projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
further mobike improvements, regarding to NAT-T
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Based on xfrm code from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
36 #include <pthread.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 #include <string.h>
41 #include <net/if.h>
42 #include <sys/ioctl.h>
43
44 #include "kernel_interface.h"
45
46 #include <daemon.h>
47 #include <utils/linked_list.h>
48 #include <processing/jobs/delete_child_sa_job.h>
49 #include <processing/jobs/rekey_child_sa_job.h>
50 #include <processing/jobs/acquire_job.h>
51 #include <processing/jobs/callback_job.h>
52 #include <processing/jobs/roam_job.h>
53
54 /** kernel level protocol identifiers */
55 #define KERNEL_ESP 50
56 #define KERNEL_AH 51
57
58 /** default priority of installed policies */
59 #define PRIO_LOW 3000
60 #define PRIO_HIGH 2000
61
62 #define BUFFER_SIZE 1024
63
64 /**
65 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
66 * 'usual' netlink data x like 'struct xfrm_usersa_info'
67 */
68 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
69 /**
70 * returns a pointer to the next rtattr following rta.
71 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
72 */
73 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
74 /**
75 * returns the total size of attached rta data
76 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
77 */
78 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
79
80 typedef struct kernel_algorithm_t kernel_algorithm_t;
81
82 /**
83 * Mapping from the algorithms defined in IKEv2 to
84 * kernel level algorithm names and their key length
85 */
86 struct kernel_algorithm_t {
87 /**
88 * Identifier specified in IKEv2
89 */
90 int ikev2_id;
91
92 /**
93 * Name of the algorithm, as used as kernel identifier
94 */
95 char *name;
96
97 /**
98 * Key length in bits, if fixed size
99 */
100 u_int key_size;
101 };
102 #define END_OF_LIST -1
103
104 /**
105 * Algorithms for encryption
106 */
107 kernel_algorithm_t encryption_algs[] = {
108 /* {ENCR_DES_IV64, "***", 0}, */
109 {ENCR_DES, "des", 64},
110 {ENCR_3DES, "des3_ede", 192},
111 /* {ENCR_RC5, "***", 0}, */
112 /* {ENCR_IDEA, "***", 0}, */
113 {ENCR_CAST, "cast128", 0},
114 {ENCR_BLOWFISH, "blowfish", 0},
115 /* {ENCR_3IDEA, "***", 0}, */
116 /* {ENCR_DES_IV32, "***", 0}, */
117 {ENCR_NULL, "cipher_null", 0},
118 {ENCR_AES_CBC, "aes", 0},
119 /* {ENCR_AES_CTR, "***", 0}, */
120 {END_OF_LIST, NULL, 0},
121 };
122
123 /**
124 * Algorithms for integrity protection
125 */
126 kernel_algorithm_t integrity_algs[] = {
127 {AUTH_HMAC_MD5_96, "md5", 128},
128 {AUTH_HMAC_SHA1_96, "sha1", 160},
129 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
130 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
131 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
132 /* {AUTH_DES_MAC, "***", 0}, */
133 /* {AUTH_KPDK_MD5, "***", 0}, */
134 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
135 {END_OF_LIST, NULL, 0},
136 };
137
138 /**
139 * Look up a kernel algorithm name and its key size
140 */
141 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
142 algorithm_t *ikev2_algo, u_int *key_size)
143 {
144 while (kernel_algo->ikev2_id != END_OF_LIST)
145 {
146 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
147 {
148 /* match, evaluate key length */
149 if (ikev2_algo->key_size)
150 { /* variable length */
151 *key_size = ikev2_algo->key_size;
152 }
153 else
154 { /* fixed length */
155 *key_size = kernel_algo->key_size;
156 }
157 return kernel_algo->name;
158 }
159 kernel_algo++;
160 }
161 return NULL;
162 }
163
164 typedef struct route_entry_t route_entry_t;
165
166 /**
167 * installed routing entry
168 */
169 struct route_entry_t {
170
171 /** Index of the interface the route is bound to */
172 int if_index;
173
174 /** Source ip of the route */
175 host_t *src_ip;
176
177 /** gateway for this route */
178 host_t *gateway;
179
180 /** Destination net */
181 chunk_t dst_net;
182
183 /** Destination net prefixlen */
184 u_int8_t prefixlen;
185 };
186
187 /**
188 * destroy an route_entry_t object
189 */
190 static void route_entry_destroy(route_entry_t *this)
191 {
192 this->src_ip->destroy(this->src_ip);
193 this->gateway->destroy(this->gateway);
194 chunk_free(&this->dst_net);
195 free(this);
196 }
197
198 typedef struct policy_entry_t policy_entry_t;
199
200 /**
201 * installed kernel policy.
202 */
203 struct policy_entry_t {
204
205 /** direction of this policy: in, out, forward */
206 u_int8_t direction;
207
208 /** reqid of the policy */
209 u_int32_t reqid;
210
211 /** parameters of installed policy */
212 struct xfrm_selector sel;
213
214 /** associated route installed for this policy */
215 route_entry_t *route;
216
217 /** by how many CHILD_SA's this policy is used */
218 u_int refcount;
219 };
220
221 typedef struct addr_entry_t addr_entry_t;
222
223 /**
224 * IP address in an inface_entry_t
225 */
226 struct addr_entry_t {
227
228 /** The ip address */
229 host_t *ip;
230
231 /** virtual IP managed by us */
232 bool virtual;
233
234 /** Number of times this IP is used, if virtual */
235 u_int refcount;
236 };
237
238 /**
239 * destroy a addr_entry_t object
240 */
241 static void addr_entry_destroy(addr_entry_t *this)
242 {
243 this->ip->destroy(this->ip);
244 free(this);
245 }
246
247 typedef struct iface_entry_t iface_entry_t;
248
249 /**
250 * A network interface on this system, containing addr_entry_t's
251 */
252 struct iface_entry_t {
253
254 /** interface index */
255 int ifindex;
256
257 /** name of the interface */
258 char ifname[IFNAMSIZ];
259
260 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
261 u_int flags;
262
263 /** list of addresses as host_t */
264 linked_list_t *addrs;
265 };
266
267 /**
268 * destroy an interface entry
269 */
270 static void iface_entry_destroy(iface_entry_t *this)
271 {
272 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
273 free(this);
274 }
275
276 typedef struct private_kernel_interface_t private_kernel_interface_t;
277
278 /**
279 * Private variables and functions of kernel_interface class.
280 */
281 struct private_kernel_interface_t {
282 /**
283 * Public part of the kernel_interface_t object.
284 */
285 kernel_interface_t public;
286
287 /**
288 * mutex to lock access to the various lists
289 */
290 pthread_mutex_t mutex;
291
292 /**
293 * List of installed policies (policy_entry_t)
294 */
295 linked_list_t *policies;
296
297 /**
298 * Cached list of interfaces and its adresses (iface_entry_t)
299 */
300 linked_list_t *ifaces;
301
302 /**
303 * iterator used in hook()
304 */
305 iterator_t *hiter;
306
307 /**
308 * job receiving netlink events
309 */
310 callback_job_t *job;
311
312 /**
313 * current sequence number for netlink request
314 */
315 int seq;
316
317 /**
318 * Netlink xfrm socket (IPsec)
319 */
320 int socket_xfrm;
321
322 /**
323 * netlink xfrm socket to receive acquire and expire events
324 */
325 int socket_xfrm_events;
326
327 /**
328 * Netlink rt socket (routing)
329 */
330 int socket_rt;
331
332 /**
333 * Netlink rt socket to receive address change events
334 */
335 int socket_rt_events;
336 };
337
338 /**
339 * convert a host_t to a struct xfrm_address
340 */
341 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
342 {
343 chunk_t chunk = host->get_address(host);
344 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
345 }
346
347 /**
348 * convert a traffic selector address range to subnet and its mask.
349 */
350 static void ts2subnet(traffic_selector_t* ts,
351 xfrm_address_t *net, u_int8_t *mask)
352 {
353 /* there is no way to do this cleanly, as the address range may
354 * be anything else but a subnet. We use from_addr as subnet
355 * and try to calculate a usable subnet mask.
356 */
357 int byte, bit;
358 bool found = FALSE;
359 chunk_t from, to;
360 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
361
362 from = ts->get_from_address(ts);
363 to = ts->get_to_address(ts);
364
365 *mask = (size * 8);
366 /* go trough all bits of the addresses, beginning in the front.
367 * as long as they are equal, the subnet gets larger
368 */
369 for (byte = 0; byte < size; byte++)
370 {
371 for (bit = 7; bit >= 0; bit--)
372 {
373 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
374 {
375 *mask = ((7 - bit) + (byte * 8));
376 found = TRUE;
377 break;
378 }
379 }
380 if (found)
381 {
382 break;
383 }
384 }
385 memcpy(net, from.ptr, from.len);
386 chunk_free(&from);
387 chunk_free(&to);
388 }
389
390 /**
391 * convert a traffic selector port range to port/portmask
392 */
393 static void ts2ports(traffic_selector_t* ts,
394 u_int16_t *port, u_int16_t *mask)
395 {
396 /* linux does not seem to accept complex portmasks. Only
397 * any or a specific port is allowed. We set to any, if we have
398 * a port range, or to a specific, if we have one port only.
399 */
400 u_int16_t from, to;
401
402 from = ts->get_from_port(ts);
403 to = ts->get_to_port(ts);
404
405 if (from == to)
406 {
407 *port = htons(from);
408 *mask = ~0;
409 }
410 else
411 {
412 *port = 0;
413 *mask = 0;
414 }
415 }
416
417 /**
418 * convert a pair of traffic_selectors to a xfrm_selector
419 */
420 static struct xfrm_selector ts2selector(traffic_selector_t *src,
421 traffic_selector_t *dst)
422 {
423 struct xfrm_selector sel;
424
425 memset(&sel, 0, sizeof(sel));
426 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
427 /* src or dest proto may be "any" (0), use more restrictive one */
428 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
429 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
430 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
431 ts2ports(dst, &sel.dport, &sel.dport_mask);
432 ts2ports(src, &sel.sport, &sel.sport_mask);
433 sel.ifindex = 0;
434 sel.user = 0;
435
436 return sel;
437 }
438
439 /**
440 * Creates an rtattr and adds it to the netlink message
441 */
442 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
443 size_t buflen)
444 {
445 struct rtattr *rta;
446
447 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
448 {
449 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
450 return;
451 }
452
453 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
454 rta->rta_type = rta_type;
455 rta->rta_len = RTA_LENGTH(data.len);
456 memcpy(RTA_DATA(rta), data.ptr, data.len);
457 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
458 }
459
460 /**
461 * process a XFRM_MSG_ACQUIRE from kernel
462 */
463 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
464 {
465 u_int32_t reqid = 0;
466 job_t *job;
467 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
468 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
469
470 if (RTA_OK(rtattr, rtsize))
471 {
472 if (rtattr->rta_type == XFRMA_TMPL)
473 {
474 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
475 reqid = tmpl->reqid;
476 }
477 }
478 if (reqid == 0)
479 {
480 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
481 return;
482 }
483 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
484 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
485 job = (job_t*)acquire_job_create(reqid);
486 charon->processor->queue_job(charon->processor, job);
487 }
488
489 /**
490 * process a XFRM_MSG_EXPIRE from kernel
491 */
492 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
493 {
494 job_t *job;
495 protocol_id_t protocol;
496 u_int32_t spi, reqid;
497 struct xfrm_user_expire *expire;
498
499 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
500 protocol = expire->state.id.proto == KERNEL_ESP ? PROTO_ESP : PROTO_AH;
501 spi = expire->state.id.spi;
502 reqid = expire->state.reqid;
503
504 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
505 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
506 expire->hard ? "delete" : "rekey", protocol_id_names,
507 protocol, ntohl(spi), reqid);
508 if (expire->hard)
509 {
510 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
511 }
512 else
513 {
514 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
515 }
516 charon->processor->queue_job(charon->processor, job);
517 }
518
519 /**
520 * process RTM_NEWLINK/RTM_DELLINK from kernel
521 */
522 static void process_link(private_kernel_interface_t *this,
523 struct nlmsghdr *hdr, bool event)
524 {
525 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
526 struct rtattr *rta = IFLA_RTA(msg);
527 size_t rtasize = IFLA_PAYLOAD (hdr);
528 iterator_t *iterator;
529 iface_entry_t *current, *entry = NULL;
530 char *name = NULL;
531 bool update = FALSE;
532
533 while(RTA_OK(rta, rtasize))
534 {
535 switch (rta->rta_type)
536 {
537 case IFLA_IFNAME:
538 name = RTA_DATA(rta);
539 break;
540 }
541 rta = RTA_NEXT(rta, rtasize);
542 }
543 if (!name)
544 {
545 name = "(unknown)";
546 }
547
548 switch (hdr->nlmsg_type)
549 {
550 case RTM_NEWLINK:
551 {
552 if (msg->ifi_flags & IFF_LOOPBACK)
553 { /* ignore loopback interfaces */
554 break;
555 }
556 iterator = this->ifaces->create_iterator_locked(this->ifaces,
557 &this->mutex);
558 while (iterator->iterate(iterator, (void**)&current))
559 {
560 if (current->ifindex == msg->ifi_index)
561 {
562 entry = current;
563 break;
564 }
565 }
566 if (!entry)
567 {
568 entry = malloc_thing(iface_entry_t);
569 entry->ifindex = msg->ifi_index;
570 entry->flags = 0;
571 entry->addrs = linked_list_create();
572 this->ifaces->insert_last(this->ifaces, entry);
573 }
574 memcpy(entry->ifname, name, IFNAMSIZ);
575 entry->ifname[IFNAMSIZ-1] = '\0';
576 if (event)
577 {
578 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
579 {
580 update = TRUE;
581 DBG1(DBG_KNL, "interface %s activated", name);
582 }
583 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
584 {
585 update = TRUE;
586 DBG1(DBG_KNL, "interface %s deactivated", name);
587 }
588 }
589 entry->flags = msg->ifi_flags;
590 iterator->destroy(iterator);
591 break;
592 }
593 case RTM_DELLINK:
594 {
595 iterator = this->ifaces->create_iterator_locked(this->ifaces,
596 &this->mutex);
597 while (iterator->iterate(iterator, (void**)&current))
598 {
599 if (current->ifindex == msg->ifi_index)
600 {
601 /* we do not remove it, as an address may be added to a
602 * "down" interface and we wan't to know that. */
603 current->flags = msg->ifi_flags;
604 break;
605 }
606 }
607 iterator->destroy(iterator);
608 break;
609 }
610 }
611
612 /* send an update to all IKE_SAs */
613 if (update && event)
614 {
615 charon->processor->queue_job(charon->processor, (job_t*)roam_job_create());
616 }
617 }
618
619 /**
620 * process RTM_NEWADDR/RTM_DELADDR from kernel
621 */
622 static void process_addr(private_kernel_interface_t *this,
623 struct nlmsghdr *hdr, bool event)
624 {
625 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
626 struct rtattr *rta = IFA_RTA(msg);
627 size_t rtasize = IFA_PAYLOAD (hdr);
628 host_t *host = NULL;
629 iterator_t *ifaces, *addrs;
630 iface_entry_t *iface;
631 addr_entry_t *addr;
632 chunk_t local = chunk_empty, address = chunk_empty;
633 bool update = FALSE, found = FALSE;
634
635 while(RTA_OK(rta, rtasize))
636 {
637 switch (rta->rta_type)
638 {
639 case IFA_LOCAL:
640 local.ptr = RTA_DATA(rta);
641 local.len = RTA_PAYLOAD(rta);
642 break;
643 case IFA_ADDRESS:
644 address.ptr = RTA_DATA(rta);
645 address.len = RTA_PAYLOAD(rta);
646 break;
647 }
648 rta = RTA_NEXT(rta, rtasize);
649 }
650
651 /* For PPP interfaces, we need the IFA_LOCAL address,
652 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
653 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
654 if (local.ptr)
655 {
656 host = host_create_from_chunk(msg->ifa_family, local, 0);
657 }
658 else if (address.ptr)
659 {
660 host = host_create_from_chunk(msg->ifa_family, address, 0);
661 }
662
663 if (host == NULL)
664 { /* bad family? */
665 return;
666 }
667
668 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
669 while (ifaces->iterate(ifaces, (void**)&iface))
670 {
671 if (iface->ifindex == msg->ifa_index)
672 {
673 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
674 while (addrs->iterate(addrs, (void**)&addr))
675 {
676 if (host->ip_equals(host, addr->ip))
677 {
678 found = TRUE;
679 if (hdr->nlmsg_type == RTM_DELADDR)
680 {
681 addrs->remove(addrs);
682 addr_entry_destroy(addr);
683 DBG1(DBG_KNL, "%H disappeared from %s", host, iface->ifname);
684 }
685 }
686 }
687 addrs->destroy(addrs);
688
689 if (hdr->nlmsg_type == RTM_NEWADDR)
690 {
691 if (!found)
692 {
693 found = TRUE;
694 addr = malloc_thing(addr_entry_t);
695 addr->ip = host->clone(host);
696 addr->virtual = FALSE;
697 addr->refcount = 1;
698
699 iface->addrs->insert_last(iface->addrs, addr);
700 if (event)
701 {
702 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
703 }
704 }
705 }
706 if (found && (iface->flags & IFF_UP))
707 {
708 update = TRUE;
709 }
710 break;
711 }
712 }
713 ifaces->destroy(ifaces);
714 host->destroy(host);
715
716 /* send an update to all IKE_SAs */
717 if (update && event)
718 {
719 charon->processor->queue_job(charon->processor, (job_t*)roam_job_create());
720 }
721 }
722
723 /**
724 * Receives events from kernel
725 */
726 static job_requeue_t receive_events(private_kernel_interface_t *this)
727 {
728 char response[1024];
729 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
730 struct sockaddr_nl addr;
731 socklen_t addr_len = sizeof(addr);
732 int len, oldstate, maxfd, selected;
733 fd_set rfds;
734
735 FD_ZERO(&rfds);
736 FD_SET(this->socket_xfrm_events, &rfds);
737 FD_SET(this->socket_rt_events, &rfds);
738 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
739
740 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
741 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
742 pthread_setcancelstate(oldstate, NULL);
743 if (selected <= 0)
744 {
745 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
746 return JOB_REQUEUE_FAIR;
747 }
748 if (FD_ISSET(this->socket_xfrm_events, &rfds))
749 {
750 selected = this->socket_xfrm_events;
751 }
752 else if (FD_ISSET(this->socket_rt_events, &rfds))
753 {
754 selected = this->socket_rt_events;
755 }
756 else
757 {
758 return JOB_REQUEUE_DIRECT;
759 }
760
761 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
762 (struct sockaddr*)&addr, &addr_len);
763 if (len < 0)
764 {
765 switch (errno)
766 {
767 case EINTR:
768 /* interrupted, try again */
769 return JOB_REQUEUE_DIRECT;
770 case EAGAIN:
771 /* no data ready, select again */
772 return JOB_REQUEUE_DIRECT;
773 default:
774 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
775 sleep(1);
776 return JOB_REQUEUE_FAIR;
777 }
778 }
779 if (addr.nl_pid != 0)
780 { /* not from kernel. not interested, try another one */
781 return JOB_REQUEUE_DIRECT;
782 }
783
784 while (NLMSG_OK(hdr, len))
785 {
786 /* looks good so far, dispatch netlink message */
787 if (selected == this->socket_xfrm_events)
788 {
789 switch (hdr->nlmsg_type)
790 {
791 case XFRM_MSG_ACQUIRE:
792 process_acquire(this, hdr);
793 break;
794 case XFRM_MSG_EXPIRE:
795 process_expire(this, hdr);
796 break;
797 default:
798 break;
799 }
800 }
801 else if (selected == this->socket_rt_events)
802 {
803 switch (hdr->nlmsg_type)
804 {
805 case RTM_NEWADDR:
806 case RTM_DELADDR:
807 process_addr(this, hdr, TRUE);
808 break;
809 case RTM_NEWLINK:
810 case RTM_DELLINK:
811 process_link(this, hdr, TRUE);
812 break;
813 case RTM_NEWROUTE:
814 case RTM_DELROUTE:
815 charon->processor->queue_job(charon->processor,
816 (job_t*)roam_job_create());
817 break;
818 default:
819 break;
820 }
821 }
822 hdr = NLMSG_NEXT(hdr, len);
823 }
824 return JOB_REQUEUE_DIRECT;
825 }
826
827 /**
828 * send a netlink message and wait for a reply
829 */
830 static status_t netlink_send(private_kernel_interface_t *this,
831 int socket, struct nlmsghdr *in,
832 struct nlmsghdr **out, size_t *out_len)
833 {
834 int len, addr_len;
835 struct sockaddr_nl addr;
836 chunk_t result = chunk_empty, tmp;
837 struct nlmsghdr *msg, peek;
838
839 pthread_mutex_lock(&this->mutex);
840
841 in->nlmsg_seq = ++this->seq;
842 in->nlmsg_pid = getpid();
843
844 memset(&addr, 0, sizeof(addr));
845 addr.nl_family = AF_NETLINK;
846 addr.nl_pid = 0;
847 addr.nl_groups = 0;
848
849 while (TRUE)
850 {
851 len = sendto(socket, in, in->nlmsg_len, 0,
852 (struct sockaddr*)&addr, sizeof(addr));
853
854 if (len != in->nlmsg_len)
855 {
856 if (errno == EINTR)
857 {
858 /* interrupted, try again */
859 continue;
860 }
861 pthread_mutex_unlock(&this->mutex);
862 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
863 return FAILED;
864 }
865 break;
866 }
867
868 while (TRUE)
869 {
870 char buf[4096];
871 tmp.len = sizeof(buf);
872 tmp.ptr = buf;
873 msg = (struct nlmsghdr*)tmp.ptr;
874
875 memset(&addr, 0, sizeof(addr));
876 addr.nl_family = AF_NETLINK;
877 addr.nl_pid = getpid();
878 addr.nl_groups = 0;
879 addr_len = sizeof(addr);
880
881 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
882 (struct sockaddr*)&addr, &addr_len);
883
884 if (len < 0)
885 {
886 if (errno == EINTR)
887 {
888 DBG1(DBG_KNL, "got interrupted");
889 /* interrupted, try again */
890 continue;
891 }
892 DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
893 pthread_mutex_unlock(&this->mutex);
894 return FAILED;
895 }
896 if (!NLMSG_OK(msg, len))
897 {
898 DBG1(DBG_KNL, "received corrupted netlink message");
899 pthread_mutex_unlock(&this->mutex);
900 return FAILED;
901 }
902 if (msg->nlmsg_seq != this->seq)
903 {
904 DBG1(DBG_KNL, "received invalid netlink sequence number");
905 if (msg->nlmsg_seq < this->seq)
906 {
907 continue;
908 }
909 pthread_mutex_unlock(&this->mutex);
910 return FAILED;
911 }
912
913 tmp.len = len;
914 result = chunk_cata("cc", result, tmp);
915
916 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
917 * numbers to detect multi header messages */
918 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
919 (struct sockaddr*)&addr, &addr_len);
920
921 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
922 {
923 /* seems to be multipart */
924 continue;
925 }
926 break;
927 }
928
929 *out_len = result.len;
930 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
931
932 pthread_mutex_unlock(&this->mutex);
933
934 return SUCCESS;
935 }
936
937 /**
938 * send a netlink message and wait for its acknowlegde
939 */
940 static status_t netlink_send_ack(private_kernel_interface_t *this,
941 int socket, struct nlmsghdr *in)
942 {
943 struct nlmsghdr *out, *hdr;
944 size_t len;
945
946 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
947 {
948 return FAILED;
949 }
950 hdr = out;
951 while (NLMSG_OK(hdr, len))
952 {
953 switch (hdr->nlmsg_type)
954 {
955 case NLMSG_ERROR:
956 {
957 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
958
959 if (err->error)
960 {
961 DBG1(DBG_KNL, "received netlink error: %s (%d)",
962 strerror(-err->error), -err->error);
963 free(out);
964 return FAILED;
965 }
966 free(out);
967 return SUCCESS;
968 }
969 default:
970 hdr = NLMSG_NEXT(hdr, len);
971 continue;
972 case NLMSG_DONE:
973 break;
974 }
975 break;
976 }
977 DBG1(DBG_KNL, "netlink request not acknowlegded");
978 free(out);
979 return FAILED;
980 }
981
982 /**
983 * Initialize a list of local addresses.
984 */
985 static status_t init_address_list(private_kernel_interface_t *this)
986 {
987 char request[BUFFER_SIZE];
988 struct nlmsghdr *out, *current, *in;
989 struct rtgenmsg *msg;
990 size_t len;
991 iterator_t *ifaces, *addrs;
992 iface_entry_t *iface;
993 addr_entry_t *addr;
994
995 DBG1(DBG_KNL, "listening on interfaces:");
996
997 memset(&request, 0, sizeof(request));
998
999 in = (struct nlmsghdr*)&request;
1000 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
1001 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
1002 msg = (struct rtgenmsg*)NLMSG_DATA(in);
1003 msg->rtgen_family = AF_UNSPEC;
1004
1005 /* get all links */
1006 in->nlmsg_type = RTM_GETLINK;
1007 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1008 {
1009 return FAILED;
1010 }
1011 current = out;
1012 while (NLMSG_OK(current, len))
1013 {
1014 switch (current->nlmsg_type)
1015 {
1016 case NLMSG_DONE:
1017 break;
1018 case RTM_NEWLINK:
1019 process_link(this, current, FALSE);
1020 /* fall through */
1021 default:
1022 current = NLMSG_NEXT(current, len);
1023 continue;
1024 }
1025 break;
1026 }
1027 free(out);
1028
1029 /* get all interface addresses */
1030 in->nlmsg_type = RTM_GETADDR;
1031 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1032 {
1033 return FAILED;
1034 }
1035 current = out;
1036 while (NLMSG_OK(current, len))
1037 {
1038 switch (current->nlmsg_type)
1039 {
1040 case NLMSG_DONE:
1041 break;
1042 case RTM_NEWADDR:
1043 process_addr(this, current, FALSE);
1044 /* fall through */
1045 default:
1046 current = NLMSG_NEXT(current, len);
1047 continue;
1048 }
1049 break;
1050 }
1051 free(out);
1052
1053 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1054 while (ifaces->iterate(ifaces, (void**)&iface))
1055 {
1056 if (iface->flags & IFF_UP)
1057 {
1058 DBG1(DBG_KNL, " %s", iface->ifname);
1059 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1060 while (addrs->iterate(addrs, (void**)&addr))
1061 {
1062 DBG1(DBG_KNL, " %H", addr->ip);
1063 }
1064 addrs->destroy(addrs);
1065 }
1066 }
1067 ifaces->destroy(ifaces);
1068 return SUCCESS;
1069 }
1070
1071 /**
1072 * iterator hook to iterate over addrs
1073 */
1074 static hook_result_t addr_hook(private_kernel_interface_t *this,
1075 addr_entry_t *in, host_t **out)
1076 {
1077 if (in->virtual)
1078 { /* skip virtual interfaces added by us */
1079 return HOOK_SKIP;
1080 }
1081 *out = in->ip;
1082 return HOOK_NEXT;
1083 }
1084
1085 /**
1086 * iterator hook to iterate over ifaces
1087 */
1088 static hook_result_t iface_hook(private_kernel_interface_t *this,
1089 iface_entry_t *in, host_t **out)
1090 {
1091 if (!(in->flags & IFF_UP))
1092 { /* skip interfaces not up */
1093 return HOOK_SKIP;
1094 }
1095
1096 if (this->hiter == NULL)
1097 {
1098 this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
1099 this->hiter->set_iterator_hook(this->hiter,
1100 (iterator_hook_t*)addr_hook, this);
1101 }
1102 while (this->hiter->iterate(this->hiter, (void**)out))
1103 {
1104 return HOOK_AGAIN;
1105 }
1106 this->hiter->destroy(this->hiter);
1107 this->hiter = NULL;
1108 return HOOK_SKIP;
1109 }
1110
1111 /**
1112 * Implements kernel_interface_t.create_address_iterator.
1113 */
1114 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1115 {
1116 iterator_t *iterator;
1117
1118 /* This iterator is not only hooked, is is double-hooked. As we have stored
1119 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
1120 * entries in each interface we iterate. This does the iface_hook. The
1121 * addr_hook returns the ip instead of the addr_entry. */
1122
1123 iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1124 iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
1125 return iterator;
1126 }
1127
1128 /**
1129 * implementation of kernel_interface_t.get_interface_name
1130 */
1131 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1132 {
1133 iterator_t *ifaces, *addrs;
1134 iface_entry_t *iface;
1135 addr_entry_t *addr;
1136 char *name = NULL;
1137
1138 DBG2(DBG_KNL, "getting interface name for %H", ip);
1139
1140 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1141 while (ifaces->iterate(ifaces, (void**)&iface))
1142 {
1143 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1144 while (addrs->iterate(addrs, (void**)&addr))
1145 {
1146 if (ip->ip_equals(ip, addr->ip))
1147 {
1148 name = strdup(iface->ifname);
1149 break;
1150 }
1151 }
1152 addrs->destroy(addrs);
1153 if (name)
1154 {
1155 break;
1156 }
1157 }
1158 ifaces->destroy(ifaces);
1159
1160 if (name)
1161 {
1162 DBG2(DBG_KNL, "%H is on interface %s", ip, name);
1163 }
1164 else
1165 {
1166 DBG2(DBG_KNL, "%H is not a local address", ip);
1167 }
1168 return name;
1169 }
1170
1171 /**
1172 * Tries to find an ip address of a local interface that is included in the
1173 * supplied traffic selector.
1174 */
1175 static status_t get_address_by_ts(private_kernel_interface_t *this,
1176 traffic_selector_t *ts, host_t **ip)
1177 {
1178 iterator_t *ifaces, *addrs;
1179 iface_entry_t *iface;
1180 addr_entry_t *addr;
1181 host_t *host;
1182 int family;
1183 bool found = FALSE;
1184
1185 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
1186
1187 /* if we have a family which includes localhost, we do not
1188 * search for an IP, we use the default */
1189 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1190
1191 if (family == AF_INET)
1192 {
1193 host = host_create_from_string("127.0.0.1", 0);
1194 }
1195 else
1196 {
1197 host = host_create_from_string("::1", 0);
1198 }
1199
1200 if (ts->includes(ts, host))
1201 {
1202 *ip = host_create_any(family);
1203 host->destroy(host);
1204 DBG2(DBG_KNL, "using host %H", *ip);
1205 return SUCCESS;
1206 }
1207 host->destroy(host);
1208
1209 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1210 while (ifaces->iterate(ifaces, (void**)&iface))
1211 {
1212 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1213 while (addrs->iterate(addrs, (void**)&addr))
1214 {
1215 if (ts->includes(ts, addr->ip))
1216 {
1217 found = TRUE;
1218 *ip = addr->ip->clone(addr->ip);
1219 break;
1220 }
1221 }
1222 addrs->destroy(addrs);
1223 if (found)
1224 {
1225 break;
1226 }
1227 }
1228 ifaces->destroy(ifaces);
1229
1230 if (!found)
1231 {
1232 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
1233 return FAILED;
1234 }
1235 DBG2(DBG_KNL, "using host %H", *ip);
1236 return SUCCESS;
1237 }
1238
1239 /**
1240 * get the interface of a local address
1241 */
1242 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1243 {
1244 iterator_t *ifaces, *addrs;
1245 iface_entry_t *iface;
1246 addr_entry_t *addr;
1247 int ifindex = 0;
1248
1249 DBG2(DBG_KNL, "getting iface for %H", ip);
1250
1251 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1252 while (ifaces->iterate(ifaces, (void**)&iface))
1253 {
1254 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1255 while (addrs->iterate(addrs, (void**)&addr))
1256 {
1257 if (ip->ip_equals(ip, addr->ip))
1258 {
1259 ifindex = iface->ifindex;
1260 break;
1261 }
1262 }
1263 addrs->destroy(addrs);
1264 if (ifindex)
1265 {
1266 break;
1267 }
1268 }
1269 ifaces->destroy(ifaces);
1270
1271 if (ifindex == 0)
1272 {
1273 DBG1(DBG_KNL, "unable to get interface for %H", ip);
1274 }
1275 return ifindex;
1276 }
1277
1278 /**
1279 * Manages the creation and deletion of ip addresses on an interface.
1280 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1281 */
1282 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1283 int flags, int if_index, host_t *ip)
1284 {
1285 unsigned char request[BUFFER_SIZE];
1286 struct nlmsghdr *hdr;
1287 struct ifaddrmsg *msg;
1288 chunk_t chunk;
1289
1290 memset(&request, 0, sizeof(request));
1291
1292 chunk = ip->get_address(ip);
1293
1294 hdr = (struct nlmsghdr*)request;
1295 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1296 hdr->nlmsg_type = nlmsg_type;
1297 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1298
1299 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1300 msg->ifa_family = ip->get_family(ip);
1301 msg->ifa_flags = 0;
1302 msg->ifa_prefixlen = 8 * chunk.len;
1303 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1304 msg->ifa_index = if_index;
1305
1306 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1307
1308 return netlink_send_ack(this, this->socket_rt, hdr);
1309 }
1310
1311 /**
1312 * Manages source routes in the routing table.
1313 * By setting the appropriate nlmsg_type, the route added or r.
1314 */
1315 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1316 int flags, route_entry_t *route)
1317 {
1318 unsigned char request[BUFFER_SIZE];
1319 struct nlmsghdr *hdr;
1320 struct rtmsg *msg;
1321 chunk_t chunk;
1322
1323 /* if route is 0.0.0.0/0, we can't install it, as it would
1324 * overwrite the default route. Instead, we add two routes:
1325 * 0.0.0.0/1 and 128.0.0.0/1
1326 * TODO: use metrics instead */
1327 if (route->prefixlen == 0)
1328 {
1329 route_entry_t half;
1330 status_t status;
1331
1332 half.dst_net = chunk_alloca(route->dst_net.len);
1333 memset(half.dst_net.ptr, 0, half.dst_net.len);
1334 half.src_ip = route->src_ip;
1335 half.gateway = route->gateway;
1336 half.if_index = route->if_index;
1337 half.prefixlen = 1;
1338
1339 status = manage_srcroute(this, nlmsg_type, flags, &half);
1340 half.dst_net.ptr[0] |= 0x80;
1341 status = manage_srcroute(this, nlmsg_type, flags, &half);
1342 return status;
1343 }
1344
1345 memset(&request, 0, sizeof(request));
1346
1347 hdr = (struct nlmsghdr*)request;
1348 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1349 hdr->nlmsg_type = nlmsg_type;
1350 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1351
1352 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1353 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1354 msg->rtm_dst_len = route->prefixlen;
1355 msg->rtm_table = RT_TABLE_MAIN;
1356 msg->rtm_protocol = RTPROT_STATIC;
1357 msg->rtm_type = RTN_UNICAST;
1358 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1359
1360 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1361 chunk = route->src_ip->get_address(route->src_ip);
1362 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1363 chunk = route->gateway->get_address(route->gateway);
1364 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1365 chunk.ptr = (char*)&route->if_index;
1366 chunk.len = sizeof(route->if_index);
1367 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1368
1369 return netlink_send_ack(this, this->socket_rt, hdr);
1370 }
1371
1372 /**
1373 * Implementation of kernel_interface_t.get_source_addr.
1374 */
1375 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1376 {
1377 unsigned char request[BUFFER_SIZE];
1378 struct nlmsghdr *hdr, *out, *current;
1379 struct rtmsg *msg;
1380 chunk_t chunk;
1381 size_t len;
1382 host_t *source = NULL;
1383
1384 DBG2(DBG_KNL, "getting source address to reach %H", dest);
1385
1386 memset(&request, 0, sizeof(request));
1387
1388 hdr = (struct nlmsghdr*)request;
1389 hdr->nlmsg_flags = NLM_F_REQUEST;
1390 hdr->nlmsg_type = RTM_GETROUTE;
1391 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1392
1393 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1394 msg->rtm_family = dest->get_family(dest);
1395 msg->rtm_dst_len = msg->rtm_family == AF_INET ? 32 : 128;
1396 msg->rtm_table = RT_TABLE_MAIN;
1397 msg->rtm_protocol = RTPROT_STATIC;
1398 msg->rtm_type = RTN_UNICAST;
1399 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1400
1401 chunk = dest->get_address(dest);
1402 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1403
1404 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1405 {
1406 DBG1(DBG_KNL, "getting source address to %H failed", dest);
1407 return NULL;
1408 }
1409 current = out;
1410 while (NLMSG_OK(current, len))
1411 {
1412 switch (current->nlmsg_type)
1413 {
1414 case NLMSG_DONE:
1415 break;
1416 case RTM_NEWROUTE:
1417 {
1418 struct rtattr *rta;
1419 size_t rtasize;
1420
1421 msg = (struct rtmsg*)(NLMSG_DATA(current));
1422 rta = RTM_RTA(msg);
1423 rtasize = RTM_PAYLOAD(current);
1424 while(RTA_OK(rta, rtasize))
1425 {
1426 switch (rta->rta_type)
1427 {
1428 case RTA_PREFSRC:
1429 chunk.ptr = RTA_DATA(rta);
1430 chunk.len = RTA_PAYLOAD(rta);
1431 source = host_create_from_chunk(msg->rtm_family,
1432 chunk, 0);
1433 break;
1434 }
1435 rta = RTA_NEXT(rta, rtasize);
1436 }
1437 break;
1438 }
1439 default:
1440 current = NLMSG_NEXT(current, len);
1441 continue;
1442 }
1443 break;
1444 }
1445 free(out);
1446 if (source == NULL)
1447 {
1448 DBG2(DBG_KNL, "no route found to %H", dest);
1449 }
1450 return source;
1451 }
1452
1453 /**
1454 * Implementation of kernel_interface_t.add_ip.
1455 */
1456 static status_t add_ip(private_kernel_interface_t *this,
1457 host_t *virtual_ip, host_t *iface_ip)
1458 {
1459 iface_entry_t *iface;
1460 addr_entry_t *addr;
1461 iterator_t *addrs, *ifaces;
1462
1463 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1464
1465 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1466 while (ifaces->iterate(ifaces, (void**)&iface))
1467 {
1468 bool iface_found = FALSE;
1469
1470 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1471 while (addrs->iterate(addrs, (void**)&addr))
1472 {
1473 if (iface_ip->ip_equals(iface_ip, addr->ip))
1474 {
1475 iface_found = TRUE;
1476 }
1477 else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1478 {
1479 addr->refcount++;
1480 DBG2(DBG_KNL, "virtual IP %H already installed on %s",
1481 virtual_ip, iface->ifname);
1482 addrs->destroy(addrs);
1483 ifaces->destroy(ifaces);
1484 return SUCCESS;
1485 }
1486 }
1487 addrs->destroy(addrs);
1488
1489 if (iface_found)
1490 {
1491 int ifindex = iface->ifindex;
1492 ifaces->destroy(ifaces);
1493 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1494 ifindex, virtual_ip) == SUCCESS)
1495 {
1496 addr = malloc_thing(addr_entry_t);
1497 addr->ip = virtual_ip->clone(virtual_ip);
1498 addr->refcount = 1;
1499 addr->virtual = TRUE;
1500 pthread_mutex_lock(&this->mutex);
1501 iface->addrs->insert_last(iface->addrs, addr);
1502 pthread_mutex_unlock(&this->mutex);
1503 return SUCCESS;
1504 }
1505 DBG2(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1506 return FAILED;
1507
1508 }
1509
1510 }
1511 ifaces->destroy(ifaces);
1512
1513 DBG2(DBG_KNL, "interface address %H not found, unable to install"
1514 "virtual IP %H", iface_ip, virtual_ip);
1515 return FAILED;
1516 }
1517
1518 /**
1519 * Implementation of kernel_interface_t.del_ip.
1520 */
1521 static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
1522 {
1523 iface_entry_t *iface;
1524 addr_entry_t *addr;
1525 iterator_t *addrs, *ifaces;
1526
1527 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1528
1529 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1530 while (ifaces->iterate(ifaces, (void**)&iface))
1531 {
1532 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1533 while (addrs->iterate(addrs, (void**)&addr))
1534 {
1535 if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1536 {
1537 int ifindex = iface->ifindex;
1538 addr->refcount--;
1539 if (addr->refcount == 0)
1540 {
1541 addrs->remove(addrs);
1542 addrs->destroy(addrs);
1543 ifaces->destroy(ifaces);
1544 addr_entry_destroy(addr);
1545 return manage_ipaddr(this, RTM_DELADDR, 0,
1546 ifindex, virtual_ip);
1547 }
1548 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1549 virtual_ip);
1550 addrs->destroy(addrs);
1551 ifaces->destroy(ifaces);
1552 return SUCCESS;
1553 }
1554 }
1555 addrs->destroy(addrs);
1556 }
1557 ifaces->destroy(ifaces);
1558
1559 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1560 return FAILED;
1561 }
1562
1563 /**
1564 * Implementation of kernel_interface_t.get_spi.
1565 */
1566 static status_t get_spi(private_kernel_interface_t *this,
1567 host_t *src, host_t *dst,
1568 protocol_id_t protocol, u_int32_t reqid,
1569 u_int32_t *spi)
1570 {
1571 unsigned char request[BUFFER_SIZE];
1572 struct nlmsghdr *hdr, *out;
1573 struct xfrm_userspi_info *userspi;
1574 u_int32_t received_spi = 0;
1575 size_t len;
1576
1577 memset(&request, 0, sizeof(request));
1578
1579 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1580
1581 hdr = (struct nlmsghdr*)request;
1582 hdr->nlmsg_flags = NLM_F_REQUEST;
1583 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1584 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1585
1586 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1587 host2xfrm(src, &userspi->info.saddr);
1588 host2xfrm(dst, &userspi->info.id.daddr);
1589 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1590 userspi->info.mode = TRUE; /* tunnel mode */
1591 userspi->info.reqid = reqid;
1592 userspi->info.family = src->get_family(src);
1593 userspi->min = 0xc0000000;
1594 userspi->max = 0xcFFFFFFF;
1595
1596 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1597 {
1598 hdr = out;
1599 while (NLMSG_OK(hdr, len))
1600 {
1601 switch (hdr->nlmsg_type)
1602 {
1603 case XFRM_MSG_NEWSA:
1604 {
1605 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1606 received_spi = usersa->id.spi;
1607 break;
1608 }
1609 case NLMSG_ERROR:
1610 {
1611 struct nlmsgerr *err = NLMSG_DATA(hdr);
1612
1613 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1614 strerror(-err->error), -err->error);
1615 break;
1616 }
1617 default:
1618 hdr = NLMSG_NEXT(hdr, len);
1619 continue;
1620 case NLMSG_DONE:
1621 break;
1622 }
1623 break;
1624 }
1625 free(out);
1626 }
1627
1628 if (received_spi == 0)
1629 {
1630 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1631 return FAILED;
1632 }
1633
1634 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid);
1635
1636 *spi = received_spi;
1637 return SUCCESS;
1638 }
1639
1640 /**
1641 * Implementation of kernel_interface_t.add_sa.
1642 */
1643 static status_t add_sa(private_kernel_interface_t *this,
1644 host_t *src, host_t *dst, u_int32_t spi,
1645 protocol_id_t protocol, u_int32_t reqid,
1646 u_int64_t expire_soft, u_int64_t expire_hard,
1647 algorithm_t *enc_alg, algorithm_t *int_alg,
1648 prf_plus_t *prf_plus, mode_t mode, bool encap,
1649 bool replace)
1650 {
1651 unsigned char request[BUFFER_SIZE];
1652 char *alg_name;
1653 u_int key_size;
1654 struct nlmsghdr *hdr;
1655 struct xfrm_usersa_info *sa;
1656
1657 memset(&request, 0, sizeof(request));
1658
1659 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi);
1660
1661 hdr = (struct nlmsghdr*)request;
1662 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1663 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1664 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1665
1666 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1667 host2xfrm(src, &sa->saddr);
1668 host2xfrm(dst, &sa->id.daddr);
1669 sa->id.spi = spi;
1670 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1671 sa->family = src->get_family(src);
1672 sa->mode = mode;
1673 sa->replay_window = 32;
1674 sa->reqid = reqid;
1675 /* we currently do not expire SAs by volume/packet count */
1676 sa->lft.soft_byte_limit = XFRM_INF;
1677 sa->lft.hard_byte_limit = XFRM_INF;
1678 sa->lft.soft_packet_limit = XFRM_INF;
1679 sa->lft.hard_packet_limit = XFRM_INF;
1680 /* we use lifetimes since added, not since used */
1681 sa->lft.soft_add_expires_seconds = expire_soft;
1682 sa->lft.hard_add_expires_seconds = expire_hard;
1683 sa->lft.soft_use_expires_seconds = 0;
1684 sa->lft.hard_use_expires_seconds = 0;
1685
1686 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1687
1688 if (enc_alg->algorithm != ENCR_UNDEFINED)
1689 {
1690 rthdr->rta_type = XFRMA_ALG_CRYPT;
1691 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
1692 if (alg_name == NULL)
1693 {
1694 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1695 encryption_algorithm_names, enc_alg->algorithm);
1696 return FAILED;
1697 }
1698 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1699 encryption_algorithm_names, enc_alg->algorithm, key_size);
1700
1701 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1702 hdr->nlmsg_len += rthdr->rta_len;
1703 if (hdr->nlmsg_len > sizeof(request))
1704 {
1705 return FAILED;
1706 }
1707
1708 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1709 algo->alg_key_len = key_size;
1710 strcpy(algo->alg_name, alg_name);
1711 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1712
1713 rthdr = XFRM_RTA_NEXT(rthdr);
1714 }
1715
1716 if (int_alg->algorithm != AUTH_UNDEFINED)
1717 {
1718 rthdr->rta_type = XFRMA_ALG_AUTH;
1719 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
1720 if (alg_name == NULL)
1721 {
1722 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1723 integrity_algorithm_names, int_alg->algorithm);
1724 return FAILED;
1725 }
1726 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1727 integrity_algorithm_names, int_alg->algorithm, key_size);
1728
1729 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1730 hdr->nlmsg_len += rthdr->rta_len;
1731 if (hdr->nlmsg_len > sizeof(request))
1732 {
1733 return FAILED;
1734 }
1735
1736 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1737 algo->alg_key_len = key_size;
1738 strcpy(algo->alg_name, alg_name);
1739 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1740
1741 rthdr = XFRM_RTA_NEXT(rthdr);
1742 }
1743
1744 /* TODO: add IPComp here */
1745
1746 if (encap)
1747 {
1748 rthdr->rta_type = XFRMA_ENCAP;
1749 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1750
1751 hdr->nlmsg_len += rthdr->rta_len;
1752 if (hdr->nlmsg_len > sizeof(request))
1753 {
1754 return FAILED;
1755 }
1756
1757 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1758 encap->encap_type = UDP_ENCAP_ESPINUDP;
1759 encap->encap_sport = htons(src->get_port(src));
1760 encap->encap_dport = htons(dst->get_port(dst));
1761 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
1762 /* encap_oa could probably be derived from the
1763 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1764 * pluto does the same as we do here but it uses encap_oa in the
1765 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1766 * the kernel ignores it anyway
1767 * -> does that mean that NAT-T encap doesn't work in transport mode?
1768 * No. The reason the kernel ignores NAT-OA is that it recomputes
1769 * (or, rather, just ignores) the checksum. If packets pass
1770 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1771 rthdr = XFRM_RTA_NEXT(rthdr);
1772 }
1773
1774 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1775 {
1776 DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi);
1777 return FAILED;
1778 }
1779 return SUCCESS;
1780 }
1781
1782 /**
1783 * Implementation of kernel_interface_t.update_sa.
1784 */
1785 static status_t update_sa(private_kernel_interface_t *this,
1786 u_int32_t spi, protocol_id_t protocol,
1787 host_t *src, host_t *dst,
1788 host_t *new_src, host_t *new_dst)
1789 {
1790 unsigned char request[BUFFER_SIZE];
1791 struct nlmsghdr *hdr, *out = NULL;
1792 struct xfrm_usersa_id *sa_id;
1793 struct xfrm_usersa_info *sa = NULL;
1794 size_t len;
1795
1796 memset(&request, 0, sizeof(request));
1797
1798 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x for update", spi);
1799
1800 /* query the exisiting SA first */
1801 hdr = (struct nlmsghdr*)request;
1802 hdr->nlmsg_flags = NLM_F_REQUEST;
1803 hdr->nlmsg_type = XFRM_MSG_GETSA;
1804 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1805
1806 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1807 host2xfrm(dst, &sa_id->daddr);
1808 sa_id->spi = spi;
1809 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1810 sa_id->family = dst->get_family(dst);
1811
1812 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1813 {
1814 hdr = out;
1815 while (NLMSG_OK(hdr, len))
1816 {
1817 switch (hdr->nlmsg_type)
1818 {
1819 case XFRM_MSG_NEWSA:
1820 {
1821 sa = NLMSG_DATA(hdr);
1822 break;
1823 }
1824 case NLMSG_ERROR:
1825 {
1826 struct nlmsgerr *err = NLMSG_DATA(hdr);
1827 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1828 strerror(-err->error), -err->error);
1829 break;
1830 }
1831 default:
1832 hdr = NLMSG_NEXT(hdr, len);
1833 continue;
1834 case NLMSG_DONE:
1835 break;
1836 }
1837 break;
1838 }
1839 }
1840 if (sa == NULL ||
1841 this->public.del_sa(&this->public, dst, spi, protocol) != SUCCESS)
1842 {
1843 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
1844 free(out);
1845 return FAILED;
1846 }
1847
1848 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x from %#H..%#H to %#H..%#H",
1849 spi, src, dst, new_src, new_dst);
1850
1851 /* update the values in the queried SA */
1852 hdr = out;
1853 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1854 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1855
1856 if (!src->ip_equals(src, new_src))
1857 {
1858 host2xfrm(new_src, &sa->saddr);
1859 }
1860 if (!dst->ip_equals(dst, new_dst))
1861 {
1862 host2xfrm(new_dst, &sa->id.daddr);
1863 }
1864
1865 if (src->get_port(src) != new_src->get_port(new_src) ||
1866 dst->get_port(dst) != new_dst->get_port(new_dst))
1867 {
1868 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1869 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
1870 while (RTA_OK(rtattr, rtsize))
1871 {
1872 if (rtattr->rta_type == XFRMA_ENCAP)
1873 {
1874 struct xfrm_encap_tmpl* encap;
1875 encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
1876 encap->encap_sport = ntohs(new_src->get_port(new_src));
1877 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
1878 break;
1879 }
1880 rtattr = RTA_NEXT(rtattr, rtsize);
1881 }
1882 }
1883 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1884 {
1885 DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
1886 free(out);
1887 return FAILED;
1888 }
1889 free(out);
1890
1891 return SUCCESS;
1892 }
1893
1894 /**
1895 * Implementation of kernel_interface_t.query_sa.
1896 */
1897 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
1898 u_int32_t spi, protocol_id_t protocol,
1899 u_int32_t *use_time)
1900 {
1901 unsigned char request[BUFFER_SIZE];
1902 struct nlmsghdr *out = NULL, *hdr;
1903 struct xfrm_usersa_id *sa_id;
1904 struct xfrm_usersa_info *sa = NULL;
1905 size_t len;
1906
1907 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1908 memset(&request, 0, sizeof(request));
1909
1910 hdr = (struct nlmsghdr*)request;
1911 hdr->nlmsg_flags = NLM_F_REQUEST;
1912 hdr->nlmsg_type = XFRM_MSG_GETSA;
1913 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1914
1915 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1916 host2xfrm(dst, &sa_id->daddr);
1917 sa_id->spi = spi;
1918 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1919 sa_id->family = dst->get_family(dst);
1920
1921 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1922 {
1923 hdr = out;
1924 while (NLMSG_OK(hdr, len))
1925 {
1926 switch (hdr->nlmsg_type)
1927 {
1928 case XFRM_MSG_NEWSA:
1929 {
1930 sa = NLMSG_DATA(hdr);
1931 break;
1932 }
1933 case NLMSG_ERROR:
1934 {
1935 struct nlmsgerr *err = NLMSG_DATA(hdr);
1936 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1937 strerror(-err->error), -err->error);
1938 break;
1939 }
1940 default:
1941 hdr = NLMSG_NEXT(hdr, len);
1942 continue;
1943 case NLMSG_DONE:
1944 break;
1945 }
1946 break;
1947 }
1948 }
1949
1950 if (sa == NULL)
1951 {
1952 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
1953 free(out);
1954 return FAILED;
1955 }
1956
1957 *use_time = sa->curlft.use_time;
1958 free (out);
1959 return SUCCESS;
1960 }
1961
1962 /**
1963 * Implementation of kernel_interface_t.del_sa.
1964 */
1965 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
1966 u_int32_t spi, protocol_id_t protocol)
1967 {
1968 unsigned char request[BUFFER_SIZE];
1969 struct nlmsghdr *hdr;
1970 struct xfrm_usersa_id *sa_id;
1971
1972 memset(&request, 0, sizeof(request));
1973
1974 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
1975
1976 hdr = (struct nlmsghdr*)request;
1977 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1978 hdr->nlmsg_type = XFRM_MSG_DELSA;
1979 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1980
1981 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1982 host2xfrm(dst, &sa_id->daddr);
1983 sa_id->spi = spi;
1984 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1985 sa_id->family = dst->get_family(dst);
1986
1987 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1988 {
1989 DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
1990 return FAILED;
1991 }
1992 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
1993 return SUCCESS;
1994 }
1995
1996 /**
1997 * Implementation of kernel_interface_t.add_policy.
1998 */
1999 static status_t add_policy(private_kernel_interface_t *this,
2000 host_t *src, host_t *dst,
2001 traffic_selector_t *src_ts,
2002 traffic_selector_t *dst_ts,
2003 policy_dir_t direction, protocol_id_t protocol,
2004 u_int32_t reqid, bool high_prio, mode_t mode,
2005 bool update)
2006 {
2007 iterator_t *iterator;
2008 policy_entry_t *current, *policy;
2009 bool found = FALSE;
2010 unsigned char request[BUFFER_SIZE];
2011 struct xfrm_userpolicy_info *policy_info;
2012 struct nlmsghdr *hdr;
2013
2014 /* create a policy */
2015 policy = malloc_thing(policy_entry_t);
2016 memset(policy, 0, sizeof(policy_entry_t));
2017 policy->sel = ts2selector(src_ts, dst_ts);
2018 policy->direction = direction;
2019
2020 /* find the policy, which matches EXACTLY */
2021 pthread_mutex_lock(&this->mutex);
2022 iterator = this->policies->create_iterator(this->policies, TRUE);
2023 while (iterator->iterate(iterator, (void**)&current))
2024 {
2025 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
2026 policy->direction == current->direction)
2027 {
2028 /* use existing policy */
2029 if (!update)
2030 {
2031 current->refcount++;
2032 DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
2033 "refcount", src_ts, dst_ts);
2034 }
2035 free(policy);
2036 policy = current;
2037 found = TRUE;
2038 break;
2039 }
2040 }
2041 iterator->destroy(iterator);
2042 if (!found)
2043 { /* apply the new one, if we have no such policy */
2044 this->policies->insert_last(this->policies, policy);
2045 policy->refcount = 1;
2046 }
2047
2048 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
2049
2050 memset(&request, 0, sizeof(request));
2051 hdr = (struct nlmsghdr*)request;
2052 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2053 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2054 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2055
2056 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2057 policy_info->sel = policy->sel;
2058 policy_info->dir = policy->direction;
2059 /* calculate priority based on source selector size, small size = high prio */
2060 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2061 policy_info->priority -= policy->sel.prefixlen_s * 10;
2062 policy_info->priority -= policy->sel.proto ? 2 : 0;
2063 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2064 policy_info->action = XFRM_POLICY_ALLOW;
2065 policy_info->share = XFRM_SHARE_ANY;
2066 pthread_mutex_unlock(&this->mutex);
2067
2068 /* policies don't expire */
2069 policy_info->lft.soft_byte_limit = XFRM_INF;
2070 policy_info->lft.soft_packet_limit = XFRM_INF;
2071 policy_info->lft.hard_byte_limit = XFRM_INF;
2072 policy_info->lft.hard_packet_limit = XFRM_INF;
2073 policy_info->lft.soft_add_expires_seconds = 0;
2074 policy_info->lft.hard_add_expires_seconds = 0;
2075 policy_info->lft.soft_use_expires_seconds = 0;
2076 policy_info->lft.hard_use_expires_seconds = 0;
2077
2078 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2079 rthdr->rta_type = XFRMA_TMPL;
2080
2081 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
2082 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
2083
2084 hdr->nlmsg_len += rthdr->rta_len;
2085 if (hdr->nlmsg_len > sizeof(request))
2086 {
2087 return FAILED;
2088 }
2089
2090 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2091 tmpl->reqid = reqid;
2092 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
2093 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2094 tmpl->mode = mode;
2095 tmpl->family = src->get_family(src);
2096
2097 host2xfrm(src, &tmpl->saddr);
2098 host2xfrm(dst, &tmpl->id.daddr);
2099
2100 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2101 {
2102 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
2103 return FAILED;
2104 }
2105
2106 /* install a route, if:
2107 * - we are NOT updating a policy
2108 * - this is a forward policy (to just get one for each child)
2109 * - we are in tunnel mode
2110 * - we are not using IPv6 (does not work correctly yet!)
2111 */
2112 if (policy->route == NULL && direction == POLICY_FWD &&
2113 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6)
2114 {
2115 policy->route = malloc_thing(route_entry_t);
2116 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2117 {
2118 policy->route->gateway = dst->clone(dst);
2119 policy->route->if_index = get_interface_index(this, dst);
2120 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2121 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
2122 policy->route->prefixlen = policy->sel.prefixlen_s;
2123
2124 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
2125 policy->route) != SUCCESS)
2126 {
2127 DBG1(DBG_KNL, "unable to install source route for %H",
2128 policy->route->src_ip);
2129 route_entry_destroy(policy->route);
2130 policy->route = NULL;
2131 }
2132 }
2133 else
2134 {
2135 free(policy->route);
2136 policy->route = NULL;
2137 }
2138 }
2139
2140 return SUCCESS;
2141 }
2142
2143 /**
2144 * Implementation of kernel_interface_t.query_policy.
2145 */
2146 static status_t query_policy(private_kernel_interface_t *this,
2147 traffic_selector_t *src_ts,
2148 traffic_selector_t *dst_ts,
2149 policy_dir_t direction, u_int32_t *use_time)
2150 {
2151 unsigned char request[BUFFER_SIZE];
2152 struct nlmsghdr *out = NULL, *hdr;
2153 struct xfrm_userpolicy_id *policy_id;
2154 struct xfrm_userpolicy_info *policy = NULL;
2155 size_t len;
2156
2157 memset(&request, 0, sizeof(request));
2158
2159 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
2160
2161 hdr = (struct nlmsghdr*)request;
2162 hdr->nlmsg_flags = NLM_F_REQUEST;
2163 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2164 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2165
2166 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2167 policy_id->sel = ts2selector(src_ts, dst_ts);
2168 policy_id->dir = direction;
2169
2170 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2171 {
2172 hdr = out;
2173 while (NLMSG_OK(hdr, len))
2174 {
2175 switch (hdr->nlmsg_type)
2176 {
2177 case XFRM_MSG_NEWPOLICY:
2178 {
2179 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2180 break;
2181 }
2182 case NLMSG_ERROR:
2183 {
2184 struct nlmsgerr *err = NLMSG_DATA(hdr);
2185 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2186 strerror(-err->error), -err->error);
2187 break;
2188 }
2189 default:
2190 hdr = NLMSG_NEXT(hdr, len);
2191 continue;
2192 case NLMSG_DONE:
2193 break;
2194 }
2195 break;
2196 }
2197 }
2198
2199 if (policy == NULL)
2200 {
2201 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
2202 free(out);
2203 return FAILED;
2204 }
2205 *use_time = (time_t)policy->curlft.use_time;
2206
2207 free(out);
2208 return SUCCESS;
2209 }
2210
2211 /**
2212 * Implementation of kernel_interface_t.del_policy.
2213 */
2214 static status_t del_policy(private_kernel_interface_t *this,
2215 traffic_selector_t *src_ts,
2216 traffic_selector_t *dst_ts,
2217 policy_dir_t direction)
2218 {
2219 policy_entry_t *current, policy, *to_delete = NULL;
2220 route_entry_t *route;
2221 unsigned char request[BUFFER_SIZE];
2222 struct nlmsghdr *hdr;
2223 struct xfrm_userpolicy_id *policy_id;
2224 iterator_t *iterator;
2225
2226 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
2227
2228 /* create a policy */
2229 memset(&policy, 0, sizeof(policy_entry_t));
2230 policy.sel = ts2selector(src_ts, dst_ts);
2231 policy.direction = direction;
2232
2233 /* find the policy */
2234 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2235 while (iterator->iterate(iterator, (void**)&current))
2236 {
2237 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2238 policy.direction == current->direction)
2239 {
2240 to_delete = current;
2241 if (--to_delete->refcount > 0)
2242 {
2243 /* is used by more SAs, keep in kernel */
2244 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2245 iterator->destroy(iterator);
2246 return SUCCESS;
2247 }
2248 /* remove if last reference */
2249 iterator->remove(iterator);
2250 break;
2251 }
2252 }
2253 iterator->destroy(iterator);
2254 if (!to_delete)
2255 {
2256 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
2257 return NOT_FOUND;
2258 }
2259
2260 memset(&request, 0, sizeof(request));
2261
2262 hdr = (struct nlmsghdr*)request;
2263 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2264 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2265 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2266
2267 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2268 policy_id->sel = to_delete->sel;
2269 policy_id->dir = direction;
2270
2271 route = to_delete->route;
2272 free(to_delete);
2273
2274 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2275 {
2276 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
2277 return FAILED;
2278 }
2279
2280 if (route)
2281 {
2282 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2283 {
2284 DBG1(DBG_KNL, "error uninstalling route installed with "
2285 "policy %R===%R", src_ts, dst_ts);
2286 }
2287 route_entry_destroy(route);
2288 }
2289 return SUCCESS;
2290 }
2291
2292 /**
2293 * Implementation of kernel_interface_t.destroy.
2294 */
2295 static void destroy(private_kernel_interface_t *this)
2296 {
2297 this->job->cancel(this->job);
2298 close(this->socket_xfrm_events);
2299 close(this->socket_xfrm);
2300 close(this->socket_rt_events);
2301 close(this->socket_rt);
2302 this->policies->destroy(this->policies);
2303 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
2304 free(this);
2305 }
2306
2307 /*
2308 * Described in header.
2309 */
2310 kernel_interface_t *kernel_interface_create()
2311 {
2312 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2313 struct sockaddr_nl addr;
2314
2315 /* public functions */
2316 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2317 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,mode_t,bool,bool))add_sa;
2318 this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*))update_sa;
2319 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2320 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2321 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
2322 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2323 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2324 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2325 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2326 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
2327 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2328 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
2329 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2330
2331 /* private members */
2332 this->policies = linked_list_create();
2333 this->ifaces = linked_list_create();
2334 this->hiter = NULL;
2335 this->seq = 200;
2336 pthread_mutex_init(&this->mutex,NULL);
2337
2338 memset(&addr, 0, sizeof(addr));
2339 addr.nl_family = AF_NETLINK;
2340
2341 /* create and bind RT socket */
2342 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2343 if (this->socket_rt <= 0)
2344 {
2345 charon->kill(charon, "unable to create RT netlink socket");
2346 }
2347 addr.nl_groups = 0;
2348 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
2349 {
2350 charon->kill(charon, "unable to bind RT netlink socket");
2351 }
2352
2353 /* create and bind RT socket for events (address/interface/route changes) */
2354 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2355 if (this->socket_rt_events <= 0)
2356 {
2357 charon->kill(charon, "unable to create RT event socket");
2358 }
2359 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
2360 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
2361 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
2362 {
2363 charon->kill(charon, "unable to bind RT event socket");
2364 }
2365
2366 /* create and bind XFRM socket */
2367 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2368 if (this->socket_xfrm <= 0)
2369 {
2370 charon->kill(charon, "unable to create XFRM netlink socket");
2371 }
2372 addr.nl_groups = 0;
2373 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
2374 {
2375 charon->kill(charon, "unable to bind XFRM netlink socket");
2376 }
2377
2378 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2379 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2380 if (this->socket_xfrm_events <= 0)
2381 {
2382 charon->kill(charon, "unable to create XFRM event socket");
2383 }
2384 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
2385 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2386 {
2387 charon->kill(charon, "unable to bind XFRM event socket");
2388 }
2389
2390 this->job = callback_job_create((callback_job_cb_t)receive_events,
2391 this, NULL, NULL);
2392 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2393
2394 if (init_address_list(this) != SUCCESS)
2395 {
2396 charon->kill(charon, "unable to get interface list");
2397 }
2398
2399 return &this->public;
2400 }
2401
strongSwan - IPsec VPN