pluto: Removed no_klips flag (--noklips option).
This commit is contained in:
parent
eeca1b0466
commit
a0cbce9e7c
@ -536,7 +536,7 @@ void check_orientations(void)
|
|||
for (hp = host_pairs; hp != NULL; hp = hp->next)
|
||||
{
|
||||
if (sameaddr(&hp->him.addr, &i->addr)
|
||||
&& (!no_klips || hp->him.port == pluto_port))
|
||||
&& hp->him.port == pluto_port)
|
||||
{
|
||||
/* bad news: the whole chain of connections
|
||||
* hanging off this host pair has both sides
|
||||
|
@ -1884,7 +1884,7 @@ bool orient(connection_t *c)
|
|||
{
|
||||
/* check if this interface matches this end */
|
||||
if (sameaddr(&sr->this.host_addr, &p->addr)
|
||||
&& (!no_klips || sr->this.host_port == pluto_port))
|
||||
&& sr->this.host_port == pluto_port)
|
||||
{
|
||||
if (oriented(*c))
|
||||
{
|
||||
|
@ -1903,7 +1903,7 @@ bool orient(connection_t *c)
|
|||
|
||||
/* done with this interface if it doesn't match that end */
|
||||
if (!(sameaddr(&sr->that.host_addr, &p->addr)
|
||||
&& (!no_klips || sr->that.host_port == pluto_port)))
|
||||
&& sr->that.host_port == pluto_port))
|
||||
break;
|
||||
|
||||
/* swap ends and try again.
|
||||
@ -142,8 +142,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
|
|||
static void set_text_said(char *text_said, const ip_address *dst,
|
||||
ipsec_spi_t spi, int proto);
|
||||
|
||||
bool no_klips = FALSE; /* don't actually use KLIPS */
|
||||
|
||||
/**
|
||||
* Default IPsec SA config (e.g. to install trap policies).
|
||||
*/
|
||||
|
@ -526,85 +524,82 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
|||
DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
|
||||
, verb, verb_suffix, cmd));
|
||||
|
||||
if (!no_klips)
|
||||
/* invoke the script, catching stderr and stdout
|
||||
* It may be of concern that some file descriptors will
|
||||
* be inherited. For the ones under our control, we
|
||||
* have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
|
||||
* Any used by library routines (perhaps the resolver or syslog)
|
||||
* will remain.
|
||||
*/
|
||||
FILE *f = popen(cmd, "r");
|
||||
|
||||
if (f == NULL)
|
||||
{
|
||||
/* invoke the script, catching stderr and stdout
|
||||
* It may be of concern that some file descriptors will
|
||||
* be inherited. For the ones under our control, we
|
||||
* have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
|
||||
* Any used by library routines (perhaps the resolver or syslog)
|
||||
* will remain.
|
||||
*/
|
||||
FILE *f = popen(cmd, "r");
|
||||
loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (f == NULL)
|
||||
/* log any output */
|
||||
for (;;)
|
||||
{
|
||||
/* if response doesn't fit in this buffer, it will be folded */
|
||||
char resp[256];
|
||||
|
||||
if (fgets(resp, sizeof(resp), f) == NULL)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* log any output */
|
||||
for (;;)
|
||||
{
|
||||
/* if response doesn't fit in this buffer, it will be folded */
|
||||
char resp[256];
|
||||
|
||||
if (fgets(resp, sizeof(resp), f) == NULL)
|
||||
if (ferror(f))
|
||||
{
|
||||
if (ferror(f))
|
||||
{
|
||||
log_errno((e, "fgets failed on output of %s%s command"
|
||||
, verb, verb_suffix));
|
||||
return FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
passert(feof(f));
|
||||
break;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
char *e = resp + strlen(resp);
|
||||
|
||||
if (e > resp && e[-1] == '\n')
|
||||
e[-1] = '\0'; /* trim trailing '\n' */
|
||||
plog("%s%s output: %s", verb, verb_suffix, resp);
|
||||
}
|
||||
}
|
||||
|
||||
/* report on and react to return code */
|
||||
{
|
||||
int r = pclose(f);
|
||||
|
||||
if (r == -1)
|
||||
{
|
||||
log_errno((e, "pclose failed for %s%s command"
|
||||
log_errno((e, "fgets failed on output of %s%s command"
|
||||
, verb, verb_suffix));
|
||||
return FALSE;
|
||||
}
|
||||
else if (WIFEXITED(r))
|
||||
{
|
||||
if (WEXITSTATUS(r) != 0)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
|
||||
, verb, verb_suffix, WEXITSTATUS(r));
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
else if (WIFSIGNALED(r))
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
|
||||
, verb, verb_suffix, WTERMSIG(r));
|
||||
return FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
|
||||
, verb, verb_suffix, r);
|
||||
passert(feof(f));
|
||||
break;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
char *e = resp + strlen(resp);
|
||||
|
||||
if (e > resp && e[-1] == '\n')
|
||||
e[-1] = '\0'; /* trim trailing '\n' */
|
||||
plog("%s%s output: %s", verb, verb_suffix, resp);
|
||||
}
|
||||
}
|
||||
|
||||
/* report on and react to return code */
|
||||
{
|
||||
int r = pclose(f);
|
||||
|
||||
if (r == -1)
|
||||
{
|
||||
log_errno((e, "pclose failed for %s%s command"
|
||||
, verb, verb_suffix));
|
||||
return FALSE;
|
||||
}
|
||||
else if (WIFEXITED(r))
|
||||
{
|
||||
if (WEXITSTATUS(r) != 0)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
|
||||
, verb, verb_suffix, WEXITSTATUS(r));
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
else if (WIFSIGNALED(r))
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
|
||||
, verb, verb_suffix, WTERMSIG(r));
|
||||
return FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
|
||||
, verb, verb_suffix, r);
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
@ -648,10 +643,9 @@ static enum routability could_route(connection_t *c)
|
|||
}
|
||||
|
||||
/* if routing would affect IKE messages, reject */
|
||||
if (!no_klips
|
||||
&& c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
|
||||
&& c->spd.this.host_port != IKE_UDP_PORT
|
||||
&& addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
|
||||
if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
|
||||
&& c->spd.this.host_port != IKE_UDP_PORT
|
||||
&& addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
|
||||
return route_impossible;
|
||||
@ -14,7 +14,6 @@
|
|||
|
||||
#include "connections.h"
|
||||
|
||||
extern bool no_klips; /* don't actually use KLIPS */
|
||||
extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */
|
||||
|
||||
/* Declare eroute things early enough for uses.
|
||||
@ -238,75 +238,71 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
|
|||
pfkey_msg->sadb_msg_seq, description, text_said);
|
||||
DBG_dump(NULL, (void *) pfkey_msg, len));
|
||||
|
||||
if (!no_klips)
|
||||
ssize_t r = write(pfkeyfd, pfkey_msg, len);
|
||||
|
||||
if (r != (ssize_t)len)
|
||||
{
|
||||
ssize_t r = write(pfkeyfd, pfkey_msg, len);
|
||||
|
||||
if (r != (ssize_t)len)
|
||||
if (r < 0)
|
||||
{
|
||||
if (r < 0)
|
||||
{
|
||||
log_errno((e, "pfkey write() of %s message %u for %s %s"
|
||||
" failed", sparse_val_show(pfkey_type_names,
|
||||
pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
|
||||
description, text_said));
|
||||
}
|
||||
else
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
|
||||
" %u for %s %s truncated: %ld instead of %ld",
|
||||
sparse_val_show(pfkey_type_names,
|
||||
pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
|
||||
description, text_said, (long)r, (long)len);
|
||||
}
|
||||
success = FALSE;
|
||||
|
||||
/* if we were compiled with debugging, but we haven't already
|
||||
* dumped the command, do so.
|
||||
*/
|
||||
#ifdef DEBUG
|
||||
if ((cur_debugging & DBG_KERNEL) == 0)
|
||||
DBG_dump(NULL, (void *) pfkey_msg, len);
|
||||
#endif
|
||||
log_errno((e, "pfkey write() of %s message %u for %s %s"
|
||||
" failed", sparse_val_show(pfkey_type_names,
|
||||
pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
|
||||
description, text_said));
|
||||
}
|
||||
else
|
||||
{
|
||||
/* Check response from kernel.
|
||||
* It ought to be an echo, perhaps with additional info.
|
||||
* If the caller wants it, response will point to space.
|
||||
*/
|
||||
pfkey_buf b;
|
||||
pfkey_buf *bp = response != NULL? response : &b;
|
||||
loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
|
||||
" %u for %s %s truncated: %ld instead of %ld",
|
||||
sparse_val_show(pfkey_type_names,
|
||||
pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
|
||||
description, text_said, (long)r, (long)len);
|
||||
}
|
||||
success = FALSE;
|
||||
|
||||
if (!pfkey_get_response(bp,
|
||||
((struct sadb_msg *)extensions[0])->sadb_msg_seq))
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
|
||||
" message for %s %s", sparse_val_show(pfkey_type_names,
|
||||
pfkey_msg->sadb_msg_type), description, text_said);
|
||||
success = FALSE;
|
||||
}
|
||||
else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
|
||||
" message for %s %s was of wrong type (%s)",
|
||||
sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
|
||||
description, text_said,
|
||||
sparse_val_show(pfkey_type_names,
|
||||
bp->msg.sadb_msg_type));
|
||||
success = FALSE;
|
||||
}
|
||||
else if (response == NULL && bp->msg.sadb_msg_errno != 0)
|
||||
{
|
||||
/* Kernel is signalling a problem */
|
||||
loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
|
||||
" included errno %u: %s",
|
||||
sparse_val_show(pfkey_type_names,
|
||||
/* if we were compiled with debugging, but we haven't already
|
||||
* dumped the command, do so.
|
||||
*/
|
||||
#ifdef DEBUG
|
||||
if ((cur_debugging & DBG_KERNEL) == 0)
|
||||
DBG_dump(NULL, (void *) pfkey_msg, len);
|
||||
#endif
|
||||
}
|
||||
else
|
||||
{
|
||||
/* Check response from kernel.
|
||||
* It ought to be an echo, perhaps with additional info.
|
||||
* If the caller wants it, response will point to space.
|
||||
*/
|
||||
pfkey_buf b;
|
||||
pfkey_buf *bp = response != NULL? response : &b;
|
||||
|
||||
if (!pfkey_get_response(bp,
|
||||
((struct sadb_msg *)extensions[0])->sadb_msg_seq))
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
|
||||
" message for %s %s", sparse_val_show(pfkey_type_names,
|
||||
pfkey_msg->sadb_msg_type), description, text_said);
|
||||
success = FALSE;
|
||||
}
|
||||
else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
|
||||
" message for %s %s was of wrong type (%s)",
|
||||
sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
|
||||
description, text_said, sparse_val_show(pfkey_type_names,
|
||||
bp->msg.sadb_msg_type));
|
||||
success = FALSE;
|
||||
}
|
||||
else if (response == NULL && bp->msg.sadb_msg_errno != 0)
|
||||
{
|
||||
/* Kernel is signalling a problem */
|
||||
loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
|
||||
" included errno %u: %s",
|
||||
sparse_val_show(pfkey_type_names,
|
||||
pfkey_msg->sadb_msg_type), description, text_said,
|
||||
(unsigned) bp->msg.sadb_msg_errno,
|
||||
strerror(bp->msg.sadb_msg_errno));
|
||||
success = FALSE;
|
||||
}
|
||||
(unsigned) bp->msg.sadb_msg_errno,
|
||||
strerror(bp->msg.sadb_msg_errno));
|
||||
success = FALSE;
|
||||
}
|
||||
}
|
||||
}
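Review bot: The write-failure path is now unconditional, and its `#ifdef DEBUG` DBG_dump (right after `success = FALSE;`) writes the entire PF_KEY message to the log; for SADB_ADD/SADB_UPDATE that buffer is expected to carry the SA key extensions, so a failed write in a DEBUG build would log key material. A comment such as `/* NOTE: dumps the raw message, including any key extensions (DEBUG builds only) */` would at least make that visible, and masking the key extensions before the dump would be better. Separately, `write()` returning -1 with EINTR is treated as a hard failure here; whether a retry is needed depends on pluto's signal handling, which this hunk does not show. finish_pfkey_msg starts outside the hunk.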
|
||||
@ -15,7 +15,6 @@ ipsec pluto
|
|||
\fIfilename\fP]
|
||||
[\-\-nofork]
|
||||
[\-\-stderrlog]
|
||||
[\-\-noklips]
|
||||
[\-\-uniqueids]
|
||||
[\fB\-\-interface\fP \fIinterfacename\fP]
|
||||
[\-\-ikeport\ \c
|
||||
|
@ -1264,9 +1263,6 @@ disable ``daemon fork'' (default is to fork). In addition, after the
|
|||
lock file and control socket are created, print the line ``Pluto
|
||||
initialized'' to standard out.
|
||||
.TP
|
||||
\fB\-\-noklips\fP
|
||||
don't actually implement negotiated IPsec SAs
|
||||
.TP
|
||||
\fB\-\-uniqueids\fP
|
||||
if this option has been selected, whenever a new ISAKMP SA is
|
||||
established, any connection with the same Peer ID but a different
|
||||
|
@ -1277,12 +1273,6 @@ then regained at another IP address.
|
|||
\fB\-\-stderrlog\fP
|
||||
log goes to standard out {default is to use \fIsyslogd\fP(8))
|
||||
.LP
|
||||
For example
|
||||
.TP
|
||||
pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog
|
||||
.LP
|
||||
lets one test \fBpluto\fP without using the superuser account.
|
||||
.LP
|
||||
\fBpluto\fP is willing to produce a prodigious amount of debugging
|
||||
information. To do so, it must be compiled with \-DDEBUG. There are
|
||||
several classes of debugging output, and \fBpluto\fP may be directed to
|
||||
@ -96,7 +96,6 @@ static void usage(const char *mess)
|
|||
" \\\n\t"
|
||||
"[--nofork]"
|
||||
" [--stderrlog]"
|
||||
" [--noklips]"
|
||||
" [--nocrsend]"
|
||||
" \\\n\t"
|
||||
"[--strictcrlpolicy]"
|
||||
|
@ -300,7 +299,6 @@ int main(int argc, char **argv)
|
|||
{ "optionsfrom", required_argument, NULL, '+' },
|
||||
{ "nofork", no_argument, NULL, 'd' },
|
||||
{ "stderrlog", no_argument, NULL, 'e' },
|
||||
{ "noklips", no_argument, NULL, 'n' },
|
||||
{ "nocrsend", no_argument, NULL, 'c' },
|
||||
{ "strictcrlpolicy", no_argument, NULL, 'r' },
|
||||
{ "crlcheckinterval", required_argument, NULL, 'x'},
|
||||
|
@ -402,10 +400,6 @@ int main(int argc, char **argv)
|
|||
log_to_stderr_desired = TRUE;
|
||||
continue;
|
||||
|
||||
case 'n': /* --noklips */
|
||||
no_klips = TRUE;
|
||||
continue;
|
||||
|
||||
case 'c': /* --nocrsend */
|
||||
no_cr_send = TRUE;
|
||||
continue;
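Review bot: Dropping the `noklips` entry from the long-option table (`@ -300,7 +299,6 @@`) means any existing init script or test harness that still passes `--noklips` now fails at startup via usage() instead of starting without the option. If one release of backward compatibility is wanted, keep the table entry and replace the removed case with a warning no-op: `case 'n': /* --noklips (obsolete) */`, `plog("--noklips is obsolete and ignored");`, `continue;`. The usage text in the first hunk can drop the option either way. main() begins and ends outside the hunk.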
|
||||
@ -536,7 +536,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
|
|||
for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
|
||||
{
|
||||
struct raw_iface *v = NULL; /* matching ipsecX interface */
|
||||
struct raw_iface fake_v;
|
||||
bool after = FALSE; /* has vfp passed ifp on the list? */
|
||||
bool bad = FALSE;
|
||||
struct raw_iface *vfp;
|
||||
|
@ -611,24 +610,10 @@ process_raw_ifaces(struct raw_iface *rifaces)
|
|||
/* what if we didn't find a virtual interface? */
|
||||
if (v == NULL)
|
||||
{
|
||||
if (no_klips)
|
||||
{
|
||||
/* kludge for testing: invent a virtual device */
|
||||
static const char fvp[] = "virtual";
|
||||
fake_v = *ifp;
|
||||
passert(sizeof(fake_v.name) > sizeof(fvp));
|
||||
strcpy(fake_v.name, fvp);
|
||||
addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
|
||||
, sizeof(fake_v.name) - (sizeof(fvp) - 1));
|
||||
v = &fake_v;
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG(DBG_CONTROL,
|
||||
DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
|
||||
, ifp->name, ip_str(&ifp->addr)));
|
||||
continue;
|
||||
}
|
||||
DBG(DBG_CONTROL,
|
||||
DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
|
||||
, ifp->name, ip_str(&ifp->addr)));
|
||||
continue;
|
||||
}
|
||||
|
||||
/* We've got all we need; see if this is a new thing:
|
||||