diff --git a/src/charon/control/controller.c b/src/charon/control/controller.c index 81832ec0d5..762fc57dd1 100644 --- a/src/charon/control/controller.c +++ b/src/charon/control/controller.c @@ -170,15 +170,12 @@ static bool listener_child_state(interface_listener_t *this, ike_sa_t *ike_sa, { switch (state) { - case CHILD_ROUTED: case CHILD_INSTALLED: this->status = SUCCESS; return FALSE; case CHILD_DESTROYING: switch (child_sa->get_state(child_sa)) { - case CHILD_ROUTED: - /* has been unrouted */ case CHILD_DELETING: /* proper delete */ this->status = SUCCESS; @@ -423,126 +420,6 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid, return job.listener.status; } -/** - * execute function for route - */ -static status_t route_execute(interface_job_t *job) -{ - interface_listener_t *listener = &job->listener; - ike_sa_t *ike_sa = listener->ike_sa; - - charon->bus->set_sa(charon->bus, ike_sa); - if (ike_sa->route(ike_sa, listener->child_cfg) != DESTROY_ME) - { - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - return SUCCESS; - } - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); - return FAILED; -} - -/** - * Implementation of controller_t.route. - */ -static status_t route(controller_t *this, - peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, - controller_cb_t callback, void *param) -{ - ike_sa_t *ike_sa; - interface_job_t job = { - .listener = { - .public = { - .log = (void*)listener_log, - .ike_state_change = (void*)listener_ike_state, - .child_state_change = (void*)listener_child_state, - }, - .callback = callback, - .param = param, - .status = FAILED, - .peer_cfg = peer_cfg, - .child_cfg = child_cfg, - }, - .public = { - .execute = (void*)route_execute, - .destroy = (void*)recheckin, - }, - }; - - ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, - peer_cfg); - if (ike_sa->get_peer_cfg(ike_sa) == NULL) - { - ike_sa->set_peer_cfg(ike_sa, peer_cfg); - } - job.listener.ike_sa = ike_sa; - if (callback == NULL) - { - return route_execute(&job); - } - charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job); - return job.listener.status; -} - -/** - * execute function for unroute - */ -static status_t unroute_execute(interface_job_t *job) -{ - interface_listener_t *listener = &job->listener; - ike_sa_t *ike_sa = listener->ike_sa; - - charon->bus->set_sa(charon->bus, ike_sa); - if (ike_sa->unroute(ike_sa, listener->id) != DESTROY_ME) - { - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - return SUCCESS; - } - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); - return SUCCESS; -} - -/** - * Implementation of controller_t.unroute. - */ -static status_t unroute(controller_t *this, u_int32_t reqid, - controller_cb_t callback, void *param) -{ - ike_sa_t *ike_sa; - interface_job_t job = { - .listener = { - .public = { - .log = (void*)listener_log, - .ike_state_change = (void*)listener_ike_state, - .child_state_change = (void*)listener_child_state, - }, - .callback = callback, - .param = param, - .status = FAILED, - .id = reqid, - }, - .public = { - .execute = (void*)unroute_execute, - .destroy = (void*)recheckin, - }, - }; - - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - reqid, TRUE); - if (ike_sa == NULL) - { - DBG1(DBG_IKE, "unable to unroute, CHILD_SA with ID %d not found", reqid); - return NOT_FOUND; - } - job.listener.ike_sa = ike_sa; - - if (callback == NULL) - { - return unroute_execute(&job); - } - charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job); - return job.listener.status; -} - /** * See header */ @@ -571,8 +448,6 @@ controller_t *controller_create(void) this->public.initiate = (status_t(*)(controller_t*,peer_cfg_t*,child_cfg_t*,controller_cb_t,void*))initiate; this->public.terminate_ike = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void*))terminate_ike; this->public.terminate_child = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void *param))terminate_child; - this->public.route = (status_t(*)(controller_t*,peer_cfg_t*, child_cfg_t*,controller_cb_t,void*))route; - this->public.unroute = (status_t(*)(controller_t*,u_int32_t,controller_cb_t,void*))unroute; this->public.destroy = (void (*)(controller_t*))destroy; return &this->public; diff --git a/src/charon/control/controller.h b/src/charon/control/controller.h index 05d9a81155..3c928d2eae 100644 --- a/src/charon/control/controller.h +++ b/src/charon/control/controller.h @@ -123,38 +123,6 @@ struct controller_t { status_t (*terminate_child)(controller_t *this, u_int32_t reqid, controller_cb_t callback, void *param); - /** - * Route a CHILD_SA (install triggering policies). - * - * @param peer_cfg peer_cfg to use for IKE_SA setup, if triggered - * @param child_cfg child_cfg to route - * @param cb logging callback - * @param param parameter to include in each call of cb - * @return - * - SUCCESS, if CHILD_SA routed - * - FAILED, if routing failed - * - NEED_MORE, if callback returned FALSE - */ - status_t (*route)(controller_t *this, - peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, - controller_cb_t callback, void *param); - - /** - * Unroute a routed CHILD_SA (uninstall triggering policies). - * - * Only the route is removed, not the CHILD_SAs the route triggered. - * - * @param reqid reqid of the CHILD_SA to unroute - * @param cb logging callback - * @param param parameter to include in each call of cb - * @return - * - SUCCESS, if CHILD_SA terminated - * - NOT_FOUND, if no such CHILD_SA routed - * - NEED_MORE, if callback returned FALSE - */ - status_t (*unroute)(controller_t *this, u_int32_t reqid, - controller_cb_t callback, void *param); - /** * Destroy a controller_t instance. */ diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index 126011e0b3..1e950210da 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -1105,7 +1105,8 @@ static void resolve_hosts(private_ike_sa_t *this) /** * Initiates a CHILD_SA using the appropriate reqid */ -static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid) +static status_t initiate_with_reqid(private_ike_sa_t *this, + child_cfg_t *child_cfg, u_int32_t reqid) { task_t *task; @@ -1198,168 +1199,6 @@ static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg) return initiate_with_reqid(this, child_cfg, 0); } -/** - * Implementation of ike_sa_t.acquire. - */ -static status_t acquire(private_ike_sa_t *this, u_int32_t reqid) -{ - child_cfg_t *child_cfg; - iterator_t *iterator; - child_sa_t *current, *child_sa = NULL; - - switch (this->state) - { - case IKE_DELETING: - DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: " - "IKE_SA is deleting", reqid); - return FAILED; - case IKE_PASSIVE: - /* do not process acquires if passive */ - return FAILED; - default: - break; - } - - /* find CHILD_SA */ - iterator = this->child_sas->create_iterator(this->child_sas, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (current->get_reqid(current) == reqid) - { - child_sa = current; - break; - } - } - iterator->destroy(iterator); - if (!child_sa) - { - DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: " - "CHILD_SA not found", reqid); - return FAILED; - } - - child_cfg = child_sa->get_config(child_sa); - child_cfg->get_ref(child_cfg); - - return initiate_with_reqid(this, child_cfg, reqid); -} - -/** - * Implementation of ike_sa_t.route. - */ -static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg) -{ - child_sa_t *child_sa; - iterator_t *iterator; - linked_list_t *my_ts, *other_ts; - host_t *me, *other; - status_t status; - - /* check if not already routed*/ - iterator = this->child_sas->create_iterator(this->child_sas, TRUE); - while (iterator->iterate(iterator, (void**)&child_sa)) - { - if (child_sa->get_state(child_sa) == CHILD_ROUTED && - streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg))) - { - iterator->destroy(iterator); - DBG1(DBG_IKE, "routing CHILD_SA failed: already routed"); - return FAILED; - } - } - iterator->destroy(iterator); - - switch (this->state) - { - case IKE_DELETING: - case IKE_REKEYING: - DBG1(DBG_IKE, "routing CHILD_SA failed: IKE_SA is %N", - ike_sa_state_names, this->state); - return FAILED; - case IKE_CREATED: - case IKE_CONNECTING: - case IKE_ESTABLISHED: - case IKE_PASSIVE: - default: - break; - } - - resolve_hosts(this); - - /* install kernel policies */ - child_sa = child_sa_create(this->my_host, this->other_host, - child_cfg, 0, FALSE); - me = this->my_host; - if (this->my_virtual_ip) - { - me = this->my_virtual_ip; - } - other = this->other_host; - if (this->other_virtual_ip) - { - other = this->other_virtual_ip; - } - - my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me); - other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other); - - child_sa->set_mode(child_sa, child_cfg->get_mode(child_cfg)); - status = child_sa->add_policies(child_sa, my_ts, other_ts); - - my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); - other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy)); - if (status == SUCCESS) - { - this->child_sas->insert_last(this->child_sas, child_sa); - DBG1(DBG_IKE, "CHILD_SA routed"); - } - else - { - child_sa->destroy(child_sa); - DBG1(DBG_IKE, "routing CHILD_SA failed"); - } - return status; -} - -/** - * Implementation of ike_sa_t.unroute. - */ -static status_t unroute(private_ike_sa_t *this, u_int32_t reqid) -{ - iterator_t *iterator; - child_sa_t *child_sa; - bool found = FALSE; - - /* find CHILD_SA in ROUTED state */ - iterator = this->child_sas->create_iterator(this->child_sas, TRUE); - while (iterator->iterate(iterator, (void**)&child_sa)) - { - if (child_sa->get_state(child_sa) == CHILD_ROUTED && - child_sa->get_reqid(child_sa) == reqid) - { - iterator->remove(iterator); - DBG1(DBG_IKE, "CHILD_SA unrouted"); - child_sa->destroy(child_sa); - found = TRUE; - break; - } - } - iterator->destroy(iterator); - - if (!found) - { - DBG1(DBG_IKE, "unrouting CHILD_SA failed: reqid %d not found", reqid); - return FAILED; - } - /* if we are not established, and we have no more routed childs, remove whole SA */ - if (this->state == IKE_CREATED && - this->child_sas->get_count(this->child_sas) == 0) - { - return DESTROY_ME; - } - return SUCCESS; -} - /** * Implementation of ike_sa_t.process_message. */ @@ -1434,14 +1273,10 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) else { host_t *me, *other; - private_ike_sa_t *new; - iterator_t *iterator; - child_sa_t *child; - bool has_routed = FALSE; me = message->get_destination(message); other = message->get_source(message); - + /* if this IKE_SA is virgin, we check for a config */ if (this->ike_cfg == NULL) { @@ -1471,51 +1306,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) update_hosts(this, me, other); } } - status = this->task_manager->process_message(this->task_manager, message); - if (status != DESTROY_ME) - { - return status; - } - /* if IKE_SA gets closed for any reasons, reroute routed children */ - iterator = this->child_sas->create_iterator(this->child_sas, TRUE); - while (iterator->iterate(iterator, (void**)&child)) - { - if (child->get_state(child) == CHILD_ROUTED) - { - has_routed = TRUE; - break; - } - } - iterator->destroy(iterator); - if (!has_routed) - { - return status; - } - /* move routed children to a new IKE_SA, apply connection info */ - new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new( - charon->ike_sa_manager, TRUE); - set_peer_cfg(new, this->peer_cfg); - new->other_host->destroy(new->other_host); - new->other_host = this->other_host->clone(this->other_host); - if (!has_condition(this, COND_NAT_THERE)) - { - new->other_host->set_port(new->other_host, IKEV2_UDP_PORT); - } - if (this->my_virtual_ip) - { - set_virtual_ip(new, TRUE, this->my_virtual_ip); - } - iterator = this->child_sas->create_iterator(this->child_sas, TRUE); - while (iterator->iterate(iterator, (void**)&child)) - { - if (child->get_state(child) == CHILD_ROUTED) - { - route(new, child->get_config(child)); - } - } - iterator->destroy(iterator); - charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public); - return status; + return this->task_manager->process_message(this->task_manager, message); } } @@ -1850,7 +1641,8 @@ static status_t reestablish(private_ike_sa_t *this) status = new->initiate(new, child_cfg); break; case ACTION_ROUTE: - status = new->route(new, child_cfg); + charon->traps->install(charon->traps, + this->peer_cfg, child_cfg); break; default: continue; @@ -2206,9 +1998,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic; this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message; this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate; - this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route; - this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute; - this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire; this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg; this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg; this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg; diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h index 29c91683f0..2272e10311 100644 --- a/src/charon/sa/ike_sa.h +++ b/src/charon/sa/ike_sa.h @@ -608,43 +608,6 @@ struct ike_sa_t { * - DESTROY_ME if initialization failed */ status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg); - - /** - * Route a policy in the kernel. - * - * Installs the policies in the kernel. If traffic matches, - * the kernel requests connection setup from the IKE_SA via acquire(). - * - * @param child_cfg child config to route - * @return - * - SUCCESS if routed successfully - * - FAILED if routing failed - */ - status_t (*route) (ike_sa_t *this, child_cfg_t *child_cfg); - - /** - * Unroute a policy in the kernel previously routed. - * - * @param reqid reqid of CHILD_SA to unroute - * @return - * - SUCCESS if route removed - * - NOT_FOUND if CHILD_SA not found - * - DESTROY_ME if last CHILD_SA was unrouted - */ - status_t (*unroute) (ike_sa_t *this, u_int32_t reqid); - - /** - * Acquire connection setup for an installed kernel policy. - * - * If an installed policy raises an acquire, the kernel calls - * this function to establish the CHILD_SA (and maybe the IKE_SA). - * - * @param reqid reqid of the CHILD_SA the policy belongs to. - * @return - * - SUCCESS if initialization started - * - DESTROY_ME if initialization failed - */ - status_t (*acquire) (ike_sa_t *this, u_int32_t reqid); /** * Initiates the deletion of an IKE_SA.