Diffstat (limited to 'programs/setup')
-rw-r--r-- | programs/setup/.cvsignore | 1 | ||||
-rw-r--r-- | programs/setup/Makefile | 22 | ||||
-rw-r--r-- | programs/setup/setup.8 | 142 | ||||
-rwxr-xr-x | programs/setup/setup.in | 162 |
4 files changed, 327 insertions, 0 deletions
diff --git a/programs/setup/.cvsignore b/programs/setup/.cvsignore
new file mode 100644
index 000000000..146f275e0
--- /dev/null
+++ b/programs/setup/.cvsignore
@@ -0,0 +1 @@
+setup
diff --git a/programs/setup/Makefile b/programs/setup/Makefile
new file mode 100644
index 000000000..f12d452b2
--- /dev/null
+++ b/programs/setup/Makefile
@@ -0,0 +1,22 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.3 2006/02/10 11:28:15 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=setup
+EXTRA8MAN=setup.8
+
+include ../Makefile.program
diff --git a/programs/setup/setup.8 b/programs/setup/setup.8
new file mode 100644
index 000000000..e2980ee74
--- /dev/null
+++ b/programs/setup/setup.8
@@ -0,0 +1,142 @@
+.TH IPSEC_SETUP 8 "23 July 2001"
+.\" RCSID $Id: setup.8,v 1.1 2004/03/15 20:35:31 as Exp $
+.SH NAME
+ipsec setup \- control IPsec subsystem
+.SH SYNOPSIS
+.B ipsec
+.B setup
+[
+.B \-\-show
+|
+.B \-\-showonly
+]
+command
+.SH DESCRIPTION
+.I Setup
+controls the FreeS/WAN IPsec subsystem,
+including both the Klips kernel code and the Pluto key-negotiation daemon.
+(It is a synonym for the ``rc'' script for the subsystem;
+the system runs the equivalent of
+.B "ipsec setup start"
+at boot time,
+and
+.B "ipsec setup stop"
+at shutdown time, more or less.)
+.PP
+The action taken depends on the specific
+.IR command ,
+and on the contents of the
+.B config
+.B setup
+section of the
+IPsec configuration file (\c
+.IR /etc/ipsec.conf ,
+see
+.IR ipsec.conf (5)).
+Current
+.IR command s
+are:
+.TP 10
+.B start
+start Klips and Pluto,
+including setting up Klips to do crypto operations on the
+interface(s) specified in the configuration file,
+and (if the configuration file so specifies)
+setting up manually-keyed connections and/or
+asking Pluto to negotiate automatically-keyed connections
+to other security gateways
+.TP
+.B stop
+shut down Klips and Pluto,
+including tearing down all existing crypto connections
+.TP
+.B restart
+equivalent to
+.B stop
+followed by
+.B start
+.TP
+.B status
+report the status of the subsystem;
+normally just reports
+.B "IPsec running"
+and
+.BR "pluto pid \fInnn\fP" ,
+or
+.BR "IPsec stopped" ,
+and exits with status 0,
+but will go into more detail (and exit with status 1)
+if something strange is found.
+(An ``illicit'' Pluto is one that does not match the process ID in
+Pluto's lock file;
+an ``orphaned'' Pluto is one with no lock file.)
+.PP
+The
+.B stop
+operation tries to clean up properly even if assorted accidents
+have occurred,
+e.g. Pluto having died without removing its lock file.
+If
+.B stop
+discovers that the subsystem is (supposedly) not running,
+it will complain,
+but will do its cleanup anyway before exiting with status 1.
+.PP
+Although a number of configuration-file parameters influence
+.IR setup 's
+operations, the key one is the
+.B interfaces
+parameter, which must be right or chaos will ensue.
+.PP
+The
+.B \-\-show
+and
+.B \-\-showonly
+options cause
+.I setup
+to display the shell commands that it would execute.
+.B \-\-showonly
+suppresses their execution.
+Only
+.BR start ,
+.BR stop ,
+and
+.B restart
+commands recognize these flags.
+.SH FILES
+.ta \w'/proc/sys/net/ipv4/ip_forward'u+2n
+/etc/rc.d/init.d/ipsec the script itself
+.br
+/etc/init.d/ipsec alternate location for the script
+.br
+/etc/ipsec.conf IPsec configuration file
+.br
+/proc/sys/net/ipv4/ip_forward forwarding control
+.br
+/var/run/ipsec.info saved information
+.br
+/var/run/pluto.pid Pluto lock file
+.br
+/var/run/ipsec_setup.pid IPsec lock file
+.SH SEE ALSO
+ipsec.conf(5), ipsec(8), ipsec_manual(8), ipsec_auto(8), route(8)
+.SH DIAGNOSTICS
+All output from the commands
+.B start
+and
+.B stop
+goes both to standard
+output and to
+.IR syslogd (8),
+via
+.IR logger (1).
+Selected additional information is logged only to
+.IR syslogd (8).
+.SH HISTORY
+Written for the FreeS/WAN project
+<http://www.freeswan.org>
+by Henry Spencer.
+.SH BUGS
+Old versions of
+.IR logger (1)
+inject spurious extra newlines onto standard output.
diff --git a/programs/setup/setup.in b/programs/setup/setup.in
new file mode 100755
index 000000000..1e43d0d67
--- /dev/null
+++ b/programs/setup/setup.in
@@ -0,0 +1,162 @@
+#!/bin/sh
+# IPsec startup and shutdown script
+# Copyright (C) 1998, 1999, 2001 Henry Spencer.
+# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: setup.in,v 1.1 2004/03/15 20:35:31 as Exp $
+#
+# ipsec init.d script for starting and stopping
+# the IPsec security subsystem (KLIPS and Pluto).
+#
+# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
+# and is also accessible as "ipsec setup" (the preferred route for human
+# invocation).
+#
+# The startup and shutdown times are a difficult compromise (in particular,
+# it is almost impossible to reconcile them with the insanely early/late
+# times of NFS filesystem startup/shutdown). Startup is after startup of
+# syslog and pcmcia support; shutdown is just before shutdown of syslog.
+#
+# chkconfig: 2345 47 68
+# description: IPsec provides encrypted and authenticated communications; \
+# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
+
+me='ipsec setup' # for messages
+
+
+# where the private directory and the config files are
+IPSEC_EXECDIR="${IPSEC_EXECDIR-@IPSEC_EXECDIR@}"
+IPSEC_LIBDIR="${IPSEC_LIBDIR-@IPSEC_LIBDIR@}"
+IPSEC_SBINDIR="${IPSEC_SBINDIR-@IPSEC_SBINDIR@}"
+IPSEC_CONFS="${IPSEC_CONFS-@IPSEC_CONFS@}"
+
+if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command
+then
+ # we must establish a suitable PATH ourselves
+ PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
+ export PATH
+
+ IPSEC_DIR="$IPSEC_LIBDIR"
+ export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
+fi
+
+# Check that the ipsec command is available.
+found=
+for dir in `echo $PATH | tr ':' ' '`
+do
+ if test -f $dir/ipsec -a -x $dir/ipsec
+ then
+ found=yes
+ break # NOTE BREAK OUT
+ fi
+done
+if ! test "$found"
+then
+ echo "cannot find ipsec command -- \`$1' aborted" |
+ logger -s -p daemon.error -t ipsec_setup
+ exit 1
+fi
+
+# accept a few flags
+
+export IPSEC_setupflags
+IPSEC_setupflags=""
+
+config=""
+
+for dummy
+do
+ case "$1" in
+ --showonly|--show) IPSEC_setupflags="$1" ;;
+ --config) config="--config $2" ; shift ;;
+ *) break ;;
+ esac
+ shift
+done
+
+
+# Pick up IPsec configuration (until we have done this, successfully, we
+# do not know where errors should go, hence the explicit "daemon.error"s.)
+# Note the "--export", which exports the variables created.
+eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup`
+if test " $IPSEC_confreadstatus" != " "
+then
+ echo "$IPSEC_confreadstatus -- \`$1' aborted" |
+ logger -s -p daemon.error -t ipsec_setup
+ exit 1
+fi
+
+IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
+export IPSEC_confreadsection
+
+IPSECsyslog=${IPSECsyslog-daemon.error}
+export IPSECsyslog
+
+# misc setup
+umask 022
+
+
+# do it
+case "$1" in
+ start|--start|stop|--stop|_autostop|_autostart)
+ if test " `id -u`" != " 0"
+ then
+ echo "permission denied (must be superuser)" |
+ logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
+ exit 1
+ fi
+ tmp=/var/run/ipsec_setup.st
+ (
+ ipsec _realsetup $1
+ echo "$?" >$tmp
+ ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
+ st=$?
+ if test -f $tmp
+ then
+ st=`cat $tmp`
+ rm -f $tmp
+ fi
+ exit $st
+ ;;
+
+ restart|--restart|force-reload)
+ $0 $IPSEC_setupflags stop
+ $0 $IPSEC_setupflags start
+ ;;
+
+ _autorestart) # for internal use only
+ $0 $IPSEC_setupflags _autostop
+ $0 $IPSEC_setupflags _autostart
+ ;;
+
+ status|--status)
+ ipsec _realsetup $1
+ exit
+ ;;
+
+ --version)
+ echo "$me $IPSEC_VERSION"
+ exit 0
+ ;;
+
+ --help)
+ echo "Usage: $me {--start|--stop|--restart|--status}"
+ exit 0
+ ;;
+
+ *)
+ echo "Usage: $me {--start|--stop|--restart|--status}" >&2
+ exit 2
+esac
+
+exit 0 |
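Review bot: The `--config` value collected into `config` by the flag loop is not passed along when `restart|--restart|force-reload` re-invokes the script, so the child `stop` and `start` runs read the default configuration rather than the file the caller named; the same applies to the `_autorestart` pair. The fix is to forward it, `$0 $IPSEC_setupflags $config stop` and `$0 $IPSEC_setupflags $config start`, which the child's own `--config) config="--config $2"` arm will re-parse. Separately, in the `start|stop` arm the real exit status is recovered from the fixed path `/var/run/ipsec_setup.st`, which concurrent invocations would share, and when that file is absent `st=$?` holds the status of the trailing `logger` rather than of `ipsec _realsetup`, so a failed start can exit 0 — a per-invocation name (e.g. from `mktemp`) and an explicit error when the file is missing would make the reported status trustworthy. The `ipsec` lookup loop, `for dir in \`echo $PATH | tr ':' ' '\``, also word-splits PATH entries containing spaces and tests `$dir/ipsec` unquoted; quoting both is a one-line change.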