removed IPSECPOLICY compile option
[strongswan.git] / src / pluto / server.c
1 /* get-next-event loop
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * RCSID $Id: server.c,v 1.9 2005/09/09 14:15:35 as Exp $
16 */
17
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <stddef.h>
21 #include <string.h>
22 #include <errno.h>
23 #include <signal.h>
24 #include <ctype.h>
25 #include <sys/types.h>
26 #include <sys/stat.h>
27 #include <sys/socket.h>
28 #include <sys/un.h>
29 #ifdef SOLARIS
30 # include <sys/sockio.h> /* for Solaris 2.6: defines SIOCGIFCONF */
31 #endif
32 #include <netinet/in.h>
33 #include <arpa/inet.h>
34 #include <sys/time.h>
35 #include <netdb.h>
36 #include <unistd.h>
37 #include <fcntl.h>
38 #include <net/if.h>
39 #include <sys/ioctl.h>
40 #include <resolv.h>
41 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
42 #include <sys/queue.h>
43
44 #include <freeswan.h>
45
46 #include "constants.h"
47 #include "defs.h"
48 #include "state.h"
49 #include "connections.h"
50 #include "kernel.h"
51 #include "log.h"
52 #include "server.h"
53 #include "timer.h"
54 #include "packet.h"
55 #include "demux.h" /* needs packet.h */
56 #include "rcv_whack.h"
57 #include "keys.h"
58 #include "adns.h" /* needs <resolv.h> */
59 #include "dnskey.h" /* needs keys.h and adns.h */
60 #include "whack.h" /* for RC_LOG_SERIOUS */
61
62 #include <pfkeyv2.h>
63 #include <pfkey.h>
64 #include "kameipsec.h"
65 #include "nat_traversal.h"
66
67 /*
68 * Server main loop and socket initialization routines.
69 */
70
71 static const int on = TRUE; /* by-reference parameter; constant, we hope */
72
73 /* control (whack) socket */
74 int ctl_fd = NULL_FD; /* file descriptor of control (whack) socket */
75 struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
76
77 /* info (showpolicy) socket */
78 int policy_fd = NULL_FD;
79 struct sockaddr_un info_addr= { AF_UNIX, DEFAULT_CTLBASE INFO_SUFFIX };
80
81 /* Initialize the control socket.
82 * Note: this is called very early, so little infrastructure is available.
83 * It is important that the socket is created before the original
84 * Pluto process returns.
85 */
86 err_t
87 init_ctl_socket(void)
88 {
89 err_t failed = NULL;
90
91 delete_ctl_socket(); /* preventative medicine */
92 ctl_fd = socket(AF_UNIX, SOCK_STREAM, 0);
93 if (ctl_fd == -1)
94 failed = "create";
95 else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1)
96 failed = "fcntl FD+CLOEXEC";
97 else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
98 failed = "setsockopt";
99 else
100 {
101 /* to keep control socket secure, use umask */
102 mode_t ou = umask(~S_IRWXU);
103
104 if (bind(ctl_fd, (struct sockaddr *)&ctl_addr
105 , offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
106 failed = "bind";
107 umask(ou);
108 }
109
110 /* 5 is a haphazardly chosen limit for the backlog.
111 * Rumour has it that this is the max on BSD systems.
112 */
113 if (failed == NULL && listen(ctl_fd, 5) < 0)
114 failed = "listen() on";
115
116 return failed == NULL? NULL : builddiag("could not %s control socket: %d %s"
117 , failed, errno, strerror(errno));
118 }
119
120 void
121 delete_ctl_socket(void)
122 {
123 /* Is noting failure useful? Not when used as preventative medicine. */
124 unlink(ctl_addr.sun_path);
125 }
126
127 bool listening = FALSE; /* should we pay attention to IKE messages? */
128
129 struct iface *interfaces = NULL; /* public interfaces */
130
131 /* Initialize the interface sockets. */
132
133 static void
134 mark_ifaces_dead(void)
135 {
136 struct iface *p;
137
138 for (p = interfaces; p != NULL; p = p->next)
139 p->change = IFN_DELETE;
140 }
141
142 static void
143 free_dead_ifaces(void)
144 {
145 struct iface *p;
146 bool some_dead = FALSE
147 , some_new = FALSE;
148
149 for (p = interfaces; p != NULL; p = p->next)
150 {
151 if (p->change == IFN_DELETE)
152 {
153 plog("shutting down interface %s/%s %s"
154 , p->vname, p->rname, ip_str(&p->addr));
155 some_dead = TRUE;
156 }
157 else if (p->change == IFN_ADD)
158 {
159 some_new = TRUE;
160 }
161 }
162
163 if (some_dead)
164 {
165 struct iface **pp;
166
167 release_dead_interfaces();
168 for (pp = &interfaces; (p = *pp) != NULL; )
169 {
170 if (p->change == IFN_DELETE)
171 {
172 *pp = p->next; /* advance *pp */
173 pfree(p->vname);
174 pfree(p->rname);
175 close(p->fd);
176 pfree(p);
177 }
178 else
179 {
180 pp = &p->next; /* advance pp */
181 }
182 }
183 }
184
185 /* this must be done after the release_dead_interfaces
186 * in case some to the newly unoriented connections can
187 * become oriented here.
188 */
189 if (some_dead || some_new)
190 check_orientations();
191 }
192
193 void
194 free_ifaces(void)
195 {
196 mark_ifaces_dead();
197 free_dead_ifaces();
198 }
199
200 struct raw_iface {
201 ip_address addr;
202 char name[IFNAMSIZ + 20]; /* what would be a safe size? */
203 struct raw_iface *next;
204 };
205
206 /* Called to handle --interface <ifname>
207 * Semantics: if specified, only these (real) interfaces are considered.
208 */
209 static const char *pluto_ifn[10];
210 static int pluto_ifn_roof = 0;
211
212 bool
213 use_interface(const char *rifn)
214 {
215 if (pluto_ifn_roof >= (int)elemsof(pluto_ifn))
216 {
217 return FALSE;
218 }
219 else
220 {
221 pluto_ifn[pluto_ifn_roof++] = rifn;
222 return TRUE;
223 }
224 }
225
226 #ifndef IPSECDEVPREFIX
227 # define IPSECDEVPREFIX "ipsec"
228 #endif
229
230 static struct raw_iface *
231 find_raw_ifaces4(void)
232 {
233 int j; /* index into buf */
234 struct ifconf ifconf;
235 struct ifreq buf[300]; /* for list of interfaces -- arbitrary limit */
236 struct raw_iface *rifaces = NULL;
237 int master_sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
238
239 /* get list of interfaces with assigned IPv4 addresses from system */
240
241 if (master_sock == -1)
242 exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
243
244 if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
245 , (const void *)&on, sizeof(on)) < 0)
246 exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
247
248 /* bind the socket */
249 {
250 ip_address any;
251
252 happy(anyaddr(AF_INET, &any));
253 setportof(htons(pluto_port), &any);
254 if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
255 exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
256 }
257
258 /* Get local interfaces. See netdevice(7). */
259 ifconf.ifc_len = sizeof(buf);
260 ifconf.ifc_buf = (void *) buf;
261 zero(buf);
262
263 if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
264 exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
265
266 /* Add an entry to rifaces for each interesting interface. */
267 for (j = 0; (j+1) * sizeof(*buf) <= (size_t)ifconf.ifc_len; j++)
268 {
269 struct raw_iface ri;
270 const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
271 struct ifreq auxinfo;
272
273 /* ignore all but AF_INET interfaces */
274 if (rs->sin_family != AF_INET)
275 continue; /* not interesting */
276
277 /* build a NUL-terminated copy of the rname field */
278 memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
279 ri.name[IFNAMSIZ] = '\0';
280
281 /* ignore if our interface names were specified, and this isn't one */
282 if (pluto_ifn_roof != 0)
283 {
284 int i;
285
286 for (i = 0; i != pluto_ifn_roof; i++)
287 if (streq(ri.name, pluto_ifn[i]))
288 break;
289 if (i == pluto_ifn_roof)
290 continue; /* not found -- skip */
291 }
292
293 /* Find out stuff about this interface. See netdevice(7). */
294 zero(&auxinfo); /* paranoia */
295 memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
296 if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
297 exit_log_errno((e
298 , "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
299 , ri.name));
300 if (!(auxinfo.ifr_flags & IFF_UP))
301 continue; /* ignore an interface that isn't UP */
302
303 /* ignore unconfigured interfaces */
304 if (rs->sin_addr.s_addr == 0)
305 continue;
306
307 happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
308 , AF_INET, &ri.addr));
309
310 DBG(DBG_CONTROL, DBG_log("found %s with address %s"
311 , ri.name, ip_str(&ri.addr)));
312 ri.next = rifaces;
313 rifaces = clone_thing(ri, "struct raw_iface");
314 }
315
316 close(master_sock);
317
318 return rifaces;
319 }
320
321 static struct raw_iface *
322 find_raw_ifaces6(void)
323 {
324
325 /* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
326 *
327 * Documentation of format?
328 * RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
329 * linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
330 *
331 * Sample from Gerhard's laptop:
332 * 00000000000000000000000000000001 01 80 10 80 lo
333 * 30490009000000000000000000010002 02 40 00 80 ipsec0
334 * 30490009000000000000000000010002 07 40 00 80 eth0
335 * fe80000000000000025004fffefd5484 02 0a 20 80 ipsec0
336 * fe80000000000000025004fffefd5484 07 0a 20 80 eth0
337 *
338 * Each line contains:
339 * - IPv6 address: 16 bytes, in hex, no punctuation
340 * - ifindex: 1 byte, in hex
341 * - prefix_len: 1 byte, in hex
342 * - scope (e.g. global, link local): 1 byte, in hex
343 * - flags: 1 byte, in hex
344 * - device name: string, followed by '\n'
345 */
346 struct raw_iface *rifaces = NULL;
347 static const char proc_name[] = "/proc/net/if_inet6";
348 FILE *proc_sock = fopen(proc_name, "r");
349
350 if (proc_sock == NULL)
351 {
352 DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
353 }
354 else
355 {
356 for (;;)
357 {
358 struct raw_iface ri;
359 unsigned short xb[8]; /* IPv6 address as 8 16-bit chunks */
360 char sb[8*5]; /* IPv6 address as string-with-colons */
361 unsigned int if_idx; /* proc field, not used */
362 unsigned int plen; /* proc field, not used */
363 unsigned int scope; /* proc field, used to exclude link-local */
364 unsigned int dad_status; /* proc field, not used */
365 /* ??? I hate and distrust scanf -- DHR */
366 int r = fscanf(proc_sock
367 , "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
368 " %02x %02x %02x %02x %20s\n"
369 , xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
370 , &if_idx, &plen, &scope, &dad_status, ri.name);
371
372 /* ??? we should diagnose any problems */
373 if (r != 13)
374 break;
375
376 /* ignore addresses with link local scope.
377 * From linux-2.4.9-13/include/net/ipv6.h:
378 * IPV6_ADDR_LINKLOCAL 0x0020U
379 * IPV6_ADDR_SCOPE_MASK 0x00f0U
380 */
381 if ((scope & 0x00f0U) == 0x0020U)
382 continue;
383
384 snprintf(sb, sizeof(sb)
385 , "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
386 , xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
387
388 happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
389
390 if (!isunspecaddr(&ri.addr))
391 {
392 DBG(DBG_CONTROL
393 , DBG_log("found %s with address %s"
394 , ri.name, sb));
395 ri.next = rifaces;
396 rifaces = clone_thing(ri, "struct raw_iface");
397 }
398 }
399 fclose(proc_sock);
400 }
401
402 return rifaces;
403 }
404
405 #if 1
406 static int
407 create_socket(struct raw_iface *ifp, const char *v_name, int port)
408 {
409 int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
410 int fcntl_flags;
411
412 if (fd < 0)
413 {
414 log_errno((e, "socket() in process_raw_ifaces()"));
415 return -1;
416 }
417
418 #if 1
419 /* Set socket Nonblocking */
420 if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
421 if (!(fcntl_flags & O_NONBLOCK)) {
422 fcntl_flags |= O_NONBLOCK;
423 fcntl(fd, F_SETFL, fcntl_flags);
424 }
425 }
426 #endif
427
428 if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
429 {
430 log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
431 close(fd);
432 return -1;
433 }
434
435 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
436 , (const void *)&on, sizeof(on)) < 0)
437 {
438 log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
439 close(fd);
440 return -1;
441 }
442
443 /* To improve error reporting. See ip(7). */
444 #if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
445 if (setsockopt(fd, SOL_IP, IP_RECVERR
446 , (const void *)&on, sizeof(on)) < 0)
447 {
448 log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
449 close(fd);
450 return -1;
451 }
452 #endif
453
454 /* With IPv6, there is no fragmentation after
455 * it leaves our interface. PMTU discovery
456 * is mandatory but doesn't work well with IKE (why?).
457 * So we must set the IPV6_USE_MIN_MTU option.
458 * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
459 */
460 #ifdef IPV6_USE_MIN_MTU /* YUCK: not always defined */
461 if (addrtypeof(&ifp->addr) == AF_INET6
462 && setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
463 , (const void *)&on, sizeof(on)) < 0)
464 {
465 log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
466 close(fd);
467 return -1;
468 }
469 #endif
470
471 #if defined(linux) && defined(KERNEL26_SUPPORT)
472 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
473 {
474 struct sadb_x_policy policy;
475 int level, opt;
476
477 policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
478 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
479 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
480 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
481 policy.sadb_x_policy_reserved = 0;
482 policy.sadb_x_policy_id = 0;
483 policy.sadb_x_policy_reserved2 = 0;
484
485 if (addrtypeof(&ifp->addr) == AF_INET6)
486 {
487 level = IPPROTO_IPV6;
488 opt = IPV6_IPSEC_POLICY;
489 }
490 else
491 {
492 level = IPPROTO_IP;
493 opt = IP_IPSEC_POLICY;
494 }
495
496 if (setsockopt(fd, level, opt
497 , &policy, sizeof(policy)) < 0)
498 {
499 log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
500 close(fd);
501 return -1;
502 }
503
504 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
505
506 if (setsockopt(fd, level, opt
507 , &policy, sizeof(policy)) < 0)
508 {
509 log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
510 close(fd);
511 return -1;
512 }
513 }
514 #endif
515
516 setportof(htons(port), &ifp->addr);
517 if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
518 {
519 log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
520 , ifp->name, v_name
521 , ip_str(&ifp->addr), (unsigned) port));
522 close(fd);
523 return -1;
524 }
525 setportof(htons(pluto_port), &ifp->addr);
526 return fd;
527 }
528 #endif
529
530 static void
531 process_raw_ifaces(struct raw_iface *rifaces)
532 {
533 struct raw_iface *ifp;
534
535 /* Find all virtual/real interface pairs.
536 * For each real interface...
537 */
538 for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
539 {
540 struct raw_iface *v = NULL; /* matching ipsecX interface */
541 struct raw_iface fake_v;
542 bool after = FALSE; /* has vfp passed ifp on the list? */
543 bool bad = FALSE;
544 struct raw_iface *vfp;
545
546 /* ignore if virtual (ipsec*) interface */
547 if (strncmp(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
548 continue;
549
550 for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
551 {
552 if (vfp == ifp)
553 {
554 after = TRUE;
555 }
556 else if (sameaddr(&ifp->addr, &vfp->addr))
557 {
558 /* Different entries with matching IP addresses.
559 * Many interesting cases.
560 */
561 if (strncmp(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
562 {
563 if (v != NULL && !streq(v->name, vfp->name))
564 {
565 loglog(RC_LOG_SERIOUS
566 , "ipsec interfaces %s and %s share same address %s"
567 , v->name, vfp->name, ip_str(&ifp->addr));
568 bad = TRUE;
569 }
570 else
571 {
572 v = vfp; /* current winner */
573 }
574 }
575 else
576 {
577 /* ugh: a second real interface with the same IP address
578 * "after" allows us to avoid double reporting.
579 */
580 #if defined(linux) && defined(KERNEL26_SUPPORT)
581 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
582 {
583 if (after)
584 {
585 bad = TRUE;
586 break;
587 }
588 continue;
589 }
590 #endif
591 if (after)
592 {
593 loglog(RC_LOG_SERIOUS
594 , "IP interfaces %s and %s share address %s!"
595 , ifp->name, vfp->name, ip_str(&ifp->addr));
596 }
597 bad = TRUE;
598 }
599 }
600 }
601
602 if (bad)
603 continue;
604
605 #if defined(linux) && defined(KERNEL26_SUPPORT)
606 if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
607 {
608 v = ifp;
609 goto add_entry;
610 }
611 #endif
612
613 /* what if we didn't find a virtual interface? */
614 if (v == NULL)
615 {
616 if (no_klips)
617 {
618 /* kludge for testing: invent a virtual device */
619 static const char fvp[] = "virtual";
620 fake_v = *ifp;
621 passert(sizeof(fake_v.name) > sizeof(fvp));
622 strcpy(fake_v.name, fvp);
623 addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
624 , sizeof(fake_v.name) - (sizeof(fvp) - 1));
625 v = &fake_v;
626 }
627 else
628 {
629 DBG(DBG_CONTROL,
630 DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
631 , ifp->name, ip_str(&ifp->addr)));
632 continue;
633 }
634 }
635
636 /* We've got all we need; see if this is a new thing:
637 * search old interfaces list.
638 */
639 #if defined(linux) && defined(KERNEL26_SUPPORT)
640 add_entry:
641 #endif
642 {
643 struct iface **p = &interfaces;
644
645 for (;;)
646 {
647 struct iface *q = *p;
648
649 /* search is over if at end of list */
650 if (q == NULL)
651 {
652 /* matches nothing -- create a new entry */
653 int fd = create_socket(ifp, v->name, pluto_port);
654
655 if (fd < 0)
656 break;
657
658 if (nat_traversal_support_non_ike
659 && addrtypeof(&ifp->addr) == AF_INET)
660 {
661 nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
662 }
663
664 q = alloc_thing(struct iface, "struct iface");
665 q->rname = clone_str(ifp->name, "real device name");
666 q->vname = clone_str(v->name, "virtual device name");
667 q->addr = ifp->addr;
668 q->fd = fd;
669 q->next = interfaces;
670 q->change = IFN_ADD;
671 interfaces = q;
672 plog("adding interface %s/%s %s:%d"
673 , q->vname, q->rname, ip_str(&q->addr), pluto_port);
674
675 if (nat_traversal_support_port_floating
676 && addrtypeof(&ifp->addr) == AF_INET)
677 {
678 fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
679 if (fd < 0)
680 break;
681 nat_traversal_espinudp_socket(fd,
682 ESPINUDP_WITH_NON_ESP);
683 q = alloc_thing(struct iface, "struct iface");
684 q->rname = clone_str(ifp->name, "real device name");
685 q->vname = clone_str(v->name, "virtual device name");
686 q->addr = ifp->addr;
687 setportof(htons(NAT_T_IKE_FLOAT_PORT), &q->addr);
688 q->fd = fd;
689 q->next = interfaces;
690 q->change = IFN_ADD;
691 q->ike_float = TRUE;
692 interfaces = q;
693 plog("adding interface %s/%s %s:%d",
694 q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
695 }
696 break;
697 }
698
699 /* search over if matching old entry found */
700 if (streq(q->rname, ifp->name)
701 && streq(q->vname, v->name)
702 && sameaddr(&q->addr, &ifp->addr))
703 {
704 /* matches -- rejuvinate old entry */
705 q->change = IFN_KEEP;
706
707 /* look for other interfaces to keep (due to NAT-T) */
708 for (q = q->next ; q ; q = q->next)
709 {
710 if (streq(q->rname, ifp->name)
711 && streq(q->vname, v->name)
712 && sameaddr(&q->addr, &ifp->addr))
713 {
714 q->change = IFN_KEEP;
715 }
716 }
717 break;
718 }
719
720 /* try again */
721 p = &q->next;
722 } /* for (;;) */
723 }
724 }
725
726 /* delete the raw interfaces list */
727 while (rifaces != NULL)
728 {
729 struct raw_iface *t = rifaces;
730
731 rifaces = t->next;
732 pfree(t);
733 }
734 }
735
736 void
737 find_ifaces(void)
738 {
739 mark_ifaces_dead();
740 process_raw_ifaces(find_raw_ifaces4());
741 process_raw_ifaces(find_raw_ifaces6());
742
743 free_dead_ifaces(); /* ditch remaining old entries */
744
745 if (interfaces == NULL)
746 loglog(RC_LOG_SERIOUS, "no public interfaces found");
747 }
748
749 void
750 show_ifaces_status(void)
751 {
752 struct iface *p;
753
754 for (p = interfaces; p != NULL; p = p->next)
755 whack_log(RC_COMMENT, "interface %s/%s %s:%d"
756 , p->vname, p->rname, ip_str(&p->addr), ntohs(portof(&p->addr)));
757 }
758
759 void
760 show_debug_status(void)
761 {
762 #ifdef DEBUG
763 whack_log(RC_COMMENT, "debug %s"
764 , bitnamesof(debug_bit_names, cur_debugging));
765 #endif
766 }
767
768 static volatile sig_atomic_t sighupflag = FALSE;
769
770 static void
771 huphandler(int sig UNUSED)
772 {
773 sighupflag = TRUE;
774 }
775
776 static volatile sig_atomic_t sigtermflag = FALSE;
777
778 static void
779 termhandler(int sig UNUSED)
780 {
781 sigtermflag = TRUE;
782 }
783
784 /* call_server listens for incoming ISAKMP packets and Whack messages,
785 * and handles timer events.
786 */
787 void
788 call_server(void)
789 {
790 struct iface *ifp;
791
792 /* catch SIGHUP and SIGTERM */
793 {
794 int r;
795 struct sigaction act;
796
797 act.sa_handler = &huphandler;
798 sigemptyset(&act.sa_mask);
799 act.sa_flags = 0; /* no SA_ONESHOT, no SA_RESTART, no nothing */
800 r = sigaction(SIGHUP, &act, NULL);
801 passert(r == 0);
802
803 act.sa_handler = &termhandler;
804 r = sigaction(SIGTERM, &act, NULL);
805 passert(r == 0);
806 }
807
808 for (;;)
809 {
810 fd_set readfds;
811 fd_set writefds;
812 int ndes;
813
814 /* wait for next interesting thing */
815
816 for (;;)
817 {
818 long next_time = next_event(); /* time to any pending timer event */
819 int maxfd = ctl_fd;
820
821 if (sigtermflag)
822 exit_pluto(0);
823
824 if (sighupflag)
825 {
826 /* Ignorant folks think poking any daemon with SIGHUP
827 * is polite. We catch it and tell them otherwise.
828 * There is one use: unsticking a hung recvfrom.
829 * This sticking happens sometimes -- kernel bug?
830 */
831 sighupflag = FALSE;
832 plog("Pluto ignores SIGHUP -- perhaps you want \"whack --listen\"");
833 }
834
835 FD_ZERO(&readfds);
836 FD_ZERO(&writefds);
837 FD_SET(ctl_fd, &readfds);
838
839 /* the only write file-descriptor of interest */
840 if (adns_qfd != NULL_FD && unsent_ADNS_queries)
841 {
842 if (maxfd < adns_qfd)
843 maxfd = adns_qfd;
844 FD_SET(adns_qfd, &writefds);
845 }
846
847 if (adns_afd != NULL_FD)
848 {
849 if (maxfd < adns_afd)
850 maxfd = adns_afd;
851 FD_SET(adns_afd, &readfds);
852 }
853
854 #ifdef KLIPS
855 if (!no_klips)
856 {
857 int fd = *kernel_ops->async_fdp;
858
859 if (kernel_ops->process_queue)
860 kernel_ops->process_queue();
861 if (maxfd < fd)
862 maxfd = fd;
863 passert(!FD_ISSET(fd, &readfds));
864 FD_SET(fd, &readfds);
865 }
866 #endif
867
868 if (listening)
869 {
870 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
871 {
872 if (maxfd < ifp->fd)
873 maxfd = ifp->fd;
874 passert(!FD_ISSET(ifp->fd, &readfds));
875 FD_SET(ifp->fd, &readfds);
876 }
877 }
878
879 if (next_time == -1)
880 {
881 /* select without timer */
882
883 ndes = select(maxfd + 1, &readfds, &writefds, NULL, NULL);
884 }
885 else if (next_time == 0)
886 {
887 /* timer without select: there is a timer event pending,
888 * and it should fire now so don't bother to do the select.
889 */
890 ndes = 0; /* signify timer expiration */
891 }
892 else
893 {
894 /* select with timer */
895
896 struct timeval tm;
897
898 tm.tv_sec = next_time;
899 tm.tv_usec = 0;
900 ndes = select(maxfd + 1, &readfds, &writefds, NULL, &tm);
901 }
902
903 if (ndes != -1)
904 break; /* success */
905
906 if (errno != EINTR)
907 exit_log_errno((e, "select() failed in call_server()"));
908
909 /* retry if terminated by signal */
910 }
911
912 /* figure out what is interesting */
913
914 if (ndes == 0)
915 {
916 /* timer event */
917
918 DBG(DBG_CONTROL,
919 DBG_log(BLANK_FORMAT);
920 DBG_log("*time to handle event"));
921
922 handle_timer_event();
923 passert(GLOBALS_ARE_RESET());
924 }
925 else
926 {
927 /* at least one file descriptor is ready */
928
929 if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
930 {
931 passert(ndes > 0);
932 send_unsent_ADNS_queries();
933 passert(GLOBALS_ARE_RESET());
934 ndes--;
935 }
936
937 if (adns_afd != NULL_FD && FD_ISSET(adns_afd, &readfds))
938 {
939 passert(ndes > 0);
940 DBG(DBG_CONTROL,
941 DBG_log(BLANK_FORMAT);
942 DBG_log("*received adns message"));
943 handle_adns_answer();
944 passert(GLOBALS_ARE_RESET());
945 ndes--;
946 }
947
948 #ifdef KLIPS
949 if (!no_klips && FD_ISSET(*kernel_ops->async_fdp, &readfds))
950 {
951 passert(ndes > 0);
952 DBG(DBG_CONTROL,
953 DBG_log(BLANK_FORMAT);
954 DBG_log("*received kernel message"));
955 kernel_ops->process_msg();
956 passert(GLOBALS_ARE_RESET());
957 ndes--;
958 }
959 #endif
960
961 for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
962 {
963 if (FD_ISSET(ifp->fd, &readfds))
964 {
965 /* comm_handle will print DBG_CONTROL intro,
966 * with more info than we have here.
967 */
968
969 passert(ndes > 0);
970 comm_handle(ifp);
971 passert(GLOBALS_ARE_RESET());
972 ndes--;
973 }
974 }
975
976 if (FD_ISSET(ctl_fd, &readfds))
977 {
978 passert(ndes > 0);
979 DBG(DBG_CONTROL,
980 DBG_log(BLANK_FORMAT);
981 DBG_log("*received whack message"));
982 whack_handle(ctl_fd);
983 passert(GLOBALS_ARE_RESET());
984 ndes--;
985 }
986
987 passert(ndes == 0);
988 }
989 }
990 }
991
992 /*
993 * Local Variables:
994 * c-basic-offset: 4
995 * End Variables:
996 */