(in->flags & IFF_UP))
1185 { /* skip interfaces not up */
1186 return HOOK_SKIP;
1187 }
1188
1189 if (this->hiter == NULL)
1190 {
1191 this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
1192 this->hiter->set_iterator_hook(this->hiter,
1193 (iterator_hook_t*)addr_hook, this);
1194 }
1195 while (this->hiter->iterate(this->hiter, (void**)out))
1196 {
1197 return HOOK_AGAIN;
1198 }
1199 this->hiter->destroy(this->hiter);
1200 this->hiter = NULL;
1201 return HOOK_SKIP;
1202 }
1203
1204 /**
1205 * Implements kernel_interface_t.create_address_iterator.
1206 */
1207 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1208 {
1209 iterator_t *iterator;
1210
1211 /* This iterator is not only hooked, is is double-hooked. As we have stored
1212 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
1213 * entries in each interface we iterate. This does the iface_hook. The
1214 * addr_hook returns the ip instead of the addr_entry. */
1215
1216 iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1217 iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
1218 return iterator;
1219 }
1220
1221 /**
1222 * implementation of kernel_interface_t.get_interface_name
1223 */
1224 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1225 {
1226 iterator_t *ifaces, *addrs;
1227 iface_entry_t *iface;
1228 addr_entry_t *addr;
1229 char *name = NULL;
1230
1231 DBG2(DBG_KNL, "getting interface name for %H", ip);
1232
1233 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1234 while (ifaces->iterate(ifaces, (void**)&iface))
1235 {
1236 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1237 while (addrs->iterate(addrs, (void**)&addr))
1238 {
1239 if (ip->ip_equals(ip, addr->ip))
1240 {
1241 name = strdup(iface->ifname);
1242 break;
1243 }
1244 }
1245 addrs->destroy(addrs);
1246 if (name)
1247 {
1248 break;
1249 }
1250 }
1251 ifaces->destroy(ifaces);
1252
1253 if (name)
1254 {
1255 DBG2(DBG_KNL, "%H is on interface %s", ip, name);
1256 }
1257 else
1258 {
1259 DBG2(DBG_KNL, "%H is not a local address", ip);
1260 }
1261 return name;
1262 }
1263
1264 /**
1265 * Tries to find an ip address of a local interface that is included in the
1266 * supplied traffic selector.
1267 */
1268 static status_t get_address_by_ts(private_kernel_interface_t *this,
1269 traffic_selector_t *ts, host_t **ip)
1270 {
1271 iterator_t *ifaces, *addrs;
1272 iface_entry_t *iface;
1273 addr_entry_t *addr;
1274 host_t *host;
1275 int family;
1276 bool found = FALSE;
1277
1278 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
1279
1280 /* if we have a family which includes localhost, we do not
1281 * search for an IP, we use the default */
1282 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1283
1284 if (family == AF_INET)
1285 {
1286 host = host_create_from_string("127.0.0.1", 0);
1287 }
1288 else
1289 {
1290 host = host_create_from_string("::1", 0);
1291 }
1292
1293 if (ts->includes(ts, host))
1294 {
1295 *ip = host_create_any(family);
1296 host->destroy(host);
1297 DBG2(DBG_KNL, "using host %H", *ip);
1298 return SUCCESS;
1299 }
1300 host->destroy(host);
1301
1302 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1303 while (ifaces->iterate(ifaces, (void**)&iface))
1304 {
1305 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1306 while (addrs->iterate(addrs, (void**)&addr))
1307 {
1308 if (ts->includes(ts, addr->ip))
1309 {
1310 found = TRUE;
1311 *ip = addr->ip->clone(addr->ip);
1312 break;
1313 }
1314 }
1315 addrs->destroy(addrs);
1316 if (found)
1317 {
1318 break;
1319 }
1320 }
1321 ifaces->destroy(ifaces);
1322
1323 if (!found)
1324 {
1325 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
1326 return FAILED;
1327 }
1328 DBG2(DBG_KNL, "using host %H", *ip);
1329 return SUCCESS;
1330 }
1331
1332 /**
1333 * get the interface of a local address
1334 */
1335 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1336 {
1337 iterator_t *ifaces, *addrs;
1338 iface_entry_t *iface;
1339 addr_entry_t *addr;
1340 int ifindex = 0;
1341
1342 DBG2(DBG_KNL, "getting iface for %H", ip);
1343
1344 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1345 while (ifaces->iterate(ifaces, (void**)&iface))
1346 {
1347 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1348 while (addrs->iterate(addrs, (void**)&addr))
1349 {
1350 if (ip->ip_equals(ip, addr->ip))
1351 {
1352 ifindex = iface->ifindex;
1353 break;
1354 }
1355 }
1356 addrs->destroy(addrs);
1357 if (ifindex)
1358 {
1359 break;
1360 }
1361 }
1362 ifaces->destroy(ifaces);
1363
1364 if (ifindex == 0)
1365 {
1366 DBG1(DBG_KNL, "unable to get interface for %H", ip);
1367 }
1368 return ifindex;
1369 }
1370
1371 /**
1372 * get the refcount of a virtual ip
1373 */
1374 static int get_vip_refcount(private_kernel_interface_t *this, host_t* ip)
1375 {
1376 iterator_t *ifaces, *addrs;
1377 iface_entry_t *iface;
1378 addr_entry_t *addr;
1379 int refcount = 0;
1380
1381 ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
1382 while (ifaces->iterate(ifaces, (void**)&iface))
1383 {
1384 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1385 while (addrs->iterate(addrs, (void**)&addr))
1386 {
1387 if (addr->virtual && (iface->flags & IFF_UP) &&
1388 ip->ip_equals(ip, addr->ip))
1389 {
1390 refcount = addr->refcount;
1391 break;
1392 }
1393 }
1394 addrs->destroy(addrs);
1395 if (refcount)
1396 {
1397 break;
1398 }
1399 }
1400 ifaces->destroy(ifaces);
1401
1402 return refcount;
1403 }
1404
1405 /**
1406 * Manages the creation and deletion of ip addresses on an interface.
1407 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1408 */
1409 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1410 int flags, int if_index, host_t *ip)
1411 {
1412 unsigned char request[BUFFER_SIZE];
1413 struct nlmsghdr *hdr;
1414 struct ifaddrmsg *msg;
1415 chunk_t chunk;
1416
1417 memset(&request, 0, sizeof(request));
1418
1419 chunk = ip->get_address(ip);
1420
1421 hdr = (struct nlmsghdr*)request;
1422 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1423 hdr->nlmsg_type = nlmsg_type;
1424 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1425
1426 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1427 msg->ifa_family = ip->get_family(ip);
1428 msg->ifa_flags = 0;
1429 msg->ifa_prefixlen = 8 * chunk.len;
1430 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1431 msg->ifa_index = if_index;
1432
1433 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1434
1435 return netlink_send_ack(this, this->socket_rt, hdr);
1436 }
1437
1438 /**
1439 * Manages source routes in the routing table.
1440 * By setting the appropriate nlmsg_type, the route added or r.
1441 */
1442 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1443 int flags, route_entry_t *route)
1444 {
1445 unsigned char request[BUFFER_SIZE];
1446 struct nlmsghdr *hdr;
1447 struct rtmsg *msg;
1448 chunk_t chunk;
1449
1450 #if IPSEC_ROUTING_TABLE == 0
1451 /* if route is 0.0.0.0/0, we can't install it, as it would
1452 * overwrite the default route. Instead, we add two routes:
1453 * 0.0.0.0/1 and 128.0.0.0/1 */
1454 if (route->prefixlen == 0)
1455 {
1456 route_entry_t half;
1457 status_t status;
1458
1459 half.dst_net = chunk_alloca(route->dst_net.len);
1460 memset(half.dst_net.ptr, 0, half.dst_net.len);
1461 half.src_ip = route->src_ip;
1462 half.gateway = route->gateway;
1463 half.if_index = route->if_index;
1464 half.prefixlen = 1;
1465
1466 status = manage_srcroute(this, nlmsg_type, flags, &half);
1467 half.dst_net.ptr[0] |= 0x80;
1468 status = manage_srcroute(this, nlmsg_type, flags, &half);
1469 return status;
1470 }
1471 #endif
1472
1473 memset(&request, 0, sizeof(request));
1474
1475 hdr = (struct nlmsghdr*)request;
1476 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1477 hdr->nlmsg_type = nlmsg_type;
1478 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1479
1480 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1481 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1482 msg->rtm_dst_len = route->prefixlen;
1483 msg->rtm_table = IPSEC_ROUTING_TABLE;
1484 msg->rtm_protocol = RTPROT_STATIC;
1485 msg->rtm_type = RTN_UNICAST;
1486 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1487
1488 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1489 chunk = route->src_ip->get_address(route->src_ip);
1490 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1491 chunk = route->gateway->get_address(route->gateway);
1492 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1493 chunk.ptr = (char*)&route->if_index;
1494 chunk.len = sizeof(route->if_index);
1495 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1496
1497 return netlink_send_ack(this, this->socket_rt, hdr);
1498 }
1499
1500 /**
1501 * create or delete an rule to use our routing table
1502 */
1503 static status_t manage_rule(private_kernel_interface_t *this, int nlmsg_type,
1504 u_int32_t table, u_int32_t prio)
1505 {
1506 unsigned char request[BUFFER_SIZE];
1507 struct nlmsghdr *hdr;
1508 struct rtmsg *msg;
1509 chunk_t chunk;
1510
1511 memset(&request, 0, sizeof(request));
1512 hdr = (struct nlmsghdr*)request;
1513 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1514 hdr->nlmsg_type = nlmsg_type;
1515 if (nlmsg_type == RTM_NEWRULE)
1516 {
1517 hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
1518 }
1519 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1520
1521 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1522 msg->rtm_table = table;
1523 msg->rtm_family = AF_INET;
1524 msg->rtm_protocol = RTPROT_BOOT;
1525 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1526 msg->rtm_type = RTN_UNICAST;
1527
1528 chunk = chunk_from_thing(prio);
1529 add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
1530
1531 return netlink_send_ack(this, this->socket_rt, hdr);
1532 }
1533
1534 /**
1535 * check if an address (chunk) addr is in subnet (net with net_len net bits)
1536 */
1537 static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
1538 {
1539 int bit, byte;
1540
1541 if (addr.len != net.len)
1542 {
1543 return FALSE;
1544 }
1545 /* scan through all bits, beginning in the front */
1546 for (byte = 0; byte < addr.len; byte++)
1547 {
1548 for (bit = 7; bit >= 0; bit--)
1549 {
1550 /* check if bits are equal (or we reached the end of the net) */
1551 if (bit + byte * 8 > net_len)
1552 {
1553 return TRUE;
1554 }
1555 if (((1<<bit) & addr.ptr[byte]) != ((1<<bit) & net.ptr[byte]))
1556 {
1557 return FALSE;
1558 }
1559 }
1560 }
1561 return TRUE;
1562 }
1563
1564 /**
1565 * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
1566 */
1567 static host_t *get_route(private_kernel_interface_t *this, host_t *dest,
1568 bool nexthop)
1569 {
1570 unsigned char request[BUFFER_SIZE];
1571 struct nlmsghdr *hdr, *out, *current;
1572 struct rtmsg *msg;
1573 chunk_t chunk;
1574 size_t len;
1575 int best = -1;
1576 host_t *src = NULL, *gtw = NULL;
1577
1578 DBG2(DBG_KNL, "getting address to reach %H", dest);
1579
1580 memset(&request, 0, sizeof(request));
1581
1582 hdr = (struct nlmsghdr*)request;
1583 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ROOT;
1584 hdr->nlmsg_type = RTM_GETROUTE;
1585 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1586
1587 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1588 msg->rtm_family = dest->get_family(dest);
1589
1590 chunk = dest->get_address(dest);
1591 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1592
1593 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1594 {
1595 DBG1(DBG_KNL, "getting address to %H failed", dest);
1596 return NULL;
1597 }
1598 current = out;
1599 while (NLMSG_OK(current, len))
1600 {
1601 switch (current->nlmsg_type)
1602 {
1603 case NLMSG_DONE:
1604 break;
1605 case RTM_NEWROUTE:
1606 {
1607 struct rtattr *rta;
1608 size_t rtasize;
1609 chunk_t rta_gtw, rta_src, rta_dst;
1610 u_int32_t rta_oif = 0;
1611
1612 rta_gtw = rta_src = rta_dst = chunk_empty;
1613 msg = (struct rtmsg*)(NLMSG_DATA(current));
1614 rta = RTM_RTA(msg);
1615 rtasize = RTM_PAYLOAD(current);
1616 while (RTA_OK(rta, rtasize))
1617 {
1618 switch (rta->rta_type)
1619 {
1620 case RTA_PREFSRC:
1621 rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1622 break;
1623 case RTA_GATEWAY:
1624 rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1625 break;
1626 case RTA_DST:
1627 rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1628 break;
1629 case RTA_OIF:
1630 if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
1631 {
1632 rta_oif = *(u_int32_t*)RTA_DATA(rta);
1633 }
1634 break;
1635 }
1636 rta = RTA_NEXT(rta, rtasize);
1637 }
1638
1639 /* apply the route if:
1640 * - it is not from our own ipsec routing table
1641 * - is better than a previous one
1642 * - is the default route or
1643 * - its destination net contains our destination
1644 */
1645 if (msg->rtm_table != IPSEC_ROUTING_TABLE
1646 && msg->rtm_dst_len > best
1647 && (msg->rtm_dst_len == 0 || /* default route */
1648 (rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
1649 {
1650 iterator_t *ifaces, *addrs;
1651 iface_entry_t *iface;
1652 addr_entry_t *addr;
1653
1654 best = msg->rtm_dst_len;
1655 if (nexthop)
1656 {
1657 DESTROY_IF(gtw);
1658 gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
1659 }
1660 else if (rta_src.ptr)
1661 {
1662 DESTROY_IF(src);
1663 src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
1664 }
1665 else
1666 {
1667 /* no source addr, get one from the interfaces */
1668 ifaces = this->ifaces->create_iterator_locked(
1669 this->ifaces, &this->mutex);
1670 while (ifaces->iterate(ifaces, (void**)&iface))
1671 {
1672 if (iface->ifindex == rta_oif)
1673 {
1674 addrs = iface->addrs->create_iterator(
1675 iface->addrs, TRUE);
1676 while (addrs->iterate(addrs, (void**)&addr))
1677 {
1678 chunk_t ip = addr->ip->get_address(addr->ip);
1679 if (msg->rtm_dst_len == 0
1680 || addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
1681 {
1682 DESTROY_IF(src);
1683 src = addr->ip->clone(addr->ip);
1684 break;
1685 }
1686 }
1687 addrs->destroy(addrs);
1688 }
1689 }
1690 ifaces->destroy(ifaces);
1691 }
1692 }
1693 /* FALL through */
1694 }
1695 default:
1696 current = NLMSG_NEXT(current, len);
1697 continue;
1698 }
1699 break;
1700 }
1701 free(out);
1702
1703 if (nexthop)
1704 {
1705 if (gtw)
1706 {
1707 return gtw;
1708 }
1709 return dest->clone(dest);
1710 }
1711 return src;
1712 }
1713
1714 /**
1715 * Implementation of kernel_interface_t.get_source_addr.
1716 */
1717 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1718 {
1719 return get_route(this, dest, FALSE);
1720 }
1721
1722 /**
1723 * Implementation of kernel_interface_t.add_ip.
1724 */
1725 static status_t add_ip(private_kernel_interface_t *this,
1726 host_t *virtual_ip, host_t *iface_ip)
1727 {
1728 iface_entry_t *iface;
1729 addr_entry_t *addr;
1730 iterator_t *addrs, *ifaces;
1731 int ifindex;
1732
1733 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1734
1735 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1736 while (ifaces->iterate(ifaces, (void**)&iface))
1737 {
1738 bool iface_found = FALSE;
1739
1740 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1741 while (addrs->iterate(addrs, (void**)&addr))
1742 {
1743 if (iface_ip->ip_equals(iface_ip, addr->ip))
1744 {
1745 iface_found = TRUE;
1746 }
1747 else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1748 {
1749 addr->refcount++;
1750 DBG2(DBG_KNL, "virtual IP %H already installed on %s",
1751 virtual_ip, iface->ifname);
1752 addrs->destroy(addrs);
1753 ifaces->destroy(ifaces);
1754 return SUCCESS;
1755 }
1756 }
1757 addrs->destroy(addrs);
1758
1759 if (iface_found)
1760 {
1761 ifindex = iface->ifindex;
1762 addr = malloc_thing(addr_entry_t);
1763 addr->ip = virtual_ip->clone(virtual_ip);
1764 addr->refcount = 0;
1765 addr->virtual = TRUE;
1766 addr->scope = RT_SCOPE_UNIVERSE;
1767 iface->addrs->insert_last(iface->addrs, addr);
1768
1769 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1770 ifindex, virtual_ip) == SUCCESS)
1771 {
1772 while (get_vip_refcount(this, virtual_ip) == 0)
1773 { /* wait until address appears */
1774 pthread_cond_wait(&this->cond, &this->mutex);
1775 }
1776 ifaces->destroy(ifaces);
1777 return SUCCESS;
1778 }
1779 ifaces->destroy(ifaces);
1780 DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1781 return FAILED;
1782 }
1783 }
1784 ifaces->destroy(ifaces);
1785
1786 DBG1(DBG_KNL, "interface address %H not found, unable to install"
1787 "virtual IP %H", iface_ip, virtual_ip);
1788 return FAILED;
1789 }
1790
1791 /**
1792 * Implementation of kernel_interface_t.del_ip.
1793 */
1794 static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
1795 {
1796 iface_entry_t *iface;
1797 addr_entry_t *addr;
1798 iterator_t *addrs, *ifaces;
1799 status_t status;
1800 int ifindex;
1801
1802 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1803
1804 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1805 while (ifaces->iterate(ifaces, (void**)&iface))
1806 {
1807 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1808 while (addrs->iterate(addrs, (void**)&addr))
1809 {
1810 if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1811 {
1812 ifindex = iface->ifindex;
1813 if (addr->refcount == 1)
1814 {
1815 status = manage_ipaddr(this, RTM_DELADDR, 0,
1816 ifindex, virtual_ip);
1817 if (status == SUCCESS)
1818 { /* wait until the address is really gone */
1819 while (get_vip_refcount(this, virtual_ip) > 0)
1820 {
1821 pthread_cond_wait(&this->cond, &this->mutex);
1822 }
1823 }
1824 addrs->destroy(addrs);
1825 ifaces->destroy(ifaces);
1826 return status;
1827 }
1828 else
1829 {
1830 addr->refcount--;
1831 }
1832 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1833 virtual_ip);
1834 addrs->destroy(addrs);
1835 ifaces->destroy(ifaces);
1836 return SUCCESS;
1837 }
1838 }
1839 addrs->destroy(addrs);
1840 }
1841 ifaces->destroy(ifaces);
1842
1843 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1844 return FAILED;
1845 }
1846
1847 /**
1848 * Get an SPI for a specific protocol from the kernel.
1849 */
1850 static status_t get_spi_internal(private_kernel_interface_t *this,
1851 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
1852 u_int32_t reqid, u_int32_t *spi)
1853 {
1854 unsigned char request[BUFFER_SIZE];
1855 struct nlmsghdr *hdr, *out;
1856 struct xfrm_userspi_info *userspi;
1857 u_int32_t received_spi = 0;
1858 size_t len;
1859
1860 memset(&request, 0, sizeof(request));
1861
1862 hdr = (struct nlmsghdr*)request;
1863 hdr->nlmsg_flags = NLM_F_REQUEST;
1864 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1865 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1866
1867 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1868 host2xfrm(src, &userspi->info.saddr);
1869 host2xfrm(dst, &userspi->info.id.daddr);
1870 userspi->info.id.proto = proto;
1871 userspi->info.mode = TRUE; /* tunnel mode */
1872 userspi->info.reqid = reqid;
1873 userspi->info.family = src->get_family(src);
1874 userspi->min = min;
1875 userspi->max = max;
1876
1877 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1878 {
1879 hdr = out;
1880 while (NLMSG_OK(hdr, len))
1881 {
1882 switch (hdr->nlmsg_type)
1883 {
1884 case XFRM_MSG_NEWSA:
1885 {
1886 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1887 received_spi = usersa->id.spi;
1888 break;
1889 }
1890 case NLMSG_ERROR:
1891 {
1892 struct nlmsgerr *err = NLMSG_DATA(hdr);
1893
1894 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1895 strerror(-err->error), -err->error);
1896 break;
1897 }
1898 default:
1899 hdr = NLMSG_NEXT(hdr, len);
1900 continue;
1901 case NLMSG_DONE:
1902 break;
1903 }
1904 break;
1905 }
1906 free(out);
1907 }
1908
1909 if (received_spi == 0)
1910 {
1911 return FAILED;
1912 }
1913
1914 *spi = received_spi;
1915 return SUCCESS;
1916 }
1917
1918 /**
1919 * Implementation of kernel_interface_t.get_spi.
1920 */
1921 static status_t get_spi(private_kernel_interface_t *this,
1922 host_t *src, host_t *dst,
1923 protocol_id_t protocol, u_int32_t reqid,
1924 u_int32_t *spi)
1925 {
1926 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1927
1928 if (get_spi_internal(this, src, dst,
1929 (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH,
1930 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
1931 {
1932 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1933 return FAILED;
1934 }
1935
1936 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", *spi, reqid);
1937
1938 return SUCCESS;
1939 }
1940
1941 /**
1942 * Implementation of kernel_interface_t.get_cpi.
1943 */
1944 static status_t get_cpi(private_kernel_interface_t *this,
1945 host_t *src, host_t *dst,
1946 u_int32_t reqid, u_int16_t *cpi)
1947 {
1948 u_int32_t received_spi = 0;
1949 DBG2(DBG_KNL, "getting CPI for reqid %d", reqid);
1950
1951 if (get_spi_internal(this, src, dst,
1952 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
1953 {
1954 DBG1(DBG_KNL, "unable to get CPI for reqid %d", reqid);
1955 return FAILED;
1956 }
1957
1958 *cpi = htons((u_int16_t)ntohl(received_spi));
1959
1960 DBG2(DBG_KNL, "got CPI 0x%x for reqid %d", *cpi, reqid);
1961
1962 return SUCCESS;
1963 }
1964
1965 /**
1966 * Implementation of kernel_interface_t.add_sa.
1967 */
1968 static status_t add_sa(private_kernel_interface_t *this,
1969 host_t *src, host_t *dst, u_int32_t spi,
1970 protocol_id_t protocol, u_int32_t reqid,
1971 u_int64_t expire_soft, u_int64_t expire_hard,
1972 u_int16_t enc_alg, u_int16_t enc_size,
1973 u_int16_t int_alg, u_int16_t int_size,
1974 prf_plus_t *prf_plus, mode_t mode,
1975 u_int16_t ipcomp, bool encap,
1976 bool replace)
1977 {
1978 unsigned char request[BUFFER_SIZE];
1979 char *alg_name;
1980 u_int16_t add_keymat = 32; /* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
1981 struct nlmsghdr *hdr;
1982 struct xfrm_usersa_info *sa;
1983
1984 memset(&request, 0, sizeof(request));
1985
1986 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x and reqid %d", spi, reqid);
1987
1988 hdr = (struct nlmsghdr*)request;
1989 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1990 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1991 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1992
1993 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1994 host2xfrm(src, &sa->saddr);
1995 host2xfrm(dst, &sa->id.daddr);
1996 sa->id.spi = spi;
1997 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
1998 sa->family = src->get_family(src);
1999 sa->mode = mode;
2000 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
2001 sa->reqid = reqid;
2002 /* we currently do not expire SAs by volume/packet count */
2003 sa->lft.soft_byte_limit = XFRM_INF;
2004 sa->lft.hard_byte_limit = XFRM_INF;
2005 sa->lft.soft_packet_limit = XFRM_INF;
2006 sa->lft.hard_packet_limit = XFRM_INF;
2007 /* we use lifetimes since added, not since used */
2008 sa->lft.soft_add_expires_seconds = expire_soft;
2009 sa->lft.hard_add_expires_seconds = expire_hard;
2010 sa->lft.soft_use_expires_seconds = 0;
2011 sa->lft.hard_use_expires_seconds = 0;
2012
2013 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
2014
2015 switch (enc_alg)
2016 {
2017 case ENCR_UNDEFINED:
2018 /* no encryption */
2019 break;
2020 case ENCR_AES_CCM_ICV8:
2021 case ENCR_AES_CCM_ICV12:
2022 case ENCR_AES_CCM_ICV16:
2023 /* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
2024 add_keymat = 24;
2025 /* fall-through */
2026 case ENCR_AES_GCM_ICV8:
2027 case ENCR_AES_GCM_ICV12:
2028 case ENCR_AES_GCM_ICV16:
2029 {
2030 u_int16_t icv_size = 0;
2031 rthdr->rta_type = XFRMA_ALG_AEAD;
2032 alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
2033 if (alg_name == NULL)
2034 {
2035 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2036 encryption_algorithm_names, enc_alg);
2037 return FAILED;
2038 }
2039 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2040 encryption_algorithm_names, enc_alg, enc_size);
2041
2042 /* additional KEYMAT required */
2043 enc_size += add_keymat;
2044
2045 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
2046 hdr->nlmsg_len += rthdr->rta_len;
2047 if (hdr->nlmsg_len > sizeof(request))
2048 {
2049 return FAILED;
2050 }
2051
2052 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
2053 algo->alg_key_len = enc_size;
2054 algo->alg_icv_len = icv_size;
2055 strcpy(algo->alg_name, alg_name);
2056 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2057
2058 rthdr = XFRM_RTA_NEXT(rthdr);
2059 break;
2060 }
2061 default:
2062 {
2063 rthdr->rta_type = XFRMA_ALG_CRYPT;
2064 alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
2065 if (alg_name == NULL)
2066 {
2067 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2068 encryption_algorithm_names, enc_alg);
2069 return FAILED;
2070 }
2071 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2072 encryption_algorithm_names, enc_alg, enc_size);
2073
2074 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
2075 hdr->nlmsg_len += rthdr->rta_len;
2076 if (hdr->nlmsg_len > sizeof(request))
2077 {
2078 return FAILED;
2079 }
2080
2081 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2082 algo->alg_key_len = enc_size;
2083 strcpy(algo->alg_name, alg_name);
2084 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2085
2086 rthdr = XFRM_RTA_NEXT(rthdr);
2087 break;
2088 }
2089 }
2090
2091 if (int_alg != AUTH_UNDEFINED)
2092 {
2093 rthdr->rta_type = XFRMA_ALG_AUTH;
2094 alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
2095 if (alg_name == NULL)
2096 {
2097 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2098 integrity_algorithm_names, int_alg);
2099 return FAILED;
2100 }
2101 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
2102 integrity_algorithm_names, int_alg, int_size);
2103
2104 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
2105 hdr->nlmsg_len += rthdr->rta_len;
2106 if (hdr->nlmsg_len > sizeof(request))
2107 {
2108 return FAILED;
2109 }
2110
2111 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2112 algo->alg_key_len = int_size;
2113 strcpy(algo->alg_name, alg_name);
2114 prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
2115
2116 rthdr = XFRM_RTA_NEXT(rthdr);
2117 }
2118
2119 if (ipcomp != IPCOMP_NONE)
2120 {
2121 rthdr->rta_type = XFRMA_ALG_COMP;
2122 alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
2123 if (alg_name == NULL)
2124 {
2125 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2126 ipcomp_transform_names, ipcomp);
2127 return FAILED;
2128 }
2129 DBG2(DBG_KNL, " using compression algorithm %N",
2130 ipcomp_transform_names, ipcomp);
2131
2132 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
2133 hdr->nlmsg_len += rthdr->rta_len;
2134 if (hdr->nlmsg_len > sizeof(request))
2135 {
2136 return FAILED;
2137 }
2138
2139 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2140 algo->alg_key_len = 0;
2141 strcpy(algo->alg_name, alg_name);
2142
2143 rthdr = XFRM_RTA_NEXT(rthdr);
2144 }
2145
2146 if (encap)
2147 {
2148 rthdr->rta_type = XFRMA_ENCAP;
2149 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2150
2151 hdr->nlmsg_len += rthdr->rta_len;
2152 if (hdr->nlmsg_len > sizeof(request))
2153 {
2154 return FAILED;
2155 }
2156
2157 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
2158 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2159 tmpl->encap_sport = htons(src->get_port(src));
2160 tmpl->encap_dport = htons(dst->get_port(dst));
2161 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2162 /* encap_oa could probably be derived from the
2163 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
2164 * pluto does the same as we do here but it uses encap_oa in the
2165 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
2166 * the kernel ignores it anyway
2167 * -> does that mean that NAT-T encap doesn't work in transport mode?
2168 * No. The reason the kernel ignores NAT-OA is that it recomputes
2169 * (or, rather, just ignores) the checksum. If packets pass
2170 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
2171 rthdr = XFRM_RTA_NEXT(rthdr);
2172 }
2173
2174 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2175 {
2176 DBG1(DBG_KNL, "unable to add SAD entry with SPI 0x%x", spi);
2177 return FAILED;
2178 }
2179 return SUCCESS;
2180 }
2181
2182 /**
2183 * Implementation of kernel_interface_t.update_sa.
2184 */
2185 static status_t update_sa(private_kernel_interface_t *this,
2186 u_int32_t spi, protocol_id_t protocol,
2187 host_t *src, host_t *dst,
2188 host_t *new_src, host_t *new_dst, bool encap)
2189 {
2190 unsigned char request[BUFFER_SIZE], *pos;
2191 struct nlmsghdr *hdr, *out = NULL;
2192 struct xfrm_usersa_id *sa_id;
2193 struct xfrm_usersa_info *out_sa = NULL, *sa;
2194 size_t len;
2195 struct rtattr *rta;
2196 size_t rtasize;
2197 struct xfrm_encap_tmpl* tmpl = NULL;
2198
2199 memset(&request, 0, sizeof(request));
2200
2201 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x for update", spi);
2202
2203 /* query the exisiting SA first */
2204 hdr = (struct nlmsghdr*)request;
2205 hdr->nlmsg_flags = NLM_F_REQUEST;
2206 hdr->nlmsg_type = XFRM_MSG_GETSA;
2207 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2208
2209 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2210 host2xfrm(dst, &sa_id->daddr);
2211 sa_id->spi = spi;
2212 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
2213 sa_id->family = dst->get_family(dst);
2214
2215 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2216 {
2217 hdr = out;
2218 while (NLMSG_OK(hdr, len))
2219 {
2220 switch (hdr->nlmsg_type)
2221 {
2222 case XFRM_MSG_NEWSA:
2223 {
2224 out_sa = NLMSG_DATA(hdr);
2225 break;
2226 }
2227 case NLMSG_ERROR:
2228 {
2229 struct nlmsgerr *err = NLMSG_DATA(hdr);
2230 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2231 strerror(-err->error), -err->error);
2232 break;
2233 }
2234 default:
2235 hdr = NLMSG_NEXT(hdr, len);
2236 continue;
2237 case NLMSG_DONE:
2238 break;
2239 }
2240 break;
2241 }
2242 }
2243 if (out_sa == NULL ||
2244 this->public.del_sa(&this->public, dst, spi, protocol) != SUCCESS)
2245 {
2246 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
2247 free(out);
2248 return FAILED;
2249 }
2250
2251 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x from %#H..%#H to %#H..%#H",
2252 spi, src, dst, new_src, new_dst);
2253
2254 /* copy over the SA from out to request */
2255 hdr = (struct nlmsghdr*)request;
2256 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
2257 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2258 hdr->nlmsg_type = XFRM_MSG_NEWSA;
2259 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2260 sa = NLMSG_DATA(hdr);
2261 sa->family = new_dst->get_family(new_dst);
2262
2263 if (!src->ip_equals(src, new_src))
2264 {
2265 host2xfrm(new_src, &sa->saddr);
2266 }
2267 if (!dst->ip_equals(dst, new_dst))
2268 {
2269 host2xfrm(new_dst, &sa->id.daddr);
2270 }
2271
2272 rta = XFRM_RTA(out, struct xfrm_usersa_info);
2273 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
2274 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
2275 while(RTA_OK(rta, rtasize))
2276 {
2277 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
2278 if (rta->rta_type != XFRMA_ENCAP || encap)
2279 {
2280 if (rta->rta_type == XFRMA_ENCAP)
2281 { /* update encap tmpl */
2282 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2283 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2284 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2285 }
2286 memcpy(pos, rta, rta->rta_len);
2287 pos += rta->rta_len;
2288 hdr->nlmsg_len += rta->rta_len;
2289 }
2290 rta = RTA_NEXT(rta, rtasize);
2291 }
2292 if (tmpl == NULL && encap)
2293 { /* add tmpl if we are enabling it */
2294 rta = (struct rtattr*)pos;
2295 rta->rta_type = XFRMA_ENCAP;
2296 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2297 hdr->nlmsg_len += rta->rta_len;
2298 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2299 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2300 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2301 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2302 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2303 }
2304
2305 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2306 {
2307 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
2308 free(out);
2309 return FAILED;
2310 }
2311 free(out);
2312
2313 return SUCCESS;
2314 }
2315
2316 /**
2317 * Implementation of kernel_interface_t.query_sa.
2318 */
2319 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
2320 u_int32_t spi, protocol_id_t protocol,
2321 u_int32_t *use_time)
2322 {
2323 unsigned char request[BUFFER_SIZE];
2324 struct nlmsghdr *out = NULL, *hdr;
2325 struct xfrm_usersa_id *sa_id;
2326 struct xfrm_usersa_info *sa = NULL;
2327 size_t len;
2328
2329 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
2330 memset(&request, 0, sizeof(request));
2331
2332 hdr = (struct nlmsghdr*)request;
2333 hdr->nlmsg_flags = NLM_F_REQUEST;
2334 hdr->nlmsg_type = XFRM_MSG_GETSA;
2335 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2336
2337 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2338 host2xfrm(dst, &sa_id->daddr);
2339 sa_id->spi = spi;
2340 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
2341 sa_id->family = dst->get_family(dst);
2342
2343 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2344 {
2345 hdr = out;
2346 while (NLMSG_OK(hdr, len))
2347 {
2348 switch (hdr->nlmsg_type)
2349 {
2350 case XFRM_MSG_NEWSA:
2351 {
2352 sa = NLMSG_DATA(hdr);
2353 break;
2354 }
2355 case NLMSG_ERROR:
2356 {
2357 struct nlmsgerr *err = NLMSG_DATA(hdr);
2358 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2359 strerror(-err->error), -err->error);
2360 break;
2361 }
2362 default:
2363 hdr = NLMSG_NEXT(hdr, len);
2364 continue;
2365 case NLMSG_DONE:
2366 break;
2367 }
2368 break;
2369 }
2370 }
2371
2372 if (sa == NULL)
2373 {
2374 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
2375 free(out);
2376 return FAILED;
2377 }
2378
2379 *use_time = sa->curlft.use_time;
2380 free (out);
2381 return SUCCESS;
2382 }
2383
2384 /**
2385 * Implementation of kernel_interface_t.del_sa.
2386 */
2387 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
2388 u_int32_t spi, protocol_id_t protocol)
2389 {
2390 unsigned char request[BUFFER_SIZE];
2391 struct nlmsghdr *hdr;
2392 struct xfrm_usersa_id *sa_id;
2393
2394 memset(&request, 0, sizeof(request));
2395
2396 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
2397
2398 hdr = (struct nlmsghdr*)request;
2399 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2400 hdr->nlmsg_type = XFRM_MSG_DELSA;
2401 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2402
2403 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2404 host2xfrm(dst, &sa_id->daddr);
2405 sa_id->spi = spi;
2406 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
2407 sa_id->family = dst->get_family(dst);
2408
2409 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2410 {
2411 DBG1(DBG_KNL, "unable to delete SAD entry with SPI 0x%x", spi);
2412 return FAILED;
2413 }
2414 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
2415 return SUCCESS;
2416 }
2417
2418 /**
2419 * Implementation of kernel_interface_t.add_policy.
2420 */
2421 static status_t add_policy(private_kernel_interface_t *this,
2422 host_t *src, host_t *dst,
2423 traffic_selector_t *src_ts,
2424 traffic_selector_t *dst_ts,
2425 policy_dir_t direction, protocol_id_t protocol,
2426 u_int32_t reqid, bool high_prio, mode_t mode,
2427 u_int16_t ipcomp)
2428 {
2429 iterator_t *iterator;
2430 policy_entry_t *current, *policy;
2431 bool found = FALSE;
2432 unsigned char request[BUFFER_SIZE];
2433 struct xfrm_userpolicy_info *policy_info;
2434 struct nlmsghdr *hdr;
2435
2436 /* create a policy */
2437 policy = malloc_thing(policy_entry_t);
2438 memset(policy, 0, sizeof(policy_entry_t));
2439 policy->sel = ts2selector(src_ts, dst_ts);
2440 policy->direction = direction;
2441
2442 /* find the policy, which matches EXACTLY */
2443 pthread_mutex_lock(&this->mutex);
2444 iterator = this->policies->create_iterator(this->policies, TRUE);
2445 while (iterator->iterate(iterator, (void**)&current))
2446 {
2447 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
2448 policy->direction == current->direction)
2449 {
2450 /* use existing policy */
2451 current->refcount++;
2452 DBG2(DBG_KNL, "policy %R===%R already exists, increasing "
2453 "refcount", src_ts, dst_ts);
2454 free(policy);
2455 policy = current;
2456 found = TRUE;
2457 break;
2458 }
2459 }
2460 iterator->destroy(iterator);
2461 if (!found)
2462 { /* apply the new one, if we have no such policy */
2463 this->policies->insert_last(this->policies, policy);
2464 policy->refcount = 1;
2465 }
2466
2467 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
2468
2469 memset(&request, 0, sizeof(request));
2470 hdr = (struct nlmsghdr*)request;
2471 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2472 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2473 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2474
2475 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2476 policy_info->sel = policy->sel;
2477 policy_info->dir = policy->direction;
2478 /* calculate priority based on source selector size, small size = high prio */
2479 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2480 policy_info->priority -= policy->sel.prefixlen_s * 10;
2481 policy_info->priority -= policy->sel.proto ? 2 : 0;
2482 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2483 policy_info->action = XFRM_POLICY_ALLOW;
2484 policy_info->share = XFRM_SHARE_ANY;
2485 pthread_mutex_unlock(&this->mutex);
2486
2487 /* policies don't expire */
2488 policy_info->lft.soft_byte_limit = XFRM_INF;
2489 policy_info->lft.soft_packet_limit = XFRM_INF;
2490 policy_info->lft.hard_byte_limit = XFRM_INF;
2491 policy_info->lft.hard_packet_limit = XFRM_INF;
2492 policy_info->lft.soft_add_expires_seconds = 0;
2493 policy_info->lft.hard_add_expires_seconds = 0;
2494 policy_info->lft.soft_use_expires_seconds = 0;
2495 policy_info->lft.hard_use_expires_seconds = 0;
2496
2497 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2498 rthdr->rta_type = XFRMA_TMPL;
2499 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2500
2501 hdr->nlmsg_len += rthdr->rta_len;
2502 if (hdr->nlmsg_len > sizeof(request))
2503 {
2504 return FAILED;
2505 }
2506
2507 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2508
2509 if (ipcomp != IPCOMP_NONE)
2510 {
2511 tmpl->reqid = reqid;
2512 tmpl->id.proto = IPPROTO_COMP;
2513 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2514 tmpl->mode = mode;
2515 tmpl->optional = direction != POLICY_OUT;
2516 tmpl->family = src->get_family(src);
2517
2518 host2xfrm(src, &tmpl->saddr);
2519 host2xfrm(dst, &tmpl->id.daddr);
2520
2521 /* add an additional xfrm_user_tmpl */
2522 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2523 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2524 if (hdr->nlmsg_len > sizeof(request))
2525 {
2526 return FAILED;
2527 }
2528
2529 tmpl++;
2530 }
2531
2532 tmpl->reqid = reqid;
2533 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
2534 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2535 tmpl->mode = mode;
2536 tmpl->family = src->get_family(src);
2537
2538 host2xfrm(src, &tmpl->saddr);
2539 host2xfrm(dst, &tmpl->id.daddr);
2540
2541 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2542 {
2543 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
2544 return FAILED;
2545 }
2546
2547 /* install a route, if:
2548 * - we are NOT updating a policy
2549 * - this is a forward policy (to just get one for each child)
2550 * - we are in tunnel mode
2551 * - we are not using IPv6 (does not work correctly yet!)
2552 * - routing is not disabled via strongswan.conf
2553 */
2554 if (policy->route == NULL && direction == POLICY_FWD &&
2555 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
2556 this->install_routes)
2557 {
2558 policy->route = malloc_thing(route_entry_t);
2559 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2560 {
2561 /* get the nexthop to src (src as we are in POLICY_FWD).*/
2562 policy->route->gateway = get_route(this, src, TRUE);
2563 policy->route->if_index = get_interface_index(this, dst);
2564 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2565 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
2566 policy->route->prefixlen = policy->sel.prefixlen_s;
2567
2568 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
2569 policy->route) != SUCCESS)
2570 {
2571 DBG1(DBG_KNL, "unable to install source route for %H",
2572 policy->route->src_ip);
2573 route_entry_destroy(policy->route);
2574 policy->route = NULL;
2575 }
2576 }
2577 else
2578 {
2579 free(policy->route);
2580 policy->route = NULL;
2581 }
2582 }
2583
2584 return SUCCESS;
2585 }
2586
2587 /**
2588 * Implementation of kernel_interface_t.query_policy.
2589 */
2590 static status_t query_policy(private_kernel_interface_t *this,
2591 traffic_selector_t *src_ts,
2592 traffic_selector_t *dst_ts,
2593 policy_dir_t direction, u_int32_t *use_time)
2594 {
2595 unsigned char request[BUFFER_SIZE];
2596 struct nlmsghdr *out = NULL, *hdr;
2597 struct xfrm_userpolicy_id *policy_id;
2598 struct xfrm_userpolicy_info *policy = NULL;
2599 size_t len;
2600
2601 memset(&request, 0, sizeof(request));
2602
2603 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
2604
2605 hdr = (struct nlmsghdr*)request;
2606 hdr->nlmsg_flags = NLM_F_REQUEST;
2607 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2608 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2609
2610 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2611 policy_id->sel = ts2selector(src_ts, dst_ts);
2612 policy_id->dir = direction;
2613
2614 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2615 {
2616 hdr = out;
2617 while (NLMSG_OK(hdr, len))
2618 {
2619 switch (hdr->nlmsg_type)
2620 {
2621 case XFRM_MSG_NEWPOLICY:
2622 {
2623 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2624 break;
2625 }
2626 case NLMSG_ERROR:
2627 {
2628 struct nlmsgerr *err = NLMSG_DATA(hdr);
2629 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2630 strerror(-err->error), -err->error);
2631 break;
2632 }
2633 default:
2634 hdr = NLMSG_NEXT(hdr, len);
2635 continue;
2636 case NLMSG_DONE:
2637 break;
2638 }
2639 break;
2640 }
2641 }
2642
2643 if (policy == NULL)
2644 {
2645 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
2646 free(out);
2647 return FAILED;
2648 }
2649 *use_time = (time_t)policy->curlft.use_time;
2650
2651 free(out);
2652 return SUCCESS;
2653 }
2654
2655 /**
2656 * Implementation of kernel_interface_t.del_policy.
2657 */
2658 static status_t del_policy(private_kernel_interface_t *this,
2659 traffic_selector_t *src_ts,
2660 traffic_selector_t *dst_ts,
2661 policy_dir_t direction)
2662 {
2663 policy_entry_t *current, policy, *to_delete = NULL;
2664 route_entry_t *route;
2665 unsigned char request[BUFFER_SIZE];
2666 struct nlmsghdr *hdr;
2667 struct xfrm_userpolicy_id *policy_id;
2668 iterator_t *iterator;
2669
2670 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
2671
2672 /* create a policy */
2673 memset(&policy, 0, sizeof(policy_entry_t));
2674 policy.sel = ts2selector(src_ts, dst_ts);
2675 policy.direction = direction;
2676
2677 /* find the policy */
2678 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2679 while (iterator->iterate(iterator, (void**)&current))
2680 {
2681 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2682 policy.direction == current->direction)
2683 {
2684 to_delete = current;
2685 if (--to_delete->refcount > 0)
2686 {
2687 /* is used by more SAs, keep in kernel */
2688 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2689 iterator->destroy(iterator);
2690 return SUCCESS;
2691 }
2692 /* remove if last reference */
2693 iterator->remove(iterator);
2694 break;
2695 }
2696 }
2697 iterator->destroy(iterator);
2698 if (!to_delete)
2699 {
2700 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
2701 return NOT_FOUND;
2702 }
2703
2704 memset(&request, 0, sizeof(request));
2705
2706 hdr = (struct nlmsghdr*)request;
2707 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2708 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2709 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2710
2711 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2712 policy_id->sel = to_delete->sel;
2713 policy_id->dir = direction;
2714
2715 route = to_delete->route;
2716 free(to_delete);
2717
2718 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2719 {
2720 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
2721 return FAILED;
2722 }
2723
2724 if (route)
2725 {
2726 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2727 {
2728 DBG1(DBG_KNL, "error uninstalling route installed with "
2729 "policy %R===%R", src_ts, dst_ts);
2730 }
2731 route_entry_destroy(route);
2732 }
2733 return SUCCESS;
2734 }
2735
2736 /**
2737 * Implementation of kernel_interface_t.destroy.
2738 */
2739 static void destroy(private_kernel_interface_t *this)
2740 {
2741 manage_rule(this, RTM_DELRULE, IPSEC_ROUTING_TABLE, IPSEC_ROUTING_TABLE_PRIO);
2742
2743 this->job->cancel(this->job);
2744 close(this->socket_xfrm_events);
2745 close(this->socket_xfrm);
2746 close(this->socket_rt_events);
2747 close(this->socket_rt);
2748 this->policies->destroy(this->policies);
2749 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
2750 free(this);
2751 }
2752
2753 /*
2754 * Described in header.
2755 */
2756 kernel_interface_t *kernel_interface_create()
2757 {
2758 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2759 struct sockaddr_nl addr;
2760
2761 /* public functions */
2762 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2763 this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
2764 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,mode_t,u_int16_t,bool,bool))add_sa;
2765 this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
2766 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2767 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2768 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,u_int16_t))add_policy;
2769 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2770 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2771 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2772 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2773 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
2774 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2775 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
2776 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2777
2778 /* private members */
2779 this->policies = linked_list_create();
2780 this->ifaces = linked_list_create();
2781 this->hiter = NULL;
2782 this->seq = 200;
2783 pthread_mutex_init(&this->mutex, NULL);
2784 pthread_mutex_init(&this->nl_mutex, NULL);
2785 pthread_cond_init(&this->cond, NULL);
2786 timerclear(&this->last_roam);
2787 this->install_routes = lib->settings->get_bool(lib->settings,
2788 "charon.install_routes", TRUE);
2789 memset(&addr, 0, sizeof(addr));
2790 addr.nl_family = AF_NETLINK;
2791
2792 /* create and bind RT socket */
2793 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2794 if (this->socket_rt <= 0)
2795 {
2796 charon->kill(charon, "unable to create RT netlink socket");
2797 }
2798 addr.nl_groups = 0;
2799 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
2800 {
2801 charon->kill(charon, "unable to bind RT netlink socket");
2802 }
2803
2804 /* create and bind RT socket for events (address/interface/route changes) */
2805 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2806 if (this->socket_rt_events <= 0)
2807 {
2808 charon->kill(charon, "unable to create RT event socket");
2809 }
2810 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
2811 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
2812 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
2813 {
2814 charon->kill(charon, "unable to bind RT event socket");
2815 }
2816
2817 /* create and bind XFRM socket */
2818 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2819 if (this->socket_xfrm <= 0)
2820 {
2821 charon->kill(charon, "unable to create XFRM netlink socket");
2822 }
2823 addr.nl_groups = 0;
2824 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
2825 {
2826 charon->kill(charon, "unable to bind XFRM netlink socket");
2827 }
2828
2829 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2830 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2831 if (this->socket_xfrm_events <= 0)
2832 {
2833 charon->kill(charon, "unable to create XFRM event socket");
2834 }
2835 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
2836 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2837 {
2838 charon->kill(charon, "unable to bind XFRM event socket");
2839 }
2840
2841 this->job = callback_job_create((callback_job_cb_t)receive_events,
2842 this, NULL, NULL);
2843 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2844
2845 if (init_address_list(this) != SUCCESS)
2846 {
2847 charon->kill(charon, "unable to get interface list");
2848 }
2849
2850 if (manage_rule(this, RTM_NEWRULE, IPSEC_ROUTING_TABLE,
2851 IPSEC_ROUTING_TABLE_PRIO) != SUCCESS)
2852 {
2853 DBG1(DBG_KNL, "unable to create routing table rule");
2854 }
2855
2856 return &this->public;
2857 }
2858