9452b8f847a64eef8aeec566097a9f8d9dd985f5
[strongswan.git] / src / libhydra / kernel / kernel_interface.c
1 /*
2 * Copyright (C) 2008-2013 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 * Copyright (C) 2010 Martin Willi
5 * Copyright (C) 2010 revosec AG
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /*
19 * Copyright (c) 2012 Nanoteq Pty Ltd
20 *
21 * Permission is hereby granted, free of charge, to any person obtaining a copy
22 * of this software and associated documentation files (the "Software"), to deal
23 * in the Software without restriction, including without limitation the rights
24 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
25 * copies of the Software, and to permit persons to whom the Software is
26 * furnished to do so, subject to the following conditions:
27 *
28 * The above copyright notice and this permission notice shall be included in
29 * all copies or substantial portions of the Software.
30 *
31 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
32 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
33 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
34 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
35 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
36 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
37 * THE SOFTWARE.
38 */
39
40 #include "kernel_interface.h"
41
42 #include <hydra.h>
43 #include <utils/debug.h>
44 #include <threading/mutex.h>
45 #include <collections/linked_list.h>
46 #include <collections/hashtable.h>
47 #include <collections/array.h>
48
49 typedef struct private_kernel_interface_t private_kernel_interface_t;
50
51 typedef struct kernel_algorithm_t kernel_algorithm_t;
52
53 /**
54 * Mapping of IKE algorithms to kernel-specific algorithm identifiers
55 */
56 struct kernel_algorithm_t {
57
58 /**
59 * Transform type of the algorithm
60 */
61 transform_type_t type;
62
63 /**
64 * Identifier specified in IKE
65 */
66 u_int16_t ike;
67
68 /**
69 * Identifier as defined in pfkeyv2.h
70 */
71 u_int16_t kernel;
72
73 /**
74 * Name of the algorithm in linux crypto API
75 */
76 char *name;
77 };
78
79 /**
80 * Private data of a kernel_interface_t object.
81 */
82 struct private_kernel_interface_t {
83
84 /**
85 * Public part of kernel_interface_t object.
86 */
87 kernel_interface_t public;
88
89 /**
90 * Registered IPsec constructor
91 */
92 kernel_ipsec_constructor_t ipsec_constructor;
93
94 /**
95 * Registered net constructor
96 */
97 kernel_net_constructor_t net_constructor;
98
99 /**
100 * ipsec interface
101 */
102 kernel_ipsec_t *ipsec;
103
104 /**
105 * network interface
106 */
107 kernel_net_t *net;
108
109 /**
110 * mutex for listeners
111 */
112 mutex_t *mutex;
113
114 /**
115 * list of registered listeners
116 */
117 linked_list_t *listeners;
118
119 /**
120 * Reqid entries indexed by reqids
121 */
122 hashtable_t *reqids;
123
124 /**
125 * Reqid entries indexed by traffic selectors
126 */
127 hashtable_t *reqids_by_ts;
128
129 /**
130 * mutex for algorithm mappings
131 */
132 mutex_t *mutex_algs;
133
134 /**
135 * List of algorithm mappings (kernel_algorithm_t*)
136 */
137 linked_list_t *algorithms;
138
139 /**
140 * List of interface names to include or exclude (char*), NULL if interfaces
141 * are not filtered
142 */
143 linked_list_t *ifaces_filter;
144
145 /**
146 * TRUE to exclude interfaces listed in ifaces_filter, FALSE to consider
147 * only those listed there
148 */
149 bool ifaces_exclude;
150 };
151
152 METHOD(kernel_interface_t, get_features, kernel_feature_t,
153 private_kernel_interface_t *this)
154 {
155 kernel_feature_t features = 0;
156
157 if (this->ipsec && this->ipsec->get_features)
158 {
159 features |= this->ipsec->get_features(this->ipsec);
160 }
161 if (this->net && this->net->get_features)
162 {
163 features |= this->net->get_features(this->net);
164 }
165 return features;
166 }
167
168 METHOD(kernel_interface_t, get_spi, status_t,
169 private_kernel_interface_t *this, host_t *src, host_t *dst,
170 u_int8_t protocol, u_int32_t *spi)
171 {
172 if (!this->ipsec)
173 {
174 return NOT_SUPPORTED;
175 }
176 return this->ipsec->get_spi(this->ipsec, src, dst, protocol, spi);
177 }
178
179 METHOD(kernel_interface_t, get_cpi, status_t,
180 private_kernel_interface_t *this, host_t *src, host_t *dst,
181 u_int16_t *cpi)
182 {
183 if (!this->ipsec)
184 {
185 return NOT_SUPPORTED;
186 }
187 return this->ipsec->get_cpi(this->ipsec, src, dst, cpi);
188 }
189
190 /**
191 * Reqid mapping entry
192 */
193 typedef struct {
194 /** allocated reqid */
195 u_int32_t reqid;
196 /** references to this entry */
197 u_int refs;
198 /** inbound mark used for SA */
199 mark_t mark_in;
200 /** outbound mark used for SA */
201 mark_t mark_out;
202 /** local traffic selectors */
203 array_t *local;
204 /** remote traffic selectors */
205 array_t *remote;
206 } reqid_entry_t;
207
208 /**
209 * Destroy a reqid mapping entry
210 */
211 static void reqid_entry_destroy(reqid_entry_t *entry)
212 {
213 array_destroy_offset(entry->local, offsetof(traffic_selector_t, destroy));
214 array_destroy_offset(entry->remote, offsetof(traffic_selector_t, destroy));
215 free(entry);
216 }
217
218 /**
219 * Hashtable hash function for reqid entries using reqid as key
220 */
221 static u_int hash_reqid(reqid_entry_t *entry)
222 {
223 return chunk_hash_inc(chunk_from_thing(entry->reqid),
224 chunk_hash_inc(chunk_from_thing(entry->mark_in),
225 chunk_hash(chunk_from_thing(entry->mark_out))));
226 }
227
228 /**
229 * Hashtable equals function for reqid entries using reqid as key
230 */
231 static bool equals_reqid(reqid_entry_t *a, reqid_entry_t *b)
232 {
233 return a->reqid == b->reqid &&
234 a->mark_in.value == b->mark_in.value &&
235 a->mark_in.mask == b->mark_in.mask &&
236 a->mark_out.value == b->mark_out.value &&
237 a->mark_out.mask == b->mark_out.mask;
238 }
239
240 /**
241 * Hash an array of traffic selectors
242 */
243 static u_int hash_ts_array(array_t *array, u_int hash)
244 {
245 enumerator_t *enumerator;
246 traffic_selector_t *ts;
247
248 enumerator = array_create_enumerator(array);
249 while (enumerator->enumerate(enumerator, &ts))
250 {
251 hash = ts->hash(ts, hash);
252 }
253 enumerator->destroy(enumerator);
254
255 return hash;
256 }
257
258 /**
259 * Hashtable hash function for reqid entries using traffic selectors as key
260 */
261 static u_int hash_reqid_by_ts(reqid_entry_t *entry)
262 {
263 return hash_ts_array(entry->local, hash_ts_array(entry->remote, 0));
264 }
265
266 /**
267 * Compare two array with traffic selectors for equality
268 */
269 static bool ts_array_equals(array_t *a, array_t *b)
270 {
271 traffic_selector_t *tsa, *tsb;
272 enumerator_t *ae, *be;
273 bool equal = TRUE;
274
275 if (array_count(a) != array_count(b))
276 {
277 return FALSE;
278 }
279
280 ae = array_create_enumerator(a);
281 be = array_create_enumerator(b);
282 while (equal && ae->enumerate(ae, &tsa) && be->enumerate(be, &tsb))
283 {
284 equal = tsa->equals(tsa, tsb);
285 }
286 ae->destroy(ae);
287 be->destroy(be);
288
289 return equal;
290 }
291
292 /**
293 * Check if mark b matches to a, optionally with reqid match
294 */
295 static bool mark_matches(mark_t a, mark_t b, u_int32_t reqid)
296 {
297 if (a.value == b.value)
298 {
299 return TRUE;
300 }
301 if (a.value == MARK_REQID && b.value == reqid)
302 {
303 return TRUE;
304 }
305 return FALSE;
306 }
307
308 /**
309 * Hashtable equals function for reqid entries using traffic selectors as key
310 */
311 static bool equals_reqid_by_ts(reqid_entry_t *a, reqid_entry_t *b)
312 {
313 if (ts_array_equals(a->local, b->local) &&
314 ts_array_equals(a->remote, b->remote) &&
315 a->mark_in.mask == b->mark_in.mask &&
316 a->mark_out.mask == b->mark_out.mask)
317 {
318 if (mark_matches(a->mark_in, b->mark_in, a->reqid) &&
319 mark_matches(a->mark_out, b->mark_out, a->reqid))
320 {
321 return TRUE;
322 }
323 if (mark_matches(b->mark_in, a->mark_in, b->reqid) &&
324 mark_matches(b->mark_out, a->mark_out, b->reqid))
325 {
326 return TRUE;
327 }
328 }
329 return FALSE;
330 }
331
332 /**
333 * Create an array from copied traffic selector list items
334 */
335 static array_t *array_from_ts_list(linked_list_t *list)
336 {
337 enumerator_t *enumerator;
338 traffic_selector_t *ts;
339 array_t *array;
340
341 array = array_create(0, 0);
342
343 enumerator = list->create_enumerator(list);
344 while (enumerator->enumerate(enumerator, &ts))
345 {
346 array_insert(array, ARRAY_TAIL, ts->clone(ts));
347 }
348 enumerator->destroy(enumerator);
349
350 return array;
351 }
352
353 METHOD(kernel_interface_t, alloc_reqid, status_t,
354 private_kernel_interface_t *this,
355 linked_list_t *local_ts, linked_list_t *remote_ts,
356 mark_t *mark_in, mark_t *mark_out, u_int32_t *reqid)
357 {
358 static u_int32_t counter = 0;
359 reqid_entry_t *entry = NULL, *tmpl;
360 status_t status = SUCCESS;
361
362 INIT(tmpl,
363 .local = array_from_ts_list(local_ts),
364 .remote = array_from_ts_list(remote_ts),
365 .mark_in = *mark_in,
366 .mark_out = *mark_out,
367 .reqid = *reqid,
368 );
369
370 this->mutex->lock(this->mutex);
371 if (tmpl->reqid)
372 {
373 /* search by reqid if given */
374 if (tmpl->mark_in.value == MARK_REQID)
375 {
376 tmpl->mark_in.value = tmpl->reqid;
377 }
378 if (tmpl->mark_out.value == MARK_REQID)
379 {
380 tmpl->mark_out.value = tmpl->reqid;
381 }
382 entry = this->reqids->get(this->reqids, tmpl);
383 }
384 if (entry)
385 {
386 /* we don't require a traffic selector match for explicit reqids,
387 * as we wan't to reuse a reqid for trap-triggered policies that
388 * got narrowed during negotiation. */
389 reqid_entry_destroy(tmpl);
390 }
391 else
392 {
393 /* search by traffic selectors. We do the search with MARK_REQID
394 * wildcards (if any), and update the marks if we find any match */
395 entry = this->reqids_by_ts->get(this->reqids_by_ts, tmpl);
396 if (entry)
397 {
398 reqid_entry_destroy(tmpl);
399 }
400 else
401 {
402 /* none found, create a new entry, allocating a reqid */
403 entry = tmpl;
404 entry->reqid = ++counter;
405 if (entry->mark_in.value == MARK_REQID)
406 {
407 entry->mark_in.value = entry->reqid;
408 }
409 if (entry->mark_out.value == MARK_REQID)
410 {
411 entry->mark_out.value = entry->reqid;
412 }
413 this->reqids_by_ts->put(this->reqids_by_ts, entry, entry);
414 this->reqids->put(this->reqids, entry, entry);
415 }
416 *reqid = entry->reqid;
417 }
418 *mark_in = entry->mark_in;
419 *mark_out = entry->mark_out;
420 entry->refs++;
421 this->mutex->unlock(this->mutex);
422
423 return status;
424 }
425
426 METHOD(kernel_interface_t, release_reqid, status_t,
427 private_kernel_interface_t *this, u_int32_t reqid,
428 mark_t mark_in, mark_t mark_out)
429 {
430 reqid_entry_t *entry, tmpl = {
431 .reqid = reqid,
432 .mark_in = mark_in,
433 .mark_out = mark_out,
434 };
435
436 this->mutex->lock(this->mutex);
437 entry = this->reqids->remove(this->reqids, &tmpl);
438 if (entry)
439 {
440 if (--entry->refs == 0)
441 {
442 entry = this->reqids_by_ts->remove(this->reqids_by_ts, entry);
443 if (entry)
444 {
445 reqid_entry_destroy(entry);
446 }
447 }
448 else
449 {
450 this->reqids->put(this->reqids, entry, entry);
451 }
452 }
453 this->mutex->unlock(this->mutex);
454
455 if (entry)
456 {
457 return SUCCESS;
458 }
459 return NOT_FOUND;
460 }
461
462 METHOD(kernel_interface_t, add_sa, status_t,
463 private_kernel_interface_t *this, host_t *src, host_t *dst,
464 u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
465 u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
466 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
467 u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
468 bool initiator, bool encap, bool esn, bool inbound,
469 linked_list_t *src_ts, linked_list_t *dst_ts)
470 {
471 if (!this->ipsec)
472 {
473 return NOT_SUPPORTED;
474 }
475 return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
476 mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
477 ipcomp, cpi, replay_window, initiator, encap, esn, inbound,
478 src_ts, dst_ts);
479 }
480
481 METHOD(kernel_interface_t, update_sa, status_t,
482 private_kernel_interface_t *this, u_int32_t spi, u_int8_t protocol,
483 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
484 bool encap, bool new_encap, mark_t mark)
485 {
486 if (!this->ipsec)
487 {
488 return NOT_SUPPORTED;
489 }
490 return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst,
491 new_src, new_dst, encap, new_encap, mark);
492 }
493
494 METHOD(kernel_interface_t, query_sa, status_t,
495 private_kernel_interface_t *this, host_t *src, host_t *dst,
496 u_int32_t spi, u_int8_t protocol, mark_t mark,
497 u_int64_t *bytes, u_int64_t *packets, time_t *time)
498 {
499 if (!this->ipsec)
500 {
501 return NOT_SUPPORTED;
502 }
503 return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark,
504 bytes, packets, time);
505 }
506
507 METHOD(kernel_interface_t, del_sa, status_t,
508 private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi,
509 u_int8_t protocol, u_int16_t cpi, mark_t mark)
510 {
511 if (!this->ipsec)
512 {
513 return NOT_SUPPORTED;
514 }
515 return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi, mark);
516 }
517
518 METHOD(kernel_interface_t, flush_sas, status_t,
519 private_kernel_interface_t *this)
520 {
521 if (!this->ipsec)
522 {
523 return NOT_SUPPORTED;
524 }
525 return this->ipsec->flush_sas(this->ipsec);
526 }
527
528 METHOD(kernel_interface_t, add_policy, status_t,
529 private_kernel_interface_t *this, host_t *src, host_t *dst,
530 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
531 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
532 mark_t mark, policy_priority_t priority)
533 {
534 if (!this->ipsec)
535 {
536 return NOT_SUPPORTED;
537 }
538 return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
539 direction, type, sa, mark, priority);
540 }
541
542 METHOD(kernel_interface_t, query_policy, status_t,
543 private_kernel_interface_t *this, traffic_selector_t *src_ts,
544 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
545 time_t *use_time)
546 {
547 if (!this->ipsec)
548 {
549 return NOT_SUPPORTED;
550 }
551 return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts,
552 direction, mark, use_time);
553 }
554
555 METHOD(kernel_interface_t, del_policy, status_t,
556 private_kernel_interface_t *this, traffic_selector_t *src_ts,
557 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
558 mark_t mark, policy_priority_t priority)
559 {
560 if (!this->ipsec)
561 {
562 return NOT_SUPPORTED;
563 }
564 return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts,
565 direction, reqid, mark, priority);
566 }
567
568 METHOD(kernel_interface_t, flush_policies, status_t,
569 private_kernel_interface_t *this)
570 {
571 if (!this->ipsec)
572 {
573 return NOT_SUPPORTED;
574 }
575 return this->ipsec->flush_policies(this->ipsec);
576 }
577
578 METHOD(kernel_interface_t, get_source_addr, host_t*,
579 private_kernel_interface_t *this, host_t *dest, host_t *src)
580 {
581 if (!this->net)
582 {
583 return NULL;
584 }
585 return this->net->get_source_addr(this->net, dest, src);
586 }
587
588 METHOD(kernel_interface_t, get_nexthop, host_t*,
589 private_kernel_interface_t *this, host_t *dest, int prefix, host_t *src)
590 {
591 if (!this->net)
592 {
593 return NULL;
594 }
595 return this->net->get_nexthop(this->net, dest, prefix, src);
596 }
597
598 METHOD(kernel_interface_t, get_interface, bool,
599 private_kernel_interface_t *this, host_t *host, char **name)
600 {
601 if (!this->net)
602 {
603 return NULL;
604 }
605 return this->net->get_interface(this->net, host, name);
606 }
607
608 METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*,
609 private_kernel_interface_t *this, kernel_address_type_t which)
610 {
611 if (!this->net)
612 {
613 return enumerator_create_empty();
614 }
615 return this->net->create_address_enumerator(this->net, which);
616 }
617
618 METHOD(kernel_interface_t, add_ip, status_t,
619 private_kernel_interface_t *this, host_t *virtual_ip, int prefix,
620 char *iface)
621 {
622 if (!this->net)
623 {
624 return NOT_SUPPORTED;
625 }
626 return this->net->add_ip(this->net, virtual_ip, prefix, iface);
627 }
628
629 METHOD(kernel_interface_t, del_ip, status_t,
630 private_kernel_interface_t *this, host_t *virtual_ip, int prefix, bool wait)
631 {
632 if (!this->net)
633 {
634 return NOT_SUPPORTED;
635 }
636 return this->net->del_ip(this->net, virtual_ip, prefix, wait);
637 }
638
639 METHOD(kernel_interface_t, add_route, status_t,
640 private_kernel_interface_t *this, chunk_t dst_net,
641 u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
642 {
643 if (!this->net)
644 {
645 return NOT_SUPPORTED;
646 }
647 return this->net->add_route(this->net, dst_net, prefixlen, gateway,
648 src_ip, if_name);
649 }
650
651 METHOD(kernel_interface_t, del_route, status_t,
652 private_kernel_interface_t *this, chunk_t dst_net,
653 u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
654 {
655 if (!this->net)
656 {
657 return NOT_SUPPORTED;
658 }
659 return this->net->del_route(this->net, dst_net, prefixlen, gateway,
660 src_ip, if_name);
661 }
662
663 METHOD(kernel_interface_t, bypass_socket, bool,
664 private_kernel_interface_t *this, int fd, int family)
665 {
666 if (!this->ipsec)
667 {
668 return FALSE;
669 }
670 return this->ipsec->bypass_socket(this->ipsec, fd, family);
671 }
672
673 METHOD(kernel_interface_t, enable_udp_decap, bool,
674 private_kernel_interface_t *this, int fd, int family, u_int16_t port)
675 {
676 if (!this->ipsec)
677 {
678 return FALSE;
679 }
680 return this->ipsec->enable_udp_decap(this->ipsec, fd, family, port);
681 }
682
683 METHOD(kernel_interface_t, is_interface_usable, bool,
684 private_kernel_interface_t *this, const char *iface)
685 {
686 status_t expected;
687
688 if (!this->ifaces_filter)
689 {
690 return TRUE;
691 }
692 expected = this->ifaces_exclude ? NOT_FOUND : SUCCESS;
693 return this->ifaces_filter->find_first(this->ifaces_filter, (void*)streq,
694 NULL, iface) == expected;
695 }
696
697 METHOD(kernel_interface_t, all_interfaces_usable, bool,
698 private_kernel_interface_t *this)
699 {
700 return this->ifaces_filter == NULL;
701 }
702
703 METHOD(kernel_interface_t, get_address_by_ts, status_t,
704 private_kernel_interface_t *this, traffic_selector_t *ts,
705 host_t **ip, bool *vip)
706 {
707 enumerator_t *addrs;
708 host_t *host;
709 int family;
710 bool found = FALSE;
711
712 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
713
714 /* if we have a family which includes localhost, we do not
715 * search for an IP, we use the default */
716 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
717
718 if (family == AF_INET)
719 {
720 host = host_create_from_string("127.0.0.1", 0);
721 }
722 else
723 {
724 host = host_create_from_string("::1", 0);
725 }
726
727 if (ts->includes(ts, host))
728 {
729 *ip = host_create_any(family);
730 host->destroy(host);
731 DBG2(DBG_KNL, "using host %H", *ip);
732 return SUCCESS;
733 }
734 host->destroy(host);
735
736 /* try virtual IPs only first (on all interfaces) */
737 addrs = create_address_enumerator(this,
738 ADDR_TYPE_ALL ^ ADDR_TYPE_REGULAR);
739 while (addrs->enumerate(addrs, (void**)&host))
740 {
741 if (ts->includes(ts, host))
742 {
743 found = TRUE;
744 *ip = host->clone(host);
745 if (vip)
746 {
747 *vip = TRUE;
748 }
749 break;
750 }
751 }
752 addrs->destroy(addrs);
753
754 if (!found)
755 { /* then try the regular addresses (on all interfaces) */
756 addrs = create_address_enumerator(this,
757 ADDR_TYPE_ALL ^ ADDR_TYPE_VIRTUAL);
758 while (addrs->enumerate(addrs, (void**)&host))
759 {
760 if (ts->includes(ts, host))
761 {
762 found = TRUE;
763 *ip = host->clone(host);
764 if (vip)
765 {
766 *vip = FALSE;
767 }
768 break;
769 }
770 }
771 addrs->destroy(addrs);
772 }
773
774 if (!found)
775 {
776 DBG2(DBG_KNL, "no local address found in traffic selector %R", ts);
777 return FAILED;
778 }
779
780 DBG2(DBG_KNL, "using host %H", *ip);
781 return SUCCESS;
782 }
783
784
785 METHOD(kernel_interface_t, add_ipsec_interface, void,
786 private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
787 {
788 if (!this->ipsec)
789 {
790 this->ipsec_constructor = constructor;
791 this->ipsec = constructor();
792 }
793 }
794
795 METHOD(kernel_interface_t, remove_ipsec_interface, void,
796 private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor)
797 {
798 if (constructor == this->ipsec_constructor && this->ipsec)
799 {
800 this->ipsec->destroy(this->ipsec);
801 this->ipsec = NULL;
802 }
803 }
804
805 METHOD(kernel_interface_t, add_net_interface, void,
806 private_kernel_interface_t *this, kernel_net_constructor_t constructor)
807 {
808 if (!this->net)
809 {
810 this->net_constructor = constructor;
811 this->net = constructor();
812 }
813 }
814
815 METHOD(kernel_interface_t, remove_net_interface, void,
816 private_kernel_interface_t *this, kernel_net_constructor_t constructor)
817 {
818 if (constructor == this->net_constructor && this->net)
819 {
820 this->net->destroy(this->net);
821 this->net = NULL;
822 }
823 }
824
825 METHOD(kernel_interface_t, add_listener, void,
826 private_kernel_interface_t *this, kernel_listener_t *listener)
827 {
828 this->mutex->lock(this->mutex);
829 this->listeners->insert_last(this->listeners, listener);
830 this->mutex->unlock(this->mutex);
831 }
832
833 METHOD(kernel_interface_t, remove_listener, void,
834 private_kernel_interface_t *this, kernel_listener_t *listener)
835 {
836 this->mutex->lock(this->mutex);
837 this->listeners->remove(this->listeners, listener, NULL);
838 this->mutex->unlock(this->mutex);
839 }
840
841 METHOD(kernel_interface_t, acquire, void,
842 private_kernel_interface_t *this, u_int32_t reqid,
843 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
844 {
845 kernel_listener_t *listener;
846 enumerator_t *enumerator;
847 this->mutex->lock(this->mutex);
848 enumerator = this->listeners->create_enumerator(this->listeners);
849 while (enumerator->enumerate(enumerator, &listener))
850 {
851 if (listener->acquire &&
852 !listener->acquire(listener, reqid, src_ts, dst_ts))
853 {
854 this->listeners->remove_at(this->listeners, enumerator);
855 }
856 }
857 enumerator->destroy(enumerator);
858 this->mutex->unlock(this->mutex);
859 }
860
861 METHOD(kernel_interface_t, expire, void,
862 private_kernel_interface_t *this, u_int32_t reqid, u_int8_t protocol,
863 u_int32_t spi, bool hard)
864 {
865 kernel_listener_t *listener;
866 enumerator_t *enumerator;
867 this->mutex->lock(this->mutex);
868 enumerator = this->listeners->create_enumerator(this->listeners);
869 while (enumerator->enumerate(enumerator, &listener))
870 {
871 if (listener->expire &&
872 !listener->expire(listener, reqid, protocol, spi, hard))
873 {
874 this->listeners->remove_at(this->listeners, enumerator);
875 }
876 }
877 enumerator->destroy(enumerator);
878 this->mutex->unlock(this->mutex);
879 }
880
881 METHOD(kernel_interface_t, mapping, void,
882 private_kernel_interface_t *this, u_int32_t reqid, u_int32_t spi,
883 host_t *remote)
884 {
885 kernel_listener_t *listener;
886 enumerator_t *enumerator;
887 this->mutex->lock(this->mutex);
888 enumerator = this->listeners->create_enumerator(this->listeners);
889 while (enumerator->enumerate(enumerator, &listener))
890 {
891 if (listener->mapping &&
892 !listener->mapping(listener, reqid, spi, remote))
893 {
894 this->listeners->remove_at(this->listeners, enumerator);
895 }
896 }
897 enumerator->destroy(enumerator);
898 this->mutex->unlock(this->mutex);
899 }
900
901 METHOD(kernel_interface_t, migrate, void,
902 private_kernel_interface_t *this, u_int32_t reqid,
903 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
904 policy_dir_t direction, host_t *local, host_t *remote)
905 {
906 kernel_listener_t *listener;
907 enumerator_t *enumerator;
908 this->mutex->lock(this->mutex);
909 enumerator = this->listeners->create_enumerator(this->listeners);
910 while (enumerator->enumerate(enumerator, &listener))
911 {
912 if (listener->migrate &&
913 !listener->migrate(listener, reqid, src_ts, dst_ts, direction,
914 local, remote))
915 {
916 this->listeners->remove_at(this->listeners, enumerator);
917 }
918 }
919 enumerator->destroy(enumerator);
920 this->mutex->unlock(this->mutex);
921 }
922
923 static bool call_roam(kernel_listener_t *listener, bool *roam)
924 {
925 return listener->roam && !listener->roam(listener, *roam);
926 }
927
928 METHOD(kernel_interface_t, roam, void,
929 private_kernel_interface_t *this, bool address)
930 {
931 this->mutex->lock(this->mutex);
932 this->listeners->remove(this->listeners, &address, (void*)call_roam);
933 this->mutex->unlock(this->mutex);
934 }
935
936 METHOD(kernel_interface_t, tun, void,
937 private_kernel_interface_t *this, tun_device_t *tun, bool created)
938 {
939 kernel_listener_t *listener;
940 enumerator_t *enumerator;
941 this->mutex->lock(this->mutex);
942 enumerator = this->listeners->create_enumerator(this->listeners);
943 while (enumerator->enumerate(enumerator, &listener))
944 {
945 if (listener->tun &&
946 !listener->tun(listener, tun, created))
947 {
948 this->listeners->remove_at(this->listeners, enumerator);
949 }
950 }
951 enumerator->destroy(enumerator);
952 this->mutex->unlock(this->mutex);
953 }
954
955 METHOD(kernel_interface_t, register_algorithm, void,
956 private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type,
957 u_int16_t kernel_id, char *kernel_name)
958 {
959 kernel_algorithm_t *algorithm;
960
961 INIT(algorithm,
962 .type = type,
963 .ike = alg_id,
964 .kernel = kernel_id,
965 .name = strdup(kernel_name),
966 );
967
968 this->mutex_algs->lock(this->mutex_algs);
969 this->algorithms->insert_first(this->algorithms, algorithm);
970 this->mutex_algs->unlock(this->mutex_algs);
971 }
972
973 METHOD(kernel_interface_t, lookup_algorithm, bool,
974 private_kernel_interface_t *this, u_int16_t alg_id, transform_type_t type,
975 u_int16_t *kernel_id, char **kernel_name)
976 {
977 kernel_algorithm_t *algorithm;
978 enumerator_t *enumerator;
979 bool found = FALSE;
980
981 this->mutex_algs->lock(this->mutex_algs);
982 enumerator = this->algorithms->create_enumerator(this->algorithms);
983 while (enumerator->enumerate(enumerator, &algorithm))
984 {
985 if (algorithm->type == type && algorithm->ike == alg_id)
986 {
987 if (kernel_id)
988 {
989 *kernel_id = algorithm->kernel;
990 }
991 if (kernel_name)
992 {
993 *kernel_name = algorithm->name;
994 }
995 found = TRUE;
996 break;
997 }
998 }
999 enumerator->destroy(enumerator);
1000 this->mutex_algs->unlock(this->mutex_algs);
1001 return found;
1002 }
1003
1004 METHOD(kernel_interface_t, destroy, void,
1005 private_kernel_interface_t *this)
1006 {
1007 kernel_algorithm_t *algorithm;
1008
1009 while (this->algorithms->remove_first(this->algorithms,
1010 (void**)&algorithm) == SUCCESS)
1011 {
1012 free(algorithm->name);
1013 free(algorithm);
1014 }
1015 this->algorithms->destroy(this->algorithms);
1016 this->mutex_algs->destroy(this->mutex_algs);
1017 DESTROY_IF(this->ipsec);
1018 DESTROY_IF(this->net);
1019 DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
1020 this->reqids->destroy(this->reqids);
1021 this->reqids_by_ts->destroy(this->reqids_by_ts);
1022 this->listeners->destroy(this->listeners);
1023 this->mutex->destroy(this->mutex);
1024 free(this);
1025 }
1026
1027 /*
1028 * Described in header-file
1029 */
1030 kernel_interface_t *kernel_interface_create()
1031 {
1032 private_kernel_interface_t *this;
1033 char *ifaces;
1034
1035 INIT(this,
1036 .public = {
1037 .get_features = _get_features,
1038 .get_spi = _get_spi,
1039 .get_cpi = _get_cpi,
1040 .alloc_reqid = _alloc_reqid,
1041 .release_reqid = _release_reqid,
1042 .add_sa = _add_sa,
1043 .update_sa = _update_sa,
1044 .query_sa = _query_sa,
1045 .del_sa = _del_sa,
1046 .flush_sas = _flush_sas,
1047 .add_policy = _add_policy,
1048 .query_policy = _query_policy,
1049 .del_policy = _del_policy,
1050 .flush_policies = _flush_policies,
1051 .get_source_addr = _get_source_addr,
1052 .get_nexthop = _get_nexthop,
1053 .get_interface = _get_interface,
1054 .create_address_enumerator = _create_address_enumerator,
1055 .add_ip = _add_ip,
1056 .del_ip = _del_ip,
1057 .add_route = _add_route,
1058 .del_route = _del_route,
1059 .bypass_socket = _bypass_socket,
1060 .enable_udp_decap = _enable_udp_decap,
1061
1062 .is_interface_usable = _is_interface_usable,
1063 .all_interfaces_usable = _all_interfaces_usable,
1064 .get_address_by_ts = _get_address_by_ts,
1065 .add_ipsec_interface = _add_ipsec_interface,
1066 .remove_ipsec_interface = _remove_ipsec_interface,
1067 .add_net_interface = _add_net_interface,
1068 .remove_net_interface = _remove_net_interface,
1069
1070 .add_listener = _add_listener,
1071 .remove_listener = _remove_listener,
1072 .register_algorithm = _register_algorithm,
1073 .lookup_algorithm = _lookup_algorithm,
1074 .acquire = _acquire,
1075 .expire = _expire,
1076 .mapping = _mapping,
1077 .migrate = _migrate,
1078 .roam = _roam,
1079 .tun = _tun,
1080 .destroy = _destroy,
1081 },
1082 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
1083 .listeners = linked_list_create(),
1084 .mutex_algs = mutex_create(MUTEX_TYPE_DEFAULT),
1085 .algorithms = linked_list_create(),
1086 .reqids = hashtable_create((hashtable_hash_t)hash_reqid,
1087 (hashtable_equals_t)equals_reqid, 8),
1088 .reqids_by_ts = hashtable_create((hashtable_hash_t)hash_reqid_by_ts,
1089 (hashtable_equals_t)equals_reqid_by_ts, 8),
1090 );
1091
1092 ifaces = lib->settings->get_str(lib->settings,
1093 "%s.interfaces_use", NULL, lib->ns);
1094 if (!ifaces)
1095 {
1096 this->ifaces_exclude = TRUE;
1097 ifaces = lib->settings->get_str(lib->settings,
1098 "%s.interfaces_ignore", NULL, lib->ns);
1099 }
1100 if (ifaces)
1101 {
1102 enumerator_t *enumerator;
1103 char *iface;
1104
1105 enumerator = enumerator_create_token(ifaces, ",", " ");
1106 while (enumerator->enumerate(enumerator, &iface))
1107 {
1108 if (!this->ifaces_filter)
1109 {
1110 this->ifaces_filter = linked_list_create();
1111 }
1112 this->ifaces_filter->insert_last(this->ifaces_filter,
1113 strdup(iface));
1114 }
1115 enumerator->destroy(enumerator);
1116 }
1117
1118 return &this->public;
1119 }