}#endif else if (END_FIRST <= c && c <= END_LAST) { /* END_* options are added to end_seen. * Reject repeated options (unless later code intervenes). */ lset_t f = LELEM(c - END_FIRST); if (end_seen & f) diagq("duplicated flag", long_opts[long_index].name); end_seen |= f; opts_seen |= LELEM(OPT_CD); } else if (CD_FIRST <= c && c <= CD_LAST) { /* CD_* options are added to cd_seen. * Reject repeated options (unless later code intervenes). */ lset_t f = LELEM(c - CD_FIRST); if (cd_seen & f) diagq("duplicated flag", long_opts[long_index].name); cd_seen |= f; opts_seen |= LELEM(OPT_CD); } /* Note: "break"ing from switch terminates loop. * most cases should end with "continue". */ switch (c) { case EOF - OPTION_OFFSET: /* end of flags */ break; case 0 - OPTION_OFFSET: /* long option already handled */ continue; case ':' - OPTION_OFFSET: /* diagnostic already printed by getopt_long */ case '?' - OPTION_OFFSET: /* diagnostic already printed by getopt_long */ diag(NULL); /* print no additional diagnostic, but exit sadly */ break; /* not actually reached */ case 'h' - OPTION_OFFSET: /* --help */ help(); return 0; /* GNU coding standards say to stop here */ case 'v' - OPTION_OFFSET: /* --version */ { const char **sp = ipsec_copyright_notice(); printf("%s\n", ipsec_version_string()); for (; *sp != NULL; sp++) puts(*sp); } return 0; /* GNU coding standards say to stop here */ case 'l' - OPTION_OFFSET: /* --label <string> */ label = optarg; /* remember for diagnostics */ continue; case '+' - OPTION_OFFSET: /* --optionsfrom <filename> */ optionsfrom(optarg, &argc, &argv, optind, stderr); /* does not return on error */ continue; /* the rest of the options combine in complex ways */ case OPT_CTLBASE: /* --port <ctlbase> */ if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path) , "%s%s", optarg, CTL_SUFFIX) == -1) diag("<ctlbase>" CTL_SUFFIX " must be fit in a sun_addr"); continue; case OPT_NAME: /* --name <connection-name> */ name = optarg; msg.name = optarg; continue; case 
OPT_KEYID: /* --keyid <identity> */ msg.whack_key = TRUE; msg.keyid = optarg; /* decoded by Pluto */ continue; case OPT_MYID: /* --myid <identity> */ msg.whack_myid = TRUE; msg.myid = optarg; /* decoded by Pluto */ continue; case OPT_ADDKEY: /* --addkey */ msg.whack_addkey = TRUE; continue; case OPT_PUBKEYRSA: /* --pubkeyrsa <key> */ { static char keyspace[RSA_MAX_ENCODING_BYTES]; char diag_space[TTODATAV_BUF]; const char *ugh = ttodatav(optarg, 0, 0 , keyspace, sizeof(keyspace) , &msg.keyval.len, diag_space, sizeof(diag_space) , TTODATAV_SPACECOUNTS); if (ugh != NULL) { char ugh_space[80]; /* perhaps enough space */ snprintf(ugh_space, sizeof(ugh_space) , "RSA public-key data malformed (%s)", ugh); diagq(ugh_space, optarg); } msg.pubkey_alg = PUBKEY_ALG_RSA; msg.keyval.ptr = keyspace; } continue; case OPT_ROUTE: /* --route */ msg.whack_route = TRUE; continue; case OPT_UNROUTE: /* --unroute */ msg.whack_unroute = TRUE; continue; case OPT_INITIATE: /* --initiate */ msg.whack_initiate = TRUE; continue; case OPT_TERMINATE: /* --terminate */ msg.whack_terminate = TRUE; continue; case OPT_DELETE: /* --delete */ msg.whack_delete = TRUE; continue; case OPT_DELETESTATE: /* --deletestate <state_object_number> */ msg.whack_deletestate = TRUE; msg.whack_deletestateno = opt_whole; continue; case OPT_DELETECRASH: /* --crash <ip-address> */ msg.whack_crash = TRUE; diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.whack_crash_peer), optarg); if (isanyaddr(&msg.whack_crash_peer)) diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg); continue; case OPT_LISTEN: /* --listen */ msg.whack_listen = TRUE; continue; case OPT_UNLISTEN: /* --unlisten */ msg.whack_unlisten = TRUE; continue; case OPT_PURGEOCSP: /* --purgeocsp */ msg.whack_purgeocsp = TRUE; continue; case OPT_REREADSECRETS: /* --rereadsecrets */ case OPT_REREADCACERTS: /* --rereadcacerts */ case OPT_REREADAACERTS: /* --rereadaacerts */ case OPT_REREADOCSPCERTS: /* --rereadocspcerts */ case OPT_REREADACERTS: /* 
--rereadacerts */ case OPT_REREADCRLS: /* --rereadcrls */ msg.whack_reread |= LELEM(c-OPT_REREADSECRETS); continue; case OPT_REREADALL: /* --rereadall */ msg.whack_reread = REREAD_ALL; continue; case OPT_STATUS: /* --status */ msg.whack_status = TRUE; continue; case OPT_SHUTDOWN: /* --shutdown */ msg.whack_shutdown = TRUE; continue; case OPT_OPPO_HERE: /* --oppohere <ip-address> */ tunnel_af_used_by = long_opts[long_index].name; diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.oppo_my_client), optarg); if (isanyaddr(&msg.oppo_my_client)) diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg); continue; case OPT_OPPO_THERE: /* --oppohere <ip-address> */ tunnel_af_used_by = long_opts[long_index].name; diagq(ttoaddr(optarg, 0, msg.tunnel_addr_family, &msg.oppo_peer_client), optarg); if (isanyaddr(&msg.oppo_peer_client)) diagq("0.0.0.0 or 0::0 isn't a valid client address", optarg); continue; case OPT_ASYNC: msg.whack_async = TRUE; continue; /* List options */ case LST_UTC: /* --utc */ msg.whack_utc = TRUE; continue; case LST_PUBKEYS: /* --listpubkeys */ case LST_CERTS: /* --listcerts */ case LST_CACERTS: /* --listcacerts */ case LST_ACERTS: /* --listacerts */ case LST_AACERTS: /* --listaacerts */ case LST_OCSPCERTS: /* --listocspcerts */ case LST_GROUPS: /* --listgroups */ case LST_CRLS: /* --listcrls */ case LST_OCSP: /* --listocsp */ case LST_CARDS: /* --listcards */ case LST_EVENTS: /* --listcards */ msg.whack_list |= LELEM(c - LST_PUBKEYS); continue; case LST_ALL: /* --listall */ msg.whack_list = LIST_ALL; continue; /* Connection Description options */ case END_HOST: /* --host <ip-address> */ { lset_t new_policy = LEMPTY; af_used_by = long_opts[long_index].name; diagq(anyaddr(msg.addr_family, &msg.right.host_addr), optarg); if (streq(optarg, "%any")) { } else if (streq(optarg, "%opportunistic")) { /* always use tunnel mode; mark as opportunistic */ new_policy |= POLICY_TUNNEL | POLICY_OPPO; } else if (streq(optarg, "%group")) { /* always use tunnel 
mode; mark as group */ new_policy |= POLICY_TUNNEL | POLICY_GROUP; } else if (streq(optarg, "%opportunisticgroup")) { /* always use tunnel mode; mark as opportunistic */ new_policy |= POLICY_TUNNEL | POLICY_OPPO | POLICY_GROUP; } else { diagq(ttoaddr(optarg, 0, msg.addr_family , &msg.right.host_addr), optarg); } msg.policy |= new_policy; if (new_policy & (POLICY_OPPO | POLICY_GROUP)) { if (!LHAS(end_seen, END_CLIENT - END_FIRST)) { /* set host to 0.0.0 and --client to 0.0.0.0/0 * or IPV6 equivalent */ ip_address any; tunnel_af_used_by = optarg; diagq(anyaddr(msg.tunnel_addr_family, &any), optarg); diagq(initsubnet(&any, 0, '0', &msg.right.client), optarg); } msg.right.has_client = TRUE; } if (new_policy & POLICY_GROUP) { /* client subnet must not be specified by user: * it will come from the group's file. */ if (LHAS(end_seen, END_CLIENT - END_FIRST)) diag("--host %group clashes with --client"); end_seen |= LELEM(END_CLIENT - END_FIRST); } if (new_policy & POLICY_OPPO) msg.right.key_from_DNS_on_demand = TRUE; continue; } case END_ID: /* --id <identity> */ msg.right.id = optarg; /* decoded by Pluto */ continue;#ifdef XAUTH case END_XAUTHSERVER: /* --xauthserver */ msg.right.xauth_server = TRUE; continue; case END_XAUTHCLIENT: /* --xauthclient */ msg.right.xauth_client = TRUE; continue;#else case END_XAUTHSERVER: case END_XAUTHCLIENT: diag("pluto is not built with XAUTH support"); continue;#endif#ifdef MODECFG case END_MODECFGCLIENT: msg.right.modecfg_client = TRUE; continue; case END_MODECFGSERVER: msg.right.modecfg_server = TRUE; continue;#endif case END_SENDCERT: if(streq(optarg, "yes") || streq(optarg, "always")) { msg.right.sendcert = cert_alwayssend; } else if(streq(optarg, "no") || streq(optarg, "never")) { msg.right.sendcert = cert_neversend; } else if(streq(optarg, "ifasked")) { msg.right.sendcert = cert_sendifasked; } else if(streq(optarg, "forced")) { msg.right.sendcert = cert_forcedtype; } else { diagq("whack sendcert value is not legal", optarg); 
continue; } continue; case END_CERTTYPE: msg.right.certtype = opt_whole; continue; case END_CERT: /* --cert <path> */ msg.right.cert = optarg; /* decoded by Pluto */ continue; case END_CA: /* --ca <distinguished name> */ msg.right.ca = optarg; /* decoded by Pluto */ continue; case END_GROUPS:/* --groups <access control groups> */ msg.right.groups = optarg; /* decoded by Pluto */ continue; case END_IKEPORT: /* --ikeport <port-number> */ if (opt_whole<=0 || opt_whole >= 0x10000) diagq("<port-number> must be a number between 1 and 65535", optarg); msg.right.host_port = opt_whole; continue; case END_NEXTHOP: /* --nexthop <ip-address> */ af_used_by = long_opts[long_index].name; if (streq(optarg, "%direct")) diagq(anyaddr(msg.addr_family , &msg.right.host_nexthop), optarg); else diagq(ttoaddr(optarg, 0, msg.addr_family , &msg.right.host_nexthop), optarg); continue; case END_SRCIP: /* --srcip <ip-address> */ af_used_by = long_opts[long_index].name; diagq(ttoaddr(optarg, 0, msg.addr_family , &msg.right.host_srcip), optarg); continue; case END_CLIENT: /* --client <subnet> */ if (end_seen & LELEM(END_CLIENTWITHIN - END_FIRST)) diag("--client conflicts with --clientwithin"); tunnel_af_used_by = long_opts[long_index].name;#ifdef VIRTUAL_IP if ( ((strlen(optarg)>=6) && (strncmp(optarg,"vhost:",6)==0)) || ((strlen(optarg)>=5) && (strncmp(optarg,"vnet:",5)==0)) ) { msg.right.virt = optarg; } else { diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg); msg.right.has_client = TRUE; }#else diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg); msg.right.has_client = TRUE;#endif msg.policy |= POLICY_TUNNEL; /* client => tunnel */ continue; case END_CLIENTWITHIN: /* --clienwithin <address range> */ if (end_seen & LELEM(END_CLIENT - END_FIRST)) diag("--clientwithin conflicts with --client"); tunnel_af_used_by = long_opts[long_index].name; diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg); 
msg.right.has_client = TRUE; msg.policy |= POLICY_TUNNEL; /* client => tunnel */ msg.right.has_client_wildcard = TRUE; continue; case END_CLIENTPROTOPORT: /* --clientprotoport <protocol>/<port> */ diagq(ttoprotoport(optarg, 0, &msg.right.protocol, &msg.right.port , &msg.right.has_port_wildcard), optarg); continue; case END_DNSKEYONDEMAND: /* --dnskeyondemand */ msg.right.key_from_DNS_on_demand = TRUE; continue; case END_UPDOWN: /* --updown <updown> */ msg.right.updown = optarg; continue; case CD_TO: /* --to */ /* process right end, move it to left, reset it */ if (!LHAS(end_seen, END_HOST - END_FIRST)) diag("connection missing --host before --to"); msg.left = msg.right; clear_end(&msg.right); end_seen_before_to = end_seen; end_seen = LEMPTY; continue; case CD_PSK: /* --psk */ case CD_RSASIG: /* --rsasig */ case CD_ENCRYPT: /* --encrypt */ case CD_AUTHENTICATE: /* --authenticate */ case CD_COMPRESS: /* --compress */ case CD_TUNNEL: /* --tunnel */ case CD_PFS: /* --pfs */ case CD_AGGRESSIVE: /* --aggrmode */ case CD_DISABLEARRIVALCHECK: /* --disablearrivalcheck */ case CD_DONT_REKEY: /* --donotrekey */ case CD_MODECFGPULL: /* --modecfgpull */ msg.policy |= LELEM(c - CD_POLICY_FIRST); continue; /* --initiateontraffic * --pass * --drop * --reject */ case CD_SHUNT0: msg.policy = (msg.policy & ~POLICY_SHUNT_MASK) | ((lset_t)aux << POLICY_SHUNT_SHIFT); continue; /* --failnone * --failpass * --faildrop * --failreject */ case CD_FAIL0: msg.policy = (msg.policy & ~POLICY_FAIL_MASK) | ((lset_t)aux << POLICY_FAIL_SHIFT); continue; case CD_IKELIFETIME: /* --ikelifetime <seconds> */ msg.sa_ike_life_seconds = opt_whole; continue; case CD_IPSECLIFETIME: /* --ipseclifetime <seconds> */ msg.sa_ipsec_life_seconds = opt_whole; continue; case CD_RKMARGIN: /* --rekeymargin <seconds> */ msg.sa_rekey_margin = opt_whole; continue; case CD_RKFUZZ: /* --rekeyfuzz <percentage> */ msg.sa_rekey_fuzz = opt_whole; continue; case CD_KTRIES: /* --keyingtries <count> */