From 774a362e87feab25f1be16fbca08269ddc7121a4 Mon Sep 17 00:00:00 2001 
From: Rene Mayrhofer Date: Thu, 12 Apr 2007 20:41:31 +0000 Subject: Major new upstream release, just ran svn-upgrade for now (and wrote some debian/changelong entries). --- programs/Makefile | 46 - programs/Makefile.program | 154 - programs/_confread/.cvsignore | 7 - programs/_confread/Makefile | 27 - programs/_confread/README.conf.V2 | 103 - programs/_confread/_confread.8 | 28 - programs/_confread/_confread.in | 520 --- programs/_confread/block.in | 8 - programs/_confread/clear-or-private.in | 8 - programs/_confread/clear.in | 7 - programs/_confread/ipsec.conf.5 | 1286 ------ programs/_confread/ipsec.conf.in | 44 - programs/_confread/private-or-clear.in | 14 - programs/_confread/private.in | 6 - programs/_confread/randomize | 28 - programs/_copyright/.cvsignore | 1 - programs/_copyright/Makefile | 44 - programs/_copyright/_copyright.8 | 32 - programs/_copyright/_copyright.c | 69 - programs/_include/.cvsignore | 1 - programs/_include/Makefile | 43 - programs/_include/_include.8 | 35 - programs/_include/_include.in | 102 - programs/_keycensor/.cvsignore | 1 - programs/_keycensor/Makefile | 43 - programs/_keycensor/_keycensor.8 | 33 - programs/_keycensor/_keycensor.in | 52 - programs/_plutoload/.cvsignore | 1 - programs/_plutoload/Makefile | 43 - programs/_plutoload/_plutoload.8 | 33 - programs/_plutoload/_plutoload.in | 164 - programs/_plutorun/.cvsignore | 1 - programs/_plutorun/Makefile | 43 - programs/_plutorun/_plutorun.8 | 37 - programs/_plutorun/_plutorun.in | 281 -- programs/_realsetup/.cvsignore | 1 - programs/_realsetup/Makefile | 43 - programs/_realsetup/_realsetup.8 | 36 - programs/_realsetup/_realsetup.in | 456 --- programs/_secretcensor/.cvsignore | 1 - programs/_secretcensor/Makefile | 43 - programs/_secretcensor/_secretcensor.8 | 34 - programs/_secretcensor/_secretcensor.in | 75 - programs/_startklips/.cvsignore | 1 - programs/_startklips/Makefile | 43 - programs/_startklips/_startklips.8 | 33 - programs/_startklips/_startklips.in | 367 -- 
programs/_updown/.cvsignore | 2 - programs/_updown/Makefile | 22 - programs/_updown/_updown.8 | 19 - programs/_updown/_updown.in | 503 --- programs/_updown_espmark/Makefile | 22 - programs/_updown_espmark/_updown_espmark.8 | 18 - programs/_updown_espmark/_updown_espmark.in | 452 -- programs/auto/.cvsignore | 1 - programs/auto/Makefile | 21 - programs/auto/auto.8 | 481 --- programs/auto/auto.in | 660 --- programs/barf/.cvsignore | 1 - programs/barf/Makefile | 38 - programs/barf/barf.8 | 84 - programs/barf/barf.in | 296 -- programs/calcgoo/.cvsignore | 1 - programs/calcgoo/Makefile | 41 - programs/calcgoo/calcgoo.8 | 31 - programs/calcgoo/calcgoo.in | 43 - programs/eroute/.cvsignore | 1 - programs/eroute/Makefile | 52 - programs/eroute/eroute.5 | 272 -- programs/eroute/eroute.8 | 354 -- programs/eroute/eroute.c | 1044 ----- programs/examples/Makefile | 22 - programs/examples/oe.conf.in | 68 - programs/ikeping/.cvsignore | 1 - programs/ikeping/Makefile | 57 - programs/ikeping/ikeping.8 | 71 - programs/ikeping/ikeping.c | 483 --- programs/ipsec/.cvsignore | 1 - programs/ipsec/Makefile | 28 - programs/ipsec/distro.txt | 1 - programs/ipsec/ipsec.8 | 336 -- programs/ipsec/ipsec.in | 259 -- programs/klipsdebug/.cvsignore | 1 - programs/klipsdebug/Makefile | 80 - programs/klipsdebug/klipsdebug.5 | 138 - programs/klipsdebug/klipsdebug.8 | 164 - programs/klipsdebug/klipsdebug.c | 436 -- programs/look/.cvsignore | 1 - programs/look/Makefile | 38 - programs/look/look.8 | 45 - programs/look/look.in | 87 - programs/lwdnsq/.cvsignore | 4 - programs/lwdnsq/CONTRACT.txt | 106 - programs/lwdnsq/Makefile | 96 - programs/lwdnsq/cmds.c | 351 -- programs/lwdnsq/lookup.c | 632 --- programs/lwdnsq/lwdnsq.8 | 250 -- programs/lwdnsq/lwdnsq.c | 506 --- programs/lwdnsq/lwdnsq.h | 121 - programs/lwdnsq/lwdnsq.xml.in | 446 -- programs/lwdnsq/states.fig | 66 - programs/lwdnsq/states.png | Bin 6756 -> 0 bytes programs/mailkey/.cvsignore | 1 - programs/mailkey/Makefile | 41 - 
programs/mailkey/mailkey.8 | 47 - programs/mailkey/mailkey.in | 241 -- programs/manual/.cvsignore | 1 - programs/manual/Makefile | 38 - programs/manual/manual.8 | 267 -- programs/manual/manual.in | 637 --- programs/openac/Makefile | 162 - programs/openac/build.c | 242 -- programs/openac/build.h | 47 - programs/openac/loglite.c | 295 -- programs/openac/openac.8 | 180 - programs/openac/openac.c | 438 -- programs/pf_key/.cvsignore | 1 - programs/pf_key/Makefile | 49 - programs/pf_key/pf_key.5 | 122 - programs/pf_key/pf_key.8 | 73 - programs/pf_key/pf_key.c | 353 -- programs/pluto/.cvsignore | 3 - programs/pluto/Makefile | 1090 ----- programs/pluto/PLUTO-CONVENTIONS | 127 - programs/pluto/TODO | 129 - programs/pluto/ac.c | 1018 ----- programs/pluto/ac.h | 103 - programs/pluto/adns.c | 615 --- programs/pluto/adns.h | 75 - programs/pluto/alg/Config.ike_alg | 9 - programs/pluto/alg/Makefile | 93 - programs/pluto/alg/Makefile.ike_alg_aes | 14 - programs/pluto/alg/Makefile.ike_alg_blowfish | 13 - programs/pluto/alg/Makefile.ike_alg_serpent | 13 - programs/pluto/alg/Makefile.ike_alg_sha2 | 13 - programs/pluto/alg/Makefile.ike_alg_twofish | 13 - programs/pluto/alg/ike_alg_aes.c | 68 - programs/pluto/alg/ike_alg_blowfish.c | 52 - programs/pluto/alg/ike_alg_serpent.c | 70 - programs/pluto/alg/ike_alg_sha2.c | 634 --- programs/pluto/alg/ike_alg_twofish.c | 85 - programs/pluto/alg_info.c | 1205 ------ programs/pluto/alg_info.h | 85 - programs/pluto/asn1.c | 770 ---- programs/pluto/asn1.h | 141 - programs/pluto/ca.c | 694 ---- programs/pluto/ca.h | 70 - programs/pluto/certs.c | 287 -- programs/pluto/certs.h | 80 - programs/pluto/connections.c | 4457 -------------------- programs/pluto/connections.h | 376 -- programs/pluto/constants.c | 1356 ------ programs/pluto/constants.h | 1264 ------ programs/pluto/cookie.c | 67 - programs/pluto/cookie.h | 24 - programs/pluto/crl.c | 763 ---- programs/pluto/crl.h | 87 - programs/pluto/crypto.c | 627 --- programs/pluto/crypto.h | 108 - 
programs/pluto/db_ops.c | 439 -- programs/pluto/db_ops.h | 56 - programs/pluto/defs.c | 374 -- programs/pluto/defs.h | 145 - programs/pluto/demux.c | 2526 ------------ programs/pluto/demux.h | 100 - programs/pluto/dnskey.c | 1962 --------- programs/pluto/dnskey.h | 84 - programs/pluto/dsa.c | 476 --- programs/pluto/dsa.h | 32 - programs/pluto/elgamal.c | 613 --- programs/pluto/elgamal.h | 35 - programs/pluto/fetch.c | 1081 ----- programs/pluto/fetch.h | 79 - programs/pluto/foodgroups.c | 462 --- programs/pluto/foodgroups.h | 24 - programs/pluto/gcryptfix.c | 283 -- programs/pluto/gcryptfix.h | 111 - programs/pluto/id.c | 509 --- programs/pluto/id.h | 67 - programs/pluto/ike_alg.c | 592 --- programs/pluto/ike_alg.h | 94 - programs/pluto/ipsec.secrets.5 | 175 - programs/pluto/ipsec_doi.c | 5696 -------------------------- programs/pluto/ipsec_doi.h | 104 - programs/pluto/kameipsec.h | 47 - programs/pluto/kernel.c | 2999 -------------- programs/pluto/kernel.h | 200 - programs/pluto/kernel_alg.c | 775 ---- programs/pluto/kernel_alg.h | 46 - programs/pluto/kernel_netlink.c | 1221 ------ programs/pluto/kernel_netlink.h | 20 - programs/pluto/kernel_noklips.c | 126 - programs/pluto/kernel_noklips.h | 19 - programs/pluto/kernel_pfkey.c | 938 ----- programs/pluto/kernel_pfkey.h | 23 - programs/pluto/keys.c | 1516 ------- programs/pluto/keys.h | 114 - programs/pluto/lex.c | 213 - programs/pluto/lex.h | 52 - programs/pluto/linux26/netlink.h | 90 - programs/pluto/linux26/rtnetlink.h | 562 --- programs/pluto/linux26/xfrm.h | 233 -- programs/pluto/log.c | 841 ---- programs/pluto/log.h | 236 -- programs/pluto/md2.c | 237 -- programs/pluto/md2.h | 72 - programs/pluto/md5.c | 385 -- programs/pluto/md5.h | 75 - programs/pluto/modecfg.c | 1078 ----- programs/pluto/modecfg.h | 47 - programs/pluto/mp_defs.c | 70 - programs/pluto/mp_defs.h | 36 - programs/pluto/nat_traversal.c | 869 ---- programs/pluto/nat_traversal.h | 154 - programs/pluto/ocsp.c | 1568 ------- programs/pluto/ocsp.h | 85 
- programs/pluto/oid.c | 197 - programs/pluto/oid.h | 78 - programs/pluto/oid.pl | 123 - programs/pluto/oid.txt | 184 - programs/pluto/packet.c | 1244 ------ programs/pluto/packet.h | 655 --- programs/pluto/pem.c | 463 --- programs/pluto/pem.h | 18 - programs/pluto/pgp.c | 647 --- programs/pluto/pgp.h | 54 - programs/pluto/pkcs1.c | 674 --- programs/pluto/pkcs1.h | 88 - programs/pluto/pkcs7.c | 862 ---- programs/pluto/pkcs7.h | 51 - programs/pluto/pluto-style.el | 4 - programs/pluto/pluto.8 | 1649 -------- programs/pluto/plutomain.c | 684 ---- programs/pluto/primegen.c | 593 --- programs/pluto/rcv_whack.c | 689 ---- programs/pluto/rcv_whack.h | 17 - programs/pluto/rnd.c | 250 -- programs/pluto/rnd.h | 21 - programs/pluto/routing.txt | 331 -- programs/pluto/rsaref/pkcs11.h | 299 -- programs/pluto/rsaref/pkcs11f.h | 912 ----- programs/pluto/rsaref/pkcs11t.h | 1685 -------- programs/pluto/rsaref/unix.h | 24 - programs/pluto/server.c | 1001 ----- programs/pluto/server.h | 60 - programs/pluto/sha1.c | 193 - programs/pluto/sha1.h | 16 - programs/pluto/smallprime.c | 122 - programs/pluto/smartcard.c | 1956 --------- programs/pluto/smartcard.h | 100 - programs/pluto/spdb.c | 2329 ----------- programs/pluto/spdb.h | 112 - programs/pluto/state.c | 1012 ----- programs/pluto/state.h | 275 -- programs/pluto/timer.c | 537 --- programs/pluto/timer.h | 34 - programs/pluto/vendor.c | 521 --- programs/pluto/vendor.h | 125 - programs/pluto/virtual.c | 338 -- programs/pluto/virtual.h | 31 - programs/pluto/whack.c | 1911 --------- programs/pluto/whack.h | 319 -- programs/pluto/x509.c | 2241 ---------- programs/pluto/x509.h | 138 - programs/pluto/xauth.c | 77 - programs/pluto/xauth.h | 41 - programs/proc/Makefile | 51 - programs/proc/trap_count.5 | 35 - programs/proc/trap_sendcount.5 | 33 - programs/proc/version.5 | 54 - programs/ranbits/.cvsignore | 1 - programs/ranbits/Makefile | 39 - programs/ranbits/ranbits.8 | 77 - programs/ranbits/ranbits.c | 146 - programs/rsasigkey/.cvsignore | 
1 - programs/rsasigkey/Makefile | 39 - programs/rsasigkey/rsasigkey.8 | 259 -- programs/rsasigkey/rsasigkey.c | 573 --- programs/scepclient/Makefile | 192 - programs/scepclient/pkcs10.c | 220 - programs/scepclient/pkcs10.h | 57 - programs/scepclient/rsakey.c | 349 -- programs/scepclient/rsakey.h | 31 - programs/scepclient/scep.c | 598 --- programs/scepclient/scep.h | 93 - programs/scepclient/scepclient.8 | 288 -- programs/scepclient/scepclient.c | 1036 ----- programs/secrets/Makefile | 38 - programs/secrets/secrets.8 | 20 - programs/secrets/secrets.in | 18 - programs/send-pr/.cvsignore | 1 - programs/send-pr/Makefile | 39 - programs/send-pr/ipsec_pr.template | 54 - programs/send-pr/send-pr.8 | 291 -- programs/send-pr/send-pr.in | 643 --- programs/setup/.cvsignore | 1 - programs/setup/Makefile | 22 - programs/setup/setup.8 | 142 - programs/setup/setup.in | 162 - programs/showdefaults/.cvsignore | 1 - programs/showdefaults/Makefile | 38 - programs/showdefaults/showdefaults.8 | 34 - programs/showdefaults/showdefaults.in | 33 - programs/showhostkey/.cvsignore | 1 - programs/showhostkey/Makefile | 38 - programs/showhostkey/showhostkey.8 | 168 - programs/showhostkey/showhostkey.in | 180 - programs/showpolicy/.cvsignore | 1 - programs/showpolicy/Makefile | 38 - programs/showpolicy/showpolicy.8 | 41 - programs/showpolicy/showpolicy.c | 251 -- programs/spi/.cvsignore | 1 - programs/spi/Makefile | 69 - programs/spi/spi.5 | 213 - programs/spi/spi.8 | 525 --- programs/spi/spi.c | 1689 -------- programs/spigrp/.cvsignore | 1 - programs/spigrp/Makefile | 52 - programs/spigrp/spigrp.5 | 116 - programs/spigrp/spigrp.8 | 174 - programs/spigrp/spigrp.c | 491 --- programs/starter/Makefile | 182 - programs/starter/README | 104 - programs/starter/args.c | 623 --- programs/starter/args.h | 34 - programs/starter/cmp.c | 105 - programs/starter/cmp.h | 29 - programs/starter/confread.c | 908 ---- programs/starter/confread.h | 200 - programs/starter/exec.c | 54 - programs/starter/exec.h | 23 
- programs/starter/files.h | 47 - programs/starter/interfaces.c | 582 --- programs/starter/interfaces.h | 41 - programs/starter/invokepluto.c | 286 -- programs/starter/invokepluto.h | 28 - programs/starter/keywords.c | 246 -- programs/starter/keywords.h | 169 - programs/starter/keywords.txt | 109 - programs/starter/klips.c | 134 - programs/starter/klips.h | 26 - programs/starter/netkey.c | 85 - programs/starter/netkey.h | 24 - programs/starter/parser.h | 57 - programs/starter/parser.l | 190 - programs/starter/parser.output | 351 -- programs/starter/parser.y | 283 -- programs/starter/starter.8 | 0 programs/starter/starter.c | 571 --- programs/starter/starterwhack.c | 372 -- programs/starter/starterwhack.h | 32 - programs/tncfg/.cvsignore | 1 - programs/tncfg/Makefile | 52 - programs/tncfg/tncfg.5 | 109 - programs/tncfg/tncfg.8 | 113 - programs/tncfg/tncfg.c | 393 -- 356 files changed, 107137 deletions(-) delete mode 100644 programs/Makefile delete mode 100644 programs/Makefile.program delete mode 100644 programs/_confread/.cvsignore delete mode 100644 programs/_confread/Makefile delete mode 100644 programs/_confread/README.conf.V2 delete mode 100644 programs/_confread/_confread.8 delete mode 100755 programs/_confread/_confread.in delete mode 100644 programs/_confread/block.in delete mode 100644 programs/_confread/clear-or-private.in delete mode 100644 programs/_confread/clear.in delete mode 100644 programs/_confread/ipsec.conf.5 delete mode 100644 programs/_confread/ipsec.conf.in delete mode 100644 programs/_confread/private-or-clear.in delete mode 100644 programs/_confread/private.in delete mode 100755 programs/_confread/randomize delete mode 100644 programs/_copyright/.cvsignore delete mode 100644 programs/_copyright/Makefile delete mode 100644 programs/_copyright/_copyright.8 delete mode 100644 programs/_copyright/_copyright.c delete mode 100644 programs/_include/.cvsignore delete mode 100644 programs/_include/Makefile delete mode 100644 
programs/_include/_include.8 delete mode 100755 programs/_include/_include.in delete mode 100644 programs/_keycensor/.cvsignore delete mode 100644 programs/_keycensor/Makefile delete mode 100644 programs/_keycensor/_keycensor.8 delete mode 100755 programs/_keycensor/_keycensor.in delete mode 100644 programs/_plutoload/.cvsignore delete mode 100644 programs/_plutoload/Makefile delete mode 100644 programs/_plutoload/_plutoload.8 delete mode 100755 programs/_plutoload/_plutoload.in delete mode 100644 programs/_plutorun/.cvsignore delete mode 100644 programs/_plutorun/Makefile delete mode 100644 programs/_plutorun/_plutorun.8 delete mode 100755 programs/_plutorun/_plutorun.in delete mode 100644 programs/_realsetup/.cvsignore delete mode 100644 programs/_realsetup/Makefile delete mode 100644 programs/_realsetup/_realsetup.8 delete mode 100755 programs/_realsetup/_realsetup.in delete mode 100644 programs/_secretcensor/.cvsignore delete mode 100644 programs/_secretcensor/Makefile delete mode 100644 programs/_secretcensor/_secretcensor.8 delete mode 100755 programs/_secretcensor/_secretcensor.in delete mode 100644 programs/_startklips/.cvsignore delete mode 100644 programs/_startklips/Makefile delete mode 100644 programs/_startklips/_startklips.8 delete mode 100755 programs/_startklips/_startklips.in delete mode 100644 programs/_updown/.cvsignore delete mode 100644 programs/_updown/Makefile delete mode 100644 programs/_updown/_updown.8 delete mode 100755 programs/_updown/_updown.in delete mode 100644 programs/_updown_espmark/Makefile delete mode 100644 programs/_updown_espmark/_updown_espmark.8 delete mode 100644 programs/_updown_espmark/_updown_espmark.in delete mode 100644 programs/auto/.cvsignore delete mode 100644 programs/auto/Makefile delete mode 100644 programs/auto/auto.8 delete mode 100755 programs/auto/auto.in delete mode 100644 programs/barf/.cvsignore delete mode 100644 programs/barf/Makefile delete mode 100644 programs/barf/barf.8 delete mode 100755 
programs/barf/barf.in delete mode 100644 programs/calcgoo/.cvsignore delete mode 100644 programs/calcgoo/Makefile delete mode 100644 programs/calcgoo/calcgoo.8 delete mode 100644 programs/calcgoo/calcgoo.in delete mode 100644 programs/eroute/.cvsignore delete mode 100644 programs/eroute/Makefile delete mode 100644 programs/eroute/eroute.5 delete mode 100644 programs/eroute/eroute.8 delete mode 100644 programs/eroute/eroute.c delete mode 100644 programs/examples/Makefile delete mode 100644 programs/examples/oe.conf.in delete mode 100644 programs/ikeping/.cvsignore delete mode 100644 programs/ikeping/Makefile delete mode 100644 programs/ikeping/ikeping.8 delete mode 100644 programs/ikeping/ikeping.c delete mode 100644 programs/ipsec/.cvsignore delete mode 100644 programs/ipsec/Makefile delete mode 100644 programs/ipsec/distro.txt delete mode 100644 programs/ipsec/ipsec.8 delete mode 100755 programs/ipsec/ipsec.in delete mode 100644 programs/klipsdebug/.cvsignore delete mode 100644 programs/klipsdebug/Makefile delete mode 100644 programs/klipsdebug/klipsdebug.5 delete mode 100644 programs/klipsdebug/klipsdebug.8 delete mode 100644 programs/klipsdebug/klipsdebug.c delete mode 100644 programs/look/.cvsignore delete mode 100644 programs/look/Makefile delete mode 100644 programs/look/look.8 delete mode 100755 programs/look/look.in delete mode 100644 programs/lwdnsq/.cvsignore delete mode 100644 programs/lwdnsq/CONTRACT.txt delete mode 100644 programs/lwdnsq/Makefile delete mode 100644 programs/lwdnsq/cmds.c delete mode 100644 programs/lwdnsq/lookup.c delete mode 100644 programs/lwdnsq/lwdnsq.8 delete mode 100644 programs/lwdnsq/lwdnsq.c delete mode 100644 programs/lwdnsq/lwdnsq.h delete mode 100644 programs/lwdnsq/lwdnsq.xml.in delete mode 100644 programs/lwdnsq/states.fig delete mode 100644 programs/lwdnsq/states.png delete mode 100644 programs/mailkey/.cvsignore delete mode 100644 programs/mailkey/Makefile delete mode 100644 programs/mailkey/mailkey.8 delete mode 100755 
programs/mailkey/mailkey.in delete mode 100644 programs/manual/.cvsignore delete mode 100644 programs/manual/Makefile delete mode 100644 programs/manual/manual.8 delete mode 100755 programs/manual/manual.in delete mode 100644 programs/openac/Makefile delete mode 100644 programs/openac/build.c delete mode 100644 programs/openac/build.h delete mode 100644 programs/openac/loglite.c delete mode 100644 programs/openac/openac.8 delete mode 100755 programs/openac/openac.c delete mode 100644 programs/pf_key/.cvsignore delete mode 100644 programs/pf_key/Makefile delete mode 100644 programs/pf_key/pf_key.5 delete mode 100644 programs/pf_key/pf_key.8 delete mode 100644 programs/pf_key/pf_key.c delete mode 100644 programs/pluto/.cvsignore delete mode 100644 programs/pluto/Makefile delete mode 100644 programs/pluto/PLUTO-CONVENTIONS delete mode 100644 programs/pluto/TODO delete mode 100644 programs/pluto/ac.c delete mode 100644 programs/pluto/ac.h delete mode 100644 programs/pluto/adns.c delete mode 100644 programs/pluto/adns.h delete mode 100644 programs/pluto/alg/Config.ike_alg delete mode 100644 programs/pluto/alg/Makefile delete mode 100644 programs/pluto/alg/Makefile.ike_alg_aes delete mode 100644 programs/pluto/alg/Makefile.ike_alg_blowfish delete mode 100644 programs/pluto/alg/Makefile.ike_alg_serpent delete mode 100644 programs/pluto/alg/Makefile.ike_alg_sha2 delete mode 100644 programs/pluto/alg/Makefile.ike_alg_twofish delete mode 100644 programs/pluto/alg/ike_alg_aes.c delete mode 100644 programs/pluto/alg/ike_alg_blowfish.c delete mode 100644 programs/pluto/alg/ike_alg_serpent.c delete mode 100644 programs/pluto/alg/ike_alg_sha2.c delete mode 100644 programs/pluto/alg/ike_alg_twofish.c delete mode 100644 programs/pluto/alg_info.c delete mode 100644 programs/pluto/alg_info.h delete mode 100644 programs/pluto/asn1.c delete mode 100644 programs/pluto/asn1.h delete mode 100644 programs/pluto/ca.c delete mode 100644 programs/pluto/ca.h delete mode 100644 
programs/pluto/certs.c delete mode 100644 programs/pluto/certs.h delete mode 100644 programs/pluto/connections.c delete mode 100644 programs/pluto/connections.h delete mode 100644 programs/pluto/constants.c delete mode 100644 programs/pluto/constants.h delete mode 100644 programs/pluto/cookie.c delete mode 100644 programs/pluto/cookie.h delete mode 100644 programs/pluto/crl.c delete mode 100644 programs/pluto/crl.h delete mode 100644 programs/pluto/crypto.c delete mode 100644 programs/pluto/crypto.h delete mode 100644 programs/pluto/db_ops.c delete mode 100644 programs/pluto/db_ops.h delete mode 100644 programs/pluto/defs.c delete mode 100644 programs/pluto/defs.h delete mode 100644 programs/pluto/demux.c delete mode 100644 programs/pluto/demux.h delete mode 100644 programs/pluto/dnskey.c delete mode 100644 programs/pluto/dnskey.h delete mode 100644 programs/pluto/dsa.c delete mode 100644 programs/pluto/dsa.h delete mode 100644 programs/pluto/elgamal.c delete mode 100644 programs/pluto/elgamal.h delete mode 100644 programs/pluto/fetch.c delete mode 100644 programs/pluto/fetch.h delete mode 100644 programs/pluto/foodgroups.c delete mode 100644 programs/pluto/foodgroups.h delete mode 100644 programs/pluto/gcryptfix.c delete mode 100644 programs/pluto/gcryptfix.h delete mode 100644 programs/pluto/id.c delete mode 100644 programs/pluto/id.h delete mode 100644 programs/pluto/ike_alg.c delete mode 100644 programs/pluto/ike_alg.h delete mode 100644 programs/pluto/ipsec.secrets.5 delete mode 100644 programs/pluto/ipsec_doi.c delete mode 100644 programs/pluto/ipsec_doi.h delete mode 100644 programs/pluto/kameipsec.h delete mode 100644 programs/pluto/kernel.c delete mode 100644 programs/pluto/kernel.h delete mode 100644 programs/pluto/kernel_alg.c delete mode 100644 programs/pluto/kernel_alg.h delete mode 100644 programs/pluto/kernel_netlink.c delete mode 100644 programs/pluto/kernel_netlink.h delete mode 100644 programs/pluto/kernel_noklips.c delete mode 100644 
programs/pluto/kernel_noklips.h delete mode 100644 programs/pluto/kernel_pfkey.c delete mode 100644 programs/pluto/kernel_pfkey.h delete mode 100644 programs/pluto/keys.c delete mode 100644 programs/pluto/keys.h delete mode 100644 programs/pluto/lex.c delete mode 100644 programs/pluto/lex.h delete mode 100644 programs/pluto/linux26/netlink.h delete mode 100644 programs/pluto/linux26/rtnetlink.h delete mode 100644 programs/pluto/linux26/xfrm.h delete mode 100644 programs/pluto/log.c delete mode 100644 programs/pluto/log.h delete mode 100644 programs/pluto/md2.c delete mode 100644 programs/pluto/md2.h delete mode 100644 programs/pluto/md5.c delete mode 100644 programs/pluto/md5.h delete mode 100644 programs/pluto/modecfg.c delete mode 100644 programs/pluto/modecfg.h delete mode 100644 programs/pluto/mp_defs.c delete mode 100644 programs/pluto/mp_defs.h delete mode 100644 programs/pluto/nat_traversal.c delete mode 100644 programs/pluto/nat_traversal.h delete mode 100644 programs/pluto/ocsp.c delete mode 100644 programs/pluto/ocsp.h delete mode 100644 programs/pluto/oid.c delete mode 100644 programs/pluto/oid.h delete mode 100644 programs/pluto/oid.pl delete mode 100644 programs/pluto/oid.txt delete mode 100644 programs/pluto/packet.c delete mode 100644 programs/pluto/packet.h delete mode 100644 programs/pluto/pem.c delete mode 100644 programs/pluto/pem.h delete mode 100644 programs/pluto/pgp.c delete mode 100644 programs/pluto/pgp.h delete mode 100644 programs/pluto/pkcs1.c delete mode 100644 programs/pluto/pkcs1.h delete mode 100644 programs/pluto/pkcs7.c delete mode 100644 programs/pluto/pkcs7.h delete mode 100644 programs/pluto/pluto-style.el delete mode 100644 programs/pluto/pluto.8 delete mode 100644 programs/pluto/plutomain.c delete mode 100644 programs/pluto/primegen.c delete mode 100644 programs/pluto/rcv_whack.c delete mode 100644 programs/pluto/rcv_whack.h delete mode 100644 programs/pluto/rnd.c delete mode 100644 programs/pluto/rnd.h delete mode 100644 
programs/pluto/routing.txt delete mode 100644 programs/pluto/rsaref/pkcs11.h delete mode 100644 programs/pluto/rsaref/pkcs11f.h delete mode 100644 programs/pluto/rsaref/pkcs11t.h delete mode 100644 programs/pluto/rsaref/unix.h delete mode 100644 programs/pluto/server.c delete mode 100644 programs/pluto/server.h delete mode 100644 programs/pluto/sha1.c delete mode 100644 programs/pluto/sha1.h delete mode 100644 programs/pluto/smallprime.c delete mode 100644 programs/pluto/smartcard.c delete mode 100644 programs/pluto/smartcard.h delete mode 100644 programs/pluto/spdb.c delete mode 100644 programs/pluto/spdb.h delete mode 100644 programs/pluto/state.c delete mode 100644 programs/pluto/state.h delete mode 100644 programs/pluto/timer.c delete mode 100644 programs/pluto/timer.h delete mode 100644 programs/pluto/vendor.c delete mode 100644 programs/pluto/vendor.h delete mode 100644 programs/pluto/virtual.c delete mode 100644 programs/pluto/virtual.h delete mode 100644 programs/pluto/whack.c delete mode 100644 programs/pluto/whack.h delete mode 100644 programs/pluto/x509.c delete mode 100644 programs/pluto/x509.h delete mode 100644 programs/pluto/xauth.c delete mode 100644 programs/pluto/xauth.h delete mode 100644 programs/proc/Makefile delete mode 100644 programs/proc/trap_count.5 delete mode 100644 programs/proc/trap_sendcount.5 delete mode 100644 programs/proc/version.5 delete mode 100644 programs/ranbits/.cvsignore delete mode 100644 programs/ranbits/Makefile delete mode 100644 programs/ranbits/ranbits.8 delete mode 100644 programs/ranbits/ranbits.c delete mode 100644 programs/rsasigkey/.cvsignore delete mode 100644 programs/rsasigkey/Makefile delete mode 100644 programs/rsasigkey/rsasigkey.8 delete mode 100644 programs/rsasigkey/rsasigkey.c delete mode 100644 programs/scepclient/Makefile delete mode 100644 programs/scepclient/pkcs10.c delete mode 100644 programs/scepclient/pkcs10.h delete mode 100644 programs/scepclient/rsakey.c delete mode 100644 
programs/scepclient/rsakey.h delete mode 100644 programs/scepclient/scep.c delete mode 100644 programs/scepclient/scep.h delete mode 100644 programs/scepclient/scepclient.8 delete mode 100644 programs/scepclient/scepclient.c delete mode 100644 programs/secrets/Makefile delete mode 100644 programs/secrets/secrets.8 delete mode 100644 programs/secrets/secrets.in delete mode 100644 programs/send-pr/.cvsignore delete mode 100644 programs/send-pr/Makefile delete mode 100644 programs/send-pr/ipsec_pr.template delete mode 100644 programs/send-pr/send-pr.8 delete mode 100755 programs/send-pr/send-pr.in delete mode 100644 programs/setup/.cvsignore delete mode 100644 programs/setup/Makefile delete mode 100644 programs/setup/setup.8 delete mode 100755 programs/setup/setup.in delete mode 100644 programs/showdefaults/.cvsignore delete mode 100644 programs/showdefaults/Makefile delete mode 100644 programs/showdefaults/showdefaults.8 delete mode 100755 programs/showdefaults/showdefaults.in delete mode 100644 programs/showhostkey/.cvsignore delete mode 100644 programs/showhostkey/Makefile delete mode 100644 programs/showhostkey/showhostkey.8 delete mode 100755 programs/showhostkey/showhostkey.in delete mode 100644 programs/showpolicy/.cvsignore delete mode 100644 programs/showpolicy/Makefile delete mode 100644 programs/showpolicy/showpolicy.8 delete mode 100644 programs/showpolicy/showpolicy.c delete mode 100644 programs/spi/.cvsignore delete mode 100644 programs/spi/Makefile delete mode 100644 programs/spi/spi.5 delete mode 100644 programs/spi/spi.8 delete mode 100644 programs/spi/spi.c delete mode 100644 programs/spigrp/.cvsignore delete mode 100644 programs/spigrp/Makefile delete mode 100644 programs/spigrp/spigrp.5 delete mode 100644 programs/spigrp/spigrp.8 delete mode 100644 programs/spigrp/spigrp.c delete mode 100644 programs/starter/Makefile delete mode 100644 programs/starter/README delete mode 100644 programs/starter/args.c delete mode 100644 programs/starter/args.h 
delete mode 100644 programs/starter/cmp.c delete mode 100644 programs/starter/cmp.h delete mode 100644 programs/starter/confread.c delete mode 100644 programs/starter/confread.h delete mode 100644 programs/starter/exec.c delete mode 100644 programs/starter/exec.h delete mode 100644 programs/starter/files.h delete mode 100644 programs/starter/interfaces.c delete mode 100644 programs/starter/interfaces.h delete mode 100644 programs/starter/invokepluto.c delete mode 100644 programs/starter/invokepluto.h delete mode 100644 programs/starter/keywords.c delete mode 100644 programs/starter/keywords.h delete mode 100644 programs/starter/keywords.txt delete mode 100644 programs/starter/klips.c delete mode 100644 programs/starter/klips.h delete mode 100644 programs/starter/netkey.c delete mode 100644 programs/starter/netkey.h delete mode 100644 programs/starter/parser.h delete mode 100644 programs/starter/parser.l delete mode 100644 programs/starter/parser.output delete mode 100644 programs/starter/parser.y delete mode 100644 programs/starter/starter.8 delete mode 100644 programs/starter/starter.c delete mode 100644 programs/starter/starterwhack.c delete mode 100644 programs/starter/starterwhack.h delete mode 100644 programs/tncfg/.cvsignore delete mode 100644 programs/tncfg/Makefile delete mode 100644 programs/tncfg/tncfg.5 delete mode 100644 programs/tncfg/tncfg.8 delete mode 100644 programs/tncfg/tncfg.c (limited to 'programs') diff --git a/programs/Makefile b/programs/Makefile deleted file mode 100644 index dbc03f416..000000000 --- a/programs/Makefile +++ /dev/null 
@@ -1,46 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.9 2006/08/28 11:12:36 as Exp $
-
-FREESWANSRCDIR=..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto
-SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
-SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
-SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
-SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
-SUBDIRS+=ikeping examples openac scepclient
-
-ifeq ($(USE_LWRES),true)
-SUBDIRS+=lwdnsq
-endif
-
-ifeq ($(USE_IPSECPOLICY),true)
-SUBDIRS+=showpolicy
-endif
-
-def:
- @echo "Please read doc/intro.html or INSTALL before running make"
- @false
-
-# programs
-
-cleanall distclean mostlyclean realclean install programs checkprograms check clean spotless install_file_list:
- @for d in $(SUBDIRS) ; \
- do \
- (cd $$d && $(MAKE) FREESWANSRCDIR=$(FREESWANSRCDIR)/.. $@ ) || exit 1;\
- done;
-
diff --git a/programs/Makefile.program b/programs/Makefile.program
deleted file mode 100644
index 14d2d8269..000000000
--- a/programs/Makefile.program
+++ /dev/null
@@ -1,154 +0,0 @@
-
-include ${FREESWANSRCDIR}/Makefile.ver
-
-CFLAGS+=$(USERCOMPILE) -I${KLIPSINC}
-
-CFLAGS+= -Wall
-#CFLAGS+= -Wconversion
-#CFLAGS+= -Wmissing-prototypes
-CFLAGS+= -Wpointer-arith
-CFLAGS+= -Wcast-qual
-#CFLAGS+= -Wmissing-declarations
-CFLAGS+= -Wstrict-prototypes
-#CFLAGS+= -pedantic
-#CFLAGS+= -W
-#CFLAGS+= -Wwrite-strings
-CFLAGS+= -Wbad-function-cast
-
-# die if there are any warnings
-ifndef WERROR
-WERROR:= -Werror
-endif
-
-#CFLAGS+= ${WERROR}
-
-ifeq ($(USE_NAT_TRAVERSAL),true)
- CFLAGS+= -DNAT_TRAVERSAL
-endif
-
-ifneq ($(LD_LIBRARY_PATH),)
-LDFLAGS=-L$(LD_LIBRARY_PATH)
-endif
-
-MANDIR8=$(MANTREE)/man8
-MANDIR5=$(MANTREE)/man5
-
-ifndef PROGRAMDIR
-PROGRAMDIR=${LIBEXECDIR}
-endif
-
-ifndef MANPROGPREFIX
-MANPROGPREFIX=ipsec_
-endif
-
-ifndef CONFDSUBDIR
-CONFDSUBDIR=.
-endif
-
-all: $(PROGRAM)
-
-programs: all
-
-ifneq ($(PROGRAM),check)
-check: $(PROGRAM)
-endif
-
-
-ifneq ($(NOINSTALL),true)
-
-install:: $(PROGRAM) $(CONFFILES) $(EXTRA8MAN) $(EXTRA5MAN) $(EXTRA5PROC) $(LIBFILES) $(CONFDFILES)
- @mkdir -p $(PROGRAMDIR) $(MANDIR8) $(MANDIR5) $(LIBDIR) $(CONFDIR) $(CONFDDIR) $(CONFDDIR)/$(CONFDSUBDIR) $(EXAMPLECONFDIR)
- @if [ -n "$(PROGRAM)" ]; then $(INSTALL) $(INSTBINFLAGS) $(PROGRAM) $(PROGRAMDIR); fi
- @$(foreach f, $(addsuffix .8, $(PROGRAM)), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR8)/$(MANPROGPREFIX)$f || exit 1; \
- )
- @$(foreach f, $(EXTRA8MAN), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR8)/ipsec_$f || exit 1; \
- )
- @$(foreach f, $(EXTRA5MAN), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR5)/$f || exit 1 ;\
- )
- @$(foreach f, $(EXTRA5PROC), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR5)/ipsec_$f || exit 1 ;\
- )
- @$(foreach f, $(LIBFILES), \
- $(INSTALL) $(INSTCONFFLAGS) $f $(LIBDIR)/$f || exit 1 ;\
- )
- @$(foreach f, $(CONFFILES), \
- if [ ! -f $(CONFDIR)/$f ]; then $(INSTALL) $(INSTCONFFLAGS) $f $(CONFDIR)/$f || exit 1; fi;\
- $(INSTALL) $(INSTCONFFLAGS) $f $(EXAMPLECONFDIR)/$f-sample || exit 1; \
- )
- @$(foreach f, $(CONFDFILES), \
- if [ ! -f $(CONFDDIR)/$(CONFDSUBDIR)/$f ]; then $(INSTALL) $(INSTCONFFLAGS) $f $(CONFDDIR)/$(CONFDSUBDIR)/$f || exit 1; fi;\
- )
-
-install_file_list::
- @if [ -n "$(PROGRAM)" ]; then echo $(PROGRAMDIR)/$(PROGRAM); fi
- @$(foreach f, $(addsuffix .8, $(PROGRAM)), \
- echo $(MANDIR8)/${MANPROGPREFIX}$f; \
- )
- @$(foreach f, $(EXTRA8MAN), \
- echo $(MANDIR8)/ipsec_$f; \
- )
- @$(foreach f, $(EXTRA5MAN), \
- echo $(MANDIR5)/$f;\
- )
- @$(foreach f, $(EXTRA5PROC), \
- echo $(MANDIR5)/ipsec_$f; \
- )
- @$(foreach f, $(LIBFILES), \
- echo $(LIBDIR)/$f;\
- )
- @$(foreach f, $(CONFFILES), \
- echo $(CONFDIR)/$f;\
- echo $(EXAMPLECONFDIR)/$f-sample;\
- )
- @$(foreach f, $(CONFDFILES), \
- echo $(CONFDDIR)/${CONFDSUBDIR}/$f;\
- )
-
-endif
-
-# cancel the rule that compiles directly
-%: %.c
-
-%: %.o $(OBJS)
- $(CC) $(CFLAGS) -o $@ $@.o ${OBJS} $(LDFLAGS) $(LIBS)
-
-%: %.in ${FREESWANSRCDIR}/Makefile.inc ${FREESWANSRCDIR}/Makefile.ver
- cat $< | sed -e "s/xxx/$(IPSECVERSION)/" \
- -e "s:@IPSEC_DIR@:$(FINALBINDIR):" \
- -e "s:@IPSEC_EXECDIR@:$(FINALLIBEXECDIR):" \
- -e "s:@IPSEC_SBINDIR@:$(FINALSBINDIR):" \
- -e "s:@IPSEC_LIBDIR@:$(FINALLIBDIR):" \
- -e "s:@FINALCONFDIR@:$(FINALCONFDIR):" \
- -e "s:@EXAMPLECONFDIR@:$(EXAMPLECONFDIR):" \
- -e "s:@FINALDOCDIR@:$(FINALDOCDIR):" \
- -e "s:@FINALEXAMPLECONFDIR@:$(FINALEXAMPLECONFDIR):" \
- -e "s:@MODULE_GOO_LIST@:$(MODULE_GOO_LIST):" \
- -e "s:@IPSEC_CONFS@:$(FINALCONFDIR):" \
- -e "s:@IPSEC_CONFDDIR@:$(FINALCONFDDIR):" \
- -e "s:@USE_IPROUTE2@:$(USE_IPROUTE2):" \
- -e "s:@IPSEC_FIREWALLTYPE@:$(IPSEC_FIREWALLTYPE):" \
- | cat >$@
- if [ -x $< ]; then chmod +x $@; fi
- if [ "${PROGRAM}.in" = $< ]; then chmod +x $@; fi
-
-cleanall: clean
-
-distclean: clean
-
-mostlyclean: clean
-
-realclean: clean
-
-clean::
-ifneq ($(strip $(PROGRAM)),)
- @if [ -r $(PROGRAM).in ]; then rm -f $(PROGRAM); fi
- @if [ -r $(PROGRAM).c ]; then rm -f $(PROGRAM); fi
- @if [ -n "$(OBJS)" ]; then rm -f $(PROGRAM); fi
-endif
- @rm -f *.o
-
-checkprograms:
-
diff --git a/programs/_confread/.cvsignore b/programs/_confread/.cvsignore
deleted file mode 100644
index 405492384..000000000
--- a/programs/_confread/.cvsignore
+++ /dev/null
@@ -1,7 +0,0 @@
-_confread
-ipsec.conf
-block
-clear
-private
-clear-or-private
-private-or-clear
diff --git a/programs/_confread/Makefile b/programs/_confread/Makefile
deleted file mode 100644
index 1bdc9a3f0..000000000
--- a/programs/_confread/Makefile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.2 2004/03/31 19:23:00 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_confread
-PROGRAMDIR=${LIBDIR}
-EXTRA5MAN=ipsec.conf.5
-CONFFILES=ipsec.conf
-
-CONFDSUBDIR=policies
-CONFDFILES=clear clear-or-private private-or-clear private block
-
-include ../Makefile.program
diff --git a/programs/_confread/README.conf.V2 b/programs/_confread/README.conf.V2
deleted file mode 100644
index 244e245c5..000000000
--- a/programs/_confread/README.conf.V2
+++ /dev/null
@@ -1,103 +0,0 @@
-Subject: [Design] changes to ipsec.conf
-# RCSID $Id: README.conf.V2,v 1.1 2004/03/15 20:35:27 as Exp $
-
-We are changing ipsec.conf for the 2.0 series of FreeS/WAN.
-
-OE is enabled by default. This is accomplished by automatically
-defining a conn "OEself" UNLESS the sysadmin defines one with the same
-name:
-
-conn OEself
- # authby=rsasig # default
- left=%defaultroute
- leftrsasigkey=%dnsondemand # default
- right=%opportunistic
- rightrsasigkey=%dnsondemand # default
- keyingtries=3
- ikelifetime=1h
- keylife=1h # default
- rekey=no
- # disablearrivalcheck=no # default
- auto=route
-
-This will only work if %defaultroute works.
-The leftid will be the resulting IP address (won't work if
-you haven't filled in the reverse DNS entry).
-Unlike other conns, nothing in this implicit conn is changed by conn %default.
-
-We'd like a better name. A conn name starting with % cannot be
-defined by the sysadmin, so that is out. Names that haven't grabbed
-us: OEhost, OElocalhost, OEthishost, OEforself, OE4self.
-
-There is no requirement to have /etc/ipsec.conf. If you do, the first
-significant line (non-blank, non-comment) must be (not indented):
-version 2.0
-This signifies that the file was intended for FreeS/WAN version 2.0.
-
-
-The following table shows most changes. "-" means that the option
-doesn't exist. "Recent Boilerplate" shows the effect of the "conn
-%default" in the automatically installed /etc/ipsec.conf (not
-installed if you already had one).
- -Option Old Default Recent Boilerplate New Default -====== =========== ================== =========== - -config setup: -interfaces "" %defaultroute %defaultroute -plutoload "" %search - [same as %search] -plutostart "" %search - [same as %search] -uniqueids no yes yes -rp_filter - - 0 -plutowait yes yes no -dump no no - [use dumpdir] -plutobackgroundload ignored ignored - -no_eroute_pass no no - [use packetdefault] - -conn %default: -keyingtries 3 0 %forever [0 means this] -disablearrivalcheck yes no no -authby secret rsasig rsasig -leftrsasigkey "" %dnsondemand %dnsondemand -rightrsasigkey "" %dnsondemand %dnsondemand -lifetime ==keylife ==keylife - [use keylife] -rekeystart ==rekeymargin ==rekeymargin - [use rekeymargin] -rekeytries ==keyingtries ==keyingtries - [use keyingtries] - -====== =========== ================== =========== -Option Old Default Recent Boilerplate New Default - - -The auto= mechanism has been extended to support manual conns. If you -specify auto=manual in a conn, an "ipsec manual" will be performed on -it at startup (ipsec setup start). - - -There is a new config setup option "rp_filter". It controls - /proc/sys/net/ipv4/conf/PHYS/rp_filter -for each PHYSical IP interface used by FreeS/WAN. Settings are: - %unchanged do not touch (but warn if wrong) - 0 set to 0; default; means: no filtering - 1 set to 1; means: loose filter - 2 set to 1; means: strict filter -0 is often necessary for FreeS/WAN to function. Some folks -want other settings. Shutting down FreeS/WAN does not restore -the original value. - -Currently ikelife defaults to 1 hour and keylife defaults to 8 hours. -There have been some rumblings that these are the wrong defaults, but -it isn't clear what would be best. Perhaps both should be closer. -Any thoughts of what these should be? Any Road Warrior or OE conn -should probably have carefully thought-out values explicitly -specified. The settings don't matter much for VPN connections. 
-
-keyingtries=%forever is the new improved notation for keyingtries=0.
-Eventually the 0 notation will be eliminated.
-
-Some options can now be set to %none to signify no setting. Otherwise
-there would be no way for the user to override a default setting:
- leftrsasigkey, rightrsasigkey [added in 1.98]
- interfaces
-
-Hugh Redelmeier
-hugh@mimosa.com voice: +1 416 482-8253
diff --git a/programs/_confread/_confread.8 b/programs/_confread/_confread.8
deleted file mode 100644
index 20d92a002..000000000
--- a/programs/_confread/_confread.8
+++ /dev/null
@@ -1,28 +0,0 @@
-.TH _CONFREAD 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _confread.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _confread \- internal routing to parse config file
-.SH DESCRIPTION
-.I _confread
-is an internal script used for parsing /etc/ipsec.conf into a canonical format.
-.SH "SEE ALSO"
-ipsec(8), ipsec_conf(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project
-by Michael Richardson. Program written by Henry Spencer.
-.\"
-.\" $Log: _confread.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.3 2002/09/16 01:28:43 dhr
-.\"
-.\" typo
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\"
-.\"
diff --git a/programs/_confread/_confread.in b/programs/_confread/_confread.in
deleted file mode 100755
index 4561af9fe..000000000
--- a/programs/_confread/_confread.in
+++ /dev/null
@@ -1,520 +0,0 @@ -#!/bin/sh -# configuration-file reader utility -# Copyright (C) 1999-2002 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _confread.in,v 1.15 2006/04/20 04:42:12 as Exp $ -# -# Extract configuration info from /etc/ipsec.conf, repackage as assignments -# to shell variables or tab-delimited fields. Success or failure is reported -# inline, as extra data, due to the vagaries of shell backquote handling. -# In the absence of --varprefix, output is tab-separated fields, like: -# = sectionname -# : parameter value -# ! status (empty for success, else complaint) -# In the presence of (say) "--varprefix IPSEC", output is like: -# IPSEC_confreadsection="sectionname" -# IPSECparameter="value" -# IPSEC_confreadstatus="status" (same empty/complaint convention) -# -# The "--search parametername" option inverts the search: instead of -# yielding the parameters of the specified name(s), it yields the names -# of sections with parameter having (one of) the -# specified value(s). In this case, --varprefix output is a list of -# names in the _confreadnames variable. Search values with -# white space in them are currently not handled properly. -# -# Typical usage: -# eval `ipsec _confread --varprefix IPSEC --type config setup` -# if test " $IPSEC_confreadstatus" != " " -# then -# echo "$0: $IPSEC_confreadstatus -- aborting" 2>&1 -# exit 1 -# fi - -# absent default config file treated as empty -config=${IPSEC_CONFS-@FINALCONFDIR@}/ipsec.conf -if test ! 
-f "$config" ; then config=/dev/null ; fi - -include=yes -type=conn -fieldfmt=yes -prefix= -search= -export=0 -version= -optional=0 -me="ipsec _confread" - -for dummy -do - case "$1" in - --config) config="$2" ; shift ;; - --noinclude) include= ;; - --type) type="$2" ; shift ;; - --varprefix) fieldfmt= - prefix="$2" - shift ;; - --export) export=1 ;; - --search) search="$2" ; shift ;; - --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; - --optional) optional=1 ;; - --) shift ; break ;; - -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -if test "$include" -then - ipsec _include --inband $config -else - cat $config -fi | -awk 'BEGIN { - type = "'"$type"'" - names = "'"$*"'" - prefix = "'"$prefix"'" - export = "'"$export"'" - optional = 0 + '"$optional"' - myid = "'"$IPSECmyid"'" - search = "'"$search"'" - searching = 0 - if (search != "") { - searching = 1 - searchpat = search "[ \t]*=[ \t]*" - } - fieldfmt = 0 - if ("'"$fieldfmt"'" == "yes") - fieldfmt = 1 - including = 0 - if ("'"$include"'" == "yes") - including = 1 - filename = "'"$config"'" - lineno = 0 - originalfilename = filename - if (fieldfmt) - bq = eq = "\"" - else - bq = eq = "\\\"" - failed = 0 - insection = 0 - wrongtype = 0 - indefault = 0 - outputting = 0 - sawnondefault = 0 - OFS = "\t" - o_status = "!" - o_parm = ":" - o_section = "=" - o_names = "%" - o_end = "." 
- n = split(names, na, " ") - if (n == 0) - fail("no section names supplied") - for (i = 1; i <= n; i++) { - if (na[i] in wanted) - fail("section " bq na[i] eq " requested more than once") - wanted[na[i]] = 1 - pending[na[i]] = 1 - if (!searching && na[i] !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/) - fail("invalid section name " bq na[i] eq) - } - - good = "also alsoflip type auto authby _plutodevel" - left = " left leftsubnet leftnexthop leftfirewall lefthostaccess leftupdown" - akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz" - akey = akey " dpdaction dpddelay dpdtimeout" - akey = akey " pfsgroup compress" - akey = akey " keyingtries ikelifetime disablearrivalcheck failureshunt ike" - mkey = " spibase spi esp espenckey espauthkey espreplay_window" - left = left " leftespenckey leftespauthkey leftahkey" - left = left " leftespspi leftahspi leftid leftrsasigkey leftrsasigkey2" - left = left " leftsendcert leftcert leftca leftsubnetwithin leftprotoport" - left = left " leftgroups leftsourceip" - mkey = mkey " ah ahkey ahreplay_window" - right = left - gsub(/left/, "right", right) - n = split(good left right akey mkey, g) - for (i = 1; i <= n; i++) - goodnames["conn:" g[i]] = 1 - - good = "also interfaces forwardcontrol myid" - good = good " syslog klipsdebug plutodebug plutoopts plutostderrlog" - good = good " plutorestartoncrash" - good = good " dumpdir manualstart pluto" - good = good " plutowait prepluto postpluto" - good = good " fragicmp hidetos rp_filter uniqueids" - good = good " overridemtu pkcs11module pkcs11keepstate pkcs11proxy" - good = good " nocrsend strictcrlpolicy crlcheckinterval cachecrls" - good = good " nat_traversal keep_alive force_keepalive" - good = good " disable_port_floating virtual_private" - - n = split(good, g) - for (i = 1; i <= n; i++) - goodnames["config:" g[i]] = 1 - - good = "auto cacert ldaphost ldapbase crluri crluri2 ocspuri" - good = good " strictcrlpolicy" - - n = split(good, g) - for (i = 1; i <= n; i++) - 
goodnames["ca:" g[i]] = 1 - - goodtypes["conn"] = 1 - goodtypes["config"] = 1 - goodtypes["ca"] = 1 - - badchars = "" - for (i = 1; i < 32; i++) - badchars = badchars sprintf("%c", i) - for (i = 127; i < 128+32; i++) - badchars = badchars sprintf("%c", i) - badchar = "[" badchars "]" - - # if searching, seen is set of sectionnames which match - # if not searching, seen is set of parameter names found - seen[""] = "" - defaults[""] = "" - usesdefault[""] = "" - orientation = 1 -} - - - -function output(code, v1, v2) { - if (code == o_parm) { - if (v2 == "") # suppress empty parameters - return - if (privatename(v1)) # and private ones - return - if (v2 ~ badchar) - fail("parameter value " bq v2 eq " contains unprintable character") - } - - if (fieldfmt) { - print code, v1, v2 - return - } - - if (code == o_status) { - v2 = v1 - v1 = "_confreadstatus" - } else if (code == o_section) { - v2 = v1 - v1 = "_confreadsection" - } else if (code == o_names) { - v2 = v1 - v1 = "_confreadnames" - } else if (code != o_parm) - return # currently no variable version of o_end - - print prefix v1 "=\"" v2 "\"" - if (export) - print "export " prefix v1 -} -function searchfound(sectionname, n, i, reflist) { - # a hit in x is a hit in everybody who refers to x too - n = split(refsto[sectionname], reflist, ";") - for (i = 1; i <= n; i++) - if (reflist[i] in seen) - fail("duplicated parameter " bq search eq) - else - seen[reflist[i]] = 1 - seen[sectionname] = 1 -} -function fail(msg) { - output(o_status, ("(" filename ", line " lineno ") " msg)) - failed = 1 - while ((getline junk) > 0) - continue - exit -} -function badname(n) { - if ((type ":" n) in goodnames) - return 0 - if (privatename(n)) - return 0 - return 1 -} -function privatename(n) { - if (n ~ /^[xX][-_]/) - return 1 - return 0 -} -function orient(n) { - if (orientation == -1) { - if (n ~ /left/) - gsub(/left/, "right", n) - else if (n ~ /right/) - gsub(/right/, "left", n) - } - return n -} -# in searching, referencing is 
transitive: xyz->from->to -function chainref(from, to, i, reflist, listnum) { - if (from in refsto) { - listnum = split(refsto[from], reflist, ";") - for (i = 1; i <= listnum; i++) - chainref(reflist[i], to) - } - if (to in refsto) - refsto[to] = refsto[to] ";" from - else - refsto[to] = from -} - -# start of rules - -{ - lineno++ - # lineno is now the number of this line - - # we must remember indentation because comment stripping loses it - exdented = $0 !~ /^[ \t]/ - sub(/^[ \t]+/, "") # get rid of leading white space - sub(/[ \t]+$/, "") # get rid of trailing white space -} -including && $0 ~ /^#[<>:]/ { - # _include control line - if ($1 ~ /^#[<>]$/) { - filename = $2 - lineno = $3 - 1 - } else if ($0 ~ /^#:/) { - msg = substr($0, 3) - gsub(/"/, "\\\"", msg) - fail(msg) - } - next -} -exdented { - # any non-leading-white-space line is a section end - ### but not the end of relevant stuff, might be also= sections later - ###if (insection && !indefault && !searching && outputting) - ### output(o_end) - insection = 0 - wrongtype = 0 - indefault = 0 - outputting = 0 -} -/[ \t]#/ { - # strip trailing comments including the leading whitespace - # tricky because we must respect quotes - q = 0 - for (i = 1; i <= NF; i++) { - if ($i ~ /^#/ && q % 2 == 0) { - NF = i - 1; - break - } - # using $i in gsub loses whitespace?!? 
- junk = $i - q += gsub(/"/, "&", junk) - } -} -$0 == "" || $0 ~ /^#/ { - # empty lines and comments are ignored - next -} -exdented && NF != 2 { - # bad section header - fail("section header " bq $0 eq " has wrong number of fields (" NF ")") -} -exdented && $1 == "version" { - version = $2 + 0 - if (version < 2.0 || 2.0 < version) - fail("we only support version 2.0 ipsec.conf files, not " bq version eq) - next -} -version == "" { - fail("we only support version 2 ipsec.conf files") -} -exdented && !($1 in goodtypes) { - # unknown section type - fail("section type " bq $1 eq " not recognized") -} -exdented && $1 != type { - # section header, but not of the type we want - insection = 1 - wrongtype = 1 - next -} -extented { - # type fits - wrongtype = 0 -} -exdented && $1 == "config" && $2 != "setup" { - fail("unknown config section " bq $2 eq) -} -exdented && $2 != "%default" { - # non-default section header of our type - sawnondefault = 1 -} -exdented && searching && $2 != "%default" { - # section header, during search - insection = 1 - sectionname = $2 - usesdefault[sectionname] = 1 # tentatively - next -} -exdented && !searching && $2 in wanted { - # one of our wanted section headers - if (!($2 in pending)) - fail("duplicate " type " section " bq $2 eq) - delete pending[$2] - tag = bq type " " $2 eq - outputting = 1 - insection = 1 - orientation = wanted[$2] - output(o_section, $2) - next -} -exdented && $2 == "%default" { - # relevant default section header - if (sawnondefault) - fail(bq $1 " %default" eq " sections must precede non-default ones") - tag = bq type " " $2 eq - indefault = 1 - next -} -exdented { - # section header, but not one we want - insection = 1 - next -} -!insection && !indefault { - # starts with white space but not in a section... 
oops - fail("parameter is not within a section") -} -!wrongtype && searching && $0 ~ searchpat { - # search found the right parameter name - match($0, searchpat) - rest = substr($0, RLENGTH+1) - if (rest ~ /^".*"$/) - rest = substr(rest, 2, length(rest)-2) - if (!indefault) { - if (!usesdefault[sectionname]) - fail("duplicated parameter " bq search eq) - usesdefault[sectionname] = 0 - } else if (search in defaults) - fail("duplicated parameter " bq search eq) - if (rest in wanted) { # a hit - if (indefault) - defaults[search] = rest - else - searchfound(sectionname) - } else { - # rather a kludge, but must check this somewhere - if (search == "auto" && rest !~ /^(add|route|start|ignore|manual)$/) - fail("illegal auto value " bq rest eq) - } - next -} -!searching && !outputting && !indefault { - # uninteresting line - next -} -$0 ~ /"/ && $0 !~ /^[^=]+=[ \t]*"[^"]*"$/ { - if (!searching) - fail("mismatched quotes in parameter value") - else - gsub(/"/, "", $0) -} -$0 !~ /^[a-zA-Z_][a-zA-Z0-9_-]*[ \t]*=/ { - if (searching) - next # just ignore it - fail("syntax error or illegal parameter name") -} -{ - sub(/[ \t]*=[ \t]*/, "=") # get rid of white space around = -} -$0 ~ /^(also|alsoflip)=/ { - v = orientation - if ($0 ~ /^alsoflip/) - v = -v; - if (indefault) - fail("%default section may not contain " bq "also" eq " or " bq "alsoflip" eq " parameter") - sub(/^(also|alsoflip)=/, "") - if ($0 !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/) - fail("invalid section name " bq $0 eq) - if (!searching) { - if ($0 in wanted) - fail("section " bq $0 eq " requested more than once") - wanted[$0] = v - pending[$0] = 1 - } else - chainref(sectionname, $0) - next -} -!outputting && !indefault { - # uninteresting line even for a search - next -} -{ - equal = match($0, /[=]/) - name = substr($0, 1, equal-1) - if (badname(name)) - fail("unknown parameter name " bq name eq) - value = substr($0, equal+1) - if (value ~ /^"/) - value = substr(value, 2, length(value)-2) - else if (value ~ /[ \t]/) - 
fail("white space within non-quoted parameter " bq name eq) -} -indefault { - if (name in defaults) - fail("duplicated default parameter " bq name eq) - defaults[name] = value - next -} -{ - name = orient(name) - if (name in seen) - fail("duplicated parameter " bq name eq) - seen[name] = 1 - output(o_parm, name, value) -} -END { - if (failed) - exit 1 - - filename = originalfilename - unseen = "" - for (i in pending) - unseen = unseen " " i - if (!optional && !searching && unseen != "") - fail("did not find " type " section(s) " bq substr(unseen, 2) eq) - if (!searching) { - for (name in defaults) - if (!(name in seen)) - output(o_parm, name, defaults[name]) - } else { - if (defaults[search] in wanted) - for (name in usesdefault) - if (usesdefault[name]) - seen[name] = 1 - delete seen[""] - if (fieldfmt) - for (name in seen) - output(o_section, name) - else { - outlist = "" - for (name in seen) - if (outlist == "") - outlist = name - else - outlist = outlist " " name - output(o_names, outlist) - } - } - output(o_status, "") -}' diff --git a/programs/_confread/block.in b/programs/_confread/block.in deleted file mode 100644 index e3a4b2dd5..000000000 --- a/programs/_confread/block.in +++ /dev/null @@ -1,8 +0,0 @@ -# This file defines the set of CIDRs (network/mask-length) to which -# communication should never be allowed. -# -# See @FINALDOCDIR@/policygroups.html for details. -# -# $Id: block.in,v 1.1 2004/03/15 20:35:27 as Exp $ -# - diff --git a/programs/_confread/clear-or-private.in b/programs/_confread/clear-or-private.in deleted file mode 100644 index 800093d94..000000000 --- a/programs/_confread/clear-or-private.in +++ /dev/null 
@@ -1,8 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# we will communicate in the clear, or, if the other side initiates IPSEC,
-# using encryption. This behaviour is also called "Opportunistic Responder".
-#
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: clear-or-private.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
diff --git a/programs/_confread/clear.in b/programs/_confread/clear.in
deleted file mode 100644
index 46e63388e..000000000
--- a/programs/_confread/clear.in
+++ /dev/null
@@ -1,7 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# communication should always be in the clear.
-#
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: clear.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
diff --git a/programs/_confread/ipsec.conf.5 b/programs/_confread/ipsec.conf.5
deleted file mode 100644
index af6fae6bd..000000000
--- a/programs/_confread/ipsec.conf.5
+++ /dev/null
@@ -1,1286 +0,0 @@ -.TH IPSEC.CONF 5 "20 Jan 2006" -.\" RCSID $Id: ipsec.conf.5,v 1.2 2006/01/22 15:33:46 as Exp $ -.SH NAME -ipsec.conf \- IPsec configuration and connections -.SH DESCRIPTION -The optional -.I ipsec.conf -file -specifies most configuration and control information for the -strongSwan IPsec subsystem. -(The major exception is secrets for authentication; -see -.IR ipsec.secrets (5).) -Its contents are not security-sensitive -.I unless -manual keying is being done for more than just testing, -in which case the encryption/authentication keys in the -descriptions for the manually-keyed connections are very sensitive -(and those connection descriptions -are probably best kept in a separate file, -via the include facility described below). -.PP -The file is a text file, consisting of one or more -.IR sections . -White space followed by -.B # -followed by anything to the end of the line -is a comment and is ignored, -as are empty lines which are not within a section. -.PP -A line which contains -.B include -and a file name, separated by white space, -is replaced by the contents of that file, -preceded and followed by empty lines. -If the file name is not a full pathname, -it is considered to be relative to the directory containing the -including file. -Such inclusions can be nested. -Only a single filename may be supplied, and it may not contain white space, -but it may include shell wildcards (see -.IR sh (1)); -for example: -.PP -.B include -.B "ipsec.*.conf" -.PP -The intention of the include facility is mostly to permit keeping -information on connections, or sets of connections, -separate from the main configuration file. -This permits such connection descriptions to be changed, -copied to the other security gateways involved, etc., -without having to constantly extract them from the configuration -file and then insert them back into it. -Note also the -.B also -parameter (described below) which permits splitting a single logical -section (e.g. 
a connection description) into several actual sections. -.PP -The first significant line of the file must specify the version -of this specification that it conforms to: -.PP -\fBversion 2\fP -.PP -A section -begins with a line of the form: -.PP -.I type -.I name -.PP -where -.I type -indicates what type of section follows, and -.I name -is an arbitrary name which distinguishes the section from others -of the same type. -(Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens.) -All subsequent non-empty lines -which begin with white space are part of the section; -comments within a section must begin with white space too. -There may be only one section of a given type with a given name. -.PP -Lines within the section are generally of the form -.PP -\ \ \ \ \ \fIparameter\fB=\fIvalue\fR -.PP -(note the mandatory preceding white space). -There can be white space on either side of the -.BR = . -Parameter names follow the same syntax as section names, -and are specific to a section type. -Unless otherwise explicitly specified, -no parameter name may appear more than once in a section. -.PP -An empty -.I value -stands for the system default value (if any) of the parameter, -i.e. it is roughly equivalent to omitting the parameter line entirely. -A -.I value -may contain white space only if the entire -.I value -is enclosed in double quotes (\fB"\fR); -a -.I value -cannot itself contain a double quote, -nor may it be continued across more than one line. -.PP -Numeric values are specified to be either an ``integer'' -(a sequence of digits) or a ``decimal number'' -(sequence of digits optionally followed by `.' and another sequence of digits). -.PP -There is currently one parameter which is available in any type of -section: -.TP -.B also -the value is a section name; -the parameters of that section are appended to this section, -as if they had been written as part of it. 
-The specified section must exist, must follow the current one, -and must have the same section type. -(Nesting is permitted, -and there may be more than one -.B also -in a single section, -although it is forbidden to append the same section more than once.) -This allows, for example, keeping the encryption keys -for a connection in a separate file -from the rest of the description, by using both an -.B also -parameter and an -.B include -line. -.PP -Parameter names beginning with -.B x- -(or -.BR X- , -or -.BR x_ , -or -.BR X_ ) -are reserved for user extensions and will never be assigned meanings -by IPsec. -Parameters with such names must still observe the syntax rules -(limits on characters used in the name; -no white space in a non-quoted value; -no newlines or double quotes within the value). -All other as-yet-unused parameter names are reserved for future IPsec -improvements. -.PP -A section with name -.B %default -specifies defaults for sections of the same type. -For each parameter in it, -any section of that type which does not have a parameter of the same name -gets a copy of the one from the -.B %default -section. -There may be multiple -.B %default -sections of a given type, -but only one default may be supplied for any specific parameter name, -and all -.B %default -sections of a given type must precede all non-\c -.B %default -sections of that type. -.B %default -sections may not contain the -.B also -parameter. -.PP -Currently there are three types of sections: -a -.B config -section specifies general configuration information for IPsec, a -.B conn -section specifies an IPsec connection, while a -.B ca -section specifies special properties a certification authority. -.SH "CONN SECTIONS" -A -.B conn -section contains a -.IR "connection specification" , -defining a network connection to be made using IPsec. -The name given is arbitrary, and is used to identify the connection to -.IR ipsec_auto (8) -and -.IR ipsec_manual (8). 
-Here's a simple example: -.PP -.ne 10 -.nf -.ft B -.ta 1c -conn snt - left=10.11.11.1 - leftsubnet=10.0.1.0/24 - leftnexthop=172.16.55.66 - right=192.168.22.1 - rightsubnet=10.0.2.0/24 - rightnexthop=172.16.88.99 - keyingtries=%forever -.ft -.fi -.PP -A note on terminology... -In automatic keying, there are two kinds of communications going on: -transmission of user IP packets, and gateway-to-gateway negotiations for -keying, rekeying, and general control. -The data path (a set of ``IPsec SAs'') used for user packets is herein -referred to as the ``connection''; -the path used for negotiations (built with ``ISAKMP SAs'') is referred to as -the ``keying channel''. -.PP -To avoid trivial editing of the configuration file to suit it to each system -involved in a connection, -connection specifications are written in terms of -.I left -and -.I right -participants, -rather than in terms of local and remote. -Which participant is considered -.I left -or -.I right -is arbitrary; -IPsec figures out which one it is being run on based on internal information. -This permits using identical connection specifications on both ends. -There are cases where there is no symmetry; a good convention is to -use -.I left -for the local side and -.I right -for the remote side (the first letters are a good mnemonic). -.PP -Many of the parameters relate to one participant or the other; -only the ones for -.I left -are listed here, but every parameter whose name begins with -.B left -has a -.B right -counterpart, -whose description is the same but with -.B left -and -.B right -reversed. -.PP -Parameters are optional unless marked ``(required)''; -a parameter required for manual keying need not be included for -a connection which will use only automatic keying, and vice versa. -.SS "CONN PARAMETERS: GENERAL" -The following parameters are relevant to both automatic and manual keying. 
-Unless otherwise noted,
-for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-.TP 14
-.B type
-the type of the connection; currently the accepted values
-are
-.B tunnel
-(the default)
-signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
-.BR transport ,
-signifying host-to-host transport mode;
-.BR passthrough ,
-signifying that no IPsec processing should be done at all;
-.BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
-.TP
-.B left
-(required)
-the IP address of the left participant's public-network interface,
-in any form accepted by
-.IR ipsec_ttoaddr (3)
-or one of several magic values.
-If it is
-.BR %defaultroute ,
-and
-the
-.B config
-.B setup
-section's,
-.B interfaces
-specification contains
-.BR %defaultroute,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time);
-this also overrides any value supplied for
-.BR leftnexthop .
-(Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.)
-The value
-.B %any
-signifies an address to be filled in (by automatic keying) during
-negotiation.
-The value
-.B %opportunistic
-signifies that both
-.B left
-and
-.B leftnexthop
-are to be filled in (by automatic keying) from DNS data for
-.BR left 's
-client.
-The values
-.B %group
-and
-.B %opportunisticgroup
-makes this a policy group conn: one that will be instantiated
-into a regular or opportunistic conn for each CIDR block listed in the
-policy group file with the same name as the conn.
-.TP
-.B leftsubnet
-private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR
-(actually, any form acceptable to
-.IR ipsec_ttosubnet (3));
-if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant only
-.TP
-.B leftnexthop
-next-hop gateway IP address for the left participant's connection
-to the public network;
-defaults to
-.B %direct
-(meaning
-.IR right ).
-If the value is to be overridden by the
-.B left=%defaultroute
-method (see above),
-an explicit value must
-.I not
-be given.
-If that method is not being used,
-but
-.B leftnexthop
-is
-.BR %defaultroute ,
-and
-.B interfaces=%defaultroute
-is used in the
-.B config
-.B setup
-section,
-the next-hop gateway address of the default-route interface
-will be used.
-The magic value
-.B %direct
-signifies a value to be filled in (by automatic keying)
-with the peer's address.
-Relevant only locally, other end need not agree on it.
-.TP
-.B leftupdown
-what ``updown'' script to run to adjust routing and/or firewalling
-when the status of the connection
-changes (default
-.BR "ipsec _updown" ).
-May include positional parameters separated by white space
-(although this requires enclosing the whole string in quotes);
-including shell metacharacters is unwise.
-See
-.IR ipsec_pluto (8)
-for details.
-Relevant only locally, other end need not agree on it.
-.TP
-.B leftfirewall
-whether the left participant is doing forwarding-firewalling
-(including masquerading) for traffic from \fIleftsubnet\fR,
-which should be turned off (for traffic to the other subnet)
-once the connection is established;
-acceptable values are
-.B yes
-and (the default)
-.BR no .
-May not be used in the same connection description with
-.BR leftupdown .
-Implemented as a parameter to the default
-.I updown
-script.
-See notes below.
-Relevant only locally, other end need not agree on it.
-.PP
-If one or both security gateways are doing forwarding firewalling
-(possibly including masquerading),
-and this is specified using the firewall parameters,
-tunnels established with IPsec are exempted from it
-so that packets can flow unchanged through the tunnels.
-(This means that all subnets connected in this manner must have
-distinct, non-overlapping subnet address blocks.)
-This is done by the default
-.I updown
-script (see
-.IR ipsec_pluto (8)).
-.PP
-The implementation of this makes certain assumptions about firewall setup,
-notably the use of the old
-.I ipfwadm
-interface to the firewall.
-In situations calling for more control,
-it may be preferable for the user to supply his own
-.I updown
-script,
-which makes the appropriate adjustments for his system.
-.SS "CONN PARAMETERS: AUTOMATIC KEYING"
-The following parameters are relevant only to automatic keying,
-and are ignored in manual keying.
-Unless otherwise noted,
-for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-.TP 14
-.B auto
-what operation, if any, should be done automatically at IPsec startup;
-currently-accepted values are
-.B add
-(signifying an
-.B ipsec auto
-.BR \-\-add ),
-.B route
-(signifying that plus an
-.B ipsec auto
-.BR \-\-route ),
-.B start
-(signifying that plus an
-.B ipsec auto
-.BR \-\-up ),
-.B manual
-(signifying an
-.B ipsec
-.B manual
-.BR \-\-up ),
-and
-.B ignore
-(also the default) (signifying no automatic startup operation).
-See the
-.B config
-.B setup
-discussion below.
-Relevant only locally, other end need not agree on it
-(but in general, for an intended-to-be-permanent connection,
-both ends should use
-.B auto=start
-to ensure that any reboot causes immediate renegotiation).
-.TP
-.B auth
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-.TP
-.B authby
-how the two security gateways should authenticate each other;
-acceptable values are
-.B secret
-for shared secrets,
-.B rsasig
-for RSA digital signatures (the default),
-.B secret|rsasig
-for either, and
-.B never
-if negotiation is never to be attempted or accepted (useful for shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
-.TP
-.B compress
-whether IPComp compression of content is proposed on the connection
-(link-level compression does not work on encrypted data,
-so to be effective, compression must be done \fIbefore\fR encryption);
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-The two ends need not agree.
-A value of
-.B yes
-causes IPsec to propose both compressed and uncompressed,
-and prefer compressed.
-A value of
-.B no
-prevents IPsec from proposing compression;
-a proposal to compress will still be accepted.
-.TP
-.B disablearrivalcheck
-whether KLIPS's normal tunnel-exit check
-(that a packet emerging from a tunnel has plausible addresses in its header)
-should be disabled;
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-Tunnel-exit checks improve security and do not break any normal configuration.
-Relevant only locally, other end need not agree on it.
-.TP
-.B dpdaction
-controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
-R_U_THERE IKE notification messages are periodically sent in order to check the
-liveliness of the IPsec peer. The default is..
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. The values
-.B clear
-and
-.B hold
-both activate DPD. If no activity is detected, all connections with a dead peer
-are stopped and unrouted (
-.B clear
-) or put in the hold state (
-.B hold
-).
-.TP
-.B dpddelay
-defines the period time interval with which R_U_THERE messages are sent to the peer.
-.TP
-.B dpdtimeout
-defines the timeout interval, after which all connections to a peer are deleted
-in case of inactivity.
-.TP
-.B failureshunt
-what to do with packets when negotiation fails.
-The default is
-.BR none :
-no shunt;
-.BR passthrough ,
-.BR drop ,
-and
-.B reject
-have the obvious meanings.
-.TP
-.B ikelifetime
-how long the keying channel of a connection (buzzphrase: ``ISAKMP SA'')
-should last before being renegotiated;
-acceptable values as for
-.B keyexchange
-method of key exchange;
-the default and currently the only accepted value is
-.B ike
-.TP
-.B keylife
-(default set by
-.IR ipsec_pluto (8),
-currently
-.BR 3h ,
-maximum
-.BR 24h ).
-The two-ends-disagree case is similar to that of
-.BR keylife .
-.TP
-.B keyingtries
-how many attempts (a whole number or \fB%forever\fP) should be made to
-negotiate a connection, or a replacement for one, before giving up
-(default
-.BR %forever ).
-The value \fB%forever\fP
-means ``never give up'' (obsolete: this can be written \fB0\fP).
-Relevant only locally, other end need not agree on it.
-.TP
-.B keylife
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires.
-The two ends need not exactly agree on
-.BR keylife ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
-.TP
-.B leftca
-the distinguished name of a certificate authority which is required to
-lie in the trust path going from the left participant's certificate up
-to the root certification authority.
-.TP
-.B leftcert
-the path to the left participant's X.509 certificate. The file can be coded either in
-PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to
-.B /etc/ipsec.d/certs
-are accepted. By default
-.B leftcert
-sets
-.B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
-.B leftid
-value which must be certified by the certificate, though.
-.TP
-.B leftgroups
-a comma separated list of group names. If the
-.B leftgroups
-parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts\fP thas has been
-issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts\fP.
-.TP
-.B leftid
-how
-the left participant
-should be identified for authentication;
-defaults to
-.BR left .
-Can be an IP address (in any
-.IR ipsec_ttoaddr (3)
-syntax)
-or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
-The magic value
-.B %myid
-stands for the current setting of \fImyid\fP.
-This is set in \fBconfig setup\fP or by \fIipsec_whack\fP(8)), or, if not set,
-it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
-it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
-.TP
-.B leftrsasigkey
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ipsec_ttodata (3)
-encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The value
-.B %dnsondemand
-means the key is to be fetched from DNS at the time it is needed.
-The value
-.B %dnsonload
-means the key is to be fetched from DNS at the time
-the connection description is read from
-.IR ipsec.conf ;
-currently this will be treated as
-.B %none
-if
-.B right=%any
-or
-.BR right=%opportunistic .
-The value
-.B %dns
-is currently treated as
-.B %dnsonload
-but will change to
-.B %dnsondemand
-in the future.
-The identity used for the left participant
-must be a specific host, not
-.B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
-.TP
-.B leftrsasigkey2
-if present, a second public key.
-Either key can authenticate the signature, allowing for key rollover.
-.TP
-.B leftsourceip
-.TP
-.B leftsubnetwithin
-.TP
-.B pfs
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B rekey
-whether a connection should be renegotiated when it is about to expire;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-The two ends need not agree,
-but while a value of
-.B no
-prevents Pluto from requesting renegotiation,
-it does not prevent responding to renegotiation requested from the other end,
-so
-.B no
-will be largely ineffective unless both ends agree on it.
-.TP
-.B rekeyfuzz
-maximum percentage by which
-.B rekeymargin
-should be randomly increased to randomize rekeying intervals
-(important for hosts with many connections);
-acceptable values are an integer,
-which may exceed 100,
-followed by a `%'
-(default set by
-.IR ipsec_pluto (8),
-currently
-.BR 100% ).
-The value of
-.BR rekeymargin ,
-after this random increase,
-must not exceed
-.BR keylife .
-The value
-.B 0%
-will suppress time randomization.
-Relevant only locally, other end need not agree on it.
-.TP
-.B rekeymargin
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B keylife
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it.
-.SS "CONN PARAMETERS: MANUAL KEYING"
-The following parameters are relevant only to manual keying,
-and are ignored in automatic keying.
-Unless otherwise noted,
-for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-A manually-keyed
-connection must specify at least one of AH or ESP.
-.TP 14
-.B spi
-(this or
-.B spibase
-required for manual keying)
-the SPI number to be used for the connection (see
-.IR ipsec_manual (8));
-must be of the form \fB0x\fIhex\fB\fR,
-where
-.I hex
-is one or more hexadecimal digits
-(note, it will generally be necessary to make
-.I spi
-at least
-.B 0x100
-to be acceptable to KLIPS,
-and use of SPIs in the range
-.BR 0x100 - 0xfff
-is recommended)
-.TP 14
-.B spibase
-(this or
-.B spi
-required for manual keying)
-the base number for the SPIs to be used for the connection (see
-.IR ipsec_manual (8));
-must be of the form \fB0x\fIhex\fB0\fR,
-where
-.I hex
-is one or more hexadecimal digits
-(note, it will generally be necessary to make
-.I spibase
-at least
-.B 0x100
-for the resulting SPIs
-to be acceptable to KLIPS,
-and use of numbers in the range
-.BR 0x100 - 0xff0
-is recommended)
-.TP
-.B esp
-ESP encryption/authentication algorithm to be used
-for the connection, e.g.
-.B 3des-md5-96
-(must be suitable as a value of
-.IR ipsec_spi (8)'s
-.B \-\-esp
-option);
-default is not to use ESP
-.TP
-.B espenckey
-ESP encryption key
-(must be suitable as a value of
-.IR ipsec_spi (8)'s
-.B \-\-enckey
-option)
-(may be specified separately for each direction using
-.B leftespenckey
-(leftward SA)
-and
-.B rightespenckey
-parameters)
-.TP
-.B espauthkey
-ESP authentication key
-(must be suitable as a value of
-.IR ipsec_spi (8)'s
-.B \-\-authkey
-option)
-(may be specified separately for each direction using
-.B leftespauthkey
-(leftward SA)
-and
-.B rightespauthkey
-parameters)
-.TP
-.B espreplay_window
-ESP replay-window setting,
-an integer from
-.B 0
-(the
-.IR ipsec_manual
-default, which turns off replay protection) to
-.BR 64 ;
-relevant only if ESP authentication is being used
-.TP
-.B leftespspi
-SPI to be used for the leftward ESP SA, overriding
-automatic assignment using
-.B spi
-or
-.BR spibase ;
-typically a hexadecimal number beginning with
-.B 0x
-.TP
-.B ah
-AH authentication algorithm to be used
-for the connection, e.g.
-.B hmac-md5-96
-(must be suitable as a value of
-.IR ipsec_spi (8)'s
-.B \-\-ah
-option);
-default is not to use AH
-.TP
-.B ahkey
-(required if
-.B ah
-is present) AH authentication key
-(must be suitable as a value of
-.IR ipsec_spi (8)'s
-.B \-\-authkey
-option)
-(may be specified separately for each direction using
-.B leftahkey
-(leftward SA)
-and
-.B rightahkey
-parameters)
-.TP
-.B ahreplay_window
-AH replay-window setting,
-an integer from
-.B 0
-(the
-.I ipsec_manual
-default, which turns off replay protection) to
-.B 64
-.TP
-.B leftahspi
-SPI to be used for the leftward AH SA, overriding
-automatic assignment using
-.B spi
-or
-.BR spibase ;
-typically a hexadecimal number beginning with
-.B 0x
-.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
-.TP 10
-.B auto
-currently can have either the value
-.B ignore
-or
-.B add
-.
-.TP
-.B cacert
-defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-.TP
-.B crluri
-defines a CRL distribution point (ldap, http, or file URI)
-.TP
-.B crluri2
-defines an alternative CRL distribution point (ldap, http, or file URI)
-.TP
-.B ldaphost
-defines an ldap host.
-.TP
-.B ocspuri
-defines an OCSP URI.
-.SH "CONFIG SECTIONS"
-At present, the only
-.B config
-section known to the IPsec software is the one named
-.BR setup ,
-which contains information used when the software is being started
-(see
-.IR ipsec_setup (8)).
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
- interfaces="ipsec0=eth1 ipsec1=ppp0"
- klipsdebug=none
- plutodebug=all
- manualstart=
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
-The currently-accepted
-.I parameter
-names in a
-.B config
-.B setup
-section are:
-.TP 14
-.B myid
-the identity to be used for
-.BR %myid .
-.B %myid
-is used in the implicit policy group conns and can be used as
-an identity in explicit conns.
-If unspecified,
-.B %myid
-is set to the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
-the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
-An explicit value generally starts with ``\fB@\fP''.
-.TP
-.B interfaces
-virtual and physical interfaces for IPsec to use:
-a single
-\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
-by white space, or
-.BR %none .
-One of the pairs may be written as
-.BR %defaultroute ,
-which means: find the interface \fId\fR that the default route points to,
-and then act as if the value was ``\fBipsec0=\fId\fR''.
-.B %defaultroute
-is the default;
-.B %none
-must be used to denote no interfaces.
-If
-.B %defaultroute
-is used (implicitly or explicitly)
-information about the default route and its interface is noted for
-use by
-.IR ipsec_manual (8)
-and
-.IR ipsec_auto (8).)
-.TP
-.B forwardcontrol
-whether
-.I setup
-should turn IP forwarding on
-(if it's not already on) as IPsec is started,
-and turn it off again (if it was off) as IPsec is stopped;
-acceptable values are
-.B yes
-and (the default)
-.BR no .
-For this to have full effect, forwarding must be
-disabled before the hardware interfaces are brought
-up (e.g.,
-.B "net.ipv4.ip_forward\ =\ 0"
-in Red Hat 6.x
-.IR /etc/sysctl.conf ),
-because IPsec doesn't get control early enough to do that.
-.TP
-.B rp_filter
-whether and how
-.I setup
-should adjust the reverse path filtering mechanism for the
-physical devices to be used.
-Values are \fB%unchanged\fP (to leave it alone)
-or \fB0\fP, \fB1\fP, \fB2\fP (values to set it to).
-\fI/proc/sys/net/ipv4/conf/PHYS/rp_filter\fP
-is badly documented; it must be \fB0\fP in many cases
-for ipsec to function.
-The default value for the parameter is \fB0\fP.
-.TP
-.B syslog
-the
-.IR syslog (2)
-``facility'' name and priority to use for
-startup/shutdown log messages,
-default
-.BR daemon.error .
-.TP
-.B klipsdebug
-how much KLIPS debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names separated by white space) are enabled;
-for details on available debugging types, see
-.IR ipsec_klipsdebug (8).
-.TP
-.B plutodebug
-how much Pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR ipsec_pluto (8).
-.TP
-.B plutoopts
-additional options to pass to pluto upon startup. See
-.IR ipsec_pluto (8).
-.TP
-.B plutostderrlog
-do not use syslog, but rather log to stderr, and direct stderr to the
-argument file.
-.TP
-.B dumpdir
-in what directory should things started by
-.I setup
-(notably the Pluto daemon) be allowed to
-dump core?
-The empty value (the default) means they are not
-allowed to.
-.TP
-.B manualstart
-which manually-keyed connections to set up at startup
-(empty, a name, or a quoted list of names separated by white space);
-see
-.IR ipsec_manual (8).
-Default is none.
-.TP
-.B pluto
-whether to start Pluto or not;
-Values are
-.B yes
-(the default)
-or
-.B no
-(useful only in special circumstances).
-.TP
-.B plutowait
-should Pluto wait for each
-negotiation attempt that is part of startup to
-finish before proceeding with the next?
-Values are
-.B yes
-or
-.BR no
-(the default).
-.TP
-.B prepluto
-shell command to run before starting Pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B postpluto
-shell command to run after starting Pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B fragicmp
-whether a tunnel's need to fragment a packet should be reported
-back with an ICMP message,
-in an attempt to make the sender lower his PMTU estimate;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B hidetos
-whether a tunnel packet's TOS field should be set to
-.B 0
-rather than copied from the user packet inside;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-.TP
-.B overridemtu
-value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
-overriding IPsec's (large) default.
-This parameter is needed only in special situations.
-.TP
-.B nat_traversal
-.TP
-.B crlcheckinterval
-.TP
-.B strictcrlpolicy
-.TP
-.B pkcs11module
-.TP
-.B pkcs11keepstate
-
-.SH CHOOSING A CONNECTION
-.PP
-When choosing a connection to apply to an outbound packet caught with a
-.BR %trap,
-the system prefers the one with the most specific eroute that
-includes the packet's source and destination IP addresses.
-Source subnets are examined before destination subnets.
-For initiating, only routed connections are considered. For responding,
-unrouted but added connections are considered.
-.PP
-When choosing a connection to use to respond to a negotiation which
-doesn't match an ordinary conn, an opportunistic connection
-may be instantiated. Eventually, its instance will be /32 -> /32, but
-for earlier stages of the negotiation, there will not be enough
-information about the client subnets to complete the instantiation.
-.SH FILES
-.nf
-/etc/ipsec.conf
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-
-.SH SEE ALSO
-ipsec(8), ipsec_ttoaddr(8), ipsec_auto(8), ipsec_manual(8), ipsec_rsasigkey(8)
-.SH HISTORY
-Written for the FreeS/WAN project
-
-by Henry Spencer. Extended for the strongSwan project
-
-by Andreas Steffen.
-.SH BUGS
-.PP
-When
-.B type
-or
-.B failureshunt
-is set to
-.B drop
-or
-.BR reject,
-strongSwan blocks outbound packets using eroutes, but assumes inbound
-blocking is handled by the firewall. strongSwan offers firewall hooks
-via an ``updown'' script. However, the default
-.B ipsec _updown
-provides no help in controlling a modern firewall.
-.PP
-Including attributes of the keying channel
-(authentication methods,
-.BR ikelifetime ,
-etc.)
-as an attribute of a connection,
-rather than of a participant pair, is dubious and incurs limitations.
-.PP
-.IR Ipsec_manual
-is not nearly as generous about the syntax of subnets,
-addresses, etc. as the usual strongSwan user interfaces.
-Four-component dotted-decimal must be used for all addresses.
-It
-.I is
-smart enough to translate bit-count netmasks to dotted-decimal form.
-.PP
-It would be good to have a line-continuation syntax,
-especially for the very long lines involved in
-RSA signature keys.
-.PP
-The ability to specify different identities,
-.BR authby ,
-and public keys for different automatic-keyed connections
-between the same participants is misleading;
-this doesn't work dependably because the identity of the participants
-is not known early enough.
-This is especially awkward for the ``Road Warrior'' case,
-where the remote IP address is specified as
-.BR 0.0.0.0 ,
-and that is considered to be the ``participant'' for such connections.
-.PP
-In principle it might be necessary to control MTU on an
-interface-by-interface basis,
-rather than with the single global override that
-.B overridemtu
-provides.
-.PP
-A number of features which \fIcould\fR be implemented in
-both manual and automatic keying
-actually are not yet implemented for manual keying.
-This is unlikely to be fixed any time soon.
-.PP
-If conns are to be added before DNS is available,
-\fBleft=\fP\fIFQDN\fP,
-\fBleftnextop=\fP\fIFQDN\fP,
-and
-.B leftrsasigkey=%dnsonload
-will fail.
-.IR ipsec_pluto (8)
-does not actually use the public key for our side of a conn but it
-isn't generally known at a add-time which side is ours (Road Warrior
-and Opportunistic conns are currently exceptions).
-.PP
-The \fBmyid\fP option does not affect explicit \fB ipsec auto \-\-add\fP or \fBipsec auto \-\-replace\fP commands for implicit conns.
diff --git a/programs/_confread/ipsec.conf.in b/programs/_confread/ipsec.conf.in
deleted file mode 100644
index 296986459..000000000
--- a/programs/_confread/ipsec.conf.in
+++ /dev/null
@@ -1,44 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# RCSID $Id: ipsec.conf.in,v 1.7 2006/01/31 13:09:10 as Exp $
-
-# Manual: ipsec.conf.5
-# Help: http://www.strongswan.org/docs/readme.htm
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-# basic configuration
-
-config setup
- # Debug-logging controls: "none" for (almost) none, "all" for lots.
- # plutodebug=all
- # crlcheckinterval=600
- # strictcrlpolicy=yes
- # cachecrls=yes
- # nat_traversal=yes
-
-# Uncomment to activate Opportunistic Encryption (OE)
-# include /etc/ipsec.d/examples/oe.conf
-
-# Add connections here.
-
-# Sample VPN connections
-
-#conn sample-self-signed
-# left=%defaultroute
-# leftsubnet=10.1.0.0/16
-# leftcert=selfCert.der
-# leftsendcert=never
-# right=192.168.0.2
-# rightsubnet=10.2.0.0/16
-# rightcert=peerCert.der
-# auto=start
-
-#conn sample-with-ca-cert
-# left=%defaultroute
-# leftsubnet=10.1.0.0/16
-# leftcert=myCert.pem
-# right=192.168.0.2
-# rightsubnet=10.2.0.0/16
-# rightid="C=CH, O=Linux strongSwan CN=peer name"
-# auto=start
diff --git a/programs/_confread/private-or-clear.in b/programs/_confread/private-or-clear.in
deleted file mode 100644
index c66b1d29f..000000000
--- a/programs/_confread/private-or-clear.in
+++ /dev/null
@@ -1,14 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# communication should be private, if possible, but in the clear otherwise.
-#
-# If the target has a TXT (later IPSECKEY) record that specifies
-# authentication material, we will require private (i.e. encrypted)
-# communications. If no such record is found, communications will be
-# in the clear.
-#
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: private-or-clear.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
-
-0.0.0.0/0
diff --git a/programs/_confread/private.in b/programs/_confread/private.in
deleted file mode 100644
index 9d4bd6c67..000000000
--- a/programs/_confread/private.in
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# communication should always be private (i.e. encrypted).
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: private.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
diff --git a/programs/_confread/randomize b/programs/_confread/randomize
deleted file mode 100755
index 26d80a8f3..000000000
--- a/programs/_confread/randomize
+++ /dev/null
@@ -1,28 +0,0 @@
-#! /bin/sh
-# internal utility for putting random keys into sample configuration file
-# Copyright (C) 1998, 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: randomize,v 1.1 2004/03/15 20:35:27 as Exp $
-
-awk '/`[0-9]+`/ {
- match($0, /`[0-9]+`/)
- n = substr($0, RSTART+1, RLENGTH-2)
- cmd = "./ranbits --quick " n
- cmd | getline key
- cmd | getline eof
- close(cmd)
- sub(/`[0-9]+`/, key, $0)
- print
- next
-}
-{ print }' $*
diff --git a/programs/_copyright/.cvsignore b/programs/_copyright/.cvsignore
deleted file mode 100644
index 23ebcb381..000000000
--- a/programs/_copyright/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_copyright
diff --git a/programs/_copyright/Makefile b/programs/_copyright/Makefile
deleted file mode 100644
index 52c594b68..000000000
--- a/programs/_copyright/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_copyright
-PROGRAMDIR=${LIBDIR}
-LIBS=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:07 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_copyright/_copyright.8 b/programs/_copyright/_copyright.8
deleted file mode 100644
index 87e4adc98..000000000
--- a/programs/_copyright/_copyright.8
+++ /dev/null
@@ -1,32 +0,0 @@
-.TH _COPYRIGHT 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _copyright.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _copyright \- prints FreeSWAN copyright
-.SH DESCRIPTION
-.I _copyright
-outputs the FreeSWAN copyright, and version numbers for "ipsec --copyright"
-.SH "SEE ALSO"
-ipsec(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project
-
-by Michael Richardson. Program written by Henry Spencer.
-.\"
-.\" $Log: _copyright.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_copyright/_copyright.c b/programs/_copyright/_copyright.c
deleted file mode 100644
index 0fb360f40..000000000
--- a/programs/_copyright/_copyright.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * copyright reporter
- * (just avoids having the info in more than one place in the source)
- * Copyright (C) 2001 Henry Spencer.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: _copyright.c,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-char usage[] = "Usage: ipsec _copyright";
-struct option opts[] = {
- {"help", 0, NULL, 'h',},
- {"version", 0, NULL, 'v',},
- {0, 0, NULL, 0, },
-};
-
-char me[] = "ipsec _copyright"; /* for messages */
-
-int
-main(int argc, char *argv[])
-{
- int opt;
- extern int optind;
- int errflg = 0;
- const char *version = ipsec_version_code();
- const char **notice = ipsec_copyright_notice();
- const char **co;
-
- while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
- switch (opt) {
- case 'h': /* help */
- printf("%s\n", usage);
- exit(0);
- break;
- case 'v': /* version */
- printf("%s %s\n", me, version);
- exit(0);
- break;
- case '?':
- default:
- errflg = 1;
- break;
- }
- if (errflg || optind != argc) {
- fprintf(stderr, "%s\n", usage);
- exit(2);
- }
-
- for (co = notice; *co != NULL; co++)
- printf("%s\n", *co);
- exit(0);
-}
diff --git a/programs/_include/.cvsignore b/programs/_include/.cvsignore
deleted file mode 100644
index ab6204115..000000000
--- a/programs/_include/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_include
diff --git a/programs/_include/Makefile b/programs/_include/Makefile
deleted file mode 100644
index 6b5f11682..000000000
--- a/programs/_include/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_include
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:11 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_include/_include.8 b/programs/_include/_include.8
deleted file mode 100644
index 56ffa0723..000000000
--- a/programs/_include/_include.8
+++ /dev/null
@@ -1,35 +0,0 @@
-.TH _INCLUDE 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _include.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _include \- internal script to process config files
-.SH DESCRIPTION
-.I _include
-is used by
-.I _confread
-to process
-.B include
-directives in /etc/ipsec.conf.
-.SH "SEE ALSO"
-ipsec(8), ipsec__confread(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project
-by Michael Richardson. Program written by Henry Spencer.
-.\"
-.\" $Log: _include.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_include/_include.in b/programs/_include/_include.in
deleted file mode 100755
index 10a8a49e4..000000000
--- a/programs/_include/_include.in
+++ /dev/null
@@ -1,102 +0,0 @@
-#! /bin/sh
-# implements nested file inclusion for control files, including wildcarding
-# Copyright (C) 1998, 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _include.in,v 1.2 2004/03/15 21:03:06 as Exp $
-#
-# Output includes marker lines for file changes:
-# "#< filename lineno" signals entry into that file
-# "#> filename lineno" signals return to that file
-# The lineno is the line number of the *next* line.
-#
-# Errors are reported with a "#:message" line rather than on stderr.
-#
-# Lines which look like marker and report lines are never passed through.
-
-IPSEC_NAME="strongSwan"
-
-usage="Usage: $0 file ..."
-me="ipsec _include"
-
-for dummy
-do
- case "$1" in
- --inband) ;; # back compatibility
- --help) echo "$usage" ; exit 0 ;;
- --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-case $# in
-0) echo "$usage" >&2 ; exit 2 ;;
-esac
-
-for f
-do
- if test ! -r "$f"
- then
- if test ! "$f" = "/etc/ipsec.conf"
- then
- echo "#:cannot open configuration file \'$f\'"
- if test "$f" = "/etc/ipsec.secrets"
- then
- echo "#:Your secrets file will be created when you start $IPSEC_NAME for the first time."
- fi
- exit 1
- else
- exit 1
- fi
- fi
-done
-
-awk 'BEGIN {
- wasfile = ""
-}
-FNR == 1 {
- print ""
- print "#<", FILENAME, 1
- lineno = 0
- wasfile = FILENAME
-}
-{
- lineno++
- # lineno is now the number of this line
-}
-/^#[<>:]/ {
- next
-}
-/^include[ \t]+/ {
- orig = $0
- sub(/[ \t]+#.*$/, "")
- if (NF != 2) {
- msg = "(" FILENAME ", line " lineno ")"
- msg = msg " include syntax error in \"" orig "\""
- print "#:" msg
- exit 1
- }
- newfile = $2
- if (newfile !~ /^\// && FILENAME ~ /\//) {
- prefix = FILENAME
- sub("[^/]+$", "", prefix)
- newfile = prefix newfile
- }
- system("ipsec _include " newfile)
- print ""
- print "#>", FILENAME, lineno + 1
- next
-}
-{ print }' $*
diff --git a/programs/_keycensor/.cvsignore b/programs/_keycensor/.cvsignore
deleted file mode 100644
index 97d0bb2bf..000000000
--- a/programs/_keycensor/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_keycensor
diff --git a/programs/_keycensor/Makefile b/programs/_keycensor/Makefile
deleted file mode 100644
index bc495328f..000000000
--- a/programs/_keycensor/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_keycensor
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:15 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_keycensor/_keycensor.8 b/programs/_keycensor/_keycensor.8
deleted file mode 100644
index 89a97a9f9..000000000
--- a/programs/_keycensor/_keycensor.8
+++ /dev/null
@@ -1,33 +0,0 @@
-.TH _KEYCENSOR 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _keycensor.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _keycensor \- internal routine to remove sensitive information
-.SH DESCRIPTION
-.I _keycensor
-is used by
-.B ipsec barf
-to process the /etc/ipsec.secrets file, removing private key info.
-.SH "SEE ALSO"
-ipsec(8), ipsec_barf(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project
-by Michael Richardson. Original program by Henry Spencer.
-.\"
-.\" $Log: _keycensor.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_keycensor/_keycensor.in b/programs/_keycensor/_keycensor.in
deleted file mode 100755
index 7d6f257e5..000000000
--- a/programs/_keycensor/_keycensor.in
+++ /dev/null
@@ -1,52 +0,0 @@
-#! /bin/sh
-# implements key censoring for barf
-# Copyright (C) 1999, 2002 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _keycensor.in,v 1.1 2004/03/15 20:35:27 as Exp $
-
-usage="Usage: $0 [file ...]"
-me="ipsec _keycensor"
-
-for dummy
-do
- case "$1" in
- --help) echo "$usage" ; exit 0 ;;
- --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-awk ' /(sig|enc|auth)key[ \t]*=[ \t]*[^%]/ {
- i = match($0, /key[ \t]*=[ \t]*/)
- i += RLENGTH
- cold = substr($0, 1, i-1)
- hot = substr($0, i)
- sub(/[ \t]+(#.*)?$/, "", hot)
- q = "'"'"'" # single quote
- if (hot ~ q)
- cooled = "[cannot be condensed]"
- else if (hot ~ /^0s/)
- cooled = "[keyid " substr(hot, 3, 9) "]"
- else {
- run = "echo " q hot q " | md5sum"
- run | getline
- close(run)
- cooled = "[sums to " substr($1, 1, 4) "...]"
- }
- print cold cooled
- next
- }
- { print }' $*
diff --git a/programs/_plutoload/.cvsignore b/programs/_plutoload/.cvsignore
deleted file mode 100644
index cbcf7e699..000000000
--- a/programs/_plutoload/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_plutoload
diff --git a/programs/_plutoload/Makefile b/programs/_plutoload/Makefile
deleted file mode 100644
index af9ffee18..000000000
--- a/programs/_plutoload/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_plutoload
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:19 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_plutoload/_plutoload.8 b/programs/_plutoload/_plutoload.8
deleted file mode 100644
index ba421b6c3..000000000
--- a/programs/_plutoload/_plutoload.8
+++ /dev/null
@@ -1,33 +0,0 @@
-.TH _PLUTOLOAD 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _plutoload.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _plutoload \- internal script to start pluto
-.SH DESCRIPTION
-.I _plutoload
-is called by
-.B _plutorun
-to actually start the pluto executable.
-.SH "SEE ALSO"
-ipsec(8), ipsec_setup(8), ipsec__realsetup(8), ipsec__plutorun(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project
-by Michael Richardson. Original program by Henry Spencer.
-.\"
-.\" $Log: _plutoload.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_plutoload/_plutoload.in b/programs/_plutoload/_plutoload.in
deleted file mode 100755
index 73841197d..000000000
--- a/programs/_plutoload/_plutoload.in
+++ /dev/null
@@ -1,164 +0,0 @@
-#!/bin/sh
-# Pluto database-loading script
-# Copyright (C) 1998, 1999, 2001 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _plutoload.in,v 1.2 2004/03/31 16:15:10 as Exp $
-#
-# exit status is 13 for protocol violation, that of Pluto otherwise
-
-me='ipsec _plutoload' # for messages
-
-for dummy
-do
- case "$1" in
- --load) plutoload="$2" ; shift ;;
- --start) plutostart="$2" ; shift ;;
- --wait) plutowait="$2" ; shift ;;
- --post) postpluto="$2" ; shift ;;
- --) shift ; break ;;
- -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-# load ca information
-eval `ipsec _confread --varprefix PLUTO --type ca --search auto add start`
-if test " $PLUTO_confreadstatus" != " "
-then
- echo "auto=add/start search: $PLUTO_confreadstatus"
- echo "unable to determine what ca information to add -- adding none"
- caload=
-else
- caload="$PLUTO_confreadnames"
-fi
-
-# searches, if needed
-# the way the searches were done ensures plutoload >= plutoroute >= plutostart
-
-# search for things to "ipsec auto --add": auto in "add" "route" "start"
-eval `ipsec _confread --varprefix PLUTO --search auto add route start`
-if test " $PLUTO_confreadstatus" != " "
-then
- echo "auto=add/route/start search: $PLUTO_confreadstatus"
- echo "unable to determine what conns to add -- adding none"
- plutoload=
-else
- plutoload="$PLUTO_confreadnames"
-fi
-
-# search for things to "ipsec auto --route": auto in "route" "start"
-eval `ipsec _confread --varprefix PLUTO --search auto route start`
-if test " $PLUTO_confreadstatus" != " "
-then
- echo "auto=route/start search: $PLUTO_confreadstatus"
- echo "unable to determine what conns to route -- routing none"
- plutoroute=
-else
- plutoroute="$PLUTO_confreadnames"
-fi
-
-# search for things to "ipsec auto --up": auto in "start"
-eval `ipsec _confread --varprefix PLUTO --search auto start`
-if test " $PLUTO_confreadstatus" != " "
-then
- echo "auto=start search: $PLUTO_confreadstatus"
- echo "unable to determine what conns to start -- starting none"
- plutostart=
-else
- plutostart="$PLUTO_confreadnames"
-fi
-
-# await Pluto's readiness (not likely to be an issue, but...)
-eofed=y
-while read saying
-do
- case "$saying" in
- 'Pluto initialized') eofed= ; break ;; # NOTE BREAK OUT
- *) echo "pluto unexpectedly said \`$saying'" ;;
- esac
-done
-if test "$eofed"
-then
- echo "pluto died unexpectedly!?!"
- exit 13
-fi
-
-# ca database load
-for tu in $caload
-do
- ipsec auto --type ca --add $tu ||
- echo "...could not add ca \"$tu\""
-done
-
-# conn database load
-for tu in $plutoload
-do
- ipsec auto --add $tu ||
- echo "...could not add conn \"$tu\""
-done
-
-# enable listening
-ipsec auto --ready
-
-# execute any post-startup cleanup
-if test " $postpluto" != " "
-then
- $postpluto
- st=$?
- if test " $st" -ne 0
- then
- echo "...postpluto command exited with status $st"
- fi
-fi
-
-# quickly establish routing
-for tu in $plutoroute
-do
- ipsec auto --route $tu ||
- echo "...could not route conn \"$tu\""
-done
-
-# tunnel initiation, which may take a while
-async=
-if test " $plutowait" = " no"
-then
- async="--asynchronous"
-fi
-for tu in $plutostart
-do
- ipsec auto --up $async $tu ||
- echo "...could not start conn \"$tu\""
-done
-
-# report any further utterances, and watch for exit status
-eofed=y
-while read saying
-do
- case "$saying" in
- exit) eofed= ; break ;; # NOTE BREAK OUT
- *) echo "pluto unexpectedly says \`$saying'" ;;
- esac
-done
-if test "$eofed"
-then
- echo "pluto died without exit status!?!"
- exit 13
-fi
-if read status
-then
- exit $status
-else
- echo "pluto yielded no exit status!?!"
- exit 13
-fi
diff --git a/programs/_plutorun/.cvsignore b/programs/_plutorun/.cvsignore
deleted file mode 100644
index 13e0ae1a1..000000000
--- a/programs/_plutorun/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_plutorun
diff --git a/programs/_plutorun/Makefile b/programs/_plutorun/Makefile
deleted file mode 100644
index b0928797c..000000000
--- a/programs/_plutorun/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_plutorun
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:26 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_plutorun/_plutorun.8 b/programs/_plutorun/_plutorun.8
deleted file mode 100644
index 9de6927dc..000000000
--- a/programs/_plutorun/_plutorun.8
+++ /dev/null
@@ -1,37 +0,0 @@
-.TH _PLUTORUN 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _plutorun.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _plutorun \- internal script to start pluto
-.SH DESCRIPTION
-.I _plutorun
-is called by
-.B _realsetup
-to configure and bring up
-.B ipsec_pluto(8).
-It calls
-.B _plutoload
-to invoke pluto, and watches to makes sure that pluto is restarted if it fails.
-.SH "SEE ALSO"
-ipsec(8), ipsec_setup(8), ipsec__realsetup(8), ipsec__plutoload(8), ipsec_pluto(8).
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project
-by Michael Richardson. Original program written by Henry Spencer.
-.\"
-.\" $Log: _plutorun.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_plutorun/_plutorun.in b/programs/_plutorun/_plutorun.in
deleted file mode 100755
index b02afeefb..000000000
--- a/programs/_plutorun/_plutorun.in
+++ /dev/null
@@ -1,281 +0,0 @@
-#!/bin/sh
-# Pluto control daemon
-# Copyright (C) 1998, 1999, 2001 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _plutorun.in,v 1.9 2005/10/16 13:28:15 as Exp $
-
-me='ipsec _plutorun' # for messages
-
-info=/var/run/ipsec.info
-
-popts=
-stderrlog=
-plutorestartoncrash=true
-
-wherelog=daemon.error
-pidfile=/var/run/pluto.pid
-verb="Starting"
-for dummy
-do
- case "$1" in
- --re) verb="Restarting" ;;
- --plutorestartoncrash) plutorestartoncrash="$2"; shift ;;
- --debug) plutodebug="$2" ; shift ;;
- --uniqueids) uniqueids="$2" ; shift ;;
- --nat_traversal) nat_traversal="$2" ; shift ;;
- --keep_alive) keep_alive="$2" ; shift ;;
- --force_keepalive) force_keepalive="$2" ; shift ;;
- --disable_port_floating) disable_port_floating="$2" ; shift ;;
- --virtual_private) virtual_private="$2" ; shift ;;
- --nocrsend) nocrsend="$2" ; shift ;;
- --strictcrlpolicy) strictcrlpolicy="$2" ; shift ;;
- --crlcheckinterval) crlcheckinterval="$2"; shift ;;
- --cachecrls) cachecrls="$2" ; shift ;;
- --pkcs11module) pkcs11module="$2"; shift ;;
- --pkcs11keepstate) pkcs11keepstate="$2"; shift ;;
- --pkcs11proxy) pkcs11proxy="$2"; shift ;;
- --dump) dumpdir="$2" ; shift ;;
- --opts) popts="$2" ; shift ;;
- --stderrlog) stderrlog="$2" ; shift ;;
- --wait) plutowait="$2" ; shift ;;
- --pre) prepluto="$2" ; shift ;;
- --post) postpluto="$2" ; shift ;;
- --log) wherelog="$2" ; shift ;;
- --pid) pidfile="$2" ; shift ;;
- --) shift ; break ;;
- -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-# initially we are in the foreground, with parent looking after logging
-
-# precautions
-if test -f $pidfile
-then
- echo "pluto appears to be running already (\`$pidfile' exists), will not start another"
- exit 1
-fi
-if test ! -e /dev/urandom
-then
- echo "cannot start Pluto, system lacks \`/dev/urandom'!?!"
- exit 1
-fi
-
-# sort out options
-for d in $plutodebug
-do
- popts="$popts --debug-$d"
-done
-case "$uniqueids" in
-yes) popts="$popts --uniqueids" ;;
-no|'') ;;
-*) echo "unknown uniqueids value (not yes/no) \`$IPSECuniqueids'" ;;
-esac
-case "$nocrsend" in
-yes) popts="$popts --nocrsend" ;;
-no|'') ;;
-*) echo "unknown nocrsend value (not yes/no) \`$IPSECnocrsend'" ;;
-esac
-case "$strictcrlpolicy" in
-yes) popts="$popts --strictcrlpolicy" ;;
-no|'') ;;
-*) echo "unknown strictcrlpolicy value (not yes/no) \`$IPSECstrictcrlpolicy'" ;;
-esac
-case "$cachecrls" in
-yes) popts="$popts --cachecrls" ;;
-no|'') ;;
-*) echo "unknown cachecrls value (not yes/no) \`$IPSECcachecrls'" ;;
-esac
-case "$nat_traversal" in
-yes) popts="$popts --nat_traversal" ;;
-no|'') ;;
-*) echo "unknown nat_traversal value (not yes/no) \`$IPSECnat_traversal'" ;;
-esac
-[ -n "$keep_alive" ] && popts="$popts --keep_alive $keep_alive"
-case "$force_keepalive" in
-yes) popts="$popts --force_keepalive" ;;
-no|'') ;;
-*) echo "unknown force_keepalive value (not yes/no) \`$IPSECforce_keepalive'" ;;
-esac
-case "$disable_port_floating" in
-yes) popts="$popts --disable_port_floating" ;;
-no|'') ;;
-*) echo "unknown disable_port_floating (not yes/no) \`$disable_port_floating'" ;;
-esac
-case "$pkcs11keepstate" in
-yes) popts="$popts --pkcs11keepstate" ;;
-no|'') ;;
-*) echo "unknown pkcs11keepstate value (not yes/no) \`$IPSECpkcs11keepstate'" ;;
-esac
-case "$pkcs11proxy" in
-yes) popts="$popts --pkcs11proxy" ;;
-no|'') ;;
-*) echo "unknown pkcs11proxy value (not yes/no) \`$IPSECpkcs11proxy'" ;;
-esac
-
-[ -n "$virtual_private" ] && popts="$popts --virtual_private $virtual_private"
-
-# add crl check interval
-if test ${crlcheckinterval:-0} -gt 0
-then
- popts="$popts --crlcheckinterval $crlcheckinterval"
-fi
-
-if test -n "$pkcs11module"
-then
- popts="$popts --pkcs11module $pkcs11module"
-fi
-
-if test -n "$stderrlog"
-then
- popts="$popts --stderrlog 2>>$stderrlog"
-
- if test -f $stderrlog
- then
- if test ! -w $stderrlog
- then
- echo Cannot write to \"$stderrlog\".
- exit 1
- fi
- else
- if test ! -w "`dirname $stderrlog`"
- then
- echo Cannot write to directory to create \"$stderrlog\".
- exit 1
- fi
- fi
-
- echo "Plutorun started on "`date` >$stderrlog
-fi
-
-# set up dump directory
-if test " $dumpdir" = " "
-then
- ulimit -c 0 # preclude core dumps
-elif test ! -d "$dumpdir"
-then
- echo "dumpdir \`$dumpdir' does not exist, ignored"
- ulimit -c 0 # preclude core dumps
-elif cd $dumpdir # put them where desired
-then
- ulimit -c unlimited # permit them
-else
- echo "cannot cd to dumpdir \`$dumpdir', ignored"
- ulimit -c 0 # preclude them
-fi
-
-# execute any preliminaries
-if test " $prepluto" != " "
-then
- $prepluto
- st=$?
- if test " $st" -ne 0
- then
- echo "...prepluto command exited with status $st"
- fi
-fi
-
-IPSEC_SECRETS=${IPSEC_CONFS}/ipsec.secrets
-if test ! -f "${IPSEC_SECRETS}"
-then
- ( logger -p authpriv.info -t ipsec__plutorun No file ${IPSEC_SECRETS}, generating key.
- ipsec scepclient --out pkcs1 --out cert-self --quiet
- echo -e "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n" > ${IPSEC_SECRETS}
- chmod 600 ${IPSEC_SECRETS}
- echo ": RSA myKey.der" >> ${IPSEC_SECRETS}
-
- # tell pluto to go re-read the file
- ipsec auto --rereadsecrets
- ) &
-fi
-
-#
-# make sure that the isakmp port is open!
-#
-if test -f /etc/sysconfig/ipchains
-then
- if egrep -q 500:500 /etc/sysconfig/ipchains
- then
- :
- else
- ipchains -I input 1 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 500:500 -j ACCEPT
- # if it redhat, then save the rules again.
- if [ -f /etc/redhat-release ]
- then
- sh /etc/rc.d/init.d/ipchains save
- fi
- fi
-fi
-
-# spin off into the background, with our own logging
-echo "$verb Pluto subsystem..." | logger -p authpriv.error -t ipsec__plutorun
-execdir=${IPSEC_EXECDIR-@IPSEC_EXECDIR@}
-libdir=${IPSEC_LIBDIR-@IPSEC_LIBDIR@}
-until (
- if test -s $info
- then
- . $info
- export defaultroutephys defaultroutevirt defaultrouteaddr defaultroutenexthop
- fi
- # eval allows $popts to contain redirection and other magic
- eval $execdir/pluto --nofork --secretsfile "$IPSEC_SECRETS" --policygroupsdir "${IPSEC_CONFS}/ipsec.d/policies" $popts
- status=$?
- echo "exit"
- echo $status
- ) | $libdir/_plutoload --wait "$plutowait" --post "$postpluto"
-do
- status=$?
- case "$status" in
- 13) echo "internal failure in pluto scripts, impossible to carry on"
- exit 1
- ;;
- 10) echo "pluto apparently already running (?!?), giving up"
- exit 1
- ;;
- 137) echo "pluto killed by SIGKILL, terminating without restart or unlock"
- exit 0
- ;;
- 143) echo "pluto killed by SIGTERM, terminating without restart"
- # pluto now does its own unlock for this
- exit 0
- ;;
- *) st=$status
- if $plutorestartoncrash
- then
- :
- else
- exit 0
- fi
-
- if test $st -gt 128
- then
- st="$st (signal `expr $st - 128`)"
- fi
- echo "!pluto failure!: exited with error status $st"
- echo "restarting IPsec after pause..."
- (
- sleep 10
- ipsec setup _autorestart
- ) /dev/null 2>&1 &
- exit 1
- ###sleep 10
- ###rm -rf $pidfile
- #### and go around the loop again
- ;;
- esac
-done &1 |
- logger -s -p $wherelog -t ipsec__plutorun >/dev/null 2>/dev/null &
-
-exit 0
diff --git a/programs/_realsetup/.cvsignore b/programs/_realsetup/.cvsignore
deleted file mode 100644
index 54941b8a3..000000000
--- a/programs/_realsetup/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_realsetup
diff --git a/programs/_realsetup/Makefile b/programs/_realsetup/Makefile
deleted file mode 100644
index c339007e0..000000000
--- a/programs/_realsetup/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_realsetup
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:34 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_realsetup/_realsetup.8 b/programs/_realsetup/_realsetup.8
deleted file mode 100644
index 51b647115..000000000
--- a/programs/_realsetup/_realsetup.8
+++ /dev/null
@@ -1,36 +0,0 @@ -.TH _REALSETUP 8 "25 Apr 2002" -.\" -.\" RCSID $Id: _realsetup.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec _realsetup \- internal routine to start FreeS/WAN. -.SH DESCRIPTION -.I _realsetup -is called by the system init scripts to start the FreeS/WAN -system. It starts -.B KLIPS -(the kernel component) and -.B pluto -(the userspace keying component). -.SH "SEE ALSO" -ipsec(8), ipsec__klipsstart(8), ipsec__plutorun(8). -.SH HISTORY -Man page written for the Linux FreeS/WAN project -by Michael Richardson. Original program by Henry Spencer. -.\" -.\" $Log: _realsetup.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/programs/_realsetup/_realsetup.in b/programs/_realsetup/_realsetup.in deleted file mode 100755 index 91b6e98d3..000000000 --- a/programs/_realsetup/_realsetup.in +++ /dev/null 
@@ -1,456 +0,0 @@ -#!/bin/sh -# IPsec startup and shutdown command -# Copyright (C) 1998, 1999, 2001 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _realsetup.in,v 1.10 2005/09/25 21:30:52 as Exp $ - -IPSEC_NAME=strongSwan - -me='ipsec setup' # for messages - -# Misc. paths (some of this should perhaps be overrideable from ipsec.conf). -plutopid=/var/run/pluto.pid -subsyslock=/var/lock/subsys/ipsec -lock=/var/run/ipsec_setup.pid -info=/var/run/ipsec.info -sysflags=/proc/sys/net/ipsec -modules=/proc/modules -ipforward=/proc/sys/net/ipv4/ip_forward -ipsecversion=/proc/net/ipsec_version -kamepfkey=/proc/net/pfkey - -# make sure output of (e.g.) 
ifconfig is in English -unset LANG LANGUAGE LC_ALL LC_MESSAGES - -# check we were called properly -if test " $IPSEC_confreadsection" != " setup" -then - echo "$me: $0 must be called by ipsec_setup" >&2 - exit 1 -fi -# defaults for "config setup" items - -IPSECinterfaces=${IPSECinterfaces:-%defaultroute} - if test " $IPSECinterfaces" = " %none" ; then IPSECinterfaces= ; fi -# IPSECforwardcontrol "no" -# IPSECsyslog "daemon.error" -# IPSECklipsdebug "none" -# IPSECplutodebug "none" -# IPSECdumpdir "" (no dump) -# IPSECmanualstart "" -# IPSECpluto "yes" -IPSECplutowait=${IPSECplutowait:-no} -# IPSECprepluto "" -# IPSECpostpluto "" -# IPSECfragicmp "yes" -# IPSEChidetos "yes" -IPSECrp_filter=${IPSECrp_filter:-0} -IPSECuniqueids=${IPSECuniqueids:-yes} -IPSECcrlcheckinterval=${IPSECcrlcheckinterval:-0} -# IPSECpkcs11module "" -# IPSECoverridemtu "" - -# Shall we trace? -execute="true" -display="false" -for i in $IPSEC_setupflags -do - case "$i" in - "--showonly") execute="false" ; display=true ;; - "--show") display=true ;; - esac -done - -if $display -then - echo " " PATH="$PATH" -fi - -perform() { - if $display - then - echo " " "$*" - fi - - if $execute - then - eval "$*" - fi -} - -# function to set up manually-keyed connections -manualconns() { - if test " $IPSECmanualstart" != " " - then - for tu in $IPSECmanualstart - do - perform ipsec manual --up $tu - done - fi - - # search for things to "ipsec manual --up": auto == "manual" - eval `ipsec _confread --varprefix MANUALSTART --search auto manual` - if test " $MANUALSTART_confreadstatus" != " " - then - echo "auto=manual search: $MANUALSTART_confreadstatus" - echo "unable to determine what conns to manual --up; none done" - elif test " $MANUALSTART_confreadnames" != " " - then - for tu in $MANUALSTART_confreadnames - do - perform ipsec manual --up $tu - done - fi -} - -# for no-stdout logging: -LOGONLY="logger -p $IPSECsyslog -t ipsec_setup" - -# What an ugly string. 
-# Must be a string, not a function, because it is nested -# within another sequence (for plutorun). -# Luckily there are NO substitutions in it. -KILLKLIPS='ifl=` ifconfig | sed -n -e "/^ipsec/s/ .*//p" ` ; - test "X$ifl" != "X" && - for i in $ifl ; - do - ifconfig $i down ; - ipsec tncfg --detach --virtual $i ; - done ; - test -r /proc/net/ipsec_klipsdebug && ipsec klipsdebug --none ; - ipsec eroute --clear ; - ipsec spi --clear ; - for alg in aes serpent twofish blowfish sha2 ; - do - lsmod 2>&1 | grep "^ipsec_$alg" > /dev/null && rmmod ipsec_$alg ; - done ; - lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec' - -if test -f $kamepfkey -then - KILLKLIPS=' - if ip xfrm state > /dev/null 2>&1 ; - then - ip xfrm state flush ; - ip xfrm policy flush ; - elif type setkey > /dev/null 2>&1 ; - then - setkey -F ; - setkey -FP ; - fi' -fi - - - -# do it -case "$1" in - start|--start|_autostart) - # First, does it seem to be going already? - perform test ! -f $lock "||" "{" \ - echo "\"$IPSEC_NAME IPsec apparently already running, start aborted\"" ";" \ - exit 1 ";" \ - "}" - - # announcement - # (Warning, changes to this log message may affect barf.) - version="`ipsec --version | awk 'NR == 1 { print $(3) }' | sed -e 's/^U\(.*\)\/K(.*/\1/'`" - case "$1" in - start|--start) perform echo "\"Starting $IPSEC_NAME IPsec $version...\"" ;; - _autostart) perform echo "\"Restarting $IPSEC_NAME IPsec $version...\"" ;; - esac - - # preliminaries - perform rm -f $lock - - for f in /dev/random /dev/urandom - do - perform test -r $f "||" "{" \ - echo "\"...unable to start $IPSEC_NAME IPsec, no $f!\"" ";" \ - exit 1 ";" \ - "}" - done - - # the meaning of $$ at a different runtime is questionable! 
- perform echo '$$' ">" $lock - perform test -s $lock "||" "{" \ - echo "\"...unable to create $lock, aborting start!\"" ";" \ - rm -f $lock ";" \ - exit 1 ";" \ - "}" - - perform ">" $info - - # here we go - perform ipsec _startklips \ - --info $info \ - --debug "\"$IPSECklipsdebug\"" \ - --omtu "\"$IPSECoverridemtu\"" \ - --fragicmp "\"$IPSECfragicmp\"" \ - --hidetos "\"$IPSEChidetos\"" \ - --rpfilter "\"$IPSECrp_filter\"" \ - --log "\"$IPSECsyslog\"" \ - $IPSECinterfaces "||" \ - "{" rm -f $lock ";" exit 1 ";" "}" - - perform test -f $ipsecversion "||" \ - test -f $kamepfkey "||" "{" \ - echo "\"OOPS, should have aborted! Broken shell!\"" ";" \ - exit 1 ";" \ - "}" - - # misc pre-Pluto setup - - perform test -d `dirname $subsyslock` "&&" touch $subsyslock - - if test " $IPSECforwardcontrol" = " yes" - then - perform grep '"^0"' $ipforward ">" /dev/null "&&" "{" \ - echo "\"enabling IP forwarding:\"" "|" $LOGONLY ";" \ - echo "\"ipforwardingwas=$fw\"" ">>" $info ";" \ - echo 1 ">" $ipforward ";" \ - "}" - fi - manualconns - - plutorestartoncrash="" - case "$IPSECplutorestartoncrash" in - true|[yY]|yes|restart) plutorestartoncrash="--plutorestartoncrash true";; - false|[nN]|no|die) plutorestartoncrash="--plutorestartoncrash false" ;; - esac - - # Pluto - case "$1" in - start|--start) re= ;; - _autostart) re=--re ;; - esac - if test " $IPSECpluto" != " no" - then - perform ipsec _plutorun $re \ - --debug "\"$IPSECplutodebug\"" \ - --uniqueids "\"$IPSECuniqueids\"" \ - --nocrsend "\"$IPSECnocrsend\"" \ - --strictcrlpolicy "\"$IPSECstrictcrlpolicy\"" \ - --cachecrls "\"$IPSECcachecrls\"" \ - --nat_traversal "\"$IPSECnat_traversal\"" \ - --keep_alive "\"$IPSECkeep_alive\"" \ - --force_keepalive "\"$IPSECforce_keepalive\"" \ - --disable_port_floating "\"$IPSECdisable_port_floating\"" \ - --virtual_private "\"$IPSECvirtual_private\"" \ - --crlcheckinterval "\"$IPSECcrlcheckinterval\"" \ - --pkcs11module "\"$IPSECpkcs11module\"" \ - --pkcs11keepstate 
"\"$IPSECpkcs11keepstate\"" \ - --pkcs11proxy "\"$IPSECpkcs11proxy\"" \ - --dump "\"$IPSECdumpdir\"" \ - --opts "\"$IPSECplutoopts\"" \ - --stderrlog "\"$IPSECplutostderrlog\"" \ - --wait "\"$IPSECplutowait\"" \ - --pre "\"$IPSECprepluto\"" \ - --post "\"$IPSECpostpluto\"" \ - --log "\"$IPSECsyslog\"" $plutorestartoncrash \ - --pid "\"$plutopid\"" "||" "{" \ - $KILLKLIPS ";" \ - rm -f $lock ";" \ - exit 1 ";" \ - "}" - fi - - # done! - perform echo "\"...$IPSEC_NAME IPsec started\"" "|" $LOGONLY - ;; - - stop|--stop|_autostop) # _autostop is same as stop - # Shut things down. - perform echo "\"Stopping $IPSEC_NAME IPsec...\"" - perform \ - if test -r $lock ";" \ - then \ - status=0 ";" \ - . $info ";" \ - else \ - echo "\"stop ordered, but IPsec does not appear to be running!\"" ";" \ - echo "\"doing cleanup anyway...\"" ";" \ - status=1 ";" \ - fi - if test " $IPSECforwardcontrol" = " yes" - then - perform test "\"X\$ipforwardingwas\"" = "\"X0\"" "&&" "{" \ - echo "\"disabling IP forwarding:\"" "|" $LOGONLY ";" \ - echo 0 ">" $ipforward ";" \ - "}" - fi - - perform test -f $plutopid "&&" "{" \ - if ps -p '`' cat $plutopid '`' ">" /dev/null ";" \ - then \ - ipsec whack --shutdown "|" grep -v "^002" ";" \ - sleep 1 ";" \ - if test -s $plutopid ";" \ - then \ - echo "\"Attempt to shut Pluto down failed! 
Trying kill:\"" ";" \ - kill '`' cat $plutopid '`' ";" \ - sleep 5 ";" \ - fi ";" \ - else \ - echo "\"Removing orphaned $plutopid:\"" ";" \ - fi ";" \ - rm -f $plutopid ";" \ - "}" - - perform $KILLKLIPS - - perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock - - perform rm -f $info $lock - perform echo "...$IPSEC_NAME IPsec stopped" "|" $LOGONLY - perform exit \$status - ;; - - status|--status) - if test " $IPSEC_setupflags" != " " - then - echo "$me $1 does not support $IPSEC_setupflags" - exit 1 - fi - - if test -f $info - then - hasinfo=yes - fi - - if test -f $lock - then - haslock=yes - fi - - if test -f $subsyslock - then - hassublock=yes - fi - - if test -s $plutopid - then - if ps -p `cat $plutopid` >/dev/null - then - plutokind=normal - elif ps -C pluto >/dev/null - then - plutokind=illicit - fi - elif ps -C pluto >/dev/null - then - plutokind=orphaned - else - plutokind=no - fi - - if test -r /proc/net/ipsec_eroute - then - if test " `wc -l &2 - exit 2 -esac - -exit 0 diff --git a/programs/_secretcensor/.cvsignore b/programs/_secretcensor/.cvsignore deleted file mode 100644 index 202d856fe..000000000 --- a/programs/_secretcensor/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -_secretcensor diff --git a/programs/_secretcensor/Makefile b/programs/_secretcensor/Makefile deleted file mode 100644 index 3df15286e..000000000 --- a/programs/_secretcensor/Makefile +++ /dev/null 
@@ -1,43 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=_secretcensor -PROGRAMDIR=${LIBDIR} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:27 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.3 2002/08/02 16:01:38 mcr -# moved user visible programs to $PREFIX/libexec, while moving -# private files to $PREFIX/lib. -# -# Revision 1.2 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/_secretcensor/_secretcensor.8 b/programs/_secretcensor/_secretcensor.8 deleted file mode 100644 index d502bbd37..000000000 --- a/programs/_secretcensor/_secretcensor.8 +++ /dev/null 
@@ -1,34 +0,0 @@ -.TH _SECRETCENSOR 8 "25 Apr 2002" -.\" -.\" RCSID $Id: _secretcensor.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec _secretcensor \- internal routing to sanitize files -.SH DESCRIPTION -.I _secretcensor -is called by -.B ipsec barf -to process the /etc/ipsec.secrets file to remove the private key components -from the file prior to revealing the contents. -.SH "SEE ALSO" -ipsec(8), ipsec_barf(8). -.SH HISTORY -Man page written for the Linux FreeS/WAN project -by Michael Richardson. Original program by Henry Spencer. -.\" -.\" $Log: _secretcensor.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/programs/_secretcensor/_secretcensor.in b/programs/_secretcensor/_secretcensor.in deleted file mode 100755 index 150c13cbc..000000000 --- a/programs/_secretcensor/_secretcensor.in +++ /dev/null 
@@ -1,75 +0,0 @@ -#! /bin/sh -# implements secret censoring for barf -# Copyright (C) 1999 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _secretcensor.in,v 1.1 2004/03/15 20:35:27 as Exp $ - -usage="Usage: $0 [file ...]" -me="ipsec _secretcensor" - -for dummy -do - case "$1" in - --help) echo "$usage" ; exit 0 ;; - --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; - --) shift ; break ;; - -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -awk ' function cool(hot, q, cooled, run) { - # warning: may destroy input line! - q = "'"'"'" # single quote - if (hot ~ q) - return "[cannot be summed]" - if (hot ~ /^0s/) - return "[keyid " substr(hot, 3, 9) "]" - run = "echo " q hot q " | md5sum" - run | getline - close(run) - return "[sums to " substr($1, 1, 4) "...]" - } - /"/ { - i = match($0, /"[^"]+"/) - cold1 = substr($0, 1, i) - cold2 = substr($0, i+RLENGTH-1) - hot = substr($0, i+1, RLENGTH-2) - print cold1 cool(hot) cold2 - next - } - /#pubkey=/ { - i = match($0, /^.*#pubkey=/) - i += RLENGTH-1 - cold = substr($0, 1, i) - hot = substr($0, i+1) - print cold cool(hot) - next - } - /#IN KEY / { - i = match($0, /^.*[ \t][^ \t]/) - i += RLENGTH-2 - cold = substr($0, 1, i) - hot = substr($0, i+1) - print cold cool("0s" hot) - next - } - /^[ \t]+(Modulus|P[a-z]+Exponent|Prime[12]|Exponent[12]|Coefficient):/ { - i = match($0, /^[^:]*:[ \t]*/) - i += RLENGTH-1 - cold = substr($0, 1, i) - print cold "[...]" - next - } - { print }' $* 
diff --git a/programs/_startklips/.cvsignore b/programs/_startklips/.cvsignore deleted file mode 100644 index a206fe65f..000000000 --- a/programs/_startklips/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -_startklips diff --git a/programs/_startklips/Makefile b/programs/_startklips/Makefile deleted file mode 100644 index 9df701b0e..000000000 --- a/programs/_startklips/Makefile +++ /dev/null @@ -1,43 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=_startklips -PROGRAMDIR=${LIBDIR} - -include ../Makefile.program - -# -# $Log: Makefile,v $ -# Revision 1.1 2004/03/15 20:35:27 as -# added files from freeswan-2.04-x509-1.5.3 -# -# Revision 1.3 2002/08/02 16:01:42 mcr -# moved user visible programs to $PREFIX/libexec, while moving -# private files to $PREFIX/lib. -# -# Revision 1.2 2002/06/02 22:02:14 mcr -# changed TOPDIR->FREESWANSRCDIR in all Makefiles. -# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the -# kernel sense.) -# -# Revision 1.1 2002/04/24 07:55:32 mcr -# #include patches and Makefiles for post-reorg compilation. -# -# -# - diff --git a/programs/_startklips/_startklips.8 b/programs/_startklips/_startklips.8 deleted file mode 100644 index 066699085..000000000 --- a/programs/_startklips/_startklips.8 +++ /dev/null 
@@ -1,33 +0,0 @@ -.TH _STARTKLIPS 8 "25 Apr 2002" -.\" -.\" RCSID $Id: _startklips.8,v 1.1 2004/03/15 20:35:27 as Exp $ -.\" -.SH NAME -ipsec _startklips \- internal script to bring up kernel components -.SH DESCRIPTION -.I _startklips -brings up the FreeS/WAN kernel component. This involves loading any -required modules, attaching and configuring the ipsecX pseudo-devices and -attaching the pseudo-devices to the physical devices. -.SH "SEE ALSO" -ipsec(8), ipsec_tncfg(8). -.SH HISTORY -Man page written for the Linux FreeS/WAN project -by Michael Richardson. Original program by Henry Spencer. -.\" -.\" $Log: _startklips.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/programs/_startklips/_startklips.in b/programs/_startklips/_startklips.in deleted file mode 100755 index 7f85a94de..000000000 --- a/programs/_startklips/_startklips.in +++ /dev/null 
@@ -1,367 +0,0 @@ -#!/bin/sh -# KLIPS startup script -# Copyright (C) 1998, 1999, 2001, 2002 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _startklips.in,v 1.6 2005/05/06 22:11:33 as Exp $ - -me='ipsec _startklips' # for messages - -# KLIPS-related paths -sysflags=/proc/sys/net/ipsec -modules=/proc/modules -# full rp_filter path is $rpfilter1/interface/$rpfilter2 -rpfilter1=/proc/sys/net/ipv4/conf -rpfilter2=rp_filter -# %unchanged or setting (0, 1, or 2) -rpfiltercontrol=0 -ipsecversion=/proc/net/ipsec_version -moduleplace=/lib/modules/`uname -r`/kernel/net/ipsec -bareversion=`uname -r | sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/'` -moduleinstplace=/lib/modules/$bareversion/kernel/net/ipsec -modulename=ipsec.o -klips=true -netkey=/proc/net/pfkey - -info=/dev/null -log=daemon.error -for dummy -do - case "$1" in - --log) log="$2" ; shift ;; - --info) info="$2" ; shift ;; - --debug) debug="$2" ; shift ;; - --omtu) omtu="$2" ; shift ;; - --fragicmp) fragicmp="$2" ; shift ;; - --hidetos) hidetos="$2" ; shift ;; - --rpfilter) rpfiltercontrol="$2" ; shift ;; - --) shift ; break ;; - -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - - - -# some shell functions, to clarify the actual code - -# set up a system flag based on a variable -# sysflag value shortname default flagname -sysflag() { - case "$1" in - '') v="$3" ;; - *) v="$1" ;; - esac - if test ! 
-f $sysflags/$4 - then - if test " $v" != " $3" - then - echo "cannot do $2=$v, $sysflags/$4 does not exist" - exit 1 - else - return # can't set, but it's the default anyway - fi - fi - case "$v" in - yes|no) ;; - *) echo "unknown (not yes/no) $2 value \`$1'" - exit 1 - ;; - esac - case "$v" in - yes) echo 1 >$sysflags/$4 ;; - no) echo 0 >$sysflags/$4 ;; - esac -} - -# set up a Klips interface -klipsinterface() { - # pull apart the interface spec - virt=`expr $1 : '\([^=]*\)=.*'` - phys=`expr $1 : '[^=]*=\(.*\)'` - case "$virt" in - ipsec[0-9]) ;; - *) echo "invalid interface \`$virt' in \`$1'" ; exit 1 ;; - esac - - # figure out ifconfig for interface - addr= - eval `ifconfig $phys | - awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ { - gsub(/:/, " ", $0) - print "addr=" $3 - other = $5 - if ($4 == "Bcast") - print "type=broadcast" - else if ($4 == "P-t-P") - print "type=pointopoint" - else if (NF == 5) { - print "type=" - other = "" - } else - print "type=unknown" - print "otheraddr=" other - print "mask=" $NF - }'` - if test " $addr" = " " - then - echo "unable to determine address of \`$phys'" - exit 1 - fi - if test " $type" = " unknown" - then - echo "\`$phys' is of an unknown type" - exit 1 - fi - if test " $omtu" != " " - then - mtu="mtu $omtu" - else - mtu= - fi - echo "KLIPS $virt on $phys $addr/$mask $type $otheraddr $mtu" | logonly - - if $klips - then - # attach the interface and bring it up - ipsec tncfg --attach --virtual $virt --physical $phys - ifconfig $virt inet $addr $type $otheraddr netmask $mask $mtu - fi - - # if %defaultroute, note the facts - if test " $2" != " " - then - ( - echo "defaultroutephys=$phys" - echo "defaultroutevirt=$virt" - echo "defaultrouteaddr=$addr" - if test " $2" != " 0.0.0.0" - then - echo "defaultroutenexthop=$2" - fi - ) >>$info - else - echo '#dr: no default route' >>$info - fi - - # check for rp_filter trouble - checkif $phys # thought to be a problem only on phys -} - -# check an interface for problems 
-checkif() { - $klips || return 0 - rpf=$rpfilter1/$1/$rpfilter2 - if test -f $rpf - then - r="`cat $rpf`" - if test " $r" != " 0" - then - case "$r-$rpfiltercontrol" in - 0-%unchanged|0-0|1-1|2-2) - # happy state - ;; - *-%unchanged) - echo "WARNING: $1 has route filtering turned on; KLIPS may not work ($rpf is $r)" - ;; - [012]-[012]) - echo "WARNING: changing route filtering on $1 (changing $rpf from $r to $rpfiltercontrol)" - echo "$rpfiltercontrol" >$rpf - ;; - [012]-*) - echo "ERROR: unknown rpfilter setting: $rpfiltercontrol" - ;; - *) - echo "ERROR: unknown $rpf value $r" - ;; - esac - fi - fi -} - -# interfaces=%defaultroute: put ipsec0 on top of default route's interface -defaultinterface() { - phys=`netstat -nr | - awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'` - if test " $phys" = " " - then - echo "no default route, %defaultroute cannot cope!!!" - exit 1 - fi - if test `echo " $phys" | wc -l` -gt 1 - then - echo "multiple default routes, %defaultroute cannot cope!!!" - exit 1 - fi - next=`netstat -nr | - awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2 }'` - klipsinterface "ipsec0=$phys" $next -} - -# log only to syslog, not to stdout/stderr -logonly() { - logger -p $log -t ipsec_setup -} - -# sort out which module is appropriate, changing it if necessary -setmodule() { - wantgoo="`ipsec calcgoo /proc/ksyms`" - module=$moduleplace/$modulename - if test -f $module - then - goo="`nm -ao $module | ipsec calcgoo`" - if test " $wantgoo" = " $goo" - then - return # looks right - fi - fi - if test -f $moduleinstplace/$wantgoo - then - echo "insmod failed, but found matching template module $wantgoo." - echo "Copying $moduleinstplace/$wantgoo to $module." - rm -f $module - mkdir -p $moduleplace - cp -p $moduleinstplace/$wantgoo $module - # "depmod -a" gets done by caller - fi -} - - - -# main line - -# load module if possible -if test ! -f $ipsecversion && test ! 
-f $netkey -then - # statically compiled KLIPS not found; try to load the module - insmod ipsec -fi - -if test ! -f $ipsecversion && test ! -f $netkey -then - modprobe -v af_key -fi - -if test -f $netkey -then - klips=false - if test -f $modules - then - modprobe -qv ah4 - modprobe -qv esp4 - modprobe -qv ipcomp - modprobe -qv xfrm4_tunnel - modprobe -qv xfrm_user - fi -fi - -if test ! -f $ipsecversion && $klips -then - if test -r $modules # kernel does have modules - then - setmodule - unset MODPATH MODULECONF # no user overrides! - depmod -a >/dev/null 2>&1 - modprobe -v ipsec - fi - if test ! -f $ipsecversion - then - echo "kernel appears to lack KLIPS" - exit 1 - fi -fi - -# load all compiled algo modules -if $klips -then - for alg in aes serpent twofish blowfish sha2 - do - if test -f $moduleinstplace/alg/ipsec_$alg.o - then - modprobe ipsec_$alg - fi - done -fi - -# figure out debugging flags -case "$debug" in -'') debug=none ;; -esac -if test -r /proc/net/ipsec_klipsdebug -then - echo "KLIPS debug \`$debug'" | logonly - case "$debug" in - none) ipsec klipsdebug --none ;; - all) ipsec klipsdebug --all ;; - *) ipsec klipsdebug --none - for d in $debug - do - ipsec klipsdebug --set $d - done - ;; - esac -elif $klips -then - if test " $debug" != " none" - then - echo "klipsdebug=\`$debug' ignored, KLIPS lacks debug facilities" - fi -fi - -# figure out misc. kernel config -if test -d $sysflags -then - sysflag "$fragicmp" "fragicmp" yes icmp - echo 1 >$sysflags/inbound_policy_check # no debate - sysflag no "no_eroute_pass" no no_eroute_pass # obsolete parm - sysflag no "opportunistic" no opportunistic # obsolete parm - sysflag "$hidetos" "hidetos" yes tos -elif $klips -then - echo "WARNING: cannot adjust KLIPS flags, no $sysflags directory!" 
- # carry on -fi - -if $klips; then - # clear tables out in case dregs have been left over - ipsec eroute --clear - ipsec spi --clear -elif test $netkey -then - if ip xfrm state > /dev/null 2>&1 - then - ip xfrm state flush - ip xfrm policy flush - elif type setkey > /dev/null 2>&1 - then - setkey -F - setkey -FP - else - echo "WARNING: cannot flush state/policy database -- \`$1'" | - logger -s -p $log -t ipsec_setup - fi -fi - -# figure out interfaces -for i -do - case "$i" in - ipsec*=?*) klipsinterface "$i" ;; - %defaultroute) defaultinterface ;; - *) echo "interface \`$i' not understood" - exit 1 - ;; - esac -done - -exit 0 diff --git a/programs/_updown/.cvsignore b/programs/_updown/.cvsignore deleted file mode 100644 index 81e2e4f86..000000000 --- a/programs/_updown/.cvsignore +++ /dev/null @@ -1,2 +0,0 @@ -_updown -_updown.in diff --git a/programs/_updown/Makefile b/programs/_updown/Makefile deleted file mode 100644 index e0aaab488..000000000 --- a/programs/_updown/Makefile +++ /dev/null @@ -1,22 +0,0 @@ -# Makefile for miscelaneous programs -# Copyright (C) 2002 Michael Richardson -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $ - -FREESWANSRCDIR=../.. -include ${FREESWANSRCDIR}/Makefile.inc - -PROGRAM=_updown -PROGRAMDIR=${LIBDIR} - -include ../Makefile.program diff --git a/programs/_updown/_updown.8 b/programs/_updown/_updown.8 deleted file mode 100644 index 5107d3694..000000000 --- a/programs/_updown/_updown.8 +++ /dev/null 
@@ -1,19 +0,0 @@ -.TH _UPDOWN 8 "27 Apr 2006" -.\" -.\" RCSID $Id: _updown.8,v 1.2 2006/04/17 06:48:49 as Exp $ -.\" -.SH NAME -ipsec _updown \- route and firewall manipulation script -.SH SYNOPSIS -.I _updown -is invoked by pluto when it has brought up a new connection. This script -is used to insert the appropriate routing entries for IPsec operation. -It can also be used to insert and delete dynamic iptables firewall rules. -The interface to the script is documented in the pluto man page. -.SH "SEE ALSO" -ipsec(8), ipsec_pluto(8). -.SH HISTORY -Man page written for the Linux FreeS/WAN project -by Michael Richardson. Original program written by Henry Spencer. Extended -for the Linux strongSwan project by Andreas -Steffen. diff --git a/programs/_updown/_updown.in b/programs/_updown/_updown.in deleted file mode 100755 index 8db74f737..000000000 --- a/programs/_updown/_updown.in +++ /dev/null 
@@ -1,503 +0,0 @@ -#! /bin/sh -# iproute2 version, default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2006 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _updown.in,v 1.2 2006/04/17 15:06:29 as Exp $ - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# things that this script gets (from ipsec_pluto(8) man page) -# -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica­ -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. 
-# -# PLUTO_REQID -# is the requid of the ESP policy -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# -# PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub­ -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. 
-# - -# uncomment to log VPN connections -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn -# - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - parms="$PLUTO_PEER_CLIENT" - - parms2= - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - if [ -f /etc/sysconfig/defaultsource ] - then - . /etc/sysconfig/defaultsource - fi - - if [ -f /etc/conf.d/defaultsource ] - then - . 
/etc/conf.d/defaultsource - fi - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - parms3= - if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" - then - addsource - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" -fi - -# the big choice -case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. 
- parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; -up-host-v6:*) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. 
- ;;
-down-host-v6:*)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-up-client-v6:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-client-v6:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
diff --git a/programs/_updown_espmark/Makefile b/programs/_updown_espmark/Makefile
deleted file mode 100644
index bd9cd38cb..000000000
--- a/programs/_updown_espmark/Makefile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2005/04/07 21:34:19 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_updown_espmark
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
diff --git a/programs/_updown_espmark/_updown_espmark.8 b/programs/_updown_espmark/_updown_espmark.8
deleted file mode 100644
index 91eaa5cb7..000000000
--- a/programs/_updown_espmark/_updown_espmark.8
+++ /dev/null
@@ -1,18 +0,0 @@
-.TH _UPDOWN_ESPMARK 8 "7 Apr 2005"
-.\"
-.\" RCSID $Id: _updown_espmark.8,v 1.1 2005/04/07 21:34:19 as Exp $
-.\"
-.SH NAME
-ipsec _updown_espmark \- manages routes and firewall rules
-.SH SYNOPSIS
-.I _updown_espmark
-is invoked by pluto when it has brought up a new connection. This script
-is used to insert the appropriate routing and iptables firewall entries for
-IPsec operation. The incoming ESP traffic must be marked by a static rule
-in the mangle table. The default value for the mark is 50.
-The interface to the script is documented in the pluto man page.
-.SH "SEE ALSO"
-ipsec(8), ipsec_pluto(8).
-.SH HISTORY
-Man page written for the Linux strongSwan project
-by Andreas Steffen. Original program written by Henry Spencer.
diff --git a/programs/_updown_espmark/_updown_espmark.in b/programs/_updown_espmark/_updown_espmark.in
deleted file mode 100644
index 3627d470d..000000000
--- a/programs/_updown_espmark/_updown_espmark.in
+++ /dev/null
@@ -1,452 +0,0 @@ -#! /bin/sh -# iproute2 version, default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: _updown_espmark.in,v 1.4 2005/09/14 14:33:05 as Exp $ - - - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# FreeS/WAN use yours instead of this default one. - -# things that this script gets (from ipsec_pluto(8) man page) -# -# -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica­ -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_ME -# is the IP address of our host. 
-# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# -# PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub­ -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. 
-# - -# logging of VPN connections -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn -# - -# check interface version -case "$PLUTO_VERSION" in -1.[0]) # Older Pluto?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - parms="$PLUTO_PEER_CLIENT" - - parms2= - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - if [ -f /etc/sysconfig/defaultsource ] - then - . /etc/sysconfig/defaultsource - fi - - if [ -f /etc/conf.d/defaultsource ] - then - . 
/etc/conf.d/defaultsource - fi - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - parms3= - if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" - then - addsource - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# define ESP mark -ESP_MARK=50 - -# add the following static rule to the INPUT chain in the mangle table -# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50 - -# NAT traversal via UDP encapsulation is supported with the rule -# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50 - -# in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - CHECK_MARK="" -else - CHECK_MARK="-m mark --mark $ESP_MARK" -fi - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" -fi - -# the big choice -case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. 
- parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; -up-host:*) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - # - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - ;; -down-host:*) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - # connection to me going down - # If you are doing a custom version, firewall commands go here. 
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - # - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ - $CHECK_MARK -j ACCEPT - # - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. 
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ - $CHECK_MARK -j ACCEPT - # - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - ;; -up-client:ipfwadm) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ - -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK - ;; -down-client:ipfwadm) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ - -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK - ;; -# -# IPv6 -# -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; -up-host-v6:*) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:*) - # connection to me going down - # If you are doing a custom version, firewall commands go here. 
- ;;
-up-client-v6:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-client-v6:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
diff --git a/programs/auto/.cvsignore b/programs/auto/.cvsignore
deleted file mode 100644
index 865faf10c..000000000
--- a/programs/auto/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-auto
diff --git a/programs/auto/Makefile b/programs/auto/Makefile
deleted file mode 100644
index 035dbf708..000000000
--- a/programs/auto/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.2 2006/02/10 11:28:38 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=auto
-
-include ../Makefile.program
diff --git a/programs/auto/auto.8 b/programs/auto/auto.8
deleted file mode 100644
index 21b5fd11b..000000000
--- a/programs/auto/auto.8
+++ /dev/null
@@ -1,481 +0,0 @@ -.TH IPSEC_AUTO 8 "17 December 2004" -.\" RCSID $Id: auto.8,v 1.6 2004/12/17 22:34:38 as Exp $ -.SH NAME -ipsec auto \- control automatically-keyed IPsec connections -.SH SYNOPSIS -.B ipsec -.B auto -[ -.B \-\-show -] [ -.B \-\-showonly -] [ -.B \-\-asynchronous -] -.br -\ \ \ [ -.B \-\-config -configfile -] [ -.B \-\-verbose -] [ -.B \-\-type conn -] -.br -\ \ \ operation -connection -.sp -.B ipsec -.B auto -[ -.B \-\-show -] [ -.B \-\-showonly -] -.br -\ \ \ [ -.B \-\-config -configfile -] [ -.B \-\-verbose -] -.B \-\-type ca -.br -\ \ \ operation -ca -.sp -.B ipsec -.B auto -[ -.B \-\-show -] [ -.B \-\-showonly -] operation -.SH DESCRIPTION -.I Auto -manipulates automatically-keyed strongSwan IPsec connections, -setting them up and shutting them down -based on the information in the IPsec configuration file. -In the normal usage, -.I connection -is the name of a connection specification in the configuration file; -.I ca -is the name of a Certification Authority (CA) specification in the configuration file; -.I operation -is -.BR \-\-add , -.BR \-\-delete , -.BR \-\-replace , -.BR \-\-up , -.BR \-\-down , -.BR \-\-route , -or -.BR \-\-unroute . -The -.BR \-\-status -and -.BR \-\-statusall -.I operations -may take a -.I connection -name. -The -.BR \-\-ready , -.BR \-\-rereadsecrets , -.BR \-\-rereadgroups , -.BR \-\-rereadcacerts , -.BR \-\-rereadaacerts , -.BR \-\-rereadocspcerts , -.BR \-\-rereadacerts , -.BR \-\-rereadcrls , -.BR \-\-rereadall , -.BR \-\-listalgs , -.BR \-\-listpubkeys , -.BR \-\-listcerts , -.BR \-\-listcacerts , -.BR \-\-listaacerts , -.BR \-\-listocspcerts , -.BR \-\-listacerts , -.BR \-\-listgroups , -.BR \-\-listcainfos , -.BR \-\-listcrls , -.BR \-\-listocsp , -.BR \-\-listcards , -.BR \-\-listall , -and -.BR \-\-purgeocsp -.I operations -do not take a connection name. -.I Auto -generates suitable -commands and feeds them to a shell for execution. 
-.PP -The -.B \-\-add -operation adds a connection or ca specification to the internal database -within -.IR pluto ; -it will fail if -.I pluto -already has a specification by that name. -The -.B \-\-delete -operation deletes a connection or ca specification from -.IR pluto 's -internal database (also tearing down any connections based on it); -it will fail if the specification does not exist. -The -.B \-\-replace -operation is equivalent to -.B \-\-delete -(if there is already a specification by the given name) -followed by -.BR \-\-add , -and is a convenience for updating -.IR pluto 's -internal specification to match an external one. -(Note that a -.B \-\-rereadsecrets -may also be needed.) -The -.B \-\-rereadgroups -operation causes any changes to the policy group files to take effect -(this is currently a synonym for -.BR \-\-ready , -but that may change). -None of the other operations alters the internal database. -.PP -The -.B \-\-up -operation asks -.I pluto -to establish a connection based on an entry in its internal database. -The -.B \-\-down -operation tells -.I pluto -to tear down such a connection. -.PP -Normally, -.I pluto -establishes a route to the destination specified for a connection as -part of the -.B \-\-up -operation. -However, the route and only the route can be established with the -.B \-\-route -operation. -Until and unless an actual connection is established, -this discards any packets sent there, -which may be preferable to having them sent elsewhere based on a more -general route (e.g., a default route). -.PP -Normally, -.IR pluto 's -route to a destination remains in place when a -.B \-\-down -operation is used to take the connection down -(or if connection setup, or later automatic rekeying, fails). -This permits establishing a new connection (perhaps using a -different specification; the route is altered as necessary) -without having a ``window'' in which packets might go elsewhere -based on a more general route. 
-Such a route can be removed using the -.B \-\-unroute -operation -(and is implicitly removed by -.BR \-\-delete ). -.PP -The -.B \-\-ready -operation tells -.I pluto -to listen for connection-setup requests from other hosts. -Doing an -.B \-\-up -operation before doing -.B \-\-ready -on both ends is futile and will not work, -although this is now automated as part of IPsec startup and -should not normally be an issue. -.PP -The -.B \-\-status -operation asks -.I pluto -for current connection status either for all connections -(no connection argument) or a for specified -.I connection -name. For more detailed information use -.B \-\-statusall -\. The output format is ad-hoc and likely to change. -.PP -The -.B \-\-rereadsecrets -operation tells -.I pluto -to re-read the -.I /etc/ipsec.secrets -secret-keys file, -which it normally reads only at startup time. -(This is currently a synonym for -.BR \-\-ready , -but that may change.) -.PP -The -.B \-\-rereadcacerts -operation reads all certificate files contained in the -.IR /etc/ipsec.d/cacerts -directory and adds them to -.IR pluto 's -list of Certification Authority (CA) certificates. -.PP -The -.B \-\-rereadaacerts -operation reads all certificate files contained in the -.IR /etc/ipsec.d/aacerts -directory and adds them to -.IR pluto 's -list of Authorization Authority (AA) certificates. -.PP -The -.B \-\-rereadocspcerts -operation reads all certificate files contained in the -.IR /etc/ipsec.d/ocspcerts -directory and adds them to -.IR pluto 's -list of OCSP signer certificates. -.PP -The -.B \-\-rereadacerts -operation reads all certificate files contained in the -.IR /etc/ipsec.d/acerts -directory and adds them to -.IR pluto 's -list of attribute certificates. -.PP -The -.B \-\-rereadcrls -operation reads all certificate revocation list (CRL) files -contained in the -.IR /etc/ipsec.d/crls -directory and adds them to -.IR pluto 's -list of CRLs. 
-.PP -The -.B \-\-rereadall -operation is equivalent to the execution of -.BR \-\-rereadsecrets , -.BR \-\-rereadcacerts , -.BR \-\-rereadaacerts , -.BR \-\-rereadocspcerts , -.BR \-\-rereadacerts , -and -.BR \-\-rereadcrls . -.PP -The -.B \-\-listalgs -operation lists all registed IKE encryption and hash algorithms, -that are available to -.IR pluto , -as well as the Diffie-Hellman (DH) groups. -.PP -The -.B \-\-listpubkeys -operation lists all RSA public keys either received from peers -via the IKE protocol embedded in authenticated certificate payloads -or loaded locally using the -.BR rightcert \ / -.BR leftcert -or -.BR rightrsasigkey \ / -.BR leftrsasigkey -parameters in -.IR ipsec.conf (5). -.PP -The -.B \-\-listcerts -operation lists all X.509 and OpenPGP certificates loaded locally using the -.BR rightcert -and -.BR leftcert -parameters in -.IR ipsec.conf (5). -.PP -The -.B \-\-listcacerts -operation lists all X.509 CA certificates either loaded locally from the -.IR /etc/ipsec.d/cacerts -directory or received in PKCS#7-wrapped certificate payloads via -the IKE protocol. -.PP -The -.B \-\-listaacerts -operation lists all X.509 AA certificates loaded locally from the -.IR /etc/ipsec.d/aacerts -directory. -.PP -The -.B \-\-listocspcerts -operation lists all OCSP signer certificates either loaded locally from the -.IR /etc/ipsec.d/ocspcerts -directory or received via the Online Certificate Status Protocol -from an OCSP server. -.PP -The -.B \-\-listacerts -operation lists all X.509 attribute certificates loaded locally from the -.IR /etc/ipsec.d/acerts -directory. -.PP -The -.B \-\-listgropus -operation lists all groups that are either used in connection definitions in -.IR ipsec.conf (5) -or are embedded in loaded X.509 attributes certificates. -.PP -The -.B \-\-listcainfos -operation lists the certification authority information specified in the ca -sections of -.IR ipsec.conf (5). 
-.PP -The -.B \-\-listcrls -operation lists all Certificate Revocation Lists (CRLs) either loaded -locally from the -.IR /etc/ipsec.d/crls -directory or fetched dynamically from an HTTP or LDAP server. -.PP -The -.B \-\-listocsp -operation lists the certicates status information fetched from -OCSP servers. -.PP -The -.B \-\-purgeocsp -operation deletes any cached certificate status information and pending -OCSP fetch requests. -.PP -The -.B \-\-listcards -operation lists information about attached smartcards or crypto tokens. -.PP -The -.B \-\-listall -operation is equivalent to the execution of -.BR \-\-listalgs , -.BR \-\-listpubkeys , -.BR \-\-listcerts , -.BR \-\-listcacerts , -.BR \-\-listaacerts , -.BR \-\-listocspcerts , -.BR \-\-listacerts , -.BR \-\-listgroups , -.BR \-\-listcainfos , -.BR \-\-listcrls , -.BR \-\-listocsp , -and -.BR \-\-listcards . -.PP -The -.B \-\-show -option turns on the -.B \-x -option of the shell used to execute the commands, -so each command is shown as it is executed. -.PP -The -.B \-\-showonly -option causes -.I auto -to show the commands it would run, on standard output, -and not run them. -.PP -The -.B \-\-asynchronous -option, applicable only to the -.B up -operation, -tells -.I pluto -to attempt to establish the connection, -but does not delay to report results. -This is especially useful to start multiple connections in parallel -when network links are slow. -.PP -The -.B \-\-verbose -option instructs -.I auto -to pass through all output from -.IR ipsec_whack (8), -including log output that is normally filtered out as uninteresting. -.PP -The -.B \-\-config -option specifies a non-standard location for the IPsec -configuration file (default -.IR /etc/ipsec.conf ). -.PP -See -.IR ipsec.conf (5) -for details of the configuration file. 
-Apart from the basic parameters which specify the endpoints and routing
-of a connection (\fBleft\fR
-and
-.BR right ,
-plus possibly
-.BR leftsubnet ,
-.BR leftnexthop ,
-.BR leftfirewall ,
-their
-.B right
-equivalents,
-and perhaps
-.BR type ),
-an
-.I auto
-connection almost certainly needs a
-.B keyingtries
-parameter (since the
-.B keyingtries
-default is poorly chosen).
-.SH FILES
-.ta \w'/var/run/ipsec.info'u+4n
-/etc/ipsec.conf default IPSEC configuration file
-.br
-/var/run/ipsec.info \fB%defaultroute\fR information
-.SH SEE ALSO
-ipsec.conf(5), ipsec(8), ipsec_pluto(8), ipsec_whack(8), ipsec_manual(8)
-.SH HISTORY
-Written for the FreeS/WAN project
-
-by Henry Spencer.
-Extended for the strongSwan project
-
-by Andreas Steffen.
-.SH BUGS
-Although an
-.B \-\-up
-operation does connection setup on both ends,
-.B \-\-down
-tears only one end of the connection down
-(although the orphaned end will eventually time out).
-.PP
-There is no support for
-.B passthrough
-connections.
-.PP
-A connection description which uses
-.B %defaultroute
-for one of its
-.B nexthop
-parameters but not the other may be falsely
-rejected as erroneous in some circumstances.
-.PP
-The exit status of
-.B \-\-showonly
-does not always reflect errors discovered during processing of the request.
-(This is fine for human inspection, but not so good for use in scripts.)
diff --git a/programs/auto/auto.in b/programs/auto/auto.in
deleted file mode 100755
index 05568f9b5..000000000
--- a/programs/auto/auto.in
+++ /dev/null
@@ -1,660 +0,0 @@ -#! /bin/sh -# user interface to automatic keying and Pluto in general -# Copyright (C) 1998, 1999, 2000 Henry Spencer. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. -# -# RCSID $Id: auto.in,v 1.17 2006/04/20 04:42:12 as Exp $ - -me='ipsec auto' -usage="Usage: - $me [--showonly] [--asynchronous] --up connectionname - $me [--showonly] [-- type conn|ca] --{add|delete|replace|down} name - $me [--showonly] --{route|unroute} connectionname - $me [--showonly] --ready - $me [--showonly] --{status|statusall} [connectionname] - $me [--showonly] --{rereadsecrets|rereadgroups} - $me [--showonly] --{rereadcacerts|rereadaacerts|rereadocspcerts} - $me [--showonly] --{rereadacerts|rereadcrls|rereadall} - $me [--showonly] [--utc] --{listalgs|listpubkeys|listcerts} - $me [--showonly] [--utc] --{listcacerts|listaacerts|listocspcerts} - $me [--showonly] [--utc] --{listacerts|listgroups|listcainfos} - $me [--showonly] [--utc] --{listcrls|listocsp|listcards|listall} - $me [--showonly] --purgeocsp - - other options: [--config ipsecconfigfile] [--verbose] [--show]" - -showonly= -config= -info=/var/run/ipsec.info -shopts= -noinclude= -async= -logfilter='$1 != "002"' -op= -argc= -utc= -type="conn" -name="--name" - -for dummy -do - case "$1" in - --help) echo "$usage" ; exit 0 ;; - --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; - --show) shopts=-x ;; - --showonly) showonly=yes ;; - --utc) utc="$1" ;; - --config) config="--config $2" ; shift ;; - --noinclude) noinclude=--noinclude ;; - --asynchronous) 
async="--asynchronous" ;; - --verbose) logfilter='1' ;; - --type) type="$2" ; shift ;; - --up|--down|--add|--delete|--replace|--route|--unroute) - if test " $op" != " " - then - echo "$usage" >&2 - exit 2 - fi - op="$1" - argc=1 - if test "$type" = "ca" - then - name="--caname" - case "$op" in - --add|--delete|--replace) ;; - --*) echo "$op option not supported for --type ca"; - exit 3 ;; - esac - fi - ;; - --status|--statusall) - if test " $op" != " " - then - echo "$usage" >&2 - exit 2 - fi - op="$1" - argc=1 - if test $# -eq 1 - then - argc=0; name= - fi - ;; - --ready|--rereadsecrets|--rereadgroups|\ - --rereadcacerts|--rereadaacerts|--rereadocspcerts|\ - --rereadacerts|--rereadcrls|--rereadall|\ - --listalgs|--listpubkeys|--listcerts|\ - --listcacerts|--listaacerts|--listocspcerts|\ - --listacerts|--listgroups|--listcainfos|\ - --listcrls|--listocsp|--listcards|--listall|\ - --purgeocsp) - if test " $op" != " " - then - echo "$usage" >&2 - exit 2 - fi - op="$1" - argc=0 - ;; - --) shift ; break ;; - -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; - *) break ;; - esac - shift -done - -names= -case "$op" in ---*) if test " $argc" -ne $# - then - echo "$usage" >&2 - exit 2 - fi - names="$*" - ;; -*) echo "$usage" >&2 ; exit 2 ;; -esac - - -runit() { - if test "$showonly" - then - cat - else - ( - echo '(' - cat - echo ')' - echo 'echo = $?' 
- ) | sh $shopts | - awk "/^= / { exit \$2 } $logfilter { print }" - fi -} - -case "$op" in ---ready) echo "ipsec whack --listen" | runit ; exit ;; ---rereadsecrets) echo "ipsec whack --rereadsecrets" | runit ; exit ;; ---rereadgroups) echo "ipsec whack --listen" | runit ; exit ;; ---rereadcacerts) echo "ipsec whack --rereadcacerts" | runit ; exit ;; ---rereadaacerts) echo "ipsec whack --rereadaacerts" | runit ; exit ;; ---rereadocspcerts) echo "ipsec whack --rereadocspcerts" | runit ; exit ;; ---rereadacerts) echo "ipsec whack --rereadacerts" | runit ; exit ;; ---rereadcrls) echo "ipsec whack --rereadcrls" | runit ; exit ;; ---rereadall) echo "ipsec whack --rereadall" | runit ; exit ;; ---listalgs) echo "ipsec whack --listalgs" | runit ; exit ;; ---listpubkeys) echo "ipsec whack $utc --listpubkeys" | runit ; exit ;; ---listcerts) echo "ipsec whack $utc --listcerts" | runit ; exit ;; ---listcacerts) echo "ipsec whack $utc --listcacerts" | runit ; exit ;; ---listaacerts) echo "ipsec whack $utc --listaacerts" | runit ; exit ;; ---listocspcerts) echo "ipsec whack $utc --listocspcerts" | runit ; exit ;; ---listacerts) echo "ipsec whack $utc --listacerts" | runit ; exit ;; ---listgroups) echo "ipsec whack $utc --listgroups" | runit ; exit ;; ---listcainfos) echo "ipsec whack $utc --listcainfos" | runit ; exit ;; ---listcrls) echo "ipsec whack $utc --listcrls" | runit ; exit ;; ---listocsp) echo "ipsec whack $utc --listocsp" | runit ; exit ;; ---listcards) echo "ipsec whack $utc --listcards" | runit ; exit ;; ---listall) echo "ipsec whack $utc --listall" | runit ; exit ;; ---purgeocsp) echo "ipsec whack $utc --purgeocsp" | runit ; exit ;; ---up) echo "ipsec whack $async --name $names --initiate" | runit ; exit ;; ---down) echo "ipsec whack --name $names --terminate" | runit ; exit ;; ---delete) echo "ipsec whack $name $names --delete" | runit ; exit ;; ---route) echo "ipsec whack --name $names --route" | runit ; exit ;; ---unroute) echo "ipsec whack --name $names 
--unroute" | runit ; exit ;; ---status) echo "ipsec whack $name $names --status" | runit ; exit ;; ---statusall) echo "ipsec whack $name $names --statusall" | runit ; exit ;; -esac - -if test -s $info -then - . $info -fi - -ipsec _confread $config $noinclude --type $type $names | -awk -v section="$type" ' BEGIN { - FS = "\t" - op = "'"$op"'" - err = "cat >&2" - draddr = "'"$defaultrouteaddr"'" - drnexthop = "'"$defaultroutenexthop"'" - failed = 0 - s[""] = "" - init() - print "PATH=\"'"$PATH"'\"" - print "export PATH" - flip["left"] = "right" - flip["right"] = "left" - } - function init(n) { - for (n in s) - delete s[n] - name = "" - seensome = 0 - } - $1 == ":" { - s[$2] = $3 - seensome = 1 - next - } - $1 == "!" { - if ($2 != "") - fail($2) - next - } - $1 == "=" { - if (name == "") - name = $2 - next - } - $1 == "." { - if (section == "ca") - output_ca() - else - output() - init() - next - } - { - fail("internal error, unknown type code " v($1)) - } - function fail(m) { - print "ipsec_auto: fatal error in " v(name) ": " m |err - failed = 1 - exit - } - function yesno(k) { - if ((k in s) && s[k] != "yes" && s[k] != "no") - fail("parameter " v(k) " must be \"yes\" or \"no\"") - } - function setdefault(k, val) { - if (!(k in s)) - s[k] = val - } - function was(new, old) { - if (!(new in s) && (old in s)) - s[new] = s[old] - } - function need(k) { - if (!(k in s)) - fail("connection has no " v(k) " parameter specified") - if (s[k] == "") - fail("parameter " v(k) " value must be non-empty") - } - function integer(k) { - if (!(k in s)) - return - if (s[k] !~ /^[0-9]+$/) - fail("parameter " v(k) " value must be integer") - } - function duration(k, n, t) { - if (!(k in s)) - return - t = s[k] - n = substr(t, 1, length(t)-1) - if (t ~ /^[0-9]+$/) - s[k] = t - else if (t ~ /^[0-9]+s$/) - s[k] = n - else if (t ~ /^[0-9]+(\.[0-9]+)?m$/) - s[k] = int(n*60) - else if (t ~ /^[0-9]+(\.[0-9]+)?h$/) - s[k] = int(n*3600) - else if (t ~ /^[0-9]+(\.[0-9]+)?d$/) - s[k] = 
int(n*3600*24) - else - fail("parameter " v(k) " not valid time, must be nnn[smhd]") - } - function nexthopset(dir, val, k) { - k = dir "nexthop" - if (k in s) - fail("non-default value of " k " is being overridden") - if (val != "") - s[k] = val - else if (k in s) - delete s[k] - } - function id(dir, k) { - k = dir "id" - if (!(k in s)) - k = dir - return s[k] - } - function whackkey(dir, which, flag, rk, n) { - if (id(dir) == "%opportunistic") - return - rk = s[dir which] - if (rk == "%dnsondemand") - { - kod="--dnskeyondemand" - return - } - if (rk == "" || rk == "%none" || rk == "%cert" || rk == "0x00") - return - n = "\"\\\"" name "\\\" " dir which"\"" - if (rk == "%dns" || rk == "%dnsonload") - { - if (id(flip[dir]) == "%opportunistic" || s[flip[dir]] == "%any") - return - print "ipsec whack --label", n, flag, - "--keyid", q(id(dir)), "\\" - } - else - { - print "ipsec whack --label", n, flag, - "--keyid", q(id(dir)), - "--pubkeyrsa", q(rk), "\\" - } - print "\t|| exit $?" - } - function q(str) { # quoting for shell - return "\"" str "\"" - } - function qs(k) { # utility abbreviation for q(s[k]) - return q(s[k]) - } - function v(str) { # quoting for human viewing - return "\"" str "\"" - } - function output() { - if (!seensome) - fail("internal error, output called inappropriately") - - setdefault("type", "tunnel") - type_flags = "" - t = s["type"] - if (t == "tunnel") { - # do NOT default subnets to side/32, despite what - # the docs say... 
- type_flags = "--tunnel" - } else if (t == "transport") { - if ("leftsubnet" in s) - fail("type=transport incompatible with leftsubnet") - if ("rightsubnet" in s) - fail("type=transport incompatible with rightsubnet") - type_flags = "" - } else if (t == "passthrough") { - type_flags = "--pass" - } else if (t == "drop") { - type_flags = "--drop" - } else if (t == "reject") { - type_flags = "--reject" - } else - fail("unknown type " v(t)) - - setdefault("failureshunt", "none") - t = s["failureshunt"] - if (t == "passthrough") - type_flags = type_flags " --failpass"; - else if (t == "drop") - type_flags = type_flags " --faildrop"; - else if (t == "reject") - type_flags = type_flags " --failreject"; - else if (t != "none") - fail("unknown failureshunt value " v(t)) - - need("left") - need("right") - if (s["left"] == "%defaultroute") { - if (s["right"] == "%defaultroute") - fail("left and right cannot both be %defaultroute") - if (draddr == "") - fail("%defaultroute requested but not known") - s["left"] = draddr - nexthopset("left", drnexthop) - } else if (s["right"] == "%defaultroute") { - if (draddr == "") - fail("%defaultroute requested but not known") - s["right"] = draddr - nexthopset("right", drnexthop) - } - - setdefault("keyexchange", "ike") - if (s["keyexchange"] != "ike") - fail("only know how to do keyexchange=ike") - setdefault("auth", "esp") - if (("auth" in s) && s["auth"] != "esp" && s["auth"] != "ah") - fail("only know how to do auth=esp or auth=ah") - yesno("pfs") - - setdefault("pfs", "yes") - duration("dpddelay") - duration("dpdtimeout") - if ("dpdaction" in s) - { - setdefault("dpddelay",30) - setdefault("dpdtimeout",120) - } - yesno("compress") - setdefault("compress", "no") - setdefault("keylife", "1h") - duration("keylife") - yesno("rekey") - setdefault("rekey", "yes") - setdefault("rekeymargin", "9m") - duration("rekeymargin") - setdefault("keyingtries", "%forever") - if (s["keyingtries"] == "%forever") - s["keyingtries"] = 0 - 
integer("keyingtries") - if ("rekeyfuzz" in s) { - if (s["rekeyfuzz"] !~ /%$/) - fail("rekeyfuzz must be nnn%") - r = s["rekeyfuzz"] - s["rekeyfuzz"] = substr(r, 1, length(r)-1) - integer("rekeyfuzz") - } - duration("ikelifetime") - setdefault("disablearrivalcheck", "no") - - setdefault("leftsendcert", "always") - setdefault("rightsendcert", "always") - - setdefault("leftnexthop", "%direct") - setdefault("rightnexthop", "%direct") - if (s["leftnexthop"] == s["left"]) - fail("left and leftnexthop must not be the same") - if (s["rightnexthop"] == s["right"]) - fail("right and rightnexthop must not be the same") - if (s["leftnexthop"] == "%defaultroute") { - if (drnexthop == "") - fail("%defaultroute requested but not known") - s["leftnexthop"] = drnexthop - } - if (s["rightnexthop"] == "%defaultroute") { - if (drnexthop == "") - fail("%defaultroute requested but not known") - s["rightnexthop"] = drnexthop - } - - if ("leftfirewall" in s && "leftupdown" in s) - fail("cannot have both leftfirewall and leftupdown") - if ("rightfirewall" in s && "rightupdown" in s) - fail("cannot have both rightfirewall and rightupdown") - setdefault("leftupdown", "ipsec _updown") - setdefault("rightupdown", "ipsec _updown") - setdefault("lefthostaccess", "no") - setdefault("righthostaccess", "no") - yesno("lefthostaccess") - yesno("righthostaccess") - lha = "" - if (s["lefthostaccess"] == "yes") - lha = "--hostaccess" - rha = "" - if (s["righthostaccess"] == "yes") - rha = "--hostaccess" - setdefault("leftfirewall", "no") - setdefault("rightfirewall", "no") - yesno("leftfirewall") - yesno("rightfirewall") - if (s["leftfirewall"] == "yes") - s["leftupdown"] = s["leftupdown"] " iptables" - if (s["rightfirewall"] == "yes") - s["rightupdown"] = s["rightupdown"] " iptables" - - setdefault("authby", "rsasig") - t = s["authby"] - if (t == "rsasig" || t == "secret|rsasig" || t == "rsasig|secret") { - authtype = "--rsasig" - type_flags = "--encrypt " type_flags - if (!("leftcert" in s)) { - 
setdefault("leftrsasigkey", "%cert") - if (id("left") == "%any" && - !(s["leftrsasigkey"] == "%cert" || - s["leftrsasigkey"] == "0x00") ) - fail("ID " v(id("left")) " cannot have RSA key") - } - if (!("rightcert" in s)) { - setdefault("rightrsasigkey", "%cert") - if (id("right") == "%any" && - !(s["rightrsasigkey"] == "%cert" || - s["rightrsasigkey"] == "0x00") ) - fail("ID " v(id("right")) " cannot have RSA key") - } - if (t != "rsasig") - authtype = authtype " --psk" - } else if (t == "secret") { - authtype = "--psk" - type_flags = "--encrypt " type_flags - } else if (t == "never") { - authtype = "" - } else { - fail("unknown authby value " v(t)) - } - - settings = type_flags - setdefault("ike", "3des-sha,3des-md5") - if (s["ike"] != "") - settings = settings " --ike " qs("ike") - setdefault("esp", "3des") - if (s["esp"] != "") - settings = settings " --esp " qs("esp") - if (s["auth"] == "ah") - settings = settings " --authenticate" - if (s["pfs"] == "yes") { - settings = settings " --pfs" - if (s["pfsgroup"] != "") - settings = settings " --pfsgroup " qs("pfsgroup") - } - - if (s["dpdaction"]) - settings = settings " --dpdaction " qs("dpdaction") - if (s["dpddelay"]) - settings = settings " --dpddelay " qs("dpddelay") - if (s["dpdtimeout"]) - settings = settings " --dpdtimeout " qs("dpdtimeout") - - if (s["compress"] == "yes") - settings = settings " --compress" - if (op == "--replace") - settings = settings " --delete" - if ("ikelifetime" in s) - settings = settings " --ikelifetime " qs("ikelifetime") - if (s["disablearrivalcheck"] == "yes") - settings = settings " --disablearrivalcheck" - settings = settings " " authtype - - lc = "" - rc = "" - if ("leftsubnet" in s) - lc = "--client " qs("leftsubnet") - if ("rightsubnet" in s) - rc = "--client " qs("rightsubnet") - if ("leftsubnetwithin" in s) - lc = lc " --clientwithin " qs("leftsubnetwithin") - if ("rightsubnetwithin" in s) - rc = rc " --clientwithin " qs("rightsubnetwithin") - lp = "" - rp = "" - if 
("leftprotoport" in s) - lp = "--clientprotoport " qs("leftprotoport") - if ("rightprotoport" in s) - rp = "--clientprotoport " qs("rightprotoport") - lud = "--updown " qs("leftupdown") - rud = "--updown " qs("rightupdown") - - lid = "" - if ("leftid" in s) - lid = "--id " qs("leftid") - rid = "" - if ("rightid" in s) - rid = "--id " qs("rightid") - lsip = "" - if ("leftsourceip" in s) - lsip = "--srcip " qs("leftsourceip") - rsip = "" - if ("rightsourceip" in s) - rsip = "--srcip " qs("rightsourceip") - lscert = "" - if ("leftsendcert" in s) - lscert = "--sendcert " qs("leftsendcert") - rscert = "" - if ("rightsendcert" in s) - rscert = "--sendcert " qs("rightsendcert") - lcert = "" - if ("leftcert" in s) - lcert = "--cert " qs("leftcert") - rcert = "" - if ("rightcert" in s) - rcert = "--cert " qs("rightcert") - lca = "" - if ("leftca" in s) - lca = "--ca " qs("leftca") - rca = "" - if ("rightca" in s) - rca = "--ca " qs("rightca") - lgr = "" - if ("leftgroups" in s) - lgr = "--groups " qs("leftgroups") - rgr = "" - if ("rightgroups" in s) - rgr = "--groups " qs("rightgroups") - fuzz = "" - if ("rekeyfuzz" in s) - fuzz = "--rekeyfuzz " qs("rekeyfuzz") - rk = "" - if (s["rekey"] == "no") - rk = "--dontrekey" - pd = "" - if ("_plutodevel" in s) - pd = "--plutodevel " s["_plutodevel"] # not qs() - - lkod = "" - rkod = "" - if (authtype != "--psk") { - kod = "" - whackkey("left", "rsasigkey", "") - whackkey("left", "rsasigkey2", "--addkey") - lkod = kod - kod = "" - whackkey("right", "rsasigkey", "") - whackkey("right", "rsasigkey2", "--addkey") - rkod = kod - } - print "ipsec whack --name", name, settings, "\\" - print "\t--host", qs("left"), lc, lp, "--nexthop", - qs("leftnexthop"), lud, lha, lid, lkod, lscert, lcert, lca, lsip, lgr, "\\" - print "\t--to", "--host", qs("right"), rc, rp, "--nexthop", - qs("rightnexthop"), rud, rha, rid, rkod, rscert, rcert, rca, rsip, rgr, "\\" - print "\t--ipseclifetime", qs("keylife"), - "--rekeymargin", qs("rekeymargin"), "\\" - 
print "\t--keyingtries", qs("keyingtries"), fuzz, rk, pd, "\\" - print "\t|| exit $?" - } - function output_ca() { - if (!seensome) - fail("internal error, output called inappropriately") - settings = "" - if (op == "--replace") - settings = "--delete" - cacert = "" - if ("cacert" in s) - cacert = "--cacert " qs("cacert") - ldaphost = "" - if ("ldaphost" in s) - ldaphost = "--ldaphost " qs("ldaphost") - ldapbase = "" - if ("ldapbase" in s) - ldapbase = "--ldapbase " qs("ldapbase") - crluri = "" - if ("crluri" in s) - crluri = "--crluri " qs("crluri") - crluri2 = "" - if ("crluri2" in s) - crluri2 = "--crluri2 " qs("crluri2") - ocspuri = "" - if ("ocspuri" in s) - ocspuri = "--ocspuri " qs("ocspuri") - yesno("strictcrlpolicy") - setdefault("strictcrlpolicy", "no") - if (s["strictcrlpolicy"] == "yes") - settings = settings " --strictcrlpolicy" - yesno("cachecrls") - setdefault("cachecrls", "no") - if (s["cachecrls"] == "yes") - settings = settings " --cachecrls" - - print "ipsec whack --caname", name, settings, cacert, ldaphost, ldapbase, - crluri, crluri2, ocspuri, "\\" - print "\t|| exit $?" - } - END { - if (failed) { - print "# fatal error discovered, force failure using \"false\" command" - print "false" - exit 1 # just on general principles - } - if (seensome) { - if (section == "ca") - output_ca() - else - output() - } - }' | runit diff --git a/programs/barf/.cvsignore b/programs/barf/.cvsignore deleted file mode 100644 index bca77a6ee..000000000 --- a/programs/barf/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -barf diff --git a/programs/barf/Makefile b/programs/barf/Makefile deleted file mode 100644 index 6a20d4ee2..000000000 --- a/programs/barf/Makefile +++ /dev/null 
@@ -1,38 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=barf
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/barf/barf.8 b/programs/barf/barf.8
deleted file mode 100644
index e692a4e5f..000000000
--- a/programs/barf/barf.8
+++ /dev/null
@@ -1,84 +0,0 @@
-.TH IPSEC_BARF 8 "17 March 2002"
-.\" RCSID $Id: barf.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.SH NAME
-ipsec barf \- spew out collected IPsec debugging information
-.SH SYNOPSIS
-.B ipsec
-.B barf
-[
-.B \-\-short
-]
-.sp
-.SH DESCRIPTION
-.I Barf
-outputs (on standard output) a collection of debugging information
-(contents of files, selections from logs, etc.)
-related to the IPsec encryption/authentication system.
-It is primarily a convenience for remote debugging,
-a single command which packages up (and labels) all information
-that might be relevant to diagnosing a problem in IPsec.
-.PP
-.PP
-The
-.B \-\-short
-option limits the length of
-the log portion of
-.IR barf 's
-output, which can otherwise be extremely voluminous
-if debug logging is turned on.
-.PP
-.I Barf
-censors its output,
-replacing keys
-and secrets with brief checksums to avoid revealing sensitive information.
-.PP
-Beware that the output of both commands is aimed at humans,
-not programs,
-and the output format is subject to change without warning.
-.PP
-.I Barf
-has to figure out which files in
-.I /var/log
-contain the IPsec log messages.
-It looks for KLIPS and general log messages first in
-.IR messages
-and
-.IR syslog ,
-and for Pluto messages first in
-.IR secure ,
-.IR auth.log ,
-and
-.IR debug .
-In both cases,
-if it does not find what it is looking for in one of those ``likely'' places,
-it will resort to a brute-force search of most (non-compressed) files in
-.IR /var/log .
-.SH FILES
-.nf
-/proc/net/*
-/var/log/*
-/etc/ipsec.conf
-/etc/ipsec.secrets
-.fi
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-
-by Henry Spencer.
-.SH BUGS
-.I Barf
-uses heuristics to try to pick relevant material out of the logs,
-and relevant messages
-which are not labelled with any of the tags that
-.I barf
-looks for will be lost.
-We think we've eliminated the last such case, but one never knows...
-.PP
-Finding
-.I updown
-scripts (so they can be included in output) is, in general, difficult.
-.I Barf
-uses a very simple heuristic that is easily fooled.
-.PP
-The brute-force search for the right log files can get expensive on
-systems with a lot of clutter in
-.IR /var/log .
diff --git a/programs/barf/barf.in b/programs/barf/barf.in
deleted file mode 100755
index 99cc3546c..000000000
--- a/programs/barf/barf.in
+++ /dev/null
@@ -1,296 +0,0 @@
-#! /bin/sh
-# dump assorted information of use in debugging
-# Copyright (C) 1998, 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: barf.in,v 1.4 2004/09/23 21:08:23 as Exp $
-
-IPSEC_NAME="strongSwan"
-
-KERNSRC=${KERNSRC-/usr/src/linux}
-LOGS=${LOGS-/var/log}
-CONFS=${IPSEC_CONFS-/etc}
-CONFDDIR=${IPSEC_CONFDDIR-/etc/ipsec.d}
-me="ipsec barf"
-
-# kludge to produce no barf output mentioning policygroups if none are present.
-# This will not catch ".file" policygroups.
-PREPOLICIES=${CONFDDIR}/policies
-if [ `ls $PREPOLICIES 2> /dev/null | wc -l` -ne 0 ]
-then
- POLICIES=$PREPOLICIES
-fi
-
-# message patterns that start relevant parts of logs
-fstart="Starting $IPSEC_NAME"
-pstart='Starting Pluto subsystem'
-
-case "$1" in
---help) echo "Usage: ipsec barf" ; exit 0 ;;
---version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
-esac
-
-# make sure output is in English
-unset LANG LANGUAGE LC_ALL LC_MESSAGES
-
-# log-location guesser, results in $findlog_file and $findlog_startline
-# Fine point: startline is the *last* line containing "string", or
-# failing that, the *first* line containing "fallbackstring".
-findlog() { # findlog string fallbackstring possiblefile ...
- s="$1"
- shift
- t="$1"
- shift
- # try the suggested files first
- for f in $*
- do
- if test -r $LOGS/$f -a -f $LOGS/$f && egrep -q "$s" $LOGS/$f
- then
- # aha, this one has it
- findlog_file=$LOGS/$f
- findlog_startline=`egrep -n "$s" $LOGS/$f |
- sed -n '$s/:.*//p'`
- return 0
- fi
- done
- for f in $*
- do
- if test -r $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f
- then
- # aha, this one has it
- findlog_file=$LOGS/$f
- findlog_startline=`egrep -n "$t" $LOGS/$f |
- sed -n '1s/:.*//p'`
- return 0
- fi
- done
- # nope, resort to a search, newest first, of uncompressed logs
- for f in `ls -t $LOGS | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
- do
- if test -r $LOGS/$f -a ! -d $LOGS/$f && egrep -q "$s" $LOGS/$f
- then
- # found it
- findlog_file=$LOGS/$f
- findlog_startline=`egrep -n "$s" $LOGS/$f |
- sed -n '$s/:.*//p'`
- return 0
- fi
- done
- for f in `ls -t $LOGS | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
- do
- if test -r $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f
- then
- # found it
- findlog_file=$LOGS/$f
- findlog_startline=`egrep -n "$t" $LOGS/$f |
- sed -n '1s/:.*//p'`
- return 0
- fi
- done
-# echo "$0: unable to find $LOGS/$1 or local equivalent" >&2
- findlog_file=/dev/null
- findlog_startline=1 # arbitrary
-}
-
-# try to guess where logs are
-findlog "$fstart" "klips" messages syslog
-if test " $findlog_file" = " /dev/null"
-then
-echo "Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run $IPSEC_NAME for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
-fi
-klog=$findlog_file
-kline=$findlog_startline
-
-findlog "$pstart" "Pluto" secure auth.log debug
-if test " $findlog_file" = " /dev/null"
-then
-echo "Unable to find Pluto messages, typically found in /var/log/secure or equivalent. 
You may need to run $IPSEC_NAME for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
-fi
-plog=$findlog_file
-pline=$findlog_startline
-
-# /lib/modules examiner
-modulegoo() {
- set +x
- for d in `ls /lib/modules`
- do
- if test -d /lib/modules/$d
- then
- f=/lib/modules/$d/$1
- if test -f $f
- then
- nm -g $f | egrep "$2"
- else
- echo
- fi | sed "s;^;$d: ;"
- fi
- done
- set -x
-}
-
-# advanced shell deviousness to get dividers into output
-_________________________() {
- $2 # something to do nothing and not echo anything
-}
-
-exec 2>&1 # stderr on stdout, so errors go into main output
-
-hostname ; date
-set -x
-_________________________ version
-ipsec --version
-_________________________ proc/version
-cat /proc/version
-_________________________ proc/net/ipsec_eroute
-sort -sg +3 /proc/net/ipsec_eroute || cat /proc/net/ipsec_eroute
-_________________________ netstat-rn
-netstat -nr
-_________________________ proc/net/ipsec_spi
-cat /proc/net/ipsec_spi
-_________________________ proc/net/ipsec_spigrp
-cat /proc/net/ipsec_spigrp
-_________________________ proc/net/ipsec_tncfg
-cat /proc/net/ipsec_tncfg
-_________________________ proc/net/pf_key
-cat /proc/net/pf_key
-_________________________ proc/net/pf_key-star
-( cd /proc/net && egrep '^' pf_key_* )
-_________________________ proc/sys/net/ipsec-star
-( cd /proc/sys/net/ipsec && egrep '^' * )
-_________________________ ipsec/statusall
-ipsec auto --statusall
-_________________________ ifconfig-a
-ifconfig -a
-_________________________ mii-tool
-if [ -x /sbin/mii-tool ]
-then
- /sbin/mii-tool -v
-elif [ -x /usr/sbin/mii-tool ]
-then
- /usr/sbin/mii-tool -v
-else
- mii-tool -v
-fi
-_________________________ ipsec/directory
-ipsec --directory
-_________________________ hostname/fqdn
-hostname --fqdn
-_________________________ hostname/ipaddress
-hostname --ip-address
-_________________________ uptime
-uptime
-_________________________ ps
-# -i ppid picks up the header
-ps alxwf | egrep -i 'ppid|pluto|ipsec|klips'
-_________________________ ipsec/showdefaults
-ipsec showdefaults
-_________________________ ipsec/conf
-ipsec _include $CONFS/ipsec.conf | ipsec _keycensor
-_________________________ ipsec/secrets
-ipsec _include $CONFS/ipsec.secrets | ipsec _secretcensor
-_________________________ ipsec/listall
-ipsec auto --listall
-if [ $POLICIES ]
-then
- for policy in $POLICIES/*; do base=`basename $policy`;
- _________________________ ipsec/policies/$base
- cat $policy
- done
-fi
-_________________________ ipsec/ls-libdir
-ls -l ${IPSEC_LIBDIR-/usr/local/lib/ipsec}
-_________________________ ipsec/ls-execdir
-ls -l ${IPSEC_EXECDIR-/usr/local/libexec/ipsec}
-_________________________ ipsec/updowns
-for f in `ls ${IPSEC_EXECDIR-/usr/local/libexec/ipsec} | egrep updown`
-do
- cat ${IPSEC_EXECDIR-/usr/local/libexec/ipsec}/$f
-done
-_________________________ proc/net/dev
-cat /proc/net/dev
-_________________________ proc/net/route
-cat /proc/net/route
-_________________________ proc/sys/net/ipv4/ip_forward
-cat /proc/sys/net/ipv4/ip_forward
-_________________________ proc/sys/net/ipv4/conf/star-rp_filter
-( cd /proc/sys/net/ipv4/conf && egrep '^' */rp_filter )
-_________________________ uname-a
-uname -a
-_________________________ redhat-release
-if test -r /etc/redhat-release
-then
- cat /etc/redhat-release
-fi
-_________________________ proc/net/ipsec_version
-cat /proc/net/ipsec_version
-_________________________ iptables/list
-iptables -L -v -n
-_________________________ ipchains/list
-ipchains -L -v -n
-_________________________ ipfwadm/forward
-ipfwadm -F -l -n -e
-_________________________ ipfwadm/input
-ipfwadm -I -l -n -e
-_________________________ ipfwadm/output
-ipfwadm -O -l -n -e
-_________________________ iptables/nat
-iptables -t nat -L -v -n
-_________________________ ipchains/masq
-ipchains -M -L -v -n
-_________________________ ipfwadm/masq
-ipfwadm -M -l 
-n -e
-_________________________ iptables/mangle
-iptables -t mangle -L -v -n
-_________________________ proc/modules
-cat /proc/modules
-_________________________ proc/meminfo
-cat /proc/meminfo
-_________________________ dev/ipsec-ls
-ls -l /dev/ipsec*
-_________________________ proc/net/ipsec-ls
-ls -l /proc/net/ipsec_*
-_________________________ usr/src/linux/.config
-if test -f $KERNSRC/.config
-then
- egrep 'IP|NETLINK' $KERNSRC/.config
-fi
-_________________________ etc/syslog.conf
-cat /etc/syslog.conf
-_________________________ etc/resolv.conf
-cat /etc/resolv.conf
-_________________________ lib/modules-ls
-ls -ltr /lib/modules
-_________________________ proc/ksyms-netif_rx
-egrep netif_rx /proc/ksyms
-_________________________ lib/modules-netif_rx
-modulegoo kernel/net/ipv4/ipip.o netif_rx
-_________________________ kern.debug
-if test -f $LOGS/kern.debug
-then
- tail -100 $LOGS/kern.debug
-fi
-_________________________ klog
-sed -n $kline,'$'p $klog |
- egrep -i 'ipsec|klips|pluto' |
- case "$1" in
- --short) tail -500 ;;
- *) cat ;;
- esac
-_________________________ plog
-sed -n $pline,'$'p $plog |
- egrep -i 'pluto' |
- case "$1" in
- --short) tail -500 ;;
- *) cat ;;
- esac
-_________________________ date
-date
diff --git a/programs/calcgoo/.cvsignore b/programs/calcgoo/.cvsignore
deleted file mode 100644
index b4aa748b7..000000000
--- a/programs/calcgoo/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-calcgoo
diff --git a/programs/calcgoo/Makefile b/programs/calcgoo/Makefile
deleted file mode 100644
index 8e3cae9ea..000000000
--- a/programs/calcgoo/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=calcgoo
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.1 2002/06/10 04:27:25 mcr
-# calcgoo program processes kernel symbol list and generates a
-# composite value by xor'ing the programmed symbol.
-#
-# Revision 1.1 2002/06/10 00:19:44 mcr
-# rename "ipsec check" to "ipsec verify"
-#
-# Revision 1.1 2002/06/08 17:01:25 mcr
-# added new program "ipsec check" to do rudamentary testing
-# on a newly installed system to see if it is OE ready.
-#
-#
-#
-
diff --git a/programs/calcgoo/calcgoo.8 b/programs/calcgoo/calcgoo.8
deleted file mode 100644
index ceb576e41..000000000
--- a/programs/calcgoo/calcgoo.8
+++ /dev/null
@@ -1,31 +0,0 @@
-.TH IPSEC_CALCGOO 8 "8 June 2002"
-.\" RCSID $Id: calcgoo.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.SH NAME
-ipsec calcgoo \- calculate hex value for matching modules and kernels
-.SH SYNOPSIS
-.B ipsec
-.B calcgoo
-.SH DESCRIPTION
-.I calcgoo
-accepts the output of
-.B nm -ao
-or
-.B /proc/ksyms
-and extracts a release dependant list of symbols from it. The symbols
-are processed to extract the values assigned during the MODVERSIONS
-process. This process makes sure that Linux modules are only loaded
-on matching kernels.
-.P
-This routine is used to find an appropriate module to match the currently
-running kernel by _startklips.
-.SH FILES
-.nf
-/proc/ksyms
-.fi
-.SH "SEE ALSO"
-ipsec__startklips(8), genksyms(8)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-
-by Michael Richardson.
-.SH BUGS
diff --git a/programs/calcgoo/calcgoo.in b/programs/calcgoo/calcgoo.in
deleted file mode 100644
index 0d383d173..000000000
--- a/programs/calcgoo/calcgoo.in
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/perl
-
-$MODULE_GOO_LIST="@MODULE_GOO_LIST@";
-
-@goo = split(/\s+/,$MODULE_GOO_LIST);
-
-$sep="(";
-$goore=" ";
-
-#print "GOO: ",join('|',@goo),"\n";
-
-foreach $sym (@goo) {
- $goore=${goore}.${sep}.${sym};
- $sep="|";
-}
-$goore=${goore}.")_R(smp_){0,1}([0-9A-F]{8})";
-
-#print "GOORE: $goore\n";
-
-while(<>) {
- chomp;
- if(/$goore/io) {
- $sym=$1;
- $goosym=$3;
- $bingoo=hex($goosym);
- if($2 eq "smp_") {
- $bingoo++;
- }
- #print STDERR "Processing $goosym (from $_)\n";
- $bingoo{$sym}=$bingoo;
- }
-}
-$wholegoo=0;
-foreach $sym (keys %bingoo) {
- $wholegoo=$wholegoo ^ $bingoo{$sym};
-}
-print sprintf("%08x", $wholegoo)."\n";
-
-# Local variables::
-# mode: perl
-# End variables::
-
-
diff --git a/programs/eroute/.cvsignore b/programs/eroute/.cvsignore
deleted file mode 100644
index 133c4b456..000000000
--- a/programs/eroute/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-eroute
diff --git a/programs/eroute/Makefile b/programs/eroute/Makefile
deleted file mode 100644
index 6d8f68033..000000000
--- a/programs/eroute/Makefile
+++ /dev/null
@@ -1,52 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM:=eroute
-EXTRA5PROC=eroute.5
-
-LIBS:=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.4 2002/06/03 20:25:31 mcr
-# man page for files actually existant in /proc/net changed back to
-# ipsec_foo via new EXTRA5PROC process.
-#
-# Revision 1.3 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.2 2002/04/26 01:21:26 mcr
-# while tracking down a missing (not installed) /etc/ipsec.conf,
-# MCR has decided that it is not okay for each program subdir to have
-# some subset (determined with -f) of possible files.
-# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-# Optional PROGRAM.5 files have been added to the makefiles.
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
diff --git a/programs/eroute/eroute.5 b/programs/eroute/eroute.5
deleted file mode 100644
index 52b3f4d25..000000000
--- a/programs/eroute/eroute.5
+++ /dev/null
@@ -1,272 +0,0 @@
-.TH IPSEC_EROUTE 5 "20 Sep 2001"
-.\"
-.\" RCSID $Id: eroute.5,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec_eroute \- list of existing eroutes
-.SH SYNOPSIS
-.B ipsec
-.B eroute
-.PP
-.B cat
-.B /proc/net/ipsec_eroute
-.SH DESCRIPTION
-.I /proc/net/ipsec_eroute
-lists the IPSEC extended routing tables,
-which control what (if any) processing is applied
-to non-encrypted packets arriving for IPSEC processing and forwarding.
-At this point it is a read-only file.
-.PP
-A table entry consists of:
-.IP + 3
-packet count,
-.IP +
-source address with mask and source port (0 if all ports or not applicable)
-.IP +
-a '->' separator for visual and automated parsing between src and dst
-.IP +
-destination address with mask and destination port (0 if all ports or
-not applicable)
-.IP +
-a '=>' separator for visual and automated parsing between selection
-criteria and SAID to use
-.IP +
-SAID (Security Association IDentifier), comprised of:
-.IP + 6
-protocol
-(\fIproto\fR),
-.IP +
-address family
-(\fIaf\fR),
-where '.' stands for IPv4 and ':' for IPv6
-.IP +
-Security Parameters Index
-(\fISPI\fR),
-.IP +
-effective destination
-(\fIedst\fR),
-where the packet should be forwarded after processing
-(normally the other security gateway)
-together indicate which Security Association should be used to process
-the packet,
-.IP + 3
-a ':' separating the SAID from the transport protocol (0 if all protocols)
-.IP +
-source identity text string with no whitespace, in parens,
-.IP +
-destination identity text string with no whitespace, in parens
-.PP
-Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
-protocol is one of "ah", "esp", "comp" or "tun"
-and
-SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6
-.
-.PP
-SAIDs are written as "protoafSPI@edst". 
There are also 5
-"magic" SAIDs which have special meaning:
-.IP + 3
-.B %drop
-means that matches are to be dropped
-.IP +
-.B %reject
-means that matches are to be dropped and an ICMP returned, if
-possible to inform
-.IP +
-.B %trap
-means that matches are to trigger an ACQUIRE message to the Key
-Management daemon(s) and a hold eroute will be put in place to
-prevent subsequent packets also triggering ACQUIRE messages.
-.IP +
-.B %hold
-means that matches are to stored until the eroute is replaced or
-until that eroute gets reaped
-.IP +
-.B %pass
-means that matches are to allowed to pass without IPSEC processing
-.br
-.ne 5
-.SH EXAMPLES
-.LP
-.B "1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 "
-.br
-.B " () ()"
-.LP
-means that 1,867 packets have been sent to an
-.BR eroute
-that has been set up to protect traffic between the subnet
-.BR 172.31.252.0
-with a subnet mask of
-.BR 24
-bits and the default address/mask represented by an address of
-.BR 0.0.0.0
-with a subnet mask of
-.BR 0
-bits using the local machine as a security gateway on this end of the
-tunnel and the machine
-.BR 192.168.43.1
-on the other end of the tunnel with a Security Association IDentifier of
-.BR tun0x130@192.168.43.1
-which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a
-Security Parameters Index of
-.BR 130
-in hexadecimal with no identies defined for either end.
-.LP
-.B "746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 "
-.br
-.B " () ()"
-.LP
-means that 746 packets have been sent to an
-.BR eroute
-that has been set up to protect traffic sent from any port on the host
-.BR 192.168.2.110
-to the SMTP (TCP, port 25) port on the host
-.BR 192.168.2.120
-with a Security Association IDentifier of
-.BR tun0x130@192.168.2.120
-which means that it is a transport mode connection with a
-Security Parameters Index of
-.BR 130
-in hexadecimal with no identies defined for either end.
-.LP
-.B 125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()
-.LP
-means that 125 packets have been sent to an
-.BR eroute
-that has been set up to protect traffic between the subnet
-.BR 3049:1::
-with a subnet mask of
-.BR 64
-bits and the default address/mask represented by an address of
-.BR 0:0
-with a subnet mask of
-.BR 0
-bits using the local machine as a security gateway on this end of the
-tunnel and the machine
-.BR 3058:4::5
-on the other end of the tunnel with a Security Association IDentifier of
-.BR tun:130@3058:4::5
-which means that it is a tunnel mode connection with a
-Security Parameters Index of
-.BR 130
-in hexadecimal with no identies defined for either end.
-.LP
-.B 42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough
-.LP
-means that 42 packets have been sent to an
-.BR eroute
-that has been set up to pass the traffic from the subnet
-.BR 192.168.6.0
-with a subnet mask of
-.BR 24
-bits and to subnet
-.BR 192.168.7.0
-with a subnet mask of
-.BR 24
-bits without any IPSEC processing with no identies defined for either end.
-.LP
-.B 2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()
-.LP
-means that 2112 packets have been sent to an
-.BR eroute
-that has been set up to hold the traffic from the host
-.BR 192.168.8.55
-and to host
-.BR 192.168.9.47
-until a key exchange from a Key Management daemon
-succeeds and puts in an SA or fails and puts in a pass
-or drop eroute depending on the default configuration with the local client
-defined as "east" and no identy defined for the remote end.
-.LP
-.B "2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => "
-.br
-.B " esp0xe6de@192.168.2.120:0 () ()"
-.LP
-means that 2001 packets have been sent to an
-.BR eroute
-that has been set up to protect traffic between the host
-.BR 192.168.2.110
-and the host
-.BR 192.168.2.120
-using
-.BR 192.168.2.110
-as a security gateway on this end of the
-connection and the machine
-.BR 192.168.2.120
-on the other end of the connection with a Security Association IDentifier of
-.BR esp0xe6de@192.168.2.120
-which means that it is a transport mode connection with a Security
-Parameters Index of
-.BR e6de
-in hexadecimal using Encapsuation Security Payload protocol (50,
-IPPROTO_ESP) with no identies defined for either end.
-.LP
-.B "1984 3049:1::110/128 -> 3049:1::120/128 => "
-.br
-.B " ah:f5ed@3049:1::120 () ()"
-.LP
-means that 1984 packets have been sent to an
-.BR eroute
-that has been set up to authenticate traffic between the host
-.BR 3049:1::110
-and the host
-.BR 3049:1::120
-using
-.BR 3049:1::110
-as a security gateway on this end of the
-connection and the machine
-.BR 3049:1::120
-on the other end of the connection with a Security Association IDentifier of
-.BR ah:f5ed@3049:1::120
-which means that it is a transport mode connection with a Security
-Parameters Index of
-.BR f5ed
-in hexadecimal using Authentication Header protocol (51,
-IPPROTO_AH) with no identies defined for either end.
-.SH FILES
-/proc/net/ipsec_eroute, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5),
-ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5),
-ipsec_pf_key(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-
-by Richard Guy Briggs.
-.\"
-.\" $Log: eroute.5,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.9 2002/04/24 07:35:38 mcr
-.\" Moved from ./klips/utils/eroute.5,v
-.\"
-.\" Revision 1.8 2001/09/20 15:33:13 rgb
-.\" PF_KEYv2 ident extension output documentation.
-.\"
-.\" Revision 1.7 2001/05/29 05:15:31 rgb
-.\" Added packet count field at beginning of line.
-.\"
-.\" Revision 1.6 2001/02/26 19:58:32 rgb
-.\" Put SAID elements in order they appear in SAID.
-.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
-.\" of the new SPD and to support opportunistic.
-.\"
-.\" Revision 1.5 2000/09/17 18:56:48 rgb
-.\" Added IPCOMP support.
-.\"
-.\" Revision 1.4 2000/09/13 15:54:31 rgb
-.\" Added Gerhard's ipv6 updates.
-.\"
-.\" Revision 1.3 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.2 2000/06/28 12:44:11 henry
-.\" format touchup
-.\"
-.\" Revision 1.1 2000/06/28 05:43:00 rgb
-.\" Added manpages for all 5 klips utils.
-.\"
-.\"
-.\"
diff --git a/programs/eroute/eroute.8 b/programs/eroute/eroute.8
deleted file mode 100644
index d9449632b..000000000
--- a/programs/eroute/eroute.8
+++ /dev/null
@@ -1,354 +0,0 @@
-.TH IPSEC_EROUTE 8 "21 Jun 2000"
-.\"
-.\" RCSID $Id: eroute.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec eroute \- manipulate IPSEC extended routing tables
-.SH SYNOPSIS
-.B ipsec
-.B eroute
-.PP
-.B ipsec
-.B eroute
-.B \-\-add
-.B \-\-eraf (inet | inet6)
-.B \-\-src
-src/srcmaskbits|srcmask
-.B \-\-dst
-dst/dstmaskbits|dstmask
-[
-.B \-\-transport\-proto
-transport-protocol
-]
-[
-.B \-\-src\-port
-source-port
-]
-[
-.B \-\-dst\-port
-dest-port
-]
-
-.PP
-.B ipsec
-.B eroute
-.B \-\-replace
-.B \-\-eraf (inet | inet6)
-.B \-\-src
-src/srcmaskbits|srcmask
-.B \-\-dst
-dst/dstmaskbits|dstmask
-[
-.B \-\-transport\-proto
-transport-protocol
-]
-[
-.B \-\-src\-port
-source-port
-]
-[
-.B \-\-dst\-port
-dest-port
-]
-
-.PP
-.B ipsec
-.B eroute
-.B \-\-del
-.B \-\-eraf (inet | inet6)
-.B \-\-src
-src/srcmaskbits|srcmask
-.B \-\-dst
-dst/dstmaskbits|dstmask
-[
-.B \-\-transport\-proto
-transport-protocol
-]
-[
-.B \-\-src\-port
-source-port
-]
-[
-.B \-\-dst\-port
-dest-port
-]
-.PP
-.B ipsec
-.B eroute
-.B \-\-clear
-.PP
-.B ipsec
-.B eroute
-.B \-\-help
-.PP
-.B ipsec
-.B eroute
-.B \-\-version
-.PP
-Where is
-.B \-\-af
-(inet | inet6)
-.B \-\-edst
-edst
-.B \-\-spi
-spi
-.B \-\-proto
-proto
-OR
-.B \-\-said
-said
-OR
-.B \-\-said
-.B (%passthrough | %passthrough4 | %passthrough6 | %drop | %reject | %trap | %hold | %pass )
-.SH DESCRIPTION
-.I Eroute
-manages the IPSEC extended routing tables,
-which control what (if any) processing is applied
-to non-encrypted packets arriving for IPSEC processing and forwarding.
-The form with no additional arguments lists the contents of
-/proc/net/ipsec_eroute.
-The
-.B \-\-add
-form adds a table entry, the
-.B \-\-replace
-form replaces a table entry, while the
-.B \-\-del
-form deletes one. The
-.B \-\-clear
-form deletes the entire table.
-.PP
-A table entry consists of:
-.IP + 3
-source and destination addresses,
-with masks, source and destination ports and protocol
-for selection of packets. 
The source and destination ports are only
-legal if the transport protocol is
-.BR TCP
-or
-.BR UDP.
-A port can be specified as either decimal, hexadecimal (leading 0x),
-octal (leading 0) or a name listed in the first column of /etc/services.
-A transport protocol can be specified as either decimal, hexadecimal
-(leading 0x), octal (leading 0) or a name listed in the first column
-of /etc/protocols. If a transport protocol or port is not specified
-then it defaults to 0 which means all protocols or all ports
-respectively.
-.IP +
-Security Association IDentifier, comprised of:
-.IP + 6
-protocol
-(\fIproto\fR), indicating (together with the
-effective destination and the security parameters index)
-which Security Association should be used to process the packet
-.IP +
-address family
-(\fIaf\fR),
-.IP +
-Security Parameters Index
-(\fIspi\fR), indicating (together with the
-effective destination and protocol)
-which Security Association should be used to process the packet
-(must be larger than or equal to 0x100)
-.IP +
-effective destination
-(\fIedst\fR),
-where the packet should be forwarded after processing
-(normally the other security gateway)
-.IP + 3
-OR
-.IP + 6
-SAID
-(\fIsaid\fR), indicating
-which Security Association should be used to process the packet
-.PP
-Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
-protocol is one of "ah", "esp", "comp" or "tun" and SPIs are
-prefixed hexadecimal numbers where '.' represents IPv4 and ':'
-stands for IPv6.
-.PP
-SAIDs are written as "protoafSPI@address". There are also 5
-"magic" SAIDs which have special meaning:
-.IP + 3
-.B %drop
-means that matches are to be dropped
-.IP +
-.B %reject
-means that matches are to be dropped and an ICMP returned, if
-possible to inform
-.IP +
-.B %trap
-means that matches are to trigger an ACQUIRE message to the Key
-Management daemon(s) and a hold eroute will be put in place to
-prevent subsequent packets also triggering ACQUIRE messages.
-.IP +
-.B %hold
-means that matches are to stored until the eroute is replaced or
-until that eroute gets reaped
-.IP +
-.B %pass
-means that matches are to allowed to pass without IPSEC processing
-.PP
-The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
-.br
-.ne 5
-.SH EXAMPLES
-.LP
-.B "ipsec eroute \-\-add \-\-eraf inet \-\-src 192.168.0.1/32 \e"
-.br
-.B " \-\-dst 192.168.2.0/24 \-\-af inet \-\-edst 192.168.0.2 \e"
-.br
-.B " \-\-spi 0x135 \-\-proto tun"
-.LP
-sets up an
-.BR eroute
-on a Security Gateway to protect traffic between the host
-.BR 192.168.0.1
-and the subnet
-.BR 192.168.2.0
-with
-.BR 24
-bits of subnet mask via Security Gateway
-.BR 192.168.0.2
-using the Security Association with address
-.BR 192.168.0.2 ,
-Security Parameters Index
-.BR 0x135
-and protocol
-.BR tun
-(50, IPPROTO_ESP).
-.LP
-.B "ipsec eroute \-\-add \-\-eraf inet6 \-\-src 3049:1::1/128 \e"
-.br
-.B " \-\-dst 3049:2::/64 \-\-af inet6 \-\-edst 3049:1::2 \e"
-.br
-.B " \-\-spi 0x145 \-\-proto tun"
-.LP
-sets up an
-.BR eroute
-on a Security Gateway to protect traffic between the host
-.BR 3049:1::1
-and the subnet
-.BR 3049:2::
-with
-.BR 64
-bits of subnet mask via Security Gateway
-.BR 3049:1::2
-using the Security Association with address
-.BR 3049:1::2 ,
-Security Parameters Index
-.BR 0x145
-and protocol
-.BR tun
-(50, IPPROTO_ESP).
-.LP
-.B "ipsec eroute \-\-replace \-\-eraf inet \-\-src company.com/24 \e"
-.br
-.B " \-\-dst ftp.ngo.org/32 \-\-said tun.135@gw.ngo.org"
-.LP
-replaces an
-.BR eroute
-on a Security Gateway to protect traffic between the subnet
-.BR company.com
-with
-.BR 24
-bits of subnet mask and the host
-.BR ftp.ngo.org
-via Security Gateway
-.BR gw.ngo.org
-using the Security Association with Security Association ID
-.BR tun0x135@gw.ngo.org
-.LP
-.B "ipsec eroute \-\-del \-\-eraf inet \-\-src company.com/24 \e"
-.br
-.B " \-\-dst www.ietf.org/32 \-\-said %passthrough4"
-.LP
-deletes an
-.BR eroute
-on a Security Gateway that allowed traffic between the subnet
-.BR company.com
-with
-.BR 24
-bits of subnet mask and the host
-.BR www.ietf.org
-to pass in the clear, unprocessed.
-.LP
-.B "ipsec eroute \-\-add \-\-eraf inet \-\-src company.com/24 \e"
-.br
-.B " \-\-dst mail.ngo.org/32 \-\-transport-proto 6 \e"
-.br
-.B " \-\-dst\-port 110 \-\-said tun.135@mail.ngo.org"
-.LP
-sets up an
-.BR eroute
-on on a Security Gateway to protect only TCP traffic on port 110
-(pop3) between the subnet
-.BR company.com
-with
-.BR 24
-bits of subnet mask and the host
-.BR ftp.ngo.org
-via Security Gateway
-.BR mail.ngo.org
-using the Security Association with Security Association ID
-.BR tun0x135@mail.ngo.org.
-Note that any other traffic bound for
-.BR mail.ngo.org
-that is routed via the ipsec device will be dropped. If you wish to
-allow other traffic to pass through then you must add a %pass rule.
-For example the following rule when combined with the above will
-ensure that POP3 messages read from
-.BR mail.ngo.org
-will be encrypted but all other traffic to/from
-.BR mail.ngo.org
-will be in clear text.
-.LP
-.B "ipsec eroute \-\-add \-\-eraf inet \-\-src company.com/24 \e"
-.br
-.B " \-\-dst mail.ngo.org/32 \-\-said %pass"
-.br
-.LP
-.SH FILES
-/proc/net/ipsec_eroute, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8),
-ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_eroute(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-
-by Richard Guy Briggs.
-.\"
-.\" $Log: eroute.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.25 2002/04/24 07:35:38 mcr
-.\" Moved from ./klips/utils/eroute.8,v
-.\"
-.\" Revision 1.24 2001/02/26 19:58:49 rgb
-.\" Added a comment on the restriction of spi > 0x100.
-.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
-.\" of the new SPD and to support opportunistic.
-.\"
-.\" Revision 1.23 2000/09/17 18:56:48 rgb
-.\" Added IPCOMP support.
-.\"
-.\" Revision 1.22 2000/09/13 15:54:31 rgb
-.\" Added Gerhard's ipv6 updates.
-.\"
-.\" Revision 1.21 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.20 2000/06/21 16:54:57 rgb
-.\" Added 'no additional args' text for listing contents of
-.\" /proc/net/ipsec_* files.
-.\"
-.\" Revision 1.19 1999/07/19 18:47:24 henry
-.\" fix slightly-misformed comments
-.\"
-.\" Revision 1.18 1999/04/06 04:54:37 rgb
-.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-.\" patch shell fixes.
-.\"
-.\"
diff --git a/programs/eroute/eroute.c b/programs/eroute/eroute.c
deleted file mode 100644
index d1b2bff0a..000000000
--- a/programs/eroute/eroute.c
+++ /dev/null
@@ -1,1044 +0,0 @@
-/*
- * manipulate eroutes
- * Copyright (C) 1996 John Ioannidis.
- * Copyright (C) 1997, 1998, 1999, 2000, 2001 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char eroute_c_version[] = "RCSID $Id: eroute.c,v 1.3 2005/02/24 20:03:46 as Exp $";
-
-
-#include
-#include /* new */
-#include
-#include
-#include /* system(), strtoul() */
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-
-#include
-#include
-#if 0
-#include /* CONFIG_IPSEC_PFKEYv2 */
-#endif
-/* permanently turn it on since netlink support has been disabled */
-
-#include
-#include
-#include
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-
-#include
-#include
-
-char *program_name;
-char me[] = "ipsec eroute";
-extern char *optarg;
-extern int optind, opterr, optopt;
-char *eroute_af_opt, *said_af_opt, *edst_opt, *spi_opt, *proto_opt, *said_opt, *dst_opt, *src_opt;
-char *transport_proto_opt, *src_port_opt, *dst_port_opt;
-int action_type = 0;
-
-int pfkey_sock;
-fd_set pfkey_socks;
-uint32_t pfkey_seq = 0;
-
-#define EMT_IFADDR 1 /* set enc if addr */
-#define EMT_SETSPI 2 /* Set SPI properties */
-#define EMT_DELSPI 3 /* Delete an SPI */
-#define EMT_GRPSPIS 4 /* Group SPIs (output order) */
-#define EMT_SETEROUTE 5 /* set an extended route */
-#define EMT_DELEROUTE 6 /* del an extended route */
-#define EMT_TESTROUTE 7 /* try to find route, print to console */
-#define EMT_SETDEBUG 8 /* set debug level if active */
-#define EMT_UNGRPSPIS 9 /* UnGroup SPIs (output order) */
-#define EMT_CLREROUTE 10 /* clear the extended route table */
-#define EMT_CLRSPIS 11 /* clear the spi table */
-#define EMT_REPLACEROUTE 12 /* set an extended route */
-#define EMT_GETDEBUG 13 /* get debug level if active */
-#define EMT_INEROUTE 14 /* set incoming policy for IPIP on a chain */
-
-static void
-add_port(int af, ip_address * addr, short port)
-{
- switch (af)
- {
- case AF_INET:
- addr->u.v4.sin_port = port;
- break;
- case AF_INET6:
- addr->u.v6.sin6_port = port;
- break;
- }
-}
-
-static void
-usage(char* arg)
-{
- fprintf(stdout, "usage: %s --{add,addin,replace} --eraf --src /| --dst /| [ --transport-proto ] [ --src-port ] [ --dst-port ] \n", arg);
- fprintf(stdout, " where is '--af --edst --spi --proto '\n");
- fprintf(stdout, " OR '--said '\n");
- fprintf(stdout, " OR '--said <%%passthrough | %%passthrough4 | %%passthrough6 | %%drop | %%reject | %%trap | %%hold | %%pass>'.\n");
- fprintf(stdout, " %s --del --eraf --src /| --dst /| [ --transport-proto ] [ --src-port ] [ --dst-port ]\n", arg);
- fprintf(stdout, " %s --clear\n", arg);
- fprintf(stdout, " %s --help\n", arg);
- fprintf(stdout, " %s --version\n", arg);
- fprintf(stdout, " %s\n", arg);
- fprintf(stdout, " [ --debug ] is optional to any %s command.\n", arg);
- fprintf(stdout, " [ --label
