include Makefile.inc
# directories visited by all recursion
-SUBDIRS=lib programs linux
+SUBDIRS=lib src linux
# declaration for make's benefit
.PHONY: programs install clean distclean \
-IPSECVERSION=2.7.0
+IPSECVERSION=4.0.0
+++ /dev/null
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.8 2006/04/17 11:04:45 as Exp $
-
-FREESWANSRCDIR=..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-SUBDIRS=pluto _copyright _updown _updown_espmark ipsec starter openac scepclient
-
-ifeq ($(USE_IKEV2),true)
-SUBDIRS+=charon
-endif
-
-def:
- @echo "Please read doc/intro.html or INSTALL before running make"
- @false
-
-# programs
-
-cleanall distclean mostlyclean realclean install programs checkprograms check clean spotless install_file_list:
- @for d in $(SUBDIRS) ; \
- do \
- (cd $$d && $(MAKE) FREESWANSRCDIR=$(FREESWANSRCDIR)/.. $@ ) || exit 1;\
- done; \
-
+++ /dev/null
-
-include ${FREESWANSRCDIR}/Makefile.ver
-
-CFLAGS+=$(USERCOMPILE) -I${KLIPSINC}
-
-CFLAGS+= -Wall
-#CFLAGS+= -Wconversion
-#CFLAGS+= -Wmissing-prototypes
-CFLAGS+= -Wpointer-arith
-CFLAGS+= -Wcast-qual
-#CFLAGS+= -Wmissing-declarations
-CFLAGS+= -Wstrict-prototypes
-#CFLAGS+= -pedantic
-#CFLAGS+= -W
-#CFLAGS+= -Wwrite-strings
-CFLAGS+= -Wbad-function-cast
-
-# die if there are any warnings
-ifndef WERROR
-WERROR:= -Werror
-endif
-
-#CFLAGS+= ${WERROR}
-
-ifneq ($(LD_LIBRARY_PATH),)
-LDFLAGS=-L$(LD_LIBRARY_PATH)
-endif
-
-MANDIR8=$(MANTREE)/man8
-MANDIR5=$(MANTREE)/man5
-
-ifndef PROGRAMDIR
-PROGRAMDIR=${LIBEXECDIR}
-endif
-
-ifndef MANPROGPREFIX
-MANPROGPREFIX=ipsec_
-endif
-
-ifndef CONFDSUBDIR
-CONFDSUBDIR=.
-endif
-
-all: $(PROGRAM)
-
-programs: all
-
-ifneq ($(PROGRAM),check)
-check: $(PROGRAM)
-endif
-
-
-ifneq ($(NOINSTALL),true)
-
-install:: $(PROGRAM) $(CONFFILES) $(EXTRA8MAN) $(EXTRA5MAN) $(EXTRA5PROC) $(LIBFILES) $(CONFDFILES)
- @mkdir -p $(PROGRAMDIR) $(MANDIR8) $(MANDIR5) $(LIBDIR) $(CONFDIR) $(CONFDDIR) $(CONFDDIR)/$(CONFDSUBDIR) $(EXAMPLECONFDIR)
- @if [ -n "$(PROGRAM)" ]; then $(INSTALL) $(INSTBINFLAGS) $(PROGRAM) $(PROGRAMDIR); fi
- @$(foreach f, $(addsuffix .8, $(PROGRAM)), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR8)/$(MANPROGPREFIX)$f || exit 1; \
- )
- @$(foreach f, $(EXTRA8MAN), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR8)/ipsec_$f || exit 1; \
- )
- @$(foreach f, $(EXTRA5MAN), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR5)/$f || exit 1 ;\
- )
- @$(foreach f, $(EXTRA5PROC), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR5)/ipsec_$f || exit 1 ;\
- )
- @$(foreach f, $(LIBFILES), \
- $(INSTALL) $(INSTCONFFLAGS) $f $(LIBDIR)/$f || exit 1 ;\
- )
- @$(foreach f, $(CONFFILES), \
- if [ ! -f $(CONFDIR)/$f ]; then $(INSTALL) $(INSTCONFFLAGS) $f $(CONFDIR)/$f || exit 1; fi;\
- $(INSTALL) $(INSTCONFFLAGS) $f $(EXAMPLECONFDIR)/$f-sample || exit 1; \
- )
- @$(foreach f, $(CONFDFILES), \
- if [ ! -f $(CONFDDIR)/$(CONFDSUBDIR)/$f ]; then $(INSTALL) $(INSTCONFFLAGS) $f $(CONFDDIR)/$(CONFDSUBDIR)/$f || exit 1; fi;\
- )
-
-install_file_list::
- @if [ -n "$(PROGRAM)" ]; then echo $(PROGRAMDIR)/$(PROGRAM); fi
- @$(foreach f, $(addsuffix .8, $(PROGRAM)), \
- echo $(MANDIR8)/${MANPROGPREFIX}$f; \
- )
- @$(foreach f, $(EXTRA8MAN), \
- echo $(MANDIR8)/ipsec_$f; \
- )
- @$(foreach f, $(EXTRA5MAN), \
- echo $(MANDIR5)/$f;\
- )
- @$(foreach f, $(EXTRA5PROC), \
- echo $(MANDIR5)/ipsec_$f; \
- )
- @$(foreach f, $(LIBFILES), \
- echo $(LIBDIR)/$f;\
- )
- @$(foreach f, $(CONFFILES), \
- echo $(CONFDIR)/$f;\
- echo $(EXAMPLECONFDIR)/$f-sample;\
- )
- @$(foreach f, $(CONFDFILES), \
- echo $(CONFDDIR)/${CONFDSUBDIR}/$f;\
- )
-
-endif
-
-# cancel the rule that compiles directly
-%: %.c
-
-%: %.o $(OBJS)
- $(CC) $(CFLAGS) -o $@ $@.o ${OBJS} $(LDFLAGS) $(LIBS)
-
-%: %.in ${FREESWANSRCDIR}/Makefile.inc ${FREESWANSRCDIR}/Makefile.ver
- cat $< | sed -e "s/xxx/$(IPSECVERSION)/" \
- -e "s:@IPSEC_DIR@:$(FINALBINDIR):" \
- -e "s:@IPSEC_EXECDIR@:$(FINALLIBEXECDIR):" \
- -e "s:@IPSEC_SBINDIR@:$(FINALSBINDIR):" \
- -e "s:@IPSEC_LIBDIR@:$(FINALLIBDIR):" \
- -e "s:@FINALCONFDIR@:$(FINALCONFDIR):" \
- -e "s:@EXAMPLECONFDIR@:$(EXAMPLECONFDIR):" \
- -e "s:@FINALDOCDIR@:$(FINALDOCDIR):" \
- -e "s:@FINALEXAMPLECONFDIR@:$(FINALEXAMPLECONFDIR):" \
- -e "s:@MODULE_GOO_LIST@:$(MODULE_GOO_LIST):" \
- -e "s:@IPSEC_CONFS@:$(FINALCONFDIR):" \
- -e "s:@IPSEC_CONFDDIR@:$(FINALCONFDDIR):" \
- -e "s:@USE_IPROUTE2@:$(USE_IPROUTE2):" \
- -e "s:@IPSEC_FIREWALLTYPE@:$(IPSEC_FIREWALLTYPE):" \
- | cat >$@
- if [ -x $< ]; then chmod +x $@; fi
- if [ "${PROGRAM}.in" = $< ]; then chmod +x $@; fi
-
-cleanall: clean
-
-distclean: clean
-
-mostlyclean: clean
-
-realclean: clean
-
-clean::
-ifneq ($(strip $(PROGRAM)),)
- @if [ -r $(PROGRAM).in ]; then rm -f $(PROGRAM); fi
- @if [ -r $(PROGRAM).c ]; then rm -f $(PROGRAM); fi
- @if [ -n "$(OBJS)" ]; then rm -f $(PROGRAM); fi
-endif
- @rm -f *.o
-
-checkprograms:
-
+++ /dev/null
-_copyright
+++ /dev/null
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_copyright
-PROGRAMDIR=${LIBDIR}
-LIBS=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:07 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
+++ /dev/null
-.TH _COPYRIGHT 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _copyright.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _copyright \- prints FreeSWAN copyright
-.SH DESCRIPTION
-.I _copyright
-outputs the FreeSWAN copyright, and version numbers for "ipsec --copyright"
-.SH "SEE ALSO"
-ipsec(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Michael Richardson. Program written by Henry Spencer.
-.\"
-.\" $Log: _copyright.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
+++ /dev/null
-/*
- * copyright reporter
- * (just avoids having the info in more than one place in the source)
- * Copyright (C) 2001 Henry Spencer.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: _copyright.c,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-
-#include <sys/types.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <getopt.h>
-#include <freeswan.h>
-
-char usage[] = "Usage: ipsec _copyright";
-struct option opts[] = {
- {"help", 0, NULL, 'h',},
- {"version", 0, NULL, 'v',},
- {0, 0, NULL, 0, },
-};
-
-char me[] = "ipsec _copyright"; /* for messages */
-
-int
-main(int argc, char *argv[])
-{
- int opt;
- extern int optind;
- int errflg = 0;
- const char *version = ipsec_version_code();
- const char **notice = ipsec_copyright_notice();
- const char **co;
-
- while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
- switch (opt) {
- case 'h': /* help */
- printf("%s\n", usage);
- exit(0);
- break;
- case 'v': /* version */
- printf("%s %s\n", me, version);
- exit(0);
- break;
- case '?':
- default:
- errflg = 1;
- break;
- }
- if (errflg || optind != argc) {
- fprintf(stderr, "%s\n", usage);
- exit(2);
- }
-
- for (co = notice; *co != NULL; co++)
- printf("%s\n", *co);
- exit(0);
-}
+++ /dev/null
-_updown
-_updown.in
+++ /dev/null
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_updown
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
+++ /dev/null
-.TH _UPDOWN 8 "27 Apr 2006"
-.\"
-.\" RCSID $Id: _updown.8,v 1.2 2006/04/17 06:48:49 as Exp $
-.\"
-.SH NAME
-ipsec _updown \- route and firewall manipulation script
-.SH SYNOPSIS
-.I _updown
-is invoked by pluto when it has brought up a new connection. This script
-is used to insert the appropriate routing entries for IPsec operation.
-It can also be used to insert and delete dynamic iptables firewall rules.
-The interface to the script is documented in the pluto man page.
-.SH "SEE ALSO"
-ipsec(8), ipsec_pluto(8).
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Original program written by Henry Spencer. Extended
-for the Linux strongSwan project <http://www.strongswan.org/> by Andreas
-Steffen.
+++ /dev/null
-#! /bin/sh
-# iproute2 version, default updown script
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _updown.in,v 1.2 2006/04/17 15:06:29 as Exp $
-
-# CAUTION: Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communicaÂ
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_REQID
-# is the requid of the ESP policy
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
-# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client subÂ
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
-#
-
-# uncomment to log VPN connections
-VPN_LOGGING=1
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice -/var/log/vpn
-#
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
- echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
- exit 2
- ;;
-1.*) ;;
-*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
- exit 2
- ;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':') # no parameters
- ;;
-iptables:iptables) # due to (left/right)firewall; for default script only
- ;;
-custom:*) # custom parameters (see above CAUTION comment)
- ;;
-*) echo "$0: unknown parameters \`$*'" >&2
- exit 2
- ;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
- parms="$PLUTO_PEER_CLIENT"
-
- parms2=
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- if [ -f /etc/sysconfig/defaultsource ]
- then
- . /etc/sysconfig/defaultsource
- fi
-
- if [ -f /etc/conf.d/defaultsource ]
- then
- . /etc/conf.d/defaultsource
- fi
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- parms3=
- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
- then
- addsource
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
-up-host:)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-host:)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-up-host:iptables)
- # connection to me, with (left/right)firewall=yes, coming up
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- #
- # log IPsec host connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-down-host:iptables)
- # connection to me, with (left/right)firewall=yes, going down
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- #
- # log IPsec host connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-up-client:iptables)
- # connection to client subnet, with (left/right)firewall=yes, coming up
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # log IPsec client connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-down-client:iptables)
- # connection to client subnet, with (left/right)firewall=yes, going down
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # log IPsec client connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-#
-# IPv6
-#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
-up-host-v6:*)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-host-v6:*)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-up-client-v6:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-client-v6:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
+++ /dev/null
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2005/04/07 21:34:19 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_updown_espmark
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
+++ /dev/null
-.TH _UPDOWN_ESPMARK 8 "7 Apr 2005"
-.\"
-.\" RCSID $Id: _updown_espmark.8,v 1.1 2005/04/07 21:34:19 as Exp $
-.\"
-.SH NAME
-ipsec _updown_espmark \- manages routes and firewall rules
-.SH SYNOPSIS
-.I _updown_espmark
-is invoked by pluto when it has brought up a new connection. This script
-is used to insert the appropriate routing and iptables firewall entries for
-IPsec operation. The incoming ESP traffic must be marked by a static rule
-in the mangle table. The default value for the mark is 50.
-The interface to the script is documented in the pluto man page.
-.SH "SEE ALSO"
-ipsec(8), ipsec_pluto(8).
-.SH HISTORY
-Man page written for the Linux strongSwan project <http://www.strongswan.org/>
-by Andreas Steffen. Original program written by Henry Spencer.
+++ /dev/null
-#! /bin/sh
-# iproute2 version, default updown script
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005 Andreas Steffen <andreas.steffen@strongsec.com>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _updown_espmark.in,v 1.4 2005/09/14 14:33:05 as Exp $
-
-
-
-# CAUTION: Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# FreeS/WAN use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-#
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communicaÂ
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
-# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client subÂ
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
-#
-
-# logging of VPN connections
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice -/var/log/vpn
-#
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
- echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
- exit 2
- ;;
-1.*) ;;
-*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
- exit 2
- ;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':') # no parameters
- ;;
-ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
- ;;
-custom:*) # custom parameters (see above CAUTION comment)
- ;;
-*) echo "$0: unknown parameters \`$*'" >&2
- exit 2
- ;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
- parms="$PLUTO_PEER_CLIENT"
-
- parms2=
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- if [ -f /etc/sysconfig/defaultsource ]
- then
- . /etc/sysconfig/defaultsource
- fi
-
- if [ -f /etc/conf.d/defaultsource ]
- then
- . /etc/conf.d/defaultsource
- fi
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- parms3=
- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
- then
- addsource
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# define ESP mark
-ESP_MARK=50
-
-# add the following static rule to the INPUT chain in the mangle table
-# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
-
-# NAT traversal via UDP encapsulation is supported with the rule
-# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
-
-# in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- CHECK_MARK=""
-else
- CHECK_MARK="-m mark --mark $ESP_MARK"
-fi
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
-up-host:*)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- #
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- ;;
-down-host:*)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- #
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- ;;
-up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
- $CHECK_MARK -j ACCEPT
- #
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- ;;
-down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
- $CHECK_MARK -j ACCEPT
- #
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- ;;
-up-client:ipfwadm)
- # connection to client subnet, with (left/right)firewall=yes, coming up
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
- -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
- ;;
-down-client:ipfwadm)
- # connection to client subnet, with (left/right)firewall=yes, going down
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
- -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
- ;;
-#
-# IPv6
-#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
-up-host-v6:*)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-host-v6:*)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-up-client-v6:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-client-v6:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
+++ /dev/null
-# Doxyfile 1.4.1-KDevelop
-
-#---------------------------------------------------------------------------
-# Project related configuration options
-#---------------------------------------------------------------------------
-PROJECT_NAME = "charon"
-PROJECT_NUMBER = 1.0
-OUTPUT_DIRECTORY = doc/api
-CREATE_SUBDIRS = NO
-OUTPUT_LANGUAGE = English
-USE_WINDOWS_ENCODING = NO
-BRIEF_MEMBER_DESC = YES
-REPEAT_BRIEF = YES
-ABBREVIATE_BRIEF =
-ALWAYS_DETAILED_SEC = NO
-INLINE_INHERITED_MEMB = NO
-FULL_PATH_NAMES = YES
-STRIP_FROM_PATH =
-STRIP_FROM_INC_PATH =
-SHORT_NAMES = NO
-JAVADOC_AUTOBRIEF = YES
-MULTILINE_CPP_IS_BRIEF = NO
-DETAILS_AT_TOP = YES
-INHERIT_DOCS = YES
-DISTRIBUTE_GROUP_DOC = NO
-TAB_SIZE = 1
-ALIASES =
-OPTIMIZE_OUTPUT_FOR_C = NO
-OPTIMIZE_OUTPUT_JAVA = NO
-SUBGROUPING = YES
-#---------------------------------------------------------------------------
-# Build related configuration options
-#---------------------------------------------------------------------------
-EXTRACT_ALL = NO
-EXTRACT_PRIVATE = NO
-EXTRACT_STATIC = NO
-EXTRACT_LOCAL_CLASSES = NO
-EXTRACT_LOCAL_METHODS = NO
-HIDE_UNDOC_MEMBERS = NO
-HIDE_UNDOC_CLASSES = NO
-HIDE_FRIEND_COMPOUNDS = NO
-HIDE_IN_BODY_DOCS = NO
-INTERNAL_DOCS = NO
-CASE_SENSE_NAMES = YES
-HIDE_SCOPE_NAMES = NO
-SHOW_INCLUDE_FILES = YES
-INLINE_INFO = YES
-SORT_MEMBER_DOCS = YES
-SORT_BRIEF_DOCS = NO
-SORT_BY_SCOPE_NAME = NO
-GENERATE_TODOLIST = YES
-GENERATE_TESTLIST = NO
-GENERATE_BUGLIST = YES
-GENERATE_DEPRECATEDLIST = YES
-ENABLED_SECTIONS =
-MAX_INITIALIZER_LINES = 30
-SHOW_USED_FILES = YES
-SHOW_DIRECTORIES = NO
-FILE_VERSION_FILTER =
-#---------------------------------------------------------------------------
-# configuration options related to warning and progress messages
-#---------------------------------------------------------------------------
-QUIET = NO
-WARNINGS = YES
-WARN_IF_UNDOCUMENTED = YES
-WARN_IF_DOC_ERROR = YES
-WARN_NO_PARAMDOC = NO
-WARN_FORMAT = "$file:$line: $text"
-WARN_LOGFILE =
-#---------------------------------------------------------------------------
-# configuration options related to the input files
-#---------------------------------------------------------------------------
-INPUT = ./
-FILE_PATTERNS = *.h *.txt
-RECURSIVE = YES
-EXCLUDE =
-EXCLUDE_SYMLINKS = NO
-EXCLUDE_PATTERNS =
-EXAMPLE_PATH =
-EXAMPLE_PATTERNS =
-EXAMPLE_RECURSIVE = NO
-IMAGE_PATH =
-INPUT_FILTER =
-FILTER_PATTERNS =
-FILTER_SOURCE_FILES = NO
-#---------------------------------------------------------------------------
-# configuration options related to source browsing
-#---------------------------------------------------------------------------
-SOURCE_BROWSER = NO
-INLINE_SOURCES = NO
-STRIP_CODE_COMMENTS = NO
-REFERENCED_BY_RELATION = NO
-REFERENCES_RELATION = NO
-VERBATIM_HEADERS = YES
-#---------------------------------------------------------------------------
-# configuration options related to the alphabetical class index
-#---------------------------------------------------------------------------
-ALPHABETICAL_INDEX = NO
-COLS_IN_ALPHA_INDEX = 5
-IGNORE_PREFIX =
-#---------------------------------------------------------------------------
-# configuration options related to the HTML output
-#---------------------------------------------------------------------------
-GENERATE_HTML = YES
-HTML_OUTPUT = .
-HTML_FILE_EXTENSION = .html
-HTML_HEADER =
-HTML_FOOTER =
-HTML_STYLESHEET =
-HTML_ALIGN_MEMBERS = YES
-GENERATE_HTMLHELP = NO
-CHM_FILE =
-HHC_LOCATION =
-GENERATE_CHI = NO
-BINARY_TOC = NO
-TOC_EXPAND = NO
-DISABLE_INDEX = YES
-ENUM_VALUES_PER_LINE = 1
-GENERATE_TREEVIEW = YES
-TREEVIEW_WIDTH = 250
-#---------------------------------------------------------------------------
-# configuration options related to the LaTeX output
-#---------------------------------------------------------------------------
-GENERATE_LATEX = NO
-LATEX_OUTPUT = latex
-LATEX_CMD_NAME = latex
-MAKEINDEX_CMD_NAME = makeindex
-COMPACT_LATEX = NO
-PAPER_TYPE = a4wide
-EXTRA_PACKAGES =
-LATEX_HEADER =
-PDF_HYPERLINKS = NO
-USE_PDFLATEX = NO
-LATEX_BATCHMODE = NO
-LATEX_HIDE_INDICES = NO
-#---------------------------------------------------------------------------
-# configuration options related to the RTF output
-#---------------------------------------------------------------------------
-GENERATE_RTF = NO
-RTF_OUTPUT = rtf
-COMPACT_RTF = NO
-RTF_HYPERLINKS = NO
-RTF_STYLESHEET_FILE =
-RTF_EXTENSIONS_FILE =
-#---------------------------------------------------------------------------
-# configuration options related to the man page output
-#---------------------------------------------------------------------------
-GENERATE_MAN = NO
-MAN_OUTPUT = man
-MAN_EXTENSION = .3
-MAN_LINKS = YES
-#---------------------------------------------------------------------------
-# configuration options related to the XML output
-#---------------------------------------------------------------------------
-GENERATE_XML = NO
-XML_OUTPUT = xml
-XML_SCHEMA =
-XML_DTD =
-XML_PROGRAMLISTING = YES
-#---------------------------------------------------------------------------
-# configuration options for the AutoGen Definitions output
-#---------------------------------------------------------------------------
-GENERATE_AUTOGEN_DEF = NO
-#---------------------------------------------------------------------------
-# configuration options related to the Perl module output
-#---------------------------------------------------------------------------
-GENERATE_PERLMOD = NO
-PERLMOD_LATEX = NO
-PERLMOD_PRETTY = YES
-PERLMOD_MAKEVAR_PREFIX =
-#---------------------------------------------------------------------------
-# Configuration options related to the preprocessor
-#---------------------------------------------------------------------------
-ENABLE_PREPROCESSING = YES
-MACRO_EXPANSION = YES
-EXPAND_ONLY_PREDEF = NO
-SEARCH_INCLUDES = YES
-INCLUDE_PATH =
-INCLUDE_FILE_PATTERNS =
-PREDEFINED = LEAK_DETECTIVE
-EXPAND_AS_DEFINED =
-SKIP_FUNCTION_MACROS = YES
-#---------------------------------------------------------------------------
-# Configuration::additions related to external references
-#---------------------------------------------------------------------------
-TAGFILES =
-GENERATE_TAGFILE =
-ALLEXTERNALS = NO
-EXTERNAL_GROUPS = YES
-PERL_PATH = /usr/bin/perl
-#---------------------------------------------------------------------------
-# Configuration options related to the dot tool
-#---------------------------------------------------------------------------
-CLASS_DIAGRAMS = YES
-HIDE_UNDOC_RELATIONS = YES
-HAVE_DOT = NO
-CLASS_GRAPH = YES
-COLLABORATION_GRAPH = YES
-GROUP_GRAPHS = YES
-UML_LOOK = NO
-TEMPLATE_RELATIONS = NO
-INCLUDE_GRAPH = YES
-INCLUDED_BY_GRAPH = YES
-CALL_GRAPH = NO
-GRAPHICAL_HIERARCHY = YES
-DIRECTORY_GRAPH = YES
-DOT_IMAGE_FORMAT = png
-DOT_PATH =
-DOTFILE_DIRS =
-MAX_DOT_GRAPH_WIDTH = 1024
-MAX_DOT_GRAPH_HEIGHT = 1024
-MAX_DOT_GRAPH_DEPTH = 0
-DOT_TRANSPARENT = NO
-DOT_MULTI_TARGETS = NO
-GENERATE_LEGEND = YES
-DOT_CLEANUP = YES
-#---------------------------------------------------------------------------
-# Configuration::additions related to the search engine
-#---------------------------------------------------------------------------
-SEARCHENGINE = NO
+++ /dev/null
-# Copyright (C) 2005 Jan Hutter, Martin Willi
-# Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-
-FREESWANSRCDIR=../..
-# include strongswan Makefile, if charon sits in its tree
-ifeq ($(shell ls $(FREESWANSRCDIR)/Makefile.inc 2>&1), ../../Makefile.inc)
- include ${FREESWANSRCDIR}/Makefile.inc
-else
-# Defaults if not using strongswan defines
- USE_LEAK_DETECTIVE?=false
- INSTALL=install
- INSTBINFLAGS=-b --suffix=.old
- LIBEXECDIR=/usr/local/libexec/ipsec
- SHAREDLIBDIR=/usr/local/lib
-endif
-
-
-BUILD_DIR= ./bin/
-
-BINNAMECHARON= $(BUILD_DIR)charon
-BINNAMESTROKE= $(BUILD_DIR)stroke
-BINNAMETEST= $(BUILD_DIR)run_tests
-BINNAMELIB= $(BUILD_DIR)libstrongswan.so
-
-MAIN_DIR= ./
-
-CFLAGS= -Icharon -Ilib -Istroke -fPIC -Wall -g
-ifeq ($(USE_LEAK_DETECTIVE),true)
- CFLAGS+= -DLEAK_DETECTIVE
-endif
-
-# objects is extended by each included Makefile
-CHARON_OBJS=
-LIB_OBJS=
-TEST_OBJS=
-
-all : programs
-
-include $(MAIN_DIR)charon/Makefile.charon
-include $(MAIN_DIR)lib/Makefile.lib
-include $(MAIN_DIR)stroke/Makefile.stroke
-include $(MAIN_DIR)testing/Makefile.testcases
-
-programs : $(BINNAMECHARON) $(BINNAMESTROKE)
-
-test : $(BINNAMETEST)
- LD_LIBRARY_PATH=$(BUILD_DIR) $(BINNAMETEST)
-
-run : $(BINNAMECHARON)
- LD_LIBRARY_PATH=$(BUILD_DIR) $(BINNAMECHARON)
-
-apidoc :
- doxygen Doxyfile
-
-build_dir:
- mkdir -p $(BUILD_DIR)
-
-$(BINNAMELIB) : build_dir $(LIB_OBJS)
- $(CC) -lpthread -ldl -lgmp -shared $(LIB_OBJS) -o $@
-
-$(BINNAMECHARON) : build_dir $(CHARON_OBJS) $(BINNAMELIB) $(BUILD_DIR)daemon.o
- $(CC) -L./bin -lstrongswan $(CHARON_OBJS) $(BUILD_DIR)daemon.o -o $@
-
-$(BINNAMETEST) : build_dir $(CHARON_OBJS) $(TEST_OBJS) $(BINNAMELIB) $(BUILD_DIR)testcases.o
- $(CC) -L./bin -lstrongswan $(LDFLAGS) $(CHARON_OBJS) $(TEST_OBJS) $(BUILD_DIR)testcases.o -o $@
-
-$(BINNAMESTROKE) : build_dir $(BINNAMELIB) $(BUILD_DIR)stroke.o
- $(CC) $(LDFLAGS) $(CFLAGS) $(BUILD_DIR)stroke.o -o $@
-
-install : $(BINNAMECHARON) $(BINNAMESTROKE)
- $(INSTALL) $(INSTBINFLAGS) $(BINNAMECHARON) $(BINNAMESTROKE) $(LIBEXECDIR)
- $(INSTALL) $(INSTBINFLAGS) $(BINNAMELIB) $(SHAREDLIBDIR)
-
-install_file_list:
- @echo $(LIBEXECDIR)/charon
- @echo $(LIBEXECDIR)/stroke
- @echo $(SHAREDLIBDIR)/libstrongswan.so
-
-clean :
- rm -fR $(BUILD_DIR)
-
-cleanall: clean
-
-distclean: clean
-
-mostlyclean: clean
-
-realclean: clean
+++ /dev/null
-<?xml version = '1.0'?>
-<kdevelop>
- <general>
- <author>Martin Willi</author>
- <email>martin@strongswan.org</email>
- <version>$VERSION$</version>
- <projectmanagement>KDevCustomProject</projectmanagement>
- <primarylanguage>C</primarylanguage>
- <ignoreparts/>
- </general>
- <kdevcustomproject>
- <run>
- <mainprogram>Source</mainprogram>
- <directoryradio>executable</directoryradio>
- </run>
- <general>
- <activedir/>
- </general>
- </kdevcustomproject>
- <kdevdebugger>
- <general>
- <dbgshell/>
- </general>
- </kdevdebugger>
- <kdevdoctreeview>
- <ignoretocs>
- <toc>ada</toc>
- <toc>ada_bugs_gcc</toc>
- <toc>bash</toc>
- <toc>bash_bugs</toc>
- <toc>clanlib</toc>
- <toc>fortran_bugs_gcc</toc>
- <toc>gnome1</toc>
- <toc>gnustep</toc>
- <toc>gtk</toc>
- <toc>gtk_bugs</toc>
- <toc>haskell</toc>
- <toc>haskell_bugs_ghc</toc>
- <toc>java_bugs_gcc</toc>
- <toc>java_bugs_sun</toc>
- <toc>kde2book</toc>
- <toc>libstdc++</toc>
- <toc>opengl</toc>
- <toc>pascal_bugs_fp</toc>
- <toc>php</toc>
- <toc>php_bugs</toc>
- <toc>perl</toc>
- <toc>perl_bugs</toc>
- <toc>python</toc>
- <toc>python_bugs</toc>
- <toc>qt-kdev3</toc>
- <toc>ruby</toc>
- <toc>ruby_bugs</toc>
- <toc>sdl</toc>
- <toc>stl</toc>
- <toc>sw</toc>
- <toc>w3c-dom-level2-html</toc>
- <toc>w3c-svg</toc>
- <toc>w3c-uaag10</toc>
- <toc>wxwidgets_bugs</toc>
- </ignoretocs>
- <ignoreqt_xml>
- <toc>Guide to the Qt Translation Tools</toc>
- <toc>Qt Assistant Manual</toc>
- <toc>Qt Designer Manual</toc>
- <toc>Qt Reference Documentation</toc>
- <toc>qmake User Guide</toc>
- </ignoreqt_xml>
- <ignoredoxygen>
- <toc>KDE Libraries (Doxygen)</toc>
- </ignoredoxygen>
- </kdevdoctreeview>
- <kdevfilecreate>
- <filetypes/>
- <useglobaltypes>
- <type ext="c" />
- <type ext="h" />
- </useglobaltypes>
- </kdevfilecreate>
- <kdevcppsupport>
- <references/>
- <codecompletion>
- <includeGlobalFunctions>true</includeGlobalFunctions>
- <includeTypes>true</includeTypes>
- <includeEnums>true</includeEnums>
- <includeTypedefs>false</includeTypedefs>
- <automaticCodeCompletion>true</automaticCodeCompletion>
- <automaticArgumentsHint>true</automaticArgumentsHint>
- <automaticHeaderCompletion>true</automaticHeaderCompletion>
- <codeCompletionDelay>250</codeCompletionDelay>
- <argumentsHintDelay>400</argumentsHintDelay>
- <headerCompletionDelay>250</headerCompletionDelay>
- </codecompletion>
- </kdevcppsupport>
- <kdevfileview>
- <groups>
- <hidenonprojectfiles>false</hidenonprojectfiles>
- <hidenonlocation>false</hidenonlocation>
- </groups>
- <tree>
- <hidepatterns>*.o,*.lo,CVS</hidepatterns>
- <hidenonprojectfiles>false</hidenonprojectfiles>
- </tree>
- </kdevfileview>
-</kdevelop>
+++ /dev/null
-# Copyright (C) 2006 Martin Willi
-# Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-CHARON_DIR= $(MAIN_DIR)charon/
-
-$(BUILD_DIR)daemon.o : $(CHARON_DIR)daemon.c $(CHARON_DIR)daemon.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-
-include $(CHARON_DIR)network/Makefile.network
-include $(CHARON_DIR)config/Makefile.config
-include $(CHARON_DIR)encoding/Makefile.encoding
-include $(CHARON_DIR)queues/Makefile.queues
-include $(CHARON_DIR)sa/Makefile.sa
-include $(CHARON_DIR)threads/Makefile.threads
\ No newline at end of file
+++ /dev/null
-# Copyright (C) 2005 Jan Hutter, Martin Willi
-# Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-
-CONFIG_DIR= $(CHARON_DIR)config/
-
-
-CHARON_OBJS+= $(BUILD_DIR)traffic_selector.o
-$(BUILD_DIR)traffic_selector.o : $(CONFIG_DIR)traffic_selector.c $(CONFIG_DIR)traffic_selector.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-CHARON_OBJS+= $(BUILD_DIR)proposal.o
-$(BUILD_DIR)proposal.o : $(CONFIG_DIR)proposal.c $(CONFIG_DIR)proposal.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-CHARON_OBJS+= $(BUILD_DIR)configuration.o
-$(BUILD_DIR)configuration.o : $(CONFIG_DIR)configuration.c $(CONFIG_DIR)configuration.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-include $(CONFIG_DIR)connections/Makefile.connections
-include $(CONFIG_DIR)credentials/Makefile.credentials
-include $(CONFIG_DIR)policies/Makefile.policies
\ No newline at end of file
+++ /dev/null
-/**
- * @file configuration.c
- *
- * @brief Implementation of configuration_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-
-#include "configuration.h"
-
-#include <types.h>
-
-/**
- * First retransmit timeout in milliseconds.
- * Timeout value is increasing in each retransmit round.
- */
-#define RETRANSMIT_TIMEOUT 3000
-
-/**
- * Timeout in milliseconds after that a half open IKE_SA gets deleted.
- */
-#define HALF_OPEN_IKE_SA_TIMEOUT 30000
-
-/**
- * Max retransmit count.
- * 0 for infinite. The max time a half open IKE_SA is alive is set by
- * RETRANSMIT_TIMEOUT.
- */
-#define MAX_RETRANSMIT_COUNT 0
-
-
-typedef struct private_configuration_t private_configuration_t;
-
-/**
- * Private data of an configuration_t object.
- */
-struct private_configuration_t {
-
- /**
- * Public part of configuration_t object.
- */
- configuration_t public;
-
-};
-
-/**
- * Implementation of configuration_t.get_retransmit_timeout.
- */
-static status_t get_retransmit_timeout (private_configuration_t *this, u_int32_t retransmit_count, u_int32_t *timeout)
-{
- int new_timeout = RETRANSMIT_TIMEOUT, i;
- if (retransmit_count > MAX_RETRANSMIT_COUNT && MAX_RETRANSMIT_COUNT != 0)
- {
- return FAILED;
- }
-
- for (i = 0; i < retransmit_count; i++)
- {
- new_timeout *= 2;
- }
-
- *timeout = new_timeout;
-
- return SUCCESS;
-}
-
-/**
- * Implementation of configuration_t.get_half_open_ike_sa_timeout.
- */
-static u_int32_t get_half_open_ike_sa_timeout (private_configuration_t *this)
-{
- return HALF_OPEN_IKE_SA_TIMEOUT;
-}
-
-/**
- * Implementation of configuration_t.destroy.
- */
-static void destroy(private_configuration_t *this)
-{
- free(this);
-}
-
-/*
- * Described in header-file
- */
-configuration_t *configuration_create()
-{
- private_configuration_t *this = malloc_thing(private_configuration_t);
-
- /* public functions */
- this->public.destroy = (void(*)(configuration_t*))destroy;
- this->public.get_retransmit_timeout = (status_t (*) (configuration_t *, u_int32_t retransmit_count, u_int32_t *timeout))get_retransmit_timeout;
- this->public.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_t *)) get_half_open_ike_sa_timeout;
-
- return (&this->public);
-}
+++ /dev/null
-/**
- * @file configuration.h
- *
- * @brief Interface configuration_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef CONFIGURATION_H_
-#define CONFIGURATION_H_
-
-#include <types.h>
-
-
-typedef struct configuration_t configuration_t;
-
-/**
- * @brief The interface for various daemon related configs.
- *
- * @b Constructors:
- * - configuration_create()
- *
- * @ingroup config
- */
-struct configuration_t {
-
- /**
- * @brief Returns the retransmit timeout.
- *
- * The timeout values are managed by the configuration, so
- * another backoff algorithm may be implemented here.
- *
- * @param this calling object
- * @param retransmit_count number of times a message was retransmitted so far
- * @param[out] timeout the new retransmit timeout in milliseconds
- *
- * @return
- * - FAILED, if the message should not be retransmitted
- * - SUCCESS
- */
- status_t (*get_retransmit_timeout) (configuration_t *this, u_int32_t retransmit_count, u_int32_t *timeout);
-
- /**
- * @brief Returns the timeout for an half open IKE_SA in ms.
- *
- * Half open means that the IKE_SA is still in one of the following states:
- * - INITIATOR_INIT
- * - RESPONDER_INIT
- * - IKE_SA_INIT_REQUESTED
- * - IKE_SA_INIT_RESPONDED
- * - IKE_AUTH_REQUESTED
- *
- * @param this calling object
- * @return timeout in milliseconds (ms)
- */
- u_int32_t (*get_half_open_ike_sa_timeout) (configuration_t *this);
-
- /**
- * @brief Destroys a configuration_t object.
- *
- * @param this calling object
- */
- void (*destroy) (configuration_t *this);
-};
-
-/**
- * @brief Creates a configuration backend.
- *
- * @return static_configuration_t object
- *
- * @ingroup config
- */
-configuration_t *configuration_create();
-
-#endif /*CONFIGURATION_H_*/
+++ /dev/null
-# Copyright (C) 2006 Martin Willi
-# Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-
-CONNECTIONS_DIR= $(CONFIG_DIR)connections/
-
-
-CHARON_OBJS+= $(BUILD_DIR)connection.o
-$(BUILD_DIR)connection.o : $(CONNECTIONS_DIR)connection.c $(CONNECTIONS_DIR)connection.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-CHARON_OBJS+= $(BUILD_DIR)local_connection_store.o
-$(BUILD_DIR)local_connection_store.o : $(CONNECTIONS_DIR)local_connection_store.c $(CONNECTIONS_DIR)local_connection_store.h
- $(CC) $(CFLAGS) -c -o $@ $<
\ No newline at end of file
+++ /dev/null
-/**
- * @file connection.c
- *
- * @brief Implementation of connection_t.
- *
- */
-
-/*
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "connection.h"
-
-#include <utils/linked_list.h>
-#include <utils/logger.h>
-
-/**
- * String mappings for auth_method_t.
- */
-mapping_t auth_method_m[] = {
- {RSA_DIGITAL_SIGNATURE, "RSA"},
- {SHARED_KEY_MESSAGE_INTEGRITY_CODE, "SHARED_KEY"},
- {DSS_DIGITAL_SIGNATURE, "DSS"},
- {MAPPING_END, NULL}
-};
-
-
-typedef struct private_connection_t private_connection_t;
-
-/**
- * Private data of an connection_t object
- */
-struct private_connection_t {
-
- /**
- * Public part
- */
- connection_t public;
-
- /**
- * Name of the connection
- */
- char *name;
-
- /**
- * ID of us
- */
- identification_t *my_id;
-
- /**
- * ID of remote peer
- */
- identification_t *other_id;
-
- /**
- * Host information of my host.
- */
- host_t *my_host;
-
- /**
- * Host information of other host.
- */
- host_t *other_host;
-
- /**
- * Method to use for own authentication data
- */
- auth_method_t auth_method;
-
- /**
- * Supported proposals
- */
- linked_list_t *proposals;
-};
-
-/**
- * Implementation of connection_t.get_name.
- */
-static char *get_name (private_connection_t *this)
-{
- return this->name;
-}
-
-/**
- * Implementation of connection_t.get_my_id.
- */
-static identification_t *get_my_id (private_connection_t *this)
-{
- return this->my_id;
-}
-
-/**
- * Implementation of connection_t.get_other_id.
- */
-static identification_t *get_other_id(private_connection_t *this)
-{
- return this->other_id;
-}
-
-/**
- * Implementation of connection_t.update_my_id
- */
-static void update_my_id(private_connection_t *this, identification_t *my_id)
-{
- this->my_id->destroy(this->my_id);
- this->my_id = my_id;
-}
-
-/**
- * Implementation of connection_t.update_other_id
- */
-static void update_other_id(private_connection_t *this, identification_t *other_id)
-{
- this->other_id->destroy(this->other_id);
- this->other_id = other_id;
-}
-
-/**
- * Implementation of connection_t.get_my_host.
- */
-static host_t * get_my_host (private_connection_t *this)
-{
- return this->my_host;
-}
-
-/**
- * Implementation of connection_t.update_my_host.
- */
-static void update_my_host(private_connection_t *this, host_t *my_host)
-{
- this->my_host->destroy(this->my_host);
- this->my_host = my_host;
-}
-
-/**
- * Implementation of connection_t.update_other_host.
- */
-static void update_other_host(private_connection_t *this, host_t *other_host)
-{
- this->other_host->destroy(this->other_host);
- this->other_host = other_host;
-}
-
-/**
- * Implementation of connection_t.get_other_host.
- */
-static host_t * get_other_host (private_connection_t *this)
-{
- return this->other_host;
-}
-
-/**
- * Implementation of connection_t.get_proposals.
- */
-static linked_list_t* get_proposals (private_connection_t *this)
-{
- return this->proposals;
-}
-
-/**
- * Implementation of connection_t.select_proposal.
- */
-static proposal_t *select_proposal(private_connection_t *this, linked_list_t *proposals)
-{
- iterator_t *stored_iter, *supplied_iter;
- proposal_t *stored, *supplied, *selected;
-
- stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
- supplied_iter = proposals->create_iterator(proposals, TRUE);
-
- /* compare all stored proposals with all supplied. Stored ones are preferred. */
- while (stored_iter->has_next(stored_iter))
- {
- supplied_iter->reset(supplied_iter);
- stored_iter->current(stored_iter, (void**)&stored);
-
- while (supplied_iter->has_next(supplied_iter))
- {
- supplied_iter->current(supplied_iter, (void**)&supplied);
- selected = stored->select(stored, supplied);
- if (selected)
- {
- /* they match, return */
- stored_iter->destroy(stored_iter);
- supplied_iter->destroy(supplied_iter);
- return selected;
- }
- }
- }
-
- /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
- stored_iter->destroy(stored_iter);
- supplied_iter->destroy(supplied_iter);
-
- return NULL;
-}
-
-/**
- * Implementation of connection_t.add_proposal.
- */
-static void add_proposal (private_connection_t *this, proposal_t *proposal)
-{
- this->proposals->insert_last(this->proposals, proposal);
-}
-
-/**
- * Implementation of connection_t.auth_method_t.
- */
-static auth_method_t get_auth_method(private_connection_t *this)
-{
- return this->auth_method;
-}
-
-/**
- * Implementation of connection_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_connection_t *this)
-{
- iterator_t *iterator;
- proposal_t *proposal;
- algorithm_t *algo;
-
- iterator = this->proposals->create_iterator(this->proposals, TRUE);
- while (iterator->has_next(iterator))
- {
- iterator->current(iterator, (void**)&proposal);
- proposal->get_algorithm(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, &algo);
- if (algo)
- {
- iterator->destroy(iterator);
- return algo->algorithm;
- }
- }
- iterator->destroy(iterator);
- return MODP_UNDEFINED;
-}
-
-/**
- * Implementation of connection_t.check_dh_group.
- */
-static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh_group)
-{
- iterator_t *prop_iter, *alg_iter;
- proposal_t *proposal;
- algorithm_t *algo;
-
- prop_iter = this->proposals->create_iterator(this->proposals, TRUE);
- while (prop_iter->has_next(prop_iter))
- {
- prop_iter->current(prop_iter, (void**)&proposal);
- alg_iter = proposal->create_algorithm_iterator(proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP);
- while (alg_iter->has_next(alg_iter))
- {
- alg_iter->current(alg_iter, (void**)&algo);
- if (algo->algorithm == dh_group)
- {
- prop_iter->destroy(prop_iter);
- alg_iter->destroy(alg_iter);
- return TRUE;
- }
- }
- }
- prop_iter->destroy(prop_iter);
- alg_iter->destroy(alg_iter);
- return FALSE;
-}
-
-/**
- * Implementation of connection_t.clone.
- */
-static connection_t *clone(private_connection_t *this)
-{
- iterator_t *iterator;
- proposal_t *proposal;
- private_connection_t *clone = (private_connection_t*)connection_create(
- this->name,
- this->my_host->clone(this->my_host),
- this->other_host->clone(this->other_host),
- this->my_id->clone(this->my_id),
- this->other_id->clone(this->other_id),
- this->auth_method);
-
- /* clone all proposals */
- iterator = this->proposals->create_iterator(this->proposals, TRUE);
- while (iterator->has_next(iterator))
- {
- iterator->current(iterator, (void**)&proposal);
- proposal = proposal->clone(proposal);
- clone->proposals->insert_last(clone->proposals, (void*)proposal);
- }
- iterator->destroy(iterator);
-
- return &clone->public;
-}
-
-/**
- * Implementation of connection_t.destroy.
- */
-static void destroy (private_connection_t *this)
-{
- proposal_t *proposal;
-
- while (this->proposals->remove_last(this->proposals, (void**)&proposal) == SUCCESS)
- {
- proposal->destroy(proposal);
- }
- this->proposals->destroy(this->proposals);
-
- this->my_host->destroy(this->my_host);
- this->other_host->destroy(this->other_host);
- this->my_id->destroy(this->my_id);
- this->other_id->destroy(this->other_id);
- free(this->name);
- free(this);
-}
-
-/**
- * Described in header.
- */
-connection_t * connection_create(char *name, host_t *my_host, host_t *other_host, identification_t *my_id, identification_t *other_id, auth_method_t auth_method)
-{
- private_connection_t *this = malloc_thing(private_connection_t);
-
- /* public functions */
- this->public.get_name = (char*(*)(connection_t*))get_name;
- this->public.get_my_id = (identification_t*(*)(connection_t*))get_my_id;
- this->public.get_other_id = (identification_t*(*)(connection_t*))get_other_id;
- this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host;
- this->public.update_my_host = (void(*)(connection_t*,host_t*))update_my_host;
- this->public.update_other_host = (void(*)(connection_t*,host_t*))update_other_host;
- this->public.update_my_id = (void(*)(connection_t*,identification_t*))update_my_id;
- this->public.update_other_id = (void(*)(connection_t*,identification_t*))update_other_id;
- this->public.get_other_host = (host_t*(*)(connection_t*))get_other_host;
- this->public.get_proposals = (linked_list_t*(*)(connection_t*))get_proposals;
- this->public.select_proposal = (proposal_t*(*)(connection_t*,linked_list_t*))select_proposal;
- this->public.add_proposal = (void(*)(connection_t*, proposal_t*)) add_proposal;
- this->public.get_auth_method = (auth_method_t(*)(connection_t*)) get_auth_method;
- this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group;
- this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group;
- this->public.clone = (connection_t*(*)(connection_t*))clone;
- this->public.destroy = (void(*)(connection_t*))destroy;
-
- /* private variables */
- this->name = strdup(name);
- this->my_host = my_host;
- this->other_host = other_host;
- this->my_id = my_id;
- this->other_id = other_id;
- this->auth_method = auth_method;
-
- this->proposals = linked_list_create();
-
- return (&this->public);
-}
+++ /dev/null
-/**
- * @file connection.h
- *
- * @brief Interface of connection_t.
- *
- */
-
-/*
- * Copyright (C) 2005 Jan Hutter, Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef CONNECTION_H_
-#define CONNECTION_H_
-
-#include <types.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-#include <config/proposal.h>
-#include <crypto/diffie_hellman.h>
-
-
-typedef enum auth_method_t auth_method_t;
-
-/**
- * AUTH Method to use.
- *
- * @ingroup config
- */
-enum auth_method_t {
- /**
- * Computed as specified in section 2.15 of RFC using
- * an RSA private key over a PKCS#1 padded hash.
- */
- RSA_DIGITAL_SIGNATURE = 1,
-
- /**
- * Computed as specified in section 2.15 of RFC using the
- * shared key associated with the identity in the ID payload
- * and the negotiated prf function
- */
- SHARED_KEY_MESSAGE_INTEGRITY_CODE = 2,
-
- /**
- * Computed as specified in section 2.15 of RFC using a
- * DSS private key over a SHA-1 hash.
- */
- DSS_DIGITAL_SIGNATURE = 3,
-};
-
-/**
- * string mappings for auth method.
- *
- * @ingroup config
- */
-extern mapping_t auth_method_m[];
-
-
-typedef struct connection_t connection_t;
-
-/**
- * @brief A connection_t defines the rules to set up an IKE_SA.
- *
- *
- * @b Constructors:
- * - connection_create()
- *
- * @ingroup config
- */
-struct connection_t {
-
- /**
- * @brief Get my ID for this connection.
- *
- * Object is NOT getting cloned.
- *
- * @param this calling object
- * @return host information as identification_t object
- */
- identification_t *(*get_my_id) (connection_t *this);
-
- /**
- * @brief Get others ID for this connection.
- *
- * Object is NOT getting cloned.
- *
- * @param this calling object
- * @return host information as identification_t object
- */
- identification_t *(*get_other_id) (connection_t *this);
-
- /**
- * @brief Get my address as host_t object.
- *
- * Object is NOT getting cloned.
- *
- * @param this calling object
- * @return host information as host_t object
- */
- host_t *(*get_my_host) (connection_t *this);
-
- /**
- * @brief Get others address as host_t object.
- *
- * Object is NOT getting cloned.
- *
- * @param this calling object
- * @return host information as host_t object
- */
- host_t *(*get_other_host) (connection_t *this);
-
- /**
- * @brief Update address of my host.
- *
- * It may be necessary to uptdate own address, as it
- * is set to the default route (0.0.0.0) in some cases.
- * Old host is destroyed, new one NOT cloned.
- *
- * @param this calling object
- * @param my_host new host to set as my_host
- */
- void (*update_my_host) (connection_t *this, host_t *my_host);
-
- /**
- * @brief Update address of remote host.
- *
- * It may be necessary to uptdate remote address, as a
- * connection may define %any (0.0.0.0) or a subnet.
- * Old host is destroyed, new one NOT cloned.
- *
- * @param this calling object
- * @param my_host new host to set as other_host
- */
- void (*update_other_host) (connection_t *this, host_t *other_host);
-
- /**
- * @brief Update own ID.
- *
- * It may be necessary to uptdate own ID, as it
- * is set to %any or to e.g. *@strongswan.org in
- * some cases.
- * Old ID is destroyed, new one NOT cloned.
- *
- * @param this calling object
- * @param my_id new ID to set as my_id
- */
- void (*update_my_id) (connection_t *this, identification_t *my_id);
-
- /**
- * @brief Update others ID.
- *
- * It may be necessary to uptdate others ID, as it
- * is set to %any or to e.g. *@strongswan.org in
- * some cases.
- * Old ID is destroyed, new one NOT cloned.
- *
- * @param this calling object
- * @param other_id new ID to set as other_id
- */
- void (*update_other_id) (connection_t *this, identification_t *other_id);
-
- /**
- * @brief Returns a list of all supported proposals.
- *
- * Returned list is still owned by connection and MUST NOT
- * modified or destroyed.
- *
- * @param this calling object
- * @return list containing all the proposals
- */
- linked_list_t *(*get_proposals) (connection_t *this);
-
- /**
- * @brief Adds a proposal to the list.
- *
- * The first added proposal has the highest priority, the last
- * added the lowest.
- *
- * @param this calling object
- * @param proposal proposal to add
- */
- void (*add_proposal) (connection_t *this, proposal_t *proposal);
-
- /**
- * @brief Select a proposed from suggested proposals.
- *
- * Returned proposal must be destroyed after usage.
- *
- * @param this calling object
- * @param proposals list of proposals to select from
- * @return selected proposal, or NULL if none matches.
- */
- proposal_t *(*select_proposal) (connection_t *this, linked_list_t *proposals);
-
- /**
- * @brief Get the authentication method to use
- *
- * @param this calling object
- * @return authentication method
- */
- auth_method_t (*get_auth_method) (connection_t *this);
-
- /**
- * @brief Get the connection name.
- *
- * Name must not be freed, since it points to
- * internal data.
- *
- * @param this calling object
- * @return name of the connection
- */
- char* (*get_name) (connection_t *this);
-
- /**
- * @brief Get the DH group to use for connection initialization.
- *
- * @param this calling object
- * @return dh group to use for initialization
- */
- diffie_hellman_group_t (*get_dh_group) (connection_t *this);
-
- /**
- * @brief Check if a suggested dh group is acceptable.
- *
- * If we guess a wrong DH group for IKE_SA_INIT, the other
- * peer will send us a offer. But is this acceptable for us?
- *
- * @param this calling object
- * @return TRUE if group acceptable
- */
- bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group);
-
- /**
- * @brief Clone a connection_t object.
- *
- * @param this connection to clone
- * @return clone of it
- */
- connection_t *(*clone) (connection_t *this);
-
- /**
- * @brief Destroys a connection_t object.
- *
- * @param this calling object
- */
- void (*destroy) (connection_t *this);
-};
-
-/**
- * @brief Creates a connection_t object.
- *
- * Supplied hosts/IDs become owned by connection, so
- * do not modify or destroy them after a call to
- * connection_create(). Name gets cloned internally.
- *
- * @param name connection identifier
- * @param my_host host_t representing local address
- * @param other_host host_t representing remote address
- * @param my_id identification_t for me
- * @param other_id identification_t for other
- * @param auth_method Authentication method to use for our(!) auth data
- * @return connection_t object.
- *
- * @ingroup config
- */
-connection_t * connection_create(char *name,
- host_t *my_host, host_t *other_host,
- identification_t *my_id,
- identification_t *other_id,
- auth_method_t auth_method);
-
-#endif /* CONNECTION_H_ */
+++ /dev/null
-/**
- * @file connection_store.h
- *
- * @brief Interface connection_store_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef CONNECTION_STORE_H_
-#define CONNECTION_STORE_H_
-
-#include <types.h>
-#include <config/connections/connection.h>
-
-
-typedef struct connection_store_t connection_store_t;
-
-/**
- * @brief The interface for a store of connection_t's.
- *
- * @b Constructors:
- * - stroke_create()
- *
- * @ingroup config
- */
-struct connection_store_t {
-
- /**
- * @brief Returns a connection definition identified by two IDs.
- *
- * This call is useful to get a connection which is identified by IDs
- * rather than addresses, e.g. for connection setup on user request.
- * The returned connection gets created/cloned and therefore must
- * be destroyed after usage.
- *
- * @param this calling object
- * @param my_id own ID of connection
- * @param other_id others ID of connection
- * @return
- * - connection_t, if found
- * - NULL otherwise
- */
- connection_t *(*get_connection_by_ids) (connection_store_t *this, identification_t *my_id, identification_t *other_id);
-
- /**
- * @brief Returns a connection definition identified by two hosts.
- *
- * This call is usefull to get a connection identified by addresses.
- * It may be used after kernel request for traffic protection.
- * The returned connection gets created/cloned and therefore must
- * be destroyed after usage.
- *
- * @param this calling object
- * @param my_id own address of connection
- * @param other_id others address of connection
- * @return
- * - connection_t, if found
- * - NULL otherwise
- */
- connection_t *(*get_connection_by_hosts) (connection_store_t *this, host_t *my_host, host_t *other_host);
-
- /**
- * @brief Returns a connection identified by its name.
- *
- * This call is usefull to get a connection identified its
- * name, as on an connection setup.
- *
- * @param this calling object
- * @param name name of the connection to get
- * @return
- * - connection_t, if found
- * - NULL otherwise
- */
- connection_t *(*get_connection_by_name) (connection_store_t *this, char *name);
-
- /**
- * @brief Add a connection to the store.
- *
- * After a successful call, the connection is owned by the store and may
- * not be manipulated nor destroyed.
- *
- * @param this calling object
- * @param connection connection to add
- * @return
- * - SUCCESS, or
- * - FAILED
- */
- status_t (*add_connection) (connection_store_t *this, connection_t *connection);
-
- /**
- * @brief Destroys a connection_store_t object.
- *
- * @param this calling object
- */
- void (*destroy) (connection_store_t *this);
-};
-
-#endif /* CONNECTION_STORE_H_ */
+++ /dev/null
-/**
- * @file local_connection_store.c
- *
- * @brief Implementation of local_connection_store_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "local_connection_store.h"
-
-#include <utils/linked_list.h>
-#include <utils/logger_manager.h>
-
-
-typedef struct private_local_connection_store_t private_local_connection_store_t;
-
-/**
- * Private data of an local_connection_store_t object
- */
-struct private_local_connection_store_t {
-
- /**
- * Public part
- */
- local_connection_store_t public;
-
- /**
- * stored connection
- */
- linked_list_t *connections;
-
- /**
- * Assigned logger
- */
- logger_t *logger;
-};
-
-
-/**
- * Implementation of connection_store_t.get_connection_by_hosts.
- */
-static connection_t *get_connection_by_hosts(private_local_connection_store_t *this, host_t *my_host, host_t *other_host)
-{
- iterator_t *iterator;
- connection_t *current, *found = NULL;
-
- this->logger->log(this->logger, CONTROL|LEVEL1, "getting config for hosts %s - %s",
- my_host->get_address(my_host), other_host->get_address(other_host));
-
- iterator = this->connections->create_iterator(this->connections, TRUE);
- while (iterator->has_next(iterator))
- {
- host_t *config_my_host, *config_other_host;
- &n