moved auth_method to policy
[strongswan.git] / src / charon / network / socket.c
1 /**
2 * @file socket.c
3 *
4 * @brief Implementation of socket_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include <pthread.h>
26 #include <sys/types.h>
27 #include <sys/socket.h>
28 #include <string.h>
29 #include <errno.h>
30 #include <unistd.h>
31 #include <stdlib.h>
32 #include <fcntl.h>
33 #include <sys/ioctl.h>
34 #include <netinet/in.h>
35 #include <netinet/ip.h>
36 #include <netinet/ip6.h>
37 #include <netinet/udp.h>
38 #include <linux/ipsec.h>
39 #include <linux/filter.h>
40 #include <net/if.h>
41 #include <ifaddrs.h>
42
43 #include "socket.h"
44
45 #include <daemon.h>
46 #include <utils/logger_manager.h>
47
48 /* constants for packet handling */
49 #define IP_LEN sizeof(struct iphdr)
50 #define IP6_LEN sizeof(struct ip6_hdr)
51 #define UDP_LEN sizeof(struct udphdr)
52 #define MARKER_LEN sizeof(u_int32_t)
53
54 /* offsets for packet handling */
55 #define IP_PROTO_OFFSET 9
56 #define IP6_PROTO_OFFSET 6
57 #define IKE_VERSION_OFFSET 17
58 #define IKE_LENGTH_OFFSET 24
59
60 /* from linux/in.h */
61 #ifndef IP_IPSEC_POLICY
62 #define IP_IPSEC_POLICY 16
63 #endif /*IP_IPSEC_POLICY*/
64
65 /* from linux/udp.h */
66 #ifndef UDP_ENCAP
67 #define UDP_ENCAP 100
68 #endif /*UDP_ENCAP*/
69
70 #ifndef UDP_ENCAP_ESPINUDP
71 #define UDP_ENCAP_ESPINUDP 2
72 #endif /*UDP_ENCAP_ESPINUDP*/
73
74 typedef struct private_socket_t private_socket_t;
75
76 /**
77 * Private data of an socket_t object
78 */
79 struct private_socket_t{
80 /**
81 * public functions
82 */
83 socket_t public;
84
85 /**
86 * regular port
87 */
88 int port;
89
90 /**
91 * port used for nat-t
92 */
93 int natt_port;
94
95 /**
96 * raw receiver socket for IPv4
97 */
98 int recv4;
99
100 /**
101 * raw receiver socket for IPv6
102 */
103 int recv6;
104
105 /**
106 * send socket on regular port for IPv4
107 */
108 int send4;
109
110 /**
111 * send socket on regular port for IPv6
112 */
113 int send6;
114
115 /**
116 * send socket on nat-t port for IPv4
117 */
118 int send4_natt;
119
120 /**
121 * send socket on nat-t port for IPv6
122 */
123 int send6_natt;
124
125 /**
126 * logger for this socket
127 */
128 logger_t *logger;
129 };
130
131 /**
132 * implementation of socket_t.receive
133 */
134 static status_t receiver(private_socket_t *this, packet_t **packet)
135 {
136 char buffer[MAX_PACKET];
137 chunk_t data;
138 packet_t *pkt;
139 struct udphdr *udp;
140 host_t *source = NULL, *dest = NULL;
141 int bytes_read = 0;
142 int data_offset, oldstate;
143 fd_set rfds;
144
145 FD_ZERO(&rfds);
146
147 if (this->recv4)
148 {
149 FD_SET(this->recv4, &rfds);
150 }
151 if (this->recv6)
152 {
153 FD_SET(this->recv6, &rfds);
154 }
155
156 this->logger->log(this->logger, CONTROL|LEVEL1,
157 "waiting for data on raw sockets");
158
159 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
160 if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0)
161 {
162 pthread_setcancelstate(oldstate, NULL);
163 return FAILED;
164 }
165 pthread_setcancelstate(oldstate, NULL);
166
167 if (this->recv4 && FD_ISSET(this->recv4, &rfds))
168 {
169 /* IPv4 raw sockets return the IP header. We read src/dest
170 * information directly from the raw header */
171 struct iphdr *ip;
172 struct sockaddr_in src, dst;
173
174 bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
175 if (bytes_read < 0)
176 {
177 this->logger->log(this->logger, ERROR,
178 "error reading from IPv4 socket: %s",
179 strerror(errno));
180 return FAILED;
181 }
182 this->logger->log_bytes(this->logger, RAW,
183 "received IPv4 packet", buffer, bytes_read);
184
185 /* read source/dest from raw IP/UDP header */
186 if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
187 {
188 this->logger->log(this->logger, ERROR,
189 "received IPv4 packet too short");
190 return FAILED;
191 }
192 ip = (struct iphdr*) buffer;
193 udp = (struct udphdr*) (buffer + IP_LEN);
194 src.sin_family = AF_INET;
195 src.sin_addr.s_addr = ip->saddr;
196 src.sin_port = udp->source;
197 dst.sin_family = AF_INET;
198 dst.sin_addr.s_addr = ip->daddr;
199 dst.sin_port = udp->dest;
200 source = host_create_from_sockaddr((sockaddr_t*)&src);
201 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
202
203 pkt = packet_create();
204 pkt->set_source(pkt, source);
205 pkt->set_destination(pkt, dest);
206 this->logger->log(this->logger, CONTROL|LEVEL1,
207 "received packet: from %s[%d] to %s[%d]",
208 source->get_string(source), source->get_port(source),
209 dest->get_string(dest), dest->get_port(dest));
210 data_offset = IP_LEN + UDP_LEN;
211 /* remove non esp marker */
212 if (dest->get_port(dest) == this->natt_port)
213 {
214 data_offset += MARKER_LEN;
215 }
216 /* fill in packet */
217 data.len = bytes_read - data_offset;
218 data.ptr = malloc(data.len);
219 memcpy(data.ptr, buffer + data_offset, data.len);
220 pkt->set_data(pkt, data);
221 }
222 else if (this->recv6 && FD_ISSET(this->recv6, &rfds))
223 {
224 /* IPv6 raw sockets return no IP header. We must query
225 * src/dest via socket options/ancillary data */
226 struct msghdr msg;
227 struct cmsghdr *cmsgptr;
228 struct sockaddr_in6 src, dst;
229 struct iovec iov;
230 char ancillary[64];
231
232 msg.msg_name = &src;
233 msg.msg_namelen = sizeof(src);
234 iov.iov_base = buffer;
235 iov.iov_len = sizeof(buffer);
236 msg.msg_iov = &iov;
237 msg.msg_iovlen = 1;
238 msg.msg_control = ancillary;
239 msg.msg_controllen = sizeof(ancillary);
240 msg.msg_flags = 0;
241
242 bytes_read = recvmsg(this->recv6, &msg, 0);
243 if (bytes_read < 0)
244 {
245 this->logger->log(this->logger, ERROR,
246 "error reading from IPv6 socket: %s",
247 strerror(errno));
248 return FAILED;
249 }
250 this->logger->log_bytes(this->logger, RAW,
251 "received IPv6 packet", buffer, bytes_read);
252
253 if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
254 {
255 this->logger->log(this->logger, ERROR,
256 "received IPv6 packet too short");
257 return FAILED;
258 }
259
260 /* read ancillary data to get destination address */
261 for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
262 cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
263 {
264 if (cmsgptr->cmsg_len == 0)
265 {
266 this->logger->log(this->logger, ERROR,
267 "error reading IPv6 ancillary data: %s",
268 strerror(errno));
269 return FAILED;
270 }
271 if (cmsgptr->cmsg_level == IPPROTO_IPV6 &&
272 cmsgptr->cmsg_type == IPV6_PKTINFO)
273 {
274 struct in6_pktinfo *pktinfo;
275 pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
276
277 memset(&dst, 0, sizeof(dst));
278 memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
279 dst.sin6_family = AF_INET6;
280 udp = (struct udphdr*) (buffer);
281 dst.sin6_port = udp->dest;
282 src.sin6_port = udp->source;
283 dest = host_create_from_sockaddr((sockaddr_t*)&dst);
284 }
285 }
286 /* ancillary data missing? */
287 if (dest == NULL)
288 {
289 this->logger->log(this->logger, ERROR,
290 "error reading IPv6 packet header");
291 return FAILED;
292 }
293
294 source = host_create_from_sockaddr((sockaddr_t*)&src);
295
296 pkt = packet_create();
297 pkt->set_source(pkt, source);
298 pkt->set_destination(pkt, dest);
299 this->logger->log(this->logger, CONTROL|LEVEL1,
300 "received packet: from %s[%d] to %s[%d]",
301 source->get_string(source), source->get_port(source),
302 dest->get_string(dest), dest->get_port(dest));
303 data_offset = UDP_LEN;
304 /* remove non esp marker */
305 if (dest->get_port(dest) == this->natt_port)
306 {
307 data_offset += MARKER_LEN;
308 }
309 /* fill in packet */
310 data.len = bytes_read - data_offset;
311 data.ptr = malloc(data.len);
312 memcpy(data.ptr, buffer + data_offset, data.len);
313 pkt->set_data(pkt, data);
314 }
315 else
316 {
317 /* oops, shouldn't happen */
318 return FAILED;
319 }
320
321 /* return packet */
322 *packet = pkt;
323 return SUCCESS;
324 }
325
326 /**
327 * implementation of socket_t.send
328 */
329 status_t sender(private_socket_t *this, packet_t *packet)
330 {
331 int sport, skt, family;
332 ssize_t bytes_sent;
333 chunk_t data, marked;
334 host_t *src, *dst;
335
336 src = packet->get_source(packet);
337 dst = packet->get_destination(packet);
338 data = packet->get_data(packet);
339
340 this->logger->log(this->logger, CONTROL|LEVEL1, "sending packet: from %s[%d] to %s[%d]",
341 src->get_string(src), src->get_port(src),
342 dst->get_string(dst), dst->get_port(dst));
343
344 /* send data */
345 sport = src->get_port(src);
346 family = dst->get_family(dst);
347 if (sport == this->port)
348 {
349 if (family == AF_INET)
350 {
351 skt = this->send4;
352 }
353 else
354 {
355 skt = this->send6;
356 }
357 }
358 else if (sport == this->natt_port)
359 {
360 if (family == AF_INET)
361 {
362 skt = this->send4_natt;
363 }
364 else
365 {
366 skt = this->send6_natt;
367 }
368 /* NAT keepalives without marker */
369 if (data.len != 1 || data.ptr[0] != 0xFF)
370 {
371 /* add non esp marker to packet */
372 if (data.len > MAX_PACKET - MARKER_LEN)
373 {
374 this->logger->log(this->logger, ERROR,
375 "unable to send packet: it's too big");
376 return FAILED;
377 }
378 marked = chunk_alloc(data.len + MARKER_LEN);
379 memset(marked.ptr, 0, MARKER_LEN);
380 memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
381 /* let the packet do the clean up for us */
382 packet->set_data(packet, marked);
383 data = marked;
384 }
385 }
386 else
387 {
388 this->logger->log(this->logger, ERROR,
389 "unable to locate a send socket for port %d", sport);
390 return FAILED;
391 }
392
393 bytes_sent = sendto(skt, data.ptr, data.len, 0,
394 dst->get_sockaddr(dst), *(dst->get_sockaddr_len(dst)));
395
396 if (bytes_sent != data.len)
397 {
398 this->logger->log(this->logger, ERROR,
399 "error writing to socket: %s", strerror(errno));
400 return FAILED;
401 }
402 return SUCCESS;
403 }
404
405 /**
406 * implements socket_t.is_local_address
407 */
408 static bool is_local_address(private_socket_t *this, host_t *host, char **dev)
409 {
410 struct ifaddrs *list;
411 struct ifaddrs *cur;
412 bool found = FALSE;
413
414 if (getifaddrs(&list) < 0)
415 {
416 return FALSE;
417 }
418
419 for (cur = list; cur != NULL; cur = cur->ifa_next)
420 {
421 if (!(cur->ifa_flags & IFF_UP))
422 {
423 /* ignore interface which are down */
424 continue;
425 }
426
427 if (cur->ifa_addr == NULL ||
428 cur->ifa_addr->sa_family != host->get_family(host))
429 {
430 /* no match in family */
431 continue;
432 }
433
434 switch (cur->ifa_addr->sa_family)
435 {
436 case AF_INET:
437 {
438 struct sockaddr_in *listed, *requested;
439 listed = (struct sockaddr_in*)cur->ifa_addr;
440 requested = (struct sockaddr_in*)host->get_sockaddr(host);
441 if (listed->sin_addr.s_addr == requested->sin_addr.s_addr)
442 {
443 found = TRUE;
444 }
445 break;
446 }
447 case AF_INET6:
448 {
449 struct sockaddr_in6 *listed, *requested;
450 listed = (struct sockaddr_in6*)cur->ifa_addr;
451 requested = (struct sockaddr_in6*)host->get_sockaddr(host);
452 if (memcmp(&listed->sin6_addr, &requested->sin6_addr,
453 sizeof(listed->sin6_addr)) == 0)
454 {
455 found = TRUE;
456 }
457 break;
458 }
459 default:
460 break;
461 }
462
463 if (found)
464 {
465 if (dev && cur->ifa_name)
466 {
467 /* return interface name, if requested */
468 *dev = strdup(cur->ifa_name);
469 }
470 break;
471 }
472 }
473 freeifaddrs(list);
474 return found;
475 }
476
477
478 /**
479 * implements socket_t.create_local_address_list
480 */
481 static linked_list_t* create_local_address_list(private_socket_t *this)
482 {
483 struct ifaddrs *list;
484 struct ifaddrs *cur;
485 host_t *host;
486 linked_list_t *result = linked_list_create();
487
488 if (getifaddrs(&list) < 0)
489 {
490 return result;
491 }
492
493 for (cur = list; cur != NULL; cur = cur->ifa_next)
494 {
495 if (!(cur->ifa_flags & IFF_UP))
496 {
497 /* ignore interface which are down */
498 continue;
499 }
500
501 host = host_create_from_sockaddr(cur->ifa_addr);
502 if (host)
503 {
504 /* we use always the IKEv2 port. This is relevant for
505 * natd payload hashing. */
506 host->set_port(host, this->port);
507 result->insert_last(result, host);
508 }
509 }
510 freeifaddrs(list);
511 return result;
512 }
513
514 /**
515 * open a socket to send packets
516 */
517 static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
518 {
519 int on = TRUE;
520 int type = UDP_ENCAP_ESPINUDP;
521 struct sockaddr_storage addr;
522 u_int ip_proto, ipsec_policy;
523 struct sadb_x_policy policy;
524 int skt;
525
526 memset(&addr, 0, sizeof(addr));
527 /* precalculate constants depending on address family */
528 switch (family)
529 {
530 case AF_INET:
531 {
532 struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
533 sin->sin_family = AF_INET;
534 sin->sin_addr.s_addr = INADDR_ANY;
535 sin->sin_port = htons(port);
536 ip_proto = IPPROTO_IP;
537 ipsec_policy = IP_IPSEC_POLICY;
538 break;
539 }
540 case AF_INET6:
541 {
542 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
543 sin6->sin6_family = AF_INET6;
544 memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
545 sin6->sin6_port = htons(port);
546 ip_proto = IPPROTO_IPV6;
547 ipsec_policy = IPV6_IPSEC_POLICY;
548 break;
549 }
550 default:
551 return 0;
552 }
553
554 skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
555 if (skt < 0)
556 {
557 this->logger->log(this->logger, ERROR, "could not open send socket: %s",
558 strerror(errno));
559 return 0;
560 }
561
562 if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
563 {
564 this->logger->log(this->logger, ERROR,
565 "unable to set SO_REUSEADDR on send socket: %s",
566 strerror(errno));
567 close(skt);
568 return 0;
569 }
570
571 /* bypass outgoung IKE traffic on send socket */
572 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
573 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
574 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
575 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
576 policy.sadb_x_policy_reserved = 0;
577 policy.sadb_x_policy_id = 0;
578
579 if (setsockopt(skt, ip_proto, ipsec_policy, &policy, sizeof(policy)) < 0)
580 {
581 this->logger->log(this->logger, ERROR,
582 "unable to set IPSEC_POLICY on send socket: %s",
583 strerror(errno));
584 close(skt);
585 return 0;
586 }
587
588 /* We don't receive packets on the send socket, but we need a INBOUND policy.
589 * Otherwise, UDP decapsulation does not work!!! */
590 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
591 if (setsockopt(skt, ip_proto, ipsec_policy, &policy, sizeof(policy)) < 0)
592 {
593 this->logger->log(this->logger, ERROR,
594 "unable to set IPSEC_POLICY on send socket: %s",
595 strerror(errno));
596 close(skt);
597 return 0;
598 }
599
600 /* bind the send socket */
601 if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
602 {
603 this->logger->log(this->logger, ERROR, "unable to bind send socket: %s",
604 strerror(errno));
605 close(skt);
606 return 0;
607 }
608
609 if (family == AF_INET)
610 {
611 /* enable UDP decapsulation globally, only for one socket needed */
612 if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
613 {
614 this->logger->log(this->logger, ERROR,
615 "unable to set UDP_ENCAP: %s; NAT-T may fail",
616 strerror(errno));
617 }
618 }
619
620 return skt;
621 }
622
623 /**
624 * open a socket to receive packets
625 */
626 static int open_recv_socket(private_socket_t *this, int family)
627 {
628 int skt;
629 int on = TRUE;
630 u_int proto_offset, ip_len, ip_proto, ipsec_policy, ip_pktinfo, udp_header, ike_header;
631 struct sadb_x_policy policy;
632
633 /* precalculate constants depending on address family */
634 switch (family)
635 {
636 case AF_INET:
637 proto_offset = IP_PROTO_OFFSET;
638 ip_len = IP_LEN;
639 ip_proto = IPPROTO_IP;
640 ip_pktinfo = IP_PKTINFO;
641 ipsec_policy = IP_IPSEC_POLICY;
642 break;
643 case AF_INET6:
644 proto_offset = IP6_PROTO_OFFSET;
645 ip_len = 0; /* IPv6 raw sockets contain no IP header */
646 ip_proto = IPPROTO_IPV6;
647 ip_pktinfo = IPV6_PKTINFO;
648 ipsec_policy = IPV6_IPSEC_POLICY;
649 break;
650 default:
651 return 0;
652 }
653 udp_header = ip_len;
654 ike_header = ip_len + UDP_LEN;
655
656 /* This filter code filters out all non-IKEv2 traffic on
657 * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
658 * IKE versions is done in pluto.
659 */
660 struct sock_filter ikev2_filter_code[] =
661 {
662 /* Destination Port must be either port or natt_port */
663 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, udp_header + 2),
664 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, this->port, 1, 0),
665 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, this->natt_port, 5, 12),
666 /* port */
667 /* IKE version must be 2.0 */
668 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + IKE_VERSION_OFFSET),
669 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 10),
670 /* packet length is length in IKEv2 header + ip header + udp header */
671 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + IKE_LENGTH_OFFSET),
672 BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN),
673 BPF_STMT(BPF_RET+BPF_A, 0),
674 /* natt_port */
675 /* nat-t: check for marker */
676 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header),
677 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5),
678 /* nat-t: IKE version must be 2.0 */
679 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + MARKER_LEN + IKE_VERSION_OFFSET),
680 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3),
681 /* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */
682 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + MARKER_LEN + IKE_LENGTH_OFFSET),
683 BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN + MARKER_LEN),
684 BPF_STMT(BPF_RET+BPF_A, 0),
685 /* packet doesn't match, ignore */
686 BPF_STMT(BPF_RET+BPF_K, 0),
687 };
688
689 /* Filter struct to use with setsockopt */
690 struct sock_fprog ikev2_filter = {
691 sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
692 ikev2_filter_code
693 };
694
695 /* set up a raw socket */
696 skt = socket(family, SOCK_RAW, IPPROTO_UDP);
697 if (skt < 0)
698 {
699 this->logger->log(this->logger, ERROR,
700 "unable to create raw socket: %s",
701 strerror(errno));
702 return 0;
703 }
704
705 if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
706 &ikev2_filter, sizeof(ikev2_filter)) < 0)
707 {
708 this->logger->log(this->logger, ERROR,
709 "unable to attach IKEv2 filter to raw socket: %s",
710 strerror(errno));
711 close(skt);
712 return 0;
713 }
714
715 if (family == AF_INET6 &&
716 setsockopt(skt, ip_proto, ip_pktinfo, &on, sizeof(on)) < 0)
717 {
718 this->logger->log(this->logger, ERROR,
719 "unable to set IPV6_PKTINFO on raw socket: %s",
720 strerror(errno));
721 close(skt);
722 return 0;
723 }
724
725 /* bypass incomining IKE traffic on this socket */
726 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
727 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
728 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
729 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
730 policy.sadb_x_policy_reserved = 0;
731 policy.sadb_x_policy_id = 0;
732
733 if (setsockopt(skt, ip_proto, ipsec_policy, &policy, sizeof(policy)) < 0)
734 {
735 this->logger->log(this->logger, ERROR,
736 "unable to set IPSEC_POLICY on raw socket: %s",
737 strerror(errno));
738 close(skt);
739 return 0;
740 }
741
742 return skt;
743 }
744
745 /**
746 * implementation of socket_t.destroy
747 */
748 static void destroy(private_socket_t *this)
749 {
750 if (this->recv4)
751 {
752 close(this->recv4);
753 }
754 if (this->recv6)
755 {
756 close(this->recv6);
757 }
758 if (this->send4)
759 {
760 close(this->send4);
761 }
762 if (this->send6)
763 {
764 close(this->send6);
765 }
766 if (this->send4_natt)
767 {
768 close(this->send4_natt);
769 }
770 if (this->send6_natt)
771 {
772 close(this->send6_natt);
773 }
774 free(this);
775 }
776
777 /*
778 * See header for description
779 */
780 socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
781 {
782 private_socket_t *this = malloc_thing(private_socket_t);
783
784 /* public functions */
785 this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
786 this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
787 this->public.is_local_address = (bool(*)(socket_t*, host_t*,char**))is_local_address;
788 this->public.create_local_address_list = (linked_list_t*(*)(socket_t*))create_local_address_list;
789 this->public.destroy = (void(*)(socket_t*)) destroy;
790
791 this->logger = logger_manager->get_logger(logger_manager, SOCKET);
792
793 this->port = port;
794 this->natt_port = natt_port;
795 this->recv4 = 0;
796 this->recv6 = 0;
797 this->send4 = 0;
798 this->send6 = 0;
799 this->send4_natt = 0;
800 this->send6_natt = 0;
801
802 this->recv4 = open_recv_socket(this, AF_INET);
803 if (this->recv4 == 0)
804 {
805 this->logger->log(this->logger, ERROR,
806 "could not open IPv4 receive socket, IPv4 disabled");
807 }
808 else
809 {
810 this->send4 = open_send_socket(this, AF_INET, this->port);
811 if (this->send4 == 0)
812 {
813 this->logger->log(this->logger, ERROR,
814 "could not open IPv4 send socket, IPv4 disabled");
815 close(this->recv4);
816 }
817 else
818 {
819 this->send4_natt = open_send_socket(this, AF_INET, this->natt_port);
820 if (this->send4_natt == 0)
821 {
822 this->logger->log(this->logger, ERROR,
823 "could not open IPv4 NAT-T send socket");
824 }
825 }
826 }
827
828 this->recv6 = open_recv_socket(this, AF_INET6);
829 if (this->recv6 == 0)
830 {
831 this->logger->log(this->logger, ERROR,
832 "could not open IPv6 receive socket, IPv6 disabled");
833 }
834 else
835 {
836 this->send6 = open_send_socket(this, AF_INET6, this->port);
837 if (this->send6 == 0)
838 {
839 this->logger->log(this->logger, ERROR,
840 "could not open IPv6 send socket, IPv6 disabled");
841 close(this->recv6);
842 }
843 else
844 {
845 this->send6_natt = open_send_socket(this, AF_INET6, this->natt_port);
846 if (this->send6_natt == 0)
847 {
848 this->logger->log(this->logger, ERROR,
849 "could not open IPv6 NAT-T send socket");
850 }
851 }
852 }
853
854 if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6))
855 {
856 this->logger->log(this->logger, ERROR,
857 "could not create any sockets");
858 destroy(this);
859 charon->kill(charon, "socket initialization failed");
860 }
861
862 return (socket_t*)this;
863 }