removed NAT_TRAVERSAL and VIRTUAL_IP compile options
[strongswan.git] / src / pluto / server.c
1 /* get-next-event loop
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id: server.c,v 1.9 2005/09/09 14:15:35 as Exp $
16 */
17
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <stddef.h>
21 #include <string.h>
22 #include <errno.h>
23 #include <signal.h>
24 #include <ctype.h>
25 #include <sys/types.h>
26 #include <sys/stat.h>
27 #include <sys/socket.h>
28 #include <sys/un.h>
29 #ifdef SOLARIS
30 # include <sys/sockio.h> /* for Solaris 2.6: defines SIOCGIFCONF */
31 #endif
32 #include <netinet/in.h>
33 #include <arpa/inet.h>
34 #include <sys/time.h>
35 #include <netdb.h>
36 #include <unistd.h>
37 #include <fcntl.h>
38 #include <net/if.h>
39 #include <sys/ioctl.h>
40 #include <resolv.h>
41 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
42 #include <sys/queue.h>
43
44 #include <freeswan.h>
45
46 #include "constants.h"
47 #include "defs.h"
48 #include "state.h"
49 #include "connections.h"
50 #include "kernel.h"
51 #include "log.h"
52 #include "server.h"
53 #include "timer.h"
54 #include "packet.h"
55 #include "demux.h" /* needs packet.h */
56 #include "rcv_whack.h"
57 #include "keys.h"
58 #include "adns.h" /* needs <resolv.h> */
59 #include "dnskey.h" /* needs keys.h and adns.h */
60 #include "whack.h" /* for RC_LOG_SERIOUS */
61
62 #include <pfkeyv2.h>
63 #include <pfkey.h>
64 #include "kameipsec.h"
65 #include "nat_traversal.h"
66
67 /*
68 * Server main loop and socket initialization routines.
69 */
70
71 static const int on = TRUE; /* by-reference parameter; constant, we hope */
72
73 /* control (whack) socket */
74 int ctl_fd = NULL_FD; /* file descriptor of control (whack) socket */
75 struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
76
77 /* info (showpolicy) socket */
78 int policy_fd = NULL_FD;
79 struct sockaddr_un info_addr= { AF_UNIX, DEFAULT_CTLBASE INFO_SUFFIX };
80
81 /* Initialize the control socket.
82 * Note: this is called very early, so little infrastructure is available.
83 * It is important that the socket is created before the original
84 * Pluto process returns.
85 */
86 err_t
87 init_ctl_socket(void)
88 {
89 err_t failed = NULL;
90
91 delete_ctl_socket(); /* preventative medicine */
92 ctl_fd = socket(AF_UNIX, SOCK_STREAM, 0);
93 if (ctl_fd == -1)
94 failed = "create";
95 else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1)
96 failed = "fcntl FD+CLOEXEC";
97 else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
98 failed = "setsockopt";
99 else
100 {
101 /* to keep control socket secure, use umask */
102 mode_t ou = umask(~S_IRWXU);
103
104 if (bind(ctl_fd, (struct sockaddr *)&ctl_addr
105 , offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
106 failed = "bind";
107 umask(ou);
108 }
109
110 /* 5 is a haphazardly chosen limit for the backlog.
111 * Rumour has it that this is the max on BSD systems.
112 */
113 if (failed == NULL && listen(ctl_fd, 5) < 0)
114 failed = "listen() on";
115
116 return failed == NULL? NULL : builddiag("could not %s control socket: %d %s"
117 , failed, errno, strerror(errno));
118 }
119
120 void
121 delete_ctl_socket(void)
122 {
123 /* Is noting failure useful? Not when used as preventative medicine. */
124 unlink(ctl_addr.sun_path);
125 }
126
127 #ifdef IPSECPOLICY
128 /* Initialize the info socket.
129 */
130 err_t
131 init_info_socket(void)
132 {
133 err_t failed = NULL;
134
135 delete_info_socket(); /* preventative medicine */
136 info_fd = socket(AF_UNIX, SOCK_STREAM, 0);
137 if (info_fd == -1)
138 failed = "create";
139 else if (fcntl(info_fd, F_SETFD, FD_CLOEXEC) == -1)
140 failed = "fcntl FD+CLOEXEC";
141 else if (setsockopt(info_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
142 failed = "setsockopt";
143 else
144 {
145 /* this socket should be openable by all proceses */
146 mode_t ou = umask(0);
147
148 if (bind(info_fd, (struct sockaddr *)&info_addr
149 , offsetof(struct sockaddr_un, sun_path) + strlen(info_addr.sun_path)) < 0)
150 failed = "bind";
151 umask(ou);
152 }
153
154 /* 64 might be big enough, and the system may limit us anyway.
155 */
156 if (failed == NULL && listen(info_fd, 64) < 0)
157 failed = "listen() on";
158
159 return failed == NULL? NULL : builddiag("could not %s info socket: %d %s"
160 , failed, errno, strerror(errno));
161 }
162
163 void
164 delete_info_socket(void)
165 {
166 unlink(info_addr.sun_path);
167 }
168 #endif /* IPSECPOLICY */
169
170
171 bool listening = FALSE; /* should we pay attention to IKE messages? */
172
173 struct iface *interfaces = NULL; /* public interfaces */
174
175 /* Initialize the interface sockets. */
176
177 static void
178 mark_ifaces_dead(void)
179 {
180 struct iface *p;
181
182 for (p = interfaces; p != NULL; p = p->next)
183 p->change = IFN_DELETE;
184 }
185
186 static void
187 free_dead_ifaces(void)
188 {
189 struct iface *p;
190 bool some_dead = FALSE
191 , some_new = FALSE;
192
193 for (p = interfaces; p != NULL; p = p->next)
194 {
195 if (p->change == IFN_DELETE)
196 {
197 plog("shutting down interface %s/%s %s"
198 , p->vname, p->rname, ip_str(&p->addr));
199 some_dead = TRUE;
200 }
201 else if (p->change == IFN_ADD)
202 {
203 some_new = TRUE;
204 }
205 }
206
207 if (some_dead)
208 {
209 struct iface **pp;
210
211 release_dead_interfaces();
212 for (pp = &interfaces; (p = *pp) != NULL; )
213 {
214 if (p->change == IFN_DELETE)
215 {
216 *pp = p->next; /* advance *pp */
217 pfree(p->vname);
218 pfree(p->rname);
219 close(p->fd);
220 pfree(p);
221 }
222 else
223 {
224 pp = &p->next; /* advance pp */
225 }
226 }
227 }
228
229 /* this must be done after the release_dead_interfaces
230 * in case some to the newly unoriented connections can
231 * become oriented here.
232 */
233 if (some_dead || some_new)
234 check_orientations();
235 }
236
237 void
238 free_ifaces(void)
239 {
240 mark_ifaces_dead();
241 free_dead_ifaces();
242 }
243
244 struct raw_iface {
245 ip_address addr;
246 char name[IFNAMSIZ + 20]; /* what would be a safe size? */
247 struct raw_iface *next;
248 };
249
250 /* Called to handle --interface <ifname>
251 * Semantics: if specified, only these (real) interfaces are considered.
252 */
253 static const char *pluto_ifn[10];
254 static int pluto_ifn_roof = 0;
255
256 bool
257 use_interface(const char *rifn)
258 {
259 if (pluto_ifn_roof >= (int)elemsof(pluto_ifn))
260 {
261 return FALSE;
262 }
263 else
264 {
265 pluto_ifn[pluto_ifn_roof++] = rifn;
266 return TRUE;
267 }
268 }
269
270 #ifndef IPSECDEVPREFIX
271 # define IPSECDEVPREFIX "ipsec"
272 #endif
273
274 static struct raw_iface *
275 find_raw_ifaces4(void)
276 {
277 int j; /* index into buf */
278 struct ifconf ifconf;
279 struct ifreq buf[300]; /* for list of interfaces -- arbitrary limit */
280 struct raw_iface *rifaces = NULL;
281 int master_sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
282
283 /* get list of interfaces with assigned IPv4 addresses from system */
284
285 if (master_sock == -1)
286 exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
287
288 if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
289 , (const void *)&on, sizeof(on)) < 0)
290 exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
291
292 /* bind the socket */
293 {
294 ip_address any;
295
296 happy(anyaddr(AF_INET, &any));
297 setportof(htons(pluto_port), &any);
298 if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
299 exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
300 }
301
302 /* Get local interfaces. See netdevice(7). */
303 ifconf.ifc_len = sizeof(buf);
304 ifconf.ifc_buf = (void *) buf;
305 zero(buf);
306
307 if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
308 exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
309
310 /* Add an entry to rifaces for each interesting interface. */
311 for (j = 0; (j+1) * sizeof(*buf) <= (size_t)ifconf.ifc_len; j++)
312 {
313 struct raw_iface ri;
314 const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
315 struct ifreq auxinfo;
316
317 /* ignore all but AF_INET interfaces */
318 if (rs->sin_family != AF_INET)
319 continue; /* not interesting */
320
321 /* build a NUL-terminated copy of the rname field */
322 memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
323 ri.name[IFNAMSIZ] = '\0';
324
325 /* ignore if our interface names were specified, and this isn't one */
326 if (pluto_ifn_roof != 0)
327 {
328 int i;
329
330 for (i = 0; i != pluto_ifn_roof; i++)
331 if (streq(ri.name, pluto_ifn[i]))
332 break;
333 if (i == pluto_ifn_roof)
334 continue; /* not found -- skip */
335 }
336
337 /* Find out stuff about this interface. See netdevice(7). */
338 zero(&auxinfo); /* paranoia */
339 memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
340 if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
341 exit_log_errno((e
342 , "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
343 , ri.name));
344 if (!(auxinfo.ifr_flags & IFF_UP))
345 continue; /* ignore an interface that isn't UP */
346
347 /* ignore unconfigured interfaces */
348 if (rs->sin_addr.s_addr == 0)
349 continue;
350
351 happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
352 , AF_INET, &ri.addr));
353
354 DBG(DBG_CONTROL, DBG_log("found %s with address %s"
355 , ri.name, ip_str(&ri.addr)));
356 ri.next = rifaces;
357 rifaces = clone_thing(ri, "struct raw_iface");
358 }
359
360 close(master_sock);
361
362 return rifaces;
363 }
364
365 static struct raw_iface *
366 find_raw_ifaces6(void)
367 {
368
369 /* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
370 *
371 * Documentation of format?
372 * RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
373 * linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
374 *
375 * Sample from Gerhard's laptop:
376 * 00000000000000000000000000000001 01 80 10 80 lo
377 * 30490009000000000000000000010002 02 40 00 80 ipsec0
378 * 30490009000000000000000000010002 07 40 00 80 eth0
379 * fe80000000000000025004fffefd5484 02 0a 20 80 ipsec0
380 * fe80000000000000025004fffefd5484 07 0a 20 80 eth0
381 *
382 * Each line contains:
383 * - IPv6 address: 16 bytes, in hex, no punctuation
384 * - ifindex: 1 byte, in hex
385 * - prefix_len: 1 byte, in hex
386 * - scope (e.g. global, link local): 1 byte, in hex
387 * - flags: 1 byte, in hex
388 * - device name: string, followed by '\n'
389 */
390 struct raw_iface *rifaces = NULL;
391 static const char proc_name[] = "/proc/net/if_inet6";
392 FILE *proc_sock = fopen(proc_name, "r");
393
394 if (proc_sock == NULL)
395 {
396 DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
397 }
398 else
399 {
400 for (;;)
401 {
402 struct raw_iface ri;
403 unsigned short xb[8]; /* IPv6 address as 8 16-bit chunks */
404 char sb[8*5]; /* IPv6 address as string-with-colons */
405 unsigned int if_idx; /* proc field, not used */
406 unsigned int plen; /* proc field, not used */
407 unsigned int scope; /* proc field, used to exclude link-local */
408 unsigned int dad_status; /* proc field, not used */
409 /* ??? I hate and distrust scanf -- DHR */
410 int r = fscanf(proc_sock
411 , "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
412 " %02x %02x %02x %02x %20s\n"
413 , xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
414 , &if_idx, &plen, &scope, &dad_status, ri.name);
415
416 /* ??? we should diagnose any problems */
417 if (r != 13)
418 break;
419
420 /* ignore addresses with link local scope.
421 * From linux-2.4.9-13/include/net/ipv6.h:
422 * IPV6_ADDR_LINKLOCAL 0x0020U
423 * IPV6_ADDR_SCOPE_MASK 0x00f0U
424 */
425 if ((scope & 0x00f0U) == 0x0020U)
426 continue;
427
428 snprintf(sb, sizeof(sb)
429 , "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
430 , xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
431
432 happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
433
434 if (!isunspecaddr(&ri.addr))
435 {
436 DBG(DBG_CONTROL
437 , DBG_log("found %s with address %s"
438 , ri.name, sb));
439 ri.next = rifaces;
440 rifaces = clone_thing(ri, "struct raw_iface");
441 }
442 }
443 fclose(proc_sock);
444 }
445
446 return rifaces;
447 }
448
449 #if 1
450 static int
451 create_socket(struct raw_iface *ifp, const char *v_name, int port)
452 {
453 int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
454 int fcntl_flags;
455
456 if (fd < 0)
457 {
458 log_errno((e, "socket() in process_raw_ifaces()"));
459 return -1;
460 }
461
462 #if 1
463 /* Set socket Nonblocking */
464 if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
465 if (!(fcntl_flags & O_NONBLOCK)) {
466 fcntl_flags |= O_NONBLOCK;
467 fcntl(fd, F_SETFL, fcntl_flags);
468 }
469 }
470 #endif
471
472 if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
473 {
474 log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
475 close(fd);
476 return -1;
477 }
478
479 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
480 , (const void *)&on, sizeof(on)) < 0)
481 {
482 log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
483 close(fd);
484 return -1;
485 }
486
487 /* To improve error reporting. See ip(7). */
488 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
489 if (setsockopt(fd, SOL_IP, IP_RECVERR
490 , (const void *)&on, sizeof(on)) < 0)
491 {
492 log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
493 close(fd);
494 return -1;
495 }
496 #endif
497
498 /* With IPv6, there is no fragmentation after
499 * it leaves our interface. PMTU discovery
500 * is mandatory but doesn't work well with IKE (why?).
501 * So we must set the IPV6_USE_MIN_MTU option.
502 * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
503 */
504 #ifdef IPV6_USE_MIN_MTU /* YUCK: not always defined */
505 if (addrtypeof(&ifp->addr) == AF_INET6
506 && setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
507 , (const void *)&on, sizeof(on)) < 0)
508 {
509 log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
510 close(fd);
511 return -1;
512 }
513 #endif
514
515 #if defined(linux) && defined(KERNEL26_SUPPORT)
516 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
517 {
518 struct sadb_x_policy policy;
519 int level, opt;
520
521 policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
522 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
523 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
524 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
525 policy.sadb_x_policy_reserved = 0;
526 policy.sadb_x_policy_id = 0;
527 policy.sadb_x_policy_reserved2 = 0;
528
529 if (addrtypeof(&ifp->addr) == AF_INET6)
530 {
531 level = IPPROTO_IPV6;
532 opt = IPV6_IPSEC_POLICY;
533 }
534 else
535 {
536 level = IPPROTO_IP;
537 opt = IP_IPSEC_POLICY;
538 }
539
540 if (setsockopt(fd, level, opt
541 , &policy, sizeof(policy)) < 0)
542 {
543 log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
544 close(fd);
545 return -1;
546 }
547
548 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
549
550 if (setsockopt(fd, level, opt
551 , &policy, sizeof(policy)) < 0)
552 {
553 log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
554 close(fd);
555 return -1;
556 }
557 }
558 #endif
559
560 setportof(htons(port), &ifp->addr);
561 if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
562 {
563 log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
564 , ifp->name, v_name
565 , ip_str(&ifp->addr), (unsigned) port));
566 close(fd);
567 return -1;
568 }
569 setportof(htons(pluto_port), &ifp->addr);
570 return fd;
571 }
572 #endif
573
574 static void
575 process_raw_ifaces(struct raw_iface *rifaces)
576 {
577 struct raw_iface *ifp;
578
579 /* Find all virtual/real interface pairs.
580 * For each real interface...
581 */
582 for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
583 {
584 struct raw_iface *v = NULL; /* matching ipsecX interface */
585 struct raw_iface fake_v;
586 bool after = FALSE; /* has vfp passed ifp on the list? */
587 bool bad = FALSE;
588 struct raw_iface *vfp;
589
590 /* ignore if virtual (ipsec*) interface */
591 if (strncmp(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
592 continue;
593
594 for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
595 {
596 if (vfp == ifp)
597 {
598 after = TRUE;
599 }
600 else if (sameaddr(&ifp->addr, &vfp->addr))
601 {
602 /* Different entries with matching IP addresses.
603 * Many interesting cases.
604 */
605 if (strncmp(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
606 {
607 if (v != NULL && !streq(v->name, vfp->name))
608 {
609 loglog(RC_LOG_SERIOUS
610 , "ipsec interfaces %s and %s share same address %s"
611 , v->name, vfp->name, ip_str(&ifp->addr));
612 bad = TRUE;
613 }
614 else
615 {
616 v = vfp; /* current winner */
617 }
618 }
619 else
620 {
621 /* ugh: a second real interface with the same IP address
622 * "after" allows us to avoid double reporting.
623 */
624 #if defined(linux) && defined(KERNEL26_SUPPORT)
625 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
626 {
627 if (after)
628 {
629 bad = TRUE;
630 break;
631 }
632 continue;
633 }
634 #endif
635 if (after)
636 {
637 loglog(RC_LOG_SERIOUS
638 , "IP interfaces %s and %s share address %s!"
639 , ifp->name, vfp->name, ip_str(&ifp->addr));
640 }
641 bad = TRUE;
642 }
643 }
644 }
645
646 if (bad)
647 continue;
648
649 #if defined(linux) && defined(KERNEL26_SUPPORT)
650 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
651 {
652 v = ifp;
653 goto add_entry;
654 }
655 #endif
656
657 /* what if we didn't find a virtual interface? */
658 if (v == NULL)
659 {
660 if (no_klips)
661 {
662 /* kludge for testing: invent a virtual device */
663 static const char fvp[] = "virtual";
664 fake_v = *ifp;
665 passert(sizeof(fake_v.name) > sizeof(fvp));
666 strcpy(fake_v.name, fvp);
667 addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
668 , sizeof(fake_v.name) - (sizeof(fvp) - 1));
669 v = &fake_v;
670 }
671 else
672 {
673 DBG(DBG_CONTROL,
674 DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
675 , ifp->name, ip_str(&ifp->addr)));
676 continue;
677 }
678 }
679
680 /* We've got all we need; see if this is a new thing:
681 * search old interfaces list.
682 */
683 #if defined(linux) && defined(KERNEL26_SUPPORT)
684 add_entry:
685 #endif
686 {
687 struct iface **p = &interfaces;
688
689 for (;;)
690 {
691 struct iface *q = *p;
692
693 /* search is over if at end of list */
694 if (q == NULL)
695 {
696 /* matches nothing -- create a new entry */
697 int fd = create_socket(ifp, v->name, pluto_port);
698
699 if (fd < 0)
700 break;
701
702 if (nat_traversal_support_non_ike
703 && addrtypeof(&ifp->addr) == AF_INET)
704 {
705 nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
706 }
707
708 q = alloc_thing(struct iface, "struct iface");
709 q->rname = clone_str(ifp->name, "real device name");
710 q->vname = clone_str(v->name, "virtual device name");
711 q->addr = ifp->addr;
712 q->fd = fd;
713 q->next = interfaces;
714 q->change = IFN_ADD;
715 interfaces = q;
716 plog("adding interface %s/%s %s:%d"
717 , q->vname, q->rname, ip_str(&q->addr), pluto_port);
718
719 if (nat_traversal_support_port_floating
720 && addrtypeof(&ifp->addr) == AF_INET)
721 {
722 fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
723 if (fd < 0)
724 break;
725 nat_traversal_espinudp_socket(fd,
726 ESPINUDP_WITH_NON_ESP);
727 q = alloc_thing(struct iface, "struct iface");
728 q->rname = clone_str(ifp->name, "real device name");
729 q->vname = clone_str(v->name, "virtual device name");
730 q->addr = ifp->addr;
731 setportof(htons(NAT_T_IKE_FLOAT_PORT), &q->addr);
732 q->fd = fd;
733 q->next = interfaces;
734 q->change = IFN_ADD;
735 q->ike_float = TRUE;
736 interfaces = q;
737 plog("adding interface %s/%s %s:%d",
738 q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
739 }
740 break;
741 }
742
743 /* search over if matching old entry found */
744 if (streq(q->rname, ifp->name)
745 && streq(q->vname, v->name)
746 && sameaddr(&q->addr, &ifp->addr))
747 {
748 /* matches -- rejuvinate old entry */
749 q->change = IFN_KEEP;
750
751 /* look for other interfaces to keep (due to NAT-T) */
752 for (q = q->next ; q ; q = q->next)
753 {
754 if (streq(q->rname, ifp->name)
755 && streq(q->vname, v->name)
756 && sameaddr(&q->addr, &ifp->addr))
757 {
758 q->change = IFN_KEEP;
759 }
760 }
761 break;
762 }
763
764 /* try again */
765 p = &q->next;
766 } /* for (;;) */
767 }
768 }
769
770 /* delete the raw interfaces list */
771 while (rifaces != NULL)
772 {
773 struct raw_iface *t = rifaces;
774
775 rifaces = t->next;
776 pfree(t);
777 }
778 }
779
780 void
781 find_ifaces(void)
782 {
783 mark_ifaces_dead();
784 process_raw_ifaces(find_raw_ifaces4());
785 process_raw_ifaces(find_raw_ifaces6());
786
787 free_dead_ifaces(); /* ditch remaining old entries */
788
789 if (interfaces == NULL)
790 loglog(RC_LOG_SERIOUS, "no public interfaces found");
791 }
792
793 void
794 show_ifaces_status(void)
795 {
796 struct iface *p;
797
798 for (p = interfaces; p != NULL; p = p->next)
799 whack_log(RC_COMMENT, "interface %s/%s %s:%d"
800 , p->vname, p->rname, ip_str(&p->addr), ntohs(portof(&p->addr)));
801 }
802
803 void
804 show_debug_status(void)
805 {
806 #ifdef DEBUG
807 whack_log(RC_COMMENT, "debug %s"
808 , bitnamesof(debug_bit_names, cur_debugging));
809 #endif
810 }
811
812 static volatile sig_atomic_t sighupflag = FALSE;
813
814 static void
815 huphandler(int sig UNUSED)
816 {
817 sighupflag = TRUE;
818 }
819
820 static volatile sig_atomic_t sigtermflag = FALSE;
821
822 static void
823 termhandler(int sig UNUSED)
824 {
825 sigtermflag = TRUE;
826 }
827
828 /* call_server listens for incoming ISAKMP packets and Whack messages,
829 * and handles timer events.
830 */
831 void
832 call_server(void)
833 {
834 struct iface *ifp;
835
836 /* catch SIGHUP and SIGTERM */
837 {
838 int r;
839 struct sigaction act;
840
841 act.sa_handler = &huphandler;
842 sigemptyset(&act.sa_mask);
843 act.sa_flags = 0; /* no SA_ONESHOT, no SA_RESTART, no nothing */
844 r = sigaction(SIGHUP, &act, NULL);
845 passert(r == 0);
846
847 act.sa_handler = &termhandler;
848 r = sigaction(SIGTERM, &act, NULL);
849 passert(r == 0);
850 }
851
852 for (;;)
853 {
854 fd_set readfds;
855 fd_set writefds;
856 int ndes;
857
858 /* wait for next interesting thing */
859
860 for (;;)
861 {
862 long next_time = next_event(); /* time to any pending timer event */
863 int maxfd = ctl_fd;
864
865 if (sigtermflag)
866 exit_pluto(0);
867
868 if (sighupflag)
869 {
870 /* Ignorant folks think poking any daemon with SIGHUP
871 * is polite. We catch it and tell them otherwise.
872 * There is one use: unsticking a hung recvfrom.
873 * This sticking happens sometimes -- kernel bug?
874 */
875 sighupflag = FALSE;
876 plog("Pluto ignores SIGHUP -- perhaps you want \"whack --listen\"");
877 }
878
879 FD_ZERO(&readfds);
880 FD_ZERO(&writefds);
881 FD_SET(ctl_fd, &readfds);
882 #ifdef IPSECPOLICY
883 FD_SET(info_fd, &readfds);
884 if (maxfd < info_fd)
885 maxfd = info_fd;
886 #endif
887
888 /* the only write file-descriptor of interest */
889 if (adns_qfd != NULL_FD && unsent_ADNS_queries)
890 {
891 if (maxfd < adns_qfd)
892 maxfd = adns_qfd;
893 FD_SET(adns_qfd, &writefds);
894 }
895
896 if (adns_afd != NULL_FD)
897 {
898 if (maxfd < adns_afd)
899 maxfd = adns_afd;
900 FD_SET(adns_afd, &readfds);
901 }
902
903 #ifdef KLIPS
904 if (!no_klips)
905 {
906 int fd = *kernel_ops->async_fdp;
907
908 if (kernel_ops->process_queue)
909 kernel_ops->process_queue();
910 if (maxfd < fd)
911 maxfd = fd;
912 passert(!FD_ISSET(fd, &readfds));
913 FD_SET(fd, &readfds);
914 }
915 #endif
916
917 if (listening)
918 {
919 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
920 {
921 if (maxfd < ifp->fd)
922 maxfd = ifp->fd;
923 passert(!FD_ISSET(ifp->fd, &readfds));
924 FD_SET(ifp->fd, &readfds);
925 }
926 }
927
928 if (next_time == -1)
929 {
930 /* select without timer */
931
932 ndes = select(maxfd + 1, &readfds, &writefds, NULL, NULL);
933 }
934 else if (next_time == 0)
935 {
936 /* timer without select: there is a timer event pending,
937 * and it should fire now so don't bother to do the select.
938 */
939 ndes = 0; /* signify timer expiration */
940 }
941 else
942 {
943 /* select with timer */
944
945 struct timeval tm;
946
947 tm.tv_sec = next_time;
948 tm.tv_usec = 0;
949 ndes = select(maxfd + 1, &readfds, &writefds, NULL, &tm);
950 }
951
952 if (ndes != -1)
953 break; /* success */
954
955 if (errno != EINTR)
956 exit_log_errno((e, "select() failed in call_server()"));
957
958 /* retry if terminated by signal */
959 }
960
961 /* figure out what is interesting */
962
963 if (ndes == 0)
964 {
965 /* timer event */
966
967 DBG(DBG_CONTROL,
968 DBG_log(BLANK_FORMAT);
969 DBG_log("*time to handle event"));
970
971 handle_timer_event();
972 passert(GLOBALS_ARE_RESET());
973 }
974 else
975 {
976 /* at least one file descriptor is ready */
977
978 if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
979 {
980 passert(ndes > 0);
981 send_unsent_ADNS_queries();
982 passert(GLOBALS_ARE_RESET());
983 ndes--;
984 }
985
986 if (adns_afd != NULL_FD && FD_ISSET(adns_afd, &readfds))
987 {
988 passert(ndes > 0);
989 DBG(DBG_CONTROL,
990 DBG_log(BLANK_FORMAT);
991 DBG_log("*received adns message"));
992 handle_adns_answer();
993 passert(GLOBALS_ARE_RESET());
994 ndes--;
995 }
996
997 #ifdef KLIPS
998 if (!no_klips && FD_ISSET(*kernel_ops->async_fdp, &readfds))
999 {
1000 passert(ndes > 0);
1001 DBG(DBG_CONTROL,
1002 DBG_log(BLANK_FORMAT);
1003 DBG_log("*received kernel message"));
1004 kernel_ops->process_msg();
1005 passert(GLOBALS_ARE_RESET());
1006 ndes--;
1007 }
1008 #endif
1009
1010 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
1011 {
1012 if (FD_ISSET(ifp->fd, &readfds))
1013 {
1014 /* comm_handle will print DBG_CONTROL intro,
1015 * with more info than we have here.
1016 */
1017
1018 passert(ndes > 0);
1019 comm_handle(ifp);
1020 passert(GLOBALS_ARE_RESET());
1021 ndes--;
1022 }
1023 }
1024
1025 if (FD_ISSET(ctl_fd, &readfds))
1026 {
1027 passert(ndes > 0);
1028 DBG(DBG_CONTROL,
1029 DBG_log(BLANK_FORMAT);
1030 DBG_log("*received whack message"));
1031 whack_handle(ctl_fd);
1032 passert(GLOBALS_ARE_RESET());
1033 ndes--;
1034 }
1035
1036 #ifdef IPSECPOLICY
1037 if (FD_ISSET(info_fd, &readfds))
1038 {
1039 passert(ndes > 0);
1040 DBG(DBG_CONTROL,
1041 DBG_log(BLANK_FORMAT);
1042 DBG_log("*received info message"));
1043 info_handle(info_fd);
1044 passert(GLOBALS_ARE_RESET());
1045 ndes--;
1046 }
1047 #endif
1048
1049 passert(ndes == 0);
1050 }
1051 }
1052 }
1053
1054 /*
1055 * Local Variables:
1056 * c-basic-offset: 4
1057 * End Variables:
1058 */