starter: Drop support for %defaultroute.
authorTobias Brunner <tobias@strongswan.org>
Mon, 14 May 2012 10:17:50 +0000 (12:17 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 11 Jun 2012 15:33:29 +0000 (17:33 +0200)
man/ipsec.conf.5.in
src/starter/Android.mk
src/starter/Makefile.am
src/starter/cmp.c
src/starter/cmp.h
src/starter/confread.c
src/starter/confread.h
src/starter/interfaces.c [deleted file]
src/starter/interfaces.h [deleted file]
src/starter/starter.c

index 63e25c8fe9785fc41bdf6b8d5933533552b39975..0385a02af68840d7eeaec1e8c8fe442ede8e7b4d 100644 (file)
@@ -451,24 +451,10 @@ Relevant only locally, other end need not agree on it.
 synonym for
 .BR lifetime .
 .TP
-.BR left " = <ip address> | <fqdn> | %defaultroute | " %any
+.BR left " = <ip address> | <fqdn> | " %any
 (required)
 the IP address of the left participant's public-network interface
 or one of several magic values.
-If it is
-.BR %defaultroute ,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time and
-during configuration update).
-Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.
-
 The value
 .B %any
 for the local endpoint signifies an address to be filled in (by automatic
@@ -644,7 +630,7 @@ to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
 different from the default additionally requires a socket implementation that
 listens to this port.
 .TP
-.BR leftnexthop " = %direct | %defaultroute | <ip address> | <fqdn>"
+.BR leftnexthop " = %direct | <ip address> | <fqdn>"
 this parameter is usually not needed any more because the NETKEY IPsec stack
 does not require explicit routing entries for the traffic to be tunneled. If
 .B leftsourceip
index c1cb27e82c5ae5e702867e74725077393f7ca996..960d85a2d92c4267647fc4a27e68396fe88c4fd2 100644 (file)
@@ -5,7 +5,7 @@ include $(CLEAR_VARS)
 LOCAL_SRC_FILES := \
 parser.c lexer.c ipsec-parser.h netkey.c args.h netkey.h \
 starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
+starterstroke.h invokepluto.h confread.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
 invokecharon.h klips.c klips.h
 
index 9a4512066a1af4e37c5121755394aed36d320345..185edbb8a35ab049967062e5c80a5c77e61f32ea 100644 (file)
@@ -2,7 +2,7 @@ ipsec_PROGRAMS = starter
 starter_SOURCES = \
 parser.y lexer.l ipsec-parser.h netkey.c args.h netkey.h \
 starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
+starterstroke.h invokepluto.h confread.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
 invokecharon.h klips.c klips.h
 
index 0727cf5f058f33911df288063a498f195712a70a..0072e3ed74fd3d5378cf99e89d03fd00c0c08703 100644 (file)
@@ -21,7 +21,6 @@
 
 #include "confread.h"
 #include "args.h"
-#include "interfaces.h"
 #include "cmp.h"
 
 #define VARCMP(obj) if (c1->obj != c2->obj) return FALSE
@@ -105,11 +104,3 @@ starter_cmp_pluto(starter_config_t *c1, starter_config_t *c2)
 
        return cmp_args(KW_PLUTO_FIRST, KW_PLUTO_LAST, (char *)c1, (char *)c2);
 }
-
-bool
-starter_cmp_defaultroute(defaultroute_t *d1, defaultroute_t *d2)
-{
-       if ((d1 == NULL) || (d2 == NULL))
-               return FALSE;
-       return memcmp(d1, d2, sizeof(defaultroute_t)) == 0;
-}
index cda6e44b91b3f1213049fa64bb1d5cb6abc34587..58c2ef819d5f30dbba3443b9090d7612bb533558 100644 (file)
 #ifndef _STARTER_CMP_H_
 #define _STARTER_CMP_H_
 
-#include "interfaces.h"
-
 extern bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2);
 extern bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2);
 extern bool starter_cmp_klips(starter_config_t *c1, starter_config_t *c2);
 extern bool starter_cmp_pluto(starter_config_t *c1, starter_config_t *c2);
-extern bool starter_cmp_defaultroute(defaultroute_t *d1, defaultroute_t *d2);
 
 #endif
 
index af7cc4649d20320f4ac99cf0b8715784b6586cf1..47afc55593ca475d7c731edbed1317f58e8beea3 100644 (file)
@@ -30,7 +30,6 @@
 #include "confread.h"
 #include "args.h"
 #include "files.h"
-#include "interfaces.h"
 
 /* strings containing a colon are interpreted as an IPv6 address */
 #define ip_version(string)     (strchr(string, '.') ? AF_INET : AF_INET6)
@@ -184,24 +183,7 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
        case KW_HOST:
                free(end->host);
                end->host = NULL;
-               if (streq(value, "%defaultroute"))
-               {
-                       if (cfg->defaultroute.defined)
-                       {
-                               end->addr    = cfg->defaultroute.addr;
-                               end->nexthop = cfg->defaultroute.nexthop;
-                       }
-                       else if (!cfg->defaultroute.supported)
-                       {
-                               DBG1(DBG_APP, "%%defaultroute not supported, fallback to %%any");
-                       }
-                       else
-                       {
-                               DBG1(DBG_APP, "# default route not known: %s=%s", name, value);
-                               goto err;
-                       }
-               }
-               else if (streq(value, "%any") || streq(value, "%any4"))
+               if (streq(value, "%any") || streq(value, "%any4"))
                {
                        anyaddr(conn->addr_family, &end->addr);
                }
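Review bot: With the `%defaultroute` branch gone, a `left=%defaultroute` line in an existing ipsec.conf no longer matches any dedicated check and presumably falls through to the address/hostname handling that follows this hunk, so an upgraded installation fails (or tries to resolve the literal string) with a generic message rather than being told the keyword was dropped. Since the commit deliberately removes a documented value, an explicit rejection in front of the `%any` test would make that migration failure self-explaining and keep the error path deterministic; `name`, `value` and the `err` label are already in scope here. kw_end begins before this hunk and continues after it.
```c
	case KW_HOST:
		free(end->host);
		end->host = NULL;
		/* %defaultroute support was removed; reject it by name so old
		 * configs fail with a clear message instead of a generic error */
		if (streq(value, "%defaultroute"))
		{
			DBG1(DBG_APP, "# %%defaultroute is no longer supported, use %%any: %s=%s", name, value);
			goto err;
		}
		if (streq(value, "%any") || streq(value, "%any4"))
		/* … unchanged: %any handling and the rest of kw_end … */
```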
@@ -355,19 +337,7 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
        switch (token)
        {
        case KW_NEXTHOP:
-               if (streq(value, "%defaultroute"))
-               {
-                       if (cfg->defaultroute.defined)
-                       {
-                               end->nexthop = cfg->defaultroute.nexthop;
-                       }
-                       else
-                       {
-                               DBG1(DBG_APP, "# default route not known: %s=%s", name, value);
-                               goto err;
-                       }
-               }
-               else if (streq(value, "%direct"))
+               if (streq(value, "%direct"))
                {
                        ugh = anyaddr(conn->addr_family, &end->nexthop);
                }
@@ -404,42 +374,25 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
                end->has_port_wildcard = has_port_wildcard;
                break;
        case KW_NATIP:
+       {
+               ip_address addr;
                if (end->sourceip)
                {
                        DBG1(DBG_APP, "# natip and sourceip cannot be defined at the same time");
                        goto err;
                }
-               if (streq(value, "%defaultroute"))
-               {
-                       char buf[64];
-
-                       if (cfg->defaultroute.defined)
-                       {
-                               addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
-                               end->sourceip = clone_str(buf);
-                       }
-                       else
-                       {
-                               DBG1(DBG_APP, "# default route not known: %s=%s", name, value);
-                               goto err;
-                       }
-               }
-               else
+               conn->tunnel_addr_family = ip_version(value);
+               ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
+               if (ugh != NULL)
                {
-                       ip_address addr;
-
-                       conn->tunnel_addr_family = ip_version(value);
-                       ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
-                       if (ugh != NULL)
-                       {
-                               DBG1(DBG_APP, "# bad addr: %s=%s [%s]", name, value, ugh);
-                               goto err;
-                       }
-                       end->sourceip = clone_str(value);
+                       DBG1(DBG_APP, "# bad addr: %s=%s [%s]", name, value, ugh);
+                       goto err;
                }
+               end->sourceip = clone_str(value);
                end->has_natip = TRUE;
                conn->policy |= POLICY_TUNNEL;
                break;
+       }
        default:
                break;
        }
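Review bot: `conn->tunnel_addr_family = ip_version(value);` is written before `ttoaddr()` has validated `value`, so a rejected natip still leaves the connection's tunnel family modified when control jumps to `err`; the config is probably discarded on error anyway, but the flattened block would be cleaner validating into a local first: `int family = ip_version(value); ugh = ttoaddr(value, 0, family, &addr);` and assigning `conn->tunnel_addr_family = family;` only after the `ugh` check. A one-line comment such as `/* addr is only a parse check; the textual form is kept in sourceip */` would also explain why `addr` is computed and then dropped. Note that `ip_version()` (context line above) keys on a '.' rather than a ':', so any value without a dot, including a leftover `%defaultroute`, is parsed as IPv6 and fails with the generic "bad addr" message. kw_end begins before this hunk and continues after it.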
@@ -1053,9 +1006,6 @@ starter_config_t* confread_load(const char *file)
        /* set default values */
        default_values(cfg);
 
-       /* determine default route */
-       get_defaultroute(&cfg->defaultroute);
-
        /* load config setup section */
        load_setup(cfg, cfgp);
 
index 655c9708436989153df9da4782e18f01aaae3e06..c142961b3846aae9fd2529410e34f2834e131502 100644 (file)
 #ifndef _IPSEC_CONFREAD_H_
 #define _IPSEC_CONFREAD_H_
 
-#ifndef _FREESWAN_H
 #include <freeswan.h>
-#endif
+#include "../pluto/constants.h"
 
 #include "ipsec-parser.h"
-#include "interfaces.h"
 
 typedef enum {
                STARTUP_NO,
@@ -218,9 +216,6 @@ struct starter_config {
                                bool    hidetos;
                } setup;
 
-               /* information about the default route */
-               defaultroute_t defaultroute;
-
                /* number of encountered parsing errors */
                u_int err;
                u_int non_fatal_err;
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
deleted file mode 100644 (file)
index 8d253ae..0000000
+++ /dev/null
@@ -1,212 +0,0 @@
-/* strongSwan IPsec interfaces management
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *               2009 Heiko Hund - Astaro AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include <freeswan.h>
-
-#include <debug.h>
-#include <constants.h>
-#include <defs.h>
-
-#include "interfaces.h"
-#include "files.h"
-
-#ifdef START_PLUTO
-
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <linux/rtnetlink.h>
-#ifdef HAVE_SYS_SOCKIO_H
-#include <sys/sockio.h>
-#endif
-
-/*
- * Get the default route information via rtnetlink
- */
-void
-get_defaultroute(defaultroute_t *defaultroute)
-{
-       union {
-               struct {
-                       struct nlmsghdr nh;
-                       struct rtmsg    rt;
-               } m;
-               char buf[4096];
-       } rtu;
-
-       struct nlmsghdr *nh;
-       uint32_t best_metric = ~0;
-       ssize_t msglen;
-       int fd;
-
-       memset(&rtu, 0, sizeof(rtu));
-       rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt));
-       rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
-       rtu.m.nh.nlmsg_type = RTM_GETROUTE;
-       rtu.m.rt.rtm_family = AF_INET;
-       rtu.m.rt.rtm_table = RT_TABLE_UNSPEC;
-       rtu.m.rt.rtm_protocol = RTPROT_UNSPEC;
-       rtu.m.rt.rtm_type = RTN_UNICAST;
-
-       fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
-       if (fd == -1)
-       {
-               DBG1(DBG_APP, "could not create rtnetlink socket");
-               return;
-       }
-
-       if (send(fd, &rtu, rtu.m.nh.nlmsg_len, 0) == -1)
-       {
-               DBG1(DBG_APP, "could not write to rtnetlink socket");
-               close(fd);
-               return;
-       }
-
-       msglen = recv(fd, &rtu, sizeof(rtu), MSG_WAITALL);
-       if (msglen == -1)
-       {
-               DBG1(DBG_APP, "could not read from rtnetlink socket");
-               close(fd);
-               return;
-       }
-
-       close(fd);
-
-       for (nh = &rtu.m.nh; NLMSG_OK(nh, msglen); nh = NLMSG_NEXT(nh, msglen))
-       {
-               struct rtmsg *rt;
-               struct rtattr *rta;
-               uint32_t rtalen, metric = 0;
-               struct in_addr gw = { .s_addr = INADDR_ANY };
-               int iface_idx = -1;
-
-               if (nh->nlmsg_type == NLMSG_ERROR)
-               {
-                       DBG1(DBG_APP, "error from rtnetlink");
-                       return;
-               }
-
-               if (nh->nlmsg_type == NLMSG_DONE)
-                       break;
-
-               rt = NLMSG_DATA(nh);
-               if ( rt->rtm_dst_len != 0
-               ||  (rt->rtm_table != RT_TABLE_MAIN
-                 && rt->rtm_table != RT_TABLE_DEFAULT) )
-                       continue;
-
-               rta = RTM_RTA(rt);
-               rtalen = RTM_PAYLOAD(nh);
-               while ( RTA_OK(rta, rtalen) )
-               {
-                       switch (rta->rta_type)
-                       {
-                       case RTA_GATEWAY:
-                               gw = *(struct in_addr *) RTA_DATA(rta);
-                               break;
-                       case RTA_OIF:
-                               iface_idx = *(int *) RTA_DATA(rta);
-                               break;
-                       case RTA_PRIORITY:
-                               metric = *(uint32_t *) RTA_DATA(rta);
-                               break;
-                       }
-                       rta = RTA_NEXT(rta, rtalen);
-               }
-
-               if (metric < best_metric
-               &&  iface_idx != -1)
-               {
-                       struct ifreq req;
-
-                       fd = socket(AF_INET, SOCK_DGRAM, 0);
-                       if (fd < 0)
-                       {
-                               DBG1(DBG_APP, "could not open AF_INET socket");
-                               break;
-                       }
-                       memset(&req, 0, sizeof(req));
-                       req.ifr_ifindex = iface_idx;
-                       if (ioctl(fd, SIOCGIFNAME, &req) < 0 ||
-                               ioctl(fd, SIOCGIFADDR, &req) < 0)
-                       {
-                               DBG1(DBG_APP, "could not read interface data, ignoring route");
-                               close(fd);
-                               break;
-                       }
-
-                       strncpy(defaultroute->iface, req.ifr_name, IFNAMSIZ);
-                       defaultroute->iface[IFNAMSIZ-1] = '\0';
-                       defaultroute->addr.u.v4 = *((struct sockaddr_in *) &req.ifr_addr);
-                       defaultroute->nexthop.u.v4.sin_family = AF_INET;
-
-                       if (gw.s_addr == INADDR_ANY)
-                       {
-                               if (ioctl(fd, SIOCGIFDSTADDR, &req) < 0 ||
-                                       ((struct sockaddr_in*) &req.ifr_dstaddr)->sin_addr.s_addr == INADDR_ANY)
-                               {
-                                       DBG2(DBG_APP, "Ignoring default route to device %s because we can't get it's destination",
-                                                req.ifr_name);
-                                       close(fd);
-                                       break;
-                               }
-
-                               defaultroute->nexthop.u.v4 = *((struct sockaddr_in *) &req.ifr_dstaddr);
-                       }
-                       else
-                               defaultroute->nexthop.u.v4.sin_addr = gw;
-
-                       close(fd);
-
-                       {
-                               char addr[20];
-                               char nexthop[20];
-                               addrtot(&defaultroute->addr, 0, addr, sizeof(addr));
-                               addrtot(&defaultroute->nexthop, 0, nexthop, sizeof(nexthop));
-
-                               DBG2(DBG_APP,
-                                       ( !defaultroute->defined
-                                       ? "Default route found: iface=%s, addr=%s, nexthop=%s"
-                                       : "Better default route: iface=%s, addr=%s, nexthop=%s"
-                                       ), defaultroute->iface, addr, nexthop
-                               );
-                       }
-
-                       best_metric = metric;
-                       defaultroute->defined = TRUE;
-               }
-       }
-       defaultroute->supported = TRUE;
-
-       if (!defaultroute->defined)
-               DBG1(DBG_APP, "no default route - cannot cope with %%defaultroute!!!");
-}
-
-#else /* !START_PLUTO */
-
-/**
- * Pluto disabled, fall back to %any
- */
-void
-get_defaultroute(defaultroute_t *defaultroute)
-{
-       defaultroute->supported = FALSE;
-}
-#endif /* START_PLUTO */
-
diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h
deleted file mode 100644 (file)
index ff8535f..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-/* strongSwan IPsec interfaces management
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_INTERFACES_H_
-#define _STARTER_INTERFACES_H_
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <net/if.h>
-
-#include "../pluto/constants.h"
-
-typedef struct {
-       bool defined;
-       bool supported;
-       char iface[IFNAMSIZ];
-       ip_address addr;
-       ip_address nexthop;
-} defaultroute_t;
-
-extern void get_defaultroute(defaultroute_t *defaultroute);
-
-
-#endif /* _STARTER_INTERFACES_H_ */
-
index aad2e7a3dfe01125e5dac58c3ada91dfbabbb5c1..86cf52b12857253d83d595cdd4b404667c440e0b 100644 (file)
@@ -49,7 +49,6 @@
 #include "netkey.h"
 #include "klips.h"
 #include "cmp.h"
-#include "interfaces.h"
 
 #ifndef LOG_AUTHPRIV
 #define LOG_AUTHPRIV LOG_AUTH
@@ -662,12 +661,6 @@ int main (int argc, char **argv)
                        if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
                        {
                                /* Switch to new config. New conn will be loaded below */
-                               if (!starter_cmp_defaultroute(&new_cfg->defaultroute
-                                                                  , &cfg->defaultroute))
-                               {
-                                       _action_ |= FLAG_ACTION_LISTEN;
-                               }
-
                                if (!starter_cmp_pluto(cfg, new_cfg))
                                {
                                        DBG1(DBG_APP, "Pluto has changed");