diff options
Diffstat (limited to 'programs/_realsetup/_realsetup.in')
| -rwxr-xr-x | programs/_realsetup/_realsetup.in | 456 |
1 files changed, 456 insertions, 0 deletions
diff --git a/programs/_realsetup/_realsetup.in b/programs/_realsetup/_realsetup.in new file mode 100755 index 000000000..91b6e98d3 --- /dev/null +++ b/programs/_realsetup/_realsetup.in @@ -0,0 +1,456 @@ +#!/bin/sh +# IPsec startup and shutdown command +# Copyright (C) 1998, 1999, 2001 Henry Spencer. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: _realsetup.in,v 1.10 2005/09/25 21:30:52 as Exp $ + +IPSEC_NAME=strongSwan + +me='ipsec setup' # for messages + +# Misc. paths (some of this should perhaps be overrideable from ipsec.conf). +plutopid=/var/run/pluto.pid +subsyslock=/var/lock/subsys/ipsec +lock=/var/run/ipsec_setup.pid +info=/var/run/ipsec.info +sysflags=/proc/sys/net/ipsec +modules=/proc/modules +ipforward=/proc/sys/net/ipv4/ip_forward +ipsecversion=/proc/net/ipsec_version +kamepfkey=/proc/net/pfkey + +# make sure output of (e.g.) ifconfig is in English +unset LANG LANGUAGE LC_ALL LC_MESSAGES + +# check we were called properly +if test " $IPSEC_confreadsection" != " setup" +then + echo "$me: $0 must be called by ipsec_setup" >&2 + exit 1 +fi +# defaults for "config setup" items + +IPSECinterfaces=${IPSECinterfaces:-%defaultroute} + if test " $IPSECinterfaces" = " %none" ; then IPSECinterfaces= ; fi +# IPSECforwardcontrol "no" +# IPSECsyslog "daemon.error" +# IPSECklipsdebug "none" +# IPSECplutodebug "none" +# IPSECdumpdir "" (no dump) +# IPSECmanualstart "" +# IPSECpluto "yes" +IPSECplutowait=${IPSECplutowait:-no} +# IPSECprepluto "" +# IPSECpostpluto "" +# IPSECfragicmp "yes" +# IPSEChidetos "yes" +IPSECrp_filter=${IPSECrp_filter:-0} +IPSECuniqueids=${IPSECuniqueids:-yes} +IPSECcrlcheckinterval=${IPSECcrlcheckinterval:-0} +# IPSECpkcs11module "" +# IPSECoverridemtu "" + +# Shall we trace? +execute="true" +display="false" +for i in $IPSEC_setupflags +do + case "$i" in + "--showonly") execute="false" ; display=true ;; + "--show") display=true ;; + esac +done + +if $display +then + echo " " PATH="$PATH" +fi + +perform() { + if $display + then + echo " " "$*" + fi + + if $execute + then + eval "$*" + fi +} + +# function to set up manually-keyed connections +manualconns() { + if test " $IPSECmanualstart" != " " + then + for tu in $IPSECmanualstart + do + perform ipsec manual --up $tu + done + fi + + # search for things to "ipsec manual --up": auto == "manual" + eval `ipsec _confread --varprefix MANUALSTART --search auto manual` + if test " $MANUALSTART_confreadstatus" != " " + then + echo "auto=manual search: $MANUALSTART_confreadstatus" + echo "unable to determine what conns to manual --up; none done" + elif test " $MANUALSTART_confreadnames" != " " + then + for tu in $MANUALSTART_confreadnames + do + perform ipsec manual --up $tu + done + fi +} + +# for no-stdout logging: +LOGONLY="logger -p $IPSECsyslog -t ipsec_setup" + +# What an ugly string. +# Must be a string, not a function, because it is nested +# within another sequence (for plutorun). +# Luckily there are NO substitutions in it. +KILLKLIPS='ifl=` ifconfig | sed -n -e "/^ipsec/s/ .*//p" ` ; + test "X$ifl" != "X" && + for i in $ifl ; + do + ifconfig $i down ; + ipsec tncfg --detach --virtual $i ; + done ; + test -r /proc/net/ipsec_klipsdebug && ipsec klipsdebug --none ; + ipsec eroute --clear ; + ipsec spi --clear ; + for alg in aes serpent twofish blowfish sha2 ; + do + lsmod 2>&1 | grep "^ipsec_$alg" > /dev/null && rmmod ipsec_$alg ; + done ; + lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec' + +if test -f $kamepfkey +then + KILLKLIPS=' + if ip xfrm state > /dev/null 2>&1 ; + then + ip xfrm state flush ; + ip xfrm policy flush ; + elif type setkey > /dev/null 2>&1 ; + then + setkey -F ; + setkey -FP ; + fi' +fi + + + +# do it +case "$1" in + start|--start|_autostart) + # First, does it seem to be going already? + perform test ! -f $lock "||" "{" \ + echo "\"$IPSEC_NAME IPsec apparently already running, start aborted\"" ";" \ + exit 1 ";" \ + "}" + + # announcement + # (Warning, changes to this log message may affect barf.) + version="`ipsec --version | awk 'NR == 1 { print $(3) }' | sed -e 's/^U\(.*\)\/K(.*/\1/'`" + case "$1" in + start|--start) perform echo "\"Starting $IPSEC_NAME IPsec $version...\"" ;; + _autostart) perform echo "\"Restarting $IPSEC_NAME IPsec $version...\"" ;; + esac + + # preliminaries + perform rm -f $lock + + for f in /dev/random /dev/urandom + do + perform test -r $f "||" "{" \ + echo "\"...unable to start $IPSEC_NAME IPsec, no $f!\"" ";" \ + exit 1 ";" \ + "}" + done + + # the meaning of $$ at a different runtime is questionable! + perform echo '$$' ">" $lock + perform test -s $lock "||" "{" \ + echo "\"...unable to create $lock, aborting start!\"" ";" \ + rm -f $lock ";" \ + exit 1 ";" \ + "}" + + perform ">" $info + + # here we go + perform ipsec _startklips \ + --info $info \ + --debug "\"$IPSECklipsdebug\"" \ + --omtu "\"$IPSECoverridemtu\"" \ + --fragicmp "\"$IPSECfragicmp\"" \ + --hidetos "\"$IPSEChidetos\"" \ + --rpfilter "\"$IPSECrp_filter\"" \ + --log "\"$IPSECsyslog\"" \ + $IPSECinterfaces "||" \ + "{" rm -f $lock ";" exit 1 ";" "}" + + perform test -f $ipsecversion "||" \ + test -f $kamepfkey "||" "{" \ + echo "\"OOPS, should have aborted! Broken shell!\"" ";" \ + exit 1 ";" \ + "}" + + # misc pre-Pluto setup + + perform test -d `dirname $subsyslock` "&&" touch $subsyslock + + if test " $IPSECforwardcontrol" = " yes" + then + perform grep '"^0"' $ipforward ">" /dev/null "&&" "{" \ + echo "\"enabling IP forwarding:\"" "|" $LOGONLY ";" \ + echo "\"ipforwardingwas=$fw\"" ">>" $info ";" \ + echo 1 ">" $ipforward ";" \ + "}" + fi + manualconns + + plutorestartoncrash="" + case "$IPSECplutorestartoncrash" in + true|[yY]|yes|restart) plutorestartoncrash="--plutorestartoncrash true";; + false|[nN]|no|die) plutorestartoncrash="--plutorestartoncrash false" ;; + esac + + # Pluto + case "$1" in + start|--start) re= ;; + _autostart) re=--re ;; + esac + if test " $IPSECpluto" != " no" + then + perform ipsec _plutorun $re \ + --debug "\"$IPSECplutodebug\"" \ + --uniqueids "\"$IPSECuniqueids\"" \ + --nocrsend "\"$IPSECnocrsend\"" \ + --strictcrlpolicy "\"$IPSECstrictcrlpolicy\"" \ + --cachecrls "\"$IPSECcachecrls\"" \ + --nat_traversal "\"$IPSECnat_traversal\"" \ + --keep_alive "\"$IPSECkeep_alive\"" \ + --force_keepalive "\"$IPSECforce_keepalive\"" \ + --disable_port_floating "\"$IPSECdisable_port_floating\"" \ + --virtual_private "\"$IPSECvirtual_private\"" \ + --crlcheckinterval "\"$IPSECcrlcheckinterval\"" \ + --pkcs11module "\"$IPSECpkcs11module\"" \ + --pkcs11keepstate "\"$IPSECpkcs11keepstate\"" \ + --pkcs11proxy "\"$IPSECpkcs11proxy\"" \ + --dump "\"$IPSECdumpdir\"" \ + --opts "\"$IPSECplutoopts\"" \ + --stderrlog "\"$IPSECplutostderrlog\"" \ + --wait "\"$IPSECplutowait\"" \ + --pre "\"$IPSECprepluto\"" \ + --post "\"$IPSECpostpluto\"" \ + --log "\"$IPSECsyslog\"" $plutorestartoncrash \ + --pid "\"$plutopid\"" "||" "{" \ + $KILLKLIPS ";" \ + rm -f $lock ";" \ + exit 1 ";" \ + "}" + fi + + # done! + perform echo "\"...$IPSEC_NAME IPsec started\"" "|" $LOGONLY + ;; + + stop|--stop|_autostop) # _autostop is same as stop + # Shut things down. + perform echo "\"Stopping $IPSEC_NAME IPsec...\"" + perform \ + if test -r $lock ";" \ + then \ + status=0 ";" \ + . $info ";" \ + else \ + echo "\"stop ordered, but IPsec does not appear to be running!\"" ";" \ + echo "\"doing cleanup anyway...\"" ";" \ + status=1 ";" \ + fi + if test " $IPSECforwardcontrol" = " yes" + then + perform test "\"X\$ipforwardingwas\"" = "\"X0\"" "&&" "{" \ + echo "\"disabling IP forwarding:\"" "|" $LOGONLY ";" \ + echo 0 ">" $ipforward ";" \ + "}" + fi + + perform test -f $plutopid "&&" "{" \ + if ps -p '`' cat $plutopid '`' ">" /dev/null ";" \ + then \ + ipsec whack --shutdown "|" grep -v "^002" ";" \ + sleep 1 ";" \ + if test -s $plutopid ";" \ + then \ + echo "\"Attempt to shut Pluto down failed! Trying kill:\"" ";" \ + kill '`' cat $plutopid '`' ";" \ + sleep 5 ";" \ + fi ";" \ + else \ + echo "\"Removing orphaned $plutopid:\"" ";" \ + fi ";" \ + rm -f $plutopid ";" \ + "}" + + perform $KILLKLIPS + + perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock + + perform rm -f $info $lock + perform echo "...$IPSEC_NAME IPsec stopped" "|" $LOGONLY + perform exit \$status + ;; + + status|--status) + if test " $IPSEC_setupflags" != " " + then + echo "$me $1 does not support $IPSEC_setupflags" + exit 1 + fi + + if test -f $info + then + hasinfo=yes + fi + + if test -f $lock + then + haslock=yes + fi + + if test -f $subsyslock + then + hassublock=yes + fi + + if test -s $plutopid + then + if ps -p `cat $plutopid` >/dev/null + then + plutokind=normal + elif ps -C pluto >/dev/null + then + plutokind=illicit + fi + elif ps -C pluto >/dev/null + then + plutokind=orphaned + else + plutokind=no + fi + + if test -r /proc/net/ipsec_eroute + then + if test " `wc -l </proc/net/ipsec_eroute`" -gt 0 + then + eroutes=yes + fi + fi + + if test -r $ipsecversion + then + klips=yes + elif test -r $modules + then + klips=maybe + else + klips=none + fi + + if test "$haslock" + then + echo "IPsec running" + # might not be a subsystem lock dir, ignore that issue + if test "$plutokind" = "normal" -a "$klips" = "yes" -a "$hasinfo" + then + echo "pluto pid `cat $plutopid`" + exit 0 + fi + echo "but..." + if test "$plutokind" != "normal" + then + echo "$plutokind Pluto running!" + fi + if test ! "$hasinfo" + then + echo "$info file missing!" + fi + case $klips in + maybe) echo "KLIPS module is not loaded!" ;; + none) echo "no KLIPS in kernel!" ;; + esac + if test "$eroutes" + then + echo "some eroutes exist" + fi + exit 1 + else + echo "IPsec stopped" + if test ! "$hassublock" -a ! "$hasinfo" -a "$plutokind" = "no" \ + -a ! "$eroutes" + then + exit 0 + fi + echo "but..." + if test "$hassublock" + then + echo "has subsystem lock ($subsyslock)!" + fi + if test "$hasinfo" + then + echo "has $info file!" + fi + if test "$plutokind" != "normal" + then + echo "$plutokind Pluto is running!" + fi + if test "$eroutes" + then + echo "some eroutes exist!" + fi + exit 1 + fi + ;; + + --version) + if test " $IPSEC_setupflags" != " " + then + echo "$me $1 does not support $IPSEC_setupflags" + exit 1 + fi + + echo "$me $IPSEC_VERSION" + exit 0 + ;; + + --help) + if test " $IPSEC_setupflags" != " " + then + echo "$me $1 does not support $IPSEC_setupflags" + exit 1 + fi + + echo "Usage: $me {--start|--stop|--restart|--status}" + exit 0 + ;; + + *) + echo "Usage: $me {--start|--stop|--restart|--status}" >&2 + exit 2 +esac + +exit 0 |