kernel-libipsec: Track policies and automatically install routes
authorTobias Brunner <tobias@strongswan.org>
Tue, 11 Jun 2013 16:53:28 +0000 (18:53 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 21 Jun 2013 15:03:20 +0000 (17:03 +0200)
The routes direct traffic matching the remote traffic selector to the
TUN device.

If the remote traffic selector includes the IKE peer a very specific route
is installed to allow IKE traffic.

src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c

index c7fc56b..efa519a 100644 (file)
@@ -18,6 +18,7 @@
 #include <ipsec.h>
 #include <hydra.h>
 #include <networking/tun_device.h>
+#include <threading/mutex.h>
 #include <utils/debug.h>
 
 typedef struct private_kernel_libipsec_ipsec_t private_kernel_libipsec_ipsec_t;
@@ -38,9 +39,174 @@ struct private_kernel_libipsec_ipsec_t {
         * TUN device
         */
        tun_device_t *tun;
+
+       /**
+        * Mutex to lock access to various lists
+        */
+       mutex_t *mutex;
+
+       /**
+        * List of installed policies (policy_entry_t)
+        */
+       linked_list_t *policies;
+
+       /**
+        * List of exclude routes (exclude_route_t)
+        */
+       linked_list_t *excludes;
+};
+
+typedef struct exclude_route_t exclude_route_t;
+
+/**
+ * Exclude route definition
+ */
+struct exclude_route_t {
+       /** Destination address to exclude */
+       host_t *dst;
+       /** Source address for route */
+       host_t *src;
+       /** Nexthop exclude has been installed */
+       host_t *gtw;
+       /** References to this route */
+       int refs;
 };
 
 /**
+ * Clean up an exclude route entry
+ */
+static void exclude_route_destroy(exclude_route_t *this)
+{
+       this->dst->destroy(this->dst);
+       this->src->destroy(this->src);
+       this->gtw->destroy(this->gtw);
+       free(this);
+}
+
+/**
+ * Find an exclude route entry by destination address
+ */
+static bool exclude_route_match(exclude_route_t *current,
+                                                               host_t *dst)
+{
+       return dst->ip_equals(dst, current->dst);
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * Installed routing entry
+ */
+struct route_entry_t {
+       /** Name of the interface the route is bound to */
+       char *if_name;
+       /** Source ip of the route */
+       host_t *src_ip;
+       /** Destination net */
+       chunk_t dst_net;
+       /** Destination net prefixlen */
+       u_int8_t prefixlen;
+       /** Reference to exclude route, if any */
+       exclude_route_t *exclude;
+};
+
+/**
+ * Destroy a route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+       free(this->if_name);
+       DESTROY_IF(this->src_ip);
+       chunk_free(&this->dst_net);
+       free(this);
+}
+
+/**
+ * Compare two route_entry_t objects
+ */
+static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
+{
+       return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
+                  a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
+                  chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * Installed policy
+ */
+struct policy_entry_t {
+       /** Direction of this policy: in, out, forward */
+       u_int8_t direction;
+       /** Parameters of installed policy */
+       struct {
+               /** Subnet and port */
+               host_t *net;
+               /** Subnet mask */
+               u_int8_t mask;
+               /** Protocol */
+               u_int8_t proto;
+       } src, dst;
+       /** Associated route installed for this policy */
+       route_entry_t *route;
+       /** References to this policy */
+       int refs;
+};
+
+/**
+ * Create a policy_entry_t object
+ */
+static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
+                                                                                  traffic_selector_t *dst_ts,
+                                                                                  policy_dir_t dir)
+{
+       policy_entry_t *this;
+       INIT(this,
+               .direction = dir,
+       );
+
+       src_ts->to_subnet(src_ts, &this->src.net, &this->src.mask);
+       dst_ts->to_subnet(dst_ts, &this->dst.net, &this->dst.mask);
+
+       /* src or dest proto may be "any" (0), use more restrictive one */
+       this->src.proto = max(src_ts->get_protocol(src_ts),
+                                                 dst_ts->get_protocol(dst_ts));
+       this->src.proto = this->src.proto ? this->src.proto : 0;
+       this->dst.proto = this->src.proto;
+       return this;
+}
+
+/**
+ * Destroy a policy_entry_t object
+ */
+static void policy_entry_destroy(policy_entry_t *this)
+{
+       if (this->route)
+       {
+               route_entry_destroy(this->route);
+       }
+       DESTROY_IF(this->src.net);
+       DESTROY_IF(this->dst.net);
+       free(this);
+}
+
+/**
+ * Compare two policy_entry_t objects
+ */
+static inline bool policy_entry_equals(policy_entry_t *a,
+                                                                          policy_entry_t *b)
+{
+       return a->direction == b->direction &&
+                  a->src.proto == b->src.proto &&
+                  a->dst.proto == b->dst.proto &&
+                  a->src.mask == b->src.mask &&
+                  a->dst.mask == b->dst.mask &&
+                  a->src.net->equals(a->src.net, b->src.net) &&
+                  a->dst.net->equals(a->dst.net, b->dst.net);
+}
+
+/**
  * Expiration callback
  */
 static void expire(u_int32_t reqid, u_int8_t protocol, u_int32_t spi, bool hard)
@@ -106,14 +272,229 @@ METHOD(kernel_ipsec_t, flush_sas, status_t,
        return ipsec->sas->flush_sas(ipsec->sas);
 }
 
+/**
+ * Add an explicit exclude route to a routing entry
+ */
+static void add_exclude_route(private_kernel_libipsec_ipsec_t *this,
+                                                         route_entry_t *route, host_t *src, host_t *dst)
+{
+       exclude_route_t *exclude;
+       host_t *gtw;
+
+       if (this->excludes->find_first(this->excludes,
+                                                                 (linked_list_match_t)exclude_route_match,
+                                                                 (void**)&exclude, dst) == SUCCESS)
+       {
+               route->exclude = exclude;
+               exclude->refs++;
+       }
+
+       if (!route->exclude)
+       {
+               DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
+               gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
+                                                                                                  dst, NULL);
+               if (gtw)
+               {
+                       char *if_name = NULL;
+
+                       if (hydra->kernel_interface->get_interface(
+                                                                       hydra->kernel_interface, src, &if_name) &&
+                               hydra->kernel_interface->add_route(hydra->kernel_interface,
+                                                                       dst->get_address(dst),
+                                                                       dst->get_family(dst) == AF_INET ? 32 : 128,
+                                                                       gtw, src, if_name) == SUCCESS)
+                       {
+                               INIT(exclude,
+                                       .dst = dst->clone(dst),
+                                       .src = src->clone(src),
+                                       .gtw = gtw->clone(gtw),
+                                       .refs = 1,
+                               );
+                               route->exclude = exclude;
+                               this->excludes->insert_last(this->excludes, exclude);
+                       }
+                       else
+                       {
+                               DBG1(DBG_KNL, "installing exclude route for %H failed", dst);
+                       }
+                       gtw->destroy(gtw);
+                       free(if_name);
+               }
+               else
+               {
+                       DBG1(DBG_KNL, "gateway lookup for %H failed", dst);
+               }
+       }
+}
+
+/**
+ * Remove an exclude route attached to a routing entry
+ */
+static void remove_exclude_route(private_kernel_libipsec_ipsec_t *this,
+                                                                route_entry_t *route)
+{
+       char *if_name = NULL;
+       host_t *dst;
+
+       if (!route->exclude || --route->exclude->refs > 0)
+       {
+               return;
+       }
+       this->excludes->remove(this->excludes, route->exclude, NULL);
+
+       dst = route->exclude->dst;
+       DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
+                dst, route->exclude->src);
+       if (hydra->kernel_interface->get_interface(
+                                                                       hydra->kernel_interface,
+                                                                       route->exclude->src, &if_name) &&
+               hydra->kernel_interface->del_route(hydra->kernel_interface,
+                                                                       dst->get_address(dst),
+                                                                       dst->get_family(dst) == AF_INET ? 32 : 128,
+                                                                       route->exclude->gtw, route->exclude->src,
+                                                                       if_name) != SUCCESS)
+       {
+               DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst);
+       }
+       exclude_route_destroy(route->exclude);
+       route->exclude = NULL;
+       free(if_name);
+}
+
+/**
+ * Install a route for the given policy
+ *
+ * this->mutex is released by this function
+ */
+static bool install_route(private_kernel_libipsec_ipsec_t *this,
+       host_t *src, host_t *dst, traffic_selector_t *src_ts,
+       traffic_selector_t *dst_ts, policy_entry_t *policy)
+{
+       route_entry_t *route, *old;
+       host_t *src_ip;
+       bool is_virtual;
+
+       if (policy->direction != POLICY_OUT)
+       {
+               this->mutex->unlock(this->mutex);
+               return TRUE;
+       }
+
+       if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
+                                                                       src_ts, &src_ip, &is_virtual) != SUCCESS)
+       {
+               this->mutex->unlock(this->mutex);
+               return FALSE;
+       }
+
+       INIT(route,
+               .if_name = strdup(this->tun->get_name(this->tun)),
+               .src_ip = src_ip,
+               .dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net)),
+               .prefixlen = policy->dst.mask,
+       );
+
+       if (policy->route)
+       {
+               old = policy->route;
+
+               if (route_entry_equals(old, route))
+               {       /* such a route already exists */
+                       route_entry_destroy(route);
+                       this->mutex->unlock(this->mutex);
+                       return TRUE;
+               }
+               /* uninstall previously installed route */
+               if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+                                                                       old->dst_net, old->prefixlen, NULL,
+                                                                       old->src_ip, old->if_name) != SUCCESS)
+               {
+                       DBG1(DBG_KNL, "error uninstalling route installed with policy "
+                                "%R === %R %N", src_ts, dst_ts, policy_dir_names,
+                                policy->direction);
+               }
+               route_entry_destroy(old);
+               policy->route = NULL;
+       }
+
+       /* if remote traffic selector covers the IKE peer, add an exclude route */
+       if (dst_ts->includes(dst_ts, dst))
+       {
+               /* add exclude route for peer */
+               add_exclude_route(this, route, src, dst);
+       }
+
+       DBG2(DBG_KNL, "installing route: %R src %H dev %s",
+                dst_ts, route->src_ip, route->if_name);
+
+       switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
+                                                       route->dst_net, route->prefixlen, NULL,
+                                                       route->src_ip, route->if_name))
+       {
+               case ALREADY_DONE:
+                       /* route exists, do not uninstall */
+                       remove_exclude_route(this, route);
+                       route_entry_destroy(route);
+                       this->mutex->unlock(this->mutex);
+                       return TRUE;
+               case SUCCESS:
+                       /* cache the installed route */
+                       policy->route = route;
+                       this->mutex->unlock(this->mutex);
+                       return TRUE;
+               default:
+                       DBG1(DBG_KNL, "installing route failed: %R src %H dev %s",
+                                dst_ts, route->src_ip, route->if_name);
+                       remove_exclude_route(this, route);
+                       route_entry_destroy(route);
+                       this->mutex->unlock(this->mutex);
+                       return FALSE;
+       }
+}
+
 METHOD(kernel_ipsec_t, add_policy, status_t,
        private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
        traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
        policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
        policy_priority_t priority)
 {
-       return ipsec->policies->add_policy(ipsec->policies, src, dst, src_ts,
-                                                                          dst_ts, direction, type, sa, mark, priority);
+       policy_entry_t *policy, *found = NULL;
+       status_t status;
+
+       if (type != POLICY_IPSEC)
+       {
+               return SUCCESS;
+       }
+
+       status = ipsec->policies->add_policy(ipsec->policies, src, dst, src_ts,
+                                                               dst_ts, direction, type, sa, mark, priority);
+       if (status != SUCCESS)
+       {
+               return status;
+       }
+       /* we track policies in order to install routes */
+       policy = create_policy_entry(src_ts, dst_ts, direction);
+
+       this->mutex->lock(this->mutex);
+       if (this->policies->find_first(this->policies,
+                                                                 (linked_list_match_t)policy_entry_equals,
+                                                                 (void**)&found, policy) == SUCCESS)
+       {
+               policy_entry_destroy(policy);
+               policy = found;
+       }
+       else
+       {       /* use the new one, if we have no such policy */
+               this->policies->insert_last(this->policies, policy);
+       }
+       policy->refs++;
+
+       if (!install_route(this, src, dst, src_ts, dst_ts, policy))
+       {
+               return FAILED;
+       }
+       return SUCCESS;
 }
 
 METHOD(kernel_ipsec_t, query_policy, status_t,
@@ -129,19 +510,82 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
        traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
        mark_t mark, policy_priority_t priority)
 {
-       return ipsec->policies->del_policy(ipsec->policies, src_ts, dst_ts,
-                                                                          direction, reqid, mark, priority);
+       policy_entry_t *policy, *found = NULL;
+       status_t status;
+
+       status = ipsec->policies->del_policy(ipsec->policies, src_ts, dst_ts,
+                                                                                direction, reqid, mark, priority);
+
+       policy = create_policy_entry(src_ts, dst_ts, direction);
+
+       this->mutex->lock(this->mutex);
+       if (this->policies->find_first(this->policies,
+                                                                 (linked_list_match_t)policy_entry_equals,
+                                                                 (void**)&found, policy) != SUCCESS)
+       {
+               policy_entry_destroy(policy);
+               this->mutex->unlock(this->mutex);
+               return status;
+       }
+       policy_entry_destroy(policy);
+       policy = found;
+
+       if (--policy->refs > 0)
+       {       /* policy is still in use */
+               this->mutex->unlock(this->mutex);
+               return status;
+       }
+
+       if (policy->route)
+       {
+               route_entry_t *route = policy->route;
+
+               if (hydra->kernel_interface->del_route(hydra->kernel_interface,
+                               route->dst_net, route->prefixlen, NULL, route->src_ip,
+                               route->if_name) != SUCCESS)
+               {
+                       DBG1(DBG_KNL, "error uninstalling route installed with "
+                                                 "policy %R === %R %N", src_ts, dst_ts,
+                                                  policy_dir_names, direction);
+               }
+               remove_exclude_route(this, route);
+       }
+       this->policies->remove(this->policies, policy, NULL);
+       policy_entry_destroy(policy);
+       this->mutex->unlock(this->mutex);
+       return status;
 }
 
 METHOD(kernel_ipsec_t, flush_policies, status_t,
        private_kernel_libipsec_ipsec_t *this)
 {
-       return ipsec->policies->flush_policies(ipsec->policies);
+       policy_entry_t *pol;
+       status_t status;
+
+       status = ipsec->policies->flush_policies(ipsec->policies);
+
+       this->mutex->lock(this->mutex);
+       while (this->policies->remove_first(this->policies, (void*)&pol) == SUCCESS)
+       {
+               if (pol->route)
+               {
+                       route_entry_t *route = pol->route;
+
+                       hydra->kernel_interface->del_route(hydra->kernel_interface,
+                                       route->dst_net, route->prefixlen, NULL, route->src_ip,
+                                       route->if_name);
+                       remove_exclude_route(this, route);
+               }
+               policy_entry_destroy(pol);
+       }
+       this->mutex->unlock(this->mutex);
+       return status;
 }
 
 METHOD(kernel_ipsec_t, bypass_socket, bool,
        private_kernel_libipsec_ipsec_t *this, int fd, int family)
 {
+       /* we use exclude routes for this */
        return NOT_SUPPORTED;
 }
 
@@ -155,6 +599,9 @@ METHOD(kernel_ipsec_t, destroy, void,
        private_kernel_libipsec_ipsec_t *this)
 {
        ipsec->events->unregister_listener(ipsec->events, &this->ipsec_listener);
+       this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
+       this->excludes->destroy(this->excludes);
+       this->mutex->destroy(this->mutex);
        free(this);
 }
 
@@ -188,6 +635,9 @@ kernel_libipsec_ipsec_t *kernel_libipsec_ipsec_create()
                        .expire = expire,
                },
                .tun = lib->get(lib, "kernel-libipsec-tun"),
+               .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+               .policies = linked_list_create(),
+               .excludes = linked_list_create(),
        );
 
        ipsec->events->register_listener(ipsec->events, &this->ipsec_listener);