2 * @file kernel_interface.c
4 * @brief Implementation of kernel_interface_t.
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
17 * Based on xfrm code from pluto.
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
42 #include <sys/ioctl.h>
44 #include "kernel_interface.h"
47 #include <utils/linked_list.h>
48 #include <processing/jobs/delete_child_sa_job.h>
49 #include <processing/jobs/rekey_child_sa_job.h>
50 #include <processing/jobs/acquire_job.h>
51 #include <processing/jobs/callback_job.h>
53 /** kernel level protocol identifiers */
57 /** default priority of installed policies */
59 #define PRIO_HIGH 2000
61 #define BUFFER_SIZE 1024
64 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
65 * 'usual' netlink data x like 'struct xfrm_usersa_info'
67 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
69 * returns a pointer to the next rtattr following rta.
70 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
72 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
74 * returns the total size of attached rta data
75 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
77 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
79 typedef struct kernel_algorithm_t kernel_algorithm_t
;
82 * Mapping from the algorithms defined in IKEv2 to
83 * kernel level algorithm names and their key length
85 struct kernel_algorithm_t
{
87 * Identifier specified in IKEv2
92 * Name of the algorithm, as used as kernel identifier
97 * Key length in bits, if fixed size
101 #define END_OF_LIST -1
104 * Algorithms for encryption
106 kernel_algorithm_t encryption_algs
[] = {
107 /* {ENCR_DES_IV64, "***", 0}, */
108 {ENCR_DES
, "des", 64},
109 {ENCR_3DES
, "des3_ede", 192},
110 /* {ENCR_RC5, "***", 0}, */
111 /* {ENCR_IDEA, "***", 0}, */
112 {ENCR_CAST
, "cast128", 0},
113 {ENCR_BLOWFISH
, "blowfish", 0},
114 /* {ENCR_3IDEA, "***", 0}, */
115 /* {ENCR_DES_IV32, "***", 0}, */
116 {ENCR_NULL
, "cipher_null", 0},
117 {ENCR_AES_CBC
, "aes", 0},
118 /* {ENCR_AES_CTR, "***", 0}, */
119 {END_OF_LIST
, NULL
, 0},
123 * Algorithms for integrity protection
125 kernel_algorithm_t integrity_algs
[] = {
126 {AUTH_HMAC_MD5_96
, "md5", 128},
127 {AUTH_HMAC_SHA1_96
, "sha1", 160},
128 {AUTH_HMAC_SHA2_256_128
, "sha256", 256},
129 {AUTH_HMAC_SHA2_384_192
, "sha384", 384},
130 {AUTH_HMAC_SHA2_512_256
, "sha512", 512},
131 /* {AUTH_DES_MAC, "***", 0}, */
132 /* {AUTH_KPDK_MD5, "***", 0}, */
133 {AUTH_AES_XCBC_96
, "xcbc(aes)", 128},
134 {END_OF_LIST
, NULL
, 0},
138 * Look up a kernel algorithm name and its key size
140 char* lookup_algorithm(kernel_algorithm_t
*kernel_algo
,
141 algorithm_t
*ikev2_algo
, u_int
*key_size
)
143 while (kernel_algo
->ikev2_id
!= END_OF_LIST
)
145 if (ikev2_algo
->algorithm
== kernel_algo
->ikev2_id
)
147 /* match, evaluate key length */
148 if (ikev2_algo
->key_size
)
149 { /* variable length */
150 *key_size
= ikev2_algo
->key_size
;
154 *key_size
= kernel_algo
->key_size
;
156 return kernel_algo
->name
;
163 typedef struct route_entry_t route_entry_t
;
166 * installed routing entry
168 struct route_entry_t
{
170 /** Index of the interface the route is bound to */
173 /** Source ip of the route */
176 /** gateway for this route */
179 /** Destination net */
182 /** Destination net prefixlen */
187 * destroy an route_entry_t object
189 static void route_entry_destroy(route_entry_t
*this)
191 this->src_ip
->destroy(this->src_ip
);
192 this->gateway
->destroy(this->gateway
);
193 chunk_free(&this->dst_net
);
197 typedef struct policy_entry_t policy_entry_t
;
200 * installed kernel policy.
202 struct policy_entry_t
{
204 /** direction of this policy: in, out, forward */
207 /** reqid of the policy */
210 /** parameters of installed policy */
211 struct xfrm_selector sel
;
213 /** associated route installed for this policy */
214 route_entry_t
*route
;
216 /** by how many CHILD_SA's this policy is used */
220 typedef struct vip_entry_t vip_entry_t
;
223 * Installed virtual ip
226 /** Index of the interface the ip is bound to */
229 /** The ip address */
232 /** Number of times this IP is used */
237 * destroy a vip_entry_t object
239 static void vip_entry_destroy(vip_entry_t
*this)
241 this->ip
->destroy(this->ip
);
245 typedef struct interface_entry_t interface_entry_t
;
248 * A network interface on this system, containing addresses
250 struct interface_entry_t
{
252 /** interface index */
255 /** name of the interface */
256 char ifname
[IFNAMSIZ
];
258 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
261 /** list of addresses as host_t */
262 linked_list_t
*addresses
;
266 * destroy an interface entry
268 static void interface_entry_destroy(interface_entry_t
*this)
270 this->addresses
->destroy_offset(this->addresses
, offsetof(host_t
, destroy
));
274 typedef struct private_kernel_interface_t private_kernel_interface_t
;
277 * Private variables and functions of kernel_interface class.
279 struct private_kernel_interface_t
{
281 * Public part of the kernel_interface_t object.
283 kernel_interface_t
public;
286 * mutex to lock access to the various lists
288 pthread_mutex_t mutex
;
291 * List of installed policies (kernel_entry_t)
293 linked_list_t
*policies
;
296 * List of installed virtual IPs. (vip_entry_t)
301 * Cached list of interfaces and its adresses (interface_entry_t)
303 linked_list_t
*interfaces
;
306 * iterator used in hook()
311 * job receiving netlink events
316 * current sequence number for netlink request
321 * Netlink xfrm socket (IPsec)
326 * netlink xfrm socket to receive acquire and expire events
328 int socket_xfrm_events
;
331 * Netlink rt socket (routing)
336 * Netlink rt socket to receive address change events
338 int socket_rt_events
;
342 * convert a host_t to a struct xfrm_address
344 static void host2xfrm(host_t
*host
, xfrm_address_t
*xfrm
)
346 chunk_t chunk
= host
->get_address(host
);
347 memcpy(xfrm
, chunk
.ptr
, min(chunk
.len
, sizeof(xfrm_address_t
)));
351 * convert a traffic selector address range to subnet and its mask.
353 static void ts2subnet(traffic_selector_t
* ts
,
354 xfrm_address_t
*net
, u_int8_t
*mask
)
356 /* there is no way to do this cleanly, as the address range may
357 * be anything else but a subnet. We use from_addr as subnet
358 * and try to calculate a usable subnet mask.
363 size_t size
= (ts
->get_type(ts
) == TS_IPV4_ADDR_RANGE
) ?
4 : 16;
365 from
= ts
->get_from_address(ts
);
366 to
= ts
->get_to_address(ts
);
369 /* go trough all bits of the addresses, beginning in the front.
370 * as long as they are equal, the subnet gets larger
372 for (byte
= 0; byte
< size
; byte
++)
374 for (bit
= 7; bit
>= 0; bit
--)
376 if ((1<<bit
& from
.ptr
[byte
]) != (1<<bit
& to
.ptr
[byte
]))
378 *mask
= ((7 - bit
) + (byte
* 8));
388 memcpy(net
, from
.ptr
, from
.len
);
394 * convert a traffic selector port range to port/portmask
396 static void ts2ports(traffic_selector_t
* ts
,
397 u_int16_t
*port
, u_int16_t
*mask
)
399 /* linux does not seem to accept complex portmasks. Only
400 * any or a specific port is allowed. We set to any, if we have
401 * a port range, or to a specific, if we have one port only.
405 from
= ts
->get_from_port(ts
);
406 to
= ts
->get_to_port(ts
);
421 * convert a pair of traffic_selectors to a xfrm_selector
423 static struct xfrm_selector
ts2selector(traffic_selector_t
*src
,
424 traffic_selector_t
*dst
)
426 struct xfrm_selector sel
;
428 memset(&sel
, 0, sizeof(sel
));
429 sel
.family
= src
->get_type(src
) == TS_IPV4_ADDR_RANGE ? AF_INET
: AF_INET6
;
430 /* src or dest proto may be "any" (0), use more restrictive one */
431 sel
.proto
= max(src
->get_protocol(src
), dst
->get_protocol(dst
));
432 ts2subnet(dst
, &sel
.daddr
, &sel
.prefixlen_d
);
433 ts2subnet(src
, &sel
.saddr
, &sel
.prefixlen_s
);
434 ts2ports(dst
, &sel
.dport
, &sel
.dport_mask
);
435 ts2ports(src
, &sel
.sport
, &sel
.sport_mask
);
443 * Creates an rtattr and adds it to the netlink message
445 static void add_attribute(struct nlmsghdr
*hdr
, int rta_type
, chunk_t data
,
450 if (NLMSG_ALIGN(hdr
->nlmsg_len
) + RTA_ALIGN(data
.len
) > buflen
)
452 DBG1(DBG_KNL
, "unable to add attribute, buffer too small");
456 rta
= (struct rtattr
*)(((char*)hdr
) + NLMSG_ALIGN(hdr
->nlmsg_len
));
457 rta
->rta_type
= rta_type
;
458 rta
->rta_len
= RTA_LENGTH(data
.len
);
459 memcpy(RTA_DATA(rta
), data
.ptr
, data
.len
);
460 hdr
->nlmsg_len
= NLMSG_ALIGN(hdr
->nlmsg_len
) + rta
->rta_len
;
464 * process a XFRM_MSG_ACQUIRE from kernel
466 static void process_acquire(private_kernel_interface_t
*this, struct nlmsghdr
*hdr
)
470 struct rtattr
*rtattr
= XFRM_RTA(hdr
, struct xfrm_user_acquire
);
471 size_t rtsize
= XFRM_PAYLOAD(hdr
, struct xfrm_user_tmpl
);
473 if (RTA_OK(rtattr
, rtsize
))
475 if (rtattr
->rta_type
== XFRMA_TMPL
)
477 struct xfrm_user_tmpl
* tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rtattr
);
483 DBG1(DBG_KNL
, "received a XFRM_MSG_ACQUIRE, but no reqid found");
486 DBG2(DBG_KNL
, "received a XFRM_MSG_ACQUIRE");
487 DBG1(DBG_KNL
, "creating acquire job for CHILD_SA with reqid %d", reqid
);
488 job
= (job_t
*)acquire_job_create(reqid
);
489 charon
->processor
->queue_job(charon
->processor
, job
);
493 * process a XFRM_MSG_EXPIRE from kernel
495 static void process_expire(private_kernel_interface_t
*this, struct nlmsghdr
*hdr
)
498 protocol_id_t protocol
;
499 u_int32_t spi
, reqid
;
500 struct xfrm_user_expire
*expire
;
502 expire
= (struct xfrm_user_expire
*)NLMSG_DATA(hdr
);
503 protocol
= expire
->state
.id
.proto
== KERNEL_ESP ? PROTO_ESP
: PROTO_AH
;
504 spi
= expire
->state
.id
.spi
;
505 reqid
= expire
->state
.reqid
;
507 DBG2(DBG_KNL
, "received a XFRM_MSG_EXPIRE");
508 DBG1(DBG_KNL
, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
509 expire
->hard ?
"delete" : "rekey", protocol_id_names
,
510 protocol
, ntohl(spi
), reqid
);
513 job
= (job_t
*)delete_child_sa_job_create(reqid
, protocol
, spi
);
517 job
= (job_t
*)rekey_child_sa_job_create(reqid
, protocol
, spi
);
519 charon
->processor
->queue_job(charon
->processor
, job
);
523 * process RTM_NEWLINK/RTM_DELLINK from kernel
525 static void process_link(private_kernel_interface_t
*this,
526 struct nlmsghdr
*hdr
, bool event
)
528 struct ifinfomsg
* msg
= (struct ifinfomsg
*)(NLMSG_DATA(hdr
));
529 struct rtattr
*rta
= IFLA_RTA(msg
);
530 size_t rtasize
= IFLA_PAYLOAD (hdr
);
531 iterator_t
*iterator
;
532 interface_entry_t
*current
, *entry
= NULL
;
535 while(RTA_OK(rta
, rtasize
))
537 switch (rta
->rta_type
)
540 name
= RTA_DATA(rta
);
543 rta
= RTA_NEXT(rta
, rtasize
);
550 switch (hdr
->nlmsg_type
)
554 if (msg
->ifi_flags
& IFF_LOOPBACK
)
555 { /* ignore loopback interfaces */
558 iterator
= this->interfaces
->create_iterator_locked(this->interfaces
,
560 while (iterator
->iterate(iterator
, (void**)¤t
))
562 if (current
->ifindex
== msg
->ifi_index
)
570 entry
= malloc_thing(interface_entry_t
);
571 entry
->ifindex
= msg
->ifi_index
;
573 entry
->addresses
= linked_list_create();
574 this->interfaces
->insert_last(this->interfaces
, entry
);
576 memcpy(entry
->ifname
, name
, IFNAMSIZ
);
577 entry
->ifname
[IFNAMSIZ
-1] = '\0';
580 if (!(entry
->flags
& IFF_UP
) && (msg
->ifi_flags
& IFF_UP
))
582 DBG1(DBG_KNL
, "interface %s activated", name
);
584 if ((entry
->flags
& IFF_UP
) && !(msg
->ifi_flags
& IFF_UP
))
586 DBG1(DBG_KNL
, "interface %s deactivated", name
);
589 entry
->flags
= msg
->ifi_flags
;
590 iterator
->destroy(iterator
);
595 iterator
= this->interfaces
->create_iterator_locked(this->interfaces
,
597 while (iterator
->iterate(iterator
, (void**)¤t
))
599 if (current
->ifindex
== msg
->ifi_index
)
601 /* we do not remove it, as an address may be added to a
602 * "down" interface and we wan't to know that. */
603 current
->flags
= msg
->ifi_flags
;
607 iterator
->destroy(iterator
);
614 * process RTM_NEWADDR/RTM_DELADDR from kernel
616 static void process_addr(private_kernel_interface_t
*this,
617 struct nlmsghdr
*hdr
, bool event
)
619 struct ifaddrmsg
* msg
= (struct ifaddrmsg
*)(NLMSG_DATA(hdr
));
620 struct rtattr
*rta
= IFA_RTA(msg
);
621 size_t rtasize
= IFA_PAYLOAD (hdr
);
623 iterator_t
*iterator
;
624 interface_entry_t
*entry
;
625 chunk_t local
= chunk_empty
, address
= chunk_empty
;
627 while(RTA_OK(rta
, rtasize
))
629 switch (rta
->rta_type
)
632 local
.ptr
= RTA_DATA(rta
);
633 local
.len
= RTA_PAYLOAD(rta
);
636 address
.ptr
= RTA_DATA(rta
);
637 address
.len
= RTA_PAYLOAD(rta
);
640 rta
= RTA_NEXT(rta
, rtasize
);
643 /* For PPP interfaces, we need the IFA_LOCAL address,
644 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
645 * not included in all cases, so fallback to IFA_ADDRESS. */
648 host
= host_create_from_chunk(msg
->ifa_family
, local
, 0);
650 else if (address
.ptr
)
652 host
= host_create_from_chunk(msg
->ifa_family
, address
, 0);
660 switch (hdr
->nlmsg_type
)
664 iterator
= this->interfaces
->create_iterator_locked(this->interfaces
,
666 while (iterator
->iterate(iterator
, (void**)&entry
))
668 if (entry
->ifindex
== msg
->ifa_index
)
670 entry
->addresses
->insert_last(entry
->addresses
,
674 DBG1(DBG_KNL
, "%H appeared on %s", host
, entry
->ifname
);
679 iterator
->destroy(iterator
);
684 iterator
= this->interfaces
->create_iterator_locked(this->interfaces
,
686 while (iterator
->iterate(iterator
, (void**)&entry
))
688 if (entry
->ifindex
== msg
->ifa_index
)
690 iterator_t
*addresses
;
693 addresses
= entry
->addresses
->create_iterator(
694 entry
->addresses
, TRUE
);
695 while (addresses
->iterate(addresses
, (void**)¤t
))
697 if (current
->equals(current
, host
))
699 addresses
->remove(addresses
);
700 current
->destroy(current
);
701 DBG1(DBG_KNL
, "%H disappeared from %s",
702 host
, entry
->ifname
);
705 addresses
->destroy(addresses
);
708 iterator
->destroy(iterator
);
718 * Receives events from kernel
720 static job_requeue_t
receive_events(private_kernel_interface_t
*this)
723 struct nlmsghdr
*hdr
= (struct nlmsghdr
*)response
;
724 struct sockaddr_nl addr
;
725 socklen_t addr_len
= sizeof(addr
);
726 int len
, oldstate
, maxfd
, selected
;
730 FD_SET(this->socket_xfrm_events
, &rfds
);
731 FD_SET(this->socket_rt_events
, &rfds
);
732 maxfd
= max(this->socket_xfrm_events
, this->socket_rt_events
);
734 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE
, &oldstate
);
735 selected
= select(maxfd
+ 1, &rfds
, NULL
, NULL
, NULL
);
736 pthread_setcancelstate(oldstate
, NULL
);
739 DBG1(DBG_KNL
, "selecting on sockets failed: %s", strerror(errno
));
740 return JOB_REQUEUE_FAIR
;
742 if (FD_ISSET(this->socket_xfrm_events
, &rfds
))
744 selected
= this->socket_xfrm_events
;
746 else if (FD_ISSET(this->socket_rt_events
, &rfds
))
748 selected
= this->socket_rt_events
;
752 return JOB_REQUEUE_DIRECT
;
755 len
= recvfrom(selected
, response
, sizeof(response
), MSG_DONTWAIT
,
756 (struct sockaddr
*)&addr
, &addr_len
);
762 /* interrupted, try again */
763 return JOB_REQUEUE_DIRECT
;
765 /* no data ready, select again */
766 return JOB_REQUEUE_DIRECT
;
768 DBG1(DBG_KNL
, "unable to receive from xfrm event socket");
770 return JOB_REQUEUE_FAIR
;
773 if (addr
.nl_pid
!= 0)
774 { /* not from kernel. not interested, try another one */
775 return JOB_REQUEUE_DIRECT
;
778 while (NLMSG_OK(hdr
, len
))
780 /* looks good so far, dispatch netlink message */
781 if (selected
== this->socket_xfrm_events
)
783 switch (hdr
->nlmsg_type
)
785 case XFRM_MSG_ACQUIRE
:
786 process_acquire(this, hdr
);
788 case XFRM_MSG_EXPIRE
:
789 process_expire(this, hdr
);
795 else if (selected
== this->socket_rt_events
)
797 switch (hdr
->nlmsg_type
)
801 process_addr(this, hdr
, TRUE
);
805 process_link(this, hdr
, TRUE
);
811 hdr
= NLMSG_NEXT(hdr
, len
);
813 return JOB_REQUEUE_DIRECT
;
817 * send a netlink message and wait for a reply
819 static status_t
netlink_send(private_kernel_interface_t
*this,
820 int socket
, struct nlmsghdr
*in
,
821 struct nlmsghdr
**out
, size_t *out_len
)
824 struct sockaddr_nl addr
;
825 chunk_t result
= chunk_empty
, tmp
;
826 struct nlmsghdr
*msg
, peek
;
828 pthread_mutex_lock(&this->mutex
);
830 in
->nlmsg_seq
= ++this->seq
;
831 in
->nlmsg_pid
= getpid();
833 memset(&addr
, 0, sizeof(addr
));
834 addr
.nl_family
= AF_NETLINK
;
840 len
= sendto(socket
, in
, in
->nlmsg_len
, 0,
841 (struct sockaddr
*)&addr
, sizeof(addr
));
843 if (len
!= in
->nlmsg_len
)
847 /* interrupted, try again */
850 pthread_mutex_unlock(&this->mutex
);
851 DBG1(DBG_KNL
, "error sending to netlink socket: %s", strerror(errno
));
860 tmp
.len
= sizeof(buf
);
862 msg
= (struct nlmsghdr
*)tmp
.ptr
;
864 memset(&addr
, 0, sizeof(addr
));
865 addr
.nl_family
= AF_NETLINK
;
866 addr
.nl_pid
= getpid();
868 addr_len
= sizeof(addr
);
870 len
= recvfrom(socket
, tmp
.ptr
, tmp
.len
, 0,
871 (struct sockaddr
*)&addr
, &addr_len
);
877 DBG1(DBG_IKE
, "got interrupted");
878 /* interrupted, try again */
881 DBG1(DBG_IKE
, "error reading from netlink socket: %s", strerror(errno
));
882 pthread_mutex_unlock(&this->mutex
);
885 if (!NLMSG_OK(msg
, len
))
887 DBG1(DBG_IKE
, "received corrupted netlink message");
888 pthread_mutex_unlock(&this->mutex
);
891 if (msg
->nlmsg_seq
!= this->seq
)
893 DBG1(DBG_IKE
, "received invalid netlink sequence number");
894 if (msg
->nlmsg_seq
< this->seq
)
898 pthread_mutex_unlock(&this->mutex
);
903 result
= chunk_cata("cc", result
, tmp
);
905 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
906 * numbers to detect multi header messages */
907 len
= recvfrom(socket
, &peek
, sizeof(peek
), MSG_PEEK
| MSG_DONTWAIT
,
908 (struct sockaddr
*)&addr
, &addr_len
);
910 if (len
== sizeof(peek
) && peek
.nlmsg_seq
== this->seq
)
912 /* seems to be multipart */
918 *out_len
= result
.len
;
919 *out
= (struct nlmsghdr
*)clalloc(result
.ptr
, result
.len
);
921 pthread_mutex_unlock(&this->mutex
);
927 * send a netlink message and wait for its acknowlegde
929 static status_t
netlink_send_ack(private_kernel_interface_t
*this,
930 int socket
, struct nlmsghdr
*in
)
932 struct nlmsghdr
*out
, *hdr
;
935 if (netlink_send(this, socket
, in
, &out
, &len
) != SUCCESS
)
940 while (NLMSG_OK(hdr
, len
))
942 switch (hdr
->nlmsg_type
)
946 struct nlmsgerr
* err
= (struct nlmsgerr
*)NLMSG_DATA(hdr
);
950 DBG1(DBG_KNL
, "received netlink error: %s (%d)",
951 strerror(-err
->error
), -err
->error
);
959 hdr
= NLMSG_NEXT(hdr
, len
);
966 DBG1(DBG_KNL
, "netlink request not acknowlegded");
972 * Initialize a list of local addresses.
974 static status_t
init_address_list(private_kernel_interface_t
*this)
976 char request
[BUFFER_SIZE
];
977 struct nlmsghdr
*out
, *current
, *in
;
978 struct rtgenmsg
*msg
;
980 iterator_t
*i_iface
, *i_addr
;
982 interface_entry_t
*entry
;
984 DBG1(DBG_IKE
, "listening on interfaces:");
986 memset(&request
, 0, sizeof(request
));
988 in
= (struct nlmsghdr
*)&request
;
989 in
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct rtgenmsg
));
990 in
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_MATCH
| NLM_F_ROOT
;
991 msg
= (struct rtgenmsg
*)NLMSG_DATA(in
);
992 msg
->rtgen_family
= AF_UNSPEC
;
995 in
->nlmsg_type
= RTM_GETLINK
;
996 if (netlink_send(this, this->socket_rt
, in
, &out
, &len
) != SUCCESS
)
1001 while (NLMSG_OK(current
, len
))
1003 switch (current
->nlmsg_type
)
1008 process_link(this, current
, FALSE
);
1011 current
= NLMSG_NEXT(current
, len
);
1018 /* get all interface addresses */
1019 in
->nlmsg_type
= RTM_GETADDR
;
1020 if (netlink_send(this, this->socket_rt
, in
, &out
, &len
) != SUCCESS
)
1025 while (NLMSG_OK(current
, len
))
1027 switch (current
->nlmsg_type
)
1032 process_addr(this, current
, FALSE
);
1035 current
= NLMSG_NEXT(current
, len
);
1042 i_iface
= this->interfaces
->create_iterator_locked(this->interfaces
,
1044 while (i_iface
->iterate(i_iface
, (void**)&entry
))
1046 if (entry
->flags
& IFF_UP
)
1048 DBG1(DBG_KNL
, " %s", entry
->ifname
);
1049 i_addr
= entry
->addresses
->create_iterator(entry
->addresses
, TRUE
);
1050 while (i_addr
->iterate(i_addr
, (void**)&address
))
1052 DBG1(DBG_KNL
, " %H", address
);
1054 i_addr
->destroy(i_addr
);
1057 i_iface
->destroy(i_iface
);
1063 * iterator hook to return address, not address_entry_t
1065 static hook_result_t
hook(private_kernel_interface_t
*this,
1066 interface_entry_t
*in
, host_t
**out
)
1068 if (!(in
->flags
& IFF_UP
))
1069 { /* skip interfaces not up */
1073 if (this->hiter
== NULL
)
1075 this->hiter
= in
->addresses
->create_iterator(in
->addresses
, TRUE
);
1077 while (this->hiter
->iterate(this->hiter
, (void**)out
))
1081 this->hiter
->destroy(this->hiter
);
1087 * Implements kernel_interface_t.create_address_iterator.
1089 static iterator_t
*create_address_iterator(private_kernel_interface_t
*this)
1091 iterator_t
*iterator
;
1093 iterator
= this->interfaces
->create_iterator_locked(this->interfaces
,
1095 iterator
->set_iterator_hook(iterator
, (iterator_hook_t
*)hook
, this);
1100 * implementation of kernel_interface_t.get_interface_name
1102 static char *get_interface_name(private_kernel_interface_t
*this, host_t
* ip
)
1104 iterator_t
*iterator
, *addresses
;
1105 interface_entry_t
*entry
;
1109 DBG2(DBG_IKE
, "getting interface name for %H", ip
);
1111 iterator
= this->interfaces
->create_iterator_locked(this->interfaces
,
1113 while (iterator
->iterate(iterator
, (void**)&entry
))
1115 addresses
= entry
->addresses
->create_iterator(entry
->addresses
, TRUE
);
1116 while (addresses
->iterate(addresses
, (void**)&host
))
1118 if (ip
->ip_equals(ip
, host
))
1120 name
= strdup(entry
->ifname
);
1124 addresses
->destroy(addresses
);
1130 iterator
->destroy(iterator
);
1134 DBG2(DBG_IKE
, "%H is on interface %s", ip
, name
);
1138 DBG2(DBG_IKE
, "%H is not a local address", ip
);
1144 * Tries to find an ip address of a local interface that is included in the
1145 * supplied traffic selector.
1147 static status_t
get_address_by_ts(private_kernel_interface_t
*this,
1148 traffic_selector_t
*ts
, host_t
**ip
)
1150 iterator_t
*iterator
, *addresses
;
1151 interface_entry_t
*entry
;
1156 DBG2(DBG_IKE
, "getting a local address in traffic selector %R", ts
);
1158 /* if we have a family which includes localhost, we do not
1159 * search for an IP, we use the default */
1160 family
= ts
->get_type(ts
) == TS_IPV4_ADDR_RANGE ? AF_INET
: AF_INET6
;
1162 if (family
== AF_INET
)
1164 host
= host_create_from_string("127.0.0.1", 0);
1168 host
= host_create_from_string("::1", 0);
1171 if (ts
->includes(ts
, host
))
1173 *ip
= host_create_any(family
);
1174 host
->destroy(host
);
1175 DBG2(DBG_IKE
, "using host %H", *ip
);
1178 host
->destroy(host
);
1180 iterator
= this->interfaces
->create_iterator_locked(this->interfaces
,
1182 while (iterator
->iterate(iterator
, (void**)&entry
))
1184 addresses
= entry
->addresses
->create_iterator(entry
->addresses
, TRUE
);
1185 while (addresses
->iterate(addresses
, (void**)&host
))
1187 if (ts
->includes(ts
, host
))
1190 *ip
= host
->clone(host
);
1194 addresses
->destroy(addresses
);
1200 iterator
->destroy(iterator
);
1204 DBG1(DBG_IKE
, "no local address found in traffic selector %R", ts
);
1207 DBG2(DBG_IKE
, "using host %H", *ip
);
1212 * get the interface of a local address
1214 static int get_interface_index(private_kernel_interface_t
*this, host_t
* ip
)
1216 iterator_t
*iterator
, *addresses
;
1217 interface_entry_t
*entry
;
1221 DBG2(DBG_IKE
, "getting iface for %H", ip
);
1223 iterator
= this->interfaces
->create_iterator_locked(this->interfaces
,
1225 while (iterator
->iterate(iterator
, (void**)&entry
))
1227 addresses
= entry
->addresses
->create_iterator(entry
->addresses
, TRUE
);
1228 while (addresses
->iterate(addresses
, (void**)&host
))
1230 if (ip
->ip_equals(ip
, host
))
1232 ifindex
= entry
->ifindex
;
1236 addresses
->destroy(addresses
);
1242 iterator
->destroy(iterator
);
1246 DBG1(DBG_IKE
, "unable to get interface for %H", ip
);
1252 * Manages the creation and deletion of ip addresses on an interface.
1253 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1255 static status_t
manage_ipaddr(private_kernel_interface_t
*this, int nlmsg_type
,
1256 int flags
, int if_index
, host_t
*ip
)
1258 unsigned char request
[BUFFER_SIZE
];
1259 struct nlmsghdr
*hdr
;
1260 struct ifaddrmsg
*msg
;
1263 memset(&request
, 0, sizeof(request
));
1265 chunk
= ip
->get_address(ip
);
1267 hdr
= (struct nlmsghdr
*)request
;
1268 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
| flags
;
1269 hdr
->nlmsg_type
= nlmsg_type
;
1270 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct ifaddrmsg
));
1272 msg
= (struct ifaddrmsg
*)NLMSG_DATA(hdr
);
1273 msg
->ifa_family
= ip
->get_family(ip
);
1275 msg
->ifa_prefixlen
= 8 * chunk
.len
;
1276 msg
->ifa_scope
= RT_SCOPE_UNIVERSE
;
1277 msg
->ifa_index
= if_index
;
1279 add_attribute(hdr
, IFA_LOCAL
, chunk
, sizeof(request
));
1281 return netlink_send_ack(this, this->socket_rt
, hdr
);
1285 * Manages source routes in the routing table.
1286 * By setting the appropriate nlmsg_type, the route added or r.
1288 static status_t
manage_srcroute(private_kernel_interface_t
*this, int nlmsg_type
,
1289 int flags
, route_entry_t
*route
)
1291 unsigned char request
[BUFFER_SIZE
];
1292 struct nlmsghdr
*hdr
;
1296 /* if route is 0.0.0.0/0, we can't install it, as it would
1297 * overwrite the default route. Instead, we add two routes:
1298 * 0.0.0.0/1 and 128.0.0.0/1
1299 * TODO: use metrics instead */
1300 if (route
->prefixlen
== 0)
1305 half
.dst_net
= chunk_alloca(route
->dst_net
.len
);
1306 memset(half
.dst_net
.ptr
, 0, half
.dst_net
.len
);
1307 half
.src_ip
= route
->src_ip
;
1308 half
.gateway
= route
->gateway
;
1309 half
.if_index
= route
->if_index
;
1312 status
= manage_srcroute(this, nlmsg_type
, flags
, &half
);
1313 half
.dst_net
.ptr
[0] |= 0x80;
1314 status
= manage_srcroute(this, nlmsg_type
, flags
, &half
);
1318 memset(&request
, 0, sizeof(request
));
1320 hdr
= (struct nlmsghdr
*)request
;
1321 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
| flags
;
1322 hdr
->nlmsg_type
= nlmsg_type
;
1323 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct rtmsg
));
1325 msg
= (struct rtmsg
*)NLMSG_DATA(hdr
);
1326 msg
->rtm_family
= route
->src_ip
->get_family(route
->src_ip
);
1327 msg
->rtm_dst_len
= route
->prefixlen
;
1328 msg
->rtm_table
= RT_TABLE_MAIN
;
1329 msg
->rtm_protocol
= RTPROT_STATIC
;
1330 msg
->rtm_type
= RTN_UNICAST
;
1331 msg
->rtm_scope
= RT_SCOPE_UNIVERSE
;
1333 add_attribute(hdr
, RTA_DST
, route
->dst_net
, sizeof(request
));
1334 chunk
= route
->src_ip
->get_address(route
->src_ip
);
1335 add_attribute(hdr
, RTA_PREFSRC
, chunk
, sizeof(request
));
1336 chunk
= route
->gateway
->get_address(route
->gateway
);
1337 add_attribute(hdr
, RTA_GATEWAY
, chunk
, sizeof(request
));
1338 chunk
.ptr
= (char*)&route
->if_index
;
1339 chunk
.len
= sizeof(route
->if_index
);
1340 add_attribute(hdr
, RTA_OIF
, chunk
, sizeof(request
));
1342 return netlink_send_ack(this, this->socket_rt
, hdr
);
1346 * Implementation of kernel_interface_t.get_source_addr.
1348 static host_t
* get_source_addr(private_kernel_interface_t
*this, host_t
*dest
)
1350 unsigned char request
[BUFFER_SIZE
];
1351 struct nlmsghdr
*hdr
, *out
, *current
;
1355 host_t
*source
= NULL
;
1357 memset(&request
, 0, sizeof(request
));
1359 hdr
= (struct nlmsghdr
*)request
;
1360 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1361 hdr
->nlmsg_type
= RTM_GETROUTE
;
1362 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct rtmsg
));
1364 msg
= (struct rtmsg
*)NLMSG_DATA(hdr
);
1365 msg
->rtm_family
= dest
->get_family(dest
);
1366 msg
->rtm_dst_len
= msg
->rtm_family
== AF_INET ?
32 : 128;
1367 msg
->rtm_table
= RT_TABLE_MAIN
;
1368 msg
->rtm_protocol
= RTPROT_STATIC
;
1369 msg
->rtm_type
= RTN_UNICAST
;
1370 msg
->rtm_scope
= RT_SCOPE_UNIVERSE
;
1372 chunk
= dest
->get_address(dest
);
1373 add_attribute(hdr
, RTA_DST
, chunk
, sizeof(request
));
1375 if (netlink_send(this, this->socket_rt
, hdr
, &out
, &len
) != SUCCESS
)
1377 DBG1(DBG_KNL
, "getting source address to %H failed", dest
);
1381 while (NLMSG_OK(current
, len
))
1383 switch (current
->nlmsg_type
)
1392 msg
= (struct rtmsg
*)(NLMSG_DATA(current
));
1394 rtasize
= RTM_PAYLOAD(current
);
1395 while(RTA_OK(rta
, rtasize
))
1397 switch (rta
->rta_type
)
1400 chunk
.ptr
= RTA_DATA(rta
);
1401 chunk
.len
= RTA_PAYLOAD(rta
);
1402 source
= host_create_from_chunk(msg
->rtm_family
,
1406 rta
= RTA_NEXT(rta
, rtasize
);
1411 current
= NLMSG_NEXT(current
, len
);
1418 DBG1(DBG_KNL
, "no route found to %H", dest
);
1425 * Implementation of kernel_interface_t.add_ip.
1427 static status_t
add_ip(private_kernel_interface_t
*this,
1428 host_t
*virtual_ip
, host_t
*iface_ip
)
1431 vip_entry_t
*listed
;
1432 iterator_t
*iterator
;
1434 DBG2(DBG_KNL
, "adding virtual IP %H", virtual_ip
);
1436 targetif
= get_interface_index(this, iface_ip
);
1439 DBG1(DBG_KNL
, "unable to add virtual IP %H, no iface found for %H",
1440 virtual_ip
, iface_ip
);
1444 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1445 iterator
= this->vips
->create_iterator_locked(this->vips
, &this->mutex
);
1446 while (iterator
->iterate(iterator
, (void**)&listed
))
1448 if (listed
->if_index
== targetif
&&
1449 virtual_ip
->ip_equals(virtual_ip
, listed
->ip
))
1452 iterator
->destroy(iterator
);
1453 DBG2(DBG_KNL
, "virtual IP %H already added to iface %d reusing it",
1454 virtual_ip
, targetif
);
1458 iterator
->destroy(iterator
);
1460 if (manage_ipaddr(this, RTM_NEWADDR
, NLM_F_CREATE
| NLM_F_EXCL
,
1461 targetif
, virtual_ip
) == SUCCESS
)
1463 listed
= malloc_thing(vip_entry_t
);
1464 listed
->ip
= virtual_ip
->clone(virtual_ip
);
1465 listed
->if_index
= targetif
;
1466 listed
->refcount
= 1;
1467 this->vips
->insert_last(this->vips
, listed
);
1468 DBG2(DBG_KNL
, "virtual IP %H added to iface %d",
1469 virtual_ip
, targetif
);
1473 DBG2(DBG_KNL
, "unable to add virtual IP %H to iface %d",
1474 virtual_ip
, targetif
);
1479 * Implementation of kernel_interface_t.del_ip.
1481 static status_t
del_ip(private_kernel_interface_t
*this,
1482 host_t
*virtual_ip
, host_t
*iface_ip
)
1485 vip_entry_t
*listed
;
1486 iterator_t
*iterator
;
1488 DBG2(DBG_KNL
, "deleting virtual IP %H", virtual_ip
);
1490 targetif
= get_interface_index(this, iface_ip
);
1493 DBG1(DBG_KNL
, "unable to delete virtual IP %H, no iface found for %H",
1494 virtual_ip
, iface_ip
);
1498 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1499 iterator
= this->vips
->create_iterator_locked(this->vips
, &this->mutex
);
1500 while (iterator
->iterate(iterator
, (void**)&listed
))
1502 if (listed
->if_index
== targetif
&&
1503 virtual_ip
->ip_equals(virtual_ip
, listed
->ip
))
1506 if (listed
->refcount
== 0)
1508 iterator
->remove(iterator
);
1509 vip_entry_destroy(listed
);
1510 iterator
->destroy(iterator
);
1511 return manage_ipaddr(this, RTM_DELADDR
, 0, targetif
, virtual_ip
);
1513 iterator
->destroy(iterator
);
1514 DBG2(DBG_KNL
, "virtual IP %H used by other SAs, not deleting",
1519 iterator
->destroy(iterator
);
1521 DBG2(DBG_KNL
, "virtual IP %H not cached, unable to delete", virtual_ip
);
1526 * Implementation of kernel_interface_t.get_spi.
1528 static status_t
get_spi(private_kernel_interface_t
*this,
1529 host_t
*src
, host_t
*dst
,
1530 protocol_id_t protocol
, u_int32_t reqid
,
1533 unsigned char request
[BUFFER_SIZE
];
1534 struct nlmsghdr
*hdr
, *out
;
1535 struct xfrm_userspi_info
*userspi
;
1536 u_int32_t received_spi
= 0;
1539 memset(&request
, 0, sizeof(request
));
1541 DBG2(DBG_KNL
, "getting SPI for reqid %d", reqid
);
1543 hdr
= (struct nlmsghdr
*)request
;
1544 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1545 hdr
->nlmsg_type
= XFRM_MSG_ALLOCSPI
;
1546 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userspi_info
));
1548 userspi
= (struct xfrm_userspi_info
*)NLMSG_DATA(hdr
);
1549 host2xfrm(src
, &userspi
->info
.saddr
);
1550 host2xfrm(dst
, &userspi
->info
.id
.daddr
);
1551 userspi
->info
.id
.proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1552 userspi
->info
.mode
= TRUE
; /* tunnel mode */
1553 userspi
->info
.reqid
= reqid
;
1554 userspi
->info
.family
= src
->get_family(src
);
1555 userspi
->min
= 0xc0000000;
1556 userspi
->max
= 0xcFFFFFFF;
1558 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1561 while (NLMSG_OK(hdr
, len
))
1563 switch (hdr
->nlmsg_type
)
1565 case XFRM_MSG_NEWSA
:
1567 struct xfrm_usersa_info
* usersa
= NLMSG_DATA(hdr
);
1568 received_spi
= usersa
->id
.spi
;
1573 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1575 DBG1(DBG_KNL
, "allocating SPI failed: %s (%d)",
1576 strerror(-err
->error
), -err
->error
);
1580 hdr
= NLMSG_NEXT(hdr
, len
);
1590 if (received_spi
== 0)
1592 DBG1(DBG_KNL
, "unable to get SPI for reqid %d", reqid
);
1596 DBG2(DBG_KNL
, "got SPI 0x%x for reqid %d", received_spi
, reqid
);
1598 *spi
= received_spi
;
1603 * Implementation of kernel_interface_t.add_sa.
1605 static status_t
add_sa(private_kernel_interface_t
*this,
1606 host_t
*src
, host_t
*dst
, u_int32_t spi
,
1607 protocol_id_t protocol
, u_int32_t reqid
,
1608 u_int64_t expire_soft
, u_int64_t expire_hard
,
1609 algorithm_t
*enc_alg
, algorithm_t
*int_alg
,
1610 prf_plus_t
*prf_plus
, natt_conf_t
*natt
, mode_t mode
,
1613 unsigned char request
[BUFFER_SIZE
];
1616 struct nlmsghdr
*hdr
;
1617 struct xfrm_usersa_info
*sa
;
1619 memset(&request
, 0, sizeof(request
));
1621 DBG2(DBG_KNL
, "adding SAD entry with SPI 0x%x", spi
);
1623 hdr
= (struct nlmsghdr
*)request
;
1624 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1625 hdr
->nlmsg_type
= replace ? XFRM_MSG_UPDSA
: XFRM_MSG_NEWSA
;
1626 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1628 sa
= (struct xfrm_usersa_info
*)NLMSG_DATA(hdr
);
1629 host2xfrm(src
, &sa
->saddr
);
1630 host2xfrm(dst
, &sa
->id
.daddr
);
1632 sa
->id
.proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1633 sa
->family
= src
->get_family(src
);
1635 sa
->replay_window
= 32;
1637 /* we currently do not expire SAs by volume/packet count */
1638 sa
->lft
.soft_byte_limit
= XFRM_INF
;
1639 sa
->lft
.hard_byte_limit
= XFRM_INF
;
1640 sa
->lft
.soft_packet_limit
= XFRM_INF
;
1641 sa
->lft
.hard_packet_limit
= XFRM_INF
;
1642 /* we use lifetimes since added, not since used */
1643 sa
->lft
.soft_add_expires_seconds
= expire_soft
;
1644 sa
->lft
.hard_add_expires_seconds
= expire_hard
;
1645 sa
->lft
.soft_use_expires_seconds
= 0;
1646 sa
->lft
.hard_use_expires_seconds
= 0;
1648 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_usersa_info
);
1650 if (enc_alg
->algorithm
!= ENCR_UNDEFINED
)
1652 rthdr
->rta_type
= XFRMA_ALG_CRYPT
;
1653 alg_name
= lookup_algorithm(encryption_algs
, enc_alg
, &key_size
);
1654 if (alg_name
== NULL
)
1656 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1657 encryption_algorithm_names
, enc_alg
->algorithm
);
1660 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1661 encryption_algorithm_names
, enc_alg
->algorithm
, key_size
);
1663 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + key_size
);
1664 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1665 if (hdr
->nlmsg_len
> sizeof(request
))
1670 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1671 algo
->alg_key_len
= key_size
;
1672 strcpy(algo
->alg_name
, alg_name
);
1673 prf_plus
->get_bytes(prf_plus
, key_size
/ 8, algo
->alg_key
);
1675 rthdr
= XFRM_RTA_NEXT(rthdr
);
1678 if (int_alg
->algorithm
!= AUTH_UNDEFINED
)
1680 rthdr
->rta_type
= XFRMA_ALG_AUTH
;
1681 alg_name
= lookup_algorithm(integrity_algs
, int_alg
, &key_size
);
1682 if (alg_name
== NULL
)
1684 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1685 integrity_algorithm_names
, int_alg
->algorithm
);
1688 DBG2(DBG_KNL
, " using integrity algorithm %N with key size %d",
1689 integrity_algorithm_names
, int_alg
->algorithm
, key_size
);
1691 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + key_size
);
1692 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1693 if (hdr
->nlmsg_len
> sizeof(request
))
1698 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1699 algo
->alg_key_len
= key_size
;
1700 strcpy(algo
->alg_name
, alg_name
);
1701 prf_plus
->get_bytes(prf_plus
, key_size
/ 8, algo
->alg_key
);
1703 rthdr
= XFRM_RTA_NEXT(rthdr
);
1706 /* TODO: add IPComp here */
1710 rthdr
->rta_type
= XFRMA_ENCAP
;
1711 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_encap_tmpl
));
1713 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1714 if (hdr
->nlmsg_len
> sizeof(request
))
1719 struct xfrm_encap_tmpl
* encap
= (struct xfrm_encap_tmpl
*)RTA_DATA(rthdr
);
1720 encap
->encap_type
= UDP_ENCAP_ESPINUDP
;
1721 encap
->encap_sport
= htons(natt
->sport
);
1722 encap
->encap_dport
= htons(natt
->dport
);
1723 memset(&encap
->encap_oa
, 0, sizeof (xfrm_address_t
));
1724 /* encap_oa could probably be derived from the
1725 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1726 * pluto does the same as we do here but it uses encap_oa in the
1727 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1728 * the kernel ignores it anyway
1729 * -> does that mean that NAT-T encap doesn't work in transport mode?
1730 * No. The reason the kernel ignores NAT-OA is that it recomputes
1731 * (or, rather, just ignores) the checksum. If packets pass
1732 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1733 rthdr
= XFRM_RTA_NEXT(rthdr
);
1736 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
1738 DBG1(DBG_KNL
, "unalbe to add SAD entry with SPI 0x%x", spi
);
1745 * Implementation of kernel_interface_t.update_sa.
1747 static status_t
update_sa(private_kernel_interface_t
*this,
1748 host_t
*src
, host_t
*dst
,
1749 host_t
*new_src
, host_t
*new_dst
,
1750 host_diff_t src_changes
, host_diff_t dst_changes
,
1751 u_int32_t spi
, protocol_id_t protocol
)
1753 unsigned char request
[BUFFER_SIZE
];
1754 struct nlmsghdr
*hdr
, *out
= NULL
;
1755 struct xfrm_usersa_id
*sa_id
;
1756 struct xfrm_usersa_info
*sa
= NULL
;
1759 memset(&request
, 0, sizeof(request
));
1761 DBG2(DBG_KNL
, "querying SAD entry with SPI 0x%x", spi
);
1763 hdr
= (struct nlmsghdr
*)request
;
1764 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1765 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1766 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1768 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1769 host2xfrm(dst
, &sa_id
->daddr
);
1771 sa_id
->proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1772 sa_id
->family
= dst
->get_family(dst
);
1774 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1777 while (NLMSG_OK(hdr
, len
))
1779 switch (hdr
->nlmsg_type
)
1781 case XFRM_MSG_NEWSA
:
1783 sa
= NLMSG_DATA(hdr
);
1788 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1789 DBG1(DBG_KNL
, "querying SAD entry failed: %s (%d)",
1790 strerror(-err
->error
), -err
->error
);
1794 hdr
= NLMSG_NEXT(hdr
, len
);
1804 DBG1(DBG_KNL
, "unable to update SAD entry with SPI 0x%x", spi
);
1809 DBG2(DBG_KNL
, "updating SAD entry with SPI 0x%x", spi
);
1812 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1813 hdr
->nlmsg_type
= XFRM_MSG_UPDSA
;
1815 if (src_changes
& HOST_DIFF_ADDR
)
1817 host2xfrm(new_src
, &sa
->saddr
);
1820 if (dst_changes
& HOST_DIFF_ADDR
)
1822 hdr
->nlmsg_type
= XFRM_MSG_NEWSA
;
1823 host2xfrm(new_dst
, &sa
->id
.daddr
);
1826 if (src_changes
& HOST_DIFF_PORT
|| dst_changes
& HOST_DIFF_PORT
)
1828 struct rtattr
*rtattr
= XFRM_RTA(hdr
, struct xfrm_usersa_info
);
1829 size_t rtsize
= XFRM_PAYLOAD(hdr
, struct xfrm_usersa_info
);
1830 while (RTA_OK(rtattr
, rtsize
))
1832 if (rtattr
->rta_type
== XFRMA_ENCAP
)
1834 struct xfrm_encap_tmpl
* encap
;
1835 encap
= (struct xfrm_encap_tmpl
*)RTA_DATA(rtattr
);
1836 encap
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1837 encap
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1840 rtattr
= RTA_NEXT(rtattr
, rtsize
);
1843 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
1845 DBG1(DBG_KNL
, "unalbe to update SAD entry with SPI 0x%x", spi
);
1851 if (dst_changes
& HOST_DIFF_ADDR
)
1853 return this->public.del_sa(&this->public, dst
, spi
, protocol
);
1859 * Implementation of kernel_interface_t.query_sa.
1861 static status_t
query_sa(private_kernel_interface_t
*this, host_t
*dst
,
1862 u_int32_t spi
, protocol_id_t protocol
,
1863 u_int32_t
*use_time
)
1865 unsigned char request
[BUFFER_SIZE
];
1866 struct nlmsghdr
*out
= NULL
, *hdr
;
1867 struct xfrm_usersa_id
*sa_id
;
1868 struct xfrm_usersa_info
*sa
= NULL
;
1871 DBG2(DBG_KNL
, "querying SAD entry with SPI 0x%x", spi
);
1872 memset(&request
, 0, sizeof(request
));
1874 hdr
= (struct nlmsghdr
*)request
;
1875 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1876 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1877 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1879 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1880 host2xfrm(dst
, &sa_id
->daddr
);
1882 sa_id
->proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1883 sa_id
->family
= dst
->get_family(dst
);
1885 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1888 while (NLMSG_OK(hdr
, len
))
1890 switch (hdr
->nlmsg_type
)
1892 case XFRM_MSG_NEWSA
:
1894 sa
= NLMSG_DATA(hdr
);
1899 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1900 DBG1(DBG_KNL
, "querying SAD entry failed: %s (%d)",
1901 strerror(-err
->error
), -err
->error
);
1905 hdr
= NLMSG_NEXT(hdr
, len
);
1916 DBG1(DBG_KNL
, "unable to query SAD entry with SPI 0x%x", spi
);
1921 *use_time
= sa
->curlft
.use_time
;
1927 * Implementation of kernel_interface_t.del_sa.
1929 static status_t
del_sa(private_kernel_interface_t
*this, host_t
*dst
,
1930 u_int32_t spi
, protocol_id_t protocol
)
1932 unsigned char request
[BUFFER_SIZE
];
1933 struct nlmsghdr
*hdr
;
1934 struct xfrm_usersa_id
*sa_id
;
1936 memset(&request
, 0, sizeof(request
));
1938 DBG2(DBG_KNL
, "deleting SAD entry with SPI 0x%x", spi
);
1940 hdr
= (struct nlmsghdr
*)request
;
1941 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1942 hdr
->nlmsg_type
= XFRM_MSG_DELSA
;
1943 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1945 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1946 host2xfrm(dst
, &sa_id
->daddr
);
1948 sa_id
->proto
= (protocol
== PROTO_ESP
) ? KERNEL_ESP
: KERNEL_AH
;
1949 sa_id
->family
= dst
->get_family(dst
);
1951 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
1953 DBG1(DBG_KNL
, "unalbe to delete SAD entry with SPI 0x%x", spi
);
1956 DBG2(DBG_KNL
, "deleted SAD entry with SPI 0x%x", spi
);
1961 * Implementation of kernel_interface_t.add_policy.
1963 static status_t
add_policy(private_kernel_interface_t
*this,
1964 host_t
*src
, host_t
*dst
,
1965 traffic_selector_t
*src_ts
,
1966 traffic_selector_t
*dst_ts
,
1967 policy_dir_t direction
, protocol_id_t protocol
,
1968 u_int32_t reqid
, bool high_prio
, mode_t mode
,
1971 iterator_t
*iterator
;
1972 policy_entry_t
*current
, *policy
;
1974 unsigned char request
[BUFFER_SIZE
];
1975 struct xfrm_userpolicy_info
*policy_info
;
1976 struct nlmsghdr
*hdr
;
1978 /* create a policy */
1979 policy
= malloc_thing(policy_entry_t
);
1980 memset(policy
, 0, sizeof(policy_entry_t
));
1981 policy
->sel
= ts2selector(src_ts
, dst_ts
);
1982 policy
->direction
= direction
;
1984 /* find the policy, which matches EXACTLY */
1985 pthread_mutex_lock(&this->mutex
);
1986 iterator
= this->policies
->create_iterator(this->policies
, TRUE
);
1987 while (iterator
->iterate(iterator
, (void**)¤t
))
1989 if (memcmp(¤t
->sel
, &policy
->sel
, sizeof(struct xfrm_selector
)) == 0 &&
1990 policy
->direction
== current
->direction
)
1992 /* use existing policy */
1995 current
->refcount
++;
1996 DBG2(DBG_KNL
, "policy %R===%R already exists, increasing ",
1997 "refcount", src_ts
, dst_ts
);
2005 iterator
->destroy(iterator
);
2007 { /* apply the new one, if we have no such policy */
2008 this->policies
->insert_last(this->policies
, policy
);
2009 policy
->refcount
= 1;
2012 DBG2(DBG_KNL
, "adding policy %R===%R", src_ts
, dst_ts
);
2014 memset(&request
, 0, sizeof(request
));
2015 hdr
= (struct nlmsghdr
*)request
;
2016 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
2017 hdr
->nlmsg_type
= XFRM_MSG_UPDPOLICY
;
2018 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info
));
2020 policy_info
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
2021 policy_info
->sel
= policy
->sel
;
2022 policy_info
->dir
= policy
->direction
;
2023 /* calculate priority based on source selector size, small size = high prio */
2024 policy_info
->priority
= high_prio ? PRIO_HIGH
: PRIO_LOW
;
2025 policy_info
->priority
-= policy
->sel
.prefixlen_s
* 10;
2026 policy_info
->priority
-= policy
->sel
.proto ?
2 : 0;
2027 policy_info
->priority
-= policy
->sel
.sport_mask ?
1 : 0;
2028 policy_info
->action
= XFRM_POLICY_ALLOW
;
2029 policy_info
->share
= XFRM_SHARE_ANY
;
2030 pthread_mutex_unlock(&this->mutex
);
2032 /* policies don't expire */
2033 policy_info
->lft
.soft_byte_limit
= XFRM_INF
;
2034 policy_info
->lft
.soft_packet_limit
= XFRM_INF
;
2035 policy_info
->lft
.hard_byte_limit
= XFRM_INF
;
2036 policy_info
->lft
.hard_packet_limit
= XFRM_INF
;
2037 policy_info
->lft
.soft_add_expires_seconds
= 0;
2038 policy_info
->lft
.hard_add_expires_seconds
= 0;
2039 policy_info
->lft
.soft_use_expires_seconds
= 0;
2040 policy_info
->lft
.hard_use_expires_seconds
= 0;
2042 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_userpolicy_info
);
2043 rthdr
->rta_type
= XFRMA_TMPL
;
2045 rthdr
->rta_len
= sizeof(struct xfrm_user_tmpl
);
2046 rthdr
->rta_len
= RTA_LENGTH(rthdr
->rta_len
);
2048 hdr
->nlmsg_len
+= rthdr
->rta_len
;
2049 if (hdr
->nlmsg_len
> sizeof(request
))
2054 struct xfrm_user_tmpl
*tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rthdr
);
2055 tmpl
->reqid
= reqid
;
2056 tmpl
->id
.proto
= (protocol
== PROTO_AH
) ? KERNEL_AH
: KERNEL_ESP
;
2057 tmpl
->aalgos
= tmpl
->ealgos
= tmpl
->calgos
= ~0;
2059 tmpl
->family
= src
->get_family(src
);
2061 host2xfrm(src
, &tmpl
->saddr
);
2062 host2xfrm(dst
, &tmpl
->id
.daddr
);
2064 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
2066 DBG1(DBG_KNL
, "unable to add policy %R===%R", src_ts
, dst_ts
);
2070 /* install a route, if:
2071 * - we are NOT updating a policy
2072 * - this is a forward policy (to just get one for each child)
2073 * - we are in tunnel mode
2074 * - we are not using IPv6 (does not work correctly yet!)
2076 if (policy
->route
== NULL
&& direction
== POLICY_FWD
&&
2077 mode
!= MODE_TRANSPORT
&& src
->get_family(src
) != AF_INET6
)
2079 policy
->route
= malloc_thing(route_entry_t
);
2080 if (get_address_by_ts(this, dst_ts
, &policy
->route
->src_ip
) == SUCCESS
)
2082 policy
->route
->gateway
= dst
->clone(dst
);
2083 policy
->route
->if_index
= get_interface_index(this, dst
);
2084 policy
->route
->dst_net
= chunk_alloc(policy
->sel
.family
== AF_INET ?
4 : 16);
2085 memcpy(policy
->route
->dst_net
.ptr
, &policy
->sel
.saddr
, policy
->route
->dst_net
.len
);
2086 policy
->route
->prefixlen
= policy
->sel
.prefixlen_s
;
2088 if (manage_srcroute(this, RTM_NEWROUTE
, NLM_F_CREATE
| NLM_F_EXCL
,
2089 policy
->route
) != SUCCESS
)
2091 DBG1(DBG_KNL
, "unable to install source route for %H",
2092 policy
->route
->src_ip
);
2093 route_entry_destroy(policy
->route
);
2094 policy
->route
= NULL
;
2099 free(policy
->route
);
2100 policy
->route
= NULL
;
2108 * Implementation of kernel_interface_t.query_policy.
2110 static status_t
query_policy(private_kernel_interface_t
*this,
2111 traffic_selector_t
*src_ts
,
2112 traffic_selector_t
*dst_ts
,
2113 policy_dir_t direction
, u_int32_t
*use_time
)
2115 unsigned char request
[BUFFER_SIZE
];
2116 struct nlmsghdr
*out
= NULL
, *hdr
;
2117 struct xfrm_userpolicy_id
*policy_id
;
2118 struct xfrm_userpolicy_info
*policy
= NULL
;
2121 memset(&request
, 0, sizeof(request
));
2123 DBG2(DBG_KNL
, "querying policy %R===%R", src_ts
, dst_ts
);
2125 hdr
= (struct nlmsghdr
*)request
;
2126 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
2127 hdr
->nlmsg_type
= XFRM_MSG_GETPOLICY
;
2128 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
2130 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
2131 policy_id
->sel
= ts2selector(src_ts
, dst_ts
);
2132 policy_id
->dir
= direction
;
2134 if (netlink_send(this, this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
2137 while (NLMSG_OK(hdr
, len
))
2139 switch (hdr
->nlmsg_type
)
2141 case XFRM_MSG_NEWPOLICY
:
2143 policy
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
2148 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
2149 DBG1(DBG_KNL
, "querying policy failed: %s (%d)",
2150 strerror(-err
->error
), -err
->error
);
2154 hdr
= NLMSG_NEXT(hdr
, len
);
2165 DBG2(DBG_KNL
, "unable to query policy %R===%R", src_ts
, dst_ts
);
2169 *use_time
= (time_t)policy
->curlft
.use_time
;
2176 * Implementation of kernel_interface_t.del_policy.
2178 static status_t
del_policy(private_kernel_interface_t
*this,
2179 traffic_selector_t
*src_ts
,
2180 traffic_selector_t
*dst_ts
,
2181 policy_dir_t direction
)
2183 policy_entry_t
*current
, policy
, *to_delete
= NULL
;
2184 route_entry_t
*route
;
2185 unsigned char request
[BUFFER_SIZE
];
2186 struct nlmsghdr
*hdr
;
2187 struct xfrm_userpolicy_id
*policy_id
;
2188 iterator_t
*iterator
;
2190 DBG2(DBG_KNL
, "deleting policy %R===%R", src_ts
, dst_ts
);
2192 /* create a policy */
2193 memset(&policy
, 0, sizeof(policy_entry_t
));
2194 policy
.sel
= ts2selector(src_ts
, dst_ts
);
2195 policy
.direction
= direction
;
2197 /* find the policy */
2198 iterator
= this->policies
->create_iterator_locked(this->policies
, &this->mutex
);
2199 while (iterator
->iterate(iterator
, (void**)¤t
))
2201 if (memcmp(¤t
->sel
, &policy
.sel
, sizeof(struct xfrm_selector
)) == 0 &&
2202 policy
.direction
== current
->direction
)
2204 to_delete
= current
;
2205 if (--to_delete
->refcount
> 0)
2207 /* is used by more SAs, keep in kernel */
2208 DBG2(DBG_KNL
, "policy still used by another CHILD_SA, not removed");
2209 iterator
->destroy(iterator
);
2212 /* remove if last reference */
2213 iterator
->remove(iterator
);
2217 iterator
->destroy(iterator
);
2220 DBG1(DBG_KNL
, "deleting policy %R===%R failed, not found", src_ts
, dst_ts
);
2224 memset(&request
, 0, sizeof(request
));
2226 hdr
= (struct nlmsghdr
*)request
;
2227 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
2228 hdr
->nlmsg_type
= XFRM_MSG_DELPOLICY
;
2229 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
2231 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
2232 policy_id
->sel
= to_delete
->sel
;
2233 policy_id
->dir
= direction
;
2235 route
= to_delete
->route
;
2238 if (netlink_send_ack(this, this->socket_xfrm
, hdr
) != SUCCESS
)
2240 DBG1(DBG_KNL
, "unable to delete policy %R===%R", src_ts
, dst_ts
);
2246 if (manage_srcroute(this, RTM_DELROUTE
, 0, route
) != SUCCESS
)
2248 DBG1(DBG_KNL
, "error uninstalling route installed with "
2249 "policy %R===%R", src_ts
, dst_ts
);
2251 route_entry_destroy(route
);
2257 * Implementation of kernel_interface_t.destroy.
2259 static void destroy(private_kernel_interface_t
*this)
2261 this->job
->cancel(this->job
);
2262 close(this->socket_xfrm_events
);
2263 close(this->socket_xfrm
);
2264 close(this->socket_rt_events
);
2265 close(this->socket_rt
);
2266 this->vips
->destroy(this->vips
);
2267 this->policies
->destroy(this->policies
);
2268 this->interfaces
->destroy_function(this->interfaces
, (void*)interface_entry_destroy
);
2273 * Described in header.
2275 kernel_interface_t
*kernel_interface_create()
2277 private_kernel_interface_t
*this = malloc_thing(private_kernel_interface_t
);
2278 struct sockaddr_nl addr
;
2281 /* public functions */
2282 this->public.get_spi
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*,protocol_id_t
,u_int32_t
,u_int32_t
*))get_spi
;
2283 this->public.add_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*,u_int32_t
,protocol_id_t
,u_int32_t
,u_int64_t
,u_int64_t
,algorithm_t
*,algorithm_t
*,prf_plus_t
*,natt_conf_t
*,mode_t
,bool))add_sa
;
2284 this->public.update_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,u_int32_t
,protocol_id_t
,host_t
*,host_t
*,host_diff_t
,host_diff_t
))update_sa
;
2285 this->public.query_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,u_int32_t
,protocol_id_t
,u_int32_t
*))query_sa
;
2286 this->public.del_sa
= (status_t(*)(kernel_interface_t
*,host_t
*,u_int32_t
,protocol_id_t
))del_sa
;
2287 this->public.add_policy
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,protocol_id_t
,u_int32_t
,bool,mode_t
,bool))add_policy
;
2288 this->public.query_policy
= (status_t(*)(kernel_interface_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,u_int32_t
*))query_policy
;
2289 this->public.del_policy
= (status_t(*)(kernel_interface_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
))del_policy
;
2290 this->public.get_interface
= (char*(*)(kernel_interface_t
*,host_t
*))get_interface_name
;
2291 this->public.create_address_iterator
= (iterator_t
*(*)(kernel_interface_t
*))create_address_iterator
;
2292 this->public.get_source_addr
= (host_t
*(*)(kernel_interface_t
*, host_t
*dest
))get_source_addr
;
2293 this->public.add_ip
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*)) add_ip
;
2294 this->public.del_ip
= (status_t(*)(kernel_interface_t
*,host_t
*,host_t
*)) del_ip
;
2295 this->public.destroy
= (void(*)(kernel_interface_t
*)) destroy
;
2297 /* private members */
2298 this->vips
= linked_list_create();
2299 this->policies
= linked_list_create();
2300 this->interfaces
= linked_list_create();
2303 pthread_mutex_init(&this->mutex
,NULL
);
2305 memset(&addr
, 0, sizeof(addr
));
2306 addr
.nl_family
= AF_NETLINK
;
2308 /* create and bind RT socket */
2309 this->socket_rt
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_ROUTE
);
2310 if (this->socket_rt
<= 0)
2312 charon
->kill(charon
, "unable to create RT netlink socket");
2315 if (bind(this->socket_rt
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2317 charon
->kill(charon
, "unable to bind RT netlink socket");
2320 /* create and bind RT socket for events (address/interface changes) */
2321 this->socket_rt_events
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_ROUTE
);
2322 if (this->socket_rt_events
<= 0)
2324 charon
->kill(charon
, "unable to create RT event socket");
2326 addr
.nl_groups
= RTMGRP_IPV4_IFADDR
| RTMGRP_IPV6_IFADDR
| RTMGRP_LINK
;
2327 if (bind(this->socket_rt_events
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2329 charon
->kill(charon
, "unable to bind RT event socket");
2332 /* create and bind XFRM socket */
2333 this->socket_xfrm
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_XFRM
);
2334 if (this->socket_xfrm
<= 0)
2336 charon
->kill(charon
, "unable to create XFRM netlink socket");
2339 if (bind(this->socket_xfrm
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2341 charon
->kill(charon
, "unable to bind XFRM netlink socket");
2344 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2345 this->socket_xfrm_events
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_XFRM
);
2346 if (this->socket_xfrm_events
<= 0)
2348 charon
->kill(charon
, "unable to create XFRM event socket");
2350 addr
.nl_groups
= XFRMGRP_ACQUIRE
| XFRMGRP_EXPIRE
;
2351 if (bind(this->socket_xfrm_events
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2353 charon
->kill(charon
, "unable to bind XFRM event socket");
2356 this->job
= callback_job_create((callback_job_cb_t
)receive_events
,
2358 charon
->processor
->queue_job(charon
->processor
, (job_t
*)this->job
);
2360 if (init_address_list(this) != SUCCESS
)
2362 charon
->kill(charon
, "unable to get interface list");
2365 return &this->public;