removing svn keyword $Id$ from all files
[strongswan.git] / src / pluto / server.c
1 /* get-next-event loop
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <stddef.h>
19 #include <string.h>
20 #include <errno.h>
21 #include <signal.h>
22 #include <ctype.h>
23 #include <sys/types.h>
24 #include <sys/stat.h>
25 #include <sys/socket.h>
26 #include <sys/un.h>
27 #ifdef SOLARIS
28 # include <sys/sockio.h> /* for Solaris 2.6: defines SIOCGIFCONF */
29 #endif
30 #include <netinet/in.h>
31 #include <arpa/inet.h>
32 #include <sys/time.h>
33 #include <netdb.h>
34 #include <unistd.h>
35 #include <fcntl.h>
36 #include <net/if.h>
37 #include <sys/ioctl.h>
38 #include <resolv.h>
39 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
40 #include <sys/queue.h>
41
42 #include <freeswan.h>
43
44 #include "constants.h"
45 #include "defs.h"
46 #include "state.h"
47 #include "connections.h"
48 #include "kernel.h"
49 #include "log.h"
50 #include "server.h"
51 #include "timer.h"
52 #include "packet.h"
53 #include "demux.h" /* needs packet.h */
54 #include "rcv_whack.h"
55 #include "keys.h"
56 #include "adns.h" /* needs <resolv.h> */
57 #include "dnskey.h" /* needs keys.h and adns.h */
58 #include "whack.h" /* for RC_LOG_SERIOUS */
59
60 #include <pfkeyv2.h>
61 #include <pfkey.h>
62 #include "kameipsec.h"
63 #include "nat_traversal.h"
64
65 /*
66 * Server main loop and socket initialization routines.
67 */
68
69 static const int on = TRUE; /* by-reference parameter; constant, we hope */
70
71 /* control (whack) socket */
72 int ctl_fd = NULL_FD; /* file descriptor of control (whack) socket */
73 struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
74
75 /* info (showpolicy) socket */
76 int policy_fd = NULL_FD;
77 struct sockaddr_un info_addr= { AF_UNIX, DEFAULT_CTLBASE INFO_SUFFIX };
78
79 /* Initialize the control socket.
80 * Note: this is called very early, so little infrastructure is available.
81 * It is important that the socket is created before the original
82 * Pluto process returns.
83 */
84 err_t
85 init_ctl_socket(void)
86 {
87 err_t failed = NULL;
88
89 delete_ctl_socket(); /* preventative medicine */
90 ctl_fd = socket(AF_UNIX, SOCK_STREAM, 0);
91 if (ctl_fd == -1)
92 failed = "create";
93 else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1)
94 failed = "fcntl FD+CLOEXEC";
95 else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
96 failed = "setsockopt";
97 else
98 {
99 /* to keep control socket secure, use umask */
100 mode_t ou = umask(~S_IRWXU);
101
102 if (bind(ctl_fd, (struct sockaddr *)&ctl_addr
103 , offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
104 failed = "bind";
105 umask(ou);
106 }
107
108 /* 5 is a haphazardly chosen limit for the backlog.
109 * Rumour has it that this is the max on BSD systems.
110 */
111 if (failed == NULL && listen(ctl_fd, 5) < 0)
112 failed = "listen() on";
113
114 return failed == NULL? NULL : builddiag("could not %s control socket: %d %s"
115 , failed, errno, strerror(errno));
116 }
117
118 void
119 delete_ctl_socket(void)
120 {
121 /* Is noting failure useful? Not when used as preventative medicine. */
122 unlink(ctl_addr.sun_path);
123 }
124
125 bool listening = FALSE; /* should we pay attention to IKE messages? */
126
127 struct iface *interfaces = NULL; /* public interfaces */
128
129 /* Initialize the interface sockets. */
130
131 static void
132 mark_ifaces_dead(void)
133 {
134 struct iface *p;
135
136 for (p = interfaces; p != NULL; p = p->next)
137 p->change = IFN_DELETE;
138 }
139
140 static void
141 free_dead_ifaces(void)
142 {
143 struct iface *p;
144 bool some_dead = FALSE
145 , some_new = FALSE;
146
147 for (p = interfaces; p != NULL; p = p->next)
148 {
149 if (p->change == IFN_DELETE)
150 {
151 plog("shutting down interface %s/%s %s"
152 , p->vname, p->rname, ip_str(&p->addr));
153 some_dead = TRUE;
154 }
155 else if (p->change == IFN_ADD)
156 {
157 some_new = TRUE;
158 }
159 }
160
161 if (some_dead)
162 {
163 struct iface **pp;
164
165 release_dead_interfaces();
166 for (pp = &interfaces; (p = *pp) != NULL; )
167 {
168 if (p->change == IFN_DELETE)
169 {
170 *pp = p->next; /* advance *pp */
171 free(p->vname);
172 free(p->rname);
173 close(p->fd);
174 free(p);
175 }
176 else
177 {
178 pp = &p->next; /* advance pp */
179 }
180 }
181 }
182
183 /* this must be done after the release_dead_interfaces
184 * in case some to the newly unoriented connections can
185 * become oriented here.
186 */
187 if (some_dead || some_new)
188 check_orientations();
189 }
190
191 void
192 free_ifaces(void)
193 {
194 mark_ifaces_dead();
195 free_dead_ifaces();
196 }
197
198 struct raw_iface {
199 ip_address addr;
200 char name[IFNAMSIZ + 20]; /* what would be a safe size? */
201 struct raw_iface *next;
202 };
203
204 /* Called to handle --interface <ifname>
205 * Semantics: if specified, only these (real) interfaces are considered.
206 */
207 static const char *pluto_ifn[10];
208 static int pluto_ifn_roof = 0;
209
210 bool
211 use_interface(const char *rifn)
212 {
213 if (pluto_ifn_roof >= (int)countof(pluto_ifn))
214 {
215 return FALSE;
216 }
217 else
218 {
219 pluto_ifn[pluto_ifn_roof++] = rifn;
220 return TRUE;
221 }
222 }
223
224 #ifndef IPSECDEVPREFIX
225 # define IPSECDEVPREFIX "ipsec"
226 #endif
227
228 static struct raw_iface *
229 find_raw_ifaces4(void)
230 {
231 int j; /* index into buf */
232 struct ifconf ifconf;
233 struct ifreq buf[300]; /* for list of interfaces -- arbitrary limit */
234 struct raw_iface *rifaces = NULL;
235 int master_sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
236
237 /* get list of interfaces with assigned IPv4 addresses from system */
238
239 if (master_sock == -1)
240 exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
241
242 if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
243 , (const void *)&on, sizeof(on)) < 0)
244 exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
245
246 /* bind the socket */
247 {
248 ip_address any;
249
250 happy(anyaddr(AF_INET, &any));
251 setportof(htons(pluto_port), &any);
252 if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
253 exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
254 }
255
256 /* Get local interfaces. See netdevice(7). */
257 ifconf.ifc_len = sizeof(buf);
258 ifconf.ifc_buf = (void *) buf;
259 zero(buf);
260
261 if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
262 exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
263
264 /* Add an entry to rifaces for each interesting interface. */
265 for (j = 0; (j+1) * sizeof(*buf) <= (size_t)ifconf.ifc_len; j++)
266 {
267 struct raw_iface ri;
268 const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
269 struct ifreq auxinfo;
270
271 /* ignore all but AF_INET interfaces */
272 if (rs->sin_family != AF_INET)
273 continue; /* not interesting */
274
275 /* build a NUL-terminated copy of the rname field */
276 memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
277 ri.name[IFNAMSIZ] = '\0';
278
279 /* ignore if our interface names were specified, and this isn't one */
280 if (pluto_ifn_roof != 0)
281 {
282 int i;
283
284 for (i = 0; i != pluto_ifn_roof; i++)
285 if (streq(ri.name, pluto_ifn[i]))
286 break;
287 if (i == pluto_ifn_roof)
288 continue; /* not found -- skip */
289 }
290
291 /* Find out stuff about this interface. See netdevice(7). */
292 zero(&auxinfo); /* paranoia */
293 memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
294 if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
295 exit_log_errno((e
296 , "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
297 , ri.name));
298 if (!(auxinfo.ifr_flags & IFF_UP))
299 continue; /* ignore an interface that isn't UP */
300
301 /* ignore unconfigured interfaces */
302 if (rs->sin_addr.s_addr == 0)
303 continue;
304
305 happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
306 , AF_INET, &ri.addr));
307
308 DBG(DBG_CONTROL, DBG_log("found %s with address %s"
309 , ri.name, ip_str(&ri.addr)));
310 ri.next = rifaces;
311 rifaces = clone_thing(ri);
312 }
313
314 close(master_sock);
315
316 return rifaces;
317 }
318
319 static struct raw_iface *
320 find_raw_ifaces6(void)
321 {
322
323 /* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
324 *
325 * Documentation of format?
326 * RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
327 * linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
328 *
329 * Sample from Gerhard's laptop:
330 * 00000000000000000000000000000001 01 80 10 80 lo
331 * 30490009000000000000000000010002 02 40 00 80 ipsec0
332 * 30490009000000000000000000010002 07 40 00 80 eth0
333 * fe80000000000000025004fffefd5484 02 0a 20 80 ipsec0
334 * fe80000000000000025004fffefd5484 07 0a 20 80 eth0
335 *
336 * Each line contains:
337 * - IPv6 address: 16 bytes, in hex, no punctuation
338 * - ifindex: 1 byte, in hex
339 * - prefix_len: 1 byte, in hex
340 * - scope (e.g. global, link local): 1 byte, in hex
341 * - flags: 1 byte, in hex
342 * - device name: string, followed by '\n'
343 */
344 struct raw_iface *rifaces = NULL;
345 static const char proc_name[] = "/proc/net/if_inet6";
346 FILE *proc_sock = fopen(proc_name, "r");
347
348 if (proc_sock == NULL)
349 {
350 DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
351 }
352 else
353 {
354 for (;;)
355 {
356 struct raw_iface ri;
357 unsigned short xb[8]; /* IPv6 address as 8 16-bit chunks */
358 char sb[8*5]; /* IPv6 address as string-with-colons */
359 unsigned int if_idx; /* proc field, not used */
360 unsigned int plen; /* proc field, not used */
361 unsigned int scope; /* proc field, used to exclude link-local */
362 unsigned int dad_status; /* proc field, not used */
363 /* ??? I hate and distrust scanf -- DHR */
364 int r = fscanf(proc_sock
365 , "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
366 " %02x %02x %02x %02x %20s\n"
367 , xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
368 , &if_idx, &plen, &scope, &dad_status, ri.name);
369
370 /* ??? we should diagnose any problems */
371 if (r != 13)
372 break;
373
374 /* ignore addresses with link local scope.
375 * From linux-2.4.9-13/include/net/ipv6.h:
376 * IPV6_ADDR_LINKLOCAL 0x0020U
377 * IPV6_ADDR_SCOPE_MASK 0x00f0U
378 */
379 if ((scope & 0x00f0U) == 0x0020U)
380 continue;
381
382 snprintf(sb, sizeof(sb)
383 , "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
384 , xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
385
386 happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
387
388 if (!isunspecaddr(&ri.addr))
389 {
390 DBG(DBG_CONTROL
391 , DBG_log("found %s with address %s"
392 , ri.name, sb));
393 ri.next = rifaces;
394 rifaces = clone_thing(ri);
395 }
396 }
397 fclose(proc_sock);
398 }
399
400 return rifaces;
401 }
402
403 #if 1
404 static int
405 create_socket(struct raw_iface *ifp, const char *v_name, int port)
406 {
407 int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
408 int fcntl_flags;
409
410 if (fd < 0)
411 {
412 log_errno((e, "socket() in process_raw_ifaces()"));
413 return -1;
414 }
415
416 #if 1
417 /* Set socket Nonblocking */
418 if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
419 if (!(fcntl_flags & O_NONBLOCK)) {
420 fcntl_flags |= O_NONBLOCK;
421 fcntl(fd, F_SETFL, fcntl_flags);
422 }
423 }
424 #endif
425
426 if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
427 {
428 log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
429 close(fd);
430 return -1;
431 }
432
433 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
434 , (const void *)&on, sizeof(on)) < 0)
435 {
436 log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
437 close(fd);
438 return -1;
439 }
440
441 /* To improve error reporting. See ip(7). */
442 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
443 if (setsockopt(fd, SOL_IP, IP_RECVERR
444 , (const void *)&on, sizeof(on)) < 0)
445 {
446 log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
447 close(fd);
448 return -1;
449 }
450 #endif
451
452 /* With IPv6, there is no fragmentation after
453 * it leaves our interface. PMTU discovery
454 * is mandatory but doesn't work well with IKE (why?).
455 * So we must set the IPV6_USE_MIN_MTU option.
456 * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
457 */
458 #ifdef IPV6_USE_MIN_MTU /* YUCK: not always defined */
459 if (addrtypeof(&ifp->addr) == AF_INET6
460 && setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
461 , (const void *)&on, sizeof(on)) < 0)
462 {
463 log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
464 close(fd);
465 return -1;
466 }
467 #endif
468
469 #if defined(linux) && defined(KERNEL26_SUPPORT)
470 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
471 {
472 struct sadb_x_policy policy;
473 int level, opt;
474
475 policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
476 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
477 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
478 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
479 policy.sadb_x_policy_reserved = 0;
480 policy.sadb_x_policy_id = 0;
481 policy.sadb_x_policy_reserved2 = 0;
482
483 if (addrtypeof(&ifp->addr) == AF_INET6)
484 {
485 level = IPPROTO_IPV6;
486 opt = IPV6_IPSEC_POLICY;
487 }
488 else
489 {
490 level = IPPROTO_IP;
491 opt = IP_IPSEC_POLICY;
492 }
493
494 if (setsockopt(fd, level, opt
495 , &policy, sizeof(policy)) < 0)
496 {
497 log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
498 close(fd);
499 return -1;
500 }
501
502 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
503
504 if (setsockopt(fd, level, opt
505 , &policy, sizeof(policy)) < 0)
506 {
507 log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
508 close(fd);
509 return -1;
510 }
511 }
512 #endif
513
514 setportof(htons(port), &ifp->addr);
515 if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
516 {
517 log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
518 , ifp->name, v_name
519 , ip_str(&ifp->addr), (unsigned) port));
520 close(fd);
521 return -1;
522 }
523 setportof(htons(pluto_port), &ifp->addr);
524 return fd;
525 }
526 #endif
527
528 static void
529 process_raw_ifaces(struct raw_iface *rifaces)
530 {
531 struct raw_iface *ifp;
532
533 /* Find all virtual/real interface pairs.
534 * For each real interface...
535 */
536 for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
537 {
538 struct raw_iface *v = NULL; /* matching ipsecX interface */
539 struct raw_iface fake_v;
540 bool after = FALSE; /* has vfp passed ifp on the list? */
541 bool bad = FALSE;
542 struct raw_iface *vfp;
543
544 /* ignore if virtual (ipsec*) interface */
545 if (strneq(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1))
546 {
547 continue;
548 }
549
550 for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
551 {
552 if (vfp == ifp)
553 {
554 after = TRUE;
555 }
556 else if (sameaddr(&ifp->addr, &vfp->addr))
557 {
558 /* Different entries with matching IP addresses.
559 * Many interesting cases.
560 */
561 if (strneq(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1))
562 {
563 if (v != NULL && !streq(v->name, vfp->name))
564 {
565 loglog(RC_LOG_SERIOUS
566 , "ipsec interfaces %s and %s share same address %s"
567 , v->name, vfp->name, ip_str(&ifp->addr));
568 bad = TRUE;
569 }
570 else
571 {
572 v = vfp; /* current winner */
573 }
574 }
575 else
576 {
577 /* ugh: a second real interface with the same IP address
578 * "after" allows us to avoid double reporting.
579 */
580 #if defined(linux) && defined(KERNEL26_SUPPORT)
581 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
582 {
583 if (after)
584 {
585 bad = TRUE;
586 break;
587 }
588 continue;
589 }
590 #endif
591 if (after)
592 {
593 loglog(RC_LOG_SERIOUS
594 , "IP interfaces %s and %s share address %s!"
595 , ifp->name, vfp->name, ip_str(&ifp->addr));
596 }
597 bad = TRUE;
598 }
599 }
600 }
601
602 if (bad)
603 continue;
604
605 #if defined(linux) && defined(KERNEL26_SUPPORT)
606 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
607 {
608 v = ifp;
609 goto add_entry;
610 }
611 #endif
612
613 /* what if we didn't find a virtual interface? */
614 if (v == NULL)
615 {
616 if (no_klips)
617 {
618 /* kludge for testing: invent a virtual device */
619 static const char fvp[] = "virtual";
620 fake_v = *ifp;
621 passert(sizeof(fake_v.name) > sizeof(fvp));
622 strcpy(fake_v.name, fvp);
623 addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
624 , sizeof(fake_v.name) - (sizeof(fvp) - 1));
625 v = &fake_v;
626 }
627 else
628 {
629 DBG(DBG_CONTROL,
630 DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
631 , ifp->name, ip_str(&ifp->addr)));
632 continue;
633 }
634 }
635
636 /* We've got all we need; see if this is a new thing:
637 * search old interfaces list.
638 */
639 #if defined(linux) && defined(KERNEL26_SUPPORT)
640 add_entry:
641 #endif
642 {
643 struct iface **p = &interfaces;
644
645 for (;;)
646 {
647 struct iface *q = *p;
648
649 /* search is over if at end of list */
650 if (q == NULL)
651 {
652 /* matches nothing -- create a new entry */
653 int fd = create_socket(ifp, v->name, pluto_port);
654
655 if (fd < 0)
656 break;
657
658 if (nat_traversal_support_non_ike
659 && addrtypeof(&ifp->addr) == AF_INET)
660 {
661 nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
662 }
663
664 q = malloc_thing(struct iface);
665 zero(q);
666 q->rname = clone_str(ifp->name);
667 q->vname = clone_str(v->name);
668 q->addr = ifp->addr;
669 q->fd = fd;
670 q->next = interfaces;
671 q->change = IFN_ADD;
672 interfaces = q;
673 plog("adding interface %s/%s %s:%d"
674 , q->vname, q->rname, ip_str(&q->addr), pluto_port);
675
676 if (nat_traversal_support_port_floating
677 && addrtypeof(&ifp->addr) == AF_INET)
678 {
679 fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
680 if (fd < 0)
681 break;
682 nat_traversal_espinudp_socket(fd,
683 ESPINUDP_WITH_NON_ESP);
684 q = malloc_thing(struct iface);
685 zero(q);
686 q->rname = clone_str(ifp->name);
687 q->vname = clone_str(v->name);
688 q->addr = ifp->addr;
689 setportof(htons(NAT_T_IKE_FLOAT_PORT), &q->addr);
690 q->fd = fd;
691 q->next = interfaces;
692 q->change = IFN_ADD;
693 q->ike_float = TRUE;
694 interfaces = q;
695 plog("adding interface %s/%s %s:%d",
696 q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
697 }
698 break;
699 }
700
701 /* search over if matching old entry found */
702 if (streq(q->rname, ifp->name)
703 && streq(q->vname, v->name)
704 && sameaddr(&q->addr, &ifp->addr))
705 {
706 /* matches -- rejuvinate old entry */
707 q->change = IFN_KEEP;
708
709 /* look for other interfaces to keep (due to NAT-T) */
710 for (q = q->next ; q ; q = q->next)
711 {
712 if (streq(q->rname, ifp->name)
713 && streq(q->vname, v->name)
714 && sameaddr(&q->addr, &ifp->addr))
715 {
716 q->change = IFN_KEEP;
717 }
718 }
719 break;
720 }
721
722 /* try again */
723 p = &q->next;
724 } /* for (;;) */
725 }
726 }
727
728 /* delete the raw interfaces list */
729 while (rifaces != NULL)
730 {
731 struct raw_iface *t = rifaces;
732
733 rifaces = t->next;
734 free(t);
735 }
736 }
737
738 void
739 find_ifaces(void)
740 {
741 mark_ifaces_dead();
742 process_raw_ifaces(find_raw_ifaces4());
743 process_raw_ifaces(find_raw_ifaces6());
744
745 free_dead_ifaces(); /* ditch remaining old entries */
746
747 if (interfaces == NULL)
748 loglog(RC_LOG_SERIOUS, "no public interfaces found");
749 }
750
751 void
752 show_ifaces_status(void)
753 {
754 struct iface *p;
755
756 for (p = interfaces; p != NULL; p = p->next)
757 whack_log(RC_COMMENT, "interface %s/%s %s:%d"
758 , p->vname, p->rname, ip_str(&p->addr), ntohs(portof(&p->addr)));
759 }
760
761 void
762 show_debug_status(void)
763 {
764 #ifdef DEBUG
765 whack_log(RC_COMMENT, "debug %s"
766 , bitnamesof(debug_bit_names, cur_debugging));
767 #endif
768 }
769
770 static volatile sig_atomic_t sighupflag = FALSE;
771
772 static void
773 huphandler(int sig UNUSED)
774 {
775 sighupflag = TRUE;
776 }
777
778 static volatile sig_atomic_t sigtermflag = FALSE;
779
780 static void
781 termhandler(int sig UNUSED)
782 {
783 sigtermflag = TRUE;
784 }
785
786 /* call_server listens for incoming ISAKMP packets and Whack messages,
787 * and handles timer events.
788 */
789 void
790 call_server(void)
791 {
792 struct iface *ifp;
793
794 /* catch SIGHUP and SIGTERM */
795 {
796 int r;
797 struct sigaction act;
798
799 act.sa_handler = &huphandler;
800 sigemptyset(&act.sa_mask);
801 act.sa_flags = 0; /* no SA_ONESHOT, no SA_RESTART, no nothing */
802 r = sigaction(SIGHUP, &act, NULL);
803 passert(r == 0);
804
805 act.sa_handler = &termhandler;
806 r = sigaction(SIGTERM, &act, NULL);
807 passert(r == 0);
808 }
809
810 for (;;)
811 {
812 fd_set readfds;
813 fd_set writefds;
814 int ndes;
815
816 /* wait for next interesting thing */
817
818 for (;;)
819 {
820 long next_time = next_event(); /* time to any pending timer event */
821 int maxfd = ctl_fd;
822
823 if (sigtermflag)
824 exit_pluto(0);
825
826 if (sighupflag)
827 {
828 /* Ignorant folks think poking any daemon with SIGHUP
829 * is polite. We catch it and tell them otherwise.
830 * There is one use: unsticking a hung recvfrom.
831 * This sticking happens sometimes -- kernel bug?
832 */
833 sighupflag = FALSE;
834 plog("Pluto ignores SIGHUP -- perhaps you want \"whack --listen\"");
835 }
836
837 FD_ZERO(&readfds);
838 FD_ZERO(&writefds);
839 FD_SET(ctl_fd, &readfds);
840
841 /* the only write file-descriptor of interest */
842 if (adns_qfd != NULL_FD && unsent_ADNS_queries)
843 {
844 if (maxfd < adns_qfd)
845 maxfd = adns_qfd;
846 FD_SET(adns_qfd, &writefds);
847 }
848
849 if (adns_afd != NULL_FD)
850 {
851 if (maxfd < adns_afd)
852 maxfd = adns_afd;
853 FD_SET(adns_afd, &readfds);
854 }
855
856 #ifdef KLIPS
857 if (!no_klips)
858 {
859 int fd = *kernel_ops->async_fdp;
860
861 if (kernel_ops->process_queue)
862 kernel_ops->process_queue();
863 if (maxfd < fd)
864 maxfd = fd;
865 passert(!FD_ISSET(fd, &readfds));
866 FD_SET(fd, &readfds);
867 }
868 #endif
869
870 if (listening)
871 {
872 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
873 {
874 if (maxfd < ifp->fd)
875 maxfd = ifp->fd;
876 passert(!FD_ISSET(ifp->fd, &readfds));
877 FD_SET(ifp->fd, &readfds);
878 }
879 }
880
881 if (next_time == -1)
882 {
883 /* select without timer */
884
885 ndes = select(maxfd + 1, &readfds, &writefds, NULL, NULL);
886 }
887 else if (next_time == 0)
888 {
889 /* timer without select: there is a timer event pending,
890 * and it should fire now so don't bother to do the select.
891 */
892 ndes = 0; /* signify timer expiration */
893 }
894 else
895 {
896 /* select with timer */
897
898 struct timeval tm;
899
900 tm.tv_sec = next_time;
901 tm.tv_usec = 0;
902 ndes = select(maxfd + 1, &readfds, &writefds, NULL, &tm);
903 }
904
905 if (ndes != -1)
906 break; /* success */
907
908 if (errno != EINTR)
909 exit_log_errno((e, "select() failed in call_server()"));
910
911 /* retry if terminated by signal */
912 }
913
914 /* figure out what is interesting */
915
916 if (ndes == 0)
917 {
918 /* timer event */
919
920 DBG(DBG_CONTROL,
921 DBG_log(BLANK_FORMAT);
922 DBG_log("*time to handle event"));
923
924 handle_timer_event();
925 passert(GLOBALS_ARE_RESET());
926 }
927 else
928 {
929 /* at least one file descriptor is ready */
930
931 if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
932 {
933 passert(ndes > 0);
934 send_unsent_ADNS_queries();
935 passert(GLOBALS_ARE_RESET());
936 ndes--;
937 }
938
939 if (adns_afd != NULL_FD && FD_ISSET(adns_afd, &readfds))
940 {
941 passert(ndes > 0);
942 DBG(DBG_CONTROL,
943 DBG_log(BLANK_FORMAT);
944 DBG_log("*received adns message"));
945 handle_adns_answer();
946 passert(GLOBALS_ARE_RESET());
947 ndes--;
948 }
949
950 #ifdef KLIPS
951 if (!no_klips && FD_ISSET(*kernel_ops->async_fdp, &readfds))
952 {
953 passert(ndes > 0);
954 DBG(DBG_CONTROL,
955 DBG_log(BLANK_FORMAT);
956 DBG_log("*received kernel message"));
957 kernel_ops->process_msg();
958 passert(GLOBALS_ARE_RESET());
959 ndes--;
960 }
961 #endif
962
963 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
964 {
965 if (FD_ISSET(ifp->fd, &readfds))
966 {
967 /* comm_handle will print DBG_CONTROL intro,
968 * with more info than we have here.
969 */
970
971 passert(ndes > 0);
972 comm_handle(ifp);
973 passert(GLOBALS_ARE_RESET());
974 ndes--;
975 }
976 }
977
978 if (FD_ISSET(ctl_fd, &readfds))
979 {
980 passert(ndes > 0);
981 DBG(DBG_CONTROL,
982 DBG_log(BLANK_FORMAT);
983 DBG_log("*received whack message"));
984 whack_handle(ctl_fd);
985 passert(GLOBALS_ARE_RESET());
986 ndes--;
987 }
988
989 passert(ndes == 0);
990 }
991 }
992 }
993
994 /*
995 * Local Variables:
996 * c-basic-offset: 4
997 * End Variables:
998 */