6 years agoAdd --enable-coverage configure option
Tobias Brunner [Wed, 27 Mar 2013 10:03:56 +0000 (11:03 +0100)]
Add --enable-coverage configure option

This configure flag enables lcov [1] coverage generation and is intended
to be used with unit tests (--enable-unit-tests is implied).

A html coverage report can be generated by issuing the following command
in the toplevel build directory:

make coverage

[1] -

Based on a patch by Adrian-Ken Rueegsegger.

6 years agoUse proper type for enumerator_t/linked_list_t tests
Tobias Brunner [Wed, 27 Mar 2013 10:24:14 +0000 (11:24 +0100)]
Use proper type for enumerator_t/linked_list_t tests

Worked with -O2 but not with -O0.

6 years agoConverted test for recursive mutex_t
Tobias Brunner [Wed, 27 Mar 2013 08:16:59 +0000 (09:16 +0100)]
Converted test for recursive mutex_t

6 years agoRandomly allocate chunk_hash() key during first use
Tobias Brunner [Tue, 26 Mar 2013 18:25:55 +0000 (19:25 +0100)]
Randomly allocate chunk_hash() key during first use

This avoids hash flooding attacks.

6 years agoReplace chunk_hash() with output from chunk_mac()
Tobias Brunner [Tue, 26 Mar 2013 18:24:24 +0000 (19:24 +0100)]
Replace chunk_hash() with output from chunk_mac()

The quality is way better, the calculation is a bit slower though.

The key is statically initialized to zero, which will be changed later
to prevent hash flooding.

6 years agoAdding chunk_mac() which calculates a 64-bit MAC using SipHash-2-4
Tobias Brunner [Tue, 26 Mar 2013 17:18:52 +0000 (18:18 +0100)]
Adding chunk_mac() which calculates a 64-bit MAC using SipHash-2-4

6 years agoConverted tests for chunk_t
Tobias Brunner [Tue, 26 Mar 2013 15:39:44 +0000 (16:39 +0100)]
Converted tests for chunk_t

6 years agoConverted and added tests for hashtable_t
Tobias Brunner [Tue, 26 Mar 2013 15:38:27 +0000 (16:38 +0100)]
Converted and added tests for hashtable_t

6 years agoConverted tests for identification_t
Tobias Brunner [Tue, 26 Mar 2013 13:52:33 +0000 (14:52 +0100)]
Converted tests for identification_t

6 years agoRemove obsolete enumerator/linked_list tests in unit_tester plugin
Tobias Brunner [Tue, 26 Mar 2013 12:13:33 +0000 (13:13 +0100)]
Remove obsolete enumerator/linked_list tests in unit_tester plugin

6 years agoAdd tests combining linked_list_t and enumerators
Tobias Brunner [Tue, 26 Mar 2013 12:07:23 +0000 (13:07 +0100)]
Add tests combining linked_list_t and enumerators

6 years agoSome minor Doxygen fixes for linked_list_t
Tobias Brunner [Tue, 26 Mar 2013 11:36:51 +0000 (12:36 +0100)]
Some minor Doxygen fixes for linked_list_t

6 years agoAdd basic tests for linked_list_t
Tobias Brunner [Tue, 26 Mar 2013 11:18:44 +0000 (12:18 +0100)]
Add basic tests for linked_list_t

6 years agoRedirect test runner output to stderr
Tobias Brunner [Tue, 26 Mar 2013 09:49:08 +0000 (10:49 +0100)]
Redirect test runner output to stderr

This allows redirecting stdout of 'make check' to /dev/null.

6 years agoAdd tests for enumerator_t
Tobias Brunner [Tue, 26 Mar 2013 09:41:54 +0000 (10:41 +0100)]
Add tests for enumerator_t

6 years agoAdd test runner for unit tests in libstrongswan
Tobias Brunner [Tue, 26 Mar 2013 09:21:32 +0000 (10:21 +0100)]
Add test runner for unit tests in libstrongswan

6 years agotesting: Increase base image size so there is space for test results on winnetou
Tobias Brunner [Tue, 11 Jun 2013 09:01:26 +0000 (11:01 +0200)]
testing: Increase base image size so there is space for test results on winnetou

6 years agotesting: Ignore errors when searching for imcv log entries in daemon.log
Tobias Brunner [Mon, 10 Jun 2013 16:52:32 +0000 (18:52 +0200)]
testing: Ignore errors when searching for imcv log entries in daemon.log

6 years agoAdded missing string for full-length HMAC-SHA512 signer
Tobias Brunner [Mon, 10 Jun 2013 09:48:18 +0000 (11:48 +0200)]
Added missing string for full-length HMAC-SHA512 signer

6 years agoattr: Fix handling of invalid IPs listed after valid ones
Tobias Brunner [Wed, 5 Jun 2013 15:10:45 +0000 (17:10 +0200)]
attr: Fix handling of invalid IPs listed after valid ones

Invalid IPs listed after a valid one resulted in an attribute
of the same type but with invalid data.

6 years agoattr: fix a compiler warning that family is used uninitialized (seen with -Os)
Martin Willi [Wed, 5 Jun 2013 13:20:37 +0000 (15:20 +0200)]
attr: fix a compiler warning that family is used uninitialized (seen with -Os)

6 years agoStrictly memwipe_check() for magic only in the affected buffer
Martin Willi [Wed, 5 Jun 2013 12:37:05 +0000 (14:37 +0200)]
Strictly memwipe_check() for magic only in the affected buffer

Passing back the buffer address we memwipe() is not ideal, as it could, in
theory, change the behavior of the compiler and not-optimize memwipe(). But
as checking a larger stack is very difficult for different architectures
and compilers, we do it nonetheless for now.

6 years agoAllow memwipe() to be called with NULL argument
Tobias Brunner [Mon, 27 May 2013 16:41:16 +0000 (18:41 +0200)]
Allow memwipe() to be called with NULL argument

6 years agokernel-netlink: add outer addresses to policy when using BEET mode
Michael Rossberg [Wed, 22 May 2013 07:55:46 +0000 (09:55 +0200)]
kernel-netlink: add outer addresses to policy when using BEET mode

6 years agoopenssl: add support for IP addr blocks in X.509 certificates
Michael Rossberg [Wed, 22 May 2013 07:51:10 +0000 (09:51 +0200)]
openssl: add support for IP addr blocks in X.509 certificates

6 years agoMake plugins in standalone libimcv configurable
Andreas Steffen [Fri, 24 May 2013 10:56:21 +0000 (12:56 +0200)]
Make plugins in standalone libimcv configurable

6 years agohost-resolver: don't try to resolve a plain v4 address to an IPv6 address
Volker RĂ¼melin [Sun, 21 Apr 2013 13:10:39 +0000 (15:10 +0200)]
host-resolver: don't try to resolve a plain v4 address to an IPv6 address

Suppress 'Address family for hostname not supported' errors if a IPv6
client connects in a mixed IPv4/IPv6 environment.

6 years agotraffic-selector: inet_pton is successful only if it returns 1
Martin Willi [Thu, 16 May 2013 08:59:33 +0000 (10:59 +0200)]
traffic-selector: inet_pton is successful only if it returns 1

6 years agoupdown: pass IKE_SA unique ID in PLUTO_UNIQUEID
Emanuil Hristov [Wed, 17 Apr 2013 09:44:34 +0000 (12:44 +0300)]
updown: pass IKE_SA unique ID in PLUTO_UNIQUEID

6 years agocapabilities: leak-detective using dlsym() does not need CAP_SYS_NICE anymore
Martin Willi [Wed, 8 May 2013 12:58:59 +0000 (14:58 +0200)]
capabilities: leak-detective using dlsym() does not need CAP_SYS_NICE anymore

6 years agocapabilities: initialize supplementary groups only when doing a setuid()
Martin Willi [Wed, 8 May 2013 12:58:28 +0000 (14:58 +0200)]
capabilities: initialize supplementary groups only when doing a setuid()

6 years agoaf-alg: fix number of signers after adding untruncated HMAC-SHA-512 (1f2a34d6)
Martin Willi [Wed, 15 May 2013 14:42:03 +0000 (16:42 +0200)]
af-alg: fix number of signers after adding untruncated HMAC-SHA-512 (1f2a34d6)

6 years agoRaise LOCAL_AUTH_FAILED alert after receiving AUTHENTICATION_FAILURE
Martin Willi [Wed, 8 May 2013 09:03:33 +0000 (11:03 +0200)]

6 years agotesting: Set terminal title when logging in via SSH
Tobias Brunner [Wed, 15 May 2013 08:32:41 +0000 (10:32 +0200)]
testing: Set terminal title when logging in via SSH

Since we always log in as root use a simpler command prompt. And don't
store duplicate commands in the bash command history.

6 years agoopenssl: Only warn about unavailable FIPS mode if the user requested it
Tobias Brunner [Wed, 8 May 2013 13:23:14 +0000 (15:23 +0200)]
openssl: Only warn about unavailable FIPS mode if the user requested it

6 years agoMerge branch 'charon-cmd-pkcs12'
Tobias Brunner [Wed, 8 May 2013 13:19:38 +0000 (15:19 +0200)]
Merge branch 'charon-cmd-pkcs12'

Adds support for PKCS#12 files in charon-cmd and ipsec.secrets.

Also fixes the cleanup of the OpenSSL library in the openssl plugin.

6 years agostroke: Add second password if provided
Tobias Brunner [Wed, 17 Apr 2013 15:32:37 +0000 (17:32 +0200)]
stroke: Add second password if provided

6 years agoLoad pkcs7 plugin in charon (and while we are at it in nm)
Tobias Brunner [Wed, 17 Apr 2013 15:13:28 +0000 (17:13 +0200)]
Load pkcs7 plugin in charon (and while we are at it in nm)

6 years agostroke: Fail silently if another builder calls PW callback after giving up
Tobias Brunner [Wed, 17 Apr 2013 14:03:05 +0000 (16:03 +0200)]
stroke: Fail silently if another builder calls PW callback after giving up

Also reduced the number of tries to 3.

6 years agostroke: Cache passwords so the user is not prompted multiple times for the same password
Tobias Brunner [Wed, 17 Apr 2013 13:54:23 +0000 (15:54 +0200)]
stroke: Cache passwords so the user is not prompted multiple times for the same password

To verify/decrypt a PKCS#12 container a password might be needed
multiple times.  If it was entered correctly we don't want to bother the
user again with another password prompt.
The passwords for MAC creation and encryption could be different so the
user might be prompted multiple times after all.

6 years agostroke: Fix prompt and error messages in passphrase callback
Tobias Brunner [Wed, 17 Apr 2013 13:51:11 +0000 (15:51 +0200)]
stroke: Fix prompt and error messages in passphrase callback

6 years agostroke: Load credentials from PKCS#12 files (P12 token)
Tobias Brunner [Wed, 17 Apr 2013 11:49:13 +0000 (13:49 +0200)]
stroke: Load credentials from PKCS#12 files (P12 token)

6 years agoopenssl: Cleanup thread specific error buffer
Tobias Brunner [Wed, 17 Apr 2013 11:16:20 +0000 (13:16 +0200)]
openssl: Cleanup thread specific error buffer

6 years agoopenssl: Don't use deprecated CRYPTO_set_id_callback() with OpenSSL >= 1.0.0
Tobias Brunner [Wed, 17 Apr 2013 11:00:51 +0000 (13:00 +0200)]
openssl: Don't use deprecated CRYPTO_set_id_callback() with OpenSSL >= 1.0.0

6 years agoopenssl: Add PKCS#12 parsing via OpenSSL
Tobias Brunner [Wed, 17 Apr 2013 09:43:06 +0000 (11:43 +0200)]
openssl: Add PKCS#12 parsing via OpenSSL

6 years agoopenssl: Properly cleanup OpenSSL library
Tobias Brunner [Wed, 17 Apr 2013 09:35:18 +0000 (11:35 +0200)]
openssl: Properly cleanup OpenSSL library

6 years agocharon-cmd: Add support for PKCS#12 files
Tobias Brunner [Fri, 12 Apr 2013 17:30:03 +0000 (19:30 +0200)]
charon-cmd: Add support for PKCS#12 files

6 years agoPEM plugin loads PKCS#12 containers from (DER-encoded) files
Tobias Brunner [Fri, 12 Apr 2013 17:00:15 +0000 (19:00 +0200)]
PEM plugin loads PKCS#12 containers from (DER-encoded) files

It is not actually able to handle PEM encoded PKCS#12 files produced
by OpenSSL.

6 years agoRemove pluto specific certificate types
Tobias Brunner [Fri, 12 Apr 2013 16:41:26 +0000 (18:41 +0200)]
Remove pluto specific certificate types

6 years agocharon-cmd: match_me/match_other are optional in callback credentials
Tobias Brunner [Fri, 12 Apr 2013 17:32:01 +0000 (19:32 +0200)]
charon-cmd: match_me/match_other are optional in callback credentials

6 years agocharon-cmd: Request password for private keys
Tobias Brunner [Fri, 12 Apr 2013 16:28:17 +0000 (18:28 +0200)]
charon-cmd: Request password for private keys

6 years agoAdd support for untruncated HMAC-SHA-512
Tobias Brunner [Fri, 12 Apr 2013 10:48:04 +0000 (12:48 +0200)]
Add support for untruncated HMAC-SHA-512

6 years agoAlso support 128-bit RC2
Tobias Brunner [Fri, 12 Apr 2013 10:10:22 +0000 (12:10 +0200)]
Also support 128-bit RC2

6 years agoAdd pkcs12 plugin which adds support for decoding PKCS#12 containers
Tobias Brunner [Fri, 12 Apr 2013 09:59:01 +0000 (11:59 +0200)]
Add pkcs12 plugin which adds support for decoding PKCS#12 containers

6 years agoFunction added to convert a hash algorithm to an HMAC integrity algorithm
Tobias Brunner [Thu, 11 Apr 2013 17:41:48 +0000 (19:41 +0200)]
Function added to convert a hash algorithm to an HMAC integrity algorithm

6 years agoSupport the PKCS#5/PKCS#12 encryption scheme used by OpenSSL for private keys
Tobias Brunner [Thu, 11 Apr 2013 17:39:32 +0000 (19:39 +0200)]
Support the PKCS#5/PKCS#12 encryption scheme used by OpenSSL for private keys

6 years agoRegister PKCS#8 builder for KEY_ANY
Tobias Brunner [Thu, 11 Apr 2013 15:54:45 +0000 (17:54 +0200)]
Register PKCS#8 builder for KEY_ANY

6 years agoAdd support for PKCS#7/CMS encrypted-data
Tobias Brunner [Thu, 11 Apr 2013 14:19:16 +0000 (16:19 +0200)]
Add support for PKCS#7/CMS encrypted-data

6 years agoMove PKCS#12 key derivation to a separate file
Tobias Brunner [Thu, 11 Apr 2013 13:02:28 +0000 (15:02 +0200)]
Move PKCS#12 key derivation to a separate file

6 years agoPKCS#5 wrapper can decrypt PKCS#12-like schemes
Tobias Brunner [Thu, 11 Apr 2013 11:27:02 +0000 (13:27 +0200)]
PKCS#5 wrapper can decrypt PKCS#12-like schemes

6 years agoAdd test vectors for RC2
Tobias Brunner [Wed, 10 Apr 2013 17:26:05 +0000 (19:26 +0200)]
Add test vectors for RC2

6 years agoFix cleanup in crypto_tester if a crypter fails
Tobias Brunner [Wed, 10 Apr 2013 17:25:26 +0000 (19:25 +0200)]
Fix cleanup in crypto_tester if a crypter fails

6 years agoAdd implementation of the RC2 block cipher (RFC 2268)
Tobias Brunner [Wed, 10 Apr 2013 17:24:09 +0000 (19:24 +0200)]
Add implementation of the RC2 block cipher (RFC 2268)

6 years agoExtract function to convert ASN.1 INTEGER object to u_int64_t
Tobias Brunner [Mon, 8 Apr 2013 16:31:34 +0000 (18:31 +0200)]
Extract function to convert ASN.1 INTEGER object to u_int64_t

6 years agoExtract PKCS#5 handling from pkcs8 plugin to separate helper class
Tobias Brunner [Mon, 8 Apr 2013 16:13:03 +0000 (18:13 +0200)]
Extract PKCS#5 handling from pkcs8 plugin to separate helper class

6 years agoMerge branch 'charon-cmd-agent'
Tobias Brunner [Wed, 8 May 2013 12:35:05 +0000 (14:35 +0200)]
Merge branch 'charon-cmd-agent'

Adds support for authentication via ssh-agent to charon-cmd (RSA and ECDSA keys
are currently supported).

The new sshkey plugin parses SSH public keys in RFC 4253 format.

SSH public keys can be configured with the left|rightsigkey ipsec.conf option,
which replaces left|rightrsasigkey and takes a public key in one of three
formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix, not the
full RR, only the actual RSA key), or PKCS#1 (the default, no prefix).
As before the keys are either encoded in hex (0x) or base64 (0s).
left|rightsigkey also accepts the path to a file containing a PEM or DER
encoded public key.

6 years agocharon-cmd: Changed formatting of optional arguments in usage information
Tobias Brunner [Tue, 7 May 2013 13:05:12 +0000 (15:05 +0200)]
charon-cmd: Changed formatting of optional arguments in usage information

Optional arguments have to be specified with = after the option.

6 years agocharon-cmd: --agent optionally takes the path to an ssh-agent socket
Tobias Brunner [Tue, 7 May 2013 13:04:02 +0000 (15:04 +0200)]
charon-cmd: --agent optionally takes the path to an ssh-agent socket

If not given it is read from the SSH_AUTH_SOCK environment variable.

6 years agocharon-cmd: Stop processing options if an argument is missing or an option not recognized
Tobias Brunner [Tue, 7 May 2013 12:53:27 +0000 (14:53 +0200)]
charon-cmd: Stop processing options if an argument is missing or an option not recognized

6 years agocharon-cmd: Properly initialize options with no additional lines
Tobias Brunner [Tue, 7 May 2013 12:08:20 +0000 (14:08 +0200)]
charon-cmd: Properly initialize options with no additional lines

6 years agoagent: Use sshkey plugin to parse keys, adds support for ECDSA
Tobias Brunner [Mon, 1 Apr 2013 17:47:23 +0000 (19:47 +0200)]
agent: Use sshkey plugin to parse keys, adds support for ECDSA

6 years agosshkey: Add support for ECDSA keys
Tobias Brunner [Mon, 1 Apr 2013 16:16:17 +0000 (18:16 +0200)]
sshkey: Add support for ECDSA keys

6 years agoLoad any type (RSA/ECDSA) of public key via left|rightsigkey
Tobias Brunner [Mon, 1 Apr 2013 14:42:53 +0000 (16:42 +0200)]
Load any type (RSA/ECDSA) of public key via left|rightsigkey

6 years agoleft|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly
Tobias Brunner [Mon, 1 Apr 2013 14:28:28 +0000 (16:28 +0200)]
left|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly

The default is now PKCS#1. With the dns: and ssh: prefixes other formats
can be selected.

6 years agosshkey: Added builder for SSHKEY RSA keys
Tobias Brunner [Mon, 1 Apr 2013 14:02:00 +0000 (16:02 +0200)]
sshkey: Added builder for SSHKEY RSA keys

6 years agoAdd sshkey plugin stub that will parse RFC 4253 public keys
Tobias Brunner [Mon, 1 Apr 2013 13:20:39 +0000 (15:20 +0200)]
Add sshkey plugin stub that will parse RFC 4253 public keys

6 years agoTry to load raw keys from ipsec.conf as PKCS#1 blob first
Tobias Brunner [Mon, 1 Apr 2013 11:51:37 +0000 (13:51 +0200)]
Try to load raw keys from ipsec.conf as PKCS#1 blob first

The DNSKEY builder is quite eager and parses pretty much anything
as RSA key, so this has to be done before.

6 years agocharon-cmd: Add --agent option to authenticate using ssh-agent(1)
Tobias Brunner [Mon, 1 Apr 2013 12:51:09 +0000 (14:51 +0200)]
charon-cmd: Add --agent option to authenticate using ssh-agent(1)

The socket path is read from the SSH_AUTH_SOCK environment variable.
So using this with sudo might require the -E command line (or an appropriate
sudoers config) to preserve the environment.

6 years agocharon-cmd: Use loose matching of gateway identity
Tobias Brunner [Mon, 1 Apr 2013 12:48:02 +0000 (14:48 +0200)]
charon-cmd: Use loose matching of gateway identity

6 years agocharon-cmd: Load pubkey plugin to load raw keys
Tobias Brunner [Mon, 1 Apr 2013 12:47:09 +0000 (14:47 +0200)]
charon-cmd: Load pubkey plugin to load raw keys

6 years agotesting: Don't run tests when building tkm
Tobias Brunner [Tue, 7 May 2013 08:19:37 +0000 (10:19 +0200)]
testing: Don't run tests when building tkm

The problem with XML/Ada described in 9c2aba27 actually occurs when
running the tests here.

Really fixes #336.

6 years agotesting: Don't run tests when building tkm-rpc
Tobias Brunner [Mon, 6 May 2013 15:21:30 +0000 (17:21 +0200)]
testing: Don't run tests when building tkm-rpc

There are issues with some versions of the XML/Ada library on i386,
blocking the build of the testing environment when these tests are run.
TKM tests won't work in such a case but at least make-testing does not
block with this patch.

Fixes #336.

6 years agoMerge branch 'tun-vip'
Martin Willi [Mon, 6 May 2013 15:04:36 +0000 (17:04 +0200)]
Merge branch 'tun-vip'

Beside some OS X love, this merge introduces virtual IP and route installation
support on the pfkey/pfroute kernel interfaces.

Each virtual IP gets installed on a dedicated TUN device. As Linux-like source
routes are not supported, routes for the negotiated traffic selectors get
installed using the TUN device.

To prevent IKE packets from using those routes, special exclude routes get
installed to the IKE gateway. This works for most road-warrior deployments, but
certainly does not for some more exotic configurations, such as those using
virtual-IP-to-host. Mobility is not yet supported, either.

6 years agokernel-pfroute: allow only one thread to do a route look up simultaneously
Martin Willi [Mon, 6 May 2013 14:40:19 +0000 (16:40 +0200)]
kernel-pfroute: allow only one thread to do a route look up simultaneously

Otherwise we mess up the sequence number another thread is waiting for.

6 years agokernel-interface: query SAD for last use time if SPD query didn't yield one
Martin Willi [Sun, 21 Apr 2013 15:05:08 +0000 (17:05 +0200)]
kernel-interface: query SAD for last use time if SPD query didn't yield one

6 years agochild-sa: query SAD/SPD just for what we actually need to update statistics
Martin Willi [Sun, 21 Apr 2013 14:50:17 +0000 (16:50 +0200)]
child-sa: query SAD/SPD just for what we actually need to update statistics

6 years agokernel-pfkey: be less verbose about unexpected sequence numbers
Martin Willi [Sat, 20 Apr 2013 18:54:03 +0000 (20:54 +0200)]
kernel-pfkey: be less verbose about unexpected sequence numbers

6 years agokernel-pfkey: install exclude routes if kernel-net requires them
Martin Willi [Sat, 20 Apr 2013 11:29:20 +0000 (13:29 +0200)]
kernel-pfkey: install exclude routes if kernel-net requires them

6 years agokernel-pfroute: add a feature flag requesting "exclude" routes
Martin Willi [Sat, 20 Apr 2013 10:28:05 +0000 (12:28 +0200)]
kernel-pfroute: add a feature flag requesting "exclude" routes

If routes installed along with policies covering the peer address affect local
IKE/ESP packets, they won't get routed correctly. To work around this issue,
the kernel interface can install "exclude" routes for the IKE peer. Not all
networking backends require this workaround, hence we export a flag for it
if it is required.

6 years agokernel-pfroute: remove unused interface address refcounting
Martin Willi [Fri, 19 Apr 2013 14:58:06 +0000 (16:58 +0200)]
kernel-pfroute: remove unused interface address refcounting

6 years agokernel-pfroute: mark IPs installed on tun device as virtual
Martin Willi [Fri, 19 Apr 2013 14:55:38 +0000 (16:55 +0200)]
kernel-pfroute: mark IPs installed on tun device as virtual

6 years agokernel-pfroute: install virtual IPs using dedicated tun devices
Martin Willi [Fri, 19 Apr 2013 13:53:45 +0000 (15:53 +0200)]
kernel-pfroute: install virtual IPs using dedicated tun devices

6 years agokernel-pfkey: when installing a route for a virtual IP, use its interface
Martin Willi [Fri, 19 Apr 2013 12:27:31 +0000 (14:27 +0200)]
kernel-pfkey: when installing a route for a virtual IP, use its interface

When installing a route over a tun device for a virtual IP, the route must
be set over the tun, not the IKE interface.

6 years agokernel-interface: get_address_by_ts() can tell if a returned IP is virtual
Martin Willi [Fri, 19 Apr 2013 12:22:45 +0000 (14:22 +0200)]
kernel-interface: get_address_by_ts() can tell if a returned IP is virtual

6 years agokernel-interface: support enumeration of virtual-only IPs
Martin Willi [Fri, 19 Apr 2013 12:52:29 +0000 (14:52 +0200)]
kernel-interface: support enumeration of virtual-only IPs

6 years agokernel-pfkey: refactor route installation to a dedicate function
Martin Willi [Fri, 19 Apr 2013 12:17:22 +0000 (14:17 +0200)]
kernel-pfkey: refactor route installation to a dedicate function

6 years agokernel-pfroute: split /0 routes to avoid conflict with default route
Martin Willi [Fri, 19 Apr 2013 10:17:25 +0000 (12:17 +0200)]
kernel-pfroute: split /0 routes to avoid conflict with default route

6 years agokernel-pfkey: check if we have a gateway before comparing them
Martin Willi [Fri, 19 Apr 2013 10:16:12 +0000 (12:16 +0200)]
kernel-pfkey: check if we have a gateway before comparing them

6 years agokernel-pfkey: install route along with input, not forward policies
Martin Willi [Fri, 19 Apr 2013 08:42:23 +0000 (10:42 +0200)]
kernel-pfkey: install route along with input, not forward policies

As forwarding policies are not available on all systems (OS X), using the
forward policy to attach the route is a bad pick. Using input policies allows
OS X to install routes.

6 years agokernel-pfroute: rescan address list for an interface if its state changes
Martin Willi [Fri, 19 Apr 2013 08:47:34 +0000 (10:47 +0200)]
kernel-pfroute: rescan address list for an interface if its state changes

It seems that we don't get address notifications if the interface is down
on OS X.