diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/pluto/constants.c | 1 | ||||
| -rw-r--r-- | src/pluto/constants.h | 3 | ||||
| -rw-r--r-- | src/pluto/kernel.c | 327 | ||||
| -rw-r--r-- | src/pluto/kernel.h | 2 | ||||
| -rw-r--r-- | src/pluto/timer.c | 7 |
5 files changed, 0 insertions, 340 deletions
diff --git a/src/pluto/constants.c b/src/pluto/constants.c index aaaa1d2af..391864d3d 100644 --- a/src/pluto/constants.c +++ b/src/pluto/constants.c @@ -77,7 +77,6 @@ ENUM(dpd_action_names, DPD_ACTION_NONE, DPD_ACTION_RESTART, ENUM(timer_event_names, EVENT_NULL, EVENT_LOG_DAILY, "EVENT_NULL", "EVENT_REINIT_SECRET", - "EVENT_SHUNT_SCAN", "EVENT_SO_DISCARD", "EVENT_RETRANSMIT", "EVENT_SA_REPLACE", diff --git a/src/pluto/constants.h b/src/pluto/constants.h index 7e8d22b27..e58828f2d 100644 --- a/src/pluto/constants.h +++ b/src/pluto/constants.h @@ -246,9 +246,6 @@ extern enum_name_t *timer_event_names; enum event_type { EVENT_NULL, /* non-event */ EVENT_REINIT_SECRET, /* Refresh cookie secret */ -#ifdef KLIPS - EVENT_SHUNT_SCAN, /* scan shunt eroutes known to kernel */ -#endif EVENT_SO_DISCARD, /* discard unfinished state object */ EVENT_RETRANSMIT, /* Retransmit packet */ EVENT_SA_REPLACE, /* SA replacement event */ diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index 572261076..47b349b29 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -1343,328 +1343,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr, , null_proto_info, op, opname) && ok; } - -/* - * This is only called when s is a likely SAID with trailing protocol i.e. - * it has the form :- - * - * %<keyword>:p - * <ip-proto><spi>@a.b.c.d:p - * - * The task here is to remove the ":p" part so that the rest can be read - * by another routine. - */ -static const char *read_proto(const char * s, size_t * len, int * transport_proto) -{ - const char * p; - const char * ugh; - unsigned long proto; - size_t l; - - l = *len; - p = memchr(s, ':', l); - if (p == 0) - { - *transport_proto = 0; - return 0; - } - ugh = ttoul(p+1, l-((p-s)+1), 10, &proto); - if (ugh != 0) - { - return ugh; - } - if (proto > 65535) - { - return "protocol number is too large, legal range is 0-65535"; - } - *len = p-s; - *transport_proto = proto; - return 0; -} - - -/* scan /proc/net/ipsec_eroute every once in a while, looking for: - * - * - %hold shunts of which Pluto isn't aware. This situation could - * be caused by lost ACQUIRE messages. When found, they will - * added to orphan_holds. This in turn will lead to Opportunistic - * initiation. - * - * - other kinds of shunts that haven't been used recently. These will be - * deleted. They represent OE failures. - * - * - recording recent uses of tunnel eroutes so that rekeying decisions - * can be made for OE connections. - * - * Here are some sample lines: - * 10 10.3.2.1.0/24 -> 0.0.0.0/0 => %trap - * 259 10.3.2.1.115/32 -> 10.19.75.161/32 => tun0x1002@10.19.75.145 - * 71 10.44.73.97/32 -> 0.0.0.0/0 => %trap - * 4119 10.44.73.97/32 -> 10.114.121.41/32 => %pass - * Newer versions of KLIPS start each line with a 32-bit packet count. - * If available, the count is used to detect whether a %pass shunt is in use. - * - * NOTE: execution time is quadratic in the number of eroutes since the - * searching for each is sequential. If this becomes a problem, faster - * searches could be implemented (hash or radix tree, for example). - */ -void scan_proc_shunts(void) -{ - static const char procname[] = "/proc/net/ipsec_eroute"; - FILE *f; - time_t nw = now(); - int lino; - struct eroute_info *expired = NULL; - - event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL); - - DBG(DBG_CONTROL, - DBG_log("scanning for shunt eroutes") - ) - - /* free any leftover entries: they will be refreshed if still current */ - while (orphaned_holds != NULL) - { - struct eroute_info *p = orphaned_holds; - - orphaned_holds = p->next; - free(orphaned_holds); - } - - /* decode the /proc file. Don't do anything strenuous to it - * (certainly no PF_KEY stuff) to minimize the chance that it - * might change underfoot. - */ - - f = fopen(procname, "r"); - if (f == NULL) - { - return; - } - - /* for each line... */ - for (lino = 1; ; lino++) - { - unsigned char buf[1024]; /* should be big enough */ - chunk_t field[10]; /* 10 is loose upper bound */ - chunk_t *ff = NULL; /* fixed fields (excluding optional count) */ - int fi; - struct eroute_info eri; - char *cp; - err_t context = "" - , ugh = NULL; - - cp = fgets(buf, sizeof(buf), f); - if (cp == NULL) - { - break; - } - - /* break out each field - * Note: if there are too many fields, just stop; - * it will be diagnosed a little later. - */ - for (fi = 0; fi < (int)countof(field); fi++) - { - static const char sep[] = " \t\n"; /* field-separating whitespace */ - size_t w; - - cp += strspn(cp, sep); /* find start of field */ - w = strcspn(cp, sep); /* find width of field */ - field[fi] = chunk_create(cp, w); - cp += w; - if (w == 0) - { - break; - } - } - - /* This odd do-hickey is to share error reporting code. - * A break will get to that common code. The setting - * of "ugh" and "context" parameterize it. - */ - do { - /* Old entries have no packet count; new ones do. - * check if things are as they should be. - */ - if (fi == 5) - { - ff = &field[0]; /* old form, with no count */ - } - else if (fi == 6) - { - ff = &field[1]; /* new form, with count */ - } - else - { - ugh = "has wrong number of fields"; - break; - } - - if (ff[1].len != 2 - || strncmp(ff[1].ptr, "->", 2) != 0 - || ff[3].len != 2 - || strncmp(ff[3].ptr, "=>", 2) != 0) - { - ugh = "is missing -> or =>"; - break; - } - - /* actually digest fields of interest */ - - /* packet count */ - - eri.count = 0; - if (ff != field) - { - context = "count field is malformed: "; - ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count); - if (ugh != NULL) - { - break; - } - } - - /* our client */ - - context = "source subnet field malformed: "; - ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours); - if (ugh != NULL) - { - break; - } - - /* his client */ - - context = "destination subnet field malformed: "; - ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his); - if (ugh != NULL) - { - break; - } - - /* SAID */ - - context = "SA ID field malformed: "; - ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto); - if (ugh != NULL) - { - break; - } - ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said); - } while (FALSE); - - if (ugh != NULL) - { - plog("INTERNAL ERROR: %s line %d %s%s" - , procname, lino, context, ugh); - continue; /* ignore rest of line */ - } - - /* Now we have decoded eroute, let's consider it. - * For shunt eroutes: - * - * %hold: if not known, add to orphaned_holds list for initiation - * because ACQUIRE might have been lost. - * - * %pass, %drop, %reject: determine if idle; if so, blast it away. - * Can occur bare (if DNS provided insufficient information) - * or with a connection (failure context). - * Could even be installed by ipsec manual. - * - * %trap: always welcome. - * - * For other eroutes: find state and record count change - */ - if (eri.said.proto == SA_INT) - { - /* shunt eroute */ - switch (ntohl(eri.said.spi)) - { - case SPI_HOLD: - if (bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto) == NULL - && shunt_owner(&eri.ours, &eri.his) == NULL) - { - int ourport = ntohs(portof(&eri.ours.addr)); - int hisport = ntohs(portof(&eri.his.addr)); - char ourst[SUBNETTOT_BUF]; - char hist[SUBNETTOT_BUF]; - char sat[SATOT_BUF]; - - subnettot(&eri.ours, 0, ourst, sizeof(ourst)); - subnettot(&eri.his, 0, hist, sizeof(hist)); - satot(&eri.said, 0, sat, sizeof(sat)); - - DBG(DBG_CONTROL, - DBG_log("add orphaned shunt %s:%d -> %s:%d => %s:%d" - , ourst, ourport, hist, hisport, sat, eri.transport_proto) - ) - eri.next = orphaned_holds; - orphaned_holds = clone_thing(eri); - } - break; - - case SPI_PASS: - case SPI_DROP: - case SPI_REJECT: - /* nothing sensible to do if we don't have counts */ - if (ff != field) - { - struct bare_shunt **bs_pp - = bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto); - - if (bs_pp != NULL) - { - struct bare_shunt *bs = *bs_pp; - - if (eri.count != bs->count) - { - bs->count = eri.count; - bs->last_activity = nw; - } - else if (nw - bs->last_activity > SHUNT_PATIENCE) - { - eri.next = expired; - expired = clone_thing(eri); - } - } - } - break; - - case SPI_TRAP: - break; - - default: - bad_case(ntohl(eri.said.spi)); - } - } - else - { - /* regular (non-shunt) eroute */ - state_eroute_usage(&eri.ours, &eri.his, eri.count, nw); - } - } /* for each line */ - fclose(f); - - /* Now that we've finished processing the /proc file, - * it is safe to delete the expired %pass shunts. - */ - while (expired != NULL) - { - struct eroute_info *p = expired; - ip_address src, dst; - - networkof(&p->ours, &src); - networkof(&p->his, &dst); - (void) replace_bare_shunt(&src, &dst - , BOTTOM_PRIO /* not used because we are deleting. This value is a filler */ - , SPI_PASS /* not used because we are deleting. This value is a filler */ - , FALSE, p->transport_proto, "delete expired bare shunts"); - expired = p->next; - free(p); - } -} - static bool del_spi(ipsec_spi_t spi, int proto, const ip_address *src, const ip_address *dest) { @@ -2371,11 +2049,6 @@ void init_kernel(void) /* register SA types that we can negotiate */ can_do_IPcomp = FALSE; /* until we get a response from KLIPS */ kernel_ops->pfkey_register(); - - if (!kernel_ops->policy_lifetime) - { - event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL); - } #endif } diff --git a/src/pluto/kernel.h b/src/pluto/kernel.h index 06850abfd..26efd0013 100644 --- a/src/pluto/kernel.h +++ b/src/pluto/kernel.h @@ -152,8 +152,6 @@ extern void record_and_initiate_opportunistic(const ip_subnet * extern void init_kernel(void); -extern void scan_proc_shunts(void); - extern bool trap_connection(struct connection *c); extern void unroute_connection(struct connection *c); diff --git a/src/pluto/timer.c b/src/pluto/timer.c index b112d67f6..c1ad55f5e 100644 --- a/src/pluto/timer.c +++ b/src/pluto/timer.c @@ -233,13 +233,6 @@ void handle_timer_event(void) init_secret(); break; -#ifdef KLIPS - case EVENT_SHUNT_SCAN: - passert(st == NULL); - scan_proc_shunts(); - break; -#endif - case EVENT_LOG_DAILY: daily_log_event(); break; |