summaryrefslogtreecommitdiff
path: root/testing/hosts/alice/etc/init.d
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
commitaa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (patch)
tree95f3d0c8cb0d59d88900dbbd72110d7ab6e15b2a /testing/hosts/alice/etc/init.d
parent7c383bc22113b23718be89fe18eeb251942d7356 (diff)
downloadvyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.tar.gz
vyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.zip
Import initial strongswan 2.7.0 version into SVN.
Diffstat (limited to 'testing/hosts/alice/etc/init.d')
-rwxr-xr-xtesting/hosts/alice/etc/init.d/iptables74
-rwxr-xr-xtesting/hosts/alice/etc/init.d/net.eth0314
2 files changed, 388 insertions, 0 deletions
diff --git a/testing/hosts/alice/etc/init.d/iptables b/testing/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..1097ac5a4
--- /dev/null
+++ b/testing/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,74 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow NAT-T
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/hosts/alice/etc/init.d/net.eth0 b/testing/hosts/alice/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/alice/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+ set -x
+ devnull=/dev/stderr
+else
+ devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+ use hotplug pcmcia
+}
+
+checkconfig() {
+ if [[ -z "${ifconfig_IFACE}" ]]; then
+ eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+ eerror "(or \$iface_$IFACE for old-style configuration)"
+ return 1
+ fi
+ if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+ eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+ return 1
+ fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+ LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+# status_IFACE (up or '')
+# vlans_IFACE (space-separated list)
+# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE)
+# dhcpcd_IFACE (command-line args for dhcpcd)
+# routes_IFACE (array of route lines)
+# inet6_IFACE (array of inet6 lines)
+# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails)
+setup_vars() {
+ local i iface="${1//\./_}"
+
+ status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+ eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+ eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+ eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+ eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+ eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+ eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+ # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+ # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+ eval local iface_IFACE=\"\$\{iface_$iface\}\"
+ if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+ # Make sure these get evaluated as arrays
+ local -a aliases broadcasts netmasks
+
+ # Start with the primary interface
+ ifconfig_IFACE=( "${iface_IFACE}" )
+
+ # ..then add aliases
+ eval aliases=( \$\{alias_$iface\} )
+ eval broadcasts=( \$\{broadcast_$iface\} )
+ eval netmasks=( \$\{netmask_$iface\} )
+ for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+ ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+ done
+ fi
+
+ # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+ if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+ inet6_IFACE=( ${inet6_IFACE} )
+ fi
+}
+
+iface_start() {
+ local IFACE=${1} i x retval
+ checkconfig || return 1
+
+ if [[ ${ifconfig_IFACE} != dhcp ]]; then
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Bringing ${IFACE} up (${i})"
+ else
+ ebegin "Bringing ${IFACE} up"
+ fi
+ # ifconfig does not always return failure ..
+ ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+ ifconfig ${IFACE} up &>${devnull}
+ eend $? || return $?
+ else
+ # Check that eth0 was not brought up by the kernel ...
+ if [[ ${status_IFACE} == up ]]; then
+ einfo "Keeping kernel configuration for ${IFACE}"
+ else
+ ebegin "Bringing ${IFACE} up via DHCP"
+ /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+ retval=$?
+ eend $retval
+ if [[ $retval == 0 ]]; then
+ # DHCP succeeded, show address retrieved
+ i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' |
+ cut -d: -f2)
+ [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}"
+ elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+ # DHCP failed, try fallback.
+ # Show the address, but catch if this interface will be inet6 only
+ i=${ifconfig_fallback_IFACE%% *}
+ if [[ ${i} == *.*.*.* ]]; then
+ ebegin "Using fallback configuration (${i}) for ${IFACE}"
+ else
+ ebegin "Using fallback configuration for ${IFACE}"
+ fi
+ ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+ ifconfig ${IFACE} up &>${devnull}
+ eend $? || return $?
+ else
+ return $retval
+ fi
+ fi
+ fi
+
+ if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+ einfo " Adding aliases"
+ for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+ ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+ ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+ eend $?
+ done
+ fi
+
+ if [[ -n ${inet6_IFACE} ]]; then
+ einfo " Adding inet6 addresses"
+ for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+ ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}"
+ ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+ eend $?
+ done
+ fi
+
+ # Set static routes
+ if [[ -n ${routes_IFACE} ]]; then
+ einfo " Adding routes"
+ for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+ ebegin " ${routes_IFACE[i]}"
+ /sbin/route add ${routes_IFACE[i]}
+ eend $?
+ done
+ fi
+
+ # Set default route if applicable to this interface
+ if [[ ${gateway} == ${IFACE}/* ]]; then
+ local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+ local gw=${gateway#*/}
+ if [[ ${ogw} != ${gw} ]]; then
+ ebegin " Setting default gateway ($gw)"
+
+ # First delete any existing route if it was setup by kernel...
+ /sbin/route del default dev ${IFACE} &>${devnull}
+
+ # Second delete old gateway if it was set...
+ /sbin/route del default gw ${ogw} &>${devnull}
+
+ # Third add our new default gateway
+ /sbin/route add default gw ${gw} >${devnull}
+ eend $? || {
+ true # need to have some command in here
+ # Note: This originally called stop, which is obviously
+ # wrong since it's calling with a local version of IFACE.
+ # The below code works correctly to abort configuration of
+ # the interface, but is commented because we're assuming
+ # that default route failure should not cause the interface
+ # to be unconfigured.
+ #local error=$?
+ #ewarn "Aborting configuration of ${IFACE}"
+ #iface_stop ${IFACE}
+ #return ${error}
+ }
+ fi
+ fi
+
+ # Enabling rp_filter causes wacky packets to be auto-dropped by
+ # the kernel. Note that we only do this if it is not set via
+ # /etc/sysctl.conf ...
+ if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+ -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+ echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+ fi
+}
+
+# iface_stop: bring down an interface. Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran. Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+ local IFACE=${1} i x aliases inet6 count
+
+ # Try to do a simple down (no aliases, no inet6, no dhcp)
+ aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+ inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+ if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+ ebegin "Bringing ${IFACE} down"
+ ifconfig ${IFACE} down &>/dev/null
+ eend 0
+ return 0
+ fi
+
+ einfo "Bringing ${IFACE} down"
+
+ # Stop aliases before primary interface.
+ # Note this must be done in reverse order, since ifconfig eth0:1
+ # will remove eth0:2, etc. It might be sufficient to simply remove
+ # the base interface but we're being safe here.
+ for i in ${aliases} ${IFACE}; do
+
+ # Delete all the inet6 addresses for this interface
+ inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+ if [[ -n ${inet6} ]]; then
+ einfo " Removing inet6 addresses"
+ for x in ${inet6}; do
+ ebegin " ${IFACE} inet6 del ${x}"
+ ifconfig ${i} inet6 del ${x}
+ eend $?
+ done
+ fi
+
+ # Stop DHCP (should be N/A for aliases)
+ # Don't trust current configuration... investigate ourselves
+ if /sbin/dhcpcd -z ${i} &>${devnull}; then
+ ebegin " Releasing DHCP lease for ${IFACE}"
+ for ((count = 0; count < 9; count = count + 1)); do
+ /sbin/dhcpcd -z ${i} &>${devnull} || break
+ sleep 1
+ done
+ [[ ${count} -lt 9 ]]
+ eend $? "Timed out"
+ fi
+ ebegin " Stopping ${i}"
+ ifconfig ${i} down &>${devnull}
+ eend 0
+ done
+
+ return 0
+}
+
+start() {
+ # These variables are set by setup_vars
+ local status_IFACE vlans_IFACE dhcpcd_IFACE
+ local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+ # Call user-defined preup function if it exists
+ if [[ $(type -t preup) == function ]]; then
+ einfo "Running preup function"
+ preup ${IFACE} || {
+ eerror "preup ${IFACE} failed"
+ return 1
+ }
+ fi
+
+ # Start the primary interface and aliases
+ setup_vars ${IFACE}
+ iface_start ${IFACE} || return 1
+
+ # Start vlans
+ local vlan
+ for vlan in ${vlans_IFACE}; do
+ /sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+ setup_vars ${IFACE}.${vlan}
+ iface_start ${IFACE}.${vlan}
+ done
+
+ # Call user-defined postup function if it exists
+ if [[ $(type -t postup) == function ]]; then
+ einfo "Running postup function"
+ postup ${IFACE}
+ fi
+}
+
+stop() {
+ # Call user-defined predown function if it exists
+ if [[ $(type -t predown) == function ]]; then
+ einfo "Running predown function"
+ predown ${IFACE}
+ fi
+
+ # Don't depend on setup_vars since configuration might have changed.
+ # Investigate current configuration instead.
+ local vlan
+ for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+ iface_stop ${vlan}
+ /sbin/vconfig rem ${vlan} >${devnull}
+ done
+
+ iface_stop ${IFACE} || return 1 # always succeeds, btw
+
+ # Call user-defined postdown function if it exists
+ if [[ $(type -t postdown) == function ]]; then
+ einfo "Running postdown function"
+ postdown ${IFACE}
+ fi
+}
+
+# vim:ts=4