2 * Copyright (C) 2006-2013 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 #include <sys/types.h>
22 #include <sys/socket.h>
24 #include <linux/ipsec.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
39 #include <utils/debug.h>
40 #include <threading/mutex.h>
41 #include <collections/hashtable.h>
42 #include <collections/linked_list.h>
44 /** Required for Linux 2.6.26 kernel and later */
45 #ifndef XFRM_STATE_AF_UNSPEC
46 #define XFRM_STATE_AF_UNSPEC 32
49 /** From linux/in.h */
50 #ifndef IP_XFRM_POLICY
51 #define IP_XFRM_POLICY 17
54 /** Missing on uclibc */
55 #ifndef IPV6_XFRM_POLICY
56 #define IPV6_XFRM_POLICY 34
57 #endif /*IPV6_XFRM_POLICY*/
59 /* from linux/udp.h */
64 #ifndef UDP_ENCAP_ESPINUDP
65 #define UDP_ENCAP_ESPINUDP 2
68 /* this is not defined on some platforms */
70 #define SOL_UDP IPPROTO_UDP
73 /** Default priority of installed policies */
76 /** Default replay window size, if not set using charon.replay_window */
77 #define DEFAULT_REPLAY_WINDOW 32
79 /** Default lifetime of an acquire XFRM state (in seconds) */
80 #define DEFAULT_ACQUIRE_LIFETIME 165
83 * Map the limit for bytes and packets to XFRM_INF by default
85 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
88 * Create ORable bitfield of XFRM NL groups
90 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
93 * Returns a pointer to the first rtattr following the nlmsghdr *nlh and the
94 * 'usual' netlink data x like 'struct xfrm_usersa_info'
96 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + \
97 NLMSG_ALIGN(sizeof(x))))
99 * Returns the total size of attached rta data
100 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
102 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
104 typedef struct kernel_algorithm_t kernel_algorithm_t
;
107 * Mapping of IKEv2 kernel identifier to linux crypto API names
109 struct kernel_algorithm_t
{
111 * Identifier specified in IKEv2
116 * Name of the algorithm in linux crypto API
121 ENUM(xfrm_msg_names
, XFRM_MSG_NEWSA
, XFRM_MSG_MAPPING
,
125 "XFRM_MSG_NEWPOLICY",
126 "XFRM_MSG_DELPOLICY",
127 "XFRM_MSG_GETPOLICY",
131 "XFRM_MSG_UPDPOLICY",
133 "XFRM_MSG_POLEXPIRE",
135 "XFRM_MSG_FLUSHPOLICY",
140 "XFRM_MSG_NEWSADINFO",
141 "XFRM_MSG_GETSADINFO",
142 "XFRM_MSG_NEWSPDINFO",
143 "XFRM_MSG_GETSPDINFO",
147 ENUM(xfrm_attr_type_names
, XFRMA_UNSPEC
, XFRMA_REPLAY_ESN_VAL
,
159 "XFRMA_REPLAY_THRESH",
160 "XFRMA_ETIMER_THRESH",
168 "XFRMA_ALG_AUTH_TRUNC",
171 "XFRMA_REPLAY_ESN_VAL",
175 * Algorithms for encryption
177 static kernel_algorithm_t encryption_algs
[] = {
178 /* {ENCR_DES_IV64, "***" }, */
180 {ENCR_3DES
, "des3_ede" },
181 /* {ENCR_RC5, "***" }, */
182 /* {ENCR_IDEA, "***" }, */
183 {ENCR_CAST
, "cast128" },
184 {ENCR_BLOWFISH
, "blowfish" },
185 /* {ENCR_3IDEA, "***" }, */
186 /* {ENCR_DES_IV32, "***" }, */
187 {ENCR_NULL
, "cipher_null" },
188 {ENCR_AES_CBC
, "aes" },
189 {ENCR_AES_CTR
, "rfc3686(ctr(aes))" },
190 {ENCR_AES_CCM_ICV8
, "rfc4309(ccm(aes))" },
191 {ENCR_AES_CCM_ICV12
, "rfc4309(ccm(aes))" },
192 {ENCR_AES_CCM_ICV16
, "rfc4309(ccm(aes))" },
193 {ENCR_AES_GCM_ICV8
, "rfc4106(gcm(aes))" },
194 {ENCR_AES_GCM_ICV12
, "rfc4106(gcm(aes))" },
195 {ENCR_AES_GCM_ICV16
, "rfc4106(gcm(aes))" },
196 {ENCR_NULL_AUTH_AES_GMAC
, "rfc4543(gcm(aes))" },
197 {ENCR_CAMELLIA_CBC
, "cbc(camellia)" },
198 /* {ENCR_CAMELLIA_CTR, "***" }, */
199 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
200 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
201 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
202 {ENCR_SERPENT_CBC
, "serpent" },
203 {ENCR_TWOFISH_CBC
, "twofish" },
207 * Algorithms for integrity protection
209 static kernel_algorithm_t integrity_algs
[] = {
210 {AUTH_HMAC_MD5_96
, "md5" },
211 {AUTH_HMAC_MD5_128
, "hmac(md5)" },
212 {AUTH_HMAC_SHA1_96
, "sha1" },
213 {AUTH_HMAC_SHA1_160
, "hmac(sha1)" },
214 {AUTH_HMAC_SHA2_256_96
, "sha256" },
215 {AUTH_HMAC_SHA2_256_128
, "hmac(sha256)" },
216 {AUTH_HMAC_SHA2_384_192
, "hmac(sha384)" },
217 {AUTH_HMAC_SHA2_512_256
, "hmac(sha512)" },
218 /* {AUTH_DES_MAC, "***" }, */
219 /* {AUTH_KPDK_MD5, "***" }, */
220 {AUTH_AES_XCBC_96
, "xcbc(aes)" },
224 * Algorithms for IPComp
226 static kernel_algorithm_t compression_algs
[] = {
227 /* {IPCOMP_OUI, "***" }, */
228 {IPCOMP_DEFLATE
, "deflate" },
229 {IPCOMP_LZS
, "lzs" },
230 {IPCOMP_LZJH
, "lzjh" },
234 * Look up a kernel algorithm name and its key size
236 static char* lookup_algorithm(transform_type_t type
, int ikev2
)
238 kernel_algorithm_t
*list
;
244 case ENCRYPTION_ALGORITHM
:
245 list
= encryption_algs
;
246 count
= countof(encryption_algs
);
248 case INTEGRITY_ALGORITHM
:
249 list
= integrity_algs
;
250 count
= countof(integrity_algs
);
252 case COMPRESSION_ALGORITHM
:
253 list
= compression_algs
;
254 count
= countof(compression_algs
);
259 for (i
= 0; i
< count
; i
++)
261 if (list
[i
].ikev2
== ikev2
)
266 if (hydra
->kernel_interface
->lookup_algorithm(hydra
->kernel_interface
,
267 ikev2
, type
, NULL
, &name
))
274 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t
;
277 * Private variables and functions of kernel_netlink class.
279 struct private_kernel_netlink_ipsec_t
{
281 * Public part of the kernel_netlink_t object
283 kernel_netlink_ipsec_t
public;
286 * Mutex to lock access to installed policies
291 * Hash table of installed policies (policy_entry_t)
293 hashtable_t
*policies
;
296 * Hash table of IPsec SAs using policies (ipsec_sa_t)
301 * Netlink xfrm socket (IPsec)
303 netlink_socket_t
*socket_xfrm
;
306 * Netlink xfrm socket to receive acquire and expire events
308 int socket_xfrm_events
;
311 * Whether to install routes along policies
316 * Whether to track the history of a policy
321 * Size of the replay window, in packets (= bits)
323 u_int32_t replay_window
;
326 * Size of the replay window bitmap, in number of __u32 blocks
328 u_int32_t replay_bmp
;
331 typedef struct route_entry_t route_entry_t
;
334 * Installed routing entry
336 struct route_entry_t
{
337 /** Name of the interface the route is bound to */
340 /** Source ip of the route */
343 /** Gateway for this route */
346 /** Destination net */
349 /** Destination net prefixlen */
354 * Destroy a route_entry_t object
356 static void route_entry_destroy(route_entry_t
*this)
359 this->src_ip
->destroy(this->src_ip
);
360 DESTROY_IF(this->gateway
);
361 chunk_free(&this->dst_net
);
366 * Compare two route_entry_t objects
368 static bool route_entry_equals(route_entry_t
*a
, route_entry_t
*b
)
370 return a
->if_name
&& b
->if_name
&& streq(a
->if_name
, b
->if_name
) &&
371 a
->src_ip
->ip_equals(a
->src_ip
, b
->src_ip
) &&
372 a
->gateway
->ip_equals(a
->gateway
, b
->gateway
) &&
373 chunk_equals(a
->dst_net
, b
->dst_net
) && a
->prefixlen
== b
->prefixlen
;
376 typedef struct ipsec_sa_t ipsec_sa_t
;
379 * IPsec SA assigned to a policy.
382 /** Source address of this SA */
385 /** Destination address of this SA */
391 /** Description of this SA */
394 /** Reference count for this SA */
399 * Hash function for ipsec_sa_t objects
401 static u_int
ipsec_sa_hash(ipsec_sa_t
*sa
)
403 return chunk_hash_inc(sa
->src
->get_address(sa
->src
),
404 chunk_hash_inc(sa
->dst
->get_address(sa
->dst
),
405 chunk_hash_inc(chunk_from_thing(sa
->mark
),
406 chunk_hash(chunk_from_thing(sa
->cfg
)))));
410 * Equality function for ipsec_sa_t objects
412 static bool ipsec_sa_equals(ipsec_sa_t
*sa
, ipsec_sa_t
*other_sa
)
414 return sa
->src
->ip_equals(sa
->src
, other_sa
->src
) &&
415 sa
->dst
->ip_equals(sa
->dst
, other_sa
->dst
) &&
416 memeq(&sa
->mark
, &other_sa
->mark
, sizeof(mark_t
)) &&
417 memeq(&sa
->cfg
, &other_sa
->cfg
, sizeof(ipsec_sa_cfg_t
));
421 * Allocate or reference an IPsec SA object
423 static ipsec_sa_t
*ipsec_sa_create(private_kernel_netlink_ipsec_t
*this,
424 host_t
*src
, host_t
*dst
, mark_t mark
,
427 ipsec_sa_t
*sa
, *found
;
434 found
= this->sas
->get(this->sas
, sa
);
437 sa
->src
= src
->clone(src
);
438 sa
->dst
= dst
->clone(dst
);
439 this->sas
->put(this->sas
, sa
, sa
);
446 ref_get(&sa
->refcount
);
451 * Release and destroy an IPsec SA object
453 static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t
*this,
456 if (ref_put(&sa
->refcount
))
458 this->sas
->remove(this->sas
, sa
);
465 typedef struct policy_sa_t policy_sa_t
;
466 typedef struct policy_sa_fwd_t policy_sa_fwd_t
;
469 * Mapping between a policy and an IPsec SA.
472 /** Priority assigned to the policy when installed with this SA */
475 /** Type of the policy */
483 * For forward policies we also cache the traffic selectors in order to install
486 struct policy_sa_fwd_t
{
487 /** Generic interface */
490 /** Source traffic selector of this policy */
491 traffic_selector_t
*src_ts
;
493 /** Destination traffic selector of this policy */
494 traffic_selector_t
*dst_ts
;
498 * Create a policy_sa(_fwd)_t object
500 static policy_sa_t
*policy_sa_create(private_kernel_netlink_ipsec_t
*this,
501 policy_dir_t dir
, policy_type_t type
, host_t
*src
, host_t
*dst
,
502 traffic_selector_t
*src_ts
, traffic_selector_t
*dst_ts
, mark_t mark
,
507 if (dir
== POLICY_FWD
)
509 policy_sa_fwd_t
*fwd
;
511 .src_ts
= src_ts
->clone(src_ts
),
512 .dst_ts
= dst_ts
->clone(dst_ts
),
514 policy
= &fwd
->generic
;
518 INIT(policy
, .priority
= 0);
521 policy
->sa
= ipsec_sa_create(this, src
, dst
, mark
, cfg
);
526 * Destroy a policy_sa(_fwd)_t object
528 static void policy_sa_destroy(policy_sa_t
*policy
, policy_dir_t
*dir
,
529 private_kernel_netlink_ipsec_t
*this)
531 if (*dir
== POLICY_FWD
)
533 policy_sa_fwd_t
*fwd
= (policy_sa_fwd_t
*)policy
;
534 fwd
->src_ts
->destroy(fwd
->src_ts
);
535 fwd
->dst_ts
->destroy(fwd
->dst_ts
);
537 ipsec_sa_destroy(this, policy
->sa
);
541 typedef struct policy_entry_t policy_entry_t
;
544 * Installed kernel policy.
546 struct policy_entry_t
{
548 /** Direction of this policy: in, out, forward */
551 /** Parameters of installed policy */
552 struct xfrm_selector sel
;
557 /** Associated route installed for this policy */
558 route_entry_t
*route
;
560 /** List of SAs this policy is used by, ordered by priority */
561 linked_list_t
*used_by
;
563 /** reqid for this policy */
568 * Destroy a policy_entry_t object
570 static void policy_entry_destroy(private_kernel_netlink_ipsec_t
*this,
571 policy_entry_t
*policy
)
575 route_entry_destroy(policy
->route
);
579 policy
->used_by
->invoke_function(policy
->used_by
,
580 (linked_list_invoke_t
)policy_sa_destroy
,
581 &policy
->direction
, this);
582 policy
->used_by
->destroy(policy
->used_by
);
588 * Hash function for policy_entry_t objects
590 static u_int
policy_hash(policy_entry_t
*key
)
592 chunk_t chunk
= chunk_from_thing(key
->sel
);
593 return chunk_hash_inc(chunk
, chunk_hash(chunk_from_thing(key
->mark
)));
597 * Equality function for policy_entry_t objects
599 static bool policy_equals(policy_entry_t
*key
, policy_entry_t
*other_key
)
601 return memeq(&key
->sel
, &other_key
->sel
, sizeof(struct xfrm_selector
)) &&
602 key
->mark
== other_key
->mark
&&
603 key
->direction
== other_key
->direction
;
607 * Calculate the priority of a policy
609 static inline u_int32_t
get_priority(policy_entry_t
*policy
,
610 policy_priority_t prio
)
612 u_int32_t priority
= PRIO_BASE
;
615 case POLICY_PRIORITY_FALLBACK
:
618 case POLICY_PRIORITY_ROUTED
:
621 case POLICY_PRIORITY_DEFAULT
:
624 /* calculate priority based on selector size, small size = high prio */
625 priority
-= policy
->sel
.prefixlen_s
;
626 priority
-= policy
->sel
.prefixlen_d
;
627 priority
<<= 2; /* make some room for the two flags */
628 priority
+= policy
->sel
.sport_mask
|| policy
->sel
.dport_mask
? 0 : 2;
629 priority
+= policy
->sel
.proto
? 0 : 1;
634 * Return the length of the ESN bitmap
636 static inline size_t esn_bmp_len(private_kernel_netlink_ipsec_t
*this)
638 return this->replay_bmp
* sizeof(u_int32_t
);
642 * Convert the general ipsec mode to the one defined in xfrm.h
644 static u_int8_t
mode2kernel(ipsec_mode_t mode
)
649 return XFRM_MODE_TRANSPORT
;
651 return XFRM_MODE_TUNNEL
;
653 return XFRM_MODE_BEET
;
660 * Convert a host_t to a struct xfrm_address
662 static void host2xfrm(host_t
*host
, xfrm_address_t
*xfrm
)
664 chunk_t chunk
= host
->get_address(host
);
665 memcpy(xfrm
, chunk
.ptr
, min(chunk
.len
, sizeof(xfrm_address_t
)));
669 * Convert a struct xfrm_address to a host_t
671 static host_t
* xfrm2host(int family
, xfrm_address_t
*xfrm
, u_int16_t port
)
678 chunk
= chunk_create((u_char
*)&xfrm
->a4
, sizeof(xfrm
->a4
));
681 chunk
= chunk_create((u_char
*)&xfrm
->a6
, sizeof(xfrm
->a6
));
686 return host_create_from_chunk(family
, chunk
, ntohs(port
));
690 * Convert a traffic selector address range to subnet and its mask.
692 static void ts2subnet(traffic_selector_t
* ts
,
693 xfrm_address_t
*net
, u_int8_t
*mask
)
698 ts
->to_subnet(ts
, &net_host
, mask
);
699 net_chunk
= net_host
->get_address(net_host
);
700 memcpy(net
, net_chunk
.ptr
, net_chunk
.len
);
701 net_host
->destroy(net_host
);
705 * Convert a traffic selector port range to port/portmask
707 static void ts2ports(traffic_selector_t
* ts
,
708 u_int16_t
*port
, u_int16_t
*mask
)
710 /* Linux does not seem to accept complex portmasks. Only
711 * any or a specific port is allowed. We set to any, if we have
712 * a port range, or to a specific, if we have one port only.
716 from
= ts
->get_from_port(ts
);
717 to
= ts
->get_to_port(ts
);
732 * Convert a pair of traffic_selectors to an xfrm_selector
734 static struct xfrm_selector
ts2selector(traffic_selector_t
*src
,
735 traffic_selector_t
*dst
)
737 struct xfrm_selector sel
;
739 memset(&sel
, 0, sizeof(sel
));
740 sel
.family
= (src
->get_type(src
) == TS_IPV4_ADDR_RANGE
) ? AF_INET
: AF_INET6
;
741 /* src or dest proto may be "any" (0), use more restrictive one */
742 sel
.proto
= max(src
->get_protocol(src
), dst
->get_protocol(dst
));
743 ts2subnet(dst
, &sel
.daddr
, &sel
.prefixlen_d
);
744 ts2subnet(src
, &sel
.saddr
, &sel
.prefixlen_s
);
745 ts2ports(dst
, &sel
.dport
, &sel
.dport_mask
);
746 ts2ports(src
, &sel
.sport
, &sel
.sport_mask
);
747 if ((sel
.proto
== IPPROTO_ICMP
|| sel
.proto
== IPPROTO_ICMPV6
) &&
748 (sel
.dport
|| sel
.sport
))
750 /* the ICMP type is encoded in the most significant 8 bits and the ICMP
751 * code in the least significant 8 bits of the port. via XFRM we have
752 * to pass the ICMP type and code in the source and destination port
753 * fields, respectively. the port is in network byte order. */
754 u_int16_t port
= max(sel
.dport
, sel
.sport
);
755 sel
.sport
= htons(port
& 0xff);
756 sel
.dport
= htons(port
>> 8);
765 * Convert an xfrm_selector to a src|dst traffic_selector
767 static traffic_selector_t
* selector2ts(struct xfrm_selector
*sel
, bool src
)
776 addr
= (u_char
*)&sel
->saddr
;
777 prefixlen
= sel
->prefixlen_s
;
780 port
= ntohs(sel
->sport
);
785 addr
= (u_char
*)&sel
->daddr
;
786 prefixlen
= sel
->prefixlen_d
;
789 port
= ntohs(sel
->dport
);
792 if (sel
->proto
== IPPROTO_ICMP
|| sel
->proto
== IPPROTO_ICMPV6
)
793 { /* convert ICMP[v6] message type and code as supplied by the kernel in
794 * source and destination ports (both in network order) */
795 port
= (sel
->sport
>> 8) | (sel
->dport
& 0xff00);
798 /* The Linux 2.6 kernel does not set the selector's family field,
799 * so as a kludge we additionally test the prefix length.
801 if (sel
->family
== AF_INET
|| sel
->prefixlen_s
== 32)
803 host
= host_create_from_chunk(AF_INET
, chunk_create(addr
, 4), 0);
805 else if (sel
->family
== AF_INET6
|| sel
->prefixlen_s
== 128)
807 host
= host_create_from_chunk(AF_INET6
, chunk_create(addr
, 16), 0);
812 return traffic_selector_create_from_subnet(host
, prefixlen
,
813 sel
->proto
, port
, port
?: 65535);
819 * Process a XFRM_MSG_ACQUIRE from kernel
821 static void process_acquire(private_kernel_netlink_ipsec_t
*this,
822 struct nlmsghdr
*hdr
)
824 struct xfrm_user_acquire
*acquire
;
827 traffic_selector_t
*src_ts
, *dst_ts
;
831 acquire
= (struct xfrm_user_acquire
*)NLMSG_DATA(hdr
);
832 rta
= XFRM_RTA(hdr
, struct xfrm_user_acquire
);
833 rtasize
= XFRM_PAYLOAD(hdr
, struct xfrm_user_acquire
);
835 DBG2(DBG_KNL
, "received a XFRM_MSG_ACQUIRE");
837 while (RTA_OK(rta
, rtasize
))
839 DBG2(DBG_KNL
, " %N", xfrm_attr_type_names
, rta
->rta_type
);
841 if (rta
->rta_type
== XFRMA_TMPL
)
843 struct xfrm_user_tmpl
* tmpl
;
844 tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rta
);
846 proto
= tmpl
->id
.proto
;
848 rta
= RTA_NEXT(rta
, rtasize
);
857 /* acquire for AH/ESP only, not for IPCOMP */
860 src_ts
= selector2ts(&acquire
->sel
, TRUE
);
861 dst_ts
= selector2ts(&acquire
->sel
, FALSE
);
863 hydra
->kernel_interface
->acquire(hydra
->kernel_interface
, reqid
, src_ts
,
868 * Process a XFRM_MSG_EXPIRE from kernel
870 static void process_expire(private_kernel_netlink_ipsec_t
*this,
871 struct nlmsghdr
*hdr
)
873 struct xfrm_user_expire
*expire
;
874 u_int32_t spi
, reqid
;
877 expire
= (struct xfrm_user_expire
*)NLMSG_DATA(hdr
);
878 protocol
= expire
->state
.id
.proto
;
879 spi
= expire
->state
.id
.spi
;
880 reqid
= expire
->state
.reqid
;
882 DBG2(DBG_KNL
, "received a XFRM_MSG_EXPIRE");
884 if (protocol
!= IPPROTO_ESP
&& protocol
!= IPPROTO_AH
)
886 DBG2(DBG_KNL
, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and "
887 "reqid {%u} which is not a CHILD_SA", ntohl(spi
), reqid
);
891 hydra
->kernel_interface
->expire(hydra
->kernel_interface
, reqid
, protocol
,
892 spi
, expire
->hard
!= 0);
896 * Process a XFRM_MSG_MIGRATE from kernel
898 static void process_migrate(private_kernel_netlink_ipsec_t
*this,
899 struct nlmsghdr
*hdr
)
901 struct xfrm_userpolicy_id
*policy_id
;
904 traffic_selector_t
*src_ts
, *dst_ts
;
905 host_t
*local
= NULL
, *remote
= NULL
;
906 host_t
*old_src
= NULL
, *old_dst
= NULL
;
907 host_t
*new_src
= NULL
, *new_dst
= NULL
;
911 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
912 rta
= XFRM_RTA(hdr
, struct xfrm_userpolicy_id
);
913 rtasize
= XFRM_PAYLOAD(hdr
, struct xfrm_userpolicy_id
);
915 DBG2(DBG_KNL
, "received a XFRM_MSG_MIGRATE");
917 src_ts
= selector2ts(&policy_id
->sel
, TRUE
);
918 dst_ts
= selector2ts(&policy_id
->sel
, FALSE
);
919 dir
= (policy_dir_t
)policy_id
->dir
;
921 DBG2(DBG_KNL
, " policy: %R === %R %N", src_ts
, dst_ts
, policy_dir_names
);
923 while (RTA_OK(rta
, rtasize
))
925 DBG2(DBG_KNL
, " %N", xfrm_attr_type_names
, rta
->rta_type
);
926 if (rta
->rta_type
== XFRMA_KMADDRESS
)
928 struct xfrm_user_kmaddress
*kmaddress
;
930 kmaddress
= (struct xfrm_user_kmaddress
*)RTA_DATA(rta
);
931 local
= xfrm2host(kmaddress
->family
, &kmaddress
->local
, 0);
932 remote
= xfrm2host(kmaddress
->family
, &kmaddress
->remote
, 0);
933 DBG2(DBG_KNL
, " kmaddress: %H...%H", local
, remote
);
935 else if (rta
->rta_type
== XFRMA_MIGRATE
)
937 struct xfrm_user_migrate
*migrate
;
939 migrate
= (struct xfrm_user_migrate
*)RTA_DATA(rta
);
940 old_src
= xfrm2host(migrate
->old_family
, &migrate
->old_saddr
, 0);
941 old_dst
= xfrm2host(migrate
->old_family
, &migrate
->old_daddr
, 0);
942 new_src
= xfrm2host(migrate
->new_family
, &migrate
->new_saddr
, 0);
943 new_dst
= xfrm2host(migrate
->new_family
, &migrate
->new_daddr
, 0);
944 reqid
= migrate
->reqid
;
945 DBG2(DBG_KNL
, " migrate %H...%H to %H...%H, reqid {%u}",
946 old_src
, old_dst
, new_src
, new_dst
, reqid
);
952 rta
= RTA_NEXT(rta
, rtasize
);
955 if (src_ts
&& dst_ts
&& local
&& remote
)
957 hydra
->kernel_interface
->migrate(hydra
->kernel_interface
, reqid
,
958 src_ts
, dst_ts
, dir
, local
, remote
);
970 * Process a XFRM_MSG_MAPPING from kernel
972 static void process_mapping(private_kernel_netlink_ipsec_t
*this,
973 struct nlmsghdr
*hdr
)
975 struct xfrm_user_mapping
*mapping
;
976 u_int32_t spi
, reqid
;
978 mapping
= (struct xfrm_user_mapping
*)NLMSG_DATA(hdr
);
979 spi
= mapping
->id
.spi
;
980 reqid
= mapping
->reqid
;
982 DBG2(DBG_KNL
, "received a XFRM_MSG_MAPPING");
984 if (mapping
->id
.proto
== IPPROTO_ESP
)
987 host
= xfrm2host(mapping
->id
.family
, &mapping
->new_saddr
,
991 hydra
->kernel_interface
->mapping(hydra
->kernel_interface
, reqid
,
998 * Receives events from kernel
1000 static bool receive_events(private_kernel_netlink_ipsec_t
*this, int fd
,
1001 watcher_event_t event
)
1003 char response
[1024];
1004 struct nlmsghdr
*hdr
= (struct nlmsghdr
*)response
;
1005 struct sockaddr_nl addr
;
1006 socklen_t addr_len
= sizeof(addr
);
1009 len
= recvfrom(this->socket_xfrm_events
, response
, sizeof(response
),
1010 MSG_DONTWAIT
, (struct sockaddr
*)&addr
, &addr_len
);
1016 /* interrupted, try again */
1019 /* no data ready, select again */
1022 DBG1(DBG_KNL
, "unable to receive from xfrm event socket");
1028 if (addr
.nl_pid
!= 0)
1029 { /* not from kernel. not interested, try another one */
1033 while (NLMSG_OK(hdr
, len
))
1035 switch (hdr
->nlmsg_type
)
1037 case XFRM_MSG_ACQUIRE
:
1038 process_acquire(this, hdr
);
1040 case XFRM_MSG_EXPIRE
:
1041 process_expire(this, hdr
);
1043 case XFRM_MSG_MIGRATE
:
1044 process_migrate(this, hdr
);
1046 case XFRM_MSG_MAPPING
:
1047 process_mapping(this, hdr
);
1050 DBG1(DBG_KNL
, "received unknown event from xfrm event "
1051 "socket: %d", hdr
->nlmsg_type
);
1054 hdr
= NLMSG_NEXT(hdr
, len
);
1059 METHOD(kernel_ipsec_t
, get_features
, kernel_feature_t
,
1060 private_kernel_netlink_ipsec_t
*this)
1062 return KERNEL_ESP_V3_TFC
;
1066 * Get an SPI for a specific protocol from the kernel.
1068 static status_t
get_spi_internal(private_kernel_netlink_ipsec_t
*this,
1069 host_t
*src
, host_t
*dst
, u_int8_t proto
, u_int32_t min
, u_int32_t max
,
1070 u_int32_t reqid
, u_int32_t
*spi
)
1072 netlink_buf_t request
;
1073 struct nlmsghdr
*hdr
, *out
;
1074 struct xfrm_userspi_info
*userspi
;
1075 u_int32_t received_spi
= 0;
1078 memset(&request
, 0, sizeof(request
));
1080 hdr
= (struct nlmsghdr
*)request
;
1081 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1082 hdr
->nlmsg_type
= XFRM_MSG_ALLOCSPI
;
1083 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userspi_info
));
1085 userspi
= (struct xfrm_userspi_info
*)NLMSG_DATA(hdr
);
1086 host2xfrm(src
, &userspi
->info
.saddr
);
1087 host2xfrm(dst
, &userspi
->info
.id
.daddr
);
1088 userspi
->info
.id
.proto
= proto
;
1089 userspi
->info
.mode
= XFRM_MODE_TUNNEL
;
1090 userspi
->info
.reqid
= reqid
;
1091 userspi
->info
.family
= src
->get_family(src
);
1095 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1098 while (NLMSG_OK(hdr
, len
))
1100 switch (hdr
->nlmsg_type
)
1102 case XFRM_MSG_NEWSA
:
1104 struct xfrm_usersa_info
* usersa
= NLMSG_DATA(hdr
);
1105 received_spi
= usersa
->id
.spi
;
1110 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1111 DBG1(DBG_KNL
, "allocating SPI failed: %s (%d)",
1112 strerror(-err
->error
), -err
->error
);
1116 hdr
= NLMSG_NEXT(hdr
, len
);
1126 if (received_spi
== 0)
1131 *spi
= received_spi
;
1135 METHOD(kernel_ipsec_t
, get_spi
, status_t
,
1136 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1137 u_int8_t protocol
, u_int32_t reqid
, u_int32_t
*spi
)
1139 DBG2(DBG_KNL
, "getting SPI for reqid {%u}", reqid
);
1141 if (get_spi_internal(this, src
, dst
, protocol
,
1142 0xc0000000, 0xcFFFFFFF, reqid
, spi
) != SUCCESS
)
1144 DBG1(DBG_KNL
, "unable to get SPI for reqid {%u}", reqid
);
1148 DBG2(DBG_KNL
, "got SPI %.8x for reqid {%u}", ntohl(*spi
), reqid
);
1152 METHOD(kernel_ipsec_t
, get_cpi
, status_t
,
1153 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1154 u_int32_t reqid
, u_int16_t
*cpi
)
1156 u_int32_t received_spi
= 0;
1158 DBG2(DBG_KNL
, "getting CPI for reqid {%u}", reqid
);
1160 if (get_spi_internal(this, src
, dst
, IPPROTO_COMP
,
1161 0x100, 0xEFFF, reqid
, &received_spi
) != SUCCESS
)
1163 DBG1(DBG_KNL
, "unable to get CPI for reqid {%u}", reqid
);
1167 *cpi
= htons((u_int16_t
)ntohl(received_spi
));
1169 DBG2(DBG_KNL
, "got CPI %.4x for reqid {%u}", ntohs(*cpi
), reqid
);
1174 * Add a XFRM mark to message if required
1176 static bool add_mark(struct nlmsghdr
*hdr
, int buflen
, mark_t mark
)
1180 struct xfrm_mark
*xmrk
;
1182 xmrk
= netlink_reserve(hdr
, buflen
, XFRMA_MARK
, sizeof(*xmrk
));
1187 xmrk
->v
= mark
.value
;
1188 xmrk
->m
= mark
.mask
;
1193 METHOD(kernel_ipsec_t
, add_sa
, status_t
,
1194 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1195 u_int32_t spi
, u_int8_t protocol
, u_int32_t reqid
, mark_t mark
,
1196 u_int32_t tfc
, lifetime_cfg_t
*lifetime
, u_int16_t enc_alg
, chunk_t enc_key
,
1197 u_int16_t int_alg
, chunk_t int_key
, ipsec_mode_t mode
, u_int16_t ipcomp
,
1198 u_int16_t cpi
, bool initiator
, bool encap
, bool esn
, bool inbound
,
1199 traffic_selector_t
* src_ts
, traffic_selector_t
* dst_ts
)
1201 netlink_buf_t request
;
1203 struct nlmsghdr
*hdr
;
1204 struct xfrm_usersa_info
*sa
;
1205 u_int16_t icv_size
= 64;
1206 ipsec_mode_t original_mode
= mode
;
1207 status_t status
= FAILED
;
1209 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
1210 * we are in the recursive call below */
1211 if (ipcomp
!= IPCOMP_NONE
&& cpi
!= 0)
1213 lifetime_cfg_t lft
= {{0,0,0},{0,0,0},{0,0,0}};
1214 add_sa(this, src
, dst
, htonl(ntohs(cpi
)), IPPROTO_COMP
, reqid
, mark
,
1215 tfc
, &lft
, ENCR_UNDEFINED
, chunk_empty
, AUTH_UNDEFINED
,
1216 chunk_empty
, mode
, ipcomp
, 0, initiator
, FALSE
, FALSE
, inbound
,
1218 ipcomp
= IPCOMP_NONE
;
1219 /* use transport mode ESP SA, IPComp uses tunnel mode */
1220 mode
= MODE_TRANSPORT
;
1223 memset(&request
, 0, sizeof(request
));
1225 DBG2(DBG_KNL
, "adding SAD entry with SPI %.8x and reqid {%u} (mark "
1226 "%u/0x%08x)", ntohl(spi
), reqid
, mark
.value
, mark
.mask
);
1228 hdr
= (struct nlmsghdr
*)request
;
1229 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1230 hdr
->nlmsg_type
= inbound
? XFRM_MSG_UPDSA
: XFRM_MSG_NEWSA
;
1231 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1233 sa
= (struct xfrm_usersa_info
*)NLMSG_DATA(hdr
);
1234 host2xfrm(src
, &sa
->saddr
);
1235 host2xfrm(dst
, &sa
->id
.daddr
);
1237 sa
->id
.proto
= protocol
;
1238 sa
->family
= src
->get_family(src
);
1239 sa
->mode
= mode2kernel(mode
);
1243 sa
->flags
|= XFRM_STATE_AF_UNSPEC
;
1246 case MODE_TRANSPORT
:
1247 if (original_mode
== MODE_TUNNEL
)
1248 { /* don't install selectors for switched SAs. because only one
1249 * selector can be installed other traffic would get dropped */
1252 if (src_ts
&& dst_ts
)
1254 sa
->sel
= ts2selector(src_ts
, dst_ts
);
1255 /* don't install proto/port on SA. This would break
1256 * potential secondary SAs for the same address using a
1257 * different prot/port. */
1259 sa
->sel
.dport
= sa
->sel
.dport_mask
= 0;
1260 sa
->sel
.sport
= sa
->sel
.sport_mask
= 0;
1268 sa
->lft
.soft_byte_limit
= XFRM_LIMIT(lifetime
->bytes
.rekey
);
1269 sa
->lft
.hard_byte_limit
= XFRM_LIMIT(lifetime
->bytes
.life
);
1270 sa
->lft
.soft_packet_limit
= XFRM_LIMIT(lifetime
->packets
.rekey
);
1271 sa
->lft
.hard_packet_limit
= XFRM_LIMIT(lifetime
->packets
.life
);
1272 /* we use lifetimes since added, not since used */
1273 sa
->lft
.soft_add_expires_seconds
= lifetime
->time
.rekey
;
1274 sa
->lft
.hard_add_expires_seconds
= lifetime
->time
.life
;
1275 sa
->lft
.soft_use_expires_seconds
= 0;
1276 sa
->lft
.hard_use_expires_seconds
= 0;
1280 case ENCR_UNDEFINED
:
1283 case ENCR_AES_CCM_ICV16
:
1284 case ENCR_AES_GCM_ICV16
:
1285 case ENCR_NULL_AUTH_AES_GMAC
:
1286 case ENCR_CAMELLIA_CCM_ICV16
:
1289 case ENCR_AES_CCM_ICV12
:
1290 case ENCR_AES_GCM_ICV12
:
1291 case ENCR_CAMELLIA_CCM_ICV12
:
1294 case ENCR_AES_CCM_ICV8
:
1295 case ENCR_AES_GCM_ICV8
:
1296 case ENCR_CAMELLIA_CCM_ICV8
:
1298 struct xfrm_algo_aead
*algo
;
1300 alg_name
= lookup_algorithm(ENCRYPTION_ALGORITHM
, enc_alg
);
1301 if (alg_name
== NULL
)
1303 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1304 encryption_algorithm_names
, enc_alg
);
1307 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1308 encryption_algorithm_names
, enc_alg
, enc_key
.len
* 8);
1310 algo
= netlink_reserve(hdr
, sizeof(request
), XFRMA_ALG_AEAD
,
1311 sizeof(*algo
) + enc_key
.len
);
1316 algo
->alg_key_len
= enc_key
.len
* 8;
1317 algo
->alg_icv_len
= icv_size
;
1318 strncpy(algo
->alg_name
, alg_name
, sizeof(algo
->alg_name
));
1319 algo
->alg_name
[sizeof(algo
->alg_name
) - 1] = '\0';
1320 memcpy(algo
->alg_key
, enc_key
.ptr
, enc_key
.len
);
1325 struct xfrm_algo
*algo
;
1327 alg_name
= lookup_algorithm(ENCRYPTION_ALGORITHM
, enc_alg
);
1328 if (alg_name
== NULL
)
1330 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1331 encryption_algorithm_names
, enc_alg
);
1334 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1335 encryption_algorithm_names
, enc_alg
, enc_key
.len
* 8);
1337 algo
= netlink_reserve(hdr
, sizeof(request
), XFRMA_ALG_CRYPT
,
1338 sizeof(*algo
) + enc_key
.len
);
1343 algo
->alg_key_len
= enc_key
.len
* 8;
1344 strncpy(algo
->alg_name
, alg_name
, sizeof(algo
->alg_name
));
1345 algo
->alg_name
[sizeof(algo
->alg_name
) - 1] = '\0';
1346 memcpy(algo
->alg_key
, enc_key
.ptr
, enc_key
.len
);
1350 if (int_alg
!= AUTH_UNDEFINED
)
1352 u_int trunc_len
= 0;
1354 alg_name
= lookup_algorithm(INTEGRITY_ALGORITHM
, int_alg
);
1355 if (alg_name
== NULL
)
1357 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1358 integrity_algorithm_names
, int_alg
);
1361 DBG2(DBG_KNL
, " using integrity algorithm %N with key size %d",
1362 integrity_algorithm_names
, int_alg
, int_key
.len
* 8);
1366 case AUTH_HMAC_MD5_128
:
1367 case AUTH_HMAC_SHA2_256_128
:
1370 case AUTH_HMAC_SHA1_160
:
1379 struct xfrm_algo_auth
* algo
;
1381 /* the kernel uses SHA256 with 96 bit truncation by default,
1382 * use specified truncation size supported by newer kernels.
1383 * also use this for untruncated MD5 and SHA1. */
1384 algo
= netlink_reserve(hdr
, sizeof(request
), XFRMA_ALG_AUTH_TRUNC
,
1385 sizeof(*algo
) + int_key
.len
);
1390 algo
->alg_key_len
= int_key
.len
* 8;
1391 algo
->alg_trunc_len
= trunc_len
;
1392 strncpy(algo
->alg_name
, alg_name
, sizeof(algo
->alg_name
));
1393 algo
->alg_name
[sizeof(algo
->alg_name
) - 1] = '\0';
1394 memcpy(algo
->alg_key
, int_key
.ptr
, int_key
.len
);
1398 struct xfrm_algo
* algo
;
1400 algo
= netlink_reserve(hdr
, sizeof(request
), XFRMA_ALG_AUTH
,
1401 sizeof(*algo
) + int_key
.len
);
1406 algo
->alg_key_len
= int_key
.len
* 8;
1407 strncpy(algo
->alg_name
, alg_name
, sizeof(algo
->alg_name
));
1408 algo
->alg_name
[sizeof(algo
->alg_name
) - 1] = '\0';
1409 memcpy(algo
->alg_key
, int_key
.ptr
, int_key
.len
);
1413 if (ipcomp
!= IPCOMP_NONE
)
1415 struct xfrm_algo
* algo
;
1417 alg_name
= lookup_algorithm(COMPRESSION_ALGORITHM
, ipcomp
);
1418 if (alg_name
== NULL
)
1420 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1421 ipcomp_transform_names
, ipcomp
);
1424 DBG2(DBG_KNL
, " using compression algorithm %N",
1425 ipcomp_transform_names
, ipcomp
);
1427 algo
= netlink_reserve(hdr
, sizeof(request
), XFRMA_ALG_COMP
,
1433 algo
->alg_key_len
= 0;
1434 strncpy(algo
->alg_name
, alg_name
, sizeof(algo
->alg_name
));
1435 algo
->alg_name
[sizeof(algo
->alg_name
) - 1] = '\0';
1440 struct xfrm_encap_tmpl
*tmpl
;
1442 tmpl
= netlink_reserve(hdr
, sizeof(request
), XFRMA_ENCAP
, sizeof(*tmpl
));
1447 tmpl
->encap_type
= UDP_ENCAP_ESPINUDP
;
1448 tmpl
->encap_sport
= htons(src
->get_port(src
));
1449 tmpl
->encap_dport
= htons(dst
->get_port(dst
));
1450 memset(&tmpl
->encap_oa
, 0, sizeof (xfrm_address_t
));
1451 /* encap_oa could probably be derived from the
1452 * traffic selectors [rfc4306, p39]. In the netlink kernel
1453 * implementation pluto does the same as we do here but it uses
1454 * encap_oa in the pfkey implementation.
1455 * BUT as /usr/src/linux/net/key/af_key.c indicates the kernel ignores
1457 * -> does that mean that NAT-T encap doesn't work in transport mode?
1458 * No. The reason the kernel ignores NAT-OA is that it recomputes
1459 * (or, rather, just ignores) the checksum. If packets pass the IPsec
1460 * checks it marks them "checksum ok" so OA isn't needed. */
1463 if (!add_mark(hdr
, sizeof(request
), mark
))
1468 if (tfc
&& protocol
== IPPROTO_ESP
&& mode
== MODE_TUNNEL
)
1469 { /* the kernel supports TFC padding only for tunnel mode ESP SAs */
1472 tfcpad
= netlink_reserve(hdr
, sizeof(request
), XFRMA_TFCPAD
,
1481 if (protocol
!= IPPROTO_COMP
)
1483 if (esn
|| this->replay_window
> DEFAULT_REPLAY_WINDOW
)
1485 /* for ESN or larger replay windows we need the new
1486 * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
1487 struct xfrm_replay_state_esn
*replay
;
1489 replay
= netlink_reserve(hdr
, sizeof(request
), XFRMA_REPLAY_ESN_VAL
,
1490 sizeof(*replay
) + esn_bmp_len(this));
1495 /* bmp_len contains number uf __u32's */
1496 replay
->bmp_len
= this->replay_bmp
;
1497 replay
->replay_window
= this->replay_window
;
1498 DBG2(DBG_KNL
, " using replay window of %u packets",
1499 this->replay_window
);
1503 DBG2(DBG_KNL
, " using extended sequence numbers (ESN)");
1504 sa
->flags
|= XFRM_STATE_ESN
;
1509 DBG2(DBG_KNL
, " using replay window of %u packets",
1510 this->replay_window
);
1511 sa
->replay_window
= this->replay_window
;
1515 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1519 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x "
1520 "(mark %u/0x%08x)", ntohl(spi
), mark
.value
, mark
.mask
);
1524 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x", ntohl(spi
));
1532 memwipe(request
, sizeof(request
));
1537 * Get the ESN replay state (i.e. sequence numbers) of an SA.
1539 * Allocates into one the replay state structure we get from the kernel.
1541 static void get_replay_state(private_kernel_netlink_ipsec_t
*this,
1542 u_int32_t spi
, u_int8_t protocol
,
1543 host_t
*dst
, mark_t mark
,
1544 struct xfrm_replay_state_esn
**replay_esn
,
1545 struct xfrm_replay_state
**replay
)
1547 netlink_buf_t request
;
1548 struct nlmsghdr
*hdr
, *out
= NULL
;
1549 struct xfrm_aevent_id
*out_aevent
= NULL
, *aevent_id
;
1554 memset(&request
, 0, sizeof(request
));
1556 DBG2(DBG_KNL
, "querying replay state from SAD entry with SPI %.8x",
1559 hdr
= (struct nlmsghdr
*)request
;
1560 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1561 hdr
->nlmsg_type
= XFRM_MSG_GETAE
;
1562 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_aevent_id
));
1564 aevent_id
= (struct xfrm_aevent_id
*)NLMSG_DATA(hdr
);
1565 aevent_id
->flags
= XFRM_AE_RVAL
;
1567 host2xfrm(dst
, &aevent_id
->sa_id
.daddr
);
1568 aevent_id
->sa_id
.spi
= spi
;
1569 aevent_id
->sa_id
.proto
= protocol
;
1570 aevent_id
->sa_id
.family
= dst
->get_family(dst
);
1572 if (!add_mark(hdr
, sizeof(request
), mark
))
1577 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1580 while (NLMSG_OK(hdr
, len
))
1582 switch (hdr
->nlmsg_type
)
1584 case XFRM_MSG_NEWAE
:
1586 out_aevent
= NLMSG_DATA(hdr
);
1591 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1592 DBG1(DBG_KNL
, "querying replay state from SAD entry "
1593 "failed: %s (%d)", strerror(-err
->error
),
1598 hdr
= NLMSG_NEXT(hdr
, len
);
1609 rta
= XFRM_RTA(out
, struct xfrm_aevent_id
);
1610 rtasize
= XFRM_PAYLOAD(out
, struct xfrm_aevent_id
);
1611 while (RTA_OK(rta
, rtasize
))
1613 if (rta
->rta_type
== XFRMA_REPLAY_VAL
&&
1614 RTA_PAYLOAD(rta
) == sizeof(**replay
))
1616 *replay
= malloc(RTA_PAYLOAD(rta
));
1617 memcpy(*replay
, RTA_DATA(rta
), RTA_PAYLOAD(rta
));
1620 if (rta
->rta_type
== XFRMA_REPLAY_ESN_VAL
&&
1621 RTA_PAYLOAD(rta
) >= sizeof(**replay_esn
) + esn_bmp_len(this))
1623 *replay_esn
= malloc(RTA_PAYLOAD(rta
));
1624 memcpy(*replay_esn
, RTA_DATA(rta
), RTA_PAYLOAD(rta
));
1627 rta
= RTA_NEXT(rta
, rtasize
);
1633 METHOD(kernel_ipsec_t
, query_sa
, status_t
,
1634 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1635 u_int32_t spi
, u_int8_t protocol
, mark_t mark
,
1636 u_int64_t
*bytes
, u_int64_t
*packets
, time_t *time
)
1638 netlink_buf_t request
;
1639 struct nlmsghdr
*out
= NULL
, *hdr
;
1640 struct xfrm_usersa_id
*sa_id
;
1641 struct xfrm_usersa_info
*sa
= NULL
;
1642 status_t status
= FAILED
;
1645 memset(&request
, 0, sizeof(request
));
1647 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x (mark %u/0x%08x)",
1648 ntohl(spi
), mark
.value
, mark
.mask
);
1650 hdr
= (struct nlmsghdr
*)request
;
1651 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1652 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1653 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1655 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1656 host2xfrm(dst
, &sa_id
->daddr
);
1658 sa_id
->proto
= protocol
;
1659 sa_id
->family
= dst
->get_family(dst
);
1661 if (!add_mark(hdr
, sizeof(request
), mark
))
1666 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1669 while (NLMSG_OK(hdr
, len
))
1671 switch (hdr
->nlmsg_type
)
1673 case XFRM_MSG_NEWSA
:
1675 sa
= (struct xfrm_usersa_info
*)NLMSG_DATA(hdr
);
1680 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1684 DBG1(DBG_KNL
, "querying SAD entry with SPI %.8x "
1685 "(mark %u/0x%08x) failed: %s (%d)",
1686 ntohl(spi
), mark
.value
, mark
.mask
,
1687 strerror(-err
->error
), -err
->error
);
1691 DBG1(DBG_KNL
, "querying SAD entry with SPI %.8x "
1692 "failed: %s (%d)", ntohl(spi
),
1693 strerror(-err
->error
), -err
->error
);
1698 hdr
= NLMSG_NEXT(hdr
, len
);
1709 DBG2(DBG_KNL
, "unable to query SAD entry with SPI %.8x", ntohl(spi
));
1715 *bytes
= sa
->curlft
.bytes
;
1719 *packets
= sa
->curlft
.packets
;
1722 { /* curlft contains an "use" time, but that contains a timestamp
1723 * of the first use, not the last. Last use time must be queried
1724 * on the policy on Linux */
1734 METHOD(kernel_ipsec_t
, del_sa
, status_t
,
1735 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1736 u_int32_t spi
, u_int8_t protocol
, u_int16_t cpi
, mark_t mark
)
1738 netlink_buf_t request
;
1739 struct nlmsghdr
*hdr
;
1740 struct xfrm_usersa_id
*sa_id
;
1742 /* if IPComp was used, we first delete the additional IPComp SA */
1745 del_sa(this, src
, dst
, htonl(ntohs(cpi
)), IPPROTO_COMP
, 0, mark
);
1748 memset(&request
, 0, sizeof(request
));
1750 DBG2(DBG_KNL
, "deleting SAD entry with SPI %.8x (mark %u/0x%08x)",
1751 ntohl(spi
), mark
.value
, mark
.mask
);
1753 hdr
= (struct nlmsghdr
*)request
;
1754 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1755 hdr
->nlmsg_type
= XFRM_MSG_DELSA
;
1756 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1758 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1759 host2xfrm(dst
, &sa_id
->daddr
);
1761 sa_id
->proto
= protocol
;
1762 sa_id
->family
= dst
->get_family(dst
);
1764 if (!add_mark(hdr
, sizeof(request
), mark
))
1769 switch (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
))
1772 DBG2(DBG_KNL
, "deleted SAD entry with SPI %.8x (mark %u/0x%08x)",
1773 ntohl(spi
), mark
.value
, mark
.mask
);
1780 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x "
1781 "(mark %u/0x%08x)", ntohl(spi
), mark
.value
, mark
.mask
);
1785 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x",
1792 METHOD(kernel_ipsec_t
, update_sa
, status_t
,
1793 private_kernel_netlink_ipsec_t
*this, u_int32_t spi
, u_int8_t protocol
,
1794 u_int16_t cpi
, host_t
*src
, host_t
*dst
, host_t
*new_src
, host_t
*new_dst
,
1795 bool old_encap
, bool new_encap
, mark_t mark
)
1797 netlink_buf_t request
;
1798 struct nlmsghdr
*hdr
, *out
= NULL
;
1799 struct xfrm_usersa_id
*sa_id
;
1800 struct xfrm_usersa_info
*out_sa
= NULL
, *sa
;
1804 struct xfrm_encap_tmpl
* tmpl
= NULL
;
1805 struct xfrm_replay_state
*replay
= NULL
;
1806 struct xfrm_replay_state_esn
*replay_esn
= NULL
;
1807 status_t status
= FAILED
;
1809 /* if IPComp is used, we first update the IPComp SA */
1812 update_sa(this, htonl(ntohs(cpi
)), IPPROTO_COMP
, 0,
1813 src
, dst
, new_src
, new_dst
, FALSE
, FALSE
, mark
);
1816 memset(&request
, 0, sizeof(request
));
1818 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x for update", ntohl(spi
));
1820 /* query the existing SA first */
1821 hdr
= (struct nlmsghdr
*)request
;
1822 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1823 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1824 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1826 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1827 host2xfrm(dst
, &sa_id
->daddr
);
1829 sa_id
->proto
= protocol
;
1830 sa_id
->family
= dst
->get_family(dst
);
1832 if (!add_mark(hdr
, sizeof(request
), mark
))
1837 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1840 while (NLMSG_OK(hdr
, len
))
1842 switch (hdr
->nlmsg_type
)
1844 case XFRM_MSG_NEWSA
:
1846 out_sa
= NLMSG_DATA(hdr
);
1851 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1852 DBG1(DBG_KNL
, "querying SAD entry failed: %s (%d)",
1853 strerror(-err
->error
), -err
->error
);
1857 hdr
= NLMSG_NEXT(hdr
, len
);
1867 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x", ntohl(spi
));
1871 get_replay_state(this, spi
, protocol
, dst
, mark
, &replay_esn
, &replay
);
1873 /* delete the old SA (without affecting the IPComp SA) */
1874 if (del_sa(this, src
, dst
, spi
, protocol
, 0, mark
) != SUCCESS
)
1876 DBG1(DBG_KNL
, "unable to delete old SAD entry with SPI %.8x",
1881 DBG2(DBG_KNL
, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1882 ntohl(spi
), src
, dst
, new_src
, new_dst
);
1883 /* copy over the SA from out to request */
1884 hdr
= (struct nlmsghdr
*)request
;
1885 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1886 hdr
->nlmsg_type
= XFRM_MSG_NEWSA
;
1887 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1888 sa
= NLMSG_DATA(hdr
);
1889 memcpy(sa
, NLMSG_DATA(out
), sizeof(struct xfrm_usersa_info
));
1890 sa
->family
= new_dst
->get_family(new_dst
);
1892 if (!src
->ip_equals(src
, new_src
))
1894 host2xfrm(new_src
, &sa
->saddr
);
1896 if (!dst
->ip_equals(dst
, new_dst
))
1898 host2xfrm(new_dst
, &sa
->id
.daddr
);
1901 rta
= XFRM_RTA(out
, struct xfrm_usersa_info
);
1902 rtasize
= XFRM_PAYLOAD(out
, struct xfrm_usersa_info
);
1903 while (RTA_OK(rta
, rtasize
))
1905 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1906 if (rta
->rta_type
!= XFRMA_ENCAP
|| new_encap
)
1908 if (rta
->rta_type
== XFRMA_ENCAP
)
1909 { /* update encap tmpl */
1910 tmpl
= RTA_DATA(rta
);
1911 tmpl
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1912 tmpl
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1914 netlink_add_attribute(hdr
, rta
->rta_type
,
1915 chunk_create(RTA_DATA(rta
), RTA_PAYLOAD(rta
)),
1918 rta
= RTA_NEXT(rta
, rtasize
);
1921 if (tmpl
== NULL
&& new_encap
)
1922 { /* add tmpl if we are enabling it */
1923 tmpl
= netlink_reserve(hdr
, sizeof(request
), XFRMA_ENCAP
, sizeof(*tmpl
));
1928 tmpl
->encap_type
= UDP_ENCAP_ESPINUDP
;
1929 tmpl
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1930 tmpl
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1931 memset(&tmpl
->encap_oa
, 0, sizeof (xfrm_address_t
));
1936 struct xfrm_replay_state_esn
*state
;
1938 state
= netlink_reserve(hdr
, sizeof(request
), XFRMA_REPLAY_ESN_VAL
,
1939 sizeof(*state
) + esn_bmp_len(this));
1944 memcpy(state
, replay_esn
, sizeof(*state
) + esn_bmp_len(this));
1948 struct xfrm_replay_state
*state
;
1950 state
= netlink_reserve(hdr
, sizeof(request
), XFRMA_REPLAY_VAL
,
1956 memcpy(state
, replay
, sizeof(*state
));
1960 DBG1(DBG_KNL
, "unable to copy replay state from old SAD entry "
1961 "with SPI %.8x", ntohl(spi
));
1964 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1966 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x", ntohl(spi
));
1975 memwipe(request
, sizeof(request
));
1981 METHOD(kernel_ipsec_t
, flush_sas
, status_t
,
1982 private_kernel_netlink_ipsec_t
*this)
1984 netlink_buf_t request
;
1985 struct nlmsghdr
*hdr
;
1986 struct xfrm_usersa_flush
*flush
;
1988 memset(&request
, 0, sizeof(request
));
1990 DBG2(DBG_KNL
, "flushing all SAD entries");
1992 hdr
= (struct nlmsghdr
*)request
;
1993 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1994 hdr
->nlmsg_type
= XFRM_MSG_FLUSHSA
;
1995 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush
));
1997 flush
= (struct xfrm_usersa_flush
*)NLMSG_DATA(hdr
);
1998 flush
->proto
= IPSEC_PROTO_ANY
;
2000 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
2002 DBG1(DBG_KNL
, "unable to flush SAD entries");
2009 * Add or update a policy in the kernel.
2011 * Note: The mutex has to be locked when entering this function
2012 * and is unlocked here in any case.
2014 static status_t
add_policy_internal(private_kernel_netlink_ipsec_t
*this,
2015 policy_entry_t
*policy
, policy_sa_t
*mapping
, bool update
)
2017 netlink_buf_t request
;
2018 policy_entry_t clone
;
2019 ipsec_sa_t
*ipsec
= mapping
->sa
;
2020 struct xfrm_userpolicy_info
*policy_info
;
2021 struct nlmsghdr
*hdr
;
2024 /* clone the policy so we are able to check it out again later */
2025 memcpy(&clone
, policy
, sizeof(policy_entry_t
));
2027 memset(&request
, 0, sizeof(request
));
2028 hdr
= (struct nlmsghdr
*)request
;
2029 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
2030 hdr
->nlmsg_type
= update
? XFRM_MSG_UPDPOLICY
: XFRM_MSG_NEWPOLICY
;
2031 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info
));
2033 policy_info
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
2034 policy_info
->sel
= policy
->sel
;
2035 policy_info
->dir
= policy
->direction
;
2037 /* calculate priority based on selector size, small size = high prio */
2038 policy_info
->priority
= mapping
->priority
;
2039 policy_info
->action
= mapping
->type
!= POLICY_DROP
? XFRM_POLICY_ALLOW
2040 : XFRM_POLICY_BLOCK
;
2041 policy_info
->share
= XFRM_SHARE_ANY
;
2043 /* policies don't expire */
2044 policy_info
->lft
.soft_byte_limit
= XFRM_INF
;
2045 policy_info
->lft
.soft_packet_limit
= XFRM_INF
;
2046 policy_info
->lft
.hard_byte_limit
= XFRM_INF
;
2047 policy_info
->lft
.hard_packet_limit
= XFRM_INF
;
2048 policy_info
->lft
.soft_add_expires_seconds
= 0;
2049 policy_info
->lft
.hard_add_expires_seconds
= 0;
2050 policy_info
->lft
.soft_use_expires_seconds
= 0;
2051 policy_info
->lft
.hard_use_expires_seconds
= 0;
2053 if (mapping
->type
== POLICY_IPSEC
)
2055 struct xfrm_user_tmpl
*tmpl
;
2060 { IPPROTO_COMP
, ipsec
->cfg
.ipcomp
.transform
!= IPCOMP_NONE
},
2061 { IPPROTO_ESP
, ipsec
->cfg
.esp
.use
},
2062 { IPPROTO_AH
, ipsec
->cfg
.ah
.use
},
2064 ipsec_mode_t proto_mode
= ipsec
->cfg
.mode
;
2067 for (i
= 0; i
< countof(protos
); i
++)
2074 tmpl
= netlink_reserve(hdr
, sizeof(request
), XFRMA_TMPL
,
2075 count
* sizeof(*tmpl
));
2078 this->mutex
->unlock(this->mutex
);
2082 for (i
= 0; i
< countof(protos
); i
++)
2088 tmpl
->reqid
= policy
->reqid
;
2089 tmpl
->id
.proto
= protos
[i
].proto
;
2090 tmpl
->aalgos
= tmpl
->ealgos
= tmpl
->calgos
= ~0;
2091 tmpl
->mode
= mode2kernel(proto_mode
);
2092 tmpl
->optional
= protos
[i
].proto
== IPPROTO_COMP
&&
2093 policy
->direction
!= POLICY_OUT
;
2094 tmpl
->family
= ipsec
->src
->get_family(ipsec
->src
);
2096 if (proto_mode
== MODE_TUNNEL
|| proto_mode
== MODE_BEET
)
2097 { /* only for tunnel mode */
2098 host2xfrm(ipsec
->src
, &tmpl
->saddr
);
2099 host2xfrm(ipsec
->dst
, &tmpl
->id
.daddr
);
2104 /* use transport mode for other SAs */
2105 proto_mode
= MODE_TRANSPORT
;
2109 if (!add_mark(hdr
, sizeof(request
), ipsec
->mark
))
2111 this->mutex
->unlock(this->mutex
);
2114 this->mutex
->unlock(this->mutex
);
2116 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
2121 /* find the policy again */
2122 this->mutex
->lock(this->mutex
);
2123 policy
= this->policies
->get(this->policies
, &clone
);
2125 policy
->used_by
->find_first(policy
->used_by
,
2126 NULL
, (void**)&mapping
) != SUCCESS
)
2127 { /* policy or mapping is already gone, ignore */
2128 this->mutex
->unlock(this->mutex
);
2132 /* install a route, if:
2133 * - this is a forward policy (to just get one for each child)
2134 * - we are in tunnel/BEET mode or install a bypass policy
2135 * - routing is not disabled via strongswan.conf
2137 if (policy
->direction
== POLICY_FWD
&& this->install_routes
&&
2138 (mapping
->type
!= POLICY_IPSEC
|| ipsec
->cfg
.mode
!= MODE_TRANSPORT
))
2140 policy_sa_fwd_t
*fwd
= (policy_sa_fwd_t
*)mapping
;
2141 route_entry_t
*route
;
2145 .prefixlen
= policy
->sel
.prefixlen_s
,
2148 if (hydra
->kernel_interface
->get_address_by_ts(hydra
->kernel_interface
,
2149 fwd
->dst_ts
, &route
->src_ip
, NULL
) == SUCCESS
)
2151 /* get the nexthop to src (src as we are in POLICY_FWD) */
2152 route
->gateway
= hydra
->kernel_interface
->get_nexthop(
2153 hydra
->kernel_interface
, ipsec
->src
,
2155 route
->dst_net
= chunk_alloc(policy
->sel
.family
== AF_INET
? 4 : 16);
2156 memcpy(route
->dst_net
.ptr
, &policy
->sel
.saddr
, route
->dst_net
.len
);
2158 /* get the interface to install the route for. If we have a local
2159 * address, use it. Otherwise (for shunt policies) use the
2160 * routes source address. */
2162 if (iface
->is_anyaddr(iface
))
2164 iface
= route
->src_ip
;
2166 /* install route via outgoing interface */
2167 if (!hydra
->kernel_interface
->get_interface(hydra
->kernel_interface
,
2168 iface
, &route
->if_name
))
2170 this->mutex
->unlock(this->mutex
);
2171 route_entry_destroy(route
);
2177 route_entry_t
*old
= policy
->route
;
2178 if (route_entry_equals(old
, route
))
2180 this->mutex
->unlock(this->mutex
);
2181 route_entry_destroy(route
);
2184 /* uninstall previously installed route */
2185 if (hydra
->kernel_interface
->del_route(hydra
->kernel_interface
,
2186 old
->dst_net
, old
->prefixlen
, old
->gateway
,
2187 old
->src_ip
, old
->if_name
) != SUCCESS
)
2189 DBG1(DBG_KNL
, "error uninstalling route installed with "
2190 "policy %R === %R %N", fwd
->src_ts
,
2191 fwd
->dst_ts
, policy_dir_names
,
2194 route_entry_destroy(old
);
2195 policy
->route
= NULL
;
2198 DBG2(DBG_KNL
, "installing route: %R via %H src %H dev %s",
2199 fwd
->src_ts
, route
->gateway
, route
->src_ip
, route
->if_name
);
2200 switch (hydra
->kernel_interface
->add_route(
2201 hydra
->kernel_interface
, route
->dst_net
,
2202 route
->prefixlen
, route
->gateway
,
2203 route
->src_ip
, route
->if_name
))
2206 DBG1(DBG_KNL
, "unable to install source route for %H",
2210 /* route exists, do not uninstall */
2211 route_entry_destroy(route
);
2214 /* cache the installed route */
2215 policy
->route
= route
;
2224 this->mutex
->unlock(this->mutex
);
2228 METHOD(kernel_ipsec_t
, add_policy
, status_t
,
2229 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
2230 traffic_selector_t
*src_ts
, traffic_selector_t
*dst_ts
,
2231 policy_dir_t direction
, policy_type_t type
, ipsec_sa_cfg_t
*sa
,
2232 mark_t mark
, policy_priority_t priority
)
2234 policy_entry_t
*policy
, *current
;
2235 policy_sa_t
*assigned_sa
, *current_sa
;
2236 enumerator_t
*enumerator
;
2237 bool found
= FALSE
, update
= TRUE
;
2239 /* create a policy */
2241 .sel
= ts2selector(src_ts
, dst_ts
),
2242 .mark
= mark
.value
& mark
.mask
,
2243 .direction
= direction
,
2247 /* find the policy, which matches EXACTLY */
2248 this->mutex
->lock(this->mutex
);
2249 current
= this->policies
->get(this->policies
, policy
);
2252 if (current
->reqid
!= sa
->reqid
)
2254 DBG1(DBG_CFG
, "unable to install policy %R === %R %N (mark "
2255 "%u/0x%08x) for reqid %u, the same policy for reqid %u exists",
2256 src_ts
, dst_ts
, policy_dir_names
, direction
,
2257 mark
.value
, mark
.mask
, sa
->reqid
, current
->reqid
);
2258 policy_entry_destroy(this, policy
);
2259 this->mutex
->unlock(this->mutex
);
2260 return INVALID_STATE
;
2262 /* use existing policy */
2263 DBG2(DBG_KNL
, "policy %R === %R %N (mark %u/0x%08x) "
2264 "already exists, increasing refcount",
2265 src_ts
, dst_ts
, policy_dir_names
, direction
,
2266 mark
.value
, mark
.mask
);
2267 policy_entry_destroy(this, policy
);
2272 { /* use the new one, if we have no such policy */
2273 policy
->used_by
= linked_list_create();
2274 this->policies
->put(this->policies
, policy
, policy
);
2277 /* cache the assigned IPsec SA */
2278 assigned_sa
= policy_sa_create(this, direction
, type
, src
, dst
, src_ts
,
2280 assigned_sa
->priority
= get_priority(policy
, priority
);
2282 if (this->policy_history
)
2283 { /* insert the SA according to its priority */
2284 enumerator
= policy
->used_by
->create_enumerator(policy
->used_by
);
2285 while (enumerator
->enumerate(enumerator
, (void**)¤t_sa
))
2287 if (current_sa
->priority
>= assigned_sa
->priority
)
2293 policy
->used_by
->insert_before(policy
->used_by
, enumerator
,
2295 enumerator
->destroy(enumerator
);
2298 { /* simply insert it last and only update if it is not installed yet */
2299 policy
->used_by
->insert_last(policy
->used_by
, assigned_sa
);
2304 { /* we don't update the policy if the priority is lower than that of
2305 * the currently installed one */
2306 this->mutex
->unlock(this->mutex
);
2310 DBG2(DBG_KNL
, "%s policy %R === %R %N (mark %u/0x%08x)",
2311 found
? "updating" : "adding", src_ts
, dst_ts
,
2312 policy_dir_names
, direction
, mark
.value
, mark
.mask
);
2314 if (add_policy_internal(this, policy
, assigned_sa
, found
) != SUCCESS
)
2316 DBG1(DBG_KNL
, "unable to %s policy %R === %R %N",
2317 found
? "update" : "add", src_ts
, dst_ts
,
2318 policy_dir_names
, direction
);
2324 METHOD(kernel_ipsec_t
, query_policy
, status_t
,
2325 private_kernel_netlink_ipsec_t
*this, traffic_selector_t
*src_ts
,
2326 traffic_selector_t
*dst_ts
, policy_dir_t direction
, mark_t mark
,
2329 netlink_buf_t request
;
2330 struct nlmsghdr
*out
= NULL
, *hdr
;
2331 struct xfrm_userpolicy_id
*policy_id
;
2332 struct xfrm_userpolicy_info
*policy
= NULL
;
2335 memset(&request
, 0, sizeof(request
));
2337 DBG2(DBG_KNL
, "querying policy %R === %R %N (mark %u/0x%08x)",
2338 src_ts
, dst_ts
, policy_dir_names
, direction
,
2339 mark
.value
, mark
.mask
);
2341 hdr
= (struct nlmsghdr
*)request
;
2342 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
2343 hdr
->nlmsg_type
= XFRM_MSG_GETPOLICY
;
2344 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
2346 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
2347 policy_id
->sel
= ts2selector(src_ts
, dst_ts
);
2348 policy_id
->dir
= direction
;
2350 if (!add_mark(hdr
, sizeof(request
), mark
))
2355 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
2358 while (NLMSG_OK(hdr
, len
))
2360 switch (hdr
->nlmsg_type
)
2362 case XFRM_MSG_NEWPOLICY
:
2364 policy
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
2369 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
2370 DBG1(DBG_KNL
, "querying policy failed: %s (%d)",
2371 strerror(-err
->error
), -err
->error
);
2375 hdr
= NLMSG_NEXT(hdr
, len
);
2386 DBG2(DBG_KNL
, "unable to query policy %R === %R %N", src_ts
, dst_ts
,
2387 policy_dir_names
, direction
);
2392 if (policy
->curlft
.use_time
)
2394 /* we need the monotonic time, but the kernel returns system time. */
2395 *use_time
= time_monotonic(NULL
) - (time(NULL
) - policy
->curlft
.use_time
);
2406 METHOD(kernel_ipsec_t
, del_policy
, status_t
,
2407 private_kernel_netlink_ipsec_t
*this, traffic_selector_t
*src_ts
,
2408 traffic_selector_t
*dst_ts
, policy_dir_t direction
, u_int32_t reqid
,
2409 mark_t mark
, policy_priority_t prio
)
2411 policy_entry_t
*current
, policy
;
2412 enumerator_t
*enumerator
;
2413 policy_sa_t
*mapping
;
2414 netlink_buf_t request
;
2415 struct nlmsghdr
*hdr
;
2416 struct xfrm_userpolicy_id
*policy_id
;
2417 bool is_installed
= TRUE
;
2420 DBG2(DBG_KNL
, "deleting policy %R === %R %N (mark %u/0x%08x)",
2421 src_ts
, dst_ts
, policy_dir_names
, direction
,
2422 mark
.value
, mark
.mask
);
2424 /* create a policy */
2425 memset(&policy
, 0, sizeof(policy_entry_t
));
2426 policy
.sel
= ts2selector(src_ts
, dst_ts
);
2427 policy
.mark
= mark
.value
& mark
.mask
;
2428 policy
.direction
= direction
;
2430 /* find the policy */
2431 this->mutex
->lock(this->mutex
);
2432 current
= this->policies
->get(this->policies
, &policy
);
2433 if (!current
|| current
->reqid
!= reqid
)
2437 DBG1(DBG_KNL
, "deleting policy %R === %R %N (mark %u/0x%08x) "
2438 "failed, not found", src_ts
, dst_ts
, policy_dir_names
,
2439 direction
, mark
.value
, mark
.mask
);
2443 DBG1(DBG_KNL
, "deleting policy %R === %R %N failed, not found",
2444 src_ts
, dst_ts
, policy_dir_names
, direction
);
2446 this->mutex
->unlock(this->mutex
);
2450 if (this->policy_history
)
2451 { /* remove mapping to SA by reqid and priority */
2452 priority
= get_priority(current
, prio
);
2453 enumerator
= current
->used_by
->create_enumerator(current
->used_by
);
2454 while (enumerator
->enumerate(enumerator
, (void**)&mapping
))
2456 if (priority
== mapping
->priority
)
2458 current
->used_by
->remove_at(current
->used_by
, enumerator
);
2459 policy_sa_destroy(mapping
, &direction
, this);
2462 is_installed
= FALSE
;
2464 enumerator
->destroy(enumerator
);
2467 { /* remove one of the SAs but don't update the policy */
2468 current
->used_by
->remove_last(current
->used_by
, (void**)&mapping
);
2469 policy_sa_destroy(mapping
, &direction
, this);
2470 is_installed
= FALSE
;
2473 if (current
->used_by
->get_count(current
->used_by
) > 0)
2474 { /* policy is used by more SAs, keep in kernel */
2475 DBG2(DBG_KNL
, "policy still used by another CHILD_SA, not removed");
2477 { /* no need to update as the policy was not installed for this SA */
2478 this->mutex
->unlock(this->mutex
);
2482 DBG2(DBG_KNL
, "updating policy %R === %R %N (mark %u/0x%08x)",
2483 src_ts
, dst_ts
, policy_dir_names
, direction
,
2484 mark
.value
, mark
.mask
);
2486 current
->used_by
->get_first(current
->used_by
, (void**)&mapping
);
2487 if (add_policy_internal(this, current
, mapping
, TRUE
) != SUCCESS
)
2489 DBG1(DBG_KNL
, "unable to update policy %R === %R %N",
2490 src_ts
, dst_ts
, policy_dir_names
, direction
);
2496 memset(&request
, 0, sizeof(request
));
2498 hdr
= (struct nlmsghdr
*)request
;
2499 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
2500 hdr
->nlmsg_type
= XFRM_MSG_DELPOLICY
;
2501 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
2503 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
2504 policy_id
->sel
= current
->sel
;
2505 policy_id
->dir
= direction
;
2507 if (!add_mark(hdr
, sizeof(request
), mark
))
2514 route_entry_t
*route
= current
->route
;
2515 if (hydra
->kernel_interface
->del_route(hydra
->kernel_interface
,
2516 route
->dst_net
, route
->prefixlen
, route
->gateway
,
2517 route
->src_ip
, route
->if_name
) != SUCCESS
)
2519 DBG1(DBG_KNL
, "error uninstalling route installed with "
2520 "policy %R === %R %N", src_ts
, dst_ts
,
2521 policy_dir_names
, direction
);
2525 this->policies
->remove(this->policies
, current
);
2526 policy_entry_destroy(this, current
);
2527 this->mutex
->unlock(this->mutex
);
2529 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
2533 DBG1(DBG_KNL
, "unable to delete policy %R === %R %N "
2534 "(mark %u/0x%08x)", src_ts
, dst_ts
, policy_dir_names
,
2535 direction
, mark
.value
, mark
.mask
);
2539 DBG1(DBG_KNL
, "unable to delete policy %R === %R %N",
2540 src_ts
, dst_ts
, policy_dir_names
, direction
);
2547 METHOD(kernel_ipsec_t
, flush_policies
, status_t
,
2548 private_kernel_netlink_ipsec_t
*this)
2550 netlink_buf_t request
;
2551 struct nlmsghdr
*hdr
;
2553 memset(&request
, 0, sizeof(request
));
2555 DBG2(DBG_KNL
, "flushing all policies from SPD");
2557 hdr
= (struct nlmsghdr
*)request
;
2558 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
2559 hdr
->nlmsg_type
= XFRM_MSG_FLUSHPOLICY
;
2560 hdr
->nlmsg_len
= NLMSG_LENGTH(0); /* no data associated */
2562 /* by adding an rtattr of type XFRMA_POLICY_TYPE we could restrict this
2563 * to main or sub policies (default is main) */
2565 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
2567 DBG1(DBG_KNL
, "unable to flush SPD entries");
2574 METHOD(kernel_ipsec_t
, bypass_socket
, bool,
2575 private_kernel_netlink_ipsec_t
*this, int fd
, int family
)
2577 struct xfrm_userpolicy_info policy
;
2578 u_int sol
, ipsec_policy
;
2584 ipsec_policy
= IP_XFRM_POLICY
;
2588 ipsec_policy
= IPV6_XFRM_POLICY
;
2594 memset(&policy
, 0, sizeof(policy
));
2595 policy
.action
= XFRM_POLICY_ALLOW
;
2596 policy
.sel
.family
= family
;
2598 policy
.dir
= XFRM_POLICY_OUT
;
2599 if (setsockopt(fd
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
2601 DBG1(DBG_KNL
, "unable to set IPSEC_POLICY on socket: %s",
2605 policy
.dir
= XFRM_POLICY_IN
;
2606 if (setsockopt(fd
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
2608 DBG1(DBG_KNL
, "unable to set IPSEC_POLICY on socket: %s",
2615 METHOD(kernel_ipsec_t
, enable_udp_decap
, bool,
2616 private_kernel_netlink_ipsec_t
*this, int fd
, int family
, u_int16_t port
)
2618 int type
= UDP_ENCAP_ESPINUDP
;
2620 if (setsockopt(fd
, SOL_UDP
, UDP_ENCAP
, &type
, sizeof(type
)) < 0)
2622 DBG1(DBG_KNL
, "unable to set UDP_ENCAP: %s", strerror(errno
));
2628 METHOD(kernel_ipsec_t
, destroy
, void,
2629 private_kernel_netlink_ipsec_t
*this)
2631 enumerator_t
*enumerator
;
2632 policy_entry_t
*policy
;
2634 if (this->socket_xfrm_events
> 0)
2636 lib
->watcher
->remove(lib
->watcher
, this->socket_xfrm_events
);
2637 close(this->socket_xfrm_events
);
2639 DESTROY_IF(this->socket_xfrm
);
2640 enumerator
= this->policies
->create_enumerator(this->policies
);
2641 while (enumerator
->enumerate(enumerator
, &policy
, &policy
))
2643 policy_entry_destroy(this, policy
);
2645 enumerator
->destroy(enumerator
);
2646 this->policies
->destroy(this->policies
);
2647 this->sas
->destroy(this->sas
);
2648 this->mutex
->destroy(this->mutex
);
2653 * Described in header.
2655 kernel_netlink_ipsec_t
*kernel_netlink_ipsec_create()
2657 private_kernel_netlink_ipsec_t
*this;
2658 bool register_for_events
= TRUE
;
2664 .get_features
= _get_features
,
2665 .get_spi
= _get_spi
,
2666 .get_cpi
= _get_cpi
,
2668 .update_sa
= _update_sa
,
2669 .query_sa
= _query_sa
,
2671 .flush_sas
= _flush_sas
,
2672 .add_policy
= _add_policy
,
2673 .query_policy
= _query_policy
,
2674 .del_policy
= _del_policy
,
2675 .flush_policies
= _flush_policies
,
2676 .bypass_socket
= _bypass_socket
,
2677 .enable_udp_decap
= _enable_udp_decap
,
2678 .destroy
= _destroy
,
2681 .policies
= hashtable_create((hashtable_hash_t
)policy_hash
,
2682 (hashtable_equals_t
)policy_equals
, 32),
2683 .sas
= hashtable_create((hashtable_hash_t
)ipsec_sa_hash
,
2684 (hashtable_equals_t
)ipsec_sa_equals
, 32),
2685 .mutex
= mutex_create(MUTEX_TYPE_DEFAULT
),
2686 .policy_history
= TRUE
,
2687 .install_routes
= lib
->settings
->get_bool(lib
->settings
,
2688 "%s.install_routes", TRUE
, lib
->ns
),
2689 .replay_window
= lib
->settings
->get_int(lib
->settings
,
2690 "%s.replay_window", DEFAULT_REPLAY_WINDOW
, lib
->ns
),
2693 this->replay_bmp
= (this->replay_window
+ sizeof(u_int32_t
) * 8 - 1) /
2694 (sizeof(u_int32_t
) * 8);
2696 if (streq(lib
->ns
, "starter"))
2697 { /* starter has no threads, so we do not register for kernel events */
2698 register_for_events
= FALSE
;
2701 f
= fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
2704 fprintf(f
, "%u", lib
->settings
->get_int(lib
->settings
,
2705 "%s.plugins.kernel-netlink.xfrm_acq_expires",
2706 DEFAULT_ACQUIRE_LIFETIME
, lib
->ns
));
2710 this->socket_xfrm
= netlink_socket_create(NETLINK_XFRM
);
2711 if (!this->socket_xfrm
)
2717 if (register_for_events
)
2719 struct sockaddr_nl addr
;
2721 memset(&addr
, 0, sizeof(addr
));
2722 addr
.nl_family
= AF_NETLINK
;
2724 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
2725 this->socket_xfrm_events
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_XFRM
);
2726 if (this->socket_xfrm_events
<= 0)
2728 DBG1(DBG_KNL
, "unable to create XFRM event socket");
2732 addr
.nl_groups
= XFRMNLGRP(ACQUIRE
) | XFRMNLGRP(EXPIRE
) |
2733 XFRMNLGRP(MIGRATE
) | XFRMNLGRP(MAPPING
);
2734 if (bind(this->socket_xfrm_events
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2736 DBG1(DBG_KNL
, "unable to bind XFRM event socket");
2740 lib
->watcher
->add(lib
->watcher
, this->socket_xfrm_events
, WATCHER_READ
,
2741 (watcher_cb_t
)receive_events
, this);
2744 return &this->public;