strongswan.git
5 years ago - android: Register local certificate store provider when the app is initialized
Tobias Brunner [Fri, 30 May 2014 11:45:31 +0000 (13:45 +0200)]
android: Register local certificate store provider when the app is initialized

5 years ago - android: Add Provider for the local certificate store
Tobias Brunner [Fri, 30 May 2014 11:45:02 +0000 (13:45 +0200)]
android: Add Provider for the local certificate store

5 years ago - android: Add KeyStoreSpi implementation that uses LocalCertificateStore
Tobias Brunner [Fri, 30 May 2014 11:30:35 +0000 (13:30 +0200)]
android: Add KeyStoreSpi implementation that uses LocalCertificateStore

5 years ago - android: Add local certificate store
Tobias Brunner [Fri, 30 May 2014 11:28:16 +0000 (13:28 +0200)]
android: Add local certificate store

The class manages certificates stored in files within the app's
private data directory.

5 years ago - android: Move TrustedCertificateEntry to a new package
Tobias Brunner [Fri, 30 May 2014 10:40:53 +0000 (12:40 +0200)]
android: Move TrustedCertificateEntry to a new package

5 years ago - android: Subclass Application to provide static access to the application context
Tobias Brunner [Fri, 30 May 2014 10:35:54 +0000 (12:35 +0200)]
android: Subclass Application to provide static access to the application context

5 years ago - android: Target latest SDK version
Tobias Brunner [Fri, 30 May 2014 10:34:46 +0000 (12:34 +0200)]
android: Target latest SDK version

5 years ago - android: Add utility method to convert a byte array to a hex string
Tobias Brunner [Fri, 30 May 2014 09:08:35 +0000 (11:08 +0200)]
android: Add utility method to convert a byte array to a hex string

5 years ago - android: Remove unused hash argument from getTrustedCertificates()
Tobias Brunner [Fri, 30 May 2014 09:22:19 +0000 (11:22 +0200)]
android: Remove unused hash argument from getTrustedCertificates()

5 years ago - android: Use correct tag to define category for CREATE_SHORTCUT intent-filter
Tobias Brunner [Fri, 30 May 2014 09:03:25 +0000 (11:03 +0200)]
android: Use correct tag to define category for CREATE_SHORTCUT intent-filter

5 years ago - starter: Fix memory leaks and warn if conn/ca sections are ignored due to parse errors
Tobias Brunner [Fri, 18 Jul 2014 15:12:09 +0000 (17:12 +0200)]
starter: Fix memory leaks and warn if conn/ca sections are ignored due to parse errors

5 years ago - receiver: Send a single INVALID_MAJOR_VERSION notify for IKE version > 2
Martin Willi [Thu, 17 Jul 2014 07:32:22 +0000 (09:32 +0200)]
receiver: Send a single INVALID_MAJOR_VERSION notify for IKE version > 2

We sent a notify using both IKEv1 and IKEv2. This is a little more aggressive
than required, RFC 5996 says we "SHOULD send an unauthenticated Notify
message of type INVALID_MAJOR_VERSION containing the highest (closest) version
number it supports".

Fixes #657.

5 years ago - Version bump to 5.2.1dr1
Andreas Steffen [Wed, 16 Jul 2014 13:59:56 +0000 (15:59 +0200)]
Version bump to 5.2.1dr1

5 years ago - Determine type of unsupported PA-TNC attribute in error message
Andreas Steffen [Wed, 16 Jul 2014 13:56:09 +0000 (15:56 +0200)]
Determine type of unsupported PA-TNC attribute in error message

5 years ago - Replaced Tag File Path by Instance ID field
Andreas Steffen [Mon, 14 Jul 2014 18:38:11 +0000 (20:38 +0200)]
Replaced Tag File Path by Instance ID field

This update reflects the latest changes in the TCG TNC
SWID Messages and Attributes for IF-M specification.

6 years ago - man: Document where left|rightsigkey searches for public key files
Tobias Brunner [Mon, 14 Jul 2014 08:53:11 +0000 (10:53 +0200)]
man: Document where left|rightsigkey searches for public key files

6 years ago - swanctl: Fix the swanctl.conf cacerts option name in the manpage and template
Martin Willi [Mon, 14 Jul 2014 07:18:47 +0000 (09:18 +0200)]
swanctl: Fix the swanctl.conf cacerts option name in the manpage and template

6 years ago - Updated URL to swidGenerator in recipe [5.2.0]
Andreas Steffen [Wed, 9 Jul 2014 13:08:18 +0000 (15:08 +0200)]
Updated URL to swidGenerator in recipe

6 years ago - dumm: Undefine _GNU_SOURCE before including <ruby.h>, as it usually redefines it
Martin Willi [Wed, 9 Jul 2014 08:53:36 +0000 (10:53 +0200)]
dumm: Undefine _GNU_SOURCE before including <ruby.h>, as it usually redefines it

6 years ago - Version bump to 5.2.0
Andreas Steffen [Tue, 8 Jul 2014 13:24:22 +0000 (15:24 +0200)]
Version bump to 5.2.0

6 years ago - NEWS: Updated URL to swidGenerator
Tobias Brunner [Mon, 7 Jul 2014 14:19:56 +0000 (16:19 +0200)]
NEWS: Updated URL to swidGenerator

6 years ago - settings: Allow spaces in time settings before the optional unit
Martin Willi [Mon, 7 Jul 2014 13:53:49 +0000 (15:53 +0200)]
settings: Allow spaces in time settings before the optional unit

6 years ago - settings: Be more strict in converting settings to specific data types
Martin Willi [Mon, 7 Jul 2014 13:49:04 +0000 (15:49 +0200)]
settings: Be more strict in converting settings to specific data types

As the behavior was inconsistent for empty strings or strings with characters
appended to a number, testing the code failed on some platforms. The new rules
are more strict, returning the default if additional characters or an empty
string was found for a setting.

6 years ago - utils: Undefine mem{cpy,move,set} if set before defining them
Martin Willi [Mon, 7 Jul 2014 12:48:11 +0000 (14:48 +0200)]
utils: Undefine mem{cpy,move,set} if set before defining them

Some platforms, such as OS X, use macros for these functions. Undefine them
to avoid compiler warnings.

6 years ago - enumerator: Enumerate glob(3) matches using gl_pathc
Martin Willi [Mon, 7 Jul 2014 13:27:19 +0000 (15:27 +0200)]
enumerator: Enumerate glob(3) matches using gl_pathc

While glob should return a NULL terminated gl_pathv when having no matches,
at least on OS X this is not true when using GLOB_DOOFFS. Rely on the
number of matches returned in gl_pathc, which seems to be more reliable in
error cases.

6 years ago - xauth-pam: Add workaround for null-terminated passwords
Tobias Brunner [Mon, 7 Jul 2014 09:12:30 +0000 (11:12 +0200)]
xauth-pam: Add workaround for null-terminated passwords

Fixes #631.

6 years ago - kernel-netlink: Rename algorithm identifier from cast128 to cast5
Martin Willi [Fri, 4 Jul 2014 08:14:13 +0000 (10:14 +0200)]
kernel-netlink: Rename algorithm identifier from cast128 to cast5

Even if the XFRM identifier was named cast128 in the kernel before 2.6.31, it
actually never worked, because there is no such crypto algorithm.

The identifier has been changed to cast5 in
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=245acb87
to make it work, so we should use that.

Fixes #633.

6 years ago - winhttp: Do not use countof() on pointer argument
Tobias Brunner [Wed, 2 Jul 2014 10:08:16 +0000 (12:08 +0200)]
winhttp: Do not use countof() on pointer argument

6 years ago - optionsfrom: Properly handle errors when determining file size
Tobias Brunner [Wed, 2 Jul 2014 10:03:36 +0000 (12:03 +0200)]
optionsfrom: Properly handle errors when determining file size

6 years ago - windows: Fix off-by-one error in strerror_s_extended()
Tobias Brunner [Wed, 2 Jul 2014 09:59:01 +0000 (11:59 +0200)]
windows: Fix off-by-one error in strerror_s_extended()

6 years ago - windows: accept() socket handle could theoretically be 0
Tobias Brunner [Wed, 2 Jul 2014 09:54:40 +0000 (11:54 +0200)]
windows: accept() socket handle could theoretically be 0

6 years ago - windows: Close correct socket when opening second socket fails in socketpair()
Tobias Brunner [Wed, 2 Jul 2014 09:51:37 +0000 (11:51 +0200)]
windows: Close correct socket when opening second socket fails in socketpair()

6 years ago - windows: Make sure the string returned from ReadConsole() is null terminated
Tobias Brunner [Wed, 2 Jul 2014 09:49:34 +0000 (11:49 +0200)]
windows: Make sure the string returned from ReadConsole() is null terminated

6 years ago - windows: Remove useless assignment in put_thread()
Tobias Brunner [Wed, 2 Jul 2014 09:41:14 +0000 (11:41 +0200)]
windows: Remove useless assignment in put_thread()

6 years ago - backtrace: Remove name checks after SymFromAddr() calls
Tobias Brunner [Wed, 2 Jul 2014 09:31:56 +0000 (11:31 +0200)]
backtrace: Remove name checks after SymFromAddr() calls

The Name member is an array whose address is always defined.

6 years ago - pts: Avoid integer overflow when reading file names in the old IMA format
Tobias Brunner [Tue, 1 Jul 2014 10:37:25 +0000 (12:37 +0200)]
pts: Avoid integer overflow when reading file names in the old IMA format

6 years ago - imv-attestation: Avoid memory leak when skipping unsupported work items
Tobias Brunner [Tue, 1 Jul 2014 10:31:07 +0000 (12:31 +0200)]
imv-attestation: Avoid memory leak when skipping unsupported work items

6 years ago - pts: Use memchr(3) instead of strchr(3) to extract hash algorithm name
Tobias Brunner [Tue, 1 Jul 2014 10:26:15 +0000 (12:26 +0200)]
pts: Use memchr(3) instead of strchr(3) to extract hash algorithm name

The string read with read(2) might not be null terminated.

6 years ago - swid: fgets(3) returns a pointer to the read string or NULL
Tobias Brunner [Tue, 1 Jul 2014 10:13:13 +0000 (12:13 +0200)]
swid: fgets(3) returns a pointer to the read string or NULL

6 years ago - parser-helper: Ensure file_next() does not remove the sentinel item
Tobias Brunner [Mon, 30 Jun 2014 13:23:22 +0000 (15:23 +0200)]
parser-helper: Ensure file_next() does not remove the sentinel item

6 years ago - gcrypt: Use predefined pthread locking functions instead of custom hooks
Martin Willi [Tue, 1 Jul 2014 08:33:25 +0000 (10:33 +0200)]
gcrypt: Use predefined pthread locking functions instead of custom hooks

Starting with libgcrypt 1.6, it seems that custom locking functions are not
supported anymore. Instead, the user has to select from one of the pre-defined
set of locking functions.

Given that we have a proper threading abstraction API with optional profiling
on all platforms, this is somewhat annoying. However, there does not seem to be
a way to use custom functions, and we have no other choice than using the
provided macro magic to support all libgcrypt versions.

Fixes #630.

6 years ago - man: Document replay_window ipsec.conf option
Tobias Brunner [Mon, 30 Jun 2014 12:49:21 +0000 (14:49 +0200)]
man: Document replay_window ipsec.conf option

6 years ago - stroke: Don't log unspecified options of conn and ca sections
Tobias Brunner [Wed, 25 Jun 2014 15:53:10 +0000 (17:53 +0200)]
stroke: Don't log unspecified options of conn and ca sections

6 years ago - utils: Helper macros to define overloaded macros based on number of arguments
Tobias Brunner [Wed, 25 Jun 2014 15:44:14 +0000 (17:44 +0200)]
utils: Helper macros to define overloaded macros based on number of arguments

6 years ago - pki: Document --online option for pki --verify and all exit codes
Tobias Brunner [Fri, 27 Jun 2014 14:12:26 +0000 (16:12 +0200)]
pki: Document --online option for pki --verify and all exit codes

6 years ago - conf: Document load-tester.crl option
Tobias Brunner [Fri, 27 Jun 2014 13:41:21 +0000 (15:41 +0200)]
conf: Document load-tester.crl option

6 years ago - conf: Document charon.*-scripts options
Tobias Brunner [Fri, 27 Jun 2014 13:37:39 +0000 (15:37 +0200)]
conf: Document charon.*-scripts options

6 years ago - conf: Document swanctl options
Tobias Brunner [Fri, 27 Jun 2014 13:47:34 +0000 (15:47 +0200)]
conf: Document swanctl options

6 years ago - conf: Document aikgen options
Tobias Brunner [Fri, 27 Jun 2014 13:32:19 +0000 (15:32 +0200)]
conf: Document aikgen options

6 years ago - autoconf: Replace --disable-tools option with --disable-scepclient
Tobias Brunner [Fri, 27 Jun 2014 13:26:53 +0000 (15:26 +0200)]
autoconf: Replace --disable-tools option with --disable-scepclient

Since using a separate option for pki this was the only tool that was still
enabled by that option.

6 years ago - checksum: Fix checksum generation for pki if tools are disabled
Tobias Brunner [Fri, 27 Jun 2014 13:20:25 +0000 (15:20 +0200)]
checksum: Fix checksum generation for pki if tools are disabled

6 years ago - doc: Remove obsolete architecture description and empty known bugs list
Tobias Brunner [Tue, 24 Jun 2014 16:28:26 +0000 (18:28 +0200)]
doc: Remove obsolete architecture description and empty known bugs list

6 years ago - apidoc: Include *.md and files from the complete source directory (not only src)
Tobias Brunner [Tue, 24 Jun 2014 16:27:40 +0000 (18:27 +0200)]
apidoc: Include *.md and files from the complete source directory (not only src)

6 years ago - Converted existing README to Markdown
Tobias Brunner [Tue, 24 Jun 2014 16:24:57 +0000 (18:24 +0200)]
Converted existing README to Markdown

6 years ago - Move README to README.md so it gets evaluated as Markdown
Tobias Brunner [Tue, 24 Jun 2014 15:29:00 +0000 (17:29 +0200)]
Move README to README.md so it gets evaluated as Markdown

6 years ago - swid: Fix parameter documentation in Doxygen comments
Tobias Brunner [Tue, 24 Jun 2014 14:15:48 +0000 (16:15 +0200)]
swid: Fix parameter documentation in Doxygen comments

6 years ago - windows: Fix parameter name in Doxygen comment
Tobias Brunner [Tue, 24 Jun 2014 14:14:38 +0000 (16:14 +0200)]
windows: Fix parameter name in Doxygen comment

6 years ago - enum: Replace þ with p in Doxygen comments
Tobias Brunner [Tue, 24 Jun 2014 14:13:57 +0000 (16:13 +0200)]
enum: Replace þ with p in Doxygen comments

6 years ago - libvici: Add missing argument to Doxygen comment
Tobias Brunner [Tue, 24 Jun 2014 14:10:56 +0000 (16:10 +0200)]
libvici: Add missing argument to Doxygen comment

6 years ago - starter: Add starter group and fix formatting of conf_parser_section_t enum
Tobias Brunner [Tue, 24 Jun 2014 14:10:14 +0000 (16:10 +0200)]
starter: Add starter group and fix formatting of conf_parser_section_t enum

Make use of the Markdown support in recent Doxygen versions.

6 years ago - swanctl: Fix Doxygen group assignment
Tobias Brunner [Tue, 24 Jun 2014 14:09:09 +0000 (16:09 +0200)]
swanctl: Fix Doxygen group assignment

6 years ago - apidoc: Updated Doxyfile.in
Tobias Brunner [Tue, 24 Jun 2014 14:03:16 +0000 (16:03 +0200)]
apidoc: Updated Doxyfile.in

6 years ago - Fixed some typos
Tobias Brunner [Tue, 24 Jun 2014 13:57:15 +0000 (15:57 +0200)]
Fixed some typos

6 years ago - Update KVM test framework to 3.15 guest kernel [5.2.0rc1]
Andreas Steffen [Fri, 27 Jun 2014 08:07:27 +0000 (10:07 +0200)]
Update KVM test framework to 3.15 guest kernel

6 years ago - Added Android 4.4.4 to IMV database
Andreas Steffen [Fri, 27 Jun 2014 06:27:23 +0000 (08:27 +0200)]
Added Android 4.4.4 to IMV database

6 years ago - testing: Add sql/shunt-policies-nat-rw scenario
Tobias Brunner [Thu, 26 Jun 2014 16:11:23 +0000 (18:11 +0200)]
testing: Add sql/shunt-policies-nat-rw scenario

6 years ago - testing: Add pfkey/shunt-policies-nat-rw scenario
Tobias Brunner [Thu, 26 Jun 2014 13:46:39 +0000 (15:46 +0200)]
testing: Add pfkey/shunt-policies-nat-rw scenario

6 years ago - kernel-pfkey: Use address in TS to determine interface for shunt routes
Tobias Brunner [Thu, 26 Jun 2014 14:38:28 +0000 (16:38 +0200)]
kernel-pfkey: Use address in TS to determine interface for shunt routes

6 years ago - kernel-pfkey: Use subnet and prefix when determining nexthop for shunt policy routes
Tobias Brunner [Thu, 26 Jun 2014 13:44:54 +0000 (15:44 +0200)]
kernel-pfkey: Use subnet and prefix when determining nexthop for shunt policy routes

This is basically the same as 88f125f5605e54b38cf8913df79e32ec6bddff10.

6 years ago - kernel-pfkey: Install routes for shunt policies
Tobias Brunner [Thu, 26 Jun 2014 13:44:32 +0000 (15:44 +0200)]
kernel-pfkey: Install routes for shunt policies

6 years ago - testing: Remove obsolete shunt-policies scenarios
Tobias Brunner [Thu, 26 Jun 2014 13:22:20 +0000 (15:22 +0200)]
testing: Remove obsolete shunt-policies scenarios

6 years ago - starter: Ignore %default conn and ca sections
Tobias Brunner [Thu, 26 Jun 2014 10:23:05 +0000 (12:23 +0200)]
starter: Ignore %default conn and ca sections

6 years ago - Updated build-database.sh to 3.13.0-30-generic Ubuntu kernel
Andreas Steffen [Thu, 26 Jun 2014 09:09:25 +0000 (11:09 +0200)]
Updated build-database.sh to 3.13.0-30-generic Ubuntu kernel

6 years ago - Updated description of TNC scenarios concerning RFC 7171 PT-EAP support
Andreas Steffen [Thu, 26 Jun 2014 07:47:03 +0000 (09:47 +0200)]
Updated description of TNC scenarios concerning RFC 7171 PT-EAP support

6 years ago - Removed django.db from swid scenarios
Andreas Steffen [Thu, 26 Jun 2014 07:45:54 +0000 (09:45 +0200)]
Removed django.db from swid scenarios

6 years ago - updown: Force subnet address to be numeric
Tobias Brunner [Mon, 16 Jun 2014 13:34:05 +0000 (15:34 +0200)]
updown: Force subnet address to be numeric

6 years ago - windows: Include <sys/stat.h> explicitly before overloading memset()/memcpy()
Martin Willi [Wed, 25 Jun 2014 14:06:59 +0000 (16:06 +0200)]
windows: Include <sys/stat.h> explicitly before overloading memset()/memcpy()

fstat() in newer MinGWs is defined as non-static inline. With our new static
inline memset()/memcpy() overloads, this raises a warning. To avoid it,
explicitly include <sys/stat.h> once before defining these overloads.

6 years ago - eap-radius: Increase buffer for accounting attributes to maximum attribute size
Martin Willi [Wed, 25 Jun 2014 11:09:20 +0000 (13:09 +0200)]
eap-radius: Increase buffer for accounting attributes to maximum attribute size

Fixes #624.

6 years ago - kernel-netlink: Cast IPv6 address blobs to the proper type
Tobias Brunner [Tue, 24 Jun 2014 13:43:49 +0000 (15:43 +0200)]
kernel-netlink: Cast IPv6 address blobs to the proper type

On Android these macros are defined as functions.

6 years ago - android: Define HAVE_DLADDR as plugin loader checks for it
Tobias Brunner [Thu, 5 Jun 2014 08:17:09 +0000 (10:17 +0200)]
android: Define HAVE_DLADDR as plugin loader checks for it

6 years ago - android: Update Android.mk files to match changes due to the Windows port
Tobias Brunner [Tue, 24 Jun 2014 13:33:17 +0000 (15:33 +0200)]
android: Update Android.mk files to match changes due to the Windows port

Makes them easier to compare to the original Makefile.am.

6 years ago - charon: Set CLOEXEC flag on daemon PID file and /dev/(u)random source FDs
Martin Willi [Tue, 24 Jun 2014 12:43:38 +0000 (14:43 +0200)]
charon: Set CLOEXEC flag on daemon PID file and /dev/(u)random source FDs

On Fedora, SELinux complains about these open file descriptors when the
updown script invokes iptables. While it seems difficult to set the flag
on all file descriptors, this at least fixes those covered by the SELinux
policy.

As these two cases are in code executed while the daemon is still single
threaded, we avoid the use of atomic but not fully portable fdopen("e") or
open(O_CLOEXEC) calls.

Fixes #519.

6 years ago - utils: Add wrappers for memcpy(3), memmove(3) and memset(3)
Tobias Brunner [Tue, 24 Jun 2014 12:52:42 +0000 (14:52 +0200)]
utils: Add wrappers for memcpy(3), memmove(3) and memset(3)

These wrappers guarantee that calls to these functions are no-ops if the
number of bytes is 0, as calling them with NULL pointers is undefined
according to the C standard, even if the number of bytes is 0 (most
implementations probably ignore the pointers anyway in this case, but
let's make sure).

6 years ago - pki: Also check for MAX_COMMANDS when building getopt_long arguments
Tobias Brunner [Fri, 20 Jun 2014 15:55:48 +0000 (17:55 +0200)]
pki: Also check for MAX_COMMANDS when building getopt_long arguments

Completes 87e53819a6 and 0a8c399a21.

6 years ago - Auxiliary swid_tagstats table boosts performance
Andreas Steffen [Mon, 23 Jun 2014 11:32:50 +0000 (13:32 +0200)]
Auxiliary swid_tagstats table boosts performance

6 years ago - Merge branch 'algorithm-order'
Tobias Brunner [Fri, 20 Jun 2014 14:22:15 +0000 (16:22 +0200)]
Merge branch 'algorithm-order'

Restores the behavior we had before 2e22333fb (except for RNGs), that is,
algorithms are stored in the registration order again. This is not optimal,
as we must rely on plugins to register them in a sensible order, but ordering
them by identifier definitely caused weaker algorithms to be proposed first
in the default proposal, which was even worse.

6 years ago - unit-tests: Add tests for DH factory
Tobias Brunner [Wed, 18 Jun 2014 15:25:47 +0000 (17:25 +0200)]
unit-tests: Add tests for DH factory

6 years ago - crypto-factory: Only sort RNGs by algorithm identifier
Tobias Brunner [Fri, 20 Jun 2014 07:07:05 +0000 (09:07 +0200)]
crypto-factory: Only sort RNGs by algorithm identifier

Others remain in the order in which they were added, grouped by
algorithm identifier and sorted by benchmarking speed, if provided.

6 years ago - unit-tests: Add test for crypto_factory_t's rng_create method
Tobias Brunner [Tue, 6 May 2014 17:56:17 +0000 (19:56 +0200)]
unit-tests: Add test for crypto_factory_t's rng_create method

6 years ago - kernel-netlink: Install virtual IPv6 addresses as deprecated
Tobias Brunner [Fri, 20 Jun 2014 06:51:07 +0000 (08:51 +0200)]
kernel-netlink: Install virtual IPv6 addresses as deprecated

This should prevent the kernel's IPv6 source address selection algorithm
from using this address unless it is forced to by our source route.
This is helpful if split tunneling is used.

Fixes #598.

6 years ago - vici: Install libvici in ipseclibdir like we do with other libraries
Tobias Brunner [Thu, 19 Jun 2014 12:41:37 +0000 (14:41 +0200)]
vici: Install libvici in ipseclibdir like we do with other libraries

6 years ago - Merge branch 'shunt-policies-routes'
Tobias Brunner [Thu, 19 Jun 2014 12:33:50 +0000 (14:33 +0200)]
Merge branch 'shunt-policies-routes'

Fixes #599.

6 years ago - kernel-netlink: Pass prefix when looking up next hop for shunt policies
Tobias Brunner [Wed, 18 Jun 2014 08:10:25 +0000 (10:10 +0200)]
kernel-netlink: Pass prefix when looking up next hop for shunt policies

6 years ago - kernel-netlink: Add support for destination prefix when determining next hop
Tobias Brunner [Wed, 18 Jun 2014 07:58:01 +0000 (09:58 +0200)]
kernel-netlink: Add support for destination prefix when determining next hop

6 years ago - kernel-interface: Add destination prefix to get_nexthop()
Tobias Brunner [Wed, 18 Jun 2014 07:55:39 +0000 (09:55 +0200)]
kernel-interface: Add destination prefix to get_nexthop()

This makes it possible to determine the next hop to reach a subnet, for
instance, when installing routes for shunt policies.

6 years ago - Merge branch 'passthrough-policies-priority'
Tobias Brunner [Thu, 19 Jun 2014 12:24:48 +0000 (14:24 +0200)]
Merge branch 'passthrough-policies-priority'

Introduces a new priority class for policies, which allows us to install
passthrough policies with a strictly higher priority than IPsec
policies, which was not the case previously depending on the traffic
selectors.

6 years ago - testing: Add ikev2/shunt-policies-nat-rw scenario
Tobias Brunner [Thu, 19 Jun 2014 11:37:05 +0000 (13:37 +0200)]
testing: Add ikev2/shunt-policies-nat-rw scenario

6 years ago - testing: Remove ikev2/shunt-policies scenario
Tobias Brunner [Thu, 19 Jun 2014 11:38:49 +0000 (13:38 +0200)]
testing: Remove ikev2/shunt-policies scenario

This scenario doesn't really apply anymore (especially its use of drop
policies).

6 years ago - shunt-manager: Install passthrough policies with highest priority
Tobias Brunner [Tue, 13 May 2014 10:20:27 +0000 (12:20 +0200)]
shunt-manager: Install passthrough policies with highest priority

This avoids conflicts with regular IPsec policies.

Similarly, use the lowest priority for drop policies.

6 years ago - libipsec: Add support for new policy priority class
Tobias Brunner [Tue, 13 May 2014 10:20:02 +0000 (12:20 +0200)]
libipsec: Add support for new policy priority class