-
Notifications
You must be signed in to change notification settings - Fork 213
Code design and explanations
This is currently an ad-hoc scribble place to jot down notes while encountering things, being confused, and getting it explained by a programmer. It will get updated slowly and strangely, but feel free to add to it
- event driven
- state machine based
- not really threaded
- helpers and continuations
- userland state vs kernel state
Pluto has a concept of connections and states. A connection is what you define in a configuration file. There are a few types of connections, differentiated by c→kind
- CK_PERMANENT: static single connection which can be up or down
- CK_TEMPLATE: a connection that can have multiple instantiations. The template itself is never “up”
- CK_INSTANCE: An instance of a template
The reason for instantiating a template is that some part of the connection is variable, and you do not want to change the template itself. Examples include
- right=%any Roadwarriors who have different right= IP addresses
- rightprotoport=17/%any These connections can ask for any 1 port (usually depends on the NAT)
- rightsubnet=vnet:%priv These connections can happen when Openswan is a “cloud gateway” where connecting clients differ their RFC1918 space
- narrowing=yes (IKEv2) These connections can be dynamically narrowed on demand.
- struct state
- struct connection
- struct end
- stf_status
- pluto --nhelpers 0
- do this by adding in [setup] section of /etc/ipsec.conf:
nhelpers=0- compile stage define: PLUTO_CRYPTO_HELPER_DEBUG
- pluto --nofork
- The init script is created from setup (programs/setup/setup.in)
- Some other scripts involved:
– _realsetup (called by setup; calls _plutorun)
– _plutorun (launches pluto and calls _plutoload)
– _plutoload (loads the init file by calling ipsec addconn which calls whack on each connection)
- the init file is /etc/ipsec.conf
- it is NOT read on startup by pluto
- some of the above startup scripts run a program that reads it, and then send the config, piece by piece, to pluto via a command called whack.
- include/ietf_constants.h and lib/libopenswan/constants.c
- include/pluto_constants.h
- programs/pluto/state.h
- marshalling code in in_struct/out_struct – should be the only place for host/network ordering
- include/packet.h
- lib/libipsecconf/
- lib/libipsecsecrets/