for (hp = host_pairs; hp != NULL; hp = hp->next)
{
if (sameaddr(&hp->him.addr, &i->addr)
- && (!no_klips || hp->him.port == pluto_port))
+ && hp->him.port == pluto_port)
{
/* bad news: the whole chain of connections
* hanging off this host pair has both sides
{
/* check if this interface matches this end */
if (sameaddr(&sr->this.host_addr, &p->addr)
- && (!no_klips || sr->this.host_port == pluto_port))
+ && sr->this.host_port == pluto_port)
{
if (oriented(*c))
{
/* done with this interface if it doesn't match that end */
if (!(sameaddr(&sr->that.host_addr, &p->addr)
- && (!no_klips || sr->that.host_port == pluto_port)))
+ && sr->that.host_port == pluto_port))
break;
/* swap ends and try again.
static void set_text_said(char *text_said, const ip_address *dst,
ipsec_spi_t spi, int proto);
-bool no_klips = FALSE; /* don't actually use KLIPS */
-
/**
* Default IPsec SA config (e.g. to install trap policies).
*/
DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
, verb, verb_suffix, cmd));
- if (!no_klips)
+ /* invoke the script, catching stderr and stdout
+ * It may be of concern that some file descriptors will
+ * be inherited. For the ones under our control, we
+ * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
+ * Any used by library routines (perhaps the resolver or syslog)
+ * will remain.
+ */
+ FILE *f = popen(cmd, "r");
+
+ if (f == NULL)
{
- /* invoke the script, catching stderr and stdout
- * It may be of concern that some file descriptors will
- * be inherited. For the ones under our control, we
- * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
- * Any used by library routines (perhaps the resolver or syslog)
- * will remain.
- */
- FILE *f = popen(cmd, "r");
+ loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
+ return FALSE;
+ }
- if (f == NULL)
- {
- loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
- return FALSE;
- }
+ /* log any output */
+ for (;;)
+ {
+ /* if response doesn't fit in this buffer, it will be folded */
+ char resp[256];
- /* log any output */
- for (;;)
+ if (fgets(resp, sizeof(resp), f) == NULL)
{
- /* if response doesn't fit in this buffer, it will be folded */
- char resp[256];
-
- if (fgets(resp, sizeof(resp), f) == NULL)
+ if (ferror(f))
{
- if (ferror(f))
- {
- log_errno((e, "fgets failed on output of %s%s command"
- , verb, verb_suffix));
- return FALSE;
- }
- else
- {
- passert(feof(f));
- break;
- }
+ log_errno((e, "fgets failed on output of %s%s command"
+ , verb, verb_suffix));
+ return FALSE;
}
else
{
- char *e = resp + strlen(resp);
-
- if (e > resp && e[-1] == '\n')
- e[-1] = '\0'; /* trim trailing '\n' */
- plog("%s%s output: %s", verb, verb_suffix, resp);
+ passert(feof(f));
+ break;
}
}
-
- /* report on and react to return code */
+ else
{
- int r = pclose(f);
+ char *e = resp + strlen(resp);
- if (r == -1)
- {
- log_errno((e, "pclose failed for %s%s command"
- , verb, verb_suffix));
- return FALSE;
- }
- else if (WIFEXITED(r))
- {
- if (WEXITSTATUS(r) != 0)
- {
- loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
- , verb, verb_suffix, WEXITSTATUS(r));
- return FALSE;
- }
- }
- else if (WIFSIGNALED(r))
- {
- loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
- , verb, verb_suffix, WTERMSIG(r));
- return FALSE;
- }
- else
+ if (e > resp && e[-1] == '\n')
+ e[-1] = '\0'; /* trim trailing '\n' */
+ plog("%s%s output: %s", verb, verb_suffix, resp);
+ }
+ }
+
+ /* report on and react to return code */
+ {
+ int r = pclose(f);
+
+ if (r == -1)
+ {
+ log_errno((e, "pclose failed for %s%s command"
+ , verb, verb_suffix));
+ return FALSE;
+ }
+ else if (WIFEXITED(r))
+ {
+ if (WEXITSTATUS(r) != 0)
{
- loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
- , verb, verb_suffix, r);
+ loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
+ , verb, verb_suffix, WEXITSTATUS(r));
return FALSE;
}
}
+ else if (WIFSIGNALED(r))
+ {
+ loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
+ , verb, verb_suffix, WTERMSIG(r));
+ return FALSE;
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
+ , verb, verb_suffix, r);
+ return FALSE;
+ }
}
return TRUE;
}
}
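Review bot: The early `return FALSE;` after the `ferror(f)` check (the `log_errno((e, "fgets failed on output of %s%s command" ...` branch) leaves the stream from popen() open, so the child is never reaped with pclose() and its pipe descriptor stays allocated for the life of the daemon; each such failure leaks one fd and one zombie. The fix is one line before that return: `(void) pclose(f);`. The same stream is correctly closed on the normal path by the `int r = pclose(f);` block below. The enclosing function begins before this hunk, so how `cmd` is assembled before it reaches the shell via popen() is not visible here.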
/* if routing would affect IKE messages, reject */
- if (!no_klips
- && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
- && c->spd.this.host_port != IKE_UDP_PORT
- && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
+ if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
+ && c->spd.this.host_port != IKE_UDP_PORT
+ && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
{
loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
return route_impossible;
#include "connections.h"
-extern bool no_klips; /* don't actually use KLIPS */
extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */
/* Declare eroute things early enough for uses.
pfkey_msg->sadb_msg_seq, description, text_said);
DBG_dump(NULL, (void *) pfkey_msg, len));
- if (!no_klips)
- {
- ssize_t r = write(pfkeyfd, pfkey_msg, len);
+ ssize_t r = write(pfkeyfd, pfkey_msg, len);
- if (r != (ssize_t)len)
+ if (r != (ssize_t)len)
+ {
+ if (r < 0)
{
- if (r < 0)
- {
- log_errno((e, "pfkey write() of %s message %u for %s %s"
- " failed", sparse_val_show(pfkey_type_names,
- pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
- description, text_said));
- }
- else
- {
- loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
- " %u for %s %s truncated: %ld instead of %ld",
- sparse_val_show(pfkey_type_names,
- pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
+ log_errno((e, "pfkey write() of %s message %u for %s %s"
+ " failed", sparse_val_show(pfkey_type_names,
+ pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
+ description, text_said));
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
+ " %u for %s %s truncated: %ld instead of %ld",
+ sparse_val_show(pfkey_type_names,
+ pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
description, text_said, (long)r, (long)len);
- }
- success = FALSE;
+ }
+ success = FALSE;
- /* if we were compiled with debugging, but we haven't already
- * dumped the command, do so.
- */
+ /* if we were compiled with debugging, but we haven't already
+ * dumped the command, do so.
+ */
#ifdef DEBUG
- if ((cur_debugging & DBG_KERNEL) == 0)
- DBG_dump(NULL, (void *) pfkey_msg, len);
+ if ((cur_debugging & DBG_KERNEL) == 0)
+ DBG_dump(NULL, (void *) pfkey_msg, len);
#endif
+ }
+ else
+ {
+ /* Check response from kernel.
+ * It ought to be an echo, perhaps with additional info.
+ * If the caller wants it, response will point to space.
+ */
+ pfkey_buf b;
+ pfkey_buf *bp = response != NULL? response : &b;
+
+ if (!pfkey_get_response(bp,
+ ((struct sadb_msg *)extensions[0])->sadb_msg_seq))
+ {
+ loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
+ " message for %s %s", sparse_val_show(pfkey_type_names,
+ pfkey_msg->sadb_msg_type), description, text_said);
+ success = FALSE;
}
- else
+ else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
{
- /* Check response from kernel.
- * It ought to be an echo, perhaps with additional info.
- * If the caller wants it, response will point to space.
- */
- pfkey_buf b;
- pfkey_buf *bp = response != NULL? response : &b;
-
- if (!pfkey_get_response(bp,
- ((struct sadb_msg *)extensions[0])->sadb_msg_seq))
- {
- loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
- " message for %s %s", sparse_val_show(pfkey_type_names,
- pfkey_msg->sadb_msg_type), description, text_said);
- success = FALSE;
- }
- else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
- {
- loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
- " message for %s %s was of wrong type (%s)",
- sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
- description, text_said,
- sparse_val_show(pfkey_type_names,
- bp->msg.sadb_msg_type));
- success = FALSE;
- }
- else if (response == NULL && bp->msg.sadb_msg_errno != 0)
- {
- /* Kernel is signalling a problem */
- loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
- " included errno %u: %s",
- sparse_val_show(pfkey_type_names,
+ loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
+ " message for %s %s was of wrong type (%s)",
+ sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
+ description, text_said, sparse_val_show(pfkey_type_names,
+ bp->msg.sadb_msg_type));
+ success = FALSE;
+ }
+ else if (response == NULL && bp->msg.sadb_msg_errno != 0)
+ {
+ /* Kernel is signalling a problem */
+ loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
+ " included errno %u: %s",
+ sparse_val_show(pfkey_type_names,
pfkey_msg->sadb_msg_type), description, text_said,
- (unsigned) bp->msg.sadb_msg_errno,
- strerror(bp->msg.sadb_msg_errno));
- success = FALSE;
- }
+ (unsigned) bp->msg.sadb_msg_errno,
+ strerror(bp->msg.sadb_msg_errno));
+ success = FALSE;
}
}
}
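Review bot: A `write(pfkeyfd, pfkey_msg, len)` that returns -1 with errno EINTR is now reported as a failed write at the `log_errno((e, "pfkey write() of %s message %u for %s %s"` call and the message is abandoned, with no retry; if this socket can be interrupted by the daemon's signal handlers (not visible in the hunk), a single interrupted call makes an otherwise valid SA install fail. If that is a real path, a retry that preserves the rest of the logic is `do { r = write(pfkeyfd, pfkey_msg, len); } while (r < 0 && errno == EINTR);` in place of the bare `ssize_t r = write(...)`. The unconditional write is otherwise equivalent to the old `!no_klips` branch, and the enclosing function starts and ends outside this hunk.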
\fIfilename\fP]
[\-\-nofork]
[\-\-stderrlog]
-[\-\-noklips]
[\-\-uniqueids]
[\fB\-\-interface\fP \fIinterfacename\fP]
[\-\-ikeport\ \c
lock file and control socket are created, print the line ``Pluto
initialized'' to standard out.
.TP
-\fB\-\-noklips\fP
-don't actually implement negotiated IPsec SAs
-.TP
\fB\-\-uniqueids\fP
if this option has been selected, whenever a new ISAKMP SA is
established, any connection with the same Peer ID but a different
\fB\-\-stderrlog\fP
log goes to standard out {default is to use \fIsyslogd\fP(8))
.LP
-For example
-.TP
-pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog
-.LP
-lets one test \fBpluto\fP without using the superuser account.
-.LP
\fBpluto\fP is willing to produce a prodigious amount of debugging
information. To do so, it must be compiled with \-DDEBUG. There are
several classes of debugging output, and \fBpluto\fP may be directed to
" \\\n\t"
"[--nofork]"
" [--stderrlog]"
- " [--noklips]"
" [--nocrsend]"
" \\\n\t"
"[--strictcrlpolicy]"
{ "optionsfrom", required_argument, NULL, '+' },
{ "nofork", no_argument, NULL, 'd' },
{ "stderrlog", no_argument, NULL, 'e' },
- { "noklips", no_argument, NULL, 'n' },
{ "nocrsend", no_argument, NULL, 'c' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "crlcheckinterval", required_argument, NULL, 'x'},
log_to_stderr_desired = TRUE;
continue;
- case 'n': /* --noklips */
- no_klips = TRUE;
- continue;
-
case 'c': /* --nocrsend */
no_cr_send = TRUE;
continue;
for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
{
struct raw_iface *v = NULL; /* matching ipsecX interface */
- struct raw_iface fake_v;
bool after = FALSE; /* has vfp passed ifp on the list? */
bool bad = FALSE;
struct raw_iface *vfp;
/* what if we didn't find a virtual interface? */
if (v == NULL)
{
- if (no_klips)
- {
- /* kludge for testing: invent a virtual device */
- static const char fvp[] = "virtual";
- fake_v = *ifp;
- passert(sizeof(fake_v.name) > sizeof(fvp));
- strcpy(fake_v.name, fvp);
- addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
- , sizeof(fake_v.name) - (sizeof(fvp) - 1));
- v = &fake_v;
- }
- else
- {
- DBG(DBG_CONTROL,
- DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
- , ifp->name, ip_str(&ifp->addr)));
- continue;
- }
+ DBG(DBG_CONTROL,
+ DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
+ , ifp->name, ip_str(&ifp->addr)));
+ continue;
}
/* We've got all we need; see if this is a new thing:
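Review bot: With the "invent a virtual device" fallback gone, an IP interface that has no matching ipsec* interface is now only reported under `DBG(DBG_CONTROL, ...)`, so on a host where no ipsec* device exists at all the daemon ends up with no usable interface and, without debugging compiled in, nothing in the normal log explains why. Consider emitting the "has no matching ipsec* interface -- ignored" line via `plog` (or a `loglog(RC_LOG_SERIOUS, ...)` once the loop finds no interface at all) so the condition is visible to an operator. The enclosing loop and function extend beyond this hunk, so whether a later check already reports the empty result is not visible here.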