static void netlink_shunt_expire(struct xfrm_userpolicy_info *pol) { const xfrm_address_t *srcx, *dstx; ip_address src, dst; unsigned family; unsigned transport_proto; err_t ugh = NULL; srcx = &pol->sel.saddr; dstx = &pol->sel.daddr; family = pol->sel.family; transport_proto = pol->sel.proto; if ((ugh = xfrm_to_ip_address(family, srcx, &src)) || (ugh = xfrm_to_ip_address(family, dstx, &dst))) { openswan_log("XFRM_MSG_POLEXPIRE message from kernel malformed: %s", ugh); return; } replace_bare_shunt(&src, &dst , BOTTOM_PRIO , SPI_PASS , FALSE , transport_proto , "delete expired bare shunt"); }
static void cannot_oppo(struct connection *c , struct find_oppo_bundle *b , err_t ughmsg) { char pcb[ADDRTOT_BUF]; char ocb[ADDRTOT_BUF]; addrtot(&b->peer_client, 0, pcb, sizeof(pcb)); addrtot(&b->our_client, 0, ocb, sizeof(ocb)); DBG(DBG_OPPO, openswan_log("Can not opportunistically initiate for %s to %s: %s" , ocb, pcb, ughmsg)); whack_log(RC_OPPOFAILURE , "Can not opportunistically initiate for %s to %s: %s" , ocb, pcb, ughmsg); if (c != NULL && c->policy_next != NULL) { /* there is some policy that comes afterwards */ struct spd_route *shunt_spd; struct connection *nc = c->policy_next; struct state *st; passert(c->kind == CK_TEMPLATE); passert(nc->kind == CK_PERMANENT); DBG(DBG_OPPO, DBG_log("OE failed for %s to %s, but %s overrides shunt" , ocb, pcb, nc->name)); /* * okay, here we need add to the "next" policy, which is ought * to be an instance. * We will add another entry to the spd_route list for the specific * situation that we have. */ shunt_spd = clone_thing(nc->spd, "shunt eroute policy"); shunt_spd->next = nc->spd.next; nc->spd.next = shunt_spd; happy(addrtosubnet(&b->peer_client, &shunt_spd->that.client)); if (sameaddr(&b->peer_client, &shunt_spd->that.host_addr)) shunt_spd->that.has_client = FALSE; /* * override the tunnel destination with the one from the secondaried * policy */ shunt_spd->that.host_addr = nc->spd.that.host_addr; /* now, lookup the state, and poke it up. */ st = state_with_serialno(nc->newest_ipsec_sa); /* XXX what to do if the IPSEC SA has died? */ passert(st != NULL); /* link the new connection instance to the state's list of * connections */ DBG(DBG_OPPO, DBG_log("installing state: %ld for %s to %s" , nc->newest_ipsec_sa , ocb, pcb)); #ifdef DEBUG if (DBGP(DBG_OPPO | DBG_CONTROLMORE)) { char state_buf[LOG_WIDTH]; char state_buf2[LOG_WIDTH]; const time_t n = now(); fmt_state(st, n, state_buf, sizeof(state_buf) , state_buf2, sizeof(state_buf2)); DBG_log("cannot_oppo, failure SA1: %s", state_buf); DBG_log("cannot_oppo, failure SA2: %s", state_buf2); } #endif /* DEBUG */ if (!route_and_eroute(c, shunt_spd, st)) { whack_log(RC_OPPOFAILURE , "failed to instantiate shunt policy %s for %s to %s" , c->name , ocb, pcb); } return; } /* * NETKEY default for level param in tmpl is required, so no traffic will * transmitted until an SA is fully up */ if (b->held && kern_interface != USE_NETKEY) { int failure_shunt = b->failure_shunt; /* Replace HOLD with b->failure_shunt. * If no failure_shunt specified, use SPI_PASS -- THIS MAY CHANGE. */ if (failure_shunt == 0) { DBG(DBG_OPPO, DBG_log("no explicit failure shunt for %s to %s; removing spurious hold shunt" , ocb, pcb)); } (void) replace_bare_shunt(&b->our_client, &b->peer_client , b->policy_prio , failure_shunt , failure_shunt != 0 , b->transport_proto , ughmsg); } }