pluto: Removed no_klips flag (--noklips option).
parent
eeca1b0466
commit
a0cbce9e7c
@ -536,7 +536,7 @@ void check_orientations(void)
|
|||
for (hp = host_pairs; hp != NULL; hp = hp->next)
|
||||
{
|
||||
if (sameaddr(&hp->him.addr, &i->addr)
|
||||
&& (!no_klips || hp->him.port == pluto_port))
|
||||
&& hp->him.port == pluto_port)
|
||||
{
|
||||
/* bad news: the whole chain of connections
|
||||
* hanging off this host pair has both sides
|
||||
|
@ -1884,7 +1884,7 @@ bool orient(connection_t *c)
|
|||
{
|
||||
/* check if this interface matches this end */
|
||||
if (sameaddr(&sr->this.host_addr, &p->addr)
|
||||
&& (!no_klips || sr->this.host_port == pluto_port))
|
||||
&& sr->this.host_port == pluto_port)
|
||||
{
|
||||
if (oriented(*c))
|
||||
{
|
||||
|
@ -1903,7 +1903,7 @@ bool orient(connection_t *c)
|
|||
|
||||
/* done with this interface if it doesn't match that end */
|
||||
if (!(sameaddr(&sr->that.host_addr, &p->addr)
|
||||
&& (!no_klips || sr->that.host_port == pluto_port)))
|
||||
&& sr->that.host_port == pluto_port))
|
||||
break;
|
||||
|
||||
/* swap ends and try again.
|
||||
@ -142,8 +142,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
|
|||
static void set_text_said(char *text_said, const ip_address *dst,
|
||||
ipsec_spi_t spi, int proto);
|
||||
|
||||
bool no_klips = FALSE; /* don't actually use KLIPS */
|
||||
|
||||
/**
|
||||
* Default IPsec SA config (e.g. to install trap policies).
|
||||
*/
|
||||
|
@ -526,8 +524,6 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
|||
DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
|
||||
, verb, verb_suffix, cmd));
|
||||
|
||||
if (!no_klips)
|
||||
{
|
||||
/* invoke the script, catching stderr and stdout
|
||||
* It may be of concern that some file descriptors will
|
||||
* be inherited. For the ones under our control, we
|
||||
|
@ -605,7 +601,6 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
|||
return FALSE;
|
||||
}
|
||||
}
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
@ -648,8 +643,7 @@ static enum routability could_route(connection_t *c)
|
|||
}
|
||||
|
||||
/* if routing would affect IKE messages, reject */
|
||||
if (!no_klips
|
||||
&& c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
|
||||
if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
|
||||
&& c->spd.this.host_port != IKE_UDP_PORT
|
||||
&& addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
|
||||
{
|
||||
@ -14,7 +14,6 @@
|
|||
|
||||
#include "connections.h"
|
||||
|
||||
extern bool no_klips; /* don't actually use KLIPS */
|
||||
extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */
|
||||
|
||||
/* Declare eroute things early enough for uses.
|
||||
@ -238,8 +238,6 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
|
|||
pfkey_msg->sadb_msg_seq, description, text_said);
|
||||
DBG_dump(NULL, (void *) pfkey_msg, len));
|
||||
|
||||
if (!no_klips)
|
||||
{
|
||||
ssize_t r = write(pfkeyfd, pfkey_msg, len);
|
||||
|
||||
if (r != (ssize_t)len)
|
||||
|
@ -291,8 +289,7 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
|
|||
loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
|
||||
" message for %s %s was of wrong type (%s)",
|
||||
sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
|
||||
description, text_said,
|
||||
sparse_val_show(pfkey_type_names,
|
||||
description, text_said, sparse_val_show(pfkey_type_names,
|
||||
bp->msg.sadb_msg_type));
|
||||
success = FALSE;
|
||||
}
|
||||
|
@ -309,7 +306,6 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
|
|||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
pfkey_extensions_free(extensions);
|
||||
pfkey_msg_free(&pfkey_msg);
|
||||
return success;
|
||||
@ -15,7 +15,6 @@ ipsec pluto
|
|||
\fIfilename\fP]
|
||||
[\-\-nofork]
|
||||
[\-\-stderrlog]
|
||||
[\-\-noklips]
|
||||
[\-\-uniqueids]
|
||||
[\fB\-\-interface\fP \fIinterfacename\fP]
|
||||
[\-\-ikeport\ \c
|
||||
|
@ -1264,9 +1263,6 @@ disable ``daemon fork'' (default is to fork). In addition, after the
|
|||
lock file and control socket are created, print the line ``Pluto
|
||||
initialized'' to standard out.
|
||||
.TP
|
||||
\fB\-\-noklips\fP
|
||||
don't actually implement negotiated IPsec SAs
|
||||
.TP
|
||||
\fB\-\-uniqueids\fP
|
||||
if this option has been selected, whenever a new ISAKMP SA is
|
||||
established, any connection with the same Peer ID but a different
|
||||
|
@ -1277,12 +1273,6 @@ then regained at another IP address.
|
|||
\fB\-\-stderrlog\fP
|
||||
log goes to standard out {default is to use \fIsyslogd\fP(8))
|
||||
.LP
|
||||
For example
|
||||
.TP
|
||||
pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog
|
||||
.LP
|
||||
lets one test \fBpluto\fP without using the superuser account.
|
||||
.LP
|
||||
\fBpluto\fP is willing to produce a prodigious amount of debugging
|
||||
information. To do so, it must be compiled with \-DDEBUG. There are
|
||||
several classes of debugging output, and \fBpluto\fP may be directed to
|
||||
@ -96,7 +96,6 @@ static void usage(const char *mess)
|
|||
" \\\n\t"
|
||||
"[--nofork]"
|
||||
" [--stderrlog]"
|
||||
" [--noklips]"
|
||||
" [--nocrsend]"
|
||||
" \\\n\t"
|
||||
"[--strictcrlpolicy]"
|
||||
|
@ -300,7 +299,6 @@ int main(int argc, char **argv)
|
|||
{ "optionsfrom", required_argument, NULL, '+' },
|
||||
{ "nofork", no_argument, NULL, 'd' },
|
||||
{ "stderrlog", no_argument, NULL, 'e' },
|
||||
{ "noklips", no_argument, NULL, 'n' },
|
||||
{ "nocrsend", no_argument, NULL, 'c' },
|
||||
{ "strictcrlpolicy", no_argument, NULL, 'r' },
|
||||
{ "crlcheckinterval", required_argument, NULL, 'x'},
|
||||
|
@ -402,10 +400,6 @@ int main(int argc, char **argv)
|
|||
log_to_stderr_desired = TRUE;
|
||||
continue;
|
||||
|
||||
case 'n': /* --noklips */
|
||||
no_klips = TRUE;
|
||||
continue;
|
||||
|
||||
case 'c': /* --nocrsend */
|
||||
no_cr_send = TRUE;
|
||||
continue;
|
||||
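Review bot: Dropping `{ "noklips", no_argument, NULL, 'n' }` from the long-option table turns every existing init script or test harness that still passes `--noklips` into an option-parsing failure, rather than just losing a flag that no longer does anything. Because the switch was documented and user-visible, consider keeping the table entry for a deprecation period and having the handler accept and ignore it with a warning, e.g. `case 'n': /* --noklips: obsolete, accepted and ignored */` followed by the existing `continue;`, while still removing it from the usage() text and the man page so it is no longer advertised. The code that reacts to an unknown option lives outside this hunk, so the exact failure mode (usage message and exit) is inferred from the usual getopt_long flow rather than visible here.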
@ -536,7 +536,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
|
|||
for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
|
||||
{
|
||||
struct raw_iface *v = NULL; /* matching ipsecX interface */
|
||||
struct raw_iface fake_v;
|
||||
bool after = FALSE; /* has vfp passed ifp on the list? */
|
||||
bool bad = FALSE;
|
||||
struct raw_iface *vfp;
|
||||
|
@ -610,26 +609,12 @@ process_raw_ifaces(struct raw_iface *rifaces)
|
|||
|
||||
/* what if we didn't find a virtual interface? */
|
||||
if (v == NULL)
|
||||
{
|
||||
if (no_klips)
|
||||
{
|
||||
/* kludge for testing: invent a virtual device */
|
||||
static const char fvp[] = "virtual";
|
||||
fake_v = *ifp;
|
||||
passert(sizeof(fake_v.name) > sizeof(fvp));
|
||||
strcpy(fake_v.name, fvp);
|
||||
addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
|
||||
, sizeof(fake_v.name) - (sizeof(fvp) - 1));
|
||||
v = &fake_v;
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG(DBG_CONTROL,
|
||||
DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
|
||||
, ifp->name, ip_str(&ifp->addr)));
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
/* We've got all we need; see if this is a new thing:
|
||||
* search old interfaces list.
|
||||