Diffstat (limited to 'programs/_startklips/_startklips.in')
-rwxr-xr-xprograms/_startklips/_startklips.in367
1 files changed, 0 insertions, 367 deletions
diff --git a/programs/_startklips/_startklips.in b/programs/_startklips/_startklips.in
deleted file mode 100755
index 7f85a94de..000000000
--- a/programs/_startklips/_startklips.in
+++ /dev/null
@@ -1,367 +0,0 @@
-#!/bin/sh
-# KLIPS startup script
-# Copyright (C) 1998, 1999, 2001, 2002 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _startklips.in,v 1.6 2005/05/06 22:11:33 as Exp $
-
-me='ipsec _startklips' # for messages
-
-# KLIPS-related paths
-sysflags=/proc/sys/net/ipsec
-modules=/proc/modules
-# full rp_filter path is $rpfilter1/interface/$rpfilter2
-rpfilter1=/proc/sys/net/ipv4/conf
-rpfilter2=rp_filter
-# %unchanged or setting (0, 1, or 2)
-rpfiltercontrol=0
-ipsecversion=/proc/net/ipsec_version
-moduleplace=/lib/modules/`uname -r`/kernel/net/ipsec
-bareversion=`uname -r | sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/'`
-moduleinstplace=/lib/modules/$bareversion/kernel/net/ipsec
-modulename=ipsec.o
-klips=true
-netkey=/proc/net/pfkey
-
-info=/dev/null
-log=daemon.error
-for dummy
-do
- case "$1" in
- --log) log="$2" ; shift ;;
- --info) info="$2" ; shift ;;
- --debug) debug="$2" ; shift ;;
- --omtu) omtu="$2" ; shift ;;
- --fragicmp) fragicmp="$2" ; shift ;;
- --hidetos) hidetos="$2" ; shift ;;
- --rpfilter) rpfiltercontrol="$2" ; shift ;;
- --) shift ; break ;;
- -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-
-
-# some shell functions, to clarify the actual code
-
-# set up a system flag based on a variable
-# sysflag value shortname default flagname
-sysflag() {
- case "$1" in
- '') v="$3" ;;
- *) v="$1" ;;
- esac
- if test ! -f $sysflags/$4
- then
- if test " $v" != " $3"
- then
- echo "cannot do $2=$v, $sysflags/$4 does not exist"
- exit 1
- else
- return # can't set, but it's the default anyway
- fi
- fi
- case "$v" in
- yes|no) ;;
- *) echo "unknown (not yes/no) $2 value \`$1'"
- exit 1
- ;;
- esac
- case "$v" in
- yes) echo 1 >$sysflags/$4 ;;
- no) echo 0 >$sysflags/$4 ;;
- esac
-}
-
-# set up a Klips interface
-klipsinterface() {
- # pull apart the interface spec
- virt=`expr $1 : '\([^=]*\)=.*'`
- phys=`expr $1 : '[^=]*=\(.*\)'`
- case "$virt" in
- ipsec[0-9]) ;;
- *) echo "invalid interface \`$virt' in \`$1'" ; exit 1 ;;
- esac
-
- # figure out ifconfig for interface
- addr=
- eval `ifconfig $phys |
- awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ {
- gsub(/:/, " ", $0)
- print "addr=" $3
- other = $5
- if ($4 == "Bcast")
- print "type=broadcast"
- else if ($4 == "P-t-P")
- print "type=pointopoint"
- else if (NF == 5) {
- print "type="
- other = ""
- } else
- print "type=unknown"
- print "otheraddr=" other
- print "mask=" $NF
- }'`
- if test " $addr" = " "
- then
- echo "unable to determine address of \`$phys'"
- exit 1
- fi
- if test " $type" = " unknown"
- then
- echo "\`$phys' is of an unknown type"
- exit 1
- fi
- if test " $omtu" != " "
- then
- mtu="mtu $omtu"
- else
- mtu=
- fi
- echo "KLIPS $virt on $phys $addr/$mask $type $otheraddr $mtu" | logonly
-
- if $klips
- then
- # attach the interface and bring it up
- ipsec tncfg --attach --virtual $virt --physical $phys
- ifconfig $virt inet $addr $type $otheraddr netmask $mask $mtu
- fi
-
- # if %defaultroute, note the facts
- if test " $2" != " "
- then
- (
- echo "defaultroutephys=$phys"
- echo "defaultroutevirt=$virt"
- echo "defaultrouteaddr=$addr"
- if test " $2" != " 0.0.0.0"
- then
- echo "defaultroutenexthop=$2"
- fi
- ) >>$info
- else
- echo '#dr: no default route' >>$info
- fi
-
- # check for rp_filter trouble
- checkif $phys # thought to be a problem only on phys
-}
-
-# check an interface for problems
-checkif() {
- $klips || return 0
- rpf=$rpfilter1/$1/$rpfilter2
- if test -f $rpf
- then
- r="`cat $rpf`"
- if test " $r" != " 0"
- then
- case "$r-$rpfiltercontrol" in
- 0-%unchanged|0-0|1-1|2-2)
- # happy state
- ;;
- *-%unchanged)
- echo "WARNING: $1 has route filtering turned on; KLIPS may not work ($rpf is $r)"
- ;;
- [012]-[012])
- echo "WARNING: changing route filtering on $1 (changing $rpf from $r to $rpfiltercontrol)"
- echo "$rpfiltercontrol" >$rpf
- ;;
- [012]-*)
- echo "ERROR: unknown rpfilter setting: $rpfiltercontrol"
- ;;
- *)
- echo "ERROR: unknown $rpf value $r"
- ;;
- esac
- fi
- fi
-}
-
-# interfaces=%defaultroute: put ipsec0 on top of default route's interface
-defaultinterface() {
- phys=`netstat -nr |
- awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'`
- if test " $phys" = " "
- then
- echo "no default route, %defaultroute cannot cope!!!"
- exit 1
- fi
- if test `echo " $phys" | wc -l` -gt 1
- then
- echo "multiple default routes, %defaultroute cannot cope!!!"
- exit 1
- fi
- next=`netstat -nr |
- awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2 }'`
- klipsinterface "ipsec0=$phys" $next
-}
-
-# log only to syslog, not to stdout/stderr
-logonly() {
- logger -p $log -t ipsec_setup
-}
-
-# sort out which module is appropriate, changing it if necessary
-setmodule() {
- wantgoo="`ipsec calcgoo /proc/ksyms`"
- module=$moduleplace/$modulename
- if test -f $module
- then
- goo="`nm -ao $module | ipsec calcgoo`"
- if test " $wantgoo" = " $goo"
- then
- return # looks right
- fi
- fi
- if test -f $moduleinstplace/$wantgoo
- then
- echo "insmod failed, but found matching template module $wantgoo."
- echo "Copying $moduleinstplace/$wantgoo to $module."
- rm -f $module
- mkdir -p $moduleplace
- cp -p $moduleinstplace/$wantgoo $module
- # "depmod -a" gets done by caller
- fi
-}
-
-
-
-# main line
-
-# load module if possible
-if test ! -f $ipsecversion && test ! -f $netkey
-then
- # statically compiled KLIPS not found; try to load the module
- insmod ipsec
-fi
-
-if test ! -f $ipsecversion && test ! -f $netkey
-then
- modprobe -v af_key
-fi
-
-if test -f $netkey
-then
- klips=false
- if test -f $modules
- then
- modprobe -qv ah4
- modprobe -qv esp4
- modprobe -qv ipcomp
- modprobe -qv xfrm4_tunnel
- modprobe -qv xfrm_user
- fi
-fi
-
-if test ! -f $ipsecversion && $klips
-then
- if test -r $modules # kernel does have modules
- then
- setmodule
- unset MODPATH MODULECONF # no user overrides!
- depmod -a >/dev/null 2>&1
- modprobe -v ipsec
- fi
- if test ! -f $ipsecversion
- then
- echo "kernel appears to lack KLIPS"
- exit 1
- fi
-fi
-
-# load all compiled algo modules
-if $klips
-then
- for alg in aes serpent twofish blowfish sha2
- do
- if test -f $moduleinstplace/alg/ipsec_$alg.o
- then
- modprobe ipsec_$alg
- fi
- done
-fi
-
-# figure out debugging flags
-case "$debug" in
-'') debug=none ;;
-esac
-if test -r /proc/net/ipsec_klipsdebug
-then
- echo "KLIPS debug \`$debug'" | logonly
- case "$debug" in
- none) ipsec klipsdebug --none ;;
- all) ipsec klipsdebug --all ;;
- *) ipsec klipsdebug --none
- for d in $debug
- do
- ipsec klipsdebug --set $d
- done
- ;;
- esac
-elif $klips
-then
- if test " $debug" != " none"
- then
- echo "klipsdebug=\`$debug' ignored, KLIPS lacks debug facilities"
- fi
-fi
-
-# figure out misc. kernel config
-if test -d $sysflags
-then
- sysflag "$fragicmp" "fragicmp" yes icmp
- echo 1 >$sysflags/inbound_policy_check # no debate
- sysflag no "no_eroute_pass" no no_eroute_pass # obsolete parm
- sysflag no "opportunistic" no opportunistic # obsolete parm
- sysflag "$hidetos" "hidetos" yes tos
-elif $klips
-then
- echo "WARNING: cannot adjust KLIPS flags, no $sysflags directory!"
- # carry on
-fi
-
-if $klips; then
- # clear tables out in case dregs have been left over
- ipsec eroute --clear
- ipsec spi --clear
-elif test $netkey
-then
- if ip xfrm state > /dev/null 2>&1
- then
- ip xfrm state flush
- ip xfrm policy flush
- elif type setkey > /dev/null 2>&1
- then
- setkey -F
- setkey -FP
- else
- echo "WARNING: cannot flush state/policy database -- \`$1'" |
- logger -s -p $log -t ipsec_setup
- fi
-fi
-
-# figure out interfaces
-for i
-do
- case "$i" in
- ipsec*=?*) klipsinterface "$i" ;;
- %defaultroute) defaultinterface ;;
- *) echo "interface \`$i' not understood"
- exit 1
- ;;
- esac
-done
-
-exit 0