89e95ade9c88832777087bb1c061470be6cb8e15
[strongswan.git] / src / libhydra / kernel / kernel_interface.c
1 /*
2 * Copyright (C) 2008-2015 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 * Copyright (C) 2010 Martin Willi
5 * Copyright (C) 2010 revosec AG
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /*
19 * Copyright (c) 2012 Nanoteq Pty Ltd
20 *
21 * Permission is hereby granted, free of charge, to any person obtaining a copy
22 * of this software and associated documentation files (the "Software"), to deal
23 * in the Software without restriction, including without limitation the rights
24 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
25 * copies of the Software, and to permit persons to whom the Software is
26 * furnished to do so, subject to the following conditions:
27 *
28 * The above copyright notice and this permission notice shall be included in
29 * all copies or substantial portions of the Software.
30 *
31 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
32 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
33 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
34 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
35 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
36 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
37 * THE SOFTWARE.
38 */
39
40 #include "kernel_interface.h"
41
42 #include <hydra.h>
43 #include <utils/debug.h>
44 #include <threading/mutex.h>
45 #include <collections/linked_list.h>
46 #include <collections/hashtable.h>
47 #include <collections/array.h>
48
49 typedef struct private_kernel_interface_t private_kernel_interface_t;
50
51 typedef struct kernel_algorithm_t kernel_algorithm_t;
52
53 /**
54 * Mapping of IKE algorithms to kernel-specific algorithm identifiers
55 */
56 struct kernel_algorithm_t {
57
58 /**
59 * Transform type of the algorithm
60 */
61 transform_type_t type;
62
63 /**
64 * Identifier specified in IKE
65 */
66 u_int16_t ike;
67
68 /**
69 * Identifier as defined in pfkeyv2.h
70 */
71 u_int16_t kernel;
72
73 /**
74 * Name of the algorithm in linux crypto API
75 */
76 char *name;
77 };
78
79 /**
80 * Private data of a kernel_interface_t object.
81 */
82 struct private_kernel_interface_t {
83
84 /**
85 * Public part of kernel_interface_t object.
86 */
87 kernel_interface_t public;
88
89 /**
90 * Registered IPsec constructor
91 */
92 kernel_ipsec_constructor_t ipsec_constructor;
93
94 /**
95 * Registered net constructor
96 */
97 kernel_net_constructor_t net_constructor;
98
99 /**
100 * ipsec interface
101 */
102 kernel_ipsec_t *ipsec;
103
104 /**
105 * network interface
106 */
107 kernel_net_t *net;
108
109 /**
110 * mutex for listeners
111 */
112 mutex_t *mutex;
113
114 /**
115 * list of registered listeners
116 */
117 linked_list_t *listeners;
118
119 /**
120 * Reqid entries indexed by reqids
121 */
122 hashtable_t *reqids;
123
124 /**
125 * Reqid entries indexed by traffic selectors
126 */
127 hashtable_t *reqids_by_ts;
128
129 /**
130 * mutex for algorithm mappings
131 */
132 mutex_t *mutex_algs;
133
134 /**
135 * List of algorithm mappings (kernel_algorithm_t*)
136 */
137 linked_list_t *algorithms;
138
139 /**
140 * List of interface names to include or exclude (char*), NULL if interfaces
141 * are not filtered
142 */
143 linked_list_t *ifaces_filter;
144
145 /**
146 * TRUE to exclude interfaces listed in ifaces_filter, FALSE to consider
147 * only those listed there
148 */
149 bool ifaces_exclude;
150 };
151
152 METHOD(kernel_interface_t, get_features, kernel_feature_t,
153 private_kernel_interface_t *this)
154 {
155 kernel_feature_t features = 0;
156
157 if (this->ipsec && this->ipsec->get_features)
158 {
159 features |= this->ipsec->get_features(this->ipsec);
160 }
161 if (this->net && this->net->get_features)
162 {
163 features |= this->net->get_features(this->net);
164 }
165 return features;
166 }
167
168 METHOD(kernel_interface_t, get_spi, status_t,
169 private_kernel_interface_t *this, host_t *src, host_t *dst,
170 u_int8_t protocol, u_int32_t *spi)
171 {
172 if (!this->ipsec)
173 {
174 return NOT_SUPPORTED;
175 }
176 return this->ipsec->get_spi(this->ipsec, src, dst, protocol, spi);
177 }
178
179 METHOD(kernel_interface_t, get_cpi, status_t,
180 private_kernel_interface_t *this, host_t *src, host_t *dst,
181 u_int16_t *cpi)
182 {
183 if (!this->ipsec)
184 {
185 return NOT_SUPPORTED;
186 }
187 return this->ipsec->get_cpi(this->ipsec, src, dst, cpi);
188 }
189
190 /**
191 * Reqid mapping entry
192 */
193 typedef struct {
194 /** allocated reqid */
195 u_int32_t reqid;
196 /** references to this entry */
197 u_int refs;
198 /** inbound mark used for SA */
199 mark_t mark_in;
200 /** outbound mark used for SA */
201 mark_t mark_out;
202 /** local traffic selectors */
203 array_t *local;
204 /** remote traffic selectors */
205 array_t *remote;
206 } reqid_entry_t;
207
208 /**
209 * Destroy a reqid mapping entry
210 */
211 static void reqid_entry_destroy(reqid_entry_t *entry)
212 {
213 array_destroy_offset(entry->local, offsetof(traffic_selector_t, destroy));
214 array_destroy_offset(entry->remote, offsetof(traffic_selector_t, destroy));
215 free(entry);
216 }
217
218 /**
219 * Hashtable hash function for reqid entries using reqid as key
220 */
221 static u_int hash_reqid(reqid_entry_t *entry)
222 {
223 return chunk_hash_inc(chunk_from_thing(entry->reqid),
224 chunk_hash_inc(chunk_from_thing(entry->mark_in),
225 chunk_hash(chunk_from_thing(entry->mark_out))));
226 }
227
228 /**
229 * Hashtable equals function for reqid entries using reqid as key
230 */
231 static bool equals_reqid(reqid_entry_t *a, reqid_entry_t *b)
232 {
233 return a->reqid == b->reqid &&
234 a->mark_in.value == b->mark_in.value &&
235 a->mark_in.mask == b->mark_in.mask &&
236 a->mark_out.value == b->mark_out.value &&
237 a->mark_out.mask == b->mark_out.mask;
238 }
239
240 /**
241 * Hash an array of traffic selectors
242 */
243 static u_int hash_ts_array(array_t *array, u_int hash)
244 {
245 enumerator_t *enumerator;
246 traffic_selector_t *ts;
247
248 enumerator = array_create_enumerator(array);
249 while (enumerator->enumerate(enumerator, &ts))
250 {
251 hash = ts->hash(ts, hash);
252 }
253 enumerator->destroy(enumerator);
254
255 return hash;
256 }
257
258 /**
259 * Hashtable hash function for reqid entries using traffic selectors as key
260 */
261 static u_int hash_reqid_by_ts(reqid_entry_t *entry)
262 {
263 return hash_ts_array(entry->local, hash_ts_array(entry->remote,
264 chunk_hash_inc(chunk_from_thing(entry->mark_in),
265 chunk_hash(chunk_from_thing(entry->mark_out)))));
266 }
267
268 /**
269 * Compare two array with traffic selectors for equality
270 */
271 static bool ts_array_equals(array_t *a, array_t *b)
272 {
273 traffic_selector_t *tsa, *tsb;
274 enumerator_t *ae, *be;
275 bool equal = TRUE;
276
277 if (array_count(a) != array_count(b))
278 {
279 return FALSE;
280 }
281
282 ae = array_create_enumerator(a);
283 be = array_create_enumerator(b);
284 while (equal && ae->enumerate(ae, &tsa) && be->enumerate(be, &tsb))
285 {
286 equal = tsa->equals(tsa, tsb);
287 }
288 ae->destroy(ae);
289 be->destroy(be);
290
291 return equal;
292 }
293
294 /**
295 * Hashtable equals function for reqid entries using traffic selectors as key
296 */
297 static bool equals_reqid_by_ts(reqid_entry_t *a, reqid_entry_t *b)
298 {
299 return ts_array_equals(a->local, b->local) &&
300 ts_array_equals(a->remote, b->remote) &&
301 a->mark_in.value == b->mark_in.value &&
302 a->mark_in.mask == b->mark_in.mask &&
303 a->mark_out.value == b->mark_out.value &&
304 a->mark_out.mask == b->mark_out.mask;
305 }
306
307 /**
308 * Create an array from copied traffic selector list items
309 */
310 static array_t *array_from_ts_list(linked_list_t *list)
311 {
312 enumerator_t *enumerator;
313 traffic_selector_t *ts;
314 array_t *array;
315
316 array = array_create(0, 0);
317
318 enumerator = list->create_enumerator(list);
319 while (enumerator->enumerate(enumerator, &ts))
320 {
321 array_insert(array, ARRAY_TAIL, ts->clone(ts));
322 }
323 enumerator->destroy(enumerator);
324
325 return array;
326 }
327
328 METHOD(kernel_interface_t, alloc_reqid, status_t,
329 private_kernel_interface_t *this,
330 linked_list_t *local_ts, linked_list_t *remote_ts,
331 mark_t mark_in, mark_t mark_out, u_int32_t *reqid)
332 {
333 static u_int32_t counter = 0;
334 reqid_entry_t *entry = NULL, *tmpl;
335 status_t status = SUCCESS;
336
337 INIT(tmpl,
338 .local = array_from_ts_list(local_ts),
339 .remote = array_from_ts_list(remote_ts),
340 .mark_in = mark_in,
341 .mark_out = mark_out,
342 .reqid = *reqid,
343 );
344
345 this->mutex->lock(this->mutex);
346 if (tmpl->reqid)
347 {
348 /* search by reqid if given */
349 entry = this->reqids->get(this->reqids, tmpl);
350 }
351 if (entry)
352 {
353 /* we don't require a traffic selector match for explicit reqids,
354 * as we wan't to reuse a reqid for trap-triggered policies that
355 * got narrowed during negotiation. */
356 reqid_entry_destroy(tmpl);
357 }
358 else
359 {
360 /* search by traffic selectors */
361 entry = this->reqids_by_ts->get(this->reqids_by_ts, tmpl);
362 if (entry)
363 {
364 reqid_entry_destroy(tmpl);
365 }
366 else
367 {
368 /* none found, create a new entry, allocating a reqid */
369 entry = tmpl;
370 entry->reqid = ++counter;
371 this->reqids_by_ts->put(this->reqids_by_ts, entry, entry);
372 this->reqids->put(this->reqids, entry, entry);
373 }
374 *reqid = entry->reqid;
375 }
376 entry->refs++;
377 this->mutex->unlock(this->mutex);
378
379 return status;
380 }
381
382 METHOD(kernel_interface_t, release_reqid, status_t,
383 private_kernel_interface_t *this, u_int32_t reqid,
384 mark_t mark_in, mark_t mark_out)
385 {
386 reqid_entry_t *entry, tmpl = {
387 .reqid = reqid,
388 .mark_in = mark_in,
389 .mark_out = mark_out,
390 };
391
392 this->mutex->lock(this->mutex);
393 entry = this->reqids->remove(this->reqids, &tmpl);
394 if (entry)
395 {
396 if (--entry->refs == 0)
397 {
398 entry = this->reqids_by_ts->remove(this->reqids_by_ts, entry);
399 if (entry)
400 {
401 reqid_entry_destroy(entry);
402 }
403 }
404 else
405 {
406 this->reqids->put(this->reqids, entry, entry);
407 }
408 }
409 this->mutex->unlock(this->mutex);
410
411 if (entry)
412 {
413 return SUCCESS;
414 }
415 return NOT_FOUND;
416 }
417
418 METHOD(kernel_interface_t, add_sa, status_t,
419 private_kernel_interface_t *this, host_t *src, host_t *dst,
420 u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
421 u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
422 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
423 u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
424 bool initiator, bool encap, bool esn, bool inbound, bool update,
425 linked_list_t *src_ts, linked_list_t *dst_ts)
426 {
427 if (!this->ipsec)
428 {
429 return NOT_SUPPORTED;
430 }
431 return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
432 mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
433 ipcomp, cpi, replay_window, initiator, encap, esn, inbound,
434 update, src_ts, dst_ts);
435 }
436
437 METHOD(kernel_interface_t, update_sa, status_t,
438 private_kernel_interface_t *this, u_int32_t spi, u_int8_t protocol,
439 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
440 bool encap, bool new_encap, mark_t mark)
441 {
442 if (!this->ipsec)
443 {
444 return NOT_SUPPORTED;
445 }
446 return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst,
447 new_src, new_dst, encap, new_encap, mark);
448 }
449
450 METHOD(kernel_interface_t, query_sa, status_t,
451 private_kernel_interface_t *this, host_t *src, host_t *dst,
452 u_int32_t spi, u_int8_t protocol, mark_t mark,
453 u_int64_t *bytes, u_int64_t *packets, time_t *time)
454 {
455 if (!this->ipsec)
456 {
457 return NOT_SUPPORTED;
458 }
459 return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark,
460 bytes, packets, time);
461 }
462
463 METHOD(kernel_interface_t, del_sa, status_t,
464 private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi,
465 u_int8_t protocol, u_int16_t cpi, mark_t mark)
466 {
467 if (!this->ipsec)
468 {
469 return NOT_SUPPORTED;
470 }
471 return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi, mark);
472 }
473
474 METHOD(kernel_interface_t, flush_sas, status_t,
475 private_kernel_interface_t *this)
476 {
477 if (!this->ipsec)
478 {
479 return NOT_SUPPORTED;
480 }
481 return this->ipsec->flush_sas(this->ipsec);
482 }
483
484 METHOD(kernel_interface_t, add_policy, status_t,
485 private_kernel_interface_t *this, host_t *src, host_t *dst,
486 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
487 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
488 mark_t mark, policy_priority_t priority)
489 {
490 if (!this->ipsec)
491 {
492 return NOT_SUPPORTED;
493 }
494 return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
495 direction, type, sa, mark, priority);
496 }
497
498 METHOD(kernel_interface_t, query_policy, status_t,
499 private_kernel_interface_t *this, traffic_selector_t *src_ts,
500 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
501 time_t *use_time)
502 {
503 if (!this->ipsec)
504 {
505 return NOT_SUPPORTED;
506 }
507 return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts,
508 direction, mark, use_time);
509 }
510
511 METHOD(kernel_interface_t, del_policy, status_t,
512 private_kernel_interface_t *this, host_t *src, host_t *dst,
513 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
514 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
515 mark_t mark, policy_priority_t priority)
516 {
517 if (!this->ipsec)
518 {
519 return NOT_SUPPORTED;
520 }
521 return this->ipsec->del_policy(this->ipsec, src, dst, src_ts, dst_ts,
522 direction, type, sa, mark, priority);
523 }
524
525 METHOD(kernel_interface_t, flush_policies, status_t,
526 private_kernel_interface_t *this)
527 {
528 if (!this->ipsec)
529 {
530 return NOT_SUPPORTED;
531 }
532 return this->ipsec->flush_policies(this->ipsec);
533 }
534
535 METHOD(kernel_interface_t, get_source_addr, host_t*,
536 private_kernel_interface_t *this, host_t *dest, host_t *src)
537 {
538 if (!this->net)
539 {
540 return NULL;
541 }
542 return this->net->get_source_addr(this->net, dest, src);
543 }
544
545 METHOD(kernel_interface_t, get_nexthop, host_t*,
546 private_kernel_interface_t *this, host_t *dest, int prefix, host_t *src)
547 {
548 if (!this->net)
549 {
550 return NULL;
551 }
552 return this->net->get_nexthop(this->net, dest, prefix, src);
553 }
554
555 METHOD(kernel_interface_t, get_interface, bool,
556 private_kernel_interface_t *this, host_t *host, char **name)
557 {
558 if (!this->net)
559 {
560 return NULL;
561 }
562 return this->net->get_interface(this->net, host, name);
563 }
564
565 METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*,
566 private_kernel_interface_t *this, kernel_address_type_t which)
567 {
568 if (!this->net)
569 {
570 return enumerator_create_empty();
571 }
572 return this->net->create_address_enumerator(this->net, which);
573 }
574
575 METHOD(kernel_interface_t, add_ip, status_t,
576 private_kernel_interface_t *this, host_t *virtual_ip, int prefix,
577 char *iface)
578 {
579 if (!this->net)
580 {
581 return NOT_SUPPORTED;
582 }
583 return this->net->add_ip(this->net, virtual_ip, prefix, iface);
584 }
585
586 METHOD(kernel_interface_t, del_ip, status_t,
587 private_kernel_interface_t *this, host_t *virtual_ip, int prefix, bool wait)
588 {
589 if (!this->net)
590 {
591 return NOT_SUPPORTED;
592 }
593 return this->net->del_ip(this->net, virtual_ip, prefix, wait);
594 }
595
596 METHOD(kernel_interface_t, add_route, status_t,
597 private_kernel_interface_t *this, chunk_t dst_net,
598 u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
599 {
600 if (!this->net)
601 {
602 return NOT_SUPPORTED;
603 }
604 return this->net->add_route(this->net, dst_net, prefixlen, gateway,
605 src_ip, if_name);
606 }
607
608 METHOD(kernel_interface_t, del_route, status_t,
609 private_kernel_interface_t *this, chunk_t dst_net,
610 u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
611 {
612 if (!this->net)
613 {
614 return NOT_SUPPORTED;
615 }
616 return this->net->del_route(this->net, dst_net, prefixlen, gateway,
617 src_ip, if_name);
618 }
619
620 METHOD(kernel_interface_t, bypass_socket, bool,
621 private_kernel_interface_t *this, int fd, int family)
622 {
623 if (!this->ipsec)
624 {
625 return FALSE;
626 }
627 return this->ipsec->bypass_socket(this->ipsec, fd, family);
628 }
629
630 METHOD(kernel_interface_t, enable_udp_decap, bool,
631 private_kernel_interface_t *this, int fd, int family, u_int16_t port)
632 {
633 if (!this->ipsec)
634 {
635 return FALSE;
636 }
637 return this->ipsec->enable_udp_decap(this->ipsec, fd, family, port);
638 }
639
640 METHOD(kernel_interface_t, is_interface_usable, bool,
641 private_kernel_interface_t *this, const char *iface)
642 {
643 status_t expected;
644
645 if (!this->ifaces_filter)
646 {
647 return TRUE;
648 }
649 expected = this->ifaces_exclude ? NOT_FOUND : SUCCESS;
650 return this->ifaces_filter->find_first(this->ifaces_filter, (void*)streq,
651 NULL, iface) == expected;
652 }
653
654 METHOD(kernel_interface_t, all_interfaces_usable, bool,
655 private_kernel_interface_t *this)
656 {
657 return this->ifaces_filter == NULL;
658 }
659
660 METHOD(kernel_interface_t, get_address_by_ts, status_t,
661 private_kernel_interface_t *this, traffic_selector_t *ts,
662 host_t **ip, bool *vip)
663 {
664 enumerator_t *addrs;
665 host_t *host;
666 int family;
667 bool found = FALSE;
668
669 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
670
671 /* if we have a family which includes localhost, we do not
672 * search for an IP, we use the default */
673 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
674
675 if (family == AF_INET)
676 {
677 host = host_create_from_string("127.0.0.1", 0);
678 }
679 else
680 {
681 host = host_create_from_string("::1", 0);
682 }
683
684 if (ts->includes(ts, host))
685 {
686 *ip = host_create_any(family);
687 host->destroy(host);
688 DBG2(DBG_KNL, "using host %H", *ip);
689 return SUCCESS;
690 }
691 host->destroy(host);
692
693 /* try virtual IPs only first (on all interfaces) */
694 addrs = create_address_enumerator(this,
695 ADDR_TYPE_ALL ^ ADDR_TYPE_REGULAR);
696 while (addrs->enumerate(addrs, (void**)&host))
697 {
698 if (ts->includes(ts, host))
699 {
700 found = TRUE;
701 *ip = host->clone(host);
702 if (vip)
703 {
704 *vip = TRUE;
705 }
706 break;
707 }
708 }
709 addrs->destroy(addrs);
710
711 if (!found)
712 { /* then try the regular addresses (on all interfaces) */
713 addrs = create_address_enumerator(this,
714 ADDR_TYPE_ALL ^ ADDR_TYPE_VIRTUAL);
715 while (addrs->enumerate(addrs, (void**)&host))
716 {
717 if (ts->includes(ts, host))
718 {
719 found = TRUE;
720 *ip = host->clone(host);
721 if (vip)
722 {
723 *vip = FALSE;
724 }
725 break;
726 }
727 }
728 addrs->destroy(addrs);
729 }
730
731 if (!found)
732 {
733 DBG2(DBG_KNL, "no local address found in traffic selector %R", ts);
734 return FAILED;
735 }
736
737 DBG2(DBG_KNL, "using host %H", *ip);
738 return SUCCESS;
739 }
740
741
742 METHOD(kernel_interface_t, add_ipsec_interface, bool,
743 private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
744 {
745 if (!this->ipsec)
746 {
747 this->ipsec_constructor = constructor;
748 this->ipsec = constructor();
749 return this->ipsec != NULL;
750 }
751 return FALSE;
752 }
753
754 METHOD(kernel_interface_t, remove_ipsec_interface, bool,
755 private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
756 {
757 if (constructor == this->ipsec_constructor && this->ipsec)
758 {
759 this->ipsec->destroy(this->ipsec);
760 this->ipsec = NULL;
761 return TRUE;
762 }
763 return FALSE;
764 }
765
766 METHOD(kernel_interface_t, add_net_interface, bool,
767 private_kernel_interface_t *this, kernel_net_constructor_t constructor)
768 {
769 if (!this->net)
770 {
771 this->net_constructor = constructor;
772 this->net = constructor();
773 return this->net != NULL;
774 }
775 return FALSE;
776 }
777
778 METHOD(kernel_interface_t, remove_net_interface, bool,
779 private_kernel_interface_t *this, kernel_net_constructor_t constructor)
780 {
781 if (constructor == this->net_constructor && this->net)
782 {
783 this->net->destroy(this->net);
784 this->net = NULL;
785 return TRUE;
786 }
787 return FALSE;
788 }
789
790 METHOD(kernel_interface_t, add_listener, void,
791 private_kernel_interface_t *this, kernel_listener_t *listener)
792 {
793 this->mutex->lock(this->mutex);
794 this->listeners->insert_last(this->listeners, listener);
795 this->mutex->unlock(this->mutex);
796 }
797
798 METHOD(kernel_interface_t, remove_listener, void,
799 private_kernel_interface_t *this, kernel_listener_t *listener)
800 {
801 this->mutex->lock(this->mutex);
802 this->listeners->remove(this->listeners, listener, NULL);
803 this->mutex->unlock(this->mutex);
804 }
805
806 METHOD(kernel_interface_t, acquire, void,
807 private_kernel_interface_t *this, u_int32_t reqid,
808 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
809 {
810 kernel_listener_t *listener;
811 enumerator_t *enumerator;
812 this->mutex->lock(this->mutex);
813 enumerator = this->listeners->create_enumerator(this->listeners);
814 while (enumerator->enumerate(enumerator, &listener))
815 {
816 if (listener->acquire &&
817 !listener->acquire(listener, reqid, src_ts, dst_ts))
818 {
819 this->listeners->remove_at(this->listeners, enumerator);
820 }
821 }
822 enumerator->destroy(enumerator);
823 this->mutex->unlock(this->mutex);
824 }
825
826 METHOD(kernel_interface_t, expire, void,
827 private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi,
828 host_t *dst, bool hard)
829 {
830 kernel_listener_t *listener;
831 enumerator_t *enumerator;
832
833 this->mutex->lock(this->mutex);
834 enumerator = this->listeners->create_enumerator(this->listeners);
835 while (enumerator->enumerate(enumerator, &listener))
836 {
837 if (listener->expire &&
838 !listener->expire(listener, protocol, spi, dst, hard))
839 {
840 this->listeners->remove_at(this->listeners, enumerator);
841 }
842 }
843 enumerator->destroy(enumerator);
844 this->mutex->unlock(this->mutex);
845 }
846
847 METHOD(kernel_interface_t, mapping, void,
848 private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi,
849 host_t *dst, host_t *remote)
850 {
851 kernel_listener_t *listener;
852 enumerator_t *enumerator;
853
854 this->mutex->lock(this->mutex);
855 enumerator = this->listeners->create_enumerator(this->listeners);
856 while (enumerator->enumerate(enumerator, &listener))
857 {
858 if (listener->mapping &&
859 !listener->mapping(listener, protocol, spi, dst, remote))
860 {
861 this->listeners->remove_at(this->listeners, enumerator);
862 }
863 }
864 enumerator->destroy(enumerator);
865 this->mutex->unlock(this->mutex);
866 }
867
868 METHOD(kernel_interface_t, migrate, void,
869 private_kernel_interface_t *this, u_int32_t reqid,
870 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
871 policy_dir_t direction, host_t *local, host_t *remote)
872 {
873 kernel_listener_t *listener;
874 enumerator_t *enumerator;
875 this->mutex->lock(this->mutex);
876 enumerator = this->listeners->create_enumerator(this->listeners);
877 while (enumerator->enumerate(enumerator, &listener))
878 {
879 if (listener->migrate &&
880 !listener->migrate(listener, reqid, src_ts, dst_ts, direction,
881 local, remote))
882 {
883 this->listeners->remove_at(this->listeners, enumerator);
884 }
885 }
886 enumerator->destroy(enumerator);
887 this->mutex->unlock(this->mutex);
888 }
889
890 static bool call_roam(kernel_listener_t *listener, bool *roam)
891 {
892 return listener->roam && !listener->roam(listener, *roam);
893 }
894
895 METHOD(kernel_interface_t, roam, void,
896 private_kernel_interface_t *this, bool address)
897 {
898 this->mutex->lock(this->mutex);
899 this->listeners->remove(this->listeners, &address, (void*)call_roam);
900 this->mutex->unlock(this->mutex);
901 }
902
903 METHOD(kernel_interface_t, tun, void,
904 private_kernel_interface_t *this, tun_device_t *tun, bool created)
905 {
906 kernel_listener_t *listener;
907 enumerator_t *enumerator;
908 this->mutex->lock(this->mutex);
909 enumerator = this->listeners->create_enumerator(this->listeners);
910 while (enumerator->enumerate(enumerator, &listener))
911 {
912 if (listener->tun &&
913 !listener->tun(listener, tun, created))
914 {
915 this->listeners->remove_at(this->listeners, enumerator);
916 }
917 }
918 enumerator->destroy(enumerator);
919 this->mutex->unlock(this->mutex);
920 }
921
922 METHOD(kernel_interface_t, register_algorithm, void,
923 private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type,
924 u_int16_t kernel_id, char *kernel_name)
925 {
926 kernel_algorithm_t *algorithm;
927
928 INIT(algorithm,
929 .type = type,
930 .ike = alg_id,
931 .kernel = kernel_id,
932 .name = strdup(kernel_name),
933 );
934
935 this->mutex_algs->lock(this->mutex_algs);
936 this->algorithms->insert_first(this->algorithms, algorithm);
937 this->mutex_algs->unlock(this->mutex_algs);
938 }
939
940 METHOD(kernel_interface_t, lookup_algorithm, bool,
941 private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type,
942 u_int16_t *kernel_id, char **kernel_name)
943 {
944 kernel_algorithm_t *algorithm;
945 enumerator_t *enumerator;
946 bool found = FALSE;
947
948 this->mutex_algs->lock(this->mutex_algs);
949 enumerator = this->algorithms->create_enumerator(this->algorithms);
950 while (enumerator->enumerate(enumerator, &algorithm))
951 {
952 if (algorithm->type == type && algorithm->ike == alg_id)
953 {
954 if (kernel_id)
955 {
956 *kernel_id = algorithm->kernel;
957 }
958 if (kernel_name)
959 {
960 *kernel_name = algorithm->name;
961 }
962 found = TRUE;
963 break;
964 }
965 }
966 enumerator->destroy(enumerator);
967 this->mutex_algs->unlock(this->mutex_algs);
968 return found;
969 }
970
971 METHOD(kernel_interface_t, destroy, void,
972 private_kernel_interface_t *this)
973 {
974 kernel_algorithm_t *algorithm;
975
976 while (this->algorithms->remove_first(this->algorithms,
977 (void**)&algorithm) == SUCCESS)
978 {
979 free(algorithm->name);
980 free(algorithm);
981 }
982 this->algorithms->destroy(this->algorithms);
983 this->mutex_algs->destroy(this->mutex_algs);
984 DESTROY_IF(this->ipsec);
985 DESTROY_IF(this->net);
986 DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
987 this->reqids->destroy(this->reqids);
988 this->reqids_by_ts->destroy(this->reqids_by_ts);
989 this->listeners->destroy(this->listeners);
990 this->mutex->destroy(this->mutex);
991 free(this);
992 }
993
994 /*
995 * Described in header-file
996 */
997 kernel_interface_t *kernel_interface_create()
998 {
999 private_kernel_interface_t *this;
1000 char *ifaces;
1001
1002 INIT(this,
1003 .public = {
1004 .get_features = _get_features,
1005 .get_spi = _get_spi,
1006 .get_cpi = _get_cpi,
1007 .alloc_reqid = _alloc_reqid,
1008 .release_reqid = _release_reqid,
1009 .add_sa = _add_sa,
1010 .update_sa = _update_sa,
1011 .query_sa = _query_sa,
1012 .del_sa = _del_sa,
1013 .flush_sas = _flush_sas,
1014 .add_policy = _add_policy,
1015 .query_policy = _query_policy,
1016 .del_policy = _del_policy,
1017 .flush_policies = _flush_policies,
1018 .get_source_addr = _get_source_addr,
1019 .get_nexthop = _get_nexthop,
1020 .get_interface = _get_interface,
1021 .create_address_enumerator = _create_address_enumerator,
1022 .add_ip = _add_ip,
1023 .del_ip = _del_ip,
1024 .add_route = _add_route,
1025 .del_route = _del_route,
1026 .bypass_socket = _bypass_socket,
1027 .enable_udp_decap = _enable_udp_decap,
1028
1029 .is_interface_usable = _is_interface_usable,
1030 .all_interfaces_usable = _all_interfaces_usable,
1031 .get_address_by_ts = _get_address_by_ts,
1032 .add_ipsec_interface = _add_ipsec_interface,
1033 .remove_ipsec_interface = _remove_ipsec_interface,
1034 .add_net_interface = _add_net_interface,
1035 .remove_net_interface = _remove_net_interface,
1036
1037 .add_listener = _add_listener,
1038 .remove_listener = _remove_listener,
1039 .register_algorithm = _register_algorithm,
1040 .lookup_algorithm = _lookup_algorithm,
1041 .acquire = _acquire,
1042 .expire = _expire,
1043 .mapping = _mapping,
1044 .migrate = _migrate,
1045 .roam = _roam,
1046 .tun = _tun,
1047 .destroy = _destroy,
1048 },
1049 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
1050 .listeners = linked_list_create(),
1051 .mutex_algs = mutex_create(MUTEX_TYPE_DEFAULT),
1052 .algorithms = linked_list_create(),
1053 .reqids = hashtable_create((hashtable_hash_t)hash_reqid,
1054 (hashtable_equals_t)equals_reqid, 8),
1055 .reqids_by_ts = hashtable_create((hashtable_hash_t)hash_reqid_by_ts,
1056 (hashtable_equals_t)equals_reqid_by_ts, 8),
1057 );
1058
1059 ifaces = lib->settings->get_str(lib->settings,
1060 "%s.interfaces_use", NULL, lib->ns);
1061 if (!ifaces)
1062 {
1063 this->ifaces_exclude = TRUE;
1064 ifaces = lib->settings->get_str(lib->settings,
1065 "%s.interfaces_ignore", NULL, lib->ns);
1066 }
1067 if (ifaces)
1068 {
1069 enumerator_t *enumerator;
1070 char *iface;
1071
1072 enumerator = enumerator_create_token(ifaces, ",", " ");
1073 while (enumerator->enumerate(enumerator, &iface))
1074 {
1075 if (!this->ifaces_filter)
1076 {
1077 this->ifaces_filter = linked_list_create();
1078 }
1079 this->ifaces_filter->insert_last(this->ifaces_filter,
1080 strdup(iface));
1081 }
1082 enumerator->destroy(enumerator);
1083 }
1084
1085 return &this->public;
1086 }