pluto: Removed no_klips flag (--noklips option).
authorTobias Brunner <tobias@strongswan.org>
Mon, 16 Aug 2010 13:53:56 +0000 (15:53 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 2 Sep 2010 17:04:24 +0000 (19:04 +0200)
src/pluto/connections.c
src/pluto/kernel.c
src/pluto/kernel.h
src/pluto/kernel_pfkey.c
src/pluto/pluto.8
src/pluto/plutomain.c
src/pluto/server.c

index 83a24b6..6924b0d 100644 (file)
@@ -536,7 +536,7 @@ void check_orientations(void)
                                for (hp = host_pairs; hp != NULL; hp = hp->next)
                                {
                                        if (sameaddr(&hp->him.addr, &i->addr)
-                                       && (!no_klips || hp->him.port == pluto_port))
+                                               && hp->him.port == pluto_port)
                                        {
                                                /* bad news: the whole chain of connections
                                                 * hanging off this host pair has both sides
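Review bot: The surviving condition `&& hp->him.port == pluto_port)` at L20 is now indented one tab deeper than the `if (` it continues, whereas the removed line kept the operator aligned with the `if`; the same shift appears at L29 and L38 in `orient()`, and `could_route()` at L207-L208 uses yet another variant (a space followed by tabs). Picking one continuation style for the whole commit would help, and aligning the `&&` with the opening `if (` as the removed lines did is the least disruptive choice since the rest of these files already reads that way. The bodies of `check_orientations` and `orient` both continue outside their hunks.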
@@ -1884,7 +1884,7 @@ bool orient(connection_t *c)
                                {
                                        /* check if this interface matches this end */
                                        if (sameaddr(&sr->this.host_addr, &p->addr)
-                                       && (!no_klips || sr->this.host_port == pluto_port))
+                                               && sr->this.host_port == pluto_port)
                                        {
                                                if (oriented(*c))
                                                {
@@ -1903,7 +1903,7 @@ bool orient(connection_t *c)
 
                                        /* done with this interface if it doesn't match that end */
                                        if (!(sameaddr(&sr->that.host_addr, &p->addr)
-                                       && (!no_klips || sr->that.host_port == pluto_port)))
+                                               && sr->that.host_port == pluto_port))
                                                break;
 
                                        /* swap ends and try again.
index 56fbf77..5918f99 100644 (file)
@@ -142,8 +142,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
 static void set_text_said(char *text_said, const ip_address *dst,
                                                  ipsec_spi_t spi, int proto);
 
-bool no_klips = FALSE;  /* don't actually use KLIPS */
-
 /**
  * Default IPsec SA config (e.g. to install trap policies).
  */
@@ -526,85 +524,82 @@ static bool do_command(connection_t *c, struct spd_route *sr,
        DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
                , verb, verb_suffix, cmd));
 
-       if (!no_klips)
+       /* invoke the script, catching stderr and stdout
+        * It may be of concern that some file descriptors will
+        * be inherited.  For the ones under our control, we
+        * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
+        * Any used by library routines (perhaps the resolver or syslog)
+        * will remain.
+        */
+       FILE *f = popen(cmd, "r");
+
+       if (f == NULL)
        {
-               /* invoke the script, catching stderr and stdout
-                * It may be of concern that some file descriptors will
-                * be inherited.  For the ones under our control, we
-                * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
-                * Any used by library routines (perhaps the resolver or syslog)
-                * will remain.
-                */
-               FILE *f = popen(cmd, "r");
+               loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
+               return FALSE;
+       }
 
-               if (f == NULL)
-               {
-                       loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
-                       return FALSE;
-               }
+       /* log any output */
+       for (;;)
+       {
+               /* if response doesn't fit in this buffer, it will be folded */
+               char resp[256];
 
-               /* log any output */
-               for (;;)
+               if (fgets(resp, sizeof(resp), f) == NULL)
                {
-                       /* if response doesn't fit in this buffer, it will be folded */
-                       char resp[256];
-
-                       if (fgets(resp, sizeof(resp), f) == NULL)
+                       if (ferror(f))
                        {
-                               if (ferror(f))
-                               {
-                                       log_errno((e, "fgets failed on output of %s%s command"
-                                               , verb, verb_suffix));
-                                       return FALSE;
-                               }
-                               else
-                               {
-                                       passert(feof(f));
-                                       break;
-                               }
+                               log_errno((e, "fgets failed on output of %s%s command"
+                                       , verb, verb_suffix));
+                               return FALSE;
                        }
                        else
                        {
-                               char *e = resp + strlen(resp);
-
-                               if (e > resp && e[-1] == '\n')
-                                       e[-1] = '\0';       /* trim trailing '\n' */
-                               plog("%s%s output: %s", verb, verb_suffix, resp);
+                               passert(feof(f));
+                               break;
                        }
                }
-
-               /* report on and react to return code */
+               else
                {
-                       int r = pclose(f);
+                       char *e = resp + strlen(resp);
 
-                       if (r == -1)
-                       {
-                               log_errno((e, "pclose failed for %s%s command"
-                                       , verb, verb_suffix));
-                               return FALSE;
-                       }
-                       else if (WIFEXITED(r))
-                       {
-                               if (WEXITSTATUS(r) != 0)
-                               {
-                                       loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
-                                               , verb, verb_suffix, WEXITSTATUS(r));
-                                       return FALSE;
-                               }
-                       }
-                       else if (WIFSIGNALED(r))
-                       {
-                               loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
-                                       , verb, verb_suffix, WTERMSIG(r));
-                               return FALSE;
-                       }
-                       else
+                       if (e > resp && e[-1] == '\n')
+                               e[-1] = '\0';       /* trim trailing '\n' */
+                       plog("%s%s output: %s", verb, verb_suffix, resp);
+               }
+       }
+
+       /* report on and react to return code */
+       {
+               int r = pclose(f);
+
+               if (r == -1)
+               {
+                       log_errno((e, "pclose failed for %s%s command"
+                               , verb, verb_suffix));
+                       return FALSE;
+               }
+               else if (WIFEXITED(r))
+               {
+                       if (WEXITSTATUS(r) != 0)
                        {
-                               loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
-                                       , verb, verb_suffix, r);
+                               loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
+                                       , verb, verb_suffix, WEXITSTATUS(r));
                                return FALSE;
                        }
                }
+               else if (WIFSIGNALED(r))
+               {
+                       loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
+                               , verb, verb_suffix, WTERMSIG(r));
+                       return FALSE;
+               }
+               else
+               {
+                       loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
+                               , verb, verb_suffix, r);
+                       return FALSE;
+               }
        }
        return TRUE;
 }
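Review bot: The read-error path at L112-L114 returns FALSE without closing the stream that popen() opened at L64, so the pipe stays open and the child process is never reaped; after the log call the branch should read `log_errno((e, "fgets failed on output of %s%s command", verb, verb_suffix)); pclose(f); return FALSE;`. With that in place the `else` at L116 and the one at L129 can be dropped, since the preceding branches either leave the function or `break`, which flattens the loop the commit just de-indented. Because `cmd` is executed through the shell by popen(), the quoting contract for how it is built belongs next to its construction, which lies above this hunk. do_command starts outside the hunk.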
@@ -648,10 +643,9 @@ static enum routability could_route(connection_t *c)
        }
 
        /* if routing would affect IKE messages, reject */
-       if (!no_klips
-       && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
-       && c->spd.this.host_port != IKE_UDP_PORT
-       && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
+       if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
+        && c->spd.this.host_port != IKE_UDP_PORT
+        && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
        {
                loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
                return route_impossible;
index f7d3d4d..97599b0 100644 (file)
@@ -14,7 +14,6 @@
 
 #include "connections.h"
 
-extern bool no_klips;   /* don't actually use KLIPS */
 extern bool can_do_IPcomp;  /* can system actually perform IPCOMP? */
 
 /* Declare eroute things early enough for uses.
index de75eb2..77fff2f 100644 (file)
@@ -238,75 +238,71 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
                                        pfkey_msg->sadb_msg_seq, description, text_said);
                        DBG_dump(NULL, (void *) pfkey_msg, len));
 
-               if (!no_klips)
-               {
-                       ssize_t r = write(pfkeyfd, pfkey_msg, len);
+               ssize_t r = write(pfkeyfd, pfkey_msg, len);
 
-                       if (r != (ssize_t)len)
+               if (r != (ssize_t)len)
+               {
+                       if (r < 0)
                        {
-                               if (r < 0)
-                               {
-                                       log_errno((e, "pfkey write() of %s message %u for %s %s"
-                                               " failed", sparse_val_show(pfkey_type_names,
-                                               pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
-                                               description, text_said));
-                               }
-                               else
-                               {
-                                       loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
-                                               " %u for %s %s truncated: %ld instead of %ld",
-                                               sparse_val_show(pfkey_type_names,
-                                               pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
+                               log_errno((e, "pfkey write() of %s message %u for %s %s"
+                                                 " failed", sparse_val_show(pfkey_type_names,
+                                                       pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
+                                                 description, text_said));
+                       }
+                       else
+                       {
+                               loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
+                                          " %u for %s %s truncated: %ld instead of %ld",
+                                          sparse_val_show(pfkey_type_names,
+                                                       pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
                                                description, text_said, (long)r, (long)len);
-                               }
-                               success = FALSE;
+                       }
+                       success = FALSE;
 
-                               /* if we were compiled with debugging, but we haven't already
-                                * dumped the command, do so.
-                                */
+                       /* if we were compiled with debugging, but we haven't already
+                        * dumped the command, do so.
+                        */
 #ifdef DEBUG
-                               if ((cur_debugging & DBG_KERNEL) == 0)
-                                       DBG_dump(NULL, (void *) pfkey_msg, len);
+                       if ((cur_debugging & DBG_KERNEL) == 0)
+                               DBG_dump(NULL, (void *) pfkey_msg, len);
 #endif
+               }
+               else
+               {
+                       /* Check response from kernel.
+                        * It ought to be an echo, perhaps with additional info.
+                        * If the caller wants it, response will point to space.
+                        */
+                       pfkey_buf b;
+                       pfkey_buf *bp = response != NULL? response : &b;
+
+                       if (!pfkey_get_response(bp,
+                                               ((struct sadb_msg *)extensions[0])->sadb_msg_seq))
+                       {
+                               loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
+                                          " message for %s %s", sparse_val_show(pfkey_type_names,
+                                                       pfkey_msg->sadb_msg_type), description, text_said);
+                               success = FALSE;
                        }
-                       else
+                       else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
                        {
-                               /* Check response from kernel.
-                                * It ought to be an echo, perhaps with additional info.
-                                * If the caller wants it, response will point to space.
-                                */
-                               pfkey_buf b;
-                               pfkey_buf *bp = response != NULL? response : &b;
-
-                               if (!pfkey_get_response(bp,
-                                                       ((struct sadb_msg *)extensions[0])->sadb_msg_seq))
-                               {
-                                       loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
-                                               " message for %s %s", sparse_val_show(pfkey_type_names,
-                                               pfkey_msg->sadb_msg_type), description, text_said);
-                                       success = FALSE;
-                               }
-                               else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
-                               {
-                                       loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
-                                               " message for %s %s was of wrong type (%s)",
-                                               sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
-                                               description, text_said,
-                                               sparse_val_show(pfkey_type_names,
-                                               bp->msg.sadb_msg_type));
-                                       success = FALSE;
-                               }
-                               else if (response == NULL && bp->msg.sadb_msg_errno != 0)
-                               {
-                                       /* Kernel is signalling a problem */
-                                       loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
-                                               " included errno %u: %s",
-                                               sparse_val_show(pfkey_type_names,
+                               loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
+                                          " message for %s %s was of wrong type (%s)",
+                                          sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
+                                          description, text_said, sparse_val_show(pfkey_type_names,
+                                                       bp->msg.sadb_msg_type));
+                               success = FALSE;
+                       }
+                       else if (response == NULL && bp->msg.sadb_msg_errno != 0)
+                       {
+                               /* Kernel is signalling a problem */
+                               loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
+                                          " included errno %u: %s",
+                                          sparse_val_show(pfkey_type_names,
                                                        pfkey_msg->sadb_msg_type), description, text_said,
-                                               (unsigned) bp->msg.sadb_msg_errno,
-                                               strerror(bp->msg.sadb_msg_errno));
-                                       success = FALSE;
-                               }
+                                          (unsigned) bp->msg.sadb_msg_errno,
+                                          strerror(bp->msg.sadb_msg_errno));
+                               success = FALSE;
                        }
                }
        }
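Review bot: The re-indented continuation lines at L250-L252, L257-L259, L292-L293, L331-L334 and L341-L342 mix tabs with runs of spaces for alignment, while the lines the hunk left untouched (L260, L343) and the surrounding code use tabs only; re-indenting them with tabs keeps the block readable under any tab width. Separately, the branch `else if (response == NULL && bp->msg.sadb_msg_errno != 0)` at L337 means a kernel-reported errno is not logged here when the caller supplied its own response buffer, and nothing in the hunk says who checks it then; a comment such as `/* caller supplied the buffer and is expected to inspect sadb_msg_errno itself */` would make that contract explicit — the caller's duty is inferred from this branch alone, so please confirm against the callers. finish_pfkey_msg begins before this hunk and appears to continue past it.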
index 990c698..58cb150 100644 (file)
@@ -15,7 +15,6 @@ ipsec pluto
 \fIfilename\fP]
 [\-\-nofork]
 [\-\-stderrlog]
-[\-\-noklips]
 [\-\-uniqueids]
 [\fB\-\-interface\fP \fIinterfacename\fP]
 [\-\-ikeport\ \c
@@ -1264,9 +1263,6 @@ disable ``daemon fork'' (default is to fork).  In addition, after the
 lock file and control socket are created, print the line ``Pluto
 initialized'' to standard out.
 .TP
-\fB\-\-noklips\fP
-don't actually implement negotiated IPsec SAs
-.TP
 \fB\-\-uniqueids\fP
 if this option has been selected, whenever a new ISAKMP SA is
 established, any connection with the same Peer ID but a different
@@ -1277,12 +1273,6 @@ then regained at another IP address.
 \fB\-\-stderrlog\fP
 log goes to standard out {default is to use \fIsyslogd\fP(8))
 .LP
-For example
-.TP
-pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog
-.LP
-lets one test \fBpluto\fP without using the superuser account.
-.LP
 \fBpluto\fP is willing to produce a prodigious amount of debugging
 information.  To do so, it must be compiled with \-DDEBUG.  There are
 several classes of debugging output, and \fBpluto\fP may be directed to
index e4aad76..627176c 100644 (file)
@@ -96,7 +96,6 @@ static void usage(const char *mess)
                        " \\\n\t"
                        "[--nofork]"
                        " [--stderrlog]"
-                       " [--noklips]"
                        " [--nocrsend]"
                        " \\\n\t"
                        "[--strictcrlpolicy]"
@@ -300,7 +299,6 @@ int main(int argc, char **argv)
                        { "optionsfrom", required_argument, NULL, '+' },
                        { "nofork", no_argument, NULL, 'd' },
                        { "stderrlog", no_argument, NULL, 'e' },
-                       { "noklips", no_argument, NULL, 'n' },
                        { "nocrsend", no_argument, NULL, 'c' },
                        { "strictcrlpolicy", no_argument, NULL, 'r' },
                        { "crlcheckinterval", required_argument, NULL, 'x'},
@@ -402,10 +400,6 @@ int main(int argc, char **argv)
                        log_to_stderr_desired = TRUE;
                        continue;
 
-               case 'n':       /* --noklips */
-                       no_klips = TRUE;
-                       continue;
-
                case 'c':       /* --nocrsend */
                        no_cr_send = TRUE;
                        continue;
index 64697af..4d07843 100644 (file)
@@ -536,7 +536,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
        for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
        {
                struct raw_iface *v = NULL;     /* matching ipsecX interface */
-               struct raw_iface fake_v;
                bool after = FALSE; /* has vfp passed ifp on the list? */
                bool bad = FALSE;
                struct raw_iface *vfp;
@@ -611,24 +610,10 @@ process_raw_ifaces(struct raw_iface *rifaces)
                /* what if we didn't find a virtual interface? */
                if (v == NULL)
                {
-                       if (no_klips)
-                       {
-                               /* kludge for testing: invent a virtual device */
-                               static const char fvp[] = "virtual";
-                               fake_v = *ifp;
-                               passert(sizeof(fake_v.name) > sizeof(fvp));
-                               strcpy(fake_v.name, fvp);
-                               addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
-                                       , sizeof(fake_v.name) - (sizeof(fvp) - 1));
-                               v = &fake_v;
-                       }
-                       else
-                       {
-                               DBG(DBG_CONTROL,
-                                               DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
-                                                       , ifp->name, ip_str(&ifp->addr)));
-                               continue;
-                       }
+                       DBG(DBG_CONTROL,
+                               DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
+                                       , ifp->name, ip_str(&ifp->addr)));
+                       continue;
                }
 
                /* We've got all we need; see if this is a new thing: