err_t ipsec_policy_init(void)
{
struct sockaddr_un sn;
if(policy_query_socket != -1) {
return NULL;
}
policy_query_socket = safe_socket(PF_UNIX, SOCK_STREAM, 0);
if(policy_query_socket == -1) {
return "failed to open policy socket";
}
/* now connect it */
sn.sun_family = AF_UNIX;
strcpy(sn.sun_path, IPSEC_POLICY_SOCKET);
if(connect(policy_query_socket, (struct sockaddr *)&sn, sizeof(sn)) != 0) {
int saveerrno = errno;
close(policy_query_socket);
policy_query_socket=-1;
errno = saveerrno;
return "failed to connect policy socket";
}
/* okay, I think we are done */
return NULL;
}
int open_udp_sock(unsigned short port)
{
struct sockaddr_in s;
int one;
int fd;
fd = safe_socket(PF_INET, SOCK_DGRAM, 0);
if(fd == -1) {
perror("socket");
exit(10);
}
memset(&s, 0, sizeof(struct sockaddr_in));
s.sin_family = AF_INET;
s.sin_port = htons(port);
s.sin_addr.s_addr = INADDR_ANY;
if(bind(fd, (struct sockaddr *)&s, sizeof(struct sockaddr_in))==-1) {
perror("bind");
exit(11);
}
one = 1;
#if !(defined(macintosh) || (defined(__MACH__) && defined(__APPLE__)))
if(setsockopt(fd, SOL_IP, IP_IPSEC_REFINFO, &one, sizeof(one)) != 0) {
perror("setsockopt recvref");
exit(12);
}
#endif
return fd;
}
int starter_ifaces_load (char **ifaces, unsigned int omtu, int nat_t)
{
char *tmp_phys, *phys;
unsigned int n;
char **i;
int sock;
int j, found;
int ret = 0;
starter_log(LOG_LEVEL_DEBUG, "starter_ifaces_load()");
sock = safe_socket(AF_INET, SOCK_DGRAM, 0);
if (sock < 0) return -1;
for (j=0; j<N_IPSEC_IF; j++) {
found = 0;
for (i=ifaces; i && *i; i++) {
if ((valid_str(*i, &n, &tmp_phys)) && (tmp_phys) &&
(n>=0) && (n<N_IPSEC_IF)) {
if (n==j) {
if (found) {
starter_log(LOG_LEVEL_ERR,
"ignoring duplicate entry for interface ipsec%d",
j);
}
else {
found++;
phys = starter_find_physical_iface(sock, tmp_phys);
if (phys) {
ret += _iface_up (sock, &(_ipsec_if[n]), phys,
omtu, nat_t);
}
else {
ret += _iface_down (sock, &(_ipsec_if[n]));
}
}
}
}
else if (j==0) {
/**
* Only log in the first loop
*/
starter_log(LOG_LEVEL_ERR, "ignoring invalid interface '%s'",
*i);
}
}
if (!found)
ret += _iface_down (sock, &(_ipsec_if[j]));
}
close(sock);
return ret; /* = number of changes - 'whack --listen' if > 0 */
}
void starter_ifaces_clear (void)
{
int sock;
unsigned int i;
sock = safe_socket(AF_INET, SOCK_DGRAM, 0);
if (sock < 0) return;
for (i=0; i<N_IPSEC_IF; i++) {
_iface_down (sock, &(_ipsec_if[i]));
}
}
int starter_iface_find(char *iface, int af, ip_address *dst, ip_address *nh)
{
char *phys;
struct ifreq req;
struct sockaddr_in *sa = (struct sockaddr_in *)(&req.ifr_addr);
int sock;
if (!iface) return -1;
sock = safe_socket(af, SOCK_DGRAM, 0);
if (sock < 0) return -1;
phys = starter_find_physical_iface(sock, iface);
if (!phys) goto failed;
strncpy(req.ifr_name, phys, IFNAMSIZ);
if (ioctl(sock, SIOCGIFFLAGS, &req)!=0) goto failed;
if (!(req.ifr_flags & IFF_UP)) goto failed;
if ((req.ifr_flags & IFF_POINTOPOINT) && (nh) &&
(ioctl(sock, SIOCGIFDSTADDR, &req)==0)) {
if (sa->sin_family == af) {
initaddr((const void *)&sa->sin_addr,
sizeof(struct in_addr), af, nh);
}
}
if ((dst) && (ioctl(sock, SIOCGIFADDR, &req)==0)) {
if (sa->sin_family == af) {
initaddr((const void *)&sa->sin_addr,
sizeof(struct in_addr), af, dst);
}
}
close(sock);
return 0;
failed:
close(sock);
return -1;
}
/*******************************************************************************
函数名称: init_ws_ctl_socket
功能描述: 初始化web_services control套接字
输入参数:
输出参数: 无
返 回 值 : err_t:返回错误信息,成功返回NULL
--------------------------------------------------------------------------------
最近一次修改记录 :
修改作者: tiangu
修改目的: 创建新函数
修改日期: 2010-4-20
*******************************************************************************/
err_t init_ws_ctl_socket(void)
{
err_t failed = NULL;
delete_ws_ctl_socket(); /* preventative medicine */
ws_ctl_fd = safe_socket(AF_UNIX, SOCK_STREAM, 0);
int size = offsetof(struct sockaddr_un, sun_path) + strlen(ws_ctl_addr.sun_path);
if (ws_ctl_fd == -1)
{
failed = "create";
}
else if (setsockopt(ws_ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
{
failed = "setsockopt";
}
else
{
mode_t ou = umask(0);
if (bind(ws_ctl_fd, (struct sockaddr *)&ws_ctl_addr, size) < 0)
{
failed = "bind";
}
umask(ou);
}
if (failed == NULL && listen(ws_ctl_fd, 5) < 0)
{
failed = "listen() on";
}
return failed == NULL? NULL : builddiag("could not %s ws_ctl socket: %d %s"
, failed, errno, strerror(errno));
}
int main(int argc, char **argv)
{
struct sockaddr_in from, to, in;
char buf[TESTLEN];
char *destip = DESTIP;
int port = DEF_PORT;
int n, server_socket, client_socket, fl, tl, pid;
if (argc > 1) destip = argv[1];
if (argc > 2) port = atoi(argv[2]);
in.sin_family = AF_INET;
#ifdef NEED_SIN_LEN
in.sin_len = sizeof( struct sockaddr_in );
#endif
in.sin_addr.s_addr = INADDR_ANY;
in.sin_port = htons(port);
fl = tl = sizeof(struct sockaddr_in);
memset(&from, 0, sizeof(from));
memset(&to, 0, sizeof(to));
switch(pid = fork()) {
case -1:
perror("fork");
return 0;
case 0:
/* child */
usleep(100000);
goto client;
}
/* parent: server */
server_socket = safe_socket(PF_INET, SOCK_DGRAM, 0);
if (udpfromto_init(server_socket) != 0) {
perror("udpfromto_init\n");
waitpid(pid, NULL, WNOHANG);
return 0;
}
if (bind(server_socket, (struct sockaddr *)&in, sizeof(in)) < 0) {
perror("server: bind");
waitpid(pid, NULL, WNOHANG);
return 0;
}
printf("server: waiting for packets on INADDR_ANY:%d\n", port);
if ((n = recvfromto(server_socket, buf, sizeof(buf), 0,
(struct sockaddr *)&from, &fl,
(struct sockaddr *)&to, &tl)) < 0) {
perror("server: recvfromto");
waitpid(pid, NULL, WNOHANG);
return 0;
}
printf("server: received a packet of %d bytes [%s] ", n, buf);
printf("(src ip:port %s:%d ",
inet_ntoa(from.sin_addr), ntohs(from.sin_port));
printf(" dst ip:port %s:%d)\n",
inet_ntoa(to.sin_addr), ntohs(to.sin_port));
printf("server: replying from address packet was received on to source address\n");
if ((n = sendfromto(server_socket, buf, n, 0,
(struct sockaddr *)&to, tl,
(struct sockaddr *)&from, fl)) < 0) {
perror("server: sendfromto");
}
waitpid(pid, NULL, 0);
return 0;
client:
close(server_socket);
client_socket = safe_socket(PF_INET, SOCK_DGRAM, 0);
if (udpfromto_init(client_socket) != 0) {
perror("udpfromto_init");
_exit(0);
}
/* bind client on different port */
in.sin_port = htons(port+1);
if (bind(client_socket, (struct sockaddr *)&in, sizeof(in)) < 0) {
perror("client: bind");
_exit(0);
}
in.sin_port = htons(port);
in.sin_addr.s_addr = inet_addr(destip);
printf("client: sending packet to %s:%d\n", destip, port);
if (sendto(client_socket, TESTSTRING, TESTLEN, 0,
(struct sockaddr *)&in, sizeof(in)) < 0) {
perror("client: sendto");
_exit(0);
}
printf("client: waiting for reply from server on INADDR_ANY:%d\n", port+1);
if ((n = recvfromto(client_socket, buf, sizeof(buf), 0,
(struct sockaddr *)&from, &fl,
(struct sockaddr *)&to, &tl)) < 0) {
perror("client: recvfromto");
_exit(0);
}
printf("client: received a packet of %d bytes [%s] ", n, buf);
printf("(src ip:port %s:%d",
inet_ntoa(from.sin_addr), ntohs(from.sin_port));
printf(" dst ip:port %s:%d)\n",
inet_ntoa(to.sin_addr), ntohs(to.sin_port));
_exit(0);
}
int main(int argc, char *argv[])
{
struct ifreq ifr;
zero(&ifr);
program_name = argv[0];
s = safe_socket(AF_INET, SOCK_DGRAM, 0);
if (s == -1) {
fprintf(stderr, "%s: Socket creation failed:%s ",
program_name, strerror(errno));
exit(1);
}
/* if (ioctl(fd, SIOCDEVPRIVATE, &ifr) >= 0) { */
if (ioctl(s, shc->cf_cmd, &ifr) == -1) {
if (shc->cf_cmd == IPSEC_SET_DEV) {
fprintf(stderr,
"%s: Socket ioctl failed on attach -- ",
program_name);
switch (errno) {
case EINVAL:
fprintf(stderr,
"Invalid argument, check kernel log messages for specifics.\n");
break;
case ENODEV:
fprintf(stderr,
"No such device. Is the virtual device valid? Is the ipsec module linked into the kernel or loaded as a module?\n");
break;
case ENXIO:
fprintf(stderr,
"No such device. Is the physical device valid?\n");
break;
case EBUSY:
fprintf(stderr,
"Device busy. Virtual device %s is already attached to a physical device -- Use detach first.\n",
ifr.ifr_name);
break;
default:
fprintf(stderr, "Unknown socket error %d.\n",
errno);
}
exit(1);
}
if (shc->cf_cmd == IPSEC_DEL_DEV) {
fprintf(stderr,
"%s: Socket ioctl failed on detach -- ",
program_name);
switch (errno) {
case EINVAL:
fprintf(stderr,
"Invalid argument, check kernel log messages for specifics.\n");
break;
case ENODEV:
fprintf(stderr,
"No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.\n");
break;
case ENXIO:
fprintf(stderr,
"Device requested is not linked to any physical device.\n");
break;
default:
fprintf(stderr, "Unknown socket error %d.\n",
errno);
}
exit(1);
}
if (shc->cf_cmd == IPSEC_CLR_DEV) {
fprintf(stderr, "%s: Socket ioctl failed on clear -- ",
program_name);
switch (errno) {
case EINVAL:
fprintf(stderr,
"Invalid argument, check kernel log messages for specifics.\n");
break;
case ENODEV:
fprintf(stderr,
"Failed. Is the ipsec module linked into the kernel or loaded as a module?.\n");
break;
default:
fprintf(stderr, "Unknown socket error %d.\n",
errno);
}
exit(1);
}
}
exit(0);
}
int main(int argc, char *argv[])
{
int opt;
ssize_t readlen;
unsigned char pfkey_buf[256];
struct sadb_msg *msg;
int fork_after_register;
char *pidfilename;
char *infilename;
char *outfilename;
static int ah_register;
static int esp_register;
static int ipip_register;
static int ipcomp_register;
static struct option long_options[] =
{
{ "help", no_argument, 0, 'h' },
{ "daemon", required_argument, 0, 'f' },
{ "dumpfile", required_argument, 0, 'd' },
{ "encodefile", required_argument, 0, 'e' },
{ "ah", no_argument, &ah_register, 1 },
{ "esp", no_argument, &esp_register, 1 },
{ "ipip", no_argument, &ipip_register, 1 },
{ "ipcomp", no_argument, &ipcomp_register, 1 },
};
ah_register = 0;
esp_register = 0;
ipip_register = 0;
ipcomp_register = 0;
dienow = 0;
fork_after_register = 0;
pidfilename = NULL;
infilename = NULL;
outfilename = NULL;
progname = argv[0];
if (strrchr(progname, '/'))
progname = strrchr(progname, '/') + 1;
while ((opt = getopt_long(argc, argv, "hd:e:f:",
long_options, NULL)) != EOF) {
switch (opt) {
case 'f':
pidfilename = optarg;
fork_after_register = 1;
break;
case 'd':
infilename = optarg;
break;
case 'e':
outfilename = optarg;
break;
case 'h':
Usage();
break;
case '0':
/* it was a long option with a flag */
break;
}
}
if (infilename == NULL &&
outfilename == NULL) {
if ((pfkey_sock =
safe_socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
fprintf(stderr,
"%s: failed to open PF_KEY family socket: %s\n",
progname, strerror(errno));
exit(1);
}
if (ah_register == 0 &&
esp_register == 0 &&
ipip_register == 0 &&
ipcomp_register == 0) {
ah_register = 1;
esp_register = 1;
ipip_register = 1;
ipcomp_register = 1;
}
if (ah_register)
pfkey_register(K_SADB_SATYPE_AH);
if (esp_register)
pfkey_register(K_SADB_SATYPE_ESP);
if (ipip_register)
pfkey_register(K_SADB_X_SATYPE_IPIP);
if (ipcomp_register)
pfkey_register(K_SADB_X_SATYPE_COMP);
if (fork_after_register) {
/*
* to aid in regression testing, we offer to register
* everything first, and then we fork. As part of this
* we write the PID of the new process to a file
* provided.
*/
int pid;
FILE *pidfile;
fflush(stdout);
fflush(stderr);
pid = fork();
if (pid != 0) {
/* in parent! */
exit(0);
}
if ((pidfile = fopen(pidfilename, "w")) == NULL) {
perror(pidfilename);
} else {
fprintf(pidfile, "%d", getpid());
fclose(pidfile);
}
}
} else if (infilename != NULL) {
pfkey_sock = open(infilename, O_RDONLY);
if (pfkey_sock < 0) {
fprintf(stderr, "%s: failed to open %s: %s\n",
progname, infilename, strerror(errno));
exit(1);
}
} else if (outfilename != NULL) {
/* call encoder */
exit(1);
}
signal(SIGINT, controlC);
signal(SIGTERM, controlC);
while ((readlen =
read(pfkey_sock, pfkey_buf, sizeof(pfkey_buf))) > 0) {
msg = (struct sadb_msg *)pfkey_buf;
/* first, see if we got enough for an sadb_msg */
if ((size_t)readlen < sizeof(struct sadb_msg)) {
printf("%s: runt packet of size: %d (<%lu)\n",
progname, (int)readlen,
(unsigned long)sizeof(struct sadb_msg));
continue;
}
/* okay, we got enough for a message, print it out */
printf(
"\npfkey v%d msg. type=%d(%s) seq=%d len=%d pid=%d errno=%d satype=%d(%s)\n",
msg->sadb_msg_version,
msg->sadb_msg_type,
pfkey_v2_sadb_type_string(msg->sadb_msg_type),
msg->sadb_msg_seq,
msg->sadb_msg_len,
msg->sadb_msg_pid,
msg->sadb_msg_errno,
msg->sadb_msg_satype,
satype2name(msg->sadb_msg_satype));
if ((size_t)readlen != msg->sadb_msg_len *
IPSEC_PFKEYv2_ALIGN) {
printf(
"%s: packet size read from socket=%d doesn't equal sadb_msg_len %d * %u; message not decoded\n",
progname,
(int) readlen,
msg->sadb_msg_len,
(int) IPSEC_PFKEYv2_ALIGN);
continue;
}
pfkey_print(msg, stdout);
}
printf("%s: exited normally\n", progname);
exit(0);
}
struct raw_iface *
find_raw_ifaces4(void)
{
static const int on = TRUE; /* by-reference parameter; constant, we hope */
int j; /* index into buf */
static int num=64; /* number of interfaces */
struct ifconf ifconf;
struct ifreq *buf; /* for list of interfaces -- arbitrary limit */
struct raw_iface *rifaces = NULL;
int master_sock = safe_socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
/* get list of interfaces with assigned IPv4 addresses from system */
if (master_sock == -1)
exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
, (const void *)&on, sizeof(on)) < 0)
exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
/* bind the socket */
{
ip_address any;
happy(anyaddr(AF_INET, &any));
setportof(htons(pluto_port), &any);
if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
}
buf = NULL;
/* a million interfaces is probably the maximum, ever... */
while(num < (1024*1024)) {
/* Get local interfaces. See netdevice(7). */
ifconf.ifc_len = num * sizeof(struct ifreq);
buf = (void *) realloc(buf, ifconf.ifc_len);
if (!buf)
exit_log_errno((e, "realloc of %d in find_raw_ifaces4()",
ifconf.ifc_len));
memset(buf, 0, num*sizeof(struct ifreq));
ifconf.ifc_buf = (void *) buf;
if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
/* if we got back less than we asked for, we have them all */
if (ifconf.ifc_len < (int)(sizeof(struct ifreq) * num))
break;
/* try again and ask for more this time */
num *= 2;
}
/* Add an entry to rifaces for each interesting interface. */
for (j = 0; (j+1) * sizeof(struct ifreq) <= (size_t)ifconf.ifc_len; j++)
{
struct raw_iface ri;
const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
struct ifreq auxinfo;
/* ignore all but AF_INET interfaces */
if (rs->sin_family != AF_INET)
continue; /* not interesting */
/* build a NUL-terminated copy of the rname field */
memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
ri.name[IFNAMSIZ] = '\0';
/* ignore if our interface names were specified, and this isn't one */
if (pluto_ifn_roof != 0)
{
int i;
for (i = 0; i != pluto_ifn_roof; i++)
if (streq(ri.name, pluto_ifn[i]))
break;
if (i == pluto_ifn_roof)
continue; /* not found -- skip */
}
/* Find out stuff about this interface. See netdevice(7). */
zero(&auxinfo); /* paranoia */
memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
exit_log_errno((e
, "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
, ri.name));
if (!(auxinfo.ifr_flags & IFF_UP))
{
DBG(DBG_CONTROL, DBG_log("Ignored interface %s - it is not up"
, ri.name));
continue; /* ignore an interface that isn't UP */
}
if (auxinfo.ifr_flags & IFF_SLAVE)
{
DBG(DBG_CONTROL, DBG_log("Ignored interface %s - it is a slave interface"
, ri.name));
continue; /* ignore slave interfaces; they share IPs with their master */
}
/* ignore unconfigured interfaces */
if (rs->sin_addr.s_addr == 0)
{
DBG(DBG_CONTROL, DBG_log("Ignored interface %s - it is unconfigured"
, ri.name));
continue;
}
happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
, AF_INET, &ri.addr));
DBG(DBG_CONTROL, DBG_log("found %s with address %s"
, ri.name, ip_str(&ri.addr)));
ri.next = rifaces;
rifaces = clone_thing(ri, "struct raw_iface");
}
close(master_sock);
return rifaces;
}
int
main(int argc, char **argv)
{
/* int fd; */
unsigned char action = 0;
int c;
int error = 0;
int argcount = argc;
int em_db_tn, em_db_nl, em_db_xf, em_db_er, em_db_sp;
int em_db_rj, em_db_es, em_db_ah, em_db_rx, em_db_ky;
int em_db_gz, em_db_vb;
struct sadb_ext *extensions[K_SADB_EXT_MAX + 1];
struct sadb_msg *pfkey_msg;
em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0;
em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0;
em_db_gz=em_db_vb=0;
program_name = argv[0];
while((c = getopt_long(argc, argv, ""/*"s:c:anhvl:+:d"*/, longopts, 0)) != EOF) {
switch(c) {
case 'd':
pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
argcount--;
break;
case 's':
if(action) {
fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
program_name);
exit(1);
}
action = 's';
em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0;
em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0;
em_db_gz=em_db_vb=0;
if(strcmp(optarg, "all") == 0) {
em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=-1;
em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=-1;
em_db_gz=-1;
em_db_vb= 0;
} else if(strcmp(optarg, "tunnel") == 0) {
em_db_tn = -1L;
} else if(strcmp(optarg, "tncfg") == 0) {
em_db_tn = DB_TN_REVEC;
} else if(strcmp(optarg, "xmit") == 0
|| strcmp(optarg, "tunnel-xmit") == 0) {
em_db_tn = DB_TN_XMIT;
} else if(strcmp(optarg, "netlink") == 0) {
em_db_nl = -1L;
} else if(strcmp(optarg, "xform") == 0) {
em_db_xf = -1L;
} else if(strcmp(optarg, "eroute") == 0) {
em_db_er = -1L;
} else if(strcmp(optarg, "spi") == 0) {
em_db_sp = -1L;
} else if(strcmp(optarg, "radij") == 0) {
em_db_rj = -1L;
} else if(strcmp(optarg, "esp") == 0) {
em_db_es = -1L;
} else if(strcmp(optarg, "ah") == 0) {
em_db_ah = -1L;
} else if(strcmp(optarg, "rcv") == 0) {
em_db_rx = -1L;
} else if(strcmp(optarg, "pfkey") == 0) {
em_db_ky = -1L;
} else if(strcmp(optarg, "comp") == 0) {
em_db_gz = -1L;
} else if(strcmp(optarg, "verbose") == 0) {
em_db_vb = -1L;
} else {
fprintf(stdout, "%s: unknown set argument '%s'\n",
program_name, optarg);
usage(program_name);
}
em_db_nl |= 1 << (sizeof(em_db_nl) * 8 -1);
break;
case 'c':
if(action) {
fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
program_name);
exit(1);
}
em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=-1;
em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=-1;
em_db_gz=em_db_vb=-1;
action = 'c';
if(strcmp(optarg, "all") == 0) {
em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0;
em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0;
em_db_gz=em_db_vb=0;
} else if(strcmp(optarg, "tunnel") == 0) {
em_db_tn = 0;
} else if(strcmp(optarg, "tunnel-xmit") == 0
|| strcmp(optarg, "xmit") == 0) {
em_db_tn = ~DB_TN_XMIT;
} else if(strcmp(optarg, "netlink") == 0) {
em_db_nl = 0;
} else if(strcmp(optarg, "xform") == 0) {
em_db_xf = 0;
} else if(strcmp(optarg, "eroute") == 0) {
em_db_er = 0;
} else if(strcmp(optarg, "spi") == 0) {
em_db_sp = 0;
} else if(strcmp(optarg, "radij") == 0) {
em_db_rj = 0;
} else if(strcmp(optarg, "esp") == 0) {
em_db_es = 0;
} else if(strcmp(optarg, "ah") == 0) {
em_db_ah = 0;
} else if(strcmp(optarg, "rcv") == 0) {
em_db_rx = 0;
} else if(strcmp(optarg, "pfkey") == 0) {
em_db_ky = 0;
} else if(strcmp(optarg, "comp") == 0) {
em_db_gz = 0;
} else if(strcmp(optarg, "verbose") == 0) {
em_db_vb = 0;
} else {
fprintf(stdout, "%s: unknown clear argument '%s'\n",
program_name, optarg);
usage(program_name);
}
em_db_nl &= ~(1 << (sizeof(em_db_nl) * 8 -1));
break;
case 'a':
if(action) {
fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
program_name);
exit(1);
}
action = 'a';
em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=-1;
em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=-1;
em_db_gz=-1;
em_db_vb= 0;
break;
case 'n':
if(action) {
fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
program_name);
exit(1);
}
action = 'n';
em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0;
em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0;
em_db_gz=em_db_vb=0;
break;
case 'h':
case '?':
usage(program_name);
exit(1);
case 'v':
fprintf(stdout, "klipsdebug (Openswan %s) \n",
ipsec_version_code());
fputs(copyright, stdout);
exit(0);
case 'l':
program_name = malloc(strlen(argv[0])
+ 10 /* update this when changing the sprintf() */
+ strlen(optarg));
sprintf(program_name, "%s --label %s",
argv[0],
optarg);
argcount -= 2;
break;
case '+': /* optionsfrom */
optionsfrom(optarg, &argc, &argv, optind, stderr);
/* no return on error */
break;
default:
fprintf(stdout, "%s: unknown option '%s'\n",
program_name, argv[optind]);
break;
}
}
if(argcount == 1) {
int ret = system("cat /proc/net/ipsec_klipsdebug");
exit(ret != -1 && WIFEXITED(ret) ? WEXITSTATUS(ret) : 1);
}
if(!action) {
usage(program_name);
}
if((pfkey_sock = safe_socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: ",
program_name);
switch(errno) {
case ENOENT:
fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
break;
case EACCES:
fprintf(stderr, "access denied. ");
if(getuid() == 0) {
fprintf(stderr, "Check permissions. Should be 600.\n");
} else {
fprintf(stderr, "You must be root to open this file.\n");
}
break;
case EUNATCH:
fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
break;
case ENODEV:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
break;
case EBUSY:
fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
break;
case EINVAL:
fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n");
break;
case ENOBUFS:
fprintf(stderr, "No kernel memory to allocate SA.\n");
break;
case ESOCKTNOSUPPORT:
fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
break;
case EEXIST:
fprintf(stderr, "SA already in use. Delete old one first.\n");
break;
case ENXIO:
fprintf(stderr, "SA does not exist. Cannot delete.\n");
break;
case EAFNOSUPPORT:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
break;
default:
fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n", errno);
}
exit(1);
}
pfkey_extensions_init(extensions);
if((error = pfkey_msg_hdr_build(&extensions[0],
SADB_X_DEBUG,
0,
0,
++pfkey_seq,
getpid()))) {
fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
program_name, error);
pfkey_extensions_free(extensions);
exit(1);
}
if((error = pfkey_x_debug_build(&extensions[SADB_X_EXT_DEBUG],
em_db_tn,
em_db_nl,
em_db_xf,
em_db_er,
em_db_sp,
em_db_rj,
em_db_es,
em_db_ah,
em_db_rx,
em_db_ky,
em_db_gz,
em_db_vb))) {
fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
program_name, error);
pfkey_extensions_free(extensions);
exit(1);
}
if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
program_name, error);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
exit(1);
}
if((error = write(pfkey_sock,
pfkey_msg,
pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) !=
(ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
fprintf(stderr,
"%s: pfkey write failed, tried to write %u octets, returning %d with errno=%d.\n",
program_name,
(unsigned)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN),
error,
errno);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
switch(errno) {
case EACCES:
fprintf(stderr, "access denied. ");
if(getuid() == 0) {
fprintf(stderr, "Check permissions. Should be 600.\n");
} else {
fprintf(stderr, "You must be root to open this file.\n");
}
break;
case EUNATCH:
fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
break;
case EBUSY:
fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
break;
case EINVAL:
fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
break;
case ENODEV:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
fprintf(stderr, "No device?!?\n");
break;
case ENOBUFS:
fprintf(stderr, "No kernel memory to allocate SA.\n");
break;
case ESOCKTNOSUPPORT:
fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
break;
case EEXIST:
fprintf(stderr, "SA already in use. Delete old one first.\n");
break;
case ENOENT:
fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
break;
case ENXIO:
fprintf(stderr, "SA does not exist. Cannot delete.\n");
break;
case ENOSPC:
fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n");
break;
case ESPIPE:
fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n");
break;
default:
fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n", errno);
}
exit(1);
}
if(pfkey_msg) {
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
}
(void) close(pfkey_sock); /* close the socket */
exit(0);
}
struct raw_iface *find_raw_ifaces4(void)
{
static const int on = TRUE; /* by-reference parameter; constant, we hope */
int j; /* index into buf */
struct ifconf ifconf;
struct ifreq *buf = NULL; /* for list of interfaces -- arbitrary limit */
struct ifreq *bp; /* cursor into buf */
struct raw_iface *rifaces = NULL;
int master_sock = safe_socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
/*
* Current upper bound on number of interfaces.
* Tricky: because this is a static, we won't have to start from
* 64 in subsequent calls.
*/
static int num = 64; /* number of interfaces */
/* get list of interfaces with assigned IPv4 addresses from system */
if (master_sock == -1)
exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR,
(const void *)&on, sizeof(on)) < 0)
exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
/* bind the socket */
{
ip_address any;
happy(anyaddr(AF_INET, &any));
setportof(htons(pluto_port), &any);
if (bind(master_sock, sockaddrof(&any),
sockaddrlenof(&any)) < 0)
exit_log_errno((e,
"bind() failed in find_raw_ifaces4()"));
}
/* a million interfaces is probably the maximum, ever... */
for (; num < (1024 * 1024); num *= 2) {
/* Get num local interfaces. See netdevice(7). */
ifconf.ifc_len = num * sizeof(struct ifreq);
buf = realloc(buf, ifconf.ifc_len);
if (buf == NULL) {
exit_log_errno((e,
"realloc of %d in find_raw_ifaces4()",
ifconf.ifc_len));
}
memset(buf, 0xDF, ifconf.ifc_len); /* stomp */
ifconf.ifc_buf = (void *) buf;
if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
exit_log_errno((e,
"ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
/* if we got back less than we asked for, we have them all */
if (ifconf.ifc_len < (int)(sizeof(struct ifreq) * num))
break;
}
/* Add an entry to rifaces for each interesting interface.
On Apple, the size of struct ifreq depends on the contents of
the union. See if.h */
for (bp = buf, j = 0;
bp < (unsigned char *)buf + (size_t)ifconf.ifc_len;
bp = (struct ifreq *)
((unsigned char *)bp +_SIZEOF_ADDR_IFREQ(*bp)),
j++) {
struct raw_iface ri;
const struct sockaddr_in *rs =
(struct sockaddr_in *) &bp->ifr_addr;
struct ifreq auxinfo;
/* ignore all but AF_INET interfaces */
if (rs->sin_family != AF_INET)
continue; /* not interesting */
/* build a NUL-terminated copy of the rname field */
memcpy(ri.name, bp->ifr_name, IFNAMSIZ);
ri.name[IFNAMSIZ] = '\0';
/* ignore if our interface names were specified, and this isn't one */
if (pluto_ifn_roof != 0) {
int i;
for (i = 0; i != pluto_ifn_roof; i++)
if (streq(ri.name, pluto_ifn[i]))
break;
if (i == pluto_ifn_roof)
continue; /* not found -- skip */
}
/* Find out stuff about this interface. See netdevice(7). */
zero(&auxinfo); /* paranoia */
memcpy(auxinfo.ifr_name, bp->ifr_name, IFNAMSIZ);
if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1) {
exit_log_errno((e,
"ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()",
ri.name));
}
if (!(auxinfo.ifr_flags & IFF_UP))
continue; /* ignore an interface that isn't UP */
/* ignore unconfigured interfaces */
if (rs->sin_addr.s_addr == 0)
continue;
happy(initaddr((const void *)&rs->sin_addr,
sizeof(struct in_addr),
AF_INET, &ri.addr));
DBG(DBG_CONTROL, {
ipstr_buf b;
DBG_log("found %s with address %s",
ri.name, ipstr(&ri.addr, &b));
});
ri.next = rifaces;
rifaces = clone_thing(ri, "struct raw_iface");
}
int
main(int argc, char **argv)
{
char *foo;
const char *errstr;
int s;
int listen_only;
int lport,dport;
int afamily;
int pfamily;
int c;
int numSenders, numReceived;
int natt;
int waitTime;
int verbose;
ip_address laddr, raddr;
char *afam = "";
progname = argv[0];
afamily=AF_INET;
pfamily=PF_INET;
lport=500;
dport=500;
waitTime=3*1000;
verbose=0;
natt=0;
listen_only=0;
bzero(&laddr, sizeof(laddr));
while((c = getopt_long(argc, argv, "hVvsp:b:46E:w:", long_opts, 0))!=EOF) {
switch (c) {
case 'h': /* --help */
help();
return 0; /* GNU coding standards say to stop here */
case 'V': /* --version */
fprintf(stderr, "Openswan %s\n", ipsec_version_code());
return 0; /* GNU coding standards say to stop here */
case 'v': /* --label <string> */
verbose++;
continue;
case 'T':
natt++;
break;
case 'E':
exchange_number=strtol(optarg, &foo, 0);
if(optarg==foo || exchange_number < 1 || exchange_number>255) {
fprintf(stderr, "Invalid exchange number '%s' (should be 1<=x<255)\n",
optarg);
exit(1);
}
continue;
case 's':
listen_only++;
continue;
case 'p':
lport=strtol(optarg, &foo, 0);
if(optarg==foo || lport <0 || lport>65535) {
fprintf(stderr, "Invalid port number '%s' (should be 0<=x<65536)\n",
optarg);
exit(1);
}
fprintf(stderr, "setting source port to %u\n", lport);
continue;
case 'w':
/* convert msec to sec */
waitTime=strtol(optarg, &foo, 0)*500;
if(optarg==foo || waitTime < 0) {
fprintf(stderr, "Invalid waittime number '%s' (should be 0<=x)\n",
optarg);
exit(1);
}
continue;
case 'b':
errstr = ttoaddr(optarg, strlen(optarg), afamily, &laddr);
if(errstr!=NULL) {
fprintf(stderr, "Invalid local address '%s': %s\n",
optarg, errstr);
exit(1);
}
continue;
case '4':
afamily=AF_INET;
pfamily=PF_INET;
afam = "IPv4";
continue;
case '6':
afamily=AF_INET6;
pfamily=PF_INET6;
afam = "IPv6";
continue;
default:
help();
}
}
s=safe_socket(pfamily, SOCK_DGRAM, IPPROTO_UDP);
if(s < 0) {
perror("socket");
exit(3);
}
switch(afamily) {
case AF_INET:
laddr.u.v4.sin_family= AF_INET;
laddr.u.v4.sin_port = htons(lport);
if(bind(s, (struct sockaddr *)&laddr.u.v4, sizeof(laddr.u.v4)) < 0) {
fprintf(stderr, "warning, unable to bind v4 socket port %u: %s"
, lport, strerror(errno));
}
break;
case AF_INET6:
laddr.u.v6.sin6_family= AF_INET6;
laddr.u.v6.sin6_port = htons(lport);
if(bind(s, (struct sockaddr *)&laddr.u.v6, sizeof(laddr.u.v6)) < 0) {
fprintf(stderr, "warning, unable to bind v6 socket to port %u: %s"
, lport, strerror(errno));
}
break;
}
if(natt) {
int r;
/* only support RFC method */
int type = ESPINUDP_WITH_NON_ESP;
r = setsockopt(s, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
if ((r<0) && (errno == ENOPROTOOPT)) {
fprintf(stderr,
"NAT-Traversal: ESPINUDP(%d) not supported by kernel for family %s"
, type, afam);
}
}
numSenders = 0;
if(!listen_only) {
while(optind < argc) {
char *port;
char *host;
char namebuf[128];
host = argv[optind];
port = strchr(host, '/');
dport=500;
if(port) {
*port='\0';
port++;
dport= strtol(port, &foo, 0);
if(port==foo || dport < 0 || dport > 65535) {
fprintf(stderr, "Invalid port number '%s' "
"(should be 0<=x<65536)\n",
port);
exit(1);
}
}
errstr = ttoaddr(host, strlen(host),
afamily, &raddr);
if(errstr!=NULL) {
fprintf(stderr, "Invalid remote address '%s': %s\n",
host, errstr);
exit(1);
}
addrtot(&raddr, 0, namebuf, sizeof(namebuf));
printf("Sending packet to %s/%d\n", namebuf, dport);
send_ping(afamily, s, &raddr, dport);
numSenders++;
optind++;
}
}
numReceived=0;
/* really should catch ^C and print stats on exit */
while(numSenders > 0 || listen_only) {
struct pollfd ready;
int n;
ready.fd = s;
ready.events = POLLIN;
n = poll(&ready, 1, waitTime);
if(n < 0) {
if(errno != EINTR) {
perror("poll");
exit(1);
}
}
if(n == 0 && !listen_only) {
break;
}
if(n == 1) {
numReceived++;
receive_ping(afamily, s, listen_only, natt);
}
}
printf("%d packets sent, %d packets received. %d%% packet loss\n",
numSenders,
numReceived,
numSenders > 0 ? 100-numReceived*100/numSenders : 0);
exit(numSenders - numReceived);
}
int
main(int argc, char *argv[])
{
struct ifreq ifr;
struct ipsectunnelconf shc;
int s;
int c;
int argcount = argc;
int createdelete = 0;
char virtname[64];
struct stat sts;
memset(&ifr, 0, sizeof(ifr));
memset(&shc, 0, sizeof(shc));
virtname[0]='\0';
progname = argv[0];
tool_init_log();
while((c = getopt_long_only(argc, argv, ""/*"adchvV:P:l:+:"*/, longopts, 0)) != EOF) {
switch(c) {
case 'g':
debug = 1;
argcount--;
break;
case 'a':
check_conflict(shc.cf_cmd, createdelete);
shc.cf_cmd = IPSEC_SET_DEV;
break;
case 'd':
check_conflict(shc.cf_cmd, createdelete);
shc.cf_cmd = IPSEC_DEL_DEV;
break;
case 'c':
check_conflict(shc.cf_cmd, createdelete);
shc.cf_cmd = IPSEC_CLR_DEV;
break;
case 'h':
usage(progname);
break;
case 'v':
if(optarg) {
fprintf(stderr, "%s: warning; '-v' and '--version' options don't expect arguments, arg '%s' found, perhaps unintended.\n",
progname, optarg);
}
fprintf(stdout, "%s, use ipsec --version instead\n", progname);
exit(1);
break;
case 'C':
check_conflict(shc.cf_cmd, createdelete);
createdelete = SADB_X_PLUMBIF;
strncat(virtname, optarg, sizeof(virtname)-1);
break;
case 'D':
check_conflict(shc.cf_cmd, createdelete);
createdelete = SADB_X_UNPLUMBIF;
strncat(virtname, optarg, sizeof(virtname)-1);
break;
case 'V':
strncpy(ifr.ifr_name, optarg, sizeof(ifr.ifr_name));
break;
case 'P':
strncpy(shc.cf_name, optarg, sizeof(shc.cf_name));
break;
case 'l':
progname = malloc(strlen(argv[0])
+ 10 /* update this when changing the sprintf() */
+ strlen(optarg));
sprintf(progname, "%s --label %s",
argv[0],
optarg);
argcount -= 2;
break;
case '+': /* optionsfrom */
optionsfrom(optarg, &argc, &argv, optind, stderr);
/* no return on error */
break;
default:
usage(progname);
break;
}
}
if ( ((stat ("/proc/net/pfkey", &sts)) == 0) ) {
fprintf(stderr, "%s: NETKEY does not support virtual interfaces.\n",progname);
exit(1);
}
if(argcount == 1) {
int ret = 1;
if ((stat ("/proc/net/ipsec_tncfg", &sts)) != 0) {
fprintf(stderr, "%s: No tncfg - no IPsec support in kernel (are the modules loaded?)\n", progname);
} else {
ret = system("cat /proc/net/ipsec_tncfg");
ret = ret != -1 && WIFEXITED(ret) ? WEXITSTATUS(ret) : 1;
}
exit(ret);
}
/* overlay our struct ipsectunnel onto ifr.ifr_ifru union (hope it fits!) */
if (sizeof(ifr.ifr_ifru) < sizeof(shc)) {
fprintf(stderr, "%s: Internal error: struct ipsectunnelconf won't fit inside struct ifreq\n",
progname);
exit(1);
}
memcpy(&ifr.ifr_ifru.ifru_newname, &shc, sizeof(shc));
/* are we creating/deleting a virtual (mastXXX/ipsecXXX) interface? */
if(createdelete) {
exit(createdelete_virtual(createdelete, virtname));
}
switch(shc.cf_cmd) {
case IPSEC_SET_DEV:
if(!shc.cf_name[0]) {
fprintf(stderr, "%s: physical I/F parameter missing.\n",
progname);
exit(1);
}
case IPSEC_DEL_DEV:
if(!ifr.ifr_name[0]) {
fprintf(stderr, "%s: virtual I/F parameter missing.\n",
progname);
exit(1);
}
break;
case IPSEC_CLR_DEV:
strncpy(ifr.ifr_name, "ipsec0", sizeof(ifr.ifr_name));
break;
default:
fprintf(stderr, "%s: exactly one of '--attach', '--detach' or '--clear' options must be specified.\n"
"Try %s --help' for usage information.\n",
progname, progname);
exit(1);
}
s=safe_socket(AF_INET, SOCK_DGRAM,0);
if(s==-1)
{
fprintf(stderr, "%s: Socket creation failed -- ", progname);
switch(errno)
{
case EACCES:
if(getuid()==0)
fprintf(stderr, "Root denied permission!?!\n");
else
fprintf(stderr, "Run as root user.\n");
break;
case EPROTONOSUPPORT:
fprintf(stderr, "Internet Protocol not enabled");
break;
case EMFILE:
case ENFILE:
case ENOBUFS:
fprintf(stderr, "Insufficient system resources.\n");
break;
case ENODEV:
fprintf(stderr, "No such device. Is the virtual device valid? Is the ipsec module linked into the kernel or loaded as a module?\n");
break;
default:
fprintf(stderr, "Unknown socket error %d.\n", errno);
}
exit(1);
}
if(ioctl(s, shc.cf_cmd, &ifr)==-1)
{
switch (shc.cf_cmd)
{
case IPSEC_SET_DEV:
fprintf(stderr, "%s: Socket ioctl failed on attach -- ", progname);
switch(errno)
{
case EINVAL:
fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
break;
case ENODEV:
fprintf(stderr, "No such device. Is the virtual device valid? Is the ipsec module linked into the kernel or loaded as a module?\n");
break;
case ENXIO:
fprintf(stderr, "No such device. Is the physical device valid?\n");
break;
case EBUSY:
fprintf(stderr, "Device busy. Virtual device %s is already attached to a physical device -- Use detach first.\n",
ifr.ifr_name);
break;
default:
fprintf(stderr, "Unknown socket error %d.\n", errno);
}
exit(1);
case IPSEC_DEL_DEV:
fprintf(stderr, "%s: Socket ioctl failed on detach -- ", progname);
switch(errno)
{
case EINVAL:
fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
break;
case ENODEV:
fprintf(stderr, "No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.\n");
break;
case ENXIO:
fprintf(stderr, "Device requested is not linked to any physical device.\n");
break;
default:
fprintf(stderr, "Unknown socket error %d.\n", errno);
}
exit(1);
case IPSEC_CLR_DEV:
fprintf(stderr, "%s: Socket ioctl failed on clear -- ", progname);
switch(errno)
{
case EINVAL:
fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
break;
case ENODEV:
fprintf(stderr, "Failed. Is the ipsec module linked into the kernel or loaded as a module?.\n");
break;
default:
fprintf(stderr, "Unknown socket error %d.\n", errno);
}
exit(1);
default:
fprintf(stderr, "%s: Socket ioctl failed on unknown operation %u -- %s", progname, (unsigned) shc.cf_cmd, strerror(errno));
exit(1);
}
}
exit(0);
}
int pfkey_open_sock_with_error(void)
{
int pfkey_sock = -1;
if ((pfkey_sock = safe_socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
fprintf(stderr,
"%s: Trouble opening PF_KEY family socket with error: ",
progname);
switch (errno) {
case ENOENT:
fprintf(stderr,
"device does not exist. See Libreswan installation procedure.\n");
break;
case EACCES:
fprintf(stderr, "access denied. ");
if (getuid() == 0)
fprintf(stderr,
"Check permissions. Should be 600.\n");
else
fprintf(stderr,
"You must be root to open this file.\n");
break;
#ifdef EUNATCH
case EUNATCH:
fprintf(stderr,
"Netlink not enabled OR KLIPS not loaded.\n");
break;
#endif
case ENODEV:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
break;
case EBUSY:
fprintf(stderr,
"KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
break;
case EINVAL:
fprintf(stderr,
"Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n");
break;
case ENOBUFS:
fprintf(stderr, "No kernel memory to allocate SA.\n");
break;
case ESOCKTNOSUPPORT:
fprintf(stderr,
"Algorithm support not available in the kernel. Please compile in support.\n");
break;
case EEXIST:
fprintf(stderr,
"SA already in use. Delete old one first.\n");
break;
case ENXIO:
fprintf(stderr,
"SA does not exist. Cannot delete.\n");
break;
case EAFNOSUPPORT:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
break;
default:
fprintf(stderr,
"Unknown file open error %d. Please report as much detail as possible to development team.\n",
errno);
}
exit(1);
}
return pfkey_sock;
}
