projects / strongswan.git / blob
? search:


90b148638b9e65e9e136481e00c7f8ca84f858e6
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Based on xfrm code from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <sys/time.h>
33 #include <linux/netlink.h>
34 #include <linux/rtnetlink.h>
35 #include <linux/xfrm.h>
36 #include <linux/udp.h>
37 #define __USE_UNIX98
38 #include <pthread.h>
39 #include <unistd.h>
40 #include <fcntl.h>
41 #include <errno.h>
42 #include <string.h>
43 #include <net/if.h>
44 #include <sys/ioctl.h>
45
46 #include "kernel_interface.h"
47
48 #include <daemon.h>
49 #include <utils/linked_list.h>
50 #include <processing/jobs/delete_child_sa_job.h>
51 #include <processing/jobs/rekey_child_sa_job.h>
52 #include <processing/jobs/acquire_job.h>
53 #include <processing/jobs/callback_job.h>
54 #include <processing/jobs/roam_job.h>
55
56 /** routing table for routes installed by us */
57 #ifndef IPSEC_ROUTING_TABLE
58 #define IPSEC_ROUTING_TABLE 100
59 #endif
60 #ifndef IPSEC_ROUTING_TABLE_PRIO
61 #define IPSEC_ROUTING_TABLE_PRIO 100
62 #endif
63
64 /** kernel level protocol identifiers */
65 #define KERNEL_ESP 50
66 #define KERNEL_AH 51
67
68 /** default priority of installed policies */
69 #define PRIO_LOW 3000
70 #define PRIO_HIGH 2000
71
72 /** delay before firing roam jobs (ms) */
73 #define ROAM_DELAY 100
74
75 #define BUFFER_SIZE 1024
76
77 /**
78 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
79 * 'usual' netlink data x like 'struct xfrm_usersa_info'
80 */
81 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
82 /**
83 * returns a pointer to the next rtattr following rta.
84 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
85 */
86 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
87 /**
88 * returns the total size of attached rta data
89 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
90 */
91 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
92
93 typedef struct kernel_algorithm_t kernel_algorithm_t;
94
95 /**
96 * Mapping from the algorithms defined in IKEv2 to
97 * kernel level algorithm names and their key length
98 */
99 struct kernel_algorithm_t {
100 /**
101 * Identifier specified in IKEv2
102 */
103 int ikev2_id;
104
105 /**
106 * Name of the algorithm, as used as kernel identifier
107 */
108 char *name;
109
110 /**
111 * Key length in bits, if fixed size
112 */
113 u_int key_size;
114 };
115 #define END_OF_LIST -1
116
117 /**
118 * Algorithms for encryption
119 */
120 kernel_algorithm_t encryption_algs[] = {
121 /* {ENCR_DES_IV64, "***", 0}, */
122 {ENCR_DES, "des", 64},
123 {ENCR_3DES, "des3_ede", 192},
124 /* {ENCR_RC5, "***", 0}, */
125 /* {ENCR_IDEA, "***", 0}, */
126 {ENCR_CAST, "cast128", 0},
127 {ENCR_BLOWFISH, "blowfish", 0},
128 /* {ENCR_3IDEA, "***", 0}, */
129 /* {ENCR_DES_IV32, "***", 0}, */
130 {ENCR_NULL, "cipher_null", 0},
131 {ENCR_AES_CBC, "aes", 0},
132 /* {ENCR_AES_CTR, "***", 0}, */
133 {END_OF_LIST, NULL, 0},
134 };
135
136 /**
137 * Algorithms for integrity protection
138 */
139 kernel_algorithm_t integrity_algs[] = {
140 {AUTH_HMAC_MD5_96, "md5", 128},
141 {AUTH_HMAC_SHA1_96, "sha1", 160},
142 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
143 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
144 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
145 /* {AUTH_DES_MAC, "***", 0}, */
146 /* {AUTH_KPDK_MD5, "***", 0}, */
147 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
148 {END_OF_LIST, NULL, 0},
149 };
150
151 /**
152 * Look up a kernel algorithm name and its key size
153 */
154 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
155 algorithm_t *ikev2_algo, u_int *key_size)
156 {
157 while (kernel_algo->ikev2_id != END_OF_LIST)
158 {
159 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
160 {
161 /* match, evaluate key length */
162 if (ikev2_algo->key_size)
163 { /* variable length */
164 *key_size = ikev2_algo->key_size;
165 }
166 else
167 { /* fixed length */
168 *key_size = kernel_algo->key_size;
169 }
170 return kernel_algo->name;
171 }
172 kernel_algo++;
173 }
174 return NULL;
175 }
176
177 typedef struct route_entry_t route_entry_t;
178
179 /**
180 * installed routing entry
181 */
182 struct route_entry_t {
183
184 /** Index of the interface the route is bound to */
185 int if_index;
186
187 /** Source ip of the route */
188 host_t *src_ip;
189
190 /** gateway for this route */
191 host_t *gateway;
192
193 /** Destination net */
194 chunk_t dst_net;
195
196 /** Destination net prefixlen */
197 u_int8_t prefixlen;
198 };
199
200 /**
201 * destroy an route_entry_t object
202 */
203 static void route_entry_destroy(route_entry_t *this)
204 {
205 this->src_ip->destroy(this->src_ip);
206 this->gateway->destroy(this->gateway);
207 chunk_free(&this->dst_net);
208 free(this);
209 }
210
211 typedef struct policy_entry_t policy_entry_t;
212
213 /**
214 * installed kernel policy.
215 */
216 struct policy_entry_t {
217
218 /** direction of this policy: in, out, forward */
219 u_int8_t direction;
220
221 /** reqid of the policy */
222 u_int32_t reqid;
223
224 /** parameters of installed policy */
225 struct xfrm_selector sel;
226
227 /** associated route installed for this policy */
228 route_entry_t *route;
229
230 /** by how many CHILD_SA's this policy is used */
231 u_int refcount;
232 };
233
234 typedef struct addr_entry_t addr_entry_t;
235
236 /**
237 * IP address in an inface_entry_t
238 */
239 struct addr_entry_t {
240
241 /** The ip address */
242 host_t *ip;
243
244 /** virtual IP managed by us */
245 bool virtual;
246
247 /** scope of the address */
248 u_char scope;
249
250 /** Number of times this IP is used, if virtual */
251 u_int refcount;
252 };
253
254 /**
255 * destroy a addr_entry_t object
256 */
257 static void addr_entry_destroy(addr_entry_t *this)
258 {
259 this->ip->destroy(this->ip);
260 free(this);
261 }
262
263 typedef struct iface_entry_t iface_entry_t;
264
265 /**
266 * A network interface on this system, containing addr_entry_t's
267 */
268 struct iface_entry_t {
269
270 /** interface index */
271 int ifindex;
272
273 /** name of the interface */
274 char ifname[IFNAMSIZ];
275
276 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
277 u_int flags;
278
279 /** list of addresses as host_t */
280 linked_list_t *addrs;
281 };
282
283 /**
284 * destroy an interface entry
285 */
286 static void iface_entry_destroy(iface_entry_t *this)
287 {
288 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
289 free(this);
290 }
291
292 typedef struct private_kernel_interface_t private_kernel_interface_t;
293
294 /**
295 * Private variables and functions of kernel_interface class.
296 */
297 struct private_kernel_interface_t {
298 /**
299 * Public part of the kernel_interface_t object.
300 */
301 kernel_interface_t public;
302
303 /**
304 * mutex to lock access to the various lists
305 */
306 pthread_mutex_t mutex;
307
308 /**
309 * condition variable to signal virtual IP add/removal
310 */
311 pthread_cond_t cond;
312
313 /**
314 * List of installed policies (policy_entry_t)
315 */
316 linked_list_t *policies;
317
318 /**
319 * Cached list of interfaces and its adresses (iface_entry_t)
320 */
321 linked_list_t *ifaces;
322
323 /**
324 * iterator used in hook()
325 */
326 iterator_t *hiter;
327
328 /**
329 * job receiving netlink events
330 */
331 callback_job_t *job;
332
333 /**
334 * current sequence number for netlink request
335 */
336 int seq;
337
338 /**
339 * Netlink xfrm socket (IPsec)
340 */
341 int socket_xfrm;
342
343 /**
344 * netlink xfrm socket to receive acquire and expire events
345 */
346 int socket_xfrm_events;
347
348 /**
349 * Netlink rt socket (routing)
350 */
351 int socket_rt;
352
353 /**
354 * Netlink rt socket to receive address change events
355 */
356 int socket_rt_events;
357
358 /**
359 * time of the last roam_job
360 */
361 struct timeval last_roam;
362 };
363
364 /**
365 * convert a host_t to a struct xfrm_address
366 */
367 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
368 {
369 chunk_t chunk = host->get_address(host);
370 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
371 }
372
373 /**
374 * convert a traffic selector address range to subnet and its mask.
375 */
376 static void ts2subnet(traffic_selector_t* ts,
377 xfrm_address_t *net, u_int8_t *mask)
378 {
379 /* there is no way to do this cleanly, as the address range may
380 * be anything else but a subnet. We use from_addr as subnet
381 * and try to calculate a usable subnet mask.
382 */
383 int byte, bit;
384 bool found = FALSE;
385 chunk_t from, to;
386 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
387
388 from = ts->get_from_address(ts);
389 to = ts->get_to_address(ts);
390
391 *mask = (size * 8);
392 /* go trough all bits of the addresses, beginning in the front.
393 * as long as they are equal, the subnet gets larger
394 */
395 for (byte = 0; byte < size; byte++)
396 {
397 for (bit = 7; bit >= 0; bit--)
398 {
399 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
400 {
401 *mask = ((7 - bit) + (byte * 8));
402 found = TRUE;
403 break;
404 }
405 }
406 if (found)
407 {
408 break;
409 }
410 }
411 memcpy(net, from.ptr, from.len);
412 chunk_free(&from);
413 chunk_free(&to);
414 }
415
416 /**
417 * convert a traffic selector port range to port/portmask
418 */
419 static void ts2ports(traffic_selector_t* ts,
420 u_int16_t *port, u_int16_t *mask)
421 {
422 /* linux does not seem to accept complex portmasks. Only
423 * any or a specific port is allowed. We set to any, if we have
424 * a port range, or to a specific, if we have one port only.
425 */
426 u_int16_t from, to;
427
428 from = ts->get_from_port(ts);
429 to = ts->get_to_port(ts);
430
431 if (from == to)
432 {
433 *port = htons(from);
434 *mask = ~0;
435 }
436 else
437 {
438 *port = 0;
439 *mask = 0;
440 }
441 }
442
443 /**
444 * convert a pair of traffic_selectors to a xfrm_selector
445 */
446 static struct xfrm_selector ts2selector(traffic_selector_t *src,
447 traffic_selector_t *dst)
448 {
449 struct xfrm_selector sel;
450
451 memset(&sel, 0, sizeof(sel));
452 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
453 /* src or dest proto may be "any" (0), use more restrictive one */
454 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
455 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
456 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
457 ts2ports(dst, &sel.dport, &sel.dport_mask);
458 ts2ports(src, &sel.sport, &sel.sport_mask);
459 sel.ifindex = 0;
460 sel.user = 0;
461
462 return sel;
463 }
464
465 /**
466 * Creates an rtattr and adds it to the netlink message
467 */
468 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
469 size_t buflen)
470 {
471 struct rtattr *rta;
472
473 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
474 {
475 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
476 return;
477 }
478
479 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
480 rta->rta_type = rta_type;
481 rta->rta_len = RTA_LENGTH(data.len);
482 memcpy(RTA_DATA(rta), data.ptr, data.len);
483 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
484 }
485
486 /**
487 * process a XFRM_MSG_ACQUIRE from kernel
488 */
489 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
490 {
491 u_int32_t reqid = 0;
492 job_t *job;
493 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
494 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
495
496 if (RTA_OK(rtattr, rtsize))
497 {
498 if (rtattr->rta_type == XFRMA_TMPL)
499 {
500 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
501 reqid = tmpl->reqid;
502 }
503 }
504 if (reqid == 0)
505 {
506 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
507 return;
508 }
509 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
510 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
511 job = (job_t*)acquire_job_create(reqid);
512 charon->processor->queue_job(charon->processor, job);
513 }
514
515 /**
516 * process a XFRM_MSG_EXPIRE from kernel
517 */
518 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
519 {
520 job_t *job;
521 protocol_id_t protocol;
522 u_int32_t spi, reqid;
523 struct xfrm_user_expire *expire;
524
525 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
526 protocol = expire->state.id.proto == KERNEL_ESP ? PROTO_ESP : PROTO_AH;
527 spi = expire->state.id.spi;
528 reqid = expire->state.reqid;
529
530 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
531 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
532 expire->hard ? "delete" : "rekey", protocol_id_names,
533 protocol, ntohl(spi), reqid);
534 if (expire->hard)
535 {
536 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
537 }
538 else
539 {
540 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
541 }
542 charon->processor->queue_job(charon->processor, job);
543 }
544
545 /**
546 * start a roaming job. We delay it for a second and fire only one job
547 * for multiple events. Otherwise we would create two many jobs.
548 */
549 static void fire_roam_job(private_kernel_interface_t *this, bool address)
550 {
551 struct timeval now;
552
553 if (gettimeofday(&now, NULL) == 0)
554 {
555 if (timercmp(&now, &this->last_roam, >))
556 {
557 now.tv_usec += ROAM_DELAY * 1000;
558 while (now.tv_usec > 1000000)
559 {
560 now.tv_sec++;
561 now.tv_usec -= 1000000;
562 }
563 this->last_roam = now;
564 charon->scheduler->schedule_job(charon->scheduler,
565 (job_t*)roam_job_create(address), ROAM_DELAY);
566 }
567 }
568 }
569
570 /**
571 * process RTM_NEWLINK/RTM_DELLINK from kernel
572 */
573 static void process_link(private_kernel_interface_t *this,
574 struct nlmsghdr *hdr, bool event)
575 {
576 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
577 struct rtattr *rta = IFLA_RTA(msg);
578 size_t rtasize = IFLA_PAYLOAD (hdr);
579 iterator_t *iterator;
580 iface_entry_t *current, *entry = NULL;
581 char *name = NULL;
582 bool update = FALSE;
583
584 while(RTA_OK(rta, rtasize))
585 {
586 switch (rta->rta_type)
587 {
588 case IFLA_IFNAME:
589 name = RTA_DATA(rta);
590 break;
591 }
592 rta = RTA_NEXT(rta, rtasize);
593 }
594 if (!name)
595 {
596 name = "(unknown)";
597 }
598
599 switch (hdr->nlmsg_type)
600 {
601 case RTM_NEWLINK:
602 {
603 if (msg->ifi_flags & IFF_LOOPBACK)
604 { /* ignore loopback interfaces */
605 break;
606 }
607 iterator = this->ifaces->create_iterator_locked(this->ifaces,
608 &this->mutex);
609 while (iterator->iterate(iterator, (void**)&current))
610 {
611 if (current->ifindex == msg->ifi_index)
612 {
613 entry = current;
614 break;
615 }
616 }
617 if (!entry)
618 {
619 entry = malloc_thing(iface_entry_t);
620 entry->ifindex = msg->ifi_index;
621 entry->flags = 0;
622 entry->addrs = linked_list_create();
623 this->ifaces->insert_last(this->ifaces, entry);
624 }
625 memcpy(entry->ifname, name, IFNAMSIZ);
626 entry->ifname[IFNAMSIZ-1] = '\0';
627 if (event)
628 {
629 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
630 {
631 update = TRUE;
632 DBG1(DBG_KNL, "interface %s activated", name);
633 }
634 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
635 {
636 update = TRUE;
637 DBG1(DBG_KNL, "interface %s deactivated", name);
638 }
639 }
640 entry->flags = msg->ifi_flags;
641 iterator->destroy(iterator);
642 break;
643 }
644 case RTM_DELLINK:
645 {
646 iterator = this->ifaces->create_iterator_locked(this->ifaces,
647 &this->mutex);
648 while (iterator->iterate(iterator, (void**)&current))
649 {
650 if (current->ifindex == msg->ifi_index)
651 {
652 /* we do not remove it, as an address may be added to a
653 * "down" interface and we wan't to know that. */
654 current->flags = msg->ifi_flags;
655 break;
656 }
657 }
658 iterator->destroy(iterator);
659 break;
660 }
661 }
662
663 /* send an update to all IKE_SAs */
664 if (update && event)
665 {
666 fire_roam_job(this, TRUE);
667 }
668 }
669
670 /**
671 * process RTM_NEWADDR/RTM_DELADDR from kernel
672 */
673 static void process_addr(private_kernel_interface_t *this,
674 struct nlmsghdr *hdr, bool event)
675 {
676 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
677 struct rtattr *rta = IFA_RTA(msg);
678 size_t rtasize = IFA_PAYLOAD (hdr);
679 host_t *host = NULL;
680 iterator_t *ifaces, *addrs;
681 iface_entry_t *iface;
682 addr_entry_t *addr;
683 chunk_t local = chunk_empty, address = chunk_empty;
684 bool update = FALSE, found = FALSE, changed = FALSE;
685
686 while(RTA_OK(rta, rtasize))
687 {
688 switch (rta->rta_type)
689 {
690 case IFA_LOCAL:
691 local.ptr = RTA_DATA(rta);
692 local.len = RTA_PAYLOAD(rta);
693 break;
694 case IFA_ADDRESS:
695 address.ptr = RTA_DATA(rta);
696 address.len = RTA_PAYLOAD(rta);
697 break;
698 }
699 rta = RTA_NEXT(rta, rtasize);
700 }
701
702 /* For PPP interfaces, we need the IFA_LOCAL address,
703 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
704 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
705 if (local.ptr)
706 {
707 host = host_create_from_chunk(msg->ifa_family, local, 0);
708 }
709 else if (address.ptr)
710 {
711 host = host_create_from_chunk(msg->ifa_family, address, 0);
712 }
713
714 if (host == NULL)
715 { /* bad family? */
716 return;
717 }
718
719 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
720 while (ifaces->iterate(ifaces, (void**)&iface))
721 {
722 if (iface->ifindex == msg->ifa_index)
723 {
724 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
725 while (addrs->iterate(addrs, (void**)&addr))
726 {
727 if (host->ip_equals(host, addr->ip))
728 {
729 found = TRUE;
730 if (hdr->nlmsg_type == RTM_DELADDR)
731 {
732 changed = TRUE;
733 addrs->remove(addrs);
734 if (!addr->virtual)
735 {
736 DBG1(DBG_KNL, "%H disappeared from %s",
737 host, iface->ifname);
738 }
739 addr_entry_destroy(addr);
740 }
741 else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
742 {
743 addr->refcount = 1;
744 }
745 }
746 }
747 addrs->destroy(addrs);
748
749 if (hdr->nlmsg_type == RTM_NEWADDR)
750 {
751 if (!found)
752 {
753 found = TRUE;
754 changed = TRUE;
755 addr = malloc_thing(addr_entry_t);
756 addr->ip = host->clone(host);
757 addr->virtual = FALSE;
758 addr->refcount = 1;
759 addr->scope = msg->ifa_scope;
760
761 iface->addrs->insert_last(iface->addrs, addr);
762 if (event)
763 {
764 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
765 }
766 }
767 }
768 if (found && (iface->flags & IFF_UP))
769 {
770 update = TRUE;
771 }
772 break;
773 }
774 }
775 ifaces->destroy(ifaces);
776 host->destroy(host);
777
778 /* send an update to all IKE_SAs */
779 if (update && event && changed)
780 {
781 fire_roam_job(this, TRUE);
782 }
783 }
784
785 /**
786 * Receives events from kernel
787 */
788 static job_requeue_t receive_events(private_kernel_interface_t *this)
789 {
790 char response[1024];
791 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
792 struct sockaddr_nl addr;
793 socklen_t addr_len = sizeof(addr);
794 int len, oldstate, maxfd, selected;
795 fd_set rfds;
796
797 FD_ZERO(&rfds);
798 FD_SET(this->socket_xfrm_events, &rfds);
799 FD_SET(this->socket_rt_events, &rfds);
800 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
801
802 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
803 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
804 pthread_setcancelstate(oldstate, NULL);
805 if (selected <= 0)
806 {
807 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
808 return JOB_REQUEUE_FAIR;
809 }
810 if (FD_ISSET(this->socket_xfrm_events, &rfds))
811 {
812 selected = this->socket_xfrm_events;
813 }
814 else if (FD_ISSET(this->socket_rt_events, &rfds))
815 {
816 selected = this->socket_rt_events;
817 }
818 else
819 {
820 return JOB_REQUEUE_DIRECT;
821 }
822
823 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
824 (struct sockaddr*)&addr, &addr_len);
825 if (len < 0)
826 {
827 switch (errno)
828 {
829 case EINTR:
830 /* interrupted, try again */
831 return JOB_REQUEUE_DIRECT;
832 case EAGAIN:
833 /* no data ready, select again */
834 return JOB_REQUEUE_DIRECT;
835 default:
836 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
837 sleep(1);
838 return JOB_REQUEUE_FAIR;
839 }
840 }
841 if (addr.nl_pid != 0)
842 { /* not from kernel. not interested, try another one */
843 return JOB_REQUEUE_DIRECT;
844 }
845
846 while (NLMSG_OK(hdr, len))
847 {
848 /* looks good so far, dispatch netlink message */
849 if (selected == this->socket_xfrm_events)
850 {
851 switch (hdr->nlmsg_type)
852 {
853 case XFRM_MSG_ACQUIRE:
854 process_acquire(this, hdr);
855 break;
856 case XFRM_MSG_EXPIRE:
857 process_expire(this, hdr);
858 break;
859 default:
860 break;
861 }
862 }
863 else if (selected == this->socket_rt_events)
864 {
865 switch (hdr->nlmsg_type)
866 {
867 case RTM_NEWADDR:
868 case RTM_DELADDR:
869 process_addr(this, hdr, TRUE);
870 pthread_cond_signal(&this->cond);
871 break;
872 case RTM_NEWLINK:
873 case RTM_DELLINK:
874 process_link(this, hdr, TRUE);
875 pthread_cond_signal(&this->cond);
876 break;
877 case RTM_NEWROUTE:
878 case RTM_DELROUTE:
879 fire_roam_job(this, FALSE);
880 break;
881 default:
882 break;
883 }
884 }
885 hdr = NLMSG_NEXT(hdr, len);
886 }
887 return JOB_REQUEUE_DIRECT;
888 }
889
890 /**
891 * send a netlink message and wait for a reply
892 */
893 static status_t netlink_send(private_kernel_interface_t *this,
894 int socket, struct nlmsghdr *in,
895 struct nlmsghdr **out, size_t *out_len)
896 {
897 int len, addr_len;
898 struct sockaddr_nl addr;
899 chunk_t result = chunk_empty, tmp;
900 struct nlmsghdr *msg, peek;
901
902 pthread_mutex_lock(&this->mutex);
903
904 in->nlmsg_seq = ++this->seq;
905 in->nlmsg_pid = getpid();
906
907 memset(&addr, 0, sizeof(addr));
908 addr.nl_family = AF_NETLINK;
909 addr.nl_pid = 0;
910 addr.nl_groups = 0;
911
912 while (TRUE)
913 {
914 len = sendto(socket, in, in->nlmsg_len, 0,
915 (struct sockaddr*)&addr, sizeof(addr));
916
917 if (len != in->nlmsg_len)
918 {
919 if (errno == EINTR)
920 {
921 /* interrupted, try again */
922 continue;
923 }
924 pthread_mutex_unlock(&this->mutex);
925 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
926 return FAILED;
927 }
928 break;
929 }
930
931 while (TRUE)
932 {
933 char buf[4096];
934 tmp.len = sizeof(buf);
935 tmp.ptr = buf;
936 msg = (struct nlmsghdr*)tmp.ptr;
937
938 memset(&addr, 0, sizeof(addr));
939 addr.nl_family = AF_NETLINK;
940 addr.nl_pid = getpid();
941 addr.nl_groups = 0;
942 addr_len = sizeof(addr);
943
944 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
945 (struct sockaddr*)&addr, &addr_len);
946
947 if (len < 0)
948 {
949 if (errno == EINTR)
950 {
951 DBG1(DBG_KNL, "got interrupted");
952 /* interrupted, try again */
953 continue;
954 }
955 DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
956 pthread_mutex_unlock(&this->mutex);
957 return FAILED;
958 }
959 if (!NLMSG_OK(msg, len))
960 {
961 DBG1(DBG_KNL, "received corrupted netlink message");
962 pthread_mutex_unlock(&this->mutex);
963 return FAILED;
964 }
965 if (msg->nlmsg_seq != this->seq)
966 {
967 DBG1(DBG_KNL, "received invalid netlink sequence number");
968 if (msg->nlmsg_seq < this->seq)
969 {
970 continue;
971 }
972 pthread_mutex_unlock(&this->mutex);
973 return FAILED;
974 }
975
976 tmp.len = len;
977 result = chunk_cata("cc", result, tmp);
978
979 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
980 * numbers to detect multi header messages */
981 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
982 (struct sockaddr*)&addr, &addr_len);
983
984 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
985 {
986 /* seems to be multipart */
987 continue;
988 }
989 break;
990 }
991
992 *out_len = result.len;
993 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
994
995 pthread_mutex_unlock(&this->mutex);
996
997 return SUCCESS;
998 }
999
1000 /**
1001 * send a netlink message and wait for its acknowlegde
1002 */
1003 static status_t netlink_send_ack(private_kernel_interface_t *this,
1004 int socket, struct nlmsghdr *in)
1005 {
1006 struct nlmsghdr *out, *hdr;
1007 size_t len;
1008
1009 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
1010 {
1011 return FAILED;
1012 }
1013 hdr = out;
1014 while (NLMSG_OK(hdr, len))
1015 {
1016 switch (hdr->nlmsg_type)
1017 {
1018 case NLMSG_ERROR:
1019 {
1020 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
1021
1022 if (err->error)
1023 {
1024 DBG1(DBG_KNL, "received netlink error: %s (%d)",
1025 strerror(-err->error), -err->error);
1026 free(out);
1027 return FAILED;
1028 }
1029 free(out);
1030 return SUCCESS;
1031 }
1032 default:
1033 hdr = NLMSG_NEXT(hdr, len);
1034 continue;
1035 case NLMSG_DONE:
1036 break;
1037 }
1038 break;
1039 }
1040 DBG1(DBG_KNL, "netlink request not acknowlegded");
1041 free(out);
1042 return FAILED;
1043 }
1044
1045 /**
1046 * Initialize a list of local addresses.
1047 */
1048 static status_t init_address_list(private_kernel_interface_t *this)
1049 {
1050 char request[BUFFER_SIZE];
1051 struct nlmsghdr *out, *current, *in;
1052 struct rtgenmsg *msg;
1053 size_t len;
1054 iterator_t *ifaces, *addrs;
1055 iface_entry_t *iface;
1056 addr_entry_t *addr;
1057
1058 DBG1(DBG_KNL, "listening on interfaces:");
1059
1060 memset(&request, 0, sizeof(request));
1061
1062 in = (struct nlmsghdr*)&request;
1063 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
1064 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
1065 msg = (struct rtgenmsg*)NLMSG_DATA(in);
1066 msg->rtgen_family = AF_UNSPEC;
1067
1068 /* get all links */
1069 in->nlmsg_type = RTM_GETLINK;
1070 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1071 {
1072 return FAILED;
1073 }
1074 current = out;
1075 while (NLMSG_OK(current, len))
1076 {
1077 switch (current->nlmsg_type)
1078 {
1079 case NLMSG_DONE:
1080 break;
1081 case RTM_NEWLINK:
1082 process_link(this, current, FALSE);
1083 /* fall through */
1084 default:
1085 current = NLMSG_NEXT(current, len);
1086 continue;
1087 }
1088 break;
1089 }
1090 free(out);
1091
1092 /* get all interface addresses */
1093 in->nlmsg_type = RTM_GETADDR;
1094 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1095 {
1096 return FAILED;
1097 }
1098 current = out;
1099 while (NLMSG_OK(current, len))
1100 {
1101 switch (current->nlmsg_type)
1102 {
1103 case NLMSG_DONE:
1104 break;
1105 case RTM_NEWADDR:
1106 process_addr(this, current, FALSE);
1107 /* fall through */
1108 default:
1109 current = NLMSG_NEXT(current, len);
1110 continue;
1111 }
1112 break;
1113 }
1114 free(out);
1115
1116 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1117 while (ifaces->iterate(ifaces, (void**)&iface))
1118 {
1119 if (iface->flags & IFF_UP)
1120 {
1121 DBG1(DBG_KNL, " %s", iface->ifname);
1122 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1123 while (addrs->iterate(addrs, (void**)&addr))
1124 {
1125 DBG1(DBG_KNL, " %H", addr->ip);
1126 }
1127 addrs->destroy(addrs);
1128 }
1129 }
1130 ifaces->destroy(ifaces);
1131 return SUCCESS;
1132 }
1133
1134 /**
1135 * iterator hook to iterate over addrs
1136 */
1137 static hook_result_t addr_hook(private_kernel_interface_t *this,
1138 addr_entry_t *in, host_t **out)
1139 {
1140 if (in->virtual)
1141 { /* skip virtual interfaces added by us */
1142 return HOOK_SKIP;
1143 }
1144 if (in->scope >= RT_SCOPE_LINK)
1145 { /* skip addresses with a unusable scope */
1146 return HOOK_SKIP;
1147 }
1148 *out = in->ip;
1149 return HOOK_NEXT;
1150 }
1151
1152 /**
1153 * iterator hook to iterate over ifaces
1154 */
1155 static hook_result_t iface_hook(private_kernel_interface_t *this,
1156 iface_entry_t *in, host_t **out)
1157 {
1158 if (!(in->flags & IFF_UP))
1159 { /* skip interfaces not up */
1160 return HOOK_SKIP;
1161 }
1162
1163 if (this->hiter == NULL)
1164 {
1165 this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
1166 this->hiter->set_iterator_hook(this->hiter,
1167 (iterator_hook_t*)addr_hook, this);
1168 }
1169 while (this->hiter->iterate(this->hiter, (void**)out))
1170 {
1171 return HOOK_AGAIN;
1172 }
1173 this->hiter->destroy(this->hiter);
1174 this->hiter = NULL;
1175 return HOOK_SKIP;
1176 }
1177
1178 /**
1179 * Implements kernel_interface_t.create_address_iterator.
1180 */
1181 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1182 {
1183 iterator_t *iterator;
1184
1185 /* This iterator is not only hooked, is is double-hooked. As we have stored
1186 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
1187 * entries in each interface we iterate. This does the iface_hook. The
1188 * addr_hook returns the ip instead of the addr_entry. */
1189
1190 iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1191 iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
1192 return iterator;
1193 }
1194
1195 /**
1196 * implementation of kernel_interface_t.get_interface_name
1197 */
1198 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1199 {
1200 iterator_t *ifaces, *addrs;
1201 iface_entry_t *iface;
1202 addr_entry_t *addr;
1203 char *name = NULL;
1204
1205 DBG2(DBG_KNL, "getting interface name for %H", ip);
1206
1207 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1208 while (ifaces->iterate(ifaces, (void**)&iface))
1209 {
1210 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1211 while (addrs->iterate(addrs, (void**)&addr))
1212 {
1213 if (ip->ip_equals(ip, addr->ip))
1214 {
1215 name = strdup(iface->ifname);
1216 break;
1217 }
1218 }
1219 addrs->destroy(addrs);
1220 if (name)
1221 {
1222 break;
1223 }
1224 }
1225 ifaces->destroy(ifaces);
1226
1227 if (name)
1228 {
1229 DBG2(DBG_KNL, "%H is on interface %s", ip, name);
1230 }
1231 else
1232 {
1233 DBG2(DBG_KNL, "%H is not a local address", ip);
1234 }
1235 return name;
1236 }
1237
1238 /**
1239 * Tries to find an ip address of a local interface that is included in the
1240 * supplied traffic selector.
1241 */
1242 static status_t get_address_by_ts(private_kernel_interface_t *this,
1243 traffic_selector_t *ts, host_t **ip)
1244 {
1245 iterator_t *ifaces, *addrs;
1246 iface_entry_t *iface;
1247 addr_entry_t *addr;
1248 host_t *host;
1249 int family;
1250 bool found = FALSE;
1251
1252 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
1253
1254 /* if we have a family which includes localhost, we do not
1255 * search for an IP, we use the default */
1256 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1257
1258 if (family == AF_INET)
1259 {
1260 host = host_create_from_string("127.0.0.1", 0);
1261 }
1262 else
1263 {
1264 host = host_create_from_string("::1", 0);
1265 }
1266
1267 if (ts->includes(ts, host))
1268 {
1269 *ip = host_create_any(family);
1270 host->destroy(host);
1271 DBG2(DBG_KNL, "using host %H", *ip);
1272 return SUCCESS;
1273 }
1274 host->destroy(host);
1275
1276 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1277 while (ifaces->iterate(ifaces, (void**)&iface))
1278 {
1279 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1280 while (addrs->iterate(addrs, (void**)&addr))
1281 {
1282 if (ts->includes(ts, addr->ip))
1283 {
1284 found = TRUE;
1285 *ip = addr->ip->clone(addr->ip);
1286 break;
1287 }
1288 }
1289 addrs->destroy(addrs);
1290 if (found)
1291 {
1292 break;
1293 }
1294 }
1295 ifaces->destroy(ifaces);
1296
1297 if (!found)
1298 {
1299 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
1300 return FAILED;
1301 }
1302 DBG2(DBG_KNL, "using host %H", *ip);
1303 return SUCCESS;
1304 }
1305
1306 /**
1307 * get the interface of a local address
1308 */
1309 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1310 {
1311 iterator_t *ifaces, *addrs;
1312 iface_entry_t *iface;
1313 addr_entry_t *addr;
1314 int ifindex = 0;
1315
1316 DBG2(DBG_KNL, "getting iface for %H", ip);
1317
1318 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1319 while (ifaces->iterate(ifaces, (void**)&iface))
1320 {
1321 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1322 while (addrs->iterate(addrs, (void**)&addr))
1323 {
1324 if (ip->ip_equals(ip, addr->ip))
1325 {
1326 ifindex = iface->ifindex;
1327 break;
1328 }
1329 }
1330 addrs->destroy(addrs);
1331 if (ifindex)
1332 {
1333 break;
1334 }
1335 }
1336 ifaces->destroy(ifaces);
1337
1338 if (ifindex == 0)
1339 {
1340 DBG1(DBG_KNL, "unable to get interface for %H", ip);
1341 }
1342 return ifindex;
1343 }
1344
1345 /**
1346 * get the refcount of a virtual ip
1347 */
1348 static int get_vip_refcount(private_kernel_interface_t *this, host_t* ip)
1349 {
1350 iterator_t *ifaces, *addrs;
1351 iface_entry_t *iface;
1352 addr_entry_t *addr;
1353 int refcount = 0;
1354
1355 ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
1356 while (ifaces->iterate(ifaces, (void**)&iface))
1357 {
1358 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1359 while (addrs->iterate(addrs, (void**)&addr))
1360 {
1361 if (addr->virtual && (iface->flags & IFF_UP) &&
1362 ip->ip_equals(ip, addr->ip))
1363 {
1364 refcount = addr->refcount;
1365 break;
1366 }
1367 }
1368 addrs->destroy(addrs);
1369 if (refcount)
1370 {
1371 break;
1372 }
1373 }
1374 ifaces->destroy(ifaces);
1375
1376 return refcount;
1377 }
1378
1379 /**
1380 * Manages the creation and deletion of ip addresses on an interface.
1381 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1382 */
1383 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1384 int flags, int if_index, host_t *ip)
1385 {
1386 unsigned char request[BUFFER_SIZE];
1387 struct nlmsghdr *hdr;
1388 struct ifaddrmsg *msg;
1389 chunk_t chunk;
1390
1391 memset(&request, 0, sizeof(request));
1392
1393 chunk = ip->get_address(ip);
1394
1395 hdr = (struct nlmsghdr*)request;
1396 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1397 hdr->nlmsg_type = nlmsg_type;
1398 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1399
1400 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1401 msg->ifa_family = ip->get_family(ip);
1402 msg->ifa_flags = 0;
1403 msg->ifa_prefixlen = 8 * chunk.len;
1404 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1405 msg->ifa_index = if_index;
1406
1407 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1408
1409 return netlink_send_ack(this, this->socket_rt, hdr);
1410 }
1411
1412 /**
1413 * Manages source routes in the routing table.
1414 * By setting the appropriate nlmsg_type, the route added or r.
1415 */
1416 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1417 int flags, route_entry_t *route)
1418 {
1419 unsigned char request[BUFFER_SIZE];
1420 struct nlmsghdr *hdr;
1421 struct rtmsg *msg;
1422 chunk_t chunk;
1423
1424 #if IPSEC_ROUTING_TABLE == 0
1425 /* if route is 0.0.0.0/0, we can't install it, as it would
1426 * overwrite the default route. Instead, we add two routes:
1427 * 0.0.0.0/1 and 128.0.0.0/1 */
1428 if (route->prefixlen == 0)
1429 {
1430 route_entry_t half;
1431 status_t status;
1432
1433 half.dst_net = chunk_alloca(route->dst_net.len);
1434 memset(half.dst_net.ptr, 0, half.dst_net.len);
1435 half.src_ip = route->src_ip;
1436 half.gateway = route->gateway;
1437 half.if_index = route->if_index;
1438 half.prefixlen = 1;
1439
1440 status = manage_srcroute(this, nlmsg_type, flags, &half);
1441 half.dst_net.ptr[0] |= 0x80;
1442 status = manage_srcroute(this, nlmsg_type, flags, &half);
1443 return status;
1444 }
1445 #endif
1446
1447 memset(&request, 0, sizeof(request));
1448
1449 hdr = (struct nlmsghdr*)request;
1450 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1451 hdr->nlmsg_type = nlmsg_type;
1452 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1453
1454 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1455 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1456 msg->rtm_dst_len = route->prefixlen;
1457 msg->rtm_table = IPSEC_ROUTING_TABLE;
1458 msg->rtm_protocol = RTPROT_STATIC;
1459 msg->rtm_type = RTN_UNICAST;
1460 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1461
1462 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1463 chunk = route->src_ip->get_address(route->src_ip);
1464 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1465 chunk = route->gateway->get_address(route->gateway);
1466 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1467 chunk.ptr = (char*)&route->if_index;
1468 chunk.len = sizeof(route->if_index);
1469 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1470
1471 return netlink_send_ack(this, this->socket_rt, hdr);
1472 }
1473
1474 /**
1475 * create or delete an rule to use our routing table
1476 */
1477 static status_t manage_rule(private_kernel_interface_t *this, int nlmsg_type,
1478 u_int32_t table, u_int32_t prio)
1479 {
1480 unsigned char request[BUFFER_SIZE];
1481 struct nlmsghdr *hdr;
1482 struct rtmsg *msg;
1483 chunk_t chunk;
1484
1485 memset(&request, 0, sizeof(request));
1486 hdr = (struct nlmsghdr*)request;
1487 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1488 hdr->nlmsg_type = nlmsg_type;
1489 if (nlmsg_type == RTM_NEWRULE)
1490 {
1491 hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
1492 }
1493 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1494
1495 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1496 msg->rtm_table = table;
1497 msg->rtm_family = AF_INET;
1498 msg->rtm_protocol = RTPROT_BOOT;
1499 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1500 msg->rtm_type = RTN_UNICAST;
1501
1502 chunk = chunk_from_thing(prio);
1503 add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
1504
1505 return netlink_send_ack(this, this->socket_rt, hdr);
1506 }
1507
1508 /**
1509 * check if an address (chunk) addr is in subnet (net with net_len net bits)
1510 */
1511 static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
1512 {
1513 int bit, byte;
1514
1515 if (addr.len != net.len)
1516 {
1517 return FALSE;
1518 }
1519 /* scan through all bits, beginning in the front */
1520 for (byte = 0; byte < addr.len; byte++)
1521 {
1522 for (bit = 7; bit >= 0; bit--)
1523 {
1524 /* check if bits are equal (or we reached the end of the net) */
1525 if (bit + byte * 8 > net_len)
1526 {
1527 return TRUE;
1528 }
1529 if (((1<<bit) & addr.ptr[byte]) != ((1<<bit) & net.ptr[byte]))
1530 {
1531 return FALSE;
1532 }
1533 }
1534 }
1535 return TRUE;
1536 }
1537
1538 /**
1539 * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
1540 */
1541 static host_t *get_route(private_kernel_interface_t *this, host_t *dest,
1542 bool nexthop)
1543 {
1544 unsigned char request[BUFFER_SIZE];
1545 struct nlmsghdr *hdr, *out, *current;
1546 struct rtmsg *msg;
1547 chunk_t chunk;
1548 size_t len;
1549 int best = -1;
1550 host_t *src = NULL, *gtw = NULL;
1551
1552 DBG2(DBG_KNL, "getting address to reach %H", dest);
1553
1554 memset(&request, 0, sizeof(request));
1555
1556 hdr = (struct nlmsghdr*)request;
1557 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ROOT;
1558 hdr->nlmsg_type = RTM_GETROUTE;
1559 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1560
1561 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1562 msg->rtm_family = dest->get_family(dest);
1563
1564 chunk = dest->get_address(dest);
1565 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1566
1567 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1568 {
1569 DBG1(DBG_KNL, "getting address to %H failed", dest);
1570 return NULL;
1571 }
1572 current = out;
1573 while (NLMSG_OK(current, len))
1574 {
1575 switch (current->nlmsg_type)
1576 {
1577 case NLMSG_DONE:
1578 break;
1579 case RTM_NEWROUTE:
1580 {
1581 struct rtattr *rta;
1582 size_t rtasize;
1583 chunk_t rta_gtw, rta_src, rta_dst;
1584 u_int32_t rta_oif = 0;
1585
1586 rta_gtw = rta_src = rta_dst = chunk_empty;
1587 msg = (struct rtmsg*)(NLMSG_DATA(current));
1588 rta = RTM_RTA(msg);
1589 rtasize = RTM_PAYLOAD(current);
1590 while (RTA_OK(rta, rtasize))
1591 {
1592 switch (rta->rta_type)
1593 {
1594 case RTA_PREFSRC:
1595 rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1596 break;
1597 case RTA_GATEWAY:
1598 rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1599 break;
1600 case RTA_DST:
1601 rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1602 break;
1603 case RTA_OIF:
1604 if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
1605 {
1606 rta_oif = *(u_int32_t*)RTA_DATA(rta);
1607 }
1608 break;
1609 }
1610 rta = RTA_NEXT(rta, rtasize);
1611 }
1612
1613 /* apply the route if:
1614 * - it is not from our own ipsec routing table
1615 * - is better than a previous one
1616 * - is the default route or
1617 * - its destination net contains our destination
1618 */
1619 if (msg->rtm_table != IPSEC_ROUTING_TABLE
1620 && msg->rtm_dst_len > best
1621 && (msg->rtm_dst_len == 0 || /* default route */
1622 (rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
1623 {
1624 iterator_t *ifaces, *addrs;
1625 iface_entry_t *iface;
1626 addr_entry_t *addr;
1627
1628 best = msg->rtm_dst_len;
1629 if (nexthop)
1630 {
1631 DESTROY_IF(gtw);
1632 gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
1633 }
1634 else if (rta_src.ptr)
1635 {
1636 DESTROY_IF(src);
1637 src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
1638 }
1639 else
1640 {
1641 /* no source addr, get one from the interfaces */
1642 ifaces = this->ifaces->create_iterator_locked(
1643 this->ifaces, &this->mutex);
1644 while (ifaces->iterate(ifaces, (void**)&iface))
1645 {
1646 if (iface->ifindex == rta_oif)
1647 {
1648 addrs = iface->addrs->create_iterator(
1649 iface->addrs, TRUE);
1650 while (addrs->iterate(addrs, (void**)&addr))
1651 {
1652 chunk_t ip = addr->ip->get_address(addr->ip);
1653 if (msg->rtm_dst_len == 0
1654 || addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
1655 {
1656 DESTROY_IF(src);
1657 src = addr->ip->clone(addr->ip);
1658 break;
1659 }
1660 }
1661 addrs->destroy(addrs);
1662 }
1663 }
1664 ifaces->destroy(ifaces);
1665 }
1666 }
1667 /* FALL through */
1668 }
1669 default:
1670 current = NLMSG_NEXT(current, len);
1671 continue;
1672 }
1673 break;
1674 }
1675 free(out);
1676
1677 if (nexthop)
1678 {
1679 if (gtw)
1680 {
1681 return gtw;
1682 }
1683 return dest->clone(dest);
1684 }
1685 return src;
1686 }
1687
1688 /**
1689 * Implementation of kernel_interface_t.get_source_addr.
1690 */
1691 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1692 {
1693 return get_route(this, dest, FALSE);
1694 }
1695
1696 /**
1697 * Implementation of kernel_interface_t.add_ip.
1698 */
1699 static status_t add_ip(private_kernel_interface_t *this,
1700 host_t *virtual_ip, host_t *iface_ip)
1701 {
1702 iface_entry_t *iface;
1703 addr_entry_t *addr;
1704 iterator_t *addrs, *ifaces;
1705 int ifindex;
1706
1707 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1708
1709 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1710 while (ifaces->iterate(ifaces, (void**)&iface))
1711 {
1712 bool iface_found = FALSE;
1713
1714 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1715 while (addrs->iterate(addrs, (void**)&addr))
1716 {
1717 if (iface_ip->ip_equals(iface_ip, addr->ip))
1718 {
1719 iface_found = TRUE;
1720 }
1721 else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1722 {
1723 addr->refcount++;
1724 DBG2(DBG_KNL, "virtual IP %H already installed on %s",
1725 virtual_ip, iface->ifname);
1726 addrs->destroy(addrs);
1727 ifaces->destroy(ifaces);
1728 return SUCCESS;
1729 }
1730 }
1731 addrs->destroy(addrs);
1732
1733 if (iface_found)
1734 {
1735 ifindex = iface->ifindex;
1736 addr = malloc_thing(addr_entry_t);
1737 addr->ip = virtual_ip->clone(virtual_ip);
1738 addr->refcount = 0;
1739 addr->virtual = TRUE;
1740 addr->scope = RT_SCOPE_UNIVERSE;
1741 iface->addrs->insert_last(iface->addrs, addr);
1742
1743 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1744 ifindex, virtual_ip) == SUCCESS)
1745 {
1746 while (get_vip_refcount(this, virtual_ip) == 0)
1747 { /* wait until address appears */
1748 pthread_cond_wait(&this->cond, &this->mutex);
1749 }
1750 ifaces->destroy(ifaces);
1751 return SUCCESS;
1752 }
1753 ifaces->destroy(ifaces);
1754 DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1755 return FAILED;
1756 }
1757 }
1758 ifaces->destroy(ifaces);
1759
1760 DBG1(DBG_KNL, "interface address %H not found, unable to install"
1761 "virtual IP %H", iface_ip, virtual_ip);
1762 return FAILED;
1763 }
1764
1765 /**
1766 * Implementation of kernel_interface_t.del_ip.
1767 */
1768 static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
1769 {
1770 iface_entry_t *iface;
1771 addr_entry_t *addr;
1772 iterator_t *addrs, *ifaces;
1773 status_t status;
1774 int ifindex;
1775
1776 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1777
1778 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1779 while (ifaces->iterate(ifaces, (void**)&iface))
1780 {
1781 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1782 while (addrs->iterate(addrs, (void**)&addr))
1783 {
1784 if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1785 {
1786 ifindex = iface->ifindex;
1787 if (addr->refcount == 1)
1788 {
1789 status = manage_ipaddr(this, RTM_DELADDR, 0,
1790 ifindex, virtual_ip);
1791 if (status == SUCCESS)
1792 { /* wait until the address is really gone */
1793 while (get_vip_refcount(this, virtual_ip) > 0)
1794 {
1795 pthread_cond_wait(&this->cond, &this->mutex);
1796 }
1797 }
1798 addrs->destroy(addrs);
1799 ifaces->destroy(ifaces);
1800 return status;
1801 }
1802 else
1803 {
1804 addr->refcount--;
1805 }
1806 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1807 virtual_ip);
1808 addrs->destroy(addrs);
1809 ifaces->destroy(ifaces);
1810 return SUCCESS;
1811 }
1812 }
1813 addrs->destroy(addrs);
1814 }
1815 ifaces->destroy(ifaces);
1816
1817 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1818 return FAILED;
1819 }
1820
1821 /**
1822 * Implementation of kernel_interface_t.get_spi.
1823 */
1824 static status_t get_spi(private_kernel_interface_t *this,
1825 host_t *src, host_t *dst,
1826 protocol_id_t protocol, u_int32_t reqid,
1827 u_int32_t *spi)
1828 {
1829 unsigned char request[BUFFER_SIZE];
1830 struct nlmsghdr *hdr, *out;
1831 struct xfrm_userspi_info *userspi;
1832 u_int32_t received_spi = 0;
1833 size_t len;
1834
1835 memset(&request, 0, sizeof(request));
1836
1837 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1838
1839 hdr = (struct nlmsghdr*)request;
1840 hdr->nlmsg_flags = NLM_F_REQUEST;
1841 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1842 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1843
1844 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1845 host2xfrm(src, &userspi->info.saddr);
1846 host2xfrm(dst, &userspi->info.id.daddr);
1847 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1848 userspi->info.mode = TRUE; /* tunnel mode */
1849 userspi->info.reqid = reqid;
1850 userspi->info.family = src->get_family(src);
1851 userspi->min = 0xc0000000;
1852 userspi->max = 0xcFFFFFFF;
1853
1854 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1855 {
1856 hdr = out;
1857 while (NLMSG_OK(hdr, len))
1858 {
1859 switch (hdr->nlmsg_type)
1860 {
1861 case XFRM_MSG_NEWSA:
1862 {
1863 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1864 received_spi = usersa->id.spi;
1865 break;
1866 }
1867 case NLMSG_ERROR:
1868 {
1869 struct nlmsgerr *err = NLMSG_DATA(hdr);
1870
1871 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1872 strerror(-err->error), -err->error);
1873 break;
1874 }
1875 default:
1876 hdr = NLMSG_NEXT(hdr, len);
1877 continue;
1878 case NLMSG_DONE:
1879 break;
1880 }
1881 break;
1882 }
1883 free(out);
1884 }
1885
1886 if (received_spi == 0)
1887 {
1888 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1889 return FAILED;
1890 }
1891
1892 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid);
1893
1894 *spi = received_spi;
1895 return SUCCESS;
1896 }
1897
1898 /**
1899 * Implementation of kernel_interface_t.add_sa.
1900 */
1901 static status_t add_sa(private_kernel_interface_t *this,
1902 host_t *src, host_t *dst, u_int32_t spi,
1903 protocol_id_t protocol, u_int32_t reqid,
1904 u_int64_t expire_soft, u_int64_t expire_hard,
1905 algorithm_t *enc_alg, algorithm_t *int_alg,
1906 prf_plus_t *prf_plus, mode_t mode, bool encap,
1907 bool replace)
1908 {
1909 unsigned char request[BUFFER_SIZE];
1910 char *alg_name;
1911 u_int key_size;
1912 struct nlmsghdr *hdr;
1913 struct xfrm_usersa_info *sa;
1914
1915 memset(&request, 0, sizeof(request));
1916
1917 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi);
1918
1919 hdr = (struct nlmsghdr*)request;
1920 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1921 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1922 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1923
1924 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1925 host2xfrm(src, &sa->saddr);
1926 host2xfrm(dst, &sa->id.daddr);
1927 sa->id.spi = spi;
1928 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1929 sa->family = src->get_family(src);
1930 sa->mode = mode;
1931 sa->replay_window = 32;
1932 sa->reqid = reqid;
1933 /* we currently do not expire SAs by volume/packet count */
1934 sa->lft.soft_byte_limit = XFRM_INF;
1935 sa->lft.hard_byte_limit = XFRM_INF;
1936 sa->lft.soft_packet_limit = XFRM_INF;
1937 sa->lft.hard_packet_limit = XFRM_INF;
1938 /* we use lifetimes since added, not since used */
1939 sa->lft.soft_add_expires_seconds = expire_soft;
1940 sa->lft.hard_add_expires_seconds = expire_hard;
1941 sa->lft.soft_use_expires_seconds = 0;
1942 sa->lft.hard_use_expires_seconds = 0;
1943
1944 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1945
1946 if (enc_alg->algorithm != ENCR_UNDEFINED)
1947 {
1948 rthdr->rta_type = XFRMA_ALG_CRYPT;
1949 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
1950 if (alg_name == NULL)
1951 {
1952 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1953 encryption_algorithm_names, enc_alg->algorithm);
1954 return FAILED;
1955 }
1956 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1957 encryption_algorithm_names, enc_alg->algorithm, key_size);
1958
1959 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1960 hdr->nlmsg_len += rthdr->rta_len;
1961 if (hdr->nlmsg_len > sizeof(request))
1962 {
1963 return FAILED;
1964 }
1965
1966 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1967 algo->alg_key_len = key_size;
1968 strcpy(algo->alg_name, alg_name);
1969 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1970
1971 rthdr = XFRM_RTA_NEXT(rthdr);
1972 }
1973
1974 if (int_alg->algorithm != AUTH_UNDEFINED)
1975 {
1976 rthdr->rta_type = XFRMA_ALG_AUTH;
1977 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
1978 if (alg_name == NULL)
1979 {
1980 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1981 integrity_algorithm_names, int_alg->algorithm);
1982 return FAILED;
1983 }
1984 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1985 integrity_algorithm_names, int_alg->algorithm, key_size);
1986
1987 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1988 hdr->nlmsg_len += rthdr->rta_len;
1989 if (hdr->nlmsg_len > sizeof(request))
1990 {
1991 return FAILED;
1992 }
1993
1994 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1995 algo->alg_key_len = key_size;
1996 strcpy(algo->alg_name, alg_name);
1997 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1998
1999 rthdr = XFRM_RTA_NEXT(rthdr);
2000 }
2001
2002 /* TODO: add IPComp here */
2003
2004 if (encap)
2005 {
2006 rthdr->rta_type = XFRMA_ENCAP;
2007 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2008
2009 hdr->nlmsg_len += rthdr->rta_len;
2010 if (hdr->nlmsg_len > sizeof(request))
2011 {
2012 return FAILED;
2013 }
2014
2015 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
2016 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2017 tmpl->encap_sport = htons(src->get_port(src));
2018 tmpl->encap_dport = htons(dst->get_port(dst));
2019 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2020 /* encap_oa could probably be derived from the
2021 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
2022 * pluto does the same as we do here but it uses encap_oa in the
2023 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
2024 * the kernel ignores it anyway
2025 * -> does that mean that NAT-T encap doesn't work in transport mode?
2026 * No. The reason the kernel ignores NAT-OA is that it recomputes
2027 * (or, rather, just ignores) the checksum. If packets pass
2028 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
2029 rthdr = XFRM_RTA_NEXT(rthdr);
2030 }
2031
2032 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2033 {
2034 DBG1(DBG_KNL, "unable to add SAD entry with SPI 0x%x", spi);
2035 return FAILED;
2036 }
2037 return SUCCESS;
2038 }
2039
2040 /**
2041 * Implementation of kernel_interface_t.update_sa.
2042 */
2043 static status_t update_sa(private_kernel_interface_t *this,
2044 u_int32_t spi, protocol_id_t protocol,
2045 host_t *src, host_t *dst,
2046 host_t *new_src, host_t *new_dst, bool encap)
2047 {
2048 unsigned char request[BUFFER_SIZE], *pos;
2049 struct nlmsghdr *hdr, *out = NULL;
2050 struct xfrm_usersa_id *sa_id;
2051 struct xfrm_usersa_info *out_sa = NULL, *sa;
2052 size_t len;
2053 struct rtattr *rta;
2054 size_t rtasize;
2055 struct xfrm_encap_tmpl* tmpl = NULL;
2056
2057 memset(&request, 0, sizeof(request));
2058
2059 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x for update", spi);
2060
2061 /* query the exisiting SA first */
2062 hdr = (struct nlmsghdr*)request;
2063 hdr->nlmsg_flags = NLM_F_REQUEST;
2064 hdr->nlmsg_type = XFRM_MSG_GETSA;
2065 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2066
2067 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2068 host2xfrm(dst, &sa_id->daddr);
2069 sa_id->spi = spi;
2070 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
2071 sa_id->family = dst->get_family(dst);
2072
2073 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2074 {
2075 hdr = out;
2076 while (NLMSG_OK(hdr, len))
2077 {
2078 switch (hdr->nlmsg_type)
2079 {
2080 case XFRM_MSG_NEWSA:
2081 {
2082 out_sa = NLMSG_DATA(hdr);
2083 break;
2084 }
2085 case NLMSG_ERROR:
2086 {
2087 struct nlmsgerr *err = NLMSG_DATA(hdr);
2088 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2089 strerror(-err->error), -err->error);
2090 break;
2091 }
2092 default:
2093 hdr = NLMSG_NEXT(hdr, len);
2094 continue;
2095 case NLMSG_DONE:
2096 break;
2097 }
2098 break;
2099 }
2100 }
2101 if (out_sa == NULL ||
2102 this->public.del_sa(&this->public, dst, spi, protocol) != SUCCESS)
2103 {
2104 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
2105 free(out);
2106 return FAILED;
2107 }
2108
2109 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x from %#H..%#H to %#H..%#H",
2110 spi, src, dst, new_src, new_dst);
2111
2112 /* copy over the SA from out to request */
2113 hdr = (struct nlmsghdr*)request;
2114 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
2115 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2116 hdr->nlmsg_type = XFRM_MSG_NEWSA;
2117 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2118 sa = NLMSG_DATA(hdr);
2119 sa->family = new_dst->get_family(new_dst);
2120
2121 if (!src->ip_equals(src, new_src))
2122 {
2123 host2xfrm(new_src, &sa->saddr);
2124 }
2125 if (!dst->ip_equals(dst, new_dst))
2126 {
2127 host2xfrm(new_dst, &sa->id.daddr);
2128 }
2129
2130 rta = XFRM_RTA(out, struct xfrm_usersa_info);
2131 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
2132 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
2133 while(RTA_OK(rta, rtasize))
2134 {
2135 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
2136 if (rta->rta_type != XFRMA_ENCAP || encap)
2137 {
2138 if (rta->rta_type == XFRMA_ENCAP)
2139 { /* update encap tmpl */
2140 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2141 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2142 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2143 }
2144 memcpy(pos, rta, rta->rta_len);
2145 pos += rta->rta_len;
2146 hdr->nlmsg_len += rta->rta_len;
2147 }
2148 rta = RTA_NEXT(rta, rtasize);
2149 }
2150 if (tmpl == NULL && encap)
2151 { /* add tmpl if we are enabling it */
2152 rta = (struct rtattr*)pos;
2153 rta->rta_type = XFRMA_ENCAP;
2154 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2155 hdr->nlmsg_len += rta->rta_len;
2156 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2157 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2158 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2159 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2160 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2161 }
2162
2163 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2164 {
2165 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
2166 free(out);
2167 return FAILED;
2168 }
2169 free(out);
2170
2171 return SUCCESS;
2172 }
2173
2174 /**
2175 * Implementation of kernel_interface_t.query_sa.
2176 */
2177 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
2178 u_int32_t spi, protocol_id_t protocol,
2179 u_int32_t *use_time)
2180 {
2181 unsigned char request[BUFFER_SIZE];
2182 struct nlmsghdr *out = NULL, *hdr;
2183 struct xfrm_usersa_id *sa_id;
2184 struct xfrm_usersa_info *sa = NULL;
2185 size_t len;
2186
2187 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
2188 memset(&request, 0, sizeof(request));
2189
2190 hdr = (struct nlmsghdr*)request;
2191 hdr->nlmsg_flags = NLM_F_REQUEST;
2192 hdr->nlmsg_type = XFRM_MSG_GETSA;
2193 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2194
2195 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2196 host2xfrm(dst, &sa_id->daddr);
2197 sa_id->spi = spi;
2198 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
2199 sa_id->family = dst->get_family(dst);
2200
2201 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2202 {
2203 hdr = out;
2204 while (NLMSG_OK(hdr, len))
2205 {
2206 switch (hdr->nlmsg_type)
2207 {
2208 case XFRM_MSG_NEWSA:
2209 {
2210 sa = NLMSG_DATA(hdr);
2211 break;
2212 }
2213 case NLMSG_ERROR:
2214 {
2215 struct nlmsgerr *err = NLMSG_DATA(hdr);
2216 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2217 strerror(-err->error), -err->error);
2218 break;
2219 }
2220 default:
2221 hdr = NLMSG_NEXT(hdr, len);
2222 continue;
2223 case NLMSG_DONE:
2224 break;
2225 }
2226 break;
2227 }
2228 }
2229
2230 if (sa == NULL)
2231 {
2232 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
2233 free(out);
2234 return FAILED;
2235 }
2236
2237 *use_time = sa->curlft.use_time;
2238 free (out);
2239 return SUCCESS;
2240 }
2241
2242 /**
2243 * Implementation of kernel_interface_t.del_sa.
2244 */
2245 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
2246 u_int32_t spi, protocol_id_t protocol)
2247 {
2248 unsigned char request[BUFFER_SIZE];
2249 struct nlmsghdr *hdr;
2250 struct xfrm_usersa_id *sa_id;
2251
2252 memset(&request, 0, sizeof(request));
2253
2254 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
2255
2256 hdr = (struct nlmsghdr*)request;
2257 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2258 hdr->nlmsg_type = XFRM_MSG_DELSA;
2259 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2260
2261 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2262 host2xfrm(dst, &sa_id->daddr);
2263 sa_id->spi = spi;
2264 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
2265 sa_id->family = dst->get_family(dst);
2266
2267 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2268 {
2269 DBG1(DBG_KNL, "unable to delete SAD entry with SPI 0x%x", spi);
2270 return FAILED;
2271 }
2272 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
2273 return SUCCESS;
2274 }
2275
2276 /**
2277 * Implementation of kernel_interface_t.add_policy.
2278 */
2279 static status_t add_policy(private_kernel_interface_t *this,
2280 host_t *src, host_t *dst,
2281 traffic_selector_t *src_ts,
2282 traffic_selector_t *dst_ts,
2283 policy_dir_t direction, protocol_id_t protocol,
2284 u_int32_t reqid, bool high_prio, mode_t mode)
2285 {
2286 iterator_t *iterator;
2287 policy_entry_t *current, *policy;
2288 bool found = FALSE;
2289 unsigned char request[BUFFER_SIZE];
2290 struct xfrm_userpolicy_info *policy_info;
2291 struct nlmsghdr *hdr;
2292
2293 /* create a policy */
2294 policy = malloc_thing(policy_entry_t);
2295 memset(policy, 0, sizeof(policy_entry_t));
2296 policy->sel = ts2selector(src_ts, dst_ts);
2297 policy->direction = direction;
2298
2299 /* find the policy, which matches EXACTLY */
2300 pthread_mutex_lock(&this->mutex);
2301 iterator = this->policies->create_iterator(this->policies, TRUE);
2302 while (iterator->iterate(iterator, (void**)&current))
2303 {
2304 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
2305 policy->direction == current->direction)
2306 {
2307 /* use existing policy */
2308 current->refcount++;
2309 DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
2310 "refcount", src_ts, dst_ts);
2311 free(policy);
2312 policy = current;
2313 found = TRUE;
2314 break;
2315 }
2316 }
2317 iterator->destroy(iterator);
2318 if (!found)
2319 { /* apply the new one, if we have no such policy */
2320 this->policies->insert_last(this->policies, policy);
2321 policy->refcount = 1;
2322 }
2323
2324 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
2325
2326 memset(&request, 0, sizeof(request));
2327 hdr = (struct nlmsghdr*)request;
2328 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2329 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2330 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2331
2332 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2333 policy_info->sel = policy->sel;
2334 policy_info->dir = policy->direction;
2335 /* calculate priority based on source selector size, small size = high prio */
2336 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2337 policy_info->priority -= policy->sel.prefixlen_s * 10;
2338 policy_info->priority -= policy->sel.proto ? 2 : 0;
2339 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2340 policy_info->action = XFRM_POLICY_ALLOW;
2341 policy_info->share = XFRM_SHARE_ANY;
2342 pthread_mutex_unlock(&this->mutex);
2343
2344 /* policies don't expire */
2345 policy_info->lft.soft_byte_limit = XFRM_INF;
2346 policy_info->lft.soft_packet_limit = XFRM_INF;
2347 policy_info->lft.hard_byte_limit = XFRM_INF;
2348 policy_info->lft.hard_packet_limit = XFRM_INF;
2349 policy_info->lft.soft_add_expires_seconds = 0;
2350 policy_info->lft.hard_add_expires_seconds = 0;
2351 policy_info->lft.soft_use_expires_seconds = 0;
2352 policy_info->lft.hard_use_expires_seconds = 0;
2353
2354 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2355 rthdr->rta_type = XFRMA_TMPL;
2356
2357 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
2358 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
2359
2360 hdr->nlmsg_len += rthdr->rta_len;
2361 if (hdr->nlmsg_len > sizeof(request))
2362 {
2363 return FAILED;
2364 }
2365
2366 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2367 tmpl->reqid = reqid;
2368 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
2369 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2370 tmpl->mode = mode;
2371 tmpl->family = src->get_family(src);
2372
2373 host2xfrm(src, &tmpl->saddr);
2374 host2xfrm(dst, &tmpl->id.daddr);
2375
2376 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2377 {
2378 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
2379 return FAILED;
2380 }
2381
2382 /* install a route, if:
2383 * - we are NOT updating a policy
2384 * - this is a forward policy (to just get one for each child)
2385 * - we are in tunnel mode
2386 * - we are not using IPv6 (does not work correctly yet!)
2387 */
2388 if (policy->route == NULL && direction == POLICY_FWD &&
2389 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6)
2390 {
2391 policy->route = malloc_thing(route_entry_t);
2392 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2393 {
2394 /* get the nexthop to src (src as we are in POLICY_FWD).*/
2395 policy->route->gateway = get_route(this, src, TRUE);
2396 policy->route->if_index = get_interface_index(this, dst);
2397 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2398 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
2399 policy->route->prefixlen = policy->sel.prefixlen_s;
2400
2401 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
2402 policy->route) != SUCCESS)
2403 {
2404 DBG1(DBG_KNL, "unable to install source route for %H",
2405 policy->route->src_ip);
2406 route_entry_destroy(policy->route);
2407 policy->route = NULL;
2408 }
2409 }
2410 else
2411 {
2412 free(policy->route);
2413 policy->route = NULL;
2414 }
2415 }
2416
2417 return SUCCESS;
2418 }
2419
2420 /**
2421 * Implementation of kernel_interface_t.query_policy.
2422 */
2423 static status_t query_policy(private_kernel_interface_t *this,
2424 traffic_selector_t *src_ts,
2425 traffic_selector_t *dst_ts,
2426 policy_dir_t direction, u_int32_t *use_time)
2427 {
2428 unsigned char request[BUFFER_SIZE];
2429 struct nlmsghdr *out = NULL, *hdr;
2430 struct xfrm_userpolicy_id *policy_id;
2431 struct xfrm_userpolicy_info *policy = NULL;
2432 size_t len;
2433
2434 memset(&request, 0, sizeof(request));
2435
2436 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
2437
2438 hdr = (struct nlmsghdr*)request;
2439 hdr->nlmsg_flags = NLM_F_REQUEST;
2440 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2441 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2442
2443 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2444 policy_id->sel = ts2selector(src_ts, dst_ts);
2445 policy_id->dir = direction;
2446
2447 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2448 {
2449 hdr = out;
2450 while (NLMSG_OK(hdr, len))
2451 {
2452 switch (hdr->nlmsg_type)
2453 {
2454 case XFRM_MSG_NEWPOLICY:
2455 {
2456 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2457 break;
2458 }
2459 case NLMSG_ERROR:
2460 {
2461 struct nlmsgerr *err = NLMSG_DATA(hdr);
2462 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2463 strerror(-err->error), -err->error);
2464 break;
2465 }
2466 default:
2467 hdr = NLMSG_NEXT(hdr, len);
2468 continue;
2469 case NLMSG_DONE:
2470 break;
2471 }
2472 break;
2473 }
2474 }
2475
2476 if (policy == NULL)
2477 {
2478 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
2479 free(out);
2480 return FAILED;
2481 }
2482 *use_time = (time_t)policy->curlft.use_time;
2483
2484 free(out);
2485 return SUCCESS;
2486 }
2487
2488 /**
2489 * Implementation of kernel_interface_t.del_policy.
2490 */
2491 static status_t del_policy(private_kernel_interface_t *this,
2492 traffic_selector_t *src_ts,
2493 traffic_selector_t *dst_ts,
2494 policy_dir_t direction)
2495 {
2496 policy_entry_t *current, policy, *to_delete = NULL;
2497 route_entry_t *route;
2498 unsigned char request[BUFFER_SIZE];
2499 struct nlmsghdr *hdr;
2500 struct xfrm_userpolicy_id *policy_id;
2501 iterator_t *iterator;
2502
2503 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
2504
2505 /* create a policy */
2506 memset(&policy, 0, sizeof(policy_entry_t));
2507 policy.sel = ts2selector(src_ts, dst_ts);
2508 policy.direction = direction;
2509
2510 /* find the policy */
2511 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2512 while (iterator->iterate(iterator, (void**)&current))
2513 {
2514 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2515 policy.direction == current->direction)
2516 {
2517 to_delete = current;
2518 if (--to_delete->refcount > 0)
2519 {
2520 /* is used by more SAs, keep in kernel */
2521 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2522 iterator->destroy(iterator);
2523 return SUCCESS;
2524 }
2525 /* remove if last reference */
2526 iterator->remove(iterator);
2527 break;
2528 }
2529 }
2530 iterator->destroy(iterator);
2531 if (!to_delete)
2532 {
2533 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
2534 return NOT_FOUND;
2535 }
2536
2537 memset(&request, 0, sizeof(request));
2538
2539 hdr = (struct nlmsghdr*)request;
2540 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2541 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2542 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2543
2544 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2545 policy_id->sel = to_delete->sel;
2546 policy_id->dir = direction;
2547
2548 route = to_delete->route;
2549 free(to_delete);
2550
2551 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2552 {
2553 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
2554 return FAILED;
2555 }
2556
2557 if (route)
2558 {
2559 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2560 {
2561 DBG1(DBG_KNL, "error uninstalling route installed with "
2562 "policy %R===%R", src_ts, dst_ts);
2563 }
2564 route_entry_destroy(route);
2565 }
2566 return SUCCESS;
2567 }
2568
2569 /**
2570 * Implementation of kernel_interface_t.destroy.
2571 */
2572 static void destroy(private_kernel_interface_t *this)
2573 {
2574 manage_rule(this, RTM_DELRULE, IPSEC_ROUTING_TABLE, IPSEC_ROUTING_TABLE_PRIO);
2575
2576 this->job->cancel(this->job);
2577 close(this->socket_xfrm_events);
2578 close(this->socket_xfrm);
2579 close(this->socket_rt_events);
2580 close(this->socket_rt);
2581 this->policies->destroy(this->policies);
2582 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
2583 free(this);
2584 }
2585
2586 /*
2587 * Described in header.
2588 */
2589 kernel_interface_t *kernel_interface_create()
2590 {
2591 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2592 struct sockaddr_nl addr;
2593 pthread_mutexattr_t attr;
2594
2595 /* public functions */
2596 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2597 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,mode_t,bool,bool))add_sa;
2598 this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
2599 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2600 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2601 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t))add_policy;
2602 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2603 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2604 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2605 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2606 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
2607 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2608 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
2609 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2610
2611 /* private members */
2612 this->policies = linked_list_create();
2613 this->ifaces = linked_list_create();
2614 this->hiter = NULL;
2615 this->seq = 200;
2616 pthread_mutexattr_init(&attr);
2617 pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE);
2618 pthread_mutex_init(&this->mutex, &attr);
2619 pthread_mutexattr_destroy(&attr);
2620 pthread_cond_init(&this->cond, NULL);
2621 timerclear(&this->last_roam);
2622
2623 memset(&addr, 0, sizeof(addr));
2624 addr.nl_family = AF_NETLINK;
2625
2626 /* create and bind RT socket */
2627 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2628 if (this->socket_rt <= 0)
2629 {
2630 charon->kill(charon, "unable to create RT netlink socket");
2631 }
2632 addr.nl_groups = 0;
2633 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
2634 {
2635 charon->kill(charon, "unable to bind RT netlink socket");
2636 }
2637
2638 /* create and bind RT socket for events (address/interface/route changes) */
2639 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2640 if (this->socket_rt_events <= 0)
2641 {
2642 charon->kill(charon, "unable to create RT event socket");
2643 }
2644 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
2645 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
2646 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
2647 {
2648 charon->kill(charon, "unable to bind RT event socket");
2649 }
2650
2651 /* create and bind XFRM socket */
2652 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2653 if (this->socket_xfrm <= 0)
2654 {
2655 charon->kill(charon, "unable to create XFRM netlink socket");
2656 }
2657 addr.nl_groups = 0;
2658 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
2659 {
2660 charon->kill(charon, "unable to bind XFRM netlink socket");
2661 }
2662
2663 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2664 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2665 if (this->socket_xfrm_events <= 0)
2666 {
2667 charon->kill(charon, "unable to create XFRM event socket");
2668 }
2669 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
2670 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2671 {
2672 charon->kill(charon, "unable to bind XFRM event socket");
2673 }
2674
2675 this->job = callback_job_create((callback_job_cb_t)receive_events,
2676 this, NULL, NULL);
2677 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2678
2679 if (init_address_list(this) != SUCCESS)
2680 {
2681 charon->kill(charon, "unable to get interface list");
2682 }
2683
2684 if (manage_rule(this, RTM_NEWRULE, IPSEC_ROUTING_TABLE,
2685 IPSEC_ROUTING_TABLE_PRIO) != SUCCESS)
2686 {
2687 DBG1(DBG_KNL, "unable to create routing table rule");
2688 }
2689
2690 return &this->public;
2691 }
2692
strongSwan - IPsec VPN