Removed strayed code fragment
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
index 2b7bbe4..8a7883c 100644 (file)
 #include <sys/types.h>
 #include <sys/socket.h>
 
+#ifdef __FreeBSD__
+#include <limits.h> /* for LONG_MAX */
+#endif
+
 #ifdef HAVE_NET_PFKEYV2_H
 #include <net/pfkeyv2.h>
 #else
 #endif
 
 #ifdef HAVE_NATT
-#ifdef HAVE_NETINET_UDP_H
-#include <netinet/udp.h>
-#else
+#ifdef HAVE_LINUX_UDP_H
 #include <linux/udp.h>
-#endif /*HAVE_NETINET_UDP_H*/
+#else
+#include <netinet/udp.h>
+#endif /*HAVE_LINUX_UDP_H*/
 #endif /*HAVE_NATT*/
 
 #include <unistd.h>
-#include <pthread.h>
+#include <time.h>
 #include <errno.h>
 
 #include "kernel_pfkey_ipsec.h"
 
 #include <daemon.h>
 #include <utils/host.h>
-#include <utils/mutex.h>
+#include <threading/thread.h>
+#include <threading/mutex.h>
 #include <processing/jobs/callback_job.h>
 #include <processing/jobs/acquire_job.h>
 #include <processing/jobs/migrate_job.h>
@@ -89,7 +94,7 @@
 #define IP_IPSEC_POLICY 16
 #endif
 
-/* missing on uclibc */
+/** missing on uclibc */
 #ifndef IPV6_IPSEC_POLICY
 #define IPV6_IPSEC_POLICY 34
 #endif
 #define PRIO_LOW 3000
 #define PRIO_HIGH 2000
 
+#ifdef __APPLE__
+/** from xnu/bsd/net/pfkeyv2.h */
+#define SADB_X_EXT_NATT 0x002
+       struct sadb_sa_2 {
+               struct sadb_sa  sa;
+               u_int16_t               sadb_sa_natt_port;
+               u_int16_t               sadb_reserved0;
+               u_int32_t               sadb_reserved1;
+       };
+#endif
+
 /** buffer size for PF_KEY messages */
 #define PFKEY_BUFFER_SIZE 4096
 
@@ -136,42 +152,42 @@ struct private_kernel_pfkey_ipsec_t
         * Public part of the kernel_pfkey_t object.
         */
        kernel_pfkey_ipsec_t public;
-       
+
        /**
         * mutex to lock access to various lists
         */
        mutex_t *mutex;
-       
+
        /**
         * List of installed policies (policy_entry_t)
         */
        linked_list_t *policies;
-       
+
        /**
         * whether to install routes along policies
         */
        bool install_routes;
-       
+
        /**
         * job receiving PF_KEY events
         */
        callback_job_t *job;
-       
+
        /**
         * mutex to lock access to the PF_KEY socket
         */
        mutex_t *mutex_pfkey;
-       
+
        /**
         * PF_KEY socket to communicate with the kernel
         */
        int socket;
-       
+
        /**
         * PF_KEY socket to receive acquire and expire events
         */
        int socket_events;
-       
+
        /**
         * sequence number for messages sent to the kernel
         */
@@ -186,10 +202,10 @@ typedef struct route_entry_t route_entry_t;
 struct route_entry_t {
        /** Name of the interface the route is bound to */
        char *if_name;
-       
+
        /** Source ip of the route */
        host_t *src_ip;
-       
+
        /** gateway for this route */
        host_t *gateway;
 
@@ -218,16 +234,16 @@ typedef struct policy_entry_t policy_entry_t;
  * installed kernel policy.
  */
 struct policy_entry_t {
-       
+
        /** reqid of this policy */
        u_int32_t reqid;
-       
+
        /** index assigned by the kernel */
        u_int32_t index;
-       
+
        /** direction of this policy: in, out, forward */
        u_int8_t direction;
-       
+
        /** parameters of installed policy */
        struct {
                /** subnet and port */
@@ -237,10 +253,10 @@ struct policy_entry_t {
                /** protocol */
                u_int8_t proto;
        } src, dst;
-       
+
        /** associated route installed for this policy */
        route_entry_t *route;
-       
+
        /** by how many CHILD_SA's this policy is used */
        u_int refcount;
 };
@@ -257,15 +273,15 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
        policy->direction = dir;
        policy->route = NULL;
        policy->refcount = 0;
-       
+
        src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
        dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
-       
+
        /* src or dest proto may be "any" (0), use more restrictive one */
        policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
        policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
        policy->dst.proto = policy->src.proto;
-       
+
        return policy;
 }
 
@@ -313,7 +329,7 @@ struct pfkey_msg_t
         * PF_KEY message base
         */
        struct sadb_msg *msg;
-       
+
        /**
         * PF_KEY message extensions
         */
@@ -442,7 +458,7 @@ static u_int8_t mode2kernel(ipsec_mode_t mode)
                        return IPSEC_MODE_TRANSPORT;
                case MODE_TUNNEL:
                        return IPSEC_MODE_TUNNEL;
-#ifdef IPSEC_MODE_BEET
+#ifdef HAVE_IPSEC_MODE_BEET
                case MODE_BEET:
                        return IPSEC_MODE_BEET;
 #endif
@@ -462,12 +478,12 @@ static u_int8_t dir2kernel(policy_dir_t dir)
                        return IPSEC_DIR_INBOUND;
                case POLICY_OUT:
                        return IPSEC_DIR_OUTBOUND;
-#ifdef IPSEC_DIR_FWD
+#ifdef HAVE_IPSEC_DIR_FWD
                case POLICY_FWD:
                        return IPSEC_DIR_FWD;
 #endif
                default:
-                       return dir;
+                       return IPSEC_DIR_INVALID;
        }
 }
 
@@ -483,7 +499,7 @@ static policy_dir_t kernel2dir(u_int8_t  dir)
                        return POLICY_IN;
                case IPSEC_DIR_OUTBOUND:
                        return POLICY_OUT;
-#ifdef IPSEC_DIR_FWD
+#ifdef HAVE_IPSEC_DIR_FWD
                case IPSEC_DIR_FWD:
                        return POLICY_FWD;
 #endif
@@ -503,7 +519,7 @@ struct kernel_algorithm_t {
         * Identifier specified in IKEv2
         */
        int ikev2;
-       
+
        /**
         * Identifier as defined in pfkeyv2.h
         */
@@ -637,19 +653,19 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
 {
        struct sadb_x_nat_t_type* nat_type;
        struct sadb_x_nat_t_port* nat_port;
-       
+
        nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
        nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
        nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
        nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
        PFKEY_EXT_ADD(msg, nat_type);
-       
+
        nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
        nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
        nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
        nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
        PFKEY_EXT_ADD(msg, nat_port);
-       
+
        nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
        nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
        nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
@@ -667,8 +683,8 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
        host_t *host;
 
        /* The Linux 2.6 kernel does not set the protocol and port information
-     * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
-     */
+        * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
+        */
        host = host_create_from_sockaddr((sockaddr_t*)&address[1])      ;
        ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
                                address->sadb_address_proto, host->get_port(host));
@@ -682,18 +698,18 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 {
        struct sadb_ext* ext;
        size_t len;
-       
+
        memset(out, 0, sizeof(pfkey_msg_t));
        out->msg = msg;
-       
+
        len = msg->sadb_msg_len;
        len -= PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
-       
+
        while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
        {
-               DBG2(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
+               DBG3(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
                if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
                        ext->sadb_ext_len > len)
                {
@@ -701,20 +717,20 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
                                                   sadb_ext_type_names, ext->sadb_ext_type);
                        break;
                }
-               
+
                if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
                {
                        DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
                        break;
                }
-               
+
                if (out->ext[ext->sadb_ext_type])
                {
                        DBG1(DBG_KNL, "duplicate %N extension",
                                                   sadb_ext_type_names, ext->sadb_ext_type);
                        break;
                }
-               
+
                out->ext[ext->sadb_ext_type] = ext;
                ext = PFKEY_EXT_NEXT_LEN(ext, len);
        }
@@ -724,7 +740,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
                DBG1(DBG_KNL, "PF_KEY message length is invalid");
                return FAILED;
        }
-       
+
        return SUCCESS;
 }
 
@@ -737,9 +753,11 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
        unsigned char buf[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg;
        int in_len, len;
-       
+
        this->mutex_pfkey->lock(this->mutex_pfkey);
 
+       /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
+        * in particular the behavior in response to an SADB_ACQUIRE. */
        in->sadb_msg_seq = ++this->seq;
        in->sadb_msg_pid = getpid();
 
@@ -762,13 +780,13 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
                }
                break;
        }
-       
+
        while (TRUE)
        {
                msg = (struct sadb_msg*)buf;
-               
+
                len = recv(socket, buf, sizeof(buf), 0);
-               
+
                if (len < 0)
                {
                        if (errno == EINTR)
@@ -801,14 +819,23 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
                }
                if (msg->sadb_msg_seq != this->seq)
                {
-                       DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
-                                       "was %d expected %d", msg->sadb_msg_seq, this->seq);
-                       if (msg->sadb_msg_seq < this->seq)
+                       DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
+                                "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
+                       if (msg->sadb_msg_seq == 0)
+                       {
+                               /* FreeBSD and Mac OS X do this for the response to
+                                * SADB_X_SPDGET (but not for the response to SADB_GET).
+                                * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
+                       }
+                       else if (msg->sadb_msg_seq < this->seq)
                        {
                                continue;
                        }
-                       this->mutex_pfkey->unlock(this->mutex_pfkey);
-                       return FAILED;
+                       else
+                       {
+                               this->mutex_pfkey->unlock(this->mutex_pfkey);
+                               return FAILED;
+                       }
                }
                if (msg->sadb_msg_type != in->sadb_msg_type)
                {
@@ -818,13 +845,13 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
                }
                break;
        }
-       
+
        *out_len = len;
        *out = (struct sadb_msg*)malloc(len);
        memcpy(*out, buf, len);
-       
+
        this->mutex_pfkey->unlock(this->mutex_pfkey);
-       
+
        return SUCCESS;
 }
 
@@ -847,7 +874,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        traffic_selector_t *src_ts, *dst_ts;
        policy_entry_t *policy;
        job_t *job;
-       
+
        switch (msg->sadb_msg_satype)
        {
                case SADB_SATYPE_UNSPEC:
@@ -859,13 +886,13 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
                        return;
        }
        DBG2(DBG_KNL, "received an SADB_ACQUIRE");
-       
+
        if (parse_pfkey_message(msg, &response) != SUCCESS)
        {
                DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
                return;
        }
-       
+
        index = response.x_policy->sadb_x_policy_id;
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -881,7 +908,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        src_ts = sadb_address2ts(response.src);
        dst_ts = sadb_address2ts(response.dst);
        this->mutex->unlock(this->mutex);
-       
+
        DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
                                   src_ts, dst_ts, reqid);
        job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
@@ -898,27 +925,27 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        u_int32_t spi, reqid;
        bool hard;
        job_t *job;
-       
+
        DBG2(DBG_KNL, "received an SADB_EXPIRE");
-       
+
        if (parse_pfkey_message(msg, &response) != SUCCESS)
        {
                DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
                return;
        }
-       
+
        protocol = proto_satype2ike(msg->sadb_msg_satype);
        spi = response.sa->sadb_sa_spi;
        reqid = response.x_sa2->sadb_x_sa2_reqid;
        hard = response.lft_hard != NULL;
-       
+
        if (protocol != PROTO_ESP && protocol != PROTO_AH)
        {
                DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
                                          "which is not a CHILD_SA", ntohl(spi), reqid);
                return;
        }
-       
+
        DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
                 hard ? "delete" : "rekey",  protocol_id_names,
                 protocol, ntohl(spi), reqid);
@@ -958,7 +985,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
        DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
                                         policy_dir_names, dir);
-       
+
        /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
        if (response.x_kmaddress)
        {
@@ -973,7 +1000,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
                remote = host_create_from_sockaddr(remote_addr);
                DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
        }
-       
+
        if (src_ts && dst_ts && local && remote)
        {
                DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
@@ -1002,24 +1029,24 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        u_int32_t spi, reqid;
        host_t *host;
        job_t *job;
-       
+
        DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
-       
+
        if (parse_pfkey_message(msg, &response) != SUCCESS)
        {
                DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
                return;
        }
-       
+
        if (!response.x_sa2)
        {
                DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
                return;
        }
-       
+
        spi = response.sa->sadb_sa_spi;
        reqid = response.x_sa2->sadb_x_sa2_reqid;
-       
+
        if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
        {
                sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
@@ -1057,12 +1084,13 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 {
        unsigned char buf[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg = (struct sadb_msg*)buf;
-       int len, oldstate;
-       
-       pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+       int len;
+       bool oldstate;
+
+       oldstate = thread_cancelability(TRUE);
        len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
-       pthread_setcancelstate(oldstate, NULL);
-       
+       thread_cancelability(oldstate);
+
        if (len < 0)
        {
                switch (errno)
@@ -1079,7 +1107,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
                                return JOB_REQUEUE_FAIR;
                }
        }
-       
+
        if (len < sizeof(struct sadb_msg) ||
                msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
        {
@@ -1095,7 +1123,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
                DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
                return JOB_REQUEUE_DIRECT;
        }
-       
+
        switch (msg->sadb_msg_type)
        {
                case SADB_ACQUIRE:
@@ -1117,17 +1145,13 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
                default:
                        break;
        }
-       
+
        return JOB_REQUEUE_DIRECT;
 }
 
-/**
- * Implementation of kernel_interface_t.get_spi.
- */
-static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
-                                               host_t *src, host_t *dst,
-                                               protocol_id_t protocol, u_int32_t reqid,
-                                               u_int32_t *spi)
+METHOD(kernel_ipsec_t, get_spi, status_t,
+       private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+       protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -1136,31 +1160,31 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
        pfkey_msg_t response;
        u_int32_t received_spi = 0;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_GETSPI;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
        sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
        sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
        sa2->sadb_x_sa2_reqid = reqid;
        PFKEY_EXT_ADD(msg, sa2);
-       
+
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-       
+
        range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
        range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
        range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
        range->sadb_spirange_min = 0xc0000000;
        range->sadb_spirange_max = 0xcFFFFFFF;
        PFKEY_EXT_ADD(msg, range);
-       
+
        if (pfkey_send(this, msg, &out, &len) == SUCCESS)
        {
                if (out->sadb_msg_errno)
@@ -1174,37 +1198,29 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
                }
                free(out);
        }
-       
+
        if (received_spi == 0)
        {
                return FAILED;
        }
-       
+
        *spi = received_spi;
        return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.get_cpi.
- */
-static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
-                                               host_t *src, host_t *dst,
-                                               u_int32_t reqid, u_int16_t *cpi)
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+       private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+       u_int32_t reqid, u_int16_t *cpi)
 {
        return FAILED;
 }
 
-/**
- * Implementation of kernel_interface_t.add_sa.
- */
-static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
-                                          host_t *src, host_t *dst, u_int32_t spi,
-                                          protocol_id_t protocol, u_int32_t reqid,
-                                          u_int64_t expire_soft, u_int64_t expire_hard,
-                                          u_int16_t enc_alg, chunk_t enc_key,
-                                          u_int16_t int_alg, chunk_t int_key,
-                                          ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-                                          bool encap, bool inbound)
+METHOD(kernel_ipsec_t, add_sa, status_t,
+       private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
+       protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime,
+       u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key,
+       ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
+       bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -1213,48 +1229,69 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
        struct sadb_lifetime *lft;
        struct sadb_key *key;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
-       sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+
+#ifdef __APPLE__
+       if (encap)
+       {
+               struct sadb_sa_2 *sa_2;
+               sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+               sa_2->sadb_sa_natt_port = dst->get_port(dst);
+               sa = &sa_2->sa;
+               sa->sadb_sa_flags |= SADB_X_EXT_NATT;
+               len = sizeof(struct sadb_sa_2);
+       }
+       else
+#endif
+       {
+               sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+               len = sizeof(struct sadb_sa);
+       }
        sa->sadb_sa_exttype = SADB_EXT_SA;
-       sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+       sa->sadb_sa_len = PFKEY_LEN(len);
        sa->sadb_sa_spi = spi;
        sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
        sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
        sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
        PFKEY_EXT_ADD(msg, sa);
-       
+
        sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
        sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
        sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
        sa2->sadb_x_sa2_mode = mode2kernel(mode);
        sa2->sadb_x_sa2_reqid = reqid;
        PFKEY_EXT_ADD(msg, sa2);
-       
+
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-       
+
        lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
        lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
        lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-       lft->sadb_lifetime_addtime = expire_soft;
+       lft->sadb_lifetime_allocations = lifetime->packets.rekey;
+       lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
+       lft->sadb_lifetime_addtime = lifetime->time.rekey;
+       lft->sadb_lifetime_usetime = 0; /* we only use addtime */
        PFKEY_EXT_ADD(msg, lft);
-       
+
        lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
        lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
        lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
-       lft->sadb_lifetime_addtime = expire_hard;
+       lft->sadb_lifetime_allocations = lifetime->packets.life;
+       lft->sadb_lifetime_bytes = lifetime->bytes.life;
+       lft->sadb_lifetime_addtime = lifetime->time.life;
+       lft->sadb_lifetime_usetime = 0; /* we only use addtime */
        PFKEY_EXT_ADD(msg, lft);
-       
+
        if (enc_alg != ENCR_UNDEFINED)
        {
                if (!sa->sadb_sa_encrypt)
@@ -1265,16 +1302,16 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
                }
                DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
                         encryption_algorithm_names, enc_alg, enc_key.len * 8);
-               
+
                key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
                key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
                key->sadb_key_bits = enc_key.len * 8;
                key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
                memcpy(key + 1, enc_key.ptr, enc_key.len);
-               
+
                PFKEY_EXT_ADD(msg, key);
        }
-       
+
        if (int_alg != AUTH_UNDEFINED)
        {
                if (!sa->sadb_sa_auth)
@@ -1285,16 +1322,16 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
                }
                DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
                         integrity_algorithm_names, int_alg, int_key.len * 8);
-               
+
                key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
                key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
                key->sadb_key_bits = int_key.len * 8;
                key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
                memcpy(key + 1, int_key.ptr, int_key.len);
-               
+
                PFKEY_EXT_ADD(msg, key);
        }
-       
+
        if (ipcomp != IPCOMP_NONE)
        {
                /*TODO*/
@@ -1306,7 +1343,7 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
                add_encap_ext(msg, src, dst);
        }
 #endif /*HAVE_NATT*/
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
@@ -1319,26 +1356,22 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        free(out);
        return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.update_sa.
- */
-static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
-                                                 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-                                                 host_t *src, host_t *dst,
-                                                 host_t *new_src, host_t *new_dst,
-                                                 bool encap, bool new_encap)
+METHOD(kernel_ipsec_t, update_sa, status_t,
+       private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+       u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
+       bool encap, bool new_encap)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
        struct sadb_sa *sa;
        pfkey_msg_t response;
        size_t len;
-       
+
        /* we can't update the SA if any of the ip addresses have changed.
         * that's because we can't use SADB_UPDATE and by deleting and readding the
         * SA the sequence numbers would get lost */
@@ -1349,28 +1382,28 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
                                " are not supported", ntohl(spi));
                return NOT_SUPPORTED;
        }
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_GET;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_spi = spi;
        PFKEY_EXT_ADD(msg, sa);
-       
+
        /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
         * it is not used for anything. */
        add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
@@ -1391,32 +1424,46 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
                 ntohl(spi), src, dst, new_src, new_dst);
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_UPDATE;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
+#ifdef __APPLE__
+       {
+               struct sadb_sa_2 *sa_2;
+               sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+               sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
+               memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
+               if (encap)
+               {
+                       sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
+                       sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
+               }
+       }
+#else
        PFKEY_EXT_COPY(msg, response.sa);
+#endif
        PFKEY_EXT_COPY(msg, response.x_sa2);
-       
+
        PFKEY_EXT_COPY(msg, response.src);
        PFKEY_EXT_COPY(msg, response.dst);
-       
+
        PFKEY_EXT_COPY(msg, response.lft_soft);
        PFKEY_EXT_COPY(msg, response.lft_hard);
-       
+
        if (response.key_encr)
        {
                PFKEY_EXT_COPY(msg, response.key_encr);
        }
-       
+
        if (response.key_auth)
        {
                PFKEY_EXT_COPY(msg, response.key_auth);
@@ -1428,9 +1475,9 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
                add_encap_ext(msg, new_src, new_dst);
        }
 #endif /*HAVE_NATT*/
-       
+
        free(out);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
@@ -1444,42 +1491,97 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
                return FAILED;
        }
        free(out);
-       
+
        return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.del_sa.
- */
-static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
-                                          host_t *dst, u_int32_t spi, protocol_id_t protocol,
-                                          u_int16_t cpi)
+METHOD(kernel_ipsec_t, query_sa, status_t,
+       private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+       u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
        struct sadb_sa *sa;
+       pfkey_msg_t response;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
+       DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+       msg = (struct sadb_msg*)request;
+       msg->sadb_msg_version = PF_KEY_V2;
+       msg->sadb_msg_type = SADB_GET;
+       msg->sadb_msg_satype = proto_ike2satype(protocol);
+       msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+       sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+       sa->sadb_sa_exttype = SADB_EXT_SA;
+       sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+       sa->sadb_sa_spi = spi;
+       PFKEY_EXT_ADD(msg, sa);
+
+       /* the Linux Kernel doesn't care for the src address, but other systems do
+        * (e.g. FreeBSD)
+        */
+       add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+       add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+       if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+       {
+               DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+               return FAILED;
+       }
+       else if (out->sadb_msg_errno)
+       {
+               DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+                               ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+               free(out);
+               return FAILED;
+       }
+       else if (parse_pfkey_message(out, &response) != SUCCESS)
+       {
+               DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+               free(out);
+               return FAILED;
+       }
+       *bytes = response.lft_current->sadb_lifetime_bytes;
+
+       free(out);
+       return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+       private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+       u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+{
+       unsigned char request[PFKEY_BUFFER_SIZE];
+       struct sadb_msg *msg, *out;
+       struct sadb_sa *sa;
+       size_t len;
+
+       memset(&request, 0, sizeof(request));
+
        DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_DELETE;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_spi = spi;
        PFKEY_EXT_ADD(msg, sa);
-       
-       /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */
+
+       /* the Linux Kernel doesn't care for the src address, but other systems do
+        * (e.g. FreeBSD)
+        */
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
@@ -1492,23 +1594,18 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
                free(out);
                return FAILED;
        }
-       
+
        DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
        free(out);
        return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.add_policy.
- */
-static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
-                                                  host_t *src, host_t *dst,
-                                                  traffic_selector_t *src_ts,
-                                                  traffic_selector_t *dst_ts,
-                                                  policy_dir_t direction, u_int32_t spi,
-                                                  protocol_id_t protocol, u_int32_t reqid,
-                                                  ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
-                                                  bool routed)
+METHOD(kernel_ipsec_t, add_policy, status_t,
+       private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+       traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+       policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+       u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+       bool routed)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -1517,10 +1614,16 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
        policy_entry_t *policy, *found = NULL;
        pfkey_msg_t response;
        size_t len;
-       
+
+       if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+       {
+               /* FWD policies are not supported on all platforms */
+               return SUCCESS;
+       }
+
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
-       
+
        /* find a matching policy */
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -1540,18 +1643,18 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                this->policies->insert_last(this->policies, policy);
                policy->refcount = 1;
        }
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
        msg->sadb_msg_satype = 0;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
        pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
        pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
@@ -1565,7 +1668,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
        pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
        pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
 #endif
-       
+
        /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
        req = (struct sadb_x_ipsecrequest*)(pol + 1);
        req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
@@ -1585,17 +1688,29 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
                req->sadb_x_ipsecrequest_len += sl * 2;
        }
-       
+
        pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
        PFKEY_EXT_ADD(msg, pol);
-       
+
        add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
                                 policy->src.mask);
        add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
                                 policy->dst.mask);
-       
+
+#ifdef __FreeBSD__
+       {       /* on FreeBSD a lifetime has to be defined to be able to later query
+                * the current use time. */
+               struct sadb_lifetime *lft;
+               lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+               lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+               lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+               lft->sadb_lifetime_addtime = LONG_MAX;
+               PFKEY_EXT_ADD(msg, lft);
+       }
+#endif
+
        this->mutex->unlock(this->mutex);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
@@ -1617,9 +1732,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        this->mutex->lock(this->mutex);
-       
+
        /* we try to find the policy again and update the kernel index */
        if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
        {
@@ -1631,7 +1746,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
        }
        policy->index = response.x_policy->sadb_x_policy_id;
        free(out);
-       
+
        /* install a route, if:
         * - we are NOT updating a policy
         * - this is a forward policy (to just get one for each child)
@@ -1644,7 +1759,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                this->install_routes)
        {
                route_entry_t *route = malloc_thing(route_entry_t);
-               
+
                if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
                                dst_ts, &route->src_ip) == SUCCESS)
                {
@@ -1655,7 +1770,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                                                                        charon->kernel_interface, dst);
                        route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
                        route->prefixlen = policy->src.mask;
-                       
+
                        switch (charon->kernel_interface->add_route(charon->kernel_interface,
                                        route->dst_net, route->prefixlen, route->gateway,
                                        route->src_ip, route->if_name))
@@ -1679,19 +1794,15 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                        free(route);
                }
        }
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.query_policy.
- */
-static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
-                                                        traffic_selector_t *src_ts,
-                                                        traffic_selector_t *dst_ts,
-                                                        policy_dir_t direction, u_int32_t *use_time)
+METHOD(kernel_ipsec_t, query_policy, status_t,
+       private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
+       traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -1699,13 +1810,19 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
        policy_entry_t *policy, *found = NULL;
        pfkey_msg_t response;
        size_t len;
-       
+
+       if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+       {
+               /* FWD policies are not supported on all platforms */
+               return NOT_FOUND;
+       }
+
        DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
 
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction, 0);
-       
+
        /* find a matching policy */
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -1719,15 +1836,15 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
        }
        policy_entry_destroy(policy);
        policy = found;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_X_SPDGET;
        msg->sadb_msg_satype = 0;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
        pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
        pol->sadb_x_policy_id = policy->index;
@@ -1735,14 +1852,14 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
        pol->sadb_x_policy_dir = dir2kernel(direction);
        pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
        PFKEY_EXT_ADD(msg, pol);
-       
+
        add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
                                 policy->src.mask);
        add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
                                 policy->dst.mask);
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
@@ -1764,21 +1881,31 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
-       *use_time = response.lft_current->sadb_lifetime_usetime;
-       
+       else if (response.lft_current == NULL)
+       {
+               DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
+                        "use time", src_ts, dst_ts, policy_dir_names, direction);
+               free(out);
+               return FAILED;
+       }
+       /* we need the monotonic time, but the kernel returns system time. */
+       if (response.lft_current->sadb_lifetime_usetime)
+       {
+               *use_time = time_monotonic(NULL) -
+                                       (time(NULL) - response.lft_current->sadb_lifetime_usetime);
+       }
+       else
+       {
+               *use_time = 0;
+       }
        free(out);
-       
+
        return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.del_policy.
- */
-static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
-                                                  traffic_selector_t *src_ts,
-                                                  traffic_selector_t *dst_ts,
-                                                  policy_dir_t direction, bool unrouted)
+METHOD(kernel_ipsec_t, del_policy, status_t,
+       private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
+       traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -1786,13 +1913,19 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
        policy_entry_t *policy, *found = NULL;
        route_entry_t *route;
        size_t len;
-       
+
+       if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+       {
+               /* FWD policies are not supported on all platforms */
+               return SUCCESS;
+       }
+
        DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
-       
+
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction, 0);
-       
+
        /* find a matching policy */
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -1820,31 +1953,31 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                return NOT_FOUND;
        }
        this->mutex->unlock(this->mutex);
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_X_SPDDELETE;
        msg->sadb_msg_satype = 0;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
        pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
        pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
        pol->sadb_x_policy_dir = dir2kernel(direction);
        pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
        PFKEY_EXT_ADD(msg, pol);
-       
+
        add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
                                 policy->src.mask);
        add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
                                 policy->dst.mask);
-       
+
        route = policy->route;
        policy->route = NULL;
        policy_entry_destroy(policy);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
@@ -1860,7 +1993,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                return FAILED;
        }
        free(out);
-       
+
        if (route)
        {
                if (charon->kernel_interface->del_route(charon->kernel_interface,
@@ -1873,27 +2006,28 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                }
                route_entry_destroy(route);
        }
-       
+
        return SUCCESS;
 }
 
 /**
  * Register a socket for AQUIRE/EXPIRE messages
  */
-static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
+static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
+                                                                         u_int8_t satype)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_REGISTER;
        msg->sadb_msg_satype = satype;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to register PF_KEY socket");
@@ -1910,77 +2044,71 @@ static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8
        return SUCCESS;
 }
 
-/**
- * Implementation of kernel_interface_t.destroy.
- */
-static void destroy(private_kernel_pfkey_ipsec_t *this)
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+       private_kernel_pfkey_ipsec_t *this, int fd, int family)
 {
-       this->job->cancel(this->job);
-       close(this->socket);
-       close(this->socket_events);
-       this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
-       this->mutex->destroy(this->mutex);
-       this->mutex_pfkey->destroy(this->mutex_pfkey);
-       free(this);
-}
+       struct sadb_x_policy policy;
+       u_int sol, ipsec_policy;
 
-/**
- * Add bypass policies for IKE on the sockets of charon
- */
-static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
-{
-       int fd, family, port;
-       enumerator_t *sockets;
-       bool status = TRUE;
-       
-       sockets = charon->socket->create_enumerator(charon->socket);
-       while (sockets->enumerate(sockets, &fd, &family, &port))
-       {
-               struct sadb_x_policy policy;
-               u_int sol, ipsec_policy;
-               
-               switch (family)
-               {
-                       case AF_INET:
-                       {
-                               sol = SOL_IP;
-                               ipsec_policy = IP_IPSEC_POLICY;
-                               break;
-                       }
-                       case AF_INET6:
-                       {
-                               sol = SOL_IPV6;
-                               ipsec_policy = IPV6_IPSEC_POLICY;
-                               break;
-                       }
-                       default:
-                               continue;
-               }
-               
-               memset(&policy, 0, sizeof(policy));
-               policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
-               policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-               policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-               
-               policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
-               if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+       switch (family)
+       {
+               case AF_INET:
                {
-                       DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-                                strerror(errno));
-                       status = FALSE;
+                       sol = SOL_IP;
+                       ipsec_policy = IP_IPSEC_POLICY;
                        break;
                }
-               policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-               if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+               case AF_INET6:
                {
-                       DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-                                strerror(errno));
-                       status = FALSE;
+                       sol = SOL_IPV6;
+                       ipsec_policy = IPV6_IPSEC_POLICY;
                        break;
                }
+               default:
+                       return FALSE;
+       }
+
+       memset(&policy, 0, sizeof(policy));
+       policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+       policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+       policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+
+       policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+       if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+       {
+               DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+                        strerror(errno));
+               return FALSE;
+       }
+       policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+       if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+       {
+               DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+                        strerror(errno));
+               return FALSE;
+       }
+       return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+       private_kernel_pfkey_ipsec_t *this)
+{
+       if (this->job)
+       {
+               this->job->cancel(this->job);
+       }
+       if (this->socket > 0)
+       {
+               close(this->socket);
+       }
+       if (this->socket_events > 0)
+       {
+               close(this->socket_events);
        }
-       sockets->destroy(sockets);
-       return status;
+       this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+       this->mutex->destroy(this->mutex);
+       this->mutex_pfkey->destroy(this->mutex_pfkey);
+       free(this);
 }
 
 /*
@@ -1988,58 +2116,60 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
  */
 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 {
-       private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
-       
-       /* public functions */
-       this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
-       this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
-       this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
-       this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
-       this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
-       this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
-       this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-       
-       this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
-
-       /* private members */
-       this->policies = linked_list_create();
-       this->mutex = mutex_create(MUTEX_DEFAULT);
-       this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
-       this->install_routes = lib->settings->get_bool(lib->settings,
-                                                                                               "charon.install_routes", TRUE);
-       this->seq = 0;
-       
+       private_kernel_pfkey_ipsec_t *this;
+
+       INIT(this,
+               .public.interface = {
+                       .get_spi = _get_spi,
+                       .get_cpi = _get_cpi,
+                       .add_sa  = _add_sa,
+                       .update_sa = _update_sa,
+                       .query_sa = _query_sa,
+                       .del_sa = _del_sa,
+                       .add_policy = _add_policy,
+                       .query_policy = _query_policy,
+                       .del_policy = _del_policy,
+                       .bypass_socket = _bypass_socket,
+                       .destroy = _destroy,
+               },
+               .policies = linked_list_create(),
+               .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+               .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
+               .install_routes = lib->settings->get_bool(lib->settings,
+                                                                                               "charon.install_routes", TRUE),
+       );
+
        /* create a PF_KEY socket to communicate with the kernel */
        this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
        if (this->socket <= 0)
        {
-               charon->kill(charon, "unable to create PF_KEY socket");
+               DBG1(DBG_KNL, "unable to create PF_KEY socket");
+               destroy(this);
+               return NULL;
        }
-       
+
        /* create a PF_KEY socket for ACQUIRE & EXPIRE */
        this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
        if (this->socket_events <= 0)
        {
-               charon->kill(charon, "unable to create PF_KEY event socket");
-       }
-       
-       /* add bypass policies on the sockets used by charon */
-       if (!add_bypass_policies(this))
-       {
-               charon->kill(charon, "unable to add bypass policies on sockets");
+               DBG1(DBG_KNL, "unable to create PF_KEY event socket");
+               destroy(this);
+               return NULL;
        }
-       
+
        /* register the event socket */
        if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
                register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
        {
-               charon->kill(charon, "unable to register PF_KEY event socket");
+               DBG1(DBG_KNL, "unable to register PF_KEY event socket");
+               destroy(this);
+               return NULL;
        }
-       
+
        this->job = callback_job_create((callback_job_cb_t)receive_events,
                                                                        this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        return &this->public;
 }
+