source address lookup in kernel interface
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Based on xfrm code from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
36 #include <pthread.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 #include <string.h>
41 #include <net/if.h>
42 #include <sys/ioctl.h>
43
44 #include "kernel_interface.h"
45
46 #include <daemon.h>
47 #include <utils/linked_list.h>
48 #include <processing/jobs/delete_child_sa_job.h>
49 #include <processing/jobs/rekey_child_sa_job.h>
50 #include <processing/jobs/acquire_job.h>
51 #include <processing/jobs/callback_job.h>
52
53 /** kernel level protocol identifiers */
54 #define KERNEL_ESP 50
55 #define KERNEL_AH 51
56
57 /** default priority of installed policies */
58 #define PRIO_LOW 3000
59 #define PRIO_HIGH 2000
60
61 #define BUFFER_SIZE 1024
62
63 /**
64 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
65 * 'usual' netlink data x like 'struct xfrm_usersa_info'
66 */
67 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
68 /**
69 * returns a pointer to the next rtattr following rta.
70 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
71 */
72 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
73 /**
74 * returns the total size of attached rta data
75 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
76 */
77 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
78
79 typedef struct kernel_algorithm_t kernel_algorithm_t;
80
81 /**
82 * Mapping from the algorithms defined in IKEv2 to
83 * kernel level algorithm names and their key length
84 */
85 struct kernel_algorithm_t {
86 /**
87 * Identifier specified in IKEv2
88 */
89 int ikev2_id;
90
91 /**
92 * Name of the algorithm, as used as kernel identifier
93 */
94 char *name;
95
96 /**
97 * Key length in bits, if fixed size
98 */
99 u_int key_size;
100 };
101 #define END_OF_LIST -1
102
103 /**
104 * Algorithms for encryption
105 */
106 kernel_algorithm_t encryption_algs[] = {
107 /* {ENCR_DES_IV64, "***", 0}, */
108 {ENCR_DES, "des", 64},
109 {ENCR_3DES, "des3_ede", 192},
110 /* {ENCR_RC5, "***", 0}, */
111 /* {ENCR_IDEA, "***", 0}, */
112 {ENCR_CAST, "cast128", 0},
113 {ENCR_BLOWFISH, "blowfish", 0},
114 /* {ENCR_3IDEA, "***", 0}, */
115 /* {ENCR_DES_IV32, "***", 0}, */
116 {ENCR_NULL, "cipher_null", 0},
117 {ENCR_AES_CBC, "aes", 0},
118 /* {ENCR_AES_CTR, "***", 0}, */
119 {END_OF_LIST, NULL, 0},
120 };
121
122 /**
123 * Algorithms for integrity protection
124 */
125 kernel_algorithm_t integrity_algs[] = {
126 {AUTH_HMAC_MD5_96, "md5", 128},
127 {AUTH_HMAC_SHA1_96, "sha1", 160},
128 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
129 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
130 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
131 /* {AUTH_DES_MAC, "***", 0}, */
132 /* {AUTH_KPDK_MD5, "***", 0}, */
133 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
134 {END_OF_LIST, NULL, 0},
135 };
136
137 /**
138 * Look up a kernel algorithm name and its key size
139 */
140 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
141 algorithm_t *ikev2_algo, u_int *key_size)
142 {
143 while (kernel_algo->ikev2_id != END_OF_LIST)
144 {
145 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
146 {
147 /* match, evaluate key length */
148 if (ikev2_algo->key_size)
149 { /* variable length */
150 *key_size = ikev2_algo->key_size;
151 }
152 else
153 { /* fixed length */
154 *key_size = kernel_algo->key_size;
155 }
156 return kernel_algo->name;
157 }
158 kernel_algo++;
159 }
160 return NULL;
161 }
162
163 typedef struct route_entry_t route_entry_t;
164
165 /**
166 * installed routing entry
167 */
168 struct route_entry_t {
169
170 /** Index of the interface the route is bound to */
171 int if_index;
172
173 /** Source ip of the route */
174 host_t *src_ip;
175
176 /** gateway for this route */
177 host_t *gateway;
178
179 /** Destination net */
180 chunk_t dst_net;
181
182 /** Destination net prefixlen */
183 u_int8_t prefixlen;
184 };
185
186 /**
187 * destroy an route_entry_t object
188 */
189 static void route_entry_destroy(route_entry_t *this)
190 {
191 this->src_ip->destroy(this->src_ip);
192 this->gateway->destroy(this->gateway);
193 chunk_free(&this->dst_net);
194 free(this);
195 }
196
197 typedef struct policy_entry_t policy_entry_t;
198
199 /**
200 * installed kernel policy.
201 */
202 struct policy_entry_t {
203
204 /** direction of this policy: in, out, forward */
205 u_int8_t direction;
206
207 /** reqid of the policy */
208 u_int32_t reqid;
209
210 /** parameters of installed policy */
211 struct xfrm_selector sel;
212
213 /** associated route installed for this policy */
214 route_entry_t *route;
215
216 /** by how many CHILD_SA's this policy is used */
217 u_int refcount;
218 };
219
220 typedef struct vip_entry_t vip_entry_t;
221
222 /**
223 * Installed virtual ip
224 */
225 struct vip_entry_t {
226 /** Index of the interface the ip is bound to */
227 u_int8_t if_index;
228
229 /** The ip address */
230 host_t *ip;
231
232 /** Number of times this IP is used */
233 u_int refcount;
234 };
235
236 /**
237 * destroy a vip_entry_t object
238 */
239 static void vip_entry_destroy(vip_entry_t *this)
240 {
241 this->ip->destroy(this->ip);
242 free(this);
243 }
244
245 typedef struct interface_entry_t interface_entry_t;
246
247 /**
248 * A network interface on this system, containing addresses
249 */
250 struct interface_entry_t {
251
252 /** interface index */
253 int ifindex;
254
255 /** name of the interface */
256 char ifname[IFNAMSIZ];
257
258 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
259 u_int flags;
260
261 /** list of addresses as host_t */
262 linked_list_t *addresses;
263 };
264
265 /**
266 * destroy an interface entry
267 */
268 static void interface_entry_destroy(interface_entry_t *this)
269 {
270 this->addresses->destroy_offset(this->addresses, offsetof(host_t, destroy));
271 free(this);
272 }
273
274 typedef struct private_kernel_interface_t private_kernel_interface_t;
275
276 /**
277 * Private variables and functions of kernel_interface class.
278 */
279 struct private_kernel_interface_t {
280 /**
281 * Public part of the kernel_interface_t object.
282 */
283 kernel_interface_t public;
284
285 /**
286 * mutex to lock access to the various lists
287 */
288 pthread_mutex_t mutex;
289
290 /**
291 * List of installed policies (kernel_entry_t)
292 */
293 linked_list_t *policies;
294
295 /**
296 * List of installed virtual IPs. (vip_entry_t)
297 */
298 linked_list_t *vips;
299
300 /**
301 * Cached list of interfaces and its adresses (interface_entry_t)
302 */
303 linked_list_t *interfaces;
304
305 /**
306 * iterator used in hook()
307 */
308 iterator_t *hiter;
309
310 /**
311 * job receiving netlink events
312 */
313 callback_job_t *job;
314
315 /**
316 * current sequence number for netlink request
317 */
318 int seq;
319
320 /**
321 * Netlink xfrm socket (IPsec)
322 */
323 int socket_xfrm;
324
325 /**
326 * netlink xfrm socket to receive acquire and expire events
327 */
328 int socket_xfrm_events;
329
330 /**
331 * Netlink rt socket (routing)
332 */
333 int socket_rt;
334
335 /**
336 * Netlink rt socket to receive address change events
337 */
338 int socket_rt_events;
339 };
340
341 /**
342 * convert a host_t to a struct xfrm_address
343 */
344 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
345 {
346 chunk_t chunk = host->get_address(host);
347 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
348 }
349
350 /**
351 * convert a traffic selector address range to subnet and its mask.
352 */
353 static void ts2subnet(traffic_selector_t* ts,
354 xfrm_address_t *net, u_int8_t *mask)
355 {
356 /* there is no way to do this cleanly, as the address range may
357 * be anything else but a subnet. We use from_addr as subnet
358 * and try to calculate a usable subnet mask.
359 */
360 int byte, bit;
361 bool found = FALSE;
362 chunk_t from, to;
363 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
364
365 from = ts->get_from_address(ts);
366 to = ts->get_to_address(ts);
367
368 *mask = (size * 8);
369 /* go trough all bits of the addresses, beginning in the front.
370 * as long as they are equal, the subnet gets larger
371 */
372 for (byte = 0; byte < size; byte++)
373 {
374 for (bit = 7; bit >= 0; bit--)
375 {
376 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
377 {
378 *mask = ((7 - bit) + (byte * 8));
379 found = TRUE;
380 break;
381 }
382 }
383 if (found)
384 {
385 break;
386 }
387 }
388 memcpy(net, from.ptr, from.len);
389 chunk_free(&from);
390 chunk_free(&to);
391 }
392
393 /**
394 * convert a traffic selector port range to port/portmask
395 */
396 static void ts2ports(traffic_selector_t* ts,
397 u_int16_t *port, u_int16_t *mask)
398 {
399 /* linux does not seem to accept complex portmasks. Only
400 * any or a specific port is allowed. We set to any, if we have
401 * a port range, or to a specific, if we have one port only.
402 */
403 u_int16_t from, to;
404
405 from = ts->get_from_port(ts);
406 to = ts->get_to_port(ts);
407
408 if (from == to)
409 {
410 *port = htons(from);
411 *mask = ~0;
412 }
413 else
414 {
415 *port = 0;
416 *mask = 0;
417 }
418 }
419
420 /**
421 * convert a pair of traffic_selectors to a xfrm_selector
422 */
423 static struct xfrm_selector ts2selector(traffic_selector_t *src,
424 traffic_selector_t *dst)
425 {
426 struct xfrm_selector sel;
427
428 memset(&sel, 0, sizeof(sel));
429 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
430 /* src or dest proto may be "any" (0), use more restrictive one */
431 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
432 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
433 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
434 ts2ports(dst, &sel.dport, &sel.dport_mask);
435 ts2ports(src, &sel.sport, &sel.sport_mask);
436 sel.ifindex = 0;
437 sel.user = 0;
438
439 return sel;
440 }
441
442 /**
443 * Creates an rtattr and adds it to the netlink message
444 */
445 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
446 size_t buflen)
447 {
448 struct rtattr *rta;
449
450 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
451 {
452 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
453 return;
454 }
455
456 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
457 rta->rta_type = rta_type;
458 rta->rta_len = RTA_LENGTH(data.len);
459 memcpy(RTA_DATA(rta), data.ptr, data.len);
460 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
461 }
462
463 /**
464 * process a XFRM_MSG_ACQUIRE from kernel
465 */
466 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
467 {
468 u_int32_t reqid = 0;
469 job_t *job;
470 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
471 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
472
473 if (RTA_OK(rtattr, rtsize))
474 {
475 if (rtattr->rta_type == XFRMA_TMPL)
476 {
477 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
478 reqid = tmpl->reqid;
479 }
480 }
481 if (reqid == 0)
482 {
483 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
484 return;
485 }
486 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
487 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
488 job = (job_t*)acquire_job_create(reqid);
489 charon->processor->queue_job(charon->processor, job);
490 }
491
492 /**
493 * process a XFRM_MSG_EXPIRE from kernel
494 */
495 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
496 {
497 job_t *job;
498 protocol_id_t protocol;
499 u_int32_t spi, reqid;
500 struct xfrm_user_expire *expire;
501
502 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
503 protocol = expire->state.id.proto == KERNEL_ESP ? PROTO_ESP : PROTO_AH;
504 spi = expire->state.id.spi;
505 reqid = expire->state.reqid;
506
507 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
508 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
509 expire->hard ? "delete" : "rekey", protocol_id_names,
510 protocol, ntohl(spi), reqid);
511 if (expire->hard)
512 {
513 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
514 }
515 else
516 {
517 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
518 }
519 charon->processor->queue_job(charon->processor, job);
520 }
521
522 /**
523 * process RTM_NEWLINK/RTM_DELLINK from kernel
524 */
525 static void process_link(private_kernel_interface_t *this,
526 struct nlmsghdr *hdr, bool event)
527 {
528 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
529 struct rtattr *rta = IFLA_RTA(msg);
530 size_t rtasize = IFLA_PAYLOAD (hdr);
531 iterator_t *iterator;
532 interface_entry_t *current, *entry = NULL;
533 char *name = NULL;
534
535 while(RTA_OK(rta, rtasize))
536 {
537 switch (rta->rta_type)
538 {
539 case IFLA_IFNAME:
540 name = RTA_DATA(rta);
541 break;
542 }
543 rta = RTA_NEXT(rta, rtasize);
544 }
545 if (!name)
546 {
547 name = "(unknown)";
548 }
549
550 switch (hdr->nlmsg_type)
551 {
552 case RTM_NEWLINK:
553 {
554 if (msg->ifi_flags & IFF_LOOPBACK)
555 { /* ignore loopback interfaces */
556 break;
557 }
558 iterator = this->interfaces->create_iterator_locked(this->interfaces,
559 &this->mutex);
560 while (iterator->iterate(iterator, (void**)&current))
561 {
562 if (current->ifindex == msg->ifi_index)
563 {
564 entry = current;
565 break;
566 }
567 }
568 if (!entry)
569 {
570 entry = malloc_thing(interface_entry_t);
571 entry->ifindex = msg->ifi_index;
572 entry->flags = 0;
573 entry->addresses = linked_list_create();
574 this->interfaces->insert_last(this->interfaces, entry);
575 }
576 memcpy(entry->ifname, name, IFNAMSIZ);
577 entry->ifname[IFNAMSIZ-1] = '\0';
578 if (event)
579 {
580 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
581 {
582 DBG1(DBG_KNL, "interface %s activated", name);
583 }
584 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
585 {
586 DBG1(DBG_KNL, "interface %s deactivated", name);
587 }
588 }
589 entry->flags = msg->ifi_flags;
590 iterator->destroy(iterator);
591 break;
592 }
593 case RTM_DELLINK:
594 {
595 iterator = this->interfaces->create_iterator_locked(this->interfaces,
596 &this->mutex);
597 while (iterator->iterate(iterator, (void**)&current))
598 {
599 if (current->ifindex == msg->ifi_index)
600 {
601 /* we do not remove it, as an address may be added to a
602 * "down" interface and we wan't to know that. */
603 current->flags = msg->ifi_flags;
604 break;
605 }
606 }
607 iterator->destroy(iterator);
608 break;
609 }
610 }
611 }
612
613 /**
614 * process RTM_NEWADDR/RTM_DELADDR from kernel
615 */
616 static void process_addr(private_kernel_interface_t *this,
617 struct nlmsghdr *hdr, bool event)
618 {
619 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
620 struct rtattr *rta = IFA_RTA(msg);
621 size_t rtasize = IFA_PAYLOAD (hdr);
622 host_t *host = NULL;
623 iterator_t *iterator;
624 interface_entry_t *entry;
625 chunk_t local = chunk_empty, address = chunk_empty;
626
627 while(RTA_OK(rta, rtasize))
628 {
629 switch (rta->rta_type)
630 {
631 case IFA_LOCAL:
632 local.ptr = RTA_DATA(rta);
633 local.len = RTA_PAYLOAD(rta);
634 break;
635 case IFA_ADDRESS:
636 address.ptr = RTA_DATA(rta);
637 address.len = RTA_PAYLOAD(rta);
638 break;
639 }
640 rta = RTA_NEXT(rta, rtasize);
641 }
642
643 /* For PPP interfaces, we need the IFA_LOCAL address,
644 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
645 * not included in all cases, so fallback to IFA_ADDRESS. */
646 if (local.ptr)
647 {
648 host = host_create_from_chunk(msg->ifa_family, local, 0);
649 }
650 else if (address.ptr)
651 {
652 host = host_create_from_chunk(msg->ifa_family, address, 0);
653 }
654
655 if (host == NULL)
656 { /* bad family? */
657 return;
658 }
659
660 switch (hdr->nlmsg_type)
661 {
662 case RTM_NEWADDR:
663 {
664 iterator = this->interfaces->create_iterator_locked(this->interfaces,
665 &this->mutex);
666 while (iterator->iterate(iterator, (void**)&entry))
667 {
668 if (entry->ifindex == msg->ifa_index)
669 {
670 entry->addresses->insert_last(entry->addresses,
671 host->clone(host));
672 if (event)
673 {
674 DBG1(DBG_KNL, "%H appeared on %s", host, entry->ifname);
675 }
676 break;
677 }
678 }
679 iterator->destroy(iterator);
680 break;
681 }
682 case RTM_DELADDR:
683 {
684 iterator = this->interfaces->create_iterator_locked(this->interfaces,
685 &this->mutex);
686 while (iterator->iterate(iterator, (void**)&entry))
687 {
688 if (entry->ifindex == msg->ifa_index)
689 {
690 iterator_t *addresses;
691 host_t *current;
692
693 addresses = entry->addresses->create_iterator(
694 entry->addresses, TRUE);
695 while (addresses->iterate(addresses, (void**)&current))
696 {
697 if (current->equals(current, host))
698 {
699 addresses->remove(addresses);
700 current->destroy(current);
701 DBG1(DBG_KNL, "%H disappeared from %s",
702 host, entry->ifname);
703 }
704 }
705 addresses->destroy(addresses);
706 }
707 }
708 iterator->destroy(iterator);
709 break;
710 }
711 default:
712 break;
713 }
714 host->destroy(host);
715 }
716
717 /**
718 * Receives events from kernel
719 */
720 static job_requeue_t receive_events(private_kernel_interface_t *this)
721 {
722 char response[1024];
723 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
724 struct sockaddr_nl addr;
725 socklen_t addr_len = sizeof(addr);
726 int len, oldstate, maxfd, selected;
727 fd_set rfds;
728
729 FD_ZERO(&rfds);
730 FD_SET(this->socket_xfrm_events, &rfds);
731 FD_SET(this->socket_rt_events, &rfds);
732 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
733
734 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
735 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
736 pthread_setcancelstate(oldstate, NULL);
737 if (selected <= 0)
738 {
739 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
740 return JOB_REQUEUE_FAIR;
741 }
742 if (FD_ISSET(this->socket_xfrm_events, &rfds))
743 {
744 selected = this->socket_xfrm_events;
745 }
746 else if (FD_ISSET(this->socket_rt_events, &rfds))
747 {
748 selected = this->socket_rt_events;
749 }
750 else
751 {
752 return JOB_REQUEUE_DIRECT;
753 }
754
755 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
756 (struct sockaddr*)&addr, &addr_len);
757 if (len < 0)
758 {
759 switch (errno)
760 {
761 case EINTR:
762 /* interrupted, try again */
763 return JOB_REQUEUE_DIRECT;
764 case EAGAIN:
765 /* no data ready, select again */
766 return JOB_REQUEUE_DIRECT;
767 default:
768 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
769 sleep(1);
770 return JOB_REQUEUE_FAIR;
771 }
772 }
773 if (addr.nl_pid != 0)
774 { /* not from kernel. not interested, try another one */
775 return JOB_REQUEUE_DIRECT;
776 }
777
778 while (NLMSG_OK(hdr, len))
779 {
780 /* looks good so far, dispatch netlink message */
781 if (selected == this->socket_xfrm_events)
782 {
783 switch (hdr->nlmsg_type)
784 {
785 case XFRM_MSG_ACQUIRE:
786 process_acquire(this, hdr);
787 break;
788 case XFRM_MSG_EXPIRE:
789 process_expire(this, hdr);
790 break;
791 default:
792 break;
793 }
794 }
795 else if (selected == this->socket_rt_events)
796 {
797 switch (hdr->nlmsg_type)
798 {
799 case RTM_NEWADDR:
800 case RTM_DELADDR:
801 process_addr(this, hdr, TRUE);
802 break;
803 case RTM_NEWLINK:
804 case RTM_DELLINK:
805 process_link(this, hdr, TRUE);
806 break;
807 default:
808 break;
809 }
810 }
811 hdr = NLMSG_NEXT(hdr, len);
812 }
813 return JOB_REQUEUE_DIRECT;
814 }
815
816 /**
817 * send a netlink message and wait for a reply
818 */
819 static status_t netlink_send(private_kernel_interface_t *this,
820 int socket, struct nlmsghdr *in,
821 struct nlmsghdr **out, size_t *out_len)
822 {
823 int len, addr_len;
824 struct sockaddr_nl addr;
825 chunk_t result = chunk_empty, tmp;
826 struct nlmsghdr *msg, peek;
827
828 pthread_mutex_lock(&this->mutex);
829
830 in->nlmsg_seq = ++this->seq;
831 in->nlmsg_pid = getpid();
832
833 memset(&addr, 0, sizeof(addr));
834 addr.nl_family = AF_NETLINK;
835 addr.nl_pid = 0;
836 addr.nl_groups = 0;
837
838 while (TRUE)
839 {
840 len = sendto(socket, in, in->nlmsg_len, 0,
841 (struct sockaddr*)&addr, sizeof(addr));
842
843 if (len != in->nlmsg_len)
844 {
845 if (errno == EINTR)
846 {
847 /* interrupted, try again */
848 continue;
849 }
850 pthread_mutex_unlock(&this->mutex);
851 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
852 return FAILED;
853 }
854 break;
855 }
856
857 while (TRUE)
858 {
859 char buf[4096];
860 tmp.len = sizeof(buf);
861 tmp.ptr = buf;
862 msg = (struct nlmsghdr*)tmp.ptr;
863
864 memset(&addr, 0, sizeof(addr));
865 addr.nl_family = AF_NETLINK;
866 addr.nl_pid = getpid();
867 addr.nl_groups = 0;
868 addr_len = sizeof(addr);
869
870 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
871 (struct sockaddr*)&addr, &addr_len);
872
873 if (len < 0)
874 {
875 if (errno == EINTR)
876 {
877 DBG1(DBG_IKE, "got interrupted");
878 /* interrupted, try again */
879 continue;
880 }
881 DBG1(DBG_IKE, "error reading from netlink socket: %s", strerror(errno));
882 pthread_mutex_unlock(&this->mutex);
883 return FAILED;
884 }
885 if (!NLMSG_OK(msg, len))
886 {
887 DBG1(DBG_IKE, "received corrupted netlink message");
888 pthread_mutex_unlock(&this->mutex);
889 return FAILED;
890 }
891 if (msg->nlmsg_seq != this->seq)
892 {
893 DBG1(DBG_IKE, "received invalid netlink sequence number");
894 if (msg->nlmsg_seq < this->seq)
895 {
896 continue;
897 }
898 pthread_mutex_unlock(&this->mutex);
899 return FAILED;
900 }
901
902 tmp.len = len;
903 result = chunk_cata("cc", result, tmp);
904
905 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
906 * numbers to detect multi header messages */
907 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
908 (struct sockaddr*)&addr, &addr_len);
909
910 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
911 {
912 /* seems to be multipart */
913 continue;
914 }
915 break;
916 }
917
918 *out_len = result.len;
919 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
920
921 pthread_mutex_unlock(&this->mutex);
922
923 return SUCCESS;
924 }
925
926 /**
927 * send a netlink message and wait for its acknowlegde
928 */
929 static status_t netlink_send_ack(private_kernel_interface_t *this,
930 int socket, struct nlmsghdr *in)
931 {
932 struct nlmsghdr *out, *hdr;
933 size_t len;
934
935 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
936 {
937 return FAILED;
938 }
939 hdr = out;
940 while (NLMSG_OK(hdr, len))
941 {
942 switch (hdr->nlmsg_type)
943 {
944 case NLMSG_ERROR:
945 {
946 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
947
948 if (err->error)
949 {
950 DBG1(DBG_KNL, "received netlink error: %s (%d)",
951 strerror(-err->error), -err->error);
952 free(out);
953 return FAILED;
954 }
955 free(out);
956 return SUCCESS;
957 }
958 default:
959 hdr = NLMSG_NEXT(hdr, len);
960 continue;
961 case NLMSG_DONE:
962 break;
963 }
964 break;
965 }
966 DBG1(DBG_KNL, "netlink request not acknowlegded");
967 free(out);
968 return FAILED;
969 }
970
971 /**
972 * Initialize a list of local addresses.
973 */
974 static status_t init_address_list(private_kernel_interface_t *this)
975 {
976 char request[BUFFER_SIZE];
977 struct nlmsghdr *out, *current, *in;
978 struct rtgenmsg *msg;
979 size_t len;
980 iterator_t *i_iface, *i_addr;
981 host_t *address;
982 interface_entry_t *entry;
983
984 DBG1(DBG_IKE, "listening on interfaces:");
985
986 memset(&request, 0, sizeof(request));
987
988 in = (struct nlmsghdr*)&request;
989 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
990 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
991 msg = (struct rtgenmsg*)NLMSG_DATA(in);
992 msg->rtgen_family = AF_UNSPEC;
993
994 /* get all links */
995 in->nlmsg_type = RTM_GETLINK;
996 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
997 {
998 return FAILED;
999 }
1000 current = out;
1001 while (NLMSG_OK(current, len))
1002 {
1003 switch (current->nlmsg_type)
1004 {
1005 case NLMSG_DONE:
1006 break;
1007 case RTM_NEWLINK:
1008 process_link(this, current, FALSE);
1009 /* fall through */
1010 default:
1011 current = NLMSG_NEXT(current, len);
1012 continue;
1013 }
1014 break;
1015 }
1016 free(out);
1017
1018 /* get all interface addresses */
1019 in->nlmsg_type = RTM_GETADDR;
1020 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1021 {
1022 return FAILED;
1023 }
1024 current = out;
1025 while (NLMSG_OK(current, len))
1026 {
1027 switch (current->nlmsg_type)
1028 {
1029 case NLMSG_DONE:
1030 break;
1031 case RTM_NEWADDR:
1032 process_addr(this, current, FALSE);
1033 /* fall through */
1034 default:
1035 current = NLMSG_NEXT(current, len);
1036 continue;
1037 }
1038 break;
1039 }
1040 free(out);
1041
1042 i_iface = this->interfaces->create_iterator_locked(this->interfaces,
1043 &this->mutex);
1044 while (i_iface->iterate(i_iface, (void**)&entry))
1045 {
1046 if (entry->flags & IFF_UP)
1047 {
1048 DBG1(DBG_KNL, " %s", entry->ifname);
1049 i_addr = entry->addresses->create_iterator(entry->addresses, TRUE);
1050 while (i_addr->iterate(i_addr, (void**)&address))
1051 {
1052 DBG1(DBG_KNL, " %H", address);
1053 }
1054 i_addr->destroy(i_addr);
1055 }
1056 }
1057 i_iface->destroy(i_iface);
1058
1059 return SUCCESS;
1060 }
1061
1062 /**
1063 * iterator hook to return address, not address_entry_t
1064 */
1065 static hook_result_t hook(private_kernel_interface_t *this,
1066 interface_entry_t *in, host_t **out)
1067 {
1068 if (!(in->flags & IFF_UP))
1069 { /* skip interfaces not up */
1070 return HOOK_SKIP;
1071 }
1072
1073 if (this->hiter == NULL)
1074 {
1075 this->hiter = in->addresses->create_iterator(in->addresses, TRUE);
1076 }
1077 while (this->hiter->iterate(this->hiter, (void**)out))
1078 {
1079 return HOOK_AGAIN;
1080 }
1081 this->hiter->destroy(this->hiter);
1082 this->hiter = NULL;
1083 return HOOK_SKIP;
1084 }
1085
1086 /**
1087 * Implements kernel_interface_t.create_address_iterator.
1088 */
1089 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1090 {
1091 iterator_t *iterator;
1092
1093 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1094 &this->mutex);
1095 iterator->set_iterator_hook(iterator, (iterator_hook_t*)hook, this);
1096 return iterator;
1097 }
1098
1099 /**
1100 * implementation of kernel_interface_t.get_interface_name
1101 */
1102 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1103 {
1104 iterator_t *iterator, *addresses;
1105 interface_entry_t *entry;
1106 host_t *host;
1107 char *name = NULL;
1108
1109 DBG2(DBG_IKE, "getting interface name for %H", ip);
1110
1111 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1112 &this->mutex);
1113 while (iterator->iterate(iterator, (void**)&entry))
1114 {
1115 addresses = entry->addresses->create_iterator(entry->addresses, TRUE);
1116 while (addresses->iterate(addresses, (void**)&host))
1117 {
1118 if (ip->ip_equals(ip, host))
1119 {
1120 name = strdup(entry->ifname);
1121 break;
1122 }
1123 }
1124 addresses->destroy(addresses);
1125 if (name)
1126 {
1127 break;
1128 }
1129 }
1130 iterator->destroy(iterator);
1131
1132 if (name)
1133 {
1134 DBG2(DBG_IKE, "%H is on interface %s", ip, name);
1135 }
1136 else
1137 {
1138 DBG2(DBG_IKE, "%H is not a local address", ip);
1139 }
1140 return name;
1141 }
1142
1143 /**
1144 * Tries to find an ip address of a local interface that is included in the
1145 * supplied traffic selector.
1146 */
1147 static status_t get_address_by_ts(private_kernel_interface_t *this,
1148 traffic_selector_t *ts, host_t **ip)
1149 {
1150 iterator_t *iterator, *addresses;
1151 interface_entry_t *entry;
1152 host_t *host;
1153 int family;
1154 bool found = FALSE;
1155
1156 DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts);
1157
1158 /* if we have a family which includes localhost, we do not
1159 * search for an IP, we use the default */
1160 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1161
1162 if (family == AF_INET)
1163 {
1164 host = host_create_from_string("127.0.0.1", 0);
1165 }
1166 else
1167 {
1168 host = host_create_from_string("::1", 0);
1169 }
1170
1171 if (ts->includes(ts, host))
1172 {
1173 *ip = host_create_any(family);
1174 host->destroy(host);
1175 DBG2(DBG_IKE, "using host %H", *ip);
1176 return SUCCESS;
1177 }
1178 host->destroy(host);
1179
1180 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1181 &this->mutex);
1182 while (iterator->iterate(iterator, (void**)&entry))
1183 {
1184 addresses = entry->addresses->create_iterator(entry->addresses, TRUE);
1185 while (addresses->iterate(addresses, (void**)&host))
1186 {
1187 if (ts->includes(ts, host))
1188 {
1189 found = TRUE;
1190 *ip = host->clone(host);
1191 break;
1192 }
1193 }
1194 addresses->destroy(addresses);
1195 if (found)
1196 {
1197 break;
1198 }
1199 }
1200 iterator->destroy(iterator);
1201
1202 if (!found)
1203 {
1204 DBG1(DBG_IKE, "no local address found in traffic selector %R", ts);
1205 return FAILED;
1206 }
1207 DBG2(DBG_IKE, "using host %H", *ip);
1208 return SUCCESS;
1209 }
1210
1211 /**
1212 * get the interface of a local address
1213 */
1214 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1215 {
1216 iterator_t *iterator, *addresses;
1217 interface_entry_t *entry;
1218 host_t *host;
1219 int ifindex = 0;
1220
1221 DBG2(DBG_IKE, "getting iface for %H", ip);
1222
1223 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1224 &this->mutex);
1225 while (iterator->iterate(iterator, (void**)&entry))
1226 {
1227 addresses = entry->addresses->create_iterator(entry->addresses, TRUE);
1228 while (addresses->iterate(addresses, (void**)&host))
1229 {
1230 if (ip->ip_equals(ip, host))
1231 {
1232 ifindex = entry->ifindex;
1233 break;
1234 }
1235 }
1236 addresses->destroy(addresses);
1237 if (ifindex)
1238 {
1239 break;
1240 }
1241 }
1242 iterator->destroy(iterator);
1243
1244 if (ifindex == 0)
1245 {
1246 DBG1(DBG_IKE, "unable to get interface for %H", ip);
1247 }
1248 return ifindex;
1249 }
1250
1251 /**
1252 * Manages the creation and deletion of ip addresses on an interface.
1253 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1254 */
1255 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1256 int flags, int if_index, host_t *ip)
1257 {
1258 unsigned char request[BUFFER_SIZE];
1259 struct nlmsghdr *hdr;
1260 struct ifaddrmsg *msg;
1261 chunk_t chunk;
1262
1263 memset(&request, 0, sizeof(request));
1264
1265 chunk = ip->get_address(ip);
1266
1267 hdr = (struct nlmsghdr*)request;
1268 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1269 hdr->nlmsg_type = nlmsg_type;
1270 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1271
1272 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1273 msg->ifa_family = ip->get_family(ip);
1274 msg->ifa_flags = 0;
1275 msg->ifa_prefixlen = 8 * chunk.len;
1276 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1277 msg->ifa_index = if_index;
1278
1279 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1280
1281 return netlink_send_ack(this, this->socket_rt, hdr);
1282 }
1283
1284 /**
1285 * Manages source routes in the routing table.
1286 * By setting the appropriate nlmsg_type, the route added or r.
1287 */
1288 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1289 int flags, route_entry_t *route)
1290 {
1291 unsigned char request[BUFFER_SIZE];
1292 struct nlmsghdr *hdr;
1293 struct rtmsg *msg;
1294 chunk_t chunk;
1295
1296 /* if route is 0.0.0.0/0, we can't install it, as it would
1297 * overwrite the default route. Instead, we add two routes:
1298 * 0.0.0.0/1 and 128.0.0.0/1
1299 * TODO: use metrics instead */
1300 if (route->prefixlen == 0)
1301 {
1302 route_entry_t half;
1303 status_t status;
1304
1305 half.dst_net = chunk_alloca(route->dst_net.len);
1306 memset(half.dst_net.ptr, 0, half.dst_net.len);
1307 half.src_ip = route->src_ip;
1308 half.gateway = route->gateway;
1309 half.if_index = route->if_index;
1310 half.prefixlen = 1;
1311
1312 status = manage_srcroute(this, nlmsg_type, flags, &half);
1313 half.dst_net.ptr[0] |= 0x80;
1314 status = manage_srcroute(this, nlmsg_type, flags, &half);
1315 return status;
1316 }
1317
1318 memset(&request, 0, sizeof(request));
1319
1320 hdr = (struct nlmsghdr*)request;
1321 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1322 hdr->nlmsg_type = nlmsg_type;
1323 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1324
1325 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1326 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1327 msg->rtm_dst_len = route->prefixlen;
1328 msg->rtm_table = RT_TABLE_MAIN;
1329 msg->rtm_protocol = RTPROT_STATIC;
1330 msg->rtm_type = RTN_UNICAST;
1331 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1332
1333 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1334 chunk = route->src_ip->get_address(route->src_ip);
1335 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1336 chunk = route->gateway->get_address(route->gateway);
1337 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1338 chunk.ptr = (char*)&route->if_index;
1339 chunk.len = sizeof(route->if_index);
1340 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1341
1342 return netlink_send_ack(this, this->socket_rt, hdr);
1343 }
1344
1345 /**
1346 * Implementation of kernel_interface_t.get_source_addr.
1347 */
1348 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1349 {
1350 unsigned char request[BUFFER_SIZE];
1351 struct nlmsghdr *hdr, *out, *current;
1352 struct rtmsg *msg;
1353 chunk_t chunk;
1354 size_t len;
1355 host_t *source = NULL;
1356
1357 memset(&request, 0, sizeof(request));
1358
1359 hdr = (struct nlmsghdr*)request;
1360 hdr->nlmsg_flags = NLM_F_REQUEST;
1361 hdr->nlmsg_type = RTM_GETROUTE;
1362 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1363
1364 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1365 msg->rtm_family = dest->get_family(dest);
1366 msg->rtm_dst_len = msg->rtm_family == AF_INET ? 32 : 128;
1367 msg->rtm_table = RT_TABLE_MAIN;
1368 msg->rtm_protocol = RTPROT_STATIC;
1369 msg->rtm_type = RTN_UNICAST;
1370 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1371
1372 chunk = dest->get_address(dest);
1373 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1374
1375 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1376 {
1377 DBG1(DBG_KNL, "getting source address to %H failed", dest);
1378 return NULL;
1379 }
1380 current = out;
1381 while (NLMSG_OK(current, len))
1382 {
1383 switch (current->nlmsg_type)
1384 {
1385 case NLMSG_DONE:
1386 break;
1387 case RTM_NEWROUTE:
1388 {
1389 struct rtattr *rta;
1390 size_t rtasize;
1391
1392 msg = (struct rtmsg*)(NLMSG_DATA(current));
1393 rta = RTM_RTA(msg);
1394 rtasize = RTM_PAYLOAD(current);
1395 while(RTA_OK(rta, rtasize))
1396 {
1397 switch (rta->rta_type)
1398 {
1399 case RTA_PREFSRC:
1400 chunk.ptr = RTA_DATA(rta);
1401 chunk.len = RTA_PAYLOAD(rta);
1402 source = host_create_from_chunk(msg->rtm_family,
1403 chunk, 0);
1404 break;
1405 }
1406 rta = RTA_NEXT(rta, rtasize);
1407 }
1408 break;
1409 }
1410 default:
1411 current = NLMSG_NEXT(current, len);
1412 continue;
1413 }
1414 break;
1415 }
1416 if (source == NULL)
1417 {
1418 DBG1(DBG_KNL, "no route found to %H", dest);
1419 }
1420 free(out);
1421 return source;
1422 }
1423
1424 /**
1425 * Implementation of kernel_interface_t.add_ip.
1426 */
1427 static status_t add_ip(private_kernel_interface_t *this,
1428 host_t *virtual_ip, host_t *iface_ip)
1429 {
1430 int targetif;
1431 vip_entry_t *listed;
1432 iterator_t *iterator;
1433
1434 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1435
1436 targetif = get_interface_index(this, iface_ip);
1437 if (targetif == 0)
1438 {
1439 DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H",
1440 virtual_ip, iface_ip);
1441 return FAILED;
1442 }
1443
1444 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1445 iterator = this->vips->create_iterator_locked(this->vips, &this->mutex);
1446 while (iterator->iterate(iterator, (void**)&listed))
1447 {
1448 if (listed->if_index == targetif &&
1449 virtual_ip->ip_equals(virtual_ip, listed->ip))
1450 {
1451 listed->refcount++;
1452 iterator->destroy(iterator);
1453 DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it",
1454 virtual_ip, targetif);
1455 return SUCCESS;
1456 }
1457 }
1458 iterator->destroy(iterator);
1459
1460 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1461 targetif, virtual_ip) == SUCCESS)
1462 {
1463 listed = malloc_thing(vip_entry_t);
1464 listed->ip = virtual_ip->clone(virtual_ip);
1465 listed->if_index = targetif;
1466 listed->refcount = 1;
1467 this->vips->insert_last(this->vips, listed);
1468 DBG2(DBG_KNL, "virtual IP %H added to iface %d",
1469 virtual_ip, targetif);
1470 return SUCCESS;
1471 }
1472
1473 DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d",
1474 virtual_ip, targetif);
1475 return FAILED;
1476 }
1477
1478 /**
1479 * Implementation of kernel_interface_t.del_ip.
1480 */
1481 static status_t del_ip(private_kernel_interface_t *this,
1482 host_t *virtual_ip, host_t *iface_ip)
1483 {
1484 int targetif;
1485 vip_entry_t *listed;
1486 iterator_t *iterator;
1487
1488 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1489
1490 targetif = get_interface_index(this, iface_ip);
1491 if (targetif == 0)
1492 {
1493 DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H",
1494 virtual_ip, iface_ip);
1495 return FAILED;
1496 }
1497
1498 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1499 iterator = this->vips->create_iterator_locked(this->vips, &this->mutex);
1500 while (iterator->iterate(iterator, (void**)&listed))
1501 {
1502 if (listed->if_index == targetif &&
1503 virtual_ip->ip_equals(virtual_ip, listed->ip))
1504 {
1505 listed->refcount--;
1506 if (listed->refcount == 0)
1507 {
1508 iterator->remove(iterator);
1509 vip_entry_destroy(listed);
1510 iterator->destroy(iterator);
1511 return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip);
1512 }
1513 iterator->destroy(iterator);
1514 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1515 virtual_ip);
1516 return SUCCESS;
1517 }
1518 }
1519 iterator->destroy(iterator);
1520
1521 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1522 return FAILED;
1523 }
1524
1525 /**
1526 * Implementation of kernel_interface_t.get_spi.
1527 */
1528 static status_t get_spi(private_kernel_interface_t *this,
1529 host_t *src, host_t *dst,
1530 protocol_id_t protocol, u_int32_t reqid,
1531 u_int32_t *spi)
1532 {
1533 unsigned char request[BUFFER_SIZE];
1534 struct nlmsghdr *hdr, *out;
1535 struct xfrm_userspi_info *userspi;
1536 u_int32_t received_spi = 0;
1537 size_t len;
1538
1539 memset(&request, 0, sizeof(request));
1540
1541 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1542
1543 hdr = (struct nlmsghdr*)request;
1544 hdr->nlmsg_flags = NLM_F_REQUEST;
1545 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1546 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1547
1548 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1549 host2xfrm(src, &userspi->info.saddr);
1550 host2xfrm(dst, &userspi->info.id.daddr);
1551 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1552 userspi->info.mode = TRUE; /* tunnel mode */
1553 userspi->info.reqid = reqid;
1554 userspi->info.family = src->get_family(src);
1555 userspi->min = 0xc0000000;
1556 userspi->max = 0xcFFFFFFF;
1557
1558 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1559 {
1560 hdr = out;
1561 while (NLMSG_OK(hdr, len))
1562 {
1563 switch (hdr->nlmsg_type)
1564 {
1565 case XFRM_MSG_NEWSA:
1566 {
1567 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1568 received_spi = usersa->id.spi;
1569 break;
1570 }
1571 case NLMSG_ERROR:
1572 {
1573 struct nlmsgerr *err = NLMSG_DATA(hdr);
1574
1575 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1576 strerror(-err->error), -err->error);
1577 break;
1578 }
1579 default:
1580 hdr = NLMSG_NEXT(hdr, len);
1581 continue;
1582 case NLMSG_DONE:
1583 break;
1584 }
1585 break;
1586 }
1587 free(out);
1588 }
1589
1590 if (received_spi == 0)
1591 {
1592 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1593 return FAILED;
1594 }
1595
1596 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid);
1597
1598 *spi = received_spi;
1599 return SUCCESS;
1600 }
1601
1602 /**
1603 * Implementation of kernel_interface_t.add_sa.
1604 */
1605 static status_t add_sa(private_kernel_interface_t *this,
1606 host_t *src, host_t *dst, u_int32_t spi,
1607 protocol_id_t protocol, u_int32_t reqid,
1608 u_int64_t expire_soft, u_int64_t expire_hard,
1609 algorithm_t *enc_alg, algorithm_t *int_alg,
1610 prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
1611 bool replace)
1612 {
1613 unsigned char request[BUFFER_SIZE];
1614 char *alg_name;
1615 u_int key_size;
1616 struct nlmsghdr *hdr;
1617 struct xfrm_usersa_info *sa;
1618
1619 memset(&request, 0, sizeof(request));
1620
1621 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi);
1622
1623 hdr = (struct nlmsghdr*)request;
1624 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1625 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1626 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1627
1628 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1629 host2xfrm(src, &sa->saddr);
1630 host2xfrm(dst, &sa->id.daddr);
1631 sa->id.spi = spi;
1632 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1633 sa->family = src->get_family(src);
1634 sa->mode = mode;
1635 sa->replay_window = 32;
1636 sa->reqid = reqid;
1637 /* we currently do not expire SAs by volume/packet count */
1638 sa->lft.soft_byte_limit = XFRM_INF;
1639 sa->lft.hard_byte_limit = XFRM_INF;
1640 sa->lft.soft_packet_limit = XFRM_INF;
1641 sa->lft.hard_packet_limit = XFRM_INF;
1642 /* we use lifetimes since added, not since used */
1643 sa->lft.soft_add_expires_seconds = expire_soft;
1644 sa->lft.hard_add_expires_seconds = expire_hard;
1645 sa->lft.soft_use_expires_seconds = 0;
1646 sa->lft.hard_use_expires_seconds = 0;
1647
1648 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1649
1650 if (enc_alg->algorithm != ENCR_UNDEFINED)
1651 {
1652 rthdr->rta_type = XFRMA_ALG_CRYPT;
1653 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
1654 if (alg_name == NULL)
1655 {
1656 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1657 encryption_algorithm_names, enc_alg->algorithm);
1658 return FAILED;
1659 }
1660 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1661 encryption_algorithm_names, enc_alg->algorithm, key_size);
1662
1663 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1664 hdr->nlmsg_len += rthdr->rta_len;
1665 if (hdr->nlmsg_len > sizeof(request))
1666 {
1667 return FAILED;
1668 }
1669
1670 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1671 algo->alg_key_len = key_size;
1672 strcpy(algo->alg_name, alg_name);
1673 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1674
1675 rthdr = XFRM_RTA_NEXT(rthdr);
1676 }
1677
1678 if (int_alg->algorithm != AUTH_UNDEFINED)
1679 {
1680 rthdr->rta_type = XFRMA_ALG_AUTH;
1681 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
1682 if (alg_name == NULL)
1683 {
1684 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1685 integrity_algorithm_names, int_alg->algorithm);
1686 return FAILED;
1687 }
1688 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1689 integrity_algorithm_names, int_alg->algorithm, key_size);
1690
1691 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1692 hdr->nlmsg_len += rthdr->rta_len;
1693 if (hdr->nlmsg_len > sizeof(request))
1694 {
1695 return FAILED;
1696 }
1697
1698 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1699 algo->alg_key_len = key_size;
1700 strcpy(algo->alg_name, alg_name);
1701 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1702
1703 rthdr = XFRM_RTA_NEXT(rthdr);
1704 }
1705
1706 /* TODO: add IPComp here */
1707
1708 if (natt)
1709 {
1710 rthdr->rta_type = XFRMA_ENCAP;
1711 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1712
1713 hdr->nlmsg_len += rthdr->rta_len;
1714 if (hdr->nlmsg_len > sizeof(request))
1715 {
1716 return FAILED;
1717 }
1718
1719 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1720 encap->encap_type = UDP_ENCAP_ESPINUDP;
1721 encap->encap_sport = htons(natt->sport);
1722 encap->encap_dport = htons(natt->dport);
1723 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
1724 /* encap_oa could probably be derived from the
1725 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1726 * pluto does the same as we do here but it uses encap_oa in the
1727 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1728 * the kernel ignores it anyway
1729 * -> does that mean that NAT-T encap doesn't work in transport mode?
1730 * No. The reason the kernel ignores NAT-OA is that it recomputes
1731 * (or, rather, just ignores) the checksum. If packets pass
1732 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1733 rthdr = XFRM_RTA_NEXT(rthdr);
1734 }
1735
1736 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1737 {
1738 DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi);
1739 return FAILED;
1740 }
1741 return SUCCESS;
1742 }
1743
1744 /**
1745 * Implementation of kernel_interface_t.update_sa.
1746 */
1747 static status_t update_sa(private_kernel_interface_t *this,
1748 host_t *src, host_t *dst,
1749 host_t *new_src, host_t *new_dst,
1750 host_diff_t src_changes, host_diff_t dst_changes,
1751 u_int32_t spi, protocol_id_t protocol)
1752 {
1753 unsigned char request[BUFFER_SIZE];
1754 struct nlmsghdr *hdr, *out = NULL;
1755 struct xfrm_usersa_id *sa_id;
1756 struct xfrm_usersa_info *sa = NULL;
1757 size_t len;
1758
1759 memset(&request, 0, sizeof(request));
1760
1761 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1762
1763 hdr = (struct nlmsghdr*)request;
1764 hdr->nlmsg_flags = NLM_F_REQUEST;
1765 hdr->nlmsg_type = XFRM_MSG_GETSA;
1766 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1767
1768 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1769 host2xfrm(dst, &sa_id->daddr);
1770 sa_id->spi = spi;
1771 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1772 sa_id->family = dst->get_family(dst);
1773
1774 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1775 {
1776 hdr = out;
1777 while (NLMSG_OK(hdr, len))
1778 {
1779 switch (hdr->nlmsg_type)
1780 {
1781 case XFRM_MSG_NEWSA:
1782 {
1783 sa = NLMSG_DATA(hdr);
1784 break;
1785 }
1786 case NLMSG_ERROR:
1787 {
1788 struct nlmsgerr *err = NLMSG_DATA(hdr);
1789 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1790 strerror(-err->error), -err->error);
1791 break;
1792 }
1793 default:
1794 hdr = NLMSG_NEXT(hdr, len);
1795 continue;
1796 case NLMSG_DONE:
1797 break;
1798 }
1799 break;
1800 }
1801 }
1802 if (sa == NULL)
1803 {
1804 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
1805 free(out);
1806 return FAILED;
1807 }
1808
1809 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi);
1810
1811 hdr = out;
1812 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1813 hdr->nlmsg_type = XFRM_MSG_UPDSA;
1814
1815 if (src_changes & HOST_DIFF_ADDR)
1816 {
1817 host2xfrm(new_src, &sa->saddr);
1818 }
1819
1820 if (dst_changes & HOST_DIFF_ADDR)
1821 {
1822 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1823 host2xfrm(new_dst, &sa->id.daddr);
1824 }
1825
1826 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
1827 {
1828 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1829 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
1830 while (RTA_OK(rtattr, rtsize))
1831 {
1832 if (rtattr->rta_type == XFRMA_ENCAP)
1833 {
1834 struct xfrm_encap_tmpl* encap;
1835 encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
1836 encap->encap_sport = ntohs(new_src->get_port(new_src));
1837 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
1838 break;
1839 }
1840 rtattr = RTA_NEXT(rtattr, rtsize);
1841 }
1842 }
1843 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1844 {
1845 DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
1846 free(out);
1847 return FAILED;
1848 }
1849 free(out);
1850
1851 if (dst_changes & HOST_DIFF_ADDR)
1852 {
1853 return this->public.del_sa(&this->public, dst, spi, protocol);
1854 }
1855 return SUCCESS;
1856 }
1857
1858 /**
1859 * Implementation of kernel_interface_t.query_sa.
1860 */
1861 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
1862 u_int32_t spi, protocol_id_t protocol,
1863 u_int32_t *use_time)
1864 {
1865 unsigned char request[BUFFER_SIZE];
1866 struct nlmsghdr *out = NULL, *hdr;
1867 struct xfrm_usersa_id *sa_id;
1868 struct xfrm_usersa_info *sa = NULL;
1869 size_t len;
1870
1871 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1872 memset(&request, 0, sizeof(request));
1873
1874 hdr = (struct nlmsghdr*)request;
1875 hdr->nlmsg_flags = NLM_F_REQUEST;
1876 hdr->nlmsg_type = XFRM_MSG_GETSA;
1877 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1878
1879 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1880 host2xfrm(dst, &sa_id->daddr);
1881 sa_id->spi = spi;
1882 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1883 sa_id->family = dst->get_family(dst);
1884
1885 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1886 {
1887 hdr = out;
1888 while (NLMSG_OK(hdr, len))
1889 {
1890 switch (hdr->nlmsg_type)
1891 {
1892 case XFRM_MSG_NEWSA:
1893 {
1894 sa = NLMSG_DATA(hdr);
1895 break;
1896 }
1897 case NLMSG_ERROR:
1898 {
1899 struct nlmsgerr *err = NLMSG_DATA(hdr);
1900 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1901 strerror(-err->error), -err->error);
1902 break;
1903 }
1904 default:
1905 hdr = NLMSG_NEXT(hdr, len);
1906 continue;
1907 case NLMSG_DONE:
1908 break;
1909 }
1910 break;
1911 }
1912 }
1913
1914 if (sa == NULL)
1915 {
1916 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
1917 free(out);
1918 return FAILED;
1919 }
1920
1921 *use_time = sa->curlft.use_time;
1922 free (out);
1923 return SUCCESS;
1924 }
1925
1926 /**
1927 * Implementation of kernel_interface_t.del_sa.
1928 */
1929 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
1930 u_int32_t spi, protocol_id_t protocol)
1931 {
1932 unsigned char request[BUFFER_SIZE];
1933 struct nlmsghdr *hdr;
1934 struct xfrm_usersa_id *sa_id;
1935
1936 memset(&request, 0, sizeof(request));
1937
1938 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
1939
1940 hdr = (struct nlmsghdr*)request;
1941 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1942 hdr->nlmsg_type = XFRM_MSG_DELSA;
1943 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1944
1945 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1946 host2xfrm(dst, &sa_id->daddr);
1947 sa_id->spi = spi;
1948 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1949 sa_id->family = dst->get_family(dst);
1950
1951 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1952 {
1953 DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
1954 return FAILED;
1955 }
1956 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
1957 return SUCCESS;
1958 }
1959
1960 /**
1961 * Implementation of kernel_interface_t.add_policy.
1962 */
1963 static status_t add_policy(private_kernel_interface_t *this,
1964 host_t *src, host_t *dst,
1965 traffic_selector_t *src_ts,
1966 traffic_selector_t *dst_ts,
1967 policy_dir_t direction, protocol_id_t protocol,
1968 u_int32_t reqid, bool high_prio, mode_t mode,
1969 bool update)
1970 {
1971 iterator_t *iterator;
1972 policy_entry_t *current, *policy;
1973 bool found = FALSE;
1974 unsigned char request[BUFFER_SIZE];
1975 struct xfrm_userpolicy_info *policy_info;
1976 struct nlmsghdr *hdr;
1977
1978 /* create a policy */
1979 policy = malloc_thing(policy_entry_t);
1980 memset(policy, 0, sizeof(policy_entry_t));
1981 policy->sel = ts2selector(src_ts, dst_ts);
1982 policy->direction = direction;
1983
1984 /* find the policy, which matches EXACTLY */
1985 pthread_mutex_lock(&this->mutex);
1986 iterator = this->policies->create_iterator(this->policies, TRUE);
1987 while (iterator->iterate(iterator, (void**)&current))
1988 {
1989 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
1990 policy->direction == current->direction)
1991 {
1992 /* use existing policy */
1993 if (!update)
1994 {
1995 current->refcount++;
1996 DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
1997 "refcount", src_ts, dst_ts);
1998 }
1999 free(policy);
2000 policy = current;
2001 found = TRUE;
2002 break;
2003 }
2004 }
2005 iterator->destroy(iterator);
2006 if (!found)
2007 { /* apply the new one, if we have no such policy */
2008 this->policies->insert_last(this->policies, policy);
2009 policy->refcount = 1;
2010 }
2011
2012 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
2013
2014 memset(&request, 0, sizeof(request));
2015 hdr = (struct nlmsghdr*)request;
2016 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2017 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2018 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2019
2020 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2021 policy_info->sel = policy->sel;
2022 policy_info->dir = policy->direction;
2023 /* calculate priority based on source selector size, small size = high prio */
2024 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2025 policy_info->priority -= policy->sel.prefixlen_s * 10;
2026 policy_info->priority -= policy->sel.proto ? 2 : 0;
2027 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2028 policy_info->action = XFRM_POLICY_ALLOW;
2029 policy_info->share = XFRM_SHARE_ANY;
2030 pthread_mutex_unlock(&this->mutex);
2031
2032 /* policies don't expire */
2033 policy_info->lft.soft_byte_limit = XFRM_INF;
2034 policy_info->lft.soft_packet_limit = XFRM_INF;
2035 policy_info->lft.hard_byte_limit = XFRM_INF;
2036 policy_info->lft.hard_packet_limit = XFRM_INF;
2037 policy_info->lft.soft_add_expires_seconds = 0;
2038 policy_info->lft.hard_add_expires_seconds = 0;
2039 policy_info->lft.soft_use_expires_seconds = 0;
2040 policy_info->lft.hard_use_expires_seconds = 0;
2041
2042 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2043 rthdr->rta_type = XFRMA_TMPL;
2044
2045 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
2046 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
2047
2048 hdr->nlmsg_len += rthdr->rta_len;
2049 if (hdr->nlmsg_len > sizeof(request))
2050 {
2051 return FAILED;
2052 }
2053
2054 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2055 tmpl->reqid = reqid;
2056 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
2057 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2058 tmpl->mode = mode;
2059 tmpl->family = src->get_family(src);
2060
2061 host2xfrm(src, &tmpl->saddr);
2062 host2xfrm(dst, &tmpl->id.daddr);
2063
2064 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2065 {
2066 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
2067 return FAILED;
2068 }
2069
2070 /* install a route, if:
2071 * - we are NOT updating a policy
2072 * - this is a forward policy (to just get one for each child)
2073 * - we are in tunnel mode
2074 * - we are not using IPv6 (does not work correctly yet!)
2075 */
2076 if (policy->route == NULL && direction == POLICY_FWD &&
2077 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6)
2078 {
2079 policy->route = malloc_thing(route_entry_t);
2080 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2081 {
2082 policy->route->gateway = dst->clone(dst);
2083 policy->route->if_index = get_interface_index(this, dst);
2084 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2085 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
2086 policy->route->prefixlen = policy->sel.prefixlen_s;
2087
2088 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
2089 policy->route) != SUCCESS)
2090 {
2091 DBG1(DBG_KNL, "unable to install source route for %H",
2092 policy->route->src_ip);
2093 route_entry_destroy(policy->route);
2094 policy->route = NULL;
2095 }
2096 }
2097 else
2098 {
2099 free(policy->route);
2100 policy->route = NULL;
2101 }
2102 }
2103
2104 return SUCCESS;
2105 }
2106
2107 /**
2108 * Implementation of kernel_interface_t.query_policy.
2109 */
2110 static status_t query_policy(private_kernel_interface_t *this,
2111 traffic_selector_t *src_ts,
2112 traffic_selector_t *dst_ts,
2113 policy_dir_t direction, u_int32_t *use_time)
2114 {
2115 unsigned char request[BUFFER_SIZE];
2116 struct nlmsghdr *out = NULL, *hdr;
2117 struct xfrm_userpolicy_id *policy_id;
2118 struct xfrm_userpolicy_info *policy = NULL;
2119 size_t len;
2120
2121 memset(&request, 0, sizeof(request));
2122
2123 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
2124
2125 hdr = (struct nlmsghdr*)request;
2126 hdr->nlmsg_flags = NLM_F_REQUEST;
2127 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2128 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2129
2130 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2131 policy_id->sel = ts2selector(src_ts, dst_ts);
2132 policy_id->dir = direction;
2133
2134 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2135 {
2136 hdr = out;
2137 while (NLMSG_OK(hdr, len))
2138 {
2139 switch (hdr->nlmsg_type)
2140 {
2141 case XFRM_MSG_NEWPOLICY:
2142 {
2143 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2144 break;
2145 }
2146 case NLMSG_ERROR:
2147 {
2148 struct nlmsgerr *err = NLMSG_DATA(hdr);
2149 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2150 strerror(-err->error), -err->error);
2151 break;
2152 }
2153 default:
2154 hdr = NLMSG_NEXT(hdr, len);
2155 continue;
2156 case NLMSG_DONE:
2157 break;
2158 }
2159 break;
2160 }
2161 }
2162
2163 if (policy == NULL)
2164 {
2165 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
2166 free(out);
2167 return FAILED;
2168 }
2169 *use_time = (time_t)policy->curlft.use_time;
2170
2171 free(out);
2172 return SUCCESS;
2173 }
2174
2175 /**
2176 * Implementation of kernel_interface_t.del_policy.
2177 */
2178 static status_t del_policy(private_kernel_interface_t *this,
2179 traffic_selector_t *src_ts,
2180 traffic_selector_t *dst_ts,
2181 policy_dir_t direction)
2182 {
2183 policy_entry_t *current, policy, *to_delete = NULL;
2184 route_entry_t *route;
2185 unsigned char request[BUFFER_SIZE];
2186 struct nlmsghdr *hdr;
2187 struct xfrm_userpolicy_id *policy_id;
2188 iterator_t *iterator;
2189
2190 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
2191
2192 /* create a policy */
2193 memset(&policy, 0, sizeof(policy_entry_t));
2194 policy.sel = ts2selector(src_ts, dst_ts);
2195 policy.direction = direction;
2196
2197 /* find the policy */
2198 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2199 while (iterator->iterate(iterator, (void**)&current))
2200 {
2201 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2202 policy.direction == current->direction)
2203 {
2204 to_delete = current;
2205 if (--to_delete->refcount > 0)
2206 {
2207 /* is used by more SAs, keep in kernel */
2208 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2209 iterator->destroy(iterator);
2210 return SUCCESS;
2211 }
2212 /* remove if last reference */
2213 iterator->remove(iterator);
2214 break;
2215 }
2216 }
2217 iterator->destroy(iterator);
2218 if (!to_delete)
2219 {
2220 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
2221 return NOT_FOUND;
2222 }
2223
2224 memset(&request, 0, sizeof(request));
2225
2226 hdr = (struct nlmsghdr*)request;
2227 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2228 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2229 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2230
2231 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2232 policy_id->sel = to_delete->sel;
2233 policy_id->dir = direction;
2234
2235 route = to_delete->route;
2236 free(to_delete);
2237
2238 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2239 {
2240 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
2241 return FAILED;
2242 }
2243
2244 if (route)
2245 {
2246 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2247 {
2248 DBG1(DBG_KNL, "error uninstalling route installed with "
2249 "policy %R===%R", src_ts, dst_ts);
2250 }
2251 route_entry_destroy(route);
2252 }
2253 return SUCCESS;
2254 }
2255
2256 /**
2257 * Implementation of kernel_interface_t.destroy.
2258 */
2259 static void destroy(private_kernel_interface_t *this)
2260 {
2261 this->job->cancel(this->job);
2262 close(this->socket_xfrm_events);
2263 close(this->socket_xfrm);
2264 close(this->socket_rt_events);
2265 close(this->socket_rt);
2266 this->vips->destroy(this->vips);
2267 this->policies->destroy(this->policies);
2268 this->interfaces->destroy_function(this->interfaces, (void*)interface_entry_destroy);
2269 free(this);
2270 }
2271
2272 /*
2273 * Described in header.
2274 */
2275 kernel_interface_t *kernel_interface_create()
2276 {
2277 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2278 struct sockaddr_nl addr;
2279
2280
2281 /* public functions */
2282 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2283 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
2284 this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
2285 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2286 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2287 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
2288 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2289 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2290 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2291 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2292 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
2293 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2294 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
2295 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2296
2297 /* private members */
2298 this->vips = linked_list_create();
2299 this->policies = linked_list_create();
2300 this->interfaces = linked_list_create();
2301 this->hiter = NULL;
2302 this->seq = 200;
2303 pthread_mutex_init(&this->mutex,NULL);
2304
2305 memset(&addr, 0, sizeof(addr));
2306 addr.nl_family = AF_NETLINK;
2307
2308 /* create and bind RT socket */
2309 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2310 if (this->socket_rt <= 0)
2311 {
2312 charon->kill(charon, "unable to create RT netlink socket");
2313 }
2314 addr.nl_groups = 0;
2315 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
2316 {
2317 charon->kill(charon, "unable to bind RT netlink socket");
2318 }
2319
2320 /* create and bind RT socket for events (address/interface changes) */
2321 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2322 if (this->socket_rt_events <= 0)
2323 {
2324 charon->kill(charon, "unable to create RT event socket");
2325 }
2326 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | RTMGRP_LINK;
2327 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
2328 {
2329 charon->kill(charon, "unable to bind RT event socket");
2330 }
2331
2332 /* create and bind XFRM socket */
2333 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2334 if (this->socket_xfrm <= 0)
2335 {
2336 charon->kill(charon, "unable to create XFRM netlink socket");
2337 }
2338 addr.nl_groups = 0;
2339 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
2340 {
2341 charon->kill(charon, "unable to bind XFRM netlink socket");
2342 }
2343
2344 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2345 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2346 if (this->socket_xfrm_events <= 0)
2347 {
2348 charon->kill(charon, "unable to create XFRM event socket");
2349 }
2350 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
2351 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2352 {
2353 charon->kill(charon, "unable to bind XFRM event socket");
2354 }
2355
2356 this->job = callback_job_create((callback_job_cb_t)receive_events,
2357 this, NULL, NULL);
2358 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2359
2360 if (init_address_list(this) != SUCCESS)
2361 {
2362 charon->kill(charon, "unable to get interface list");
2363 }
2364
2365 return &this->public;
2366 }
2367