pluto实现分析(9)

 
本文档的Copyleft归yfydz所有,使用GPL发布,可以自由拷贝,转载,转载时请保持文档的完整性,
严禁用于任何商业用途。
msn: [email protected]
来源: http://yfydz.cublog.cn

9. 连接处理

关于连接的基本处理在programs/pluto/connections.c中定义,该文件是一个很大的文件,差不多
130K,只是拣主要的处理函数进行分析, 而且关于OE的处理就忽略了。

9.1 新增连接

该函数被whack_handle (rcv_whack.c)函数调用,用于系统初始化从配置文件读取的连接信息,建立
连接结构。

void
add_connection(const struct whack_message *wm)
{
    struct alg_info_ike *alg_info_ike;
    const char *ugh;
// IKE算法指针初始化清零
    alg_info_ike = NULL;

// 检查连接名称对应的连接是否已经存在, 是则打印一个警告信息,但仍继续操作
    if (con_by_name(wm->name, FALSE) != NULL)
    {
 loglog(RC_DUPNAME, "attempt to redefine connection \"%s\"", wm->name);
    }
// 检查连接左右双方的协议是否相同, 是必须要求相同的
    else if (wm->right.protocol != wm->left.protocol)
    {
 /* this should haven been diagnosed by whack
  * !!! overloaded use of RC_CLASH
  */
 loglog(RC_CLASH, "the protocol must be the same for leftport and rightport");
    }
// 检查配置文件中"ike="定义的算法信息是否存在,如果定义"ike=",表示协商过程中的算法是
// 固定的,不是协商的
    else if(wm->ike != NULL
     && ((alg_info_ike = alg_info_ike_create_from_str(wm->ike, &ugh))==NULL
  || alg_info_ike->alg_info_cnt==0)) {
 if (alg_info_ike!= NULL && alg_info_ike->alg_info_cnt==0) {
     loglog(RC_NOALGO
     , "got 0 transforms for ike=\"%s\""
     , wm->esp);
     return;
 }
 loglog(RC_NOALGO
        , "esp string error: %s"
        , ugh? ugh : "Unknown");
 return;
    }
// IKE算法存在或需要自动协商算法的情况
    else if ((wm->ike == NULL || alg_info_ike != NULL)
// 检查连接的左右端点的地址信息是否合法,可以允许一边地址是ANY,但不能两边都是ANY
      && check_connection_end(&wm->right, &wm->left, wm)
      && check_connection_end(&wm->left, &wm->right, wm))
    {
 bool same_rightca, same_leftca;
// 分配新连接
 struct connection *c = alloc_thing(struct connection, "struct connection");
 same_rightca = same_leftca = FALSE;
// 连接名称
 c->name = wm->name;
// 连接策略
 c->policy = wm->policy;
 DBG(DBG_CONTROL,
     DBG_log("Added new connection %s with policy %s"
      , c->name
      , prettypolicy(c->policy)));
// 检查是否定义压缩处理而内核却不支持压缩   
 if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp)
     loglog(RC_COMMENT
  , "ignoring --compress in \"%s\" because KLIPS is not configured to do
IPCOMP"
  , c->name);
 c->alg_info_esp = NULL;
#ifdef KERNEL_ALG
// 解析"esp="定义的ESP算法
 if (wm->esp) 
 {
  DBG(DBG_CONTROL, DBG_log("from whack: got --esp=%s", wm->esp ? wm->esp:
"NULL"));
// 解析算法信息
  c->alg_info_esp = alg_info_esp_create_from_str(wm->esp? wm->esp : "",
&ugh, FALSE);
  DBG(DBG_CRYPT|DBG_CONTROL,
   static char buf[256]="<NULL>";
   if (c->alg_info_esp)
    alg_info_snprint(buf, sizeof(buf),
       (struct alg_info *)c->alg_info_esp,
TRUE);
   DBG_log("esp string values: %s", buf);
  );
  if (c->alg_info_esp) {
   if (c->alg_info_esp->alg_info_cnt==0) {
    loglog(RC_NOALGO
     , "got 0 transforms for esp=\"%s\""
     , wm->esp);
    return;
   }
  } else {
   loglog(RC_NOALGO
    , "esp string error: %s"
    , ugh? ugh : "Unknown");
   return;
  }
  c->alg_esp = clone_str(wm->esp, "esp string");
 }
#endif 
 c->alg_info_ike = NULL;
#ifdef IKE_ALG
// 解析"ike="定义的IKE算法
 if (wm->ike)
 {
// 这是刚才解析的IKE算法结构
     c->alg_info_ike = alg_info_ike;
     DBG(DBG_CONTROL, DBG_log("from whack: got --ike=%s", wm->ike));
     DBG(DBG_CRYPT|DBG_CONTROL,
  char buf[256];
  alg_info_snprint(buf, sizeof(buf),
     (struct alg_info *)c->alg_info_ike, TRUE);
  DBG_log("ike string values: %s", buf);
  );
     if (c->alg_info_ike) {
  if (c->alg_info_ike->alg_info_cnt==0) {
      loglog(RC_NOALGO
      , "got 0 transforms for ike=\"%s\""
      , wm->ike);
      return;
  }
     } else {
  loglog(RC_NOALGO
         , "ike string error: %s"
         , ugh? ugh : "Unknown");
  return;
     }
     c->alg_ike = clone_str(wm->ike, "ike string");
 }
#endif
// SA参数: IKE生命期
 c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
// IPSEC生命期
 c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
// 重协商间隔
 c->sa_rekey_margin = wm->sa_rekey_margin;
 c->sa_rekey_fuzz = wm->sa_rekey_fuzz;
// 重协商尝试次数
 c->sa_keying_tries = wm->sa_keying_tries;
 /* RFC 3706 DPD */
// DPD参数
        c->dpd_delay = wm->dpd_delay;
// DPD超时
        c->dpd_timeout = wm->dpd_timeout;
// DPD超时后的动作
        c->dpd_action = wm->dpd_action;
// 强制UDP封装
 c->forceencaps = wm->forceencaps;
// 地址协议族
 c->addr_family = wm->addr_family;
// 通道内地址协议族
 c->tunnel_addr_family = wm->tunnel_addr_family;
 c->requested_ca = NULL;
// 解析连接端点地址信息
 same_leftca  = extract_end(&c->spd.this, &wm->left, "left");
 same_rightca = extract_end(&c->spd.that, &wm->right, "right");
// 填充安全策略的路由结构参数
// CA名称
 if (same_rightca)
     c->spd.that.ca = c->spd.this.ca;
 else if (same_leftca)
     c->spd.this.ca = c->spd.that.ca;
// 建立端点地址信息
 default_end(&c->spd.this, &c->spd.that.host_addr);
 default_end(&c->spd.that, &c->spd.this.host_addr);
 /* force any wildcard host IP address, any wildcard subnet
  * or any wildcard ID to that end
  */
 if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
 || c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards)
 {
     struct end t = c->spd.this;
     c->spd.this = c->spd.that;
     c->spd.that = t;
 }
 c->spd.next = NULL;
// 请求ID,唯一值
 c->spd.reqid = gen_reqid();
 /* set internal fields */
 c->instance_serial = 0;
// 添加到系统连接链表的链表头
 c->ac_next = connections;
 connections = c;
// 初始化参数为无效值
 c->interface = NULL;
 c->spd.routing = RT_UNROUTED;
 c->newest_isakmp_sa = SOS_NOBODY;
 c->newest_ipsec_sa = SOS_NOBODY;
 c->spd.eroute_owner = SOS_NOBODY;
// 确定连接类型
 if (c->policy & POLICY_GROUP)
 {
// 组策略
     c->kind = CK_GROUP;
     add_group(c);
 }
 else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
  || c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard 
  || ((c->policy & POLICY_SHUNT_MASK) == 0  && c-
>spd.that.has_id_wildcards ))
 {
// 一端地址不固定的动态连接,此时的连接结构只相对于一个连接模板,等具体有端点连接
// 时才具体实例化
     DBG(DBG_CONTROL, DBG_log("based upon policy, the connection is a
template."));
     /* Opportunistic or Road Warrior or wildcard client subnet
      * or wildcard ID */
     c->kind = CK_TEMPLATE;
 }
 else
 {
// 固定连接, 双方地址固定
     c->kind = CK_PERMANENT;
 }
// 确定策略优先级
 set_policy_prio(c); /* must be after kind is set */
#ifdef DEBUG
 c->extra_debugging = wm->debugging;
#endif
 c->gw_info = NULL;
#ifdef VIRTUAL_IP
 passert(!(wm->left.virt && wm->right.virt));
// 虚拟IP参数设置
 if (wm->left.virt || wm->right.virt) {
     passert(isanyaddr(&c->spd.that.host_addr));
     c->spd.that.virt = create_virtual(c,
  wm->left.virt ? wm->left.virt : wm->right.virt);
     if (c->spd.that.virt)
  c->spd.that.has_client = TRUE;
 }
#endif
// 去共享化,将原来共享的参数重新分配各自的空间保存,不再共享
 unshare_connection_strings(c);
#ifdef KERNEL_ALG
// 内核算法引用数增加
 alg_info_addref((struct alg_info *)c->alg_info_esp);
#endif
#ifdef IKE_ALG
// IKE算法引用数增加
 alg_info_addref((struct alg_info *)c->alg_info_ike);
#endif
// 确定方向, 确定使用的ipsec*网卡
 (void)orient(c);
// 将连接转换为主机对
 connect_to_host_pair(c);
 /* log all about this connection */
// 在日志中记录详细的连接信息
 openswan_log("added connection description \"%s\"", c->name);
 DBG(DBG_CONTROL,
     char topo[CONNECTION_BUF];
     (void) format_connection(topo, sizeof(topo), c, &c->spd);
     DBG_log("%s", topo);
     /* Make sure that address families can be correctly inferred
      * from printed ends.
      */
     passert(c->addr_family == addrtypeof(&c->spd.this.host_addr)
  && c->addr_family == addrtypeof(&c->spd.this.host_nexthop)
  && (c->spd.this.has_client? c->tunnel_addr_family : c->addr_family)
    == subnettypeof(&c->spd.this.client)
  && c->addr_family == addrtypeof(&c->spd.that.host_addr)
  && c->addr_family == addrtypeof(&c->spd.that.host_nexthop)
  && (c->spd.that.has_client? c->tunnel_addr_family : c->addr_family)
    == subnettypeof(&c->spd.that.client));
     DBG_log("ike_life: %lus; ipsec_life: %lus; rekey_margin: %lus;"
  " rekey_fuzz: %lu%%; keyingtries: %lu; policy: %s"
  , (unsigned long) c->sa_ike_life_seconds
  , (unsigned long) c->sa_ipsec_life_seconds
  , (unsigned long) c->sa_rekey_margin
  , (unsigned long) c->sa_rekey_fuzz
  , (unsigned long) c->sa_keying_tries
  , prettypolicy(c->policy));
 );
    } else {
 loglog(RC_FATAL, "attempt to load incomplete connection");
    }
}

 
9.2 启动连接

该函数可能被whack_handle (rcv_whack.c)函数或dpd_timeout (dpd.c)调用, 启动连接, 如果连接
双方地址固定就发起IKE协商, 如果是动态连接的服务器端, 无法启动, 继续监听状态。
void
initiate_connection(const char *name, int whackfd
      , lset_t moredebug
      , enum crypto_importance importance)
{
// 根据名称查找连接结构
    struct connection *c = con_by_name(name, TRUE);
    if (c != NULL)
    {
// 连接找到
// 将该连接作为系统当前连接
 set_cur_connection(c);
 /* turn on any extra debugging asked for */
 c->extra_debugging |= moredebug;
 if (!oriented(*c))
 {
// 没确定方向的连接
     loglog(RC_ORIENT, "We cannot identify ourselves with either end of this
connection.");
 }
 else if (NEVER_NEGOTIATE(c->policy))
 {
// 无协商连接, 不需要进入协商
     loglog(RC_INITSHUNT
  , "cannot initiate an authby=never connection");
 }
 else if (c->kind != CK_PERMANENT)
 {
// 非固定连接, 是动态连接, 不能启动, 继续监听
     if (isanyaddr(&c->spd.that.host_addr))
  loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP
address (kind=%s)"
         , enum_show(&connection_kind_names, c->kind));
     else
  loglog(RC_WILDCARD, "cannot initiate connection with ID wildcards
(kind=%s)"
         , enum_show(&connection_kind_names, c->kind));
 }
 else
 {
// 可以启动连接
     /* We will only request an IPsec SA if policy isn't empty
      * (ignoring Main Mode items).
      * This is a fudge, but not yet important.
      * If we are to proceed asynchronously, whackfd will be NULL_FD.
      */
// 策略启动
     c->policy |= POLICY_UP;
     if(c->policy & POLICY_ENCRYPT) {
// 需要加密的话获取算法和SADB
  struct alg_info_esp *alg = c->alg_info_esp;
  struct db_sa *phase2_sa = kernel_alg_makedb(alg, TRUE);
  
  if(alg != NULL && phase2_sa == NULL) {
      whack_log(RC_NOALGO, "can not initiate: no acceptable kernel
algorithms loaded");
      reset_cur_connection();
      close_any(whackfd);
      return;
  }
  free_sa(phase2_sa);
     }
#ifdef SMARTCARD
// 进行smartcard验证, 失败时也不能启动
     /* do we have to prompt for a PIN code? */
     if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
  scx_get_pin(c->spd.this.sc, whackfd);
     if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
     {
  loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
     }
     else
#endif
     {
// 发起IKE协商
  ipsecdoi_initiate(whackfd, c, c->policy, 1
      , SOS_NOBODY, importance);
  whackfd = NULL_FD; /* protect from close */
     }
 }
 reset_cur_connection();
    }
    close_any(whackfd);
}
 

9.3 删除连接

删除连接有几个不同的函数:

/* Delete connections with the specified name */
// 按名称删除连接,函数被whack_handle (rcv_whack.c)函数调用
void
delete_connections_by_name(const char *name, bool strict)
{
// 根据名称查找连接
    struct connection *c = con_by_name(name, strict);
// 删除连接,循环删除所有同名的连接
    for (; c != NULL; c = con_by_name(name, FALSE))
 delete_connection(c, FALSE);
}

// 删除全部连接
void
delete_every_connection(void)
{
// 遍历连接链表,删除连接
    while (connections != NULL)
 delete_connection(connections, TRUE);
}

// 释放连接
void
release_connection(struct connection *c, bool relations)
{
    if (c->kind == CK_INSTANCE)
    {
// 如果连接是实例化所得的连接,删除该连接
 /* This does everything we need.
  * Note that we will be called recursively by delete_connection,
  * but kind will be CK_GOING_AWAY.
  */
 delete_connection(c, relations);
    }
    else
    {
// 否则清除连接相关的状态
 flush_pending_by_connection(c);
 delete_states_by_connection(c, relations);
 unroute_connection(c);
    }
}
 
// 删除连接的核心函数
void
delete_connection(struct connection *c, bool relations)
{
    struct spd_route *sr;
// 备份当前连接作为返回时系统的当前连接, 如果要删除的连接就是当前连接,为空
    struct connection *old_cur_connection
 = cur_connection == c? NULL : cur_connection;
#ifdef DEBUG
    lset_t old_cur_debugging = cur_debugging;
#endif
// 设置连接为当前连接
    set_cur_connection(c);
    /* Must be careful to avoid circularity:
     * we mark c as going away so it won't get deleted recursively.
     */
    passert(c->kind != CK_GOING_AWAY);
    if (c->kind == CK_INSTANCE)
    {
// 如果是实例化后得到的连接, 将连接类型改为CK_GOING_AWAY
 openswan_log("deleting connection \"%s\" instance with peer %s {isakmp=#%
lu/ipsec=#%lu}"
      , c->name
      , ip_str(&c->spd.that.host_addr)
      , c->newest_isakmp_sa, c->newest_ipsec_sa);
 c->kind = CK_GOING_AWAY;
    }
    else
    {
 openswan_log("deleting connection");
    }
// 释放连接的相关状态,注意这时连接的类型已经肯定不是CK_INSTANCE了,
// 所以不会出现递归调用的情况
    release_connection(c, relations); /* won't delete c */
// 释放组
    if (c->kind == CK_GROUP)
 delete_group(c);
    /* free up any logging resources */
// 关闭日志资源
    perpeer_logfree(c);
    /* find and delete c from connections list */
// 将连接从系统连接链表中断开
    list_rm(struct connection, ac_next, c, connections);
// 恢复系统原来的当前连接
    cur_connection = old_cur_connection;
    /* find and delete c from the host pair list */
// 从主机对链表中删除连接
    if (c->host_pair == NULL)
    {
// 从unoriented_connections链表中断开
 list_rm(struct connection, hp_next, c, unoriented_connections);
    }
    else
    {
 struct host_pair *hp = c->host_pair;
// 从主机对链表中断开
 list_rm(struct connection, hp_next, c, hp->connections);
 c->host_pair = NULL; /* redundant, but safe */
 /* if there are no more connections with this host_pair
  * and we haven't even made an initial contact, let's delete
  * this guy in case we were created by an attempted DOS attack.
  */
// 如果该主机对已经没有其他连接, 释放该主机对
 if (hp->connections == NULL
 && !hp->initial_connection_sent)
 {
     passert(hp->pending == NULL); /* ??? must deal with this! */
     list_rm(struct host_pair, next, hp, host_pairs);
     pfree(hp);
 }
    }
#ifdef VIRTUAL_IP
// 释放虚拟IP资源
    if (c->kind != CK_GOING_AWAY) pfreeany(c->spd.that.virt);
#endif
#ifdef DEBUG
    set_debugging(old_cur_debugging);
#endif
// 释放连接名称空间
    pfreeany(c->name);
    sr = &c->spd;
// 释放连接的所有安全策略路由
    while(sr) {
 delete_sr(c, sr);
 sr = sr->next;
    }
// 释放CA信息
    free_generalNames(c->requested_ca, TRUE);
// 减少网关使用计数
    gw_delref(&c->gw_info);
#ifdef KERNEL_ALG
// 减少内核算法使用计数
    alg_info_delref((struct alg_info **)&c->alg_info_esp);
#endif
#ifdef IKE_ALG
// 减少IKE算法使用计数
    alg_info_delref((struct alg_info **)&c->alg_info_ike);
#endif
// 释放连接空间
    pfree(c);
}
 
9.4 停止连接

该函数被whack_handle (rcv_whack.c)函数调用,用于停止连接, 释放连接相关的SA。

void
terminate_connection(const char *nm)
{
    /* Loop because more than one may match (master and instances)
     * But at least one is required (enforced by con_by_name).
     */
    struct connection *c, *n;
// 只要还能找到连接就循环操作
    for (c = con_by_name(nm, TRUE); c != NULL; c = n)
    {
// 该连接的链表下一项, 会在循环时赋值给c
 n = c->ac_next; /* grab this before c might disappear */
// 名称匹配
 if (streq(c->name, nm)
// 类型是永久,实例,或要死的
 && c->kind >= CK_PERMANENT
// 策略需协商
 && !NEVER_NEGOTIATE(c->policy))
 {
// 设置为当前连接
     set_cur_connection(c);
     openswan_log("terminating SAs using this connection");
// 策略停
     c->policy &= ~POLICY_UP;
// 释放连接相关所有状态
     flush_pending_by_connection(c);
     delete_states_by_connection(c, FALSE);
     reset_cur_connection();
 }
    }
}

9.5 查找连接

9.5.1 根据名称查找连接
/* find a connection by name.
 * If strict, don't accept a CK_INSTANCE.
 * Move the winner (if any) to the front.
 * If none is found, and strict, a diagnostic is logged to whack.
 */
struct connection *
con_by_name(const char *nm, bool strict)
{
    struct connection *p, *prev;
// 遍历连接链表
    for (prev = NULL, p = connections; ; prev = p, p = p->ac_next)
    {
 if (p == NULL)
 {
// 到链表末尾,中断
     if (strict)
  whack_log(RC_UNKNOWN_NAME
      , "no connection named \"%s\"", nm);
     break;
 }
// 名称要相同
 if (streq(p->name, nm)
// 如果是严格情况,连接类型不能是实例化的连接
 && (!strict || p->kind != CK_INSTANCE))
 {
     if (prev != NULL)
     {
// 从当前位置断开
  prev->ac_next = p->ac_next; /* remove p from list */
// 设置为链表头
  p->ac_next = connections; /* and stick it on front */
  connections = p;
     }
     break;
 }
    }
    return p;
}

9.5.2 查找子连接

通常是连接是动态连接时使用, 在quick_inI1_outR1_authtail()和info_lookuphostpair()等函数中
调用:
struct connection *
find_client_connection(struct connection *c
         , const ip_subnet *our_net
         , const ip_subnet *peer_net
         , const u_int8_t our_protocol
         , const u_int16_t our_port
         , const u_int8_t peer_protocol
         , const u_int16_t peer_port)
{
    struct connection *d;
    struct spd_route *sr;
#ifdef DEBUG
    if (DBGP(DBG_CONTROLMORE))
    {
 char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
 subnettot(our_net,  0, s1, sizeof(s1));
 subnettot(peer_net, 0, d1, sizeof(d1));
 DBG_log("find_client_connection starting with %s"
     , (c ? c->name : "(none)"));
 DBG_log("  looking for %s:%d/%d -> %s:%d/%d"
     , s1, our_protocol, our_port
     , d1, peer_protocol, peer_port);
    }
#endif /* DEBUG */
    /* give priority to current connection
     * but even greater priority to a routed concrete connection
     */
    {
 struct connection *unrouted = NULL;
 int srnum = -1;
// 遍历连接的安全策略路由,如果找到未路由的连接(unrouted != NULL),中断循环
 for (sr = &c->spd; unrouted == NULL && sr != NULL; sr = sr->next)
 {
     srnum++;
#ifdef DEBUG
     if (DBGP(DBG_CONTROLMORE))
     {
  char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF];
  subnettot(&sr->this.client, 0, s2, sizeof(s2));
  subnettot(&sr->that.client, 0, d2, sizeof(d2));
  DBG_log("  concrete checking against sr#%d %s -> %s"
   , srnum, s2, d2);
     }
#endif /* DEBUG */
// 比较安全策略路由的本地子网,对端子网,本地协议,本地端口,对端协议,对端端口是否匹配
     if (samesubnet(&sr->this.client, our_net)
  && samesubnet(&sr->that.client, peer_net)
  && (sr->this.protocol == our_protocol)
  && (!sr->this.port || (sr->this.port == our_port))
  && (sr->that.protocol == peer_protocol)
  && (!sr->that.port || (sr->that.port == peer_port)))
     {
  passert(oriented(*c));
// 如果已经路由过了,返回该连接
  if (routed(sr->routing))
      return c;
// 没路由过的连接, 可以中断循环了
  unrouted = c;
     }
 }
 /* exact match? */
// 目前最多只有未路由的连接,进行更详细地查找
 d = fc_try(c, c->host_pair, NULL, our_net, peer_net
     , our_protocol, our_port, peer_protocol, peer_port);
 DBG(DBG_CONTROLMORE,
     DBG_log("  fc_try %s gives %s"
      , c->name
      , (d ? d->name : "none"))
 )
// 没找到,还是用未路由的连接
 if (d == NULL)
     d = unrouted;
    }

// 如果d为空, 没有找到合适的连接
    if (d == NULL)
    {
 /* look for an abstract connection to match */
 struct spd_route *sr;
 struct host_pair *hp = NULL;
// 遍历连接的安全策略路由,如果找到主机对(hp!=NULL),中断循环
 for (sr = &c->spd; hp==NULL && sr != NULL; sr = sr->next)
 {
// 根据连接双方的地址查找合适的主机对
     hp = find_host_pair(&sr->this.host_addr
    , sr->this.host_port
    , NULL
    , sr->that.host_port);
#ifdef DEBUG
     if (DBGP(DBG_CONTROLMORE))
     {
  char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF];
  subnettot(&sr->this.client, 0, s2, sizeof(s2));
  subnettot(&sr->that.client, 0, d2, sizeof(d2));
  DBG_log("  checking hostpair %s -> %s is %s"
   , s2, d2
   , (hp ? "found" : "not found"));
     }
#endif /* DEBUG */
 }
 if (hp != NULL)
 {
// 找到, 使用该主机对作为参数重新查找
     /* RW match with actual peer_id or abstract peer_id? */
     d = fc_try(c, hp, NULL, our_net, peer_net
  , our_protocol, our_port, peer_protocol, peer_port);

// 如果还是没找到,重新进行OE查找
     if (d == NULL
     && subnetishost(our_net)
     && subnetishost(peer_net))
     {
  /* Opportunistic match?
   * Always use abstract peer_id.
   * Note that later instantiation will result in the same peer_id.
   */
  d = fc_try_oppo(c, hp, our_net, peer_net
      , our_protocol, our_port, peer_protocol, peer_port);
     }
 }
    }
    DBG(DBG_CONTROLMORE,
 DBG_log("  concluding with d = %s"
  , (d ? d->name : "none"))
    )
    return d;
}

/* find_client_connection: given a connection suitable for ISAKMP
 * (i.e. the hosts match), find a one suitable for IPSEC
 * (i.e. with matching clients).
 *
 * If we don't find an exact match (not even our current connection),
 * we try for one that still needs instantiation.  Try Road Warrior
 * abstract connections and the Opportunistic abstract connections.
 * This requires inverse instantiation: abstraction.
 *
 * After failing to find an exact match, we abstract the peer
 * to be NO_IP (the wildcard value).  This enables matches with
 * Road Warrior and Opportunistic abstract connections.
 *
 * After failing that search, we also abstract the Phase 1 peer ID
 * if possible.  If the peer's ID was the peer's IP address, we make
 * it NO_ID; instantiation will make it the peer's IP address again.
 *
 * If searching for a Road Warrior abstract connection fails,
 * and conditions are suitable, we search for the best Opportunistic
 * abstract connection.
 *
 * Note: in the end, both Phase 1 IDs must be preserved, after any
 * instantiation.  They are the IDs that have been authenticated.
 */
#define PATH_WEIGHT 1
#define WILD_WEIGHT (MAX_CA_PATH_LEN+1)
#define PRIO_WEIGHT (MAX_WILDCARDS+1)*WILD_WEIGHT
/* fc_try: a helper function for find_client_connection */
static struct connection *
fc_try(const struct connection *c
, struct host_pair *hp
, const struct id *peer_id UNUSED
, const ip_subnet *our_net
, const ip_subnet *peer_net
, const u_int8_t our_protocol
, const u_int16_t our_port
, const u_int8_t peer_protocol
, const u_int16_t peer_port)
{
    struct connection *d;
    struct connection *best = NULL;
    policy_prio_t best_prio = BOTTOM_PRIO;
    int wildcards, pathlen;
    const bool peer_net_is_host = subnetisaddr(peer_net, &c->spd.that.host_addr);
// 遍历主机对相关的所有连接
    for (d = hp->connections; d != NULL; d = d->hp_next)
    {
 struct spd_route *sr;
// 忽略组连接
 if (d->policy & POLICY_GROUP)
     continue;
// 检查本地ID,对端ID,对端CA是否匹配
 if (!(same_id(&c->spd.this.id, &d->spd.this.id)
       && match_id(&c->spd.that.id, &d->spd.that.id, &wildcards)
       && trusted_ca(c->spd.that.ca, d->spd.that.ca, &pathlen)))
     continue;
     /* compare protocol and ports */
// 检查本地协议,本地端口,对端协议,对端端口是否匹配
 if (d->spd.this.protocol != our_protocol
     ||  (d->spd.this.port && d->spd.this.port != our_port)
     ||  d->spd.that.protocol != peer_protocol
            || (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
     continue;
 /* non-Opportunistic case:
  * our_client must match.
  *
  * So must peer_client, but the testing is complicated
  * by the fact that the peer might be a wildcard
  * and if so, the default value of that.client
  * won't match the default peer_net.  The appropriate test:
  *
  * If d has a peer client, it must match peer_net.
  * If d has no peer client, peer_net must just have peer itself.
  */
// 该连接的以上参数全部匹配
// 遍历该连接的安全策略路由,判断是否是最优连接
 for (sr = &d->spd; best != d && sr != NULL; sr = sr->next)
 {
     policy_prio_t prio;
#ifdef DEBUG
     if (DBGP(DBG_CONTROLMORE))
     {
  char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
  char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF];
  subnettot(our_net,  0, s1, sizeof(s1));
  subnettot(peer_net, 0, d1, sizeof(d1));
  subnettot(&sr->this.client,  0, s3, sizeof(s3));
  subnettot(&sr->that.client,  0, d3, sizeof(d3));
  DBG_log("  fc_try trying "
   "%s:%s:%d/%d -> %s:%d/%d vs %s:%s:%d/%d -> %s:%d/%d"
   , c->name, s1, c->spd.this.protocol, c->spd.this.port
     , d1, c->spd.that.protocol, c->spd.that.port
   , d->name, s3, sr->this.protocol, sr->this.port
     , d3, sr->that.protocol, sr->that.port);
     }
#endif /* DEBUG */
// 检查本地子网是否相同
     if (!samesubnet(&sr->this.client, our_net))
  continue;
     if (sr->that.has_client)
     {
// 检查对端子网是否匹配
  if (sr->that.has_client_wildcard) {
      if (!subnetinsubnet(peer_net, &sr->that.client))
   continue;
  } else {
#ifdef VIRTUAL_IP
      if ((!samesubnet(&sr->that.client, peer_net)) && (!
is_virtual_connection(d)))
#else
      if (!samesubnet(&sr->that.client, peer_net))
#endif
   continue;
#ifdef VIRTUAL_IP
      if ((is_virtual_connection(d)) &&
   ( (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr))
||
   (is_virtual_net_used(peer_net, peer_id?peer_id:&c->spd.that.id))
))
       continue;
#endif
  }
     }
     else
     {
// 如果对端是子网,循环跳过
  if (!peer_net_is_host)
      continue;
     }
     /* We've run the gauntlet -- success:
      * We've got an exact match of subnets.
      * The connection is feasible, but we continue looking for the best.
      * The highest priority wins, implementing eroute-like rule.
      * - a routed connection is preferrred
      * - given that, the smallest number of ID wildcards are preferred
      * - given that, the shortest CA pathlength is preferred
      */
// 计算优先权
     prio = PRIO_WEIGHT * routed(sr->routing)
   + WILD_WEIGHT * (MAX_WILDCARDS - wildcards)
   + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen)
   + 1;
// 如果该优先权超过限值,可以算最优的连接了
     if (prio > best_prio)
     {
  best = d;
  best_prio = prio;
     }
 }
    }
    if (best != NULL && NEVER_NEGOTIATE(best->policy))
 best = NULL;
    DBG(DBG_CONTROLMORE,
 DBG_log("  fc_try concluding with %s [%ld]"
  , (best ? best->name : "none"), best_prio)
    )
    return best;
}

9.5.3 根据状态精炼合适的连接

/* given an up-until-now satisfactory connection, find the best connection
 * now that we just got the Phase 1 Id Payload from the peer.
 *
 * Comments in the code describe the (tricky!) matching criteria.
 * Although this routine could handle the initiator case,
 * it isn't currently called in this case.
 * If it were, it could "upgrade" an Opportunistic Connection
 * to a Road Warrior Connection if a suitable Peer ID were found.
 *
 * In RFC 2409 "The Internet Key Exchange (IKE)",
 * in 5.1 "IKE Phase 1 Authenticated With Signatures", describing Main
 * Mode:
 *
 *         Initiator                          Responder
 *        -----------                        -----------
 *         HDR, SA                     -->
 *                                     <--    HDR, SA
 *         HDR, KE, Ni                 -->
 *                                     <--    HDR, KE, Nr
 *         HDR*, IDii, [ CERT, ] SIG_I -->
 *                                     <--    HDR*, IDir, [ CERT, ] SIG_R
 *
 * In 5.4 "Phase 1 Authenticated With a Pre-Shared Key":
 *
 *               HDR, SA             -->
 *                                   <--    HDR, SA
 *               HDR, KE, Ni         -->
 *                                   <--    HDR, KE, Nr
 *               HDR*, IDii, HASH_I  -->
 *                                   <--    HDR*, IDir, HASH_R
 *
 * refine_host_connection could be called in two case:
 *
 * - the Responder receives the IDii payload:
 *   + [PSK] after using PSK to decode this message
 *   + before sending its IDir payload
 *   + before using its ID in HASH_R computation
 *   + [DSig] before using its private key to sign SIG_R
 *   + before using the Initiator's ID in HASH_I calculation
 *   + [DSig] before using the Initiator's public key to check SIG_I
 *
 * - the Initiator receives the IDir payload:
 *   + [PSK] after using PSK to encode previous message and decode this message
 *   + after sending its IDii payload
 *   + after using its ID in HASH_I computation
 *   + [DSig] after using its private key to sign SIG_I
 *   + before using the Responder's ID to compute HASH_R
 *   + [DSig] before using Responder's public key to check SIG_R
 *
 * refine_host_connection can choose a different connection, as long as
 * nothing already used is changed.
 *
 * In the Initiator case, the particular connection might have been
 * specified by whatever provoked Pluto to initiate.  For example:
 * whack --initiate connection-name
 * The advantages of switching connections when we're the Initiator seem
 * less important than the disadvantages, so after FreeS/WAN 1.9, we
 * don't do this.
 */
struct connection *
refine_host_connection(const struct state *st, const struct id *peer_id
, bool initiator, bool aggrmode)
{
// 状态对应的连接
    struct connection *c = st->st_connection;
// 认证方法
    u_int16_t auth = st->st_oakley.auth;
    struct connection *d;
    struct connection *best_found = NULL;
    lset_t auth_policy;
// 策略模式
    lset_t p1mode_policy = aggrmode ? POLICY_AGGRESSIVE : LEMPTY;
    const struct RSA_private_key *my_RSA_pri = NULL;
// 对方IP是否不确定
    bool wcpip; /* wildcard Peer IP? */
    int wildcards, best_wildcards;
    int our_pathlen, best_our_pathlen, peer_pathlen, best_peer_pathlen;
    chunk_t peer_ca;
    const chunk_t *psk;
    psk = NULL;
    our_pathlen = peer_pathlen = 0;
    best_our_pathlen  = 0;
    best_peer_pathlen = 0;
    wildcards = best_wildcards = 0;
    DBG(DBG_CONTROLMORE
  , DBG_log("refine_connection: starting with %s"
     , c->name));
// 根据对方ID获取对方CA
    peer_ca = get_peer_ca(peer_id);
// 检查对端ID是否匹配
    if (same_id(&c->spd.that.id, peer_id)
// 是否是信任的CA
 && trusted_ca(peer_ca, c->spd.that.ca, &peer_pathlen)
 && peer_pathlen == 0
// 是否是请求的CA
 && match_requested_ca(c->requested_ca, c->spd.this.ca, &our_pathlen)
 && our_pathlen == 0
 ) {
 DBG(DBG_CONTROLMORE
     , DBG_log("refine_connection: happy with starting point: %s"
        , c->name));
// OK, 返回状态对应连接
 return c; /* peer ID matches current connection -- look no further */
    }
#if defined(XAUTH)
// 如果是XAUTH, 更新认证方法
    auth = xauth_calcbaseauth(auth);
#endif
    switch (auth)
    {
// 共享密钥认证
    case OAKLEY_PRESHARED_KEY:
 auth_policy = POLICY_PSK;
// 获取共享密钥
 psk = get_preshared_secret(c);
 /* It should be virtually impossible to fail to find PSK:
  * we just used it to decode the current message!
  */
 if (psk == NULL)
     return NULL; /* cannot determine PSK! */
 break;
// RSA签名认证  
    case OAKLEY_RSA_SIG:
 auth_policy = POLICY_RSASIG;
 if (initiator && c->spd.this.sc == NULL)
 {
     /* at this point, we've committed to our RSA private key:
      * we used it in our previous message.
      */
// 获取RSA密钥
     my_RSA_pri = get_RSA_private_key(c);
     if (my_RSA_pri == NULL)
  return NULL; /* cannot determine my RSA private key! */
 }
 break;
    default:
 bad_case(auth);
    }
    /* The current connection won't do: search for one that will.
     * First search for one with the same pair of hosts.
     * If that fails, search for a suitable Road Warrior or Opportunistic
     * connection (i.e. wildcard peer IP).
     * We need to match:
     * - peer_id (slightly complicated by instantiation)
     * - if PSK auth, the key must not change (we used it to decode message)
     * - policy-as-used must be acceptable to new connection
     * - if initiator, also:
     *   + our ID must not change (we sent it in previous message)
     *   + our RSA key must not change (we used in in previous message)
     */
// 连接C对应的主机对相关的连接链表
    d = c->host_pair->connections;
    for (wcpip = FALSE; ; wcpip = TRUE)
    {
// 遍历链表
 for (; d != NULL; d = d->hp_next)
 {
// 对端ID匹配
     bool match1 = match_id(peer_id, &d->spd.that.id, &wildcards);
// 是否信任的CA
     bool match2 = trusted_ca(peer_ca, d->spd.that.ca, &peer_pathlen);
// 是否是请求的CA
     bool match3 = match_requested_ca(c->requested_ca, d->spd.this.ca,
&our_pathlen);
// 三个条件都要满足
     bool match = match1 && match2 && match3;
     DBG(DBG_CONTROLMORE
  , DBG_log("refine_connection: checking %s against %s, best=%s with
match=%d(id=%d/ca=%d/reqca=%d)"
     , c->name, d->name, best_found ? best_found->name : "(none)"
     , match, match1, match2, match3));
     /* ignore group connections */
// 组策略跳过
     if (d->policy & POLICY_GROUP)
  continue;
     /* check if peer_id matches, exactly or after instantiation */
// 不匹配跳过
     if (!match)
  continue;
     /* if initiator, our ID must match exactly */
// 如果是初始方, 检查本地ID是否匹配
     if (initiator && !same_id(&c->spd.this.id, &d->spd.this.id))
  continue;
     /* authentication used must fit policy of this connection */
// 策略检查
     if ((d->policy & auth_policy) == LEMPTY)
  continue; /* our auth isn't OK for this connection */
// 策略模式检查
     if ((d->policy & POLICY_AGGRESSIVE) ^ p1mode_policy)
  continue;   /* disallow phase1 main/aggressive mode mismatch */
#ifdef XAUTH
// 是否是相同的XAUTH角色, 都是服务器还是都是客户端
     if (d->spd.this.xauth_server != c->spd.this.xauth_server)
  continue; /* disallow xauth/no xauth mismatch */
     if (d->spd.this.xauth_client != c->spd.this.xauth_client)
  continue; /* disallow xauth/no xauth mismatch */
#endif
     DBG(DBG_CONTROLMORE
  , DBG_log("refine_connection: checked %s against %s, now for see if
best"
     , c->name, d->name));
     switch (auth)
     {
     case OAKLEY_PRESHARED_KEY:
  /* secret must match the one we already used */
  {
// 获取连接d的共享密钥
      const chunk_t *dpsk = get_preshared_secret(d);
      if (dpsk == NULL)
   continue; /* no secret */
// 如果此共享密钥和连接c的共享密钥不匹配,跳过
      if (psk != dpsk)
   if (psk->len != dpsk->len
   || memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
       continue; /* different secret */
  }
  break;
     case OAKLEY_RSA_SIG:
  /* We must at least be able to find our private key.
   * If we initiated, it must match the one we
   * used in the SIG_I payload that we sent previously.
   */
   if (d->spd.this.sc == NULL) /* no smartcard */
  {
// 获取连接d的RSA密钥
      const struct RSA_private_key *pri
   = get_RSA_private_key(d);
// 如果和连接c的RSA密钥不匹配,跳过
      if (pri == NULL
      || (initiator && (c->spd.this.sc != NULL
   || !same_RSA_public_key(&my_RSA_pri->pub, &pri->pub))))
       continue;
  }
  else if (initiator && c->spd.this.sc != d->spd.this.sc)
      continue;
  break;
     default:
  bad_case(auth);
     }
     /* d has passed all the tests.
      * We'll go with it if the Peer ID was an exact match.
      */
// 前面都匹配,而且匹配时的各返回参数都是0, 可返回该连接
     if (match && wildcards == 0 && peer_pathlen == 0 && our_pathlen == 0)
  return d;
     /* We'll remember it as best_found in case an exact
      * match doesn't come along.
      */
// 根据这3个返回参数更新最优连接
     if (best_found == NULL || wildcards < best_wildcards
     || ((wildcards == best_wildcards && peer_pathlen < best_peer_pathlen)
  || (peer_pathlen == best_peer_pathlen && our_pathlen <
best_our_pathlen)))
     {
  DBG(DBG_CONTROLMORE
      , DBG_log("refine_connection: picking new best %s (wild=%d,
peer_pathlen=%d/our=%d)"
          , d->name
          , wildcards, peer_pathlen, our_pathlen));
  best_found = d;
  best_wildcards = wildcards;
  best_peer_pathlen = peer_pathlen;
  best_our_pathlen = our_pathlen;
     }
 }
// 如果是动态对端,返回该最合适连接
 if (wcpip)
     return best_found; /* been around twice already */
 /* Starting second time around.
  * We're willing to settle for a connection that needs Peer IP
  * instantiated: Road Warrior or Opportunistic.
  * Look on list of connections for host pair with wildcard Peer IP
  */
// 根据本地地址端口和对方端口查找主机对的连接
 d = find_host_pair_connections(__FUNCTION__, &c->spd.this.host_addr
           , c->spd.this.host_port
           , (ip_address *)NULL
           , c->spd.that.host_port);
    }
}

9.5.4 根据地址端口查找连接

/* find head of list of connections with this pair of hosts */
static struct connection *
find_host_pair_connections(const char *func
      , const ip_address *myaddr, u_int16_t myport   

      , const ip_address *hisaddr, u_int16_t hisport)
{
    char b1[ADDRTOT_BUF],b2[ADDRTOT_BUF];
// 根据本地地址,本地端口,对端地址,对端端口查找主机对
    struct host_pair *hp = find_host_pair(myaddr, myport, hisaddr, hisport);
    DBG(DBG_CONTROLMORE
 , DBG_log("find_host_pair_conn (%s): %s:%d %s:%d -> hp:%s\n"
    , func
    , (addrtot(myaddr,  0, b1, sizeof(b1)), b1)
    , myport
    , hisaddr ? (addrtot(hisaddr, 0, b2, sizeof(b2)), b2) : "%any"
    , hisport
    , (hp && hp->connections) ? hp->connections->name : "none"));
// 如果找到主机对, 返回主机对对应的连接(这是个链表, 返回的是链表头)    
    return hp == NULL? NULL : hp->connections;
}
 
9.5.5 查找合适安全策略路由的连接
/* Find the connection to connection c's peer's client with the
 * largest value of .routing.  All other things being equal,
 * preference is given to c.  If none is routed, return NULL.
 *
 * If erop is non-null, set *erop to a connection sharing both
 * our client subnet and peer's client subnet with the largest value
 * of .routing.  If none is erouted, set *erop to NULL.
 *
 * The return value is used to find other connections sharing a route.
 * *erop is used to find other connections sharing an eroute.
 */
struct connection *
route_owner(struct connection *c
     , struct spd_route **srp
     , struct connection **erop
     , struct spd_route **esrp)
{
    struct connection *d
 , *best_ro = c
 , *best_ero = c;
    struct spd_route *srd, *src;
    struct spd_route *best_sr, *best_esr;
    enum routing_t best_routing, best_erouting;
    passert(oriented(*c));
    best_sr  = NULL;
    best_esr = NULL;
    best_routing = c->spd.routing;
    best_erouting = best_routing;
// 遍历系统连接链表
    for (d = connections; d != NULL; d = d->ac_next)
    {
// 遍历每个连接的安全策略路由连接
 for (srd = &d->spd; srd; srd = srd->next)
 {
// 非路由,跳过
     if (srd->routing == RT_UNROUTED)
  continue;
// 遍历连接c的安全策略路由链表
     for (src=\'#\'" src; src=src->next)
     {
// 比较这两个安全策略路由参数是否匹配
// 对端子网
  if (!samesubnet(&src->that.client, &srd->that.client))
      continue;
// 对端协议
  if (src->that.protocol != srd->that.protocol)
      continue;
// 对端端口
  if (src->that.port != srd->that.port)
      continue;
  passert(oriented(*d));
// best_routing初始化为c的路由
// 如果新路由的路由值更大, 更新best_ro
  if (srd->routing > best_routing)
  {
      best_ro = d;
      best_sr = srd;
      best_routing = srd->routing;
  }
// 比较本地子网
  if (!samesubnet(&src->this.client, &srd->this.client))
      continue;
// 本地协议
  if (src->this.protocol != srd->this.protocol)
      continue;
// 本地端口
  if (src->this.port != srd->this.port)
      continue;
// best_erouting初始化为c的路由
// 如果新路由的路由值更大, 更新best_ero
  if (srd->routing > best_erouting)
  {
      best_ero = d;
      best_esr = srd;
      best_erouting = srd->routing;
  }
     }
 }
    }
// 打印调试信息
    DBG(DBG_CONTROL,
 {
     char cib[CONN_INST_BUF];
     err_t m = builddiag("route owner of \"%s\"%s %s:"
  , c->name
  , (fmt_conn_instance(c, cib), cib)
  , enum_name(&routing_story, c->spd.routing));
     if (!routed(best_ro->spd.routing))
  m = builddiag("%s NULL", m);
     else if (best_ro == c)
  m = builddiag("%s self", m);
     else
  m = builddiag("%s \"%s\"%s %s", m
      , best_ro->name
      , (fmt_conn_instance(best_ro, cib), cib)
      , enum_name(&routing_story, best_ro->spd.routing));
     if (erop != NULL)
     {
  m = builddiag("%s; eroute owner:", m);
  if (!erouted(best_ero->spd.routing))
      m = builddiag("%s NULL", m);
  else if (best_ero == c)
      m = builddiag("%s self", m);
  else
      m = builddiag("%s \"%s\"%s %s", m
   , best_ero->name
   , (fmt_conn_instance(best_ero, cib), cib)
   , enum_name(&routing_story, best_ero->spd.routing));
     }
     DBG_log("%s", m);
 });
// 将best_ero返回
    if (erop != NULL)
 *erop = erouted(best_erouting)? best_ero : NULL;
// 将best_sr和best_esr返回
    if (srp != NULL )
    {
 *srp = best_sr;
 if (esrp != NULL )
     *esrp = best_esr;
    }
// 返回找到的best_ro
    return routed(best_routing)? best_ro : NULL;
}

9.6 输出连接状态

void
show_connections_status(void)
{
    struct connection *c;
    int count, i;
    struct connection **array;

    /* make an array of connections, and sort it */
    count=0;
// 连接链表计数
    for (c = connections; c != NULL; c = c->ac_next)
    {
 count++;
    }
// 分配能容纳所有连接指针的空间, 注意只是指针, 不是整个结构
    array = alloc_bytes(sizeof(struct connection *)*count, "connection array");
    count=0;
// 复制所有连接指针
    for (c = connections; c != NULL; c = c->ac_next)
    {
 array[count++]=c;
    }
    /* sort it! */
// 快速排序,按名称,类型,优先权值排序
    qsort(array, count, sizeof(struct connection *), connection_compare_qsort);
// 遍历所有连接
    for (i=0; i<count; i++)
    {
 const char *ifn;
 char instance[1 + 10 + 1];
 char prio[POLICY_PRIO_BUF];
 c = array[i];
// ipsec网卡名称
 ifn = oriented(*c)? c->interface->ip_dev->id_rname : "";
 instance[0] = '\0';
// 将实例连接的序列号转换为字符串
 if (c->kind == CK_INSTANCE && c->instance_serial != 0)
     snprintf(instance, sizeof(instance), "[%lu]", c->instance_serial);
 /* show topology */
 {
     char topo[CONNECTION_BUF];
     struct spd_route *sr = &c->spd;
     int num=0;
// 遍历安全策略路由
     while (sr != NULL)
     {
  char srcip[ADDRTOT_BUF], dstip[ADDRTOT_BUF];
  char thissemi[3+sizeof("srcup=")];
  char thatsemi[3+sizeof("dstup=")];
  char *thisup, *thatup;
// 输出连接信息到topo数组
  (void) format_connection(topo, sizeof(topo), c, sr);
// 向whack输出
  whack_log(RC_COMMENT, "\"%s\"%s: %s; %s; eroute owner: #%lu"
     , c->name, instance, topo
     , enum_name(&routing_story, sr->routing)
     , sr->eroute_owner);
// 本地地址
  if(addrbytesptr(&c->spd.this.host_srcip, NULL) == 0
     || isanyaddr(&c->spd.this.host_srcip)) {
      strcpy(srcip, "unset");
  } else {
      addrtot(&sr->this.host_srcip, 0, srcip, sizeof(srcip));
  }
// 对端地址
  if(addrbytesptr(&c->spd.that.host_srcip, NULL) == 0
     || isanyaddr(&c->spd.that.host_srcip)) {
      strcpy(dstip, "unset");
  } else {
      addrtot(&sr->that.host_srcip, 0, dstip, sizeof(dstip));
  }
  thissemi[0]='\0';
  thisup=thissemi;
  if(sr->this.updown) {
      thissemi[0]=';';
      thissemi[1]=' ';
      thissemi[2]='\0';
      strcat(thissemi, "srcup=");
      thisup=sr->this.updown;
  }
  
  thatsemi[0]='\0';
  thatup=thatsemi;
  if(sr->that.updown) {
      thatsemi[0]=';';
      thatsemi[1]=' ';
      thatsemi[2]='\0';
      strcat(thatsemi, "dstup=");
      thatup=sr->that.updown;
  }
// 向whack输出  
  whack_log(RC_COMMENT, "\"%s\"%s:     srcip=%s; dstip=%s%s%s%s%s;"
     , c->name, instance, srcip, dstip
     , thissemi, thisup
     , thatsemi, thatup);
  sr = sr->next;
  num++;
     }
 }
// 输出CA信息
 /* show CAs */
 if (c->spd.this.ca.ptr != NULL || c->spd.that.ca.ptr != NULL)
 {
     char this_ca[IDTOA_BUF], that_ca[IDTOA_BUF];
     dntoa_or_null(this_ca, IDTOA_BUF, c->spd.this.ca, "%any");
     dntoa_or_null(that_ca, IDTOA_BUF, c->spd.that.ca, "%any");
     whack_log(RC_COMMENT
  , "\"%s\"%s:   CAs: '%s'...'%s'"
  , c->name
  , instance
  , this_ca
  , that_ca);
 }
// 输出生命期
 whack_log(RC_COMMENT
     , "\"%s\"%s:   ike_life: %lus; ipsec_life: %lus;"
     " rekey_margin: %lus; rekey_fuzz: %lu%%; keyingtries: %lu"
     , c->name
     , instance
     , (unsigned long) c->sa_ike_life_seconds
     , (unsigned long) c->sa_ipsec_life_seconds
     , (unsigned long) c->sa_rekey_margin
     , (unsigned long) c->sa_rekey_fuzz
     , (unsigned long) c->sa_keying_tries);
 if (c->policy_next)
 {
     whack_log(RC_COMMENT
        , "\"%s\"%s:   policy_next: %s"
        , c->name, instance, c->policy_next->name);
 }
 /* Note: we display key_from_DNS_on_demand as if policy [lr]KOD */
// 输出策略优先级信息
 fmt_policy_prio(c->prio, prio);
 whack_log(RC_COMMENT
     , "\"%s\"%s:   policy: %s%s%s; prio: %s; interface: %s; encap: %s;"
     , c->name
     , instance
     , prettypolicy(c->policy)
     , c->spd.this.key_from_DNS_on_demand? "+lKOD" : ""
     , c->spd.that.key_from_DNS_on_demand? "+rKOD" : ""
     , prio
     , ifn
    ,c->forceencaps ? "udp" : "esp");
// 输出DPD信息
 /* slightly complicated stuff to avoid extra crap */
 if(c->dpd_timeout > 0 || DBGP(DBG_DPD)) {
     whack_log(RC_COMMENT
        , "\"%s\"%s:   dpd: %s; delay:%lu; timeout:%lu; "
        , c->name
        , instance
        , enum_name(&dpd_action_names, c->dpd_action)
        , c->dpd_delay, c->dpd_timeout);
 }
 if(c->extra_debugging) {
     whack_log(RC_COMMENT, "\"%s\"%s:   debug: %s"
        , c->name
        , instance
        , bitnamesof(debug_bit_names
       , c->extra_debugging));
 }
// 输出SA信息
 whack_log(RC_COMMENT
     , "\"%s\"%s:   newest ISAKMP SA: #%ld; newest IPsec SA: #%ld; "
     , c->name
     , instance
     , c->newest_isakmp_sa
     , c->newest_ipsec_sa);
#ifdef IKE_ALG
// 输出IKE算法信息
 ike_alg_show_connection(c, instance);
#endif
#ifdef KERNEL_ALG
// 输出内核算法信息
 kernel_alg_show_connection(c, instance);
#endif
    }
// 释放数组
    pfree(array);
}

...... 待续 ......
 

你可能感兴趣的:(职场,休闲)