projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
further MOBIKE stuff:
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Based on xfrm code from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
36 #include <pthread.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 #include <string.h>
41 #include <net/if.h>
42 #include <sys/ioctl.h>
43
44 #include "kernel_interface.h"
45
46 #include <daemon.h>
47 #include <utils/linked_list.h>
48 #include <processing/jobs/delete_child_sa_job.h>
49 #include <processing/jobs/rekey_child_sa_job.h>
50 #include <processing/jobs/acquire_job.h>
51 #include <processing/jobs/callback_job.h>
52 #include <processing/jobs/roam_job.h>
53
54 /** kernel level protocol identifiers */
55 #define KERNEL_ESP 50
56 #define KERNEL_AH 51
57
58 /** default priority of installed policies */
59 #define PRIO_LOW 3000
60 #define PRIO_HIGH 2000
61
62 #define BUFFER_SIZE 1024
63
64 /**
65 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
66 * 'usual' netlink data x like 'struct xfrm_usersa_info'
67 */
68 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
69 /**
70 * returns a pointer to the next rtattr following rta.
71 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
72 */
73 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
74 /**
75 * returns the total size of attached rta data
76 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
77 */
78 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
79
80 typedef struct kernel_algorithm_t kernel_algorithm_t;
81
82 /**
83 * Mapping from the algorithms defined in IKEv2 to
84 * kernel level algorithm names and their key length
85 */
86 struct kernel_algorithm_t {
87 /**
88 * Identifier specified in IKEv2
89 */
90 int ikev2_id;
91
92 /**
93 * Name of the algorithm, as used as kernel identifier
94 */
95 char *name;
96
97 /**
98 * Key length in bits, if fixed size
99 */
100 u_int key_size;
101 };
102 #define END_OF_LIST -1
103
104 /**
105 * Algorithms for encryption
106 */
107 kernel_algorithm_t encryption_algs[] = {
108 /* {ENCR_DES_IV64, "***", 0}, */
109 {ENCR_DES, "des", 64},
110 {ENCR_3DES, "des3_ede", 192},
111 /* {ENCR_RC5, "***", 0}, */
112 /* {ENCR_IDEA, "***", 0}, */
113 {ENCR_CAST, "cast128", 0},
114 {ENCR_BLOWFISH, "blowfish", 0},
115 /* {ENCR_3IDEA, "***", 0}, */
116 /* {ENCR_DES_IV32, "***", 0}, */
117 {ENCR_NULL, "cipher_null", 0},
118 {ENCR_AES_CBC, "aes", 0},
119 /* {ENCR_AES_CTR, "***", 0}, */
120 {END_OF_LIST, NULL, 0},
121 };
122
123 /**
124 * Algorithms for integrity protection
125 */
126 kernel_algorithm_t integrity_algs[] = {
127 {AUTH_HMAC_MD5_96, "md5", 128},
128 {AUTH_HMAC_SHA1_96, "sha1", 160},
129 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
130 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
131 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
132 /* {AUTH_DES_MAC, "***", 0}, */
133 /* {AUTH_KPDK_MD5, "***", 0}, */
134 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
135 {END_OF_LIST, NULL, 0},
136 };
137
138 /**
139 * Look up a kernel algorithm name and its key size
140 */
141 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
142 algorithm_t *ikev2_algo, u_int *key_size)
143 {
144 while (kernel_algo->ikev2_id != END_OF_LIST)
145 {
146 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
147 {
148 /* match, evaluate key length */
149 if (ikev2_algo->key_size)
150 { /* variable length */
151 *key_size = ikev2_algo->key_size;
152 }
153 else
154 { /* fixed length */
155 *key_size = kernel_algo->key_size;
156 }
157 return kernel_algo->name;
158 }
159 kernel_algo++;
160 }
161 return NULL;
162 }
163
164 typedef struct route_entry_t route_entry_t;
165
166 /**
167 * installed routing entry
168 */
169 struct route_entry_t {
170
171 /** Index of the interface the route is bound to */
172 int if_index;
173
174 /** Source ip of the route */
175 host_t *src_ip;
176
177 /** gateway for this route */
178 host_t *gateway;
179
180 /** Destination net */
181 chunk_t dst_net;
182
183 /** Destination net prefixlen */
184 u_int8_t prefixlen;
185 };
186
187 /**
188 * destroy an route_entry_t object
189 */
190 static void route_entry_destroy(route_entry_t *this)
191 {
192 this->src_ip->destroy(this->src_ip);
193 this->gateway->destroy(this->gateway);
194 chunk_free(&this->dst_net);
195 free(this);
196 }
197
198 typedef struct policy_entry_t policy_entry_t;
199
200 /**
201 * installed kernel policy.
202 */
203 struct policy_entry_t {
204
205 /** direction of this policy: in, out, forward */
206 u_int8_t direction;
207
208 /** reqid of the policy */
209 u_int32_t reqid;
210
211 /** parameters of installed policy */
212 struct xfrm_selector sel;
213
214 /** associated route installed for this policy */
215 route_entry_t *route;
216
217 /** by how many CHILD_SA's this policy is used */
218 u_int refcount;
219 };
220
221 typedef struct addr_entry_t addr_entry_t;
222
223 /**
224 * IP address in an inface_entry_t
225 */
226 struct addr_entry_t {
227
228 /** The ip address */
229 host_t *ip;
230
231 /** Number of times this IP is used, if virtual */
232 u_int refcount;
233 };
234
235 /**
236 * destroy a addr_entry_t object
237 */
238 static void addr_entry_destroy(addr_entry_t *this)
239 {
240 this->ip->destroy(this->ip);
241 free(this);
242 }
243
244 typedef struct iface_entry_t iface_entry_t;
245
246 /**
247 * A network interface on this system, containing addr_entry_t's
248 */
249 struct iface_entry_t {
250
251 /** interface index */
252 int ifindex;
253
254 /** name of the interface */
255 char ifname[IFNAMSIZ];
256
257 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
258 u_int flags;
259
260 /** list of addresses as host_t */
261 linked_list_t *addrs;
262 };
263
264 /**
265 * destroy an interface entry
266 */
267 static void iface_entry_destroy(iface_entry_t *this)
268 {
269 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
270 free(this);
271 }
272
273 typedef struct private_kernel_interface_t private_kernel_interface_t;
274
275 /**
276 * Private variables and functions of kernel_interface class.
277 */
278 struct private_kernel_interface_t {
279 /**
280 * Public part of the kernel_interface_t object.
281 */
282 kernel_interface_t public;
283
284 /**
285 * mutex to lock access to the various lists
286 */
287 pthread_mutex_t mutex;
288
289 /**
290 * List of installed policies (policy_entry_t)
291 */
292 linked_list_t *policies;
293
294 /**
295 * Cached list of interfaces and its adresses (iface_entry_t)
296 */
297 linked_list_t *ifaces;
298
299 /**
300 * iterator used in hook()
301 */
302 iterator_t *hiter;
303
304 /**
305 * job receiving netlink events
306 */
307 callback_job_t *job;
308
309 /**
310 * current sequence number for netlink request
311 */
312 int seq;
313
314 /**
315 * Netlink xfrm socket (IPsec)
316 */
317 int socket_xfrm;
318
319 /**
320 * netlink xfrm socket to receive acquire and expire events
321 */
322 int socket_xfrm_events;
323
324 /**
325 * Netlink rt socket (routing)
326 */
327 int socket_rt;
328
329 /**
330 * Netlink rt socket to receive address change events
331 */
332 int socket_rt_events;
333 };
334
335 /**
336 * convert a host_t to a struct xfrm_address
337 */
338 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
339 {
340 chunk_t chunk = host->get_address(host);
341 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
342 }
343
344 /**
345 * convert a traffic selector address range to subnet and its mask.
346 */
347 static void ts2subnet(traffic_selector_t* ts,
348 xfrm_address_t *net, u_int8_t *mask)
349 {
350 /* there is no way to do this cleanly, as the address range may
351 * be anything else but a subnet. We use from_addr as subnet
352 * and try to calculate a usable subnet mask.
353 */
354 int byte, bit;
355 bool found = FALSE;
356 chunk_t from, to;
357 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
358
359 from = ts->get_from_address(ts);
360 to = ts->get_to_address(ts);
361
362 *mask = (size * 8);
363 /* go trough all bits of the addresses, beginning in the front.
364 * as long as they are equal, the subnet gets larger
365 */
366 for (byte = 0; byte < size; byte++)
367 {
368 for (bit = 7; bit >= 0; bit--)
369 {
370 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
371 {
372 *mask = ((7 - bit) + (byte * 8));
373 found = TRUE;
374 break;
375 }
376 }
377 if (found)
378 {
379 break;
380 }
381 }
382 memcpy(net, from.ptr, from.len);
383 chunk_free(&from);
384 chunk_free(&to);
385 }
386
387 /**
388 * convert a traffic selector port range to port/portmask
389 */
390 static void ts2ports(traffic_selector_t* ts,
391 u_int16_t *port, u_int16_t *mask)
392 {
393 /* linux does not seem to accept complex portmasks. Only
394 * any or a specific port is allowed. We set to any, if we have
395 * a port range, or to a specific, if we have one port only.
396 */
397 u_int16_t from, to;
398
399 from = ts->get_from_port(ts);
400 to = ts->get_to_port(ts);
401
402 if (from == to)
403 {
404 *port = htons(from);
405 *mask = ~0;
406 }
407 else
408 {
409 *port = 0;
410 *mask = 0;
411 }
412 }
413
414 /**
415 * convert a pair of traffic_selectors to a xfrm_selector
416 */
417 static struct xfrm_selector ts2selector(traffic_selector_t *src,
418 traffic_selector_t *dst)
419 {
420 struct xfrm_selector sel;
421
422 memset(&sel, 0, sizeof(sel));
423 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
424 /* src or dest proto may be "any" (0), use more restrictive one */
425 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
426 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
427 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
428 ts2ports(dst, &sel.dport, &sel.dport_mask);
429 ts2ports(src, &sel.sport, &sel.sport_mask);
430 sel.ifindex = 0;
431 sel.user = 0;
432
433 return sel;
434 }
435
436 /**
437 * Creates an rtattr and adds it to the netlink message
438 */
439 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
440 size_t buflen)
441 {
442 struct rtattr *rta;
443
444 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
445 {
446 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
447 return;
448 }
449
450 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
451 rta->rta_type = rta_type;
452 rta->rta_len = RTA_LENGTH(data.len);
453 memcpy(RTA_DATA(rta), data.ptr, data.len);
454 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
455 }
456
457 /**
458 * process a XFRM_MSG_ACQUIRE from kernel
459 */
460 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
461 {
462 u_int32_t reqid = 0;
463 job_t *job;
464 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
465 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
466
467 if (RTA_OK(rtattr, rtsize))
468 {
469 if (rtattr->rta_type == XFRMA_TMPL)
470 {
471 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
472 reqid = tmpl->reqid;
473 }
474 }
475 if (reqid == 0)
476 {
477 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
478 return;
479 }
480 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
481 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
482 job = (job_t*)acquire_job_create(reqid);
483 charon->processor->queue_job(charon->processor, job);
484 }
485
486 /**
487 * process a XFRM_MSG_EXPIRE from kernel
488 */
489 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
490 {
491 job_t *job;
492 protocol_id_t protocol;
493 u_int32_t spi, reqid;
494 struct xfrm_user_expire *expire;
495
496 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
497 protocol = expire->state.id.proto == KERNEL_ESP ? PROTO_ESP : PROTO_AH;
498 spi = expire->state.id.spi;
499 reqid = expire->state.reqid;
500
501 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
502 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
503 expire->hard ? "delete" : "rekey", protocol_id_names,
504 protocol, ntohl(spi), reqid);
505 if (expire->hard)
506 {
507 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
508 }
509 else
510 {
511 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
512 }
513 charon->processor->queue_job(charon->processor, job);
514 }
515
516 /**
517 * process RTM_NEWLINK/RTM_DELLINK from kernel
518 */
519 static void process_link(private_kernel_interface_t *this,
520 struct nlmsghdr *hdr, bool event)
521 {
522 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
523 struct rtattr *rta = IFLA_RTA(msg);
524 size_t rtasize = IFLA_PAYLOAD (hdr);
525 iterator_t *iterator;
526 iface_entry_t *current, *entry = NULL;
527 char *name = NULL;
528 bool update = FALSE;
529
530 while(RTA_OK(rta, rtasize))
531 {
532 switch (rta->rta_type)
533 {
534 case IFLA_IFNAME:
535 name = RTA_DATA(rta);
536 break;
537 }
538 rta = RTA_NEXT(rta, rtasize);
539 }
540 if (!name)
541 {
542 name = "(unknown)";
543 }
544
545 switch (hdr->nlmsg_type)
546 {
547 case RTM_NEWLINK:
548 {
549 if (msg->ifi_flags & IFF_LOOPBACK)
550 { /* ignore loopback interfaces */
551 break;
552 }
553 iterator = this->ifaces->create_iterator_locked(this->ifaces,
554 &this->mutex);
555 while (iterator->iterate(iterator, (void**)&current))
556 {
557 if (current->ifindex == msg->ifi_index)
558 {
559 entry = current;
560 break;
561 }
562 }
563 if (!entry)
564 {
565 entry = malloc_thing(iface_entry_t);
566 entry->ifindex = msg->ifi_index;
567 entry->flags = 0;
568 entry->addrs = linked_list_create();
569 this->ifaces->insert_last(this->ifaces, entry);
570 }
571 memcpy(entry->ifname, name, IFNAMSIZ);
572 entry->ifname[IFNAMSIZ-1] = '\0';
573 if (event)
574 {
575 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
576 {
577 update = TRUE;
578 DBG1(DBG_KNL, "interface %s activated", name);
579 }
580 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
581 {
582 update = TRUE;
583 DBG1(DBG_KNL, "interface %s deactivated", name);
584 }
585 }
586 entry->flags = msg->ifi_flags;
587 iterator->destroy(iterator);
588 break;
589 }
590 case RTM_DELLINK:
591 {
592 iterator = this->ifaces->create_iterator_locked(this->ifaces,
593 &this->mutex);
594 while (iterator->iterate(iterator, (void**)&current))
595 {
596 if (current->ifindex == msg->ifi_index)
597 {
598 /* we do not remove it, as an address may be added to a
599 * "down" interface and we wan't to know that. */
600 current->flags = msg->ifi_flags;
601 break;
602 }
603 }
604 iterator->destroy(iterator);
605 break;
606 }
607 }
608
609 /* send an update to all IKE_SAs */
610 if (update && event)
611 {
612 charon->processor->queue_job(charon->processor, (job_t*)roam_job_create());
613 }
614 }
615
616 /**
617 * process RTM_NEWADDR/RTM_DELADDR from kernel
618 */
619 static void process_addr(private_kernel_interface_t *this,
620 struct nlmsghdr *hdr, bool event)
621 {
622 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
623 struct rtattr *rta = IFA_RTA(msg);
624 size_t rtasize = IFA_PAYLOAD (hdr);
625 host_t *host = NULL;
626 iterator_t *ifaces, *addrs;
627 iface_entry_t *iface;
628 addr_entry_t *addr;
629 chunk_t local = chunk_empty, address = chunk_empty;
630 bool update = FALSE, found = FALSE;
631
632 while(RTA_OK(rta, rtasize))
633 {
634 switch (rta->rta_type)
635 {
636 case IFA_LOCAL:
637 local.ptr = RTA_DATA(rta);
638 local.len = RTA_PAYLOAD(rta);
639 break;
640 case IFA_ADDRESS:
641 address.ptr = RTA_DATA(rta);
642 address.len = RTA_PAYLOAD(rta);
643 break;
644 }
645 rta = RTA_NEXT(rta, rtasize);
646 }
647
648 /* For PPP interfaces, we need the IFA_LOCAL address,
649 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
650 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
651 if (local.ptr)
652 {
653 host = host_create_from_chunk(msg->ifa_family, local, 0);
654 }
655 else if (address.ptr)
656 {
657 host = host_create_from_chunk(msg->ifa_family, address, 0);
658 }
659
660 if (host == NULL)
661 { /* bad family? */
662 return;
663 }
664
665 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
666 while (ifaces->iterate(ifaces, (void**)&iface))
667 {
668 if (iface->ifindex == msg->ifa_index)
669 {
670 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
671 while (addrs->iterate(addrs, (void**)&addr))
672 {
673 if (host->ip_equals(host, addr->ip))
674 {
675 found = TRUE;
676 if (hdr->nlmsg_type == RTM_DELADDR)
677 {
678 addrs->remove(addrs);
679 addr_entry_destroy(addr);
680 DBG1(DBG_KNL, "%H disappeared from %s", host, iface->ifname);
681 }
682 }
683 }
684 addrs->destroy(addrs);
685
686 if (hdr->nlmsg_type == RTM_NEWADDR)
687 {
688 if (!found)
689 {
690 found = TRUE;
691 addr = malloc_thing(addr_entry_t);
692 addr->ip = host->clone(host);
693 addr->refcount = 1;
694
695 iface->addrs->insert_last(iface->addrs, addr);
696 if (event)
697 {
698 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
699 }
700 }
701 }
702 if (found && (iface->flags & IFF_UP))
703 {
704 update = TRUE;
705 }
706 break;
707 }
708 }
709 ifaces->destroy(ifaces);
710 host->destroy(host);
711
712 /* send an update to all IKE_SAs */
713 if (update && event)
714 {
715 charon->processor->queue_job(charon->processor, (job_t*)roam_job_create());
716 }
717 }
718
719 /**
720 * Receives events from kernel
721 */
722 static job_requeue_t receive_events(private_kernel_interface_t *this)
723 {
724 char response[1024];
725 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
726 struct sockaddr_nl addr;
727 socklen_t addr_len = sizeof(addr);
728 int len, oldstate, maxfd, selected;
729 fd_set rfds;
730
731 FD_ZERO(&rfds);
732 FD_SET(this->socket_xfrm_events, &rfds);
733 FD_SET(this->socket_rt_events, &rfds);
734 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
735
736 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
737 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
738 pthread_setcancelstate(oldstate, NULL);
739 if (selected <= 0)
740 {
741 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
742 return JOB_REQUEUE_FAIR;
743 }
744 if (FD_ISSET(this->socket_xfrm_events, &rfds))
745 {
746 selected = this->socket_xfrm_events;
747 }
748 else if (FD_ISSET(this->socket_rt_events, &rfds))
749 {
750 selected = this->socket_rt_events;
751 }
752 else
753 {
754 return JOB_REQUEUE_DIRECT;
755 }
756
757 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
758 (struct sockaddr*)&addr, &addr_len);
759 if (len < 0)
760 {
761 switch (errno)
762 {
763 case EINTR:
764 /* interrupted, try again */
765 return JOB_REQUEUE_DIRECT;
766 case EAGAIN:
767 /* no data ready, select again */
768 return JOB_REQUEUE_DIRECT;
769 default:
770 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
771 sleep(1);
772 return JOB_REQUEUE_FAIR;
773 }
774 }
775 if (addr.nl_pid != 0)
776 { /* not from kernel. not interested, try another one */
777 return JOB_REQUEUE_DIRECT;
778 }
779
780 while (NLMSG_OK(hdr, len))
781 {
782 /* looks good so far, dispatch netlink message */
783 if (selected == this->socket_xfrm_events)
784 {
785 switch (hdr->nlmsg_type)
786 {
787 case XFRM_MSG_ACQUIRE:
788 process_acquire(this, hdr);
789 break;
790 case XFRM_MSG_EXPIRE:
791 process_expire(this, hdr);
792 break;
793 default:
794 break;
795 }
796 }
797 else if (selected == this->socket_rt_events)
798 {
799 switch (hdr->nlmsg_type)
800 {
801 case RTM_NEWADDR:
802 case RTM_DELADDR:
803 process_addr(this, hdr, TRUE);
804 break;
805 case RTM_NEWLINK:
806 case RTM_DELLINK:
807 process_link(this, hdr, TRUE);
808 break;
809 case RTM_NEWROUTE:
810 case RTM_DELROUTE:
811 charon->processor->queue_job(charon->processor,
812 (job_t*)roam_job_create());
813 break;
814 default:
815 break;
816 }
817 }
818 hdr = NLMSG_NEXT(hdr, len);
819 }
820 return JOB_REQUEUE_DIRECT;
821 }
822
823 /**
824 * send a netlink message and wait for a reply
825 */
826 static status_t netlink_send(private_kernel_interface_t *this,
827 int socket, struct nlmsghdr *in,
828 struct nlmsghdr **out, size_t *out_len)
829 {
830 int len, addr_len;
831 struct sockaddr_nl addr;
832 chunk_t result = chunk_empty, tmp;
833 struct nlmsghdr *msg, peek;
834
835 pthread_mutex_lock(&this->mutex);
836
837 in->nlmsg_seq = ++this->seq;
838 in->nlmsg_pid = getpid();
839
840 memset(&addr, 0, sizeof(addr));
841 addr.nl_family = AF_NETLINK;
842 addr.nl_pid = 0;
843 addr.nl_groups = 0;
844
845 while (TRUE)
846 {
847 len = sendto(socket, in, in->nlmsg_len, 0,
848 (struct sockaddr*)&addr, sizeof(addr));
849
850 if (len != in->nlmsg_len)
851 {
852 if (errno == EINTR)
853 {
854 /* interrupted, try again */
855 continue;
856 }
857 pthread_mutex_unlock(&this->mutex);
858 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
859 return FAILED;
860 }
861 break;
862 }
863
864 while (TRUE)
865 {
866 char buf[4096];
867 tmp.len = sizeof(buf);
868 tmp.ptr = buf;
869 msg = (struct nlmsghdr*)tmp.ptr;
870
871 memset(&addr, 0, sizeof(addr));
872 addr.nl_family = AF_NETLINK;
873 addr.nl_pid = getpid();
874 addr.nl_groups = 0;
875 addr_len = sizeof(addr);
876
877 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
878 (struct sockaddr*)&addr, &addr_len);
879
880 if (len < 0)
881 {
882 if (errno == EINTR)
883 {
884 DBG1(DBG_KNL, "got interrupted");
885 /* interrupted, try again */
886 continue;
887 }
888 DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
889 pthread_mutex_unlock(&this->mutex);
890 return FAILED;
891 }
892 if (!NLMSG_OK(msg, len))
893 {
894 DBG1(DBG_KNL, "received corrupted netlink message");
895 pthread_mutex_unlock(&this->mutex);
896 return FAILED;
897 }
898 if (msg->nlmsg_seq != this->seq)
899 {
900 DBG1(DBG_KNL, "received invalid netlink sequence number");
901 if (msg->nlmsg_seq < this->seq)
902 {
903 continue;
904 }
905 pthread_mutex_unlock(&this->mutex);
906 return FAILED;
907 }
908
909 tmp.len = len;
910 result = chunk_cata("cc", result, tmp);
911
912 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
913 * numbers to detect multi header messages */
914 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
915 (struct sockaddr*)&addr, &addr_len);
916
917 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
918 {
919 /* seems to be multipart */
920 continue;
921 }
922 break;
923 }
924
925 *out_len = result.len;
926 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
927
928 pthread_mutex_unlock(&this->mutex);
929
930 return SUCCESS;
931 }
932
933 /**
934 * send a netlink message and wait for its acknowlegde
935 */
936 static status_t netlink_send_ack(private_kernel_interface_t *this,
937 int socket, struct nlmsghdr *in)
938 {
939 struct nlmsghdr *out, *hdr;
940 size_t len;
941
942 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
943 {
944 return FAILED;
945 }
946 hdr = out;
947 while (NLMSG_OK(hdr, len))
948 {
949 switch (hdr->nlmsg_type)
950 {
951 case NLMSG_ERROR:
952 {
953 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
954
955 if (err->error)
956 {
957 DBG1(DBG_KNL, "received netlink error: %s (%d)",
958 strerror(-err->error), -err->error);
959 free(out);
960 return FAILED;
961 }
962 free(out);
963 return SUCCESS;
964 }
965 default:
966 hdr = NLMSG_NEXT(hdr, len);
967 continue;
968 case NLMSG_DONE:
969 break;
970 }
971 break;
972 }
973 DBG1(DBG_KNL, "netlink request not acknowlegded");
974 free(out);
975 return FAILED;
976 }
977
978 /**
979 * Initialize a list of local addresses.
980 */
981 static status_t init_address_list(private_kernel_interface_t *this)
982 {
983 char request[BUFFER_SIZE];
984 struct nlmsghdr *out, *current, *in;
985 struct rtgenmsg *msg;
986 size_t len;
987 iterator_t *ifaces, *addrs;
988 iface_entry_t *iface;
989 addr_entry_t *addr;
990
991 DBG1(DBG_KNL, "listening on interfaces:");
992
993 memset(&request, 0, sizeof(request));
994
995 in = (struct nlmsghdr*)&request;
996 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
997 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
998 msg = (struct rtgenmsg*)NLMSG_DATA(in);
999 msg->rtgen_family = AF_UNSPEC;
1000
1001 /* get all links */
1002 in->nlmsg_type = RTM_GETLINK;
1003 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1004 {
1005 return FAILED;
1006 }
1007 current = out;
1008 while (NLMSG_OK(current, len))
1009 {
1010 switch (current->nlmsg_type)
1011 {
1012 case NLMSG_DONE:
1013 break;
1014 case RTM_NEWLINK:
1015 process_link(this, current, FALSE);
1016 /* fall through */
1017 default:
1018 current = NLMSG_NEXT(current, len);
1019 continue;
1020 }
1021 break;
1022 }
1023 free(out);
1024
1025 /* get all interface addresses */
1026 in->nlmsg_type = RTM_GETADDR;
1027 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1028 {
1029 return FAILED;
1030 }
1031 current = out;
1032 while (NLMSG_OK(current, len))
1033 {
1034 switch (current->nlmsg_type)
1035 {
1036 case NLMSG_DONE:
1037 break;
1038 case RTM_NEWADDR:
1039 process_addr(this, current, FALSE);
1040 /* fall through */
1041 default:
1042 current = NLMSG_NEXT(current, len);
1043 continue;
1044 }
1045 break;
1046 }
1047 free(out);
1048
1049 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1050 while (ifaces->iterate(ifaces, (void**)&iface))
1051 {
1052 if (iface->flags & IFF_UP)
1053 {
1054 DBG1(DBG_KNL, " %s", iface->ifname);
1055 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1056 while (addrs->iterate(addrs, (void**)&addr))
1057 {
1058 DBG1(DBG_KNL, " %H", addr->ip);
1059 }
1060 addrs->destroy(addrs);
1061 }
1062 }
1063 ifaces->destroy(ifaces);
1064 return SUCCESS;
1065 }
1066
1067 /**
1068 * iterator hook to iterate over addrs
1069 */
1070 static hook_result_t addr_hook(private_kernel_interface_t *this,
1071 addr_entry_t *in, host_t **out)
1072 {
1073 *out = in->ip;
1074 return HOOK_NEXT;
1075 }
1076
1077 /**
1078 * iterator hook to iterate over ifaces
1079 */
1080 static hook_result_t iface_hook(private_kernel_interface_t *this,
1081 iface_entry_t *in, host_t **out)
1082 {
1083 if (!(in->flags & IFF_UP))
1084 { /* skip interfaces not up */
1085 return HOOK_SKIP;
1086 }
1087
1088 if (this->hiter == NULL)
1089 {
1090 this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
1091 this->hiter->set_iterator_hook(this->hiter,
1092 (iterator_hook_t*)addr_hook, this);
1093 }
1094 while (this->hiter->iterate(this->hiter, (void**)out))
1095 {
1096 return HOOK_AGAIN;
1097 }
1098 this->hiter->destroy(this->hiter);
1099 this->hiter = NULL;
1100 return HOOK_SKIP;
1101 }
1102
1103 /**
1104 * Implements kernel_interface_t.create_address_iterator.
1105 */
1106 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1107 {
1108 iterator_t *iterator;
1109
1110 iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1111 iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
1112 return iterator;
1113 }
1114
1115 /**
1116 * implementation of kernel_interface_t.get_interface_name
1117 */
1118 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1119 {
1120 iterator_t *ifaces, *addrs;
1121 iface_entry_t *iface;
1122 addr_entry_t *addr;
1123 char *name = NULL;
1124
1125 DBG2(DBG_KNL, "getting interface name for %H", ip);
1126
1127 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1128 while (ifaces->iterate(ifaces, (void**)&iface))
1129 {
1130 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1131 while (addrs->iterate(addrs, (void**)&addr))
1132 {
1133 if (ip->ip_equals(ip, addr->ip))
1134 {
1135 name = strdup(iface->ifname);
1136 break;
1137 }
1138 }
1139 addrs->destroy(addrs);
1140 if (name)
1141 {
1142 break;
1143 }
1144 }
1145 ifaces->destroy(ifaces);
1146
1147 if (name)
1148 {
1149 DBG2(DBG_KNL, "%H is on interface %s", ip, name);
1150 }
1151 else
1152 {
1153 DBG2(DBG_KNL, "%H is not a local address", ip);
1154 }
1155 return name;
1156 }
1157
1158 /**
1159 * Tries to find an ip address of a local interface that is included in the
1160 * supplied traffic selector.
1161 */
1162 static status_t get_address_by_ts(private_kernel_interface_t *this,
1163 traffic_selector_t *ts, host_t **ip)
1164 {
1165 iterator_t *ifaces, *addrs;
1166 iface_entry_t *iface;
1167 addr_entry_t *addr;
1168 host_t *host;
1169 int family;
1170 bool found = FALSE;
1171
1172 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
1173
1174 /* if we have a family which includes localhost, we do not
1175 * search for an IP, we use the default */
1176 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1177
1178 if (family == AF_INET)
1179 {
1180 host = host_create_from_string("127.0.0.1", 0);
1181 }
1182 else
1183 {
1184 host = host_create_from_string("::1", 0);
1185 }
1186
1187 if (ts->includes(ts, host))
1188 {
1189 *ip = host_create_any(family);
1190 host->destroy(host);
1191 DBG2(DBG_KNL, "using host %H", *ip);
1192 return SUCCESS;
1193 }
1194 host->destroy(host);
1195
1196 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1197 while (ifaces->iterate(ifaces, (void**)&iface))
1198 {
1199 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1200 while (addrs->iterate(addrs, (void**)&addr))
1201 {
1202 if (ts->includes(ts, addr->ip))
1203 {
1204 found = TRUE;
1205 *ip = addr->ip->clone(addr->ip);
1206 break;
1207 }
1208 }
1209 addrs->destroy(addrs);
1210 if (found)
1211 {
1212 break;
1213 }
1214 }
1215 ifaces->destroy(ifaces);
1216
1217 if (!found)
1218 {
1219 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
1220 return FAILED;
1221 }
1222 DBG2(DBG_KNL, "using host %H", *ip);
1223 return SUCCESS;
1224 }
1225
1226 /**
1227 * get the interface of a local address
1228 */
1229 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1230 {
1231 iterator_t *ifaces, *addrs;
1232 iface_entry_t *iface;
1233 addr_entry_t *addr;
1234 int ifindex = 0;
1235
1236 DBG2(DBG_KNL, "getting iface for %H", ip);
1237
1238 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1239 while (ifaces->iterate(ifaces, (void**)&iface))
1240 {
1241 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1242 while (addrs->iterate(addrs, (void**)&addr))
1243 {
1244 if (ip->ip_equals(ip, addr->ip))
1245 {
1246 ifindex = iface->ifindex;
1247 break;
1248 }
1249 }
1250 addrs->destroy(addrs);
1251 if (ifindex)
1252 {
1253 break;
1254 }
1255 }
1256 ifaces->destroy(ifaces);
1257
1258 if (ifindex == 0)
1259 {
1260 DBG1(DBG_KNL, "unable to get interface for %H", ip);
1261 }
1262 return ifindex;
1263 }
1264
1265 /**
1266 * Manages the creation and deletion of ip addresses on an interface.
1267 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1268 */
1269 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1270 int flags, int if_index, host_t *ip)
1271 {
1272 unsigned char request[BUFFER_SIZE];
1273 struct nlmsghdr *hdr;
1274 struct ifaddrmsg *msg;
1275 chunk_t chunk;
1276
1277 memset(&request, 0, sizeof(request));
1278
1279 chunk = ip->get_address(ip);
1280
1281 hdr = (struct nlmsghdr*)request;
1282 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1283 hdr->nlmsg_type = nlmsg_type;
1284 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1285
1286 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1287 msg->ifa_family = ip->get_family(ip);
1288 msg->ifa_flags = 0;
1289 msg->ifa_prefixlen = 8 * chunk.len;
1290 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1291 msg->ifa_index = if_index;
1292
1293 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1294
1295 return netlink_send_ack(this, this->socket_rt, hdr);
1296 }
1297
1298 /**
1299 * Manages source routes in the routing table.
1300 * By setting the appropriate nlmsg_type, the route added or r.
1301 */
1302 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1303 int flags, route_entry_t *route)
1304 {
1305 unsigned char request[BUFFER_SIZE];
1306 struct nlmsghdr *hdr;
1307 struct rtmsg *msg;
1308 chunk_t chunk;
1309
1310 /* if route is 0.0.0.0/0, we can't install it, as it would
1311 * overwrite the default route. Instead, we add two routes:
1312 * 0.0.0.0/1 and 128.0.0.0/1
1313 * TODO: use metrics instead */
1314 if (route->prefixlen == 0)
1315 {
1316 route_entry_t half;
1317 status_t status;
1318
1319 half.dst_net = chunk_alloca(route->dst_net.len);
1320 memset(half.dst_net.ptr, 0, half.dst_net.len);
1321 half.src_ip = route->src_ip;
1322 half.gateway = route->gateway;
1323 half.if_index = route->if_index;
1324 half.prefixlen = 1;
1325
1326 status = manage_srcroute(this, nlmsg_type, flags, &half);
1327 half.dst_net.ptr[0] |= 0x80;
1328 status = manage_srcroute(this, nlmsg_type, flags, &half);
1329 return status;
1330 }
1331
1332 memset(&request, 0, sizeof(request));
1333
1334 hdr = (struct nlmsghdr*)request;
1335 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1336 hdr->nlmsg_type = nlmsg_type;
1337 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1338
1339 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1340 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1341 msg->rtm_dst_len = route->prefixlen;
1342 msg->rtm_table = RT_TABLE_MAIN;
1343 msg->rtm_protocol = RTPROT_STATIC;
1344 msg->rtm_type = RTN_UNICAST;
1345 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1346
1347 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1348 chunk = route->src_ip->get_address(route->src_ip);
1349 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1350 chunk = route->gateway->get_address(route->gateway);
1351 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1352 chunk.ptr = (char*)&route->if_index;
1353 chunk.len = sizeof(route->if_index);
1354 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1355
1356 return netlink_send_ack(this, this->socket_rt, hdr);
1357 }
1358
1359 /**
1360 * Implementation of kernel_interface_t.get_source_addr.
1361 */
1362 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1363 {
1364 unsigned char request[BUFFER_SIZE];
1365 struct nlmsghdr *hdr, *out, *current;
1366 struct rtmsg *msg;
1367 chunk_t chunk;
1368 size_t len;
1369 host_t *source = NULL;
1370
1371 memset(&request, 0, sizeof(request));
1372
1373 hdr = (struct nlmsghdr*)request;
1374 hdr->nlmsg_flags = NLM_F_REQUEST;
1375 hdr->nlmsg_type = RTM_GETROUTE;
1376 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1377
1378 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1379 msg->rtm_family = dest->get_family(dest);
1380 msg->rtm_dst_len = msg->rtm_family == AF_INET ? 32 : 128;
1381 msg->rtm_table = RT_TABLE_MAIN;
1382 msg->rtm_protocol = RTPROT_STATIC;
1383 msg->rtm_type = RTN_UNICAST;
1384 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1385
1386 chunk = dest->get_address(dest);
1387 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1388
1389 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1390 {
1391 DBG1(DBG_KNL, "getting source address to %H failed", dest);
1392 return NULL;
1393 }
1394 current = out;
1395 while (NLMSG_OK(current, len))
1396 {
1397 switch (current->nlmsg_type)
1398 {
1399 case NLMSG_DONE:
1400 break;
1401 case RTM_NEWROUTE:
1402 {
1403 struct rtattr *rta;
1404 size_t rtasize;
1405
1406 msg = (struct rtmsg*)(NLMSG_DATA(current));
1407 rta = RTM_RTA(msg);
1408 rtasize = RTM_PAYLOAD(current);
1409 while(RTA_OK(rta, rtasize))
1410 {
1411 switch (rta->rta_type)
1412 {
1413 case RTA_PREFSRC:
1414 chunk.ptr = RTA_DATA(rta);
1415 chunk.len = RTA_PAYLOAD(rta);
1416 source = host_create_from_chunk(msg->rtm_family,
1417 chunk, 0);
1418 break;
1419 }
1420 rta = RTA_NEXT(rta, rtasize);
1421 }
1422 break;
1423 }
1424 default:
1425 current = NLMSG_NEXT(current, len);
1426 continue;
1427 }
1428 break;
1429 }
1430 if (source == NULL)
1431 {
1432 DBG2(DBG_KNL, "no route found to %H", dest);
1433 }
1434 free(out);
1435 return source;
1436 }
1437
1438 /**
1439 * Implementation of kernel_interface_t.add_ip.
1440 */
1441 static status_t add_ip(private_kernel_interface_t *this,
1442 host_t *virtual_ip, host_t *iface_ip)
1443 {
1444 iface_entry_t *iface;
1445 addr_entry_t *addr;
1446 iterator_t *addrs, *ifaces;
1447
1448 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1449
1450 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1451 while (ifaces->iterate(ifaces, (void**)&iface))
1452 {
1453 bool iface_found = FALSE;
1454
1455 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1456 while (addrs->iterate(addrs, (void**)&addr))
1457 {
1458 if (iface_ip->ip_equals(iface_ip, addr->ip))
1459 {
1460 iface_found = TRUE;
1461 }
1462 else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1463 {
1464 addr->refcount++;
1465 DBG2(DBG_KNL, "virtual IP %H already installed on %s",
1466 virtual_ip, iface->ifname);
1467 addrs->destroy(addrs);
1468 ifaces->destroy(ifaces);
1469 return SUCCESS;
1470 }
1471 }
1472 addrs->destroy(addrs);
1473
1474 if (iface_found)
1475 {
1476 int ifindex = iface->ifindex;
1477 ifaces->destroy(ifaces);
1478 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1479 ifindex, virtual_ip) == SUCCESS)
1480 {
1481 addr = malloc_thing(addr_entry_t);
1482 addr->ip = virtual_ip->clone(virtual_ip);
1483 addr->refcount = 1;
1484 pthread_mutex_lock(&this->mutex);
1485 iface->addrs->insert_last(iface->addrs, addr);
1486 pthread_mutex_unlock(&this->mutex);
1487 return SUCCESS;
1488 }
1489 DBG2(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1490 return FAILED;
1491
1492 }
1493
1494 }
1495 ifaces->destroy(ifaces);
1496
1497 DBG2(DBG_KNL, "interface address %H not found, unable to install"
1498 "virtual IP %H", iface_ip, virtual_ip);
1499 return FAILED;
1500 }
1501
1502 /**
1503 * Implementation of kernel_interface_t.del_ip.
1504 */
1505 static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
1506 {
1507 iface_entry_t *iface;
1508 addr_entry_t *addr;
1509 iterator_t *addrs, *ifaces;
1510
1511 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1512
1513 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1514 while (ifaces->iterate(ifaces, (void**)&iface))
1515 {
1516 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1517 while (addrs->iterate(addrs, (void**)&addr))
1518 {
1519 if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1520 {
1521 int ifindex = iface->ifindex;
1522 addr->refcount--;
1523 if (addr->refcount == 0)
1524 {
1525 addrs->remove(addrs);
1526 addrs->destroy(addrs);
1527 ifaces->destroy(ifaces);
1528 addr_entry_destroy(addr);
1529 return manage_ipaddr(this, RTM_DELADDR, 0,
1530 ifindex, virtual_ip);
1531 }
1532 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1533 virtual_ip);
1534 addrs->destroy(addrs);
1535 ifaces->destroy(ifaces);
1536 return SUCCESS;
1537 }
1538 }
1539 addrs->destroy(addrs);
1540 }
1541 ifaces->destroy(ifaces);
1542
1543 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1544 return FAILED;
1545 }
1546
1547 /**
1548 * Implementation of kernel_interface_t.get_spi.
1549 */
1550 static status_t get_spi(private_kernel_interface_t *this,
1551 host_t *src, host_t *dst,
1552 protocol_id_t protocol, u_int32_t reqid,
1553 u_int32_t *spi)
1554 {
1555 unsigned char request[BUFFER_SIZE];
1556 struct nlmsghdr *hdr, *out;
1557 struct xfrm_userspi_info *userspi;
1558 u_int32_t received_spi = 0;
1559 size_t len;
1560
1561 memset(&request, 0, sizeof(request));
1562
1563 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1564
1565 hdr = (struct nlmsghdr*)request;
1566 hdr->nlmsg_flags = NLM_F_REQUEST;
1567 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1568 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1569
1570 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1571 host2xfrm(src, &userspi->info.saddr);
1572 host2xfrm(dst, &userspi->info.id.daddr);
1573 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1574 userspi->info.mode = TRUE; /* tunnel mode */
1575 userspi->info.reqid = reqid;
1576 userspi->info.family = src->get_family(src);
1577 userspi->min = 0xc0000000;
1578 userspi->max = 0xcFFFFFFF;
1579
1580 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1581 {
1582 hdr = out;
1583 while (NLMSG_OK(hdr, len))
1584 {
1585 switch (hdr->nlmsg_type)
1586 {
1587 case XFRM_MSG_NEWSA:
1588 {
1589 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1590 received_spi = usersa->id.spi;
1591 break;
1592 }
1593 case NLMSG_ERROR:
1594 {
1595 struct nlmsgerr *err = NLMSG_DATA(hdr);
1596
1597 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1598 strerror(-err->error), -err->error);
1599 break;
1600 }
1601 default:
1602 hdr = NLMSG_NEXT(hdr, len);
1603 continue;
1604 case NLMSG_DONE:
1605 break;
1606 }
1607 break;
1608 }
1609 free(out);
1610 }
1611
1612 if (received_spi == 0)
1613 {
1614 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1615 return FAILED;
1616 }
1617
1618 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid);
1619
1620 *spi = received_spi;
1621 return SUCCESS;
1622 }
1623
1624 /**
1625 * Implementation of kernel_interface_t.add_sa.
1626 */
1627 static status_t add_sa(private_kernel_interface_t *this,
1628 host_t *src, host_t *dst, u_int32_t spi,
1629 protocol_id_t protocol, u_int32_t reqid,
1630 u_int64_t expire_soft, u_int64_t expire_hard,
1631 algorithm_t *enc_alg, algorithm_t *int_alg,
1632 prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
1633 bool replace)
1634 {
1635 unsigned char request[BUFFER_SIZE];
1636 char *alg_name;
1637 u_int key_size;
1638 struct nlmsghdr *hdr;
1639 struct xfrm_usersa_info *sa;
1640
1641 memset(&request, 0, sizeof(request));
1642
1643 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi);
1644
1645 hdr = (struct nlmsghdr*)request;
1646 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1647 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1648 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1649
1650 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1651 host2xfrm(src, &sa->saddr);
1652 host2xfrm(dst, &sa->id.daddr);
1653 sa->id.spi = spi;
1654 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1655 sa->family = src->get_family(src);
1656 sa->mode = mode;
1657 sa->replay_window = 32;
1658 sa->reqid = reqid;
1659 /* we currently do not expire SAs by volume/packet count */
1660 sa->lft.soft_byte_limit = XFRM_INF;
1661 sa->lft.hard_byte_limit = XFRM_INF;
1662 sa->lft.soft_packet_limit = XFRM_INF;
1663 sa->lft.hard_packet_limit = XFRM_INF;
1664 /* we use lifetimes since added, not since used */
1665 sa->lft.soft_add_expires_seconds = expire_soft;
1666 sa->lft.hard_add_expires_seconds = expire_hard;
1667 sa->lft.soft_use_expires_seconds = 0;
1668 sa->lft.hard_use_expires_seconds = 0;
1669
1670 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1671
1672 if (enc_alg->algorithm != ENCR_UNDEFINED)
1673 {
1674 rthdr->rta_type = XFRMA_ALG_CRYPT;
1675 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
1676 if (alg_name == NULL)
1677 {
1678 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1679 encryption_algorithm_names, enc_alg->algorithm);
1680 return FAILED;
1681 }
1682 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1683 encryption_algorithm_names, enc_alg->algorithm, key_size);
1684
1685 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1686 hdr->nlmsg_len += rthdr->rta_len;
1687 if (hdr->nlmsg_len > sizeof(request))
1688 {
1689 return FAILED;
1690 }
1691
1692 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1693 algo->alg_key_len = key_size;
1694 strcpy(algo->alg_name, alg_name);
1695 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1696
1697 rthdr = XFRM_RTA_NEXT(rthdr);
1698 }
1699
1700 if (int_alg->algorithm != AUTH_UNDEFINED)
1701 {
1702 rthdr->rta_type = XFRMA_ALG_AUTH;
1703 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
1704 if (alg_name == NULL)
1705 {
1706 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1707 integrity_algorithm_names, int_alg->algorithm);
1708 return FAILED;
1709 }
1710 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1711 integrity_algorithm_names, int_alg->algorithm, key_size);
1712
1713 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1714 hdr->nlmsg_len += rthdr->rta_len;
1715 if (hdr->nlmsg_len > sizeof(request))
1716 {
1717 return FAILED;
1718 }
1719
1720 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1721 algo->alg_key_len = key_size;
1722 strcpy(algo->alg_name, alg_name);
1723 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1724
1725 rthdr = XFRM_RTA_NEXT(rthdr);
1726 }
1727
1728 /* TODO: add IPComp here */
1729
1730 if (natt)
1731 {
1732 rthdr->rta_type = XFRMA_ENCAP;
1733 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1734
1735 hdr->nlmsg_len += rthdr->rta_len;
1736 if (hdr->nlmsg_len > sizeof(request))
1737 {
1738 return FAILED;
1739 }
1740
1741 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1742 encap->encap_type = UDP_ENCAP_ESPINUDP;
1743 encap->encap_sport = htons(natt->sport);
1744 encap->encap_dport = htons(natt->dport);
1745 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
1746 /* encap_oa could probably be derived from the
1747 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1748 * pluto does the same as we do here but it uses encap_oa in the
1749 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1750 * the kernel ignores it anyway
1751 * -> does that mean that NAT-T encap doesn't work in transport mode?
1752 * No. The reason the kernel ignores NAT-OA is that it recomputes
1753 * (or, rather, just ignores) the checksum. If packets pass
1754 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1755 rthdr = XFRM_RTA_NEXT(rthdr);
1756 }
1757
1758 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1759 {
1760 DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi);
1761 return FAILED;
1762 }
1763 return SUCCESS;
1764 }
1765
1766 /**
1767 * Implementation of kernel_interface_t.update_sa.
1768 */
1769 static status_t update_sa(private_kernel_interface_t *this,
1770 host_t *dst, u_int32_t spi,
1771 protocol_id_t protocol,
1772 host_t *new_src, host_t *new_dst,
1773 host_diff_t src_changes, host_diff_t dst_changes)
1774 {
1775 unsigned char request[BUFFER_SIZE];
1776 struct nlmsghdr *hdr, *out = NULL;
1777 struct xfrm_usersa_id *sa_id;
1778 struct xfrm_usersa_info *sa = NULL;
1779 size_t len;
1780
1781 memset(&request, 0, sizeof(request));
1782
1783 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1784
1785 hdr = (struct nlmsghdr*)request;
1786 hdr->nlmsg_flags = NLM_F_REQUEST;
1787 hdr->nlmsg_type = XFRM_MSG_GETSA;
1788 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1789
1790 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1791 host2xfrm(dst, &sa_id->daddr);
1792 sa_id->spi = spi;
1793 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1794 sa_id->family = dst->get_family(dst);
1795
1796 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1797 {
1798 hdr = out;
1799 while (NLMSG_OK(hdr, len))
1800 {
1801 switch (hdr->nlmsg_type)
1802 {
1803 case XFRM_MSG_NEWSA:
1804 {
1805 sa = NLMSG_DATA(hdr);
1806 break;
1807 }
1808 case NLMSG_ERROR:
1809 {
1810 struct nlmsgerr *err = NLMSG_DATA(hdr);
1811 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1812 strerror(-err->error), -err->error);
1813 break;
1814 }
1815 default:
1816 hdr = NLMSG_NEXT(hdr, len);
1817 continue;
1818 case NLMSG_DONE:
1819 break;
1820 }
1821 break;
1822 }
1823 }
1824 if (sa == NULL)
1825 {
1826 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
1827 free(out);
1828 return FAILED;
1829 }
1830
1831 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi);
1832
1833 hdr = out;
1834 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1835 hdr->nlmsg_type = XFRM_MSG_UPDSA;
1836
1837 if (src_changes & HOST_DIFF_ADDR)
1838 {
1839 host2xfrm(new_src, &sa->saddr);
1840 }
1841
1842 if (dst_changes & HOST_DIFF_ADDR)
1843 {
1844 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1845 host2xfrm(new_dst, &sa->id.daddr);
1846 }
1847
1848 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
1849 {
1850 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1851 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
1852 while (RTA_OK(rtattr, rtsize))
1853 {
1854 if (rtattr->rta_type == XFRMA_ENCAP)
1855 {
1856 struct xfrm_encap_tmpl* encap;
1857 encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
1858 encap->encap_sport = ntohs(new_src->get_port(new_src));
1859 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
1860 break;
1861 }
1862 rtattr = RTA_NEXT(rtattr, rtsize);
1863 }
1864 }
1865 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1866 {
1867 DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
1868 free(out);
1869 return FAILED;
1870 }
1871 free(out);
1872
1873 if (dst_changes & HOST_DIFF_ADDR)
1874 {
1875 return this->public.del_sa(&this->public, dst, spi, protocol);
1876 }
1877 return SUCCESS;
1878 }
1879
1880 /**
1881 * Implementation of kernel_interface_t.query_sa.
1882 */
1883 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
1884 u_int32_t spi, protocol_id_t protocol,
1885 u_int32_t *use_time)
1886 {
1887 unsigned char request[BUFFER_SIZE];
1888 struct nlmsghdr *out = NULL, *hdr;
1889 struct xfrm_usersa_id *sa_id;
1890 struct xfrm_usersa_info *sa = NULL;
1891 size_t len;
1892
1893 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1894 memset(&request, 0, sizeof(request));
1895
1896 hdr = (struct nlmsghdr*)request;
1897 hdr->nlmsg_flags = NLM_F_REQUEST;
1898 hdr->nlmsg_type = XFRM_MSG_GETSA;
1899 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1900
1901 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1902 host2xfrm(dst, &sa_id->daddr);
1903 sa_id->spi = spi;
1904 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1905 sa_id->family = dst->get_family(dst);
1906
1907 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1908 {
1909 hdr = out;
1910 while (NLMSG_OK(hdr, len))
1911 {
1912 switch (hdr->nlmsg_type)
1913 {
1914 case XFRM_MSG_NEWSA:
1915 {
1916 sa = NLMSG_DATA(hdr);
1917 break;
1918 }
1919 case NLMSG_ERROR:
1920 {
1921 struct nlmsgerr *err = NLMSG_DATA(hdr);
1922 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1923 strerror(-err->error), -err->error);
1924 break;
1925 }
1926 default:
1927 hdr = NLMSG_NEXT(hdr, len);
1928 continue;
1929 case NLMSG_DONE:
1930 break;
1931 }
1932 break;
1933 }
1934 }
1935
1936 if (sa == NULL)
1937 {
1938 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
1939 free(out);
1940 return FAILED;
1941 }
1942
1943 *use_time = sa->curlft.use_time;
1944 free (out);
1945 return SUCCESS;
1946 }
1947
1948 /**
1949 * Implementation of kernel_interface_t.del_sa.
1950 */
1951 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
1952 u_int32_t spi, protocol_id_t protocol)
1953 {
1954 unsigned char request[BUFFER_SIZE];
1955 struct nlmsghdr *hdr;
1956 struct xfrm_usersa_id *sa_id;
1957
1958 memset(&request, 0, sizeof(request));
1959
1960 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
1961
1962 hdr = (struct nlmsghdr*)request;
1963 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1964 hdr->nlmsg_type = XFRM_MSG_DELSA;
1965 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1966
1967 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1968 host2xfrm(dst, &sa_id->daddr);
1969 sa_id->spi = spi;
1970 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1971 sa_id->family = dst->get_family(dst);
1972
1973 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1974 {
1975 DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
1976 return FAILED;
1977 }
1978 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
1979 return SUCCESS;
1980 }
1981
1982 /**
1983 * Implementation of kernel_interface_t.add_policy.
1984 */
1985 static status_t add_policy(private_kernel_interface_t *this,
1986 host_t *src, host_t *dst,
1987 traffic_selector_t *src_ts,
1988 traffic_selector_t *dst_ts,
1989 policy_dir_t direction, protocol_id_t protocol,
1990 u_int32_t reqid, bool high_prio, mode_t mode,
1991 bool update)
1992 {
1993 iterator_t *iterator;
1994 policy_entry_t *current, *policy;
1995 bool found = FALSE;
1996 unsigned char request[BUFFER_SIZE];
1997 struct xfrm_userpolicy_info *policy_info;
1998 struct nlmsghdr *hdr;
1999
2000 /* create a policy */
2001 policy = malloc_thing(policy_entry_t);
2002 memset(policy, 0, sizeof(policy_entry_t));
2003 policy->sel = ts2selector(src_ts, dst_ts);
2004 policy->direction = direction;
2005
2006 /* find the policy, which matches EXACTLY */
2007 pthread_mutex_lock(&this->mutex);
2008 iterator = this->policies->create_iterator(this->policies, TRUE);
2009 while (iterator->iterate(iterator, (void**)&current))
2010 {
2011 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
2012 policy->direction == current->direction)
2013 {
2014 /* use existing policy */
2015 if (!update)
2016 {
2017 current->refcount++;
2018 DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
2019 "refcount", src_ts, dst_ts);
2020 }
2021 free(policy);
2022 policy = current;
2023 found = TRUE;
2024 break;
2025 }
2026 }
2027 iterator->destroy(iterator);
2028 if (!found)
2029 { /* apply the new one, if we have no such policy */
2030 this->policies->insert_last(this->policies, policy);
2031 policy->refcount = 1;
2032 }
2033
2034 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
2035
2036 memset(&request, 0, sizeof(request));
2037 hdr = (struct nlmsghdr*)request;
2038 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2039 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2040 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2041
2042 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2043 policy_info->sel = policy->sel;
2044 policy_info->dir = policy->direction;
2045 /* calculate priority based on source selector size, small size = high prio */
2046 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2047 policy_info->priority -= policy->sel.prefixlen_s * 10;
2048 policy_info->priority -= policy->sel.proto ? 2 : 0;
2049 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2050 policy_info->action = XFRM_POLICY_ALLOW;
2051 policy_info->share = XFRM_SHARE_ANY;
2052 pthread_mutex_unlock(&this->mutex);
2053
2054 /* policies don't expire */
2055 policy_info->lft.soft_byte_limit = XFRM_INF;
2056 policy_info->lft.soft_packet_limit = XFRM_INF;
2057 policy_info->lft.hard_byte_limit = XFRM_INF;
2058 policy_info->lft.hard_packet_limit = XFRM_INF;
2059 policy_info->lft.soft_add_expires_seconds = 0;
2060 policy_info->lft.hard_add_expires_seconds = 0;
2061 policy_info->lft.soft_use_expires_seconds = 0;
2062 policy_info->lft.hard_use_expires_seconds = 0;
2063
2064 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2065 rthdr->rta_type = XFRMA_TMPL;
2066
2067 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
2068 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
2069
2070 hdr->nlmsg_len += rthdr->rta_len;
2071 if (hdr->nlmsg_len > sizeof(request))
2072 {
2073 return FAILED;
2074 }
2075
2076 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2077 tmpl->reqid = reqid;
2078 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
2079 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2080 tmpl->mode = mode;
2081 tmpl->family = src->get_family(src);
2082
2083 host2xfrm(src, &tmpl->saddr);
2084 host2xfrm(dst, &tmpl->id.daddr);
2085
2086 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2087 {
2088 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
2089 return FAILED;
2090 }
2091
2092 /* install a route, if:
2093 * - we are NOT updating a policy
2094 * - this is a forward policy (to just get one for each child)
2095 * - we are in tunnel mode
2096 * - we are not using IPv6 (does not work correctly yet!)
2097 */
2098 if (policy->route == NULL && direction == POLICY_FWD &&
2099 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6)
2100 {
2101 policy->route = malloc_thing(route_entry_t);
2102 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2103 {
2104 policy->route->gateway = dst->clone(dst);
2105 policy->route->if_index = get_interface_index(this, dst);
2106 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2107 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
2108 policy->route->prefixlen = policy->sel.prefixlen_s;
2109
2110 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
2111 policy->route) != SUCCESS)
2112 {
2113 DBG1(DBG_KNL, "unable to install source route for %H",
2114 policy->route->src_ip);
2115 route_entry_destroy(policy->route);
2116 policy->route = NULL;
2117 }
2118 }
2119 else
2120 {
2121 free(policy->route);
2122 policy->route = NULL;
2123 }
2124 }
2125
2126 return SUCCESS;
2127 }
2128
2129 /**
2130 * Implementation of kernel_interface_t.query_policy.
2131 */
2132 static status_t query_policy(private_kernel_interface_t *this,
2133 traffic_selector_t *src_ts,
2134 traffic_selector_t *dst_ts,
2135 policy_dir_t direction, u_int32_t *use_time)
2136 {
2137 unsigned char request[BUFFER_SIZE];
2138 struct nlmsghdr *out = NULL, *hdr;
2139 struct xfrm_userpolicy_id *policy_id;
2140 struct xfrm_userpolicy_info *policy = NULL;
2141 size_t len;
2142
2143 memset(&request, 0, sizeof(request));
2144
2145 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
2146
2147 hdr = (struct nlmsghdr*)request;
2148 hdr->nlmsg_flags = NLM_F_REQUEST;
2149 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2150 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2151
2152 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2153 policy_id->sel = ts2selector(src_ts, dst_ts);
2154 policy_id->dir = direction;
2155
2156 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2157 {
2158 hdr = out;
2159 while (NLMSG_OK(hdr, len))
2160 {
2161 switch (hdr->nlmsg_type)
2162 {
2163 case XFRM_MSG_NEWPOLICY:
2164 {
2165 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2166 break;
2167 }
2168 case NLMSG_ERROR:
2169 {
2170 struct nlmsgerr *err = NLMSG_DATA(hdr);
2171 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2172 strerror(-err->error), -err->error);
2173 break;
2174 }
2175 default:
2176 hdr = NLMSG_NEXT(hdr, len);
2177 continue;
2178 case NLMSG_DONE:
2179 break;
2180 }
2181 break;
2182 }
2183 }
2184
2185 if (policy == NULL)
2186 {
2187 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
2188 free(out);
2189 return FAILED;
2190 }
2191 *use_time = (time_t)policy->curlft.use_time;
2192
2193 free(out);
2194 return SUCCESS;
2195 }
2196
2197 /**
2198 * Implementation of kernel_interface_t.del_policy.
2199 */
2200 static status_t del_policy(private_kernel_interface_t *this,
2201 traffic_selector_t *src_ts,
2202 traffic_selector_t *dst_ts,
2203 policy_dir_t direction)
2204 {
2205 policy_entry_t *current, policy, *to_delete = NULL;
2206 route_entry_t *route;
2207 unsigned char request[BUFFER_SIZE];
2208 struct nlmsghdr *hdr;
2209 struct xfrm_userpolicy_id *policy_id;
2210 iterator_t *iterator;
2211
2212 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
2213
2214 /* create a policy */
2215 memset(&policy, 0, sizeof(policy_entry_t));
2216 policy.sel = ts2selector(src_ts, dst_ts);
2217 policy.direction = direction;
2218
2219 /* find the policy */
2220 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2221 while (iterator->iterate(iterator, (void**)&current))
2222 {
2223 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2224 policy.direction == current->direction)
2225 {
2226 to_delete = current;
2227 if (--to_delete->refcount > 0)
2228 {
2229 /* is used by more SAs, keep in kernel */
2230 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2231 iterator->destroy(iterator);
2232 return SUCCESS;
2233 }
2234 /* remove if last reference */
2235 iterator->remove(iterator);
2236 break;
2237 }
2238 }
2239 iterator->destroy(iterator);
2240 if (!to_delete)
2241 {
2242 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
2243 return NOT_FOUND;
2244 }
2245
2246 memset(&request, 0, sizeof(request));
2247
2248 hdr = (struct nlmsghdr*)request;
2249 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2250 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2251 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2252
2253 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2254 policy_id->sel = to_delete->sel;
2255 policy_id->dir = direction;
2256
2257 route = to_delete->route;
2258 free(to_delete);
2259
2260 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2261 {
2262 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
2263 return FAILED;
2264 }
2265
2266 if (route)
2267 {
2268 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2269 {
2270 DBG1(DBG_KNL, "error uninstalling route installed with "
2271 "policy %R===%R", src_ts, dst_ts);
2272 }
2273 route_entry_destroy(route);
2274 }
2275 return SUCCESS;
2276 }
2277
2278 /**
2279 * Implementation of kernel_interface_t.destroy.
2280 */
2281 static void destroy(private_kernel_interface_t *this)
2282 {
2283 this->job->cancel(this->job);
2284 close(this->socket_xfrm_events);
2285 close(this->socket_xfrm);
2286 close(this->socket_rt_events);
2287 close(this->socket_rt);
2288 this->policies->destroy(this->policies);
2289 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
2290 free(this);
2291 }
2292
2293 /*
2294 * Described in header.
2295 */
2296 kernel_interface_t *kernel_interface_create()
2297 {
2298 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2299 struct sockaddr_nl addr;
2300
2301
2302 /* public functions */
2303 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2304 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
2305 this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
2306 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2307 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2308 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
2309 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2310 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2311 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2312 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2313 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
2314 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2315 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
2316 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2317
2318 /* private members */
2319 this->policies = linked_list_create();
2320 this->ifaces = linked_list_create();
2321 this->hiter = NULL;
2322 this->seq = 200;
2323 pthread_mutex_init(&this->mutex,NULL);
2324
2325 memset(&addr, 0, sizeof(addr));
2326 addr.nl_family = AF_NETLINK;
2327
2328 /* create and bind RT socket */
2329 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2330 if (this->socket_rt <= 0)
2331 {
2332 charon->kill(charon, "unable to create RT netlink socket");
2333 }
2334 addr.nl_groups = 0;
2335 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
2336 {
2337 charon->kill(charon, "unable to bind RT netlink socket");
2338 }
2339
2340 /* create and bind RT socket for events (address/interface/route changes) */
2341 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2342 if (this->socket_rt_events <= 0)
2343 {
2344 charon->kill(charon, "unable to create RT event socket");
2345 }
2346 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
2347 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
2348 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
2349 {
2350 charon->kill(charon, "unable to bind RT event socket");
2351 }
2352
2353 /* create and bind XFRM socket */
2354 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2355 if (this->socket_xfrm <= 0)
2356 {
2357 charon->kill(charon, "unable to create XFRM netlink socket");
2358 }
2359 addr.nl_groups = 0;
2360 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
2361 {
2362 charon->kill(charon, "unable to bind XFRM netlink socket");
2363 }
2364
2365 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2366 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2367 if (this->socket_xfrm_events <= 0)
2368 {
2369 charon->kill(charon, "unable to create XFRM event socket");
2370 }
2371 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
2372 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2373 {
2374 charon->kill(charon, "unable to bind XFRM event socket");
2375 }
2376
2377 this->job = callback_job_create((callback_job_cb_t)receive_events,
2378 this, NULL, NULL);
2379 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2380
2381 if (init_address_list(this) != SUCCESS)
2382 {
2383 charon->kill(charon, "unable to get interface list");
2384 }
2385
2386 return &this->public;
2387 }
2388
strongSwan - IPsec VPN