2 * @file kernel_interface.c
4 * @brief Implementation of kernel_interface_t.
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
17 * Based on xfrm code from pluto.
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
42 #include <sys/ioctl.h>
44 #include "kernel_interface.h"
47 #include <utils/linked_list.h>
48 #include <processing/jobs/delete_child_sa_job.h>
49 #include <processing/jobs/rekey_child_sa_job.h>
50 #include <processing/jobs/acquire_job.h>
51 #include <processing/jobs/callback_job.h>
52 #include <processing/jobs/roam_job.h>
54 /** kernel level protocol identifiers */
58 /** default priority of installed policies */
60 #define PRIO_HIGH 2000
62 #define BUFFER_SIZE 1024
65 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
66 * 'usual' netlink data x like 'struct xfrm_usersa_info'
68 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
70 * returns a pointer to the next rtattr following rta.
71 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
73 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
75 * returns the total size of attached rta data
76 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
78 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
80 typedef struct kernel_algorithm_t kernel_algorithm_t
;
83 * Mapping from the algorithms defined in IKEv2 to
84 * kernel level algorithm names and their key length
86 struct kernel_algorithm_t
{
88 * Identifier specified in IKEv2
93 * Name of the algorithm, as used as kernel identifier
98 * Key length in bits, if fixed size
102 #define END_OF_LIST -1
105 * Algorithms for encryption
107 kernel_algorithm_t encryption_algs
[] = {
108 /* {ENCR_DES_IV64, "***", 0}, */
109 {ENCR_DES
, "des", 64},
110 {ENCR_3DES
, "des3_ede", 192},
111 /* {ENCR_RC5, "***", 0}, */
112 /* {ENCR_IDEA, "***", 0}, */
113 {ENCR_CAST
, "cast128", 0},
114 {ENCR_BLOWFISH
, "blowfish", 0},
115 /* {ENCR_3IDEA, "***", 0}, */
116 /* {ENCR_DES_IV32, "***", 0}, */
117 {ENCR_NULL
, "cipher_null", 0},
118 {ENCR_AES_CBC
, "aes", 0},
119 /* {ENCR_AES_CTR, "***", 0}, */
120 {END_OF_LIST
, NULL
, 0},
124 * Algorithms for integrity protection
126 kernel_algorithm_t integrity_algs
[] = {
127 {AUTH_HMAC_MD5_96
, "md5", 128},
128 {AUTH_HMAC_SHA1_96
, "sha1", 160},
129 {AUTH_HMAC_SHA2_256_128
, "sha256", 256},
130 {AUTH_HMAC_SHA2_384_192
, "sha384", 384},
131 {AUTH_HMAC_SHA2_512_256
, "sha512", 512},
132 /* {AUTH_DES_MAC, "***", 0}, */
133 /* {AUTH_KPDK_MD5, "***", 0}, */
134 {AUTH_AES_XCBC_96
, "xcbc(aes)", 128},
135 {END_OF_LIST
, NULL
, 0},
139 * Look up a kernel algorithm name and its key size
141 char* lookup_algorithm(kernel_algorithm_t
*kernel_algo
,
142 algorithm_t
*ikev2_algo
, u_int
*key_size
)
144 while (kernel_algo
->ikev2_id
!= END_OF_LIST
)
146 if (ikev2_algo
->algorithm
== kernel_algo
->ikev2_id
)
148 /* match, evaluate key length */
149 if (ikev2_algo
->key_size
)
150 { /* variable length */
151 *key_size
= ikev2_algo
->key_size
;
155 *key_size
= kernel_algo
->key_size
;
157 return kernel_algo
->name
;
164 typedef struct route_entry_t route_entry_t
;
167 * installed routing entry
169 struct route_entry_t
{
171 /** Index of the interface the route is bound to */
174 /** Source ip of the route */
177 /** gateway for this route */
180 /** Destination net */
183 /** Destination net prefixlen */
188 * destroy an route_entry_t object
190 static void route_entry_destroy(route_entry_t
*this)
192 this->src_ip
->destroy(this->src_ip
);
193 this->gateway
->destroy(this->gateway
);
194 chunk_free(&this->dst_net
);
198 typedef struct policy_entry_t policy_entry_t
;
201 * installed kernel policy.
203 struct policy_entry_t
{
205 /** direction of this policy: in, out, forward */
208 /** reqid of the policy */
211 /** parameters of installed policy */
212 struct xfrm_selector sel
;
214 /** associated route installed for this policy */
215 route_entry_t
*route
;
217 /** by how many CHILD_SA's this policy is used */
221 typedef struct addr_entry_t addr_entry_t
;
224 * IP address in an inface_entry_t
226 struct addr_entry_t
{
228 /** The ip address */
231 /** virtual IP managed by us */
234 /** Number of times this IP is used, if virtual */
239 * destroy a addr_entry_t object
241 static void addr_entry_destroy(addr_entry_t
*this)
243 this->ip
->destroy(this->ip
);
247 typedef struct iface_entry_t iface_entry_t
;
250 * A network interface on this system, containing addr_entry_t's
252 struct iface_entry_t
{
254 /** interface index */
257 /** name of the interface */
258 char ifname
[IFNAMSIZ
];
260 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
263 /** list of addresses as host_t */
264 linked_list_t
*addrs
;
268 * destroy an interface entry
270 static void iface_entry_destroy(iface_entry_t
*this)
272 this->addrs
->destroy_function(this->addrs
, (void*)addr_entry_destroy
);
276 typedef struct private_kernel_interface_t private_kernel_interface_t
;
279 * Private variables and functions of kernel_interface class.
281 struct private_kernel_interface_t
{
283 * Public part of the kernel_interface_t object.
285 kernel_interface_t
public;
288 * mutex to lock access to the various lists
290 pthread_mutex_t mutex
;
293 * List of installed policies (policy_entry_t)
295 linked_list_t
*policies
;
298 * Cached list of interfaces and its adresses (iface_entry_t)
300 linked_list_t
*ifaces
;
303 * iterator used in hook()
308 * job receiving netlink events
313 * current sequence number for netlink request
318 * Netlink xfrm socket (IPsec)
323 * netlink xfrm socket to receive acquire and expire events
325 int socket_xfrm_events
;
328 * Netlink rt socket (routing)
333 * Netlink rt socket to receive address change events
335 int socket_rt_events
;
339 * convert a host_t to a struct xfrm_address
341 static void host2xfrm(host_t
*host
, xfrm_address_t
*xfrm
)
343 chunk_t chunk
= host
->get_address(host
);
344 memcpy(xfrm
, chunk
.ptr
, min(chunk
.len
, sizeof(xfrm_address_t
)));
348 * convert a traffic selector address range to subnet and its mask.
350 static void ts2subnet(traffic_selector_t
* ts
,
351 xfrm_address_t
*net
, u_int8_t
*mask
)
353 /* there is no way to do this cleanly, as the address range may
354 * be anything else but a subnet. We use from_addr as subnet
355 * and try to calculate a usable subnet mask.
360 size_t size
= (ts
->get_type(ts
) == TS_IPV4_ADDR_RANGE
) ?
4 : 16;
362 from
= ts
->get_from_address(ts
);
363 to
= ts
->get_to_address(ts
);
366 /* go trough all bits of the addresses, beginning in the front.
367 * as long as they are equal, the subnet gets larger
369 for (byte
= 0; byte
< size
; byte
++)
371 for (bit
= 7; bit
>= 0; bit
--)
373 if ((1<<bit
& from
.ptr
[byte
]) != (1<<bit
& to
.ptr
[byte
]))
375 *mask
= ((7 - bit
) + (byte
* 8));
385 memcpy(net
, from
.ptr
, from
.len
);
391 * convert a traffic selector port range to port/portmask
393 static void ts2ports(traffic_selector_t
* ts
,
394 u_int16_t
*port
, u_int16_t
*mask
)
396 /* linux does not seem to accept complex portmasks. Only
397 * any or a specific port is allowed. We set to any, if we have
398 * a port range, or to a specific, if we have one port only.
402 from
= ts
->get_from_port(ts
);
403 to
= ts
->get_to_port(ts
);
418 * convert a pair of traffic_selectors to a xfrm_selector
420 static struct xfrm_selector
ts2selector(traffic_selector_t
*src
,
421 traffic_selector_t
*dst
)
423 struct xfrm_selector sel
;
425 memset(&sel
, 0, sizeof(sel
));
426 sel
.family
= src
->get_type(src
) == TS_IPV4_ADDR_RANGE ? AF_INET
: AF_INET6
;
427 /* src or dest proto may be "any" (0), use more restrictive one */
428 sel
.proto
= max(src
->get_protocol(src
), dst
->get_protocol(dst
));
429 ts2subnet(dst
, &sel
.daddr
, &sel
.prefixlen_d
);
430 ts2subnet(src
, &sel
.saddr
, &sel
.prefixlen_s
);
431 ts2ports(dst
, &sel
.dport
, &sel
.dport_mask
);
432 ts2ports(src
, &sel
.sport
, &sel
.sport_mask
);
440 * Creates an rtattr and adds it to the netlink message
442 static void add_attribute(struct nlmsghdr
*hdr
, int rta_type
, chunk_t data
,
447 if (NLMSG_ALIGN(hdr
->nlmsg_len
) + RTA_ALIGN(data
.len
) > buflen
)
449 DBG1(DBG_KNL
, "unable to add attribute, buffer too small");
453 rta
= (struct rtattr
*)(((char*)hdr
) + NLMSG_ALIGN(hdr
->nlmsg_len
));
454 rta
->rta_type
= rta_type
;
455 rta
->rta_len
= RTA_LENGTH(data
.len
);
456 memcpy(RTA_DATA(rta
), data
.ptr
, data
.len
);
457 hdr
->nlmsg_len
= NLMSG_ALIGN(hdr
->nlmsg_len
) + rta
->rta_len
;
461 * process a XFRM_MSG_ACQUIRE from kernel
463 static void process_acquire(private_kernel_interface_t
*this, struct nlmsghdr
*hdr
)
467 struct rtattr
*rtattr
= XFRM_RTA(hdr
, struct xfrm_user_acquire
);
468 size_t rtsize
= XFRM_PAYLOAD(hdr
, struct xfrm_user_tmpl
);
470 if (RTA_OK(rtattr
, rtsize
))
472 if (rtattr
->rta_type
== XFRMA_TMPL
)
474 struct xfrm_user_tmpl
* tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rtattr
);
480 DBG1(DBG_KNL
, "received a XFRM_MSG_ACQUIRE, but no reqid found");
483 DBG2(DBG_KNL
, "received a XFRM_MSG_ACQUIRE");
484 DBG1(DBG_KNL
, "creating acquire job for CHILD_SA with reqid %d", reqid
);
485 job
= (job_t
*)acquire_job_create(reqid
);
486 charon
->processor
->queue_job(charon
->processor
, job
);
490 * process a XFRM_MSG_EXPIRE from kernel
492 static void process_expire(private_kernel_interface_t
*this, struct nlmsghdr
*hdr
)
495 protocol_id_t protocol
;
496 u_int32_t spi
, reqid
;
497 struct xfrm_user_expire
*expire
;
499 expire
= (struct xfrm_user_expire
*)NLMSG_DATA(hdr
);
500 protocol
= expire
->state
.id
.proto
== KERNEL_ESP ? PROTO_ESP
: PROTO_AH
;
501 spi
= expire
->state
.id
.spi
;
502 reqid
= expire
->state
.reqid
;
504 DBG2(DBG_KNL
, "received a XFRM_MSG_EXPIRE");
505 DBG1(DBG_KNL
, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
506 expire
->hard ?
"delete" : "rekey", protocol_id_names
,
507 protocol
, ntohl(spi
), reqid
);
510 job
= (job_t
*)delete_child_sa_job_create(reqid
, protocol
, spi
);
514 job
= (job_t
*)rekey_child_sa_job_create(reqid
, protocol
, spi
);
516 charon
->processor
->queue_job(charon
->processor
, job
);
520 * process RTM_NEWLINK/RTM_DELLINK from kernel
522 static void process_link(private_kernel_interface_t
*this,
523 struct nlmsghdr
*hdr
, bool event
)
525 struct ifinfomsg
* msg
= (struct ifinfomsg
*)(NLMSG_DATA(hdr
));
526 struct rtattr
*rta
= IFLA_RTA(msg
);
527 size_t rtasize
= IFLA_PAYLOAD (hdr
);
528 iterator_t
*iterator
;
529 iface_entry_t
*current
, *entry
= NULL
;
533 while(RTA_OK(rta
, rtasize
))
535 switch (rta
->rta_type
)
538 name
= RTA_DATA(rta
);
541 rta
= RTA_NEXT(rta
, rtasize
);
548 switch (hdr
->nlmsg_type
)
552 if (msg
->ifi_flags
& IFF_LOOPBACK
)
553 { /* ignore loopback interfaces */
556 iterator
= this->ifaces
->create_iterator_locked(this->ifaces
,
558 while (iterator
->iterate(iterator
, (void**)¤t
))
560 if (current
->ifindex
== msg
->ifi_index
)
568 entry
= malloc_thing(iface_entry_t
);
569 entry
->ifindex
= msg
->ifi_index
;
571 entry
->addrs
= linked_list_create();
572 this->ifaces
->insert_last(this->ifaces
, entry
);
574 memcpy(entry
->ifname
, name
, IFNAMSIZ
);
575 entry
->ifname
[IFNAMSIZ
-1] = '\0';
578 if (!(entry
->flags
& IFF_UP
) && (msg
->ifi_flags
& IFF_UP
))
581 DBG1(DBG_KNL
, "interface %s activated", name
);
583 if ((entry
->flags
& IFF_UP
) && !(msg
->ifi_flags
& IFF_UP
))
586 DBG1(DBG_KNL
, "interface %s deactivated", name
);
589 entry
->flags
= msg
->ifi_flags
;
590 iterator
->destroy(iterator
);
595 iterator
= this->ifaces
->create_iterator_locked(this->ifaces
,
597 while (iterator
->iterate(iterator
, (void**)¤t
))
599 if (current
->ifindex
== msg
->ifi_index
)
601 /* we do not remove it, as an address may be added to a
602 * "down" interface and we wan't to know that. */
603 current
->flags
= msg
->ifi_flags
;
607 iterator
->destroy(iterator
);
612 /* send an update to all IKE_SAs */
615 charon
->processor
->queue_job(charon
->processor
, (job_t
*)roam_job_create());
620 * process RTM_NEWADDR/RTM_DELADDR from kernel
622 static void process_addr(private_kernel_interface_t
*this,
623 struct nlmsghdr
*hdr
, bool event
)
625 struct ifaddrmsg
* msg
= (struct ifaddrmsg
*)(NLMSG_DATA(hdr
));
626 struct rtattr
*rta
= IFA_RTA(msg
);
627 size_t rtasize
= IFA_PAYLOAD (hdr
);
629 iterator_t
*ifaces
, *addrs
;
630 iface_entry_t
*iface
;
632 chunk_t local
= chunk_empty
, address
= chunk_empty
;
633 bool update
= FALSE
, found
= FALSE
;
635 while(RTA_OK(rta
, rtasize
))
637 switch (rta
->rta_type
)
640 local
.ptr
= RTA_DATA(rta
);
641 local
.len
= RTA_PAYLOAD(rta
);
644 address
.ptr
= RTA_DATA(rta
);
645 address
.len
= RTA_PAYLOAD(rta
);
648 rta
= RTA_NEXT(rta
, rtasize
);
651 /* For PPP interfaces, we need the IFA_LOCAL address,
652 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
653 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
656 host
= host_create_from_chunk(msg
->ifa_family
, local
, 0);
658 else if (address
.ptr
)
660 host
= host_create_from_chunk(msg
->ifa_family
, address
, 0);
668 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
669 while (ifaces
->iterate(ifaces
, (void**)&iface
))
671 if (iface
->ifindex
== msg
->ifa_index
)
673 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
674 while (addrs
->iterate(addrs
, (void**)&addr
))
676 if (host
->ip_equals(host
, addr
->ip
))
679 if (hdr
->nlmsg_type
== RTM_DELADDR
)
681 addrs
->remove(addrs
);
682 addr_entry_destroy(addr
);
683 DBG1(DBG_KNL
, "%H disappeared from %s", host
, iface
->ifname
);
687 addrs
->destroy(addrs
);
689 if (hdr
->nlmsg_type
== RTM_NEWADDR
)
694 addr
= malloc_thing(addr_entry_t
);
695 addr
->ip
= host
->clone(host
);
696 addr
->virtual = FALSE
;
699 iface
->addrs
->insert_last(iface
->addrs
, addr
);
702 DBG1(DBG_KNL
, "%H appeared on %s", host
, iface
->ifname
);
706 if (found
&& (iface
->flags
& IFF_UP
))
713 ifaces
->destroy(ifaces
);
716 /* send an update to all IKE_SAs */
719 charon
->processor
->queue_job(charon
->processor
, (job_t
*)roam_job_create());
724 * Receives events from kernel
726 static job_requeue_t
receive_events(private_kernel_interface_t
*this)
729 struct nlmsghdr
*hdr
= (struct nlmsghdr
*)response
;
730 struct sockaddr_nl addr
;
731 socklen_t addr_len
= sizeof(addr
);
732 int len
, oldstate
, maxfd
, selected
;
736 FD_SET(this->socket_xfrm_events
, &rfds
);
737 FD_SET(this->socket_rt_events
, &rfds
);
738 maxfd
= max(this->socket_xfrm_events
, this->socket_rt_events
);
740 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE
, &oldstate
);
741 selected
= select(maxfd
+ 1, &rfds
, NULL
, NULL
, NULL
);
742 pthread_setcancelstate(oldstate
, NULL
);
745 DBG1(DBG_KNL
, "selecting on sockets failed: %s", strerror(errno
));
746 return JOB_REQUEUE_FAIR
;
748 if (FD_ISSET(this->socket_xfrm_events
, &rfds
))
750 selected
= this->socket_xfrm_events
;
752 else if (FD_ISSET(this->socket_rt_events
, &rfds
))
754 selected
= this->socket_rt_events
;
758 return JOB_REQUEUE_DIRECT
;
761 len
= recvfrom(selected
, response
, sizeof(response
), MSG_DONTWAIT
,
762 (struct sockaddr
*)&addr
, &addr_len
);
768 /* interrupted, try again */
769 return JOB_REQUEUE_DIRECT
;
771 /* no data ready, select again */
772 return JOB_REQUEUE_DIRECT
;
774 DBG1(DBG_KNL
, "unable to receive from xfrm event socket");
776 return JOB_REQUEUE_FAIR
;
779 if (addr
.nl_pid
!= 0)
780 { /* not from kernel. not interested, try another one */
781 return JOB_REQUEUE_DIRECT
;
784 while (NLMSG_OK(hdr
, len
))
786 /* looks good so far, dispatch netlink message */
787 if (selected
== this->socket_xfrm_events
)
789 switch (hdr
->nlmsg_type
)
791 case XFRM_MSG_ACQUIRE
:
792 process_acquire(this, hdr
);
794 case XFRM_MSG_EXPIRE
:
795 process_expire(this, hdr
);
801 else if (selected
== this->socket_rt_events
)
803 switch (hdr
->nlmsg_type
)
807 process_addr(this, hdr
, TRUE
);
811 process_link(this, hdr
, TRUE
);
815 charon
->processor
->queue_job(charon
->processor
,
816 (job_t
*)roam_job_create());
822 hdr
= NLMSG_NEXT(hdr
, len
);
824 return JOB_REQUEUE_DIRECT
;
828 * send a netlink message and wait for a reply
830 static status_t
netlink_send(private_kernel_interface_t
*this,
831 int socket
, struct nlmsghdr
*in
,
832 struct nlmsghdr
**out
, size_t *out_len
)
835 struct sockaddr_nl addr
;
836 chunk_t result
= chunk_empty
, tmp
;
837 struct nlmsghdr
*msg
, peek
;
839 pthread_mutex_lock(&this->mutex
);
841 in
->nlmsg_seq
= ++this->seq
;
842 in
->nlmsg_pid
= getpid();
844 memset(&addr
, 0, sizeof(addr
));
845 addr
.nl_family
= AF_NETLINK
;
851 len
= sendto(socket
, in
, in
->nlmsg_len
, 0,
852 (struct sockaddr
*)&addr
, sizeof(addr
));
854 if (len
!= in
->nlmsg_len
)
858 /* interrupted, try again */
861 pthread_mutex_unlock(&this->mutex
);
862 DBG1(DBG_KNL
, "error sending to netlink socket: %s", strerror(errno
));
871 tmp
.len
= sizeof(buf
);
873 msg
= (struct nlmsghdr
*)tmp
.ptr
;
875 memset(&addr
, 0, sizeof(addr
));
876 addr
.nl_family
= AF_NETLINK
;
877 addr
.nl_pid
= getpid();
879 addr_len
= sizeof(addr
);
881 len
= recvfrom(socket
, tmp
.ptr
, tmp
.len
, 0,
882 (struct sockaddr
*)&addr
, &addr_len
);
888 DBG1(DBG_KNL
, "got interrupted");
889 /* interrupted, try again */
892 DBG1(DBG_KNL
, "error reading from netlink socket: %s", strerror(errno
));
893 pthread_mutex_unlock(&this->mutex
);
896 if (!NLMSG_OK(msg
, len
))
898 DBG1(DBG_KNL
, "received corrupted netlink message");
899 pthread_mutex_unlock(&this->mutex
);
902 if (msg
->nlmsg_seq
!= this->seq
)
904 DBG1(DBG_KNL
, "received invalid netlink sequence number");
905 if (msg
->nlmsg_seq
< this->seq
)
909 pthread_mutex_unlock(&this->mutex
);
914 result
= chunk_cata("cc", result
, tmp
);
916 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
917 * numbers to detect multi header messages */
918 len
= recvfrom(socket
, &peek
, sizeof(peek
), MSG_PEEK
| MSG_DONTWAIT
,
919 (struct sockaddr
*)&addr
, &addr_len
);
921 if (len
== sizeof(peek
) && peek
.nlmsg_seq
== this->seq
)
923 /* seems to be multipart */
929 *out_len
= result
.len
;
930 *out
= (struct nlmsghdr
*)clalloc(result
.ptr
, result
.len
);
932 pthread_mutex_unlock(&this->mutex
);
938 * send a netlink message and wait for its acknowlegde
940 static status_t
netlink_send_ack(private_kernel_interface_t
*this,
941 int socket
, struct nlmsghdr
*in
)
943 struct nlmsghdr
*out
, *hdr
;
946 if (netlink_send(this, socket
, in
, &out
, &len
) != SUCCESS
)
951 while (NLMSG_OK(hdr
, len
))
953 switch (hdr
->nlmsg_type
)
957 struct nlmsgerr
* err
= (struct nlmsgerr
*)NLMSG_DATA(hdr
);
961 DBG1(DBG_KNL
, "received netlink error: %s (%d)",
962 strerror(-err
->error
), -err
->error
);
970 hdr
= NLMSG_NEXT(hdr
, len
);
977 DBG1(DBG_KNL
, "netlink request not acknowlegded");
983 * Initialize a list of local addresses.
985 static status_t
init_address_list(private_kernel_interface_t
*this)
987 char request
[BUFFER_SIZE
];
988 struct nlmsghdr
*out
, *current
, *in
;
989 struct rtgenmsg
*msg
;
991 iterator_t
*ifaces
, *addrs
;
992 iface_entry_t
*iface
;
995 DBG1(DBG_KNL
, "listening on interfaces:");
997 memset(&request
, 0, sizeof(request
));
999 in
= (struct nlmsghdr
*)&request
;
1000 in
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct rtgenmsg
));
1001 in
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_MATCH
| NLM_F_ROOT
;
1002 msg
= (struct rtgenmsg
*)NLMSG_DATA(in
);
1003 msg
->rtgen_family
= AF_UNSPEC
;
1006 in
->nlmsg_type
= RTM_GETLINK
;
1007 if (netlink_send(this, this->socket_rt
, in
, &out
, &len
) != SUCCESS
)
1012 while (NLMSG_OK(current
, len
))
1014 switch (current
->nlmsg_type
)
1019 process_link(this, current
, FALSE
);
1022 current
= NLMSG_NEXT(current
, len
);
1029 /* get all interface addresses */
1030 in
->nlmsg_type
= RTM_GETADDR
;
1031 if (netlink_send(this, this->socket_rt
, in
, &out
, &len
) != SUCCESS
)
1036 while (NLMSG_OK(current
, len
))
1038 switch (current
->nlmsg_type
)
1043 process_addr(this, current
, FALSE
);
1046 current
= NLMSG_NEXT(current
, len
);
1053 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1054 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1056 if (iface
->flags
& IFF_UP
)
1058 DBG1(DBG_KNL
, " %s", iface
->ifname
);
1059 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1060 while (addrs
->iterate(addrs
, (void**)&addr
))
1062 DBG1(DBG_KNL
, " %H", addr
->ip
);
1064 addrs
->destroy(addrs
);
1067 ifaces
->destroy(ifaces
);
1072 * iterator hook to iterate over addrs
1074 static hook_result_t
addr_hook(private_kernel_interface_t
*this,
1075 addr_entry_t
*in
, host_t
**out
)
1078 { /* skip virtual interfaces added by us */
1086 * iterator hook to iterate over ifaces
1088 static hook_result_t
iface_hook(private_kernel_interface_t
*this,
1089 iface_entry_t
*in
, host_t
**out
)
1091 if (!(in
->flags
& IFF_UP
))
1092 { /* skip interfaces not up */
1096 if (this->hiter
== NULL
)
1098 this->hiter
= in
->addrs
->create_iterator(in
->addrs
, TRUE
);
1099 this->hiter
->set_iterator_hook(this->hiter
,
1100 (iterator_hook_t
*)addr_hook
, this);
1102 while (this->hiter
->iterate(this->hiter
, (void**)out
))
1106 this->hiter
->destroy(this->hiter
);
1112 * Implements kernel_interface_t.create_address_iterator.
1114 static iterator_t
*create_address_iterator(private_kernel_interface_t
*this)
1116 iterator_t
*iterator
;
1118 /* This iterator is not only hooked, is is double-hooked. As we have stored
1119 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
1120 * entries in each interface we iterate. This does the iface_hook. The
1121 * addr_hook returns the ip instead of the addr_entry. */
1123 iterator
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1124 iterator
->set_iterator_hook(iterator
, (iterator_hook_t
*)iface_hook
, this);
1129 * implementation of kernel_interface_t.get_interface_name
1131 static char *get_interface_name(private_kernel_interface_t
*this, host_t
* ip
)
1133 iterator_t
*ifaces
, *addrs
;
1134 iface_entry_t
*iface
;
1138 DBG2(DBG_KNL
, "getting interface name for %H", ip
);
1140 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1141 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1143 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1144 while (addrs
->iterate(addrs
, (void**)&addr
))
1146 if (ip
->ip_equals(ip
, addr
->ip
))
1148 name
= strdup(iface
->ifname
);
1152 addrs
->destroy(addrs
);
1158 ifaces
->destroy(ifaces
);
1162 DBG2(DBG_KNL
, "%H is on interface %s", ip
, name
);
1166 DBG2(DBG_KNL
, "%H is not a local address", ip
);
1172 * Tries to find an ip address of a local interface that is included in the
1173 * supplied traffic selector.
1175 static status_t
get_address_by_ts(private_kernel_interface_t
*this,
1176 traffic_selector_t
*ts
, host_t
**ip
)
1178 iterator_t
*ifaces
, *addrs
;
1179 iface_entry_t
*iface
;
1185 DBG2(DBG_KNL
, "getting a local address in traffic selector %R", ts
);
1187 /* if we have a family which includes localhost, we do not
1188 * search for an IP, we use the default */
1189 family
= ts
->get_type(ts
) == TS_IPV4_ADDR_RANGE ? AF_INET
: AF_INET6
;
1191 if (family
== AF_INET
)
1193 host
= host_create_from_string("127.0.0.1", 0);
1197 host
= host_create_from_string("::1", 0);
1200 if (ts
->includes(ts
, host
))
1202 *ip
= host_create_any(family
);
1203 host
->destroy(host
);
1204 DBG2(DBG_KNL
, "using host %H", *ip
);
1207 host
->destroy(host
);
1209 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1210 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1212 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1213 while (addrs
->iterate(addrs
, (void**)&addr
))
1215 if (ts
->includes(ts
, addr
->ip
))
1218 *ip
= addr
->ip
->clone(addr
->ip
);
1222 addrs
->destroy(addrs
);
1228 ifaces
->destroy(ifaces
);
1232 DBG1(DBG_KNL
, "no local address found in traffic selector %R", ts
);
1235 DBG2(DBG_KNL
, "using host %H", *ip
);
1240 * get the interface of a local address
1242 static int get_interface_index(private_kernel_interface_t
*this, host_t
* ip
)
1244 iterator_t
*ifaces
, *addrs
;
1245 iface_entry_t
*iface
;
1249 DBG2(DBG_KNL
, "getting iface for %H", ip
);
1251 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1252 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1254 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1255 while (addrs
->iterate(addrs
, (void**)&addr
))
1257 if (ip
->ip_equals(ip
, addr
->ip
))
1259 ifindex
= iface
->ifindex
;
1263 addrs
->destroy(addrs
);
1269 ifaces
->destroy(ifaces
);
1273 DBG1(DBG_KNL
, "unable to get interface for %H", ip
);
1279 * Manages the creation and deletion of ip addresses on an interface.
1280 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1282 static status_t
manage_ipaddr(private_kernel_interface_t
*this, int nlmsg_type
,
1283 int flags
, int if_index
, host_t
*ip
)
1285 unsigned char request
[BUFFER_SIZE
];
1286 struct nlmsghdr
*hdr
;
1287 struct ifaddrmsg
*msg
;
1290 memset(&request
, 0, sizeof(request
));
1292 chunk
= ip
->get_address(ip
);
1294 hdr
= (struct nlmsghdr
*)request
;
1295 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
| flags
;
1296 hdr
->nlmsg_type
= nlmsg_type
;
1297 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct ifaddrmsg
));
1299 msg
= (struct ifaddrmsg
*)NLMSG_DATA(hdr
);
1300 msg
->ifa_family
= ip
->get_family(ip
);
1302 msg
->ifa_prefixlen
= 8 * chunk
.len
;
1303 msg
->ifa_scope
= RT_SCOPE_UNIVERSE
;
1304 msg
->ifa_index
= if_index
;
1306 add_attribute(hdr
, IFA_LOCAL
, chunk
, sizeof(request
));
1308 return netlink_send_ack(this, this->socket_rt
, hdr
);
1312 * Manages source routes in the routing table.
1313 * By setting the appropriate nlmsg_type, the route added or r.
1315 static status_t
manage_srcroute(private_kernel_interface_t
*this, int nlmsg_type
,
1316 int flags
, route_entry_t
*route
)
1318 unsigned char request
[BUFFER_SIZE
];
1319 struct nlmsghdr
*hdr
;
1323 /* if route is 0.0.0.0/0, we can't install it, as it would
1324 * overwrite the default route. Instead, we add two routes:
1325 * 0.0.0.0/1 and 128.0.0.0/1
1326 * TODO: use metrics instead */
1327 if (route
->prefixlen
== 0)
1332 half
.dst_net
= chunk_alloca(route
->dst_net
.len
);
1333 memset(half
.dst_net
.ptr
, 0, half
.dst_net
.len
);
1334 half
.src_ip
= route
->src_ip
;
1335 half
.gateway
= route
->gateway
;
1336 half
.if_index
= route
->if_index
;
1339 status
= manage_srcroute(this, nlmsg_type
, flags
, &half
);
1340 half
.dst_net
.ptr
[0] |= 0x80;
1341 status
= manage_srcroute(this, nlmsg_type
, flags
, &half
);
1345 memset(&request
, 0, sizeof(request
));
1347 hdr
= (struct nlmsghdr
*)request
;
1348 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
| flags
;
1349 hdr
->nlmsg_type
= nlmsg_type
;
1350 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct rtmsg
));
1352 msg
= (struct rtmsg
*)NLMSG_DATA(hdr
);
1353 msg
->rtm_family
= route
->src_ip
->get_family(route
->src_ip
);
1354 msg
->rtm_dst_len
= route
->prefixlen
;
1355 msg
->rtm_table
= RT_TABLE_MAIN
;
1356 msg
->rtm_protocol
= RTPROT_STATIC
;
1357 msg
->rtm_type
= RTN_UNICAST
;
1358 msg
->rtm_scope
= RT_SCOPE_UNIVERSE
;
1360 add_attribute(hdr
, RTA_DST
, route
->dst_net
, sizeof(request
));
1361 chunk
= route
->src_ip
->get_address(route
->src_ip
);
1362 add_attribute(hdr
, RTA_PREFSRC
, chunk
, sizeof(request
));
1363 chunk
= route
->gateway
->get_address(route
->gateway
);
1364 add_attribute(hdr
, RTA_GATEWAY
, chunk
, sizeof(request
));
1365 chunk
.ptr
= (char*)&route
->if_index
;
1366 chunk
.len
= sizeof(route
->if_index
);
1367 add_attribute(hdr
, RTA_OIF
, chunk
, sizeof(request
));
1369 return netlink_send_ack(this, this->socket_rt
, hdr
);
1373 * Implementation of kernel_interface_t.get_source_addr.
1375 static host_t
* get_source_addr(private_kernel_interface_t
*this, host_t
*dest
)
1377 unsigned char request
[BUFFER_SIZE
];
1378 struct nlmsghdr
*hdr
, *out
, *current
;
1382 host_t
*source
= NULL
;
1384 DBG2(DBG_KNL
, "getting source address to reach %H", dest
);
1386 memset(&request
, 0, sizeof(request
));
1388 hdr
= (struct nlmsghdr
*)request
;
1389 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1390 hdr
->nlmsg_type
= RTM_GETROUTE
;
1391 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct rtmsg
));
1393 msg
= (struct rtmsg
*)NLMSG_DATA(hdr
);
1394 msg
->rtm_family
= dest
->get_family(dest
);
1395 msg
->rtm_dst_len
= msg
->rtm_family
== AF_INET ?
32 : 128;
1396 msg
->rtm_table
= RT_TABLE_MAIN
;
1397 msg
->rtm_protocol
= RTPROT_STATIC
;
1398 msg
->rtm_type
= RTN_UNICAST
;
1399 msg
->rtm_scope
= RT_SCOPE_UNIVERSE
;
1401 chunk
= dest
->get_address(dest
);
1402 add_attribute(hdr
, RTA_DST
, chunk
, sizeof(request
));
1404 if (netlink_send(this, this->socket_rt
, hdr
, &out
, &len
) != SUCCESS
)
1406 DBG1(DBG_KNL
, "getting source address to %H failed", dest
);
1410 while (NLMSG_OK(current
, len
))
1412 switch (current
->nlmsg_type
)
1421 msg
= (struct rtmsg
*)(NLMSG_DATA(current
));
1423 rtasize
= RTM_PAYLOAD(current
);
1424 while(RTA_OK(rta
, rtasize
))
1426 switch (rta
->rta_type
)
1429 chunk
.ptr
= RTA_DATA(rta
);
1430 chunk
.len
= RTA_PAYLOAD(rta
);
1431 source
= host_create_from_chunk(msg
->rtm_family
,
1435 rta
= RTA_NEXT(rta
, rtasize
);
1440 current
= NLMSG_NEXT(current
, len
);
1448 DBG2(DBG_KNL
, "no route found to %H", dest
);
1454 * Implementation of kernel_interface_t.add_ip.
1456 static status_t
add_ip(private_kernel_interface_t
*this,
1457 host_t
*virtual_ip
, host_t
*iface_ip
)
1459 iface_entry_t
*iface
;
1461 iterator_t
*addrs
, *ifaces
;
1463 DBG2(DBG_KNL
, "adding virtual IP %H", virtual_ip
);
1465 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1466 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1468 bool iface_found
= FALSE
;
1470 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1471 while (addrs
->iterate(addrs
, (void**)&addr
))
1473 if (iface_ip
->ip_equals(iface_ip
, addr
->ip
))
1477 else if (virtual_ip
->ip_equals(virtual_ip
, addr
->ip
))
1480 DBG2(DBG_KNL
, "virtual IP %H already installed on %s",
1481 virtual_ip
, iface
->ifname
);
1482 addrs
->destroy(addrs
);
1483 ifaces
->destroy(ifaces
);
1487 addrs
->destroy(addrs
);
1491 int ifindex
= iface
->ifindex
;
1492 ifaces
->destroy(ifaces
);
1493 if (manage_ipaddr(this, RTM_NEWADDR
, NLM_F_CREATE
| NLM_F_EXCL
,
1494 ifindex
, virtual_ip
) == SUCCESS
)
1496 addr
= malloc_thing(addr_entry_t
);
1497 addr
->ip
= virtual_ip
->clone(virtual_ip
);
1499 addr
->virtual = TRUE
;
1500 pthread_mutex_lock(&this->mutex
);
1501 iface
->addrs
->insert_last(iface
->addrs
, addr
);
1502 pthread_mutex_unlock(&this->mutex
);
1505 DBG2(DBG_KNL
, "adding virtual IP %H failed", virtual_ip
);
1511 ifaces
->destroy(ifaces
);
1513 DBG2(DBG_KNL
, "interface address %H not found, unable to install"
1514 "virtual IP %H", iface_ip
, virtual_ip
);
1519 * Implementation of kernel_interface_t.del_ip.
1521 static status_t
del_ip(private_kernel_interface_t
*this, host_t
*virtual_ip
)
1523 iface_entry_t
*iface
;
1525 iterator_t
*addrs
, *ifaces
;
1527 DBG2(DBG_KNL
, "deleting virtual IP %H", virtual_ip
);
1529 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1530 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1532 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1533 while (addrs
->iterate(addrs
, (void**)&addr
))
1535 if (virtual_ip
->ip_equals(virtual_ip
, addr
->ip
))
1537 int ifindex
= iface
->ifindex
;
1539 if (addr
->refcount
== 0)
1541 addrs
->remove(addrs
);
1542 addrs
->destroy(addrs
);
1543 ifaces
->destroy(ifaces
);
1544 addr_entry_destroy(addr
);
1545 return manage_ipaddr(this, RTM_DELADDR
, 0,
1546 ifindex
, virtual_ip
);
1548 DBG2(DBG_KNL
, "virtual IP %H used by other SAs, not deleting",
1550 addrs
->destroy(addrs
);
1551 ifaces
->destroy(ifaces
);
1555 addrs
->destroy(addrs
);
1557 ifaces
->destroy(ifaces
);
1559 DBG2(DBG_KNL
, "virtual IP %H not cached, unable to delete", virtual_ip
);
1564 * Implementation of kernel_interface_t.get_spi.
1566 static status_t
get_spi(private_kernel_interface_t
*this,
1567 host_t
*src
, host_t
*dst
,
1568 protocol_id_t protocol
, u_int32_t reqid
,
1571 unsigned char request
[BUFFER_SIZE
];
1572 struct nlmsghdr
*hdr
, *out
;
1573 struct xfrm_userspi_info
*userspi
;
1574 u_int32_t received_spi
= 0;
1577 memset(&request
, 0, sizeof(request
));
1579 DBG2(DBG_KNL
, "getting SPI for reqid %d", reqid
);
1581 hdr
= (struct nlmsghdr
*)request
;
1582 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1583 hdr
->nlmsg_type
= XFRM_MSG_ALLOCSPI
;
1584 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userspi_info
));
1586 userspi
= (struct xfrm_userspi_info
*)NLMSG_DATA(hdr
);
1587 host2xfrm(src
, &userspi
->info
.saddr
);
1588 host2xfrm(dst
, &userspi
->info
.id
.daddr
);
1589 userspi
->info
.id
.proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1590 userspi
->info
.mode
= TRUE
; /* tunnel mode */
1591 userspi
->info
.reqid
= reqid
;
1592 userspi
->info
.family
= src
->get_family(src
);
1593 userspi
->min
= 0xc0000000;
1594 userspi
->max
= 0xcFFFFFFF;
1596 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1599 while (NLMSG_OK(hdr
, len
))
1601 switch (hdr
->nlmsg_type
)
1603 case XFRM_MSG_NEWSA
:
1605 struct xfrm_usersa_info
* usersa
= NLMSG_DATA(hdr
);
1606 received_spi
= usersa
->id
.spi
;
1611 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1613 DBG1(DBG_KNL
, "allocating SPI failed: %s (%d)",
1614 strerror(-err
->error
), -err
->error
);
1618 hdr
= NLMSG_NEXT(hdr
, len
);
1628 if (received_spi
== 0)
1630 DBG1(DBG_KNL
, "unable to get SPI for reqid %d", reqid
);
1634 DBG2(DBG_KNL
, "got SPI 0x%x for reqid %d", received_spi
, reqid
);
1636 *spi
= received_spi
;
1641 * Implementation of kernel_interface_t.add_sa.
1643 static status_t
add_sa(private_kernel_interface_t
*this,
1644 host_t
*src
, host_t
*dst
, u_int32_t spi
,
1645 protocol_id_t protocol
, u_int32_t reqid
,
1646 u_int64_t expire_soft
, u_int64_t expire_hard
,
1647 algorithm_t
*enc_alg
, algorithm_t
*int_alg
,
1648 prf_plus_t
*prf_plus
, mode_t mode
, bool encap
,
1651 unsigned char request
[BUFFER_SIZE
];
1654 struct nlmsghdr
*hdr
;
1655 struct xfrm_usersa_info
*sa
;
1657 memset(&request
, 0, sizeof(request
));
1659 DBG2(DBG_KNL
, "adding SAD entry with SPI 0x%x", spi
);
1661 hdr
= (struct nlmsghdr
*)request
;
1662 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1663 hdr
->nlmsg_type
= replace ? XFRM_MSG_UPDSA
: XFRM_MSG_NEWSA
;
1664 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1666 sa
= (struct xfrm_usersa_info
*)NLMSG_DATA(hdr
);
1667 host2xfrm(src
, &sa
->saddr
);
1668 host2xfrm(dst
, &sa
->id
.daddr
);
1670 sa
->id
.proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1671 sa
->family
= src
->get_family(src
);
1673 sa
->replay_window
= 32;
1675 /* we currently do not expire SAs by volume/packet count */
1676 sa
->lft
.soft_byte_limit
= XFRM_INF
;
1677 sa
->lft
.hard_byte_limit
= XFRM_INF
;
1678 sa
->lft
.soft_packet_limit
= XFRM_INF
;
1679 sa
->lft
.hard_packet_limit
= XFRM_INF
;
1680 /* we use lifetimes since added, not since used */
1681 sa
->lft
.soft_add_expires_seconds
= expire_soft
;
1682 sa
->lft
.hard_add_expires_seconds
= expire_hard
;
1683 sa
->lft
.soft_use_expires_seconds
= 0;
1684 sa
->lft
.hard_use_expires_seconds
= 0;
1686 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_usersa_info
);
1688 if (enc_alg
->algorithm
!= ENCR_UNDEFINED
)
1690 rthdr
->rta_type
= XFRMA_ALG_CRYPT
;
1691 alg_name
= lookup_algorithm(encryption_algs
, enc_alg
, &key_size
);
1692 if (alg_name
== NULL
)
1694 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1695 encryption_algorithm_names
, enc_alg
->algorithm
);
1698 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1699 encryption_algorithm_names
, enc_alg
->algorithm
, key_size
);
1701 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + key_size
);
1702 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1703 if (hdr
->nlmsg_len
> sizeof(request
))
1708 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1709 algo
->alg_key_len
= key_size
;
1710 strcpy(algo
->alg_name
, alg_name
);
1711 prf_plus
->get_bytes(prf_plus
, key_size
/ 8, algo
->alg_key
);
1713 rthdr
= XFRM_RTA_NEXT(rthdr
);
1716 if (int_alg
->algorithm
!= AUTH_UNDEFINED
)
1718 rthdr
->rta_type
= XFRMA_ALG_AUTH
;
1719 alg_name
= lookup_algorithm(integrity_algs
, int_alg
, &key_size
);
1720 if (alg_name
== NULL
)
1722 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1723 integrity_algorithm_names
, int_alg
->algorithm
);
1726 DBG2(DBG_KNL
, " using integrity algorithm %N with key size %d",
1727 integrity_algorithm_names
, int_alg
->algorithm
, key_size
);
1729 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + key_size
);
1730 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1731 if (hdr
->nlmsg_len
> sizeof(request
))
1736 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1737 algo
->alg_key_len
= key_size
;
1738 strcpy(algo
->alg_name
, alg_name
);
1739 prf_plus
->get_bytes(prf_plus
, key_size
/ 8, algo
->alg_key
);
1741 rthdr
= XFRM_RTA_NEXT(rthdr
);
1744 /* TODO: add IPComp here */
1748 rthdr
->rta_type
= XFRMA_ENCAP
;
1749 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_encap_tmpl
));
1751 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1752 if (hdr
->nlmsg_len
> sizeof(request
))
1757 struct xfrm_encap_tmpl
* encap
= (struct xfrm_encap_tmpl
*)RTA_DATA(rthdr
);
1758 encap
->encap_type
= UDP_ENCAP_ESPINUDP
;
1759 encap
->encap_sport
= htons(src
->get_port(src
));
1760 encap
->encap_dport
= htons(dst
->get_port(dst
));
1761 memset(&encap
->encap_oa
, 0, sizeof (xfrm_address_t
));
1762 /* encap_oa could probably be derived from the
1763 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1764 * pluto does the same as we do here but it uses encap_oa in the
1765 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1766 * the kernel ignores it anyway
1767 * -> does that mean that NAT-T encap doesn't work in transport mode?
1768 * No. The reason the kernel ignores NAT-OA is that it recomputes
1769 * (or, rather, just ignores) the checksum. If packets pass
1770 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1771 rthdr
= XFRM_RTA_NEXT(rthdr
);
1774 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
1776 DBG1(DBG_KNL
, "unalbe to add SAD entry with SPI 0x%x", spi
);
1783 * Implementation of kernel_interface_t.update_sa.
1785 static status_t
update_sa(private_kernel_interface_t
*this,
1786 u_int32_t spi
, protocol_id_t protocol
,
1787 host_t
*src
, host_t
*dst
,
1788 host_t
*new_src
, host_t
*new_dst
)
1790 unsigned char request
[BUFFER_SIZE
];
1791 struct nlmsghdr
*hdr
, *out
= NULL
;
1792 struct xfrm_usersa_id
*sa_id
;
1793 struct xfrm_usersa_info
*sa
= NULL
;
1796 memset(&request
, 0, sizeof(request
));
1798 DBG2(DBG_KNL
, "querying SAD entry with SPI 0x%x for update", spi
);
1800 /* query the exisiting SA first */
1801 hdr
= (struct nlmsghdr
*)request
;
1802 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1803 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1804 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1806 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1807 host2xfrm(dst
, &sa_id
->daddr
);
1809 sa_id
->proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1810 sa_id
->family
= dst
->get_family(dst
);
1812 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1815 while (NLMSG_OK(hdr
, len
))
1817 switch (hdr
->nlmsg_type
)
1819 case XFRM_MSG_NEWSA
:
1821 sa
= NLMSG_DATA(hdr
);
1826 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1827 DBG1(DBG_KNL
, "querying SAD entry failed: %s (%d)",
1828 strerror(-err
->error
), -err
->error
);
1832 hdr
= NLMSG_NEXT(hdr
, len
);
1841 this->public.del_sa(&this->public, dst
, spi
, protocol
) != SUCCESS
)
1843 DBG1(DBG_KNL
, "unable to update SAD entry with SPI 0x%x", spi
);
1848 DBG2(DBG_KNL
, "updating SAD entry with SPI 0x%x from %#H..%#H to %#H..%#H",
1849 spi
, src
, dst
, new_src
, new_dst
);
1851 /* update the values in the queried SA */
1853 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1854 hdr
->nlmsg_type
= XFRM_MSG_NEWSA
;
1856 if (!src
->ip_equals(src
, new_src
))
1858 host2xfrm(new_src
, &sa
->saddr
);
1860 if (!dst
->ip_equals(dst
, new_dst
))
1862 host2xfrm(new_dst
, &sa
->id
.daddr
);
1865 if (src
->get_port(src
) != new_src
->get_port(new_src
) ||
1866 dst
->get_port(dst
) != new_dst
->get_port(new_dst
))
1868 struct rtattr
*rtattr
= XFRM_RTA(hdr
, struct xfrm_usersa_info
);
1869 size_t rtsize
= XFRM_PAYLOAD(hdr
, struct xfrm_usersa_info
);
1870 while (RTA_OK(rtattr
, rtsize
))
1872 if (rtattr
->rta_type
== XFRMA_ENCAP
)
1874 struct xfrm_encap_tmpl
* encap
;
1875 encap
= (struct xfrm_encap_tmpl
*)RTA_DATA(rtattr
);
1876 encap
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1877 encap
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1880 rtattr
= RTA_NEXT(rtattr
, rtsize
);
1883 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
1885 DBG1(DBG_KNL
, "unalbe to update SAD entry with SPI 0x%x", spi
);
1895 * Implementation of kernel_interface_t.query_sa.
1897 static status_t
query_sa(private_kernel_interface_t
*this, host_t
*dst
,
1898 u_int32_t spi
, protocol_id_t protocol
,
1899 u_int32_t
*use_time
)
1901 unsigned char request
[BUFFER_SIZE
];
1902 struct nlmsghdr
*out
= NULL
, *hdr
;
1903 struct xfrm_usersa_id
*sa_id
;
1904 struct xfrm_usersa_info
*sa
= NULL
;
1907 DBG2(DBG_KNL
, "querying SAD entry with SPI 0x%x", spi
);
1908 memset(&request
, 0, sizeof(request
));
1910 hdr
= (struct nlmsghdr
*)request
;
1911 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1912 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1913 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1915 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1916 host2xfrm(dst
, &sa_id
->daddr
);
1918 sa_id
->proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1919 sa_id
->family
= dst
->get_family(dst
);
1921 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1924 while (NLMSG_OK(hdr
, len
))
1926 switch (hdr
->nlmsg_type
)
1928 case XFRM_MSG_NEWSA
:
1930 sa
= NLMSG_DATA(hdr
);
1935 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1936 DBG1(DBG_KNL
, "querying SAD entry failed: %s (%d)",
1937 strerror(-err
->error
), -err
->error
);
1941 hdr
= NLMSG_NEXT(hdr
, len
);
1952 DBG1(DBG_KNL
, "unable to query SAD entry with SPI 0x%x", spi
);
1957 *use_time
= sa
->curlft
.use_time
;
1963 * Implementation of kernel_interface_t.del_sa.
1965 static status_t
del_sa(private_kernel_interface_t
*this, host_t
*dst
,
1966 u_int32_t spi
, protocol_id_t protocol
)
1968 unsigned char request
[BUFFER_SIZE
];
1969 struct nlmsghdr
*hdr
;
1970 struct xfrm_usersa_id
*sa_id
;
1972 memset(&request
, 0, sizeof(request
));
1974 DBG2(DBG_KNL
, "deleting SAD entry with SPI 0x%x", spi
);
1976 hdr
= (struct nlmsghdr
*)request
;
1977 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1978 hdr
->nlmsg_type
= XFRM_MSG_DELSA
;
1979 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1981 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1982 host2xfrm(dst
, &sa_id
->daddr
);
1984 sa_id
->proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1985 sa_id
->family
= dst
->get_family(dst
);
1987 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
1989 DBG1(DBG_KNL
, "unalbe to delete SAD entry with SPI 0x%x", spi
);
1992 DBG2(DBG_KNL
, "deleted SAD entry with SPI 0x%x", spi
);
1997 * Implementation of kernel_interface_t.add_policy.
1999 static status_t
add_policy(private_kernel_interface_t
*this,
2000 host_t
*src
, host_t
*dst
,
2001 traffic_selector_t
*src_ts
,
2002 traffic_selector_t
*dst_ts
,
2003 policy_dir_t direction
, protocol_id_t protocol
,
2004 u_int32_t reqid
, bool high_prio
, mode_t mode
,
2007 iterator_t
*iterator
;
2008 policy_entry_t
*current
, *policy
;
2010 unsigned char request
[BUFFER_SIZE
];
2011 struct xfrm_userpolicy_info
*policy_info
;
2012 struct nlmsghdr
*hdr
;
2014 /* create a policy */
2015 policy
= malloc_thing(policy_entry_t
);
2016 memset(policy
, 0, sizeof(policy_entry_t
));
2017 policy
->sel
= ts2selector(src_ts
, dst_ts
);
2018 policy
->direction
= direction
;
2020 /* find the policy, which matches EXACTLY */
2021 pthread_mutex_lock(&this->mutex
);
2022 iterator
= this->policies
->create_iterator(this->policies
, TRUE
);
2023 while (iterator
->iterate(iterator
, (void**)¤t
))
2025 if (memcmp(¤t
->sel
, &policy
->sel
, sizeof(struct xfrm_selector
)) == 0 &&
2026 policy
->direction
== current
->direction
)
2028 /* use existing policy */
2031 current
->refcount
++;
2032 DBG2(DBG_KNL
, "policy %R===%R already exists, increasing ",
2033 "refcount", src_ts
, dst_ts
);
2041 iterator
->destroy(iterator
);
2043 { /* apply the new one, if we have no such policy */
2044 this->policies
->insert_last(this->policies
, policy
);
2045 policy
->refcount
= 1;
2048 DBG2(DBG_KNL
, "adding policy %R===%R", src_ts
, dst_ts
);
2050 memset(&request
, 0, sizeof(request
));
2051 hdr
= (struct nlmsghdr
*)request
;
2052 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
2053 hdr
->nlmsg_type
= XFRM_MSG_UPDPOLICY
;
2054 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info
));
2056 policy_info
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
2057 policy_info
->sel
= policy
->sel
;
2058 policy_info
->dir
= policy
->direction
;
2059 /* calculate priority based on source selector size, small size = high prio */
2060 policy_info
->priority
= high_prio ? PRIO_HIGH
: PRIO_LOW
;
2061 policy_info
->priority
-= policy
->sel
.prefixlen_s
* 10;
2062 policy_info
->priority
-= policy
->sel
.proto ?
2 : 0;
2063 policy_info
->priority
-= policy
->sel
.sport_mask ?
1 : 0;
2064 policy_info
->action
= XFRM_POLICY_ALLOW
;
2065 policy_info
->share
= XFRM_SHARE_ANY
;
2066 pthread_mutex_unlock(&this->mutex
);
2068 /* policies don't expire */
2069 policy_info
->lft
.soft_byte_limit
= XFRM_INF
;
2070 policy_info
->lft
.soft_packet_limit
= XFRM_INF
;
2071 policy_info
->lft
.hard_byte_limit
= XFRM_INF
;
2072 policy_info
->lft
.hard_packet_limit
= XFRM_INF
;
2073 policy_info
->lft
.soft_add_expires_seconds
= 0;
2074 policy_info
->lft
.hard_add_expires_seconds
= 0;
2075 policy_info
->lft
.soft_use_expires_seconds
= 0;
2076 policy_info
->lft
.hard_use_expires_seconds
= 0;
2078 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_userpolicy_info
);
2079 rthdr
->rta_type
= XFRMA_TMPL
;
2081 rthdr
->rta_len
= sizeof(struct xfrm_user_tmpl
);
2082 rthdr
->rta_len
= RTA_LENGTH(rthdr
->rta_len
);
2084 hdr
->nlmsg_len
+= rthdr
->rta_len
;
2085 if (hdr
->nlmsg_len
> sizeof(request
))
2090 struct xfrm_user_tmpl
*tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rthdr
);
2091 tmpl
->reqid
= reqid
;
2092 tmpl
->id
.proto
= (protocol
== PROTO_AH
) ? KERNEL_AH
: KERNEL_ESP
;
2093 tmpl
->aalgos
= tmpl
->ealgos
= tmpl
->calgos
= ~0;
2095 tmpl
->family
= src
->get_family(src
);
2097 host2xfrm(src
, &tmpl
->saddr
);
2098 host2xfrm(dst
, &tmpl
->id
.daddr
);
2100 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
2102 DBG1(DBG_KNL
, "unable to add policy %R===%R", src_ts
, dst_ts
);
2106 /* install a route, if:
2107 * - we are NOT updating a policy
2108 * - this is a forward policy (to just get one for each child)
2109 * - we are in tunnel mode
2110 * - we are not using IPv6 (does not work correctly yet!)
2112 if (policy
->route
== NULL
&& direction
== POLICY_FWD
&&
2113 mode
!= MODE_TRANSPORT
&& src
->get_family(src
) != AF_INET6
)
2115 policy
->route
= malloc_thing(route_entry_t
);
2116 if (get_address_by_ts(this, dst_ts
, &policy
->route
->src_ip
) == SUCCESS
)
2118 policy
->route
->gateway
= dst
->clone(dst
);
2119 policy
->route
->if_index
= get_interface_index(this, dst
);
2120 policy
->route
->dst_net
= chunk_alloc(policy
->sel
.family
== AF_INET ?
4 : 16);
2121 memcpy(policy
->route
->dst_net
.ptr
, &policy
->sel
.saddr
, policy
->route
->dst_net
.len
);
2122 policy
->route
->prefixlen
= policy
->sel
.prefixlen_s
;
2124 if (manage_srcroute(this, RTM_NEWROUTE
, NLM_F_CREATE
| NLM_F_EXCL
,
2125 policy
->route
) != SUCCESS
)
2127 DBG1(DBG_KNL
, "unable to install source route for %H",
2128 policy
->route
->src_ip
);
2129 route_entry_destroy(policy
->route
);
2130 policy
->route
= NULL
;
2135 free(policy
->route
);
2136 policy
->route
= NULL
;
2144 * Implementation of kernel_interface_t.query_policy.
2146 static status_t
query_policy(private_kernel_interface_t
*this,
2147 traffic_selector_t
*src_ts
,
2148 traffic_selector_t
*dst_ts
,
2149 policy_dir_t direction
, u_int32_t
*use_time
)
2151 unsigned char request
[BUFFER_SIZE
];
2152 struct nlmsghdr
*out
= NULL
, *hdr
;
2153 struct xfrm_userpolicy_id
*policy_id
;
2154 struct xfrm_userpolicy_info
*policy
= NULL
;
2157 memset(&request
, 0, sizeof(request
));
2159 DBG2(DBG_KNL
, "querying policy %R===%R", src_ts
, dst_ts
);
2161 hdr
= (struct nlmsghdr
*)request
;
2162 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
2163 hdr
->nlmsg_type
= XFRM_MSG_GETPOLICY
;
2164 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
2166 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
2167 policy_id
->sel
= ts2selector(src_ts
, dst_ts
);
2168 policy_id
->dir
= direction
;
2170 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
2173 while (NLMSG_OK(hdr
, len
))
2175 switch (hdr
->nlmsg_type
)
2177 case XFRM_MSG_NEWPOLICY
:
2179 policy
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
2184 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
2185 DBG1(DBG_KNL
, "querying policy failed: %s (%d)",
2186 strerror(-err
->error
), -err
->error
);
2190 hdr
= NLMSG_NEXT(hdr
, len
);
2201 DBG2(DBG_KNL
, "unable to query policy %R===%R", src_ts
, dst_ts
);
2205 *use_time
= (time_t)policy
->curlft
.use_time
;
2212 * Implementation of kernel_interface_t.del_policy.
2214 static status_t
del_policy(private_kernel_interface_t
*this,
2215 traffic_selector_t
*src_ts
,
2216 traffic_selector_t
*dst_ts
,
2217 policy_dir_t direction
)
2219 policy_entry_t
*current
, policy
, *to_delete
= NULL
;
2220 route_entry_t
*route
;
2221 unsigned char request
[BUFFER_SIZE
];
2222 struct nlmsghdr
*hdr
;
2223 struct xfrm_userpolicy_id
*policy_id
;
2224 iterator_t
*iterator
;
2226 DBG2(DBG_KNL
, "deleting policy %R===%R", src_ts
, dst_ts
);
2228 /* create a policy */
2229 memset(&policy
, 0, sizeof(policy_entry_t
));
2230 policy
.sel
= ts2selector(src_ts
, dst_ts
);
2231 policy
.direction
= direction
;
2233 /* find the policy */
2234 iterator
= this->policies
->create_iterator_locked(this->policies
, &this->mutex
);
2235 while (iterator
->iterate(iterator
, (void**)¤t
))
2237 if (memcmp(¤t
->sel
, &policy
.sel
, sizeof(struct xfrm_selector
)) == 0 &&
2238 policy
.direction
== current
->direction
)
2240 to_delete
= current
;
2241 if (--to_delete
->refcount
> 0)
2243 /* is used by more SAs, keep in kernel */
2244 DBG2(DBG_KNL
, "policy still used by another CHILD_SA, not removed");
2245 iterator
->destroy(iterator
);
2248 /* remove if last reference */
2249 iterator
->remove(iterator
);
2253 iterator
->destroy(iterator
);
2256 DBG1(DBG_KNL
, "deleting policy %R===%R failed, not found", src_ts
, dst_ts
);
2260 memset(&request
, 0, sizeof(request
));
2262 hdr
= (struct nlmsghdr
*)request
;
2263 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
2264 hdr
->nlmsg_type
= XFRM_MSG_DELPOLICY
;
2265 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
2267 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
2268 policy_id
->sel
= to_delete
->sel
;
2269 policy_id
->dir
= direction
;
2271 route
= to_delete
->route
;
2274 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
2276 DBG1(DBG_KNL
, "unable to delete policy %R===%R", src_ts
, dst_ts
);
2282 if (manage_srcroute(this, RTM_DELROUTE
, 0, route
) != SUCCESS
)
2284 DBG1(DBG_KNL
, "error uninstalling route installed with "
2285 "policy %R===%R", src_ts
, dst_ts
);
2287 route_entry_destroy(route
);
2293 * Implementation of kernel_interface_t.destroy.
2295 static void destroy(private_kernel_interface_t
*this)
2297 this->job
->cancel(this->job
);
2298 close(this->socket_xfrm_events
);
2299 close(this->socket_xfrm
);
2300 close(this->socket_rt_events
);
2301 close(this->socket_rt
);
2302 this->policies
->destroy(this->policies
);
2303 this->ifaces
->destroy_function(this->ifaces
, (void*)iface_entry_destroy
);
2308 * Described in header.
2310 kernel_interface_t
*kernel_interface_create()
2312 private_kernel_interface_t
*this = malloc_thing(private_kernel_interface_t
);
2313 struct sockaddr_nl addr
;
2315 /* public functions */
2316 this->public.get_spi
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*,protocol_id_t
,u_int32_t
,u_int32_t
*))get_spi
;
2317 this->public.add_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*,u_int32_t
,protocol_id_t
,u_int32_t
,u_int64_t
,u_int64_t
,algorithm_t
*,algorithm_t
*,prf_plus_t
*,mode_t
,bool,bool))add_sa
;
2318 this->public.update_sa
= (status_t(*)(kernel_interface_t
*,u_int32_t
,protocol_id_t
,host_t
*,host_t
*,host_t
*,host_t
*))update_sa
;
2319 this->public.query_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,u_int32_t
,protocol_id_t
,u_int32_t
*))query_sa
;
2320 this->public.del_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,u_int32_t
,protocol_id_t
))del_sa
;
2321 this->public.add_policy
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,protocol_id_t
,u_int32_t
,bool,mode_t
,bool))add_policy
;
2322 this->public.query_policy
= (status_t(*)(kernel_interface_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,u_int32_t
*))query_policy
;
2323 this->public.del_policy
= (status_t(*)(kernel_interface_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
))del_policy
;
2324 this->public.get_interface
= (char*(*)(kernel_interface_t
*,host_t
*))get_interface_name
;
2325 this->public.create_address_iterator
= (iterator_t
*(*)(kernel_interface_t
*))create_address_iterator
;
2326 this->public.get_source_addr
= (host_t
*(*)(kernel_interface_t
*, host_t
*dest
))get_source_addr
;
2327 this->public.add_ip
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*)) add_ip
;
2328 this->public.del_ip
= (status_t(*)(kernel_interface_t
*,host_t
*)) del_ip
;
2329 this->public.destroy
= (void(*)(kernel_interface_t
*)) destroy
;
2331 /* private members */
2332 this->policies
= linked_list_create();
2333 this->ifaces
= linked_list_create();
2336 pthread_mutex_init(&this->mutex
,NULL
);
2338 memset(&addr
, 0, sizeof(addr
));
2339 addr
.nl_family
= AF_NETLINK
;
2341 /* create and bind RT socket */
2342 this->socket_rt
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_ROUTE
);
2343 if (this->socket_rt
<= 0)
2345 charon
->kill(charon
, "unable to create RT netlink socket");
2348 if (bind(this->socket_rt
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2350 charon
->kill(charon
, "unable to bind RT netlink socket");
2353 /* create and bind RT socket for events (address/interface/route changes) */
2354 this->socket_rt_events
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_ROUTE
);
2355 if (this->socket_rt_events
<= 0)
2357 charon
->kill(charon
, "unable to create RT event socket");
2359 addr
.nl_groups
= RTMGRP_IPV4_IFADDR
| RTMGRP_IPV6_IFADDR
|
2360 RTMGRP_IPV4_ROUTE
| RTMGRP_IPV4_ROUTE
| RTMGRP_LINK
;
2361 if (bind(this->socket_rt_events
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2363 charon
->kill(charon
, "unable to bind RT event socket");
2366 /* create and bind XFRM socket */
2367 this->socket_xfrm
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_XFRM
);
2368 if (this->socket_xfrm
<= 0)
2370 charon
->kill(charon
, "unable to create XFRM netlink socket");
2373 if (bind(this->socket_xfrm
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2375 charon
->kill(charon
, "unable to bind XFRM netlink socket");
2378 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2379 this->socket_xfrm_events
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_XFRM
);
2380 if (this->socket_xfrm_events
<= 0)
2382 charon
->kill(charon
, "unable to create XFRM event socket");
2384 addr
.nl_groups
= XFRMGRP_ACQUIRE
| XFRMGRP_EXPIRE
;
2385 if (bind(this->socket_xfrm_events
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2387 charon
->kill(charon
, "unable to bind XFRM event socket");
2390 this->job
= callback_job_create((callback_job_cb_t
)receive_events
,
2392 charon
->processor
->queue_job(charon
->processor
, (job_t
*)this->job
);
2394 if (init_address_list(this) != SUCCESS
)
2396 charon
->kill(charon
, "unable to get interface list");
2399 return &this->public;