projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fixed typo
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 * Copyright (C) 2003 Herbert Xu.
9 *
10 * Based on xfrm code from pluto.
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 *
22 * $Id$
23 */
24
25 #include <sys/types.h>
26 #include <sys/socket.h>
27 #include <sys/time.h>
28 #include <linux/netlink.h>
29 #include <linux/rtnetlink.h>
30 #include <linux/xfrm.h>
31 #include <linux/udp.h>
32 #include <pthread.h>
33 #include <unistd.h>
34 #include <fcntl.h>
35 #include <errno.h>
36 #include <string.h>
37 #include <net/if.h>
38 #include <sys/ioctl.h>
39
40 #include "kernel_interface.h"
41
42 #include <daemon.h>
43 #include <utils/linked_list.h>
44 #include <processing/jobs/delete_child_sa_job.h>
45 #include <processing/jobs/rekey_child_sa_job.h>
46 #include <processing/jobs/acquire_job.h>
47 #include <processing/jobs/callback_job.h>
48 #include <processing/jobs/roam_job.h>
49
50 /** routing table for routes installed by us */
51 #ifndef IPSEC_ROUTING_TABLE
52 #define IPSEC_ROUTING_TABLE 100
53 #endif
54 #ifndef IPSEC_ROUTING_TABLE_PRIO
55 #define IPSEC_ROUTING_TABLE_PRIO 100
56 #endif
57
58 /** kernel level protocol identifiers */
59 #define KERNEL_ESP 50
60 #define KERNEL_AH 51
61
62 /** default priority of installed policies */
63 #define PRIO_LOW 3000
64 #define PRIO_HIGH 2000
65
66 /** delay before firing roam jobs (ms) */
67 #define ROAM_DELAY 100
68
69 #define BUFFER_SIZE 1024
70
71 /**
72 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
73 * 'usual' netlink data x like 'struct xfrm_usersa_info'
74 */
75 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
76 /**
77 * returns a pointer to the next rtattr following rta.
78 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
79 */
80 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
81 /**
82 * returns the total size of attached rta data
83 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
84 */
85 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
86
87 typedef struct kernel_algorithm_t kernel_algorithm_t;
88
89 /**
90 * Mapping from the algorithms defined in IKEv2 to
91 * kernel level algorithm names and their key length
92 */
93 struct kernel_algorithm_t {
94 /**
95 * Identifier specified in IKEv2
96 */
97 int ikev2_id;
98
99 /**
100 * Name of the algorithm, as used as kernel identifier
101 */
102 char *name;
103
104 /**
105 * Key length in bits, if fixed size
106 */
107 u_int key_size;
108 };
109 #define END_OF_LIST -1
110
111 /**
112 * Algorithms for encryption
113 */
114 static kernel_algorithm_t encryption_algs[] = {
115 /* {ENCR_DES_IV64, "***", 0}, */
116 {ENCR_DES, "des", 64},
117 {ENCR_3DES, "des3_ede", 192},
118 /* {ENCR_RC5, "***", 0}, */
119 /* {ENCR_IDEA, "***", 0}, */
120 {ENCR_CAST, "cast128", 0},
121 {ENCR_BLOWFISH, "blowfish", 0},
122 /* {ENCR_3IDEA, "***", 0}, */
123 /* {ENCR_DES_IV32, "***", 0}, */
124 {ENCR_NULL, "cipher_null", 0},
125 {ENCR_AES_CBC, "aes", 0},
126 /* {ENCR_AES_CTR, "***", 0}, */
127 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))", 64}, /* key_size = ICV size */
128 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))", 96}, /* key_size = ICV size */
129 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))", 128}, /* key_size = ICV size */
130 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))", 64}, /* key_size = ICV size */
131 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))", 96}, /* key_size = ICV size */
132 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))", 128}, /* key_size = ICV size */
133 {END_OF_LIST, NULL, 0},
134 };
135
136 /**
137 * Algorithms for integrity protection
138 */
139 static kernel_algorithm_t integrity_algs[] = {
140 {AUTH_HMAC_MD5_96, "md5", 128},
141 {AUTH_HMAC_SHA1_96, "sha1", 160},
142 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
143 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
144 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
145 /* {AUTH_DES_MAC, "***", 0}, */
146 /* {AUTH_KPDK_MD5, "***", 0}, */
147 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
148 {END_OF_LIST, NULL, 0},
149 };
150
151 /**
152 * Algorithms for IPComp
153 */
154 static kernel_algorithm_t compression_algs[] = {
155 /* {IPCOMP_OUI, "***", 0}, */
156 {IPCOMP_DEFLATE, "deflate", 0},
157 {IPCOMP_LZS, "lzs", 0},
158 {IPCOMP_LZJH, "lzjh", 0},
159 {END_OF_LIST, NULL, 0},
160 };
161
162 /**
163 * Look up a kernel algorithm name and its key size
164 */
165 static char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
166 u_int16_t ikev2_algo, u_int16_t *key_size)
167 {
168 while (kernel_algo->ikev2_id != END_OF_LIST)
169 {
170 if (ikev2_algo == kernel_algo->ikev2_id)
171 {
172 /* match, evaluate key length */
173 if (key_size && *key_size == 0)
174 { /* update key size if not set */
175 *key_size = kernel_algo->key_size;
176 }
177 return kernel_algo->name;
178 }
179 kernel_algo++;
180 }
181 return NULL;
182 }
183
184 typedef struct route_entry_t route_entry_t;
185
186 /**
187 * installed routing entry
188 */
189 struct route_entry_t {
190
191 /** Index of the interface the route is bound to */
192 int if_index;
193
194 /** Source ip of the route */
195 host_t *src_ip;
196
197 /** gateway for this route */
198 host_t *gateway;
199
200 /** Destination net */
201 chunk_t dst_net;
202
203 /** Destination net prefixlen */
204 u_int8_t prefixlen;
205 };
206
207 /**
208 * destroy an route_entry_t object
209 */
210 static void route_entry_destroy(route_entry_t *this)
211 {
212 this->src_ip->destroy(this->src_ip);
213 this->gateway->destroy(this->gateway);
214 chunk_free(&this->dst_net);
215 free(this);
216 }
217
218 typedef struct policy_entry_t policy_entry_t;
219
220 /**
221 * installed kernel policy.
222 */
223 struct policy_entry_t {
224
225 /** direction of this policy: in, out, forward */
226 u_int8_t direction;
227
228 /** reqid of the policy */
229 u_int32_t reqid;
230
231 /** parameters of installed policy */
232 struct xfrm_selector sel;
233
234 /** associated route installed for this policy */
235 route_entry_t *route;
236
237 /** by how many CHILD_SA's this policy is used */
238 u_int refcount;
239 };
240
241 typedef struct addr_entry_t addr_entry_t;
242
243 /**
244 * IP address in an inface_entry_t
245 */
246 struct addr_entry_t {
247
248 /** The ip address */
249 host_t *ip;
250
251 /** virtual IP managed by us */
252 bool virtual;
253
254 /** scope of the address */
255 u_char scope;
256
257 /** Number of times this IP is used, if virtual */
258 u_int refcount;
259 };
260
261 /**
262 * destroy a addr_entry_t object
263 */
264 static void addr_entry_destroy(addr_entry_t *this)
265 {
266 this->ip->destroy(this->ip);
267 free(this);
268 }
269
270 typedef struct iface_entry_t iface_entry_t;
271
272 /**
273 * A network interface on this system, containing addr_entry_t's
274 */
275 struct iface_entry_t {
276
277 /** interface index */
278 int ifindex;
279
280 /** name of the interface */
281 char ifname[IFNAMSIZ];
282
283 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
284 u_int flags;
285
286 /** list of addresses as host_t */
287 linked_list_t *addrs;
288 };
289
290 /**
291 * destroy an interface entry
292 */
293 static void iface_entry_destroy(iface_entry_t *this)
294 {
295 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
296 free(this);
297 }
298
299 typedef struct private_kernel_interface_t private_kernel_interface_t;
300
301 /**
302 * Private variables and functions of kernel_interface class.
303 */
304 struct private_kernel_interface_t {
305 /**
306 * Public part of the kernel_interface_t object.
307 */
308 kernel_interface_t public;
309
310 /**
311 * mutex to lock access to netlink socket
312 */
313 pthread_mutex_t nl_mutex;
314
315 /**
316 * mutex to lock access to various lists
317 */
318 pthread_mutex_t mutex;
319
320 /**
321 * condition variable to signal virtual IP add/removal
322 */
323 pthread_cond_t cond;
324
325 /**
326 * List of installed policies (policy_entry_t)
327 */
328 linked_list_t *policies;
329
330 /**
331 * Cached list of interfaces and its adresses (iface_entry_t)
332 */
333 linked_list_t *ifaces;
334
335 /**
336 * iterator used in hook()
337 */
338 iterator_t *hiter;
339
340 /**
341 * job receiving netlink events
342 */
343 callback_job_t *job;
344
345 /**
346 * current sequence number for netlink request
347 */
348 int seq;
349
350 /**
351 * Netlink xfrm socket (IPsec)
352 */
353 int socket_xfrm;
354
355 /**
356 * netlink xfrm socket to receive acquire and expire events
357 */
358 int socket_xfrm_events;
359
360 /**
361 * Netlink rt socket (routing)
362 */
363 int socket_rt;
364
365 /**
366 * Netlink rt socket to receive address change events
367 */
368 int socket_rt_events;
369
370 /**
371 * time of the last roam_job
372 */
373 struct timeval last_roam;
374 };
375
376 /**
377 * convert a host_t to a struct xfrm_address
378 */
379 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
380 {
381 chunk_t chunk = host->get_address(host);
382 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
383 }
384
385 /**
386 * convert a traffic selector address range to subnet and its mask.
387 */
388 static void ts2subnet(traffic_selector_t* ts,
389 xfrm_address_t *net, u_int8_t *mask)
390 {
391 /* there is no way to do this cleanly, as the address range may
392 * be anything else but a subnet. We use from_addr as subnet
393 * and try to calculate a usable subnet mask.
394 */
395 int byte, bit;
396 bool found = FALSE;
397 chunk_t from, to;
398 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
399
400 from = ts->get_from_address(ts);
401 to = ts->get_to_address(ts);
402
403 *mask = (size * 8);
404 /* go trough all bits of the addresses, beginning in the front.
405 * as long as they are equal, the subnet gets larger
406 */
407 for (byte = 0; byte < size; byte++)
408 {
409 for (bit = 7; bit >= 0; bit--)
410 {
411 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
412 {
413 *mask = ((7 - bit) + (byte * 8));
414 found = TRUE;
415 break;
416 }
417 }
418 if (found)
419 {
420 break;
421 }
422 }
423 memcpy(net, from.ptr, from.len);
424 chunk_free(&from);
425 chunk_free(&to);
426 }
427
428 /**
429 * convert a traffic selector port range to port/portmask
430 */
431 static void ts2ports(traffic_selector_t* ts,
432 u_int16_t *port, u_int16_t *mask)
433 {
434 /* linux does not seem to accept complex portmasks. Only
435 * any or a specific port is allowed. We set to any, if we have
436 * a port range, or to a specific, if we have one port only.
437 */
438 u_int16_t from, to;
439
440 from = ts->get_from_port(ts);
441 to = ts->get_to_port(ts);
442
443 if (from == to)
444 {
445 *port = htons(from);
446 *mask = ~0;
447 }
448 else
449 {
450 *port = 0;
451 *mask = 0;
452 }
453 }
454
455 /**
456 * convert a pair of traffic_selectors to a xfrm_selector
457 */
458 static struct xfrm_selector ts2selector(traffic_selector_t *src,
459 traffic_selector_t *dst)
460 {
461 struct xfrm_selector sel;
462
463 memset(&sel, 0, sizeof(sel));
464 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
465 /* src or dest proto may be "any" (0), use more restrictive one */
466 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
467 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
468 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
469 ts2ports(dst, &sel.dport, &sel.dport_mask);
470 ts2ports(src, &sel.sport, &sel.sport_mask);
471 sel.ifindex = 0;
472 sel.user = 0;
473
474 return sel;
475 }
476
477 /**
478 * Creates an rtattr and adds it to the netlink message
479 */
480 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
481 size_t buflen)
482 {
483 struct rtattr *rta;
484
485 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
486 {
487 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
488 return;
489 }
490
491 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
492 rta->rta_type = rta_type;
493 rta->rta_len = RTA_LENGTH(data.len);
494 memcpy(RTA_DATA(rta), data.ptr, data.len);
495 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
496 }
497
498 /**
499 * process a XFRM_MSG_ACQUIRE from kernel
500 */
501 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
502 {
503 u_int32_t reqid = 0;
504 job_t *job;
505 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
506 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
507
508 if (RTA_OK(rtattr, rtsize))
509 {
510 if (rtattr->rta_type == XFRMA_TMPL)
511 {
512 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
513 reqid = tmpl->reqid;
514 }
515 }
516 if (reqid == 0)
517 {
518 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
519 return;
520 }
521 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
522 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
523 job = (job_t*)acquire_job_create(reqid);
524 charon->processor->queue_job(charon->processor, job);
525 }
526
527 /**
528 * process a XFRM_MSG_EXPIRE from kernel
529 */
530 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
531 {
532 job_t *job;
533 protocol_id_t protocol;
534 u_int32_t spi, reqid;
535 struct xfrm_user_expire *expire;
536
537 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
538 protocol = expire->state.id.proto;
539 protocol = (protocol == KERNEL_ESP) ? PROTO_ESP : (protocol == KERNEL_AH) ? PROTO_AH : protocol;
540 spi = expire->state.id.spi;
541 reqid = expire->state.reqid;
542
543 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
544
545 if (protocol != PROTO_ESP && protocol != PROTO_AH)
546 {
547 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA 0x%x (reqid %d) which is "
548 "not a CHILD_SA", ntohl(spi), reqid);
549 return;
550 }
551
552 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
553 expire->hard ? "delete" : "rekey", protocol_id_names,
554 protocol, ntohl(spi), reqid);
555 if (expire->hard)
556 {
557 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
558 }
559 else
560 {
561 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
562 }
563 charon->processor->queue_job(charon->processor, job);
564 }
565
566 /**
567 * start a roaming job. We delay it for a second and fire only one job
568 * for multiple events. Otherwise we would create two many jobs.
569 */
570 static void fire_roam_job(private_kernel_interface_t *this, bool address)
571 {
572 struct timeval now;
573
574 if (gettimeofday(&now, NULL) == 0)
575 {
576 if (timercmp(&now, &this->last_roam, >))
577 {
578 now.tv_usec += ROAM_DELAY * 1000;
579 while (now.tv_usec > 1000000)
580 {
581 now.tv_sec++;
582 now.tv_usec -= 1000000;
583 }
584 this->last_roam = now;
585 charon->scheduler->schedule_job(charon->scheduler,
586 (job_t*)roam_job_create(address), ROAM_DELAY);
587 }
588 }
589 }
590
591 /**
592 * process RTM_NEWLINK/RTM_DELLINK from kernel
593 */
594 static void process_link(private_kernel_interface_t *this,
595 struct nlmsghdr *hdr, bool event)
596 {
597 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
598 struct rtattr *rta = IFLA_RTA(msg);
599 size_t rtasize = IFLA_PAYLOAD (hdr);
600 iterator_t *iterator;
601 iface_entry_t *current, *entry = NULL;
602 char *name = NULL;
603 bool update = FALSE;
604
605 while(RTA_OK(rta, rtasize))
606 {
607 switch (rta->rta_type)
608 {
609 case IFLA_IFNAME:
610 name = RTA_DATA(rta);
611 break;
612 }
613 rta = RTA_NEXT(rta, rtasize);
614 }
615 if (!name)
616 {
617 name = "(unknown)";
618 }
619
620 switch (hdr->nlmsg_type)
621 {
622 case RTM_NEWLINK:
623 {
624 if (msg->ifi_flags & IFF_LOOPBACK)
625 { /* ignore loopback interfaces */
626 break;
627 }
628 iterator = this->ifaces->create_iterator_locked(this->ifaces,
629 &this->mutex);
630 while (iterator->iterate(iterator, (void**)&current))
631 {
632 if (current->ifindex == msg->ifi_index)
633 {
634 entry = current;
635 break;
636 }
637 }
638 if (!entry)
639 {
640 entry = malloc_thing(iface_entry_t);
641 entry->ifindex = msg->ifi_index;
642 entry->flags = 0;
643 entry->addrs = linked_list_create();
644 this->ifaces->insert_last(this->ifaces, entry);
645 }
646 memcpy(entry->ifname, name, IFNAMSIZ);
647 entry->ifname[IFNAMSIZ-1] = '\0';
648 if (event)
649 {
650 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
651 {
652 update = TRUE;
653 DBG1(DBG_KNL, "interface %s activated", name);
654 }
655 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
656 {
657 update = TRUE;
658 DBG1(DBG_KNL, "interface %s deactivated", name);
659 }
660 }
661 entry->flags = msg->ifi_flags;
662 iterator->destroy(iterator);
663 break;
664 }
665 case RTM_DELLINK:
666 {
667 iterator = this->ifaces->create_iterator_locked(this->ifaces,
668 &this->mutex);
669 while (iterator->iterate(iterator, (void**)&current))
670 {
671 if (current->ifindex == msg->ifi_index)
672 {
673 /* we do not remove it, as an address may be added to a
674 * "down" interface and we wan't to know that. */
675 current->flags = msg->ifi_flags;
676 break;
677 }
678 }
679 iterator->destroy(iterator);
680 break;
681 }
682 }
683
684 /* send an update to all IKE_SAs */
685 if (update && event)
686 {
687 fire_roam_job(this, TRUE);
688 }
689 }
690
691 /**
692 * process RTM_NEWADDR/RTM_DELADDR from kernel
693 */
694 static void process_addr(private_kernel_interface_t *this,
695 struct nlmsghdr *hdr, bool event)
696 {
697 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
698 struct rtattr *rta = IFA_RTA(msg);
699 size_t rtasize = IFA_PAYLOAD (hdr);
700 host_t *host = NULL;
701 iterator_t *ifaces, *addrs;
702 iface_entry_t *iface;
703 addr_entry_t *addr;
704 chunk_t local = chunk_empty, address = chunk_empty;
705 bool update = FALSE, found = FALSE, changed = FALSE;
706
707 while(RTA_OK(rta, rtasize))
708 {
709 switch (rta->rta_type)
710 {
711 case IFA_LOCAL:
712 local.ptr = RTA_DATA(rta);
713 local.len = RTA_PAYLOAD(rta);
714 break;
715 case IFA_ADDRESS:
716 address.ptr = RTA_DATA(rta);
717 address.len = RTA_PAYLOAD(rta);
718 break;
719 }
720 rta = RTA_NEXT(rta, rtasize);
721 }
722
723 /* For PPP interfaces, we need the IFA_LOCAL address,
724 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
725 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
726 if (local.ptr)
727 {
728 host = host_create_from_chunk(msg->ifa_family, local, 0);
729 }
730 else if (address.ptr)
731 {
732 host = host_create_from_chunk(msg->ifa_family, address, 0);
733 }
734
735 if (host == NULL)
736 { /* bad family? */
737 return;
738 }
739
740 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
741 while (ifaces->iterate(ifaces, (void**)&iface))
742 {
743 if (iface->ifindex == msg->ifa_index)
744 {
745 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
746 while (addrs->iterate(addrs, (void**)&addr))
747 {
748 if (host->ip_equals(host, addr->ip))
749 {
750 found = TRUE;
751 if (hdr->nlmsg_type == RTM_DELADDR)
752 {
753 changed = TRUE;
754 addrs->remove(addrs);
755 if (!addr->virtual)
756 {
757 DBG1(DBG_KNL, "%H disappeared from %s",
758 host, iface->ifname);
759 }
760 addr_entry_destroy(addr);
761 }
762 else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
763 {
764 addr->refcount = 1;
765 }
766 }
767 }
768 addrs->destroy(addrs);
769
770 if (hdr->nlmsg_type == RTM_NEWADDR)
771 {
772 if (!found)
773 {
774 found = TRUE;
775 changed = TRUE;
776 addr = malloc_thing(addr_entry_t);
777 addr->ip = host->clone(host);
778 addr->virtual = FALSE;
779 addr->refcount = 1;
780 addr->scope = msg->ifa_scope;
781
782 iface->addrs->insert_last(iface->addrs, addr);
783 if (event)
784 {
785 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
786 }
787 }
788 }
789 if (found && (iface->flags & IFF_UP))
790 {
791 update = TRUE;
792 }
793 break;
794 }
795 }
796 ifaces->destroy(ifaces);
797 host->destroy(host);
798
799 /* send an update to all IKE_SAs */
800 if (update && event && changed)
801 {
802 fire_roam_job(this, TRUE);
803 }
804 }
805
806 /**
807 * Receives events from kernel
808 */
809 static job_requeue_t receive_events(private_kernel_interface_t *this)
810 {
811 char response[1024];
812 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
813 struct sockaddr_nl addr;
814 socklen_t addr_len = sizeof(addr);
815 int len, oldstate, maxfd, selected;
816 fd_set rfds;
817
818 FD_ZERO(&rfds);
819 FD_SET(this->socket_xfrm_events, &rfds);
820 FD_SET(this->socket_rt_events, &rfds);
821 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
822
823 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
824 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
825 pthread_setcancelstate(oldstate, NULL);
826 if (selected <= 0)
827 {
828 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
829 return JOB_REQUEUE_FAIR;
830 }
831 if (FD_ISSET(this->socket_xfrm_events, &rfds))
832 {
833 selected = this->socket_xfrm_events;
834 }
835 else if (FD_ISSET(this->socket_rt_events, &rfds))
836 {
837 selected = this->socket_rt_events;
838 }
839 else
840 {
841 return JOB_REQUEUE_DIRECT;
842 }
843
844 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
845 (struct sockaddr*)&addr, &addr_len);
846 if (len < 0)
847 {
848 switch (errno)
849 {
850 case EINTR:
851 /* interrupted, try again */
852 return JOB_REQUEUE_DIRECT;
853 case EAGAIN:
854 /* no data ready, select again */
855 return JOB_REQUEUE_DIRECT;
856 default:
857 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
858 sleep(1);
859 return JOB_REQUEUE_FAIR;
860 }
861 }
862 if (addr.nl_pid != 0)
863 { /* not from kernel. not interested, try another one */
864 return JOB_REQUEUE_DIRECT;
865 }
866
867 while (NLMSG_OK(hdr, len))
868 {
869 /* looks good so far, dispatch netlink message */
870 if (selected == this->socket_xfrm_events)
871 {
872 switch (hdr->nlmsg_type)
873 {
874 case XFRM_MSG_ACQUIRE:
875 process_acquire(this, hdr);
876 break;
877 case XFRM_MSG_EXPIRE:
878 process_expire(this, hdr);
879 break;
880 default:
881 break;
882 }
883 }
884 else if (selected == this->socket_rt_events)
885 {
886 switch (hdr->nlmsg_type)
887 {
888 case RTM_NEWADDR:
889 case RTM_DELADDR:
890 process_addr(this, hdr, TRUE);
891 pthread_cond_signal(&this->cond);
892 break;
893 case RTM_NEWLINK:
894 case RTM_DELLINK:
895 process_link(this, hdr, TRUE);
896 pthread_cond_signal(&this->cond);
897 break;
898 case RTM_NEWROUTE:
899 case RTM_DELROUTE:
900 fire_roam_job(this, FALSE);
901 break;
902 default:
903 break;
904 }
905 }
906 hdr = NLMSG_NEXT(hdr, len);
907 }
908 return JOB_REQUEUE_DIRECT;
909 }
910
911 /**
912 * send a netlink message and wait for a reply
913 */
914 static status_t netlink_send(private_kernel_interface_t *this,
915 int socket, struct nlmsghdr *in,
916 struct nlmsghdr **out, size_t *out_len)
917 {
918 int len, addr_len;
919 struct sockaddr_nl addr;
920 chunk_t result = chunk_empty, tmp;
921 struct nlmsghdr *msg, peek;
922
923 pthread_mutex_lock(&this->nl_mutex);
924
925 in->nlmsg_seq = ++this->seq;
926 in->nlmsg_pid = getpid();
927
928 memset(&addr, 0, sizeof(addr));
929 addr.nl_family = AF_NETLINK;
930 addr.nl_pid = 0;
931 addr.nl_groups = 0;
932
933 while (TRUE)
934 {
935 len = sendto(socket, in, in->nlmsg_len, 0,
936 (struct sockaddr*)&addr, sizeof(addr));
937
938 if (len != in->nlmsg_len)
939 {
940 if (errno == EINTR)
941 {
942 /* interrupted, try again */
943 continue;
944 }
945 pthread_mutex_unlock(&this->nl_mutex);
946 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
947 return FAILED;
948 }
949 break;
950 }
951
952 while (TRUE)
953 {
954 char buf[4096];
955 tmp.len = sizeof(buf);
956 tmp.ptr = buf;
957 msg = (struct nlmsghdr*)tmp.ptr;
958
959 memset(&addr, 0, sizeof(addr));
960 addr.nl_family = AF_NETLINK;
961 addr.nl_pid = getpid();
962 addr.nl_groups = 0;
963 addr_len = sizeof(addr);
964
965 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
966 (struct sockaddr*)&addr, &addr_len);
967
968 if (len < 0)
969 {
970 if (errno == EINTR)
971 {
972 DBG1(DBG_KNL, "got interrupted");
973 /* interrupted, try again */
974 continue;
975 }
976 DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
977 pthread_mutex_unlock(&this->nl_mutex);
978 return FAILED;
979 }
980 if (!NLMSG_OK(msg, len))
981 {
982 DBG1(DBG_KNL, "received corrupted netlink message");
983 pthread_mutex_unlock(&this->nl_mutex);
984 return FAILED;
985 }
986 if (msg->nlmsg_seq != this->seq)
987 {
988 DBG1(DBG_KNL, "received invalid netlink sequence number");
989 if (msg->nlmsg_seq < this->seq)
990 {
991 continue;
992 }
993 pthread_mutex_unlock(&this->nl_mutex);
994 return FAILED;
995 }
996
997 tmp.len = len;
998 result = chunk_cata("cc", result, tmp);
999
1000 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
1001 * numbers to detect multi header messages */
1002 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
1003 (struct sockaddr*)&addr, &addr_len);
1004
1005 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
1006 {
1007 /* seems to be multipart */
1008 continue;
1009 }
1010 break;
1011 }
1012
1013 *out_len = result.len;
1014 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
1015
1016 pthread_mutex_unlock(&this->nl_mutex);
1017
1018 return SUCCESS;
1019 }
1020
1021 /**
1022 * send a netlink message and wait for its acknowlegde
1023 */
1024 static status_t netlink_send_ack(private_kernel_interface_t *this,
1025 int socket, struct nlmsghdr *in)
1026 {
1027 struct nlmsghdr *out, *hdr;
1028 size_t len;
1029
1030 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
1031 {
1032 return FAILED;
1033 }
1034 hdr = out;
1035 while (NLMSG_OK(hdr, len))
1036 {
1037 switch (hdr->nlmsg_type)
1038 {
1039 case NLMSG_ERROR:
1040 {
1041 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
1042
1043 if (err->error)
1044 {
1045 DBG1(DBG_KNL, "received netlink error: %s (%d)",
1046 strerror(-err->error), -err->error);
1047 free(out);
1048 return FAILED;
1049 }
1050 free(out);
1051 return SUCCESS;
1052 }
1053 default:
1054 hdr = NLMSG_NEXT(hdr, len);
1055 continue;
1056 case NLMSG_DONE:
1057 break;
1058 }
1059 break;
1060 }
1061 DBG1(DBG_KNL, "netlink request not acknowlegded");
1062 free(out);
1063 return FAILED;
1064 }
1065
1066 /**
1067 * Initialize a list of local addresses.
1068 */
1069 static status_t init_address_list(private_kernel_interface_t *this)
1070 {
1071 char request[BUFFER_SIZE];
1072 struct nlmsghdr *out, *current, *in;
1073 struct rtgenmsg *msg;
1074 size_t len;
1075 iterator_t *ifaces, *addrs;
1076 iface_entry_t *iface;
1077 addr_entry_t *addr;
1078
1079 DBG1(DBG_KNL, "listening on interfaces:");
1080
1081 memset(&request, 0, sizeof(request));
1082
1083 in = (struct nlmsghdr*)&request;
1084 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
1085 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
1086 msg = (struct rtgenmsg*)NLMSG_DATA(in);
1087 msg->rtgen_family = AF_UNSPEC;
1088
1089 /* get all links */
1090 in->nlmsg_type = RTM_GETLINK;
1091 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1092 {
1093 return FAILED;
1094 }
1095 current = out;
1096 while (NLMSG_OK(current, len))
1097 {
1098 switch (current->nlmsg_type)
1099 {
1100 case NLMSG_DONE:
1101 break;
1102 case RTM_NEWLINK:
1103 process_link(this, current, FALSE);
1104 /* fall through */
1105 default:
1106 current = NLMSG_NEXT(current, len);
1107 continue;
1108 }
1109 break;
1110 }
1111 free(out);
1112
1113 /* get all interface addresses */
1114 in->nlmsg_type = RTM_GETADDR;
1115 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1116 {
1117 return FAILED;
1118 }
1119 current = out;
1120 while (NLMSG_OK(current, len))
1121 {
1122 switch (current->nlmsg_type)
1123 {
1124 case NLMSG_DONE:
1125 break;
1126 case RTM_NEWADDR:
1127 process_addr(this, current, FALSE);
1128 /* fall through */
1129 default:
1130 current = NLMSG_NEXT(current, len);
1131 continue;
1132 }
1133 break;
1134 }
1135 free(out);
1136
1137 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1138 while (ifaces->iterate(ifaces, (void**)&iface))
1139 {
1140 if (iface->flags & IFF_UP)
1141 {
1142 DBG1(DBG_KNL, " %s", iface->ifname);
1143 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1144 while (addrs->iterate(addrs, (void**)&addr))
1145 {
1146 DBG1(DBG_KNL, " %H", addr->ip);
1147 }
1148 addrs->destroy(addrs);
1149 }
1150 }
1151 ifaces->destroy(ifaces);
1152 return SUCCESS;
1153 }
1154
1155 /**
1156 * iterator hook to iterate over addrs
1157 */
1158 static hook_result_t addr_hook(private_kernel_interface_t *this,
1159 addr_entry_t *in, host_t **out)
1160 {
1161 if (in->virtual)
1162 { /* skip virtual interfaces added by us */
1163 return HOOK_SKIP;
1164 }
1165 if (in->scope >= RT_SCOPE_LINK)
1166 { /* skip addresses with a unusable scope */
1167 return HOOK_SKIP;
1168 }
1169 *out = in->ip;
1170 return HOOK_NEXT;
1171 }
1172
1173 /**
1174 * iterator hook to iterate over ifaces
1175 */
1176 static hook_result_t iface_hook(private_kernel_interface_t *this,
1177 iface_entry_t *in, host_t **out)
1178 {
1179 if (!(in->flags & IFF_UP))
1180 { /* skip interfaces not up */
1181 return HOOK_SKIP;
1182 }
1183
1184 if (this->hiter == NULL)
1185 {
1186 this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
1187 this->hiter->set_iterator_hook(this->hiter,
1188 (iterator_hook_t*)addr_hook, this);
1189 }
1190 while (this->hiter->iterate(this->hiter, (void**)out))
1191 {
1192 return HOOK_AGAIN;
1193 }
1194 this->hiter->destroy(this->hiter);
1195 this->hiter = NULL;
1196 return HOOK_SKIP;
1197 }
1198
1199 /**
1200 * Implements kernel_interface_t.create_address_iterator.
1201 */
1202 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1203 {
1204 iterator_t *iterator;
1205
1206 /* This iterator is not only hooked, is is double-hooked. As we have stored
1207 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
1208 * entries in each interface we iterate. This does the iface_hook. The
1209 * addr_hook returns the ip instead of the addr_entry. */
1210
1211 iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1212 iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
1213 return iterator;
1214 }
1215
1216 /**
1217 * implementation of kernel_interface_t.get_interface_name
1218 */
1219 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1220 {
1221 iterator_t *ifaces, *addrs;
1222 iface_entry_t *iface;
1223 addr_entry_t *addr;
1224 char *name = NULL;
1225
1226 DBG2(DBG_KNL, "getting interface name for %H", ip);
1227
1228 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1229 while (ifaces->iterate(ifaces, (void**)&iface))
1230 {
1231 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1232 while (addrs->iterate(addrs, (void**)&addr))
1233 {
1234 if (ip->ip_equals(ip, addr->ip))
1235 {
1236 name = strdup(iface->ifname);
1237 break;
1238 }
1239 }
1240 addrs->destroy(addrs);
1241 if (name)
1242 {
1243 break;
1244 }
1245 }
1246 ifaces->destroy(ifaces);
1247
1248 if (name)
1249 {
1250 DBG2(DBG_KNL, "%H is on interface %s", ip, name);
1251 }
1252 else
1253 {
1254 DBG2(DBG_KNL, "%H is not a local address", ip);
1255 }
1256 return name;
1257 }
1258
1259 /**
1260 * Tries to find an ip address of a local interface that is included in the
1261 * supplied traffic selector.
1262 */
1263 static status_t get_address_by_ts(private_kernel_interface_t *this,
1264 traffic_selector_t *ts, host_t **ip)
1265 {
1266 iterator_t *ifaces, *addrs;
1267 iface_entry_t *iface;
1268 addr_entry_t *addr;
1269 host_t *host;
1270 int family;
1271 bool found = FALSE;
1272
1273 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
1274
1275 /* if we have a family which includes localhost, we do not
1276 * search for an IP, we use the default */
1277 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1278
1279 if (family == AF_INET)
1280 {
1281 host = host_create_from_string("127.0.0.1", 0);
1282 }
1283 else
1284 {
1285 host = host_create_from_string("::1", 0);
1286 }
1287
1288 if (ts->includes(ts, host))
1289 {
1290 *ip = host_create_any(family);
1291 host->destroy(host);
1292 DBG2(DBG_KNL, "using host %H", *ip);
1293 return SUCCESS;
1294 }
1295 host->destroy(host);
1296
1297 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1298 while (ifaces->iterate(ifaces, (void**)&iface))
1299 {
1300 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1301 while (addrs->iterate(addrs, (void**)&addr))
1302 {
1303 if (ts->includes(ts, addr->ip))
1304 {
1305 found = TRUE;
1306 *ip = addr->ip->clone(addr->ip);
1307 break;
1308 }
1309 }
1310 addrs->destroy(addrs);
1311 if (found)
1312 {
1313 break;
1314 }
1315 }
1316 ifaces->destroy(ifaces);
1317
1318 if (!found)
1319 {
1320 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
1321 return FAILED;
1322 }
1323 DBG2(DBG_KNL, "using host %H", *ip);
1324 return SUCCESS;
1325 }
1326
1327 /**
1328 * get the interface of a local address
1329 */
1330 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1331 {
1332 iterator_t *ifaces, *addrs;
1333 iface_entry_t *iface;
1334 addr_entry_t *addr;
1335 int ifindex = 0;
1336
1337 DBG2(DBG_KNL, "getting iface for %H", ip);
1338
1339 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1340 while (ifaces->iterate(ifaces, (void**)&iface))
1341 {
1342 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1343 while (addrs->iterate(addrs, (void**)&addr))
1344 {
1345 if (ip->ip_equals(ip, addr->ip))
1346 {
1347 ifindex = iface->ifindex;
1348 break;
1349 }
1350 }
1351 addrs->destroy(addrs);
1352 if (ifindex)
1353 {
1354 break;
1355 }
1356 }
1357 ifaces->destroy(ifaces);
1358
1359 if (ifindex == 0)
1360 {
1361 DBG1(DBG_KNL, "unable to get interface for %H", ip);
1362 }
1363 return ifindex;
1364 }
1365
1366 /**
1367 * get the refcount of a virtual ip
1368 */
1369 static int get_vip_refcount(private_kernel_interface_t *this, host_t* ip)
1370 {
1371 iterator_t *ifaces, *addrs;
1372 iface_entry_t *iface;
1373 addr_entry_t *addr;
1374 int refcount = 0;
1375
1376 ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
1377 while (ifaces->iterate(ifaces, (void**)&iface))
1378 {
1379 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1380 while (addrs->iterate(addrs, (void**)&addr))
1381 {
1382 if (addr->virtual && (iface->flags & IFF_UP) &&
1383 ip->ip_equals(ip, addr->ip))
1384 {
1385 refcount = addr->refcount;
1386 break;
1387 }
1388 }
1389 addrs->destroy(addrs);
1390 if (refcount)
1391 {
1392 break;
1393 }
1394 }
1395 ifaces->destroy(ifaces);
1396
1397 return refcount;
1398 }
1399
1400 /**
1401 * Manages the creation and deletion of ip addresses on an interface.
1402 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1403 */
1404 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1405 int flags, int if_index, host_t *ip)
1406 {
1407 unsigned char request[BUFFER_SIZE];
1408 struct nlmsghdr *hdr;
1409 struct ifaddrmsg *msg;
1410 chunk_t chunk;
1411
1412 memset(&request, 0, sizeof(request));
1413
1414 chunk = ip->get_address(ip);
1415
1416 hdr = (struct nlmsghdr*)request;
1417 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1418 hdr->nlmsg_type = nlmsg_type;
1419 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1420
1421 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1422 msg->ifa_family = ip->get_family(ip);
1423 msg->ifa_flags = 0;
1424 msg->ifa_prefixlen = 8 * chunk.len;
1425 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1426 msg->ifa_index = if_index;
1427
1428 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1429
1430 return netlink_send_ack(this, this->socket_rt, hdr);
1431 }
1432
1433 /**
1434 * Manages source routes in the routing table.
1435 * By setting the appropriate nlmsg_type, the route added or r.
1436 */
1437 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1438 int flags, route_entry_t *route)
1439 {
1440 unsigned char request[BUFFER_SIZE];
1441 struct nlmsghdr *hdr;
1442 struct rtmsg *msg;
1443 chunk_t chunk;
1444
1445 #if IPSEC_ROUTING_TABLE == 0
1446 /* if route is 0.0.0.0/0, we can't install it, as it would
1447 * overwrite the default route. Instead, we add two routes:
1448 * 0.0.0.0/1 and 128.0.0.0/1 */
1449 if (route->prefixlen == 0)
1450 {
1451 route_entry_t half;
1452 status_t status;
1453
1454 half.dst_net = chunk_alloca(route->dst_net.len);
1455 memset(half.dst_net.ptr, 0, half.dst_net.len);
1456 half.src_ip = route->src_ip;
1457 half.gateway = route->gateway;
1458 half.if_index = route->if_index;
1459 half.prefixlen = 1;
1460
1461 status = manage_srcroute(this, nlmsg_type, flags, &half);
1462 half.dst_net.ptr[0] |= 0x80;
1463 status = manage_srcroute(this, nlmsg_type, flags, &half);
1464 return status;
1465 }
1466 #endif
1467
1468 memset(&request, 0, sizeof(request));
1469
1470 hdr = (struct nlmsghdr*)request;
1471 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1472 hdr->nlmsg_type = nlmsg_type;
1473 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1474
1475 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1476 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1477 msg->rtm_dst_len = route->prefixlen;
1478 msg->rtm_table = IPSEC_ROUTING_TABLE;
1479 msg->rtm_protocol = RTPROT_STATIC;
1480 msg->rtm_type = RTN_UNICAST;
1481 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1482
1483 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1484 chunk = route->src_ip->get_address(route->src_ip);
1485 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1486 chunk = route->gateway->get_address(route->gateway);
1487 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1488 chunk.ptr = (char*)&route->if_index;
1489 chunk.len = sizeof(route->if_index);
1490 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1491
1492 return netlink_send_ack(this, this->socket_rt, hdr);
1493 }
1494
1495 /**
1496 * create or delete an rule to use our routing table
1497 */
1498 static status_t manage_rule(private_kernel_interface_t *this, int nlmsg_type,
1499 u_int32_t table, u_int32_t prio)
1500 {
1501 unsigned char request[BUFFER_SIZE];
1502 struct nlmsghdr *hdr;
1503 struct rtmsg *msg;
1504 chunk_t chunk;
1505
1506 memset(&request, 0, sizeof(request));
1507 hdr = (struct nlmsghdr*)request;
1508 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1509 hdr->nlmsg_type = nlmsg_type;
1510 if (nlmsg_type == RTM_NEWRULE)
1511 {
1512 hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
1513 }
1514 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1515
1516 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1517 msg->rtm_table = table;
1518 msg->rtm_family = AF_INET;
1519 msg->rtm_protocol = RTPROT_BOOT;
1520 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1521 msg->rtm_type = RTN_UNICAST;
1522
1523 chunk = chunk_from_thing(prio);
1524 add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
1525
1526 return netlink_send_ack(this, this->socket_rt, hdr);
1527 }
1528
1529 /**
1530 * check if an address (chunk) addr is in subnet (net with net_len net bits)
1531 */
1532 static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
1533 {
1534 int bit, byte;
1535
1536 if (addr.len != net.len)
1537 {
1538 return FALSE;
1539 }
1540 /* scan through all bits, beginning in the front */
1541 for (byte = 0; byte < addr.len; byte++)
1542 {
1543 for (bit = 7; bit >= 0; bit--)
1544 {
1545 /* check if bits are equal (or we reached the end of the net) */
1546 if (bit + byte * 8 > net_len)
1547 {
1548 return TRUE;
1549 }
1550 if (((1<<bit) & addr.ptr[byte]) != ((1<<bit) & net.ptr[byte]))
1551 {
1552 return FALSE;
1553 }
1554 }
1555 }
1556 return TRUE;
1557 }
1558
1559 /**
1560 * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
1561 */
1562 static host_t *get_route(private_kernel_interface_t *this, host_t *dest,
1563 bool nexthop)
1564 {
1565 unsigned char request[BUFFER_SIZE];
1566 struct nlmsghdr *hdr, *out, *current;
1567 struct rtmsg *msg;
1568 chunk_t chunk;
1569 size_t len;
1570 int best = -1;
1571 host_t *src = NULL, *gtw = NULL;
1572
1573 DBG2(DBG_KNL, "getting address to reach %H", dest);
1574
1575 memset(&request, 0, sizeof(request));
1576
1577 hdr = (struct nlmsghdr*)request;
1578 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ROOT;
1579 hdr->nlmsg_type = RTM_GETROUTE;
1580 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1581
1582 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1583 msg->rtm_family = dest->get_family(dest);
1584
1585 chunk = dest->get_address(dest);
1586 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1587
1588 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1589 {
1590 DBG1(DBG_KNL, "getting address to %H failed", dest);
1591 return NULL;
1592 }
1593 current = out;
1594 while (NLMSG_OK(current, len))
1595 {
1596 switch (current->nlmsg_type)
1597 {
1598 case NLMSG_DONE:
1599 break;
1600 case RTM_NEWROUTE:
1601 {
1602 struct rtattr *rta;
1603 size_t rtasize;
1604 chunk_t rta_gtw, rta_src, rta_dst;
1605 u_int32_t rta_oif = 0;
1606
1607 rta_gtw = rta_src = rta_dst = chunk_empty;
1608 msg = (struct rtmsg*)(NLMSG_DATA(current));
1609 rta = RTM_RTA(msg);
1610 rtasize = RTM_PAYLOAD(current);
1611 while (RTA_OK(rta, rtasize))
1612 {
1613 switch (rta->rta_type)
1614 {
1615 case RTA_PREFSRC:
1616 rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1617 break;
1618 case RTA_GATEWAY:
1619 rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1620 break;
1621 case RTA_DST:
1622 rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1623 break;
1624 case RTA_OIF:
1625 if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
1626 {
1627 rta_oif = *(u_int32_t*)RTA_DATA(rta);
1628 }
1629 break;
1630 }
1631 rta = RTA_NEXT(rta, rtasize);
1632 }
1633
1634 /* apply the route if:
1635 * - it is not from our own ipsec routing table
1636 * - is better than a previous one
1637 * - is the default route or
1638 * - its destination net contains our destination
1639 */
1640 if (msg->rtm_table != IPSEC_ROUTING_TABLE
1641 && msg->rtm_dst_len > best
1642 && (msg->rtm_dst_len == 0 || /* default route */
1643 (rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
1644 {
1645 iterator_t *ifaces, *addrs;
1646 iface_entry_t *iface;
1647 addr_entry_t *addr;
1648
1649 best = msg->rtm_dst_len;
1650 if (nexthop)
1651 {
1652 DESTROY_IF(gtw);
1653 gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
1654 }
1655 else if (rta_src.ptr)
1656 {
1657 DESTROY_IF(src);
1658 src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
1659 }
1660 else
1661 {
1662 /* no source addr, get one from the interfaces */
1663 ifaces = this->ifaces->create_iterator_locked(
1664 this->ifaces, &this->mutex);
1665 while (ifaces->iterate(ifaces, (void**)&iface))
1666 {
1667 if (iface->ifindex == rta_oif)
1668 {
1669 addrs = iface->addrs->create_iterator(
1670 iface->addrs, TRUE);
1671 while (addrs->iterate(addrs, (void**)&addr))
1672 {
1673 chunk_t ip = addr->ip->get_address(addr->ip);
1674 if (msg->rtm_dst_len == 0
1675 || addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
1676 {
1677 DESTROY_IF(src);
1678 src = addr->ip->clone(addr->ip);
1679 break;
1680 }
1681 }
1682 addrs->destroy(addrs);
1683 }
1684 }
1685 ifaces->destroy(ifaces);
1686 }
1687 }
1688 /* FALL through */
1689 }
1690 default:
1691 current = NLMSG_NEXT(current, len);
1692 continue;
1693 }
1694 break;
1695 }
1696 free(out);
1697
1698 if (nexthop)
1699 {
1700 if (gtw)
1701 {
1702 return gtw;
1703 }
1704 return dest->clone(dest);
1705 }
1706 return src;
1707 }
1708
1709 /**
1710 * Implementation of kernel_interface_t.get_source_addr.
1711 */
1712 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1713 {
1714 return get_route(this, dest, FALSE);
1715 }
1716
1717 /**
1718 * Implementation of kernel_interface_t.add_ip.
1719 */
1720 static status_t add_ip(private_kernel_interface_t *this,
1721 host_t *virtual_ip, host_t *iface_ip)
1722 {
1723 iface_entry_t *iface;
1724 addr_entry_t *addr;
1725 iterator_t *addrs, *ifaces;
1726 int ifindex;
1727
1728 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1729
1730 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1731 while (ifaces->iterate(ifaces, (void**)&iface))
1732 {
1733 bool iface_found = FALSE;
1734
1735 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1736 while (addrs->iterate(addrs, (void**)&addr))
1737 {
1738 if (iface_ip->ip_equals(iface_ip, addr->ip))
1739 {
1740 iface_found = TRUE;
1741 }
1742 else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1743 {
1744 addr->refcount++;
1745 DBG2(DBG_KNL, "virtual IP %H already installed on %s",
1746 virtual_ip, iface->ifname);
1747 addrs->destroy(addrs);
1748 ifaces->destroy(ifaces);
1749 return SUCCESS;
1750 }
1751 }
1752 addrs->destroy(addrs);
1753
1754 if (iface_found)
1755 {
1756 ifindex = iface->ifindex;
1757 addr = malloc_thing(addr_entry_t);
1758 addr->ip = virtual_ip->clone(virtual_ip);
1759 addr->refcount = 0;
1760 addr->virtual = TRUE;
1761 addr->scope = RT_SCOPE_UNIVERSE;
1762 iface->addrs->insert_last(iface->addrs, addr);
1763
1764 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1765 ifindex, virtual_ip) == SUCCESS)
1766 {
1767 while (get_vip_refcount(this, virtual_ip) == 0)
1768 { /* wait until address appears */
1769 pthread_cond_wait(&this->cond, &this->mutex);
1770 }
1771 ifaces->destroy(ifaces);
1772 return SUCCESS;
1773 }
1774 ifaces->destroy(ifaces);
1775 DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1776 return FAILED;
1777 }
1778 }
1779 ifaces->destroy(ifaces);
1780
1781 DBG1(DBG_KNL, "interface address %H not found, unable to install"
1782 "virtual IP %H", iface_ip, virtual_ip);
1783 return FAILED;
1784 }
1785
1786 /**
1787 * Implementation of kernel_interface_t.del_ip.
1788 */
1789 static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
1790 {
1791 iface_entry_t *iface;
1792 addr_entry_t *addr;
1793 iterator_t *addrs, *ifaces;
1794 status_t status;
1795 int ifindex;
1796
1797 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1798
1799 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1800 while (ifaces->iterate(ifaces, (void**)&iface))
1801 {
1802 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1803 while (addrs->iterate(addrs, (void**)&addr))
1804 {
1805 if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1806 {
1807 ifindex = iface->ifindex;
1808 if (addr->refcount == 1)
1809 {
1810 status = manage_ipaddr(this, RTM_DELADDR, 0,
1811 ifindex, virtual_ip);
1812 if (status == SUCCESS)
1813 { /* wait until the address is really gone */
1814 while (get_vip_refcount(this, virtual_ip) > 0)
1815 {
1816 pthread_cond_wait(&this->cond, &this->mutex);
1817 }
1818 }
1819 addrs->destroy(addrs);
1820 ifaces->destroy(ifaces);
1821 return status;
1822 }
1823 else
1824 {
1825 addr->refcount--;
1826 }
1827 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1828 virtual_ip);
1829 addrs->destroy(addrs);
1830 ifaces->destroy(ifaces);
1831 return SUCCESS;
1832 }
1833 }
1834 addrs->destroy(addrs);
1835 }
1836 ifaces->destroy(ifaces);
1837
1838 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1839 return FAILED;
1840 }
1841
1842 /**
1843 * Get an SPI for a specific protocol from the kernel.
1844 */
1845 static status_t get_spi_internal(private_kernel_interface_t *this,
1846 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
1847 u_int32_t reqid, u_int32_t *spi)
1848 {
1849 unsigned char request[BUFFER_SIZE];
1850 struct nlmsghdr *hdr, *out;
1851 struct xfrm_userspi_info *userspi;
1852 u_int32_t received_spi = 0;
1853 size_t len;
1854
1855 memset(&request, 0, sizeof(request));
1856
1857 hdr = (struct nlmsghdr*)request;
1858 hdr->nlmsg_flags = NLM_F_REQUEST;
1859 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1860 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1861
1862 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1863 host2xfrm(src, &userspi->info.saddr);
1864 host2xfrm(dst, &userspi->info.id.daddr);
1865 userspi->info.id.proto = proto;
1866 userspi->info.mode = TRUE; /* tunnel mode */
1867 userspi->info.reqid = reqid;
1868 userspi->info.family = src->get_family(src);
1869 userspi->min = min;
1870 userspi->max = max;
1871
1872 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1873 {
1874 hdr = out;
1875 while (NLMSG_OK(hdr, len))
1876 {
1877 switch (hdr->nlmsg_type)
1878 {
1879 case XFRM_MSG_NEWSA:
1880 {
1881 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1882 received_spi = usersa->id.spi;
1883 break;
1884 }
1885 case NLMSG_ERROR:
1886 {
1887 struct nlmsgerr *err = NLMSG_DATA(hdr);
1888
1889 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1890 strerror(-err->error), -err->error);
1891 break;
1892 }
1893 default:
1894 hdr = NLMSG_NEXT(hdr, len);
1895 continue;
1896 case NLMSG_DONE:
1897 break;
1898 }
1899 break;
1900 }
1901 free(out);
1902 }
1903
1904 if (received_spi == 0)
1905 {
1906 return FAILED;
1907 }
1908
1909 *spi = received_spi;
1910 return SUCCESS;
1911 }
1912
1913 /**
1914 * Implementation of kernel_interface_t.get_spi.
1915 */
1916 static status_t get_spi(private_kernel_interface_t *this,
1917 host_t *src, host_t *dst,
1918 protocol_id_t protocol, u_int32_t reqid,
1919 u_int32_t *spi)
1920 {
1921 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1922
1923 if (get_spi_internal(this, src, dst,
1924 (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH,
1925 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
1926 {
1927 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1928 return FAILED;
1929 }
1930
1931 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", *spi, reqid);
1932
1933 return SUCCESS;
1934 }
1935
1936 /**
1937 * Implementation of kernel_interface_t.get_cpi.
1938 */
1939 static status_t get_cpi(private_kernel_interface_t *this,
1940 host_t *src, host_t *dst,
1941 u_int32_t reqid, u_int16_t *cpi)
1942 {
1943 u_int32_t received_spi = 0;
1944 DBG2(DBG_KNL, "getting CPI for reqid %d", reqid);
1945
1946 if (get_spi_internal(this, src, dst,
1947 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
1948 {
1949 DBG1(DBG_KNL, "unable to get CPI for reqid %d", reqid);
1950 return FAILED;
1951 }
1952
1953 *cpi = htons((u_int16_t)ntohl(received_spi));
1954
1955 DBG2(DBG_KNL, "got CPI 0x%x for reqid %d", *cpi, reqid);
1956
1957 return SUCCESS;
1958 }
1959
1960 /**
1961 * Implementation of kernel_interface_t.add_sa.
1962 */
1963 static status_t add_sa(private_kernel_interface_t *this,
1964 host_t *src, host_t *dst, u_int32_t spi,
1965 protocol_id_t protocol, u_int32_t reqid,
1966 u_int64_t expire_soft, u_int64_t expire_hard,
1967 u_int16_t enc_alg, u_int16_t enc_size,
1968 u_int16_t int_alg, u_int16_t int_size,
1969 prf_plus_t *prf_plus, mode_t mode,
1970 u_int16_t ipcomp, bool encap,
1971 bool replace)
1972 {
1973 unsigned char request[BUFFER_SIZE];
1974 char *alg_name;
1975 u_int16_t add_keymat = 32; /* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
1976 struct nlmsghdr *hdr;
1977 struct xfrm_usersa_info *sa;
1978
1979 memset(&request, 0, sizeof(request));
1980
1981 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x and reqid %d", spi, reqid);
1982
1983 hdr = (struct nlmsghdr*)request;
1984 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1985 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1986 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1987
1988 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1989 host2xfrm(src, &sa->saddr);
1990 host2xfrm(dst, &sa->id.daddr);
1991 sa->id.spi = spi;
1992 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
1993 sa->family = src->get_family(src);
1994 sa->mode = mode;
1995 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
1996 sa->reqid = reqid;
1997 /* we currently do not expire SAs by volume/packet count */
1998 sa->lft.soft_byte_limit = XFRM_INF;
1999 sa->lft.hard_byte_limit = XFRM_INF;
2000 sa->lft.soft_packet_limit = XFRM_INF;
2001 sa->lft.hard_packet_limit = XFRM_INF;
2002 /* we use lifetimes since added, not since used */
2003 sa->lft.soft_add_expires_seconds = expire_soft;
2004 sa->lft.hard_add_expires_seconds = expire_hard;
2005 sa->lft.soft_use_expires_seconds = 0;
2006 sa->lft.hard_use_expires_seconds = 0;
2007
2008 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
2009
2010 switch (enc_alg)
2011 {
2012 case ENCR_UNDEFINED:
2013 /* no encryption */
2014 break;
2015 case ENCR_AES_CCM_ICV8:
2016 case ENCR_AES_CCM_ICV12:
2017 case ENCR_AES_CCM_ICV16:
2018 /* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
2019 add_keymat = 24;
2020 /* fall-through */
2021 case ENCR_AES_GCM_ICV8:
2022 case ENCR_AES_GCM_ICV12:
2023 case ENCR_AES_GCM_ICV16:
2024 {
2025 u_int16_t icv_size = 0;
2026 rthdr->rta_type = XFRMA_ALG_AEAD;
2027 alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
2028 if (alg_name == NULL)
2029 {
2030 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2031 encryption_algorithm_names, enc_alg);
2032 return FAILED;
2033 }
2034 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2035 encryption_algorithm_names, enc_alg, enc_size);
2036
2037 /* additional KEYMAT required */
2038 enc_size += add_keymat;
2039
2040 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
2041 hdr->nlmsg_len += rthdr->rta_len;
2042 if (hdr->nlmsg_len > sizeof(request))
2043 {
2044 return FAILED;
2045 }
2046
2047 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
2048 algo->alg_key_len = enc_size;
2049 algo->alg_icv_len = icv_size;
2050 strcpy(algo->alg_name, alg_name);
2051 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2052
2053 rthdr = XFRM_RTA_NEXT(rthdr);
2054 break;
2055 }
2056 default:
2057 {
2058 rthdr->rta_type = XFRMA_ALG_CRYPT;
2059 alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
2060 if (alg_name == NULL)
2061 {
2062 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2063 encryption_algorithm_names, enc_alg);
2064 return FAILED;
2065 }
2066 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2067 encryption_algorithm_names, enc_alg, enc_size);
2068
2069 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
2070 hdr->nlmsg_len += rthdr->rta_len;
2071 if (hdr->nlmsg_len > sizeof(request))
2072 {
2073 return FAILED;
2074 }
2075
2076 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2077 algo->alg_key_len = enc_size;
2078 strcpy(algo->alg_name, alg_name);
2079 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2080
2081 rthdr = XFRM_RTA_NEXT(rthdr);
2082 break;
2083 }
2084 }
2085
2086 if (int_alg != AUTH_UNDEFINED)
2087 {
2088 rthdr->rta_type = XFRMA_ALG_AUTH;
2089 alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
2090 if (alg_name == NULL)
2091 {
2092 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2093 integrity_algorithm_names, int_alg);
2094 return FAILED;
2095 }
2096 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
2097 integrity_algorithm_names, int_alg, int_size);
2098
2099 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
2100 hdr->nlmsg_len += rthdr->rta_len;
2101 if (hdr->nlmsg_len > sizeof(request))
2102 {
2103 return FAILED;
2104 }
2105
2106 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2107 algo->alg_key_len = int_size;
2108 strcpy(algo->alg_name, alg_name);
2109 prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
2110
2111 rthdr = XFRM_RTA_NEXT(rthdr);
2112 }
2113
2114 if (ipcomp != IPCOMP_NONE)
2115 {
2116 rthdr->rta_type = XFRMA_ALG_COMP;
2117 alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
2118 if (alg_name == NULL)
2119 {
2120 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2121 ipcomp_transform_names, ipcomp);
2122 return FAILED;
2123 }
2124 DBG2(DBG_KNL, " using compression algorithm %N",
2125 ipcomp_transform_names, ipcomp);
2126
2127 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
2128 hdr->nlmsg_len += rthdr->rta_len;
2129 if (hdr->nlmsg_len > sizeof(request))
2130 {
2131 return FAILED;
2132 }
2133
2134 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2135 algo->alg_key_len = 0;
2136 strcpy(algo->alg_name, alg_name);
2137
2138 rthdr = XFRM_RTA_NEXT(rthdr);
2139 }
2140
2141 if (encap)
2142 {
2143 rthdr->rta_type = XFRMA_ENCAP;
2144 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2145
2146 hdr->nlmsg_len += rthdr->rta_len;
2147 if (hdr->nlmsg_len > sizeof(request))
2148 {
2149 return FAILED;
2150 }
2151
2152 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
2153 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2154 tmpl->encap_sport = htons(src->get_port(src));
2155 tmpl->encap_dport = htons(dst->get_port(dst));
2156 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2157 /* encap_oa could probably be derived from the
2158 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
2159 * pluto does the same as we do here but it uses encap_oa in the
2160 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
2161 * the kernel ignores it anyway
2162 * -> does that mean that NAT-T encap doesn't work in transport mode?
2163 * No. The reason the kernel ignores NAT-OA is that it recomputes
2164 * (or, rather, just ignores) the checksum. If packets pass
2165 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
2166 rthdr = XFRM_RTA_NEXT(rthdr);
2167 }
2168
2169 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2170 {
2171 DBG1(DBG_KNL, "unable to add SAD entry with SPI 0x%x", spi);
2172 return FAILED;
2173 }
2174 return SUCCESS;
2175 }
2176
2177 /**
2178 * Implementation of kernel_interface_t.update_sa.
2179 */
2180 static status_t update_sa(private_kernel_interface_t *this,
2181 u_int32_t spi, protocol_id_t protocol,
2182 host_t *src, host_t *dst,
2183 host_t *new_src, host_t *new_dst, bool encap)
2184 {
2185 unsigned char request[BUFFER_SIZE], *pos;
2186 struct nlmsghdr *hdr, *out = NULL;
2187 struct xfrm_usersa_id *sa_id;
2188 struct xfrm_usersa_info *out_sa = NULL, *sa;
2189 size_t len;
2190 struct rtattr *rta;
2191 size_t rtasize;
2192 struct xfrm_encap_tmpl* tmpl = NULL;
2193
2194 memset(&request, 0, sizeof(request));
2195
2196 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x for update", spi);
2197
2198 /* query the exisiting SA first */
2199 hdr = (struct nlmsghdr*)request;
2200 hdr->nlmsg_flags = NLM_F_REQUEST;
2201 hdr->nlmsg_type = XFRM_MSG_GETSA;
2202 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2203
2204 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2205 host2xfrm(dst, &sa_id->daddr);
2206 sa_id->spi = spi;
2207 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
2208 sa_id->family = dst->get_family(dst);
2209
2210 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2211 {
2212 hdr = out;
2213 while (NLMSG_OK(hdr, len))
2214 {
2215 switch (hdr->nlmsg_type)
2216 {
2217 case XFRM_MSG_NEWSA:
2218 {
2219 out_sa = NLMSG_DATA(hdr);
2220 break;
2221 }
2222 case NLMSG_ERROR:
2223 {
2224 struct nlmsgerr *err = NLMSG_DATA(hdr);
2225 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2226 strerror(-err->error), -err->error);
2227 break;
2228 }
2229 default:
2230 hdr = NLMSG_NEXT(hdr, len);
2231 continue;
2232 case NLMSG_DONE:
2233 break;
2234 }
2235 break;
2236 }
2237 }
2238 if (out_sa == NULL ||
2239 this->public.del_sa(&this->public, dst, spi, protocol) != SUCCESS)
2240 {
2241 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
2242 free(out);
2243 return FAILED;
2244 }
2245
2246 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x from %#H..%#H to %#H..%#H",
2247 spi, src, dst, new_src, new_dst);
2248
2249 /* copy over the SA from out to request */
2250 hdr = (struct nlmsghdr*)request;
2251 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
2252 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2253 hdr->nlmsg_type = XFRM_MSG_NEWSA;
2254 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2255 sa = NLMSG_DATA(hdr);
2256 sa->family = new_dst->get_family(new_dst);
2257
2258 if (!src->ip_equals(src, new_src))
2259 {
2260 host2xfrm(new_src, &sa->saddr);
2261 }
2262 if (!dst->ip_equals(dst, new_dst))
2263 {
2264 host2xfrm(new_dst, &sa->id.daddr);
2265 }
2266
2267 rta = XFRM_RTA(out, struct xfrm_usersa_info);
2268 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
2269 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
2270 while(RTA_OK(rta, rtasize))
2271 {
2272 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
2273 if (rta->rta_type != XFRMA_ENCAP || encap)
2274 {
2275 if (rta->rta_type == XFRMA_ENCAP)
2276 { /* update encap tmpl */
2277 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2278 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2279 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2280 }
2281 memcpy(pos, rta, rta->rta_len);
2282 pos += rta->rta_len;
2283 hdr->nlmsg_len += rta->rta_len;
2284 }
2285 rta = RTA_NEXT(rta, rtasize);
2286 }
2287 if (tmpl == NULL && encap)
2288 { /* add tmpl if we are enabling it */
2289 rta = (struct rtattr*)pos;
2290 rta->rta_type = XFRMA_ENCAP;
2291 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2292 hdr->nlmsg_len += rta->rta_len;
2293 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2294 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2295 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2296 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2297 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2298 }
2299
2300 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2301 {
2302 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
2303 free(out);
2304 return FAILED;
2305 }
2306 free(out);
2307
2308 return SUCCESS;
2309 }
2310
2311 /**
2312 * Implementation of kernel_interface_t.query_sa.
2313 */
2314 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
2315 u_int32_t spi, protocol_id_t protocol,
2316 u_int32_t *use_time)
2317 {
2318 unsigned char request[BUFFER_SIZE];
2319 struct nlmsghdr *out = NULL, *hdr;
2320 struct xfrm_usersa_id *sa_id;
2321 struct xfrm_usersa_info *sa = NULL;
2322 size_t len;
2323
2324 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
2325 memset(&request, 0, sizeof(request));
2326
2327 hdr = (struct nlmsghdr*)request;
2328 hdr->nlmsg_flags = NLM_F_REQUEST;
2329 hdr->nlmsg_type = XFRM_MSG_GETSA;
2330 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2331
2332 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2333 host2xfrm(dst, &sa_id->daddr);
2334 sa_id->spi = spi;
2335 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
2336 sa_id->family = dst->get_family(dst);
2337
2338 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2339 {
2340 hdr = out;
2341 while (NLMSG_OK(hdr, len))
2342 {
2343 switch (hdr->nlmsg_type)
2344 {
2345 case XFRM_MSG_NEWSA:
2346 {
2347 sa = NLMSG_DATA(hdr);
2348 break;
2349 }
2350 case NLMSG_ERROR:
2351 {
2352 struct nlmsgerr *err = NLMSG_DATA(hdr);
2353 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2354 strerror(-err->error), -err->error);
2355 break;
2356 }
2357 default:
2358 hdr = NLMSG_NEXT(hdr, len);
2359 continue;
2360 case NLMSG_DONE:
2361 break;
2362 }
2363 break;
2364 }
2365 }
2366
2367 if (sa == NULL)
2368 {
2369 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
2370 free(out);
2371 return FAILED;
2372 }
2373
2374 *use_time = sa->curlft.use_time;
2375 free (out);
2376 return SUCCESS;
2377 }
2378
2379 /**
2380 * Implementation of kernel_interface_t.del_sa.
2381 */
2382 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
2383 u_int32_t spi, protocol_id_t protocol)
2384 {
2385 unsigned char request[BUFFER_SIZE];
2386 struct nlmsghdr *hdr;
2387 struct xfrm_usersa_id *sa_id;
2388
2389 memset(&request, 0, sizeof(request));
2390
2391 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
2392
2393 hdr = (struct nlmsghdr*)request;
2394 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2395 hdr->nlmsg_type = XFRM_MSG_DELSA;
2396 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2397
2398 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2399 host2xfrm(dst, &sa_id->daddr);
2400 sa_id->spi = spi;
2401 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : (protocol == PROTO_AH) ? KERNEL_AH : protocol;
2402 sa_id->family = dst->get_family(dst);
2403
2404 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2405 {
2406 DBG1(DBG_KNL, "unable to delete SAD entry with SPI 0x%x", spi);
2407 return FAILED;
2408 }
2409 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
2410 return SUCCESS;
2411 }
2412
2413 /**
2414 * Implementation of kernel_interface_t.add_policy.
2415 */
2416 static status_t add_policy(private_kernel_interface_t *this,
2417 host_t *src, host_t *dst,
2418 traffic_selector_t *src_ts,
2419 traffic_selector_t *dst_ts,
2420 policy_dir_t direction, protocol_id_t protocol,
2421 u_int32_t reqid, bool high_prio, mode_t mode,
2422 u_int16_t ipcomp)
2423 {
2424 iterator_t *iterator;
2425 policy_entry_t *current, *policy;
2426 bool found = FALSE;
2427 unsigned char request[BUFFER_SIZE];
2428 struct xfrm_userpolicy_info *policy_info;
2429 struct nlmsghdr *hdr;
2430
2431 /* create a policy */
2432 policy = malloc_thing(policy_entry_t);
2433 memset(policy, 0, sizeof(policy_entry_t));
2434 policy->sel = ts2selector(src_ts, dst_ts);
2435 policy->direction = direction;
2436
2437 /* find the policy, which matches EXACTLY */
2438 pthread_mutex_lock(&this->mutex);
2439 iterator = this->policies->create_iterator(this->policies, TRUE);
2440 while (iterator->iterate(iterator, (void**)&current))
2441 {
2442 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
2443 policy->direction == current->direction)
2444 {
2445 /* use existing policy */
2446 current->refcount++;
2447 DBG2(DBG_KNL, "policy %R===%R already exists, increasing "
2448 "refcount", src_ts, dst_ts);
2449 free(policy);
2450 policy = current;
2451 found = TRUE;
2452 break;
2453 }
2454 }
2455 iterator->destroy(iterator);
2456 if (!found)
2457 { /* apply the new one, if we have no such policy */
2458 this->policies->insert_last(this->policies, policy);
2459 policy->refcount = 1;
2460 }
2461
2462 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
2463
2464 memset(&request, 0, sizeof(request));
2465 hdr = (struct nlmsghdr*)request;
2466 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2467 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2468 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2469
2470 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2471 policy_info->sel = policy->sel;
2472 policy_info->dir = policy->direction;
2473 /* calculate priority based on source selector size, small size = high prio */
2474 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2475 policy_info->priority -= policy->sel.prefixlen_s * 10;
2476 policy_info->priority -= policy->sel.proto ? 2 : 0;
2477 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2478 policy_info->action = XFRM_POLICY_ALLOW;
2479 policy_info->share = XFRM_SHARE_ANY;
2480 pthread_mutex_unlock(&this->mutex);
2481
2482 /* policies don't expire */
2483 policy_info->lft.soft_byte_limit = XFRM_INF;
2484 policy_info->lft.soft_packet_limit = XFRM_INF;
2485 policy_info->lft.hard_byte_limit = XFRM_INF;
2486 policy_info->lft.hard_packet_limit = XFRM_INF;
2487 policy_info->lft.soft_add_expires_seconds = 0;
2488 policy_info->lft.hard_add_expires_seconds = 0;
2489 policy_info->lft.soft_use_expires_seconds = 0;
2490 policy_info->lft.hard_use_expires_seconds = 0;
2491
2492 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2493 rthdr->rta_type = XFRMA_TMPL;
2494 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2495
2496 hdr->nlmsg_len += rthdr->rta_len;
2497 if (hdr->nlmsg_len > sizeof(request))
2498 {
2499 return FAILED;
2500 }
2501
2502 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2503
2504 if (ipcomp != IPCOMP_NONE)
2505 {
2506 tmpl->reqid = reqid;
2507 tmpl->id.proto = IPPROTO_COMP;
2508 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2509 tmpl->mode = mode;
2510 tmpl->optional = direction != POLICY_OUT;
2511 tmpl->family = src->get_family(src);
2512
2513 host2xfrm(src, &tmpl->saddr);
2514 host2xfrm(dst, &tmpl->id.daddr);
2515
2516 /* add an additional xfrm_user_tmpl */
2517 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2518 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2519 if (hdr->nlmsg_len > sizeof(request))
2520 {
2521 return FAILED;
2522 }
2523
2524 tmpl++;
2525 }
2526
2527 tmpl->reqid = reqid;
2528 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
2529 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2530 tmpl->mode = mode;
2531 tmpl->family = src->get_family(src);
2532
2533 host2xfrm(src, &tmpl->saddr);
2534 host2xfrm(dst, &tmpl->id.daddr);
2535
2536 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2537 {
2538 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
2539 return FAILED;
2540 }
2541
2542 /* install a route, if:
2543 * - we are NOT updating a policy
2544 * - this is a forward policy (to just get one for each child)
2545 * - we are in tunnel mode
2546 * - we are not using IPv6 (does not work correctly yet!)
2547 */
2548 if (policy->route == NULL && direction == POLICY_FWD &&
2549 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6)
2550 {
2551 policy->route = malloc_thing(route_entry_t);
2552 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2553 {
2554 /* get the nexthop to src (src as we are in POLICY_FWD).*/
2555 policy->route->gateway = get_route(this, src, TRUE);
2556 policy->route->if_index = get_interface_index(this, dst);
2557 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2558 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
2559 policy->route->prefixlen = policy->sel.prefixlen_s;
2560
2561 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
2562 policy->route) != SUCCESS)
2563 {
2564 DBG1(DBG_KNL, "unable to install source route for %H",
2565 policy->route->src_ip);
2566 route_entry_destroy(policy->route);
2567 policy->route = NULL;
2568 }
2569 }
2570 else
2571 {
2572 free(policy->route);
2573 policy->route = NULL;
2574 }
2575 }
2576
2577 return SUCCESS;
2578 }
2579
2580 /**
2581 * Implementation of kernel_interface_t.query_policy.
2582 */
2583 static status_t query_policy(private_kernel_interface_t *this,
2584 traffic_selector_t *src_ts,
2585 traffic_selector_t *dst_ts,
2586 policy_dir_t direction, u_int32_t *use_time)
2587 {
2588 unsigned char request[BUFFER_SIZE];
2589 struct nlmsghdr *out = NULL, *hdr;
2590 struct xfrm_userpolicy_id *policy_id;
2591 struct xfrm_userpolicy_info *policy = NULL;
2592 size_t len;
2593
2594 memset(&request, 0, sizeof(request));
2595
2596 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
2597
2598 hdr = (struct nlmsghdr*)request;
2599 hdr->nlmsg_flags = NLM_F_REQUEST;
2600 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2601 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2602
2603 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2604 policy_id->sel = ts2selector(src_ts, dst_ts);
2605 policy_id->dir = direction;
2606
2607 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2608 {
2609 hdr = out;
2610 while (NLMSG_OK(hdr, len))
2611 {
2612 switch (hdr->nlmsg_type)
2613 {
2614 case XFRM_MSG_NEWPOLICY:
2615 {
2616 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2617 break;
2618 }
2619 case NLMSG_ERROR:
2620 {
2621 struct nlmsgerr *err = NLMSG_DATA(hdr);
2622 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2623 strerror(-err->error), -err->error);
2624 break;
2625 }
2626 default:
2627 hdr = NLMSG_NEXT(hdr, len);
2628 continue;
2629 case NLMSG_DONE:
2630 break;
2631 }
2632 break;
2633 }
2634 }
2635
2636 if (policy == NULL)
2637 {
2638 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
2639 free(out);
2640 return FAILED;
2641 }
2642 *use_time = (time_t)policy->curlft.use_time;
2643
2644 free(out);
2645 return SUCCESS;
2646 }
2647
2648 /**
2649 * Implementation of kernel_interface_t.del_policy.
2650 */
2651 static status_t del_policy(private_kernel_interface_t *this,
2652 traffic_selector_t *src_ts,
2653 traffic_selector_t *dst_ts,
2654 policy_dir_t direction)
2655 {
2656 policy_entry_t *current, policy, *to_delete = NULL;
2657 route_entry_t *route;
2658 unsigned char request[BUFFER_SIZE];
2659 struct nlmsghdr *hdr;
2660 struct xfrm_userpolicy_id *policy_id;
2661 iterator_t *iterator;
2662
2663 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
2664
2665 /* create a policy */
2666 memset(&policy, 0, sizeof(policy_entry_t));
2667 policy.sel = ts2selector(src_ts, dst_ts);
2668 policy.direction = direction;
2669
2670 /* find the policy */
2671 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2672 while (iterator->iterate(iterator, (void**)&current))
2673 {
2674 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2675 policy.direction == current->direction)
2676 {
2677 to_delete = current;
2678 if (--to_delete->refcount > 0)
2679 {
2680 /* is used by more SAs, keep in kernel */
2681 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2682 iterator->destroy(iterator);
2683 return SUCCESS;
2684 }
2685 /* remove if last reference */
2686 iterator->remove(iterator);
2687 break;
2688 }
2689 }
2690 iterator->destroy(iterator);
2691 if (!to_delete)
2692 {
2693 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
2694 return NOT_FOUND;
2695 }
2696
2697 memset(&request, 0, sizeof(request));
2698
2699 hdr = (struct nlmsghdr*)request;
2700 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2701 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2702 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2703
2704 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2705 policy_id->sel = to_delete->sel;
2706 policy_id->dir = direction;
2707
2708 route = to_delete->route;
2709 free(to_delete);
2710
2711 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2712 {
2713 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
2714 return FAILED;
2715 }
2716
2717 if (route)
2718 {
2719 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2720 {
2721 DBG1(DBG_KNL, "error uninstalling route installed with "
2722 "policy %R===%R", src_ts, dst_ts);
2723 }
2724 route_entry_destroy(route);
2725 }
2726 return SUCCESS;
2727 }
2728
2729 /**
2730 * Implementation of kernel_interface_t.destroy.
2731 */
2732 static void destroy(private_kernel_interface_t *this)
2733 {
2734 manage_rule(this, RTM_DELRULE, IPSEC_ROUTING_TABLE, IPSEC_ROUTING_TABLE_PRIO);
2735
2736 this->job->cancel(this->job);
2737 close(this->socket_xfrm_events);
2738 close(this->socket_xfrm);
2739 close(this->socket_rt_events);
2740 close(this->socket_rt);
2741 this->policies->destroy(this->policies);
2742 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
2743 free(this);
2744 }
2745
2746 /*
2747 * Described in header.
2748 */
2749 kernel_interface_t *kernel_interface_create()
2750 {
2751 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2752 struct sockaddr_nl addr;
2753
2754 /* public functions */
2755 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2756 this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
2757 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,mode_t,u_int16_t,bool,bool))add_sa;
2758 this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
2759 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2760 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2761 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,u_int16_t))add_policy;
2762 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2763 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2764 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2765 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2766 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
2767 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2768 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
2769 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2770
2771 /* private members */
2772 this->policies = linked_list_create();
2773 this->ifaces = linked_list_create();
2774 this->hiter = NULL;
2775 this->seq = 200;
2776 pthread_mutex_init(&this->mutex, NULL);
2777 pthread_mutex_init(&this->nl_mutex, NULL);
2778 pthread_cond_init(&this->cond, NULL);
2779 timerclear(&this->last_roam);
2780
2781 memset(&addr, 0, sizeof(addr));
2782 addr.nl_family = AF_NETLINK;
2783
2784 /* create and bind RT socket */
2785 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2786 if (this->socket_rt <= 0)
2787 {
2788 charon->kill(charon, "unable to create RT netlink socket");
2789 }
2790 addr.nl_groups = 0;
2791 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
2792 {
2793 charon->kill(charon, "unable to bind RT netlink socket");
2794 }
2795
2796 /* create and bind RT socket for events (address/interface/route changes) */
2797 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2798 if (this->socket_rt_events <= 0)
2799 {
2800 charon->kill(charon, "unable to create RT event socket");
2801 }
2802 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
2803 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
2804 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
2805 {
2806 charon->kill(charon, "unable to bind RT event socket");
2807 }
2808
2809 /* create and bind XFRM socket */
2810 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2811 if (this->socket_xfrm <= 0)
2812 {
2813 charon->kill(charon, "unable to create XFRM netlink socket");
2814 }
2815 addr.nl_groups = 0;
2816 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
2817 {
2818 charon->kill(charon, "unable to bind XFRM netlink socket");
2819 }
2820
2821 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2822 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2823 if (this->socket_xfrm_events <= 0)
2824 {
2825 charon->kill(charon, "unable to create XFRM event socket");
2826 }
2827 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
2828 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2829 {
2830 charon->kill(charon, "unable to bind XFRM event socket");
2831 }
2832
2833 this->job = callback_job_create((callback_job_cb_t)receive_events,
2834 this, NULL, NULL);
2835 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2836
2837 if (init_address_list(this) != SUCCESS)
2838 {
2839 charon->kill(charon, "unable to get interface list");
2840 }
2841
2842 if (manage_rule(this, RTM_NEWRULE, IPSEC_ROUTING_TABLE,
2843 IPSEC_ROUTING_TABLE_PRIO) != SUCCESS)
2844 {
2845 DBG1(DBG_KNL, "unable to create routing table rule");
2846 }
2847
2848 return &this->public;
2849 }
2850
strongSwan - IPsec VPN