2 * @file kernel_interface.c
4 * @brief Implementation of kernel_interface_t.
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
17 * Based on xfrm code from pluto.
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
42 #include <sys/ioctl.h>
44 #include "kernel_interface.h"
47 #include <utils/linked_list.h>
48 #include <processing/jobs/delete_child_sa_job.h>
49 #include <processing/jobs/rekey_child_sa_job.h>
50 #include <processing/jobs/acquire_job.h>
51 #include <processing/jobs/callback_job.h>
52 #include <processing/jobs/roam_job.h>
54 /** kernel level protocol identifiers */
58 /** default priority of installed policies */
60 #define PRIO_HIGH 2000
62 #define BUFFER_SIZE 1024
65 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
66 * 'usual' netlink data x like 'struct xfrm_usersa_info'
68 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
70 * returns a pointer to the next rtattr following rta.
71 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
73 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
75 * returns the total size of attached rta data
76 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
78 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
80 typedef struct kernel_algorithm_t kernel_algorithm_t
;
83 * Mapping from the algorithms defined in IKEv2 to
84 * kernel level algorithm names and their key length
86 struct kernel_algorithm_t
{
88 * Identifier specified in IKEv2
93 * Name of the algorithm, as used as kernel identifier
98 * Key length in bits, if fixed size
102 #define END_OF_LIST -1
105 * Algorithms for encryption
107 kernel_algorithm_t encryption_algs
[] = {
108 /* {ENCR_DES_IV64, "***", 0}, */
109 {ENCR_DES
, "des", 64},
110 {ENCR_3DES
, "des3_ede", 192},
111 /* {ENCR_RC5, "***", 0}, */
112 /* {ENCR_IDEA, "***", 0}, */
113 {ENCR_CAST
, "cast128", 0},
114 {ENCR_BLOWFISH
, "blowfish", 0},
115 /* {ENCR_3IDEA, "***", 0}, */
116 /* {ENCR_DES_IV32, "***", 0}, */
117 {ENCR_NULL
, "cipher_null", 0},
118 {ENCR_AES_CBC
, "aes", 0},
119 /* {ENCR_AES_CTR, "***", 0}, */
120 {END_OF_LIST
, NULL
, 0},
124 * Algorithms for integrity protection
126 kernel_algorithm_t integrity_algs
[] = {
127 {AUTH_HMAC_MD5_96
, "md5", 128},
128 {AUTH_HMAC_SHA1_96
, "sha1", 160},
129 {AUTH_HMAC_SHA2_256_128
, "sha256", 256},
130 {AUTH_HMAC_SHA2_384_192
, "sha384", 384},
131 {AUTH_HMAC_SHA2_512_256
, "sha512", 512},
132 /* {AUTH_DES_MAC, "***", 0}, */
133 /* {AUTH_KPDK_MD5, "***", 0}, */
134 {AUTH_AES_XCBC_96
, "xcbc(aes)", 128},
135 {END_OF_LIST
, NULL
, 0},
139 * Look up a kernel algorithm name and its key size
141 char* lookup_algorithm(kernel_algorithm_t
*kernel_algo
,
142 algorithm_t
*ikev2_algo
, u_int
*key_size
)
144 while (kernel_algo
->ikev2_id
!= END_OF_LIST
)
146 if (ikev2_algo
->algorithm
== kernel_algo
->ikev2_id
)
148 /* match, evaluate key length */
149 if (ikev2_algo
->key_size
)
150 { /* variable length */
151 *key_size
= ikev2_algo
->key_size
;
155 *key_size
= kernel_algo
->key_size
;
157 return kernel_algo
->name
;
164 typedef struct route_entry_t route_entry_t
;
167 * installed routing entry
169 struct route_entry_t
{
171 /** Index of the interface the route is bound to */
174 /** Source ip of the route */
177 /** gateway for this route */
180 /** Destination net */
183 /** Destination net prefixlen */
188 * destroy an route_entry_t object
190 static void route_entry_destroy(route_entry_t
*this)
192 this->src_ip
->destroy(this->src_ip
);
193 this->gateway
->destroy(this->gateway
);
194 chunk_free(&this->dst_net
);
198 typedef struct policy_entry_t policy_entry_t
;
201 * installed kernel policy.
203 struct policy_entry_t
{
205 /** direction of this policy: in, out, forward */
208 /** reqid of the policy */
211 /** parameters of installed policy */
212 struct xfrm_selector sel
;
214 /** associated route installed for this policy */
215 route_entry_t
*route
;
217 /** by how many CHILD_SA's this policy is used */
221 typedef struct addr_entry_t addr_entry_t
;
224 * IP address in an inface_entry_t
226 struct addr_entry_t
{
228 /** The ip address */
231 /** Number of times this IP is used, if virtual */
236 * destroy a addr_entry_t object
238 static void addr_entry_destroy(addr_entry_t
*this)
240 this->ip
->destroy(this->ip
);
244 typedef struct iface_entry_t iface_entry_t
;
247 * A network interface on this system, containing addr_entry_t's
249 struct iface_entry_t
{
251 /** interface index */
254 /** name of the interface */
255 char ifname
[IFNAMSIZ
];
257 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
260 /** list of addresses as host_t */
261 linked_list_t
*addrs
;
265 * destroy an interface entry
267 static void iface_entry_destroy(iface_entry_t
*this)
269 this->addrs
->destroy_function(this->addrs
, (void*)addr_entry_destroy
);
273 typedef struct private_kernel_interface_t private_kernel_interface_t
;
276 * Private variables and functions of kernel_interface class.
278 struct private_kernel_interface_t
{
280 * Public part of the kernel_interface_t object.
282 kernel_interface_t
public;
285 * mutex to lock access to the various lists
287 pthread_mutex_t mutex
;
290 * List of installed policies (policy_entry_t)
292 linked_list_t
*policies
;
295 * Cached list of interfaces and its adresses (iface_entry_t)
297 linked_list_t
*ifaces
;
300 * iterator used in hook()
305 * job receiving netlink events
310 * current sequence number for netlink request
315 * Netlink xfrm socket (IPsec)
320 * netlink xfrm socket to receive acquire and expire events
322 int socket_xfrm_events
;
325 * Netlink rt socket (routing)
330 * Netlink rt socket to receive address change events
332 int socket_rt_events
;
336 * convert a host_t to a struct xfrm_address
338 static void host2xfrm(host_t
*host
, xfrm_address_t
*xfrm
)
340 chunk_t chunk
= host
->get_address(host
);
341 memcpy(xfrm
, chunk
.ptr
, min(chunk
.len
, sizeof(xfrm_address_t
)));
345 * convert a traffic selector address range to subnet and its mask.
347 static void ts2subnet(traffic_selector_t
* ts
,
348 xfrm_address_t
*net
, u_int8_t
*mask
)
350 /* there is no way to do this cleanly, as the address range may
351 * be anything else but a subnet. We use from_addr as subnet
352 * and try to calculate a usable subnet mask.
357 size_t size
= (ts
->get_type(ts
) == TS_IPV4_ADDR_RANGE
) ?
4 : 16;
359 from
= ts
->get_from_address(ts
);
360 to
= ts
->get_to_address(ts
);
363 /* go trough all bits of the addresses, beginning in the front.
364 * as long as they are equal, the subnet gets larger
366 for (byte
= 0; byte
< size
; byte
++)
368 for (bit
= 7; bit
>= 0; bit
--)
370 if ((1<<bit
& from
.ptr
[byte
]) != (1<<bit
& to
.ptr
[byte
]))
372 *mask
= ((7 - bit
) + (byte
* 8));
382 memcpy(net
, from
.ptr
, from
.len
);
388 * convert a traffic selector port range to port/portmask
390 static void ts2ports(traffic_selector_t
* ts
,
391 u_int16_t
*port
, u_int16_t
*mask
)
393 /* linux does not seem to accept complex portmasks. Only
394 * any or a specific port is allowed. We set to any, if we have
395 * a port range, or to a specific, if we have one port only.
399 from
= ts
->get_from_port(ts
);
400 to
= ts
->get_to_port(ts
);
415 * convert a pair of traffic_selectors to a xfrm_selector
417 static struct xfrm_selector
ts2selector(traffic_selector_t
*src
,
418 traffic_selector_t
*dst
)
420 struct xfrm_selector sel
;
422 memset(&sel
, 0, sizeof(sel
));
423 sel
.family
= src
->get_type(src
) == TS_IPV4_ADDR_RANGE ? AF_INET
: AF_INET6
;
424 /* src or dest proto may be "any" (0), use more restrictive one */
425 sel
.proto
= max(src
->get_protocol(src
), dst
->get_protocol(dst
));
426 ts2subnet(dst
, &sel
.daddr
, &sel
.prefixlen_d
);
427 ts2subnet(src
, &sel
.saddr
, &sel
.prefixlen_s
);
428 ts2ports(dst
, &sel
.dport
, &sel
.dport_mask
);
429 ts2ports(src
, &sel
.sport
, &sel
.sport_mask
);
437 * Creates an rtattr and adds it to the netlink message
439 static void add_attribute(struct nlmsghdr
*hdr
, int rta_type
, chunk_t data
,
444 if (NLMSG_ALIGN(hdr
->nlmsg_len
) + RTA_ALIGN(data
.len
) > buflen
)
446 DBG1(DBG_KNL
, "unable to add attribute, buffer too small");
450 rta
= (struct rtattr
*)(((char*)hdr
) + NLMSG_ALIGN(hdr
->nlmsg_len
));
451 rta
->rta_type
= rta_type
;
452 rta
->rta_len
= RTA_LENGTH(data
.len
);
453 memcpy(RTA_DATA(rta
), data
.ptr
, data
.len
);
454 hdr
->nlmsg_len
= NLMSG_ALIGN(hdr
->nlmsg_len
) + rta
->rta_len
;
458 * process a XFRM_MSG_ACQUIRE from kernel
460 static void process_acquire(private_kernel_interface_t
*this, struct nlmsghdr
*hdr
)
464 struct rtattr
*rtattr
= XFRM_RTA(hdr
, struct xfrm_user_acquire
);
465 size_t rtsize
= XFRM_PAYLOAD(hdr
, struct xfrm_user_tmpl
);
467 if (RTA_OK(rtattr
, rtsize
))
469 if (rtattr
->rta_type
== XFRMA_TMPL
)
471 struct xfrm_user_tmpl
* tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rtattr
);
477 DBG1(DBG_KNL
, "received a XFRM_MSG_ACQUIRE, but no reqid found");
480 DBG2(DBG_KNL
, "received a XFRM_MSG_ACQUIRE");
481 DBG1(DBG_KNL
, "creating acquire job for CHILD_SA with reqid %d", reqid
);
482 job
= (job_t
*)acquire_job_create(reqid
);
483 charon
->processor
->queue_job(charon
->processor
, job
);
487 * process a XFRM_MSG_EXPIRE from kernel
489 static void process_expire(private_kernel_interface_t
*this, struct nlmsghdr
*hdr
)
492 protocol_id_t protocol
;
493 u_int32_t spi
, reqid
;
494 struct xfrm_user_expire
*expire
;
496 expire
= (struct xfrm_user_expire
*)NLMSG_DATA(hdr
);
497 protocol
= expire
->state
.id
.proto
== KERNEL_ESP ? PROTO_ESP
: PROTO_AH
;
498 spi
= expire
->state
.id
.spi
;
499 reqid
= expire
->state
.reqid
;
501 DBG2(DBG_KNL
, "received a XFRM_MSG_EXPIRE");
502 DBG1(DBG_KNL
, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
503 expire
->hard ?
"delete" : "rekey", protocol_id_names
,
504 protocol
, ntohl(spi
), reqid
);
507 job
= (job_t
*)delete_child_sa_job_create(reqid
, protocol
, spi
);
511 job
= (job_t
*)rekey_child_sa_job_create(reqid
, protocol
, spi
);
513 charon
->processor
->queue_job(charon
->processor
, job
);
517 * process RTM_NEWLINK/RTM_DELLINK from kernel
519 static void process_link(private_kernel_interface_t
*this,
520 struct nlmsghdr
*hdr
, bool event
)
522 struct ifinfomsg
* msg
= (struct ifinfomsg
*)(NLMSG_DATA(hdr
));
523 struct rtattr
*rta
= IFLA_RTA(msg
);
524 size_t rtasize
= IFLA_PAYLOAD (hdr
);
525 iterator_t
*iterator
;
526 iface_entry_t
*current
, *entry
= NULL
;
530 while(RTA_OK(rta
, rtasize
))
532 switch (rta
->rta_type
)
535 name
= RTA_DATA(rta
);
538 rta
= RTA_NEXT(rta
, rtasize
);
545 switch (hdr
->nlmsg_type
)
549 if (msg
->ifi_flags
& IFF_LOOPBACK
)
550 { /* ignore loopback interfaces */
553 iterator
= this->ifaces
->create_iterator_locked(this->ifaces
,
555 while (iterator
->iterate(iterator
, (void**)¤t
))
557 if (current
->ifindex
== msg
->ifi_index
)
565 entry
= malloc_thing(iface_entry_t
);
566 entry
->ifindex
= msg
->ifi_index
;
568 entry
->addrs
= linked_list_create();
569 this->ifaces
->insert_last(this->ifaces
, entry
);
571 memcpy(entry
->ifname
, name
, IFNAMSIZ
);
572 entry
->ifname
[IFNAMSIZ
-1] = '\0';
575 if (!(entry
->flags
& IFF_UP
) && (msg
->ifi_flags
& IFF_UP
))
578 DBG1(DBG_KNL
, "interface %s activated", name
);
580 if ((entry
->flags
& IFF_UP
) && !(msg
->ifi_flags
& IFF_UP
))
583 DBG1(DBG_KNL
, "interface %s deactivated", name
);
586 entry
->flags
= msg
->ifi_flags
;
587 iterator
->destroy(iterator
);
592 iterator
= this->ifaces
->create_iterator_locked(this->ifaces
,
594 while (iterator
->iterate(iterator
, (void**)¤t
))
596 if (current
->ifindex
== msg
->ifi_index
)
598 /* we do not remove it, as an address may be added to a
599 * "down" interface and we wan't to know that. */
600 current
->flags
= msg
->ifi_flags
;
604 iterator
->destroy(iterator
);
609 /* send an update to all IKE_SAs */
612 charon
->processor
->queue_job(charon
->processor
, (job_t
*)roam_job_create());
617 * process RTM_NEWADDR/RTM_DELADDR from kernel
619 static void process_addr(private_kernel_interface_t
*this,
620 struct nlmsghdr
*hdr
, bool event
)
622 struct ifaddrmsg
* msg
= (struct ifaddrmsg
*)(NLMSG_DATA(hdr
));
623 struct rtattr
*rta
= IFA_RTA(msg
);
624 size_t rtasize
= IFA_PAYLOAD (hdr
);
626 iterator_t
*ifaces
, *addrs
;
627 iface_entry_t
*iface
;
629 chunk_t local
= chunk_empty
, address
= chunk_empty
;
630 bool update
= FALSE
, found
= FALSE
;
632 while(RTA_OK(rta
, rtasize
))
634 switch (rta
->rta_type
)
637 local
.ptr
= RTA_DATA(rta
);
638 local
.len
= RTA_PAYLOAD(rta
);
641 address
.ptr
= RTA_DATA(rta
);
642 address
.len
= RTA_PAYLOAD(rta
);
645 rta
= RTA_NEXT(rta
, rtasize
);
648 /* For PPP interfaces, we need the IFA_LOCAL address,
649 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
650 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
653 host
= host_create_from_chunk(msg
->ifa_family
, local
, 0);
655 else if (address
.ptr
)
657 host
= host_create_from_chunk(msg
->ifa_family
, address
, 0);
665 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
666 while (ifaces
->iterate(ifaces
, (void**)&iface
))
668 if (iface
->ifindex
== msg
->ifa_index
)
670 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
671 while (addrs
->iterate(addrs
, (void**)&addr
))
673 if (host
->ip_equals(host
, addr
->ip
))
676 if (hdr
->nlmsg_type
== RTM_DELADDR
)
678 addrs
->remove(addrs
);
679 addr_entry_destroy(addr
);
680 DBG1(DBG_KNL
, "%H disappeared from %s", host
, iface
->ifname
);
684 addrs
->destroy(addrs
);
686 if (hdr
->nlmsg_type
== RTM_NEWADDR
)
691 addr
= malloc_thing(addr_entry_t
);
692 addr
->ip
= host
->clone(host
);
695 iface
->addrs
->insert_last(iface
->addrs
, addr
);
698 DBG1(DBG_KNL
, "%H appeared on %s", host
, iface
->ifname
);
702 if (found
&& (iface
->flags
& IFF_UP
))
709 ifaces
->destroy(ifaces
);
712 /* send an update to all IKE_SAs */
715 charon
->processor
->queue_job(charon
->processor
, (job_t
*)roam_job_create());
720 * Receives events from kernel
722 static job_requeue_t
receive_events(private_kernel_interface_t
*this)
725 struct nlmsghdr
*hdr
= (struct nlmsghdr
*)response
;
726 struct sockaddr_nl addr
;
727 socklen_t addr_len
= sizeof(addr
);
728 int len
, oldstate
, maxfd
, selected
;
732 FD_SET(this->socket_xfrm_events
, &rfds
);
733 FD_SET(this->socket_rt_events
, &rfds
);
734 maxfd
= max(this->socket_xfrm_events
, this->socket_rt_events
);
736 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE
, &oldstate
);
737 selected
= select(maxfd
+ 1, &rfds
, NULL
, NULL
, NULL
);
738 pthread_setcancelstate(oldstate
, NULL
);
741 DBG1(DBG_KNL
, "selecting on sockets failed: %s", strerror(errno
));
742 return JOB_REQUEUE_FAIR
;
744 if (FD_ISSET(this->socket_xfrm_events
, &rfds
))
746 selected
= this->socket_xfrm_events
;
748 else if (FD_ISSET(this->socket_rt_events
, &rfds
))
750 selected
= this->socket_rt_events
;
754 return JOB_REQUEUE_DIRECT
;
757 len
= recvfrom(selected
, response
, sizeof(response
), MSG_DONTWAIT
,
758 (struct sockaddr
*)&addr
, &addr_len
);
764 /* interrupted, try again */
765 return JOB_REQUEUE_DIRECT
;
767 /* no data ready, select again */
768 return JOB_REQUEUE_DIRECT
;
770 DBG1(DBG_KNL
, "unable to receive from xfrm event socket");
772 return JOB_REQUEUE_FAIR
;
775 if (addr
.nl_pid
!= 0)
776 { /* not from kernel. not interested, try another one */
777 return JOB_REQUEUE_DIRECT
;
780 while (NLMSG_OK(hdr
, len
))
782 /* looks good so far, dispatch netlink message */
783 if (selected
== this->socket_xfrm_events
)
785 switch (hdr
->nlmsg_type
)
787 case XFRM_MSG_ACQUIRE
:
788 process_acquire(this, hdr
);
790 case XFRM_MSG_EXPIRE
:
791 process_expire(this, hdr
);
797 else if (selected
== this->socket_rt_events
)
799 switch (hdr
->nlmsg_type
)
803 process_addr(this, hdr
, TRUE
);
807 process_link(this, hdr
, TRUE
);
811 charon
->processor
->queue_job(charon
->processor
,
812 (job_t
*)roam_job_create());
818 hdr
= NLMSG_NEXT(hdr
, len
);
820 return JOB_REQUEUE_DIRECT
;
824 * send a netlink message and wait for a reply
826 static status_t
netlink_send(private_kernel_interface_t
*this,
827 int socket
, struct nlmsghdr
*in
,
828 struct nlmsghdr
**out
, size_t *out_len
)
831 struct sockaddr_nl addr
;
832 chunk_t result
= chunk_empty
, tmp
;
833 struct nlmsghdr
*msg
, peek
;
835 pthread_mutex_lock(&this->mutex
);
837 in
->nlmsg_seq
= ++this->seq
;
838 in
->nlmsg_pid
= getpid();
840 memset(&addr
, 0, sizeof(addr
));
841 addr
.nl_family
= AF_NETLINK
;
847 len
= sendto(socket
, in
, in
->nlmsg_len
, 0,
848 (struct sockaddr
*)&addr
, sizeof(addr
));
850 if (len
!= in
->nlmsg_len
)
854 /* interrupted, try again */
857 pthread_mutex_unlock(&this->mutex
);
858 DBG1(DBG_KNL
, "error sending to netlink socket: %s", strerror(errno
));
867 tmp
.len
= sizeof(buf
);
869 msg
= (struct nlmsghdr
*)tmp
.ptr
;
871 memset(&addr
, 0, sizeof(addr
));
872 addr
.nl_family
= AF_NETLINK
;
873 addr
.nl_pid
= getpid();
875 addr_len
= sizeof(addr
);
877 len
= recvfrom(socket
, tmp
.ptr
, tmp
.len
, 0,
878 (struct sockaddr
*)&addr
, &addr_len
);
884 DBG1(DBG_KNL
, "got interrupted");
885 /* interrupted, try again */
888 DBG1(DBG_KNL
, "error reading from netlink socket: %s", strerror(errno
));
889 pthread_mutex_unlock(&this->mutex
);
892 if (!NLMSG_OK(msg
, len
))
894 DBG1(DBG_KNL
, "received corrupted netlink message");
895 pthread_mutex_unlock(&this->mutex
);
898 if (msg
->nlmsg_seq
!= this->seq
)
900 DBG1(DBG_KNL
, "received invalid netlink sequence number");
901 if (msg
->nlmsg_seq
< this->seq
)
905 pthread_mutex_unlock(&this->mutex
);
910 result
= chunk_cata("cc", result
, tmp
);
912 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
913 * numbers to detect multi header messages */
914 len
= recvfrom(socket
, &peek
, sizeof(peek
), MSG_PEEK
| MSG_DONTWAIT
,
915 (struct sockaddr
*)&addr
, &addr_len
);
917 if (len
== sizeof(peek
) && peek
.nlmsg_seq
== this->seq
)
919 /* seems to be multipart */
925 *out_len
= result
.len
;
926 *out
= (struct nlmsghdr
*)clalloc(result
.ptr
, result
.len
);
928 pthread_mutex_unlock(&this->mutex
);
934 * send a netlink message and wait for its acknowlegde
936 static status_t
netlink_send_ack(private_kernel_interface_t
*this,
937 int socket
, struct nlmsghdr
*in
)
939 struct nlmsghdr
*out
, *hdr
;
942 if (netlink_send(this, socket
, in
, &out
, &len
) != SUCCESS
)
947 while (NLMSG_OK(hdr
, len
))
949 switch (hdr
->nlmsg_type
)
953 struct nlmsgerr
* err
= (struct nlmsgerr
*)NLMSG_DATA(hdr
);
957 DBG1(DBG_KNL
, "received netlink error: %s (%d)",
958 strerror(-err
->error
), -err
->error
);
966 hdr
= NLMSG_NEXT(hdr
, len
);
973 DBG1(DBG_KNL
, "netlink request not acknowlegded");
979 * Initialize a list of local addresses.
981 static status_t
init_address_list(private_kernel_interface_t
*this)
983 char request
[BUFFER_SIZE
];
984 struct nlmsghdr
*out
, *current
, *in
;
985 struct rtgenmsg
*msg
;
987 iterator_t
*ifaces
, *addrs
;
988 iface_entry_t
*iface
;
991 DBG1(DBG_KNL
, "listening on interfaces:");
993 memset(&request
, 0, sizeof(request
));
995 in
= (struct nlmsghdr
*)&request
;
996 in
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct rtgenmsg
));
997 in
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_MATCH
| NLM_F_ROOT
;
998 msg
= (struct rtgenmsg
*)NLMSG_DATA(in
);
999 msg
->rtgen_family
= AF_UNSPEC
;
1002 in
->nlmsg_type
= RTM_GETLINK
;
1003 if (netlink_send(this, this->socket_rt
, in
, &out
, &len
) != SUCCESS
)
1008 while (NLMSG_OK(current
, len
))
1010 switch (current
->nlmsg_type
)
1015 process_link(this, current
, FALSE
);
1018 current
= NLMSG_NEXT(current
, len
);
1025 /* get all interface addresses */
1026 in
->nlmsg_type
= RTM_GETADDR
;
1027 if (netlink_send(this, this->socket_rt
, in
, &out
, &len
) != SUCCESS
)
1032 while (NLMSG_OK(current
, len
))
1034 switch (current
->nlmsg_type
)
1039 process_addr(this, current
, FALSE
);
1042 current
= NLMSG_NEXT(current
, len
);
1049 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1050 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1052 if (iface
->flags
& IFF_UP
)
1054 DBG1(DBG_KNL
, " %s", iface
->ifname
);
1055 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1056 while (addrs
->iterate(addrs
, (void**)&addr
))
1058 DBG1(DBG_KNL
, " %H", addr
->ip
);
1060 addrs
->destroy(addrs
);
1063 ifaces
->destroy(ifaces
);
1068 * iterator hook to iterate over addrs
1070 static hook_result_t
addr_hook(private_kernel_interface_t
*this,
1071 addr_entry_t
*in
, host_t
**out
)
1078 * iterator hook to iterate over ifaces
1080 static hook_result_t
iface_hook(private_kernel_interface_t
*this,
1081 iface_entry_t
*in
, host_t
**out
)
1083 if (!(in
->flags
& IFF_UP
))
1084 { /* skip interfaces not up */
1088 if (this->hiter
== NULL
)
1090 this->hiter
= in
->addrs
->create_iterator(in
->addrs
, TRUE
);
1091 this->hiter
->set_iterator_hook(this->hiter
,
1092 (iterator_hook_t
*)addr_hook
, this);
1094 while (this->hiter
->iterate(this->hiter
, (void**)out
))
1098 this->hiter
->destroy(this->hiter
);
1104 * Implements kernel_interface_t.create_address_iterator.
1106 static iterator_t
*create_address_iterator(private_kernel_interface_t
*this)
1108 iterator_t
*iterator
;
1110 iterator
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1111 iterator
->set_iterator_hook(iterator
, (iterator_hook_t
*)iface_hook
, this);
1116 * implementation of kernel_interface_t.get_interface_name
1118 static char *get_interface_name(private_kernel_interface_t
*this, host_t
* ip
)
1120 iterator_t
*ifaces
, *addrs
;
1121 iface_entry_t
*iface
;
1125 DBG2(DBG_KNL
, "getting interface name for %H", ip
);
1127 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1128 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1130 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1131 while (addrs
->iterate(addrs
, (void**)&addr
))
1133 if (ip
->ip_equals(ip
, addr
->ip
))
1135 name
= strdup(iface
->ifname
);
1139 addrs
->destroy(addrs
);
1145 ifaces
->destroy(ifaces
);
1149 DBG2(DBG_KNL
, "%H is on interface %s", ip
, name
);
1153 DBG2(DBG_KNL
, "%H is not a local address", ip
);
1159 * Tries to find an ip address of a local interface that is included in the
1160 * supplied traffic selector.
1162 static status_t
get_address_by_ts(private_kernel_interface_t
*this,
1163 traffic_selector_t
*ts
, host_t
**ip
)
1165 iterator_t
*ifaces
, *addrs
;
1166 iface_entry_t
*iface
;
1172 DBG2(DBG_KNL
, "getting a local address in traffic selector %R", ts
);
1174 /* if we have a family which includes localhost, we do not
1175 * search for an IP, we use the default */
1176 family
= ts
->get_type(ts
) == TS_IPV4_ADDR_RANGE ? AF_INET
: AF_INET6
;
1178 if (family
== AF_INET
)
1180 host
= host_create_from_string("127.0.0.1", 0);
1184 host
= host_create_from_string("::1", 0);
1187 if (ts
->includes(ts
, host
))
1189 *ip
= host_create_any(family
);
1190 host
->destroy(host
);
1191 DBG2(DBG_KNL
, "using host %H", *ip
);
1194 host
->destroy(host
);
1196 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1197 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1199 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1200 while (addrs
->iterate(addrs
, (void**)&addr
))
1202 if (ts
->includes(ts
, addr
->ip
))
1205 *ip
= addr
->ip
->clone(addr
->ip
);
1209 addrs
->destroy(addrs
);
1215 ifaces
->destroy(ifaces
);
1219 DBG1(DBG_KNL
, "no local address found in traffic selector %R", ts
);
1222 DBG2(DBG_KNL
, "using host %H", *ip
);
1227 * get the interface of a local address
1229 static int get_interface_index(private_kernel_interface_t
*this, host_t
* ip
)
1231 iterator_t
*ifaces
, *addrs
;
1232 iface_entry_t
*iface
;
1236 DBG2(DBG_KNL
, "getting iface for %H", ip
);
1238 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1239 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1241 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1242 while (addrs
->iterate(addrs
, (void**)&addr
))
1244 if (ip
->ip_equals(ip
, addr
->ip
))
1246 ifindex
= iface
->ifindex
;
1250 addrs
->destroy(addrs
);
1256 ifaces
->destroy(ifaces
);
1260 DBG1(DBG_KNL
, "unable to get interface for %H", ip
);
1266 * Manages the creation and deletion of ip addresses on an interface.
1267 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1269 static status_t
manage_ipaddr(private_kernel_interface_t
*this, int nlmsg_type
,
1270 int flags
, int if_index
, host_t
*ip
)
1272 unsigned char request
[BUFFER_SIZE
];
1273 struct nlmsghdr
*hdr
;
1274 struct ifaddrmsg
*msg
;
1277 memset(&request
, 0, sizeof(request
));
1279 chunk
= ip
->get_address(ip
);
1281 hdr
= (struct nlmsghdr
*)request
;
1282 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
| flags
;
1283 hdr
->nlmsg_type
= nlmsg_type
;
1284 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct ifaddrmsg
));
1286 msg
= (struct ifaddrmsg
*)NLMSG_DATA(hdr
);
1287 msg
->ifa_family
= ip
->get_family(ip
);
1289 msg
->ifa_prefixlen
= 8 * chunk
.len
;
1290 msg
->ifa_scope
= RT_SCOPE_UNIVERSE
;
1291 msg
->ifa_index
= if_index
;
1293 add_attribute(hdr
, IFA_LOCAL
, chunk
, sizeof(request
));
1295 return netlink_send_ack(this, this->socket_rt
, hdr
);
1299 * Manages source routes in the routing table.
1300 * By setting the appropriate nlmsg_type, the route added or r.
1302 static status_t
manage_srcroute(private_kernel_interface_t
*this, int nlmsg_type
,
1303 int flags
, route_entry_t
*route
)
1305 unsigned char request
[BUFFER_SIZE
];
1306 struct nlmsghdr
*hdr
;
1310 /* if route is 0.0.0.0/0, we can't install it, as it would
1311 * overwrite the default route. Instead, we add two routes:
1312 * 0.0.0.0/1 and 128.0.0.0/1
1313 * TODO: use metrics instead */
1314 if (route
->prefixlen
== 0)
1319 half
.dst_net
= chunk_alloca(route
->dst_net
.len
);
1320 memset(half
.dst_net
.ptr
, 0, half
.dst_net
.len
);
1321 half
.src_ip
= route
->src_ip
;
1322 half
.gateway
= route
->gateway
;
1323 half
.if_index
= route
->if_index
;
1326 status
= manage_srcroute(this, nlmsg_type
, flags
, &half
);
1327 half
.dst_net
.ptr
[0] |= 0x80;
1328 status
= manage_srcroute(this, nlmsg_type
, flags
, &half
);
1332 memset(&request
, 0, sizeof(request
));
1334 hdr
= (struct nlmsghdr
*)request
;
1335 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
| flags
;
1336 hdr
->nlmsg_type
= nlmsg_type
;
1337 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct rtmsg
));
1339 msg
= (struct rtmsg
*)NLMSG_DATA(hdr
);
1340 msg
->rtm_family
= route
->src_ip
->get_family(route
->src_ip
);
1341 msg
->rtm_dst_len
= route
->prefixlen
;
1342 msg
->rtm_table
= RT_TABLE_MAIN
;
1343 msg
->rtm_protocol
= RTPROT_STATIC
;
1344 msg
->rtm_type
= RTN_UNICAST
;
1345 msg
->rtm_scope
= RT_SCOPE_UNIVERSE
;
1347 add_attribute(hdr
, RTA_DST
, route
->dst_net
, sizeof(request
));
1348 chunk
= route
->src_ip
->get_address(route
->src_ip
);
1349 add_attribute(hdr
, RTA_PREFSRC
, chunk
, sizeof(request
));
1350 chunk
= route
->gateway
->get_address(route
->gateway
);
1351 add_attribute(hdr
, RTA_GATEWAY
, chunk
, sizeof(request
));
1352 chunk
.ptr
= (char*)&route
->if_index
;
1353 chunk
.len
= sizeof(route
->if_index
);
1354 add_attribute(hdr
, RTA_OIF
, chunk
, sizeof(request
));
1356 return netlink_send_ack(this, this->socket_rt
, hdr
);
1360 * Implementation of kernel_interface_t.get_source_addr.
1362 static host_t
* get_source_addr(private_kernel_interface_t
*this, host_t
*dest
)
1364 unsigned char request
[BUFFER_SIZE
];
1365 struct nlmsghdr
*hdr
, *out
, *current
;
1369 host_t
*source
= NULL
;
1371 memset(&request
, 0, sizeof(request
));
1373 hdr
= (struct nlmsghdr
*)request
;
1374 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1375 hdr
->nlmsg_type
= RTM_GETROUTE
;
1376 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct rtmsg
));
1378 msg
= (struct rtmsg
*)NLMSG_DATA(hdr
);
1379 msg
->rtm_family
= dest
->get_family(dest
);
1380 msg
->rtm_dst_len
= msg
->rtm_family
== AF_INET ?
32 : 128;
1381 msg
->rtm_table
= RT_TABLE_MAIN
;
1382 msg
->rtm_protocol
= RTPROT_STATIC
;
1383 msg
->rtm_type
= RTN_UNICAST
;
1384 msg
->rtm_scope
= RT_SCOPE_UNIVERSE
;
1386 chunk
= dest
->get_address(dest
);
1387 add_attribute(hdr
, RTA_DST
, chunk
, sizeof(request
));
1389 if (netlink_send(this, this->socket_rt
, hdr
, &out
, &len
) != SUCCESS
)
1391 DBG1(DBG_KNL
, "getting source address to %H failed", dest
);
1395 while (NLMSG_OK(current
, len
))
1397 switch (current
->nlmsg_type
)
1406 msg
= (struct rtmsg
*)(NLMSG_DATA(current
));
1408 rtasize
= RTM_PAYLOAD(current
);
1409 while(RTA_OK(rta
, rtasize
))
1411 switch (rta
->rta_type
)
1414 chunk
.ptr
= RTA_DATA(rta
);
1415 chunk
.len
= RTA_PAYLOAD(rta
);
1416 source
= host_create_from_chunk(msg
->rtm_family
,
1420 rta
= RTA_NEXT(rta
, rtasize
);
1425 current
= NLMSG_NEXT(current
, len
);
1432 DBG2(DBG_KNL
, "no route found to %H", dest
);
1439 * Implementation of kernel_interface_t.add_ip.
1441 static status_t
add_ip(private_kernel_interface_t
*this,
1442 host_t
*virtual_ip
, host_t
*iface_ip
)
1444 iface_entry_t
*iface
;
1446 iterator_t
*addrs
, *ifaces
;
1448 DBG2(DBG_KNL
, "adding virtual IP %H", virtual_ip
);
1450 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1451 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1453 bool iface_found
= FALSE
;
1455 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1456 while (addrs
->iterate(addrs
, (void**)&addr
))
1458 if (iface_ip
->ip_equals(iface_ip
, addr
->ip
))
1462 else if (virtual_ip
->ip_equals(virtual_ip
, addr
->ip
))
1465 DBG2(DBG_KNL
, "virtual IP %H already installed on %s",
1466 virtual_ip
, iface
->ifname
);
1467 addrs
->destroy(addrs
);
1468 ifaces
->destroy(ifaces
);
1472 addrs
->destroy(addrs
);
1476 int ifindex
= iface
->ifindex
;
1477 ifaces
->destroy(ifaces
);
1478 if (manage_ipaddr(this, RTM_NEWADDR
, NLM_F_CREATE
| NLM_F_EXCL
,
1479 ifindex
, virtual_ip
) == SUCCESS
)
1481 addr
= malloc_thing(addr_entry_t
);
1482 addr
->ip
= virtual_ip
->clone(virtual_ip
);
1484 pthread_mutex_lock(&this->mutex
);
1485 iface
->addrs
->insert_last(iface
->addrs
, addr
);
1486 pthread_mutex_unlock(&this->mutex
);
1489 DBG2(DBG_KNL
, "adding virtual IP %H failed", virtual_ip
);
1495 ifaces
->destroy(ifaces
);
1497 DBG2(DBG_KNL
, "interface address %H not found, unable to install"
1498 "virtual IP %H", iface_ip
, virtual_ip
);
1503 * Implementation of kernel_interface_t.del_ip.
1505 static status_t
del_ip(private_kernel_interface_t
*this, host_t
*virtual_ip
)
1507 iface_entry_t
*iface
;
1509 iterator_t
*addrs
, *ifaces
;
1511 DBG2(DBG_KNL
, "deleting virtual IP %H", virtual_ip
);
1513 ifaces
= this->ifaces
->create_iterator_locked(this->ifaces
, &this->mutex
);
1514 while (ifaces
->iterate(ifaces
, (void**)&iface
))
1516 addrs
= iface
->addrs
->create_iterator(iface
->addrs
, TRUE
);
1517 while (addrs
->iterate(addrs
, (void**)&addr
))
1519 if (virtual_ip
->ip_equals(virtual_ip
, addr
->ip
))
1521 int ifindex
= iface
->ifindex
;
1523 if (addr
->refcount
== 0)
1525 addrs
->remove(addrs
);
1526 addrs
->destroy(addrs
);
1527 ifaces
->destroy(ifaces
);
1528 addr_entry_destroy(addr
);
1529 return manage_ipaddr(this, RTM_DELADDR
, 0,
1530 ifindex
, virtual_ip
);
1532 DBG2(DBG_KNL
, "virtual IP %H used by other SAs, not deleting",
1534 addrs
->destroy(addrs
);
1535 ifaces
->destroy(ifaces
);
1539 addrs
->destroy(addrs
);
1541 ifaces
->destroy(ifaces
);
1543 DBG2(DBG_KNL
, "virtual IP %H not cached, unable to delete", virtual_ip
);
1548 * Implementation of kernel_interface_t.get_spi.
1550 static status_t
get_spi(private_kernel_interface_t
*this,
1551 host_t
*src
, host_t
*dst
,
1552 protocol_id_t protocol
, u_int32_t reqid
,
1555 unsigned char request
[BUFFER_SIZE
];
1556 struct nlmsghdr
*hdr
, *out
;
1557 struct xfrm_userspi_info
*userspi
;
1558 u_int32_t received_spi
= 0;
1561 memset(&request
, 0, sizeof(request
));
1563 DBG2(DBG_KNL
, "getting SPI for reqid %d", reqid
);
1565 hdr
= (struct nlmsghdr
*)request
;
1566 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1567 hdr
->nlmsg_type
= XFRM_MSG_ALLOCSPI
;
1568 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userspi_info
));
1570 userspi
= (struct xfrm_userspi_info
*)NLMSG_DATA(hdr
);
1571 host2xfrm(src
, &userspi
->info
.saddr
);
1572 host2xfrm(dst
, &userspi
->info
.id
.daddr
);
1573 userspi
->info
.id
.proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1574 userspi
->info
.mode
= TRUE
; /* tunnel mode */
1575 userspi
->info
.reqid
= reqid
;
1576 userspi
->info
.family
= src
->get_family(src
);
1577 userspi
->min
= 0xc0000000;
1578 userspi
->max
= 0xcFFFFFFF;
1580 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1583 while (NLMSG_OK(hdr
, len
))
1585 switch (hdr
->nlmsg_type
)
1587 case XFRM_MSG_NEWSA
:
1589 struct xfrm_usersa_info
* usersa
= NLMSG_DATA(hdr
);
1590 received_spi
= usersa
->id
.spi
;
1595 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1597 DBG1(DBG_KNL
, "allocating SPI failed: %s (%d)",
1598 strerror(-err
->error
), -err
->error
);
1602 hdr
= NLMSG_NEXT(hdr
, len
);
1612 if (received_spi
== 0)
1614 DBG1(DBG_KNL
, "unable to get SPI for reqid %d", reqid
);
1618 DBG2(DBG_KNL
, "got SPI 0x%x for reqid %d", received_spi
, reqid
);
1620 *spi
= received_spi
;
1625 * Implementation of kernel_interface_t.add_sa.
1627 static status_t
add_sa(private_kernel_interface_t
*this,
1628 host_t
*src
, host_t
*dst
, u_int32_t spi
,
1629 protocol_id_t protocol
, u_int32_t reqid
,
1630 u_int64_t expire_soft
, u_int64_t expire_hard
,
1631 algorithm_t
*enc_alg
, algorithm_t
*int_alg
,
1632 prf_plus_t
*prf_plus
, natt_conf_t
*natt
, mode_t mode
,
1635 unsigned char request
[BUFFER_SIZE
];
1638 struct nlmsghdr
*hdr
;
1639 struct xfrm_usersa_info
*sa
;
1641 memset(&request
, 0, sizeof(request
));
1643 DBG2(DBG_KNL
, "adding SAD entry with SPI 0x%x", spi
);
1645 hdr
= (struct nlmsghdr
*)request
;
1646 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1647 hdr
->nlmsg_type
= replace ? XFRM_MSG_UPDSA
: XFRM_MSG_NEWSA
;
1648 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1650 sa
= (struct xfrm_usersa_info
*)NLMSG_DATA(hdr
);
1651 host2xfrm(src
, &sa
->saddr
);
1652 host2xfrm(dst
, &sa
->id
.daddr
);
1654 sa
->id
.proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1655 sa
->family
= src
->get_family(src
);
1657 sa
->replay_window
= 32;
1659 /* we currently do not expire SAs by volume/packet count */
1660 sa
->lft
.soft_byte_limit
= XFRM_INF
;
1661 sa
->lft
.hard_byte_limit
= XFRM_INF
;
1662 sa
->lft
.soft_packet_limit
= XFRM_INF
;
1663 sa
->lft
.hard_packet_limit
= XFRM_INF
;
1664 /* we use lifetimes since added, not since used */
1665 sa
->lft
.soft_add_expires_seconds
= expire_soft
;
1666 sa
->lft
.hard_add_expires_seconds
= expire_hard
;
1667 sa
->lft
.soft_use_expires_seconds
= 0;
1668 sa
->lft
.hard_use_expires_seconds
= 0;
1670 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_usersa_info
);
1672 if (enc_alg
->algorithm
!= ENCR_UNDEFINED
)
1674 rthdr
->rta_type
= XFRMA_ALG_CRYPT
;
1675 alg_name
= lookup_algorithm(encryption_algs
, enc_alg
, &key_size
);
1676 if (alg_name
== NULL
)
1678 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1679 encryption_algorithm_names
, enc_alg
->algorithm
);
1682 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1683 encryption_algorithm_names
, enc_alg
->algorithm
, key_size
);
1685 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + key_size
);
1686 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1687 if (hdr
->nlmsg_len
> sizeof(request
))
1692 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1693 algo
->alg_key_len
= key_size
;
1694 strcpy(algo
->alg_name
, alg_name
);
1695 prf_plus
->get_bytes(prf_plus
, key_size
/ 8, algo
->alg_key
);
1697 rthdr
= XFRM_RTA_NEXT(rthdr
);
1700 if (int_alg
->algorithm
!= AUTH_UNDEFINED
)
1702 rthdr
->rta_type
= XFRMA_ALG_AUTH
;
1703 alg_name
= lookup_algorithm(integrity_algs
, int_alg
, &key_size
);
1704 if (alg_name
== NULL
)
1706 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1707 integrity_algorithm_names
, int_alg
->algorithm
);
1710 DBG2(DBG_KNL
, " using integrity algorithm %N with key size %d",
1711 integrity_algorithm_names
, int_alg
->algorithm
, key_size
);
1713 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + key_size
);
1714 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1715 if (hdr
->nlmsg_len
> sizeof(request
))
1720 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1721 algo
->alg_key_len
= key_size
;
1722 strcpy(algo
->alg_name
, alg_name
);
1723 prf_plus
->get_bytes(prf_plus
, key_size
/ 8, algo
->alg_key
);
1725 rthdr
= XFRM_RTA_NEXT(rthdr
);
1728 /* TODO: add IPComp here */
1732 rthdr
->rta_type
= XFRMA_ENCAP
;
1733 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_encap_tmpl
));
1735 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1736 if (hdr
->nlmsg_len
> sizeof(request
))
1741 struct xfrm_encap_tmpl
* encap
= (struct xfrm_encap_tmpl
*)RTA_DATA(rthdr
);
1742 encap
->encap_type
= UDP_ENCAP_ESPINUDP
;
1743 encap
->encap_sport
= htons(natt
->sport
);
1744 encap
->encap_dport
= htons(natt
->dport
);
1745 memset(&encap
->encap_oa
, 0, sizeof (xfrm_address_t
));
1746 /* encap_oa could probably be derived from the
1747 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1748 * pluto does the same as we do here but it uses encap_oa in the
1749 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1750 * the kernel ignores it anyway
1751 * -> does that mean that NAT-T encap doesn't work in transport mode?
1752 * No. The reason the kernel ignores NAT-OA is that it recomputes
1753 * (or, rather, just ignores) the checksum. If packets pass
1754 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1755 rthdr
= XFRM_RTA_NEXT(rthdr
);
1758 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
1760 DBG1(DBG_KNL
, "unalbe to add SAD entry with SPI 0x%x", spi
);
1767 * Implementation of kernel_interface_t.update_sa.
1769 static status_t
update_sa(private_kernel_interface_t
*this,
1770 host_t
*dst
, u_int32_t spi
,
1771 protocol_id_t protocol
,
1772 host_t
*new_src
, host_t
*new_dst
,
1773 host_diff_t src_changes
, host_diff_t dst_changes
)
1775 unsigned char request
[BUFFER_SIZE
];
1776 struct nlmsghdr
*hdr
, *out
= NULL
;
1777 struct xfrm_usersa_id
*sa_id
;
1778 struct xfrm_usersa_info
*sa
= NULL
;
1781 memset(&request
, 0, sizeof(request
));
1783 DBG2(DBG_KNL
, "querying SAD entry with SPI 0x%x", spi
);
1785 hdr
= (struct nlmsghdr
*)request
;
1786 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1787 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1788 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1790 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1791 host2xfrm(dst
, &sa_id
->daddr
);
1793 sa_id
->proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1794 sa_id
->family
= dst
->get_family(dst
);
1796 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1799 while (NLMSG_OK(hdr
, len
))
1801 switch (hdr
->nlmsg_type
)
1803 case XFRM_MSG_NEWSA
:
1805 sa
= NLMSG_DATA(hdr
);
1810 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1811 DBG1(DBG_KNL
, "querying SAD entry failed: %s (%d)",
1812 strerror(-err
->error
), -err
->error
);
1816 hdr
= NLMSG_NEXT(hdr
, len
);
1826 DBG1(DBG_KNL
, "unable to update SAD entry with SPI 0x%x", spi
);
1831 DBG2(DBG_KNL
, "updating SAD entry with SPI 0x%x", spi
);
1834 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1835 hdr
->nlmsg_type
= XFRM_MSG_UPDSA
;
1837 if (src_changes
& HOST_DIFF_ADDR
)
1839 host2xfrm(new_src
, &sa
->saddr
);
1842 if (dst_changes
& HOST_DIFF_ADDR
)
1844 hdr
->nlmsg_type
= XFRM_MSG_NEWSA
;
1845 host2xfrm(new_dst
, &sa
->id
.daddr
);
1848 if (src_changes
& HOST_DIFF_PORT
|| dst_changes
& HOST_DIFF_PORT
)
1850 struct rtattr
*rtattr
= XFRM_RTA(hdr
, struct xfrm_usersa_info
);
1851 size_t rtsize
= XFRM_PAYLOAD(hdr
, struct xfrm_usersa_info
);
1852 while (RTA_OK(rtattr
, rtsize
))
1854 if (rtattr
->rta_type
== XFRMA_ENCAP
)
1856 struct xfrm_encap_tmpl
* encap
;
1857 encap
= (struct xfrm_encap_tmpl
*)RTA_DATA(rtattr
);
1858 encap
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1859 encap
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1862 rtattr
= RTA_NEXT(rtattr
, rtsize
);
1865 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
1867 DBG1(DBG_KNL
, "unalbe to update SAD entry with SPI 0x%x", spi
);
1873 if (dst_changes
& HOST_DIFF_ADDR
)
1875 return this->public.del_sa(&this->public, dst
, spi
, protocol
);
1881 * Implementation of kernel_interface_t.query_sa.
1883 static status_t
query_sa(private_kernel_interface_t
*this, host_t
*dst
,
1884 u_int32_t spi
, protocol_id_t protocol
,
1885 u_int32_t
*use_time
)
1887 unsigned char request
[BUFFER_SIZE
];
1888 struct nlmsghdr
*out
= NULL
, *hdr
;
1889 struct xfrm_usersa_id
*sa_id
;
1890 struct xfrm_usersa_info
*sa
= NULL
;
1893 DBG2(DBG_KNL
, "querying SAD entry with SPI 0x%x", spi
);
1894 memset(&request
, 0, sizeof(request
));
1896 hdr
= (struct nlmsghdr
*)request
;
1897 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1898 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1899 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1901 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1902 host2xfrm(dst
, &sa_id
->daddr
);
1904 sa_id
->proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1905 sa_id
->family
= dst
->get_family(dst
);
1907 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1910 while (NLMSG_OK(hdr
, len
))
1912 switch (hdr
->nlmsg_type
)
1914 case XFRM_MSG_NEWSA
:
1916 sa
= NLMSG_DATA(hdr
);
1921 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1922 DBG1(DBG_KNL
, "querying SAD entry failed: %s (%d)",
1923 strerror(-err
->error
), -err
->error
);
1927 hdr
= NLMSG_NEXT(hdr
, len
);
1938 DBG1(DBG_KNL
, "unable to query SAD entry with SPI 0x%x", spi
);
1943 *use_time
= sa
->curlft
.use_time
;
1949 * Implementation of kernel_interface_t.del_sa.
1951 static status_t
del_sa(private_kernel_interface_t
*this, host_t
*dst
,
1952 u_int32_t spi
, protocol_id_t protocol
)
1954 unsigned char request
[BUFFER_SIZE
];
1955 struct nlmsghdr
*hdr
;
1956 struct xfrm_usersa_id
*sa_id
;
1958 memset(&request
, 0, sizeof(request
));
1960 DBG2(DBG_KNL
, "deleting SAD entry with SPI 0x%x", spi
);
1962 hdr
= (struct nlmsghdr
*)request
;
1963 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1964 hdr
->nlmsg_type
= XFRM_MSG_DELSA
;
1965 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1967 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1968 host2xfrm(dst
, &sa_id
->daddr
);
1970 sa_id
->proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1971 sa_id
->family
= dst
->get_family(dst
);
1973 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
1975 DBG1(DBG_KNL
, "unalbe to delete SAD entry with SPI 0x%x", spi
);
1978 DBG2(DBG_KNL
, "deleted SAD entry with SPI 0x%x", spi
);
1983 * Implementation of kernel_interface_t.add_policy.
1985 static status_t
add_policy(private_kernel_interface_t
*this,
1986 host_t
*src
, host_t
*dst
,
1987 traffic_selector_t
*src_ts
,
1988 traffic_selector_t
*dst_ts
,
1989 policy_dir_t direction
, protocol_id_t protocol
,
1990 u_int32_t reqid
, bool high_prio
, mode_t mode
,
1993 iterator_t
*iterator
;
1994 policy_entry_t
*current
, *policy
;
1996 unsigned char request
[BUFFER_SIZE
];
1997 struct xfrm_userpolicy_info
*policy_info
;
1998 struct nlmsghdr
*hdr
;
2000 /* create a policy */
2001 policy
= malloc_thing(policy_entry_t
);
2002 memset(policy
, 0, sizeof(policy_entry_t
));
2003 policy
->sel
= ts2selector(src_ts
, dst_ts
);
2004 policy
->direction
= direction
;
2006 /* find the policy, which matches EXACTLY */
2007 pthread_mutex_lock(&this->mutex
);
2008 iterator
= this->policies
->create_iterator(this->policies
, TRUE
);
2009 while (iterator
->iterate(iterator
, (void**)¤t
))
2011 if (memcmp(¤t
->sel
, &policy
->sel
, sizeof(struct xfrm_selector
)) == 0 &&
2012 policy
->direction
== current
->direction
)
2014 /* use existing policy */
2017 current
->refcount
++;
2018 DBG2(DBG_KNL
, "policy %R===%R already exists, increasing ",
2019 "refcount", src_ts
, dst_ts
);
2027 iterator
->destroy(iterator
);
2029 { /* apply the new one, if we have no such policy */
2030 this->policies
->insert_last(this->policies
, policy
);
2031 policy
->refcount
= 1;
2034 DBG2(DBG_KNL
, "adding policy %R===%R", src_ts
, dst_ts
);
2036 memset(&request
, 0, sizeof(request
));
2037 hdr
= (struct nlmsghdr
*)request
;
2038 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
2039 hdr
->nlmsg_type
= XFRM_MSG_UPDPOLICY
;
2040 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info
));
2042 policy_info
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
2043 policy_info
->sel
= policy
->sel
;
2044 policy_info
->dir
= policy
->direction
;
2045 /* calculate priority based on source selector size, small size = high prio */
2046 policy_info
->priority
= high_prio ? PRIO_HIGH
: PRIO_LOW
;
2047 policy_info
->priority
-= policy
->sel
.prefixlen_s
* 10;
2048 policy_info
->priority
-= policy
->sel
.proto ?
2 : 0;
2049 policy_info
->priority
-= policy
->sel
.sport_mask ?
1 : 0;
2050 policy_info
->action
= XFRM_POLICY_ALLOW
;
2051 policy_info
->share
= XFRM_SHARE_ANY
;
2052 pthread_mutex_unlock(&this->mutex
);
2054 /* policies don't expire */
2055 policy_info
->lft
.soft_byte_limit
= XFRM_INF
;
2056 policy_info
->lft
.soft_packet_limit
= XFRM_INF
;
2057 policy_info
->lft
.hard_byte_limit
= XFRM_INF
;
2058 policy_info
->lft
.hard_packet_limit
= XFRM_INF
;
2059 policy_info
->lft
.soft_add_expires_seconds
= 0;
2060 policy_info
->lft
.hard_add_expires_seconds
= 0;
2061 policy_info
->lft
.soft_use_expires_seconds
= 0;
2062 policy_info
->lft
.hard_use_expires_seconds
= 0;
2064 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_userpolicy_info
);
2065 rthdr
->rta_type
= XFRMA_TMPL
;
2067 rthdr
->rta_len
= sizeof(struct xfrm_user_tmpl
);
2068 rthdr
->rta_len
= RTA_LENGTH(rthdr
->rta_len
);
2070 hdr
->nlmsg_len
+= rthdr
->rta_len
;
2071 if (hdr
->nlmsg_len
> sizeof(request
))
2076 struct xfrm_user_tmpl
*tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rthdr
);
2077 tmpl
->reqid
= reqid
;
2078 tmpl
->id
.proto
= (protocol
== PROTO_AH
) ? KERNEL_AH
: KERNEL_ESP
;
2079 tmpl
->aalgos
= tmpl
->ealgos
= tmpl
->calgos
= ~0;
2081 tmpl
->family
= src
->get_family(src
);
2083 host2xfrm(src
, &tmpl
->saddr
);
2084 host2xfrm(dst
, &tmpl
->id
.daddr
);
2086 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
2088 DBG1(DBG_KNL
, "unable to add policy %R===%R", src_ts
, dst_ts
);
2092 /* install a route, if:
2093 * - we are NOT updating a policy
2094 * - this is a forward policy (to just get one for each child)
2095 * - we are in tunnel mode
2096 * - we are not using IPv6 (does not work correctly yet!)
2098 if (policy
->route
== NULL
&& direction
== POLICY_FWD
&&
2099 mode
!= MODE_TRANSPORT
&& src
->get_family(src
) != AF_INET6
)
2101 policy
->route
= malloc_thing(route_entry_t
);
2102 if (get_address_by_ts(this, dst_ts
, &policy
->route
->src_ip
) == SUCCESS
)
2104 policy
->route
->gateway
= dst
->clone(dst
);
2105 policy
->route
->if_index
= get_interface_index(this, dst
);
2106 policy
->route
->dst_net
= chunk_alloc(policy
->sel
.family
== AF_INET ?
4 : 16);
2107 memcpy(policy
->route
->dst_net
.ptr
, &policy
->sel
.saddr
, policy
->route
->dst_net
.len
);
2108 policy
->route
->prefixlen
= policy
->sel
.prefixlen_s
;
2110 if (manage_srcroute(this, RTM_NEWROUTE
, NLM_F_CREATE
| NLM_F_EXCL
,
2111 policy
->route
) != SUCCESS
)
2113 DBG1(DBG_KNL
, "unable to install source route for %H",
2114 policy
->route
->src_ip
);
2115 route_entry_destroy(policy
->route
);
2116 policy
->route
= NULL
;
2121 free(policy
->route
);
2122 policy
->route
= NULL
;
2130 * Implementation of kernel_interface_t.query_policy.
2132 static status_t
query_policy(private_kernel_interface_t
*this,
2133 traffic_selector_t
*src_ts
,
2134 traffic_selector_t
*dst_ts
,
2135 policy_dir_t direction
, u_int32_t
*use_time
)
2137 unsigned char request
[BUFFER_SIZE
];
2138 struct nlmsghdr
*out
= NULL
, *hdr
;
2139 struct xfrm_userpolicy_id
*policy_id
;
2140 struct xfrm_userpolicy_info
*policy
= NULL
;
2143 memset(&request
, 0, sizeof(request
));
2145 DBG2(DBG_KNL
, "querying policy %R===%R", src_ts
, dst_ts
);
2147 hdr
= (struct nlmsghdr
*)request
;
2148 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
2149 hdr
->nlmsg_type
= XFRM_MSG_GETPOLICY
;
2150 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
2152 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
2153 policy_id
->sel
= ts2selector(src_ts
, dst_ts
);
2154 policy_id
->dir
= direction
;
2156 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
2159 while (NLMSG_OK(hdr
, len
))
2161 switch (hdr
->nlmsg_type
)
2163 case XFRM_MSG_NEWPOLICY
:
2165 policy
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
2170 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
2171 DBG1(DBG_KNL
, "querying policy failed: %s (%d)",
2172 strerror(-err
->error
), -err
->error
);
2176 hdr
= NLMSG_NEXT(hdr
, len
);
2187 DBG2(DBG_KNL
, "unable to query policy %R===%R", src_ts
, dst_ts
);
2191 *use_time
= (time_t)policy
->curlft
.use_time
;
2198 * Implementation of kernel_interface_t.del_policy.
2200 static status_t
del_policy(private_kernel_interface_t
*this,
2201 traffic_selector_t
*src_ts
,
2202 traffic_selector_t
*dst_ts
,
2203 policy_dir_t direction
)
2205 policy_entry_t
*current
, policy
, *to_delete
= NULL
;
2206 route_entry_t
*route
;
2207 unsigned char request
[BUFFER_SIZE
];
2208 struct nlmsghdr
*hdr
;
2209 struct xfrm_userpolicy_id
*policy_id
;
2210 iterator_t
*iterator
;
2212 DBG2(DBG_KNL
, "deleting policy %R===%R", src_ts
, dst_ts
);
2214 /* create a policy */
2215 memset(&policy
, 0, sizeof(policy_entry_t
));
2216 policy
.sel
= ts2selector(src_ts
, dst_ts
);
2217 policy
.direction
= direction
;
2219 /* find the policy */
2220 iterator
= this->policies
->create_iterator_locked(this->policies
, &this->mutex
);
2221 while (iterator
->iterate(iterator
, (void**)¤t
))
2223 if (memcmp(¤t
->sel
, &policy
.sel
, sizeof(struct xfrm_selector
)) == 0 &&
2224 policy
.direction
== current
->direction
)
2226 to_delete
= current
;
2227 if (--to_delete
->refcount
> 0)
2229 /* is used by more SAs, keep in kernel */
2230 DBG2(DBG_KNL
, "policy still used by another CHILD_SA, not removed");
2231 iterator
->destroy(iterator
);
2234 /* remove if last reference */
2235 iterator
->remove(iterator
);
2239 iterator
->destroy(iterator
);
2242 DBG1(DBG_KNL
, "deleting policy %R===%R failed, not found", src_ts
, dst_ts
);
2246 memset(&request
, 0, sizeof(request
));
2248 hdr
= (struct nlmsghdr
*)request
;
2249 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
2250 hdr
->nlmsg_type
= XFRM_MSG_DELPOLICY
;
2251 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
2253 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
2254 policy_id
->sel
= to_delete
->sel
;
2255 policy_id
->dir
= direction
;
2257 route
= to_delete
->route
;
2260 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
2262 DBG1(DBG_KNL
, "unable to delete policy %R===%R", src_ts
, dst_ts
);
2268 if (manage_srcroute(this, RTM_DELROUTE
, 0, route
) != SUCCESS
)
2270 DBG1(DBG_KNL
, "error uninstalling route installed with "
2271 "policy %R===%R", src_ts
, dst_ts
);
2273 route_entry_destroy(route
);
2279 * Implementation of kernel_interface_t.destroy.
2281 static void destroy(private_kernel_interface_t
*this)
2283 this->job
->cancel(this->job
);
2284 close(this->socket_xfrm_events
);
2285 close(this->socket_xfrm
);
2286 close(this->socket_rt_events
);
2287 close(this->socket_rt
);
2288 this->policies
->destroy(this->policies
);
2289 this->ifaces
->destroy_function(this->ifaces
, (void*)iface_entry_destroy
);
2294 * Described in header.
2296 kernel_interface_t
*kernel_interface_create()
2298 private_kernel_interface_t
*this = malloc_thing(private_kernel_interface_t
);
2299 struct sockaddr_nl addr
;
2302 /* public functions */
2303 this->public.get_spi
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*,protocol_id_t
,u_int32_t
,u_int32_t
*))get_spi
;
2304 this->public.add_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*,u_int32_t
,protocol_id_t
,u_int32_t
,u_int64_t
,u_int64_t
,algorithm_t
*,algorithm_t
*,prf_plus_t
*,natt_conf_t
*,mode_t
,bool))add_sa
;
2305 this->public.update_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,u_int32_t
,protocol_id_t
,host_t
*,host_t
*,host_diff_t
,host_diff_t
))update_sa
;
2306 this->public.query_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,u_int32_t
,protocol_id_t
,u_int32_t
*))query_sa
;
2307 this->public.del_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,u_int32_t
,protocol_id_t
))del_sa
;
2308 this->public.add_policy
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,protocol_id_t
,u_int32_t
,bool,mode_t
,bool))add_policy
;
2309 this->public.query_policy
= (status_t(*)(kernel_interface_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,u_int32_t
*))query_policy
;
2310 this->public.del_policy
= (status_t(*)(kernel_interface_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
))del_policy
;
2311 this->public.get_interface
= (char*(*)(kernel_interface_t
*,host_t
*))get_interface_name
;
2312 this->public.create_address_iterator
= (iterator_t
*(*)(kernel_interface_t
*))create_address_iterator
;
2313 this->public.get_source_addr
= (host_t
*(*)(kernel_interface_t
*, host_t
*dest
))get_source_addr
;
2314 this->public.add_ip
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*)) add_ip
;
2315 this->public.del_ip
= (status_t(*)(kernel_interface_t
*,host_t
*)) del_ip
;
2316 this->public.destroy
= (void(*)(kernel_interface_t
*)) destroy
;
2318 /* private members */
2319 this->policies
= linked_list_create();
2320 this->ifaces
= linked_list_create();
2323 pthread_mutex_init(&this->mutex
,NULL
);
2325 memset(&addr
, 0, sizeof(addr
));
2326 addr
.nl_family
= AF_NETLINK
;
2328 /* create and bind RT socket */
2329 this->socket_rt
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_ROUTE
);
2330 if (this->socket_rt
<= 0)
2332 charon
->kill(charon
, "unable to create RT netlink socket");
2335 if (bind(this->socket_rt
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2337 charon
->kill(charon
, "unable to bind RT netlink socket");
2340 /* create and bind RT socket for events (address/interface/route changes) */
2341 this->socket_rt_events
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_ROUTE
);
2342 if (this->socket_rt_events
<= 0)
2344 charon
->kill(charon
, "unable to create RT event socket");
2346 addr
.nl_groups
= RTMGRP_IPV4_IFADDR
| RTMGRP_IPV6_IFADDR
|
2347 RTMGRP_IPV4_ROUTE
| RTMGRP_IPV4_ROUTE
| RTMGRP_LINK
;
2348 if (bind(this->socket_rt_events
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2350 charon
->kill(charon
, "unable to bind RT event socket");
2353 /* create and bind XFRM socket */
2354 this->socket_xfrm
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_XFRM
);
2355 if (this->socket_xfrm
<= 0)
2357 charon
->kill(charon
, "unable to create XFRM netlink socket");
2360 if (bind(this->socket_xfrm
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2362 charon
->kill(charon
, "unable to bind XFRM netlink socket");
2365 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2366 this->socket_xfrm_events
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_XFRM
);
2367 if (this->socket_xfrm_events
<= 0)
2369 charon
->kill(charon
, "unable to create XFRM event socket");
2371 addr
.nl_groups
= XFRMGRP_ACQUIRE
| XFRMGRP_EXPIRE
;
2372 if (bind(this->socket_xfrm_events
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2374 charon
->kill(charon
, "unable to bind XFRM event socket");
2377 this->job
= callback_job_create((callback_job_cb_t
)receive_events
,
2379 charon
->processor
->queue_job(charon
->processor
, (job_t
*)this->job
);
2381 if (init_address_list(this) != SUCCESS
)
2383 charon
->kill(charon
, "unable to get interface list");
2386 return &this->public;