b7460edb963240a1958429e5cc6d6b858613cc2a
[strongswan.git] / src / charon / threads / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006 Daniel Roethlisberger
12 * Copyright (C) 2005-2006 Martin Willi
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Contains modified parts from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
36 #include <pthread.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 #include <string.h>
41 #include <net/if.h>
42 #include <sys/ioctl.h>
43 #include <ifaddrs.h>
44
45 #include "kernel_interface.h"
46
47 #include <daemon.h>
48 #include <utils/linked_list.h>
49 #include <queues/jobs/delete_child_sa_job.h>
50 #include <queues/jobs/rekey_child_sa_job.h>
51 #include <queues/jobs/acquire_job.h>
52
53 /** kernel level protocol identifiers */
54 #define KERNEL_ESP 50
55 #define KERNEL_AH 51
56
57 /** default priority of installed policies */
58 #define PRIO_LOW 3000
59 #define PRIO_HIGH 2000
60
61 #define BUFFER_SIZE 1024
62
63 /**
64 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
65 * 'usual' netlink data x like 'struct xfrm_usersa_info'
66 */
67 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
68 /**
69 * returns a pointer to the next rtattr following rta.
70 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
71 */
72 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
73 /**
74 * returns the total size of attached rta data
75 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
76 */
77 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
78
79 typedef struct kernel_algorithm_t kernel_algorithm_t;
80
81 /**
82 * Mapping from the algorithms defined in IKEv2 to
83 * kernel level algorithm names and their key length
84 */
85 struct kernel_algorithm_t {
86 /**
87 * Identifier specified in IKEv2
88 */
89 int ikev2_id;
90
91 /**
92 * Name of the algorithm, as used as kernel identifier
93 */
94 char *name;
95
96 /**
97 * Key length in bits, if fixed size
98 */
99 u_int key_size;
100 };
101 #define END_OF_LIST -1
102
103 /**
104 * Algorithms for encryption
105 */
106 kernel_algorithm_t encryption_algs[] = {
107 /* {ENCR_DES_IV64, "***", 0}, */
108 {ENCR_DES, "des", 64},
109 {ENCR_3DES, "des3_ede", 192},
110 /* {ENCR_RC5, "***", 0}, */
111 /* {ENCR_IDEA, "***", 0}, */
112 {ENCR_CAST, "cast128", 0},
113 {ENCR_BLOWFISH, "blowfish", 0},
114 /* {ENCR_3IDEA, "***", 0}, */
115 /* {ENCR_DES_IV32, "***", 0}, */
116 {ENCR_NULL, "cipher_null", 0},
117 {ENCR_AES_CBC, "aes", 0},
118 /* {ENCR_AES_CTR, "***", 0}, */
119 {END_OF_LIST, NULL, 0},
120 };
121
122 /**
123 * Algorithms for integrity protection
124 */
125 kernel_algorithm_t integrity_algs[] = {
126 {AUTH_HMAC_MD5_96, "md5", 128},
127 {AUTH_HMAC_SHA1_96, "sha1", 160},
128 /* {AUTH_DES_MAC, "***", 0}, */
129 /* {AUTH_KPDK_MD5, "***", 0}, */
130 /* {AUTH_AES_XCBC_96, "***", 0}, */
131 {END_OF_LIST, NULL, 0},
132 };
133
134 /**
135 * Look up a kernel algorithm name and its key size
136 */
137 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
138 algorithm_t *ikev2_algo, u_int *key_size)
139 {
140 while (kernel_algo->ikev2_id != END_OF_LIST)
141 {
142 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
143 {
144 /* match, evaluate key length */
145 if (ikev2_algo->key_size)
146 { /* variable length */
147 *key_size = ikev2_algo->key_size;
148 }
149 else
150 { /* fixed length */
151 *key_size = kernel_algo->key_size;
152 }
153 return kernel_algo->name;
154 }
155 kernel_algo++;
156 }
157 return NULL;
158 }
159
160 typedef struct rt_refcount_t rt_refcount_t;
161
162 struct rt_refcount_t {
163 /** Index of the interface the route is bound to */
164 int if_index;
165
166 /** Source ip of the route */
167 host_t *src_ip;
168
169 /** Destination net */
170 chunk_t dst_net;
171
172 /** Destination net prefixlen */
173 u_int8_t prefixlen;
174 };
175
176 typedef struct kernel_policy_t kernel_policy_t;
177
178 /**
179 * Installed kernel policy.
180 */
181 struct kernel_policy_t {
182
183 /** direction of this policy: in, out, forward */
184 u_int8_t direction;
185
186 /** reqid of the policy */
187 u_int32_t reqid;
188
189 /** parameters of installed policy */
190 struct xfrm_selector sel;
191
192 /** associated route installed for this policy */
193 rt_refcount_t *route;
194
195 /** by how many CHILD_SA's this policy is used */
196 u_int refcount;
197 };
198
199 typedef struct vip_refcount_t vip_refcount_t;
200
201 /**
202 * Reference counter for for virtual ips.
203 */
204 struct vip_refcount_t {
205 /** Index of the interface the ip is bound to */
206 u_int8_t if_index;
207
208 /** The ip address */
209 host_t *ip;
210
211 /** Number of times this ip is used */
212 u_int refcount;
213 };
214
215 typedef struct private_kernel_interface_t private_kernel_interface_t;
216
217 /**
218 * Private variables and functions of kernel_interface class.
219 */
220 struct private_kernel_interface_t {
221 /**
222 * Public part of the kernel_interface_t object.
223 */
224 kernel_interface_t public;
225
226 /**
227 * List of installed policies (kernel_policy_t)
228 */
229 linked_list_t *policies;
230
231 /**
232 * Mutex locks access to policies list.
233 */
234 pthread_mutex_t pol_mutex;
235
236 /**
237 * Netlink communication socket for XFRM IPsec.
238 */
239 int xfrm_socket;
240
241 /**
242 * Netlink communication socket for routing & addresses.
243 */
244 int rt_socket;
245
246 /**
247 * Process id of kernel thread
248 */
249 pid_t pid;
250
251 /**
252 * Sequence number for messages.
253 */
254 u_int32_t seq;
255
256 /**
257 * List of responded messages.
258 */
259 linked_list_t *responses;
260
261 /**
262 * Thread which receives xfrm messages.
263 */
264 pthread_t xfrm_thread;
265
266 /**
267 * Thread which receives rt messages.
268 */
269 pthread_t rt_thread;
270
271 /**
272 * Mutex locks access to replies list.
273 */
274 pthread_mutex_t rep_mutex;
275
276 /**
277 * Condvar allows signaling of threads waiting for a reply.
278 */
279 pthread_cond_t condvar;
280
281 /**
282 * List of reference counter objects for all virtual ips.
283 */
284 linked_list_t *vips;
285
286 /**
287 * Mutex to lock access to vip list.
288 */
289 pthread_mutex_t vip_mutex;
290 };
291
292 /**
293 * Sends a message down to the kernel and waits for its response
294 */
295 static status_t send_message(private_kernel_interface_t *this,
296 struct nlmsghdr *request,
297 struct nlmsghdr **response,
298 int socket)
299 {
300 size_t length;
301 struct sockaddr_nl addr;
302
303 request->nlmsg_seq = ++this->seq;
304 request->nlmsg_pid = getpid();
305
306 memset(&addr, 0, sizeof(struct sockaddr_nl));
307 addr.nl_family = AF_NETLINK;
308 addr.nl_pid = 0;
309 addr.nl_groups = 0;
310
311 length = sendto(socket,(void *)request, request->nlmsg_len, 0,
312 (struct sockaddr *)&addr, sizeof(addr));
313
314 if (length < 0)
315 {
316 return FAILED;
317 }
318 else if (length != request->nlmsg_len)
319 {
320 DBG1(DBG_KNL, "error sending to netlink socket: %m");
321 return FAILED;
322 }
323
324 pthread_mutex_lock(&(this->rep_mutex));
325
326 DBG3(DBG_KNL, "waiting for netlink message with seq: %d",
327 request->nlmsg_seq);
328
329 while (TRUE)
330 {
331 iterator_t *iterator;
332 struct nlmsghdr *listed_response;
333 bool found = FALSE;
334
335 /* search list, break if found */
336 iterator = this->responses->create_iterator(this->responses, TRUE);
337 while (iterator->iterate(iterator, (void**)&listed_response))
338 {
339 if (listed_response->nlmsg_seq == request->nlmsg_seq)
340 {
341 /* matches our request, this is the reply */
342 *response = listed_response;
343 iterator->remove(iterator);
344 found = TRUE;
345 break;
346 }
347 }
348 iterator->destroy(iterator);
349
350 if (found)
351 {
352 break;
353 }
354 /* TODO: we should time out, if something goes wrong!??? */
355 pthread_cond_wait(&(this->condvar), &(this->rep_mutex));
356 }
357
358 pthread_mutex_unlock(&(this->rep_mutex));
359
360 return SUCCESS;
361 }
362
363 static int supersocket;
364
365 /**
366 * Reads from a netlink socket and returns the message in a buffer.
367 */
368 static void netlink_package_receiver(int socket, unsigned char *response, int response_size)
369 {
370 while (TRUE)
371 {
372 struct sockaddr_nl addr;
373 socklen_t addr_length;
374 size_t length;
375 addr_length = sizeof(addr);
376
377 length = recvfrom(socket, response, response_size, 0, (struct sockaddr*)&addr, &addr_length);
378 if (length < 0)
379 {
380 if (errno == EINTR)
381 {
382 /* interrupted, try again */
383 DBG1(DBG_IKE, "wtf1");
384 continue;
385 }
386 charon->kill(charon, "receiving from netlink socket failed\n");
387 }
388
389 if (!NLMSG_OK((struct nlmsghdr *)response, length))
390 {
391 /* bad netlink message */
392 continue;
393 }
394
395 if (addr.nl_pid != 0)
396 {
397 /* not from kernel. not interested, try another one */
398 continue;
399 }
400 /* good message, handle it */
401 return;
402 }
403 }
404
405 /**
406 * Takes a Netlink package from the response buffer and writes it to this->responses.
407 * Then it signals all waiting threads.
408 */
409 static void add_to_package_list(private_kernel_interface_t *this, unsigned char *response)
410 {
411 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
412 /* add response to queue */
413 struct nlmsghdr *listed_response = malloc(hdr->nlmsg_len);
414 memcpy(listed_response, response, hdr->nlmsg_len);
415
416 pthread_mutex_lock(&(this->rep_mutex));
417 this->responses->insert_last(this->responses, (void*)listed_response);
418 pthread_mutex_unlock(&(this->rep_mutex));
419 /* signal ALL waiting threads */
420 pthread_cond_broadcast(&(this->condvar));
421 }
422
423 /**
424 * Receives packages from this->xfrm_socket and puts them to this->package_list
425 */
426 static void receive_xfrm_messages(private_kernel_interface_t *this)
427 {
428 while(TRUE)
429 {
430 unsigned char response[BUFFER_SIZE];
431 struct nlmsghdr *hdr;
432 netlink_package_receiver(this->xfrm_socket, response, sizeof(response));
433
434 /* we handle ACQUIRE and EXPIRE messages directly */
435 hdr = (struct nlmsghdr*)response;
436 if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE)
437 {
438 u_int32_t reqid = 0;
439 job_t *job;
440 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_user_acquire);
441 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
442 if (RTA_OK(rthdr, rtsize))
443 {
444 if (rthdr->rta_type == XFRMA_TMPL)
445 {
446 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
447 reqid = tmpl->reqid;
448 }
449 }
450 if (reqid == 0)
451 {
452 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
453 }
454 else
455 {
456 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
457 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d",
458 reqid);
459 job = (job_t*)acquire_job_create(reqid);
460 charon->job_queue->add(charon->job_queue, job);
461 }
462 }
463 else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE)
464 {
465 job_t *job;
466 protocol_id_t protocol;
467 u_int32_t spi, reqid;
468 struct xfrm_user_expire *expire;
469
470 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
471 protocol = expire->state.id.proto == KERNEL_ESP ?
472 PROTO_ESP : PROTO_AH;
473 spi = expire->state.id.spi;
474 reqid = expire->state.reqid;
475
476 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
477 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
478 expire->hard ? "delete" : "rekey",
479 protocol_id_names, protocol, ntohl(spi),
480 reqid);
481 if (expire->hard)
482 {
483 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
484 }
485 else
486 {
487 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
488 }
489 charon->job_queue->add(charon->job_queue, job);
490 }
491 /* NLMSG_ERROR is sent back for acknowledge (or on error).
492 * XFRM_MSG_NEWSA is returned when we alloc spis and when
493 * updating SAs.
494 * XFRM_MSG_NEWPOLICY is returned when we query a policy.
495 */
496 else if (hdr->nlmsg_type == NLMSG_ERROR ||
497 hdr->nlmsg_type == XFRM_MSG_NEWSA ||
498 hdr->nlmsg_type == XFRM_MSG_NEWPOLICY)
499 {
500 add_to_package_list(this, response);
501 }
502 /* we are not interested in anything other.
503 * anyway, move on to the next message
504 */
505 continue;
506 }
507 }
508
509 /**
510 * Receives packages from this->rt_socket and puts them to this->package_list
511 */
512 static void receive_rt_messages(private_kernel_interface_t *this)
513 {
514 while(TRUE)
515 {
516 unsigned char response[BUFFER_SIZE*3];
517 struct nlmsghdr *hdr;
518 supersocket = this->rt_socket;
519 netlink_package_receiver(this->rt_socket,response, sizeof(response));
520
521 hdr = (struct nlmsghdr*)response;
522 /* NLMSG_ERROR is sent back for acknowledge (or on error).
523 * RTM_NEWROUTE is returned when we add a route.
524 */
525 if (hdr->nlmsg_type == NLMSG_ERROR ||
526 hdr->nlmsg_type == RTM_NEWROUTE ||
527 hdr->nlmsg_type == RTM_NEWLINK ||
528 hdr->nlmsg_type == RTM_NEWADDR)
529 {
530 add_to_package_list(this, response);
531 }
532 /* we are not interested in anything other.
533 * anyway, move on to the next message.
534 */
535 continue;
536 }
537 }
538
539 /**
540 * convert a host_t to a struct xfrm_address
541 */
542 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
543 {
544 chunk_t chunk = host->get_address(host);
545 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
546 }
547
548 /**
549 * Implementation of kernel_interface_t.get_spi.
550 */
551 static status_t get_spi(private_kernel_interface_t *this,
552 host_t *src, host_t *dst,
553 protocol_id_t protocol, u_int32_t reqid,
554 u_int32_t *spi)
555 {
556 unsigned char request[BUFFER_SIZE];
557 struct nlmsghdr *response;
558 struct nlmsghdr *hdr;
559 struct xfrm_userspi_info *userspi;
560
561 memset(&request, 0, sizeof(request));
562 status_t status = SUCCESS;
563
564 DBG2(DBG_KNL, "getting spi");
565
566 hdr = (struct nlmsghdr*)request;
567 hdr->nlmsg_flags = NLM_F_REQUEST;
568 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
569 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
570
571 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
572 host2xfrm(src, &userspi->info.saddr);
573 host2xfrm(dst, &userspi->info.id.daddr);
574 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
575 userspi->info.mode = TRUE; /* tunnel mode */
576 userspi->info.reqid = reqid;
577 userspi->info.family = src->get_family(src);
578 userspi->min = 0xc0000000;
579 userspi->max = 0xcFFFFFFF;
580
581 if (send_message(this, hdr, &response, this->xfrm_socket) != SUCCESS)
582 {
583 DBG1(DBG_KNL, "netlink communication failed");
584 return FAILED;
585 }
586 else if (response->nlmsg_type == NLMSG_ERROR)
587 {
588 DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an error: %s",
589 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
590 status = FAILED;
591 }
592 else if (response->nlmsg_type != XFRM_MSG_NEWSA)
593 {
594 DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got a unknown reply");
595 status = FAILED;
596 }
597 else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
598 {
599 DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an invalid reply");
600 status = FAILED;
601 }
602 else
603 {
604 *spi = ((struct xfrm_usersa_info*)NLMSG_DATA(response))->id.spi;
605 DBG2(DBG_KNL, "SPI is 0x%x", *spi);
606 }
607 free(response);
608
609 return status;
610 }
611
612 /**
613 * Implementation of kernel_interface_t.add_sa.
614 */
615 static status_t add_sa(private_kernel_interface_t *this,
616 host_t *src, host_t *dst, u_int32_t spi,
617 protocol_id_t protocol, u_int32_t reqid,
618 u_int64_t expire_soft, u_int64_t expire_hard,
619 algorithm_t *enc_alg, algorithm_t *int_alg,
620 prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
621 bool replace)
622 {
623 unsigned char request[BUFFER_SIZE];
624 struct nlmsghdr *response;
625 char *alg_name;
626 u_int key_size;
627 struct nlmsghdr *hdr;
628 struct xfrm_usersa_info *sa;
629
630 memset(&request, 0, sizeof(request));
631 status_t status = SUCCESS;
632
633 DBG2(DBG_KNL, "adding SA");
634
635 hdr = (struct nlmsghdr*)request;
636 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
637 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
638 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
639
640 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
641 host2xfrm(src, &sa->saddr);
642 host2xfrm(dst, &sa->id.daddr);
643 sa->id.spi = spi;
644 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
645 sa->family = src->get_family(src);
646 sa->mode = mode;
647 sa->replay_window = 32;
648 sa->reqid = reqid;
649 /* we currently do not expire SAs by volume/packet count */
650 sa->lft.soft_byte_limit = XFRM_INF;
651 sa->lft.hard_byte_limit = XFRM_INF;
652 sa->lft.soft_packet_limit = XFRM_INF;
653 sa->lft.hard_packet_limit = XFRM_INF;
654 /* we use lifetimes since added, not since used */
655 sa->lft.soft_add_expires_seconds = expire_soft;
656 sa->lft.hard_add_expires_seconds = expire_hard;
657 sa->lft.soft_use_expires_seconds = 0;
658 sa->lft.hard_use_expires_seconds = 0;
659
660 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
661
662 if (enc_alg->algorithm != ENCR_UNDEFINED)
663 {
664 rthdr->rta_type = XFRMA_ALG_CRYPT;
665 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
666 if (alg_name == NULL)
667 {
668 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
669 encryption_algorithm_names, enc_alg->algorithm);
670 return FAILED;
671 }
672 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
673 encryption_algorithm_names, enc_alg->algorithm, key_size);
674
675 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
676 hdr->nlmsg_len += rthdr->rta_len;
677 if (hdr->nlmsg_len > sizeof(request))
678 {
679 return FAILED;
680 }
681
682 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
683 algo->alg_key_len = key_size;
684 strcpy(algo->alg_name, alg_name);
685 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
686
687 rthdr = XFRM_RTA_NEXT(rthdr);
688 }
689
690 if (int_alg->algorithm != AUTH_UNDEFINED)
691 {
692 rthdr->rta_type = XFRMA_ALG_AUTH;
693 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
694 if (alg_name == NULL)
695 {
696 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
697 integrity_algorithm_names, int_alg->algorithm);
698 return FAILED;
699 }
700 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
701 integrity_algorithm_names, int_alg->algorithm, key_size);
702
703 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
704 hdr->nlmsg_len += rthdr->rta_len;
705 if (hdr->nlmsg_len > sizeof(request))
706 {
707 return FAILED;
708 }
709
710 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
711 algo->alg_key_len = key_size;
712 strcpy(algo->alg_name, alg_name);
713 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
714
715 rthdr = XFRM_RTA_NEXT(rthdr);
716 }
717
718 /* TODO: add IPComp here */
719
720 if (natt)
721 {
722 rthdr->rta_type = XFRMA_ENCAP;
723 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
724
725 hdr->nlmsg_len += rthdr->rta_len;
726 if (hdr->nlmsg_len > sizeof(request))
727 {
728 return FAILED;
729 }
730
731 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
732 encap->encap_type = UDP_ENCAP_ESPINUDP;
733 encap->encap_sport = htons(natt->sport);
734 encap->encap_dport = htons(natt->dport);
735 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
736 /* encap_oa could probably be derived from the
737 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
738 * pluto does the same as we do here but it uses encap_oa in the
739 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
740 * the kernel ignores it anyway
741 * -> does that mean that NAT-T encap doesn't work in transport mode?
742 * No. The reason the kernel ignores NAT-OA is that it recomputes
743 * (or, rather, just ignores) the checksum. If packets pass
744 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
745
746 rthdr = XFRM_RTA_NEXT(rthdr);
747 }
748
749 if (send_message(this, hdr, &response, this->xfrm_socket) != SUCCESS)
750 {
751 DBG1(DBG_KNL, "netlink communication failed");
752 return FAILED;
753 }
754 else if (response->nlmsg_type != NLMSG_ERROR)
755 {
756 DBG1(DBG_KNL, "netlink request XFRM_MSG_NEWSA not acknowledged");
757 status = FAILED;
758 }
759 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
760 {
761 DBG1(DBG_KNL, "netlink request XFRM_MSG_NEWSA got an error: %s",
762 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
763 status = FAILED;
764 }
765
766 free(response);
767 return status;
768 }
769
770 /**
771 * Implementation of kernel_interface_t.update_sa.
772 */
773 static status_t update_sa(
774 private_kernel_interface_t *this,
775 host_t *src, host_t *dst,
776 host_t *new_src, host_t *new_dst,
777 host_diff_t src_changes, host_diff_t dst_changes,
778 u_int32_t spi, protocol_id_t protocol)
779 {
780 unsigned char request[BUFFER_SIZE];
781 struct nlmsghdr *update, *response;
782 struct nlmsghdr *hdr;
783 struct xfrm_usersa_id *sa_id;
784
785 memset(&request, 0, sizeof(request));
786 status_t status = SUCCESS;
787
788 DBG2(DBG_KNL, "getting SA");
789
790 hdr = (struct nlmsghdr*)request;
791 hdr->nlmsg_flags = NLM_F_REQUEST;
792 hdr->nlmsg_type = XFRM_MSG_GETSA;
793 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
794
795 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
796 host2xfrm(dst, &sa_id->daddr);
797 sa_id->spi = spi;
798 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
799 sa_id->family = dst->get_family(dst);
800
801 if (send_message(this, hdr, &update, this->xfrm_socket) != SUCCESS)
802 {
803 DBG1(DBG_KNL, "netlink communication failed");
804 return FAILED;
805 }
806 else if (update->nlmsg_type == NLMSG_ERROR)
807 {
808 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an error: %s",
809 strerror(-((struct nlmsgerr*)NLMSG_DATA(update))->error));
810 free(update);
811 return FAILED;
812 }
813 else if (update->nlmsg_type != XFRM_MSG_NEWSA)
814 {
815 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got a unknown reply");
816 free(update);
817 return FAILED;
818 }
819 else if (update->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
820 {
821 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply");
822 free(update);
823 return FAILED;
824 }
825
826 DBG2(DBG_KNL, "updating SA");
827 update->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
828 update->nlmsg_type = XFRM_MSG_UPDSA;
829
830 struct xfrm_usersa_info *sa = (struct xfrm_usersa_info*)NLMSG_DATA(update);
831 if (src_changes & HOST_DIFF_ADDR)
832 {
833 host2xfrm(new_src, &sa->saddr);
834 }
835
836 if (dst_changes & HOST_DIFF_ADDR)
837 {
838 DBG2(DBG_KNL, "destination address changed! replacing SA");
839
840 update->nlmsg_type = XFRM_MSG_NEWSA;
841 host2xfrm(new_dst, &sa->id.daddr);
842 }
843
844 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
845 {
846 struct rtattr *rthdr = XFRM_RTA(update, struct xfrm_usersa_info);
847 size_t rtsize = XFRM_PAYLOAD(update, struct xfrm_usersa_info);
848 while (RTA_OK(rthdr, rtsize))
849 {
850 if (rthdr->rta_type == XFRMA_ENCAP)
851 {
852 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
853 encap->encap_sport = ntohs(new_src->get_port(new_src));
854 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
855 break;
856 }
857 rthdr = RTA_NEXT(rthdr, rtsize);
858 }
859 }
860
861 if (send_message(this, update, &response, this->xfrm_socket) != SUCCESS)
862 {
863 DBG1(DBG_KNL, "netlink communication failed");
864 free(update);
865 return FAILED;
866 }
867 else if (response->nlmsg_type != NLMSG_ERROR)
868 {
869 DBG1(DBG_KNL, "netlink request XFRM_MSG_XXXSA not acknowledged");
870 status = FAILED;
871 }
872 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
873 {
874 DBG1(DBG_KNL, "netlink request XFRM_MSG_XXXSA got an error: %s",
875 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
876 status = FAILED;
877 }
878 else if (dst_changes & HOST_DIFF_ADDR)
879 {
880 DBG2(DBG_KNL, "deleting old SA");
881 status = this->public.del_sa(&this->public, dst, spi, protocol);
882 }
883
884 free(update);
885 free(response);
886 return status;
887 }
888
889 /**
890 * Implementation of kernel_interface_t.query_sa.
891 */
892 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
893 u_int32_t spi, protocol_id_t protocol, u_int32_t *use_time)
894 {
895 unsigned char request[BUFFER_SIZE];
896 struct nlmsghdr *response;
897 struct nlmsghdr *hdr;
898 struct xfrm_usersa_id *sa_id;
899 struct xfrm_usersa_info *sa_info;
900
901 DBG2(DBG_KNL, "querying SA");
902 memset(&request, 0, sizeof(request));
903
904 hdr = (struct nlmsghdr*)request;
905 hdr->nlmsg_flags = NLM_F_REQUEST;
906 hdr->nlmsg_type = XFRM_MSG_GETSA;
907 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
908
909 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
910 host2xfrm(dst, &sa_id->daddr);
911 sa_id->spi = spi;
912 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
913 sa_id->family = dst->get_family(dst);
914
915 if (send_message(this, hdr, &response, this->xfrm_socket) != SUCCESS)
916 {
917 DBG1(DBG_KNL, "netlink communication failed");
918 return FAILED;
919 }
920 else if (response->nlmsg_type != XFRM_MSG_NEWSA)
921 {
922 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA not acknowledged");
923 free(response);
924 return FAILED;
925 }
926 else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
927 {
928 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply");
929 free(response);
930 return FAILED;
931 }
932
933 sa_info = (struct xfrm_usersa_info*)NLMSG_DATA(response);
934 *use_time = sa_info->curlft.use_time;
935
936 free(response);
937 return SUCCESS;
938 }
939
940 /**
941 * Implementation of kernel_interface_t.del_sa.
942 */
943 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
944 u_int32_t spi, protocol_id_t protocol)
945 {
946 unsigned char request[BUFFER_SIZE];
947 struct nlmsghdr *response;
948 struct nlmsghdr *hdr;
949 struct xfrm_usersa_id *sa_id;
950
951 memset(&request, 0, sizeof(request));
952 status_t status = SUCCESS;
953
954 DBG2(DBG_KNL, "deleting SA");
955
956 hdr = (struct nlmsghdr*)request;
957 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
958 hdr->nlmsg_type = XFRM_MSG_DELSA;
959 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
960
961 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
962 host2xfrm(dst, &sa_id->daddr);
963 sa_id->spi = spi;
964 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
965 sa_id->family = dst->get_family(dst);
966
967 if (send_message(this, hdr, &response, this->xfrm_socket) != SUCCESS)
968 {
969 DBG1(DBG_KNL, "netlink communication failed");
970 return FAILED;
971 }
972 else if (response->nlmsg_type != NLMSG_ERROR)
973 {
974 DBG1(DBG_KNL, "netlink request XFRM_MSG_DELSA not acknowledged");
975 status = FAILED;
976 }
977 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
978 {
979 DBG1(DBG_KNL, "netlink request XFRM_MSG_DELSA got an error: %s",
980 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
981 status = FAILED;
982 }
983
984 free(response);
985 return status;
986 }
987
988 /**
989 * convert a traffic selector address range to subnet and its mask.
990 */
991 static void ts2subnet(traffic_selector_t* ts,
992 xfrm_address_t *net, u_int8_t *mask)
993 {
994 /* there is no way to do this cleanly, as the address range may
995 * be anything else but a subnet. We use from_addr as subnet
996 * and try to calculate a usable subnet mask.
997 */
998 int byte, bit;
999 bool found = FALSE;
1000 chunk_t from, to;
1001 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
1002
1003 from = ts->get_from_address(ts);
1004 to = ts->get_to_address(ts);
1005
1006 *mask = (size * 8);
1007 /* go trough all bits of the addresses, beginning in the front.
1008 * as long as they are equal, the subnet gets larger
1009 */
1010 for (byte = 0; byte < size; byte++)
1011 {
1012 for (bit = 7; bit >= 0; bit--)
1013 {
1014 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
1015 {
1016 *mask = ((7 - bit) + (byte * 8));
1017 found = TRUE;
1018 break;
1019 }
1020 }
1021 if (found)
1022 {
1023 break;
1024 }
1025 }
1026 memcpy(net, from.ptr, from.len);
1027 chunk_free(&from);
1028 chunk_free(&to);
1029 }
1030
1031 /**
1032 * convert a traffic selector port range to port/portmask
1033 */
1034 static void ts2ports(traffic_selector_t* ts,
1035 u_int16_t *port, u_int16_t *mask)
1036 {
1037 /* linux does not seem to accept complex portmasks. Only
1038 * any or a specific port is allowed. We set to any, if we have
1039 * a port range, or to a specific, if we have one port only.
1040 */
1041 u_int16_t from, to;
1042
1043 from = ts->get_from_port(ts);
1044 to = ts->get_to_port(ts);
1045
1046 if (from == to)
1047 {
1048 *port = htons(from);
1049 *mask = ~0;
1050 }
1051 else
1052 {
1053 *port = 0;
1054 *mask = 0;
1055 }
1056 }
1057
1058 /**
1059 * convert a pair of traffic_selectors to a xfrm_selector
1060 */
1061 static struct xfrm_selector ts2selector(traffic_selector_t *src,
1062 traffic_selector_t *dst)
1063 {
1064 struct xfrm_selector sel;
1065
1066 memset(&sel, 0, sizeof(sel));
1067 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1068 /* src or dest proto may be "any" (0), use more restrictive one */
1069 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
1070 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
1071 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
1072 ts2ports(dst, &sel.dport, &sel.dport_mask);
1073 ts2ports(src, &sel.sport, &sel.sport_mask);
1074 sel.ifindex = 0;
1075 sel.user = 0;
1076
1077 return sel;
1078 }
1079
1080 /**
1081 * Tries to find an ip address of a local interface that is included in the
1082 * supplied traffic selector.
1083 */
1084 static status_t find_addr_by_ts(traffic_selector_t *ts, host_t **ip)
1085 {
1086 host_t *try = NULL, *local;
1087 int family;
1088
1089 /* if we have a family which includes localhost, we do not
1090 * search for an IP, we use the default */
1091 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1092
1093 if (family == AF_INET)
1094 {
1095 local = host_create_from_string("127.0.0.1", 0);
1096 }
1097 else
1098 {
1099 local = host_create_from_string("::1", 0);
1100 }
1101
1102 if (ts->includes(ts, local))
1103 {
1104 *ip = host_create_any(family);
1105 local->destroy(local);
1106 return SUCCESS;
1107 }
1108 local->destroy(local);
1109
1110 #ifdef HAVE_GETIFADDRS
1111 struct ifaddrs *list;
1112 struct ifaddrs *cur;
1113
1114 if (getifaddrs(&list) < 0)
1115 {
1116 return FAILED;
1117 }
1118
1119 for (cur = list; cur != NULL; cur = cur->ifa_next)
1120 {
1121 if (!(cur->ifa_flags & IFF_UP) || !cur->ifa_addr)
1122 {
1123 /* ignore interfaces which are down or have no address assigned */
1124 continue;
1125 }
1126
1127 try = host_create_from_sockaddr(cur->ifa_addr);
1128
1129 if (try && ts->includes(ts, try))
1130 {
1131 if (ip)
1132 {
1133 *ip = try;
1134 }
1135 freeifaddrs(list);
1136 return SUCCESS;
1137 }
1138
1139 DESTROY_IF(try);
1140 }
1141 freeifaddrs(list);
1142 return FAILED;
1143 #else /* !HAVE_GETIFADDRS */
1144
1145 /* only IPv4 supported yet */
1146 if (ts->get_type(ts) != TS_IPV4_ADDR_RANGE)
1147 {
1148 return FAILED;
1149 }
1150
1151 int skt = socket(PF_INET, SOCK_DGRAM, 0);
1152 struct ifconf conf;
1153 struct ifreq reqs[16];
1154
1155 conf.ifc_len = sizeof(reqs);
1156 conf.ifc_req = reqs;
1157
1158 if (ioctl(skt, SIOCGIFCONF, &conf) == -1)
1159 {
1160 DBG1(DBG_NET, "checking address using ioctl() failed: %m");
1161 close(skt);
1162 return FAILED;
1163 }
1164 close(skt);
1165
1166 while (conf.ifc_len >= sizeof(struct ifreq))
1167 {
1168 /* only IPv4 supported yet */
1169 if (conf.ifc_req->ifr_addr.sa_family != AF_INET)
1170 {
1171 continue;
1172 }
1173
1174 try = host_create_from_sockaddr(&conf.ifc_req->ifr_addr);
1175
1176 if (try && ts->includes(ts, try))
1177 {
1178 if (ip)
1179 {
1180 *ip = try;
1181 }
1182
1183 return SUCCESS;
1184 }
1185
1186 DESTROY_IF(try);
1187
1188 conf.ifc_len -= sizeof(struct ifreq);
1189 conf.ifc_req++;
1190 }
1191 return FAILED;
1192 #endif /* HAVE_GETIFADDRS */
1193 }
1194
1195 /**
1196 * forward declarations
1197 */
1198 static status_t manage_srcroute(private_kernel_interface_t*,int,int,rt_refcount_t*);
1199 static int get_iface(private_kernel_interface_t*,host_t*);
1200 static void rt_refcount_destroy(rt_refcount_t*);
1201
1202 /**
1203 * Implementation of kernel_interface_t.add_policy.
1204 */
1205 static status_t add_policy(private_kernel_interface_t *this,
1206 host_t *src, host_t *dst,
1207 traffic_selector_t *src_ts,
1208 traffic_selector_t *dst_ts,
1209 policy_dir_t direction, protocol_id_t protocol,
1210 u_int32_t reqid, bool high_prio, mode_t mode,
1211 bool update)
1212 {
1213 iterator_t *iterator;
1214 kernel_policy_t *current, *policy;
1215 bool found = FALSE;
1216 unsigned char request[BUFFER_SIZE];
1217 struct nlmsghdr *response;
1218 struct xfrm_userpolicy_info *policy_info;
1219 struct nlmsghdr *hdr;
1220
1221 /* create a policy */
1222 policy = malloc_thing(kernel_policy_t);
1223 memset(policy, 0, sizeof(kernel_policy_t));
1224 policy->sel = ts2selector(src_ts, dst_ts);
1225 policy->direction = direction;
1226
1227 /* find the policy, which matches EXACTLY */
1228 pthread_mutex_lock(&this->pol_mutex);
1229 iterator = this->policies->create_iterator(this->policies, TRUE);
1230 while (iterator->iterate(iterator, (void**)&current))
1231 {
1232 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
1233 policy->direction == current->direction)
1234 {
1235 free(policy);
1236 /* use existing policy */
1237 if (!update)
1238 {
1239 current->refcount++;
1240 DBG2(DBG_KNL, "policy already exists, increasing refcount");
1241 if (!high_prio)
1242 {
1243 /* if added policy is for a ROUTED child_sa, do not
1244 * overwrite existing INSTALLED policy */
1245 iterator->destroy(iterator);
1246 pthread_mutex_unlock(&this->pol_mutex);
1247 return SUCCESS;
1248 }
1249 }
1250 policy = current;
1251 found = TRUE;
1252 break;
1253 }
1254 }
1255 iterator->destroy(iterator);
1256 if (!found)
1257 { /* apply the new one, if we have no such policy */
1258 this->policies->insert_last(this->policies, policy);
1259 policy->refcount = 1;
1260 }
1261
1262 DBG2(DBG_KNL, "adding policy");
1263
1264 memset(&request, 0, sizeof(request));
1265 hdr = (struct nlmsghdr*)request;
1266 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1267 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
1268 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1269
1270 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1271 policy_info->sel = policy->sel;
1272 policy_info->dir = policy->direction;
1273 /* calculate priority based on source selector size, small size = high prio */
1274 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1275 policy_info->priority -= policy->sel.prefixlen_s * 10;
1276 policy_info->priority -= policy->sel.proto ? 2 : 0;
1277 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1278 policy_info->action = XFRM_POLICY_ALLOW;
1279 policy_info->share = XFRM_SHARE_ANY;
1280 pthread_mutex_unlock(&this->pol_mutex);
1281
1282 /* policies don't expire */
1283 policy_info->lft.soft_byte_limit = XFRM_INF;
1284 policy_info->lft.soft_packet_limit = XFRM_INF;
1285 policy_info->lft.hard_byte_limit = XFRM_INF;
1286 policy_info->lft.hard_packet_limit = XFRM_INF;
1287 policy_info->lft.soft_add_expires_seconds = 0;
1288 policy_info->lft.hard_add_expires_seconds = 0;
1289 policy_info->lft.soft_use_expires_seconds = 0;
1290 policy_info->lft.hard_use_expires_seconds = 0;
1291
1292 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1293 rthdr->rta_type = XFRMA_TMPL;
1294
1295 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
1296 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
1297
1298 hdr->nlmsg_len += rthdr->rta_len;
1299 if (hdr->nlmsg_len > sizeof(request))
1300 {
1301 return FAILED;
1302 }
1303
1304 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1305 tmpl->reqid = reqid;
1306 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
1307 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1308 tmpl->mode = mode;
1309 tmpl->family = src->get_family(src);
1310
1311 host2xfrm(src, &tmpl->saddr);
1312 host2xfrm(dst, &tmpl->id.daddr);
1313
1314 if (send_message(this, hdr, &response, this->xfrm_socket) != SUCCESS)
1315 {
1316 DBG1(DBG_KNL, "netlink communication failed");
1317 return FAILED;
1318 }
1319 else if (response->nlmsg_type != NLMSG_ERROR)
1320 {
1321 DBG1(DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY not acknowledged");
1322 free(response);
1323 return FAILED;
1324 }
1325 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
1326 {
1327 DBG1(DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY got an error: %s",
1328 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
1329 free(response);
1330 return FAILED;
1331 }
1332
1333
1334 if (direction == POLICY_FWD)
1335 {
1336 policy->route = malloc_thing(rt_refcount_t);
1337 if (find_addr_by_ts(dst_ts, &policy->route->src_ip) == SUCCESS)
1338 {
1339 policy->route->if_index = get_iface(this, dst);
1340 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1341 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
1342 policy->route->prefixlen = policy->sel.prefixlen_s;
1343
1344 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
1345 policy->route) != SUCCESS)
1346 {
1347 DBG1(DBG_KNL, "error installing route");
1348 rt_refcount_destroy(policy->route);
1349 policy->route = NULL;
1350 }
1351 }
1352 else
1353 {
1354 free(policy->route);
1355 policy->route = NULL;
1356 }
1357 }
1358
1359 free(response);
1360 return SUCCESS;
1361 }
1362
1363 /**
1364 * Implementation of kernel_interface_t.query_policy.
1365 */
1366 static status_t query_policy(private_kernel_interface_t *this,
1367 traffic_selector_t *src_ts,
1368 traffic_selector_t *dst_ts,
1369 policy_dir_t direction, u_int32_t *use_time)
1370 {
1371 unsigned char request[BUFFER_SIZE];
1372 struct nlmsghdr *response;
1373 struct nlmsghdr *hdr;
1374 struct xfrm_userpolicy_id *policy_id;
1375 struct xfrm_userpolicy_info *policy;
1376
1377 memset(&request, 0, sizeof(request));
1378 status_t status = SUCCESS;
1379
1380 DBG2(DBG_KNL, "querying policy");
1381
1382 hdr = (struct nlmsghdr*)request;
1383 hdr->nlmsg_flags = NLM_F_REQUEST;
1384 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1385 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1386
1387 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1388 policy_id->sel = ts2selector(src_ts, dst_ts);
1389 policy_id->dir = direction;
1390
1391 if (send_message(this, hdr, &response, this->xfrm_socket) != SUCCESS)
1392 {
1393 DBG1(DBG_KNL, "netlink communication failed");
1394 return FAILED;
1395 }
1396 else if (response->nlmsg_type == NLMSG_ERROR)
1397 {
1398 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an error: %s",
1399 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
1400 free(response);
1401 return FAILED;
1402 }
1403 else if (response->nlmsg_type != XFRM_MSG_NEWPOLICY)
1404 {
1405 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an unknown reply");
1406 free(response);
1407 return FAILED;
1408 }
1409 else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)))
1410 {
1411 DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an invalid reply");
1412 free(response);
1413 return FAILED;
1414 }
1415
1416 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(response);
1417
1418 *use_time = (time_t)policy->curlft.use_time;
1419
1420 free(response);
1421 return status;
1422 }
1423
1424 /**
1425 * Implementation of kernel_interface_t.del_policy.
1426 */
1427 static status_t del_policy(private_kernel_interface_t *this,
1428 traffic_selector_t *src_ts,
1429 traffic_selector_t *dst_ts,
1430 policy_dir_t direction)
1431 {
1432 kernel_policy_t *current, policy, *to_delete = NULL;
1433 rt_refcount_t *route;
1434 unsigned char request[BUFFER_SIZE];
1435 struct nlmsghdr *response;
1436 struct nlmsghdr *hdr;
1437 struct xfrm_userpolicy_id *policy_id;
1438 iterator_t *iterator;
1439
1440 DBG2(DBG_KNL, "deleting policy");
1441
1442 /* create a policy */
1443 memset(&policy, 0, sizeof(kernel_policy_t));
1444 policy.sel = ts2selector(src_ts, dst_ts);
1445 policy.direction = direction;
1446
1447 /* find the policy */
1448 pthread_mutex_lock(&this->pol_mutex);
1449 iterator = this->policies->create_iterator(this->policies, TRUE);
1450 while (iterator->iterate(iterator, (void**)&current))
1451 {
1452 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
1453 policy.direction == current->direction)
1454 {
1455 to_delete = current;
1456 if (--to_delete->refcount > 0)
1457 {
1458 /* is used by more SAs, keep in kernel */
1459 DBG2(DBG_KNL, "is used by other SAs, not removed");
1460 iterator->destroy(iterator);
1461 pthread_mutex_unlock(&this->pol_mutex);
1462 return SUCCESS;
1463 }
1464 /* remove if last reference */
1465 iterator->remove(iterator);
1466 break;
1467 }
1468 }
1469 iterator->destroy(iterator);
1470 pthread_mutex_unlock(&this->pol_mutex);
1471 if (!to_delete)
1472 {
1473 DBG1(DBG_KNL, "no such policy found");
1474 return NOT_FOUND;
1475 }
1476
1477 memset(&request, 0, sizeof(request));
1478
1479 hdr = (struct nlmsghdr*)request;
1480 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1481 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1482 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1483
1484 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1485 policy_id->sel = to_delete->sel;
1486 policy_id->dir = direction;
1487
1488 route = to_delete->route;
1489 free(to_delete);
1490
1491 if (send_message(this, hdr, &response, this->xfrm_socket) != SUCCESS)
1492 {
1493 DBG1(DBG_KNL, "netlink communication failed");
1494 return FAILED;
1495 }
1496 else if (response->nlmsg_type != NLMSG_ERROR)
1497 {
1498 DBG1(DBG_KNL, "netlink request XFRM_MSG_DELPOLICY not acknowledged");
1499 free(response);
1500 return FAILED;
1501 }
1502 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
1503 {
1504 DBG1(DBG_KNL, "netlink request XFRM_MSG_DELPOLICY got an error: %s",
1505 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
1506 free(response);
1507 return FAILED;
1508 }
1509
1510 if (route)
1511 {
1512 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
1513 {
1514 DBG1(DBG_KNL, "error uninstalling route");
1515 }
1516 rt_refcount_destroy(route);
1517 }
1518
1519 free(response);
1520 return SUCCESS;
1521 }
1522
1523 /**
1524 * Sends an RT_NETLINK request to the kernel.
1525 */
1526 static status_t send_rtrequest(private_kernel_interface_t *this, struct nlmsghdr *hdr)
1527 {
1528 struct nlmsghdr *response;
1529
1530 if (send_message(this, hdr, &response, this->rt_socket) != SUCCESS)
1531 {
1532 DBG1(DBG_KNL, "netlink communication failed");
1533 return FAILED;
1534 }
1535 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
1536 {
1537 DBG1(DBG_KNL, "netlink request got an error: %s (%d)",
1538 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error),
1539 -((struct nlmsgerr*)NLMSG_DATA(response))->error);
1540 free(response);
1541 return FAILED;
1542 }
1543
1544 free(response);
1545 return SUCCESS;
1546 }
1547
1548 /**
1549 * Creates an rtattr and adds it to the netlink message.
1550 */
1551 static status_t add_rtattr(struct nlmsghdr *hdr, int max_len,
1552 int rta_type, void *data, int data_len)
1553 {
1554 struct rtattr *rta;
1555
1556 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data_len) > max_len)
1557 {
1558 DBG1(DBG_KNL, "netlink message exceeded bound of %d", max_len);
1559 return FAILED;
1560 }
1561
1562 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
1563
1564 rta->rta_type = rta_type;
1565 rta->rta_len = RTA_LENGTH(data_len);
1566 memcpy(RTA_DATA(rta), data, data_len);
1567
1568 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
1569 return SUCCESS;
1570 }
1571
1572 /**
1573 * Manages the creation and deletion of ip addresses on an interface.
1574 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1575 */
1576 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1577 int flags, int if_index, host_t *ip)
1578 {
1579 unsigned char request[BUFFER_SIZE];
1580 struct nlmsghdr *hdr;
1581 struct ifaddrmsg *msg;
1582 chunk_t chunk;
1583
1584 DBG2(DBG_KNL, "adding virtual IP %H to interface %d", ip, if_index);
1585
1586 memset(&request, 0, sizeof(request));
1587
1588 chunk = ip->get_address(ip);
1589
1590 hdr = (struct nlmsghdr*)request;
1591 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1592 hdr->nlmsg_type = nlmsg_type;
1593 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1594
1595 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1596 msg->ifa_family = ip->get_family(ip);
1597 msg->ifa_flags = 0;
1598 msg->ifa_prefixlen = 8 * chunk.len;
1599 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1600 msg->ifa_index = if_index;
1601
1602 if (add_rtattr(hdr, sizeof(request), IFA_LOCAL,
1603 chunk.ptr, chunk.len) != SUCCESS)
1604 {
1605 return FAILED;
1606 }
1607
1608 return send_rtrequest(this, hdr);
1609 }
1610
1611 /**
1612 * send a netlink message and wait for a reply
1613 */
1614 static status_t netlink_send(int socket, struct nlmsghdr *in,
1615 struct nlmsghdr **out, size_t *out_len)
1616 {
1617 int len, addr_len;
1618 struct sockaddr_nl addr;
1619 chunk_t result = chunk_empty, tmp;
1620 struct nlmsghdr *msg, peek;
1621
1622 static int seq = 200;
1623 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
1624
1625
1626 pthread_mutex_lock(&mutex);
1627
1628 in->nlmsg_seq = ++seq;
1629 in->nlmsg_pid = getpid();
1630
1631 memset(&addr, 0, sizeof(addr));
1632 addr.nl_family = AF_NETLINK;
1633 addr.nl_pid = 0;
1634 addr.nl_groups = 0;
1635
1636 while (TRUE)
1637 {
1638 len = sendto(socket, in, in->nlmsg_len, 0,
1639 (struct sockaddr*)&addr, sizeof(addr));
1640
1641 if (len != in->nlmsg_len)
1642 {
1643 if (errno == EINTR)
1644 {
1645 /* interrupted, try again */
1646 continue;
1647 }
1648 pthread_mutex_unlock(&mutex);
1649 DBG1(DBG_KNL, "error sending to netlink socket: %m");
1650 return FAILED;
1651 }
1652 break;
1653 }
1654
1655 for(;;)
1656 {
1657 tmp = chunk_alloca(2048);
1658 msg = (struct nlmsghdr*)tmp.ptr;
1659
1660 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
1661 (struct sockaddr*)&addr, &addr_len);
1662 if (len < 0)
1663 {
1664 if (errno == EINTR)
1665 {
1666 /* interrupted, try again */
1667 continue;
1668 }
1669 DBG1(DBG_IKE, "error reading from netlink socket: %m");
1670 pthread_mutex_unlock(&mutex);
1671 return FAILED;
1672 }
1673 if (!NLMSG_OK(msg, len))
1674 {
1675 DBG1(DBG_IKE, "received corrupted netlink message");
1676 pthread_mutex_unlock(&mutex);
1677 return FAILED;
1678 }
1679 if (msg->nlmsg_seq != seq)
1680 {
1681 DBG1(DBG_IKE, "received invalid netlink sequence number");
1682 if (msg->nlmsg_seq < seq)
1683 {
1684 continue;
1685 }
1686 pthread_mutex_unlock(&mutex);
1687 return FAILED;
1688 }
1689
1690 tmp.len = len;
1691 result = chunk_cata("cc", result, tmp);
1692
1693 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
1694 * numbers to detect multi header messages */
1695 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
1696 (struct sockaddr*)&addr, &addr_len);
1697
1698 if (len == sizeof(peek) && peek.nlmsg_seq == seq)
1699 {
1700 /* seems to be multipart */
1701 continue;
1702 }
1703 break;
1704 }
1705
1706 *out_len = result.len;
1707 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
1708
1709 pthread_mutex_unlock(&mutex);
1710
1711 return SUCCESS;
1712 }
1713
1714 static int get_iface(private_kernel_interface_t *this, host_t* ip)
1715 {
1716 unsigned char request[BUFFER_SIZE];
1717 struct nlmsghdr *hdr, *tofree;
1718 struct rtgenmsg *msg;
1719 int ifindex = 0;
1720 size_t len;
1721 chunk_t target, current;
1722
1723 memset(&request, 0, sizeof(request));
1724
1725 hdr = (struct nlmsghdr*)request;
1726 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
1727 hdr->nlmsg_type = RTM_GETADDR;
1728 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
1729
1730 msg = (struct rtgenmsg*)NLMSG_DATA(hdr);
1731 msg->rtgen_family = AF_UNSPEC;
1732
1733 target = ip->get_address(ip);
1734
1735 if (netlink_send(this->rt_socket, hdr, &hdr, &len) == SUCCESS)
1736 {
1737 tofree = hdr;
1738 while (NLMSG_OK(hdr, len))
1739 {
1740 switch (hdr->nlmsg_type)
1741 {
1742 case RTM_NEWADDR:
1743 {
1744 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
1745 struct rtattr *rta = IFA_RTA(msg);
1746 size_t rtasize = IFA_PAYLOAD (hdr);
1747
1748 while(RTA_OK(rta, rtasize))
1749 {
1750 if (rta->rta_type == IFA_ADDRESS)
1751 {
1752 current.len = rta->rta_len - 4;
1753 current.ptr = RTA_DATA(rta);
1754 if (chunk_equals(current, target))
1755 {
1756 ifindex = msg->ifa_index;
1757 break;
1758 }
1759 }
1760 rta = RTA_NEXT(rta, rtasize);
1761 }
1762 hdr = NLMSG_NEXT(hdr, len);
1763 continue;
1764 }
1765 default:
1766 hdr = NLMSG_NEXT(hdr, len);
1767 continue;
1768 case NLMSG_DONE:
1769 break;
1770 }
1771 break;
1772 }
1773 free(tofree);
1774 }
1775 else
1776 {
1777 DBG1(DBG_IKE, "unable to get interface address for %H", ip);
1778 }
1779 return ifindex;
1780 }
1781
1782 /**
1783 * Manages source routes in the routing table.
1784 * By setting the appropriate nlmsg_type, the route will be set or unset.
1785 */
1786 static status_t manage_srcroute(private_kernel_interface_t *this,
1787 int nlmsg_type, int flags, rt_refcount_t *route)
1788 {
1789 struct nlmsghdr *hdr;
1790 struct rtmsg *msg;
1791 unsigned char request[BUFFER_SIZE];
1792 chunk_t src;
1793
1794 /* if route is 0.0.0.0/0, we can't install it, as it would
1795 * overwrite the default route. Instead, we add two routes:
1796 * 0.0.0.0/1 and 128.0.0.0/1 */
1797 if (route->prefixlen == 0)
1798 {
1799 rt_refcount_t half;
1800 status_t status;
1801
1802 half.dst_net = chunk_alloca(route->dst_net.len);
1803 memset(half.dst_net.ptr, 0, half.dst_net.len);
1804 half.src_ip = route->src_ip;
1805 half.if_index = route->if_index;
1806 half.prefixlen = 1;
1807
1808 status = manage_srcroute(this, nlmsg_type, flags, &half);
1809 half.dst_net.ptr[0] |= 0x80;
1810 status = manage_srcroute(this, nlmsg_type, flags, &half);
1811 return status;
1812 }
1813
1814 memset(&request, 0, sizeof(request));
1815
1816 hdr = (struct nlmsghdr*)request;
1817 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1818 hdr->nlmsg_type = nlmsg_type;
1819 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1820
1821 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1822 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1823 msg->rtm_dst_len = route->prefixlen;
1824 msg->rtm_table = RT_TABLE_MAIN;
1825 msg->rtm_protocol = RTPROT_STATIC;
1826 msg->rtm_type = RTN_UNICAST;
1827 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1828
1829 if (add_rtattr(hdr, sizeof(request), RTA_DST,
1830 route->dst_net.ptr, route->dst_net.len) != SUCCESS)
1831 {
1832 return FAILED;
1833 }
1834
1835 src = route->src_ip->get_address(route->src_ip);
1836 if (add_rtattr(hdr, sizeof(request), RTA_PREFSRC,
1837 src.ptr, src.len) != SUCCESS)
1838 {
1839 return FAILED;
1840 }
1841
1842 if (add_rtattr(hdr, sizeof(request), RTA_OIF,
1843 &route->if_index, sizeof(route->if_index)) != SUCCESS)
1844 {
1845 return FAILED;
1846 }
1847
1848 return send_rtrequest(this, hdr);
1849 }
1850
1851 /**
1852 * destroy an rt_refcount object
1853 */
1854 static void rt_refcount_destroy(rt_refcount_t *this)
1855 {
1856 this->src_ip->destroy(this->src_ip);
1857 chunk_free(&this->dst_net);
1858 free(this);
1859 }
1860
1861 /**
1862 * destroy a vip_refcount object
1863 */
1864 static void vip_refcount_destroy(vip_refcount_t *this)
1865 {
1866 this->ip->destroy(this->ip);
1867 free(this);
1868 }
1869
1870 /**
1871 * Implementation of kernel_interface_t.add_ip.
1872 */
1873 static status_t add_ip(private_kernel_interface_t *this,
1874 host_t *virtual_ip, host_t *iface_ip)
1875 {
1876 int targetif;
1877 vip_refcount_t *listed;
1878 iterator_t *iterator;
1879
1880 DBG2(DBG_KNL, "adding ip addr: %H", virtual_ip);
1881
1882 targetif = get_iface(this, iface_ip);
1883 if (targetif == 0)
1884 {
1885 return FAILED;
1886 }
1887
1888 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1889 iterator = this->vips->create_iterator_locked(this->vips, &(this->vip_mutex));
1890 while (iterator->iterate(iterator, (void**)&listed))
1891 {
1892 if (listed->if_index == targetif &&
1893 virtual_ip->ip_equals(virtual_ip, listed->ip))
1894 {
1895 listed->refcount++;
1896 iterator->destroy(iterator);
1897 return SUCCESS;
1898 }
1899 }
1900 iterator->destroy(iterator);
1901
1902 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1903 targetif, virtual_ip) == SUCCESS)
1904 {
1905 listed = malloc_thing(vip_refcount_t);
1906 listed->ip = virtual_ip->clone(virtual_ip);
1907 listed->if_index = targetif;
1908 listed->refcount = 1;
1909 this->vips->insert_last(this->vips, listed);
1910 return SUCCESS;
1911 }
1912
1913 return FAILED;
1914 }
1915
1916 /**
1917 * Implementation of kernel_interface_t.del_ip.
1918 */
1919 static status_t del_ip(private_kernel_interface_t *this,
1920 host_t *virtual_ip, host_t *iface_ip)
1921 {
1922 int targetif;
1923 vip_refcount_t *listed;
1924 iterator_t *iterator;
1925
1926 DBG2(DBG_KNL, "deleting ip addr: %H", virtual_ip);
1927
1928 targetif = get_iface(this, iface_ip);
1929 if (targetif == 0)
1930 {
1931 return FAILED;
1932 }
1933
1934 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1935 iterator = this->vips->create_iterator_locked(this->vips, &(this->vip_mutex));
1936 while (iterator->iterate(iterator, (void**)&listed))
1937 {
1938 if (listed->if_index == targetif &&
1939 virtual_ip->ip_equals(virtual_ip, listed->ip))
1940 {
1941 listed->refcount--;
1942 if (listed->refcount == 0)
1943 {
1944 iterator->remove(iterator);
1945 vip_refcount_destroy(listed);
1946 iterator->destroy(iterator);
1947 return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip);
1948 }
1949 iterator->destroy(iterator);
1950 return SUCCESS;
1951 }
1952 }
1953 iterator->destroy(iterator);
1954
1955 return FAILED;
1956 }
1957
1958 /**
1959 * Implementation of kernel_interface_t.destroy.
1960 */
1961 static void destroy(private_kernel_interface_t *this)
1962 {
1963 pthread_cancel(this->xfrm_thread);
1964 pthread_join(this->xfrm_thread, NULL);
1965 pthread_cancel(this->rt_thread);
1966 pthread_join(this->rt_thread, NULL);
1967 close(this->xfrm_socket);
1968 close(this->rt_socket);
1969 this->vips->destroy_function(this->vips, (void*)vip_refcount_destroy);
1970 this->responses->destroy(this->responses);
1971 this->policies->destroy(this->policies);
1972 free(this);
1973 }
1974
1975 /*
1976 * Described in header.
1977 */
1978 kernel_interface_t *kernel_interface_create()
1979 {
1980 struct sockaddr_nl addr_xfrm;
1981 struct sockaddr_nl addr_rt;
1982 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
1983
1984 /* public functions */
1985 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1986 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
1987 this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
1988 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
1989 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1990 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
1991 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1992 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1993 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
1994 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
1995 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
1996
1997 /* private members */
1998 this->pid = getpid();
1999 this->responses = linked_list_create();
2000 this->vips = linked_list_create();
2001 this->policies = linked_list_create();
2002 pthread_mutex_init(&(this->rep_mutex),NULL);
2003 pthread_mutex_init(&(this->pol_mutex),NULL);
2004 pthread_mutex_init(&(this->vip_mutex),NULL);
2005 pthread_cond_init(&(this->condvar),NULL);
2006 this->seq = 0;
2007
2008 /* open xfrm netlink socket */
2009 this->xfrm_socket = socket(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2010 if (this->xfrm_socket <= 0)
2011 {
2012 DBG1(DBG_KNL, "Unable to create xfrm netlink socket");
2013 goto kill;
2014 }
2015
2016 /* bind the xfrm socket and reqister for ACQUIRE & EXPIRE */
2017 addr_xfrm.nl_family = AF_NETLINK;
2018 addr_xfrm.nl_pid = 0;
2019 addr_xfrm.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
2020 if (bind(this->xfrm_socket, (struct sockaddr*)&addr_xfrm, sizeof(addr_xfrm)))
2021 {
2022 DBG1(DBG_KNL, "Unable to bind xfrm netlink socket");
2023 goto kill_xfrm;
2024 }
2025
2026 if (pthread_create(&this->xfrm_thread, NULL,
2027 (void*(*)(void*))receive_xfrm_messages, this))
2028 {
2029 DBG1(DBG_KNL, "Unable to create xfrm netlink thread");
2030 goto kill_xfrm;
2031 }
2032
2033 /* open rt netlink socket */
2034 this->rt_socket = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2035 if (this->rt_socket <= 0)
2036 {
2037 DBG1(DBG_KNL, "Unable to create rt netlink socket");
2038 goto kill_xfrm_all;
2039 }
2040
2041 /* bind the socket_rt */
2042 addr_rt.nl_family = AF_NETLINK;
2043 addr_rt.nl_pid = 0;
2044 addr_rt.nl_groups = 0;
2045 if (bind(this->rt_socket, (struct sockaddr*)&addr_rt, sizeof(addr_rt)))
2046 {
2047 DBG1(DBG_KNL, "Unable to bind rt netlink socket");
2048 goto kill_rt;
2049 }
2050
2051 if (pthread_create(&this->rt_thread, NULL,
2052 (void*(*)(void*))receive_rt_messages, this))
2053 {
2054 DBG1(DBG_KNL, "Unable to create rt netlink thread");
2055 goto kill_rt;
2056 }
2057
2058 return &this->public;
2059
2060 kill_rt:
2061 close(this->rt_socket);
2062 kill_xfrm_all:
2063 pthread_cancel(this->xfrm_thread);
2064 pthread_join(this->xfrm_thread, NULL);
2065 kill_xfrm:
2066 close(this->xfrm_socket);
2067 kill:
2068 this->responses->destroy(this->responses);
2069 this->policies->destroy(this->policies);
2070 this->vips->destroy(this->vips);
2071 free(this);
2072 charon->kill(charon, "Unable to create kernel_interface");
2073 return NULL;
2074 }
2075
2076 /* vim: set ts=4 sw=4 noet: */
2077