/**
* read %v4:x.x.x.x/y or %v6:xxxxxxxxx/yy
* or %v4:!x.x.x.x/y if dstko not NULL
*/
static bool
_read_subnet(const char *src, size_t len, ip_subnet *dst, ip_subnet *dstko,
bool *isok)
{
bool ok;
int af;
if ((len > 4) && (strncmp(src, "%v4:", 4)==0)) {
af = AF_INET;
}
else if ((len > 4) && (strncmp(src, "%v6:", 4)==0)) {
af = AF_INET6;
}
else {
return FALSE;
}
ok = (src[4] == '!') ? FALSE : TRUE;
src += ok ? 4 : 5;
len -= ok ? 4 : 5;
if (!len) return FALSE;
if ((!ok) && (!dstko)) return FALSE;
passert ( ((ok)?(dst):(dstko))!=NULL );
if (ttosubnet(src, len, af, ((ok)?(dst):(dstko)))) {
return FALSE;
}
if (isok) *isok = ok;
return TRUE;
}
int main(int argc, char *argv[])
{
pcap_network_interface *iface = NULL;
pcap_network_interface *iface2 = NULL;
struct in6_addr iface_src2;
rpl_debug *deb = new rpl_debug(true, stdout);
inet_pton(AF_INET6, "fe80::1000:ff:fe64:6423", &iface_src2);
/* now finish setting things up with netlink */
pcap_network_interface::scan_devices(deb, false);
if(argc < 2) {
printf("usage: 30-ackdao <dao1.pcap>...\n");
exit(10);
}
iface = pcap_network_interface::setup_infile_outfile("wlan0",
argv[1],
"../OUTPUTS/30-node-A-out.pcap",
deb);
struct timeval n;
n.tv_sec = 1024*1024*1024;
n.tv_usec = 1024;
iface->set_fake_time(n);
iface->set_debug(deb);
iface->set_if_index(1);
iface->set_if_addr(iface_src2);
printf("iface1[%d]: %s\n", iface->get_if_index(), iface->get_if_name());
const char *prefixstr = "2001:db8:1::/48";
ip_subnet prefix;
dag_network *dn = iface->find_or_make_dag_by_dagid("ripple");
err_t e = ttosubnet(prefixstr, strlen(prefixstr),
AF_INET6, &prefix);
dn->set_prefix(prefix);
dn->addselfprefix(iface);
dn->set_active();
dn->set_debug(deb);
printf("Processing input file1\n");
iface->process_pcap();
for(int i=2; i < argc; i++) {
iface->setup_infile(argv[i]);
printf("Processing input file%d\n", i);
iface->process_pcap();
}
exit(0);
}
int main(int argc, char *argv[])
{
ip_subnet s;
char buf[100];
char buf2[100];
const char *oops;
size_t n;
int af;
char *p;
if (argc < 2) {
fprintf(stderr, "Usage: %s [-6] addr/mask\n", argv[0]);
fprintf(stderr, " or: %s -r\n", argv[0]);
exit(2);
}
if (strcmp(argv[1], "-r") == 0) {
regress();
fprintf(stderr, "regress() returned?!?\n");
exit(1);
}
af = AF_INET;
p = argv[1];
if (strcmp(argv[1], "-6") == 0) {
af = AF_INET6;
p = argv[2];
} else if (strchr(argv[1], ':') != NULL)
af = AF_INET6;
oops = ttosubnet(p, 0, af, &s);
if (oops != NULL) {
fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
exit(1);
}
n = subnettot(&s, 0, buf, sizeof(buf));
if (n > sizeof(buf)) {
fprintf(stderr, "%s: reverse conversion of ", argv[0]);
(void) addrtot(&s.addr, 0, buf2, sizeof(buf2));
fprintf(stderr, "%s/", buf2);
fprintf(stderr, "%d", s.maskbits);
fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
(long)n, (long)sizeof(buf));
exit(1);
}
printf("%s\n", buf);
exit(0);
}
int main(int argc, char *argv[])
{
pcap_network_interface *iface = NULL;
pcap_network_interface *iface2 = NULL;
struct in6_addr iface_src2;
rpl_debug *deb = new rpl_debug(true, stderr);
inet_pton(AF_INET6, "fe80::1000:ff:fe64:6423", &iface_src2);
/* now finish setting things up with netlink */
pcap_network_interface::scan_devices(deb, false);
iface = pcap_network_interface::setup_infile_outfile("wlan0", "../INPUTS/dio-E-eth1d.pcap", "/dev/null", deb);
iface->set_debug(deb);
iface->set_if_index(1);
iface->set_if_addr(iface_src2);
iface2 = (pcap_network_interface *)network_interface::find_by_name("wlan0");
if(!iface2) {
printf("Did not find if: wlan0\n");
exit(10);
}
printf("iface1[%d]: %s\n", iface->get_if_index(), iface->get_if_name());
printf("iface2[%d]: %s\n", iface2->get_if_index(), iface2->get_if_name());
const char *prefixstr = "2001:db8:1::/48";
ip_subnet prefix;
/* must reflect DODAGID in packet */
dag_network *dn = iface->find_or_make_dag_by_instanceid(1, "ripple");
err_t e = ttosubnet(prefixstr, strlen(prefixstr),
AF_INET6, &prefix);
dn->set_prefix(prefix);
dn->set_active();
dn->set_grounded(true);
dn->set_dagrank(1);
printf("Processing input file\n");
iface->process_pcap();
exit(0);
}
/*
* To do this we need to have a dag created with a prefix,
* and this has to be attached to an interface.
*
* We create the body that ICMPv6 should send out.
*/
static void t1(rpl_debug *deb)
{
pcap_network_interface::scan_devices(deb, false);
pcap_network_interface *my_if = (pcap_network_interface *)network_interface::find_by_name("wlan0");
assert(my_if!=NULL);
dagid_t dag1name;
memset(dag1name, 0, DAGID_LEN);
dag1name[0]='T';
dag1name[1]='1';
//class dag_network dag1(dag1name);
my_if->set_pcap_out("../OUTPUTS/15-dao.pcap", DLT_EN10MB);
unsigned char buf[2048];
ip_subnet out;
/* this is who *I* am, this is what will be announced in the DAO */
ttosubnet("2001:db8::abcd:0002/128",0, AF_INET6, &out);
/* make a new dn */
class dag_network *dn1 = new dag_network(1, dag1name, deb);
dn1->set_active();
struct in6_addr announced;
int result = inet_pton(AF_INET6, "2001:db8:abcd::", &announced);
assert(result==1);
/* who announced this prefix, this is where the DAO will go. */
rpl_node announced_from("fe80::216:3eff:fe22:4455", dn1, deb);
assert(!announced_from.isself());
assert(announced_from.validP());
/* set the prefix for this network */
prefix_node pvia1(deb, announced, 64);
deb->verbose("add a prefix to the dn\n");
dn1->add_prefix(announced_from, my_if, pvia1.get_prefix());
/* build a DAO, send it. */
my_if->send_dao(announced_from, *dn1);
}
/** Read a subnet (IPv4/IPv6)
* read %v4:x.x.x.x/y or %v6:xxxxxxxxx/yy
* or %v4:!x.x.x.x/y if dstko not NULL
*
* @param src String in format (see above)
* @param len Length of src string
* @param dst IP Subnet Destination
* @param dstko IP Subnet
* @param isok Boolean
* @return bool If the format string is valid.
*/
static bool _read_subnet(const char *src, size_t len, ip_subnet *dst,
ip_subnet *dstko,
bool *isok)
{
bool ok;
int af;
/* workaround for typo "%4:" instead of "%v4:" introduced in old libreswan release*/
int offset = 0;
if ((len > 4) && (strncmp(src, "%v4:", 4) == 0)) {
af = AF_INET;
} else if ((len > 4) && (strncmp(src, "%v6:", 4) == 0)) {
af = AF_INET6;
} else if ((len > 4) && (strncmp(src, "%4:", 3) == 0)) {
af = AF_INET;
offset = -1;
loglog(RC_LOG_SERIOUS,
"fixup for bad virtual_private entry '%s', please fix your virtual_private line!",
src);
} else {
return FALSE;
}
ok = (src[4 + offset] == '!') ? FALSE : TRUE;
src += ok ? (4 + offset) : (5 + offset);
len -= ok ? (4 + offset) : (5 + offset);
if (!len)
return FALSE;
if ((!ok) && (!dstko))
return FALSE;
passert( ((ok) ? (dst) : (dstko)) != NULL );
if (ttosubnet(src, len, af, ((ok) ? (dst) : (dstko)))) {
loglog(RC_LOG_SERIOUS, "fail in ttosubnet ?");
return FALSE;
}
if (isok)
*isok = ok;
return TRUE;
}
/*
* Read a subnet (IPv4/IPv6)
* inclusion form: %v4:x.x.x.x/y or %v6:xxxxxxxxx/yy
* exclusion form: %v4:!x.x.x.x/y or %v6:xxxxxxxxx/yy
*
* @param src String in format (see above)
* @param len Length of src string
* @param dst out: IP Subnet * Destination
* @param dstexcl out: IP Subnet * for ! form (required iff ! is to be accepted)
* @param isincl out: bool * inclusive form or not
* @return bool If the format string is valid.
*/
static bool read_subnet(const char *src, size_t len,
ip_subnet *dst,
ip_subnet *dstexcl,
bool *isincl)
{
bool incl = TRUE;
int af = AF_UNSPEC; /* AF_UNSPEC means "guess from form" */
int pl = 0;
err_t ugh;
/*
* Note: len might not be sufficient for each of these strncmp calls
* but that's OK because the character in src[len] is either ',' or '\0'
* so the result will be a non-match, safely and correctly.
*/
if (startswith(src, "%v4:")) {
pl = 4;
af = AF_INET;
} else if (startswith(src, "%v6:")) {
pl = 4;
af = AF_INET6;
}
if (src[pl] == '!') {
pl++;
if (dstexcl == NULL)
return FALSE;
incl = FALSE;
}
src += pl;
len -= pl;
ugh = ttosubnet(src, len, af, incl ? dst : dstexcl);
if (ugh != NULL) {
loglog(RC_LOG_SERIOUS, "virtual-private entry not proper subnet: %s", ugh);
return FALSE;
}
if (isincl != NULL)
*isincl = incl;
return TRUE;
}
void
regress(void)
{
struct rtab *r;
int status = 0;
ip_subnet s;
char in[100];
char buf[100];
const char *oops;
size_t n;
int af;
for (r = rtab; r->input != NULL; r++) {
af = (r->family == 4) ? AF_INET : AF_INET6;
strcpy(in, r->input);
printf("Testing `%s' ... ",in);
oops = ttosubnet(in, 0, af, &s);
if (oops != NULL && r->output == NULL ) { /* Error was expected, do nothing */
printf("OK (%s)\n",oops);
}
if (oops == NULL && r->output != NULL ) { /* No error, no error expected */
printf("OK\n");
}
if (oops == NULL && r->output == NULL ) { /* If no errors, but we expected one */
printf("`%s' ttosubnet succeeded unexpectedly\n", r->input);
status = 1;
}
if (oops != NULL && r->output != NULL ) { /* Error occurred, but we didn't expect one */
printf("`%s' ttosubnet failed: %s\n", r->input, oops);
status = 1;
n = subnetporttot(&s, 0, buf, sizeof(buf));
if (n > sizeof(buf)) {
printf("`%s' subnettot failed: need %ld\n", r->input, (long)n);
} else if (strcmp(r->output, buf) != 0) {
printf("`%s' gave `%s', expected `%s'\n", r->input, buf, r->output);
}
}
}
exit(status);
}
int
main(int argc, char **argv)
{
/* int fd; */
char *endptr;
/* int ret; */
int c;
const char* error_s;
int error = 0;
char ipaddr_txt[ADDRTOT_BUF];
struct sadb_ext *extensions[K_SADB_EXT_MAX + 1];
struct sadb_msg *pfkey_msg;
ip_address pfkey_address_s_ska;
/*struct sockaddr_in pfkey_address_d_ska;*/
ip_address pfkey_address_sflow_ska;
ip_address pfkey_address_dflow_ska;
ip_address pfkey_address_smask_ska;
ip_address pfkey_address_dmask_ska;
int transport_proto = 0;
int src_port = 0;
int dst_port = 0;
ip_said said;
ip_subnet s_subnet, d_subnet;
int eroute_af = 0;
int said_af = 0;
int sa_flags=0;
int argcount = argc;
progname = argv[0];
memset(&pfkey_address_s_ska, 0, sizeof(ip_address));
memset(&pfkey_address_sflow_ska, 0, sizeof(ip_address));
memset(&pfkey_address_dflow_ska, 0, sizeof(ip_address));
memset(&pfkey_address_smask_ska, 0, sizeof(ip_address));
memset(&pfkey_address_dmask_ska, 0, sizeof(ip_address));
memset(&said, 0, sizeof(ip_said));
memset(&s_subnet, 0, sizeof(ip_subnet));
memset(&d_subnet, 0, sizeof(ip_subnet));
eroute_af_opt = said_af_opt = edst_opt = spi_opt = proto_opt = said_opt = dst_opt = src_opt = NULL;
while((c = getopt_long(argc, argv, ""/*"acdD:e:i:hprs:S:f:vl:+:g"*/, longopts, 0)) != EOF) {
switch(c) {
case 'g':
debug = 1;
pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
argcount--;
break;
case 'a':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--replacein', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_SETEROUTE;
break;
case 'A':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--replacein', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_INEROUTE;
break;
case 'r':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--replacein', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_REPLACEROUTE;
break;
case 'E':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--replacein', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_INREPLACEROUTE;
break;
case 'c':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_CLREROUTE;
break;
case 'd':
if(action_type) {
fprintf(stderr, "%s: Only one of '--add', '--addin', '--replace', '--clear', or '--del' options permitted.\n",
progname);
exit(1);
}
action_type = EMT_DELEROUTE;
break;
case 'e':
if(said_opt) {
fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit (1);
}
if(edst_opt) {
fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined as:%s\n",
progname, optarg, edst_opt);
exit (1);
}
error_s = ttoaddr(optarg, 0, said_af, &said.dst);
if(error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting --edst argument:%s\n",
progname, error_s, optarg);
exit (1);
}
edst_opt = optarg;
break;
case 'h':
case '?':
usage(progname);
exit(1);
case 's':
if(said_opt) {
fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit (1);
}
if(spi_opt) {
fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined as:%s\n",
progname, optarg, spi_opt);
exit (1);
}
said.spi = htonl(strtoul(optarg, &endptr, 0));
if(!(endptr == optarg + strlen(optarg))) {
fprintf(stderr, "%s: Invalid character in SPI parameter: %s\n",
progname, optarg);
exit (1);
}
if(ntohl(said.spi) < 0x100) {
fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than 0x100.\n",
progname, optarg, ntohl(said.spi));
exit(1);
}
spi_opt = optarg;
break;
case 'p':
if(said_opt) {
fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit (1);
}
if(proto_opt) {
fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined as:%s\n",
progname, optarg, proto_opt);
exit (1);
}
#if 0
if(said.proto) {
fprintf(stderr, "%s: Warning, PROTO parameter redefined:%s\n",
progname, optarg);
exit (1);
}
#endif
if(!strcmp(optarg, "ah"))
said.proto = SA_AH;
if(!strcmp(optarg, "esp"))
said.proto = SA_ESP;
if(!strcmp(optarg, "tun"))
said.proto = SA_IPIP;
if(!strcmp(optarg, "comp"))
said.proto = SA_COMP;
if(said.proto == 0) {
fprintf(stderr, "%s: Invalid PROTO parameter: %s\n",
progname, optarg);
exit (1);
}
proto_opt = optarg;
break;
case 'I':
if(said_opt) {
fprintf(stderr, "%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit (1);
}
if(proto_opt) {
fprintf(stderr, "%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, proto_opt);
exit (1);
}
if(edst_opt) {
fprintf(stderr, "%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, edst_opt);
exit (1);
}
if(spi_opt) {
fprintf(stderr, "%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, spi_opt);
exit (1);
}
if(said_af_opt) {
fprintf(stderr, "%s: Error, address family parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, said_af_opt);
exit (1);
}
error_s = ttosa(optarg, 0, &said);
if(error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n",
progname, error_s, optarg);
exit (1);
} else if(ntohl(said.spi) < 0x100){
fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than or equal to 0x100.\n",
progname, optarg, said.spi);
exit(1);
}
said_af = addrtypeof(&said.dst);
said_opt = optarg;
break;
case 'v':
fprintf(stdout, "%s %s\n", me, ipsec_version_code());
fprintf(stdout, "See `ipsec --copyright' for copyright information.\n");
exit(1);
case 'D':
if(dst_opt) {
fprintf(stderr, "%s: Error, --dst parameter redefined:%s, already defined as:%s\n",
progname, optarg, dst_opt);
exit (1);
}
error_s = ttosubnet(optarg, 0, eroute_af, &d_subnet);
if (error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting --dst argument: %s\n",
progname, error_s, optarg);
exit (1);
}
dst_opt = optarg;
break;
case 'S':
if(src_opt) {
fprintf(stderr, "%s: Error, --src parameter redefined:%s, already defined as:%s\n",
progname, optarg, src_opt);
exit (1);
}
error_s = ttosubnet(optarg, 0, eroute_af, &s_subnet);
if (error_s != NULL) {
fprintf(stderr, "%s: Error, %s converting --src argument: %s\n",
progname, error_s, optarg);
exit (1);
}
src_opt = optarg;
break;
case 'P':
if (transport_proto_opt) {
fprintf(stderr, "%s: Error, --transport-proto"
" parameter redefined:%s, "
"already defined as:%s\n",
progname, optarg,
transport_proto_opt);
exit(1);
}
transport_proto_opt = optarg;
break;
case 'Q':
if (src_port_opt) {
fprintf(stderr, "%s: Error, --src-port"
" parameter redefined:%s, "
"already defined as:%s\n",
progname, optarg, src_port_opt);
exit(1);
}
src_port_opt = optarg;
break;
case 'R':
if (dst_port_opt) {
fprintf(stderr, "%s: Error, --dst-port"
" parameter redefined:%s, "
"already defined as:%s\n",
progname, optarg, dst_port_opt);
exit(1);
}
dst_port_opt = optarg;
break;
case 'l':
progname = malloc(strlen(argv[0])
+ 10 /* update this when changing the sprintf() */
+ strlen(optarg));
sprintf(progname, "%s --label %s",
argv[0],
optarg);
argcount -= 2;
break;
case 'i': /* specifies the address family of the SAID, stored in said_af */
if(said_af_opt) {
fprintf(stderr, "%s: Error, address family of SAID redefined:%s, already defined as:%s\n",
progname, optarg, said_af_opt);
exit (1);
}
if(!strcmp(optarg, "inet"))
said_af = AF_INET;
if(!strcmp(optarg, "inet6"))
said_af = AF_INET6;
if(said_af == 0) {
fprintf(stderr, "%s: Invalid address family parameter for SAID: %s\n",
progname, optarg);
exit (1);
}
said_af_opt = optarg;
break;
case 'f': /* specifies the address family of the eroute, stored in eroute_af */
if(eroute_af_opt) {
fprintf(stderr, "%s: Error, address family of eroute redefined:%s, already defined as:%s\n",
progname, optarg, eroute_af_opt);
exit (1);
}
if(!strcmp(optarg, "inet"))
eroute_af = AF_INET;
if(!strcmp(optarg, "inet6"))
eroute_af = AF_INET6;
if(eroute_af == 0) {
fprintf(stderr, "%s: Invalid address family parameter for eroute: %s\n",
progname, optarg);
exit (1);
}
eroute_af_opt = optarg;
break;
case '+': /* optionsfrom */
optionsfrom(optarg, &argc, &argv, optind, stderr);
/* no return on error */
break;
default:
break;
}
}
if(debug) {
fprintf(stdout, "%s: DEBUG: argc=%d\n", progname, argc);
}
if(argcount == 1) {
struct stat sts;
if ( ((stat ("/proc/net/pfkey", &sts)) == 0) ) {
fprintf(stderr, "%s: NETKEY does not support eroute table.\n",progname);
exit(1);
}
else {
int ret = 1;
if ((stat ("/proc/net/ipsec_eroute", &sts)) != 0) {
fprintf(stderr, "%s: No eroute table - no IPsec support in kernel (are the modules loaded?)\n", progname);
} else {
ret = system("cat /proc/net/ipsec_eroute");
ret = ret != -1 && WIFEXITED(ret) ? WEXITSTATUS(ret) : 1;
}
exit(ret);
}
}
/* Sanity checks */
if(debug) {
fprintf(stdout, "%s: DEBUG: action_type=%d\n", progname, action_type);
}
if (transport_proto_opt != 0) {
struct protoent * proto = getprotobyname(transport_proto_opt);
if (proto != 0) {
transport_proto = proto->p_proto;
} else {
transport_proto = strtoul(transport_proto_opt, &endptr, 0);
if ((*endptr != '\0')
|| (transport_proto == 0 && endptr == transport_proto_opt)) {
fprintf(stderr, "%s: Invalid character in --transport-proto parameter: %s\n",
progname, transport_proto_opt);
exit (1);
}
if (transport_proto > 255) {
fprintf(stderr, "%s: --transport-proto parameter: %s must be in the range 0 to 255 inclusive\n",
progname, transport_proto_opt);
exit (1);
}
}
}
if (src_port_opt != 0 || dst_port_opt != 0) {
switch (transport_proto) {
case IPPROTO_UDP:
case IPPROTO_TCP:
break;
default:
fprintf(stderr, "%s: --transport-proto with either UDP or TCP must be specified if --src-port or --dst-port is used\n", progname);
exit(1);
}
}
if (src_port_opt) {
struct servent * ent = getservbyname(src_port_opt, 0);
if (ent != 0) {
src_port = ent->s_port;
} else {
src_port = strtoul(src_port_opt, &endptr, 0);
if ((*endptr != '\0')
|| (src_port == 0 && endptr == src_port_opt)) {
fprintf(stderr, "%s: Invalid character in --src-port parameter: %s\n",
progname, src_port_opt);
exit (1);
}
if (src_port > 65535) {
fprintf(stderr, "%s: --src-port parameter: %s must be in the range 0 to 65535 inclusive\n",
progname, src_port_opt);
}
src_port = htons(src_port);
}
}
if (dst_port_opt) {
struct servent * ent = getservbyname(dst_port_opt, 0);
if (ent != 0) {
dst_port = ent->s_port;
} else {
dst_port = strtoul(dst_port_opt, &endptr, 0);
if ((*endptr != '\0')
|| (dst_port == 0 && endptr == dst_port_opt)) {
fprintf(stderr, "%s: Invalid character in --dst-port parameter: %s\n",
progname, dst_port_opt);
exit (1);
}
if (dst_port > 65535) {
fprintf(stderr, "%s: --dst-port parameter: %s must be in the range 0 to 65535 inclusive\n",
progname, dst_port_opt);
}
dst_port = htons(dst_port);
}
}
switch(action_type) {
case EMT_SETEROUTE:
case EMT_REPLACEROUTE:
case EMT_INEROUTE:
case EMT_INREPLACEROUTE:
if(!(said_af_opt && edst_opt && spi_opt && proto_opt) && !(said_opt)) {
fprintf(stderr, "%s: add and addin options must have SA specified.\n",
progname);
exit(1);
}
case EMT_DELEROUTE:
if(!src_opt) {
fprintf(stderr, "%s: Error -- %s option '--src' is required.\n",
progname, (action_type == EMT_SETEROUTE) ? "add" : "del");
exit(1);
}
if(!dst_opt) {
fprintf(stderr, "%s: Error -- %s option '--dst' is required.\n",
progname, (action_type == EMT_SETEROUTE) ? "add" : "del");
exit(1);
}
case EMT_CLREROUTE:
break;
default:
fprintf(stderr, "%s: exactly one of '--add', '--addin', '--replace', '--del' or '--clear' options must be specified.\n"
"Try %s --help' for usage information.\n",
progname, progname);
exit(1);
}
pfkey_sock = pfkey_open_sock_with_error();
if(pfkey_sock == -1) {
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: PFKEYv2 socket successfully openned=%d.\n", progname, pfkey_sock);
}
/* Build an SADB_X_ADDFLOW or SADB_X_DELFLOW message to send down. */
/* It needs <base, SA, address(SD), flow(SD), mask(SD)> minimum. */
pfkey_extensions_init(extensions);
if((error = pfkey_msg_hdr_build(&extensions[0],
(action_type == EMT_SETEROUTE
|| action_type == EMT_REPLACEROUTE
|| action_type == EMT_INREPLACEROUTE
|| action_type == EMT_INEROUTE)
? SADB_X_ADDFLOW : SADB_X_DELFLOW,
proto2satype(said.proto),
0,
++pfkey_seq,
getpid()))) {
fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_msg_hdr_build successfull.\n", progname);
}
switch(action_type) {
case EMT_CLREROUTE:
sa_flags = SADB_X_SAFLAGS_CLEARFLOW;
goto sa_build;
case EMT_REPLACEROUTE:
sa_flags = SADB_X_SAFLAGS_REPLACEFLOW;
goto sa_build;
case EMT_INREPLACEROUTE:
sa_flags = SADB_X_SAFLAGS_REPLACEFLOW | SADB_X_SAFLAGS_INFLOW;
goto sa_build;
case EMT_INEROUTE:
sa_flags = SADB_X_SAFLAGS_INFLOW;
goto sa_build;
case EMT_SETEROUTE:
sa_build:
if((error = pfkey_sa_build(&extensions[SADB_EXT_SA],
SADB_EXT_SA,
said.spi, /* in network order */
0,
0,
0,
0,
sa_flags))) {
fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_sa_build successful.\n", progname);
}
default:
break;
}
switch(action_type) {
case EMT_SETEROUTE:
case EMT_REPLACEROUTE:
case EMT_INEROUTE:
case EMT_INREPLACEROUTE:
anyaddr(said_af, &pfkey_address_s_ska);
if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
SADB_EXT_ADDRESS_SRC,
0,
0,
sockaddrof(&pfkey_address_s_ska)))) {
addrtot(&pfkey_address_s_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src.\n", progname);
}
if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
SADB_EXT_ADDRESS_DST,
0,
0,
sockaddrof(&said.dst)))) {
addrtot(&said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst.\n", progname);
}
default:
break;
}
switch(action_type) {
case EMT_SETEROUTE:
case EMT_REPLACEROUTE:
case EMT_INEROUTE:
case EMT_INREPLACEROUTE:
case EMT_DELEROUTE:
networkof(&s_subnet, &pfkey_address_sflow_ska); /* src flow */
add_port(eroute_af, &pfkey_address_sflow_ska, src_port);
if((error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_SRC_FLOW],
SADB_X_EXT_ADDRESS_SRC_FLOW,
0,
0,
sockaddrof(&pfkey_address_sflow_ska)))) {
addrtot(&pfkey_address_sflow_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_sflow extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src flow.\n", progname);
}
networkof(&d_subnet, &pfkey_address_dflow_ska); /* dst flow */
add_port(eroute_af, &pfkey_address_dflow_ska, dst_port);
if((error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_DST_FLOW],
SADB_X_EXT_ADDRESS_DST_FLOW,
0,
0,
sockaddrof(&pfkey_address_dflow_ska)))) {
addrtot(&pfkey_address_dflow_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_dflow extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst flow.\n", progname);
}
maskof(&s_subnet, &pfkey_address_smask_ska); /* src mask */
add_port(eroute_af, &pfkey_address_smask_ska, src_port ? ~0:0);
if((error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_SRC_MASK],
SADB_X_EXT_ADDRESS_SRC_MASK,
0,
0,
sockaddrof(&pfkey_address_smask_ska)))) {
addrtot(&pfkey_address_smask_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_smask extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src mask.\n", progname);
}
maskof(&d_subnet, &pfkey_address_dmask_ska); /* dst mask */
add_port(eroute_af, &pfkey_address_dmask_ska, dst_port ? ~0:0);
if((error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_DST_MASK],
SADB_X_EXT_ADDRESS_DST_MASK,
0,
0,
sockaddrof(&pfkey_address_dmask_ska)))) {
addrtot(&pfkey_address_dmask_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
fprintf(stderr, "%s: Trouble building address_dmask extension (%s), error=%d.\n",
progname, ipaddr_txt, error);
pfkey_extensions_free(extensions);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst mask.\n", progname);
}
}
if (transport_proto != 0) {
if ((error = pfkey_x_protocol_build(&extensions[SADB_X_EXT_PROTOCOL],
transport_proto))) {
fprintf(stderr, "%s: Trouble building transport"
" protocol extension, error=%d.\n",
progname, error);
exit(1);
}
}
if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey_msg_build successful.\n", progname);
}
if((error = write(pfkey_sock,
pfkey_msg,
pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) !=
(ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
fprintf(stderr, "%s: pfkey write failed, returning %d with errno=%d.\n",
progname, error, errno);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
switch(errno) {
case EINVAL:
fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
break;
case ENXIO:
if((action_type == EMT_SETEROUTE) ||
(action_type == EMT_REPLACEROUTE)) {
fprintf(stderr, "Invalid mask.\n");
break;
}
if(action_type == EMT_DELEROUTE) {
fprintf(stderr, "Mask not found.\n");
break;
}
case EFAULT:
if((action_type == EMT_SETEROUTE) ||
(action_type == EMT_REPLACEROUTE)) {
fprintf(stderr, "Invalid address.\n");
break;
}
if(action_type == EMT_DELEROUTE) {
fprintf(stderr, "Address not found.\n");
break;
}
case EACCES:
fprintf(stderr, "access denied. ");
if(getuid() == 0) {
fprintf(stderr, "Check permissions. Should be 600.\n");
} else {
fprintf(stderr, "You must be root to open this file.\n");
}
break;
case EUNATCH:
fprintf(stderr, "KLIPS not loaded.\n");
break;
case EBUSY:
fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
break;
case ENODEV:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
fprintf(stderr, "No device?!?\n");
break;
case ENOBUFS:
fprintf(stderr, "No kernel memory to allocate SA.\n");
break;
case ESOCKTNOSUPPORT:
fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
break;
case EEXIST:
fprintf(stderr, "eroute already in use. Delete old one first.\n");
break;
case ENOENT:
if(action_type == EMT_INEROUTE || action_type == EMT_INREPLACEROUTE) {
fprintf(stderr, "non-existant IPIP SA.\n");
break;
}
fprintf(stderr, "eroute doesn't exist. Can't delete.\n");
break;
case ENOSPC:
fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n");
break;
case ESPIPE:
fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n");
break;
default:
fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n", errno);
}
/* fprintf(stderr, "%s: socket write returned errno %d\n",
progname, errno);*/
exit(1);
}
if(debug) {
fprintf(stdout, "%s: DEBUG: pfkey write successful.\n", progname);
}
if(pfkey_msg) {
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
}
(void) close(pfkey_sock); /* close the socket */
if(debug) {
fprintf(stdout, "%s: DEBUG: write ok\n", progname);
}
exit(0);
}
static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
kw_list_t *kw, char *conn_name, starter_config_t *cfg)
{
err_t ugh = NULL;
bool assigned = FALSE;
bool has_port_wildcard; /* set if port is %any */
char *name = kw->entry->name;
char *value = kw->value;
if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
goto err;
/* post processing of some keywords that were assigned automatically */
switch (token)
{
case KW_SUBNET:
if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
|| (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
{
/* used by pluto only */
end->has_virt = TRUE;
}
else
{
ip_subnet net;
char *pos;
int len = 0;
end->has_client = TRUE;
conn->tunnel_addr_family = ip_version(value);
pos = strchr(value, ',');
if (pos)
{
len = pos - value;
}
ugh = ttosubnet(value, len, ip_version(value), &net);
if (ugh != NULL)
{
plog("# bad subnet: %s=%s [%s]", name, value, ugh);
goto err;
}
}
break;
case KW_SOURCEIP:
if (end->has_natip)
{
plog("# natip and sourceip cannot be defined at the same time");
goto err;
}
if (value[0] == '%')
{
if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
streq(value, "%config") || streq(value, "%cfg"))
{
/* request ip via config payload */
free(end->sourceip);
end->sourceip = NULL;
end->sourceip_mask = 1;
}
else
{ /* %poolname, strip %, serve ip requests */
free(end->sourceip);
end->sourceip = clone_str(value+1);
end->sourceip_mask = 0;
}
end->modecfg = TRUE;
}
else
{
char *pos;
ip_address addr;
ip_subnet net;
conn->tunnel_addr_family = ip_version(value);
pos = strchr(value, '/');
if (pos)
{ /* CIDR notation, address pool */
ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
if (ugh != NULL)
{
plog("# bad subnet: %s=%s [%s]", name, value, ugh);
goto err;
}
*pos = '\0';
free(end->sourceip);
end->sourceip = clone_str(value);
end->sourceip_mask = atoi(pos + 1);
}
else
{ /* fixed srcip */
ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
goto err;
}
end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ?
32 : 128;
}
}
conn->policy |= POLICY_TUNNEL;
break;
case KW_SENDCERT:
if (end->sendcert == CERT_YES_SEND)
{
end->sendcert = CERT_ALWAYS_SEND;
}
else if (end->sendcert == CERT_NO_SEND)
{
end->sendcert = CERT_NEVER_SEND;
}
break;
default:
break;
}
if (assigned)
return;
/* individual processing of keywords that were not assigned automatically */
switch (token)
{
case KW_HOST:
if (streq(value, "%defaultroute"))
{
if (cfg->defaultroute.defined)
{
end->addr = cfg->defaultroute.addr;
end->nexthop = cfg->defaultroute.nexthop;
}
else if (!cfg->defaultroute.supported)
{
plog("%%defaultroute not supported, fallback to %%any");
}
else
{
plog("# default route not known: %s=%s", name, value);
goto err;
}
}
else if (streq(value, "%any") || streq(value, "%any4"))
{
anyaddr(conn->addr_family, &end->addr);
}
else if (streq(value, "%any6"))
{
conn->addr_family = AF_INET6;
anyaddr(conn->addr_family, &end->addr);
}
else if (streq(value, "%group"))
{
ip_address any;
conn->policy |= POLICY_GROUP | POLICY_TUNNEL;
anyaddr(conn->addr_family, &end->addr);
anyaddr(conn->tunnel_addr_family, &any);
end->has_client = TRUE;
}
else
{
/* check for allow_any prefix */
if (value[0] == '%')
{
end->allow_any = TRUE;
value++;
}
conn->addr_family = ip_version(value);
ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
if (streq(ugh, "does not look numeric and name lookup failed"))
{
end->dns_failed = TRUE;
anyaddr(conn->addr_family, &end->addr);
}
else
{
goto err;
}
}
}
break;
case KW_NEXTHOP:
if (streq(value, "%defaultroute"))
{
if (cfg->defaultroute.defined)
{
end->nexthop = cfg->defaultroute.nexthop;
}
else
{
plog("# default route not known: %s=%s", name, value);
goto err;
}
}
else if (streq(value, "%direct"))
{
ugh = anyaddr(conn->addr_family, &end->nexthop);
}
else
{
conn->addr_family = ip_version(value);
ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop);
}
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
goto err;
}
break;
case KW_SUBNETWITHIN:
{
ip_subnet net;
end->has_client = TRUE;
end->has_client_wildcard = TRUE;
conn->tunnel_addr_family = ip_version(value);
ugh = ttosubnet(value, 0, ip_version(value), &net);
if (ugh != NULL)
{
plog("# bad subnet: %s=%s [%s]", name, value, ugh);
goto err;
}
end->subnet = clone_str(value);
break;
}
case KW_PROTOPORT:
ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
end->has_port_wildcard = has_port_wildcard;
break;
case KW_NATIP:
if (end->sourceip)
{
plog("# natip and sourceip cannot be defined at the same time");
goto err;
}
if (streq(value, "%defaultroute"))
{
char buf[64];
if (cfg->defaultroute.defined)
{
addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
end->sourceip = clone_str(buf);
}
else
{
plog("# default route not known: %s=%s", name, value);
goto err;
}
}
else
{
ip_address addr;
conn->tunnel_addr_family = ip_version(value);
ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
goto err;
}
end->sourceip = clone_str(value);
}
end->has_natip = TRUE;
conn->policy |= POLICY_TUNNEL;
break;
default:
break;
}
return;
err:
plog(" bad argument value in conn '%s'", conn_name);
cfg->err++;
}
static bool validate_end(struct ub_ctx *dnsctx ,
#endif
struct starter_conn *conn_st,
struct starter_end *end,
const char *leftright,
bool resolvip UNUSED,
err_t *perr)
{
err_t er = NULL;
char *err_str = NULL;
int family = conn_st->options[KBF_CONNADDRFAMILY];
bool err = FALSE;
# define ERR_FOUND(...) { err |= error_append(&err_str, __VA_ARGS__); }
if (!end->options_set[KNCF_IP])
conn_st->state = STATE_INCOMPLETE;
end->addrtype = end->options[KNCF_IP];
end->addr_family = family;
/* validate the KSCF_IP/KNCF_IP */
switch (end->addrtype) {
case KH_ANY:
anyaddr(family, &(end->addr));
break;
case KH_IFACE:
/* generally, this doesn't show up at this stage */
starter_log(LOG_LEVEL_DEBUG, "starter: %s is KH_IFACE", leftright);
break;
case KH_IPADDR:
assert(end->strings[KSCF_IP] != NULL);
if (end->strings[KSCF_IP][0] == '%') {
pfree(end->iface);
end->iface = clone_str(end->strings[KSCF_IP] + 1, "KH_IPADDR end->iface");
if (!starter_iface_find(end->iface, family,
&end->addr,
&end->nexthop))
conn_st->state = STATE_INVALID;
/* not numeric, so set the type to the iface type */
end->addrtype = KH_IFACE;
break;
}
er = ttoaddr_num(end->strings[KNCF_IP], 0, family,
&(end->addr));
if (er != NULL) {
/* not numeric, so set the type to the string type */
end->addrtype = KH_IPHOSTNAME;
}
if (end->id == NULL) {
ipstr_buf b;
end->id = clone_str(ipstr(&end->addr, &b), "end if");
}
break;
case KH_OPPO:
conn_st->policy |= POLICY_OPPORTUNISTIC;
break;
case KH_OPPOGROUP:
conn_st->policy |= POLICY_OPPORTUNISTIC | POLICY_GROUP;
break;
case KH_GROUP:
conn_st->policy |= POLICY_GROUP;
break;
case KH_IPHOSTNAME:
/* generally, this doesn't show up at this stage */
starter_log(LOG_LEVEL_DEBUG,
"starter: %s is KH_IPHOSTNAME", leftright);
break;
case KH_DEFAULTROUTE:
starter_log(LOG_LEVEL_DEBUG,
"starter: %s is KH_DEFAULTROUTE", leftright);
break;
case KH_NOTSET:
starter_log(LOG_LEVEL_DEBUG, "starter: %s is KH_NOTSET", leftright);
break;
}
/* validate the KSCF_SUBNET */
if (end->strings_set[KSCF_SUBNET]) {
char *value = end->strings[KSCF_SUBNET];
if (end->strings_set[KSCF_ADDRESSPOOL]) {
ERR_FOUND("cannot specify both %ssubnet= and %saddresspool=", leftright,
leftright);
}
if (startswith(value, "vhost:") || startswith(value, "vnet:")) {
er = NULL;
end->virt = clone_str(value, "validate_end item");
} else {
end->has_client = TRUE;
er = ttosubnet(value, 0, family, &(end->subnet));
}
if (er != NULL)
ERR_FOUND("bad subnet %ssubnet=%s [%s]", leftright,
value, er);
}
/* set nexthop address to something consistent, by default */
anyaddr(family, &end->nexthop);
anyaddr(addrtypeof(&end->addr), &end->nexthop);
/* validate the KSCF_NEXTHOP */
if (end->strings_set[KSCF_NEXTHOP]) {
char *value = end->strings[KSCF_NEXTHOP];
if (strcaseeq(value, "%defaultroute")) {
end->nexttype = KH_DEFAULTROUTE;
} else {
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->nexthop)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->nexthop)) != NULL) {
#ifdef DNSSEC
starter_log(LOG_LEVEL_DEBUG,
"Calling unbound_resolve() for %snexthop value",
leftright);
if (!unbound_resolve(dnsctx, value,
strlen(value), AF_INET,
&(end->nexthop)) &&
!unbound_resolve(dnsctx, value,
strlen(value), AF_INET6,
&(end->nexthop)))
ERR_FOUND("bad value for %snexthop=%s\n",
leftright, value);
#else
er = ttoaddr(value, 0, family,
&(end->nexthop));
if (er != NULL)
ERR_FOUND("bad value for %snexthop=%s [%s]",
leftright, value,
er);
#endif
}
end->nexttype = KH_IPADDR;
}
} else {
#if 0
if (conn_st->policy & POLICY_OPPORTUNISTIC)
end->nexttype = KH_DEFAULTROUTE;
#endif
anyaddr(family, &end->nexthop);
if (end->addrtype == KH_DEFAULTROUTE) {
end->nexttype = KH_DEFAULTROUTE;
}
}
/* validate the KSCF_ID */
if (end->strings_set[KSCF_ID]) {
char *value = end->strings[KSCF_ID];
pfreeany(end->id);
end->id = clone_str(value, "end->id");
}
if (end->options_set[KSCF_RSAKEY1]) {
end->rsakey1_type = end->options[KSCF_RSAKEY1];
end->rsakey2_type = end->options[KSCF_RSAKEY2];
switch (end->options[KSCF_RSAKEY1]) {
case PUBKEY_DNS:
case PUBKEY_DNSONDEMAND:
end->key_from_DNS_on_demand = TRUE;
break;
default:
end->key_from_DNS_on_demand = FALSE;
/* validate the KSCF_RSAKEY1/RSAKEY2 */
if (end->strings[KSCF_RSAKEY1] != NULL) {
char *value = end->strings[KSCF_RSAKEY1];
pfreeany(end->rsakey1);
end->rsakey1 = (unsigned char *)clone_str(value,"end->rsakey1");
}
if (end->strings[KSCF_RSAKEY2] != NULL) {
char *value = end->strings[KSCF_RSAKEY2];
pfreeany(end->rsakey2);
end->rsakey2 = (unsigned char *)clone_str(value,"end->rsakey2");
}
}
}
/* validate the KSCF_SOURCEIP, if any, and if set,
* set the subnet to same value, if not set.
*/
if (end->strings_set[KSCF_SOURCEIP]) {
char *value = end->strings[KSCF_SOURCEIP];
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->sourceip)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->sourceip)) != NULL) {
#ifdef DNSSEC
starter_log(LOG_LEVEL_DEBUG,
"Calling unbound_resolve() for %ssourceip value",
leftright);
if (!unbound_resolve(dnsctx, value,
strlen(value), AF_INET,
&(end->sourceip)) &&
!unbound_resolve(dnsctx, value,
strlen(value), AF_INET6,
&(end->sourceip)))
ERR_FOUND("bad value for %ssourceip=%s\n",
leftright, value);
#else
er = ttoaddr(value, 0, family, &(end->sourceip));
if (er != NULL)
ERR_FOUND("bad addr %ssourceip=%s [%s]",
leftright, value, er);
#endif
} else {
er = tnatoaddr(value, 0, family, &(end->sourceip));
if (er != NULL)
ERR_FOUND("bad numerical addr %ssourceip=%s [%s]",
leftright, value, er);
}
if (!end->has_client) {
starter_log(LOG_LEVEL_INFO,
"%ssourceip= used but not %ssubnet= defined, defaulting %ssubnet to %s",
leftright, leftright, leftright, value);
er = addrtosubnet(&end->sourceip, &end->subnet);
if (er != NULL) {
ERR_FOUND("attempt to default %ssubnet from %s failed: %s",
leftright, value, er);
}
end->has_client = TRUE;
end->has_client_wildcard = FALSE;
}
}
/* copy certificate path name */
if (end->strings_set[KSCF_CERT])
end->cert = clone_str(end->strings[KSCF_CERT], "KSCF_CERT");
if (end->strings_set[KSCF_CA])
end->ca = clone_str(end->strings[KSCF_CA], "KSCF_CA");
if (end->strings_set[KSCF_UPDOWN])
end->updown = clone_str(end->strings[KSCF_UPDOWN], "KSCF_UPDOWN");
if (end->strings_set[KSCF_PROTOPORT]) {
err_t ugh;
char *value = end->strings[KSCF_PROTOPORT];
ugh = ttoprotoport(value, 0, &end->protocol, &end->port,
&end->has_port_wildcard);
if (ugh != NULL)
ERR_FOUND("bad %sprotoport=%s [%s]", leftright, value,
ugh);
}
if (end->strings_set[KSCF_ADDRESSPOOL]) {
char *addresspool = end->strings[KSCF_ADDRESSPOOL];
if (end->strings_set[KSCF_SUBNET])
ERR_FOUND("cannot specify both %ssubnet= and %saddresspool=",
leftright, leftright);
starter_log(LOG_LEVEL_DEBUG,
"connection's %saddresspool set to: %s",
leftright, end->strings[KSCF_ADDRESSPOOL] );
er = ttorange(addresspool, 0, AF_INET, &end->pool_range, TRUE);
if (er != NULL)
ERR_FOUND("bad %saddresspool=%s [%s]", leftright,
addresspool, er);
}
if (end->options_set[KNCF_XAUTHSERVER] ||
end->options_set[KNCF_XAUTHCLIENT])
conn_st->policy |= POLICY_XAUTH;
/*
KSCF_SUBNETWITHIN --- not sure what to do with it.
KSCF_ESPENCKEY --- todo (manual keying)
KSCF_ESPAUTHKEY --- todo (manual keying)
KSCF_SOURCEIP = 16,
KSCF_MAX = 19
*/
if (err)
*perr = err_str;
return err;
# undef ERR_FOUND
}
/**
* Validate that yes in fact we are one side of the tunnel
*
* The function checks that IP addresses are valid, nexthops are
* present (if needed) as well as policies, and sets the leftID
* from the left= if it isn't set.
*
* @param conn_st a connection definition
* @param end a connection end
* @param left boolean (are we 'left'? 1 = yes, 0 = no)
* @param perr pointer to char containing error value
* @return bool TRUE if failed
*/
static bool validate_end(struct starter_conn *conn_st
, struct starter_end *end
, bool left
, bool resolvip UNUSED
, err_t *perr)
{
err_t er = NULL;
char *err_str = NULL;
const char *leftright=(left ? "left" : "right");
int family = conn_st->options[KBF_CONNADDRFAMILY];
bool err = FALSE;
#define ERR_FOUND(args...) do { err += error_append(&err_str, ##args); } while(0)
if(!end->options_set[KNCF_IP]) {
conn_st->state = STATE_INCOMPLETE;
}
end->addrtype=end->options[KNCF_IP];
end->addr_family = family;
/* validate the KSCF_IP/KNCF_IP */
switch(end->addrtype) {
case KH_ANY:
anyaddr(family, &(end->addr));
break;
case KH_IFACE:
/* generally, this doesn't show up at this stage */
break;
case KH_IPADDR:
/* right=/left= */
assert(end->strings[KSCF_IP] != NULL);
if (end->strings[KSCF_IP][0]=='%') {
if (end->iface) pfree(end->iface);
end->iface = clone_str(end->strings[KSCF_IP] + 1, "KH_IPADDR end->iface");
if (starter_iface_find(end->iface, family, &(end->addr),
&(end->nexthop)) == -1) {
conn_st->state = STATE_INVALID;
}
/* not numeric, so set the type to the iface type */
end->addrtype = KH_IFACE;
break;
}
er = ttoaddr_num(end->strings[KNCF_IP], 0, family, &(end->addr));
if(er) {
/* not numeric, so set the type to the string type */
end->addrtype = KH_IPHOSTNAME;
}
if(end->id == NULL) {
char idbuf[ADDRTOT_BUF];
addrtot(&end->addr, 0, idbuf, sizeof(idbuf));
end->id= clone_str(idbuf, "end id");
}
break;
case KH_OPPO:
conn_st->policy |= POLICY_OPPO;
break;
case KH_OPPOGROUP:
conn_st->policy |= POLICY_OPPO|POLICY_GROUP;
break;
case KH_GROUP:
conn_st->policy |= POLICY_GROUP;
break;
case KH_IPHOSTNAME:
/* XXX */
break;
case KH_DEFAULTROUTE:
break;
case KH_NOTSET:
break;
}
/* validate the KSCF_SUBNET */
if(end->strings_set[KSCF_SUBNET])
{
char *value = end->strings[KSCF_SUBNET];
if ( ((strlen(value)>=6) && (strncmp(value,"vhost:",6)==0)) ||
((strlen(value)>=5) && (strncmp(value,"vnet:",5)==0)) ) {
er = NULL;
end->virt = clone_str(value, "end->virt");
}
else {
end->has_client = TRUE;
er = ttosubnet(value, 0, 0, &(end->subnet));
}
if (er) ERR_FOUND("bad subnet %ssubnet=%s [%s] family=%s", leftright, value, er, family2str(family));
}
/* set nexthop address to something consistent, by default */
anyaddr(family, &end->nexthop);
anyaddr(addrtypeof(&end->addr), &end->nexthop);
/* validate the KSCF_NEXTHOP */
if(end->strings_set[KSCF_NEXTHOP])
{
char *value = end->strings[KSCF_NEXTHOP];
if(strcasecmp(value, "%defaultroute")==0) {
end->nexttype=KH_DEFAULTROUTE;
} else {
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->nexthop)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->nexthop)) != NULL) {
er = ttoaddr(value, 0, family, &(end->nexthop));
if (er) ERR_FOUND("bad addr %snexthop=%s [%s]", leftright, value, er);
}
end->nexttype = KH_IPADDR;
}
} else {
if (end->addrtype == KH_DEFAULTROUTE) {
end->nexttype = KH_DEFAULTROUTE;
}
anyaddr(family, &end->nexthop);
}
/* validate the KSCF_ID */
if(end->strings_set[KSCF_ID])
{
char *value = end->strings[KSCF_ID];
pfreeany(end->id);
end->id = clone_str(value, "end->id");
}
if(end->options_set[KSCF_RSAKEY1]) {
end->rsakey1_type = end->options[KSCF_RSAKEY1];
end->rsakey2_type = end->options[KSCF_RSAKEY2];
switch(end->rsakey1_type) {
case PUBKEY_DNS:
case PUBKEY_DNSONDEMAND:
end->key_from_DNS_on_demand = TRUE;
break;
default:
end->key_from_DNS_on_demand = FALSE;
/* validate the KSCF_RSAKEY1/RSAKEY2 */
if(end->strings[KSCF_RSAKEY1] != NULL)
{
char *value = end->strings[KSCF_RSAKEY1];
pfreeany(end->rsakey1);
end->rsakey1 = (unsigned char *)clone_str(value,"end->rsakey1");
}
if(end->strings[KSCF_RSAKEY2] != NULL)
{
char *value = end->strings[KSCF_RSAKEY2];
pfreeany(end->rsakey2);
end->rsakey2 = (unsigned char *)clone_str(value,"end->rsakey2");
}
}
}
/* validate the KSCF_SOURCEIP, if any, and if set,
* set the subnet to same value, if not set.
*/
if(end->strings_set[KSCF_SOURCEIP])
{
char *value = end->strings[KSCF_SOURCEIP];
if (tnatoaddr(value, strlen(value), AF_INET, &(end->sourceip)) != NULL
&& tnatoaddr(value, strlen(value), AF_INET6, &(end->sourceip)) != NULL) {
er = ttoaddr(value, 0, 0, &(end->sourceip));
if (er) ERR_FOUND("bad addr %ssourceip=%s [%s]", leftright, value, er);
} else {
er = tnatoaddr(value, 0, 0, &(end->sourceip));
if (er) ERR_FOUND("bad numerical addr %ssourceip=%s [%s]", leftright, value, er);
}
if(!end->has_client) {
starter_log(LOG_LEVEL_INFO, "defaulting %ssubnet to %s\n", leftright, value);
er = addrtosubnet(&end->sourceip, &end->subnet);
if (er) ERR_FOUND("attempt to default %ssubnet from %s failed: %s", leftright, value, er);
end->has_client = TRUE;
end->has_client_wildcard = FALSE;
}
}
/* copy certificate path name */
if(end->strings_set[KSCF_CERT]) {
end->cert = clone_str(end->strings[KSCF_CERT], "KSCF_CERT");
}
if(end->strings_set[KSCF_CA]) {
end->ca = clone_str(end->strings[KSCF_CA], "KSCF_CA");
}
if(end->strings_set[KSCF_UPDOWN]) {
end->updown = clone_str(end->strings[KSCF_UPDOWN], "KSCF_UPDOWN");
}
if(end->strings_set[KSCF_PROTOPORT]) {
err_t ugh;
char *value = end->strings[KSCF_PROTOPORT];
ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &end->has_port_wildcard);
if (ugh) ERR_FOUND("bad %sprotoport=%s [%s]", leftright, value, ugh);
}
if (end->options_set[KNCF_XAUTHSERVER] ||
end->options_set[KNCF_XAUTHCLIENT]) {
conn_st->policy |= POLICY_XAUTH;
}
/*
KSCF_SUBNETWITHIN --- not sure what to do with it.
KSCF_ESPENCKEY --- todo (manual keying)
KSCF_ESPAUTHKEY --- todo (manual keying)
KSCF_SOURCEIP = 16,
KSCF_MAX = 19
*/
if(err) *perr = err_str;
return err;
# undef ERR_FOUND
}
int main(int argc, char *argv[])
{
int c;
const char *datafilename;
FILE *datafile;
char *outfile = NULL;
char *prefixvalue = NULL;
char *targetaddr = NULL;
unsigned char icmp_body[2048];
unsigned int icmp_len = 0;
unsigned int verbose=0;
unsigned int fakesend=0;
struct option longoptions[]={
{"debug", 0, NULL, 'v'},
{"verbose", 0, NULL, 'v'},
{"fake", 0, NULL, 'T'},
{"testing", 0, NULL, 'T'},
{"prefix", 1, NULL, 'p'},
{"target", 1, NULL, 'a'},
{"sequence", 1, NULL, 'S'},
{"instance", 1, NULL, 'I'},
{"dagid", 1, NULL, 'G'},
{"daoack", 0, NULL, 'K'},
{"datafile", 1, NULL, 'd'},
{"dest", 1, NULL, 't'},
{"myid", 1, NULL, 'M'},
{"ack-request",0,NULL,'A'},
{"iface", 1, NULL, 'i'},
{"outpcap", 1, NULL, 'O'},
{0,0,0,0},
};
class rpl_debug *deb = new rpl_debug(verbose, stderr);
class network_interface *iface = NULL;
class dag_network *dn = NULL;
class pcap_network_interface *piface = NULL;
struct in6_addr target, *dest = NULL;
struct in6_addr myid;
prefix_node *dag_me = NULL;
rpl_node *destnode = NULL;
bool initted = false;
bool ackreq = false;
bool daoack = false;
memset(icmp_body, 0, sizeof(icmp_body));
while((c=getopt_long(argc, argv, "AD:G:I:KO:R:S:Ta:d:i:h?p:t:v", longoptions, NULL))!=EOF){
switch(c) {
case 'A':
ackreq=true; /* XXX todo */
break;
case 'd':
datafilename=optarg;
if(datafilename[0]=='-' && datafilename[1]=='\0') {
datafile = stdin;
datafilename="<stdin>";
} else {
datafile = fopen(datafilename, "r");
}
if(!datafile) {
perror(datafilename);
exit(1);
}
icmp_len = read_hex_values(datafile, icmp_body);
break;
case 'i':
if(!initted) {
if(fakesend) {
fprintf(stderr, "Using faked interfaces\n");
pcap_network_interface::scan_devices(deb, false);
} else {
network_interface::scan_devices(deb, false);
}
initted = true;
}
if(outfile == NULL) {
fprintf(stderr, "Must specify pcap outfile (-O)\n");
usage();
exit(2);
}
iface = network_interface::find_by_name(optarg);
if(iface && fakesend) {
if(iface->faked()) {
piface = (pcap_network_interface *)iface;
piface->set_pcap_out(outfile, DLT_EN10MB);
} else {
fprintf(stderr, "interface %s is not faked\n", optarg);
exit(1);
}
}
break;
case 'T':
if(initted) {
fprintf(stderr, "--fake MUST be first argument\n");
exit(16);
}
fakesend=1;
break;
case 'O':
outfile=optarg;
break;
case 'G':
if(!iface) {
fprintf(stderr, "--dagid must follow --interface argument\n");
usage();
exit(17);
}
dn = iface->find_or_make_dag_by_dagid(optarg);
break;
case 'K':
daoack = true;
break;
case 'R':
check_dag(dn);
dn->set_dagrank(atoi(optarg));
break;
case 'S':
check_dag(dn);
dn->set_sequence(atoi(optarg));
break;
case 'I':
check_dag(dn);
dn->set_instanceid(atoi(optarg));
break;
case 'a':
{
char *targetvalue = optarg;
ip_subnet targetaddr;
err_t e = ttosubnet(targetvalue, strlen(targetvalue),
AF_INET6, &targetaddr);
check_dag(dn);
if(!dest) {
fprintf(stderr, "destination must be set before target addresses\n");
usage();
}
if(dag_me == NULL) {
fprintf(stderr, "myid must be set before target addresses\n");
usage();
}
dn->add_childnode(destnode, iface, targetaddr);
}
break;
case 'p':
prefixvalue = optarg;
{
ip_subnet prefix;
err_t e = ttosubnet(prefixvalue, strlen(prefixvalue),
AF_INET6, &prefix);
if(e!=NULL) {
fprintf(stderr, "Invalid prefix: %s\n",prefixvalue);
usage();
}
check_dag(dn);
dn->set_prefix(prefix);
}
break;
case 't':
if(inet_pton(AF_INET6, optarg, &target)!=1) {
fprintf(stderr, "Invalid ipv6 address: %s\n", optarg);
usage();
}
dest = ⌖
destnode = new rpl_node(target, dn, deb);
break;
case 'M':
if(inet_pton(AF_INET6, optarg, &myid)!=1) {
fprintf(stderr, "Invalid ipv6 address in --myid: %s\n", optarg);
usage();
}
dag_me = new prefix_node(deb, myid, 128);
check_dag(dn);
dn->dag_me = dag_me;
break;
case 'v':
verbose++;
deb = new rpl_debug(verbose, stderr);
break;
case '?':
case 'h':
default:
usage();
break;
}
}
if(datafilename!=NULL && icmp_len > 0) {
/* nothing for now */
} else if(daoack) {
icmp_len = dn->build_daoack(icmp_body, sizeof(icmp_body));
} else if(prefixvalue) {
fprintf(stderr, "building DAO\n");
icmp_len = dn->build_dao(icmp_body, sizeof(icmp_body));
} else {
fprintf(stderr, "either a prefix is needed to send a DAO, or --daoack\n");
usage();
}
if(icmp_len == 0) {
fprintf(stderr, "length of generated packet is 0, none sent\n");
if(!prefixvalue) {
fprintf(stderr, "No prefix value set\n");
}
usage();
exit(1);
}
if(verbose) {
printf("Sending ICMP of length: %u\n", icmp_len);
if(icmp_len > 0) {
hexdump(icmp_body, 0, icmp_len);
}
}
if(iface != NULL && icmp_len > 0) {
if(piface != NULL) {
piface->send_raw_icmp(dest, icmp_body, icmp_len);
} else {
iface->send_raw_icmp(dest, icmp_body, icmp_len);
}
}
exit(0);
}
int main(int argc, char **argv)
{
int lockfd;
bool restore_vrf_pluto = 0;
/*此开关必须放在所有动态内存分配之前*/
leak_detective=0;
debug_info_control* dic=alloc_bytes(sizeof(debug_info_control), "malloc debug_info_control in main");
openswan_passert_fail = passert_fail;
/*设备类型初始化*/
ipsec_device_type_init();
{
u32 pseudo_start_pluto = 0;
for (;;)
{
#define DBG_OFFSET 256
static const struct option long_opts[] = {
/* name, has_arg, flag, val */
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "start", no_argument, NULL, 'B' },
{ "quit", no_argument, NULL, 'D' },
{ "user", no_argument, NULL, 'u' },
{ "krl", no_argument, NULL, 'K' },
{ "debug-nat", no_argument, NULL, '5' },
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
{ "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
{ "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
{ "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
{ "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
{ "debug-xauth", no_argument, NULL, DBG_XAUTH+ DBG_OFFSET },
{ "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
{ "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },
{ "debug-ifchange", no_argument, NULL, DBG_IF_CHANGE + DBG_OFFSET },
{ "log-openinfo", no_argument, NULL, 'i' },
{ "log-openwar", no_argument, NULL, 'w' },
{ "log-openerr", no_argument, NULL, 'r' },
{ "log-openuserlog", no_argument, NULL, 'e' },
{ "log-openradiuslog", no_argument, NULL, 'c' },
{ "log-openpri", no_argument, NULL, 'p' },
{ "log-opensyserr", no_argument, NULL, 'q' },
{ "log-closeall", no_argument, NULL, 'a' },
{ "debug-connection", required_argument, NULL, 'O' },
{ "debug-host", required_argument, NULL, 'H' },
{ "debug-stop", no_argument, NULL, 'S' },
{ "counter", no_argument, NULL, 'b' },
{ "isa-counter", no_argument, NULL, 'x' },
{ "krc", no_argument, NULL, 'E'},
{ "kss", required_argument, NULL, 'F'},
{ "kpc", no_argument, NULL, 'G'},
{ "kprt", required_argument, NULL, 'L'},
{ "kspi", required_argument, NULL, 'M' },
{ "kdst", required_argument, NULL, 'P' },
{ "kdnet", required_argument, NULL, 'R' },
{ "kid", required_argument, NULL, 'Q' },
{ "restore-vrf", no_argument, NULL, 'V' },
{ 0,0,0,0 }
};
int c = getopt_long(argc, argv, "", long_opts, NULL);
ip_address dst_tmp;
ip_subnet subnet_tmp;
switch (c)
{
case EOF: /* end of flags */
break;
case 0: /* long option already handled */
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
usage("");
break;
case 'h':
usage(NULL);
break;
case 'v':
{
const char **sp = ipsec_copyright_notice();
printf("%s%s\n", ipsec_version_string(),compile_time_interop_options);
for (; *sp != NULL; sp++)
{
puts(*sp);
}
}
exit(0);
break;
case 'i':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_INFO;
continue;
case 'w':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_WARNING;
continue;
case 'r':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_ERROR;
continue;
case 'e':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_USER_LOG;
continue;
case 'c':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_RADIUS_LOG;
continue;
case 'p':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_PRIVATE;
continue;
case 'q':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info |= IPSEC_LOGLEVEL_SYSERROR;
continue;
case 'a':
dic->public_info.log_falg = 1;
dic->public_info.log_level_info=IPSEC_LOGLEVEL_CLOSE;
continue;
case 'B':
dic->com_type=IPSEC_DEBUG_STAR_HANDLE;
continue;
case 'D':
dic->com_type=IPSEC_DEBUG_QUIT_HANDLE;
continue;
case 'u':
dic->com_type=IPSEC_DEBUG_USER_HANDLE;
continue;
case 'K':
dic->com_type=IPSEC_DEBUG_KERNEL_HANDLE;
continue;
case 'N': /* --debug-none */
dic->public_info.public_info_flag=1;
dic->public_info.public_info_value=DBG_NONE;
continue;
case 'A': /* --debug-all */
dic->public_info.public_info_flag=1;
dic->public_info.public_info_value=DBG_ALL;
continue;
case 'O':
if(optarg != NULL)
{
strcpy(dic->child_info.child_info_optarg,optarg);
dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_CON_NAME;
}
else
{
return 0;
}
break;
case 'H':
if(optarg != NULL)
{
strcpy(dic->child_info.child_info_optarg,optarg);
dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_HOST;
}
else
{
return 0;
}
break;
case 'S':
dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_STOP;
break;
case 'b':
dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_PRINT_COUNTER;
break;
case 'x':
dic->child_info.child_info_type=IPSEC_CHILD_DEBUG_INFO_PRINT_ISA_COUNTER;
break;
case 'E':
pseudo_start_pluto = 1;
dic->kernel_info.flag= IPSEC_RESET_COUNTER;
continue;
case 'F':
pseudo_start_pluto = 1;
dic->kernel_info.flag = IPSEC_SET_DEBUG_SIP;
dic->kernel_info.sip =inet_addr(optarg);
continue;
case 'G':
pseudo_start_pluto = 1;
dic->kernel_info.flag = IPSEC_DUMP_COUNTER;
continue;
case 'L':
pseudo_start_pluto = 1;
dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
if_get_index_by_name(optarg, (s32*)(&dic->kernel_info.ifindex));
continue;
case 'M':
pseudo_start_pluto = 1;
dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
dic->kernel_info.spi = (u32)chartoint(optarg,strlen(optarg));
if((int)dic->kernel_info.spi < 0)
{
fprintf(stderr,"%s IS ERROR INPUT(For Example:0x123...)\n",optarg);
pfree(dic);
return 0;
}
continue;
case 'P':
pseudo_start_pluto = 1;
dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
if(ttoaddr(optarg, 0, AF_INET, &dst_tmp))
{
fprintf(stderr,"you must input right IP\n");
pfree(dic);
return 0;
}
else{
dic->kernel_info.dsc.a4 = dst_tmp.u.v4.sin_addr.s_addr;
continue;
}
case 'R':
pseudo_start_pluto = 1;
dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
if(ttosubnet(optarg, 0, AF_INET, &subnet_tmp))
{
fprintf(stderr,"you must input right subnet\n");
pfree(dic);
return 0;
}
else{
dic->kernel_info.net.a4 = subnet_tmp.addr.u.v4.sin_addr.s_addr;
continue;
}
case 'Q':
pseudo_start_pluto = 1;
dic->kernel_info.flag=IPSEC_PRINT_INTERFACE_TEMP;
dic->kernel_info.connid = atoi(optarg);
continue;
case 'V':
{
restore_vrf_pluto = 1;
}
continue;
default:
if (c >= DBG_OFFSET)
{
dic->public_info.public_info_flag=1;
dic->public_info.public_info_value |= c - DBG_OFFSET;
}
continue;
bad_case(c);
}
break;
}
/**
if(restore_vrf_pluto)
{
ipsec_restore_vrf_pluto();
}
**/
ipsec_restore_vrf_pluto();
{
u32 err;
conplat_syscall(MODULEID_OSBASIC, OSBASIC_GET_VRF_ID, &g_ipsec_vrf_id, sizeof(g_ipsec_vrf_id), (s32*)(&err));
if(err != 0)
{
g_ipsec_vrf_id = 0;
}
sprintf(pluto_lock + strlen(pluto_lock), "_%d", g_ipsec_vrf_id);
sprintf(ctl_addr.sun_path+ strlen(ctl_addr.sun_path), "_%d", g_ipsec_vrf_id);
sprintf(ws_ctl_addr.sun_path+ strlen(ws_ctl_addr.sun_path), "_%d", g_ipsec_vrf_id);
}
switch(dic->com_type)
{
case IPSEC_DEBUG_STAR_HANDLE:
if(dic->public_info.public_info_flag)
{
cur_debugging = dic->public_info.public_info_value;
}
if(dic->public_info.log_falg)
{
g_log_level = dic->public_info.log_level_info;
}
break;
case IPSEC_DEBUG_USER_HANDLE:
send_connection_debug(dic, IPSEC_DEBUG_USER_HANDLE);
pfree(dic);
return 0;
case IPSEC_DEBUG_KERNEL_HANDLE:
if(pseudo_start_pluto == 1)
{
u32 syscall_result = 0;
if((dic->kernel_info.flag==IPSEC_PRINT_INTERFACE_TEMP)&&(0 == dic->kernel_info.ifindex))
{
fprintf(stderr,"you must input the if name\n");
pfree(dic);
return 0;
}
conplat_syscall(MODULEID_IPSEC_POLICY, IPSEC_MODULE_DEBUG_PART, (void *)(&dic->kernel_info), sizeof(struct ipsec_user_debug_info), (s32 *)(&syscall_result));
if(g_ipsec_device_is_dpx)
{
(u32)conplat_syscall(FW_MODULEID_IPSEC | FW_BOARD, IPSEC_MODULE_DEBUG_PART, (void *)(&dic->kernel_info), sizeof(struct ipsec_user_debug_info), (s32 *)(&syscall_result));
}
}
else
{
fprintf(stderr,"after --kernel ,you must input the right command\n");
}
pfree(dic);
return 0;
case IPSEC_DEBUG_QUIT_HANDLE:
send_connection_debug(dic, IPSEC_DEBUG_QUIT_HANDLE);
pfree(dic);
return 0;
default:
fprintf(stderr,"you must input --start --quit --user or --kernel\n");
exit(0);
}
pfree(dic);
}
if (optind != argc)
{
usage("unexpected argument");
}
//如果你想再重启设备后默认打开调试开关
#if 0
cur_debugging = DBG_ALL;
#endif
lockfd = create_lock();
g_log_level |= ws_get_log_level(); //获得显示级别
g_ipsec_multiout = ws_get_multiOut(); //获取多接口转发标志位
if(g_ipsec_multiout)
{
int res;
conplat_syscall(MODULEID_IPSEC_POLICY, IPSEC_MODULE_MULTI_OUT, &(g_ipsec_multiout), sizeof(g_ipsec_multiout), &res);
}
ipsec_restore_tunnel_ipsec();
ipsec_init_lv2_switch();
ipsec_init_route_mode();
ipsec_init_user_syn();
ipsec_init_compress_enable();
ipsec_init_udp_checksum_switch();
ipsec_init_cookie();
ipsec_esp_alg_init();
init_vendorid();
//daemon之前销毁缓冲池中的数据库句柄,使用make_daemon不用加此函数
sqlite3_clear_buffer_ex();
{
{
pid_t pid = fork();
if (pid < 0)
{
int e = errno;
fprintf(stderr, "pluto: fork failed (%d %s)\n",errno, strerror(e));
exit_pluto(1);
}
if (pid != 0)
{
/* parent: die, after filling PID into lock file.
* must not use exit_pluto: lock would be removed!
*/
exit(fill_lock(lockfd, pid)? 0 : 1);
}
}
if (setsid() < 0)
{
int e = errno;
fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",errno, strerror(e));
exit_pluto(1);
}
}
/** Close everything but and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
{
close(i);
}
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
{
IPSEC_abort();
}
if (dup2(0, 1) != 1)
{
IPSEC_abort();
}
}
init_constants();
init_pluto_vendorid();
ipsec_version_code();
ipsec_get_slot_bit(); // 需要放在ipsec_template_delete_all 前面
ipsec_template_delete_all();
ipsec_enable_flag(1);
ipsec_init_nat_traversal();
init_rnd_pool();
init_states();
init_connections();//添加到elist链中phase2 pending timer
init_crypto();
ipsec_drv_rsa_para_init(); //初始化使用硬件模幂运算时的固定参数
load_oswcrypto();
init_demux();
/* loading X.509 CA certificates */
load_authcerts("CA cert", "/config/sys/certificate/cacerts", AUTH_CA);
/* loading X.509 CRLs */
load_crls();
fflush(stderr);
fflush(stdout);
IPSEC_dbg("listening for IKE messages");
init_ws_ctl_socket();
/*初始化dpdns守护进程*/
ipsec_dpdns_init_helper();
/*读取DPVPN相关配置并初始化*/
//ipsec_dpvpn_init_cfg();
/*该操作放在操作数据库之后的主进程处理不能再数据操作*/
sqlite3_clear_buffer_ex();
/*初始化子进程*/
ipsec_child_init_helpers();
ipsec_main_call_server();
return -1; /* Shouldn't ever reach this */
}
bool dag_network::set_interface_filter(const char *filter)
{
ip_subnet i6;
ttosubnet(filter, 0, AF_INET6, &i6);
set_interface_filter(i6);
}
