fixed virtua IP: adding virtual IP to interface address list cache directly
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Based on xfrm code from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
36 #include <pthread.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 #include <string.h>
41 #include <net/if.h>
42 #include <sys/ioctl.h>
43
44 #include "kernel_interface.h"
45
46 #include <daemon.h>
47 #include <utils/linked_list.h>
48 #include <processing/jobs/delete_child_sa_job.h>
49 #include <processing/jobs/rekey_child_sa_job.h>
50 #include <processing/jobs/acquire_job.h>
51 #include <processing/jobs/callback_job.h>
52
53 /** kernel level protocol identifiers */
54 #define KERNEL_ESP 50
55 #define KERNEL_AH 51
56
57 /** default priority of installed policies */
58 #define PRIO_LOW 3000
59 #define PRIO_HIGH 2000
60
61 #define BUFFER_SIZE 1024
62
63 /**
64 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
65 * 'usual' netlink data x like 'struct xfrm_usersa_info'
66 */
67 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
68 /**
69 * returns a pointer to the next rtattr following rta.
70 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
71 */
72 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
73 /**
74 * returns the total size of attached rta data
75 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
76 */
77 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
78
79 typedef struct kernel_algorithm_t kernel_algorithm_t;
80
81 /**
82 * Mapping from the algorithms defined in IKEv2 to
83 * kernel level algorithm names and their key length
84 */
85 struct kernel_algorithm_t {
86 /**
87 * Identifier specified in IKEv2
88 */
89 int ikev2_id;
90
91 /**
92 * Name of the algorithm, as used as kernel identifier
93 */
94 char *name;
95
96 /**
97 * Key length in bits, if fixed size
98 */
99 u_int key_size;
100 };
101 #define END_OF_LIST -1
102
103 /**
104 * Algorithms for encryption
105 */
106 kernel_algorithm_t encryption_algs[] = {
107 /* {ENCR_DES_IV64, "***", 0}, */
108 {ENCR_DES, "des", 64},
109 {ENCR_3DES, "des3_ede", 192},
110 /* {ENCR_RC5, "***", 0}, */
111 /* {ENCR_IDEA, "***", 0}, */
112 {ENCR_CAST, "cast128", 0},
113 {ENCR_BLOWFISH, "blowfish", 0},
114 /* {ENCR_3IDEA, "***", 0}, */
115 /* {ENCR_DES_IV32, "***", 0}, */
116 {ENCR_NULL, "cipher_null", 0},
117 {ENCR_AES_CBC, "aes", 0},
118 /* {ENCR_AES_CTR, "***", 0}, */
119 {END_OF_LIST, NULL, 0},
120 };
121
122 /**
123 * Algorithms for integrity protection
124 */
125 kernel_algorithm_t integrity_algs[] = {
126 {AUTH_HMAC_MD5_96, "md5", 128},
127 {AUTH_HMAC_SHA1_96, "sha1", 160},
128 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
129 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
130 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
131 /* {AUTH_DES_MAC, "***", 0}, */
132 /* {AUTH_KPDK_MD5, "***", 0}, */
133 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
134 {END_OF_LIST, NULL, 0},
135 };
136
137 /**
138 * Look up a kernel algorithm name and its key size
139 */
140 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
141 algorithm_t *ikev2_algo, u_int *key_size)
142 {
143 while (kernel_algo->ikev2_id != END_OF_LIST)
144 {
145 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
146 {
147 /* match, evaluate key length */
148 if (ikev2_algo->key_size)
149 { /* variable length */
150 *key_size = ikev2_algo->key_size;
151 }
152 else
153 { /* fixed length */
154 *key_size = kernel_algo->key_size;
155 }
156 return kernel_algo->name;
157 }
158 kernel_algo++;
159 }
160 return NULL;
161 }
162
163 typedef struct route_entry_t route_entry_t;
164
165 /**
166 * installed routing entry
167 */
168 struct route_entry_t {
169
170 /** Index of the interface the route is bound to */
171 int if_index;
172
173 /** Source ip of the route */
174 host_t *src_ip;
175
176 /** gateway for this route */
177 host_t *gateway;
178
179 /** Destination net */
180 chunk_t dst_net;
181
182 /** Destination net prefixlen */
183 u_int8_t prefixlen;
184 };
185
186 /**
187 * destroy an route_entry_t object
188 */
189 static void route_entry_destroy(route_entry_t *this)
190 {
191 this->src_ip->destroy(this->src_ip);
192 this->gateway->destroy(this->gateway);
193 chunk_free(&this->dst_net);
194 free(this);
195 }
196
197 typedef struct policy_entry_t policy_entry_t;
198
199 /**
200 * installed kernel policy.
201 */
202 struct policy_entry_t {
203
204 /** direction of this policy: in, out, forward */
205 u_int8_t direction;
206
207 /** reqid of the policy */
208 u_int32_t reqid;
209
210 /** parameters of installed policy */
211 struct xfrm_selector sel;
212
213 /** associated route installed for this policy */
214 route_entry_t *route;
215
216 /** by how many CHILD_SA's this policy is used */
217 u_int refcount;
218 };
219
220 typedef struct vip_entry_t vip_entry_t;
221
222 /**
223 * Installed virtual ip
224 */
225 struct vip_entry_t {
226 /** Index of the interface the ip is bound to */
227 u_int8_t if_index;
228
229 /** The ip address */
230 host_t *ip;
231
232 /** Number of times this IP is used */
233 u_int refcount;
234 };
235
236 /**
237 * destroy a vip_entry_t object
238 */
239 static void vip_entry_destroy(vip_entry_t *this)
240 {
241 this->ip->destroy(this->ip);
242 free(this);
243 }
244
245 typedef struct interface_entry_t interface_entry_t;
246
247 /**
248 * A network interface on this system, containing addresses
249 */
250 struct interface_entry_t {
251
252 /** interface index */
253 int ifindex;
254
255 /** name of the interface */
256 char ifname[IFNAMSIZ];
257
258 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
259 u_int flags;
260
261 /** list of addresses as host_t */
262 linked_list_t *addresses;
263 };
264
265 /**
266 * destroy an interface entry
267 */
268 static void interface_entry_destroy(interface_entry_t *this)
269 {
270 this->addresses->destroy_offset(this->addresses, offsetof(host_t, destroy));
271 free(this);
272 }
273
274 typedef struct private_kernel_interface_t private_kernel_interface_t;
275
276 /**
277 * Private variables and functions of kernel_interface class.
278 */
279 struct private_kernel_interface_t {
280 /**
281 * Public part of the kernel_interface_t object.
282 */
283 kernel_interface_t public;
284
285 /**
286 * mutex to lock access to the various lists
287 */
288 pthread_mutex_t mutex;
289
290 /**
291 * List of installed policies (kernel_entry_t)
292 */
293 linked_list_t *policies;
294
295 /**
296 * List of installed virtual IPs. (vip_entry_t)
297 */
298 linked_list_t *vips;
299
300 /**
301 * Cached list of interfaces and its adresses (interface_entry_t)
302 */
303 linked_list_t *interfaces;
304
305 /**
306 * iterator used in hook()
307 */
308 iterator_t *hiter;
309
310 /**
311 * job receiving netlink events
312 */
313 callback_job_t *job;
314
315 /**
316 * current sequence number for netlink request
317 */
318 int seq;
319
320 /**
321 * Netlink xfrm socket (IPsec)
322 */
323 int socket_xfrm;
324
325 /**
326 * netlink xfrm socket to receive acquire and expire events
327 */
328 int socket_xfrm_events;
329
330 /**
331 * Netlink rt socket (routing)
332 */
333 int socket_rt;
334
335 /**
336 * Netlink rt socket to receive address change events
337 */
338 int socket_rt_events;
339 };
340
341 /**
342 * convert a host_t to a struct xfrm_address
343 */
344 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
345 {
346 chunk_t chunk = host->get_address(host);
347 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
348 }
349
350 /**
351 * convert a traffic selector address range to subnet and its mask.
352 */
353 static void ts2subnet(traffic_selector_t* ts,
354 xfrm_address_t *net, u_int8_t *mask)
355 {
356 /* there is no way to do this cleanly, as the address range may
357 * be anything else but a subnet. We use from_addr as subnet
358 * and try to calculate a usable subnet mask.
359 */
360 int byte, bit;
361 bool found = FALSE;
362 chunk_t from, to;
363 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
364
365 from = ts->get_from_address(ts);
366 to = ts->get_to_address(ts);
367
368 *mask = (size * 8);
369 /* go trough all bits of the addresses, beginning in the front.
370 * as long as they are equal, the subnet gets larger
371 */
372 for (byte = 0; byte < size; byte++)
373 {
374 for (bit = 7; bit >= 0; bit--)
375 {
376 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
377 {
378 *mask = ((7 - bit) + (byte * 8));
379 found = TRUE;
380 break;
381 }
382 }
383 if (found)
384 {
385 break;
386 }
387 }
388 memcpy(net, from.ptr, from.len);
389 chunk_free(&from);
390 chunk_free(&to);
391 }
392
393 /**
394 * convert a traffic selector port range to port/portmask
395 */
396 static void ts2ports(traffic_selector_t* ts,
397 u_int16_t *port, u_int16_t *mask)
398 {
399 /* linux does not seem to accept complex portmasks. Only
400 * any or a specific port is allowed. We set to any, if we have
401 * a port range, or to a specific, if we have one port only.
402 */
403 u_int16_t from, to;
404
405 from = ts->get_from_port(ts);
406 to = ts->get_to_port(ts);
407
408 if (from == to)
409 {
410 *port = htons(from);
411 *mask = ~0;
412 }
413 else
414 {
415 *port = 0;
416 *mask = 0;
417 }
418 }
419
420 /**
421 * convert a pair of traffic_selectors to a xfrm_selector
422 */
423 static struct xfrm_selector ts2selector(traffic_selector_t *src,
424 traffic_selector_t *dst)
425 {
426 struct xfrm_selector sel;
427
428 memset(&sel, 0, sizeof(sel));
429 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
430 /* src or dest proto may be "any" (0), use more restrictive one */
431 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
432 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
433 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
434 ts2ports(dst, &sel.dport, &sel.dport_mask);
435 ts2ports(src, &sel.sport, &sel.sport_mask);
436 sel.ifindex = 0;
437 sel.user = 0;
438
439 return sel;
440 }
441
442 /**
443 * Creates an rtattr and adds it to the netlink message
444 */
445 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
446 size_t buflen)
447 {
448 struct rtattr *rta;
449
450 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
451 {
452 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
453 return;
454 }
455
456 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
457 rta->rta_type = rta_type;
458 rta->rta_len = RTA_LENGTH(data.len);
459 memcpy(RTA_DATA(rta), data.ptr, data.len);
460 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
461 }
462
463 /**
464 * process a XFRM_MSG_ACQUIRE from kernel
465 */
466 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
467 {
468 u_int32_t reqid = 0;
469 job_t *job;
470 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
471 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
472
473 if (RTA_OK(rtattr, rtsize))
474 {
475 if (rtattr->rta_type == XFRMA_TMPL)
476 {
477 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
478 reqid = tmpl->reqid;
479 }
480 }
481 if (reqid == 0)
482 {
483 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
484 return;
485 }
486 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
487 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
488 job = (job_t*)acquire_job_create(reqid);
489 charon->processor->queue_job(charon->processor, job);
490 }
491
492 /**
493 * process a XFRM_MSG_EXPIRE from kernel
494 */
495 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
496 {
497 job_t *job;
498 protocol_id_t protocol;
499 u_int32_t spi, reqid;
500 struct xfrm_user_expire *expire;
501
502 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
503 protocol = expire->state.id.proto == KERNEL_ESP ? PROTO_ESP : PROTO_AH;
504 spi = expire->state.id.spi;
505 reqid = expire->state.reqid;
506
507 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
508 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
509 expire->hard ? "delete" : "rekey", protocol_id_names,
510 protocol, ntohl(spi), reqid);
511 if (expire->hard)
512 {
513 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
514 }
515 else
516 {
517 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
518 }
519 charon->processor->queue_job(charon->processor, job);
520 }
521
522 /**
523 * process RTM_NEWLINK/RTM_DELLINK from kernel
524 */
525 static void process_link(private_kernel_interface_t *this,
526 struct nlmsghdr *hdr, bool event)
527 {
528 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
529 struct rtattr *rta = IFLA_RTA(msg);
530 size_t rtasize = IFLA_PAYLOAD (hdr);
531 iterator_t *iterator;
532 interface_entry_t *current, *entry = NULL;
533 char *name = NULL;
534
535 while(RTA_OK(rta, rtasize))
536 {
537 switch (rta->rta_type)
538 {
539 case IFLA_IFNAME:
540 name = RTA_DATA(rta);
541 break;
542 }
543 rta = RTA_NEXT(rta, rtasize);
544 }
545 if (!name)
546 {
547 name = "(unknown)";
548 }
549
550 switch (hdr->nlmsg_type)
551 {
552 case RTM_NEWLINK:
553 {
554 if (msg->ifi_flags & IFF_LOOPBACK)
555 { /* ignore loopback interfaces */
556 break;
557 }
558 iterator = this->interfaces->create_iterator_locked(this->interfaces,
559 &this->mutex);
560 while (iterator->iterate(iterator, (void**)&current))
561 {
562 if (current->ifindex == msg->ifi_index)
563 {
564 entry = current;
565 break;
566 }
567 }
568 if (!entry)
569 {
570 entry = malloc_thing(interface_entry_t);
571 entry->ifindex = msg->ifi_index;
572 entry->flags = 0;
573 entry->addresses = linked_list_create();
574 this->interfaces->insert_last(this->interfaces, entry);
575 }
576 memcpy(entry->ifname, name, IFNAMSIZ);
577 entry->ifname[IFNAMSIZ-1] = '\0';
578 if (event)
579 {
580 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
581 {
582 DBG1(DBG_KNL, "interface %s activated", name);
583 }
584 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
585 {
586 DBG1(DBG_KNL, "interface %s deactivated", name);
587 }
588 }
589 entry->flags = msg->ifi_flags;
590 iterator->destroy(iterator);
591 break;
592 }
593 case RTM_DELLINK:
594 {
595 iterator = this->interfaces->create_iterator_locked(this->interfaces,
596 &this->mutex);
597 while (iterator->iterate(iterator, (void**)&current))
598 {
599 if (current->ifindex == msg->ifi_index)
600 {
601 /* we do not remove it, as an address may be added to a
602 * "down" interface and we wan't to know that. */
603 current->flags = msg->ifi_flags;
604 break;
605 }
606 }
607 iterator->destroy(iterator);
608 break;
609 }
610 }
611 }
612
613 /**
614 * process RTM_NEWADDR/RTM_DELADDR from kernel
615 */
616 static void process_addr(private_kernel_interface_t *this,
617 struct nlmsghdr *hdr, bool event)
618 {
619 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
620 struct rtattr *rta = IFA_RTA(msg);
621 size_t rtasize = IFA_PAYLOAD (hdr);
622 host_t *host = NULL;
623 iterator_t *iterator;
624 interface_entry_t *entry;
625 chunk_t local = chunk_empty, address = chunk_empty;
626
627 while(RTA_OK(rta, rtasize))
628 {
629 switch (rta->rta_type)
630 {
631 case IFA_LOCAL:
632 local.ptr = RTA_DATA(rta);
633 local.len = RTA_PAYLOAD(rta);
634 break;
635 case IFA_ADDRESS:
636 address.ptr = RTA_DATA(rta);
637 address.len = RTA_PAYLOAD(rta);
638 break;
639 }
640 rta = RTA_NEXT(rta, rtasize);
641 }
642
643 /* For PPP interfaces, we need the IFA_LOCAL address,
644 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
645 * not included in all cases, so fallback to IFA_ADDRESS. */
646 if (local.ptr)
647 {
648 host = host_create_from_chunk(msg->ifa_family, local, 0);
649 }
650 else if (address.ptr)
651 {
652 host = host_create_from_chunk(msg->ifa_family, address, 0);
653 }
654
655 if (host == NULL)
656 { /* bad family? */
657 return;
658 }
659
660 switch (hdr->nlmsg_type)
661 {
662 case RTM_NEWADDR:
663 {
664 iterator = this->interfaces->create_iterator_locked(this->interfaces,
665 &this->mutex);
666 while (iterator->iterate(iterator, (void**)&entry))
667 {
668 if (entry->ifindex == msg->ifa_index)
669 {
670 entry->addresses->insert_last(entry->addresses,
671 host->clone(host));
672 if (event)
673 {
674 DBG1(DBG_KNL, "%H appeared on %s", host, entry->ifname);
675 }
676 break;
677 }
678 }
679 iterator->destroy(iterator);
680 break;
681 }
682 case RTM_DELADDR:
683 {
684 iterator = this->interfaces->create_iterator_locked(this->interfaces,
685 &this->mutex);
686 while (iterator->iterate(iterator, (void**)&entry))
687 {
688 if (entry->ifindex == msg->ifa_index)
689 {
690 iterator_t *addresses;
691 host_t *current;
692
693 addresses = entry->addresses->create_iterator(
694 entry->addresses, TRUE);
695 while (addresses->iterate(addresses, (void**)&current))
696 {
697 if (current->equals(current, host))
698 {
699 addresses->remove(addresses);
700 current->destroy(current);
701 DBG1(DBG_KNL, "%H disappeared from %s",
702 host, entry->ifname);
703 }
704 }
705 addresses->destroy(addresses);
706 }
707 }
708 iterator->destroy(iterator);
709 break;
710 }
711 default:
712 break;
713 }
714 host->destroy(host);
715 }
716
717 /**
718 * Receives events from kernel
719 */
720 static job_requeue_t receive_events(private_kernel_interface_t *this)
721 {
722 char response[1024];
723 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
724 struct sockaddr_nl addr;
725 socklen_t addr_len = sizeof(addr);
726 int len, oldstate, maxfd, selected;
727 fd_set rfds;
728
729 FD_ZERO(&rfds);
730 FD_SET(this->socket_xfrm_events, &rfds);
731 FD_SET(this->socket_rt_events, &rfds);
732 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
733
734 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
735 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
736 pthread_setcancelstate(oldstate, NULL);
737 if (selected <= 0)
738 {
739 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
740 return JOB_REQUEUE_FAIR;
741 }
742 if (FD_ISSET(this->socket_xfrm_events, &rfds))
743 {
744 selected = this->socket_xfrm_events;
745 }
746 else if (FD_ISSET(this->socket_rt_events, &rfds))
747 {
748 selected = this->socket_rt_events;
749 }
750 else
751 {
752 return JOB_REQUEUE_DIRECT;
753 }
754
755 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
756 (struct sockaddr*)&addr, &addr_len);
757 if (len < 0)
758 {
759 switch (errno)
760 {
761 case EINTR:
762 /* interrupted, try again */
763 return JOB_REQUEUE_DIRECT;
764 case EAGAIN:
765 /* no data ready, select again */
766 return JOB_REQUEUE_DIRECT;
767 default:
768 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
769 sleep(1);
770 return JOB_REQUEUE_FAIR;
771 }
772 }
773 if (addr.nl_pid != 0)
774 { /* not from kernel. not interested, try another one */
775 return JOB_REQUEUE_DIRECT;
776 }
777
778 while (NLMSG_OK(hdr, len))
779 {
780 /* looks good so far, dispatch netlink message */
781 if (selected == this->socket_xfrm_events)
782 {
783 switch (hdr->nlmsg_type)
784 {
785 case XFRM_MSG_ACQUIRE:
786 process_acquire(this, hdr);
787 break;
788 case XFRM_MSG_EXPIRE:
789 process_expire(this, hdr);
790 break;
791 default:
792 break;
793 }
794 }
795 else if (selected == this->socket_rt_events)
796 {
797 switch (hdr->nlmsg_type)
798 {
799 case RTM_NEWADDR:
800 case RTM_DELADDR:
801 process_addr(this, hdr, TRUE);
802 break;
803 case RTM_NEWLINK:
804 case RTM_DELLINK:
805 process_link(this, hdr, TRUE);
806 break;
807 default:
808 break;
809 }
810 }
811 hdr = NLMSG_NEXT(hdr, len);
812 }
813 return JOB_REQUEUE_DIRECT;
814 }
815
816 /**
817 * send a netlink message and wait for a reply
818 */
819 static status_t netlink_send(private_kernel_interface_t *this,
820 int socket, struct nlmsghdr *in,
821 struct nlmsghdr **out, size_t *out_len)
822 {
823 int len, addr_len;
824 struct sockaddr_nl addr;
825 chunk_t result = chunk_empty, tmp;
826 struct nlmsghdr *msg, peek;
827
828 pthread_mutex_lock(&this->mutex);
829
830 in->nlmsg_seq = ++this->seq;
831 in->nlmsg_pid = getpid();
832
833 memset(&addr, 0, sizeof(addr));
834 addr.nl_family = AF_NETLINK;
835 addr.nl_pid = 0;
836 addr.nl_groups = 0;
837
838 while (TRUE)
839 {
840 len = sendto(socket, in, in->nlmsg_len, 0,
841 (struct sockaddr*)&addr, sizeof(addr));
842
843 if (len != in->nlmsg_len)
844 {
845 if (errno == EINTR)
846 {
847 /* interrupted, try again */
848 continue;
849 }
850 pthread_mutex_unlock(&this->mutex);
851 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
852 return FAILED;
853 }
854 break;
855 }
856
857 while (TRUE)
858 {
859 char buf[4096];
860 tmp.len = sizeof(buf);
861 tmp.ptr = buf;
862 msg = (struct nlmsghdr*)tmp.ptr;
863
864 memset(&addr, 0, sizeof(addr));
865 addr.nl_family = AF_NETLINK;
866 addr.nl_pid = getpid();
867 addr.nl_groups = 0;
868 addr_len = sizeof(addr);
869
870 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
871 (struct sockaddr*)&addr, &addr_len);
872
873 if (len < 0)
874 {
875 if (errno == EINTR)
876 {
877 DBG1(DBG_KNL, "got interrupted");
878 /* interrupted, try again */
879 continue;
880 }
881 DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
882 pthread_mutex_unlock(&this->mutex);
883 return FAILED;
884 }
885 if (!NLMSG_OK(msg, len))
886 {
887 DBG1(DBG_KNL, "received corrupted netlink message");
888 pthread_mutex_unlock(&this->mutex);
889 return FAILED;
890 }
891 if (msg->nlmsg_seq != this->seq)
892 {
893 DBG1(DBG_KNL, "received invalid netlink sequence number");
894 if (msg->nlmsg_seq < this->seq)
895 {
896 continue;
897 }
898 pthread_mutex_unlock(&this->mutex);
899 return FAILED;
900 }
901
902 tmp.len = len;
903 result = chunk_cata("cc", result, tmp);
904
905 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
906 * numbers to detect multi header messages */
907 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
908 (struct sockaddr*)&addr, &addr_len);
909
910 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
911 {
912 /* seems to be multipart */
913 continue;
914 }
915 break;
916 }
917
918 *out_len = result.len;
919 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
920
921 pthread_mutex_unlock(&this->mutex);
922
923 return SUCCESS;
924 }
925
926 /**
927 * send a netlink message and wait for its acknowlegde
928 */
929 static status_t netlink_send_ack(private_kernel_interface_t *this,
930 int socket, struct nlmsghdr *in)
931 {
932 struct nlmsghdr *out, *hdr;
933 size_t len;
934
935 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
936 {
937 return FAILED;
938 }
939 hdr = out;
940 while (NLMSG_OK(hdr, len))
941 {
942 switch (hdr->nlmsg_type)
943 {
944 case NLMSG_ERROR:
945 {
946 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
947
948 if (err->error)
949 {
950 DBG1(DBG_KNL, "received netlink error: %s (%d)",
951 strerror(-err->error), -err->error);
952 free(out);
953 return FAILED;
954 }
955 free(out);
956 return SUCCESS;
957 }
958 default:
959 hdr = NLMSG_NEXT(hdr, len);
960 continue;
961 case NLMSG_DONE:
962 break;
963 }
964 break;
965 }
966 DBG1(DBG_KNL, "netlink request not acknowlegded");
967 free(out);
968 return FAILED;
969 }
970
971 /**
972 * Initialize a list of local addresses.
973 */
974 static status_t init_address_list(private_kernel_interface_t *this)
975 {
976 char request[BUFFER_SIZE];
977 struct nlmsghdr *out, *current, *in;
978 struct rtgenmsg *msg;
979 size_t len;
980 iterator_t *i_iface, *i_addr;
981 host_t *address;
982 interface_entry_t *entry;
983
984 DBG1(DBG_KNL, "listening on interfaces:");
985
986 memset(&request, 0, sizeof(request));
987
988 in = (struct nlmsghdr*)&request;
989 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
990 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
991 msg = (struct rtgenmsg*)NLMSG_DATA(in);
992 msg->rtgen_family = AF_UNSPEC;
993
994 /* get all links */
995 in->nlmsg_type = RTM_GETLINK;
996 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
997 {
998 return FAILED;
999 }
1000 current = out;
1001 while (NLMSG_OK(current, len))
1002 {
1003 switch (current->nlmsg_type)
1004 {
1005 case NLMSG_DONE:
1006 break;
1007 case RTM_NEWLINK:
1008 process_link(this, current, FALSE);
1009 /* fall through */
1010 default:
1011 current = NLMSG_NEXT(current, len);
1012 continue;
1013 }
1014 break;
1015 }
1016 free(out);
1017
1018 /* get all interface addresses */
1019 in->nlmsg_type = RTM_GETADDR;
1020 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1021 {
1022 return FAILED;
1023 }
1024 current = out;
1025 while (NLMSG_OK(current, len))
1026 {
1027 switch (current->nlmsg_type)
1028 {
1029 case NLMSG_DONE:
1030 break;
1031 case RTM_NEWADDR:
1032 process_addr(this, current, FALSE);
1033 /* fall through */
1034 default:
1035 current = NLMSG_NEXT(current, len);
1036 continue;
1037 }
1038 break;
1039 }
1040 free(out);
1041
1042 i_iface = this->interfaces->create_iterator_locked(this->interfaces,
1043 &this->mutex);
1044 while (i_iface->iterate(i_iface, (void**)&entry))
1045 {
1046 if (entry->flags & IFF_UP)
1047 {
1048 DBG1(DBG_KNL, " %s", entry->ifname);
1049 i_addr = entry->addresses->create_iterator(entry->addresses, TRUE);
1050 while (i_addr->iterate(i_addr, (void**)&address))
1051 {
1052 DBG1(DBG_KNL, " %H", address);
1053 }
1054 i_addr->destroy(i_addr);
1055 }
1056 }
1057 i_iface->destroy(i_iface);
1058
1059 return SUCCESS;
1060 }
1061
1062 /**
1063 * iterator hook to return address, not address_entry_t
1064 */
1065 static hook_result_t hook(private_kernel_interface_t *this,
1066 interface_entry_t *in, host_t **out)
1067 {
1068 if (!(in->flags & IFF_UP))
1069 { /* skip interfaces not up */
1070 return HOOK_SKIP;
1071 }
1072
1073 if (this->hiter == NULL)
1074 {
1075 this->hiter = in->addresses->create_iterator(in->addresses, TRUE);
1076 }
1077 while (this->hiter->iterate(this->hiter, (void**)out))
1078 {
1079 return HOOK_AGAIN;
1080 }
1081 this->hiter->destroy(this->hiter);
1082 this->hiter = NULL;
1083 return HOOK_SKIP;
1084 }
1085
1086 /**
1087 * Implements kernel_interface_t.create_address_iterator.
1088 */
1089 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1090 {
1091 iterator_t *iterator;
1092
1093 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1094 &this->mutex);
1095 iterator->set_iterator_hook(iterator, (iterator_hook_t*)hook, this);
1096 return iterator;
1097 }
1098
1099 /**
1100 * implementation of kernel_interface_t.get_interface_name
1101 */
1102 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1103 {
1104 iterator_t *iterator, *addresses;
1105 interface_entry_t *entry;
1106 host_t *host;
1107 char *name = NULL;
1108
1109 DBG2(DBG_KNL, "getting interface name for %H", ip);
1110
1111 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1112 &this->mutex);
1113 while (iterator->iterate(iterator, (void**)&entry))
1114 {
1115 addresses = entry->addresses->create_iterator(entry->addresses, TRUE);
1116 while (addresses->iterate(addresses, (void**)&host))
1117 {
1118 if (ip->ip_equals(ip, host))
1119 {
1120 name = strdup(entry->ifname);
1121 break;
1122 }
1123 }
1124 addresses->destroy(addresses);
1125 if (name)
1126 {
1127 break;
1128 }
1129 }
1130 iterator->destroy(iterator);
1131
1132 if (name)
1133 {
1134 DBG2(DBG_KNL, "%H is on interface %s", ip, name);
1135 }
1136 else
1137 {
1138 DBG2(DBG_KNL, "%H is not a local address", ip);
1139 }
1140 return name;
1141 }
1142
1143 /**
1144 * Tries to find an ip address of a local interface that is included in the
1145 * supplied traffic selector.
1146 */
1147 static status_t get_address_by_ts(private_kernel_interface_t *this,
1148 traffic_selector_t *ts, host_t **ip)
1149 {
1150 iterator_t *iterator, *addresses;
1151 interface_entry_t *entry;
1152 host_t *host;
1153 int family;
1154 bool found = FALSE;
1155
1156 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
1157
1158 /* if we have a family which includes localhost, we do not
1159 * search for an IP, we use the default */
1160 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1161
1162 if (family == AF_INET)
1163 {
1164 host = host_create_from_string("127.0.0.1", 0);
1165 }
1166 else
1167 {
1168 host = host_create_from_string("::1", 0);
1169 }
1170
1171 if (ts->includes(ts, host))
1172 {
1173 *ip = host_create_any(family);
1174 host->destroy(host);
1175 DBG2(DBG_KNL, "using host %H", *ip);
1176 return SUCCESS;
1177 }
1178 host->destroy(host);
1179
1180 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1181 &this->mutex);
1182 while (iterator->iterate(iterator, (void**)&entry))
1183 {
1184 addresses = entry->addresses->create_iterator(entry->addresses, TRUE);
1185 while (addresses->iterate(addresses, (void**)&host))
1186 {
1187 if (ts->includes(ts, host))
1188 {
1189 found = TRUE;
1190 *ip = host->clone(host);
1191 break;
1192 }
1193 }
1194 addresses->destroy(addresses);
1195 if (found)
1196 {
1197 break;
1198 }
1199 }
1200 iterator->destroy(iterator);
1201
1202 if (!found)
1203 {
1204 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
1205 return FAILED;
1206 }
1207 DBG2(DBG_KNL, "using host %H", *ip);
1208 return SUCCESS;
1209 }
1210
1211 /**
1212 * get the interface of a local address
1213 */
1214 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1215 {
1216 iterator_t *iterator, *addresses;
1217 interface_entry_t *entry;
1218 host_t *host;
1219 int ifindex = 0;
1220
1221 DBG2(DBG_KNL, "getting iface for %H", ip);
1222
1223 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1224 &this->mutex);
1225 while (iterator->iterate(iterator, (void**)&entry))
1226 {
1227 addresses = entry->addresses->create_iterator(entry->addresses, TRUE);
1228 while (addresses->iterate(addresses, (void**)&host))
1229 {
1230 if (ip->ip_equals(ip, host))
1231 {
1232 ifindex = entry->ifindex;
1233 break;
1234 }
1235 }
1236 addresses->destroy(addresses);
1237 if (ifindex)
1238 {
1239 break;
1240 }
1241 }
1242 iterator->destroy(iterator);
1243
1244 if (ifindex == 0)
1245 {
1246 DBG1(DBG_KNL, "unable to get interface for %H", ip);
1247 }
1248 return ifindex;
1249 }
1250
1251 /**
1252 * Manages the creation and deletion of ip addresses on an interface.
1253 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1254 */
1255 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1256 int flags, int if_index, host_t *ip)
1257 {
1258 unsigned char request[BUFFER_SIZE];
1259 struct nlmsghdr *hdr;
1260 struct ifaddrmsg *msg;
1261 chunk_t chunk;
1262
1263 memset(&request, 0, sizeof(request));
1264
1265 chunk = ip->get_address(ip);
1266
1267 hdr = (struct nlmsghdr*)request;
1268 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1269 hdr->nlmsg_type = nlmsg_type;
1270 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1271
1272 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1273 msg->ifa_family = ip->get_family(ip);
1274 msg->ifa_flags = 0;
1275 msg->ifa_prefixlen = 8 * chunk.len;
1276 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1277 msg->ifa_index = if_index;
1278
1279 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1280
1281 return netlink_send_ack(this, this->socket_rt, hdr);
1282 }
1283
1284 /**
1285 * Manages source routes in the routing table.
1286 * By setting the appropriate nlmsg_type, the route added or r.
1287 */
1288 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1289 int flags, route_entry_t *route)
1290 {
1291 unsigned char request[BUFFER_SIZE];
1292 struct nlmsghdr *hdr;
1293 struct rtmsg *msg;
1294 chunk_t chunk;
1295
1296 /* if route is 0.0.0.0/0, we can't install it, as it would
1297 * overwrite the default route. Instead, we add two routes:
1298 * 0.0.0.0/1 and 128.0.0.0/1
1299 * TODO: use metrics instead */
1300 if (route->prefixlen == 0)
1301 {
1302 route_entry_t half;
1303 status_t status;
1304
1305 half.dst_net = chunk_alloca(route->dst_net.len);
1306 memset(half.dst_net.ptr, 0, half.dst_net.len);
1307 half.src_ip = route->src_ip;
1308 half.gateway = route->gateway;
1309 half.if_index = route->if_index;
1310 half.prefixlen = 1;
1311
1312 status = manage_srcroute(this, nlmsg_type, flags, &half);
1313 half.dst_net.ptr[0] |= 0x80;
1314 status = manage_srcroute(this, nlmsg_type, flags, &half);
1315 return status;
1316 }
1317
1318 memset(&request, 0, sizeof(request));
1319
1320 hdr = (struct nlmsghdr*)request;
1321 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1322 hdr->nlmsg_type = nlmsg_type;
1323 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1324
1325 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1326 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1327 msg->rtm_dst_len = route->prefixlen;
1328 msg->rtm_table = RT_TABLE_MAIN;
1329 msg->rtm_protocol = RTPROT_STATIC;
1330 msg->rtm_type = RTN_UNICAST;
1331 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1332
1333 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1334 chunk = route->src_ip->get_address(route->src_ip);
1335 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1336 chunk = route->gateway->get_address(route->gateway);
1337 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1338 chunk.ptr = (char*)&route->if_index;
1339 chunk.len = sizeof(route->if_index);
1340 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1341
1342 return netlink_send_ack(this, this->socket_rt, hdr);
1343 }
1344
1345 /**
1346 * Implementation of kernel_interface_t.get_source_addr.
1347 */
1348 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1349 {
1350 unsigned char request[BUFFER_SIZE];
1351 struct nlmsghdr *hdr, *out, *current;
1352 struct rtmsg *msg;
1353 chunk_t chunk;
1354 size_t len;
1355 host_t *source = NULL;
1356
1357 memset(&request, 0, sizeof(request));
1358
1359 hdr = (struct nlmsghdr*)request;
1360 hdr->nlmsg_flags = NLM_F_REQUEST;
1361 hdr->nlmsg_type = RTM_GETROUTE;
1362 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1363
1364 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1365 msg->rtm_family = dest->get_family(dest);
1366 msg->rtm_dst_len = msg->rtm_family == AF_INET ? 32 : 128;
1367 msg->rtm_table = RT_TABLE_MAIN;
1368 msg->rtm_protocol = RTPROT_STATIC;
1369 msg->rtm_type = RTN_UNICAST;
1370 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1371
1372 chunk = dest->get_address(dest);
1373 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1374
1375 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1376 {
1377 DBG1(DBG_KNL, "getting source address to %H failed", dest);
1378 return NULL;
1379 }
1380 current = out;
1381 while (NLMSG_OK(current, len))
1382 {
1383 switch (current->nlmsg_type)
1384 {
1385 case NLMSG_DONE:
1386 break;
1387 case RTM_NEWROUTE:
1388 {
1389 struct rtattr *rta;
1390 size_t rtasize;
1391
1392 msg = (struct rtmsg*)(NLMSG_DATA(current));
1393 rta = RTM_RTA(msg);
1394 rtasize = RTM_PAYLOAD(current);
1395 while(RTA_OK(rta, rtasize))
1396 {
1397 switch (rta->rta_type)
1398 {
1399 case RTA_PREFSRC:
1400 chunk.ptr = RTA_DATA(rta);
1401 chunk.len = RTA_PAYLOAD(rta);
1402 source = host_create_from_chunk(msg->rtm_family,
1403 chunk, 0);
1404 break;
1405 }
1406 rta = RTA_NEXT(rta, rtasize);
1407 }
1408 break;
1409 }
1410 default:
1411 current = NLMSG_NEXT(current, len);
1412 continue;
1413 }
1414 break;
1415 }
1416 if (source == NULL)
1417 {
1418 DBG1(DBG_KNL, "no route found to %H", dest);
1419 }
1420 free(out);
1421 return source;
1422 }
1423
1424 /**
1425 * Implementation of kernel_interface_t.add_ip.
1426 */
1427 static status_t add_ip(private_kernel_interface_t *this,
1428 host_t *virtual_ip, host_t *iface_ip)
1429 {
1430 int targetif;
1431 vip_entry_t *listed;
1432 interface_entry_t *entry;
1433 iterator_t *iterator;
1434
1435 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1436
1437 targetif = get_interface_index(this, iface_ip);
1438 if (targetif == 0)
1439 {
1440 DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H",
1441 virtual_ip, iface_ip);
1442 return FAILED;
1443 }
1444
1445 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1446 iterator = this->vips->create_iterator_locked(this->vips, &this->mutex);
1447 while (iterator->iterate(iterator, (void**)&listed))
1448 {
1449 if (listed->if_index == targetif &&
1450 virtual_ip->ip_equals(virtual_ip, listed->ip))
1451 {
1452 listed->refcount++;
1453 iterator->destroy(iterator);
1454 DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it",
1455 virtual_ip, targetif);
1456 return SUCCESS;
1457 }
1458 }
1459 iterator->destroy(iterator);
1460
1461 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1462 targetif, virtual_ip) == SUCCESS)
1463 {
1464 listed = malloc_thing(vip_entry_t);
1465 listed->ip = virtual_ip->clone(virtual_ip);
1466 listed->if_index = targetif;
1467 listed->refcount = 1;
1468 DBG2(DBG_KNL, "virtual IP %H added to iface %d", virtual_ip, targetif);
1469 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1470 &this->mutex);
1471 this->vips->insert_last(this->vips, listed);
1472 /* we add the VIP also to the cached interface list; the netlink
1473 * event comes in asynchronous and may be to late */
1474 while (iterator->iterate(iterator, (void**)&entry))
1475 {
1476 if (entry->ifindex == targetif)
1477 {
1478 entry->addresses->insert_last(entry->addresses,
1479 virtual_ip->clone(virtual_ip));
1480 break;
1481 }
1482 }
1483 iterator->destroy(iterator);
1484 return SUCCESS;
1485 }
1486
1487 DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d",
1488 virtual_ip, targetif);
1489 return FAILED;
1490 }
1491
1492 /**
1493 * Implementation of kernel_interface_t.del_ip.
1494 */
1495 static status_t del_ip(private_kernel_interface_t *this,
1496 host_t *virtual_ip, host_t *iface_ip)
1497 {
1498 int targetif;
1499 vip_entry_t *listed;
1500 iterator_t *iterator;
1501
1502 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1503
1504 targetif = get_interface_index(this, iface_ip);
1505 if (targetif == 0)
1506 {
1507 DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H",
1508 virtual_ip, iface_ip);
1509 return FAILED;
1510 }
1511
1512 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1513 iterator = this->vips->create_iterator_locked(this->vips, &this->mutex);
1514 while (iterator->iterate(iterator, (void**)&listed))
1515 {
1516 if (listed->if_index == targetif &&
1517 virtual_ip->ip_equals(virtual_ip, listed->ip))
1518 {
1519 listed->refcount--;
1520 if (listed->refcount == 0)
1521 {
1522 iterator->remove(iterator);
1523 vip_entry_destroy(listed);
1524 iterator->destroy(iterator);
1525 return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip);
1526 }
1527 iterator->destroy(iterator);
1528 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1529 virtual_ip);
1530 return SUCCESS;
1531 }
1532 }
1533 iterator->destroy(iterator);
1534
1535 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1536 return FAILED;
1537 }
1538
1539 /**
1540 * Implementation of kernel_interface_t.get_spi.
1541 */
1542 static status_t get_spi(private_kernel_interface_t *this,
1543 host_t *src, host_t *dst,
1544 protocol_id_t protocol, u_int32_t reqid,
1545 u_int32_t *spi)
1546 {
1547 unsigned char request[BUFFER_SIZE];
1548 struct nlmsghdr *hdr, *out;
1549 struct xfrm_userspi_info *userspi;
1550 u_int32_t received_spi = 0;
1551 size_t len;
1552
1553 memset(&request, 0, sizeof(request));
1554
1555 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1556
1557 hdr = (struct nlmsghdr*)request;
1558 hdr->nlmsg_flags = NLM_F_REQUEST;
1559 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1560 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1561
1562 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1563 host2xfrm(src, &userspi->info.saddr);
1564 host2xfrm(dst, &userspi->info.id.daddr);
1565 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1566 userspi->info.mode = TRUE; /* tunnel mode */
1567 userspi->info.reqid = reqid;
1568 userspi->info.family = src->get_family(src);
1569 userspi->min = 0xc0000000;
1570 userspi->max = 0xcFFFFFFF;
1571
1572 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1573 {
1574 hdr = out;
1575 while (NLMSG_OK(hdr, len))
1576 {
1577 switch (hdr->nlmsg_type)
1578 {
1579 case XFRM_MSG_NEWSA:
1580 {
1581 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1582 received_spi = usersa->id.spi;
1583 break;
1584 }
1585 case NLMSG_ERROR:
1586 {
1587 struct nlmsgerr *err = NLMSG_DATA(hdr);
1588
1589 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1590 strerror(-err->error), -err->error);
1591 break;
1592 }
1593 default:
1594 hdr = NLMSG_NEXT(hdr, len);
1595 continue;
1596 case NLMSG_DONE:
1597 break;
1598 }
1599 break;
1600 }
1601 free(out);
1602 }
1603
1604 if (received_spi == 0)
1605 {
1606 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1607 return FAILED;
1608 }
1609
1610 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid);
1611
1612 *spi = received_spi;
1613 return SUCCESS;
1614 }
1615
1616 /**
1617 * Implementation of kernel_interface_t.add_sa.
1618 */
1619 static status_t add_sa(private_kernel_interface_t *this,
1620 host_t *src, host_t *dst, u_int32_t spi,
1621 protocol_id_t protocol, u_int32_t reqid,
1622 u_int64_t expire_soft, u_int64_t expire_hard,
1623 algorithm_t *enc_alg, algorithm_t *int_alg,
1624 prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
1625 bool replace)
1626 {
1627 unsigned char request[BUFFER_SIZE];
1628 char *alg_name;
1629 u_int key_size;
1630 struct nlmsghdr *hdr;
1631 struct xfrm_usersa_info *sa;
1632
1633 memset(&request, 0, sizeof(request));
1634
1635 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi);
1636
1637 hdr = (struct nlmsghdr*)request;
1638 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1639 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1640 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1641
1642 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1643 host2xfrm(src, &sa->saddr);
1644 host2xfrm(dst, &sa->id.daddr);
1645 sa->id.spi = spi;
1646 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1647 sa->family = src->get_family(src);
1648 sa->mode = mode;
1649 sa->replay_window = 32;
1650 sa->reqid = reqid;
1651 /* we currently do not expire SAs by volume/packet count */
1652 sa->lft.soft_byte_limit = XFRM_INF;
1653 sa->lft.hard_byte_limit = XFRM_INF;
1654 sa->lft.soft_packet_limit = XFRM_INF;
1655 sa->lft.hard_packet_limit = XFRM_INF;
1656 /* we use lifetimes since added, not since used */
1657 sa->lft.soft_add_expires_seconds = expire_soft;
1658 sa->lft.hard_add_expires_seconds = expire_hard;
1659 sa->lft.soft_use_expires_seconds = 0;
1660 sa->lft.hard_use_expires_seconds = 0;
1661
1662 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1663
1664 if (enc_alg->algorithm != ENCR_UNDEFINED)
1665 {
1666 rthdr->rta_type = XFRMA_ALG_CRYPT;
1667 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
1668 if (alg_name == NULL)
1669 {
1670 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1671 encryption_algorithm_names, enc_alg->algorithm);
1672 return FAILED;
1673 }
1674 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1675 encryption_algorithm_names, enc_alg->algorithm, key_size);
1676
1677 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1678 hdr->nlmsg_len += rthdr->rta_len;
1679 if (hdr->nlmsg_len > sizeof(request))
1680 {
1681 return FAILED;
1682 }
1683
1684 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1685 algo->alg_key_len = key_size;
1686 strcpy(algo->alg_name, alg_name);
1687 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1688
1689 rthdr = XFRM_RTA_NEXT(rthdr);
1690 }
1691
1692 if (int_alg->algorithm != AUTH_UNDEFINED)
1693 {
1694 rthdr->rta_type = XFRMA_ALG_AUTH;
1695 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
1696 if (alg_name == NULL)
1697 {
1698 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1699 integrity_algorithm_names, int_alg->algorithm);
1700 return FAILED;
1701 }
1702 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1703 integrity_algorithm_names, int_alg->algorithm, key_size);
1704
1705 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1706 hdr->nlmsg_len += rthdr->rta_len;
1707 if (hdr->nlmsg_len > sizeof(request))
1708 {
1709 return FAILED;
1710 }
1711
1712 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1713 algo->alg_key_len = key_size;
1714 strcpy(algo->alg_name, alg_name);
1715 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1716
1717 rthdr = XFRM_RTA_NEXT(rthdr);
1718 }
1719
1720 /* TODO: add IPComp here */
1721
1722 if (natt)
1723 {
1724 rthdr->rta_type = XFRMA_ENCAP;
1725 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1726
1727 hdr->nlmsg_len += rthdr->rta_len;
1728 if (hdr->nlmsg_len > sizeof(request))
1729 {
1730 return FAILED;
1731 }
1732
1733 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1734 encap->encap_type = UDP_ENCAP_ESPINUDP;
1735 encap->encap_sport = htons(natt->sport);
1736 encap->encap_dport = htons(natt->dport);
1737 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
1738 /* encap_oa could probably be derived from the
1739 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1740 * pluto does the same as we do here but it uses encap_oa in the
1741 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1742 * the kernel ignores it anyway
1743 * -> does that mean that NAT-T encap doesn't work in transport mode?
1744 * No. The reason the kernel ignores NAT-OA is that it recomputes
1745 * (or, rather, just ignores) the checksum. If packets pass
1746 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1747 rthdr = XFRM_RTA_NEXT(rthdr);
1748 }
1749
1750 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1751 {
1752 DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi);
1753 return FAILED;
1754 }
1755 return SUCCESS;
1756 }
1757
1758 /**
1759 * Implementation of kernel_interface_t.update_sa.
1760 */
1761 static status_t update_sa(private_kernel_interface_t *this,
1762 host_t *src, host_t *dst,
1763 host_t *new_src, host_t *new_dst,
1764 host_diff_t src_changes, host_diff_t dst_changes,
1765 u_int32_t spi, protocol_id_t protocol)
1766 {
1767 unsigned char request[BUFFER_SIZE];
1768 struct nlmsghdr *hdr, *out = NULL;
1769 struct xfrm_usersa_id *sa_id;
1770 struct xfrm_usersa_info *sa = NULL;
1771 size_t len;
1772
1773 memset(&request, 0, sizeof(request));
1774
1775 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1776
1777 hdr = (struct nlmsghdr*)request;
1778 hdr->nlmsg_flags = NLM_F_REQUEST;
1779 hdr->nlmsg_type = XFRM_MSG_GETSA;
1780 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1781
1782 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1783 host2xfrm(dst, &sa_id->daddr);
1784 sa_id->spi = spi;
1785 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1786 sa_id->family = dst->get_family(dst);
1787
1788 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1789 {
1790 hdr = out;
1791 while (NLMSG_OK(hdr, len))
1792 {
1793 switch (hdr->nlmsg_type)
1794 {
1795 case XFRM_MSG_NEWSA:
1796 {
1797 sa = NLMSG_DATA(hdr);
1798 break;
1799 }
1800 case NLMSG_ERROR:
1801 {
1802 struct nlmsgerr *err = NLMSG_DATA(hdr);
1803 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1804 strerror(-err->error), -err->error);
1805 break;
1806 }
1807 default:
1808 hdr = NLMSG_NEXT(hdr, len);
1809 continue;
1810 case NLMSG_DONE:
1811 break;
1812 }
1813 break;
1814 }
1815 }
1816 if (sa == NULL)
1817 {
1818 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
1819 free(out);
1820 return FAILED;
1821 }
1822
1823 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi);
1824
1825 hdr = out;
1826 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1827 hdr->nlmsg_type = XFRM_MSG_UPDSA;
1828
1829 if (src_changes & HOST_DIFF_ADDR)
1830 {
1831 host2xfrm(new_src, &sa->saddr);
1832 }
1833
1834 if (dst_changes & HOST_DIFF_ADDR)
1835 {
1836 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1837 host2xfrm(new_dst, &sa->id.daddr);
1838 }
1839
1840 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
1841 {
1842 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1843 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
1844 while (RTA_OK(rtattr, rtsize))
1845 {
1846 if (rtattr->rta_type == XFRMA_ENCAP)
1847 {
1848 struct xfrm_encap_tmpl* encap;
1849 encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
1850 encap->encap_sport = ntohs(new_src->get_port(new_src));
1851 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
1852 break;
1853 }
1854 rtattr = RTA_NEXT(rtattr, rtsize);
1855 }
1856 }
1857 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1858 {
1859 DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
1860 free(out);
1861 return FAILED;
1862 }
1863 free(out);
1864
1865 if (dst_changes & HOST_DIFF_ADDR)
1866 {
1867 return this->public.del_sa(&this->public, dst, spi, protocol);
1868 }
1869 return SUCCESS;
1870 }
1871
1872 /**
1873 * Implementation of kernel_interface_t.query_sa.
1874 */
1875 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
1876 u_int32_t spi, protocol_id_t protocol,
1877 u_int32_t *use_time)
1878 {
1879 unsigned char request[BUFFER_SIZE];
1880 struct nlmsghdr *out = NULL, *hdr;
1881 struct xfrm_usersa_id *sa_id;
1882 struct xfrm_usersa_info *sa = NULL;
1883 size_t len;
1884
1885 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1886 memset(&request, 0, sizeof(request));
1887
1888 hdr = (struct nlmsghdr*)request;
1889 hdr->nlmsg_flags = NLM_F_REQUEST;
1890 hdr->nlmsg_type = XFRM_MSG_GETSA;
1891 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1892
1893 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1894 host2xfrm(dst, &sa_id->daddr);
1895 sa_id->spi = spi;
1896 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1897 sa_id->family = dst->get_family(dst);
1898
1899 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1900 {
1901 hdr = out;
1902 while (NLMSG_OK(hdr, len))
1903 {
1904 switch (hdr->nlmsg_type)
1905 {
1906 case XFRM_MSG_NEWSA:
1907 {
1908 sa = NLMSG_DATA(hdr);
1909 break;
1910 }
1911 case NLMSG_ERROR:
1912 {
1913 struct nlmsgerr *err = NLMSG_DATA(hdr);
1914 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1915 strerror(-err->error), -err->error);
1916 break;
1917 }
1918 default:
1919 hdr = NLMSG_NEXT(hdr, len);
1920 continue;
1921 case NLMSG_DONE:
1922 break;
1923 }
1924 break;
1925 }
1926 }
1927
1928 if (sa == NULL)
1929 {
1930 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
1931 free(out);
1932 return FAILED;
1933 }
1934
1935 *use_time = sa->curlft.use_time;
1936 free (out);
1937 return SUCCESS;
1938 }
1939
1940 /**
1941 * Implementation of kernel_interface_t.del_sa.
1942 */
1943 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
1944 u_int32_t spi, protocol_id_t protocol)
1945 {
1946 unsigned char request[BUFFER_SIZE];
1947 struct nlmsghdr *hdr;
1948 struct xfrm_usersa_id *sa_id;
1949
1950 memset(&request, 0, sizeof(request));
1951
1952 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
1953
1954 hdr = (struct nlmsghdr*)request;
1955 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1956 hdr->nlmsg_type = XFRM_MSG_DELSA;
1957 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1958
1959 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1960 host2xfrm(dst, &sa_id->daddr);
1961 sa_id->spi = spi;
1962 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1963 sa_id->family = dst->get_family(dst);
1964
1965 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1966 {
1967 DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
1968 return FAILED;
1969 }
1970 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
1971 return SUCCESS;
1972 }
1973
1974 /**
1975 * Implementation of kernel_interface_t.add_policy.
1976 */
1977 static status_t add_policy(private_kernel_interface_t *this,
1978 host_t *src, host_t *dst,
1979 traffic_selector_t *src_ts,
1980 traffic_selector_t *dst_ts,
1981 policy_dir_t direction, protocol_id_t protocol,
1982 u_int32_t reqid, bool high_prio, mode_t mode,
1983 bool update)
1984 {
1985 iterator_t *iterator;
1986 policy_entry_t *current, *policy;
1987 bool found = FALSE;
1988 unsigned char request[BUFFER_SIZE];
1989 struct xfrm_userpolicy_info *policy_info;
1990 struct nlmsghdr *hdr;
1991
1992 /* create a policy */
1993 policy = malloc_thing(policy_entry_t);
1994 memset(policy, 0, sizeof(policy_entry_t));
1995 policy->sel = ts2selector(src_ts, dst_ts);
1996 policy->direction = direction;
1997
1998 /* find the policy, which matches EXACTLY */
1999 pthread_mutex_lock(&this->mutex);
2000 iterator = this->policies->create_iterator(this->policies, TRUE);
2001 while (iterator->iterate(iterator, (void**)&current))
2002 {
2003 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
2004 policy->direction == current->direction)
2005 {
2006 /* use existing policy */
2007 if (!update)
2008 {
2009 current->refcount++;
2010 DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
2011 "refcount", src_ts, dst_ts);
2012 }
2013 free(policy);
2014 policy = current;
2015 found = TRUE;
2016 break;
2017 }
2018 }
2019 iterator->destroy(iterator);
2020 if (!found)
2021 { /* apply the new one, if we have no such policy */
2022 this->policies->insert_last(this->policies, policy);
2023 policy->refcount = 1;
2024 }
2025
2026 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
2027
2028 memset(&request, 0, sizeof(request));
2029 hdr = (struct nlmsghdr*)request;
2030 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2031 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2032 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2033
2034 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2035 policy_info->sel = policy->sel;
2036 policy_info->dir = policy->direction;
2037 /* calculate priority based on source selector size, small size = high prio */
2038 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2039 policy_info->priority -= policy->sel.prefixlen_s * 10;
2040 policy_info->priority -= policy->sel.proto ? 2 : 0;
2041 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2042 policy_info->action = XFRM_POLICY_ALLOW;
2043 policy_info->share = XFRM_SHARE_ANY;
2044 pthread_mutex_unlock(&this->mutex);
2045
2046 /* policies don't expire */
2047 policy_info->lft.soft_byte_limit = XFRM_INF;
2048 policy_info->lft.soft_packet_limit = XFRM_INF;
2049 policy_info->lft.hard_byte_limit = XFRM_INF;
2050 policy_info->lft.hard_packet_limit = XFRM_INF;
2051 policy_info->lft.soft_add_expires_seconds = 0;
2052 policy_info->lft.hard_add_expires_seconds = 0;
2053 policy_info->lft.soft_use_expires_seconds = 0;
2054 policy_info->lft.hard_use_expires_seconds = 0;
2055
2056 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2057 rthdr->rta_type = XFRMA_TMPL;
2058
2059 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
2060 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
2061
2062 hdr->nlmsg_len += rthdr->rta_len;
2063 if (hdr->nlmsg_len > sizeof(request))
2064 {
2065 return FAILED;
2066 }
2067
2068 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2069 tmpl->reqid = reqid;
2070 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
2071 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2072 tmpl->mode = mode;
2073 tmpl->family = src->get_family(src);
2074
2075 host2xfrm(src, &tmpl->saddr);
2076 host2xfrm(dst, &tmpl->id.daddr);
2077
2078 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2079 {
2080 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
2081 return FAILED;
2082 }
2083
2084 /* install a route, if:
2085 * - we are NOT updating a policy
2086 * - this is a forward policy (to just get one for each child)
2087 * - we are in tunnel mode
2088 * - we are not using IPv6 (does not work correctly yet!)
2089 */
2090 if (policy->route == NULL && direction == POLICY_FWD &&
2091 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6)
2092 {
2093 policy->route = malloc_thing(route_entry_t);
2094 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2095 {
2096 policy->route->gateway = dst->clone(dst);
2097 policy->route->if_index = get_interface_index(this, dst);
2098 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2099 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
2100 policy->route->prefixlen = policy->sel.prefixlen_s;
2101
2102 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
2103 policy->route) != SUCCESS)
2104 {
2105 DBG1(DBG_KNL, "unable to install source route for %H",
2106 policy->route->src_ip);
2107 route_entry_destroy(policy->route);
2108 policy->route = NULL;
2109 }
2110 }
2111 else
2112 {
2113 free(policy->route);
2114 policy->route = NULL;
2115 }
2116 }
2117
2118 return SUCCESS;
2119 }
2120
2121 /**
2122 * Implementation of kernel_interface_t.query_policy.
2123 */
2124 static status_t query_policy(private_kernel_interface_t *this,
2125 traffic_selector_t *src_ts,
2126 traffic_selector_t *dst_ts,
2127 policy_dir_t direction, u_int32_t *use_time)
2128 {
2129 unsigned char request[BUFFER_SIZE];
2130 struct nlmsghdr *out = NULL, *hdr;
2131 struct xfrm_userpolicy_id *policy_id;
2132 struct xfrm_userpolicy_info *policy = NULL;
2133 size_t len;
2134
2135 memset(&request, 0, sizeof(request));
2136
2137 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
2138
2139 hdr = (struct nlmsghdr*)request;
2140 hdr->nlmsg_flags = NLM_F_REQUEST;
2141 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2142 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2143
2144 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2145 policy_id->sel = ts2selector(src_ts, dst_ts);
2146 policy_id->dir = direction;
2147
2148 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2149 {
2150 hdr = out;
2151 while (NLMSG_OK(hdr, len))
2152 {
2153 switch (hdr->nlmsg_type)
2154 {
2155 case XFRM_MSG_NEWPOLICY:
2156 {
2157 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2158 break;
2159 }
2160 case NLMSG_ERROR:
2161 {
2162 struct nlmsgerr *err = NLMSG_DATA(hdr);
2163 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2164 strerror(-err->error), -err->error);
2165 break;
2166 }
2167 default:
2168 hdr = NLMSG_NEXT(hdr, len);
2169 continue;
2170 case NLMSG_DONE:
2171 break;
2172 }
2173 break;
2174 }
2175 }
2176
2177 if (policy == NULL)
2178 {
2179 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
2180 free(out);
2181 return FAILED;
2182 }
2183 *use_time = (time_t)policy->curlft.use_time;
2184
2185 free(out);
2186 return SUCCESS;
2187 }
2188
2189 /**
2190 * Implementation of kernel_interface_t.del_policy.
2191 */
2192 static status_t del_policy(private_kernel_interface_t *this,
2193 traffic_selector_t *src_ts,
2194 traffic_selector_t *dst_ts,
2195 policy_dir_t direction)
2196 {
2197 policy_entry_t *current, policy, *to_delete = NULL;
2198 route_entry_t *route;
2199 unsigned char request[BUFFER_SIZE];
2200 struct nlmsghdr *hdr;
2201 struct xfrm_userpolicy_id *policy_id;
2202 iterator_t *iterator;
2203
2204 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
2205
2206 /* create a policy */
2207 memset(&policy, 0, sizeof(policy_entry_t));
2208 policy.sel = ts2selector(src_ts, dst_ts);
2209 policy.direction = direction;
2210
2211 /* find the policy */
2212 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2213 while (iterator->iterate(iterator, (void**)&current))
2214 {
2215 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2216 policy.direction == current->direction)
2217 {
2218 to_delete = current;
2219 if (--to_delete->refcount > 0)
2220 {
2221 /* is used by more SAs, keep in kernel */
2222 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2223 iterator->destroy(iterator);
2224 return SUCCESS;
2225 }
2226 /* remove if last reference */
2227 iterator->remove(iterator);
2228 break;
2229 }
2230 }
2231 iterator->destroy(iterator);
2232 if (!to_delete)
2233 {
2234 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
2235 return NOT_FOUND;
2236 }
2237
2238 memset(&request, 0, sizeof(request));
2239
2240 hdr = (struct nlmsghdr*)request;
2241 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2242 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2243 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2244
2245 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2246 policy_id->sel = to_delete->sel;
2247 policy_id->dir = direction;
2248
2249 route = to_delete->route;
2250 free(to_delete);
2251
2252 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2253 {
2254 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
2255 return FAILED;
2256 }
2257
2258 if (route)
2259 {
2260 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2261 {
2262 DBG1(DBG_KNL, "error uninstalling route installed with "
2263 "policy %R===%R", src_ts, dst_ts);
2264 }
2265 route_entry_destroy(route);
2266 }
2267 return SUCCESS;
2268 }
2269
2270 /**
2271 * Implementation of kernel_interface_t.destroy.
2272 */
2273 static void destroy(private_kernel_interface_t *this)
2274 {
2275 this->job->cancel(this->job);
2276 close(this->socket_xfrm_events);
2277 close(this->socket_xfrm);
2278 close(this->socket_rt_events);
2279 close(this->socket_rt);
2280 this->vips->destroy(this->vips);
2281 this->policies->destroy(this->policies);
2282 this->interfaces->destroy_function(this->interfaces, (void*)interface_entry_destroy);
2283 free(this);
2284 }
2285
2286 /*
2287 * Described in header.
2288 */
2289 kernel_interface_t *kernel_interface_create()
2290 {
2291 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2292 struct sockaddr_nl addr;
2293
2294
2295 /* public functions */
2296 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2297 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
2298 this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
2299 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2300 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2301 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
2302 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2303 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2304 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2305 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2306 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
2307 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2308 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
2309 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2310
2311 /* private members */
2312 this->vips = linked_list_create();
2313 this->policies = linked_list_create();
2314 this->interfaces = linked_list_create();
2315 this->hiter = NULL;
2316 this->seq = 200;
2317 pthread_mutex_init(&this->mutex,NULL);
2318
2319 memset(&addr, 0, sizeof(addr));
2320 addr.nl_family = AF_NETLINK;
2321
2322 /* create and bind RT socket */
2323 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2324 if (this->socket_rt <= 0)
2325 {
2326 charon->kill(charon, "unable to create RT netlink socket");
2327 }
2328 addr.nl_groups = 0;
2329 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
2330 {
2331 charon->kill(charon, "unable to bind RT netlink socket");
2332 }
2333
2334 /* create and bind RT socket for events (address/interface changes) */
2335 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2336 if (this->socket_rt_events <= 0)
2337 {
2338 charon->kill(charon, "unable to create RT event socket");
2339 }
2340 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | RTMGRP_LINK;
2341 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
2342 {
2343 charon->kill(charon, "unable to bind RT event socket");
2344 }
2345
2346 /* create and bind XFRM socket */
2347 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2348 if (this->socket_xfrm <= 0)
2349 {
2350 charon->kill(charon, "unable to create XFRM netlink socket");
2351 }
2352 addr.nl_groups = 0;
2353 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
2354 {
2355 charon->kill(charon, "unable to bind XFRM netlink socket");
2356 }
2357
2358 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2359 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2360 if (this->socket_xfrm_events <= 0)
2361 {
2362 charon->kill(charon, "unable to create XFRM event socket");
2363 }
2364 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
2365 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2366 {
2367 charon->kill(charon, "unable to bind XFRM event socket");
2368 }
2369
2370 this->job = callback_job_create((callback_job_cb_t)receive_events,
2371 this, NULL, NULL);
2372 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2373
2374 if (init_address_list(this) != SUCCESS)
2375 {
2376 charon->kill(charon, "unable to get interface list");
2377 }
2378
2379 return &this->public;
2380 }
2381