2 * Copyright (C) 2006-2010 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 #include <sys/types.h>
22 #include <sys/socket.h>
24 #include <linux/ipsec.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
40 #include <threading/thread.h>
41 #include <threading/mutex.h>
42 #include <utils/hashtable.h>
43 #include <processing/jobs/callback_job.h>
45 /** required for Linux 2.6.26 kernel and later */
46 #ifndef XFRM_STATE_AF_UNSPEC
47 #define XFRM_STATE_AF_UNSPEC 32
50 /** from linux/in.h */
51 #ifndef IP_XFRM_POLICY
52 #define IP_XFRM_POLICY 17
55 /* missing on uclibc */
56 #ifndef IPV6_XFRM_POLICY
57 #define IPV6_XFRM_POLICY 34
58 #endif /*IPV6_XFRM_POLICY*/
60 /** default priority of installed policies */
62 #define PRIO_HIGH 2000
65 * map the limit for bytes and packets to XFRM_INF per default
67 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
70 * Create ORable bitfield of XFRM NL groups
72 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
75 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
76 * 'usual' netlink data x like 'struct xfrm_usersa_info'
78 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
80 * returns a pointer to the next rtattr following rta.
81 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
83 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
85 * returns the total size of attached rta data
86 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
88 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
90 typedef struct kernel_algorithm_t kernel_algorithm_t
;
93 * Mapping of IKEv2 kernel identifier to linux crypto API names
95 struct kernel_algorithm_t
{
97 * Identifier specified in IKEv2
102 * Name of the algorithm in linux crypto API
107 ENUM(xfrm_msg_names
, XFRM_MSG_NEWSA
, XFRM_MSG_MAPPING
,
111 "XFRM_MSG_NEWPOLICY",
112 "XFRM_MSG_DELPOLICY",
113 "XFRM_MSG_GETPOLICY",
117 "XFRM_MSG_UPDPOLICY",
119 "XFRM_MSG_POLEXPIRE",
121 "XFRM_MSG_FLUSHPOLICY",
126 "XFRM_MSG_NEWSADINFO",
127 "XFRM_MSG_GETSADINFO",
128 "XFRM_MSG_NEWSPDINFO",
129 "XFRM_MSG_GETSPDINFO",
133 ENUM(xfrm_attr_type_names
, XFRMA_UNSPEC
, XFRMA_KMADDRESS
,
145 "XFRMA_REPLAY_THRESH",
146 "XFRMA_ETIMER_THRESH",
156 #define END_OF_LIST -1
159 * Algorithms for encryption
161 static kernel_algorithm_t encryption_algs
[] = {
162 /* {ENCR_DES_IV64, "***" }, */
164 {ENCR_3DES
, "des3_ede" },
165 /* {ENCR_RC5, "***" }, */
166 /* {ENCR_IDEA, "***" }, */
167 {ENCR_CAST
, "cast128" },
168 {ENCR_BLOWFISH
, "blowfish" },
169 /* {ENCR_3IDEA, "***" }, */
170 /* {ENCR_DES_IV32, "***" }, */
171 {ENCR_NULL
, "cipher_null" },
172 {ENCR_AES_CBC
, "aes" },
173 {ENCR_AES_CTR
, "rfc3686(ctr(aes))" },
174 {ENCR_AES_CCM_ICV8
, "rfc4309(ccm(aes))" },
175 {ENCR_AES_CCM_ICV12
, "rfc4309(ccm(aes))" },
176 {ENCR_AES_CCM_ICV16
, "rfc4309(ccm(aes))" },
177 {ENCR_AES_GCM_ICV8
, "rfc4106(gcm(aes))" },
178 {ENCR_AES_GCM_ICV12
, "rfc4106(gcm(aes))" },
179 {ENCR_AES_GCM_ICV16
, "rfc4106(gcm(aes))" },
180 {ENCR_NULL_AUTH_AES_GMAC
, "rfc4543(gcm(aes))" },
181 {ENCR_CAMELLIA_CBC
, "cbc(camellia)" },
182 /* {ENCR_CAMELLIA_CTR, "***" }, */
183 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
184 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
185 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
186 {ENCR_SERPENT_CBC
, "serpent" },
187 {ENCR_TWOFISH_CBC
, "twofish" },
192 * Algorithms for integrity protection
194 static kernel_algorithm_t integrity_algs
[] = {
195 {AUTH_HMAC_MD5_96
, "md5" },
196 {AUTH_HMAC_SHA1_96
, "sha1" },
197 {AUTH_HMAC_SHA2_256_96
, "sha256" },
198 {AUTH_HMAC_SHA2_256_128
, "hmac(sha256)" },
199 {AUTH_HMAC_SHA2_384_192
, "hmac(sha384)" },
200 {AUTH_HMAC_SHA2_512_256
, "hmac(sha512)" },
201 /* {AUTH_DES_MAC, "***" }, */
202 /* {AUTH_KPDK_MD5, "***" }, */
203 {AUTH_AES_XCBC_96
, "xcbc(aes)" },
208 * Algorithms for IPComp
210 static kernel_algorithm_t compression_algs
[] = {
211 /* {IPCOMP_OUI, "***" }, */
212 {IPCOMP_DEFLATE
, "deflate" },
213 {IPCOMP_LZS
, "lzs" },
214 {IPCOMP_LZJH
, "lzjh" },
219 * Look up a kernel algorithm name and its key size
221 static char* lookup_algorithm(kernel_algorithm_t
*list
, int ikev2
)
223 while (list
->ikev2
!= END_OF_LIST
)
225 if (list
->ikev2
== ikev2
)
234 typedef struct route_entry_t route_entry_t
;
237 * installed routing entry
239 struct route_entry_t
{
240 /** Name of the interface the route is bound to */
243 /** Source ip of the route */
246 /** gateway for this route */
249 /** Destination net */
252 /** Destination net prefixlen */
257 * destroy an route_entry_t object
259 static void route_entry_destroy(route_entry_t
*this)
262 this->src_ip
->destroy(this->src_ip
);
263 DESTROY_IF(this->gateway
);
264 chunk_free(&this->dst_net
);
268 typedef struct policy_entry_t policy_entry_t
;
271 * installed kernel policy.
273 struct policy_entry_t
{
275 /** direction of this policy: in, out, forward */
278 /** parameters of installed policy */
279 struct xfrm_selector sel
;
284 /** associated route installed for this policy */
285 route_entry_t
*route
;
287 /** by how many CHILD_SA's this policy is used */
292 * Hash function for policy_entry_t objects
294 static u_int
policy_hash(policy_entry_t
*key
)
296 chunk_t chunk
= chunk_create((void*)&key
->sel
,
297 sizeof(struct xfrm_selector
) + sizeof(u_int32_t
));
298 return chunk_hash(chunk
);
302 * Equality function for policy_entry_t objects
304 static bool policy_equals(policy_entry_t
*key
, policy_entry_t
*other_key
)
306 return memeq(&key
->sel
, &other_key
->sel
,
307 sizeof(struct xfrm_selector
) + sizeof(u_int32_t
)) &&
308 key
->direction
== other_key
->direction
;
311 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t
;
314 * Private variables and functions of kernel_netlink class.
316 struct private_kernel_netlink_ipsec_t
{
318 * Public part of the kernel_netlink_t object.
320 kernel_netlink_ipsec_t
public;
323 * mutex to lock access to various lists
328 * Hash table of installed policies (policy_entry_t)
330 hashtable_t
*policies
;
333 * job receiving netlink events
338 * Netlink xfrm socket (IPsec)
340 netlink_socket_t
*socket_xfrm
;
343 * netlink xfrm socket to receive acquire and expire events
345 int socket_xfrm_events
;
348 * whether to install routes along policies
354 * convert the general ipsec mode to the one defined in xfrm.h
356 static u_int8_t
mode2kernel(ipsec_mode_t mode
)
361 return XFRM_MODE_TRANSPORT
;
363 return XFRM_MODE_TUNNEL
;
365 return XFRM_MODE_BEET
;
372 * convert a host_t to a struct xfrm_address
374 static void host2xfrm(host_t
*host
, xfrm_address_t
*xfrm
)
376 chunk_t chunk
= host
->get_address(host
);
377 memcpy(xfrm
, chunk
.ptr
, min(chunk
.len
, sizeof(xfrm_address_t
)));
381 * convert a struct xfrm_address to a host_t
383 static host_t
* xfrm2host(int family
, xfrm_address_t
*xfrm
, u_int16_t port
)
390 chunk
= chunk_create((u_char
*)&xfrm
->a4
, sizeof(xfrm
->a4
));
393 chunk
= chunk_create((u_char
*)&xfrm
->a6
, sizeof(xfrm
->a6
));
398 return host_create_from_chunk(family
, chunk
, ntohs(port
));
402 * convert a traffic selector address range to subnet and its mask.
404 static void ts2subnet(traffic_selector_t
* ts
,
405 xfrm_address_t
*net
, u_int8_t
*mask
)
410 ts
->to_subnet(ts
, &net_host
, mask
);
411 net_chunk
= net_host
->get_address(net_host
);
412 memcpy(net
, net_chunk
.ptr
, net_chunk
.len
);
413 net_host
->destroy(net_host
);
417 * convert a traffic selector port range to port/portmask
419 static void ts2ports(traffic_selector_t
* ts
,
420 u_int16_t
*port
, u_int16_t
*mask
)
422 /* linux does not seem to accept complex portmasks. Only
423 * any or a specific port is allowed. We set to any, if we have
424 * a port range, or to a specific, if we have one port only.
428 from
= ts
->get_from_port(ts
);
429 to
= ts
->get_to_port(ts
);
444 * convert a pair of traffic_selectors to a xfrm_selector
446 static struct xfrm_selector
ts2selector(traffic_selector_t
*src
,
447 traffic_selector_t
*dst
)
449 struct xfrm_selector sel
;
451 memset(&sel
, 0, sizeof(sel
));
452 sel
.family
= (src
->get_type(src
) == TS_IPV4_ADDR_RANGE
) ? AF_INET
: AF_INET6
;
453 /* src or dest proto may be "any" (0), use more restrictive one */
454 sel
.proto
= max(src
->get_protocol(src
), dst
->get_protocol(dst
));
455 ts2subnet(dst
, &sel
.daddr
, &sel
.prefixlen_d
);
456 ts2subnet(src
, &sel
.saddr
, &sel
.prefixlen_s
);
457 ts2ports(dst
, &sel
.dport
, &sel
.dport_mask
);
458 ts2ports(src
, &sel
.sport
, &sel
.sport_mask
);
466 * convert a xfrm_selector to a src|dst traffic_selector
468 static traffic_selector_t
* selector2ts(struct xfrm_selector
*sel
, bool src
)
477 addr
= (u_char
*)&sel
->saddr
;
478 prefixlen
= sel
->prefixlen_s
;
481 port
= htons(sel
->sport
);
486 addr
= (u_char
*)&sel
->daddr
;
487 prefixlen
= sel
->prefixlen_d
;
490 port
= htons(sel
->dport
);
494 /* The Linux 2.6 kernel does not set the selector's family field,
495 * so as a kludge we additionally test the prefix length.
497 if (sel
->family
== AF_INET
|| sel
->prefixlen_s
== 32)
499 host
= host_create_from_chunk(AF_INET
, chunk_create(addr
, 4), 0);
501 else if (sel
->family
== AF_INET6
|| sel
->prefixlen_s
== 128)
503 host
= host_create_from_chunk(AF_INET6
, chunk_create(addr
, 16), 0);
508 return traffic_selector_create_from_subnet(host
, prefixlen
,
515 * process a XFRM_MSG_ACQUIRE from kernel
517 static void process_acquire(private_kernel_netlink_ipsec_t
*this, struct nlmsghdr
*hdr
)
521 traffic_selector_t
*src_ts
, *dst_ts
;
522 struct xfrm_user_acquire
*acquire
;
526 acquire
= (struct xfrm_user_acquire
*)NLMSG_DATA(hdr
);
527 rta
= XFRM_RTA(hdr
, struct xfrm_user_acquire
);
528 rtasize
= XFRM_PAYLOAD(hdr
, struct xfrm_user_acquire
);
530 DBG2(DBG_KNL
, "received a XFRM_MSG_ACQUIRE");
532 while (RTA_OK(rta
, rtasize
))
534 DBG2(DBG_KNL
, " %N", xfrm_attr_type_names
, rta
->rta_type
);
536 if (rta
->rta_type
== XFRMA_TMPL
)
538 struct xfrm_user_tmpl
* tmpl
;
540 tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rta
);
542 proto
= tmpl
->id
.proto
;
544 rta
= RTA_NEXT(rta
, rtasize
);
553 /* acquire for AH/ESP only, not for IPCOMP */
556 src_ts
= selector2ts(&acquire
->sel
, TRUE
);
557 dst_ts
= selector2ts(&acquire
->sel
, FALSE
);
559 hydra
->kernel_interface
->acquire(hydra
->kernel_interface
, reqid
, src_ts
,
564 * process a XFRM_MSG_EXPIRE from kernel
566 static void process_expire(private_kernel_netlink_ipsec_t
*this, struct nlmsghdr
*hdr
)
569 u_int32_t spi
, reqid
;
570 struct xfrm_user_expire
*expire
;
572 expire
= (struct xfrm_user_expire
*)NLMSG_DATA(hdr
);
573 protocol
= expire
->state
.id
.proto
;
574 spi
= expire
->state
.id
.spi
;
575 reqid
= expire
->state
.reqid
;
577 DBG2(DBG_KNL
, "received a XFRM_MSG_EXPIRE");
579 if (protocol
!= IPPROTO_ESP
&& protocol
!= IPPROTO_AH
)
581 DBG2(DBG_KNL
, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and "
582 "reqid {%u} which is not a CHILD_SA", ntohl(spi
), reqid
);
586 hydra
->kernel_interface
->expire(hydra
->kernel_interface
, reqid
, protocol
,
587 spi
, expire
->hard
!= 0);
591 * process a XFRM_MSG_MIGRATE from kernel
593 static void process_migrate(private_kernel_netlink_ipsec_t
*this, struct nlmsghdr
*hdr
)
595 traffic_selector_t
*src_ts
, *dst_ts
;
596 host_t
*local
= NULL
, *remote
= NULL
;
597 host_t
*old_src
= NULL
, *old_dst
= NULL
;
598 host_t
*new_src
= NULL
, *new_dst
= NULL
;
599 struct xfrm_userpolicy_id
*policy_id
;
605 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
606 rta
= XFRM_RTA(hdr
, struct xfrm_userpolicy_id
);
607 rtasize
= XFRM_PAYLOAD(hdr
, struct xfrm_userpolicy_id
);
609 DBG2(DBG_KNL
, "received a XFRM_MSG_MIGRATE");
611 src_ts
= selector2ts(&policy_id
->sel
, TRUE
);
612 dst_ts
= selector2ts(&policy_id
->sel
, FALSE
);
613 dir
= (policy_dir_t
)policy_id
->dir
;
615 DBG2(DBG_KNL
, " policy: %R === %R %N", src_ts
, dst_ts
, policy_dir_names
);
617 while (RTA_OK(rta
, rtasize
))
619 DBG2(DBG_KNL
, " %N", xfrm_attr_type_names
, rta
->rta_type
);
620 if (rta
->rta_type
== XFRMA_KMADDRESS
)
622 struct xfrm_user_kmaddress
*kmaddress
;
624 kmaddress
= (struct xfrm_user_kmaddress
*)RTA_DATA(rta
);
625 local
= xfrm2host(kmaddress
->family
, &kmaddress
->local
, 0);
626 remote
= xfrm2host(kmaddress
->family
, &kmaddress
->remote
, 0);
627 DBG2(DBG_KNL
, " kmaddress: %H...%H", local
, remote
);
629 else if (rta
->rta_type
== XFRMA_MIGRATE
)
631 struct xfrm_user_migrate
*migrate
;
633 migrate
= (struct xfrm_user_migrate
*)RTA_DATA(rta
);
634 old_src
= xfrm2host(migrate
->old_family
, &migrate
->old_saddr
, 0);
635 old_dst
= xfrm2host(migrate
->old_family
, &migrate
->old_daddr
, 0);
636 new_src
= xfrm2host(migrate
->new_family
, &migrate
->new_saddr
, 0);
637 new_dst
= xfrm2host(migrate
->new_family
, &migrate
->new_daddr
, 0);
638 reqid
= migrate
->reqid
;
639 DBG2(DBG_KNL
, " migrate %H...%H to %H...%H, reqid {%u}",
640 old_src
, old_dst
, new_src
, new_dst
, reqid
);
646 rta
= RTA_NEXT(rta
, rtasize
);
649 if (src_ts
&& dst_ts
&& local
&& remote
)
651 hydra
->kernel_interface
->migrate(hydra
->kernel_interface
, reqid
,
652 src_ts
, dst_ts
, dir
, local
, remote
);
664 * process a XFRM_MSG_MAPPING from kernel
666 static void process_mapping(private_kernel_netlink_ipsec_t
*this,
667 struct nlmsghdr
*hdr
)
669 u_int32_t spi
, reqid
;
670 struct xfrm_user_mapping
*mapping
;
673 mapping
= (struct xfrm_user_mapping
*)NLMSG_DATA(hdr
);
674 spi
= mapping
->id
.spi
;
675 reqid
= mapping
->reqid
;
677 DBG2(DBG_KNL
, "received a XFRM_MSG_MAPPING");
679 if (mapping
->id
.proto
== IPPROTO_ESP
)
681 host
= xfrm2host(mapping
->id
.family
, &mapping
->new_saddr
,
685 hydra
->kernel_interface
->mapping(hydra
->kernel_interface
, reqid
,
692 * Receives events from kernel
694 static job_requeue_t
receive_events(private_kernel_netlink_ipsec_t
*this)
697 struct nlmsghdr
*hdr
= (struct nlmsghdr
*)response
;
698 struct sockaddr_nl addr
;
699 socklen_t addr_len
= sizeof(addr
);
703 oldstate
= thread_cancelability(TRUE
);
704 len
= recvfrom(this->socket_xfrm_events
, response
, sizeof(response
), 0,
705 (struct sockaddr
*)&addr
, &addr_len
);
706 thread_cancelability(oldstate
);
713 /* interrupted, try again */
714 return JOB_REQUEUE_DIRECT
;
716 /* no data ready, select again */
717 return JOB_REQUEUE_DIRECT
;
719 DBG1(DBG_KNL
, "unable to receive from xfrm event socket");
721 return JOB_REQUEUE_FAIR
;
725 if (addr
.nl_pid
!= 0)
726 { /* not from kernel. not interested, try another one */
727 return JOB_REQUEUE_DIRECT
;
730 while (NLMSG_OK(hdr
, len
))
732 switch (hdr
->nlmsg_type
)
734 case XFRM_MSG_ACQUIRE
:
735 process_acquire(this, hdr
);
737 case XFRM_MSG_EXPIRE
:
738 process_expire(this, hdr
);
740 case XFRM_MSG_MIGRATE
:
741 process_migrate(this, hdr
);
743 case XFRM_MSG_MAPPING
:
744 process_mapping(this, hdr
);
747 DBG1(DBG_KNL
, "received unknown event from xfrm event socket: %d", hdr
->nlmsg_type
);
750 hdr
= NLMSG_NEXT(hdr
, len
);
752 return JOB_REQUEUE_DIRECT
;
756 * Get an SPI for a specific protocol from the kernel.
758 static status_t
get_spi_internal(private_kernel_netlink_ipsec_t
*this,
759 host_t
*src
, host_t
*dst
, u_int8_t proto
, u_int32_t min
, u_int32_t max
,
760 u_int32_t reqid
, u_int32_t
*spi
)
762 netlink_buf_t request
;
763 struct nlmsghdr
*hdr
, *out
;
764 struct xfrm_userspi_info
*userspi
;
765 u_int32_t received_spi
= 0;
768 memset(&request
, 0, sizeof(request
));
770 hdr
= (struct nlmsghdr
*)request
;
771 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
772 hdr
->nlmsg_type
= XFRM_MSG_ALLOCSPI
;
773 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userspi_info
));
775 userspi
= (struct xfrm_userspi_info
*)NLMSG_DATA(hdr
);
776 host2xfrm(src
, &userspi
->info
.saddr
);
777 host2xfrm(dst
, &userspi
->info
.id
.daddr
);
778 userspi
->info
.id
.proto
= proto
;
779 userspi
->info
.mode
= XFRM_MODE_TUNNEL
;
780 userspi
->info
.reqid
= reqid
;
781 userspi
->info
.family
= src
->get_family(src
);
785 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
788 while (NLMSG_OK(hdr
, len
))
790 switch (hdr
->nlmsg_type
)
794 struct xfrm_usersa_info
* usersa
= NLMSG_DATA(hdr
);
795 received_spi
= usersa
->id
.spi
;
800 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
802 DBG1(DBG_KNL
, "allocating SPI failed: %s (%d)",
803 strerror(-err
->error
), -err
->error
);
807 hdr
= NLMSG_NEXT(hdr
, len
);
817 if (received_spi
== 0)
826 METHOD(kernel_ipsec_t
, get_spi
, status_t
,
827 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
828 u_int8_t protocol
, u_int32_t reqid
, u_int32_t
*spi
)
830 DBG2(DBG_KNL
, "getting SPI for reqid {%u}", reqid
);
832 if (get_spi_internal(this, src
, dst
, protocol
,
833 0xc0000000, 0xcFFFFFFF, reqid
, spi
) != SUCCESS
)
835 DBG1(DBG_KNL
, "unable to get SPI for reqid {%u}", reqid
);
839 DBG2(DBG_KNL
, "got SPI %.8x for reqid {%u}", ntohl(*spi
), reqid
);
844 METHOD(kernel_ipsec_t
, get_cpi
, status_t
,
845 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
846 u_int32_t reqid
, u_int16_t
*cpi
)
848 u_int32_t received_spi
= 0;
850 DBG2(DBG_KNL
, "getting CPI for reqid {%u}", reqid
);
852 if (get_spi_internal(this, src
, dst
,
853 IPPROTO_COMP
, 0x100, 0xEFFF, reqid
, &received_spi
) != SUCCESS
)
855 DBG1(DBG_KNL
, "unable to get CPI for reqid {%u}", reqid
);
859 *cpi
= htons((u_int16_t
)ntohl(received_spi
));
861 DBG2(DBG_KNL
, "got CPI %.4x for reqid {%u}", ntohs(*cpi
), reqid
);
866 METHOD(kernel_ipsec_t
, add_sa
, status_t
,
867 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
868 u_int32_t spi
, u_int8_t protocol
, u_int32_t reqid
, mark_t mark
,
869 lifetime_cfg_t
*lifetime
, u_int16_t enc_alg
, chunk_t enc_key
,
870 u_int16_t int_alg
, chunk_t int_key
, ipsec_mode_t mode
, u_int16_t ipcomp
,
871 u_int16_t cpi
, bool encap
, bool inbound
,
872 traffic_selector_t
* src_ts
, traffic_selector_t
* dst_ts
)
874 netlink_buf_t request
;
876 struct nlmsghdr
*hdr
;
877 struct xfrm_usersa_info
*sa
;
878 u_int16_t icv_size
= 64;
880 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
881 * we are in the recursive call below */
882 if (ipcomp
!= IPCOMP_NONE
&& cpi
!= 0)
884 lifetime_cfg_t lft
= {{0,0,0},{0,0,0},{0,0,0}};
885 add_sa(this, src
, dst
, htonl(ntohs(cpi
)), IPPROTO_COMP
, reqid
, mark
,
886 &lft
, ENCR_UNDEFINED
, chunk_empty
, AUTH_UNDEFINED
, chunk_empty
,
887 mode
, ipcomp
, 0, FALSE
, inbound
, NULL
, NULL
);
888 ipcomp
= IPCOMP_NONE
;
889 /* use transport mode ESP SA, IPComp uses tunnel mode */
890 mode
= MODE_TRANSPORT
;
893 memset(&request
, 0, sizeof(request
));
897 DBG2(DBG_KNL
, "adding SAD entry with SPI %.8x and reqid {%u} "
898 "(mark %u/0x%8x)", ntohl(spi
), reqid
, mark
.value
, mark
.mask
);
902 DBG2(DBG_KNL
, "adding SAD entry with SPI %.8x and reqid {%u}",
905 hdr
= (struct nlmsghdr
*)request
;
906 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
907 hdr
->nlmsg_type
= inbound ? XFRM_MSG_UPDSA
: XFRM_MSG_NEWSA
;
908 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
910 sa
= (struct xfrm_usersa_info
*)NLMSG_DATA(hdr
);
911 host2xfrm(src
, &sa
->saddr
);
912 host2xfrm(dst
, &sa
->id
.daddr
);
914 sa
->id
.proto
= protocol
;
915 sa
->family
= src
->get_family(src
);
916 sa
->mode
= mode2kernel(mode
);
920 sa
->flags
|= XFRM_STATE_AF_UNSPEC
;
925 sa
->sel
= ts2selector(src_ts
, dst_ts
);
932 sa
->replay_window
= (protocol
== IPPROTO_COMP
) ?
0 : 32;
934 sa
->lft
.soft_byte_limit
= XFRM_LIMIT(lifetime
->bytes
.rekey
);
935 sa
->lft
.hard_byte_limit
= XFRM_LIMIT(lifetime
->bytes
.life
);
936 sa
->lft
.soft_packet_limit
= XFRM_LIMIT(lifetime
->packets
.rekey
);
937 sa
->lft
.hard_packet_limit
= XFRM_LIMIT(lifetime
->packets
.life
);
938 /* we use lifetimes since added, not since used */
939 sa
->lft
.soft_add_expires_seconds
= lifetime
->time
.rekey
;
940 sa
->lft
.hard_add_expires_seconds
= lifetime
->time
.life
;
941 sa
->lft
.soft_use_expires_seconds
= 0;
942 sa
->lft
.hard_use_expires_seconds
= 0;
944 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_usersa_info
);
951 case ENCR_AES_CCM_ICV16
:
952 case ENCR_AES_GCM_ICV16
:
953 case ENCR_NULL_AUTH_AES_GMAC
:
954 case ENCR_CAMELLIA_CCM_ICV16
:
957 case ENCR_AES_CCM_ICV12
:
958 case ENCR_AES_GCM_ICV12
:
959 case ENCR_CAMELLIA_CCM_ICV12
:
962 case ENCR_AES_CCM_ICV8
:
963 case ENCR_AES_GCM_ICV8
:
964 case ENCR_CAMELLIA_CCM_ICV8
:
966 struct xfrm_algo_aead
*algo
;
968 alg_name
= lookup_algorithm(encryption_algs
, enc_alg
);
969 if (alg_name
== NULL
)
971 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
972 encryption_algorithm_names
, enc_alg
);
975 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
976 encryption_algorithm_names
, enc_alg
, enc_key
.len
* 8);
978 rthdr
->rta_type
= XFRMA_ALG_AEAD
;
979 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo_aead
) + enc_key
.len
);
980 hdr
->nlmsg_len
+= rthdr
->rta_len
;
981 if (hdr
->nlmsg_len
> sizeof(request
))
986 algo
= (struct xfrm_algo_aead
*)RTA_DATA(rthdr
);
987 algo
->alg_key_len
= enc_key
.len
* 8;
988 algo
->alg_icv_len
= icv_size
;
989 strcpy(algo
->alg_name
, alg_name
);
990 memcpy(algo
->alg_key
, enc_key
.ptr
, enc_key
.len
);
992 rthdr
= XFRM_RTA_NEXT(rthdr
);
997 struct xfrm_algo
*algo
;
999 alg_name
= lookup_algorithm(encryption_algs
, enc_alg
);
1000 if (alg_name
== NULL
)
1002 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1003 encryption_algorithm_names
, enc_alg
);
1006 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1007 encryption_algorithm_names
, enc_alg
, enc_key
.len
* 8);
1009 rthdr
->rta_type
= XFRMA_ALG_CRYPT
;
1010 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + enc_key
.len
);
1011 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1012 if (hdr
->nlmsg_len
> sizeof(request
))
1017 algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1018 algo
->alg_key_len
= enc_key
.len
* 8;
1019 strcpy(algo
->alg_name
, alg_name
);
1020 memcpy(algo
->alg_key
, enc_key
.ptr
, enc_key
.len
);
1022 rthdr
= XFRM_RTA_NEXT(rthdr
);
1026 if (int_alg
!= AUTH_UNDEFINED
)
1028 alg_name
= lookup_algorithm(integrity_algs
, int_alg
);
1029 if (alg_name
== NULL
)
1031 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1032 integrity_algorithm_names
, int_alg
);
1035 DBG2(DBG_KNL
, " using integrity algorithm %N with key size %d",
1036 integrity_algorithm_names
, int_alg
, int_key
.len
* 8);
1038 if (int_alg
== AUTH_HMAC_SHA2_256_128
)
1040 struct xfrm_algo_auth
* algo
;
1042 /* the kernel uses SHA256 with 96 bit truncation by default,
1043 * use specified truncation size supported by newer kernels */
1044 rthdr
->rta_type
= XFRMA_ALG_AUTH_TRUNC
;
1045 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo_auth
) + int_key
.len
);
1047 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1048 if (hdr
->nlmsg_len
> sizeof(request
))
1053 algo
= (struct xfrm_algo_auth
*)RTA_DATA(rthdr
);
1054 algo
->alg_key_len
= int_key
.len
* 8;
1055 algo
->alg_trunc_len
= 128;
1056 strcpy(algo
->alg_name
, alg_name
);
1057 memcpy(algo
->alg_key
, int_key
.ptr
, int_key
.len
);
1061 struct xfrm_algo
* algo
;
1063 rthdr
->rta_type
= XFRMA_ALG_AUTH
;
1064 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + int_key
.len
);
1066 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1067 if (hdr
->nlmsg_len
> sizeof(request
))
1072 algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1073 algo
->alg_key_len
= int_key
.len
* 8;
1074 strcpy(algo
->alg_name
, alg_name
);
1075 memcpy(algo
->alg_key
, int_key
.ptr
, int_key
.len
);
1077 rthdr
= XFRM_RTA_NEXT(rthdr
);
1080 if (ipcomp
!= IPCOMP_NONE
)
1082 rthdr
->rta_type
= XFRMA_ALG_COMP
;
1083 alg_name
= lookup_algorithm(compression_algs
, ipcomp
);
1084 if (alg_name
== NULL
)
1086 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1087 ipcomp_transform_names
, ipcomp
);
1090 DBG2(DBG_KNL
, " using compression algorithm %N",
1091 ipcomp_transform_names
, ipcomp
);
1093 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
));
1094 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1095 if (hdr
->nlmsg_len
> sizeof(request
))
1100 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1101 algo
->alg_key_len
= 0;
1102 strcpy(algo
->alg_name
, alg_name
);
1104 rthdr
= XFRM_RTA_NEXT(rthdr
);
1109 struct xfrm_encap_tmpl
*tmpl
;
1111 rthdr
->rta_type
= XFRMA_ENCAP
;
1112 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_encap_tmpl
));
1114 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1115 if (hdr
->nlmsg_len
> sizeof(request
))
1120 tmpl
= (struct xfrm_encap_tmpl
*)RTA_DATA(rthdr
);
1121 tmpl
->encap_type
= UDP_ENCAP_ESPINUDP
;
1122 tmpl
->encap_sport
= htons(src
->get_port(src
));
1123 tmpl
->encap_dport
= htons(dst
->get_port(dst
));
1124 memset(&tmpl
->encap_oa
, 0, sizeof (xfrm_address_t
));
1125 /* encap_oa could probably be derived from the
1126 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1127 * pluto does the same as we do here but it uses encap_oa in the
1128 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1129 * the kernel ignores it anyway
1130 * -> does that mean that NAT-T encap doesn't work in transport mode?
1131 * No. The reason the kernel ignores NAT-OA is that it recomputes
1132 * (or, rather, just ignores) the checksum. If packets pass
1133 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1134 rthdr
= XFRM_RTA_NEXT(rthdr
);
1139 struct xfrm_mark
*mrk
;
1141 rthdr
->rta_type
= XFRMA_MARK
;
1142 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_mark
));
1144 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1145 if (hdr
->nlmsg_len
> sizeof(request
))
1150 mrk
= (struct xfrm_mark
*)RTA_DATA(rthdr
);
1151 mrk
->v
= mark
.value
;
1153 rthdr
= XFRM_RTA_NEXT(rthdr
);
1156 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1160 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x "
1161 "(mark %u/0x%8x)", ntohl(spi
), mark
.value
, mark
.mask
);
1165 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x", ntohl(spi
));
1173 * Get the replay state (i.e. sequence numbers) of an SA.
1175 static status_t
get_replay_state(private_kernel_netlink_ipsec_t
*this,
1176 u_int32_t spi
, u_int8_t protocol
, host_t
*dst
,
1177 struct xfrm_replay_state
*replay
)
1179 netlink_buf_t request
;
1180 struct nlmsghdr
*hdr
, *out
= NULL
;
1181 struct xfrm_aevent_id
*out_aevent
= NULL
, *aevent_id
;
1186 memset(&request
, 0, sizeof(request
));
1188 DBG2(DBG_KNL
, "querying replay state from SAD entry with SPI %.8x", ntohl(spi
));
1190 hdr
= (struct nlmsghdr
*)request
;
1191 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1192 hdr
->nlmsg_type
= XFRM_MSG_GETAE
;
1193 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_aevent_id
));
1195 aevent_id
= (struct xfrm_aevent_id
*)NLMSG_DATA(hdr
);
1196 aevent_id
->flags
= XFRM_AE_RVAL
;
1198 host2xfrm(dst
, &aevent_id
->sa_id
.daddr
);
1199 aevent_id
->sa_id
.spi
= spi
;
1200 aevent_id
->sa_id
.proto
= protocol
;
1201 aevent_id
->sa_id
.family
= dst
->get_family(dst
);
1203 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1206 while (NLMSG_OK(hdr
, len
))
1208 switch (hdr
->nlmsg_type
)
1210 case XFRM_MSG_NEWAE
:
1212 out_aevent
= NLMSG_DATA(hdr
);
1217 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1218 DBG1(DBG_KNL
, "querying replay state from SAD entry failed: %s (%d)",
1219 strerror(-err
->error
), -err
->error
);
1223 hdr
= NLMSG_NEXT(hdr
, len
);
1232 if (out_aevent
== NULL
)
1234 DBG1(DBG_KNL
, "unable to query replay state from SAD entry with SPI %.8x",
1240 rta
= XFRM_RTA(out
, struct xfrm_aevent_id
);
1241 rtasize
= XFRM_PAYLOAD(out
, struct xfrm_aevent_id
);
1242 while(RTA_OK(rta
, rtasize
))
1244 if (rta
->rta_type
== XFRMA_REPLAY_VAL
&&
1245 RTA_PAYLOAD(rta
) == sizeof(struct xfrm_replay_state
))
1247 memcpy(replay
, RTA_DATA(rta
), RTA_PAYLOAD(rta
));
1251 rta
= RTA_NEXT(rta
, rtasize
);
1254 DBG1(DBG_KNL
, "unable to query replay state from SAD entry with SPI %.8x",
1260 METHOD(kernel_ipsec_t
, query_sa
, status_t
,
1261 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1262 u_int32_t spi
, u_int8_t protocol
, mark_t mark
, u_int64_t
*bytes
)
1264 netlink_buf_t request
;
1265 struct nlmsghdr
*out
= NULL
, *hdr
;
1266 struct xfrm_usersa_id
*sa_id
;
1267 struct xfrm_usersa_info
*sa
= NULL
;
1270 memset(&request
, 0, sizeof(request
));
1274 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x (mark %u/0x%8x)",
1275 ntohl(spi
), mark
.value
, mark
.mask
);
1279 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x", ntohl(spi
));
1281 hdr
= (struct nlmsghdr
*)request
;
1282 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1283 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1284 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1286 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1287 host2xfrm(dst
, &sa_id
->daddr
);
1289 sa_id
->proto
= protocol
;
1290 sa_id
->family
= dst
->get_family(dst
);
1294 struct xfrm_mark
*mrk
;
1295 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_usersa_id
);
1297 rthdr
->rta_type
= XFRMA_MARK
;
1298 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_mark
));
1299 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1300 if (hdr
->nlmsg_len
> sizeof(request
))
1305 mrk
= (struct xfrm_mark
*)RTA_DATA(rthdr
);
1306 mrk
->v
= mark
.value
;
1310 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1313 while (NLMSG_OK(hdr
, len
))
1315 switch (hdr
->nlmsg_type
)
1317 case XFRM_MSG_NEWSA
:
1319 sa
= (struct xfrm_usersa_info
*)NLMSG_DATA(hdr
);
1324 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1328 DBG1(DBG_KNL
, "querying SAD entry with SPI %.8x "
1329 "(mark %u/0x%8x) failed: %s (%d)",
1330 ntohl(spi
), mark
.value
, mark
.mask
,
1331 strerror(-err
->error
), -err
->error
);
1335 DBG1(DBG_KNL
, "querying SAD entry with SPI %.8x "
1336 "failed: %s (%d)", ntohl(spi
),
1337 strerror(-err
->error
), -err
->error
);
1342 hdr
= NLMSG_NEXT(hdr
, len
);
1353 DBG2(DBG_KNL
, "unable to query SAD entry with SPI %.8x", ntohl(spi
));
1357 *bytes
= sa
->curlft
.bytes
;
1363 METHOD(kernel_ipsec_t
, del_sa
, status_t
,
1364 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1365 u_int32_t spi
, u_int8_t protocol
, u_int16_t cpi
, mark_t mark
)
1367 netlink_buf_t request
;
1368 struct nlmsghdr
*hdr
;
1369 struct xfrm_usersa_id
*sa_id
;
1371 /* if IPComp was used, we first delete the additional IPComp SA */
1374 del_sa(this, src
, dst
, htonl(ntohs(cpi
)), IPPROTO_COMP
, 0, mark
);
1377 memset(&request
, 0, sizeof(request
));
1381 DBG2(DBG_KNL
, "deleting SAD entry with SPI %.8x (mark %u/0x%8x)",
1382 ntohl(spi
), mark
.value
, mark
.mask
);
1386 DBG2(DBG_KNL
, "deleting SAD entry with SPI %.8x", ntohl(spi
));
1388 hdr
= (struct nlmsghdr
*)request
;
1389 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1390 hdr
->nlmsg_type
= XFRM_MSG_DELSA
;
1391 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1393 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1394 host2xfrm(dst
, &sa_id
->daddr
);
1396 sa_id
->proto
= protocol
;
1397 sa_id
->family
= dst
->get_family(dst
);
1401 struct xfrm_mark
*mrk
;
1402 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_usersa_id
);
1404 rthdr
->rta_type
= XFRMA_MARK
;
1405 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_mark
));
1406 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1407 if (hdr
->nlmsg_len
> sizeof(request
))
1412 mrk
= (struct xfrm_mark
*)RTA_DATA(rthdr
);
1413 mrk
->v
= mark
.value
;
1417 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1421 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x "
1422 "(mark %u/0x%8x)", ntohl(spi
), mark
.value
, mark
.mask
);
1426 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x", ntohl(spi
));
1432 DBG2(DBG_KNL
, "deleted SAD entry with SPI %.8x (mark %u/0x%8x)",
1433 ntohl(spi
), mark
.value
, mark
.mask
);
1437 DBG2(DBG_KNL
, "deleted SAD entry with SPI %.8x", ntohl(spi
));
1442 METHOD(kernel_ipsec_t
, update_sa
, status_t
,
1443 private_kernel_netlink_ipsec_t
*this, u_int32_t spi
, u_int8_t protocol
,
1444 u_int16_t cpi
, host_t
*src
, host_t
*dst
, host_t
*new_src
, host_t
*new_dst
,
1445 bool old_encap
, bool new_encap
, mark_t mark
)
1447 netlink_buf_t request
;
1449 struct nlmsghdr
*hdr
, *out
= NULL
;
1450 struct xfrm_usersa_id
*sa_id
;
1451 struct xfrm_usersa_info
*out_sa
= NULL
, *sa
;
1455 struct xfrm_encap_tmpl
* tmpl
= NULL
;
1456 bool got_replay_state
= FALSE
;
1457 struct xfrm_replay_state replay
;
1459 /* if IPComp is used, we first update the IPComp SA */
1462 update_sa(this, htonl(ntohs(cpi
)), IPPROTO_COMP
, 0,
1463 src
, dst
, new_src
, new_dst
, FALSE
, FALSE
, mark
);
1466 memset(&request
, 0, sizeof(request
));
1468 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x for update", ntohl(spi
));
1470 /* query the existing SA first */
1471 hdr
= (struct nlmsghdr
*)request
;
1472 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1473 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1474 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1476 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1477 host2xfrm(dst
, &sa_id
->daddr
);
1479 sa_id
->proto
= protocol
;
1480 sa_id
->family
= dst
->get_family(dst
);
1482 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1485 while (NLMSG_OK(hdr
, len
))
1487 switch (hdr
->nlmsg_type
)
1489 case XFRM_MSG_NEWSA
:
1491 out_sa
= NLMSG_DATA(hdr
);
1496 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1497 DBG1(DBG_KNL
, "querying SAD entry failed: %s (%d)",
1498 strerror(-err
->error
), -err
->error
);
1502 hdr
= NLMSG_NEXT(hdr
, len
);
1512 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x", ntohl(spi
));
1517 /* try to get the replay state */
1518 if (get_replay_state(this, spi
, protocol
, dst
, &replay
) == SUCCESS
)
1520 got_replay_state
= TRUE
;
1523 /* delete the old SA (without affecting the IPComp SA) */
1524 if (del_sa(this, src
, dst
, spi
, protocol
, 0, mark
) != SUCCESS
)
1526 DBG1(DBG_KNL
, "unable to delete old SAD entry with SPI %.8x", ntohl(spi
));
1531 DBG2(DBG_KNL
, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1532 ntohl(spi
), src
, dst
, new_src
, new_dst
);
1533 /* copy over the SA from out to request */
1534 hdr
= (struct nlmsghdr
*)request
;
1535 memcpy(hdr
, out
, min(out
->nlmsg_len
, sizeof(request
)));
1536 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1537 hdr
->nlmsg_type
= XFRM_MSG_NEWSA
;
1538 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1539 sa
= NLMSG_DATA(hdr
);
1540 sa
->family
= new_dst
->get_family(new_dst
);
1542 if (!src
->ip_equals(src
, new_src
))
1544 host2xfrm(new_src
, &sa
->saddr
);
1546 if (!dst
->ip_equals(dst
, new_dst
))
1548 host2xfrm(new_dst
, &sa
->id
.daddr
);
1551 rta
= XFRM_RTA(out
, struct xfrm_usersa_info
);
1552 rtasize
= XFRM_PAYLOAD(out
, struct xfrm_usersa_info
);
1553 pos
= (u_char
*)XFRM_RTA(hdr
, struct xfrm_usersa_info
);
1554 while(RTA_OK(rta
, rtasize
))
1556 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1557 if (rta
->rta_type
!= XFRMA_ENCAP
|| new_encap
)
1559 if (rta
->rta_type
== XFRMA_ENCAP
)
1560 { /* update encap tmpl */
1561 tmpl
= (struct xfrm_encap_tmpl
*)RTA_DATA(rta
);
1562 tmpl
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1563 tmpl
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1565 memcpy(pos
, rta
, rta
->rta_len
);
1566 pos
+= RTA_ALIGN(rta
->rta_len
);
1567 hdr
->nlmsg_len
+= RTA_ALIGN(rta
->rta_len
);
1569 rta
= RTA_NEXT(rta
, rtasize
);
1572 rta
= (struct rtattr
*)pos
;
1573 if (tmpl
== NULL
&& new_encap
)
1574 { /* add tmpl if we are enabling it */
1575 rta
->rta_type
= XFRMA_ENCAP
;
1576 rta
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_encap_tmpl
));
1578 hdr
->nlmsg_len
+= rta
->rta_len
;
1579 if (hdr
->nlmsg_len
> sizeof(request
))
1584 tmpl
= (struct xfrm_encap_tmpl
*)RTA_DATA(rta
);
1585 tmpl
->encap_type
= UDP_ENCAP_ESPINUDP
;
1586 tmpl
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1587 tmpl
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1588 memset(&tmpl
->encap_oa
, 0, sizeof (xfrm_address_t
));
1590 rta
= XFRM_RTA_NEXT(rta
);
1593 if (got_replay_state
)
1594 { /* copy the replay data if available */
1595 rta
->rta_type
= XFRMA_REPLAY_VAL
;
1596 rta
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_replay_state
));
1598 hdr
->nlmsg_len
+= rta
->rta_len
;
1599 if (hdr
->nlmsg_len
> sizeof(request
))
1603 memcpy(RTA_DATA(rta
), &replay
, sizeof(replay
));
1605 rta
= XFRM_RTA_NEXT(rta
);
1608 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1610 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x", ntohl(spi
));
1619 METHOD(kernel_ipsec_t
, add_policy
, status_t
,
1620 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1621 traffic_selector_t
*src_ts
, traffic_selector_t
*dst_ts
,
1622 policy_dir_t direction
, policy_type_t type
, ipsec_sa_cfg_t
*sa
,
1623 mark_t mark
, bool routed
)
1625 policy_entry_t
*current
, *policy
;
1627 netlink_buf_t request
;
1628 struct xfrm_userpolicy_info
*policy_info
;
1629 struct nlmsghdr
*hdr
;
1632 /* create a policy */
1633 policy
= malloc_thing(policy_entry_t
);
1634 memset(policy
, 0, sizeof(policy_entry_t
));
1635 policy
->sel
= ts2selector(src_ts
, dst_ts
);
1636 policy
->mark
= mark
.value
& mark
.mask
;
1637 policy
->direction
= direction
;
1639 /* find the policy, which matches EXACTLY */
1640 this->mutex
->lock(this->mutex
);
1641 current
= this->policies
->get(this->policies
, policy
);
1644 /* use existing policy */
1645 current
->refcount
++;
1648 DBG2(DBG_KNL
, "policy %R === %R %N (mark %u/0x%8x) "
1649 "already exists, increasing refcount",
1650 src_ts
, dst_ts
, policy_dir_names
, direction
,
1651 mark
.value
, mark
.mask
);
1655 DBG2(DBG_KNL
, "policy %R === %R %N "
1656 "already exists, increasing refcount",
1657 src_ts
, dst_ts
, policy_dir_names
, direction
);
1664 { /* apply the new one, if we have no such policy */
1665 this->policies
->put(this->policies
, policy
, policy
);
1666 policy
->refcount
= 1;
1671 DBG2(DBG_KNL
, "adding policy %R === %R %N (mark %u/0x%8x)",
1672 src_ts
, dst_ts
, policy_dir_names
, direction
,
1673 mark
.value
, mark
.mask
);
1677 DBG2(DBG_KNL
, "adding policy %R === %R %N",
1678 src_ts
, dst_ts
, policy_dir_names
, direction
);
1681 memset(&request
, 0, sizeof(request
));
1682 hdr
= (struct nlmsghdr
*)request
;
1683 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1684 hdr
->nlmsg_type
= found ? XFRM_MSG_UPDPOLICY
: XFRM_MSG_NEWPOLICY
;
1685 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info
));
1687 policy_info
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
1688 policy_info
->sel
= policy
->sel
;
1689 policy_info
->dir
= policy
->direction
;
1690 /* calculate priority based on source selector size, small size = high prio */
1691 policy_info
->priority
= routed ? PRIO_LOW
: PRIO_HIGH
;
1692 policy_info
->priority
-= policy
->sel
.prefixlen_s
* 10;
1693 policy_info
->priority
-= policy
->sel
.proto ?
2 : 0;
1694 policy_info
->priority
-= policy
->sel
.sport_mask ?
1 : 0;
1695 policy_info
->action
= type
!= POLICY_DROP ? XFRM_POLICY_ALLOW
1696 : XFRM_POLICY_BLOCK
;
1697 policy_info
->share
= XFRM_SHARE_ANY
;
1698 this->mutex
->unlock(this->mutex
);
1700 /* policies don't expire */
1701 policy_info
->lft
.soft_byte_limit
= XFRM_INF
;
1702 policy_info
->lft
.soft_packet_limit
= XFRM_INF
;
1703 policy_info
->lft
.hard_byte_limit
= XFRM_INF
;
1704 policy_info
->lft
.hard_packet_limit
= XFRM_INF
;
1705 policy_info
->lft
.soft_add_expires_seconds
= 0;
1706 policy_info
->lft
.hard_add_expires_seconds
= 0;
1707 policy_info
->lft
.soft_use_expires_seconds
= 0;
1708 policy_info
->lft
.hard_use_expires_seconds
= 0;
1710 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_userpolicy_info
);
1712 if (type
== POLICY_IPSEC
)
1714 struct xfrm_user_tmpl
*tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rthdr
);
1719 { IPPROTO_COMP
, sa
->ipcomp
.transform
!= IPCOMP_NONE
},
1720 { IPPROTO_ESP
, sa
->esp
.use
},
1721 { IPPROTO_AH
, sa
->ah
.use
},
1723 ipsec_mode_t proto_mode
= sa
->mode
;
1725 rthdr
->rta_type
= XFRMA_TMPL
;
1726 rthdr
->rta_len
= 0; /* actual length is set below */
1728 for (i
= 0; i
< countof(protos
); i
++)
1735 rthdr
->rta_len
+= RTA_LENGTH(sizeof(struct xfrm_user_tmpl
));
1736 hdr
->nlmsg_len
+= RTA_LENGTH(sizeof(struct xfrm_user_tmpl
));
1737 if (hdr
->nlmsg_len
> sizeof(request
))
1742 tmpl
->reqid
= sa
->reqid
;
1743 tmpl
->id
.proto
= protos
[i
].proto
;
1744 tmpl
->aalgos
= tmpl
->ealgos
= tmpl
->calgos
= ~0;
1745 tmpl
->mode
= mode2kernel(proto_mode
);
1746 tmpl
->optional
= protos
[i
].proto
== IPPROTO_COMP
&&
1747 direction
!= POLICY_OUT
;
1748 tmpl
->family
= src
->get_family(src
);
1750 if (proto_mode
== MODE_TUNNEL
)
1751 { /* only for tunnel mode */
1752 host2xfrm(src
, &tmpl
->saddr
);
1753 host2xfrm(dst
, &tmpl
->id
.daddr
);
1758 /* use transport mode for other SAs */
1759 proto_mode
= MODE_TRANSPORT
;
1762 rthdr
= XFRM_RTA_NEXT(rthdr
);
1767 struct xfrm_mark
*mrk
;
1769 rthdr
->rta_type
= XFRMA_MARK
;
1770 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_mark
));
1772 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1773 if (hdr
->nlmsg_len
> sizeof(request
))
1778 mrk
= (struct xfrm_mark
*)RTA_DATA(rthdr
);
1779 mrk
->v
= mark
.value
;
1783 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1785 DBG1(DBG_KNL
, "unable to add policy %R === %R %N", src_ts
, dst_ts
,
1786 policy_dir_names
, direction
);
1790 /* install a route, if:
1791 * - we are NOT updating a policy
1792 * - this is a forward policy (to just get one for each child)
1793 * - we are in tunnel/BEET mode
1794 * - routing is not disabled via strongswan.conf
1796 if (policy
->route
== NULL
&& direction
== POLICY_FWD
&&
1797 sa
->mode
!= MODE_TRANSPORT
&& this->install_routes
)
1799 route_entry_t
*route
= malloc_thing(route_entry_t
);
1801 if (hydra
->kernel_interface
->get_address_by_ts(hydra
->kernel_interface
,
1802 dst_ts
, &route
->src_ip
) == SUCCESS
)
1804 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1805 route
->gateway
= hydra
->kernel_interface
->get_nexthop(
1806 hydra
->kernel_interface
, src
);
1807 /* install route via outgoing interface */
1808 route
->if_name
= hydra
->kernel_interface
->get_interface(
1809 hydra
->kernel_interface
, dst
);
1810 route
->dst_net
= chunk_alloc(policy
->sel
.family
== AF_INET ?
4 : 16);
1811 memcpy(route
->dst_net
.ptr
, &policy
->sel
.saddr
, route
->dst_net
.len
);
1812 route
->prefixlen
= policy
->sel
.prefixlen_s
;
1816 switch (hydra
->kernel_interface
->add_route(
1817 hydra
->kernel_interface
, route
->dst_net
,
1818 route
->prefixlen
, route
->gateway
,
1819 route
->src_ip
, route
->if_name
))
1822 DBG1(DBG_KNL
, "unable to install source route for %H",
1826 /* route exists, do not uninstall */
1827 route_entry_destroy(route
);
1830 /* cache the installed route */
1831 policy
->route
= route
;
1837 route_entry_destroy(route
);
1848 METHOD(kernel_ipsec_t
, query_policy
, status_t
,
1849 private_kernel_netlink_ipsec_t
*this, traffic_selector_t
*src_ts
,
1850 traffic_selector_t
*dst_ts
, policy_dir_t direction
, mark_t mark
,
1851 u_int32_t
*use_time
)
1853 netlink_buf_t request
;
1854 struct nlmsghdr
*out
= NULL
, *hdr
;
1855 struct xfrm_userpolicy_id
*policy_id
;
1856 struct xfrm_userpolicy_info
*policy
= NULL
;
1859 memset(&request
, 0, sizeof(request
));
1863 DBG2(DBG_KNL
, "querying policy %R === %R %N (mark %u/0x%8x)",
1864 src_ts
, dst_ts
, policy_dir_names
, direction
,
1865 mark
.value
, mark
.mask
);
1869 DBG2(DBG_KNL
, "querying policy %R === %R %N", src_ts
, dst_ts
,
1870 policy_dir_names
, direction
);
1872 hdr
= (struct nlmsghdr
*)request
;
1873 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1874 hdr
->nlmsg_type
= XFRM_MSG_GETPOLICY
;
1875 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
1877 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
1878 policy_id
->sel
= ts2selector(src_ts
, dst_ts
);
1879 policy_id
->dir
= direction
;
1883 struct xfrm_mark
*mrk
;
1884 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_userpolicy_id
);
1886 rthdr
->rta_type
= XFRMA_MARK
;
1887 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_mark
));
1889 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1890 if (hdr
->nlmsg_len
> sizeof(request
))
1895 mrk
= (struct xfrm_mark
*)RTA_DATA(rthdr
);
1896 mrk
->v
= mark
.value
;
1900 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1903 while (NLMSG_OK(hdr
, len
))
1905 switch (hdr
->nlmsg_type
)
1907 case XFRM_MSG_NEWPOLICY
:
1909 policy
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
1914 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1915 DBG1(DBG_KNL
, "querying policy failed: %s (%d)",
1916 strerror(-err
->error
), -err
->error
);
1920 hdr
= NLMSG_NEXT(hdr
, len
);
1931 DBG2(DBG_KNL
, "unable to query policy %R === %R %N", src_ts
, dst_ts
,
1932 policy_dir_names
, direction
);
1937 if (policy
->curlft
.use_time
)
1939 /* we need the monotonic time, but the kernel returns system time. */
1940 *use_time
= time_monotonic(NULL
) - (time(NULL
) - policy
->curlft
.use_time
);
1951 METHOD(kernel_ipsec_t
, del_policy
, status_t
,
1952 private_kernel_netlink_ipsec_t
*this, traffic_selector_t
*src_ts
,
1953 traffic_selector_t
*dst_ts
, policy_dir_t direction
, mark_t mark
,
1956 policy_entry_t
*current
, policy
, *to_delete
= NULL
;
1957 route_entry_t
*route
;
1958 netlink_buf_t request
;
1959 struct nlmsghdr
*hdr
;
1960 struct xfrm_userpolicy_id
*policy_id
;
1964 DBG2(DBG_KNL
, "deleting policy %R === %R %N (mark %u/0x%8x)",
1965 src_ts
, dst_ts
, policy_dir_names
, direction
,
1966 mark
.value
, mark
.mask
);
1970 DBG2(DBG_KNL
, "deleting policy %R === %R %N",
1971 src_ts
, dst_ts
, policy_dir_names
, direction
);
1974 /* create a policy */
1975 memset(&policy
, 0, sizeof(policy_entry_t
));
1976 policy
.sel
= ts2selector(src_ts
, dst_ts
);
1977 policy
.mark
= mark
.value
& mark
.mask
;
1978 policy
.direction
= direction
;
1980 /* find the policy */
1981 this->mutex
->lock(this->mutex
);
1982 current
= this->policies
->get(this->policies
, &policy
);
1985 to_delete
= current
;
1986 if (--to_delete
->refcount
> 0)
1988 /* is used by more SAs, keep in kernel */
1989 DBG2(DBG_KNL
, "policy still used by another CHILD_SA, not removed");
1990 this->mutex
->unlock(this->mutex
);
1993 /* remove if last reference */
1994 this->policies
->remove(this->policies
, to_delete
);
1996 this->mutex
->unlock(this->mutex
);
2001 DBG1(DBG_KNL
, "deleting policy %R === %R %N (mark %u/0x%8x) "
2002 "failed, not found", src_ts
, dst_ts
, policy_dir_names
,
2003 direction
, mark
.value
, mark
.mask
);
2007 DBG1(DBG_KNL
, "deleting policy %R === %R %N failed, not found",
2008 src_ts
, dst_ts
, policy_dir_names
, direction
);
2013 memset(&request
, 0, sizeof(request
));
2015 hdr
= (struct nlmsghdr
*)request
;
2016 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
2017 hdr
->nlmsg_type
= XFRM_MSG_DELPOLICY
;
2018 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
2020 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
2021 policy_id
->sel
= to_delete
->sel
;
2022 policy_id
->dir
= direction
;
2026 struct xfrm_mark
*mrk
;
2027 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_userpolicy_id
);
2029 rthdr
->rta_type
= XFRMA_MARK
;
2030 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_mark
));
2031 hdr
->nlmsg_len
+= rthdr
->rta_len
;
2032 if (hdr
->nlmsg_len
> sizeof(request
))
2037 mrk
= (struct xfrm_mark
*)RTA_DATA(rthdr
);
2038 mrk
->v
= mark
.value
;
2042 route
= to_delete
->route
;
2045 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
2049 DBG1(DBG_KNL
, "unable to delete policy %R === %R %N "
2050 "(mark %u/0x%8x)", src_ts
, dst_ts
, policy_dir_names
,
2051 direction
, mark
.value
, mark
.mask
);
2055 DBG1(DBG_KNL
, "unable to delete policy %R === %R %N",
2056 src_ts
, dst_ts
, policy_dir_names
, direction
);
2063 if (hydra
->kernel_interface
->del_route(hydra
->kernel_interface
,
2064 route
->dst_net
, route
->prefixlen
, route
->gateway
,
2065 route
->src_ip
, route
->if_name
) != SUCCESS
)
2067 DBG1(DBG_KNL
, "error uninstalling route installed with "
2068 "policy %R === %R %N", src_ts
, dst_ts
,
2069 policy_dir_names
, direction
);
2071 route_entry_destroy(route
);
2076 METHOD(kernel_ipsec_t
, bypass_socket
, bool,
2077 private_kernel_netlink_ipsec_t
*this, int fd
, int family
)
2079 struct xfrm_userpolicy_info policy
;
2080 u_int sol
, ipsec_policy
;
2086 ipsec_policy
= IP_XFRM_POLICY
;
2090 ipsec_policy
= IPV6_XFRM_POLICY
;
2096 memset(&policy
, 0, sizeof(policy
));
2097 policy
.action
= XFRM_POLICY_ALLOW
;
2098 policy
.sel
.family
= family
;
2100 policy
.dir
= XFRM_POLICY_OUT
;
2101 if (setsockopt(fd
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
2103 DBG1(DBG_KNL
, "unable to set IPSEC_POLICY on socket: %s",
2107 policy
.dir
= XFRM_POLICY_IN
;
2108 if (setsockopt(fd
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
2110 DBG1(DBG_KNL
, "unable to set IPSEC_POLICY on socket: %s",
2117 METHOD(kernel_ipsec_t
, destroy
, void,
2118 private_kernel_netlink_ipsec_t
*this)
2120 enumerator_t
*enumerator
;
2121 policy_entry_t
*policy
;
2125 this->job
->cancel(this->job
);
2127 if (this->socket_xfrm_events
> 0)
2129 close(this->socket_xfrm_events
);
2131 DESTROY_IF(this->socket_xfrm
);
2132 enumerator
= this->policies
->create_enumerator(this->policies
);
2133 while (enumerator
->enumerate(enumerator
, &policy
, &policy
))
2137 enumerator
->destroy(enumerator
);
2138 this->policies
->destroy(this->policies
);
2139 this->mutex
->destroy(this->mutex
);
2144 * Described in header.
2146 kernel_netlink_ipsec_t
*kernel_netlink_ipsec_create()
2148 private_kernel_netlink_ipsec_t
*this;
2149 struct sockaddr_nl addr
;
2155 .get_spi
= _get_spi
,
2156 .get_cpi
= _get_cpi
,
2158 .update_sa
= _update_sa
,
2159 .query_sa
= _query_sa
,
2161 .add_policy
= _add_policy
,
2162 .query_policy
= _query_policy
,
2163 .del_policy
= _del_policy
,
2164 .bypass_socket
= _bypass_socket
,
2165 .destroy
= _destroy
,
2168 .policies
= hashtable_create((hashtable_hash_t
)policy_hash
,
2169 (hashtable_equals_t
)policy_equals
, 32),
2170 .mutex
= mutex_create(MUTEX_TYPE_DEFAULT
),
2171 .install_routes
= lib
->settings
->get_bool(lib
->settings
,
2172 "%s.install_routes", TRUE
,
2176 if (streq(hydra
->daemon
, "pluto"))
2177 { /* no routes for pluto, they are installed via updown script */
2178 this->install_routes
= FALSE
;
2181 /* disable lifetimes for allocated SPIs in kernel */
2182 fd
= open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY
);
2185 ignore_result(write(fd
, "165", 3));
2189 this->socket_xfrm
= netlink_socket_create(NETLINK_XFRM
);
2190 if (!this->socket_xfrm
)
2196 memset(&addr
, 0, sizeof(addr
));
2197 addr
.nl_family
= AF_NETLINK
;
2199 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
2200 this->socket_xfrm_events
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_XFRM
);
2201 if (this->socket_xfrm_events
<= 0)
2203 DBG1(DBG_KNL
, "unable to create XFRM event socket");
2207 addr
.nl_groups
= XFRMNLGRP(ACQUIRE
) | XFRMNLGRP(EXPIRE
) |
2208 XFRMNLGRP(MIGRATE
) | XFRMNLGRP(MAPPING
);
2209 if (bind(this->socket_xfrm_events
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2211 DBG1(DBG_KNL
, "unable to bind XFRM event socket");
2215 this->job
= callback_job_create((callback_job_cb_t
)receive_events
,
2217 lib
->processor
->queue_job(lib
->processor
, (job_t
*)this->job
);
2219 return &this->public;