pluto: Removed no_klips flag (--noklips option).

This commit is contained in:
Tobias Brunner 2010-08-16 15:53:56 +02:00
parent eeca1b0466
commit a0cbce9e7c
7 changed files with 132 additions and 174 deletions


@ -536,7 +536,7 @@ void check_orientations(void)
for (hp = host_pairs; hp != NULL; hp = hp->next)
{
if (sameaddr(&hp->him.addr, &i->addr)
&& (!no_klips || hp->him.port == pluto_port))
&& hp->him.port == pluto_port)
{
/* bad news: the whole chain of connections
* hanging off this host pair has both sides
@ -1884,7 +1884,7 @@ bool orient(connection_t *c)
{
/* check if this interface matches this end */
if (sameaddr(&sr->this.host_addr, &p->addr)
&& (!no_klips || sr->this.host_port == pluto_port))
&& sr->this.host_port == pluto_port)
{
if (oriented(*c))
{
@ -1903,7 +1903,7 @@ bool orient(connection_t *c)
/* done with this interface if it doesn't match that end */
if (!(sameaddr(&sr->that.host_addr, &p->addr)
&& (!no_klips || sr->that.host_port == pluto_port)))
&& sr->that.host_port == pluto_port))
break;
/* swap ends and try again.
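Review bot: The interface-match test now has the same shape in three places — `sameaddr(&hp->him.addr, &i->addr) && hp->him.port == pluto_port` in check_orientations and the two `sr->this`/`sr->that` variants in orient() — and with the `no_klips` escape gone nothing distinguishes them any more. A small `static bool` helper taking the end's address, its port and the interface would keep the three from drifting apart again and would let the negated third form `!(sameaddr(...) && ...)` read as a plain negated call. The loops in check_orientations and orient() both start and end outside the hunks shown.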


@ -142,8 +142,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
static void set_text_said(char *text_said, const ip_address *dst,
ipsec_spi_t spi, int proto);
bool no_klips = FALSE; /* don't actually use KLIPS */
/**
* Default IPsec SA config (e.g. to install trap policies).
*/
@ -526,8 +524,6 @@ static bool do_command(connection_t *c, struct spd_route *sr,
DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
, verb, verb_suffix, cmd));
if (!no_klips)
{
/* invoke the script, catching stderr and stdout
* It may be of concern that some file descriptors will
* be inherited. For the ones under our control, we
@ -605,7 +601,6 @@ static bool do_command(connection_t *c, struct spd_route *sr,
return FALSE;
}
}
}
return TRUE;
}
@ -648,8 +643,7 @@ static enum routability could_route(connection_t *c)
}
/* if routing would affect IKE messages, reject */
if (!no_klips
&& c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
&& c->spd.this.host_port != IKE_UDP_PORT
&& addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
{


@ -14,7 +14,6 @@
#include "connections.h"
extern bool no_klips; /* don't actually use KLIPS */
extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */
/* Declare eroute things early enough for uses.


@ -238,8 +238,6 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
pfkey_msg->sadb_msg_seq, description, text_said);
DBG_dump(NULL, (void *) pfkey_msg, len));
if (!no_klips)
{
ssize_t r = write(pfkeyfd, pfkey_msg, len);
if (r != (ssize_t)len)
@ -291,8 +289,7 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
" message for %s %s was of wrong type (%s)",
sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
description, text_said,
sparse_val_show(pfkey_type_names,
description, text_said, sparse_val_show(pfkey_type_names,
bp->msg.sadb_msg_type));
success = FALSE;
}
@ -309,7 +306,6 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
}
}
}
}
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
return success;
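Review bot: The re-wrapped `loglog()` argument list in the second hunk (`description, text_said, sparse_val_show(pfkey_type_names,` replacing the two former lines) is a formatting-only change with no behavioural effect; it is fine to keep, but a reader looking for the flag removal would expect only the `if (!no_klips)` wrapper and its closing brace to go, so it is worth a word in the commit message or a separate whitespace commit. With that wrapper gone, `write(pfkeyfd, pfkey_msg, len)` in the first hunk runs unconditionally and its `r != (ssize_t)len` check is now the only guard on the kernel round-trip, so the error path that follows it (outside the hunk) deserves a re-read to confirm it reports errno. finish_pfkey_msg() starts before the first hunk and continues past the last one shown.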


@ -15,7 +15,6 @@ ipsec pluto
\fIfilename\fP]
[\-\-nofork]
[\-\-stderrlog]
[\-\-noklips]
[\-\-uniqueids]
[\fB\-\-interface\fP \fIinterfacename\fP]
[\-\-ikeport\ \c
@ -1264,9 +1263,6 @@ disable ``daemon fork'' (default is to fork). In addition, after the
lock file and control socket are created, print the line ``Pluto
initialized'' to standard out.
.TP
\fB\-\-noklips\fP
don't actually implement negotiated IPsec SAs
.TP
\fB\-\-uniqueids\fP
if this option has been selected, whenever a new ISAKMP SA is
established, any connection with the same Peer ID but a different
@ -1277,12 +1273,6 @@ then regained at another IP address.
\fB\-\-stderrlog\fP
log goes to standard out {default is to use \fIsyslogd\fP(8))
.LP
For example
.TP
pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog
.LP
lets one test \fBpluto\fP without using the superuser account.
.LP
\fBpluto\fP is willing to produce a prodigious amount of debugging
information. To do so, it must be compiled with \-DDEBUG. There are
several classes of debugging output, and \fBpluto\fP may be directed to


@ -96,7 +96,6 @@ static void usage(const char *mess)
" \\\n\t"
"[--nofork]"
" [--stderrlog]"
" [--noklips]"
" [--nocrsend]"
" \\\n\t"
"[--strictcrlpolicy]"
@ -300,7 +299,6 @@ int main(int argc, char **argv)
{ "optionsfrom", required_argument, NULL, '+' },
{ "nofork", no_argument, NULL, 'd' },
{ "stderrlog", no_argument, NULL, 'e' },
{ "noklips", no_argument, NULL, 'n' },
{ "nocrsend", no_argument, NULL, 'c' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "crlcheckinterval", required_argument, NULL, 'x'},
@ -402,10 +400,6 @@ int main(int argc, char **argv)
log_to_stderr_desired = TRUE;
continue;
case 'n': /* --noklips */
no_klips = TRUE;
continue;
case 'c': /* --nocrsend */
no_cr_send = TRUE;
continue;
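Review bot: Dropping the `{ "noklips", no_argument, NULL, 'n' }` entry and its `case 'n'` means a command line that still carries `--noklips` now takes getopt_long's unknown-option path instead of being accepted, so any start script or test harness passing the flag fails at startup; that is presumably intended, but none of those callers are part of this diff and the man page hunk only removes the example that used it. If the short-option string handed to getopt_long (outside this hunk) still lists `n`, it should be removed at the same time so the letter does not stay parseable as `-n` with no matching case. Both usage() and main() continue outside the hunks shown.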


@ -536,7 +536,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
{
struct raw_iface *v = NULL; /* matching ipsecX interface */
struct raw_iface fake_v;
bool after = FALSE; /* has vfp passed ifp on the list? */
bool bad = FALSE;
struct raw_iface *vfp;
@ -610,26 +609,12 @@ process_raw_ifaces(struct raw_iface *rifaces)
/* what if we didn't find a virtual interface? */
if (v == NULL)
{
if (no_klips)
{
/* kludge for testing: invent a virtual device */
static const char fvp[] = "virtual";
fake_v = *ifp;
passert(sizeof(fake_v.name) > sizeof(fvp));
strcpy(fake_v.name, fvp);
addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
, sizeof(fake_v.name) - (sizeof(fvp) - 1));
v = &fake_v;
}
else
{
DBG(DBG_CONTROL,
DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
, ifp->name, ip_str(&ifp->addr)));
continue;
}
}
/* We've got all we need; see if this is a new thing:
* search old interfaces list.