authorRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
commitaa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (patch)
tree95f3d0c8cb0d59d88900dbbd72110d7ab6e15b2a /programs/_startklips/_startklips.in
parent7c383bc22113b23718be89fe18eeb251942d7356 (diff)
Import initial strongswan 2.7.0 version into SVN.
Diffstat (limited to 'programs/_startklips/_startklips.in')
-rwxr-xr-xprograms/_startklips/_startklips.in367
1 files changed, 367 insertions, 0 deletions
diff --git a/programs/_startklips/_startklips.in b/programs/_startklips/_startklips.in
new file mode 100755
index 000000000..7f85a94de
--- /dev/null
+++ b/programs/_startklips/_startklips.in
@@ -0,0 +1,367 @@
+#!/bin/sh
+# KLIPS startup script
+# Copyright (C) 1998, 1999, 2001, 2002 Henry Spencer.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: _startklips.in,v 1.6 2005/05/06 22:11:33 as Exp $
+
+me='ipsec _startklips' # for messages
+
+# KLIPS-related paths
+sysflags=/proc/sys/net/ipsec
+modules=/proc/modules
+# full rp_filter path is $rpfilter1/interface/$rpfilter2
+rpfilter1=/proc/sys/net/ipv4/conf
+rpfilter2=rp_filter
+# %unchanged or setting (0, 1, or 2)
+rpfiltercontrol=0
+ipsecversion=/proc/net/ipsec_version
+moduleplace=/lib/modules/`uname -r`/kernel/net/ipsec
+bareversion=`uname -r | sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/'`
+moduleinstplace=/lib/modules/$bareversion/kernel/net/ipsec
+modulename=ipsec.o
+klips=true
+netkey=/proc/net/pfkey
+
+info=/dev/null
+log=daemon.error
+for dummy
+do
+ case "$1" in
+ --log) log="$2" ; shift ;;
+ --info) info="$2" ; shift ;;
+ --debug) debug="$2" ; shift ;;
+ --omtu) omtu="$2" ; shift ;;
+ --fragicmp) fragicmp="$2" ; shift ;;
+ --hidetos) hidetos="$2" ; shift ;;
+ --rpfilter) rpfiltercontrol="$2" ; shift ;;
+ --) shift ; break ;;
+ -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
+ *) break ;;
+ esac
+ shift
+done
+
+
+
+# some shell functions, to clarify the actual code
+
+# set up a system flag based on a variable
+# sysflag value shortname default flagname
+sysflag() {
+ case "$1" in
+ '') v="$3" ;;
+ *) v="$1" ;;
+ esac
+ if test ! -f $sysflags/$4
+ then
+ if test " $v" != " $3"
+ then
+ echo "cannot do $2=$v, $sysflags/$4 does not exist"
+ exit 1
+ else
+ return # can't set, but it's the default anyway
+ fi
+ fi
+ case "$v" in
+ yes|no) ;;
+ *) echo "unknown (not yes/no) $2 value \`$1'"
+ exit 1
+ ;;
+ esac
+ case "$v" in
+ yes) echo 1 >$sysflags/$4 ;;
+ no) echo 0 >$sysflags/$4 ;;
+ esac
+}
+
+# set up a Klips interface
+klipsinterface() {
+ # pull apart the interface spec
+ virt=`expr $1 : '\([^=]*\)=.*'`
+ phys=`expr $1 : '[^=]*=\(.*\)'`
+ case "$virt" in
+ ipsec[0-9]) ;;
+ *) echo "invalid interface \`$virt' in \`$1'" ; exit 1 ;;
+ esac
+
+ # figure out ifconfig for interface
+ addr=
+ eval `ifconfig $phys |
+ awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ {
+ gsub(/:/, " ", $0)
+ print "addr=" $3
+ other = $5
+ if ($4 == "Bcast")
+ print "type=broadcast"
+ else if ($4 == "P-t-P")
+ print "type=pointopoint"
+ else if (NF == 5) {
+ print "type="
+ other = ""
+ } else
+ print "type=unknown"
+ print "otheraddr=" other
+ print "mask=" $NF
+ }'`
+ if test " $addr" = " "
+ then
+ echo "unable to determine address of \`$phys'"
+ exit 1
+ fi
+ if test " $type" = " unknown"
+ then
+ echo "\`$phys' is of an unknown type"
+ exit 1
+ fi
+ if test " $omtu" != " "
+ then
+ mtu="mtu $omtu"
+ else
+ mtu=
+ fi
+ echo "KLIPS $virt on $phys $addr/$mask $type $otheraddr $mtu" | logonly
+
+ if $klips
+ then
+ # attach the interface and bring it up
+ ipsec tncfg --attach --virtual $virt --physical $phys
+ ifconfig $virt inet $addr $type $otheraddr netmask $mask $mtu
+ fi
+
+ # if %defaultroute, note the facts
+ if test " $2" != " "
+ then
+ (
+ echo "defaultroutephys=$phys"
+ echo "defaultroutevirt=$virt"
+ echo "defaultrouteaddr=$addr"
+ if test " $2" != " 0.0.0.0"
+ then
+ echo "defaultroutenexthop=$2"
+ fi
+ ) >>$info
+ else
+ echo '#dr: no default route' >>$info
+ fi
+
+ # check for rp_filter trouble
+ checkif $phys # thought to be a problem only on phys
+}
+
+# check an interface for problems
+checkif() {
+ $klips || return 0
+ rpf=$rpfilter1/$1/$rpfilter2
+ if test -f $rpf
+ then
+ r="`cat $rpf`"
+ if test " $r" != " 0"
+ then
+ case "$r-$rpfiltercontrol" in
+ 0-%unchanged|0-0|1-1|2-2)
+ # happy state
+ ;;
+ *-%unchanged)
+ echo "WARNING: $1 has route filtering turned on; KLIPS may not work ($rpf is $r)"
+ ;;
+ [012]-[012])
+ echo "WARNING: changing route filtering on $1 (changing $rpf from $r to $rpfiltercontrol)"
+ echo "$rpfiltercontrol" >$rpf
+ ;;
+ [012]-*)
+ echo "ERROR: unknown rpfilter setting: $rpfiltercontrol"
+ ;;
+ *)
+ echo "ERROR: unknown $rpf value $r"
+ ;;
+ esac
+ fi
+ fi
+}
+
+# interfaces=%defaultroute: put ipsec0 on top of default route's interface
+defaultinterface() {
+ phys=`netstat -nr |
+ awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'`
+ if test " $phys" = " "
+ then
+ echo "no default route, %defaultroute cannot cope!!!"
+ exit 1
+ fi
+ if test `echo " $phys" | wc -l` -gt 1
+ then
+ echo "multiple default routes, %defaultroute cannot cope!!!"
+ exit 1
+ fi
+ next=`netstat -nr |
+ awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2 }'`
+ klipsinterface "ipsec0=$phys" $next
+}
+
+# log only to syslog, not to stdout/stderr
+logonly() {
+ logger -p $log -t ipsec_setup
+}
+
+# sort out which module is appropriate, changing it if necessary
+setmodule() {
+ wantgoo="`ipsec calcgoo /proc/ksyms`"
+ module=$moduleplace/$modulename
+ if test -f $module
+ then
+ goo="`nm -ao $module | ipsec calcgoo`"
+ if test " $wantgoo" = " $goo"
+ then
+ return # looks right
+ fi
+ fi
+ if test -f $moduleinstplace/$wantgoo
+ then
+ echo "insmod failed, but found matching template module $wantgoo."
+ echo "Copying $moduleinstplace/$wantgoo to $module."
+ rm -f $module
+ mkdir -p $moduleplace
+ cp -p $moduleinstplace/$wantgoo $module
+ # "depmod -a" gets done by caller
+ fi
+}
+
+
+
+# main line
+
+# load module if possible
+if test ! -f $ipsecversion && test ! -f $netkey
+then
+ # statically compiled KLIPS not found; try to load the module
+ insmod ipsec
+fi
+
+if test ! -f $ipsecversion && test ! -f $netkey
+then
+ modprobe -v af_key
+fi
+
+if test -f $netkey
+then
+ klips=false
+ if test -f $modules
+ then
+ modprobe -qv ah4
+ modprobe -qv esp4
+ modprobe -qv ipcomp
+ modprobe -qv xfrm4_tunnel
+ modprobe -qv xfrm_user
+ fi
+fi
+
+if test ! -f $ipsecversion && $klips
+then
+ if test -r $modules # kernel does have modules
+ then
+ setmodule
+ unset MODPATH MODULECONF # no user overrides!
+ depmod -a >/dev/null 2>&1
+ modprobe -v ipsec
+ fi
+ if test ! -f $ipsecversion
+ then
+ echo "kernel appears to lack KLIPS"
+ exit 1
+ fi
+fi
+
+# load all compiled algo modules
+if $klips
+then
+ for alg in aes serpent twofish blowfish sha2
+ do
+ if test -f $moduleinstplace/alg/ipsec_$alg.o
+ then
+ modprobe ipsec_$alg
+ fi
+ done
+fi
+
+# figure out debugging flags
+case "$debug" in
+'') debug=none ;;
+esac
+if test -r /proc/net/ipsec_klipsdebug
+then
+ echo "KLIPS debug \`$debug'" | logonly
+ case "$debug" in
+ none) ipsec klipsdebug --none ;;
+ all) ipsec klipsdebug --all ;;
+ *) ipsec klipsdebug --none
+ for d in $debug
+ do
+ ipsec klipsdebug --set $d
+ done
+ ;;
+ esac
+elif $klips
+then
+ if test " $debug" != " none"
+ then
+ echo "klipsdebug=\`$debug' ignored, KLIPS lacks debug facilities"
+ fi
+fi
+
+# figure out misc. kernel config
+if test -d $sysflags
+then
+ sysflag "$fragicmp" "fragicmp" yes icmp
+ echo 1 >$sysflags/inbound_policy_check # no debate
+ sysflag no "no_eroute_pass" no no_eroute_pass # obsolete parm
+ sysflag no "opportunistic" no opportunistic # obsolete parm
+ sysflag "$hidetos" "hidetos" yes tos
+elif $klips
+then
+ echo "WARNING: cannot adjust KLIPS flags, no $sysflags directory!"
+ # carry on
+fi
+
+if $klips; then
+ # clear tables out in case dregs have been left over
+ ipsec eroute --clear
+ ipsec spi --clear
+elif test $netkey
+then
+ if ip xfrm state > /dev/null 2>&1
+ then
+ ip xfrm state flush
+ ip xfrm policy flush
+ elif type setkey > /dev/null 2>&1
+ then
+ setkey -F
+ setkey -FP
+ else
+ echo "WARNING: cannot flush state/policy database -- \`$1'" |
+ logger -s -p $log -t ipsec_setup
+ fi
+fi
+
+# figure out interfaces
+for i
+do
+ case "$i" in
+ ipsec*=?*) klipsinterface "$i" ;;
+ %defaultroute) defaultinterface ;;
+ *) echo "interface \`$i' not understood"
+ exit 1
+ ;;
+ esac
+done
+
+exit 0
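Review bot: The `elif test $netkey` branch in the flush section tests a non-empty string constant (`netkey=/proc/net/pfkey` is set near the top of the file), so the condition is always true; every other probe of that path in the file uses a file test, and this one should read `elif test -f $netkey` to match. Inside that branch the fallback warning interpolates `\`$1'`, which at that point is the first remaining positional argument, i.e. the first interface spec handed to the `for i` loop below, and has nothing to do with the flush; a message that names what was actually missing, e.g. `echo "WARNING: cannot flush state/policy database -- neither ip xfrm nor setkey available" |`, would be less misleading. Separately, the `[012]-[012]` arm of checkif rewrites rp_filter on the physical interface and only echoes its WARNING to stdout; since that relaxes reverse-path filtering, piping the line through `logonly` as the interface summary in klipsinterface already does would leave a syslog record of the change.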