projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fixed 64 bit issue
[strongswan.git] / src / charon / threads / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 * Copyright (C) 2003 Herbert Xu.
14 *
15 * Contains modified parts from pluto.
16 *
17 * This program is free software; you can redistribute it and/or modify it
18 * under the terms of the GNU General Public License as published by the
19 * Free Software Foundation; either version 2 of the License, or (at your
20 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
21 *
22 * This program is distributed in the hope that it will be useful, but
23 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
24 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
25 * for more details.
26 */
27
28 #include <sys/types.h>
29 #include <sys/socket.h>
30 #include <linux/netlink.h>
31 #include <linux/rtnetlink.h>
32 #include <linux/xfrm.h>
33 #include <linux/udp.h>
34 #include <pthread.h>
35 #include <unistd.h>
36 #include <fcntl.h>
37 #include <errno.h>
38 #include <string.h>
39
40 #include "kernel_interface.h"
41
42 #include <daemon.h>
43 #include <utils/linked_list.h>
44 #include <queues/jobs/delete_child_sa_job.h>
45 #include <queues/jobs/rekey_child_sa_job.h>
46 #include <queues/jobs/acquire_job.h>
47
48 /** kernel level protocol identifiers */
49 #define KERNEL_ESP 50
50 #define KERNEL_AH 51
51
52 /** default priority of installed policies */
53 #define PRIO_LOW 3000
54 #define PRIO_HIGH 2000
55
56 #define BUFFER_SIZE 1024
57
58 /**
59 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
60 * 'usual' netlink data x like 'struct xfrm_usersa_info'
61 */
62 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
63 /**
64 * returns a pointer to the next rtattr following rta.
65 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
66 */
67 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
68 /**
69 * returns the total size of attached rta data
70 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
71 */
72 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
73
74 typedef struct kernel_algorithm_t kernel_algorithm_t;
75
76 /**
77 * Mapping from the algorithms defined in IKEv2 to
78 * kernel level algorithm names and their key length
79 */
80 struct kernel_algorithm_t {
81 /**
82 * Identifier specified in IKEv2
83 */
84 int ikev2_id;
85
86 /**
87 * Name of the algorithm, as used as kernel identifier
88 */
89 char *name;
90
91 /**
92 * Key length in bits, if fixed size
93 */
94 u_int key_size;
95 };
96 #define END_OF_LIST -1
97
98 /**
99 * Algorithms for encryption
100 */
101 kernel_algorithm_t encryption_algs[] = {
102 /* {ENCR_DES_IV64, "***", 0}, */
103 {ENCR_DES, "des", 64},
104 {ENCR_3DES, "des3_ede", 192},
105 /* {ENCR_RC5, "***", 0}, */
106 /* {ENCR_IDEA, "***", 0}, */
107 {ENCR_CAST, "cast128", 0},
108 {ENCR_BLOWFISH, "blowfish", 0},
109 /* {ENCR_3IDEA, "***", 0}, */
110 /* {ENCR_DES_IV32, "***", 0}, */
111 {ENCR_NULL, "cipher_null", 0},
112 {ENCR_AES_CBC, "aes", 0},
113 /* {ENCR_AES_CTR, "***", 0}, */
114 {END_OF_LIST, NULL, 0},
115 };
116
117 /**
118 * Algorithms for integrity protection
119 */
120 kernel_algorithm_t integrity_algs[] = {
121 {AUTH_HMAC_MD5_96, "md5", 128},
122 {AUTH_HMAC_SHA1_96, "sha1", 160},
123 /* {AUTH_DES_MAC, "***", 0}, */
124 /* {AUTH_KPDK_MD5, "***", 0}, */
125 /* {AUTH_AES_XCBC_96, "***", 0}, */
126 {END_OF_LIST, NULL, 0},
127 };
128
129 /**
130 * Look up a kernel algorithm name and its key size
131 */
132 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
133 algorithm_t *ikev2_algo, u_int *key_size)
134 {
135 while (kernel_algo->ikev2_id != END_OF_LIST)
136 {
137 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
138 {
139 /* match, evaluate key length */
140 if (ikev2_algo->key_size)
141 { /* variable length */
142 *key_size = ikev2_algo->key_size;
143 }
144 else
145 { /* fixed length */
146 *key_size = kernel_algo->key_size;
147 }
148 return kernel_algo->name;
149 }
150 kernel_algo++;
151 }
152 return NULL;
153 }
154
155
156
157 typedef struct kernel_policy_t kernel_policy_t;
158
159 /**
160 * Installed kernel policy.
161 */
162 struct kernel_policy_t {
163
164 /** direction of this policy: in, out, forward */
165 u_int8_t direction;
166
167 /** reqid of the policy */
168 u_int32_t reqid;
169
170 /** parameters of installed policy */
171 struct xfrm_selector sel;
172
173 /** by how many CHILD_SA's this policy is used */
174 u_int refcount;
175 };
176
177
178 typedef struct private_kernel_interface_t private_kernel_interface_t;
179
180 /**
181 * Private Variables and Functions of kernel_interface class.
182 */
183 struct private_kernel_interface_t {
184 /**
185 * Public part of the kernel_interface_t object.
186 */
187 kernel_interface_t public;
188
189 /**
190 * List of installed policies (kernel_policy_t)
191 */
192 linked_list_t *policies;
193
194 /**
195 * Mutex locks access to policies list.
196 */
197 pthread_mutex_t pol_mutex;
198
199 /**
200 * Netlink communication socket.
201 */
202 int socket;
203
204 /**
205 * Process id of kernel thread
206 */
207 pid_t pid;
208
209 /**
210 * Sequence number for messages.
211 */
212 u_int32_t seq;
213
214 /**
215 * List of responded messages.
216 */
217 linked_list_t *responses;
218
219 /**
220 * Thread which receives messages.
221 */
222 pthread_t thread;
223
224 /**
225 * Mutex locks access to replies list.
226 */
227 pthread_mutex_t rep_mutex;
228
229 /**
230 * Condvar allows signaling of threads waiting for a reply.
231 */
232 pthread_cond_t condvar;
233 };
234
235
236 /**
237 * Send a message down to the kernel and wait for its response
238 */
239 static status_t send_message(private_kernel_interface_t *this,
240 struct nlmsghdr *request, struct nlmsghdr **response)
241 {
242 size_t length;
243 struct sockaddr_nl addr;
244
245 request->nlmsg_seq = ++this->seq;
246 request->nlmsg_pid = 0;
247
248 memset(&addr, 0, sizeof(struct sockaddr_nl));
249 addr.nl_family = AF_NETLINK;
250 addr.nl_pid = 0;
251 addr.nl_groups = 0;
252
253 length = sendto(this->socket,(void *)request, request->nlmsg_len, 0,
254 (struct sockaddr *)&addr, sizeof(addr));
255
256 if (length < 0)
257 {
258 return FAILED;
259 }
260 else if (length != request->nlmsg_len)
261 {
262 return FAILED;
263 }
264
265 pthread_mutex_lock(&(this->rep_mutex));
266
267 while (TRUE)
268 {
269 iterator_t *iterator;
270 struct nlmsghdr *listed_response;
271 bool found = FALSE;
272
273 /* search list, break if found */
274 iterator = this->responses->create_iterator(this->responses, TRUE);
275 while (iterator->iterate(iterator, (void**)&listed_response))
276 {
277 if (listed_response->nlmsg_seq == request->nlmsg_seq)
278 {
279 /* matches our request, this is the reply */
280 *response = listed_response;
281 iterator->remove(iterator);
282 found = TRUE;
283 break;
284 }
285 }
286 iterator->destroy(iterator);
287
288 if (found)
289 {
290 break;
291 }
292 /* TODO: we should time out, if something goes wrong!??? */
293 pthread_cond_wait(&(this->condvar), &(this->rep_mutex));
294 }
295
296 pthread_mutex_unlock(&(this->rep_mutex));
297
298 return SUCCESS;
299 }
300
301 /**
302 * Implementation of private_kernel_interface_t.receive_messages.
303 */
304 static void receive_messages(private_kernel_interface_t *this)
305 {
306 while(TRUE)
307 {
308 unsigned char response[BUFFER_SIZE];
309 struct nlmsghdr *hdr, *listed_response;
310 while (TRUE)
311 {
312 struct sockaddr_nl addr;
313 socklen_t addr_length;
314 size_t length;
315
316 addr_length = sizeof(addr);
317
318 length = recvfrom(this->socket, &response, sizeof(response), 0, (struct sockaddr*)&addr, &addr_length);
319 if (length < 0)
320 {
321 if (errno == EINTR)
322 {
323 /* interrupted, try again */
324 continue;
325 }
326 charon->kill(charon, "receiving from netlink socket failed");
327 }
328 if (!NLMSG_OK((struct nlmsghdr *)response, length))
329 {
330 /* bad netlink message */
331 continue;
332 }
333 if (addr.nl_pid != 0)
334 {
335 /* not from kernel. not interested, try another one */
336 continue;
337 }
338 /* good message, handle it */
339 break;
340 }
341
342 /* we handle ACQUIRE and EXPIRE messages directly */
343 hdr = (struct nlmsghdr*)response;
344 if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE)
345 {
346 u_int32_t reqid = 0;
347 job_t *job;
348 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_user_acquire);
349 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
350 if (RTA_OK(rthdr, rtsize))
351 {
352 if (rthdr->rta_type == XFRMA_TMPL)
353 {
354 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
355 reqid = tmpl->reqid;
356 }
357 }
358 if (reqid == 0)
359 {
360 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
361 }
362 else
363 {
364 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
365 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d",
366 reqid);
367 job = (job_t*)acquire_job_create(reqid);
368 charon->job_queue->add(charon->job_queue, job);
369 }
370 }
371 else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE)
372 {
373 job_t *job;
374 protocol_id_t protocol;
375 u_int32_t spi, reqid;
376 struct xfrm_user_expire *expire;
377
378 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
379 protocol = expire->state.id.proto == KERNEL_ESP ?
380 PROTO_ESP : PROTO_AH;
381 spi = expire->state.id.spi;
382 reqid = expire->state.reqid;
383
384 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
385 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
386 expire->hard ? "delete" : "rekey",
387 protocol_id_names, protocol, ntohl(spi),
388 reqid);
389 if (expire->hard)
390 {
391 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
392 }
393 else
394 {
395 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
396 }
397 charon->job_queue->add(charon->job_queue, job);
398 }
399 /* NLMSG_ERROR is sent back for acknowledge (or on error), an
400 * XFRM_MSG_NEWSA is returned when we alloc spis and when
401 * updating SAs.
402 * XFRM_MSG_NEWPOLICY is returned when we query a policy.
403 * list these responses for the sender
404 */
405 else if (hdr->nlmsg_type == NLMSG_ERROR ||
406 hdr->nlmsg_type == XFRM_MSG_NEWSA ||
407 hdr->nlmsg_type == XFRM_MSG_NEWPOLICY)
408 {
409 /* add response to queue */
410 listed_response = malloc(hdr->nlmsg_len);
411 memcpy(listed_response, &response, hdr->nlmsg_len);
412
413 pthread_mutex_lock(&(this->rep_mutex));
414 this->responses->insert_last(this->responses, (void*)listed_response);
415 pthread_mutex_unlock(&(this->rep_mutex));
416 /* signal ALL waiting threads */
417 pthread_cond_broadcast(&(this->condvar));
418 }
419 /* we are not interested in anything other.
420 * anyway, move on to the next message */
421 continue;
422 }
423 }
424
425 /**
426 * convert a host_t to a struct xfrm_address
427 */
428 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
429 {
430 chunk_t chunk = host->get_address(host);
431 memcpy(xfrm, chunk.ptr, max(chunk.len, sizeof(xfrm_address_t)));
432 }
433
434 /**
435 * Implementation of kernel_interface_t.get_spi.
436 */
437 static status_t get_spi(private_kernel_interface_t *this,
438 host_t *src, host_t *dst,
439 protocol_id_t protocol, u_int32_t reqid,
440 u_int32_t *spi)
441 {
442 unsigned char request[BUFFER_SIZE];
443 struct nlmsghdr *response;
444 struct nlmsghdr *hdr;
445 struct xfrm_userspi_info *userspi;
446
447 memset(&request, 0, sizeof(request));
448 status_t status = SUCCESS;
449
450 DBG2(DBG_KNL, "getting spi");
451
452 hdr = (struct nlmsghdr*)request;
453 hdr->nlmsg_flags = NLM_F_REQUEST;
454 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
455 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
456
457 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
458 host2xfrm(src, &userspi->info.saddr);
459 host2xfrm(dst, &userspi->info.id.daddr);
460 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
461 userspi->info.mode = TRUE; /* tunnel mode */
462 userspi->info.reqid = reqid;
463 userspi->info.family = src->get_family(src);
464 userspi->min = 0xc0000000;
465 userspi->max = 0xcFFFFFFF;
466
467 if (send_message(this, hdr, &response) != SUCCESS)
468 {
469 DBG1(DBG_KNL, "netlink communication failed");
470 return FAILED;
471 }
472 else if (response->nlmsg_type == NLMSG_ERROR)
473 {
474 DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an error: %s",
475 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
476 status = FAILED;
477 }
478 else if (response->nlmsg_type != XFRM_MSG_NEWSA)
479 {
480 DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got a unknown reply");
481 status = FAILED;
482 }
483 else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
484 {
485 DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an invalid reply");
486 status = FAILED;
487 }
488 else
489 {
490 *spi = ((struct xfrm_usersa_info*)NLMSG_DATA(response))->id.spi;
491 DBG2(DBG_KNL, "SPI is 0x%x", *spi);
492 }
493 free(response);
494
495 return status;
496 }
497
498 /**
499 * Implementation of kernel_interface_t.add_sa.
500 */
501 static status_t add_sa(private_kernel_interface_t *this,
502 host_t *src, host_t *dst, u_int32_t spi,
503 protocol_id_t protocol, u_int32_t reqid,
504 u_int64_t expire_soft, u_int64_t expire_hard,
505 algorithm_t *enc_alg, algorithm_t *int_alg,
506 prf_plus_t *prf_plus, natt_conf_t *natt,
507 bool replace)
508 {
509 unsigned char request[BUFFER_SIZE];
510 struct nlmsghdr *response;
511 char *alg_name;
512 u_int key_size;
513 struct nlmsghdr *hdr;
514 struct xfrm_usersa_info *sa;
515
516 memset(&request, 0, sizeof(request));
517 status_t status = SUCCESS;
518
519 DBG2(DBG_KNL, "adding SA");
520
521 hdr = (struct nlmsghdr*)request;
522 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
523 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
524 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
525
526 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
527 host2xfrm(src, &sa->saddr);
528 host2xfrm(dst, &sa->id.daddr);
529 sa->id.spi = spi;
530 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
531 sa->family = src->get_family(src);
532 sa->mode = TRUE; /* tunnel mode */
533 sa->replay_window = 32;
534 sa->reqid = reqid;
535 /* we currently do not expire SAs by volume/packet count */
536 sa->lft.soft_byte_limit = XFRM_INF;
537 sa->lft.hard_byte_limit = XFRM_INF;
538 sa->lft.soft_packet_limit = XFRM_INF;
539 sa->lft.hard_packet_limit = XFRM_INF;
540 /* we use lifetimes since added, not since used */
541 sa->lft.soft_add_expires_seconds = expire_soft;
542 sa->lft.hard_add_expires_seconds = expire_hard;
543 sa->lft.soft_use_expires_seconds = 0;
544 sa->lft.hard_use_expires_seconds = 0;
545
546 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
547
548 if (enc_alg->algorithm != ENCR_UNDEFINED)
549 {
550 rthdr->rta_type = XFRMA_ALG_CRYPT;
551 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
552 if (alg_name == NULL)
553 {
554 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
555 encryption_algorithm_names, enc_alg->algorithm);
556 return FAILED;
557 }
558 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
559 encryption_algorithm_names, enc_alg->algorithm, key_size);
560
561 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
562 hdr->nlmsg_len += rthdr->rta_len;
563 if (hdr->nlmsg_len > sizeof(request))
564 {
565 return FAILED;
566 }
567
568 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
569 algo->alg_key_len = key_size;
570 strcpy(algo->alg_name, alg_name);
571 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
572
573 rthdr = XFRM_RTA_NEXT(rthdr);
574 }
575
576 if (int_alg->algorithm != AUTH_UNDEFINED)
577 {
578 rthdr->rta_type = XFRMA_ALG_AUTH;
579 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
580 if (alg_name == NULL)
581 {
582 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
583 integrity_algorithm_names, int_alg->algorithm);
584 return FAILED;
585 }
586 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
587 integrity_algorithm_names, int_alg->algorithm, key_size);
588
589 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
590 hdr->nlmsg_len += rthdr->rta_len;
591 if (hdr->nlmsg_len > sizeof(request))
592 {
593 return FAILED;
594 }
595
596 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
597 algo->alg_key_len = key_size;
598 strcpy(algo->alg_name, alg_name);
599 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
600
601 rthdr = XFRM_RTA_NEXT(rthdr);
602 }
603
604 /* TODO: add IPComp here */
605
606 if (natt)
607 {
608 rthdr->rta_type = XFRMA_ENCAP;
609 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
610
611 hdr->nlmsg_len += rthdr->rta_len;
612 if (hdr->nlmsg_len > sizeof(request))
613 {
614 return FAILED;
615 }
616
617 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
618 encap->encap_type = UDP_ENCAP_ESPINUDP;
619 encap->encap_sport = htons(natt->sport);
620 encap->encap_dport = htons(natt->dport);
621 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
622 /* encap_oa could probably be derived from the
623 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
624 * pluto does the same as we do here but it uses encap_oa in the
625 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
626 * the kernel ignores it anyway
627 * -> does that mean that NAT-T encap doesn't work in transport mode?
628 * No. The reason the kernel ignores NAT-OA is that it recomputes
629 * (or, rather, just ignores) the checksum. If packets pass
630 * the IPSec checks it marks them "checksum ok" so OA isn't needed. */
631
632 rthdr = XFRM_RTA_NEXT(rthdr);
633 }
634
635 if (send_message(this, hdr, &response) != SUCCESS)
636 {
637 DBG1(DBG_KNL, "netlink communication failed");
638 return FAILED;
639 }
640 else if (response->nlmsg_type != NLMSG_ERROR)
641 {
642 DBG1(DBG_KNL, "netlink request XFRM_MSG_NEWSA not acknowledged");
643 status = FAILED;
644 }
645 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
646 {
647 DBG1(DBG_KNL, "netlink request XFRM_MSG_NEWSA got an error: %s",
648 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
649 status = FAILED;
650 }
651
652 free(response);
653 return status;
654 }
655
656 /**
657 * Implementation of kernel_interface_t.update_sa.
658 */
659 static status_t update_sa(
660 private_kernel_interface_t *this,
661 host_t *src, host_t *dst,
662 host_t *new_src, host_t *new_dst,
663 host_diff_t src_changes, host_diff_t dst_changes,
664 u_int32_t spi, protocol_id_t protocol)
665 {
666 unsigned char request[BUFFER_SIZE];
667 struct nlmsghdr *update, *response;
668 struct nlmsghdr *hdr;
669 struct xfrm_usersa_id *sa_id;
670
671 memset(&request, 0, sizeof(request));
672 status_t status = SUCCESS;
673
674 DBG2(DBG_KNL, "getting SA");
675
676 hdr = (struct nlmsghdr*)request;
677 hdr->nlmsg_flags = NLM_F_REQUEST;
678 hdr->nlmsg_type = XFRM_MSG_GETSA;
679 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
680
681 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
682 host2xfrm(dst, &sa_id->daddr);
683 sa_id->spi = spi;
684 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
685 sa_id->family = dst->get_family(dst);
686
687 if (send_message(this, hdr, &update) != SUCCESS)
688 {
689 DBG1(DBG_KNL, "netlink communication failed");
690 return FAILED;
691 }
692 else if (update->nlmsg_type == NLMSG_ERROR)
693 {
694 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an error: %s",
695 strerror(-((struct nlmsgerr*)NLMSG_DATA(update))->error));
696 free(update);
697 return FAILED;
698 }
699 else if (update->nlmsg_type != XFRM_MSG_NEWSA)
700 {
701 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got a unknown reply");
702 free(update);
703 return FAILED;
704 }
705 else if (update->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
706 {
707 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply");
708 free(update);
709 return FAILED;
710 }
711
712 DBG2(DBG_KNL, "updating SA");
713 update->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
714 update->nlmsg_type = XFRM_MSG_UPDSA;
715
716 struct xfrm_usersa_info *sa = (struct xfrm_usersa_info*)NLMSG_DATA(update);
717 if (src_changes & HOST_DIFF_ADDR)
718 {
719 host2xfrm(new_src, &sa->saddr);
720 }
721
722 if (dst_changes & HOST_DIFF_ADDR)
723 {
724 DBG2(DBG_KNL, "destination address changed! replacing SA");
725
726 update->nlmsg_type = XFRM_MSG_NEWSA;
727 host2xfrm(new_dst, &sa->id.daddr);
728 }
729
730 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
731 {
732 struct rtattr *rthdr = XFRM_RTA(update, struct xfrm_usersa_info);
733 size_t rtsize = XFRM_PAYLOAD(update, struct xfrm_usersa_info);
734 while (RTA_OK(rthdr, rtsize))
735 {
736 if (rthdr->rta_type == XFRMA_ENCAP)
737 {
738 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
739 encap->encap_sport = ntohs(new_src->get_port(new_src));
740 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
741 break;
742 }
743 rthdr = RTA_NEXT(rthdr, rtsize);
744 }
745 }
746
747 if (send_message(this, update, &response) != SUCCESS)
748 {
749 DBG1(DBG_KNL, "netlink communication failed");
750 free(update);
751 return FAILED;
752 }
753 else if (response->nlmsg_type != NLMSG_ERROR)
754 {
755 DBG1(DBG_KNL, "netlink request XFRM_MSG_XXXSA not acknowledged");
756 status = FAILED;
757 }
758 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
759 {
760 DBG1(DBG_KNL, "netlink request XFRM_MSG_XXXSA got an error: %s",
761 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
762 status = FAILED;
763 }
764 else if (dst_changes & HOST_DIFF_ADDR)
765 {
766 DBG2(DBG_KNL, "deleting old SA");
767 status = this->public.del_sa(&this->public, dst, spi, protocol);
768 }
769
770 free(update);
771 free(response);
772 return status;
773 }
774
775 /**
776 * Implementation of kernel_interface_t.query_sa.
777 */
778 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
779 u_int32_t spi, protocol_id_t protocol, u_int32_t *use_time)
780 {
781 unsigned char request[BUFFER_SIZE];
782 struct nlmsghdr *response;
783 struct nlmsghdr *hdr;
784 struct xfrm_usersa_id *sa_id;
785 struct xfrm_usersa_info *sa_info;
786
787 DBG2(DBG_KNL, "querying SA");
788 memset(&request, 0, sizeof(request));
789
790 hdr = (struct nlmsghdr*)request;
791 hdr->nlmsg_flags = NLM_F_REQUEST;
792 hdr->nlmsg_type = XFRM_MSG_GETSA;
793 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
794
795 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
796 host2xfrm(dst, &sa_id->daddr);
797 sa_id->spi = spi;
798 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
799 sa_id->family = dst->get_family(dst);
800
801 if (send_message(this, hdr, &response) != SUCCESS)
802 {
803 DBG1(DBG_KNL, "netlink communication failed");
804 return FAILED;
805 }
806 else if (response->nlmsg_type != XFRM_MSG_NEWSA)
807 {
808 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA not acknowledged");
809 free(response);
810 return FAILED;
811 }
812 else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
813 {
814 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply");
815 free(response);
816 return FAILED;
817 }
818
819 sa_info = (struct xfrm_usersa_info*)NLMSG_DATA(response);
820 *use_time = sa_info->curlft.use_time;
821
822 free(response);
823 return SUCCESS;
824 }
825
826 /**
827 * Implementation of kernel_interface_t.del_sa.
828 */
829 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
830 u_int32_t spi, protocol_id_t protocol)
831 {
832 unsigned char request[BUFFER_SIZE];
833 struct nlmsghdr *response;
834 struct nlmsghdr *hdr;
835 struct xfrm_usersa_id *sa_id;
836
837 memset(&request, 0, sizeof(request));
838 status_t status = SUCCESS;
839
840 DBG2(DBG_KNL, "deleting SA");
841
842 hdr = (struct nlmsghdr*)request;
843 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
844 hdr->nlmsg_type = XFRM_MSG_DELSA;
845 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
846
847 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
848 host2xfrm(dst, &sa_id->daddr);
849 sa_id->spi = spi;
850 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
851 sa_id->family = dst->get_family(dst);
852
853 if (send_message(this, hdr, &response) != SUCCESS)
854 {
855 DBG1(DBG_KNL, "netlink communication failed");
856 return FAILED;
857 }
858 else if (response->nlmsg_type != NLMSG_ERROR)
859 {
860 DBG1(DBG_KNL, "netlink request XFRM_MSG_DELSA not acknowledged");
861 status = FAILED;
862 }
863 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
864 {
865 DBG1(DBG_KNL, "netlink request XFRM_MSG_DELSA got an error: %s",
866 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
867 status = FAILED;
868 }
869
870 free(response);
871 return status;
872 }
873
874 /**
875 * convert a traffic selector address range to subnet and its mask.
876 */
877 static void ts2subnet(traffic_selector_t* ts,
878 xfrm_address_t *net, u_int8_t *mask)
879 {
880 /* there is no way to do this cleanly, as the address range may
881 * be anything else but a subnet. We use from_addr as subnet
882 * and try to calculate a usable subnet mask.
883 */
884 int byte, bit;
885 bool found = FALSE;
886 chunk_t from, to;
887 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
888
889 from = ts->get_from_address(ts);
890 to = ts->get_to_address(ts);
891
892 *mask = (size * 8);
893 /* go trough all bits of the addresses, beginning in the front.
894 * As longer as they equal, the subnet gets larger */
895 for (byte = 0; byte < size; byte++)
896 {
897 for (bit = 7; bit >= 0; bit--)
898 {
899 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
900 {
901 *mask = ((7 - bit) + (byte * 8));
902 found = TRUE;
903 break;
904 }
905 }
906 if (found)
907 {
908 break;
909 }
910 }
911 memcpy(net, from.ptr, from.len);
912 chunk_free(&from);
913 chunk_free(&to);
914 }
915
916 /**
917 * convert a traffic selector port range to port/portmask
918 */
919 static void ts2ports(traffic_selector_t* ts,
920 u_int16_t *port, u_int16_t *mask)
921 {
922 /* linux does not seem to accept complex portmasks. Only
923 * any or a specific port is allowed. We set to any, if we have
924 * a port range, or to a specific, if we have one port only.
925 */
926 u_int16_t from, to;
927
928 from = ts->get_from_port(ts);
929 to = ts->get_to_port(ts);
930
931 if (from == to)
932 {
933 *port = htons(from);
934 *mask = ~0;
935 }
936 else
937 {
938 *port = 0;
939 *mask = 0;
940 }
941 }
942
943 /**
944 * convert a pair of traffic_selectors to a xfrm_selector
945 */
946 static struct xfrm_selector ts2selector(traffic_selector_t *src,
947 traffic_selector_t *dst)
948 {
949 struct xfrm_selector sel;
950
951 memset(&sel, 0, sizeof(sel));
952 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
953 /* src or dest proto may be "any" (0), use more restrictive one */
954 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
955 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
956 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
957 ts2ports(dst, &sel.dport, &sel.dport_mask);
958 ts2ports(src, &sel.sport, &sel.sport_mask);
959 sel.ifindex = 0;
960 sel.user = 0;
961
962 return sel;
963 }
964
965 /**
966 * Implementation of kernel_interface_t.add_policy.
967 */
968 static status_t add_policy(private_kernel_interface_t *this,
969 host_t *src, host_t *dst,
970 traffic_selector_t *src_ts,
971 traffic_selector_t *dst_ts,
972 policy_dir_t direction, protocol_id_t protocol,
973 u_int32_t reqid, bool high_prio, bool update)
974 {
975 iterator_t *iterator;
976 kernel_policy_t *current, *policy;
977 bool found = FALSE;
978 unsigned char request[BUFFER_SIZE];
979 struct nlmsghdr *response;
980 struct xfrm_userpolicy_info *policy_info;
981 struct nlmsghdr *hdr;
982 status_t status = SUCCESS;
983
984 /* create a policy */
985 policy = malloc_thing(kernel_policy_t);
986 memset(policy, 0, sizeof(kernel_policy_t));
987 policy->sel = ts2selector(src_ts, dst_ts);
988 policy->direction = direction;
989
990 /* find the policy, which matches EXACTLY */
991 pthread_mutex_lock(&this->pol_mutex);
992 iterator = this->policies->create_iterator(this->policies, TRUE);
993 while (iterator->iterate(iterator, (void**)&current))
994 {
995 if (memcmp(current, policy, sizeof(struct xfrm_selector)) == 0 &&
996 policy->direction == current->direction)
997 {
998 free(policy);
999 /* use existing policy */
1000 if (!update)
1001 {
1002 current->refcount++;
1003 DBG2(DBG_KNL, "policy already exists, increasing refcount");
1004 if (!high_prio)
1005 {
1006 /* if added policy is for a ROUTED child_sa, do not
1007 * overwrite existing INSTALLED policy */
1008 iterator->destroy(iterator);
1009 pthread_mutex_unlock(&this->pol_mutex);
1010 return SUCCESS;
1011 }
1012 }
1013 policy = current;
1014 found = TRUE;
1015 break;
1016 }
1017 }
1018 iterator->destroy(iterator);
1019 if (!found)
1020 { /* apply the new one, if we have no such policy */
1021 this->policies->insert_last(this->policies, policy);
1022 policy->refcount = 1;
1023 }
1024
1025 DBG2(DBG_KNL, "adding policy");
1026
1027 memset(&request, 0, sizeof(request));
1028 hdr = (struct nlmsghdr*)request;
1029 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1030 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
1031 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1032
1033 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1034 policy_info->sel = policy->sel;
1035 policy_info->dir = policy->direction;
1036 /* calculate priority based on source selector size, small size = high prio */
1037 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1038 policy_info->priority -= policy->sel.prefixlen_s * 10;
1039 policy_info->priority -= policy->sel.proto ? 2 : 0;
1040 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1041 policy_info->action = XFRM_POLICY_ALLOW;
1042 policy_info->share = XFRM_SHARE_ANY;
1043 pthread_mutex_unlock(&this->pol_mutex);
1044
1045 /* policies don't expire */
1046 policy_info->lft.soft_byte_limit = XFRM_INF;
1047 policy_info->lft.soft_packet_limit = XFRM_INF;
1048 policy_info->lft.hard_byte_limit = XFRM_INF;
1049 policy_info->lft.hard_packet_limit = XFRM_INF;
1050 policy_info->lft.soft_add_expires_seconds = 0;
1051 policy_info->lft.hard_add_expires_seconds = 0;
1052 policy_info->lft.soft_use_expires_seconds = 0;
1053 policy_info->lft.hard_use_expires_seconds = 0;
1054
1055 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1056 rthdr->rta_type = XFRMA_TMPL;
1057
1058 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
1059 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
1060
1061 hdr->nlmsg_len += rthdr->rta_len;
1062 if (hdr->nlmsg_len > sizeof(request))
1063 {
1064 return FAILED;
1065 }
1066
1067 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1068 tmpl->reqid = reqid;
1069 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
1070 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1071 tmpl->mode = TRUE;
1072 tmpl->family = src->get_family(src);
1073
1074 host2xfrm(src, &tmpl->saddr);
1075 host2xfrm(dst, &tmpl->id.daddr);
1076
1077 if (send_message(this, hdr, &response) != SUCCESS)
1078 {
1079 DBG1(DBG_KNL, "netlink communication failed");
1080 return FAILED;
1081 }
1082 else if (response->nlmsg_type != NLMSG_ERROR)
1083 {
1084 DBG1(DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY not acknowledged");
1085 status = FAILED;
1086 }
1087 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
1088 {
1089 DBG1(DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY got an error: %s",
1090 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
1091 status = FAILED;
1092 }
1093
1094 free(response);
1095 return status;
1096 }
1097
1098 /**
1099 * Implementation of kernel_interface_t.query_policy.
1100 */
1101 static status_t query_policy(private_kernel_interface_t *this,
1102 traffic_selector_t *src_ts,
1103 traffic_selector_t *dst_ts,
1104 policy_dir_t direction, u_int32_t *use_time)
1105 {
1106 unsigned char request[BUFFER_SIZE];
1107 struct nlmsghdr *response;
1108 struct nlmsghdr *hdr;
1109 struct xfrm_userpolicy_id *policy_id;
1110 struct xfrm_userpolicy_info *policy;
1111
1112 memset(&request, 0, sizeof(request));
1113 status_t status = SUCCESS;
1114
1115 DBG2(DBG_KNL, "querying policy");
1116
1117 hdr = (struct nlmsghdr*)request;
1118 hdr->nlmsg_flags = NLM_F_REQUEST;
1119 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1120 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1121
1122 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1123 policy_id->sel = ts2selector(src_ts, dst_ts);
1124 policy_id->dir = direction;
1125
1126 if (send_message(this, hdr, &response) != SUCCESS)
1127 {
1128 DBG1(DBG_KNL, "netlink communication failed");
1129 return FAILED;
1130 }
1131 else if (response->nlmsg_type == NLMSG_ERROR)
1132 {
1133 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an error: %s",
1134 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
1135 free(response);
1136 return FAILED;
1137 }
1138 else if (response->nlmsg_type != XFRM_MSG_NEWPOLICY)
1139 {
1140 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an unknown reply");
1141 free(response);
1142 return FAILED;
1143 }
1144 else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)))
1145 {
1146 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an invalid reply");
1147 free(response);
1148 return FAILED;
1149 }
1150
1151 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(response);
1152
1153 *use_time = (time_t)policy->curlft.use_time;
1154
1155 free(response);
1156 return status;
1157 }
1158
1159 /**
1160 * Implementation of kernel_interface_t.del_policy.
1161 */
1162 static status_t del_policy(private_kernel_interface_t *this,
1163 traffic_selector_t *src_ts,
1164 traffic_selector_t *dst_ts,
1165 policy_dir_t direction)
1166 {
1167 kernel_policy_t *current, policy, *to_delete = NULL;
1168 unsigned char request[BUFFER_SIZE];
1169 struct nlmsghdr *response;
1170 struct nlmsghdr *hdr;
1171 struct xfrm_userpolicy_id *policy_id;
1172 iterator_t *iterator;
1173 status_t status = SUCCESS;
1174
1175 DBG2(DBG_KNL, "deleting policy");
1176
1177 /* create a policy */
1178 memset(&policy, 0, sizeof(kernel_policy_t));
1179 policy.sel = ts2selector(src_ts, dst_ts);
1180 policy.direction = direction;
1181
1182 /* find the policy */
1183 pthread_mutex_lock(&this->pol_mutex);
1184 iterator = this->policies->create_iterator(this->policies, TRUE);
1185 while (iterator->iterate(iterator, (void**)&current))
1186 {
1187 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
1188 policy.direction == current->direction)
1189 {
1190 to_delete = current;
1191 if (--to_delete->refcount > 0)
1192 {
1193 /* is used by more SAs, keep in kernel */
1194 DBG2(DBG_KNL, "is used by other SAs, not removed");
1195 iterator->destroy(iterator);
1196 pthread_mutex_unlock(&this->pol_mutex);
1197 return SUCCESS;
1198 }
1199 /* remove if last reference */
1200 iterator->remove(iterator);
1201 break;
1202 }
1203 }
1204 iterator->destroy(iterator);
1205 pthread_mutex_unlock(&this->pol_mutex);
1206 if (!to_delete)
1207 {
1208 DBG1(DBG_KNL, "no such policy found");
1209 return NOT_FOUND;
1210 }
1211
1212 memset(&request, 0, sizeof(request));
1213
1214 hdr = (struct nlmsghdr*)request;
1215 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1216 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1217 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1218
1219 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1220 policy_id->sel = to_delete->sel;
1221 policy_id->dir = direction;
1222
1223 free(to_delete);
1224
1225 if (send_message(this, hdr, &response) != SUCCESS)
1226 {
1227 DBG1(DBG_KNL, "netlink communication failed");
1228 return FAILED;
1229 }
1230 else if (response->nlmsg_type != NLMSG_ERROR)
1231 {
1232 DBG1(DBG_KNL, "netlink request XFRM_MSG_DELPOLICY not acknowledged");
1233 status = FAILED;
1234 }
1235 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
1236 {
1237 DBG1(DBG_KNL, "netlink request XFRM_MSG_DELPOLICY got an error: %s",
1238 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
1239 status = FAILED;
1240 }
1241
1242 free(response);
1243 return status;
1244 }
1245
1246 /**
1247 * Implementation of kernel_interface_t.destroy.
1248 */
1249 static void destroy(private_kernel_interface_t *this)
1250 {
1251 pthread_cancel(this->thread);
1252 pthread_join(this->thread, NULL);
1253 close(this->socket);
1254 this->responses->destroy(this->responses);
1255 this->policies->destroy(this->policies);
1256 free(this);
1257 }
1258
1259 /*
1260 * Described in header.
1261 */
1262 kernel_interface_t *kernel_interface_create()
1263 {
1264 struct sockaddr_nl addr;
1265 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
1266
1267 /* public functions */
1268 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1269 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,bool))add_sa;
1270 this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
1271 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
1272 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1273 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,bool))add_policy;
1274 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1275 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1276 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
1277
1278 /* private members */
1279 this->pid = getpid();
1280 this->responses = linked_list_create();
1281 this->policies = linked_list_create();
1282 pthread_mutex_init(&(this->rep_mutex),NULL);
1283 pthread_mutex_init(&(this->pol_mutex),NULL);
1284 pthread_cond_init(&(this->condvar),NULL);
1285 this->seq = 0;
1286
1287 /* open netlink socket */
1288 this->socket = socket(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1289 if (this->socket <= 0)
1290 {
1291 this->responses->destroy(this->responses);
1292 free(this);
1293 charon->kill(charon, "Unable to create netlink socket");
1294 }
1295
1296 /* bind the socket and reqister for ACQUIRE & EXPIRE */
1297 addr.nl_family = AF_NETLINK;
1298 addr.nl_pid = getpid();
1299 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
1300 if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) != 0)
1301 {
1302 this->responses->destroy(this->responses);
1303 close(this->socket);
1304 free(this);
1305 charon->kill(charon, "Unable to bind netlink socket");
1306 }
1307
1308 if (pthread_create(&this->thread, NULL, (void*(*)(void*))receive_messages, this) != 0)
1309 {
1310 this->responses->destroy(this->responses);
1311 close(this->socket);
1312 free(this);
1313 charon->kill(charon, "Unable to create netlink thread");
1314 }
1315
1316 return &this->public;
1317 }
strongSwan - IPsec VPN