increased receive buffer to handle more interfaces
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Based on xfrm code from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
36 #include <pthread.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 #include <string.h>
41 #include <net/if.h>
42 #include <sys/ioctl.h>
43
44 #include "kernel_interface.h"
45
46 #include <daemon.h>
47 #include <utils/linked_list.h>
48 #include <processing/jobs/delete_child_sa_job.h>
49 #include <processing/jobs/rekey_child_sa_job.h>
50 #include <processing/jobs/acquire_job.h>
51 #include <processing/jobs/callback_job.h>
52
53 /** kernel level protocol identifiers */
54 #define KERNEL_ESP 50
55 #define KERNEL_AH 51
56
57 /** default priority of installed policies */
58 #define PRIO_LOW 3000
59 #define PRIO_HIGH 2000
60
61 #define BUFFER_SIZE 1024
62
63 /**
64 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
65 * 'usual' netlink data x like 'struct xfrm_usersa_info'
66 */
67 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
68 /**
69 * returns a pointer to the next rtattr following rta.
70 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
71 */
72 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
73 /**
74 * returns the total size of attached rta data
75 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
76 */
77 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
78
79 typedef struct kernel_algorithm_t kernel_algorithm_t;
80
81 /**
82 * Mapping from the algorithms defined in IKEv2 to
83 * kernel level algorithm names and their key length
84 */
85 struct kernel_algorithm_t {
86 /**
87 * Identifier specified in IKEv2
88 */
89 int ikev2_id;
90
91 /**
92 * Name of the algorithm, as used as kernel identifier
93 */
94 char *name;
95
96 /**
97 * Key length in bits, if fixed size
98 */
99 u_int key_size;
100 };
101 #define END_OF_LIST -1
102
103 /**
104 * Algorithms for encryption
105 */
106 kernel_algorithm_t encryption_algs[] = {
107 /* {ENCR_DES_IV64, "***", 0}, */
108 {ENCR_DES, "des", 64},
109 {ENCR_3DES, "des3_ede", 192},
110 /* {ENCR_RC5, "***", 0}, */
111 /* {ENCR_IDEA, "***", 0}, */
112 {ENCR_CAST, "cast128", 0},
113 {ENCR_BLOWFISH, "blowfish", 0},
114 /* {ENCR_3IDEA, "***", 0}, */
115 /* {ENCR_DES_IV32, "***", 0}, */
116 {ENCR_NULL, "cipher_null", 0},
117 {ENCR_AES_CBC, "aes", 0},
118 /* {ENCR_AES_CTR, "***", 0}, */
119 {END_OF_LIST, NULL, 0},
120 };
121
122 /**
123 * Algorithms for integrity protection
124 */
125 kernel_algorithm_t integrity_algs[] = {
126 {AUTH_HMAC_MD5_96, "md5", 128},
127 {AUTH_HMAC_SHA1_96, "sha1", 160},
128 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
129 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
130 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
131 /* {AUTH_DES_MAC, "***", 0}, */
132 /* {AUTH_KPDK_MD5, "***", 0}, */
133 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
134 {END_OF_LIST, NULL, 0},
135 };
136
137 /**
138 * Look up a kernel algorithm name and its key size
139 */
140 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
141 algorithm_t *ikev2_algo, u_int *key_size)
142 {
143 while (kernel_algo->ikev2_id != END_OF_LIST)
144 {
145 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
146 {
147 /* match, evaluate key length */
148 if (ikev2_algo->key_size)
149 { /* variable length */
150 *key_size = ikev2_algo->key_size;
151 }
152 else
153 { /* fixed length */
154 *key_size = kernel_algo->key_size;
155 }
156 return kernel_algo->name;
157 }
158 kernel_algo++;
159 }
160 return NULL;
161 }
162
163 typedef struct route_entry_t route_entry_t;
164
165 /**
166 * installed routing entry
167 */
168 struct route_entry_t {
169
170 /** Index of the interface the route is bound to */
171 int if_index;
172
173 /** Source ip of the route */
174 host_t *src_ip;
175
176 /** gateway for this route */
177 host_t *gateway;
178
179 /** Destination net */
180 chunk_t dst_net;
181
182 /** Destination net prefixlen */
183 u_int8_t prefixlen;
184 };
185
186 /**
187 * destroy an route_entry_t object
188 */
189 static void route_entry_destroy(route_entry_t *this)
190 {
191 this->src_ip->destroy(this->src_ip);
192 this->gateway->destroy(this->gateway);
193 chunk_free(&this->dst_net);
194 free(this);
195 }
196
197 typedef struct policy_entry_t policy_entry_t;
198
199 /**
200 * installed kernel policy.
201 */
202 struct policy_entry_t {
203
204 /** direction of this policy: in, out, forward */
205 u_int8_t direction;
206
207 /** reqid of the policy */
208 u_int32_t reqid;
209
210 /** parameters of installed policy */
211 struct xfrm_selector sel;
212
213 /** associated route installed for this policy */
214 route_entry_t *route;
215
216 /** by how many CHILD_SA's this policy is used */
217 u_int refcount;
218 };
219
220 typedef struct vip_entry_t vip_entry_t;
221
222 /**
223 * Installed virtual ip
224 */
225 struct vip_entry_t {
226 /** Index of the interface the ip is bound to */
227 u_int8_t if_index;
228
229 /** The ip address */
230 host_t *ip;
231
232 /** Number of times this IP is used */
233 u_int refcount;
234 };
235
236 /**
237 * destroy a vip_entry_t object
238 */
239 static void vip_entry_destroy(vip_entry_t *this)
240 {
241 this->ip->destroy(this->ip);
242 free(this);
243 }
244
245 typedef struct interface_entry_t interface_entry_t;
246
247 /**
248 * A network interface on this system, containing addresses
249 */
250 struct interface_entry_t {
251
252 /** interface index */
253 int ifindex;
254
255 /** name of the interface */
256 char ifname[IFNAMSIZ];
257
258 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
259 u_int flags;
260
261 /** list of addresses as host_t */
262 linked_list_t *addresses;
263 };
264
265 /**
266 * destroy an interface entry
267 */
268 static void interface_entry_destroy(interface_entry_t *this)
269 {
270 this->addresses->destroy_offset(this->addresses, offsetof(host_t, destroy));
271 free(this);
272 }
273
274 typedef struct private_kernel_interface_t private_kernel_interface_t;
275
276 /**
277 * Private variables and functions of kernel_interface class.
278 */
279 struct private_kernel_interface_t {
280 /**
281 * Public part of the kernel_interface_t object.
282 */
283 kernel_interface_t public;
284
285 /**
286 * mutex to lock access to the various lists
287 */
288 pthread_mutex_t mutex;
289
290 /**
291 * List of installed policies (kernel_entry_t)
292 */
293 linked_list_t *policies;
294
295 /**
296 * List of installed virtual IPs. (vip_entry_t)
297 */
298 linked_list_t *vips;
299
300 /**
301 * Cached list of interfaces and its adresses (interface_entry_t)
302 */
303 linked_list_t *interfaces;
304
305 /**
306 * iterator used in hook()
307 */
308 iterator_t *hiter;
309
310 /**
311 * job receiving netlink events
312 */
313 callback_job_t *job;
314
315 /**
316 * current sequence number for netlink request
317 */
318 int seq;
319
320 /**
321 * Netlink xfrm socket (IPsec)
322 */
323 int socket_xfrm;
324
325 /**
326 * netlink xfrm socket to receive acquire and expire events
327 */
328 int socket_xfrm_events;
329
330 /**
331 * Netlink rt socket (routing)
332 */
333 int socket_rt;
334
335 /**
336 * Netlink rt socket to receive address change events
337 */
338 int socket_rt_events;
339 };
340
341 /**
342 * convert a host_t to a struct xfrm_address
343 */
344 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
345 {
346 chunk_t chunk = host->get_address(host);
347 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
348 }
349
350 /**
351 * convert a traffic selector address range to subnet and its mask.
352 */
353 static void ts2subnet(traffic_selector_t* ts,
354 xfrm_address_t *net, u_int8_t *mask)
355 {
356 /* there is no way to do this cleanly, as the address range may
357 * be anything else but a subnet. We use from_addr as subnet
358 * and try to calculate a usable subnet mask.
359 */
360 int byte, bit;
361 bool found = FALSE;
362 chunk_t from, to;
363 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
364
365 from = ts->get_from_address(ts);
366 to = ts->get_to_address(ts);
367
368 *mask = (size * 8);
369 /* go trough all bits of the addresses, beginning in the front.
370 * as long as they are equal, the subnet gets larger
371 */
372 for (byte = 0; byte < size; byte++)
373 {
374 for (bit = 7; bit >= 0; bit--)
375 {
376 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
377 {
378 *mask = ((7 - bit) + (byte * 8));
379 found = TRUE;
380 break;
381 }
382 }
383 if (found)
384 {
385 break;
386 }
387 }
388 memcpy(net, from.ptr, from.len);
389 chunk_free(&from);
390 chunk_free(&to);
391 }
392
393 /**
394 * convert a traffic selector port range to port/portmask
395 */
396 static void ts2ports(traffic_selector_t* ts,
397 u_int16_t *port, u_int16_t *mask)
398 {
399 /* linux does not seem to accept complex portmasks. Only
400 * any or a specific port is allowed. We set to any, if we have
401 * a port range, or to a specific, if we have one port only.
402 */
403 u_int16_t from, to;
404
405 from = ts->get_from_port(ts);
406 to = ts->get_to_port(ts);
407
408 if (from == to)
409 {
410 *port = htons(from);
411 *mask = ~0;
412 }
413 else
414 {
415 *port = 0;
416 *mask = 0;
417 }
418 }
419
420 /**
421 * convert a pair of traffic_selectors to a xfrm_selector
422 */
423 static struct xfrm_selector ts2selector(traffic_selector_t *src,
424 traffic_selector_t *dst)
425 {
426 struct xfrm_selector sel;
427
428 memset(&sel, 0, sizeof(sel));
429 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
430 /* src or dest proto may be "any" (0), use more restrictive one */
431 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
432 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
433 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
434 ts2ports(dst, &sel.dport, &sel.dport_mask);
435 ts2ports(src, &sel.sport, &sel.sport_mask);
436 sel.ifindex = 0;
437 sel.user = 0;
438
439 return sel;
440 }
441
442 /**
443 * Creates an rtattr and adds it to the netlink message
444 */
445 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
446 size_t buflen)
447 {
448 struct rtattr *rta;
449
450 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
451 {
452 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
453 return;
454 }
455
456 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
457 rta->rta_type = rta_type;
458 rta->rta_len = RTA_LENGTH(data.len);
459 memcpy(RTA_DATA(rta), data.ptr, data.len);
460 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
461 }
462
463 /**
464 * process a XFRM_MSG_ACQUIRE from kernel
465 */
466 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
467 {
468 u_int32_t reqid = 0;
469 job_t *job;
470 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
471 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
472
473 if (RTA_OK(rtattr, rtsize))
474 {
475 if (rtattr->rta_type == XFRMA_TMPL)
476 {
477 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
478 reqid = tmpl->reqid;
479 }
480 }
481 if (reqid == 0)
482 {
483 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
484 return;
485 }
486 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
487 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
488 job = (job_t*)acquire_job_create(reqid);
489 charon->processor->queue_job(charon->processor, job);
490 }
491
492 /**
493 * process a XFRM_MSG_EXPIRE from kernel
494 */
495 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
496 {
497 job_t *job;
498 protocol_id_t protocol;
499 u_int32_t spi, reqid;
500 struct xfrm_user_expire *expire;
501
502 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
503 protocol = expire->state.id.proto == KERNEL_ESP ? PROTO_ESP : PROTO_AH;
504 spi = expire->state.id.spi;
505 reqid = expire->state.reqid;
506
507 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
508 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
509 expire->hard ? "delete" : "rekey", protocol_id_names,
510 protocol, ntohl(spi), reqid);
511 if (expire->hard)
512 {
513 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
514 }
515 else
516 {
517 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
518 }
519 charon->processor->queue_job(charon->processor, job);
520 }
521
522 /**
523 * process RTM_NEWLINK/RTM_DELLINK from kernel
524 */
525 static void process_link(private_kernel_interface_t *this,
526 struct nlmsghdr *hdr, bool event)
527 {
528 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
529 struct rtattr *rta = IFLA_RTA(msg);
530 size_t rtasize = IFLA_PAYLOAD (hdr);
531 iterator_t *iterator;
532 interface_entry_t *current, *entry = NULL;
533 char *name = NULL;
534
535 while(RTA_OK(rta, rtasize))
536 {
537 switch (rta->rta_type)
538 {
539 case IFLA_IFNAME:
540 name = RTA_DATA(rta);
541 break;
542 }
543 rta = RTA_NEXT(rta, rtasize);
544 }
545 if (!name)
546 {
547 name = "(unknown)";
548 }
549
550 switch (hdr->nlmsg_type)
551 {
552 case RTM_NEWLINK:
553 {
554 if (msg->ifi_flags & IFF_LOOPBACK)
555 { /* ignore loopback interfaces */
556 break;
557 }
558 iterator = this->interfaces->create_iterator_locked(this->interfaces,
559 &this->mutex);
560 while (iterator->iterate(iterator, (void**)&current))
561 {
562 if (current->ifindex == msg->ifi_index)
563 {
564 entry = current;
565 break;
566 }
567 }
568 if (!entry)
569 {
570 entry = malloc_thing(interface_entry_t);
571 entry->ifindex = msg->ifi_index;
572 entry->flags = 0;
573 entry->addresses = linked_list_create();
574 this->interfaces->insert_last(this->interfaces, entry);
575 }
576 memcpy(entry->ifname, name, IFNAMSIZ);
577 entry->ifname[IFNAMSIZ-1] = '\0';
578 if (event)
579 {
580 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
581 {
582 DBG1(DBG_KNL, "interface %s activated", name);
583 }
584 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
585 {
586 DBG1(DBG_KNL, "interface %s deactivated", name);
587 }
588 }
589 entry->flags = msg->ifi_flags;
590 iterator->destroy(iterator);
591 break;
592 }
593 case RTM_DELLINK:
594 {
595 iterator = this->interfaces->create_iterator_locked(this->interfaces,
596 &this->mutex);
597 while (iterator->iterate(iterator, (void**)&current))
598 {
599 if (current->ifindex == msg->ifi_index)
600 {
601 /* we do not remove it, as an address may be added to a
602 * "down" interface and we wan't to know that. */
603 current->flags = msg->ifi_flags;
604 break;
605 }
606 }
607 iterator->destroy(iterator);
608 break;
609 }
610 }
611 }
612
613 /**
614 * process RTM_NEWADDR/RTM_DELADDR from kernel
615 */
616 static void process_addr(private_kernel_interface_t *this,
617 struct nlmsghdr *hdr, bool event)
618 {
619 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
620 struct rtattr *rta = IFA_RTA(msg);
621 size_t rtasize = IFA_PAYLOAD (hdr);
622 host_t *host = NULL;
623 iterator_t *iterator;
624 interface_entry_t *entry;
625 chunk_t local = chunk_empty, address = chunk_empty;
626
627 while(RTA_OK(rta, rtasize))
628 {
629 switch (rta->rta_type)
630 {
631 case IFA_LOCAL:
632 local.ptr = RTA_DATA(rta);
633 local.len = RTA_PAYLOAD(rta);
634 break;
635 case IFA_ADDRESS:
636 address.ptr = RTA_DATA(rta);
637 address.len = RTA_PAYLOAD(rta);
638 break;
639 }
640 rta = RTA_NEXT(rta, rtasize);
641 }
642
643 /* For PPP interfaces, we need the IFA_LOCAL address,
644 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
645 * not included in all cases, so fallback to IFA_ADDRESS. */
646 if (local.ptr)
647 {
648 host = host_create_from_chunk(msg->ifa_family, local, 0);
649 }
650 else if (address.ptr)
651 {
652 host = host_create_from_chunk(msg->ifa_family, address, 0);
653 }
654
655 if (host == NULL)
656 { /* bad family? */
657 return;
658 }
659
660 switch (hdr->nlmsg_type)
661 {
662 case RTM_NEWADDR:
663 {
664 iterator = this->interfaces->create_iterator_locked(this->interfaces,
665 &this->mutex);
666 while (iterator->iterate(iterator, (void**)&entry))
667 {
668 if (entry->ifindex == msg->ifa_index)
669 {
670 entry->addresses->insert_last(entry->addresses,
671 host->clone(host));
672 if (event)
673 {
674 DBG1(DBG_KNL, "%H appeared on %s", host, entry->ifname);
675 }
676 break;
677 }
678 }
679 iterator->destroy(iterator);
680 break;
681 }
682 case RTM_DELADDR:
683 {
684 iterator = this->interfaces->create_iterator_locked(this->interfaces,
685 &this->mutex);
686 while (iterator->iterate(iterator, (void**)&entry))
687 {
688 if (entry->ifindex == msg->ifa_index)
689 {
690 iterator_t *addresses;
691 host_t *current;
692
693 addresses = entry->addresses->create_iterator(
694 entry->addresses, TRUE);
695 while (addresses->iterate(addresses, (void**)&current))
696 {
697 if (current->equals(current, host))
698 {
699 addresses->remove(addresses);
700 current->destroy(current);
701 DBG1(DBG_KNL, "%H disappeared from %s",
702 host, entry->ifname);
703 }
704 }
705 addresses->destroy(addresses);
706 }
707 }
708 iterator->destroy(iterator);
709 break;
710 }
711 default:
712 break;
713 }
714 host->destroy(host);
715 }
716
717 /**
718 * Receives events from kernel
719 */
720 static job_requeue_t receive_events(private_kernel_interface_t *this)
721 {
722 char response[1024];
723 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
724 struct sockaddr_nl addr;
725 socklen_t addr_len = sizeof(addr);
726 int len, oldstate, maxfd, selected;
727 fd_set rfds;
728
729 FD_ZERO(&rfds);
730 FD_SET(this->socket_xfrm_events, &rfds);
731 FD_SET(this->socket_rt_events, &rfds);
732 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
733
734 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
735 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
736 pthread_setcancelstate(oldstate, NULL);
737 if (selected <= 0)
738 {
739 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
740 return JOB_REQUEUE_FAIR;
741 }
742 if (FD_ISSET(this->socket_xfrm_events, &rfds))
743 {
744 selected = this->socket_xfrm_events;
745 }
746 else if (FD_ISSET(this->socket_rt_events, &rfds))
747 {
748 selected = this->socket_rt_events;
749 }
750 else
751 {
752 return JOB_REQUEUE_DIRECT;
753 }
754
755 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
756 (struct sockaddr*)&addr, &addr_len);
757 if (len < 0)
758 {
759 switch (errno)
760 {
761 case EINTR:
762 /* interrupted, try again */
763 return JOB_REQUEUE_DIRECT;
764 case EAGAIN:
765 /* no data ready, select again */
766 return JOB_REQUEUE_DIRECT;
767 default:
768 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
769 sleep(1);
770 return JOB_REQUEUE_FAIR;
771 }
772 }
773 if (addr.nl_pid != 0)
774 { /* not from kernel. not interested, try another one */
775 return JOB_REQUEUE_DIRECT;
776 }
777
778 while (NLMSG_OK(hdr, len))
779 {
780 /* looks good so far, dispatch netlink message */
781 if (selected == this->socket_xfrm_events)
782 {
783 switch (hdr->nlmsg_type)
784 {
785 case XFRM_MSG_ACQUIRE:
786 process_acquire(this, hdr);
787 break;
788 case XFRM_MSG_EXPIRE:
789 process_expire(this, hdr);
790 break;
791 default:
792 break;
793 }
794 }
795 else if (selected == this->socket_rt_events)
796 {
797 switch (hdr->nlmsg_type)
798 {
799 case RTM_NEWADDR:
800 case RTM_DELADDR:
801 process_addr(this, hdr, TRUE);
802 break;
803 case RTM_NEWLINK:
804 case RTM_DELLINK:
805 process_link(this, hdr, TRUE);
806 break;
807 default:
808 break;
809 }
810 }
811 hdr = NLMSG_NEXT(hdr, len);
812 }
813 return JOB_REQUEUE_DIRECT;
814 }
815
816 /**
817 * send a netlink message and wait for a reply
818 */
819 static status_t netlink_send(private_kernel_interface_t *this,
820 int socket, struct nlmsghdr *in,
821 struct nlmsghdr **out, size_t *out_len)
822 {
823 int len, addr_len;
824 struct sockaddr_nl addr;
825 chunk_t result = chunk_empty, tmp;
826 struct nlmsghdr *msg, peek;
827
828 pthread_mutex_lock(&this->mutex);
829
830 in->nlmsg_seq = ++this->seq;
831 in->nlmsg_pid = getpid();
832
833 memset(&addr, 0, sizeof(addr));
834 addr.nl_family = AF_NETLINK;
835 addr.nl_pid = 0;
836 addr.nl_groups = 0;
837
838 while (TRUE)
839 {
840 len = sendto(socket, in, in->nlmsg_len, 0,
841 (struct sockaddr*)&addr, sizeof(addr));
842
843 if (len != in->nlmsg_len)
844 {
845 if (errno == EINTR)
846 {
847 /* interrupted, try again */
848 continue;
849 }
850 pthread_mutex_unlock(&this->mutex);
851 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
852 return FAILED;
853 }
854 break;
855 }
856
857 while (TRUE)
858 {
859 char buf[4096];
860 tmp.len = sizeof(buf);
861 tmp.ptr = buf;
862 msg = (struct nlmsghdr*)tmp.ptr;
863
864 memset(&addr, 0, sizeof(addr));
865 addr.nl_family = AF_NETLINK;
866 addr.nl_pid = getpid();
867 addr.nl_groups = 0;
868 addr_len = sizeof(addr);
869
870 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
871 (struct sockaddr*)&addr, &addr_len);
872
873 if (len < 0)
874 {
875 if (errno == EINTR)
876 {
877 DBG1(DBG_IKE, "got interrupted");
878 /* interrupted, try again */
879 continue;
880 }
881 DBG1(DBG_IKE, "error reading from netlink socket: %s", strerror(errno));
882 pthread_mutex_unlock(&this->mutex);
883 return FAILED;
884 }
885 if (!NLMSG_OK(msg, len))
886 {
887 DBG1(DBG_IKE, "received corrupted netlink message");
888 pthread_mutex_unlock(&this->mutex);
889 return FAILED;
890 }
891 if (msg->nlmsg_seq != this->seq)
892 {
893 DBG1(DBG_IKE, "received invalid netlink sequence number");
894 if (msg->nlmsg_seq < this->seq)
895 {
896 continue;
897 }
898 pthread_mutex_unlock(&this->mutex);
899 return FAILED;
900 }
901
902 tmp.len = len;
903 result = chunk_cata("cc", result, tmp);
904
905 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
906 * numbers to detect multi header messages */
907 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
908 (struct sockaddr*)&addr, &addr_len);
909
910 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
911 {
912 /* seems to be multipart */
913 continue;
914 }
915 break;
916 }
917
918 *out_len = result.len;
919 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
920
921 pthread_mutex_unlock(&this->mutex);
922
923 return SUCCESS;
924 }
925
926 /**
927 * send a netlink message and wait for its acknowlegde
928 */
929 static status_t netlink_send_ack(private_kernel_interface_t *this,
930 int socket, struct nlmsghdr *in)
931 {
932 struct nlmsghdr *out, *hdr;
933 size_t len;
934
935 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
936 {
937 return FAILED;
938 }
939 hdr = out;
940 while (NLMSG_OK(hdr, len))
941 {
942 switch (hdr->nlmsg_type)
943 {
944 case NLMSG_ERROR:
945 {
946 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
947
948 if (err->error)
949 {
950 DBG1(DBG_KNL, "received netlink error: %s (%d)",
951 strerror(-err->error), -err->error);
952 free(out);
953 return FAILED;
954 }
955 free(out);
956 return SUCCESS;
957 }
958 default:
959 hdr = NLMSG_NEXT(hdr, len);
960 continue;
961 case NLMSG_DONE:
962 break;
963 }
964 break;
965 }
966 DBG1(DBG_KNL, "netlink request not acknowlegded");
967 free(out);
968 return FAILED;
969 }
970
971 /**
972 * Initialize a list of local addresses.
973 */
974 static status_t init_address_list(private_kernel_interface_t *this)
975 {
976 char request[BUFFER_SIZE];
977 struct nlmsghdr *out, *current, *in;
978 struct rtgenmsg *msg;
979 size_t len;
980 iterator_t *i_iface, *i_addr;
981 host_t *address;
982 interface_entry_t *entry;
983
984 DBG1(DBG_IKE, "listening on interfaces:");
985
986 memset(&request, 0, sizeof(request));
987
988 in = (struct nlmsghdr*)&request;
989 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
990 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
991 msg = (struct rtgenmsg*)NLMSG_DATA(in);
992 msg->rtgen_family = AF_UNSPEC;
993
994 /* get all links */
995 in->nlmsg_type = RTM_GETLINK;
996 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
997 {
998 return FAILED;
999 }
1000 current = out;
1001 while (NLMSG_OK(current, len))
1002 {
1003 switch (current->nlmsg_type)
1004 {
1005 case NLMSG_DONE:
1006 break;
1007 case RTM_NEWLINK:
1008 process_link(this, current, FALSE);
1009 /* fall through */
1010 default:
1011 current = NLMSG_NEXT(current, len);
1012 continue;
1013 }
1014 break;
1015 }
1016 free(out);
1017
1018 /* get all interface addresses */
1019 in->nlmsg_type = RTM_GETADDR;
1020 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1021 {
1022 return FAILED;
1023 }
1024 current = out;
1025 while (NLMSG_OK(current, len))
1026 {
1027 switch (current->nlmsg_type)
1028 {
1029 case NLMSG_DONE:
1030 break;
1031 case RTM_NEWADDR:
1032 process_addr(this, current, FALSE);
1033 /* fall through */
1034 default:
1035 current = NLMSG_NEXT(current, len);
1036 continue;
1037 }
1038 break;
1039 }
1040 free(out);
1041
1042 i_iface = this->interfaces->create_iterator_locked(this->interfaces,
1043 &this->mutex);
1044 while (i_iface->iterate(i_iface, (void**)&entry))
1045 {
1046 if (entry->flags & IFF_UP)
1047 {
1048 DBG1(DBG_KNL, " %s", entry->ifname);
1049 i_addr = entry->addresses->create_iterator(entry->addresses, TRUE);
1050 while (i_addr->iterate(i_addr, (void**)&address))
1051 {
1052 DBG1(DBG_KNL, " %H", address);
1053 }
1054 i_addr->destroy(i_addr);
1055 }
1056 }
1057 i_iface->destroy(i_iface);
1058
1059 return SUCCESS;
1060 }
1061
1062 /**
1063 * iterator hook to return address, not address_entry_t
1064 */
1065 static hook_result_t hook(private_kernel_interface_t *this,
1066 interface_entry_t *in, host_t **out)
1067 {
1068 if (!(in->flags & IFF_UP))
1069 { /* skip interfaces not up */
1070 return HOOK_SKIP;
1071 }
1072
1073 if (this->hiter == NULL)
1074 {
1075 this->hiter = in->addresses->create_iterator(in->addresses, TRUE);
1076 }
1077 while (this->hiter->iterate(this->hiter, (void**)out))
1078 {
1079 return HOOK_AGAIN;
1080 }
1081 this->hiter->destroy(this->hiter);
1082 this->hiter = NULL;
1083 return HOOK_SKIP;
1084 }
1085
1086 /**
1087 * Implements kernel_interface_t.create_address_iterator.
1088 */
1089 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1090 {
1091 iterator_t *iterator;
1092
1093 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1094 &this->mutex);
1095 iterator->set_iterator_hook(iterator, (iterator_hook_t*)hook, this);
1096 return iterator;
1097 }
1098
1099 /**
1100 * implementation of kernel_interface_t.get_interface_name
1101 */
1102 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1103 {
1104 iterator_t *iterator, *addresses;
1105 interface_entry_t *entry;
1106 host_t *host;
1107 char *name = NULL;
1108
1109 DBG2(DBG_IKE, "getting interface name for %H", ip);
1110
1111 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1112 &this->mutex);
1113 while (iterator->iterate(iterator, (void**)&entry))
1114 {
1115 addresses = entry->addresses->create_iterator(entry->addresses, TRUE);
1116 while (addresses->iterate(addresses, (void**)&host))
1117 {
1118 if (ip->ip_equals(ip, host))
1119 {
1120 name = strdup(entry->ifname);
1121 break;
1122 }
1123 }
1124 addresses->destroy(addresses);
1125 if (name)
1126 {
1127 break;
1128 }
1129 }
1130 iterator->destroy(iterator);
1131
1132 if (name)
1133 {
1134 DBG2(DBG_IKE, "%H is on interface %s", ip, name);
1135 }
1136 else
1137 {
1138 DBG2(DBG_IKE, "%H is not a local address", ip);
1139 }
1140 return name;
1141 }
1142
1143 /**
1144 * Tries to find an ip address of a local interface that is included in the
1145 * supplied traffic selector.
1146 */
1147 static status_t get_address_by_ts(private_kernel_interface_t *this,
1148 traffic_selector_t *ts, host_t **ip)
1149 {
1150 iterator_t *iterator, *addresses;
1151 interface_entry_t *entry;
1152 host_t *host;
1153 int family;
1154 bool found = FALSE;
1155
1156 DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts);
1157
1158 /* if we have a family which includes localhost, we do not
1159 * search for an IP, we use the default */
1160 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1161
1162 if (family == AF_INET)
1163 {
1164 host = host_create_from_string("127.0.0.1", 0);
1165 }
1166 else
1167 {
1168 host = host_create_from_string("::1", 0);
1169 }
1170
1171 if (ts->includes(ts, host))
1172 {
1173 *ip = host_create_any(family);
1174 host->destroy(host);
1175 DBG2(DBG_IKE, "using host %H", *ip);
1176 return SUCCESS;
1177 }
1178 host->destroy(host);
1179
1180 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1181 &this->mutex);
1182 while (iterator->iterate(iterator, (void**)&entry))
1183 {
1184 addresses = entry->addresses->create_iterator(entry->addresses, TRUE);
1185 while (addresses->iterate(addresses, (void**)&host))
1186 {
1187 if (ts->includes(ts, host))
1188 {
1189 found = TRUE;
1190 *ip = host->clone(host);
1191 break;
1192 }
1193 }
1194 addresses->destroy(addresses);
1195 if (found)
1196 {
1197 break;
1198 }
1199 }
1200 iterator->destroy(iterator);
1201
1202 if (!found)
1203 {
1204 DBG1(DBG_IKE, "no local address found in traffic selector %R", ts);
1205 return FAILED;
1206 }
1207 DBG2(DBG_IKE, "using host %H", *ip);
1208 return SUCCESS;
1209 }
1210
1211 /**
1212 * get the interface of a local address
1213 */
1214 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1215 {
1216 iterator_t *iterator, *addresses;
1217 interface_entry_t *entry;
1218 host_t *host;
1219 int ifindex = 0;
1220
1221 DBG2(DBG_IKE, "getting iface for %H", ip);
1222
1223 iterator = this->interfaces->create_iterator_locked(this->interfaces,
1224 &this->mutex);
1225 while (iterator->iterate(iterator, (void**)&entry))
1226 {
1227 addresses = entry->addresses->create_iterator(entry->addresses, TRUE);
1228 while (addresses->iterate(addresses, (void**)&host))
1229 {
1230 if (ip->ip_equals(ip, host))
1231 {
1232 ifindex = entry->ifindex;
1233 break;
1234 }
1235 }
1236 addresses->destroy(addresses);
1237 if (ifindex)
1238 {
1239 break;
1240 }
1241 }
1242 iterator->destroy(iterator);
1243
1244 if (ifindex == 0)
1245 {
1246 DBG1(DBG_IKE, "unable to get interface for %H", ip);
1247 }
1248 return ifindex;
1249 }
1250
1251 /**
1252 * Manages the creation and deletion of ip addresses on an interface.
1253 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1254 */
1255 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1256 int flags, int if_index, host_t *ip)
1257 {
1258 unsigned char request[BUFFER_SIZE];
1259 struct nlmsghdr *hdr;
1260 struct ifaddrmsg *msg;
1261 chunk_t chunk;
1262
1263 memset(&request, 0, sizeof(request));
1264
1265 chunk = ip->get_address(ip);
1266
1267 hdr = (struct nlmsghdr*)request;
1268 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1269 hdr->nlmsg_type = nlmsg_type;
1270 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1271
1272 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1273 msg->ifa_family = ip->get_family(ip);
1274 msg->ifa_flags = 0;
1275 msg->ifa_prefixlen = 8 * chunk.len;
1276 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1277 msg->ifa_index = if_index;
1278
1279 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1280
1281 return netlink_send_ack(this, this->socket_rt, hdr);
1282 }
1283
1284 /**
1285 * Manages source routes in the routing table.
1286 * By setting the appropriate nlmsg_type, the route added or r.
1287 */
1288 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1289 int flags, route_entry_t *route)
1290 {
1291 unsigned char request[BUFFER_SIZE];
1292 struct nlmsghdr *hdr;
1293 struct rtmsg *msg;
1294 chunk_t chunk;
1295
1296 /* if route is 0.0.0.0/0, we can't install it, as it would
1297 * overwrite the default route. Instead, we add two routes:
1298 * 0.0.0.0/1 and 128.0.0.0/1
1299 * TODO: use metrics instead */
1300 if (route->prefixlen == 0)
1301 {
1302 route_entry_t half;
1303 status_t status;
1304
1305 half.dst_net = chunk_alloca(route->dst_net.len);
1306 memset(half.dst_net.ptr, 0, half.dst_net.len);
1307 half.src_ip = route->src_ip;
1308 half.gateway = route->gateway;
1309 half.if_index = route->if_index;
1310 half.prefixlen = 1;
1311
1312 status = manage_srcroute(this, nlmsg_type, flags, &half);
1313 half.dst_net.ptr[0] |= 0x80;
1314 status = manage_srcroute(this, nlmsg_type, flags, &half);
1315 return status;
1316 }
1317
1318 memset(&request, 0, sizeof(request));
1319
1320 hdr = (struct nlmsghdr*)request;
1321 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1322 hdr->nlmsg_type = nlmsg_type;
1323 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1324
1325 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1326 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1327 msg->rtm_dst_len = route->prefixlen;
1328 msg->rtm_table = RT_TABLE_MAIN;
1329 msg->rtm_protocol = RTPROT_STATIC;
1330 msg->rtm_type = RTN_UNICAST;
1331 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1332
1333 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1334 chunk = route->src_ip->get_address(route->src_ip);
1335 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1336 chunk = route->gateway->get_address(route->gateway);
1337 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1338 chunk.ptr = (char*)&route->if_index;
1339 chunk.len = sizeof(route->if_index);
1340 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1341
1342 return netlink_send_ack(this, this->socket_rt, hdr);
1343 }
1344
1345
1346 /**
1347 * Implementation of kernel_interface_t.add_ip.
1348 */
1349 static status_t add_ip(private_kernel_interface_t *this,
1350 host_t *virtual_ip, host_t *iface_ip)
1351 {
1352 int targetif;
1353 vip_entry_t *listed;
1354 iterator_t *iterator;
1355
1356 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1357
1358 targetif = get_interface_index(this, iface_ip);
1359 if (targetif == 0)
1360 {
1361 DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H",
1362 virtual_ip, iface_ip);
1363 return FAILED;
1364 }
1365
1366 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1367 iterator = this->vips->create_iterator_locked(this->vips, &this->mutex);
1368 while (iterator->iterate(iterator, (void**)&listed))
1369 {
1370 if (listed->if_index == targetif &&
1371 virtual_ip->ip_equals(virtual_ip, listed->ip))
1372 {
1373 listed->refcount++;
1374 iterator->destroy(iterator);
1375 DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it",
1376 virtual_ip, targetif);
1377 return SUCCESS;
1378 }
1379 }
1380 iterator->destroy(iterator);
1381
1382 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1383 targetif, virtual_ip) == SUCCESS)
1384 {
1385 listed = malloc_thing(vip_entry_t);
1386 listed->ip = virtual_ip->clone(virtual_ip);
1387 listed->if_index = targetif;
1388 listed->refcount = 1;
1389 this->vips->insert_last(this->vips, listed);
1390 DBG2(DBG_KNL, "virtual IP %H added to iface %d",
1391 virtual_ip, targetif);
1392 return SUCCESS;
1393 }
1394
1395 DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d",
1396 virtual_ip, targetif);
1397 return FAILED;
1398 }
1399
1400 /**
1401 * Implementation of kernel_interface_t.del_ip.
1402 */
1403 static status_t del_ip(private_kernel_interface_t *this,
1404 host_t *virtual_ip, host_t *iface_ip)
1405 {
1406 int targetif;
1407 vip_entry_t *listed;
1408 iterator_t *iterator;
1409
1410 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1411
1412 targetif = get_interface_index(this, iface_ip);
1413 if (targetif == 0)
1414 {
1415 DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H",
1416 virtual_ip, iface_ip);
1417 return FAILED;
1418 }
1419
1420 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1421 iterator = this->vips->create_iterator_locked(this->vips, &this->mutex);
1422 while (iterator->iterate(iterator, (void**)&listed))
1423 {
1424 if (listed->if_index == targetif &&
1425 virtual_ip->ip_equals(virtual_ip, listed->ip))
1426 {
1427 listed->refcount--;
1428 if (listed->refcount == 0)
1429 {
1430 iterator->remove(iterator);
1431 vip_entry_destroy(listed);
1432 iterator->destroy(iterator);
1433 return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip);
1434 }
1435 iterator->destroy(iterator);
1436 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1437 virtual_ip);
1438 return SUCCESS;
1439 }
1440 }
1441 iterator->destroy(iterator);
1442
1443 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1444 return FAILED;
1445 }
1446
1447 /**
1448 * Implementation of kernel_interface_t.get_spi.
1449 */
1450 static status_t get_spi(private_kernel_interface_t *this,
1451 host_t *src, host_t *dst,
1452 protocol_id_t protocol, u_int32_t reqid,
1453 u_int32_t *spi)
1454 {
1455 unsigned char request[BUFFER_SIZE];
1456 struct nlmsghdr *hdr, *out;
1457 struct xfrm_userspi_info *userspi;
1458 u_int32_t received_spi = 0;
1459 size_t len;
1460
1461 memset(&request, 0, sizeof(request));
1462
1463 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1464
1465 hdr = (struct nlmsghdr*)request;
1466 hdr->nlmsg_flags = NLM_F_REQUEST;
1467 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1468 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1469
1470 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1471 host2xfrm(src, &userspi->info.saddr);
1472 host2xfrm(dst, &userspi->info.id.daddr);
1473 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1474 userspi->info.mode = TRUE; /* tunnel mode */
1475 userspi->info.reqid = reqid;
1476 userspi->info.family = src->get_family(src);
1477 userspi->min = 0xc0000000;
1478 userspi->max = 0xcFFFFFFF;
1479
1480 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1481 {
1482 hdr = out;
1483 while (NLMSG_OK(hdr, len))
1484 {
1485 switch (hdr->nlmsg_type)
1486 {
1487 case XFRM_MSG_NEWSA:
1488 {
1489 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1490 received_spi = usersa->id.spi;
1491 break;
1492 }
1493 case NLMSG_ERROR:
1494 {
1495 struct nlmsgerr *err = NLMSG_DATA(hdr);
1496
1497 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1498 strerror(-err->error), -err->error);
1499 break;
1500 }
1501 default:
1502 hdr = NLMSG_NEXT(hdr, len);
1503 continue;
1504 case NLMSG_DONE:
1505 break;
1506 }
1507 break;
1508 }
1509 free(out);
1510 }
1511
1512 if (received_spi == 0)
1513 {
1514 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1515 return FAILED;
1516 }
1517
1518 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid);
1519
1520 *spi = received_spi;
1521 return SUCCESS;
1522 }
1523
1524 /**
1525 * Implementation of kernel_interface_t.add_sa.
1526 */
1527 static status_t add_sa(private_kernel_interface_t *this,
1528 host_t *src, host_t *dst, u_int32_t spi,
1529 protocol_id_t protocol, u_int32_t reqid,
1530 u_int64_t expire_soft, u_int64_t expire_hard,
1531 algorithm_t *enc_alg, algorithm_t *int_alg,
1532 prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
1533 bool replace)
1534 {
1535 unsigned char request[BUFFER_SIZE];
1536 char *alg_name;
1537 u_int key_size;
1538 struct nlmsghdr *hdr;
1539 struct xfrm_usersa_info *sa;
1540
1541 memset(&request, 0, sizeof(request));
1542
1543 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi);
1544
1545 hdr = (struct nlmsghdr*)request;
1546 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1547 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1548 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1549
1550 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1551 host2xfrm(src, &sa->saddr);
1552 host2xfrm(dst, &sa->id.daddr);
1553 sa->id.spi = spi;
1554 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1555 sa->family = src->get_family(src);
1556 sa->mode = mode;
1557 sa->replay_window = 32;
1558 sa->reqid = reqid;
1559 /* we currently do not expire SAs by volume/packet count */
1560 sa->lft.soft_byte_limit = XFRM_INF;
1561 sa->lft.hard_byte_limit = XFRM_INF;
1562 sa->lft.soft_packet_limit = XFRM_INF;
1563 sa->lft.hard_packet_limit = XFRM_INF;
1564 /* we use lifetimes since added, not since used */
1565 sa->lft.soft_add_expires_seconds = expire_soft;
1566 sa->lft.hard_add_expires_seconds = expire_hard;
1567 sa->lft.soft_use_expires_seconds = 0;
1568 sa->lft.hard_use_expires_seconds = 0;
1569
1570 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1571
1572 if (enc_alg->algorithm != ENCR_UNDEFINED)
1573 {
1574 rthdr->rta_type = XFRMA_ALG_CRYPT;
1575 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
1576 if (alg_name == NULL)
1577 {
1578 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1579 encryption_algorithm_names, enc_alg->algorithm);
1580 return FAILED;
1581 }
1582 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1583 encryption_algorithm_names, enc_alg->algorithm, key_size);
1584
1585 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1586 hdr->nlmsg_len += rthdr->rta_len;
1587 if (hdr->nlmsg_len > sizeof(request))
1588 {
1589 return FAILED;
1590 }
1591
1592 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1593 algo->alg_key_len = key_size;
1594 strcpy(algo->alg_name, alg_name);
1595 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1596
1597 rthdr = XFRM_RTA_NEXT(rthdr);
1598 }
1599
1600 if (int_alg->algorithm != AUTH_UNDEFINED)
1601 {
1602 rthdr->rta_type = XFRMA_ALG_AUTH;
1603 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
1604 if (alg_name == NULL)
1605 {
1606 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1607 integrity_algorithm_names, int_alg->algorithm);
1608 return FAILED;
1609 }
1610 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1611 integrity_algorithm_names, int_alg->algorithm, key_size);
1612
1613 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1614 hdr->nlmsg_len += rthdr->rta_len;
1615 if (hdr->nlmsg_len > sizeof(request))
1616 {
1617 return FAILED;
1618 }
1619
1620 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1621 algo->alg_key_len = key_size;
1622 strcpy(algo->alg_name, alg_name);
1623 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1624
1625 rthdr = XFRM_RTA_NEXT(rthdr);
1626 }
1627
1628 /* TODO: add IPComp here */
1629
1630 if (natt)
1631 {
1632 rthdr->rta_type = XFRMA_ENCAP;
1633 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1634
1635 hdr->nlmsg_len += rthdr->rta_len;
1636 if (hdr->nlmsg_len > sizeof(request))
1637 {
1638 return FAILED;
1639 }
1640
1641 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1642 encap->encap_type = UDP_ENCAP_ESPINUDP;
1643 encap->encap_sport = htons(natt->sport);
1644 encap->encap_dport = htons(natt->dport);
1645 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
1646 /* encap_oa could probably be derived from the
1647 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1648 * pluto does the same as we do here but it uses encap_oa in the
1649 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1650 * the kernel ignores it anyway
1651 * -> does that mean that NAT-T encap doesn't work in transport mode?
1652 * No. The reason the kernel ignores NAT-OA is that it recomputes
1653 * (or, rather, just ignores) the checksum. If packets pass
1654 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1655 rthdr = XFRM_RTA_NEXT(rthdr);
1656 }
1657
1658 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1659 {
1660 DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi);
1661 return FAILED;
1662 }
1663 return SUCCESS;
1664 }
1665
1666 /**
1667 * Implementation of kernel_interface_t.update_sa.
1668 */
1669 static status_t update_sa(private_kernel_interface_t *this,
1670 host_t *src, host_t *dst,
1671 host_t *new_src, host_t *new_dst,
1672 host_diff_t src_changes, host_diff_t dst_changes,
1673 u_int32_t spi, protocol_id_t protocol)
1674 {
1675 unsigned char request[BUFFER_SIZE];
1676 struct nlmsghdr *hdr, *out = NULL;
1677 struct xfrm_usersa_id *sa_id;
1678 struct xfrm_usersa_info *sa = NULL;
1679 size_t len;
1680
1681 memset(&request, 0, sizeof(request));
1682
1683 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1684
1685 hdr = (struct nlmsghdr*)request;
1686 hdr->nlmsg_flags = NLM_F_REQUEST;
1687 hdr->nlmsg_type = XFRM_MSG_GETSA;
1688 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1689
1690 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1691 host2xfrm(dst, &sa_id->daddr);
1692 sa_id->spi = spi;
1693 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1694 sa_id->family = dst->get_family(dst);
1695
1696 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1697 {
1698 hdr = out;
1699 while (NLMSG_OK(hdr, len))
1700 {
1701 switch (hdr->nlmsg_type)
1702 {
1703 case XFRM_MSG_NEWSA:
1704 {
1705 sa = NLMSG_DATA(hdr);
1706 break;
1707 }
1708 case NLMSG_ERROR:
1709 {
1710 struct nlmsgerr *err = NLMSG_DATA(hdr);
1711 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1712 strerror(-err->error), -err->error);
1713 break;
1714 }
1715 default:
1716 hdr = NLMSG_NEXT(hdr, len);
1717 continue;
1718 case NLMSG_DONE:
1719 break;
1720 }
1721 break;
1722 }
1723 }
1724 if (sa == NULL)
1725 {
1726 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
1727 free(out);
1728 return FAILED;
1729 }
1730
1731 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi);
1732
1733 hdr = out;
1734 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1735 hdr->nlmsg_type = XFRM_MSG_UPDSA;
1736
1737 if (src_changes & HOST_DIFF_ADDR)
1738 {
1739 host2xfrm(new_src, &sa->saddr);
1740 }
1741
1742 if (dst_changes & HOST_DIFF_ADDR)
1743 {
1744 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1745 host2xfrm(new_dst, &sa->id.daddr);
1746 }
1747
1748 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
1749 {
1750 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1751 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
1752 while (RTA_OK(rtattr, rtsize))
1753 {
1754 if (rtattr->rta_type == XFRMA_ENCAP)
1755 {
1756 struct xfrm_encap_tmpl* encap;
1757 encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
1758 encap->encap_sport = ntohs(new_src->get_port(new_src));
1759 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
1760 break;
1761 }
1762 rtattr = RTA_NEXT(rtattr, rtsize);
1763 }
1764 }
1765 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1766 {
1767 DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
1768 free(out);
1769 return FAILED;
1770 }
1771 free(out);
1772
1773 if (dst_changes & HOST_DIFF_ADDR)
1774 {
1775 return this->public.del_sa(&this->public, dst, spi, protocol);
1776 }
1777 return SUCCESS;
1778 }
1779
1780 /**
1781 * Implementation of kernel_interface_t.query_sa.
1782 */
1783 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
1784 u_int32_t spi, protocol_id_t protocol,
1785 u_int32_t *use_time)
1786 {
1787 unsigned char request[BUFFER_SIZE];
1788 struct nlmsghdr *out = NULL, *hdr;
1789 struct xfrm_usersa_id *sa_id;
1790 struct xfrm_usersa_info *sa = NULL;
1791 size_t len;
1792
1793 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1794 memset(&request, 0, sizeof(request));
1795
1796 hdr = (struct nlmsghdr*)request;
1797 hdr->nlmsg_flags = NLM_F_REQUEST;
1798 hdr->nlmsg_type = XFRM_MSG_GETSA;
1799 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1800
1801 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1802 host2xfrm(dst, &sa_id->daddr);
1803 sa_id->spi = spi;
1804 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1805 sa_id->family = dst->get_family(dst);
1806
1807 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1808 {
1809 hdr = out;
1810 while (NLMSG_OK(hdr, len))
1811 {
1812 switch (hdr->nlmsg_type)
1813 {
1814 case XFRM_MSG_NEWSA:
1815 {
1816 sa = NLMSG_DATA(hdr);
1817 break;
1818 }
1819 case NLMSG_ERROR:
1820 {
1821 struct nlmsgerr *err = NLMSG_DATA(hdr);
1822 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1823 strerror(-err->error), -err->error);
1824 break;
1825 }
1826 default:
1827 hdr = NLMSG_NEXT(hdr, len);
1828 continue;
1829 case NLMSG_DONE:
1830 break;
1831 }
1832 break;
1833 }
1834 }
1835
1836 if (sa == NULL)
1837 {
1838 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
1839 free(out);
1840 return FAILED;
1841 }
1842
1843 *use_time = sa->curlft.use_time;
1844 free (out);
1845 return SUCCESS;
1846 }
1847
1848 /**
1849 * Implementation of kernel_interface_t.del_sa.
1850 */
1851 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
1852 u_int32_t spi, protocol_id_t protocol)
1853 {
1854 unsigned char request[BUFFER_SIZE];
1855 struct nlmsghdr *hdr;
1856 struct xfrm_usersa_id *sa_id;
1857
1858 memset(&request, 0, sizeof(request));
1859
1860 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
1861
1862 hdr = (struct nlmsghdr*)request;
1863 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1864 hdr->nlmsg_type = XFRM_MSG_DELSA;
1865 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1866
1867 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1868 host2xfrm(dst, &sa_id->daddr);
1869 sa_id->spi = spi;
1870 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1871 sa_id->family = dst->get_family(dst);
1872
1873 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1874 {
1875 DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
1876 return FAILED;
1877 }
1878 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
1879 return SUCCESS;
1880 }
1881
1882 /**
1883 * Implementation of kernel_interface_t.add_policy.
1884 */
1885 static status_t add_policy(private_kernel_interface_t *this,
1886 host_t *src, host_t *dst,
1887 traffic_selector_t *src_ts,
1888 traffic_selector_t *dst_ts,
1889 policy_dir_t direction, protocol_id_t protocol,
1890 u_int32_t reqid, bool high_prio, mode_t mode,
1891 bool update)
1892 {
1893 iterator_t *iterator;
1894 policy_entry_t *current, *policy;
1895 bool found = FALSE;
1896 unsigned char request[BUFFER_SIZE];
1897 struct xfrm_userpolicy_info *policy_info;
1898 struct nlmsghdr *hdr;
1899
1900 /* create a policy */
1901 policy = malloc_thing(policy_entry_t);
1902 memset(policy, 0, sizeof(policy_entry_t));
1903 policy->sel = ts2selector(src_ts, dst_ts);
1904 policy->direction = direction;
1905
1906 /* find the policy, which matches EXACTLY */
1907 pthread_mutex_lock(&this->mutex);
1908 iterator = this->policies->create_iterator(this->policies, TRUE);
1909 while (iterator->iterate(iterator, (void**)&current))
1910 {
1911 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
1912 policy->direction == current->direction)
1913 {
1914 /* use existing policy */
1915 if (!update)
1916 {
1917 current->refcount++;
1918 DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
1919 "refcount", src_ts, dst_ts);
1920 }
1921 free(policy);
1922 policy = current;
1923 found = TRUE;
1924 break;
1925 }
1926 }
1927 iterator->destroy(iterator);
1928 if (!found)
1929 { /* apply the new one, if we have no such policy */
1930 this->policies->insert_last(this->policies, policy);
1931 policy->refcount = 1;
1932 }
1933
1934 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
1935
1936 memset(&request, 0, sizeof(request));
1937 hdr = (struct nlmsghdr*)request;
1938 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1939 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
1940 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1941
1942 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1943 policy_info->sel = policy->sel;
1944 policy_info->dir = policy->direction;
1945 /* calculate priority based on source selector size, small size = high prio */
1946 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1947 policy_info->priority -= policy->sel.prefixlen_s * 10;
1948 policy_info->priority -= policy->sel.proto ? 2 : 0;
1949 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1950 policy_info->action = XFRM_POLICY_ALLOW;
1951 policy_info->share = XFRM_SHARE_ANY;
1952 pthread_mutex_unlock(&this->mutex);
1953
1954 /* policies don't expire */
1955 policy_info->lft.soft_byte_limit = XFRM_INF;
1956 policy_info->lft.soft_packet_limit = XFRM_INF;
1957 policy_info->lft.hard_byte_limit = XFRM_INF;
1958 policy_info->lft.hard_packet_limit = XFRM_INF;
1959 policy_info->lft.soft_add_expires_seconds = 0;
1960 policy_info->lft.hard_add_expires_seconds = 0;
1961 policy_info->lft.soft_use_expires_seconds = 0;
1962 policy_info->lft.hard_use_expires_seconds = 0;
1963
1964 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1965 rthdr->rta_type = XFRMA_TMPL;
1966
1967 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
1968 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
1969
1970 hdr->nlmsg_len += rthdr->rta_len;
1971 if (hdr->nlmsg_len > sizeof(request))
1972 {
1973 return FAILED;
1974 }
1975
1976 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1977 tmpl->reqid = reqid;
1978 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
1979 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1980 tmpl->mode = mode;
1981 tmpl->family = src->get_family(src);
1982
1983 host2xfrm(src, &tmpl->saddr);
1984 host2xfrm(dst, &tmpl->id.daddr);
1985
1986 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
1987 {
1988 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
1989 return FAILED;
1990 }
1991
1992 /* install a route, if:
1993 * - we are NOT updating a policy
1994 * - this is a forward policy (to just get one for each child)
1995 * - we are in tunnel mode
1996 * - we are not using IPv6 (does not work correctly yet!)
1997 */
1998 if (policy->route == NULL && direction == POLICY_FWD &&
1999 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6)
2000 {
2001 policy->route = malloc_thing(route_entry_t);
2002 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2003 {
2004 policy->route->gateway = dst->clone(dst);
2005 policy->route->if_index = get_interface_index(this, dst);
2006 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2007 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
2008 policy->route->prefixlen = policy->sel.prefixlen_s;
2009
2010 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
2011 policy->route) != SUCCESS)
2012 {
2013 DBG1(DBG_KNL, "unable to install source route for %H",
2014 policy->route->src_ip);
2015 route_entry_destroy(policy->route);
2016 policy->route = NULL;
2017 }
2018 }
2019 else
2020 {
2021 free(policy->route);
2022 policy->route = NULL;
2023 }
2024 }
2025
2026 return SUCCESS;
2027 }
2028
2029 /**
2030 * Implementation of kernel_interface_t.query_policy.
2031 */
2032 static status_t query_policy(private_kernel_interface_t *this,
2033 traffic_selector_t *src_ts,
2034 traffic_selector_t *dst_ts,
2035 policy_dir_t direction, u_int32_t *use_time)
2036 {
2037 unsigned char request[BUFFER_SIZE];
2038 struct nlmsghdr *out = NULL, *hdr;
2039 struct xfrm_userpolicy_id *policy_id;
2040 struct xfrm_userpolicy_info *policy = NULL;
2041 size_t len;
2042
2043 memset(&request, 0, sizeof(request));
2044
2045 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
2046
2047 hdr = (struct nlmsghdr*)request;
2048 hdr->nlmsg_flags = NLM_F_REQUEST;
2049 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2050 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2051
2052 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2053 policy_id->sel = ts2selector(src_ts, dst_ts);
2054 policy_id->dir = direction;
2055
2056 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2057 {
2058 hdr = out;
2059 while (NLMSG_OK(hdr, len))
2060 {
2061 switch (hdr->nlmsg_type)
2062 {
2063 case XFRM_MSG_NEWPOLICY:
2064 {
2065 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2066 break;
2067 }
2068 case NLMSG_ERROR:
2069 {
2070 struct nlmsgerr *err = NLMSG_DATA(hdr);
2071 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2072 strerror(-err->error), -err->error);
2073 break;
2074 }
2075 default:
2076 hdr = NLMSG_NEXT(hdr, len);
2077 continue;
2078 case NLMSG_DONE:
2079 break;
2080 }
2081 break;
2082 }
2083 }
2084
2085 if (policy == NULL)
2086 {
2087 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
2088 free(out);
2089 return FAILED;
2090 }
2091 *use_time = (time_t)policy->curlft.use_time;
2092
2093 free(out);
2094 return SUCCESS;
2095 }
2096
2097 /**
2098 * Implementation of kernel_interface_t.del_policy.
2099 */
2100 static status_t del_policy(private_kernel_interface_t *this,
2101 traffic_selector_t *src_ts,
2102 traffic_selector_t *dst_ts,
2103 policy_dir_t direction)
2104 {
2105 policy_entry_t *current, policy, *to_delete = NULL;
2106 route_entry_t *route;
2107 unsigned char request[BUFFER_SIZE];
2108 struct nlmsghdr *hdr;
2109 struct xfrm_userpolicy_id *policy_id;
2110 iterator_t *iterator;
2111
2112 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
2113
2114 /* create a policy */
2115 memset(&policy, 0, sizeof(policy_entry_t));
2116 policy.sel = ts2selector(src_ts, dst_ts);
2117 policy.direction = direction;
2118
2119 /* find the policy */
2120 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2121 while (iterator->iterate(iterator, (void**)&current))
2122 {
2123 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2124 policy.direction == current->direction)
2125 {
2126 to_delete = current;
2127 if (--to_delete->refcount > 0)
2128 {
2129 /* is used by more SAs, keep in kernel */
2130 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2131 iterator->destroy(iterator);
2132 return SUCCESS;
2133 }
2134 /* remove if last reference */
2135 iterator->remove(iterator);
2136 break;
2137 }
2138 }
2139 iterator->destroy(iterator);
2140 if (!to_delete)
2141 {
2142 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
2143 return NOT_FOUND;
2144 }
2145
2146 memset(&request, 0, sizeof(request));
2147
2148 hdr = (struct nlmsghdr*)request;
2149 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2150 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2151 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2152
2153 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2154 policy_id->sel = to_delete->sel;
2155 policy_id->dir = direction;
2156
2157 route = to_delete->route;
2158 free(to_delete);
2159
2160 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2161 {
2162 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
2163 return FAILED;
2164 }
2165
2166 if (route)
2167 {
2168 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2169 {
2170 DBG1(DBG_KNL, "error uninstalling route installed with "
2171 "policy %R===%R", src_ts, dst_ts);
2172 }
2173 route_entry_destroy(route);
2174 }
2175 return SUCCESS;
2176 }
2177
2178 /**
2179 * Implementation of kernel_interface_t.destroy.
2180 */
2181 static void destroy(private_kernel_interface_t *this)
2182 {
2183 this->job->cancel(this->job);
2184 close(this->socket_xfrm_events);
2185 close(this->socket_xfrm);
2186 close(this->socket_rt_events);
2187 close(this->socket_rt);
2188 this->vips->destroy(this->vips);
2189 this->policies->destroy(this->policies);
2190 this->interfaces->destroy_function(this->interfaces, (void*)interface_entry_destroy);
2191 free(this);
2192 }
2193
2194 /*
2195 * Described in header.
2196 */
2197 kernel_interface_t *kernel_interface_create()
2198 {
2199 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2200 struct sockaddr_nl addr;
2201
2202
2203 /* public functions */
2204 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2205 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
2206 this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
2207 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2208 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2209 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
2210 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2211 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2212
2213 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2214 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2215 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2216 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
2217 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2218
2219 /* private members */
2220 this->vips = linked_list_create();
2221 this->policies = linked_list_create();
2222 this->interfaces = linked_list_create();
2223 this->hiter = NULL;
2224 this->seq = 200;
2225 pthread_mutex_init(&this->mutex,NULL);
2226
2227 memset(&addr, 0, sizeof(addr));
2228 addr.nl_family = AF_NETLINK;
2229
2230 /* create and bind RT socket */
2231 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2232 if (this->socket_rt <= 0)
2233 {
2234 charon->kill(charon, "unable to create RT netlink socket");
2235 }
2236 addr.nl_groups = 0;
2237 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
2238 {
2239 charon->kill(charon, "unable to bind RT netlink socket");
2240 }
2241
2242 /* create and bind RT socket for events (address/interface changes) */
2243 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2244 if (this->socket_rt_events <= 0)
2245 {
2246 charon->kill(charon, "unable to create RT event socket");
2247 }
2248 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | RTMGRP_LINK;
2249 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
2250 {
2251 charon->kill(charon, "unable to bind RT event socket");
2252 }
2253
2254 /* create and bind XFRM socket */
2255 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2256 if (this->socket_xfrm <= 0)
2257 {
2258 charon->kill(charon, "unable to create XFRM netlink socket");
2259 }
2260 addr.nl_groups = 0;
2261 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
2262 {
2263 charon->kill(charon, "unable to bind XFRM netlink socket");
2264 }
2265
2266 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
2267 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2268 if (this->socket_xfrm_events <= 0)
2269 {
2270 charon->kill(charon, "unable to create XFRM event socket");
2271 }
2272 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
2273 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2274 {
2275 charon->kill(charon, "unable to bind XFRM event socket");
2276 }
2277
2278 this->job = callback_job_create((callback_job_cb_t)receive_events,
2279 this, NULL, NULL);
2280 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2281
2282 if (init_address_list(this) != SUCCESS)
2283 {
2284 charon->kill(charon, "unable to get interface list");
2285 }
2286
2287 return &this->public;
2288 }
2289