implemented address change notification (for MOBIKE)
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Based on xfrm code from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
36 #include <pthread.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 #include <string.h>
41 #include <net/if.h>
42 #include <sys/ioctl.h>
43
44 #include "kernel_interface.h"
45
46 #include <daemon.h>
47 #include <utils/linked_list.h>
48 #include <processing/jobs/delete_child_sa_job.h>
49 #include <processing/jobs/rekey_child_sa_job.h>
50 #include <processing/jobs/acquire_job.h>
51 #include <processing/jobs/callback_job.h>
52
53 /** kernel level protocol identifiers */
54 #define KERNEL_ESP 50
55 #define KERNEL_AH 51
56
57 /** default priority of installed policies */
58 #define PRIO_LOW 3000
59 #define PRIO_HIGH 2000
60
61 #define BUFFER_SIZE 1024
62
63 /**
64 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
65 * 'usual' netlink data x like 'struct xfrm_usersa_info'
66 */
67 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
68 /**
69 * returns a pointer to the next rtattr following rta.
70 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
71 */
72 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
73 /**
74 * returns the total size of attached rta data
75 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
76 */
77 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
78
79 typedef struct kernel_algorithm_t kernel_algorithm_t;
80
81 /**
82 * Mapping from the algorithms defined in IKEv2 to
83 * kernel level algorithm names and their key length
84 */
85 struct kernel_algorithm_t {
86 /**
87 * Identifier specified in IKEv2
88 */
89 int ikev2_id;
90
91 /**
92 * Name of the algorithm, as used as kernel identifier
93 */
94 char *name;
95
96 /**
97 * Key length in bits, if fixed size
98 */
99 u_int key_size;
100 };
101 #define END_OF_LIST -1
102
103 /**
104 * Algorithms for encryption
105 */
106 kernel_algorithm_t encryption_algs[] = {
107 /* {ENCR_DES_IV64, "***", 0}, */
108 {ENCR_DES, "des", 64},
109 {ENCR_3DES, "des3_ede", 192},
110 /* {ENCR_RC5, "***", 0}, */
111 /* {ENCR_IDEA, "***", 0}, */
112 {ENCR_CAST, "cast128", 0},
113 {ENCR_BLOWFISH, "blowfish", 0},
114 /* {ENCR_3IDEA, "***", 0}, */
115 /* {ENCR_DES_IV32, "***", 0}, */
116 {ENCR_NULL, "cipher_null", 0},
117 {ENCR_AES_CBC, "aes", 0},
118 /* {ENCR_AES_CTR, "***", 0}, */
119 {END_OF_LIST, NULL, 0},
120 };
121
122 /**
123 * Algorithms for integrity protection
124 */
125 kernel_algorithm_t integrity_algs[] = {
126 {AUTH_HMAC_MD5_96, "md5", 128},
127 {AUTH_HMAC_SHA1_96, "sha1", 160},
128 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
129 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
130 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
131 /* {AUTH_DES_MAC, "***", 0}, */
132 /* {AUTH_KPDK_MD5, "***", 0}, */
133 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
134 {END_OF_LIST, NULL, 0},
135 };
136
137 /**
138 * Look up a kernel algorithm name and its key size
139 */
140 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
141 algorithm_t *ikev2_algo, u_int *key_size)
142 {
143 while (kernel_algo->ikev2_id != END_OF_LIST)
144 {
145 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
146 {
147 /* match, evaluate key length */
148 if (ikev2_algo->key_size)
149 { /* variable length */
150 *key_size = ikev2_algo->key_size;
151 }
152 else
153 { /* fixed length */
154 *key_size = kernel_algo->key_size;
155 }
156 return kernel_algo->name;
157 }
158 kernel_algo++;
159 }
160 return NULL;
161 }
162
163 typedef struct route_entry_t route_entry_t;
164
165 /**
166 * installed routing entry
167 */
168 struct route_entry_t {
169
170 /** Index of the interface the route is bound to */
171 int if_index;
172
173 /** Source ip of the route */
174 host_t *src_ip;
175
176 /** gateway for this route */
177 host_t *gateway;
178
179 /** Destination net */
180 chunk_t dst_net;
181
182 /** Destination net prefixlen */
183 u_int8_t prefixlen;
184 };
185
186 /**
187 * destroy an route_entry_t object
188 */
189 static void route_entry_destroy(route_entry_t *this)
190 {
191 this->src_ip->destroy(this->src_ip);
192 this->gateway->destroy(this->gateway);
193 chunk_free(&this->dst_net);
194 free(this);
195 }
196
197 typedef struct policy_entry_t policy_entry_t;
198
199 /**
200 * installed kernel policy.
201 */
202 struct policy_entry_t {
203
204 /** direction of this policy: in, out, forward */
205 u_int8_t direction;
206
207 /** reqid of the policy */
208 u_int32_t reqid;
209
210 /** parameters of installed policy */
211 struct xfrm_selector sel;
212
213 /** associated route installed for this policy */
214 route_entry_t *route;
215
216 /** by how many CHILD_SA's this policy is used */
217 u_int refcount;
218 };
219
220 typedef struct vip_entry_t vip_entry_t;
221
222 /**
223 * Installed virtual ip
224 */
225 struct vip_entry_t {
226 /** Index of the interface the ip is bound to */
227 u_int8_t if_index;
228
229 /** The ip address */
230 host_t *ip;
231
232 /** Number of times this IP is used */
233 u_int refcount;
234 };
235
236 /**
237 * destroy a vip_entry_t object
238 */
239 static void vip_entry_destroy(vip_entry_t *this)
240 {
241 this->ip->destroy(this->ip);
242 free(this);
243 }
244
245 typedef struct address_entry_t address_entry_t;
246
247 /**
248 * an address found on the system, containg address and interface info
249 */
250 struct address_entry_t {
251
252 /** address of this entry */
253 host_t *host;
254
255 /** interface index */
256 int ifindex;
257
258 /** name of the index */
259 char ifname[IFNAMSIZ];
260 };
261
262 /**
263 * destroy an address entry
264 */
265 static void address_entry_destroy(address_entry_t *this)
266 {
267 this->host->destroy(this->host);
268 free(this);
269 }
270
271 typedef struct private_kernel_interface_t private_kernel_interface_t;
272
273 /**
274 * Private variables and functions of kernel_interface class.
275 */
276 struct private_kernel_interface_t {
277 /**
278 * Public part of the kernel_interface_t object.
279 */
280 kernel_interface_t public;
281
282 /**
283 * List of installed policies (kernel_entry_t)
284 */
285 linked_list_t *policies;
286
287 /**
288 * Mutex locks access to policies
289 */
290 pthread_mutex_t policies_mutex;
291
292 /**
293 * List of installed virtual IPs. (vip_entry_t)
294 */
295 linked_list_t *vips;
296
297 /**
298 * Mutex to lock access to vips.
299 */
300 pthread_mutex_t vips_mutex;
301
302 /**
303 * Cached list of IP adresses (address_entry_t)
304 */
305 linked_list_t *addrs;
306
307 /**
308 * Mutex to lock access to addr.
309 */
310 pthread_mutex_t addrs_mutex;
311
312 /**
313 * job receiving xfrm events
314 */
315 callback_job_t *job;
316
317 /**
318 * Netlink xfrm socket (IPsec)
319 */
320 int socket_xfrm;
321
322 /**
323 * netlink xfrm socket to receive acquire and expire events
324 */
325 int socket_xfrm_events;
326
327 /**
328 * Netlink rt socket (routing)
329 */
330 int socket_rt;
331
332 /**
333 * Netlink rt socket to receive address change events
334 */
335 int socket_rt_events;
336 };
337
338 /**
339 * convert a host_t to a struct xfrm_address
340 */
341 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
342 {
343 chunk_t chunk = host->get_address(host);
344 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
345 }
346
347 /**
348 * convert a traffic selector address range to subnet and its mask.
349 */
350 static void ts2subnet(traffic_selector_t* ts,
351 xfrm_address_t *net, u_int8_t *mask)
352 {
353 /* there is no way to do this cleanly, as the address range may
354 * be anything else but a subnet. We use from_addr as subnet
355 * and try to calculate a usable subnet mask.
356 */
357 int byte, bit;
358 bool found = FALSE;
359 chunk_t from, to;
360 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
361
362 from = ts->get_from_address(ts);
363 to = ts->get_to_address(ts);
364
365 *mask = (size * 8);
366 /* go trough all bits of the addresses, beginning in the front.
367 * as long as they are equal, the subnet gets larger
368 */
369 for (byte = 0; byte < size; byte++)
370 {
371 for (bit = 7; bit >= 0; bit--)
372 {
373 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
374 {
375 *mask = ((7 - bit) + (byte * 8));
376 found = TRUE;
377 break;
378 }
379 }
380 if (found)
381 {
382 break;
383 }
384 }
385 memcpy(net, from.ptr, from.len);
386 chunk_free(&from);
387 chunk_free(&to);
388 }
389
390 /**
391 * convert a traffic selector port range to port/portmask
392 */
393 static void ts2ports(traffic_selector_t* ts,
394 u_int16_t *port, u_int16_t *mask)
395 {
396 /* linux does not seem to accept complex portmasks. Only
397 * any or a specific port is allowed. We set to any, if we have
398 * a port range, or to a specific, if we have one port only.
399 */
400 u_int16_t from, to;
401
402 from = ts->get_from_port(ts);
403 to = ts->get_to_port(ts);
404
405 if (from == to)
406 {
407 *port = htons(from);
408 *mask = ~0;
409 }
410 else
411 {
412 *port = 0;
413 *mask = 0;
414 }
415 }
416
417 /**
418 * convert a pair of traffic_selectors to a xfrm_selector
419 */
420 static struct xfrm_selector ts2selector(traffic_selector_t *src,
421 traffic_selector_t *dst)
422 {
423 struct xfrm_selector sel;
424
425 memset(&sel, 0, sizeof(sel));
426 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
427 /* src or dest proto may be "any" (0), use more restrictive one */
428 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
429 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
430 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
431 ts2ports(dst, &sel.dport, &sel.dport_mask);
432 ts2ports(src, &sel.sport, &sel.sport_mask);
433 sel.ifindex = 0;
434 sel.user = 0;
435
436 return sel;
437 }
438
439 /**
440 * Creates an rtattr and adds it to the netlink message
441 */
442 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
443 size_t buflen)
444 {
445 struct rtattr *rta;
446
447 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
448 {
449 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
450 return;
451 }
452
453 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
454 rta->rta_type = rta_type;
455 rta->rta_len = RTA_LENGTH(data.len);
456 memcpy(RTA_DATA(rta), data.ptr, data.len);
457 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
458 }
459
460 /**
461 * process a XFRM_MSG_ACQUIRE from kernel
462 */
463 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
464 {
465 u_int32_t reqid = 0;
466 job_t *job;
467 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
468 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
469
470 if (RTA_OK(rtattr, rtsize))
471 {
472 if (rtattr->rta_type == XFRMA_TMPL)
473 {
474 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
475 reqid = tmpl->reqid;
476 }
477 }
478 if (reqid == 0)
479 {
480 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
481 return;
482 }
483 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
484 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
485 job = (job_t*)acquire_job_create(reqid);
486 charon->processor->queue_job(charon->processor, job);
487 }
488
489 /**
490 * process a XFRM_MSG_EXPIRE from kernel
491 */
492 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
493 {
494 job_t *job;
495 protocol_id_t protocol;
496 u_int32_t spi, reqid;
497 struct xfrm_user_expire *expire;
498
499 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
500 protocol = expire->state.id.proto == KERNEL_ESP ? PROTO_ESP : PROTO_AH;
501 spi = expire->state.id.spi;
502 reqid = expire->state.reqid;
503
504 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
505 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
506 expire->hard ? "delete" : "rekey", protocol_id_names,
507 protocol, ntohl(spi), reqid);
508 if (expire->hard)
509 {
510 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
511 }
512 else
513 {
514 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
515 }
516 charon->processor->queue_job(charon->processor, job);
517 }
518
519 /**
520 * process a RTM_NEWADDR from kernel
521 */
522 static void process_newaddr(private_kernel_interface_t *this,
523 struct nlmsghdr *hdr, bool initial)
524 {
525 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
526 struct rtattr *rta = IFA_RTA(msg);
527 size_t rtasize = IFA_PAYLOAD (hdr);
528 host_t *host = NULL;
529 char *name = NULL;
530 chunk_t local = chunk_empty, address = chunk_empty;
531
532 while(RTA_OK(rta, rtasize))
533 {
534 switch (rta->rta_type)
535 {
536 case IFA_LOCAL:
537 local.ptr = RTA_DATA(rta);
538 local.len = RTA_PAYLOAD(rta);
539 break;
540 case IFA_ADDRESS:
541 address.ptr = RTA_DATA(rta);
542 address.len = RTA_PAYLOAD(rta);
543 break;
544 case IFA_LABEL:
545 name = RTA_DATA(rta);
546 break;
547 }
548 rta = RTA_NEXT(rta, rtasize);
549 }
550
551 /* For PPP interfaces, we need the IFA_LOCAL address,
552 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
553 * not included in all cases, so fallback to IFA_ADDRESS. */
554 if (local.ptr)
555 {
556 host = host_create_from_chunk(msg->ifa_family, local, 0);
557 }
558 else if (address.ptr)
559 {
560 host = host_create_from_chunk(msg->ifa_family, address, 0);
561 }
562
563 if (host)
564 {
565 address_entry_t *entry;
566
567 entry = malloc_thing(address_entry_t);
568 entry->host = host;
569 entry->ifindex = msg->ifa_index;
570 if (name)
571 {
572 memcpy(entry->ifname, name, IFNAMSIZ);
573 }
574 else
575 {
576 strcpy(entry->ifname, "(unknown)");
577 }
578
579 if (initial)
580 {
581 DBG1(DBG_KNL, " %H on %s", host, entry->ifname);
582 }
583 else
584 {
585 DBG1(DBG_KNL, "%H appeared on %s", host, entry->ifname);
586 }
587
588 pthread_mutex_lock(&this->addrs_mutex);
589 this->addrs->insert_last(this->addrs, entry);
590 pthread_mutex_unlock(&this->addrs_mutex);
591 }
592 }
593
594
595 /**
596 * process a RTM_DELADDR from kernel
597 */
598 static void process_deladdr(private_kernel_interface_t *this, struct nlmsghdr *hdr)
599 {
600 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
601 struct rtattr *rta = IFA_RTA(msg);
602 size_t rtasize = IFA_PAYLOAD (hdr);
603 host_t *host = NULL;
604 chunk_t local = chunk_empty, address = chunk_empty;
605
606 while(RTA_OK(rta, rtasize))
607 {
608 switch (rta->rta_type)
609 {
610 case IFA_LOCAL:
611 local.ptr = RTA_DATA(rta);
612 local.len = RTA_PAYLOAD(rta);
613 break;
614 case IFA_ADDRESS:
615 address.ptr = RTA_DATA(rta);
616 address.len = RTA_PAYLOAD(rta);
617 break;
618 }
619 rta = RTA_NEXT(rta, rtasize);
620 }
621
622 /* same stuff as in newaddr */
623 if (local.ptr)
624 {
625 host = host_create_from_chunk(msg->ifa_family, local, 0);
626 }
627 else if (address.ptr)
628 {
629 host = host_create_from_chunk(msg->ifa_family, address, 0);
630 }
631
632 if (host)
633 {
634 address_entry_t *entry;
635 iterator_t *iterator;
636
637 iterator = this->addrs->create_iterator_locked(this->addrs,
638 &this->addrs_mutex);
639 while (iterator->iterate(iterator, (void**)&entry))
640 {
641 if (entry->ifindex == msg->ifa_index &&
642 host->equals(host, entry->host))
643 {
644 iterator->remove(iterator);
645 DBG1(DBG_KNL, "%H disappeared from %s", host, entry->ifname);
646 address_entry_destroy(entry);
647 }
648 }
649 iterator->destroy(iterator);
650 host->destroy(host);
651 }
652 }
653
654 /**
655 * Receives events from kernel
656 */
657 static job_requeue_t receive_events(private_kernel_interface_t *this)
658 {
659 char response[512];
660 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
661 struct sockaddr_nl addr;
662 socklen_t addr_len = sizeof(addr);
663 int len, oldstate, maxfd, selected;
664 fd_set rfds;
665
666 FD_ZERO(&rfds);
667 FD_SET(this->socket_xfrm_events, &rfds);
668 FD_SET(this->socket_rt_events, &rfds);
669 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
670
671 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
672 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
673 pthread_setcancelstate(oldstate, NULL);
674 if (selected <= 0)
675 {
676 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
677 return JOB_REQUEUE_FAIR;
678 }
679 if (FD_ISSET(this->socket_xfrm_events, &rfds))
680 {
681 selected = this->socket_xfrm_events;
682 }
683 else if (FD_ISSET(this->socket_rt_events, &rfds))
684 {
685 selected = this->socket_rt_events;
686 }
687 else
688 {
689 return JOB_REQUEUE_DIRECT;
690 }
691
692 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
693 (struct sockaddr*)&addr, &addr_len);
694 if (len < 0)
695 {
696 switch (errno)
697 {
698 case EINTR:
699 /* interrupted, try again */
700 return JOB_REQUEUE_DIRECT;
701 case EAGAIN:
702 /* no data ready, select again */
703 return JOB_REQUEUE_DIRECT;
704 default:
705 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
706 sleep(1);
707 return JOB_REQUEUE_FAIR;
708 }
709 }
710 if (addr.nl_pid != 0)
711 { /* not from kernel. not interested, try another one */
712 return JOB_REQUEUE_DIRECT;
713 }
714
715 while (NLMSG_OK(hdr, len))
716 {
717 /* looks good so far, dispatch netlink message */
718 if (selected == this->socket_xfrm_events)
719 {
720 switch (hdr->nlmsg_type)
721 {
722 case XFRM_MSG_ACQUIRE:
723 process_acquire(this, hdr);
724 break;
725 case XFRM_MSG_EXPIRE:
726 process_expire(this, hdr);
727 break;
728 default:
729 break;
730 }
731 }
732 else if (selected == this->socket_rt_events)
733 {
734 switch (hdr->nlmsg_type)
735 {
736 case RTM_NEWADDR:
737 process_newaddr(this, hdr, FALSE);
738 break;
739 case RTM_DELADDR:
740 process_deladdr(this, hdr);
741 break;
742 default:
743 break;
744 }
745 }
746 hdr = NLMSG_NEXT(hdr, len);
747
748 }
749 return JOB_REQUEUE_DIRECT;
750 }
751
752 /**
753 * send a netlink message and wait for a reply
754 */
755 static status_t netlink_send(int socket, struct nlmsghdr *in,
756 struct nlmsghdr **out, size_t *out_len)
757 {
758 int len, addr_len;
759 struct sockaddr_nl addr;
760 chunk_t result = chunk_empty, tmp;
761 struct nlmsghdr *msg, peek;
762
763 static int seq = 200;
764 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
765
766
767 pthread_mutex_lock(&mutex);
768
769 in->nlmsg_seq = ++seq;
770 in->nlmsg_pid = getpid();
771
772 memset(&addr, 0, sizeof(addr));
773 addr.nl_family = AF_NETLINK;
774 addr.nl_pid = 0;
775 addr.nl_groups = 0;
776
777 while (TRUE)
778 {
779 len = sendto(socket, in, in->nlmsg_len, 0,
780 (struct sockaddr*)&addr, sizeof(addr));
781
782 if (len != in->nlmsg_len)
783 {
784 if (errno == EINTR)
785 {
786 /* interrupted, try again */
787 continue;
788 }
789 pthread_mutex_unlock(&mutex);
790 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
791 return FAILED;
792 }
793 break;
794 }
795
796 while (TRUE)
797 {
798 char buf[1024];
799 tmp.len = sizeof(buf);
800 tmp.ptr = buf;
801 msg = (struct nlmsghdr*)tmp.ptr;
802
803 memset(&addr, 0, sizeof(addr));
804 addr.nl_family = AF_NETLINK;
805 addr.nl_pid = getpid();
806 addr.nl_groups = 0;
807 addr_len = sizeof(addr);
808
809 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
810 (struct sockaddr*)&addr, &addr_len);
811
812 if (len < 0)
813 {
814 if (errno == EINTR)
815 {
816 DBG1(DBG_IKE, "got interrupted");
817 /* interrupted, try again */
818 continue;
819 }
820 DBG1(DBG_IKE, "error reading from netlink socket: %s", strerror(errno));
821 pthread_mutex_unlock(&mutex);
822 return FAILED;
823 }
824 if (!NLMSG_OK(msg, len))
825 {
826 DBG1(DBG_IKE, "received corrupted netlink message");
827 pthread_mutex_unlock(&mutex);
828 return FAILED;
829 }
830 if (msg->nlmsg_seq != seq)
831 {
832 DBG1(DBG_IKE, "received invalid netlink sequence number");
833 if (msg->nlmsg_seq < seq)
834 {
835 continue;
836 }
837 pthread_mutex_unlock(&mutex);
838 return FAILED;
839 }
840
841 tmp.len = len;
842 result = chunk_cata("cc", result, tmp);
843
844 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
845 * numbers to detect multi header messages */
846 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
847 (struct sockaddr*)&addr, &addr_len);
848
849 if (len == sizeof(peek) && peek.nlmsg_seq == seq)
850 {
851 /* seems to be multipart */
852 continue;
853 }
854 break;
855 }
856
857 *out_len = result.len;
858 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
859
860 pthread_mutex_unlock(&mutex);
861
862 return SUCCESS;
863 }
864
865 /**
866 * send a netlink message and wait for its acknowlegde
867 */
868 static status_t netlink_send_ack(int socket, struct nlmsghdr *in)
869 {
870 struct nlmsghdr *out, *hdr;
871 size_t len;
872
873 if (netlink_send(socket, in, &out, &len) != SUCCESS)
874 {
875 return FAILED;
876 }
877 hdr = out;
878 while (NLMSG_OK(hdr, len))
879 {
880 switch (hdr->nlmsg_type)
881 {
882 case NLMSG_ERROR:
883 {
884 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
885
886 if (err->error)
887 {
888 DBG1(DBG_KNL, "received netlink error: %s (%d)",
889 strerror(-err->error), -err->error);
890 free(out);
891 return FAILED;
892 }
893 free(out);
894 return SUCCESS;
895 }
896 default:
897 hdr = NLMSG_NEXT(hdr, len);
898 continue;
899 case NLMSG_DONE:
900 break;
901 }
902 break;
903 }
904 DBG1(DBG_KNL, "netlink request not acknowlegded");
905 free(out);
906 return FAILED;
907 }
908
909 /**
910 * Initialize a list of local addresses.
911 */
912 static void init_address_list(private_kernel_interface_t *this)
913 {
914 char request[BUFFER_SIZE];
915 struct nlmsghdr *out, *hdr;
916 struct rtgenmsg *msg;
917 size_t len;
918
919 DBG1(DBG_IKE, "listening on interfaces:");
920
921 memset(&request, 0, sizeof(request));
922
923 hdr = (struct nlmsghdr*)&request;
924 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
925 hdr->nlmsg_type = RTM_GETADDR;
926 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
927 msg = (struct rtgenmsg*)NLMSG_DATA(hdr);
928 msg->rtgen_family = AF_UNSPEC;
929
930 if (netlink_send(this->socket_rt, hdr, &out, &len) == SUCCESS)
931 {
932 hdr = out;
933 while (NLMSG_OK(hdr, len))
934 {
935 switch (hdr->nlmsg_type)
936 {
937 case RTM_NEWADDR:
938 {
939 process_newaddr(this, hdr, TRUE);
940 hdr = NLMSG_NEXT(hdr, len);
941 continue;
942 }
943 default:
944 hdr = NLMSG_NEXT(hdr, len);
945 continue;
946 case NLMSG_DONE:
947 break;
948 }
949 break;
950 }
951 free(out);
952 }
953 else
954 {
955 DBG1(DBG_IKE, "unable to get local address list");
956 }
957 }
958
959 /**
960 * iterator hook to return address, not address_entry_t
961 */
962 bool address_iterator_hook(private_kernel_interface_t *this,
963 address_entry_t *in, host_t **out)
964 {
965 *out = in->host;
966 return TRUE;
967 }
968
969 /**
970 * Implements kernel_interface_t.create_address_iterator.
971 */
972 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
973 {
974 iterator_t *iterator;
975
976 iterator = this->addrs->create_iterator_locked(this->addrs, &this->addrs_mutex);
977 iterator->set_iterator_hook(iterator,
978 (iterator_hook_t*)address_iterator_hook, this);
979 return iterator;
980 }
981
982 /**
983 * implementation of kernel_interface_t.get_interface_name
984 */
985 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
986 {
987 iterator_t *iterator;
988 address_entry_t *entry;
989 char *name = NULL;
990
991 DBG2(DBG_IKE, "getting interface name for %H", ip);
992
993 iterator = this->addrs->create_iterator_locked(this->addrs, &this->addrs_mutex);
994 while (iterator->iterate(iterator, (void**)&entry))
995 {
996 if (ip->ip_equals(ip, entry->host))
997 {
998 name = strdup(entry->ifname);
999 break;
1000 }
1001 }
1002 iterator->destroy(iterator);
1003
1004 if (name)
1005 {
1006 DBG2(DBG_IKE, "%H is on interface %s", ip, name);
1007 }
1008 else
1009 {
1010 DBG2(DBG_IKE, "%H is not a local address", ip);
1011 }
1012 return name;
1013 }
1014
1015 /**
1016 * Tries to find an ip address of a local interface that is included in the
1017 * supplied traffic selector.
1018 */
1019 static status_t get_address_by_ts(private_kernel_interface_t *this,
1020 traffic_selector_t *ts, host_t **ip)
1021 {
1022 iterator_t *iterator;
1023 address_entry_t *entry;
1024 host_t *host;
1025 int family;
1026 bool found = FALSE;
1027
1028 DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts);
1029
1030 /* if we have a family which includes localhost, we do not
1031 * search for an IP, we use the default */
1032 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1033
1034 if (family == AF_INET)
1035 {
1036 host = host_create_from_string("127.0.0.1", 0);
1037 }
1038 else
1039 {
1040 host = host_create_from_string("::1", 0);
1041 }
1042
1043 if (ts->includes(ts, host))
1044 {
1045 *ip = host_create_any(family);
1046 host->destroy(host);
1047 DBG2(DBG_IKE, "using host %H", *ip);
1048 return SUCCESS;
1049 }
1050 host->destroy(host);
1051
1052 iterator = this->addrs->create_iterator_locked(this->addrs, &this->addrs_mutex);
1053 while (iterator->iterate(iterator, (void**)&entry))
1054 {
1055 if (ts->includes(ts, entry->host))
1056 {
1057 found = TRUE;
1058 *ip = entry->host->clone(entry->host);
1059 break;
1060 }
1061 }
1062 iterator->destroy(iterator);
1063
1064 if (!found)
1065 {
1066 DBG1(DBG_IKE, "no local address found in traffic selector %R", ts);
1067 return FAILED;
1068 }
1069 DBG2(DBG_IKE, "using host %H", *ip);
1070 return SUCCESS;
1071 }
1072
1073 /**
1074 * get the interface of a local address
1075 */
1076 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1077 {
1078 iterator_t *iterator;
1079 address_entry_t *entry;
1080 int ifindex = 0;
1081
1082 DBG2(DBG_IKE, "getting iface for %H", ip);
1083
1084 iterator = this->addrs->create_iterator_locked(this->addrs, &this->addrs_mutex);
1085 while (iterator->iterate(iterator, (void**)&entry))
1086 {
1087 if (ip->ip_equals(ip, entry->host))
1088 {
1089 ifindex = entry->ifindex;
1090 break;
1091 }
1092 }
1093 iterator->destroy(iterator);
1094
1095 if (ifindex == 0)
1096 {
1097 DBG1(DBG_IKE, "unable to get interface for %H", ip);
1098 }
1099 return ifindex;
1100 }
1101
1102 /**
1103 * Manages the creation and deletion of ip addresses on an interface.
1104 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1105 */
1106 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1107 int flags, int if_index, host_t *ip)
1108 {
1109 unsigned char request[BUFFER_SIZE];
1110 struct nlmsghdr *hdr;
1111 struct ifaddrmsg *msg;
1112 chunk_t chunk;
1113
1114 memset(&request, 0, sizeof(request));
1115
1116 chunk = ip->get_address(ip);
1117
1118 hdr = (struct nlmsghdr*)request;
1119 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1120 hdr->nlmsg_type = nlmsg_type;
1121 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1122
1123 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1124 msg->ifa_family = ip->get_family(ip);
1125 msg->ifa_flags = 0;
1126 msg->ifa_prefixlen = 8 * chunk.len;
1127 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1128 msg->ifa_index = if_index;
1129
1130 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1131
1132 return netlink_send_ack(this->socket_rt, hdr);
1133 }
1134
1135 /**
1136 * Manages source routes in the routing table.
1137 * By setting the appropriate nlmsg_type, the route added or r.
1138 */
1139 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1140 int flags, route_entry_t *route)
1141 {
1142 unsigned char request[BUFFER_SIZE];
1143 struct nlmsghdr *hdr;
1144 struct rtmsg *msg;
1145 chunk_t chunk;
1146
1147 /* if route is 0.0.0.0/0, we can't install it, as it would
1148 * overwrite the default route. Instead, we add two routes:
1149 * 0.0.0.0/1 and 128.0.0.0/1
1150 * TODO: use metrics instead */
1151 if (route->prefixlen == 0)
1152 {
1153 route_entry_t half;
1154 status_t status;
1155
1156 half.dst_net = chunk_alloca(route->dst_net.len);
1157 memset(half.dst_net.ptr, 0, half.dst_net.len);
1158 half.src_ip = route->src_ip;
1159 half.gateway = route->gateway;
1160 half.if_index = route->if_index;
1161 half.prefixlen = 1;
1162
1163 status = manage_srcroute(this, nlmsg_type, flags, &half);
1164 half.dst_net.ptr[0] |= 0x80;
1165 status = manage_srcroute(this, nlmsg_type, flags, &half);
1166 return status;
1167 }
1168
1169 memset(&request, 0, sizeof(request));
1170
1171 hdr = (struct nlmsghdr*)request;
1172 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1173 hdr->nlmsg_type = nlmsg_type;
1174 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1175
1176 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1177 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1178 msg->rtm_dst_len = route->prefixlen;
1179 msg->rtm_table = RT_TABLE_MAIN;
1180 msg->rtm_protocol = RTPROT_STATIC;
1181 msg->rtm_type = RTN_UNICAST;
1182 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1183
1184 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1185 chunk = route->src_ip->get_address(route->src_ip);
1186 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1187 chunk = route->gateway->get_address(route->gateway);
1188 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1189 chunk.ptr = (char*)&route->if_index;
1190 chunk.len = sizeof(route->if_index);
1191 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1192
1193 return netlink_send_ack(this->socket_rt, hdr);
1194 }
1195
1196
1197 /**
1198 * Implementation of kernel_interface_t.add_ip.
1199 */
1200 static status_t add_ip(private_kernel_interface_t *this,
1201 host_t *virtual_ip, host_t *iface_ip)
1202 {
1203 int targetif;
1204 vip_entry_t *listed;
1205 iterator_t *iterator;
1206
1207 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1208
1209 targetif = get_interface_index(this, iface_ip);
1210 if (targetif == 0)
1211 {
1212 DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H",
1213 virtual_ip, iface_ip);
1214 return FAILED;
1215 }
1216
1217 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1218 iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
1219 while (iterator->iterate(iterator, (void**)&listed))
1220 {
1221 if (listed->if_index == targetif &&
1222 virtual_ip->ip_equals(virtual_ip, listed->ip))
1223 {
1224 listed->refcount++;
1225 iterator->destroy(iterator);
1226 DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it",
1227 virtual_ip, targetif);
1228 return SUCCESS;
1229 }
1230 }
1231 iterator->destroy(iterator);
1232
1233 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1234 targetif, virtual_ip) == SUCCESS)
1235 {
1236 listed = malloc_thing(vip_entry_t);
1237 listed->ip = virtual_ip->clone(virtual_ip);
1238 listed->if_index = targetif;
1239 listed->refcount = 1;
1240 this->vips->insert_last(this->vips, listed);
1241 DBG2(DBG_KNL, "virtual IP %H added to iface %d",
1242 virtual_ip, targetif);
1243 return SUCCESS;
1244 }
1245
1246 DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d",
1247 virtual_ip, targetif);
1248 return FAILED;
1249 }
1250
1251 /**
1252 * Implementation of kernel_interface_t.del_ip.
1253 */
1254 static status_t del_ip(private_kernel_interface_t *this,
1255 host_t *virtual_ip, host_t *iface_ip)
1256 {
1257 int targetif;
1258 vip_entry_t *listed;
1259 iterator_t *iterator;
1260
1261 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1262
1263 targetif = get_interface_index(this, iface_ip);
1264 if (targetif == 0)
1265 {
1266 DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H",
1267 virtual_ip, iface_ip);
1268 return FAILED;
1269 }
1270
1271 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1272 iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
1273 while (iterator->iterate(iterator, (void**)&listed))
1274 {
1275 if (listed->if_index == targetif &&
1276 virtual_ip->ip_equals(virtual_ip, listed->ip))
1277 {
1278 listed->refcount--;
1279 if (listed->refcount == 0)
1280 {
1281 iterator->remove(iterator);
1282 vip_entry_destroy(listed);
1283 iterator->destroy(iterator);
1284 return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip);
1285 }
1286 iterator->destroy(iterator);
1287 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1288 virtual_ip);
1289 return SUCCESS;
1290 }
1291 }
1292 iterator->destroy(iterator);
1293
1294 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1295 return FAILED;
1296 }
1297
1298 /**
1299 * Implementation of kernel_interface_t.get_spi.
1300 */
1301 static status_t get_spi(private_kernel_interface_t *this,
1302 host_t *src, host_t *dst,
1303 protocol_id_t protocol, u_int32_t reqid,
1304 u_int32_t *spi)
1305 {
1306 unsigned char request[BUFFER_SIZE];
1307 struct nlmsghdr *hdr, *out;
1308 struct xfrm_userspi_info *userspi;
1309 u_int32_t received_spi = 0;
1310 size_t len;
1311
1312 memset(&request, 0, sizeof(request));
1313
1314 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1315
1316 hdr = (struct nlmsghdr*)request;
1317 hdr->nlmsg_flags = NLM_F_REQUEST;
1318 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1319 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1320
1321 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1322 host2xfrm(src, &userspi->info.saddr);
1323 host2xfrm(dst, &userspi->info.id.daddr);
1324 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1325 userspi->info.mode = TRUE; /* tunnel mode */
1326 userspi->info.reqid = reqid;
1327 userspi->info.family = src->get_family(src);
1328 userspi->min = 0xc0000000;
1329 userspi->max = 0xcFFFFFFF;
1330
1331 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1332 {
1333 hdr = out;
1334 while (NLMSG_OK(hdr, len))
1335 {
1336 switch (hdr->nlmsg_type)
1337 {
1338 case XFRM_MSG_NEWSA:
1339 {
1340 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1341 received_spi = usersa->id.spi;
1342 break;
1343 }
1344 case NLMSG_ERROR:
1345 {
1346 struct nlmsgerr *err = NLMSG_DATA(hdr);
1347
1348 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1349 strerror(-err->error), -err->error);
1350 break;
1351 }
1352 default:
1353 hdr = NLMSG_NEXT(hdr, len);
1354 continue;
1355 case NLMSG_DONE:
1356 break;
1357 }
1358 break;
1359 }
1360 free(out);
1361 }
1362
1363 if (received_spi == 0)
1364 {
1365 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1366 return FAILED;
1367 }
1368
1369 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid);
1370
1371 *spi = received_spi;
1372 return SUCCESS;
1373 }
1374
1375 /**
1376 * Implementation of kernel_interface_t.add_sa.
1377 */
1378 static status_t add_sa(private_kernel_interface_t *this,
1379 host_t *src, host_t *dst, u_int32_t spi,
1380 protocol_id_t protocol, u_int32_t reqid,
1381 u_int64_t expire_soft, u_int64_t expire_hard,
1382 algorithm_t *enc_alg, algorithm_t *int_alg,
1383 prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
1384 bool replace)
1385 {
1386 unsigned char request[BUFFER_SIZE];
1387 char *alg_name;
1388 u_int key_size;
1389 struct nlmsghdr *hdr;
1390 struct xfrm_usersa_info *sa;
1391
1392 memset(&request, 0, sizeof(request));
1393
1394 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi);
1395
1396 hdr = (struct nlmsghdr*)request;
1397 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1398 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1399 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1400
1401 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1402 host2xfrm(src, &sa->saddr);
1403 host2xfrm(dst, &sa->id.daddr);
1404 sa->id.spi = spi;
1405 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1406 sa->family = src->get_family(src);
1407 sa->mode = mode;
1408 sa->replay_window = 32;
1409 sa->reqid = reqid;
1410 /* we currently do not expire SAs by volume/packet count */
1411 sa->lft.soft_byte_limit = XFRM_INF;
1412 sa->lft.hard_byte_limit = XFRM_INF;
1413 sa->lft.soft_packet_limit = XFRM_INF;
1414 sa->lft.hard_packet_limit = XFRM_INF;
1415 /* we use lifetimes since added, not since used */
1416 sa->lft.soft_add_expires_seconds = expire_soft;
1417 sa->lft.hard_add_expires_seconds = expire_hard;
1418 sa->lft.soft_use_expires_seconds = 0;
1419 sa->lft.hard_use_expires_seconds = 0;
1420
1421 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1422
1423 if (enc_alg->algorithm != ENCR_UNDEFINED)
1424 {
1425 rthdr->rta_type = XFRMA_ALG_CRYPT;
1426 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
1427 if (alg_name == NULL)
1428 {
1429 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1430 encryption_algorithm_names, enc_alg->algorithm);
1431 return FAILED;
1432 }
1433 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1434 encryption_algorithm_names, enc_alg->algorithm, key_size);
1435
1436 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1437 hdr->nlmsg_len += rthdr->rta_len;
1438 if (hdr->nlmsg_len > sizeof(request))
1439 {
1440 return FAILED;
1441 }
1442
1443 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1444 algo->alg_key_len = key_size;
1445 strcpy(algo->alg_name, alg_name);
1446 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1447
1448 rthdr = XFRM_RTA_NEXT(rthdr);
1449 }
1450
1451 if (int_alg->algorithm != AUTH_UNDEFINED)
1452 {
1453 rthdr->rta_type = XFRMA_ALG_AUTH;
1454 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
1455 if (alg_name == NULL)
1456 {
1457 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1458 integrity_algorithm_names, int_alg->algorithm);
1459 return FAILED;
1460 }
1461 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1462 integrity_algorithm_names, int_alg->algorithm, key_size);
1463
1464 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1465 hdr->nlmsg_len += rthdr->rta_len;
1466 if (hdr->nlmsg_len > sizeof(request))
1467 {
1468 return FAILED;
1469 }
1470
1471 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1472 algo->alg_key_len = key_size;
1473 strcpy(algo->alg_name, alg_name);
1474 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1475
1476 rthdr = XFRM_RTA_NEXT(rthdr);
1477 }
1478
1479 /* TODO: add IPComp here */
1480
1481 if (natt)
1482 {
1483 rthdr->rta_type = XFRMA_ENCAP;
1484 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1485
1486 hdr->nlmsg_len += rthdr->rta_len;
1487 if (hdr->nlmsg_len > sizeof(request))
1488 {
1489 return FAILED;
1490 }
1491
1492 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1493 encap->encap_type = UDP_ENCAP_ESPINUDP;
1494 encap->encap_sport = htons(natt->sport);
1495 encap->encap_dport = htons(natt->dport);
1496 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
1497 /* encap_oa could probably be derived from the
1498 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1499 * pluto does the same as we do here but it uses encap_oa in the
1500 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1501 * the kernel ignores it anyway
1502 * -> does that mean that NAT-T encap doesn't work in transport mode?
1503 * No. The reason the kernel ignores NAT-OA is that it recomputes
1504 * (or, rather, just ignores) the checksum. If packets pass
1505 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1506 rthdr = XFRM_RTA_NEXT(rthdr);
1507 }
1508
1509 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1510 {
1511 DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi);
1512 return FAILED;
1513 }
1514 return SUCCESS;
1515 }
1516
1517 /**
1518 * Implementation of kernel_interface_t.update_sa.
1519 */
1520 static status_t update_sa(private_kernel_interface_t *this,
1521 host_t *src, host_t *dst,
1522 host_t *new_src, host_t *new_dst,
1523 host_diff_t src_changes, host_diff_t dst_changes,
1524 u_int32_t spi, protocol_id_t protocol)
1525 {
1526 unsigned char request[BUFFER_SIZE];
1527 struct nlmsghdr *hdr, *out = NULL;
1528 struct xfrm_usersa_id *sa_id;
1529 struct xfrm_usersa_info *sa = NULL;
1530 size_t len;
1531
1532 memset(&request, 0, sizeof(request));
1533
1534 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1535
1536 hdr = (struct nlmsghdr*)request;
1537 hdr->nlmsg_flags = NLM_F_REQUEST;
1538 hdr->nlmsg_type = XFRM_MSG_GETSA;
1539 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1540
1541 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1542 host2xfrm(dst, &sa_id->daddr);
1543 sa_id->spi = spi;
1544 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1545 sa_id->family = dst->get_family(dst);
1546
1547 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1548 {
1549 hdr = out;
1550 while (NLMSG_OK(hdr, len))
1551 {
1552 switch (hdr->nlmsg_type)
1553 {
1554 case XFRM_MSG_NEWSA:
1555 {
1556 sa = NLMSG_DATA(hdr);
1557 break;
1558 }
1559 case NLMSG_ERROR:
1560 {
1561 struct nlmsgerr *err = NLMSG_DATA(hdr);
1562 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1563 strerror(-err->error), -err->error);
1564 break;
1565 }
1566 default:
1567 hdr = NLMSG_NEXT(hdr, len);
1568 continue;
1569 case NLMSG_DONE:
1570 break;
1571 }
1572 break;
1573 }
1574 }
1575 if (sa == NULL)
1576 {
1577 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
1578 free(out);
1579 return FAILED;
1580 }
1581
1582 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi);
1583
1584 hdr = out;
1585 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1586 hdr->nlmsg_type = XFRM_MSG_UPDSA;
1587
1588 if (src_changes & HOST_DIFF_ADDR)
1589 {
1590 host2xfrm(new_src, &sa->saddr);
1591 }
1592
1593 if (dst_changes & HOST_DIFF_ADDR)
1594 {
1595 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1596 host2xfrm(new_dst, &sa->id.daddr);
1597 }
1598
1599 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
1600 {
1601 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1602 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
1603 while (RTA_OK(rtattr, rtsize))
1604 {
1605 if (rtattr->rta_type == XFRMA_ENCAP)
1606 {
1607 struct xfrm_encap_tmpl* encap;
1608 encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
1609 encap->encap_sport = ntohs(new_src->get_port(new_src));
1610 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
1611 break;
1612 }
1613 rtattr = RTA_NEXT(rtattr, rtsize);
1614 }
1615 }
1616 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1617 {
1618 DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
1619 free(out);
1620 return FAILED;
1621 }
1622 free(out);
1623
1624 if (dst_changes & HOST_DIFF_ADDR)
1625 {
1626 return this->public.del_sa(&this->public, dst, spi, protocol);
1627 }
1628 return SUCCESS;
1629 }
1630
1631 /**
1632 * Implementation of kernel_interface_t.query_sa.
1633 */
1634 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
1635 u_int32_t spi, protocol_id_t protocol,
1636 u_int32_t *use_time)
1637 {
1638 unsigned char request[BUFFER_SIZE];
1639 struct nlmsghdr *out = NULL, *hdr;
1640 struct xfrm_usersa_id *sa_id;
1641 struct xfrm_usersa_info *sa = NULL;
1642 size_t len;
1643
1644 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1645 memset(&request, 0, sizeof(request));
1646
1647 hdr = (struct nlmsghdr*)request;
1648 hdr->nlmsg_flags = NLM_F_REQUEST;
1649 hdr->nlmsg_type = XFRM_MSG_GETSA;
1650 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1651
1652 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1653 host2xfrm(dst, &sa_id->daddr);
1654 sa_id->spi = spi;
1655 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1656 sa_id->family = dst->get_family(dst);
1657
1658 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1659 {
1660 hdr = out;
1661 while (NLMSG_OK(hdr, len))
1662 {
1663 switch (hdr->nlmsg_type)
1664 {
1665 case XFRM_MSG_NEWSA:
1666 {
1667 sa = NLMSG_DATA(hdr);
1668 break;
1669 }
1670 case NLMSG_ERROR:
1671 {
1672 struct nlmsgerr *err = NLMSG_DATA(hdr);
1673 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1674 strerror(-err->error), -err->error);
1675 break;
1676 }
1677 default:
1678 hdr = NLMSG_NEXT(hdr, len);
1679 continue;
1680 case NLMSG_DONE:
1681 break;
1682 }
1683 break;
1684 }
1685 }
1686
1687 if (sa == NULL)
1688 {
1689 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
1690 free(out);
1691 return FAILED;
1692 }
1693
1694 *use_time = sa->curlft.use_time;
1695 free (out);
1696 return SUCCESS;
1697 }
1698
1699 /**
1700 * Implementation of kernel_interface_t.del_sa.
1701 */
1702 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
1703 u_int32_t spi, protocol_id_t protocol)
1704 {
1705 unsigned char request[BUFFER_SIZE];
1706 struct nlmsghdr *hdr;
1707 struct xfrm_usersa_id *sa_id;
1708
1709 memset(&request, 0, sizeof(request));
1710
1711 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
1712
1713 hdr = (struct nlmsghdr*)request;
1714 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1715 hdr->nlmsg_type = XFRM_MSG_DELSA;
1716 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1717
1718 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1719 host2xfrm(dst, &sa_id->daddr);
1720 sa_id->spi = spi;
1721 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1722 sa_id->family = dst->get_family(dst);
1723
1724 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1725 {
1726 DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
1727 return FAILED;
1728 }
1729 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
1730 return SUCCESS;
1731 }
1732
1733 /**
1734 * Implementation of kernel_interface_t.add_policy.
1735 */
1736 static status_t add_policy(private_kernel_interface_t *this,
1737 host_t *src, host_t *dst,
1738 traffic_selector_t *src_ts,
1739 traffic_selector_t *dst_ts,
1740 policy_dir_t direction, protocol_id_t protocol,
1741 u_int32_t reqid, bool high_prio, mode_t mode,
1742 bool update)
1743 {
1744 iterator_t *iterator;
1745 policy_entry_t *current, *policy;
1746 bool found = FALSE;
1747 unsigned char request[BUFFER_SIZE];
1748 struct xfrm_userpolicy_info *policy_info;
1749 struct nlmsghdr *hdr;
1750
1751 /* create a policy */
1752 policy = malloc_thing(policy_entry_t);
1753 memset(policy, 0, sizeof(policy_entry_t));
1754 policy->sel = ts2selector(src_ts, dst_ts);
1755 policy->direction = direction;
1756
1757 /* find the policy, which matches EXACTLY */
1758 pthread_mutex_lock(&this->policies_mutex);
1759 iterator = this->policies->create_iterator(this->policies, TRUE);
1760 while (iterator->iterate(iterator, (void**)&current))
1761 {
1762 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
1763 policy->direction == current->direction)
1764 {
1765 /* use existing policy */
1766 if (!update)
1767 {
1768 current->refcount++;
1769 DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
1770 "refcount", src_ts, dst_ts);
1771 }
1772 free(policy);
1773 policy = current;
1774 found = TRUE;
1775 break;
1776 }
1777 }
1778 iterator->destroy(iterator);
1779 if (!found)
1780 { /* apply the new one, if we have no such policy */
1781 this->policies->insert_last(this->policies, policy);
1782 policy->refcount = 1;
1783 }
1784
1785 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
1786
1787 memset(&request, 0, sizeof(request));
1788 hdr = (struct nlmsghdr*)request;
1789 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1790 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
1791 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1792
1793 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1794 policy_info->sel = policy->sel;
1795 policy_info->dir = policy->direction;
1796 /* calculate priority based on source selector size, small size = high prio */
1797 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1798 policy_info->priority -= policy->sel.prefixlen_s * 10;
1799 policy_info->priority -= policy->sel.proto ? 2 : 0;
1800 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1801 policy_info->action = XFRM_POLICY_ALLOW;
1802 policy_info->share = XFRM_SHARE_ANY;
1803 pthread_mutex_unlock(&this->policies_mutex);
1804
1805 /* policies don't expire */
1806 policy_info->lft.soft_byte_limit = XFRM_INF;
1807 policy_info->lft.soft_packet_limit = XFRM_INF;
1808 policy_info->lft.hard_byte_limit = XFRM_INF;
1809 policy_info->lft.hard_packet_limit = XFRM_INF;
1810 policy_info->lft.soft_add_expires_seconds = 0;
1811 policy_info->lft.hard_add_expires_seconds = 0;
1812 policy_info->lft.soft_use_expires_seconds = 0;
1813 policy_info->lft.hard_use_expires_seconds = 0;
1814
1815 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1816 rthdr->rta_type = XFRMA_TMPL;
1817
1818 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
1819 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
1820
1821 hdr->nlmsg_len += rthdr->rta_len;
1822 if (hdr->nlmsg_len > sizeof(request))
1823 {
1824 return FAILED;
1825 }
1826
1827 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1828 tmpl->reqid = reqid;
1829 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
1830 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1831 tmpl->mode = mode;
1832 tmpl->family = src->get_family(src);
1833
1834 host2xfrm(src, &tmpl->saddr);
1835 host2xfrm(dst, &tmpl->id.daddr);
1836
1837 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1838 {
1839 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
1840 return FAILED;
1841 }
1842
1843 /* install a route, if:
1844 * - we are NOT updating a policy
1845 * - this is a forward policy (to just get one for each child)
1846 * - we are in tunnel mode
1847 * - we are not using IPv6 (does not work correctly yet!)
1848 */
1849 if (policy->route == NULL && direction == POLICY_FWD &&
1850 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6)
1851 {
1852 policy->route = malloc_thing(route_entry_t);
1853 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
1854 {
1855 policy->route->gateway = dst->clone(dst);
1856 policy->route->if_index = get_interface_index(this, dst);
1857 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1858 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
1859 policy->route->prefixlen = policy->sel.prefixlen_s;
1860
1861 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
1862 policy->route) != SUCCESS)
1863 {
1864 DBG1(DBG_KNL, "unable to install source route for %H",
1865 policy->route->src_ip);
1866 route_entry_destroy(policy->route);
1867 policy->route = NULL;
1868 }
1869 }
1870 else
1871 {
1872 free(policy->route);
1873 policy->route = NULL;
1874 }
1875 }
1876
1877 return SUCCESS;
1878 }
1879
1880 /**
1881 * Implementation of kernel_interface_t.query_policy.
1882 */
1883 static status_t query_policy(private_kernel_interface_t *this,
1884 traffic_selector_t *src_ts,
1885 traffic_selector_t *dst_ts,
1886 policy_dir_t direction, u_int32_t *use_time)
1887 {
1888 unsigned char request[BUFFER_SIZE];
1889 struct nlmsghdr *out = NULL, *hdr;
1890 struct xfrm_userpolicy_id *policy_id;
1891 struct xfrm_userpolicy_info *policy = NULL;
1892 size_t len;
1893
1894 memset(&request, 0, sizeof(request));
1895
1896 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
1897
1898 hdr = (struct nlmsghdr*)request;
1899 hdr->nlmsg_flags = NLM_F_REQUEST;
1900 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1901 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1902
1903 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1904 policy_id->sel = ts2selector(src_ts, dst_ts);
1905 policy_id->dir = direction;
1906
1907 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1908 {
1909 hdr = out;
1910 while (NLMSG_OK(hdr, len))
1911 {
1912 switch (hdr->nlmsg_type)
1913 {
1914 case XFRM_MSG_NEWPOLICY:
1915 {
1916 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1917 break;
1918 }
1919 case NLMSG_ERROR:
1920 {
1921 struct nlmsgerr *err = NLMSG_DATA(hdr);
1922 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1923 strerror(-err->error), -err->error);
1924 break;
1925 }
1926 default:
1927 hdr = NLMSG_NEXT(hdr, len);
1928 continue;
1929 case NLMSG_DONE:
1930 break;
1931 }
1932 break;
1933 }
1934 }
1935
1936 if (policy == NULL)
1937 {
1938 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
1939 free(out);
1940 return FAILED;
1941 }
1942 *use_time = (time_t)policy->curlft.use_time;
1943
1944 free(out);
1945 return SUCCESS;
1946 }
1947
1948 /**
1949 * Implementation of kernel_interface_t.del_policy.
1950 */
1951 static status_t del_policy(private_kernel_interface_t *this,
1952 traffic_selector_t *src_ts,
1953 traffic_selector_t *dst_ts,
1954 policy_dir_t direction)
1955 {
1956 policy_entry_t *current, policy, *to_delete = NULL;
1957 route_entry_t *route;
1958 unsigned char request[BUFFER_SIZE];
1959 struct nlmsghdr *hdr;
1960 struct xfrm_userpolicy_id *policy_id;
1961 iterator_t *iterator;
1962
1963 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
1964
1965 /* create a policy */
1966 memset(&policy, 0, sizeof(policy_entry_t));
1967 policy.sel = ts2selector(src_ts, dst_ts);
1968 policy.direction = direction;
1969
1970 /* find the policy */
1971 pthread_mutex_lock(&this->policies_mutex);
1972 iterator = this->policies->create_iterator(this->policies, TRUE);
1973 while (iterator->iterate(iterator, (void**)&current))
1974 {
1975 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
1976 policy.direction == current->direction)
1977 {
1978 to_delete = current;
1979 if (--to_delete->refcount > 0)
1980 {
1981 /* is used by more SAs, keep in kernel */
1982 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1983 iterator->destroy(iterator);
1984 pthread_mutex_unlock(&this->policies_mutex);
1985 return SUCCESS;
1986 }
1987 /* remove if last reference */
1988 iterator->remove(iterator);
1989 break;
1990 }
1991 }
1992 iterator->destroy(iterator);
1993 pthread_mutex_unlock(&this->policies_mutex);
1994 if (!to_delete)
1995 {
1996 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
1997 return NOT_FOUND;
1998 }
1999
2000 memset(&request, 0, sizeof(request));
2001
2002 hdr = (struct nlmsghdr*)request;
2003 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2004 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2005 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2006
2007 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2008 policy_id->sel = to_delete->sel;
2009 policy_id->dir = direction;
2010
2011 route = to_delete->route;
2012 free(to_delete);
2013
2014 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
2015 {
2016 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
2017 return FAILED;
2018 }
2019
2020 if (route)
2021 {
2022 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2023 {
2024 DBG1(DBG_KNL, "error uninstalling route installed with "
2025 "policy %R===%R", src_ts, dst_ts);
2026 }
2027 route_entry_destroy(route);
2028 }
2029 return SUCCESS;
2030 }
2031
2032 /**
2033 * Implementation of kernel_interface_t.destroy.
2034 */
2035 static void destroy(private_kernel_interface_t *this)
2036 {
2037 this->job->cancel(this->job);
2038 close(this->socket_xfrm_events);
2039 close(this->socket_xfrm);
2040 close(this->socket_rt_events);
2041 close(this->socket_rt);
2042 this->vips->destroy(this->vips);
2043 this->policies->destroy(this->policies);
2044 this->addrs->destroy_function(this->addrs, (void*)address_entry_destroy);
2045 free(this);
2046 }
2047
2048 /*
2049 * Described in header.
2050 */
2051 kernel_interface_t *kernel_interface_create()
2052 {
2053 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2054 struct sockaddr_nl addr;
2055
2056 /* public functions */
2057 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2058 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
2059 this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
2060 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2061 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2062 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
2063 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2064 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2065
2066 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2067 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2068 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2069 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
2070 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2071
2072 /* private members */
2073 this->vips = linked_list_create();
2074 this->policies = linked_list_create();
2075 this->addrs = linked_list_create();
2076 pthread_mutex_init(&this->policies_mutex,NULL);
2077 pthread_mutex_init(&this->vips_mutex,NULL);
2078 pthread_mutex_init(&this->addrs_mutex,NULL);
2079
2080 memset(&addr, 0, sizeof(addr));
2081 addr.nl_family = AF_NETLINK;
2082
2083 /* create and bind RT socket */
2084 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2085 if (this->socket_rt <= 0)
2086 {
2087 charon->kill(charon, "unable to create RT netlink socket");
2088 }
2089 addr.nl_groups = 0;
2090 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
2091 {
2092 charon->kill(charon, "unable to bind RT netlink socket");
2093 }
2094
2095 /* create and bind RT socket for events (address changes) */
2096 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2097 if (this->socket_rt_events <= 0)
2098 {
2099 charon->kill(charon, "unable to create RT event socket");
2100 }
2101 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR;
2102 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
2103 {
2104 charon->kill(charon, "unable to bind RT event socket");
2105 }
2106
2107 /* create and bind XFRM socket */
2108 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2109 if (this->socket_xfrm <= 0)
2110 {
2111 charon->kill(charon, "unable to create XFRM netlink socket");
2112 }
2113 addr.nl_groups = 0;
2114 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
2115 {
2116 charon->kill(charon, "unable to bind XFRM netlink socket");
2117 }
2118
2119 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2120 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2121 if (this->socket_xfrm_events <= 0)
2122 {
2123 charon->kill(charon, "unable to create XFRM event socket");
2124 }
2125 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
2126 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2127 {
2128 charon->kill(charon, "unable to bind XFRM event socket");
2129 }
2130
2131 this->job = callback_job_create((callback_job_cb_t)receive_events,
2132 this, NULL, NULL);
2133 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2134
2135 init_address_list(this);
2136
2137 return &this->public;
2138 }
2139