Tobias Brunner [Mon, 29 Aug 2016 14:39:18 +0000 (16:39 +0200)]
kernel-netlink: Pass zero mark to kernel if mask is set
The kernel will apply the mask to the mark on the packet and then
compare it to the configured mark. So to match only unmarked packets we
have to be able to set 0/0xffffffff.
kernel-netlink: Support configuring XFRM policy hashing thresholds
If the number of flows over a gateway exceeds the flow cache size of the Linux
kernel, policy lookup gets very expensive. Policies covering more than a single
address don't get hash-indexed by default, which results in wasting most of
the cycles in xfrm_policy_lookup_bytype() and its xfrm_policy_match() use.
Starting with several hundred policies the overhead gets inacceptable.
Starting with Linux 3.18, Linux can hash the first n-bit of a policy subnet
to perform indexed lookup. With correctly chosen netbits, this can completely
eliminate the performance impact of policy lookups, freeing the resources
for ESP crypto.
WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes with a
NULL pointer dereference if a socket policy is installed while hash thresholds
are changed. And because the hashtable rebuild triggered by the threshold
change that causes this is scheduled it might also happen if the socket
policies are seemingly installed after setting the thresholds.
The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket policies when
rebuilding hash tables") - is included since 4.8 (and might get backported).
As a workaround `charon.plugins.kernel-netlink.port_bypass` may be enabled
to replace the socket policies that allow IKE traffic with port specific
bypass policies.
This makes the FWD policies in the out direction optional (disabled by
default). They may be enabled (e.g. if conflicting drop policies are
used) via the policies_fwd_out swanctl.conf option.
Tobias Brunner [Thu, 18 Aug 2016 13:09:08 +0000 (15:09 +0200)]
child-sa: Only install outbound FWD policies if explicitly configured
They are only required if drop policies would otherwise prevent
forwarding traffic. This reduces the number of policies and avoids
conflicts e.g. with SPD hash thresholds.
In case an external thread calls into our code and logs messages, a thread
object is allocated that will never be released. Even if we try to clean
up the object via thread value destructor there is no guarantee that the
thread actually terminates before we check for leaks, which seems to be the
case for the Ada Tasking threads.
leak-detective: Whitelist some glib/libsoup functions
Some of these are pretty broad, so maybe an alternative option is to
not use the soup plugin in the openssl-ikev2/rw-suite-b* scenarios. But
the plugin is not tested anywhere else so lets go with this for now.
When fresh CRLs are released with a high update frequency (e.g.
every 24 hours) or OCSP is used then the certificate cache gets
quickly filled with stale CRLs or OCSP responses. The new VICI
flush-certs command allows to flush e.g. cached CRLs or OCSP
responses only. Without the type argument all kind of certificates
(e.g. also received end entity and intermediate CA certificates)
are purged.
This might be helpful to get the complete picture of the installed
rules. `-c` is currently not used as the counters that are added in
front of every rule make the output quite hard to read and the counters
are already provided in the accompanying `iptables -v -L` output.
Tobias Brunner [Wed, 24 Aug 2016 09:34:36 +0000 (11:34 +0200)]
ikev2: (Re-)Queue tasks used to establish an IKE_SA in reset()
Some tasks might get removed immediately once the IKE_SA_INIT response has
been handled even if there were notifies that require a restart of the
IKE_SA (e.g. COOKIE or INVALID_KE_PAYLOAD). Such a task is ike_vendor,
which caused vendor IDs not to get sent in a retry. This change ensures
all required tasks are queued after the reset, which some callers did
already anyway.
This updates the auth dialog so that passwords are properly retrieved
(e.g. for the nm-applet). It also adds support for external UI mode and
properly handles secret flags.
Lubomir Rintel [Wed, 21 Oct 2015 11:06:42 +0000 (13:06 +0200)]
nm: Bump minor version to 1.4.0
This is probably a good idea to do to signal there's significant changes in
dependencies to the distro package maintainers with libnm port and associated
changes.
Lubomir Rintel [Wed, 21 Oct 2015 09:29:25 +0000 (11:29 +0200)]
nm: Replace libgnomeui with libnma for password dialog
libgnomeui is long deprecated.
There's one functional difference: the choice to save the passwords is gone.
The password flags and saved password should be set in the preferences dialog,
but this commit does not fix that.
Lubomir Rintel [Tue, 29 Mar 2016 18:07:04 +0000 (20:07 +0200)]
nm: Add a widget for setting a password
It was only possible to set the password from the authentication dialog,
which is not ideal; as it requires a connection attempt.
This adds an input entry along with a primary icon from libnma/libnm-gtk
which allows selecting the backend and flags for the password (system, session
agent, always ask or empty).
Lubomir Rintel [Wed, 21 Oct 2015 08:36:54 +0000 (10:36 +0200)]
nm: Build two plugin binaries from the single source
They're both the same now. We'll port the new one to libnm in follow-up commits.
NetworkManager 1.2 (which is currently versioned as 1.1.0) is going to bring
some new ABI while still supporting the old one. There's new VPN service and
UI plugin APIs in libnm.
There's one difficulty though -- the connection editor 1.2 will be linked
against libnm and a new libnma library it will provide (as opposed to
libnm-glib and libnm-gtk), thus will be incapable of loading of property
plugins that are linked with the old libraries (due to glib type system
limitations).
However, we must not break support for other connection editors (GNOME control
center, older versions of nm-connection-editor, etc.) therefore we need
to build two versions of the property plugin. NetworkManager 1.2's libnm will
provide a shim that makes it easy.
Lubomir Rintel [Fri, 23 Oct 2015 09:29:42 +0000 (11:29 +0200)]
nm: Install the .name file into /usr/lib/NetworkManager/VPN
It's the preferred location for system-provided plugins.
A compatible file in /etc is still kept. Also, the compatibility /etc
file needs to use a full path due to a bug in GNOME Shell.
The full path to a arch-dependent file in a supposedly arch-independent
file is a sin and a multilib violation in some distributions. However.
some pre-release versions of NetworkManager-1.2 as shipped by
distributions require a full path. Let's keep a configure-time option
for that.
nm: Don't do <deny send_interface="..." /> in dbus service file
It does more than intended; apart from denying messages to that
particular interface it also denies all messages non-qualified with an
interface globally. This blocks messages completely unrelated to
strongSwan's VPN plugin, such as NetworkManager communication with the
VPN plugins.
From the dbus-daemon manual:
Be careful with send_interface/receive_interface, because the
interface field in messages is optional. In particular, do NOT
specify <deny send_interface="org.foo.Bar"/>! This will cause
no-interface messages to be blocked for all services, which is
almost certainly not what you intended. Always use rules of the form:
We can just safely remove those rules, since we're sufficiently
protected by the send_destination matches and method calls are
disallowed by default anyway.
Tobias Brunner [Tue, 30 Aug 2016 13:30:49 +0000 (15:30 +0200)]
testing: Try to properly abort a test run after CTRL-C
The run is aborted after the current scenario. Depending on which
command was interrupted it might be necessary to press CTRL-C multiple
times (e.g. if a later command depends on the interrupted one).
This should fix HTML files and get us some proper console output after
the run.
testing: Mount and serve testresults from the host
This avoids having to copy testresults, makes results of cancelled runs
browsable (runs may actually be followed live) and preserves old results
when rebuilding guest images (e.g. when using the build-strongswan script).
The number of consecutive test runs without any intermittent rebuild of the
guest images is also not limited by the image size anymore.
projects / thirdparty / strongswan.git / log
