pluto: Removed no_klips flag (--noklips option).

Tobias Brunner 2010-08-16 15:53:56 +02:00
parent eeca1b0466
commit a0cbce9e7c
7 changed files with 132 additions and 174 deletions


@ -536,7 +536,7 @@ void check_orientations(void)
for (hp = host_pairs; hp != NULL; hp = hp->next)
{
if (sameaddr(&hp->him.addr, &i->addr)
&& (!no_klips || hp->him.port == pluto_port))
&& hp->him.port == pluto_port)
{
/* bad news: the whole chain of connections
* hanging off this host pair has both sides
@ -1884,7 +1884,7 @@ bool orient(connection_t *c)
{
/* check if this interface matches this end */
if (sameaddr(&sr->this.host_addr, &p->addr)
&& (!no_klips || sr->this.host_port == pluto_port))
&& sr->this.host_port == pluto_port)
{
if (oriented(*c))
{
@ -1903,7 +1903,7 @@ bool orient(connection_t *c)
/* done with this interface if it doesn't match that end */
if (!(sameaddr(&sr->that.host_addr, &p->addr)
&& (!no_klips || sr->that.host_port == pluto_port)))
&& sr->that.host_port == pluto_port))
break;
/* swap ends and try again.


@ -142,8 +142,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
static void set_text_said(char *text_said, const ip_address *dst,
ipsec_spi_t spi, int proto);
bool no_klips = FALSE; /* don't actually use KLIPS */
/**
* Default IPsec SA config (e.g. to install trap policies).
*/
@ -526,85 +524,82 @@ static bool do_command(connection_t *c, struct spd_route *sr,
DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
, verb, verb_suffix, cmd));
if (!no_klips)
/* invoke the script, catching stderr and stdout
* It may be of concern that some file descriptors will
* be inherited. For the ones under our control, we
* have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
* Any used by library routines (perhaps the resolver or syslog)
* will remain.
*/
FILE *f = popen(cmd, "r");
if (f == NULL)
{
/* invoke the script, catching stderr and stdout
* It may be of concern that some file descriptors will
* be inherited. For the ones under our control, we
* have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
* Any used by library routines (perhaps the resolver or syslog)
* will remain.
*/
FILE *f = popen(cmd, "r");
loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
return FALSE;
}
if (f == NULL)
/* log any output */
for (;;)
{
/* if response doesn't fit in this buffer, it will be folded */
char resp[256];
if (fgets(resp, sizeof(resp), f) == NULL)
{
loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
return FALSE;
}
/* log any output */
for (;;)
{
/* if response doesn't fit in this buffer, it will be folded */
char resp[256];
if (fgets(resp, sizeof(resp), f) == NULL)
if (ferror(f))
{
if (ferror(f))
{
log_errno((e, "fgets failed on output of %s%s command"
, verb, verb_suffix));
return FALSE;
}
else
{
passert(feof(f));
break;
}
}
else
{
char *e = resp + strlen(resp);
if (e > resp && e[-1] == '\n')
e[-1] = '\0'; /* trim trailing '\n' */
plog("%s%s output: %s", verb, verb_suffix, resp);
}
}
/* report on and react to return code */
{
int r = pclose(f);
if (r == -1)
{
log_errno((e, "pclose failed for %s%s command"
log_errno((e, "fgets failed on output of %s%s command"
, verb, verb_suffix));
return FALSE;
}
else if (WIFEXITED(r))
{
if (WEXITSTATUS(r) != 0)
{
loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
, verb, verb_suffix, WEXITSTATUS(r));
return FALSE;
}
}
else if (WIFSIGNALED(r))
{
loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
, verb, verb_suffix, WTERMSIG(r));
return FALSE;
}
else
{
loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
, verb, verb_suffix, r);
passert(feof(f));
break;
}
}
else
{
char *e = resp + strlen(resp);
if (e > resp && e[-1] == '\n')
e[-1] = '\0'; /* trim trailing '\n' */
plog("%s%s output: %s", verb, verb_suffix, resp);
}
}
/* report on and react to return code */
{
int r = pclose(f);
if (r == -1)
{
log_errno((e, "pclose failed for %s%s command"
, verb, verb_suffix));
return FALSE;
}
else if (WIFEXITED(r))
{
if (WEXITSTATUS(r) != 0)
{
loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
, verb, verb_suffix, WEXITSTATUS(r));
return FALSE;
}
}
else if (WIFSIGNALED(r))
{
loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
, verb, verb_suffix, WTERMSIG(r));
return FALSE;
}
else
{
loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
, verb, verb_suffix, r);
return FALSE;
}
}
return TRUE;
}
@ -648,10 +643,9 @@ static enum routability could_route(connection_t *c)
}
/* if routing would affect IKE messages, reject */
if (!no_klips
&& c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
&& c->spd.this.host_port != IKE_UDP_PORT
&& addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
&& c->spd.this.host_port != IKE_UDP_PORT
&& addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
{
loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
return route_impossible;
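Review bot: The popen() failure branch in do_command logs only a fixed message, `loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);`, while the fgets and pclose failure branches in the same hunk go through log_errno and so record why the call failed; `log_errno((e, "unable to popen %s%s command", verb, verb_suffix));` would make the three failure paths consistent and tell the operator what went wrong. With the no_klips guard gone this path now runs on every invocation, so it is the one a missing or misconfigured updown script will hit. Since popen() hands cmd to the shell, the quoting applied when cmd is assembled (before this hunk) is what keeps this call safe; that assembly is worth re-checking now that it is no longer skippable. do_command's body, including the construction of cmd, begins outside the hunk.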


@ -14,7 +14,6 @@
#include "connections.h"
extern bool no_klips; /* don't actually use KLIPS */
extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */
/* Declare eroute things early enough for uses.


@ -238,75 +238,71 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
pfkey_msg->sadb_msg_seq, description, text_said);
DBG_dump(NULL, (void *) pfkey_msg, len));
if (!no_klips)
ssize_t r = write(pfkeyfd, pfkey_msg, len);
if (r != (ssize_t)len)
{
ssize_t r = write(pfkeyfd, pfkey_msg, len);
if (r != (ssize_t)len)
if (r < 0)
{
if (r < 0)
{
log_errno((e, "pfkey write() of %s message %u for %s %s"
" failed", sparse_val_show(pfkey_type_names,
pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
description, text_said));
}
else
{
loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
" %u for %s %s truncated: %ld instead of %ld",
sparse_val_show(pfkey_type_names,
pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
description, text_said, (long)r, (long)len);
}
success = FALSE;
/* if we were compiled with debugging, but we haven't already
* dumped the command, do so.
*/
#ifdef DEBUG
if ((cur_debugging & DBG_KERNEL) == 0)
DBG_dump(NULL, (void *) pfkey_msg, len);
#endif
log_errno((e, "pfkey write() of %s message %u for %s %s"
" failed", sparse_val_show(pfkey_type_names,
pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
description, text_said));
}
else
{
/* Check response from kernel.
* It ought to be an echo, perhaps with additional info.
* If the caller wants it, response will point to space.
*/
pfkey_buf b;
pfkey_buf *bp = response != NULL? response : &b;
loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
" %u for %s %s truncated: %ld instead of %ld",
sparse_val_show(pfkey_type_names,
pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
description, text_said, (long)r, (long)len);
}
success = FALSE;
if (!pfkey_get_response(bp,
((struct sadb_msg *)extensions[0])->sadb_msg_seq))
{
loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
" message for %s %s", sparse_val_show(pfkey_type_names,
pfkey_msg->sadb_msg_type), description, text_said);
success = FALSE;
}
else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
{
loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
" message for %s %s was of wrong type (%s)",
sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
description, text_said,
sparse_val_show(pfkey_type_names,
bp->msg.sadb_msg_type));
success = FALSE;
}
else if (response == NULL && bp->msg.sadb_msg_errno != 0)
{
/* Kernel is signalling a problem */
loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
" included errno %u: %s",
sparse_val_show(pfkey_type_names,
/* if we were compiled with debugging, but we haven't already
* dumped the command, do so.
*/
#ifdef DEBUG
if ((cur_debugging & DBG_KERNEL) == 0)
DBG_dump(NULL, (void *) pfkey_msg, len);
#endif
}
else
{
/* Check response from kernel.
* It ought to be an echo, perhaps with additional info.
* If the caller wants it, response will point to space.
*/
pfkey_buf b;
pfkey_buf *bp = response != NULL? response : &b;
if (!pfkey_get_response(bp,
((struct sadb_msg *)extensions[0])->sadb_msg_seq))
{
loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
" message for %s %s", sparse_val_show(pfkey_type_names,
pfkey_msg->sadb_msg_type), description, text_said);
success = FALSE;
}
else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
{
loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
" message for %s %s was of wrong type (%s)",
sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
description, text_said, sparse_val_show(pfkey_type_names,
bp->msg.sadb_msg_type));
success = FALSE;
}
else if (response == NULL && bp->msg.sadb_msg_errno != 0)
{
/* Kernel is signalling a problem */
loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
" included errno %u: %s",
sparse_val_show(pfkey_type_names,
pfkey_msg->sadb_msg_type), description, text_said,
(unsigned) bp->msg.sadb_msg_errno,
strerror(bp->msg.sadb_msg_errno));
success = FALSE;
}
(unsigned) bp->msg.sadb_msg_errno,
strerror(bp->msg.sadb_msg_errno));
success = FALSE;
}
}
}
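Review bot: The sequence number handed to pfkey_get_response is read through a cast, `((struct sadb_msg *)extensions[0])->sadb_msg_seq`, while the log calls in the same hunk read the same field as `pfkey_msg->sadb_msg_seq`; if pfkey_msg is the message built from extensions[0] (its assignment is before the hunk), `pfkey_get_response(bp, pfkey_msg->sadb_msg_seq)` reads the value from one place and drops the cast. Now that the write() on pfkeyfd runs unconditionally, the comment above it could also state what the code does on a short or failed write: `/* a short or failed write() is reported and the message is not retried */`, since the branch sets success = FALSE and returns no further. finish_pfkey_msg starts and ends outside the hunk.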


@ -15,7 +15,6 @@ ipsec pluto
\fIfilename\fP]
[\-\-nofork]
[\-\-stderrlog]
[\-\-noklips]
[\-\-uniqueids]
[\fB\-\-interface\fP \fIinterfacename\fP]
[\-\-ikeport\ \c
@ -1264,9 +1263,6 @@ disable ``daemon fork'' (default is to fork). In addition, after the
lock file and control socket are created, print the line ``Pluto
initialized'' to standard out.
.TP
\fB\-\-noklips\fP
don't actually implement negotiated IPsec SAs
.TP
\fB\-\-uniqueids\fP
if this option has been selected, whenever a new ISAKMP SA is
established, any connection with the same Peer ID but a different
@ -1277,12 +1273,6 @@ then regained at another IP address.
\fB\-\-stderrlog\fP
log goes to standard out {default is to use \fIsyslogd\fP(8))
.LP
For example
.TP
pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog
.LP
lets one test \fBpluto\fP without using the superuser account.
.LP
\fBpluto\fP is willing to produce a prodigious amount of debugging
information. To do so, it must be compiled with \-DDEBUG. There are
several classes of debugging output, and \fBpluto\fP may be directed to


@ -96,7 +96,6 @@ static void usage(const char *mess)
" \\\n\t"
"[--nofork]"
" [--stderrlog]"
" [--noklips]"
" [--nocrsend]"
" \\\n\t"
"[--strictcrlpolicy]"
@ -300,7 +299,6 @@ int main(int argc, char **argv)
{ "optionsfrom", required_argument, NULL, '+' },
{ "nofork", no_argument, NULL, 'd' },
{ "stderrlog", no_argument, NULL, 'e' },
{ "noklips", no_argument, NULL, 'n' },
{ "nocrsend", no_argument, NULL, 'c' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "crlcheckinterval", required_argument, NULL, 'x'},
@ -402,10 +400,6 @@ int main(int argc, char **argv)
log_to_stderr_desired = TRUE;
continue;
case 'n': /* --noklips */
no_klips = TRUE;
continue;
case 'c': /* --nocrsend */
no_cr_send = TRUE;
continue;


@ -536,7 +536,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
{
struct raw_iface *v = NULL; /* matching ipsecX interface */
struct raw_iface fake_v;
bool after = FALSE; /* has vfp passed ifp on the list? */
bool bad = FALSE;
struct raw_iface *vfp;
@ -611,24 +610,10 @@ process_raw_ifaces(struct raw_iface *rifaces)
/* what if we didn't find a virtual interface? */
if (v == NULL)
{
if (no_klips)
{
/* kludge for testing: invent a virtual device */
static const char fvp[] = "virtual";
fake_v = *ifp;
passert(sizeof(fake_v.name) > sizeof(fvp));
strcpy(fake_v.name, fvp);
addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
, sizeof(fake_v.name) - (sizeof(fvp) - 1));
v = &fake_v;
}
else
{
DBG(DBG_CONTROL,
DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
, ifp->name, ip_str(&ifp->addr)));
continue;
}
DBG(DBG_CONTROL,
DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
, ifp->name, ip_str(&ifp->addr)));
continue;
}
/* We've got all we need; see if this is a new thing: